Understanding ACTUATOR role in spring boot - java

After recent spring boot upgrade (1.5+) I am no longer able to access /metrics endpoint in my application. To solve this, I added management.security.enabled=false and management.security.roles=ACTUATOR. This allowed me to access the endpoint and it still required credentials before viewing. This works but I don’t understand why. Am I only disabling the ACTUATOR role to access this endpoint? Is there any security risk here?

I know that after you move to Spring Boot 2.0.0.M5 only the status and info endpoints are enabled by default. In Spring Boot 2 you also no longer need management.security.enabled: https://github.com/spring-projects/spring-boot/issues/11383
I generally use this:
    management.endpoints.web.exposure.include=info, health, metrics, env, beans, configprops

Related

Spring Boot Actuator - Custom Endpoints

I am using Spring Boot Actuator module in my project which exposes REST endpoint URLs to monitor & manage application usages in production environment, without coding & configuration for any of them.
By default, only /health and /info endpoints are exposed.
I am customising the endpoints via application.properties file as per my use case.
application.properties:
    # To expose all endpoints
    management.endpoints.web.exposure.include=*
    # To expose only selected endpoints
    management.endpoints.jmx.exposure.include=health,info,env,beans
I want to understand, where exactly does Spring Boot create actual endpoints for /health and /info and how does it expose them over HTTP?
Thanks @Puce and @MarkBramnik for helping me out with the reference docs & code repository.
I wanted to understand how the endpoints were working and how they were exposed over HTTP, so that I could create custom endpoints to leverage in my application.
One of the great features of Spring Framework is that it’s very easy to extend, and I was able to achieve the same.
To create a custom actuator endpoint, use the @Endpoint annotation on a class. Then leverage the @ReadOperation / @WriteOperation / @DeleteOperation annotations on the methods to expose them as an actuator endpoint bean as needed.
Reference Doc: Implementing Custom Endpoints
Reference Example:
    import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
    import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
    import org.springframework.stereotype.Component;

    @Endpoint(id = "custom_endpoint")   // the id becomes the path: /actuator/custom_endpoint
    @Component
    public class MyCustomEndpoint {

        // A read operation answers GET requests on the endpoint
        @ReadOperation
        public String greet() {
            return "Hello from custom endpoint";
        }
    }
The endpoint id, i.e. custom_endpoint, needs to be configured in the list of actuator endpoints to be enabled.
application.properties:
    management.endpoints.web.exposure.include=health,info,custom_endpoint
After a restart, endpoint works like a charm!
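Extending the answer above, an added example (not the post's own code) of a custom endpoint that also takes a path selector and accepts writes. The featureflags id, the class name and the flag names are made up for illustration.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
import org.springframework.boot.actuate.endpoint.annotation.Selector;
import org.springframework.boot.actuate.endpoint.annotation.WriteOperation;
import org.springframework.stereotype.Component;

// Hypothetical endpoint id. It must be listed in
// management.endpoints.web.exposure.include (e.g. health,info,featureflags),
// otherwise the bean exists in the context but is never mapped to a URL.
@Component
@Endpoint(id = "featureflags")
public class FeatureFlagsEndpoint {

    private final Map<String, Boolean> flags = new ConcurrentHashMap<>();

    public FeatureFlagsEndpoint() {
        // constructed sample data
        flags.put("newCheckout", Boolean.FALSE);
        flags.put("betaSearch", Boolean.TRUE);
    }

    // GET /actuator/featureflags  ->  {"newCheckout":false,"betaSearch":true}
    @ReadOperation
    public Map<String, Boolean> allFlags() {
        return Collections.unmodifiableMap(flags);
    }

    // GET /actuator/featureflags/{name}; @Selector binds the trailing path segment.
    // Returning null makes Actuator answer 404 Not Found instead of an empty 200.
    @ReadOperation
    public Boolean flag(@Selector String name) {
        return flags.get(name);
    }

    // POST /actuator/featureflags/{name} with body {"enabled":true} -> 204 No Content.
    // The body field is matched to the parameter by name, which relies on the
    // -parameters compiler flag that the Spring Boot build plugins enable.
    // A write operation changes runtime state, so expose it only behind the
    // authentication rules described under "Actuator Security" further down.
    @WriteOperation
    public void setFlag(@Selector String name, boolean enabled) {
        flags.put(name, enabled);
    }
}
```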

Spring security client PKCE with Keycloak

I have a Java application using Spring Security 5.2.1 and secured by Keycloak.
The client in Keycloak is a public openid-connect client.
It works fine.
I have now a requirement to use PKCE (Proof Key for Code Exchange).
As Client Support for PKCE has been added to Spring Security 5.2.0.M2 and as I use Spring Security 5.2.1, I can use Spring Security to implement it.
That's the good news.
The 'bad' news is that I found nearly nothing on the Web or in the Spring Security documentation on how I must implement it, practically.
Adding "enable-pkce": true in keycloak.json doesn't work, and I don't find any clear example of what to do.
Is there some documentation, website or whatever else, describing what to do to implement this?
Thank you very much!
From the Spring Security reference documentation https://docs.spring.io/spring-security/site/docs/5.3.1.RELEASE/reference/html5/#initiating-the-authorization-request
PKCE will automatically be used when the following conditions are true:
client-secret is omitted (or empty)
client-authentication-method is set to "none" (ClientAuthenticationMethod.NONE)

CWE-749: Exposed Dangerous Method or Function Veracode issue while configuring the Spring Boot Admin Actuator endpoints

I am trying to configure the SB admin in my Spring Boot application and trying to use the actuator endpoints.
My SB application: 2.1.5.RELEASE
For Admin,
I have added the below dependencies:
spring-boot-admin-starter-server -> 2.2.1
spring-boot-admin-starter-client -> 2.1.1
The application.properties configured as follows:
So far everything is fine, I am able to access all features of SB Admin, like logging, health, etc.
But when I execute the Veracode scan I end up with the below error.
The error was showing at this property (management.endpoints.web.exposure.include=*).
The Veracode documentation described the link as follows:
https://cwe.mitre.org/data/definitions/749.html
My workaround: As it was talking about 'Exposed Dangerous Method or Function' I thought of applying the spring basic security so that Spring Boot admin console can't be accessed by unauthorized users.
However, my problem didn't resolve. After a lot of research, I came to know that declaring 'management.endpoints.web.exposure.include=*' itself is vulnerable?
That is my guess, in this case, how can I solve this Veracode issue?
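The ACTUATOR role question at the top of the page and this Veracode finding have the same answer: expose only the endpoints you need, and put every endpoint other than health and info behind authentication. The following is an added example, not code from any of the posts, for Spring Boot 2.1 with Spring Security on the classpath; the role name ACTUATOR mirrors the old management.security.roles setting, and the property values in the comments are illustrative assumptions.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Once a WebSecurityConfigurerAdapter is present, Spring Boot's own actuator
// security auto-configuration backs off, so the rules below are the complete
// access policy for /actuator/**.
//
// Pair it with an explicit allow-list instead of the wildcard the scan flagged,
// e.g. (assumed values):
//   management.endpoints.web.exposure.include=health,info,metrics,loggers
// and a user that actually holds the role, e.g. for local testing:
//   spring.security.user.name=admin
//   spring.security.user.password=<secret from your vault, placeholder>
//   spring.security.user.roles=ACTUATOR
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain handles actuator paths only; the application's own
            // URLs need their own WebSecurityConfigurerAdapter with a different @Order.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Liveness probes and build info stay anonymous, as in Boot's defaults
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // Everything else (env, beans, loggers, heapdump, ...) requires
                // ROLE_ACTUATOR, the role management.security.roles=ACTUATOR granted in 1.5
                .anyRequest().hasRole("ACTUATOR")
            .and()
            // HTTP Basic is enough for a monitoring tool or curl to present credentials
            .httpBasic();
    }
}
```

With this in place a request to /actuator/env without credentials is answered with 401, while /actuator/health still returns 200 anonymously.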

SpringBoot 2 health end point JSON format has changed

We have recently upgraded our Spring Boot version to 2.1.2 in one of our applications.
I noticed a change in JSON format when I hit this URL:
http://localhost:xxxx/health.
The changed structure is:
    {
        Health: {
            status: "UP"
        }
    }
Earlier it was:
    {
        status: "UP"
    }
My questions are:
1. Why has it been modified?
2. Is there any config to keep the structure as it was before?
With the release of Spring Boot 2, Actuator has been redesigned, and new exciting endpoints were added.
The /actuator/health endpoint is used to check the health or state of the running application. It’s usually exercised by monitoring software to alert us if the running instance goes down or gets unhealthy for other reasons, e.g. connectivity issues with our DB, lack of disk space…
    http://localhost:8080/actuator/health
    {
        status: "UP"
    }
Monitoring and Management over HTTP
If you are developing a web application, Spring Boot Actuator auto-configures all enabled endpoints to be exposed over HTTP. The default convention is to use the id of the endpoint with a prefix of /actuator as the URL path. For example, health is exposed as /actuator/health. TIP: Actuator is supported natively with Spring MVC, Spring WebFlux, and Jersey.
Actuator Security
For security purposes, all actuators other than /health and /info are disabled by default. The management.endpoints.web.exposure.include property can be used to enable the actuators.
If Spring Security is on the classpath and no other WebSecurityConfigurerAdapter is present, all actuators other than /health and /info are secured by Spring Boot auto-configuration. If you define a custom WebSecurityConfigurerAdapter, Spring Boot auto-configuration will back off and you will be in full control of actuator access rules.
Endpoints
Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the health endpoint provides basic application health information.
Each individual endpoint can be enabled or disabled. This controls whether or not the endpoint is created and its bean exists in the application context. To be remotely accessible an endpoint also has to be exposed via JMX or HTTP. Most applications choose HTTP, where the ID of the endpoint along with a prefix of /actuator is mapped to a URL. For example, by default, the health endpoint is mapped to /actuator/health.
Actuator JSON
The JSON payloads returned from many endpoints have been improved with Spring Boot 2.0.
Many endpoints now have JSON that more accurately reflects the underlying data. For example, the /actuator/conditions endpoint (/autoconfig in Spring Boot 1.5) now has a top level contexts key to group results by ApplicationContext.
8. Health (health)
To retrieve the health of the application, make a GET request to /actuator/health, as shown in the following curl-based example:
    $ curl 'http://localhost:8080/actuator/health' -i -X GET
Useful Information: Baeldung

How to test if Spring Security is actually enabled?

I'm having trouble getting Spring Security to work in my Spring MVC app. It is configured correctly (I think) and I am fully expecting it to use the configured security filter on all requests. It isn't. My question isn't to make sure I'm configured correctly so I'm not going to post any code, I am only asking if there is a method or something I can call in one of my controllers that will return true or false signifying if Spring Security is actually enabled or not so I can know how to proceed debugging. Thanks!
In your case, you could use Spring Actuator.
This is a module used for application monitoring. You can read more about it in this blog post: http://www.baeldung.com/spring-boot-actuators
