Feature Request: Add configuration to limit endpoint access based on HAL discovery results

[carrotFromCali]

Describe the issue

When client applications expose only specific actuator endpoints (e.g., health and loggers) and the HAL index response from /actuator correctly reflects this limited set, Spring Boot Admin server still attempts to access other actuator endpoints that are not listed in the HAL response, resulting in 401 errors.

Scenario:

1. Client configures management.endpoints.web.exposure.include: health,loggers
2. Client's /actuator HAL response correctly returns only the exposed endpoints:

{
  "_links": {
    "self": {"href": "http://localhost:8080/actuator", "templated": false},
    "health": {"href": "http://localhost:8080/actuator/health", "templated": false},
    "health-path": {"href": "http://localhost:8080/actuator/health/{*path}", "templated": true},
    "loggers": {"href": "http://localhost:8080/actuator/loggers", "templated": false},
    "loggers-name": {"href": "http://localhost:8080/actuator/loggers/{name}", "templated": true}
  }
}

3. SBA server still attempts to access other endpoints (e.g., /actuator/env, /actuator/metrics, etc.) that are not listed in the HAL response
4. These requests return 401, generating unnecessary error logs

Expected behavior:

SBA should only access endpoints that are listed in the client's HAL response and not attempt to access any other endpoints.

Question

Is this the expected behavior? If so, is there a way to configure SBA server to strictly respect the HAL response and only access the endpoints advertised by the client?

Environment

• Spring Boot Admin Server: 3.5.7

• Spring Boot Client: 3.5.7

[SteKoe]

Hi @carrotFromCali,

thanks for opening this issue. On which pages is /env called? As long as the /actuator does not expose /env endpoint, we usually do not call it. Hence, it would be nice to have an example, where this happens in your case.

[cdprete]

For what may count, I don't observe this issue in my environments.
Moreover, already in the past, actions were taken to not call /env → #4242
Finally, SBA should get back a 404 when (if) calling a disabled endpoint and not 401 I assume.

[carrotFromCali]

from the traces, I saw the request is initiated not from UI but some backend threads in every 3 sec and 7 sec :

doExecute
Built-In Apache | org.apache.hc.client5.http.impl.classic.InternalHttpClient

btw, the endpoint returns 401 because the registered service has securityFilterChain which blocks some of the endpoints

[carrotFromCali]

btw, our client services also blocks the /actuator endpoint, so SBA server fall back to ProbeEndpointsStrategy instead.

[cdprete]

btw, our client services also blocks the /actuator endpoint, so SBA server fall back to ProbeEndpointsStrategy instead.

This would explain then, I would say.

[SteKoe]

@cdprete is right. When we are not able to retrieve information about which endpoints are enabled, we might end up using ProbeEndpointsStrategy which was designed for Spring Boot 1.x applications. Even though we haven't tested this with current Spring Boot versions, the property spring.boot.admin.probed-endpoints might be interesting for you.

Your expected behavior is:

SBA should only access endpoints that are listed in the client's HAL response and not attempt to access any other endpoints.

but also say

our client services also blocks the /actuator endpoint

so... that contradicts, right? Despite the fact, that it will work, when you do not block /actuator for SBA :)

[hzpz]

@carrotFromCali Did @SteKoe's answer help you?