This is quite urgent, sorry to break stuff at the last minute, but it's for security.
This has already been discussed (ping @cbornet @gmarziou I think you participated), but we have an issue with our actuator endpoints:
- We have a lot of them secured in the SecurityConfiguration, and that makes a long file (and besides it has a small performance cost as Spring Security needs to go thru all of them)
- It's not fully secured as when Spring Boot Actuator adds more endpoints we might forget to update them (and there's probably already a security issue here today!!)
- Microservices are not secured, as they were supposed to be behind the gateway: in fact that's false in several cases, for example with Heroku, where all services are publicly available. So another big security issue.
My proposal, and I'm going to work on this ASAP (as it's security-related):
- Put all endpoints behind "/management" so it's easy to secure them with just one Spring Security rule
- (optional) Add basic auth support for them, so that the JHipster Registry (or any other tool) can access them remotely easily
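
One way to express the proposal in this issue, as an added example that is not JHipster's code. It assumes Spring Boot 1.x with Spring Security 4 (contemporary with this issue); the class name, the `ROLE_ADMIN` authority and the `/api/**` rule are illustrative.

```java
// Added example, not JHipster code. Assumes Spring Boot 1.x / Spring Security 4
// and this line in application.properties, which moves every Actuator endpoint
// (including ones added by later Spring Boot releases) under one prefix:
//
//   management.context-path=/management

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ManagementSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Before: one matcher per endpoint (/health, /metrics, /env, ...),
                // where any endpoint missing from the list stays unprotected.
                // After: a single prefix rule covers current and future endpoints.
                .antMatchers("/management/**").hasAuthority("ROLE_ADMIN") // assumed authority name
                // Illustrative application rule; real applications have their own.
                .antMatchers("/api/**").authenticated()
            .and()
                // Optional part of the proposal: HTTP Basic lets a remote tool
                // (a registry, a monitoring job) authenticate without a login page.
                // Basic credentials are only base64-encoded, so serve this over TLS.
                .httpBasic();
    }
}
```

The same configuration has to be present in each microservice, since the issue notes that services may be reachable without passing through the gateway.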
jdubois added a commit to jhipster/jhipster-registry that referenced this issue May 6, 2016