Remove management.security.enabled from documentation #11383
Comments
Also update this section for actuator security.
Additional feedback and migrating spring 1 management endpoint configuration to spring-boot:
My experience using actuator together with spring-security-oauth2 was that
Thanks for the feedback. That line refers more to the case where you don't have Spring Security on your classpath. In that case, on setting the If Spring Security is on the classpath and no other If a different We can update the doc to make that more explicit.
So, if I want to expose the actuator endpoints (because the deployment is behind a firewall) similar to what I was doing with spring boot 1, is replacing
@balajeetm As I've said in my previous comment, the If Spring Security is not present, setting
@mbhave Thanks. That works
@balajeetm In attached example method
I'm having an extremely difficult time trying to figure out what management.security.enabled and management.security.roles has been replaced with... All of these endpoints are available to the world right now. Is there no simple way to lock them down without configuring my WebSecurityConfigurerAdapter? I've combed through the documentation here multiple times without luck: https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#production-ready-endpoints-security Why is the replacement not documented? Sorry - I feel like this is a good spot for this question but can open a question issue if needed - but it seems like it might also be a documentation bug.
@jblayneyXpanxion as mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. This is a question that would be better suited to Stack Overflow or our gitter channel. If you feel this is a documentation issue please open a new issue rather than commenting on a closed one. Regarding your point about these endpoints being available to the world, that is not true. The default configuration for all endpoints (except health and info) requires authentication when Spring Security is on the classpath. Additionally the endpoints are not exposed over the web by default. They need to be exposed explicitly using the
management.security.enabled has been removed in spring-boot 2. But the docs still mention the property. Please adjust the documentation and add a sample for the alternative way to disable security on the management endpoints.
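The thread says that with Spring Security on the classpath every actuator endpoint except health and info requires authentication by default. The following is an added example, not code from this issue or from the Spring Boot project, of stating that policy explicitly and tying it to a role, the job `management.security.roles` used to do. It assumes Spring Boot 2.0.x on the servlet stack with the actuator and Spring Security starters present; the package name, class name and the `ENDPOINT_ADMIN` role are hypothetical.

```java
// Added example. Assumptions: Spring Boot 2.0.x, servlet stack,
// spring-boot-starter-actuator and spring-boot-starter-security on the classpath.
package com.example.actuator; // hypothetical package

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(1) // evaluated before the application's own adapter (default order 100)
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this filter chain to actuator endpoint paths only, so the
            // rules follow the endpoints even if the management base path changes.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // health and info stay reachable without credentials
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // every other endpoint needs the (hypothetical) ENDPOINT_ADMIN role
                .anyRequest().hasRole("ENDPOINT_ADMIN")
            .and()
            .httpBasic();
    }
}
```

A user holding the chosen role has to exist in the application's user store for the protected endpoints to be reachable at all.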