Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Health Endpoint No Longer Accessible Since 1.2.0 Upgrade #2120

Closed
davidgoate opened this issue Dec 11, 2014 · 10 comments
Closed

Health Endpoint No Longer Accessible Since 1.2.0 Upgrade #2120

davidgoate opened this issue Dec 11, 2014 · 10 comments
Milestone
1.2.1

Comments

@davidgoate
Copy link

Since upgrading from 1.1.9 to 1.2.0 the /health endpoint is no longer accessible.

I see from the release notes that the default is to deny anonymous access but even by adding the property endpoints.health.sensitive=false access is still being forbidden.

I do have Spring Security on the classpath and I have configured the WebSecurityConfigurerAdapter with http.authorizeRequests().anyRequest().authenticated(). When using 1.1.9 I was able to access /health without authenticating.
@snicoll
Copy link
Member

snicoll commented Dec 11, 2014

As you have seen in the release notes, the health endpoint is no longer accessible anonymously by default, yes. Regarding your other question, I don't think there's so much we can do since you configured Spring security yourself. The sensitive flag only applies with the default configuration that backs off with you configuration.

Does that make sense?

@snicoll snicoll added question status: waiting-for-feedback We need additional information before we can continue labels Dec 11, 2014
@davidgoate
Copy link
Author

Thanks for the response. Yes, what you are saying makes sense but I'm still not entirely clear about why this worked before in that case, since I haven't changed any other code or configuration. Now I think about it perhaps it really was a bug in 1.1.9 that it allowed me to access /health without authenticating when my security configuration was http.authorizeRequests().anyRequest().authenticated().

Either way, setting that property doesn't seem to restore the old behaviour, but as I've said above - perhaps this really was a bug in 1.1.9 that's now been fixed.

@snicoll
Copy link
Member

snicoll commented Dec 11, 2014

This was probably a bug in 1.x, yes. You should really update your security config accordingly.

@snicoll snicoll closed this as completed Dec 11, 2014
@dsyer dsyer removed the status: waiting-for-feedback We need additional information before we can continue label Dec 11, 2014
@snicoll snicoll removed the status: waiting-for-feedback We need additional information before we can continue label Dec 11, 2014
@philwebb philwebb reopened this Dec 12, 2014
@philwebb philwebb removed the question label Dec 12, 2014
@philwebb philwebb added this to the 1.2.1 milestone Dec 12, 2014
@philwebb
Copy link
Member

Reopening because I want to look at this some more at why the property doesn't allow access even with custom security.

@snicoll
Copy link
Member

snicoll commented Dec 12, 2014

Good point, I thought we did not support overriding when the property is set. I had a look and I believe 24e71e8 should be the thing that introduced the regression.

@philwebb philwebb added type: regression A regression from a previous release type: bug A general bug labels Dec 12, 2014
@philwebb
Copy link
Member

I'm having some trouble replicating this. Could you provide your complete @Configuration (including the security configuration)? Even better would be a sample application if you have the time?

@philwebb philwebb added the status: waiting-for-feedback We need additional information before we can continue label Dec 15, 2014
@snicoll
Copy link
Member

snicoll commented Dec 16, 2014

Hey @philwebb, here is the project I used to debug this. If you flip to 1.2.1.BUILD-SNAPSHOT you'll indeed need to log in.

@philwebb philwebb removed the status: waiting-for-feedback We need additional information before we can continue label Dec 16, 2014
@philwebb
Copy link
Member

It seems like this might be an ordering issue. If the security is configured with @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) then the sample works. I think this is because http.authorizeRequests().anyRequest().authenticated(); is indicating that all requests must be authenticated, but calls to non-sensitive /healthendpoints are not.

With the @Order annotation your rules are applied before Boot's, rather than replacing them.

@philwebb philwebb removed type: bug A general bug type: regression A regression from a previous release labels Dec 16, 2014
@philwebb
Copy link
Member

I think the @Order annotation should fix things. Please re-open if that's not the case.

This was referenced Dec 21, 2014
Closed
Closed
@igilham
Copy link

igilham commented Sep 23, 2015

For reference I had this same issue. The @Order annotation fixed it for me. See my Stack Overflow question for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.2.1
Development

No branches or pull requests
5 participants
@dsyer @snicoll @philwebb @igilham @davidgoate