Health Endpoint No Longer Accessible Since 1.2.0 Upgrade #2120
Comments
As you have seen in the release notes, the health endpoint is no longer accessible anonymously by default, yes. Regarding your other question, I don't think there's so much we can do since you configured Spring Security yourself. The sensitive flag only applies with the default configuration that backs off with your configuration. Does that make sense?
Thanks for the response. Yes, what you are saying makes sense but I'm still not entirely clear about why this worked before in that case, since I haven't changed any other code or configuration. Now I think about it perhaps it really was a bug in 1.1.9 that it allowed me to access /health without authenticating when my security configuration was Either way, setting that property doesn't seem to restore the old behaviour, but as I've said above - perhaps this really was a bug in 1.1.9 that's now been fixed.
This was probably a bug in 1.x, yes. You should really update your security config accordingly.
Reopening because I want to look some more at why the property doesn't allow access even with custom security.
Good point, I thought we did not support overriding when the property is set. I had a look and I believe 24e71e8 should be the thing that introduced the regression.
I'm having some trouble replicating this. Could you provide your complete
Hey @philwebb, here is the project I used to debug this. If you flip to
It seems like this might be an ordering issue. If the security is configured with With the
I think the
For reference I had this same issue. The
Since upgrading from 1.1.9 to 1.2.0 the /health endpoint is no longer accessible.
I see from the release notes that the default is to deny anonymous access but even by adding the property endpoints.health.sensitive=false access is still being forbidden.
I do have Spring Security on the classpath and I have configured the WebSecurityConfigurerAdapter with http.authorizeRequests().anyRequest().authenticated(). When using 1.1.9 I was able to access /health without authenticating.
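One way to update a custom security configuration like the one described in the issue so that /health stays reachable anonymously while every other request still requires authentication. This is an added example, not code from the thread or from Spring Boot itself; the class name `HealthAwareSecurityConfig` is hypothetical, and it assumes the endpoint is served at /health as in the report and that HTTP Basic is the login mechanism.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; illustrative configuration only.
@Configuration
@EnableWebSecurity
public class HealthAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matchers are checked in declaration order and the first match
                // wins, so the narrow /health rule must precede anyRequest().
                // Only GET is opened up; other methods on /health fall through
                // to the authenticated() rule below.
                .antMatchers(HttpMethod.GET, "/health").permitAll()
                // Everything else keeps the rule from the original report.
                .anyRequest().authenticated()
                .and()
            // Assumed authentication mechanism for the protected paths.
            .httpBasic();
    }
}
```

With this in place the anonymous exposure of /health is an explicit rule in the application's own security configuration rather than something that depends on how `endpoints.health.sensitive` interacts with a custom `WebSecurityConfigurerAdapter`.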