
Enhancement - Spring Boot 3 - Limited options of org.springframework.boot.actuate.endpoint.Show allow sensitive values to be displayed #33989

@solidjb

Before Spring Boot 3, there were certain keys that were automatically masked on the /env endpoint. Users were also able to configure other keys to be masked.

With Spring Boot 3, however, we now have three choices: NEVER show any values (i.e. always mask every value), ALWAYS show values (i.e. never mask any value), and WHEN_AUTHORIZED (i.e. never mask any value as long as the caller has been authorized).

In our use case, we protect the /env endpoint with opaque token authorization, and a required scope. If the user is not authorized, then we do not even let them see the endpoint response at all (they will get a 401). But if the user is authorized, then they can see the values of every key - even key/values that were provided by a secret manager.

With the three options we have above (NEVER/ALWAYS/WHEN_AUTHORIZED), every value will be shown or masked. There is no ability to mix. I believe it would be beneficial to provide some mechanism to allow some values to be shown while other values are masked. That could be a configurable list of keys (or keySuffixes/keyPrefixes), or one could configure the masking by source name or something.

I think the new enum is too limited and needs to be enhanced.
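Editorial example, not part of the issue and not a Spring Boot maintainer reply: in Spring Boot 3 the `/env` endpoint still runs every `SanitizingFunction` bean over each entry whenever `management.endpoint.env.show-values` is set to `ALWAYS` or `WHEN_AUTHORIZED` (with `NEVER`, everything is masked before any function is consulted). A bean like the one below therefore gives the mixed policy the issue describes: most values are shown to an authorized caller, while keys matching a chosen suffix list or coming from a named property source are replaced by the standard `******` marker. The package name, the suffix list and the property-source name `vault` are assumptions made for this example.

```java
// Added example; not code from the issue or from the Spring Boot project.
// Assumes these application properties are set:
//   management.endpoints.web.exposure.include=env
//   management.endpoint.env.show-values=WHEN_AUTHORIZED
// With WHEN_AUTHORIZED (or ALWAYS), Spring Boot 3 still applies every
// SanitizingFunction bean to each /env entry, so selective masking lives here.
package com.example.actuator; // hypothetical package

import java.util.List;
import java.util.Locale;

import org.springframework.boot.actuate.endpoint.SanitizableData;
import org.springframework.boot.actuate.endpoint.SanitizingFunction;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class EnvSanitizationConfig {

    // Hypothetical list: keys ending with any of these are always masked,
    // even for an authorized caller.
    private static final List<String> MASKED_SUFFIXES =
            List.of("secret", "token", "credentials", ".key", "password");

    // Hypothetical property-source name under which a secret manager
    // contributes its values; everything from it is masked wholesale.
    private static final String SECRET_SOURCE_NAME = "vault";

    @Bean
    SanitizingFunction selectiveMaskingSanitizer() {
        return data -> {
            if (data.getValue() == null) {
                return data; // nothing to hide
            }
            if (matchesMaskedSuffix(data.getKey()) || comesFromSecretSource(data)) {
                // Replace only this entry's value with the standard "******".
                return data.withValue(SanitizableData.SANITIZED_VALUE);
            }
            return data; // left unsanitized; shown because show-values != NEVER
        };
    }

    // Case-insensitive suffix match on the property key.
    static boolean matchesMaskedSuffix(String key) {
        if (key == null) {
            return false;
        }
        String lower = key.toLowerCase(Locale.ROOT);
        return MASKED_SUFFIXES.stream().anyMatch(lower::endsWith);
    }

    // True when the entry was contributed by the named secret-manager source.
    static boolean comesFromSecretSource(SanitizableData data) {
        return data.getPropertySource() != null
                && SECRET_SOURCE_NAME.equals(data.getPropertySource().getName());
    }
}
```

Two caveats worth checking in a running application: the function is only consulted when `show-values` is not `NEVER`, so setting `NEVER` masks everything regardless of what the bean returns; and because `WHEN_AUTHORIZED` relies on the caller already being authenticated, the endpoint security (the opaque-token scope check described above) still decides who reaches the function at all.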

Labels: status: declined (A suggestion or change that we don't feel we should currently apply)