The effect upon Actuator of defining your own SecurityFilterChain is documented inconsistently #41569
Description
It seems this statement in docs is wrong or confusing (emphasis mine):
add a bean of type
SecurityFilterChain(doing so does not disable [...] or Actuator's security).
If you create a new Spring Boot 3 application like this
with default configuration actuator is secured:
$ curl -f http://localhost:8080/actuator -w "\n"
curl: (22) The requested URL returned error: 401
but when adding a SecurityFilterChain like this
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(req ->
req.anyRequest().permitAll()
);
return http.build();
}or this
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.securityMatcher("/app")
.authorizeHttpRequests(req ->
req.anyRequest().permitAll()
);
return http.build();
}security is gone
$ curl -f http://localhost:8080/actuator -w "\n"
{"_links":{"self":{"href":"http://localhost:8080/actuator","templated":false},"health":{"href":"http://localhost:8080/actuator/health","templated":false},"health-path":{"href":"http://localhost:8080/actuator/health/{*path}","templated":true}}}