Protect actuator endpoints out of the box #6889

Closed
philwebb opened this Issue Sep 14, 2016 · 6 comments


3 participants

@philwebb
Member

We should protect actuator endpoints with basic-auth even if Spring Security isn't in use. If the user really wants open endpoints, they should opt-in.

@philwebb philwebb added this to the 1.5.0 M1 milestone Sep 14, 2016
@philwebb philwebb changed the title from Protect endpoints out of the box to Protect actuator endpoints out of the box Sep 14, 2016
@philwebb
Member

Related #6888

@mbhave mbhave added a commit that referenced this issue Dec 6, 2016
@mbhave mbhave Add a security interceptor for actuator endpoints
Update `AbstractEndpointHandlerMapping` to support a security
interceptor that can be used to enforce endpoint security.

Fixes gh-6889
d09aafa
@mbhave mbhave added a commit that closed this issue Dec 6, 2016
@mbhave mbhave closed this in d09aafa Dec 6, 2016
@joshiste
Contributor
joshiste commented Dec 11, 2016

Prior to this commit the actuator endpoints are only protected when Spring Security is on the classpath and a generated password is written to the log, so I can access the endpoints with no further configuration.

After this commit, not using Spring Security, I get out-of-the-box protected actuator endpoints but no way to access them, because I have no chance to authenticate. Or am I missing something?

IMHO it would be very useful to also generate a password which can be used to access the endpoints, or some other form of authentication mechanism...

@philwebb
Member

@joshiste The idea is to make people explicitly opt-in to exposing actuator endpoints rather than accidentally exposing them. I'm not sure that we really want to recreate Spring Security behavior ourselves, especially as a generated password isn't that useful in production apps.

We probably should do more to direct the user so they know what property they need to change to restore Boot 1.4 behavior. I'll reopen this and also tag it for our team discussion to see what the others think.

@philwebb philwebb reopened this Dec 12, 2016
@joshiste
Contributor

@mbhave you removed the discussion label. Can you tell what the results of this discussion are?

@philwebb
Member

@joshiste We're going to make the message more explicit so that people know what to do and investigate how much work it would be to implement basic-auth directly in Boot.

@philwebb
Member

See #7673 for basic auth investigation.

@philwebb philwebb added a commit that referenced this issue Jan 4, 2017
@philwebb philwebb Update actuator security documentation
Update documentation to align with the new role based method.

See gh-6889
f8a53cf
@philwebb philwebb closed this Jan 6, 2017