We should protect actuator endpoints with basic-auth even if Spring Security isn't in use. If the user really wants open endpoints, they should opt-in.
Add a security interceptor for actuator endpoints
Update `AbstractEndpointHandlerMapping` to support a security
interceptor that can be used to enforce endpoint security.
Prior to this commit the actuator endpoints are only protected when Spring Security is on the classpath and a generated password is written to the log, so I can access the endpoints with no further configuration.
After this commit, not using Spring Security, I get out-of-the-box protected actuator endpoints but no way to access them, because I have no chance to authenticate. Or am I missing something?
Imho it would be very useful to also generate a password which can be used to access the endpoints or some other form of authentication mechanism...
@joshiste The idea is to make people explicitly opt-in to exposing actuator endpoints rather than accidentally exposing them. I'm not sure that we really want to recreate Spring Security behavior ourselves, especially as a generated password isn't that useful in production apps.
We probably should do more to direct the user so they know what property they need to change to restore Boot 1.4 behavior. I'll reopen this and also tag it for our team discussion to see what the others think.
@mbhave you removed the discussion label. Can you tell what the results of this discussion are?
@joshiste We're going to make the message more explicit so that people know what to do and investigate how much work it would be to implement basic-auth directly in Boot.
See #7673 for basic auth investigation.
Update actuator security documentation
Update documentation to align with the new role-based method.