Investigate the effort required to implement basic auth ourselves #7673

philwebb opened this Issue Dec 16, 2016 · 1 comment


None yet

1 participant


We now protect actuator endpoints out the box but without Spring Security there's no way to login. It might be possible for us to implement basic auth ourselves.

@philwebb philwebb added this to the 1.5.0 M1 milestone Dec 16, 2016

After considering all the options I don't think that we should do this. Although it may not be too much code, I think it's quite confusing to have security features sometimes implemented by us and sometimes by Spring Security.

The current situation is quite easy to describe and I think it's pretty reasonable. You need to be a member of the "actuator" group or you need to disable endpoint security if you want to get access. We don't really care how login occurs, as long as the HttpServletRequest is populated appropriately.

@philwebb philwebb closed this Dec 30, 2016
@philwebb philwebb removed this from the 1.5.0 RC1 milestone Dec 30, 2016
@philwebb philwebb added the declined label Dec 30, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment