1.5.0.RC1 - Actuator endpoint security settings #8070

Closed
tedberg opened this issue Jan 23, 2017 · 10 comments

Comments

@tedberg

tedberg commented Jan 23, 2017

Upgraded from 1.4.x to 1.5.0.RC1 smoothly, except for the security settings related to the actuator endpoints:

I was using these settings in 1.4.x, which made most endpoints protected, but left info exposed as desired:

endpoints.sensitive=true
endpoints.info.sensitive=false
endpoints.hypermedia.enabled=true

With 1.5, everything became secure, even info, despite the above setting. So then, I turned off the newer security setting via:

management.security.enabled=false

This makes all actuator endpoints freely available, despite "endpoints.sensitive=true".

These settings are still mapped to Boot classes, EndpointProperties in this case, in 1.5. So, perhaps I am not understanding how management.security and endpoints.sensitive are supposed to interact.

So, this request is either to fix a bug if one exists, or to add a bit of documentation as to how these settings relate to one another.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 23, 2017
@rajadilipkolli
Contributor

Please read 1.5.0.RC1 release notes about the change

@philwebb
Member

@rajadileepkolli Although the release notes document the changes, it sounds like @tedberg has a legitimate bug here. We'll investigate.

@mbhave
Contributor

mbhave commented Jan 23, 2017

@tedberg I wasn't able to reproduce this with curl http://localhost:8080/info after running the SampleActuatorApplication. It would be helpful if you could provide a sample that demonstrates this behavior.

@mbhave mbhave added the status: waiting-for-feedback We need additional information before we can continue label Jan 24, 2017
@davidmelia

Hi @rajadilipkolli @philwebb I have exactly the same bug updating from 1.4.3 to 1.5. I have a bitbucket example illustrating this on https://bitbucket.org/davidmelia/spring-boot-security-bug

By default this is a 1.4.3 Boot project and if you run it you can access the actuator endpoint on http://localhost:8081/manage/health no problem. If you change the pom to point to 1.5.0.BUILD-SNAPSHOT and navigate to http://localhost:8081/manage/health my custom security kicks on even though management.security.enabled=false

Thanks

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 25, 2017
@mbhave
Contributor

mbhave commented Jan 25, 2017

@davidmelia The management.security.enabled flag is meant to turn off the ManagementWebSecurityAutoConfiguration which provides basic auth security for the actuator endpoints. If you configure custom security, you need to explicitly add something like http.authorizeRequests().antMatchers("/manage/**") in your example, to make the actuator endpoints insecure.

@davidmelia

davidmelia commented Jan 25, 2017

@mbhave That seems to be a change in behaviour as Spring Boot 1.4 Actuator seamlessly figures the above out when using custom auth i.e. I don't have to add .antMatchers("/manage/**").permitAll()

Maybe we need a footnote in the 1.5 migration guide about this potential behaviour difference with custom auth + actuator.

Thanks

@mbhave
Contributor

mbhave commented Jan 25, 2017

@davidmelia In 1.4, the ManagementWebSecurityAutoConfiguration had its own IgnoredPathsWebSecurityConfigurerAdapter that added the actuator endpoints as ignored paths. In 1.5 we removed the duplication for configuring ignored paths and now it happens only in the SpringBootWebSecurityConfiguration. However, with custom security, the SpringBootWebSecurityConfiguration gets turned off, implying that all the security configuration will be handled by the custom config.

We will add this difference in behavior to the release notes. Thanks for pointing that out.
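An added example (not code from the issue, the Bitbucket sample, or Spring Boot itself) of the custom security configuration mbhave describes, written for Boot 1.5 with Spring Security 4: it restores what 1.4's ignored-paths handling gave for free by permitting the non-sensitive endpoints explicitly while keeping the sensitive ones behind a role. It assumes management.context-path=/manage as in the Bitbucket sample, management.security.enabled left at its default of true, and ACTUATOR as the role name (assumed to be the default value of management.security.roles in 1.5).

```java
// Hypothetical custom configuration for Spring Boot 1.5 / Spring Security 4.
// Because a WebSecurityConfigurerAdapter switches off SpringBootWebSecurityConfiguration,
// nothing else ignores the actuator paths any more: every /manage/** rule must be here.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class CustomSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Non-sensitive endpoints (as in 1.4): reachable without credentials.
                // Assumes management.context-path=/manage.
                .antMatchers("/manage/info", "/manage/health").permitAll()
                // Sensitive endpoints: Spring Security authenticates the caller and
                // requires ROLE_ACTUATOR. With management.security.enabled=true the
                // endpoint additionally calls request.isUserInRole("ACTUATOR"), so an
                // authenticated user without the role is still refused. (ACTUATOR is
                // assumed to be the 1.5 default of management.security.roles.)
                .antMatchers("/manage/**").hasRole("ACTUATOR")
                // The application's own pages: whatever rule the app already used.
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

A blanket `.antMatchers("/manage/**").permitAll()` also makes the endpoints reachable again, but it hands sensitive endpoints such as env and trace to unauthenticated callers; listing the non-sensitive paths individually keeps 1.4's behaviour without that exposure.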

@tedberg
Author

tedberg commented Jan 25, 2017 via email

@philwebb
Member

@tedberg Actuator security is now enforced directly by the endpoints. In other words we call HttpServletRequest.isUserInRole(...) for every sensitive endpoint. As far as the actuator endpoints are concerned, the user has to be in a valid role for a sensitive endpoint to be accessed. It doesn't really care if Spring Security or some other security framework sets that up.

We'll be hopefully making this easier to understand in Spring Boot 2.0.

@mbhave mbhave removed the status: waiting-for-triage An issue we've not yet triaged label Jan 31, 2017
@wilkinsona
Member

There's now a section in the release notes about the change in how ignored paths are handled: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.5-Release-Notes#ignored-paths-and-enablewebsecurity. There are various issues labeled with theme: security that will simplify things in 2.0. #7958, for example.

I think this issue has run its course, so I'm going to close it. Please let me know if I've missed something.
