1.5.0.RC1 - Actuator endpoint security settings #8070
Comments
Please read the 1.5.0.RC1 release notes about the change.
@rajadileepkolli Although the release notes document the changes, it sounds like @tedberg has a legitimate bug here. We'll investigate.
@tedberg I wasn't able to reproduce this with
Hi @rajadilipkolli @philwebb, I have exactly the same bug updating from 1.4.3 to 1.5. I have a bitbucket example illustrating this on https://bitbucket.org/davidmelia/spring-boot-security-bug. By default this is a 1.4.3 Boot project, and if you run it you can access the actuator endpoint on http://localhost:8081/manage/health no problem. If you change the pom to point to 1.5.0.BUILD-SNAPSHOT and navigate to http://localhost:8081/manage/health, my custom security kicks on even though management.security.enabled=false. Thanks
@davidmelia The
@mbhave That seems to be a change in behaviour, as Spring Boot 1.4 Actuator seamlessly figures the above out when using custom auth, i.e. I don't have to add Maybe we need a footnote in the 1.5 migration guide about this potential behaviour difference with custom auth + actuator. Thanks
@davidmelia In 1.4, the ManagementWebSecurityAutoConfiguration had its own IgnoredPathsWebSecurityConfigurerAdapter that added the actuator endpoints as ignored paths. In 1.5 we removed the duplication for configuring ignored paths and now it happens only in the SpringBootWebSecurityConfiguration. However, with custom security, the SpringBootWebSecurityConfiguration gets turned off, implying that all the security configuration will be handled by the custom config. We will add this difference in behavior to the release notes. Thanks for pointing that out.
So, given this information, in 1.5, what is the purpose of the configuration setting that declares the endpoints as being sensitive or not? It seems from this explanation that everything is to pass through a traditional Spring Security setup now, making the older config settings irrelevant.
On Jan 25, 2017, at 9:44 AM, Madhura ***@***.***> wrote:
@davidmelia In 1.4, the ManagementWebSecurityAutoConfiguration had its own IgnoredPathsWebSecurityConfigurerAdapter that added the actuator endpoints as ignored paths. In 1.5 we removed the duplication for configuring ignored paths and now it happens only in the SpringBootWebSecurityConfiguration. However, with custom security, the SpringBootWebSecurityConfiguration gets turned off, implying that all the security configuration will be handled by the custom config.
We will add this difference in behavior to the release notes. Thanks for pointing that out.
@tedberg Actuator security is now enforced directly by the endpoints. In other words we call We'll be hopefully making this easier to understand in Spring Boot 2.0.
There's now a section in the release notes about the change in how ignored paths are handled: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.5-Release-Notes#ignored-paths-and-enablewebsecurity. There are various issues labeled with I think this issue has run its course, so I'm going to close it. Please let me know if I've missed something.
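The practical consequence of the explanation above (a custom WebSecurityConfigurerAdapter switches off SpringBootWebSecurityConfiguration, so the actuator paths are no longer ignored for you) is that the custom config must state the actuator policy itself. The following is an added illustration, not code from the issue or from the Spring Boot project; it assumes a Spring Boot 1.5 app with management.context-path=/manage (as in the bitbucket example's URLs) and uses the ACTUATOR role, which is the 1.5 default for management.security.roles.

```java
package com.example.demo;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Custom security for a Spring Boot 1.5 application (assumed layout:
 * management.context-path=/manage). Declaring this adapter disables
 * SpringBootWebSecurityConfiguration, and with it the 1.4-era "ignored paths"
 * for the actuator, so the health/info exposure that used to come for free
 * has to be spelled out here.
 */
@Configuration
@EnableWebSecurity
public class ActuatorAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Non-sensitive endpoints stay public, reproducing the 1.4 behaviour
                // the thread relied on (health and info exposed, the rest protected).
                .antMatchers("/manage/health", "/manage/info").permitAll()
                // Sensitive endpoints (env, beans, shutdown, ...) require an operator
                // role. ACTUATOR mirrors the 1.5 default of management.security.roles.
                .antMatchers("/manage/**").hasRole("ACTUATOR")
                // Application URLs keep whatever policy the app already enforced.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
        // Using permitAll() rather than web.ignoring() keeps the security filter
        // chain (and its response headers) in place for the public endpoints;
        // ignoring bypasses the chain entirely, which is what 1.4 did implicitly.
    }
}
```

With management.security.enabled=true the endpoint-level check described in the comment above still applies on top of this filter chain; setting it to false removes that check but leaves this adapter's rules in force.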
Upgraded from 1.4.x to 1.5.0.RC1 smoothly, except for the security settings related to the actuator endpoints:
I was using these settings in 1.4.x, which made most endpoints protected, but left info exposed as desired:
With 1.5, everything became secure, even info, despite the above setting. So then, I turned off the newer security setting via:
This makes all actuator endpoints freely available, despite "endpoints.sensitive=true".
These settings are still mapped to Boot classes, EndpointProperties in this case, in 1.5. So, perhaps I am not understanding how management.security and endpoints.sensitive are supposed to interact. So, this request is either to fix a bug if one exists, or to add a bit of documentation as to how these settings relate to one another.