Spring Boot 1.5.1 Actuator Endpoints security configuration issue

[Artgit]

This is my Spring Boot 1.5.1 Actuator application.properties:

#Spring Boot Actuator
management.contextPath: /actuator
management.security.roles=R_0

This is my WebSecurityConfig:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Autowired
	private UserDetailsService userDetailsService;

	@Value("${logout.success.url}")
	private String logoutSuccessUrl;

	@Override
	protected void configure(HttpSecurity http) throws Exception {

		// @formatter:off
		http.addFilterBefore(new CorsFilter(), ChannelProcessingFilter.class);
		
		http
			.csrf().ignoringAntMatchers("/v1.0/**", "/logout")
        .and()
        	.authorizeRequests()
        	
        	.antMatchers("/oauth/authorize").authenticated()
            //Anyone can access the urls
        	.antMatchers("/signin/**").permitAll()
        	.antMatchers("/v1.0/**").permitAll()
            .antMatchers("/auth/**").permitAll()
            .antMatchers("/actuator/health").permitAll()
            .antMatchers("/actuator/**").hasAuthority("R_0")
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
        .and()
            .formLogin()
            	.loginPage("/login")
            	.loginProcessingUrl("/login")
            	.failureUrl("/login?error=true")
            	.usernameParameter("username")
            	.passwordParameter("password")
            	.permitAll()
            .and()
                .logout()
                	.logoutUrl("/logout")
	                .logoutSuccessUrl(logoutSuccessUrl)
	                .permitAll();
		// @formatter:on
	}

	/**
	 * Configures the authentication manager bean which processes authentication requests.
	 */
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
	}

	@Override
	@Bean
	public AuthenticationManager authenticationManagerBean() throws Exception {
		return super.authenticationManagerBean();
	}

}

Right now I'm successfully able to login in my application with a right user that has R_0 authorities but when I trying to access for example

http://localhost:8080/api/actuator/beans

I receive a following error:

There was an unexpected error (type=Forbidden, status=403).
Access is denied. User must have one of the these roles: R_0

How to correctly configure Spring Boot Actuator in order to be aware about the correct Authentication ?

Right now in order to get it workin I have to do the following trick:

management.security.enabled=false

.antMatchers("/actuator/health").permitAll()
.antMatchers("/actuator/**").hasAuthority("R_0")

Is any chance to configure Actuator in a right way ?

This is my StackOverflow question: http://stackoverflow.com/questions/42142556/spring-boot-actuator-endpoints-security-doesnt-work-with-custom-spring-security

[snicoll]

If you add @EnableWebSecurity you're indicating that you want to be in full control. Unfortunately, that wasn't applied properly in Spring Boot 1.4 and has been fixed in 1.5. So this configuration of yours is not "a trick". You are fully configuring security so you need to configure that R_0 role of yours.

[Artgit]

Thanks for your answer. With this approach(own configuration) I can't see right now how to control access level for /actuator/health endpoint. Previously (at Spring Boot 1.4) for anonymous users it returns minimum of information.. something like this

{"status":"UP"}

and

{"status":"UP","diskSpace": {"status":"UP","total":1951300292608,"free":1899948589056,"threshold":10485760}}

for authenticated users. But right now with

management.security.enabled=false

it always returns the fill info like

{"status":"UP","total":1951300292608,"free":1899948589056,"threshold":10485760}}.

Is it possible (and if so - how) to get the same behavior as previously with own security configuration ?

[wilkinsona]

Is it possible (and if so - how) to get the same behavior as previously with own security configuration?

I don't believe you can and that looks like an oversight in the new approach to me.

[wilkinsona]

I don't believe you can and that looks like an oversight in the new approach to me.

Actually, I believe you can. Leave management.security.enabled set to true and give your WebSecurityConfigurerAdapter an order with higher precedence (lower order) than ManagementServerProperties.BASIC_AUTH_ORDER. You could just use ManagementServerProperties.ACCESS_OVERRIDE_ORDER.

@Artgit Please give that a try and let us know how you get on.