Overview

If a Spring Boot application has configured a separate management port, Togglz will still also run on the application port by default. Since the console is also enabled by default, this might be a security risk (although by default the ROLE_ADMIN will be required).

Expected

If togglz.console.use-management-port is not configured, the console will run only on the management port (if available).

Actual

If togglz.console.use-management-port is not configured, the console will run on the management port and the application port.
If togglz.console.use-management-port is false, the console will run on the application port.
If togglz.console.use-management-port is true, the console will run on the management port.

Additional Information

Potentially the behavior described could be intended, but based on the documentation and the naming of variables and classes (e.g. TogglzConsoleBaseConfiguration#OnConsoleAndNotUseManagementPort) I assume that the current behavior is not intended.

Note that by default the Admin Console runs on the management port (if configured). If the management port (management.port) is not configured it will run on the application port. Setting togglz.console.use-management-port to false will always run the Admin Console on the application port.
(Spring Boot Starter documentation, section "Admin Console Security")

The current behavior was introduced with PR #479. matchIfMissing = true will always set the value to true if it is not explicitly set. So if the user has not explicitly configured anything, both OnConsoleAndUseManagementPort and OnConsoleAndNotUseManagementPort (see TogglzConsoleBaseConfiguration) will be true:

The PR mentioned above apparently attempted to fix the problem that no console was running at all if no management port was configured (see #341).

Changing the current behavior could be a breaking change for some users (if they have a management port, but currently rely on the availability on the application port with no explicit configuration).
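To make the matchIfMissing mechanism concrete, the following is an added illustration, not Togglz's own code: the configuration class and bean names are made up, and it assumes spring-boot-autoconfigure is on the classpath. It shows why two @ConditionalOnProperty conditions that both set matchIfMissing = true both match when the property is absent, next to a variant where only an explicit false selects the application port.

```java
import java.util.Collection;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical illustration (not Togglz's own code) of the overlapping
// @ConditionalOnProperty pair the issue describes; the String bean values
// stand in for "where the console would be registered".
public class UseManagementPortConditionDemo {
    static final String PROP = "togglz.console.use-management-port";

    @Configuration
    static class CurrentBehaviour {
        // matchIfMissing = true on BOTH sides: with the property unset, both
        // conditions match and the console ends up on both ports.
        @Bean
        @ConditionalOnProperty(name = PROP, havingValue = "true", matchIfMissing = true)
        String onManagementPort() { return "management port"; }
        @Bean
        @ConditionalOnProperty(name = PROP, havingValue = "false", matchIfMissing = true)
        String onApplicationPort() { return "application port"; }
    }

    @Configuration
    static class ExplicitOptOutOnly {
        // Only an explicit "false" selects the application port, so an unset
        // property yields the management-port registration alone. By itself
        // this does not cover "no management port configured" (see #341).
        @Bean
        @ConditionalOnProperty(name = PROP, havingValue = "true", matchIfMissing = true)
        String onManagementPort() { return "management port"; }
        @Bean
        @ConditionalOnProperty(name = PROP, havingValue = "false")
        String onApplicationPort() { return "application port"; }
    }

    // Evaluate the conditions in a plain Spring context, whose Environment reads
    // system properties; a null value means "property not configured".
    static Collection<String> registrations(Class<?> config, String value) {
        if (value == null) System.clearProperty(PROP); else System.setProperty(PROP, value);
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(config)) {
            return ctx.getBeansOfType(String.class).values();
        }
    }

    public static void main(String[] args) {
        System.out.println("unset, current : " + registrations(CurrentBehaviour.class, null));
        System.out.println("unset, opt-out : " + registrations(ExplicitOptOutOnly.class, null));
        System.out.println("false, current : " + registrations(CurrentBehaviour.class, "false"));
    }
}
```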