Provide first class security support for actuator endpoints #6888

Closed
philwebb opened this issue Sep 14, 2016 · 4 comments
@philwebb
Member

We need a way to secure actuator endpoints without necessarily needing Spring Security. The current situation of needing to make Spring Security directly aware of actuator URLs is quite problematic.

@philwebb philwebb added this to the 1.5.0 M1 milestone Sep 14, 2016
@philwebb philwebb added the type: enhancement A general enhancement label Sep 14, 2016
@philwebb
Member Author

The solution should be pluggable so that people can develop their own strategies.

@philwebb
Member Author

philwebb commented Oct 5, 2016

Changing EndpointHandlerMapping.extendInterceptors to add a HandlerInterceptor or WebRequestInterceptor may work. We could use the request.hasRole method to ensure that something has set up security.
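
One way the interceptor idea in the comment above could look, as an added example that is not part of the issue thread or Spring Boot's own code. It assumes the comment's `request.hasRole` corresponds to the Servlet API's `HttpServletRequest.isUserInRole`; the class name `ActuatorRoleInterceptor` and its role list are hypothetical.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

// Hypothetical interceptor (assumed name and roles, not Spring Boot code).
// It depends only on the Servlet API, so whatever populates isUserInRole and
// getUserPrincipal (Spring Security, container auth, a custom filter that
// wraps the request) can act as the pluggable security strategy.
public class ActuatorRoleInterceptor implements HandlerInterceptor {

    private final Set<String> allowedRoles;

    public ActuatorRoleInterceptor(String... allowedRoles) {
        this.allowedRoles = new LinkedHashSet<>(Arrays.asList(allowedRoles));
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler) throws Exception {
        for (String role : this.allowedRoles) {
            if (request.isUserInRole(role)) {
                return true; // some security mechanism vouched for this caller
            }
        }
        // Fail closed: when nothing has set up security, isUserInRole is false
        // for every role, so the endpoint stays protected instead of open.
        if (request.getUserPrincipal() != null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated, wrong role
        } else {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // not authenticated
        }
        return false;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
            Object handler, ModelAndView modelAndView) throws Exception {
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
            Object handler, Exception ex) throws Exception {
    }
}
```

Constructed with no roles, this interceptor rejects every request, which keeps a misconfigured deployment closed rather than exposed.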

@mbhave mbhave assigned mbhave and unassigned mbhave Dec 5, 2016
@mbhave
Contributor

mbhave commented Dec 5, 2016

@philwebb the pluggable strategies solution will be for 2.0, right? Protecting actuators out of the box for 1.5 will be taken care of as part of #6889.

@philwebb philwebb removed this from the 1.5.0 RC1 milestone Dec 5, 2016
@philwebb philwebb removed the type: enhancement A general enhancement label Dec 5, 2016
@philwebb
Member Author

philwebb commented Dec 5, 2016

I think #6889 alone will be enough to support pluggable security. As long as the hasRole method is supported somehow then any security should work.

@philwebb philwebb closed this as completed Dec 5, 2016