Protect actuator endpoints out of the box #6889

Closed
philwebb opened this issue Sep 14, 2016 · 6 comments

Labels: type: enhancement (A general enhancement)

Comments

@philwebb (Member)

We should protect actuator endpoints with basic-auth even if Spring Security isn't in use. If the user really wants open endpoints, they should opt-in.

@philwebb philwebb added the type: enhancement A general enhancement label Sep 14, 2016
@philwebb philwebb added this to the 1.5.0 M1 milestone Sep 14, 2016
@philwebb philwebb changed the title Protect endpoints out of the box Protect actuator endpoints out of the box Sep 14, 2016
@philwebb (Member Author)

Related #6888

@joshiste (Contributor) commented Dec 11, 2016

Prior to this commit the actuator endpoints are only protected when Spring Security is on the classpath and a generated password is written to the log, so I can access the endpoints with no further configuration.

After this commit, not using Spring security, I get out-of-the-box protected actuator endpoints but no way to access them, because I have no chance to authenticate. Or am I missing something?

Imho it would be very useful to also generate a password which can be used to access the endpoints or some other form of authentication mechanism...

@philwebb (Member Author)

@joshiste The idea is to make people explicitly opt-in to exposing actuator endpoints rather than accidentally exposing them. I'm not sure that we really want to recreate Spring Security behavior ourselves, especially as a generated password isn't that useful in production apps.

We probably should do more to direct the user so they know what property they need to change to restore Boot 1.4 behavior. I'll reopen this and also tag it for our team discussion to see what the others think.
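The opt-in that the issue body asks for and that philwebb refers to above ("what property they need to change"), shown as an added configuration example. This is not code from the issue or from the Spring Boot project; the property names are the Spring Boot 1.5 `management.security.*`, `security.user.*` and `management.port`/`management.address` keys as I know them, and the thread itself names none of them, so treat them as an assumption to check against the 1.5 reference documentation.

```properties
# Added example, not from the issue. Property names are an assumption based on
# the Spring Boot 1.5 configuration keys; they are not stated in this thread.

# 1.5 default: sensitive actuator endpoints stay protected even when Spring
# Security is NOT on the classpath. Without an authentication mechanism they are
# simply unreachable, which is the situation joshiste describes above.
management.security.enabled=true

# The explicit opt-in that restores the open 1.4 behaviour. Deliberately
# commented out: uncomment only when the management interface is reachable
# solely from a trusted network or from localhost.
# management.security.enabled=false

# Safer alternative to opening the endpoints: keep them protected, add
# spring-boot-starter-security, and configure a real user with the actuator
# role instead of relying on the generated password printed at startup.
security.user.name=ops
security.user.password=${ACTUATOR_PASSWORD}
security.user.role=ACTUATOR
management.security.roles=ACTUATOR

# Optional defence in depth: serve the actuator on a separate port bound to
# the loopback interface, so the endpoints never share the public listener.
management.port=8081
management.address=127.0.0.1
```

The point of listing both settings side by side is the one the thread makes: the unsafe state (`management.security.enabled=false`) has to be written down explicitly, while the default leaves the endpoints closed until an authentication mechanism such as Spring Security's basic auth is wired in. Reading the password from an environment variable keeps it out of the packaged `application.properties`.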

@joshiste (Contributor)

@mbhave you removed the discussion label. Can you tell what the results of this discussion are?

@philwebb (Member Author)

@joshiste We're going to make the message more explicit so that people know what to do and investigate how much work it would be to implement basic-auth directly in Boot.

@philwebb (Member Author)

See #7673 for basic auth investigation.

philwebb added a commit that referenced this issue Jan 4, 2017
Update documentation to align with the new role based method.

See gh-6889
@philwebb philwebb closed this as completed Jan 6, 2017