The /actuator/health/{liveness,readiness} endpoints and /actuator/health are open.
I think /livez and /readyz stay locked even when CloudPlatform is NONE and management.endpoint.health.probes.enabled=true (but /actuator/health/* is open). A related but different problem?
Comment From: wilkinsona
The default Actuator web security permits all for requests to the health endpoint:
https://github.com/spring-projects/spring-boot/blob/fa131fa6a0dbab704597ea15e3d88d763ee3d027/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java#L63
If we want livez and readyz to be open by default as well, we'll have to decide if that should be covered by the matcher returned by EndpointRequest.to(HealthEndpoint.class) or if the additional paths should be covered separately.
If we do make a change here, I think it should only happen in a new minor. I wouldn't want to open up livez and readyz by default in a patch release.
Comment From: philwebb
We also need to update ReactiveManagementWebSecurityAutoConfiguration. Looking at the code, I don't think we can just change EndpointRequest.to(HealthEndpoint.class) since AdditionalHealthEndpointPath can be exposed on the main port when the management context is on a different one.
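
An application-level configuration that opens the probe paths explicitly instead of relying on the defaults discussed in this thread. This is an added example, not code from the thread or from Spring Boot; it assumes a servlet application on Spring Security 6 with /livez and /readyz served on the main port, and the class and bean names are hypothetical.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name. Declaring any SecurityFilterChain bean makes the
// default Actuator web security back off, so every rule has to be stated here.
@Configuration(proxyBeanMethods = false)
public class ProbeSecurityConfiguration {

    @Bean
    SecurityFilterChain probeAwareSecurity(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((requests) -> requests
                // Covers /actuator/health and /actuator/health/{liveness,readiness},
                // the same matcher the default configuration permits.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // The additional probe paths are matched separately, by literal path,
                // and limited to GET so nothing else under these names is opened.
                .requestMatchers(HttpMethod.GET, "/livez", "/readyz").permitAll()
                // Everything else, including the other Actuator endpoints, stays locked.
                .anyRequest().authenticated());
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Listing the two paths literally keeps the open surface visible in review: only the probe responses are reachable without credentials, and any path added later stays authenticated until someone permits it on purpose.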