management.security.enabled has been removed in Spring Boot 2, but the docs still mention the property. Please adjust the documentation and add a sample for the alternative way to disable security on the management endpoints.

Comment From: mbhave

Also update this section for actuator security.

Comment From: mduesterhoeft

Additional feedback on migrating Spring Boot 1 management endpoint configuration to Spring Boot 2: I found this section a little confusing - https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#production-ready-endpoints-security

If you deploy applications behind a firewall, you may prefer that all your actuator endpoints can be accessed without requiring authentication. You can do so by changing the management.endpoints.web.expose property, as follows:

My experience using actuator together with spring-security-oauth2 was that management.endpoints.web.expose=* is not enough to expose the enabled endpoints. I also had to use a WebSecurityConfigurerAdapter to permitAll on EndpointRequest.toAnyEndpoint().

Comment From: mbhave

Thanks for the feedback. That line refers more to the case where you don't have Spring Security on your classpath. In that case, on setting the management.endpoints.web.expose=* flag, all actuators will be available and will not require authentication. (likely case being that you're behind a firewall).

If Spring Security is on the classpath and no other WebSecurityConfigurerAdapter is present, setting the management.endpoints.web.expose=* flag enables all actuators but they will be secured by Spring Boot auto-config.

If a different WebSecurityConfigurerAdapter is present (which is probably true in your case since you're using OAuth in the app), Spring Boot auto-config will back off and the user is in full control of actuator access rules. For this reason, you need to explicitly add permitAll.

We can update the doc to make that more explicit.
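The third case above (a custom WebSecurityConfigurerAdapter is present, so Spring Boot's actuator security auto-configuration backs off and you must grant access yourself) as an added worked example; this is not code from the issue or from the Spring Boot project, and the class and package names are made up. It assumes Spring Boot 2.0.x, where EndpointRequest lives in org.springframework.boot.actuate.autoconfigure.security.servlet, and uses the property name that shipped in 2.0 GA, management.endpoints.web.exposure.include (the earlier comments use the pre-release spelling management.endpoints.web.expose).

```java
// Hypothetical package and class names; assumed Spring Boot 2.0.x + Spring Security 5.0.
package com.example.actuator;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Equivalent of the Spring Boot 1 setting management.security.enabled=false:
 * every actuator endpoint is reachable without authentication.
 *
 * Together with this class you still need the endpoints exposed over HTTP,
 * because by default only health and info are (application.properties):
 *
 *   management.endpoints.web.exposure.include=*
 *
 * Only do this when the management port/paths are unreachable from outside
 * your network perimeter: env, heapdump, loggers and (if enabled) shutdown
 * are all wide open afterwards.
 */
@Configuration
// Evaluated before the application's own adapter (e.g. an OAuth2 resource
// server config), which would otherwise demand a token for /actuator/**.
@Order(Ordered.HIGHEST_PRECEDENCE + 10)
public class ActuatorPermitAllSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this filter chain to actuator requests only, so the rules
            // below never loosen security on the rest of the application.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                .anyRequest().permitAll()
            .and()
            // Without this, POST endpoints such as /actuator/shutdown are still
            // rejected (403) by Spring Security's CSRF protection even though
            // the endpoint itself is permitAll.
            .csrf().ignoringRequestMatchers(EndpointRequest.toAnyEndpoint());
    }
}
```

Because the chain is restricted with requestMatcher(EndpointRequest.toAnyEndpoint()), it handles only actuator paths; any other WebSecurityConfigurerAdapter in the application keeps owning the remaining URLs. If the actuators are served on a separate port (management.server.port), the same matcher still applies, since EndpointRequest matches on the endpoint mapping rather than a hard-coded /actuator prefix.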

Comment From: balajeetm

So, If i want to expose the actuator endpoints (because the deployment is behind a firewall) similar to what I was doing with spring boot 1, is replacing "management.security.enabled=false" with "management.endpoints.web.expose=*" enough or should anything else be done?

Comment From: mbhave

@balajeetm As I've said in my previous comment, the management.endpoints.web.expose=* flag enables all actuators. Further, if Spring Security is on the classpath and you want the actuators to be accessible without requiring any authentication, you need to provide your own WebSecurityConfigurerAdapter which defines all your security configuration. This sample provides an example of how you can configure your own WebSecurityConfigurerAdapter.

If Spring Security is not present, setting management.endpoints.web.expose=* should be enough to access all the actuator endpoints without requiring any authentication.

Comment From: balajeetm

@mbhave Thanks. That works

Comment From: mariuszs

@balajeetm In the attached example, the method EndpointRequest#excluding cannot be accessed from outside the package.

Comment From: philwebb

@mariuszs That was unfortunately a bug. It's been fixed by #12354 and will be in 2.0.1.

Comment From: jblayneyXpanxion

I'm having an extremely difficult time trying to figure out what management.security.enabled and management.security.roles has been replaced with...

All of these endpoints are available to the world right now. Is there no simple way to lock them down without configuring my WebSecurityConfigurerAdapter?

I've combed through the documentation here multiple times without luck: https://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#production-ready-endpoints-security

Why is the replacement not documented? Sorry - I feel like this is a good spot for this question but can open a question issue if needed - but it seems like it might also be a documentation bug.

Comment From: mbhave

@jblayneyXpanxion as mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. This is a question that would be better suited to Stack Overflow or our gitter channel. If you feel this is a documentation issue please open a new issue rather than commenting on a closed one.

Regarding your point about these endpoints being available to the world, that is not true. The default configuration for all endpoints (except health and info) requires authentication when Spring Security is on the classpath. Additionally the endpoints are not exposed over the web by default. They need to be exposed explicitly using the management.endpoints.web.exposure property.
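For the opposite requirement raised in this thread, replacing management.security.enabled=true plus management.security.roles with Spring Boot 2 equivalents, here is an added worked example that is not code from the issue or from the Spring Boot project. It reproduces what the auto-configuration described above does by default (health and info open, everything else authenticated) but pins the required role explicitly; the package, class name, user name and role name are assumed, and the code targets Spring Boot 2.0.x with Spring Security 5.0.

```java
// Hypothetical package and class names; assumed Spring Boot 2.0.x + Spring Security 5.0.
package com.example.actuator;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Spring Boot 2 counterpart of the Spring Boot 1 pair
 *   management.security.enabled=true
 *   management.security.roles=ACTUATOR
 *
 * Expose the endpoints and define a user that carries the role
 * (application.properties, values are placeholders):
 *
 *   management.endpoints.web.exposure.include=health,info,metrics,loggers,env
 *   spring.security.user.name=ops
 *   spring.security.user.password=change-me
 *   spring.security.user.roles=ACTUATOR
 *
 * Prefer an explicit include list over "*": each endpoint you expose is an
 * extra attack surface if the credentials leak, and env/heapdump in particular
 * disclose secrets and memory contents.
 */
@Configuration
public class ActuatorRoleSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Only actuator requests go through this chain.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests()
                // Liveness probes and load balancers usually need these two
                // unauthenticated; note that the health endpoint only shows
                // details to authorized callers unless
                // management.endpoint.health.show-details is changed.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Every other exposed endpoint requires ROLE_ACTUATOR.
                .anyRequest().hasRole("ACTUATOR")
            .and()
            // HTTP Basic is what monitoring agents typically speak; terminate
            // TLS in front of the app or the credentials travel in clear text.
            .httpBasic()
            .and()
            // Let state-changing actuator calls (e.g. POST /actuator/loggers/...)
            // through CSRF protection for authenticated, non-browser clients.
            .csrf().ignoringRequestMatchers(EndpointRequest.toAnyEndpoint());
    }
}
```

A quick check after deploying: an unauthenticated GET on /actuator/health should return 200, an unauthenticated GET on /actuator/env should return 401, and the same request with the ops user's Basic credentials should return 200. A 403 on a POST endpoint usually means the CSRF exclusion is missing rather than a role problem.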