Based on the session given by Phil Webb [1], in the project with a simple demo he showcased that the SanitizingFunction can be included for hiding, for example, command line arguments from the actuator endpoint.

Based on the code given here, if there are two command line arguments passed to this code, --test.secret=password and --test.key=important, then

  • password will actually be displayed as ****
  • important will be displayed as you're never gonna get it

Even though both parameters are passed as command line arguments, for password the newly defined SanitizingFunction was not applied.

Enhancement: Either support some sort of order or override the default behavior?

[1] https://github.com/philwebb/whats-new-in-spring-boot-2-6

Comment From: philwebb

A few options spring to mind for this issue.

  • We could add @Order support to the Sanitizer default sanitizing function. This might be a bit tricky because the function is added by the Sanitizer so we'd only be able to order on class annotations (not on @Bean ones).
  • We could make Sanitizer a bean and allow a completely different implementation
  • We could add a property to disable the default ones
  • We could add something to SanitizableData to indicate that a value has been sanitized already so later functions can skip it.

In the meantime, I think you can set management.endpoint.env.keys-to-sanitize (or equivalent other properties) to an empty list so that the default function becomes a no-op.
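
A sketch of the workaround described in the comment above, added here as an example and not taken from the issue, the demo project or Spring Boot itself: once keys-to-sanitize is emptied, a single SanitizingFunction has to mask command line arguments and also the key-based secrets the default function no longer covers. The class name, the suffix list and the ****** mask used for non-command-line values are assumptions of this example.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import org.springframework.boot.actuate.endpoint.SanitizingFunction;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.CommandLinePropertySource;
import org.springframework.core.env.PropertySource;

// Assumes the workaround from the thread is set in application.properties:
//   management.endpoint.env.keys-to-sanitize=
// With the default function a no-op, this bean is the only masking left,
// so it must also cover sensitive keys coming from every other property source.
@Configuration(proxyBeanMethods = false)
class EnvSanitizingConfiguration { // hypothetical class name

    // Suffix list chosen for this example; adjust it to your own key naming.
    private static final List<String> SENSITIVE_SUFFIXES =
            Arrays.asList("password", "secret", "key", "token");

    @Bean
    SanitizingFunction envSanitizingFunction() {
        return (data) -> {
            if (data.getValue() == null) {
                return data; // nothing to hide
            }
            PropertySource<?> source = data.getPropertySource();
            // Every command line argument gets the custom replacement,
            // whether or not its key looks sensitive (--test.secret, --test.key).
            if (source != null && CommandLinePropertySource
                    .COMMAND_LINE_PROPERTY_SOURCE_NAME.equals(source.getName())) {
                return data.withValue("you're never gonna get it");
            }
            // Key-based masking for all other sources, replacing what the
            // disabled default function used to do.
            String key = data.getKey().toLowerCase(Locale.ROOT);
            boolean sensitive = SENSITIVE_SUFFIXES.stream().anyMatch(key::endsWith);
            return sensitive ? data.withValue("******") : data;
        };
    }
}
```

After deploying a change like this, check the env and configprops actuator responses for a known secret from application.properties as well as from the command line, since both now depend on this one function.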

Comment From: philwebb

Closing in favor of PR #30006. Thanks @terminux!

Comment From: robin-carry

Thank you @terminux for the fix!