I have a Spring Boot application which has management endpoints enabled.

The Spring application server and the management server are allocated different sets of ports. The Spring application consists of a couple of application filters which are invoked when HTTP requests are made to the server.

Issue

Spring Version 2.6.10

WebFlux and WebFluxSecurity disabled

  • The filters were extending org.springframework.web.filter.GenericFilterBean
  • The filters are invoked only when the application endpoints are invoked. They do not get invoked when the management endpoints, like the health check, are invoked.

WebFlux and WebFluxSecurity enabled

  • The filters now extend org.springframework.web.server.WebFilter
  • The filters are invoked in all cases. When the actuator endpoints are invoked, the filters which are meant for application logic get invoked.

Workaround

To work around this issue, I have added an org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher in the filters. This will filter out the management endpoints.

EndpointRequest.to(HealthEndpoint.class, PrometheusScrapeEndpoint.class, MetricsEndpoint.class)

My question is, this somehow does not seem to be a clean solution. For every health check call, these filters will get invoked and the condition won't match. The ideal solution would be that the filters should not have been invoked for management endpoints.
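
The workaround described in the post above, written out as an added example (not the poster's code and not Spring Boot's own). It assumes Spring Boot 2.6 package names; the class name `TenantHeaderWebFilter` and the `X-Tenant-Id` header check are hypothetical stand-ins for the application logic.

```java
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.metrics.MetricsEndpoint;
import org.springframework.boot.actuate.metrics.export.prometheus.PrometheusScrapeEndpoint;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

// Hypothetical application filter; the name and the header check are illustrative.
@Component
public class TenantHeaderWebFilter implements WebFilter {

    // Explicit list of actuator endpoints that skip the application logic.
    // Endpoints not listed here still go through the application logic.
    private final ServerWebExchangeMatcher managementEndpoints = EndpointRequest.to(
            HealthEndpoint.class, PrometheusScrapeEndpoint.class, MetricsEndpoint.class);

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        return managementEndpoints.matches(exchange)
                .map(MatchResult::isMatch)
                .flatMap(isManagement -> isManagement
                        ? chain.filter(exchange) // actuator request: pass through untouched
                        : applyApplicationLogic(exchange, chain));
    }

    // Stand-in for the real application logic: require a (hypothetical) X-Tenant-Id header.
    private Mono<Void> applyApplicationLogic(ServerWebExchange exchange, WebFilterChain chain) {
        String tenant = exchange.getRequest().getHeaders().getFirst("X-Tenant-Id");
        if (tenant == null || tenant.trim().isEmpty()) {
            exchange.getResponse().setStatusCode(HttpStatus.BAD_REQUEST);
            return exchange.getResponse().setComplete();
        }
        return chain.filter(exchange);
    }
}
```

The matcher is evaluated on every request, including each health check, which is the overhead the post raises. When the application logic in such a filter is a security control, naming the skipped endpoints one by one keeps any other actuator endpoint behind that control.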

Comment From: bclozel

I'm not sure I understand fully the scope of this issue. Could you answer the following questions?

  1. It seems that we can remove Spring Security completely from the picture, can we?
  2. In the "WebFlux and WebFluxSecurity disabled" case, you're mentioning a GenericFilterBean, which is a Servlet filter - this does not apply in the case of reactive applications. Can you clarify?

It sounds like this issue can be summarized as follows; for a Spring Boot app with a separate management port:

  • when a Servlet Filter is declared as a bean, this filter is not called for requests on the management port
  • when a reactive WebFilter is declared as a bean, this filter is called for requests on the management port

Does that summarize the issue here?

Comment From: adhithya-shankar

Yes, that is correct.

Comment From: philwebb

I believe this is a duplicate of #31811