root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 15 Packages Projects Releases Wiki Activity

Merge branch '3.1.x' 

Closes gh-38080
This commit is contained in:
Moritz Halbritter 2023-10-27 14:21:26 +02:00
parent f66c76e2a8 140ba4039d
commit 0e63326beb
4 changed files with 41 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
spring-boot-project/spring-boot-actuator-autoconfigure/src/docs/asciidoc/endpoints/env.adoc
View File

@ -14,6 +14,7 @@ The resulting response is similar to the following:
include::{snippets}/env/all/http-response.adoc[] include::{snippets}/env/all/http-response.adoc[]
NOTE: Sanitization of sensitive values has been switched off for this example.
[[env.entire.response-structure]] [[env.entire.response-structure]]
@ -37,7 +38,7 @@ The resulting response is similar to the following:
include::{snippets}/env/single/http-response.adoc[] include::{snippets}/env/single/http-response.adoc[]
NOTE: Sanitization of sensitive values has been switched off for this example.
[[env.single-property.response-structure]] [[env.single-property.response-structure]]
=== Response Structure === Response Structure

33
spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc
View File

@ -33,9 +33,11 @@ The following technology-agnostic endpoints are available:
| `configprops` | `configprops`
| Displays a collated list of all `@ConfigurationProperties`. | Displays a collated list of all `@ConfigurationProperties`.
Subject to <<actuator#actuator.endpoints.sanitization, sanitization>>.
| `env` | `env`
| Exposes properties from Spring's `ConfigurableEnvironment`. | Exposes properties from Spring's `ConfigurableEnvironment`.
Subject to <<actuator#actuator.endpoints.sanitization, sanitization>>.
| `flyway` | `flyway`
| Shows any Flyway database migrations that have been applied. | Shows any Flyway database migrations that have been applied.
@ -70,6 +72,7 @@ The following technology-agnostic endpoints are available:
|`quartz` |`quartz`
|Shows information about Quartz Scheduler jobs. |Shows information about Quartz Scheduler jobs.
Subject to <<actuator#actuator.endpoints.sanitization, sanitization>>.
| `scheduledtasks` | `scheduledtasks`
| Displays the scheduled tasks in your application. | Displays the scheduled tasks in your application.
@ -277,6 +280,36 @@ NOTE: The `management.endpoint.<name>` prefix uniquely identifies the endpoint t
[[actuator.endpoints.sanitization]]
=== Sanitize Sensitive Values
Information returned by the `/env`, `/configprops` and `/quartz` endpoints can be somewhat sensitive.
All values are sanitized by default (that is replaced by `+******+`).
Viewing original values in the unsanitized form can be configured per endpoint using the `showValues` property for that endpoint.
This property can be configured to have the following values:
- `ALWAYS` - all values are shown in their unsanitized form to all users
- `NEVER` - all values are always sanitized (that is replaced by `+******+`)
- `WHEN_AUTHORIZED` - all values are shown in their unsanitized form to authorized users
For HTTP endpoints, a user is considered to be authorized if they have authenticated and have the roles configured by the endpoint's roles property.
By default, any authenticated user is authorized.
For JMX endpoints, all users are always authorized.
[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
----
management:
endpoint:
env:
show-values: WHEN_AUTHORIZED
roles: "admin"
----
The configuration above enables the ability for all users with the `admin` role to view all values in their original form from the `/env` endpoint.
NOTE: When `show-values` is set to `ALWAYS` or `WHEN_AUTHORIZED` any sanitization applied by a `<<howto#howto.actuator.customizing-sanitization, SanitizingFunction>>` will still be applied.
[[actuator.endpoints.hypermedia]] [[actuator.endpoints.hypermedia]]
=== Hypermedia for Actuator Web Endpoints === Hypermedia for Actuator Web Endpoints
A "`discovery page`" is added with links to all the endpoints. A "`discovery page`" is added with links to all the endpoints.

4
spring-boot-project/spring-boot-docs/src/docs/asciidoc/anchor-rewrite.properties
View File

@ -1022,3 +1022,7 @@ container-images.efficient-images.unpacking=deployment.efficient.unpacking
# Spring Boot 3.1 - 3.2 migrations # Spring Boot 3.1 - 3.2 migrations
io.rest-client.resttemplate.http-client=io.rest-client.clienthttprequestfactory io.rest-client.resttemplate.http-client=io.rest-client.clienthttprequestfactory
# gh-35917
howto.actuator.sanitize-sensitive-values=actuator.endpoints.sanitization
howto.actuator.sanitize-sensitive-values.customizing-sanitization=howto.actuator.customizing-sanitization

34
spring-boot-project/spring-boot-docs/src/docs/asciidoc/howto/actuator.adoc
View File

@ -34,38 +34,8 @@ See also the section on "`<<web#web.servlet.spring-mvc.error-handling, Error Han
[[howto.actuator.sanitize-sensitive-values]] [[howto.actuator.customizing-sanitization]]
=== Sanitize Sensitive Values === Customizing Sanitization
Information returned by the `/env`, `/configprops` and `/quartz` endpoints can be somewhat sensitive.
All values are sanitized by default (that is replaced by `+******+`).
Viewing original values in the unsanitized form can be configured per endpoint using the `showValues` property for that endpoint.
This property can be configured to have the following values:
- `ALWAYS` - all values are shown in their unsanitized form to all users
- `NEVER` - all values are always sanitized (that is replaced by `+******+`)
- `WHEN_AUTHORIZED` - all values are shown in their unsanitized form to authorized users
For HTTP endpoints, a user is considered to be authorized if they have authenticated and have the roles configured by the endpoint's roles property.
By default, any authenticated user is authorized.
For JMX endpoints, all users are always authorized.
[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
----
management:
endpoint:
env:
show-values: WHEN_AUTHORIZED
roles: "admin"
----
The configuration above enables the ability for all users with the `admin` role to view all values in their original form from the `/env` endpoint.
NOTE: When `show-values` is set to `ALWAYS` or `WHEN_AUTHORIZED` any sanitization applied by a `<<howto#howto.actuator.sanitize-sensitive-values.customizing-sanitization, SanitizingFunction>>` will still be applied.
[[howto.actuator.sanitize-sensitive-values.customizing-sanitization]]
==== Customizing Sanitization
To take control over the sanitization, define a `SanitizingFunction` bean. To take control over the sanitization, define a `SanitizingFunction` bean.
The `SanitizableData` with which the function is called provides access to the key and value as well as the `PropertySource` from which they came. The `SanitizableData` with which the function is called provides access to the key and value as well as the `PropertySource` from which they came.
This allows you to, for example, sanitize every value that comes from a particular property source. This allows you to, for example, sanitize every value that comes from a particular property source.