Remove management.security.enabled from documentation
Fixes gh-11383
parent fc3b43e832
commit 7c5cf903fc
@ -181,8 +181,9 @@ register an `EndpointFilter` bean.
[[production-ready-endpoints-security]]
=== Securing HTTP Endpoints
You should take care to secure HTTP endpoints in the same way that you would any other
sensitive URL. Spring Boot does not apply any security on your behalf. However, it does
provide some convenient RequestMatcher` objects that can be used in combination with
sensitive URL. If Spring Security is present, endpoints are secured by default using Spring Security’s
content-negotiation strategy. If you wish to configure custom security for HTTP endpoints, for example, only allow users
with a certain role to access them, Spring Boot provides some convenient `RequestMatcher` objects that can be used in combination with
Spring Security.

A typical Spring Security configuration might look something like the following example:
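Review bot: the new sentence "endpoints are secured by default using Spring Security's content-negotiation strategy" leaves the reader without the information that matters here, namely what the default protection actually is (which endpoints are covered, which authentication is applied, which users are accepted); spell that out or link to where it is described, because this is the paragraph people will read after `management.security.enabled` disappears. Smaller points: the removed line had a stray trailing backtick in `RequestMatcher`` and the replacement fixes it; but the third added line is a run-on ("for example, only allow users with a certain role to access them, Spring Boot provides ...") and is well over the hard-wrap width the surrounding AsciiDoc uses, so consider rewrapping it, e.g. "If you want custom security for HTTP endpoints (for example, to allow only users with a certain role to access them), Spring Boot provides ...".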
@ -219,6 +220,23 @@ endpoints can be accessed without requiring authentication. You can do so by cha
management.endpoints.web.expose=*
----

Additionally, if Spring Security is present, you would need to add custom security configuration
that allows unauthenticated access to the endpoints. For example,

[source,java,indent=0]
----
@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
.anyRequest().permitAll()
}

}
----



[[production-ready-customizing-endpoints]]
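Review bot: the Java example does not compile: the statement ending in `.anyRequest().permitAll()` is missing its terminating semicolon. The surrounding text also deserves one more sentence: `EndpointRequest.toAnyEndpoint()` together with `permitAll()` removes authentication from every endpoint that `management.endpoints.web.expose=*` exposes, not just `health` and `info`, so the reader should be told that this combination is only appropriate when the management endpoints are protected some other way (for example, a management port that is not reachable from outside). If the intent is narrower, `EndpointRequest.to("health", "info")` limits the matcher to named endpoints and would make a safer example.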
@ -715,20 +733,6 @@ the following example:
management.server.port=8081
----

Since your management port is often protected by a firewall and not exposed to the
public, you might not need security on the management endpoints, even if your main
application is secure. In that case, you should have Spring Security on the classpath,
and you can disable management security, as follows:

[source,properties,indent=0]
----
management.security.enabled=false
----

CAUTION: If you do not have Spring Security on the classpath, there is no need to
explicitly disable the management security in this way. Doing so might even break the
application.



[[production-ready-management-specific-ssl]]
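Review bot: deleting the `management.security.enabled=false` paragraph is the purpose of the commit, but nothing replaces the guidance it gave for the case it described (a separate management port behind a firewall where authentication on the management endpoints is not wanted), and the CAUTION about Spring Security on the classpath goes with it. Add a cross-reference from this section to the `WebSecurityConfigurerAdapter` example under "Securing HTTP Endpoints", since a custom adapter that calls `permitAll()` for `EndpointRequest.toAnyEndpoint()` is now the only documented way to obtain the behaviour the removed property provided, and readers who land here via `management.server.port` will not find it otherwise.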
@ -2997,19 +2997,15 @@ In other words, the two configurations in the following example use the Google p

[[boot-features-security-actuator]]
=== Actuator Security
If the Actuator is also in use:
For security purposes, all actuators other than `/health` and `/info` are disabled by default.
The `management.endpoints.web.expose` flag can be used to enable the actuators.
If Spring Security is on the classpath and no other WebSecurityConfigurerAdapter is present,
the actuators are secured by Spring Boot auto-config. If you define a custom `WebSecurityConfigurerAdapter`,
Spring Boot auto-config will back off and you will be in full control of actuator access rules.

* The management endpoints are secure even if the application endpoints are insecure.
* Security events are transformed into `AuditEvent` instances and published to the
`AuditEventRepository`.
* The default user has the `ACTUATOR` role as well as the `USER` role.

The Actuator security features can be modified by using external properties
(`+management.security.*+`). To override the application access rules but not the
actuator access rules, add a `@Bean` of type `WebSecurityConfigurerAdapter` and use
`@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)`. Use
`@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)` if you _do_ want to override
the application access rules and the actuator access rules.
NOTE: Before setting the `management.endpoints.web.expose`, ensure that the exposed actuators
do not contain sensitive information and/or are secured by placing them behind a firewall or by
something like Spring Security.
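Review bot: "all actuators other than `/health` and `/info` are disabled by default" conflates disabling with exposure; the property named on the very next line, `management.endpoints.web.expose`, controls which endpoints are exposed over the web, so the text should say that the other endpoints are not exposed over HTTP by default rather than that they are disabled, and "can be used to enable the actuators" should likewise read "expose". Consistency: the first `WebSecurityConfigurerAdapter` is plain text while the second is in backticks. The NOTE's "and/or ... or by something like Spring Security" is loose for a security warning; suggest "and are protected either by a firewall or by Spring Security". Finally, the removed bullet about security events being published as `AuditEvent` instances to the `AuditEventRepository` describes behaviour that has nothing to do with `management.security.*`; if it still holds it should be kept or moved rather than dropped with the rest of the paragraph.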