diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc index 658c5544f28..b45d1e8fa75 100644 --- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc +++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc @@ -181,8 +181,9 @@ register an `EndpointFilter` bean. [[production-ready-endpoints-security]] === Securing HTTP Endpoints You should take care to secure HTTP endpoints in the same way that you would any other -sensitive URL. Spring Boot does not apply any security on your behalf. However, it does -provide some convenient RequestMatcher` objects that can be used in combination with +sensitive URL. If Spring Security is present, endpoints are secured by default using Spring Security’s +content-negotiation strategy. If you wish to configure custom security for HTTP endpoints, for example, only allow users +with a certain role to access them, Spring Boot provides some convenient `RequestMatcher` objects that can be used in combination with Spring Security. A typical Spring Security configuration might look something like the following example: @@ -219,6 +220,23 @@ endpoints can be accessed without requiring authentication. You can do so by cha management.endpoints.web.expose=* ---- +Additionally, if Spring Security is present, you would need to add custom security configuration +that allows unauthenticated access to the endpoints. For example, + +[source,java,indent=0] +---- + @Configuration + public class ActuatorSecurity extends WebSecurityConfigurerAdapter { + + @Override + protected void configure(HttpSecurity http) throws Exception { + http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests() + .anyRequest().permitAll() + } + + } +---- + [[production-ready-customizing-endpoints]] 
@@ -715,20 +733,6 @@ the following example: management.server.port=8081 ---- -Since your management port is often protected by a firewall and not exposed to the -public, you might not need security on the management endpoints, even if your main -application is secure. In that case, you should have Spring Security on the classpath, -and you can disable management security, as follows: - -[source,properties,indent=0] ----- - management.security.enabled=false ----- - -CAUTION: If you do not have Spring Security on the classpath, there is no need to -explicitly disable the management security in this way. Doing so might even break the -application. - [[production-ready-management-specific-ssl]] diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc index e76cfde656c..72e4eb12b07 100644 --- a/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc +++ b/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc 
@@ -2997,19 +2997,15 @@ In other words, the two configurations in the following example use the Google p [[boot-features-security-actuator]] === Actuator Security -If the Actuator is also in use: +For security purposes, all actuators other than `/health` and `/info` are disabled by default. +The `management.endpoints.web.expose` flag can be used to enable the actuators. +If Spring Security is on the classpath and no other WebSecurityConfigurerAdapter is present, +the actuators are secured by Spring Boot auto-config. If you define a custom `WebSecurityConfigurerAdapter`, +Spring Boot auto-config will back off and you will be in full control of actuator access rules. -* The management endpoints are secure even if the application endpoints are insecure. -* Security events are transformed into `AuditEvent` instances and published to the -`AuditEventRepository`. -* The default user has the `ACTUATOR` role as well as the `USER` role. - -The Actuator security features can be modified by using external properties -(`+management.security.*+`). To override the application access rules but not the -actuator access rules, add a `@Bean` of type `WebSecurityConfigurerAdapter` and use -`@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)`. Use -`@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)` if you _do_ want to override -the application access rules and the actuator access rules. +NOTE: Before setting the `management.endpoints.web.expose`, ensure that the exposed actuators +do not contain sensitive information and/or are secured by placing them behind a firewall or by +something like Spring Security.
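Review bot: In the `@@ -181,8 +181,9 @@` hunk of production-ready-features.adoc, the phrase "for example, only allow users with a certain role to access them" does not parse as an example of configuring security; suggest "for example, to allow only users with a certain role to access them". The same added lines use a typographic apostrophe in "Spring Security’s" while the rest of this AsciiDoc source uses plain ASCII quotes, so it should be "Spring Security's" for consistency.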
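Review bot: The Java example in the `@@ -219,6 +220,23 @@` hunk does not compile: the statement `http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()` `.anyRequest().permitAll()` is missing its terminating semicolon, so it should end with `.anyRequest().permitAll();`. Since this example follows directly after `management.endpoints.web.expose=*`, the combination exposes every endpoint to unauthenticated callers; the surrounding text should say that this configuration is intended for the case where the management endpoints are otherwise protected (the removed text in the later hunk made the firewall assumption explicit, and this new example drops it) and, if a narrower setting is wanted, that `toAnyEndpoint()` can be replaced by a matcher limited to the endpoints that should be public.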
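Review bot: The `@@ -715,20 +733,6 @@` hunk removes the `management.security.enabled=false` section and its CAUTION without leaving any migration hint, so a reader upgrading who still has that property in their configuration gets no guidance from this page. Suggest keeping a one-line note in the management-server-port section stating that `management.security.enabled` is no longer supported and that unauthenticated access to a separate management port is now configured with a custom `WebSecurityConfigurerAdapter`, as shown in the "Securing HTTP Endpoints" section added earlier in this patch.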
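Review bot: The `@@ -2997,19 +2997,15 @@` hunk in spring-boot-features.adoc is internally inconsistent about terminology: the first added line says actuators other than `/health` and `/info` "are disabled by default", but the next line says the `management.endpoints.web.expose` flag is used "to enable" them, and the property name describes exposure over the web rather than enablement. Suggest wording the first sentence as "are not exposed over HTTP by default" and the second as "can be used to expose them", so the text matches the property it names. Two smaller points in the same hunk: the first mention of WebSecurityConfigurerAdapter lacks the backticks the second mention has, and "auto-config" should be written out as "auto-configuration" as elsewhere in these docs; in the NOTE, "and/or" should be "or".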