root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Tweak docs on /health endpoint to reflect secure/sensitive 

Fixes gh-2816
This commit is contained in:
Dave Syer 2015-06-28 22:12:28 +01:00
parent 8c977567d9
commit c39b9f7635
1 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
View File

@ -86,7 +86,7 @@ The following endpoints are available:
|true
|`health`
|Shows application health information (a simple '`status`' when accessed over an
|Shows application health information (when the application is secure, a simple '`status`' when accessed over an
unauthenticated connection or full message details when authenticated).
|false
@ -157,8 +157,8 @@ For example, the following will disable _all_ endpoints except for `info`:
Health information can be used to check the status of your running application. It is
often used by monitoring software to alert someone if a production system goes down.
The default information exposed by the `health` endpoint depends on how it is accessed.
For an insecure unauthenticated connection a simple '`status`' message is returned, for a
secure or authenticated connection additional details are also displayed (see
For an unauthenticated connection in a secure application a simple '`status`' message is
returned, and for a authenticated connection additional details are also displayed (see
<<production-ready-health-access-restrictions>> for HTTP details).
Health information is collected from all
@ -507,16 +507,30 @@ If you don't want to expose endpoints over HTTP you can set the management port
[[production-ready-health-access-restrictions]]
=== HTTP health endpoint access restrictions
The information exposed by the health endpoint varies depending on whether or not it's
accessed anonymously. By default, when accessed anonymously, any details about the
accessed anonymously, and whether or not the enclosing application is secure.
By default, when accessed anonymously in a secure application, any details about the
server's health are hidden and the endpoint will simply indicate whether or not the server
is up or down. Furthermore, when accessed anonymously, the response is cached for a
configurable period to prevent the endpoint being used in a denial of service attack.
The `endpoints.health.time-to-live` property is used to configure the caching period in
milliseconds. It defaults to 1000, i.e. one second.
The above-described restrictions can be disabled, thereby allowing anonymous users full
access to the health endpoint. To do so, set `endpoints.health.sensitive` to `false`.
The above-described restrictions can be enhanced, thereby allowing only authenticated users full
access to the health endpoint in a secure application. To do so, set `endpoints.health.sensitive` to `true`.
Here's a summary of behaviour (with default `sensitive` flag value "false" indicated in bold):
|====
|Secure | Sensitive | Unauthenticated behaviour | Authenticated behaviour
| false | **false** | Full content | Full content
| false | true | Status only | Full content
| true | **false** | Status only | Full content
| true | true | No content | Full content
|====
[[production-ready-jmx]]