Align default JMX and WEB endpoint exposures

Closes gh-32005

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/expose/EndpointExposure.java

@@ -27,7 +27,7 @@ public enum EndpointExposure {
 	/**
 	 * Exposed via JMX endpoint.
 	 */
-	JMX("*"),
+	JMX("health"),
 
 	/**
 	 * Exposed via a web endpoint.

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/endpoint/jmx/JmxEndpointAutoConfigurationTests.java

@@ -80,8 +80,9 @@ class JmxEndpointAutoConfigurationTests {
 	@Test
 	void jmxEndpointWithCustomEndpointObjectNameFactory() {
 		EndpointObjectNameFactory factory = mock(EndpointObjectNameFactory.class);
-		this.contextRunner.withPropertyValues("spring.jmx.enabled=true").with(mockMBeanServer())
-				.withBean(EndpointObjectNameFactory.class, () -> factory).run((context) -> {
+		this.contextRunner
+				.withPropertyValues("spring.jmx.enabled=true", "management.endpoints.jmx.exposure.include=test")
+				.with(mockMBeanServer()).withBean(EndpointObjectNameFactory.class, () -> factory).run((context) -> {
 					ArgumentCaptor<ExposableJmxEndpoint> argumentCaptor = ArgumentCaptor
 							.forClass(ExposableJmxEndpoint.class);
 					then(factory).should().getObjectName(argumentCaptor.capture());
@@ -96,7 +97,7 @@ class JmxEndpointAutoConfigurationTests {
 				.willReturn(new HashSet<>(Arrays.asList(new ObjectName("test:test=test"))));
 		ArgumentCaptor<ObjectName> objectName = ArgumentCaptor.forClass(ObjectName.class);
 		ApplicationContextRunner jmxEnabledContextRunner = this.contextRunner
-				.withPropertyValues("spring.jmx.enabled=true");
+				.withPropertyValues("spring.jmx.enabled=true", "management.endpoints.jmx.exposure.include=test");
 		jmxEnabledContextRunner.with(mockMBeanServer()).run((parent) -> {
 			jmxEnabledContextRunner.withParent(parent).run(NO_OPERATION);
 			jmxEnabledContextRunner.withParent(parent).run(NO_OPERATION);

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JmxEndpointIntegrationTests.java

@@ -59,18 +59,20 @@ class JmxEndpointIntegrationTests {
 			.withConfiguration(AutoConfigurations.of(EndpointAutoConfigurationClasses.ALL));
 
 	@Test
-	void jmxEndpointsAreExposed() {
+	void jmxEndpointsExposeHealthByDefault() {
 		this.contextRunner.run((context) -> {
 			MBeanServer mBeanServer = context.getBean(MBeanServer.class);
-			checkEndpointMBeans(mBeanServer, new String[] { "beans", "conditions", "configprops", "env", "health",
-					"info", "mappings", "threaddump", "httptrace" }, new String[] { "shutdown" });
+			checkEndpointMBeans(mBeanServer, new String[] { "health" }, new String[] { "beans", "conditions",
+					"configprops", "env", "info", "mappings", "threaddump", "httptrace", "shutdown" });
 		});
 	}
 
 	@Test
 	void jmxEndpointsAreExposedWhenLazyInitializationIsEnabled() {
-		this.contextRunner.withBean(LazyInitializationBeanFactoryPostProcessor.class,
-				LazyInitializationBeanFactoryPostProcessor::new).run((context) -> {
+		this.contextRunner.withPropertyValues("management.endpoints.jmx.exposure.include:*")
+				.withBean(LazyInitializationBeanFactoryPostProcessor.class,
+						LazyInitializationBeanFactoryPostProcessor::new)
+				.run((context) -> {
 					MBeanServer mBeanServer = context.getBean(MBeanServer.class);
 					checkEndpointMBeans(mBeanServer, new String[] { "beans", "conditions", "configprops", "env",
 							"health", "info", "mappings", "threaddump", "httptrace" }, new String[] { "shutdown" });

spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc

@@ -146,109 +146,8 @@ If you want to change only the technologies over which an endpoint is exposed, u
 
 [[actuator.endpoints.exposing]]
 === Exposing Endpoints
+By default, only the health endpoint is exposed over HTTP and JMX.
 Since Endpoints may contain sensitive information, you should carefully consider when to expose them.
-The following table shows the default exposure for the built-in endpoints:
-
-[cols="1,1,1"]
-|===
-| ID | JMX | Web
-
-| `auditevents`
-| Yes
-| No
-
-| `beans`
-| Yes
-| No
-
-| `caches`
-| Yes
-| No
-
-| `conditions`
-| Yes
-| No
-
-| `configprops`
-| Yes
-| No
-
-| `env`
-| Yes
-| No
-
-| `flyway`
-| Yes
-| No
-
-| `health`
-| Yes
-| Yes
-
-| `heapdump`
-| N/A
-| No
-
-| `httptrace`
-| Yes
-| No
-
-| `info`
-| Yes
-| No
-
-| `integrationgraph`
-| Yes
-| No
-
-| `logfile`
-| N/A
-| No
-
-| `loggers`
-| Yes
-| No
-
-| `liquibase`
-| Yes
-| No
-
-| `metrics`
-| Yes
-| No
-
-| `mappings`
-| Yes
-| No
-
-| `prometheus`
-| N/A
-| No
-
-| `quartz`
-| Yes
-| No
-
-| `scheduledtasks`
-| Yes
-| No
-
-| `sessions`
-| Yes
-| No
-
-| `shutdown`
-| Yes
-| No
-
-| `startup`
-| Yes
-| No
-
-| `threaddump`
-| Yes
-| No
-|===
 
 To change which endpoints are exposed, use the following technology-specific `include` and `exclude` properties:
 
@@ -274,7 +173,7 @@ The `exclude` property lists the IDs of the endpoints that should not be exposed
 The `exclude` property takes precedence over the `include` property.
 You can configure both the `include` and the `exclude` properties with a list of endpoint IDs.
 
-For example, to stop exposing all endpoints over JMX and only expose the `health` and `info` endpoints, use the following property:
+For example, to only expose the `health` and `info` endpoints over JMX, use the following property:
 
 [source,yaml,indent=0,subs="verbatim",configprops,configblocks]
 ----