From cea6492c4a57acd72ab79f84af630a7aa49c41e9 Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Tue, 16 Aug 2022 14:29:08 -0700
Subject: [PATCH] Align default JMX and WEB endpoint exposures

Closes gh-32005
---
 .../endpoint/expose/EndpointExposure.java | 2 +-
 .../JmxEndpointAutoConfigurationTests.java | 7 +-
 .../JmxEndpointIntegrationTests.java | 12 +-
 .../src/docs/asciidoc/actuator/endpoints.adoc | 105 +-----------------
 4 files changed, 14 insertions(+), 112 deletions(-)

diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/expose/EndpointExposure.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/expose/EndpointExposure.java
index 82c27c853ae..fe878009620 100644
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/expose/EndpointExposure.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/expose/EndpointExposure.java
@@ -27,7 +27,7 @@ public enum EndpointExposure {
 /**
 * Exposed via JMX endpoint.
 */
- JMX("*"),
+ JMX("health"),

 /**
 * Exposed via a web endpoint.
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/endpoint/jmx/JmxEndpointAutoConfigurationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/endpoint/jmx/JmxEndpointAutoConfigurationTests.java
index 7c077dd36ea..68421710a4a 100644
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/endpoint/jmx/JmxEndpointAutoConfigurationTests.java
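Review bot: The Javadoc on `JMX` still reads only "Exposed via JMX endpoint." and does not say that the constructor argument appears to be the default include list, which is what decides which endpoints are reachable over JMX when `management.endpoints.jmx.exposure.include` is unset. I would state it on the constant, for example ` * Exposed via JMX endpoint. Only the {@code health} endpoint is included by default.`, so that a later edit of the literal is recognisable as a change to the default exposure. The commit title suggests `WEB` carries the same default and would want the same sentence, but that constant's argument is outside this hunk, as is the rest of the enum body.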
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/endpoint/jmx/JmxEndpointAutoConfigurationTests.java
@@ -80,8 +80,9 @@ class JmxEndpointAutoConfigurationTests {
 @Test
 void jmxEndpointWithCustomEndpointObjectNameFactory() {
 EndpointObjectNameFactory factory = mock(EndpointObjectNameFactory.class);
- this.contextRunner.withPropertyValues("spring.jmx.enabled=true").with(mockMBeanServer())
- .withBean(EndpointObjectNameFactory.class, () -> factory).run((context) -> {
+ this.contextRunner
+ .withPropertyValues("spring.jmx.enabled=true", "management.endpoints.jmx.exposure.include=test")
+ .with(mockMBeanServer()).withBean(EndpointObjectNameFactory.class, () -> factory).run((context) -> {
 ArgumentCaptor argumentCaptor = ArgumentCaptor
 .forClass(ExposableJmxEndpoint.class);
 then(factory).should().getObjectName(argumentCaptor.capture());
@@ -96,7 +97,7 @@ class JmxEndpointAutoConfigurationTests {
 .willReturn(new HashSet<>(Arrays.asList(new ObjectName("test:test=test"))));
 ArgumentCaptor objectName = ArgumentCaptor.forClass(ObjectName.class);
 ApplicationContextRunner jmxEnabledContextRunner = this.contextRunner
- .withPropertyValues("spring.jmx.enabled=true");
+ .withPropertyValues("spring.jmx.enabled=true", "management.endpoints.jmx.exposure.include=test");
 jmxEnabledContextRunner.with(mockMBeanServer()).run((parent) -> {
 jmxEnabledContextRunner.withParent(parent).run(NO_OPERATION);
 jmxEnabledContextRunner.withParent(parent).run(NO_OPERATION);
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JmxEndpointIntegrationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JmxEndpointIntegrationTests.java
index 1db12179183..74606d29990 100644
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JmxEndpointIntegrationTests.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JmxEndpointIntegrationTests.java
@@ -59,18 +59,20 @@ class JmxEndpointIntegrationTests {
 .withConfiguration(AutoConfigurations.of(EndpointAutoConfigurationClasses.ALL));

 @Test
- void jmxEndpointsAreExposed() {
+ void jmxEndpointsExposeHealthByDefault() {
 this.contextRunner.run((context) -> {
 MBeanServer mBeanServer = context.getBean(MBeanServer.class);
- checkEndpointMBeans(mBeanServer, new String[] { "beans", "conditions", "configprops", "env", "health",
- "info", "mappings", "threaddump", "httptrace" }, new String[] { "shutdown" });
+ checkEndpointMBeans(mBeanServer, new String[] { "health" }, new String[] { "beans", "conditions",
+ "configprops", "env", "info", "mappings", "threaddump", "httptrace", "shutdown" });
 });
 }

 @Test
 void jmxEndpointsAreExposedWhenLazyInitializationIsEnabled() {
- this.contextRunner.withBean(LazyInitializationBeanFactoryPostProcessor.class,
- LazyInitializationBeanFactoryPostProcessor::new).run((context) -> {
+ this.contextRunner.withPropertyValues("management.endpoints.jmx.exposure.include:*")
+ .withBean(LazyInitializationBeanFactoryPostProcessor.class,
+ LazyInitializationBeanFactoryPostProcessor::new)
+ .run((context) -> {
 MBeanServer mBeanServer = context.getBean(MBeanServer.class);
 checkEndpointMBeans(mBeanServer, new String[] { "beans", "conditions", "configprops", "env", "health",
 "info", "mappings", "threaddump", "httptrace" }, new String[] { "shutdown" });
diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc
index 8797e6be279..72d14cc1ea5 100644
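Review bot: In `jmxEndpointsAreExposedWhenLazyInitializationIsEnabled` the opt-in is written as `"management.endpoints.jmx.exposure.include:*"` with a colon, while the same property in `JmxEndpointAutoConfigurationTests` in this commit uses `=`. As far as I know `withPropertyValues` accepts both separators, so this is a style point only; `"management.endpoints.jmx.exposure.include=*"` would keep the commit consistent. Because `*` is now an explicit widening rather than the default, a short comment above the chain such as `// opt in to every endpoint: only health is exposed over JMX by default` would explain why this test needs it. The lambda body of this test continues past the end of the hunk.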
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/actuator/endpoints.adoc
@@ -146,109 +146,8 @@ If you want to change only the technologies over which an endpoint is exposed, u

 [[actuator.endpoints.exposing]]
 === Exposing Endpoints
+By default, only the health endpoint is exposed over HTTP and JMX.
 Since Endpoints may contain sensitive information, you should carefully consider when to expose them.
-The following table shows the default exposure for the built-in endpoints:
-
-[cols="1,1,1"]
-|===
-| ID | JMX | Web
-
-| `auditevents`
-| Yes
-| No
-
-| `beans`
-| Yes
-| No
-
-| `caches`
-| Yes
-| No
-
-| `conditions`
-| Yes
-| No
-
-| `configprops`
-| Yes
-| No
-
-| `env`
-| Yes
-| No
-
-| `flyway`
-| Yes
-| No
-
-| `health`
-| Yes
-| Yes
-
-| `heapdump`
-| N/A
-| No
-
-| `httptrace`
-| Yes
-| No
-
-| `info`
-| Yes
-| No
-
-| `integrationgraph`
-| Yes
-| No
-
-| `logfile`
-| N/A
-| No
-
-| `loggers`
-| Yes
-| No
-
-| `liquibase`
-| Yes
-| No
-
-| `metrics`
-| Yes
-| No
-
-| `mappings`
-| Yes
-| No
-
-| `prometheus`
-| N/A
-| No
-
-| `quartz`
-| Yes
-| No
-
-| `scheduledtasks`
-| Yes
-| No
-
-| `sessions`
-| Yes
-| No
-
-| `shutdown`
-| Yes
-| No
-
-| `startup`
-| Yes
-| No
-
-| `threaddump`
-| Yes
-| No
-|===

 To change which endpoints are exposed, use the following technology-specific `include` and `exclude` properties:

@@ -274,7 +173,7 @@ The `exclude` property lists the IDs of the endpoints that should not be exposed
 The `exclude` property takes precedence over the `include` property.
 You can configure both the `include` and the `exclude` properties with a list of endpoint IDs.

-For example, to stop exposing all endpoints over JMX and only expose the `health` and `info` endpoints, use the following property:
+For example, to only expose the `health` and `info` endpoints over JMX, use the following property:

 [source,yaml,indent=0,subs="verbatim",configprops,configblocks]
 ----