root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Update actuator security documentation 

Update documentation to align with the new role based method.

See gh-6889
This commit is contained in:
Phillip Webb 2017-01-03 18:01:32 -08:00
parent 7c51941578
commit f8a53cf775
1 changed files with 26 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
View File

@ -536,11 +536,32 @@ all enabled endpoints to be exposed over HTTP. The default convention is to use
[[production-ready-sensitive-endpoints]]
=== Securing sensitive endpoints
If you add '`Spring Security`' to your project, all sensitive endpoints exposed over HTTP
will be protected. By default '`basic`' authentication will be used with the username
`user` and a generated password (which is printed on the console when the application
starts).
=== Accessing sensitive endpoints
By default all sensitive HTTP endpoints are secured such that only users that have an
`ACTUATOR` role may access them. Security is enforced using the standard
`HttpServletRequest.isUserInRole` method.
TIP: Use the `management.security.roles` property if you want something different to
`ACTUATOR`.
If you are deploying applications behind a firewall, you may prefer that all your actuator
endpoints can be accessed without requiring authentication. You can do this by changing
the `management.security.enabled` property:
.application.properties
[source,properties,indent=0]
----
management.security.enabled=false
----
NOTE: By default, actuator endpoints are exposed on the same port that serves regular
HTTP traffic. Take care not to accidentally expose sensitive information if you change
the `management.security.enabled` property.
If you're deploying applications publicly, you may want to add '`Spring Security`' to
handle user authentication. When '`Spring Security`' is added, by default '`basic`'
authentication will be used with the username `user` and a generated password (which is
printed on the console when the application starts).
TIP: Generated passwords are logged as the application starts. Search for '`Using default
security password`'.
@ -556,10 +577,6 @@ in your `application.properties`:
management.security.roles=SUPERUSER
----
TIP: If you don't use Spring Security and your HTTP endpoints are exposed publicly,
you should carefully consider which endpoints you enable. See
<<production-ready-customizing-endpoints>> for details of how you can set
`endpoints.enabled` to `false` then "`opt-in`" only specific endpoints.
[[production-ready-customizing-management-server-context-path]]