Configure actuator endpoints security
Can this be changed to use Spring Security?
It is Spring Security (what else did you think we'd use?). If you just want to keep the default security rules and customize the AuthenticationManager it should just work if you use the AuthenticationManagerBuilder as recommended by the Spring Security team. The secure method sample has the behavior you are looking for, so you can copy the configuration pattern from there. The key thing, if you want to replace the Boot default authentication strategy, is to get the AuthenticationManager configured in a GlobalAuthenticationConfigurerAdapter like in the sample.
You can switch off management security with management.security.enabled=false (assuming Spring Security is on the classpath). It is mentioned in the user guide, but feel free to propose clarifications.
I would say that sometimes it's easier to exclude the autoconfiguration of a Spring Boot component and do the configuration from scratch if you have a very specific case. In this case you could use:
    @EnableAutoConfiguration(exclude = {SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class})
Or just ManagementWebSecurityConfiguration.java if you want to keep the rest of the Boot Security configuration. And then you could use something like this:
    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class SecurityConfiguration {

        // Configures the global AuthenticationManager before anything else,
        // which replaces the Boot default authentication strategy.
        @Configuration
        @Order(Ordered.HIGHEST_PRECEDENCE)
        protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {

            private final SecurityProperties securityProperties;

            @Autowired
            AuthenticationSecurity(SecurityProperties securityProperties) {
                this.securityProperties = securityProperties;
            }

            @Override
            public void init(AuthenticationManagerBuilder auth) throws Exception {
                // configuration
            }
        }

        // Web security rules for the application, ordered to override Boot's access rules.
        @Configuration
        @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
        protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

            private SecurityProperties security;

            @Autowired
            protected ApplicationSecurity(SecurityProperties security) {
                this.security = security;
            }

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                // your configuration
            }
        }
    }
As you can see I have reused the SecurityProperties in this case in order to avoid making my own.
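An added example (not part of the original answers or of Spring Boot's samples) showing one way to protect the actuator endpoints with your own rules once management.security.enabled=false has switched Boot's rules off. It assumes Spring Boot 1.x, management.context-path=/manage, an explicitly set security.user.password, and a hypothetical ACTUATOR role and class name.

```java
// Added example. Assumed application.properties (Spring Boot 1.x):
//   management.security.enabled=false   # Boot's own actuator rules are off
//   management.context-path=/manage     # assumed prefix for actuator endpoints
//   security.user.name / security.user.password set explicitly
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ActuatorSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String ACTUATOR_ROLE = "ACTUATOR"; // hypothetical role name

    private final SecurityProperties security;

    @Autowired
    public ActuatorSecurityConfiguration(SecurityProperties security) {
        this.security = security;
    }

    // Configuring the AuthenticationManagerBuilder replaces Boot's default user setup.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        SecurityProperties.User user = security.getUser();
        auth.inMemoryAuthentication()
            .withUser(user.getName())
            .password(user.getPassword())
            .roles(ACTUATOR_ROLE);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Matchers are evaluated in order: the narrow exception comes first.
                .antMatchers("/manage/health").permitAll()
                .antMatchers("/manage/**").hasRole(ACTUATOR_ROLE)
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            // Monitoring clients send credentials on every call; no session needed.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```

With management security disabled, nothing protects the actuator paths unless a rule like the `/manage/**` matcher covers them, so check an unauthenticated request to one of those endpoints returns 401 after deploying.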