
I use Spring Cloud Gateway Hoxton.SR8, Spring Boot 2.3.4 and Spring Actuator

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>

I want to set a password on all actuator endpoints, including health and info, so that only authenticated users can call them. But as far as I know it can only be done using Spring Security, and this framework is incompatible with Gateway.

How can I set a password on the actuator in Cloud Gateway?

  • Just as an FYI, another way of handling this is to use a different port than the "public one", via [Spring's `management.server.port`](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-customizing-management-server-port). Especially useful when using an orchestrator like Kubernetes. See https://github.com/qudini/qudini-reactive/tree/master/qudini-reactive-metrics#probes for a configuration example. You can then have that second port secured at network level instead of at app level (more ops-ish than dev-ish). – sp00m Nov 09 '20 at 09:57
  • @sp00m I couldn't find an answer for how to secure these management endpoints. Are you suggesting the same as below? If not, could you please provide more code. – Artemii Kurilko Nov 09 '20 at 13:07

1 Answer

Actuator endpoints reveal sensitive information about the application.

To password-protect the actuator endpoints, follow the steps below:

Step 1: Add the spring-boot-starter-security dependency in pom.xml.

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

Thanks to Spring Boot auto-configuration, it automatically initialises all the security-related components.

Step 2: Define a username and password in your property/YAML file.

See the configuration below.

    spring:
      security:
        user:
          name: admin
          password: ********

Step 3: Restart the application and try to access the secured endpoints.

You should get a “401 Unauthorized” response.

Step 4: Open an actuator endpoint in a browser and it will prompt for username/password.

If you just want to secure your actuator endpoints, add the config below:

    server:
      port: 8080
      context-path: /MyApplication

    # NB: security.basic.*, management.security.* and management.context-path
    # are Spring Boot 1.x property names; Spring Boot 2.x no longer reads them.
    security:
      user:
        name: admin
        password: secret
      basic:
        enabled: false

    management:
      context-path: /actuator
      security:
        enabled: true

This will make sure that application security is disabled but is enabled for the actuator endpoints.

Note: Don't configure the username/password under management security, otherwise it will not work.

Amit kumar
  • I tried this way, but then when I send a non-actuator request it still asks for password and login – Artemii Kurilko Nov 05 '20 at 10:05
  • Please check the updated answer to make sure that security is enabled only for actuator endpoints. – Amit kumar Nov 05 '20 at 10:12
  • Maybe you should add this: http.formLogin().disable() in your websecurity configuration. – Bram Van Dyck Nov 05 '20 at 10:51
  • 1
    Some of your configuration such as basic.enabled, security.enabled don't work with spring boot 2.3.4.release. I tried to make it via WebSecurityConfigurerAdapter, but it throws error because spring starter security isn't fully compatible with spring cloud gateway. – Artemii Kurilko Nov 09 '20 at 09:54
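The same goal as the answer's Steps 1 to 4 (HTTP Basic on every actuator endpoint, health and info included, and nothing else secured), written for the reactive stack that Spring Cloud Gateway runs on. This is an added example, not code from the answer or from the Spring projects: it assumes the spring-boot-starter-security dependency from Step 1 is on the classpath, and it reads the password from a property named `actuator.admin.password`, a name chosen here rather than taken from the page. Because Gateway is a WebFlux application, a `WebSecurityConfigurerAdapter` (the servlet API mentioned in the comments) does not apply; the reactive equivalent is a `SecurityWebFilterChain` bean.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

/**
 * Added example (not from the original answer): HTTP Basic protection for all
 * actuator endpoints on a Spring Cloud Gateway (WebFlux) application.
 * Requests that are not actuator requests match no SecurityWebFilterChain
 * and are handled by the gateway routes exactly as before.
 */
@Configuration
@EnableWebFluxSecurity
public class ActuatorSecurityConfig {

    // Delegating encoder: stored hashes are prefixed with their algorithm ({bcrypt} by default).
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // One in-memory user for monitoring. The plaintext password is injected from
    // configuration (environment variable or orchestrator secret); the property
    // name "actuator.admin.password" is an assumption of this example.
    @Bean
    public MapReactiveUserDetailsService actuatorUsers(
            @Value("${actuator.admin.password}") String password,
            PasswordEncoder encoder) {
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode(password))
                .roles("ACTUATOR_ADMIN")   // stored as ROLE_ACTUATOR_ADMIN
                .build();
        return new MapReactiveUserDetailsService(admin);
    }

    @Bean
    public SecurityWebFilterChain actuatorSecurityChain(ServerHttpSecurity http) {
        return http
                // Scope this chain to actuator endpoints only (whatever base path
                // management.endpoints.web.base-path is set to); gateway routes
                // never enter it, which is what the "updated answer" was after.
                .securityMatcher(EndpointRequest.toAnyEndpoint())
                // Every actuator endpoint, /health and /info included, requires the role.
                .authorizeExchange(exchanges -> exchanges
                        .anyExchange().hasRole("ACTUATOR_ADMIN"))
                // Basic auth so curl and monitoring agents can authenticate and a
                // browser gets the username/password prompt from Step 4.
                .httpBasic(Customizer.withDefaults())
                // No login form and no CSRF tokens: this is an API, not a browser UI.
                .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .build();
    }
}
```

With this bean present, Spring Boot's default reactive security chain (the one that was asking for a login on every gateway route) backs off, because it is only created when no `SecurityWebFilterChain` bean is defined. To check the result: `curl -i http://localhost:8080/actuator/health` should return 401 with a `WWW-Authenticate: Basic` header, `curl -i -u admin:<password> http://localhost:8080/actuator/health` should return 200, and a request to any gateway route should behave exactly as before the change. Keep the password out of the repository (pass it through an environment variable), and this combines well with the separate `management.server.port` suggested in the question comments, so the actuator port can additionally be kept off the public listener.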