How to disable security just for /actuator/health?

Question

My spring boot application has security enabled.

How to access /actuator/health without authentication?

There is a WebSecurityConfigurerAdapter in the application.

I found an example using:

public void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/health").permitAll().anyRequest().authenticated();

}

and another example using:

public void configure(WebSecurity web) throws Exception {
    web.ignoring()
            .antMatchers("/actuator/health");
}

What are the advantages and disadvantages of each approach? It will be used for health checking.

score 3 · Answer 1 · answered Jan 15 '22 at 05:41

the first example will still include security features like CORS and different basic security headers. You have only excluded that spring security wont ask for authentication.

While the second example will ignore everything that has to do with spring security, and the requests will not pass through any of spring securitys basic security filters.

Alternative one is always better.

Here you can read about the common security protection you get from spring security per default

Protection Against Exploits

How to disable security just for /actuator/health?

1 Answers1

Linked