Spring Boot framework, ~20 mins

Securing actuator endpoints in Spring Boot - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What is the default behavior of Spring Boot actuator endpoints regarding security?
By default, how are Spring Boot actuator endpoints secured when no explicit security configuration is provided?
A. Only the health and info endpoints are publicly accessible; others require authentication.
B. All actuator endpoints are publicly accessible without authentication.
C. All actuator endpoints require authentication and are secured by default.
D. Actuator endpoints are disabled by default and must be enabled explicitly.
💡 Hint

Think about which endpoints provide non-sensitive information by default.

📝 Syntax
intermediate
Which configuration snippet correctly restricts actuator endpoints to users with role ADMIN?
Given a Spring Security configuration, which snippet correctly restricts access to all actuator endpoints to users with the role ADMIN?
A. http.authorizeHttpRequests().requestMatchers("/actuator/**").permitAll().and().formLogin();
B. http.authorizeHttpRequests().requestMatchers("/actuator/**").hasRole("ADMIN").and().httpBasic();
C. http.authorizeHttpRequests().requestMatchers("/actuator/**").hasAuthority("ROLE_ADMIN").and().httpBasic();
D. http.authorizeHttpRequests().requestMatchers("/actuator/**").authenticated().and().httpBasic();
💡 Hint

Remember the difference between hasRole and hasAuthority in Spring Security.

🔧 Debug
advanced
Why does this actuator security configuration fail to restrict access?
Consider this Spring Security configuration snippet:
http.authorizeHttpRequests()
  .requestMatchers("/actuator/**").authenticated()
  .and()
  .httpBasic();
Users without roles can access actuator endpoints without authentication. Why?
A. Because the security filter chain is not applied to actuator endpoints by default.
B. Because the authenticated() method allows anonymous users by mistake.
C. Because HTTP Basic authentication is not enabled properly.
D. Because the order of matchers is incorrect and another rule permits access before this one.
💡 Hint

Think about how Spring Security processes multiple rules and their order.

state_output
advanced
What is the effect of setting management.endpoints.web.exposure.include=* in application.properties?
If you add the following line to your Spring Boot application's application.properties file:
management.endpoints.web.exposure.include=*
What is the effect on actuator endpoints?
A. No actuator endpoints are exposed until explicitly enabled individually.
B. Only health and info endpoints remain exposed; others stay hidden.
C. All actuator endpoints become exposed over HTTP, including sensitive ones.
D. Only custom actuator endpoints are exposed; built-in ones remain hidden.
💡 Hint

Consider what the wildcard * means in this context.

🧠 Conceptual
expert
Which approach best secures actuator endpoints in a production Spring Boot application?
In a production environment, what is the best practice to secure Spring Boot actuator endpoints?
A. Expose only necessary endpoints and restrict access using role-based authentication with HTTPS.
B. Use default settings without changes, as Spring Boot secures endpoints automatically.
C. Disable all actuator endpoints to avoid any security risks.
D. Expose all actuator endpoints publicly and rely on network firewalls for protection.
💡 Hint

Think about balancing functionality and security in production.