
Securing actuator endpoints in Spring Boot - Mini Project: Build & Apply

Securing actuator endpoints
📖 Scenario: You are building a Spring Boot application that exposes actuator endpoints for monitoring. To keep your app safe, you want to secure these endpoints so only authorized users can access them.
🎯 Goal: Secure the Spring Boot actuator endpoints by setting up user credentials and restricting access to the endpoints.
📋 What You'll Learn
Create a Spring Boot application properties configuration with actuator endpoints enabled
Add a user credential configuration for basic authentication
Configure security to restrict actuator endpoints to authenticated users
Verify the actuator endpoints are secured with authentication
💡 Why This Matters
🌍 Real World
Monitoring and managing Spring Boot applications safely in production by securing sensitive actuator endpoints.
💼 Career
Spring Boot developers often need to secure actuator endpoints to protect application health and metrics data from unauthorized access.
1. Enable actuator endpoints
Create a file src/main/resources/application.properties and add these exact lines to enable all actuator endpoints and expose them over HTTP: management.endpoints.web.exposure.include=* and management.endpoint.health.show-details=always.
Hint: This configuration allows all actuator endpoints to be accessible over HTTP and shows detailed health info.

2. Add user credentials for basic authentication
In the same application.properties file, add these exact lines to create a user with username admin and password secret with role ACTUATOR: spring.security.user.name=admin, spring.security.user.password=secret, and spring.security.user.roles=ACTUATOR.
Hint: This sets up a basic user for authentication with the role ACTUATOR.

3. Configure security to restrict actuator endpoints
Create a Java class ActuatorSecurityConfig in package com.example.demo that is annotated with @Configuration and @EnableWebSecurity. Inside, define a SecurityFilterChain bean named securityFilterChain that restricts access so only users with role ACTUATOR can access paths starting with /actuator/. Use HTTP Basic authentication and permit all other requests without authentication.
Hint: This configures HTTP Basic authentication and restricts actuator endpoints to users with the ACTUATOR role.

4. Complete security setup and test
Add the @SpringBootApplication annotation to your main application class DemoApplication in package com.example.demo. Ensure the application runs and the actuator endpoints require authentication with username admin and password secret.
Hint: This completes the Spring Boot app setup with secured actuator endpoints. Run the app and test accessing /actuator/health with the admin credentials.
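The security class from step 3, written out as an added example rather than code taken from the page: it restricts every path under /actuator/ to the ACTUATOR role over HTTP Basic and leaves the rest of the app open, which matters because `management.endpoints.web.exposure.include=*` from step 1 also exposes sensitive endpoints such as env and heapdump. It assumes Spring Boot 3 with spring-boot-starter-security on the classpath (the Spring Security 6 lambda DSL); the admin user and its role come from the properties set in step 2.

```java
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Everything under /actuator/ (health, env, heapdump, ...) needs the
                // ACTUATOR role. hasRole("ACTUATOR") matches the authority ROLE_ACTUATOR,
                // which is exactly what spring.security.user.roles=ACTUATOR assigns.
                .requestMatchers("/actuator/**").hasRole("ACTUATOR")
                // Any other request in the application stays open, as the task requires.
                .anyRequest().permitAll())
            // Credentials are sent as an Authorization: Basic header; unauthenticated
            // requests to /actuator/** receive 401 with a WWW-Authenticate challenge.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With the app running, `curl -i http://localhost:8080/actuator/health` should answer 401 and `curl -i -u admin:secret http://localhost:8080/actuator/health` should answer 200 with the detailed health body; if the first call returns 200 the filter chain was not picked up and the endpoints are unprotected.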