0
0
SpringbootHow-ToBeginner · 4 min read

How to Secure Actuator Endpoints in Spring Boot

To secure Spring Boot actuator endpoints, enable Spring Security and configure access rules in your application.properties or Java config. Use management.endpoints.web.exposure.include to expose only needed endpoints and restrict access with roles or HTTP basic authentication.
📐

Syntax

Securing actuator endpoints involves configuring Spring Security and setting properties to control which endpoints are exposed and who can access them.

  • management.endpoints.web.exposure.include: Lists endpoints to expose (e.g., health,info).
  • management.endpoint..enabled: Enables or disables specific endpoints.
  • Spring Security configures HTTP security rules to restrict access.
  • Use httpBasic() or other authentication methods to protect endpoints.
java
spring.security.user.name=admin
spring.security.user.password=secret
management.endpoints.web.exposure.include=health,info

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .authorizeRequests()
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
            .anyRequest().authenticated()
          .and()
          .httpBasic();
    }
}
💻

Example

This example shows a Spring Boot application securing actuator endpoints with HTTP Basic authentication. Only users with role ACTUATOR_ADMIN can access actuator endpoints like /actuator/health.

java
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.core.userdetails.UserDetailsService;

@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    @Bean
    public UserDetailsService users() {
        UserDetails actuatorAdmin = User.withDefaultPasswordEncoder()
            .username("admin")
            .password("secret")
            .roles("ACTUATOR_ADMIN")
            .build();
        return new InMemoryUserDetailsManager(actuatorAdmin);
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
          .authorizeHttpRequests(authz -> authz
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
            .anyRequest().authenticated()
          )
          .httpBasic();
        return http.build();
    }
}
Output
When accessing /actuator/health, the browser prompts for username and password. Entering admin/secret grants access and shows health status JSON. Other endpoints require authentication and role ACTUATOR_ADMIN.
⚠️

Common Pitfalls

  • Not enabling Spring Security causes actuator endpoints to be open by default, risking exposure.
  • Exposing all endpoints with management.endpoints.web.exposure.include=* without restrictions is unsafe.
  • Forgetting to assign roles or configure authorization rules leaves endpoints unprotected.
  • Using plain text passwords in production is insecure; use encrypted passwords or external providers.
java
/* Wrong: Exposes all endpoints without security */
management.endpoints.web.exposure.include=*

/* Right: Expose only health and info, secure with roles */
management.endpoints.web.exposure.include=health,info

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
          .authorizeHttpRequests(authz -> authz
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
            .anyRequest().authenticated()
          )
          .httpBasic();
        return http.build();
    }
}
📊

Quick Reference

  • Expose endpoints: management.endpoints.web.exposure.include=health,info
  • Enable security: Add Spring Security dependency and configure HTTP security.
  • Restrict access: Use roles like ACTUATOR_ADMIN and httpBasic() authentication.
  • Disable unused endpoints: management.endpoint..enabled=false
  • Use strong passwords: Avoid default or plain text passwords in production.

Key Takeaways

Always enable Spring Security to protect actuator endpoints from unauthorized access.
Limit exposed endpoints using management properties to reduce attack surface.
Use role-based access control and HTTP Basic or other authentication methods.
Avoid exposing all endpoints publicly and disable unused ones explicitly.
Use secure password management and avoid default credentials in production.

Related by keyword

Spring Boot vs Spring Framework: Key Differences and When to Use EachSpring Boot vs OtherHow to Use save() Method in Spring Boot with Spring Data JPAJPA and HibernateHow to Create a Spring Boot Project Quickly and EasilyGetting StartedHow to Install Spring Boot: Step-by-Step GuideGetting StartedHow to Run a Spring Boot Application: Simple StepsGetting Started

Up next

How to Use @Slf4j in Spring Boot for LoggingSLF4J vs Logback vs Log4j2 in Spring Boot: Key Differences & UsageHow to Use AOP for Logging in Spring Boot ApplicationsHow to Use AOP for Transaction Management in Spring

More in Actuator

How to Add Actuator to Spring Boot: Simple StepsHow to Create Custom Actuator Endpoint in Spring BootHow to Expose Actuator Endpoints in Spring BootHow to Use Health Endpoint Actuator in Spring Boot