使用JWT安全性启用Spring Boot 2.0执行器端点

Question

First, I'm new to Spring Boot Framework. I have been working on actuator for few days now and was able to set up endpoints to monitor the system. How ever when I integrate JWT for the security all my actuator endpoints got broke.

How can I disable JWT security for actuator endpoints which is on top of spring boot security? Following is my application.yml file properties.

management:
  endpoint:
    metrics:
      enabled: true
  endpoints:
    web:
      exposure:
        include: health, metrics

Answer 1

If you do have dependency on Spring Security you have to configure (disable) it specifically for the /actuator endpoints.

You have to extend WebSecurityConfigurerAdapter as described in the official documentation and permit all access to the desired endpoints. Check out this Spring Boot 2 Security example Disabling actuator security but not user-defined endpoints .

This is how you can disable the security to the actuator endpoints:

@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
            .anyRequest().permitAll()
    }

}

The custom security example is also useful.

Answer 2

Complementing hovanessyan answer, if you are using @EnableResourceServer on your configuration, you also will need add the @Order(-1) annotation to your "ActuatorSecurity" class.

See more here: https://stackoverflow.com/a/50048440/9697259