Spring Boot - Only secure actuator endpoints

Question

I'm using Spring Boot ( 1.3.0 ) with Jersey (pom dependencies: spring-boot-starter-jersey , spring-boot-starter-actuator , spring-boot-starter-web , spring-boot-starter-security ).

I have a Jersey endpoint (see below) which is really simple:

@Component
@Path("/helloworld")
public class HelloWorldResource {

    @GET
    public String home() {
        return "Hello World !";
    }
}

I have enabled Spring Boot Actuator by setting a particular path for Spring MVC url ( server.servlet-path=/system ), as explained in Spring Boot guide .
Thanks to spring-boot-starter-security , Actuator endpoints are secured via basic authentification.

My problem here is that /helloworld is also secured, but I would like to leave it unsecured.

How can I do that ?

Thanks !

Answer 1

You have to configure the settings in yaml/properties file like below -

server:
  port: 8080
  context-path: /MyApplication

security:
   user:
       name: admin
       password: secret
   basic:
       enabled: false

management:
   context-path: /actuator
   security:
             enabled: true

So, for your application security is disabled but is enabled for actuator endpoints. Make sure you don't configure username/password under management security otherwise it will not work.

Answer 2

You can add security.user.name property together with management.security.role to your configuration such as application.properties or configuration from spring cloud config center and search the random password in startup logs. Of course ,you can also add password in bootstrap.yml to use what you are specified.