I want to enable the actuator's "logging" endpoint on a production environment. If I can use it on the production environment, I can check the logging configuration on the Spring-Boot-Admin server.
But if I enable it, LoggersEndpoint accepts configuration overwrite request. When it's rewritable, it causes the security issue.
Is there any way to deny "#WriteEndpoint" request on the "loging" endpoint?
What you can do is to secure your endpoints by spring security otherwise,the only option is to disable the logger endpoint like below.
management.endpoint.loggers.enabled=false
Related
I am using spring security in my microservice application, I also have actuator endpoint in place. Whenever I try to deploy my microservice and access the /actuator/prometheus URL it shows me the dialog box to enter Username and password. I want this to remove .
As described in the documentation (section named "Security")
If you deploy applications behind a firewall, you may prefer that all
your actuator endpoints can be accessed without requiring
authentication. You can do so by changing the
management.endpoints.web.exposure.include property, as follows:
management.endpoints.web.exposure.include=*
The old spring security oauth can do this by spring-security-oauth2-autoconfigure
How can it be implemented using the latest spring security 5.7.x?
It seems that you have to create separate authorization server, resource server, and client...unlike the previous, you just have to enable configuration for authorization and resource server
But I am curious if there is a way to do libe the old way?
I discover this on my own.
Both the authorization and resource server can be in 1 springboot app and both can use same port.
It is the security configuration filter chain that you have to restrict both the "/login", "/oauth2/authorize"
Authorization server configuration is configured the basic way and so is the Resource server.
I have an authorization server and resource server contained under one single spring boot application. I only want to enable the password flow.
I believe that would mean I only need the /oauth/token endpoint, however my swagger UI is configured to autofind all endpoints and shows:
authorization-endpoint(/oauth/authorize)
check-token-endpoint (/oauth/check_token)
token-endpoint (/oauth/token)
whitelabel-approval-endpoint (/oauth/confirm_access)
whitelabel-error-endpoint (/oauth/error)
As per the spring-security-oauth2-boot src code:
Spring Security access rule for the check token endpoint (e.g. a SpEL expression like "isAuthenticated()") . Default is empty, which is interpreted as "denyAll()" (no access).
This is the same for the token key endpoint.
If all access is denied to this endpoint by default and I am not changing them, should I turn them off completely/is there a way. Also, if i cannot disable them, can i disable them in the swagger docs auto configure to reduce clutter?
I'm trying to set up a sample application using spring boot admin (both server + client side) and have run into an issue with authentication.
When spring security is enabled on the management/actuator endpoints on the client side the spring-boot-admin server does not seem able to communicate with the client -- logging in to the Admin interface via a Web browser results in a continuous loop of authentication windows popping up and prompting for usernames/passwords. Hitting cancel will display an HTTP 401 error on the page.
Here's a configuration that works on the client side:
management.security.enabled=false
security.basic.enabled=true
security.user.name=test
security.user.password=test
spring.boot.admin.url=http://localhost:9081/admin
spring.boot.admin.username=admin
spring.boot.admin.password=admin
This will:
Disable security for spring-boot's management/actuator resource
Enable security for all other resources (HTTP basic auth - user: test, password: test)
Register the spring-admin client on startup using the url http://localhost:9081/admin (HTTP basic auth - user: admin, password:admin)
I'm guessing the spring boot admin app doesn't support communication with secured clients because I don't see any configuration properties that would allow the information to be passed in upon client registration.
Has anyone got around this limitation and if so, how? I'd rather not leave the actuator endpoints "open to the public" so-to-speak, even though they are actually just exposed on the company's internal network.
There is no security feature included since the various solutions look very different. But I've put up some examples: https://github.com/joshiste/spring-boot-admin-samples
In our setup Zuul should act as router for our Microservices. This means that also CORS OPTIONS request should be routed to our Microservices (noone else knows about the correct CORS settings...).
How to setup Spring-Boot/Spring-MVC/Zuul that it routes the CORS to the microservices?
There are many Answers around how to enable and how to configure cors. But they aim on how to enable CORS or "allow every domain". There is no answer how to disable the CORS handling on a Spring-Boot with Zuul setup.
The Problem is that Spring-Boot in its autoconfiguration hijacks the CORS OPTIONS requests and isn't forwarding it to the zuul part. To disable the CORS Filter just put this into your application properties or yml.
spring.mvc.dispatch-options-request=true
Now the CORS Requests are forwarded to your microservices.