GhostProgrammer - Jeff Miller

Team to Create Outside the Box

Spring

Securing Your Spring Boot Actuator Endpoints: A Comprehensive Guide

ByJeffery Miller

Apr 15, 2025

Spring Boot Actuator provides invaluable insights into the inner workings of your running application. From health checks and metrics to thread dumps and environment details, these endpoints are crucial for monitoring and managing your application in production. However, exposing them without proper security can open doors to malicious actors, potentially revealing sensitive information or allowing unauthorized control.

This article will guide you through various methods to secure your Spring Boot Actuator endpoints, ensuring only authorized personnel can access this critical data.

Why Secure Actuator Endpoints?

Consider the potential risks of leaving your actuator endpoints unprotected:

  • Information Disclosure: Endpoints like /env, /configprops, and /beans can expose sensitive configuration details, environment variables (potentially including API keys and passwords), and the application’s bean definitions.
  • Operational Interference: Endpoints like /shutdown (if enabled) could allow unauthorized termination of your application. Endpoints like /threaddump might reveal internal execution details that could be exploited.
  • Metrics Manipulation: While less direct, access to metrics endpoints could be used to infer system load or even potentially influence application behavior in sophisticated attacks.

Therefore, implementing robust security measures for your Spring Boot Actuator endpoints is paramount for maintaining the confidentiality, integrity, and availability of your application.

Common Security Approaches

Spring Security is the de facto standard for securing Spring applications, and it offers several ways to protect your actuator endpoints. Let’s explore the most common approaches:

1. Basic HTTP Authentication

Basic authentication is a simple, widely supported mechanism that involves sending a username and password with each request.

  • Implementation: Add the Spring Security dependency to your pom.xml or build.gradle:

<dependency>

<groupId>org.springframework.boot</groupId>

<artifactId>spring-boot-starter-security</artifactId>

</dependency>

“`

```gradle
// Gradle
implementation 'org.springframework.boot:spring-boot-starter-security'
```
  • Configuration (in application.properties or application.yml): Propertiesmanagement.security.enabled=true management.security.http.basic.enabled=true management.security.http.basic.realm=Actuator spring.security.user.name=actuator spring.security.user.password=securepassword
    • management.security.enabled=true: Enables security for management endpoints (Actuator).
    • management.security.http.basic.enabled=true: Enables HTTP Basic authentication for management endpoints.
    • management.security.http.basic.realm=Actuator: Sets the realm for the authentication challenge.
    • spring.security.user.name and spring.security.user.password: Define the username and password for accessing the endpoints. Remember to use strong, unique passwords in production.
  • Pros: Easy to implement and widely understood.
  • Cons: Sends credentials in Base64 encoding with every request, which is not inherently secure over non-HTTPS connections. Should always be used in conjunction with HTTPS.

2. Custom Spring Security Configuration

For more fine-grained control, you can define custom Spring Security rules specifically for your actuator endpoints.

  • Implementation: Create a Spring Security configuration class: Javaimport org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; @Configuration public class ActuatorSecurityConfig { @Bean public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception { http .securityMatcher(EndpointRequest.toAnyEndpoint()) .authorizeHttpRequests(requests -> requests .requestMatchers(EndpointRequest.to( "health", // Allow unauthenticated access to health "info" // Allow unauthenticated access to info )).permitAll() .anyRequest().authenticated() ) .httpBasic(); return http.build(); } @Bean public InMemoryUserDetailsManager userDetailsService() { UserDetails user = User.withDefaultPasswordEncoder() .username("actuator") .password("securepassword") .roles("ACTUATOR") .build(); return new InMemoryUserDetailsManager(user); } }
  • Explanation:
    • securityMatcher(EndpointRequest.toAnyEndpoint()): This ensures these security rules only apply to Actuator endpoints.
    • authorizeHttpRequests(...): Defines authorization rules for requests.
    • requestMatchers(EndpointRequest.to("health", "info")).permitAll(): Allows unauthenticated access to the /health and /info endpoints, which is often desirable for basic monitoring.
    • anyRequest().authenticated(): Requires authentication for all other Actuator endpoints.
    • .httpBasic(): Enables HTTP Basic authentication.
    • InMemoryUserDetailsManager: This example uses an in-memory user store for simplicity. In a real application, you would typically integrate with a more robust user management system (e.g., JDBC, LDAP).
  • Pros: Provides granular control over endpoint access, allows whitelisting specific endpoints for public access.
  • Cons: Requires more configuration than basic authentication.

3. Role-Based Access Control

You can further enhance security by assigning roles to users and granting access to specific actuator endpoints based on those roles.

  • Implementation: Extend the custom Spring Security configuration from the previous example: Javaimport org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; @Configuration public class ActuatorSecurityConfig { @Bean public SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception { http .securityMatcher(EndpointRequest.toAnyEndpoint()) .authorizeHttpRequests(requests -> requests .requestMatchers(EndpointRequest.to("health", "info")).permitAll() .requestMatchers(EndpointRequest.to("metrics", "threaddump")).hasRole("MONITOR") .requestMatchers(EndpointRequest.to("env", "configprops", "beans")).hasRole("ADMIN") .anyRequest().authenticated() ) .httpBasic(); return http.build(); } @Bean public InMemoryUserDetailsManager userDetailsService() { UserDetails monitorUser = User.withDefaultPasswordEncoder() .username("monitor") .password("monitorpassword") .roles("MONITOR") .build(); UserDetails adminUser = User.withDefaultPasswordEncoder() .username("admin") .password("adminpassword") .roles("ADMIN", "ACTUATOR") // Assuming ACTUATOR role is needed for basic access .build(); return new InMemoryUserDetailsManager(monitorUser, adminUser); } }
  • Explanation:
    • .requestMatchers(EndpointRequest.to("metrics", "threaddump")).hasRole("MONITOR"): Only users with the “MONITOR” role can access these endpoints.
    • .requestMatchers(EndpointRequest.to("env", "configprops", "beans")).hasRole("ADMIN"): Only users with the “ADMIN” role can access these more sensitive endpoints.
    • The InMemoryUserDetailsManager now creates users with specific roles.
  • Pros: Enforces the principle of least privilege, allowing you to grant specific access based on user roles.
  • Cons: Requires careful planning of roles and permissions.

4. Network-Level Security

While application-level security is crucial, don’t overlook network-level security measures:

  • Firewall Rules: Configure your firewall to restrict access to the actuator endpoints to only trusted IP addresses or networks. This adds an extra layer of defense.
  • Internal Network Access: If your monitoring tools are within your internal network, consider making the actuator endpoints only accessible from within that network.

5. Disabling Sensitive Endpoints (If Not Needed)

If you don’t require certain sensitive endpoints in your production environment, you can disable them altogether:

  • Configuration (in application.properties or application.yml): Propertiesmanagement.endpoint.env.enabled=false management.endpoint.configprops.enabled=false management.endpoint.shutdown.enabled=false
  • Pros: Reduces the attack surface by eliminating potentially risky endpoints.
  • Cons: Limits the available monitoring and management information.

Best Practices and Considerations

  • Always Use HTTPS: Regardless of the authentication method you choose, ensure your application is running over HTTPS to encrypt the communication, including the authentication credentials.
  • Strong Passwords: Use strong, unique passwords for any form of authentication. Avoid default or easily guessable passwords.
  • Principle of Least Privilege: Grant only the necessary access to each user or role.
  • Regularly Review Security Configuration: As your application evolves, periodically review your security configurations to ensure they remain appropriate and effective.
  • Externalized Configuration: Avoid hardcoding sensitive credentials directly in your application code. Use environment variables, configuration servers (like Spring Cloud Config), or secrets management tools.
  • Audit Logging: Implement audit logging to track access attempts to your actuator endpoints, which can be valuable for security monitoring and incident response.
  • Consider Security Headers: Implement security headers like X-Content-Type-Options, Strict-Transport-Security, and X-Frame-Options to further harden your application.

Conclusion

Securing your Spring Boot Actuator endpoints is a critical aspect of production readiness. By implementing appropriate authentication and authorization mechanisms, leveraging network-level security, and following best practices, you can significantly reduce the risk of unauthorized access and protect sensitive information about your application. Choose the security approach that best fits your application’s requirements and security posture, and remember that a layered security approach provides the most robust protection.

Discover more from GhostProgrammer - Jeff Miller

Subscribe to get the latest posts sent to your email.

By Jeffery Miller

I am known for being able to quickly decipher difficult problems to assist development teams in producing a solution. I have been called upon to be the Team Lead for multiple large-scale projects. I have a keen interest in learning new technologies, always ready for a new challenge.

Related Post

Spring

Architecting with Spring and Spring Cloud

May 9, 2025 Jeffery Miller
Spring

Centralized API Documentation with Spring Gateway and Springdoc

Apr 24, 2025 Jeffery Miller
Spring

Beyond the Basics: Optimizing Your Spring Boot Applications for Performance – Fine-tune your application for speed and efficiency.

Jan 29, 2025 Jeffery Miller

You missed

Spring Events

Tracking User Lifecycle: Capturing Login, Failed Login, and Signup Events in Spring Authorization Server

May 13, 2025 Jeffery Miller
Java Extras

ANSI Colors simpler

May 12, 2025 Jeffery Miller
Spring Discovery

Discovery First Bootstrap

May 12, 2025 Jeffery Miller
Spring Discovery

Spring Boot Admin Server with Spring Cloud Discovery

May 12, 2025 Jeffery Miller