Securing Actuator and Spring Boot Admin
This section covers how to secure your Spring Boot Actuator endpoints and how to effectively monitor them visually using Spring Boot Admin.
Securing Actuator Endpoints
Actuator endpoints expose sensitive information about your application's internals, such as memory usage, environment variables, bean configurations, and more. Because of this, it is critical to secure these endpoints in a production environment.
You can secure Actuator endpoints just like any other endpoint in your application by leveraging Spring Security.
1. Add Spring Security Dependency
If your application doesn't already use Spring Security, add it to your pom.xml:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
2. Configure Endpoint Security
You can configure a SecurityFilterChain bean to restrict access to the /actuator/** paths. A common approach is to allow only users with a specific role, such as ADMIN, to reach these endpoints.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/**").hasRole("ADMIN") // Restrict to ADMIN role
                .anyRequest().permitAll() // Adjust based on your app's needs
            )
            // HTTP Basic authentication; the no-arg httpBasic() is deprecated in Spring Security 6.1+
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
By ensuring these endpoints are properly secured, you prevent malicious actors from gaining detailed insight into your system's architecture and runtime state.
Viewing Actuator Data in Spring Boot Admin
While the JSON returned by Actuator endpoints is useful for automated monitoring systems, it is hard for humans to read and analyze at a glance. Spring Boot Admin is an open-source project by Codecentric that provides a web user interface for managing and monitoring Spring Boot applications.
1. Setting Up the Spring Boot Admin Server
Spring Boot Admin operates on a client-server architecture. First, you need to create a dedicated Spring Boot application to serve as the Admin Server.
Add the Spring Boot Admin Server dependency to a new Spring Boot project:
<dependency>
    <groupId>de.codecentric</groupId>
    <artifactId>spring-boot-admin-starter-server</artifactId>
</dependency>
Enable the server by adding the @EnableAdminServer annotation to your main application class:
import de.codecentric.boot.admin.server.config.EnableAdminServer;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
@EnableAdminServer
public class AdminServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(AdminServerApplication.class, args);
    }
}
2. Registering a Client Application
To monitor your actual application (the client), you must register it with the Admin Server.
In your client application's pom.xml, add the Admin Client dependency:
<dependency>
    <groupId>de.codecentric</groupId>
    <artifactId>spring-boot-admin-starter-client</artifactId>
</dependency>
Finally, configure the client to communicate with the Admin Server by updating your application.properties (or application.yml):
# URL of your Spring Boot Admin Server
spring.boot.admin.client.url=http://localhost:8080
# Expose the actuator endpoints over HTTP so the Admin Server can read them.
# "*" exposes every endpoint, so the security configuration above must be in place on the client.
management.endpoints.web.exposure.include=*
Once correctly configured, you can open the Admin Server UI in your browser to view real-time metrics, log files, JVM statistics, and more for all registered client applications.