rewrite-spring icon indicating copy to clipboard operation
rewrite-spring copied to clipboard
verified publisher icon openrewrite

2.4-2.5: Secure Info Endpoint

Open fabapp2 opened this issue 4 years ago • 0 comments

Release Notes The /info actuator endpoint is no longer exposed over the web by default. Additionally, if Spring Security is on the classpath and your application doesn't have a custom security configuration, the endpoint requires authenticated access by default.

Condition

  • org.springframework.boot:spring-boot-actuator is on classpath (MUST)
  • org.springframework.security:spring-security-web is on classpath (OPTIONAL)
  • Does a custom security configuration exist (OPTIONAL)

Description with only actuator on classpath

The scan found org.springframework.boot:spring-boot-actuator on the classpath. The actuator /info endpoint is no longer exposed over the web by default. If the /info endpoint needs to be accessible over the web you'll need to declare it as exposed over web. See Exposing Endpoints. Neither Spring Security nor a security configuration was found. You should take care to secure HTTP endpoints in the same way that you would any other sensitive URL. See Securing HTTP Endpoints for further information.

If you used the /info endpoint for health-checks you might consider using the /health endpoint instead.

Description with actuator and security on classpath without custom security configuration

The scan found org.springframework.boot:spring-boot-actuator and org.springframework.security:spring-security-core-* on the classpath but no custom security configuration.

The actuator /info endpoint is no longer exposed over the web by default. If the /info endpoint needs to be accessible over the web you'll need to declare it as exposed over web. See Exposing Endpoints.

No security configuration was found and the /info endpoint now requires authenticated access by default using basic authentication with the default user named user and the random password that's logged at startup, see Security for further information.

If you want to change the authentication bahaviour you can provide a custom security config for the /info endpoint. This also allows you to preserve the old behaviour by deactivating authentication in the custom security config. See Securing HTTP Endpoints for further information.

If you used the /info endpoint for health-checks you might consider using the /health endpoint instead.

Description with actuator and security on classpath with custom security configuration

The scan found org.springframework.boot:spring-boot-actuator and org.springframework.security:spring-security-core-* on the classpath and custom security configuration(s) in these classes [list of security configurations]. The actuator /info endpoint is no longer exposed over the web by default. If the /info endpoint needs to be accessible over the web you'll need to declare it as exposed over web. See Exposing Endpoints. Spring security and a custom security configuration was found. You should take care to provide a security configuration for the /info endpoint. See Securing HTTP Endpoints for further information.

If you used the /info endpoint for health-checks you might consider using the /health endpoint instead.

fabapp2 avatar Jan 12 '22 13:01 fabapp2