
/livez and /readyz are shut down when Spring Security is on the classpath and CloudPlatform is CLOUD_FOUNDRY

Open · dsyer opened this issue 1 year ago · 1 comment

The /actuator/health/{liveness,readiness} endpoints and /actuator/health are open.

I think /livez and /readyz stay locked even when CloudPlatform is NONE and management.endpoint.health.probes.enabled=true (but /actuator/health/* is open). A related but different problem?

dsyer · May 31 '24 07:05

The default Actuator web security permits all for requests to the health endpoint:

https://github.com/spring-projects/spring-boot/blob/fa131fa6a0dbab704597ea15e3d88d763ee3d027/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java#L63

If we want livez and readyz to be open by default as well, we'll have to decide if that should be covered by the matcher returned by EndpointRequest.to(HealthEndpoint.class) or if the additional paths should be covered separately.

If we do make a change here, I think it should only happen in a new minor. I wouldn't want to open up livez and readyz by default in a patch release.

wilkinsona · May 31 '24 08:05
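One way of covering the additional paths separately, as the comment above describes, is shown in this added example (not code from the issue or from Spring Boot itself): a servlet SecurityFilterChain that permits EndpointRequest.to(HealthEndpoint.class), exactly as the default ManagementWebSecurityAutoConfiguration does, and additionally permits /livez and /readyz while keeping everything else authenticated. It assumes management.endpoint.health.probes.add-additional-paths=true is set so that the probe paths are exposed on the main server port, and uses a hypothetical package name com.example.probes.

```java
// Added example, not code from the issue or from Spring Boot. Defining this
// SecurityFilterChain bean makes the default Actuator security chain back off,
// so the health endpoint permission granted by default has to be restated here.
package com.example.probes; // hypothetical package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class ProbeSecurityConfiguration {

    @Bean
    SecurityFilterChain probeSecurityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((requests) -> requests
                // Same permission the default configuration grants: /actuator/health
                // and /actuator/health/{liveness,readiness} are open.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // /livez and /readyz (exposed on the main port when
                // management.endpoint.health.probes.add-additional-paths=true) are
                // plain request paths that the endpoint matcher above does not
                // cover, so they are permitted separately.
                .requestMatchers("/livez", "/readyz").permitAll()
                // Every other request, including the remaining actuator endpoints,
                // still requires authentication.
                .anyRequest().authenticated());
        http.httpBasic(Customizer.withDefaults());
        http.formLogin(Customizer.withDefaults());
        return http.build();
    }

}
```

If the management context runs on a separate port, the probe paths can still be served on the main port, which is why the second matcher is kept independent of the endpoint matcher.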

We also need to update ReactiveManagementWebSecurityAutoConfiguration. Looking at the code, I don't think we can just change EndpointRequest.to(HealthEndpoint.class) since AdditionalHealthEndpointPath can be exposed on the main port when the management context is on a different one.

philwebb · Sep 13 '24 23:09