Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Health endpoint additional paths are not available by default when Spring Security is used #40962

Closed
dsyer opened this issue May 31, 2024 · 2 comments
Closed

Health endpoint additional paths are not available by default when Spring Security is used #40962

dsyer opened this issue May 31, 2024 · 2 comments
Assignees
@philwebb
Labels
type: bug A general bug
Milestone
3.4.0-M3

Comments

@dsyer
Copy link
Member

dsyer commented May 31, 2024
edited
Loading

The /actuator/health/{liveness,readiness} endpoints and /actuator/health are open.

I think /livez and /readyz stay locked even when CloudPlatform is NONE and management.endpoint.health.probes.enabled=true (but /actuator/health/* is open). A related but different problem?
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 31, 2024
@wilkinsona
Copy link
Member

The default Actuator web security permits all for requests to the health endpoint:

spring-boot/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java

Line 63 in fa131fa

requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll();

If we want livez and readyz to be open by default as well, we'll have to decide if that should be covered by the matcher returned by EndpointRequest.to(HealthEndpoint.class) or if the additional paths should be covered separately.

If we do make a change here, I think it should only happen in a new minor. I wouldn't want to open up livez and readyz by default in a patch release.

@wilkinsona wilkinsona added the for: team-meeting An issue we'd like to discuss as a team to make progress label May 31, 2024
@philwebb philwebb added type: bug A general bug and removed type: bug A general bug status: waiting-for-triage An issue we've not yet triaged labels Jun 17, 2024
@philwebb philwebb self-assigned this Jun 17, 2024
@philwebb philwebb added type: bug A general bug and removed for: team-meeting An issue we'd like to discuss as a team to make progress labels Jun 17, 2024
@philwebb philwebb modified the milestones: 3.2.x, 3.3.x, 3.4.x Jun 17, 2024
@philwebb
Copy link
Member

We also need to updated ReactiveManagementWebSecurityAutoConfiguration. Looking at the code, I don't think we can just change EndpointRequest.to(HealthEndpoint.class) since AdditionalHealthEndpointPath can be exposed on main port when the management context is on a different one.

@philwebb philwebb added the status: pending-design-work Needs design work before any code can be developed label Sep 13, 2024
@philwebb philwebb changed the title /livez and /readyz are shut down when Spring Security is on the classpath and CloudPlatform is CLOUD_FOUNDRY Health endpoint additional paths are not available by default when Spring Security is used Sep 18, 2024
@philwebb philwebb modified the milestones: 3.4.x, 3.4.0-M3 Sep 19, 2024
@philwebb philwebb removed the status: pending-design-work Needs design work before any code can be developed label Sep 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@philwebb philwebb

Labels
type: bug A general bug
Projects
None yet
Milestone
3.4.0-M3
Development

No branches or pull requests
4 participants
@dsyer @philwebb @wilkinsona @spring-projects-issues