Expose full health details to unauthorized user without disabling management security #8912

Closed
berinle opened this issue Apr 17, 2017 · 6 comments
Labels: status: duplicate (A duplicate of another issue)

berinle commented Apr 17, 2017

Currently, the health endpoint of an app reports only { "status": "UP" } when all is ok or { "status": "DOWN" } when one or more things aren't ok. Per the docs, there seems to be no way to expose the full health information to unauthenticated users without fully disabling security of management endpoints. It will be great if the full details of the health endpoint can be exposed to an unauthenticated user without having to leave the whole management endpoints open.

endpoints.health.sensitive=false
management.security.enabled=false
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 17, 2017
Contributor

mbhave commented Apr 17, 2017

@berinle I think adding another flag for "secure" might be confusing. We can improve the behavior in 2.0, maybe by providing a nested path for accessing the full status such as health/full, instead of having two modes for /health which leads to a complicated security model. For 1.5, we can add a @ConditionalOnMissingBean to the existing HealthMvcEndpoint autoconfiguration. This will allow you to add a bean for the HealthMvcEndpoint in your configuration class. It would look something like this:

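import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import org.springframework.boot.actuate.endpoint.HealthEndpoint;
import org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint;
import org.springframework.context.annotation.Bean;

// Replaces the auto-configured HealthMvcEndpoint with one that always returns full details.
@Bean
public HealthMvcEndpoint exposeDetailsHealthMvcEndpoint(HealthEndpoint delegate) {
	return new HealthMvcEndpoint(delegate) {

		@Override
		protected boolean exposeHealthDetails(HttpServletRequest request,
				Principal principal) {
			// Every caller, authenticated or not, gets the full health details.
			return true;
		}

	};
}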

Does that sound reasonable?

@mbhave mbhave added the status: waiting-for-feedback We need additional information before we can continue label Apr 17, 2017
@mbhave mbhave self-assigned this Apr 17, 2017
Author

berinle commented Apr 17, 2017

I agree @mbhave. It will be a bit convoluted to add an additional secure flag. Your recommendations sound reasonable to me.

Thanks!

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 17, 2017
@mbhave mbhave added type: enhancement A general enhancement theme: security and removed status: feedback-provided Feedback has been provided status: waiting-for-triage An issue we've not yet triaged labels Apr 17, 2017
Author

berinle commented May 24, 2017

@mbhave Good morning. Any update on this? Is it in any way possible to override the current HealthMvcEndpoint without a substantial rewrite while I await a fix/workaround? Also, if that is possible, can you please share a snippet similar to the one you provided above to get me going? Thanks!

Contributor

mbhave commented May 24, 2017

@berinle The above snippet will override the current HealthMvcEndpoint. As of 1.5.3, the HealthMvcEndpoint bean created by default is @ConditionalOnMissingBean so adding your own bean that always exposes health details should do what you want.

Author

berinle commented May 25, 2017

@mbhave Thanks! Works great after I upgraded to 1.5.3.

Contributor

mbhave commented May 25, 2017

Closing as duplicate of #5750.

@mbhave mbhave closed this as completed May 25, 2017
@mbhave mbhave added status: duplicate A duplicate of another issue and removed priority: normal type: enhancement A general enhancement labels May 25, 2017
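
Added example, not part of the thread or the project's own code: a narrower variant of the override discussed above that keeps the stock authorization rule and additionally exposes full health details only to callers from listed source ranges, since the details can reveal internals of the application. It assumes Spring Boot 1.5.3 or later (per the thread) with Spring Security on the classpath; the class name, bean name and address ranges are constructed placeholders.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.actuate.endpoint.HealthEndpoint;
import org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

@Configuration
public class HealthDetailsConfiguration {

	// Constructed sample ranges (assumption): replace with your monitoring network.
	private static final List<IpAddressMatcher> TRUSTED_SOURCES = Arrays.asList(
			new IpAddressMatcher("127.0.0.1"),
			new IpAddressMatcher("10.20.0.0/24"));

	@Bean
	public HealthMvcEndpoint restrictedDetailsHealthMvcEndpoint(HealthEndpoint delegate) {
		return new HealthMvcEndpoint(delegate) {

			@Override
			protected boolean exposeHealthDetails(HttpServletRequest request,
					Principal principal) {
				// Keep the stock rule first: authorized callers still get details.
				if (super.exposeHealthDetails(request, principal)) {
					return true;
				}
				// Otherwise expose details only to callers on the trusted ranges.
				// The matcher checks request.getRemoteAddr(), i.e. the direct peer;
				// behind a reverse proxy that is the proxy's own address.
				for (IpAddressMatcher source : TRUSTED_SOURCES) {
					if (source.matches(request)) {
						return true;
					}
				}
				// Everyone else still receives only the aggregate status.
				return false;
			}
		};
	}
}
```

Callers outside the listed ranges continue to see only the aggregate status, and the other management endpoints stay behind management security.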