I have a Spring Boot app (2.1.3.RELEASE) secured by JWT, and I want to add an actuator. I added this dependency:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>

This is my config file:

    @Profile("api")
    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter {

        private static final Logger LOG = LoggerFactory.getLogger(ApiWebSecurityConfig.class);

        @Autowired
        private JwtAuthenticationEntryPoint unauthorizedHandler;

        @Autowired
        private JwtTokenUtil jwtTokenUtil;

        @Autowired
        private UserSecurityService userSecurityService;

        @Value("${jwt.header}")
        private String tokenHeader;

        @Value("${server.servlet.context-path}")
        private String serverContextPath;

        /** The encryption SALT. */
        private static final String SALT = "fd&eekj§sfs23#$1*(_)nof";

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(userSecurityService)
                .passwordEncoder(passwordEncoder());
        }

        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder(12, new SecureRandom(SALT.getBytes()));
        }

        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity
                // we don't need CSRF because our token is invulnerable
                .csrf().disable()
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                // don't create session
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                // Un-secure H2 Database
                .antMatchers("/h2-console/**/**").permitAll()
                .antMatchers("/auth/**").permitAll()
                .anyRequest().authenticated();

            // Custom JWT based security filter
            JwtAuthorizationTokenFilter authenticationTokenFilter = new JwtAuthorizationTokenFilter(userDetailsService(), jwtTokenUtil, tokenHeader);
            httpSecurity
                .addFilterBefore(authenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);

            // disable page caching
            httpSecurity
                .headers()
                .frameOptions().sameOrigin() // required to set for H2 else H2 Console will be blank.
                .cacheControl();
        }

        @Override
        public void configure(WebSecurity web) throws Exception {
            // AuthenticationTokenFilter will ignore the below paths
            web
                .ignoring()
                .antMatchers(
                    HttpMethod.POST,
                    "/auth"
                )
                .antMatchers(
                    HttpMethod.GET,
                    "/actuator"
                )
                .antMatchers(
                    HttpMethod.POST,
                    "/reg"
                );
        }
    }

But when I access http://127.0.0.1:8080/myApp/actuator/ in Postman, I get:

    {
        "timestamp": "2019-03-21T16:39:47.877+0000",
        "status": 401,
        "error": "Unauthorized",
        "message": "Unauthorized",
        "path": "/myApp/actuator/"
    }

and HTTP Status 404 – Not Found when accessing http://127.0.0.1:8080/actuator/

By default the URL is:

    http://localhost:8080/actuator

Try changing your config from

    .antMatchers(
        HttpMethod.GET,
        "/actuator"
    )

to

    .antMatchers(
        HttpMethod.GET,
        "/actuator/**"
    )
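
A narrower alternative to ignoring `/actuator/**`, shown as an added example (not code from the question or the answer): a separate filter chain that leaves only the health and info endpoints open and keeps every other actuator endpoint behind the JWT filter. The class name `ActuatorSecurityConfig`, the `@Order(1)` value, the `ACTUATOR` role and passing `userSecurityService` to the filter constructor are assumptions; the other application types are the ones from the question's config.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Profile("api")
@Configuration
@Order(1) // assumption: any value below the default 100, so this chain is consulted before ApiWebSecurityConfig
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired private JwtAuthenticationEntryPoint unauthorizedHandler;
    @Autowired private JwtTokenUtil jwtTokenUtil;
    @Autowired private UserSecurityService userSecurityService;
    @Value("${jwt.header}") private String tokenHeader;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain handles actuator requests only; everything else falls through
            // to the API chain. EndpointRequest follows management.endpoints.web.base-path,
            // so no "/actuator" string is hard-coded here.
            .requestMatcher(EndpointRequest.toAnyEndpoint())
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests()
                // Liveness and build info stay reachable without a token
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                // Any other exposed endpoint (env, beans, ...) needs ROLE_ACTUATOR (assumed role name)
                .anyRequest().hasRole("ACTUATOR")
            .and()
            // Same JWT filter as the API chain, so a bearer token authenticates here too;
            // assumes the filter's first constructor argument is a UserDetailsService
            .addFilterBefore(
                new JwtAuthorizationTokenFilter(userSecurityService, jwtTokenUtil, tokenHeader),
                UsernamePasswordAuthenticationFilter.class);
    }
}
```

With this chain in place, the `/actuator` entry in `web.ignoring()` is no longer needed, because actuator requests never reach the API chain.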