
Spring Security - Custom Authentication Provider and HTTP Basic for Actuator Endpoints

I've got a running Spring Boot application (Spring Boot v2.4.1) and I would like to monitor it using Spring Boot Admin.

I have already set up the server and I can monitor the instance of my application with the /actuator/ endpoint not secured. I have a permitAll() on it.

Now I'd like to secure it, but I do not know how to do it without messing with my current security configuration.

I have Spring Security configured to match username and password from a DB and with a CustomAuthenticationProvider. If possible, I would like to add the Actuator endpoints with HTTP Basic authentication.

This is my current security config:

            .antMatchers("/user/**").hasAnyAuthority(AUTHORITY_ADMIN, AUTHORITY_USER)
            .successHandler(new CustomUrlAuthenticationSuccessHandler(translator))

I would like to keep that configuration and also tell Spring that whenever a user hits the /actuator/ endpoint, it will require HTTP Basic security credentials.

I was thinking of having two @Configuration classes, extending WebSecurityConfigurerAdapter. One would be the one I've already got and the other one for the actuator endpoints. But I had no luck with it.

Thank you

Thank you very much


  • This is how I solved it: I created a new @Configuration class extending WebSecurityConfigurerAdapter.

    I was unable to stop using WebSecurityConfigurerAdapter (as suggested by @Marcus-Hert-da-Coregio in the comments) because if I do not extend it I was not able to define my custom AuthenticationProvider.

    This class has @Order(1) so it would take precedence over my other initial configuration (which I set to @Order(2)). And this is its content:

        protected void configure(HttpSecurity http) throws Exception {

    Then my custom AuthenticationProvider will verify if the given credentials for accessing the actuator endpoints are valid.

    Additional information

    The reason why this failed the first time I tested it was that I was not setting the initial


    By adding it I was telling Spring Security that this configuration should only be applied to those endpoints. I got that notion from this article.

    I hope this helps someone in the future
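
One way to write the actuator-only configuration the answer describes, shown as an added example rather than the answerer's own code. It assumes a single AuthenticationProvider bean (the custom provider), the default /actuator base path, and a hypothetical authority name ACTUATOR_ADMIN.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@Order(1) // evaluated before the existing form-login configuration, which gets @Order(2)
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical authority name; use whatever the custom provider grants to monitoring accounts.
    private static final String AUTHORITY_ACTUATOR = "ACTUATOR_ADMIN";

    // Assumption: the custom AuthenticationProvider is the only bean of this type.
    private final AuthenticationProvider customAuthenticationProvider;

    public ActuatorSecurityConfig(AuthenticationProvider customAuthenticationProvider) {
        this.customAuthenticationProvider = customAuthenticationProvider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // HTTP Basic credentials are verified by the same custom provider as the form login.
        auth.authenticationProvider(customAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Scope this filter chain to the actuator paths only. Without this
            // matcher the @Order(1) chain would match every request and the
            // @Order(2) configuration would never be consulted.
            .antMatcher("/actuator/**")
            .authorizeRequests()
                // Require a dedicated authority, not just any authenticated user.
                .anyRequest().hasAuthority(AUTHORITY_ACTUATOR)
                .and()
            .httpBasic()
                .and()
            // Do not create a session for monitoring calls; each request carries credentials.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```

CSRF protection stays enabled in this chain, so state-changing requests to actuator endpoints need a CSRF token or an explicit exemption limited to this path.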