What is Spring Actuator?

Spring Boot Actuator is a submodule of Spring Boot that provides production-ready features to help you monitor and manage your application. It exposes various REST endpoints to monitor metrics, health, and application-specific configurations.

Key Features of Spring Boot Actuator:

Health Checks: Check the status of application components.
Metrics: Monitor application performance metrics like memory usage, garbage collection, etc.
Environment Details: Inspect environment properties, system properties, and configurations.
Custom Endpoints: Define your own endpoints to expose application-specific information.
Integration: Easily integrates with monitoring tools like Prometheus, Grafana, etc.

How to Enable Spring Boot Actuator?

1. Add Dependency

Add the spring-boot-starter-actuator dependency in your pom.xml file:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

2. Expose Actuator Endpoints

By default, only the /actuator/health and /actuator/info endpoints are exposed. To expose more endpoints, configure them in application.properties or application.yml.

application.properties:

management.endpoints.web.exposure.include=*

application.yml:

management:
  endpoints:
    web:
      exposure:
        include: "*"

Common Actuator Endpoints

Endpoint	Description
`/actuator/health`	Displays the health of the application.
`/actuator/info`	Displays arbitrary application info.
`/actuator/metrics`	Provides application performance metrics.
`/actuator/env`	Exposes environment properties.
`/actuator/loggers`	Manage application logging levels.
`/actuator/httptrace`	Displays HTTP request traces.

How to Secure Actuator Endpoints?

By default, Actuator endpoints are public. It’s critical to secure them, especially in production environments. Below are different ways to secure these endpoints:

1. Use Spring Security

Add Spring Security to your application to secure Actuator endpoints.

Add Dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Define Security Configuration:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .requestMatchers("/actuator/health", "/actuator/info").permitAll() // Allow health and info
                .requestMatchers("/actuator/**").authenticated() // Protect other endpoints
                .and()
            .httpBasic(); // Use HTTP Basic authentication for simplicity

        return http.build();
    }
}

Set Credentials (in application.properties):

spring.security.user.name=admin
spring.security.user.password=admin123

2. Restrict Access to Specific Roles

To allow only specific roles to access Actuator endpoints, configure role-based access.

Update Security Configuration:

http
    .authorizeRequests()
        .requestMatchers("/actuator/health", "/actuator/info").permitAll()
        .requestMatchers("/actuator/**").hasRole("ADMIN") // Allow only ADMIN role
        .and()
    .httpBasic();

3. Use IP Whitelisting

You can restrict access to Actuator endpoints by allowing requests only from specific IP addresses.

Security Configuration for IP Whitelisting:

import org.springframework.security.web.util.matcher.IpAddressMatcher;

http
    .authorizeRequests()
        .requestMatchers("/actuator/**").access("hasIpAddress('192.168.1.100')") // Replace with your IP
        .and()
    .httpBasic();

4. Custom Security for Each Endpoint

You can secure each endpoint differently using the management.endpoint.<endpoint>.enabled property.

Example:

management.endpoint.health.enabled=true
management.endpoint.info.enabled=true
management.endpoint.env.enabled=false

Alternatively, secure individual endpoints programmatically:

http
    .authorizeRequests()
        .requestMatchers("/actuator/health").permitAll()
        .requestMatchers("/actuator/metrics").hasRole("METRICS_ADMIN")
        .and()
    .httpBasic();

5. Disable Unnecessary Endpoints

To minimize the attack surface, disable unnecessary Actuator endpoints.

Example:

management.endpoints.web.exposure.exclude=beans,loggers,httptrace

Example: Full Actuator Security Configuration

Here’s a comprehensive configuration for securing Actuator endpoints in a Spring Boot application:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // Disable CSRF for simplicity
            .authorizeRequests()
                .requestMatchers("/actuator/health", "/actuator/info").permitAll() // Allow public access to health and info
                .requestMatchers("/actuator/**").hasRole("ADMIN") // Secure other endpoints with ADMIN role
                .and()
            .httpBasic(); // Use HTTP Basic authentication

        return http.build();
    }
}

Best Practices for Securing Actuator

Minimal Exposure: Expose only the endpoints you need.
Authentication and Authorization: Require authentication for all sensitive endpoints.
Role-Based Access Control: Use roles to control access to different endpoints.
IP Restriction: Restrict access to trusted IPs for critical endpoints.
Monitoring Tools: Integrate with monitoring tools (e.g., Prometheus, Grafana) over secure connections.
Disable Unnecessary Endpoints: Disable endpoints you don’t need to reduce the attack surface.

Testing Actuator Security

Access endpoints like /actuator/health or /actuator/info in a browser.
Use tools like Postman or curl to test endpoints with credentials.

Example:

curl -u admin:admin123 http://localhost:8080/actuator/metrics

By following these practices and configurations, you can effectively secure Spring Boot Actuator endpoints in your microservices-based application.

Spring Actuator

What is Spring Actuator?

Spring Boot Actuator is a submodule of Spring Boot that provides production-ready features to help you monitor and manage your application. It exposes various REST endpoints to monitor metrics, health, and application-specific configurations.

Key Features of Spring Boot Actuator:

How to Enable Spring Boot Actuator?

1. Add Dependency

2. Expose Actuator Endpoints

Common Actuator Endpoints

How to Secure Actuator Endpoints?

1. Use Spring Security

2. Restrict Access to Specific Roles

3. Use IP Whitelisting

4. Custom Security for Each Endpoint

5. Disable Unnecessary Endpoints

Example: Full Actuator Security Configuration

Best Practices for Securing Actuator

Testing Actuator Security

Post a Comment

Post a Comment

How to write custom queries in JPA

Java 11 Features

Internal Working of HashMap in Java

How to write custom queries in JPA

Contact Form

Spring Actuator

What is Spring Actuator?

Spring Boot Actuator is a submodule of Spring Boot that provides production-ready features to help you monitor and manage your application. It exposes various REST endpoints to monitor metrics, health, and application-specific configurations.

Key Features of Spring Boot Actuator:

How to Enable Spring Boot Actuator?

1. Add Dependency

2. Expose Actuator Endpoints

Common Actuator Endpoints

How to Secure Actuator Endpoints?

1. Use Spring Security

2. Restrict Access to Specific Roles

3. Use IP Whitelisting

4. Custom Security for Each Endpoint

5. Disable Unnecessary Endpoints

Example: Full Actuator Security Configuration

Best Practices for Securing Actuator

Testing Actuator Security

You Might Like

Post a Comment

Post a Comment

Contact Form