Spring Boot actuator health endpoint not accessible after upgrading to Boot 1.2

2
votes

I'm having trouble upgrading Spring Boot from 1.1.12 to 1.2.5 but have the same issue in all versions of 1.2.x. The /health endpoint provided by Actuator is now returning 401 Unauthorized to an integration test that used to work. No code has changed while upgrading the dependency.

Here's the test case:

@Test
public void testNoUserForStatusEndpoint() throws Exception {
    HttpEntity<String> entity = new HttpEntity<>(null, headers);
    ResponseEntity<String> response = template
            .exchange(base + "/health", HttpMethod.GET, entity, String.class);
    assertEquals(HttpStatus.OK, response.getStatusCode());
    assertEquals("{\"status\":\"UP\"}", response.getBody());
}

I expect to see the basic "UP" status but no further details as the user is anonymous and not authenticated.

Setting management.security.enabled=false in application.properties causes the endpoint to return the complete health information. This is not desirable.

Setting endpoints.health.sensitive=false does nothing.

The security configuration has not changed. It is based on Apache termination and a certificate whitelist, which also hasn't changed.

@Override
public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.addFilterBefore(new CustomAuthenticationFilter(authenticationManager(), Environment.getUserWhitelist()), BasicAuthenticationFilter.class);
}

How can I make the test pass?

Updates:

Originally the only relevant setting in application.properties that was defined is endpoints.health.enabled=true.

Adding management.health.status.order=UP,DOWN,OUT_OF_SERVICE,UNKNOWN to application.properties makes no difference.

Using all three properties results in a 401 (doesn't work):

endpoints.health.enabled=true
endpoints.health.sensitive=false
management.health.status.order=UP,DOWN,OUT_OF_SERVICE,UNKNOWN

The main class is just a stripped down Spring Boot application launcher:

@Configuration
@EnableAutoConfiguration
@ComponentScan
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}

I have tried adding http.authorizeRequests().antMatchers("/health**").permitAll(); to the first line of the security configuration method detailed above. It did not make a difference.

According to Spring Boot issue 2120, The endpoints.health.sensitive property is ignored when using custom security. I found no mention of this in the documentation.

4
javaspring-boot-actuator
Similar to this question but the security details are different.Ian Gilham

4 Answers

4
votes

Or add management.security.enabled=false to the application.properties

2
votes

I have found a solution.

Adding @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) to my custom authentication filter (referred to as CustomAuthenticationFilter in the question) changes the semantics of defining a security filter bean.

Without the annotation, Spring Boot assumes I want to override all the filters and just use my custom filter in isolation.

With the annotation, Spring Boot adds my filter to the list of predefined filters. This allows the /health endpoint to work again.

See Spring Boot issue 2120 on GitHub for details.

1
votes

I was getting 404 error with /health url. However its worked with /actuator/health url instead of /health.

0
votes

Pls try this on the application.properties or application.yml :-

management.health.status.order=UP,DOWN,OUT_OF_SERVICE,UNKNOWN