Enabling Spring Boot Health Actuator with OAuth2 Authentication

6
votes

We've seen a number of questions related to Spring Boot's Health Actuator endpoint for version 1.5+. Having gone through a number of them, we're still at a loss.

Our goals are:

  1. To utilize Spring Boot/Spring Security's auto configuration of the security filter chaining (i.e. not have to fully implement/configure HttpSecurity)
  2. To enable secured health access (to see a full view into the health information of the application)
  3. To enable unsecured health access (to allow for an endpoint to function as a liveness probe in Kubernetes)

We've tried:

  1. Using a WebSecurityConfigurerAdapter and configuring the WebSecurity object to ignore security for the /health endpoint, and then mapping a separate endpoint to the /health endpoint according to Routing multiple URLs to Spring Boot Actuator's health endpoint to hopefully enable a secured path.
  2. Ensuring that security.oauth2.resource.filter-order=3 as was recommended in https://github.com/spring-projects/spring-boot/issues/5072. This puts the OAuth2AuthenticationProcessingFilter before the Actuator's Mvc endpoints, and allows for requests that contain pre-authenticated Authorization: Bearer ... headers (such as JWT authorizations) to be processed. However, it dictates that all requests contain authorization - otherwise, the FilterSecurityInterceptor triggers Secure object: FilterInvocation: URL: /health; Attributes: [#oauth2.throwOnError(authenticated)] and an AccessDeniedException

Utilizing Basic Authentication for /health and OAuth2 for everything else is a no-go (see Spring boot oauth2 management httpbasic authentication & https://github.com/spring-projects/spring-boot/issues/5072).

The question that we keep coming back to is how do we get:

  • Anonymous requests to the /health endpoint to function as unsecured
  • Pre-authenticated requests (i.e. those that contain pre-authenticated Authorization: Bearer ... headers) to the /health endpoint not having the appropriate authorizations or roles to function as unsecured
  • Pre-authenticated requests (i.e. those that contain pre-authenticated Authorization: Bearer ... headers) to the /health endpoint having the appropriate authorizations or roles to function as secured

We can easily allow any request to access /health by having something like:

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  public void configure(WebSecurity web) throws Exception {
    super.configure(web);
    web.ignoring().antMatchers(HttpMethod.GET, "/health", "/info");
  }
}

And that works great solely as a readiness/liveness probe. However, when the user is actually authenticated, it doesn't provide the benefit of seeing which backing services may be misbehaving.

Thanks in advance!

2
spring-bootspring-securityjwtspring-security-oauth2spring-boot-actuator
I'm not sure that I understand the questions fully. Do you just want to use Spring Security with Spring Actuator and just allow all users to do the /health check?! I mean just allow any request to access /health?!Kenny Tai Huynh

2 Answers

0
votes

I faced something similar and this somewhat works: Add a hacky access rule for actuators eg: #oauth2.clientHasRole('ROLE_CLIENT') or hasRole('ROLE_ANONYMOUS') that enables the security context to be populated for the actuator endpoints (for both authenticated and non authenticated requests) and tweak the 'sensitive' actuator endpoints configuration. /health should return basic info for anonymous and full info for authenticated in this case, provided you enable the management security and mark it as non sensitive. You still need to keep the filter configuration.

0
votes

Try this, work for me

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.antMatcher("/**").authorizeRequests()
            .antMatchers("/actuator/**","/assets/**")
            .permitAll()
            ........
    ;

}