It's no exaggeration to say that Actuator is the most modified feature of Spring Boot 2.0. If you raise the details, there will be no sharp edges, so for the time being, here are some points to be aware of when migrating from 1.x.
Probably the most common error in Actuator when upgrading an existing app made with Boot 1.x to 2.0 is "404 Not Found" (at least I did).
In fact, since 2.0, all Actuator endpoints have been prefixed with / actuator. In other words, the URL that was previously specified as localhost: 8080 / info must be changed to localhost: 8080 / actuator / info.
This prefix can be changed with the following properties.
application.Examples of properties
#The default value is"/actuator"
management.endpoints.web.base-path=/admin
You can also change the port number for the Actuator endpoint and add a context path. Please note that if you do not specify the port number, the context path will not be attached.
application.Examples of properties
management.server.port=9999
management.server.servlet.context-path=/admin-context
In other words, if you write all the above three settings, the Actuator endpoint will be localhost: 9999 / admin-context / admin / info.
/ info and / health are publishedThis also causes a 404 error. / env, / beans, etc. are not published by default.
Set the endpoint you want to publish as follows.
application.Examples of properties
management.endpoints.web.exposure.include=env,beans,loggers
If you specify even one, it will not be published unless you explicitly specify
/ infoand/ health.
Specify * if you want to publish all endpoints.
application.Examples of properties
management.endpoints.web.exposure.include=*
Conversely, endpoints that are not exposed are specified in management.endpoints.web.exposure.exclude. For example, if you write as follows, all endpoints except / env and / info will be published.
application.Examples of properties
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=env,info
Endpoints that are set to publish but are not individually activated will not be published. For example, if you write as follows, only / beans and / health will be published. Although / auditevents is specified as public, it will not be published because it has been disabled.
application.Examples of properties
management.endpoints.web.exposure.include=auditevents,beans,health
# /auditevents are disabled and will not be published
management.endpoint.auditevents.enabled=false
Each endpoint can be enabled with
management.endpoint.xxxxx.enabled(xxxxxis the endpoint name)
Starting with Spring Boot 1.5, sensitive Actuator endpoints have been protected (only users with the ʻACTUATOR` role can access them).
With Spring Boot 2.0, the concept of sensitive is gone in the first place, and all publicly available endpoints are no longer protected. To secure the endpoint, you need to explicitly include Spring Security and write the security settings in Java Config.
pom.xml
...
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<!--Added Spring Security!-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
...
</dependencies>
...
JavaConfig example
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
//Create general users and users to access Actuator
//(User name, password, role name are optional)
auth.inMemoryAuthentication()
.passwordEncoder(NoOpPasswordEncoder.getInstance()) //NoOpPasswordEncoder is prohibited in production!
.withUser("actuator").password("password").roles("ACTUATOR").and()
.withUser("user").password("password").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//Enable BASIC authentication
http.httpBasic();
//Actuator endpoints can only be accessed by the ACTUATOR role,
//Others can be accessed by any role as long as you are logged in
http.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
.anyRequest().authenticated();
//Do not disable CSRF in production!
http.csrf().disable();
}
}
Note that there are two ʻEndpointRequest
classes, one for Servlet and one for Reactive. This time we are assuming a Servlet base, so use the ʻEndpointRequestclass in the ʻorg.springframework.boot.actuate.autoconfigure.security.servlet` package.
Access example with curl
$ curl -v -u actuator:password localhost:8080/actuator/health | jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'actuator'
> GET /actuator/health HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWN0dWF0b3I6cGFzc3dvcmQ=
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=C472F3844F17FC8EBC779A35DEFB085F; Path=/; HttpOnly
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: application/vnd.spring-boot.actuator.v2+json;charset=UTF-8
< Transfer-Encoding: chunked
< Date: Fri, 09 Mar 2018 07:03:55 GMT
<
{ [20 bytes data]
100 15 0 15 0 0 165 0 --:--:-- --:--:-- --:--:-- 166
* Connection #0 to host localhost left intact
{
"status": "UP"
}
If you pay attention to the above three points, you should be able to upgrade the app created in 1.x to 2.0 and run it for the time being. However, there are many other changes to Actuator, so be sure to read through the Actuator chapter in the official docs! https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready.html I'd like to write a blog explaining this ... Well, please wait patiently!
Recommended Posts