On this page it says:

If you use the Spring Boot Actuator for management endpoints, you probably want them to be secure, and, by default, they are. In fact, as soon as you add the Actuator to a secure application, you get an additional filter chain that applies only to the actuator endpoints. It is defined with a request matcher that matches only actuator endpoints and it has an order of ManagementServerProperties.BASIC_AUTH_ORDER, which is 5 fewer than the default SecurityProperties fallback filter, so it is consulted before the fallback.

If you want your application security rules to apply to the actuator endpoints, you can add a filter chain that is ordered earlier than the actuator one and that has a request matcher that includes all actuator endpoints. If you prefer the default security settings for the actuator endpoints, the easiest thing is to add your own filter later than the actuator one, but earlier than the fallback (for example, ManagementServerProperties.BASIC_AUTH_ORDER + 1), as follows:

But then the class comment for ManagementWebSecurityConfigurerAdapter (spring-boot-actuator-autoconfigure-2.3.4.RELEASE) says:

The default configuration for web security when the actuator dependency is on the classpath. It is different from org.springframework.boot.autoconfigure.security.servlet.SpringBootWebSecurityConfiguration in that it allows unauthenticated access to the HealthEndpoint and InfoEndpoint. If the user specifies their own WebSecurityConfigurerAdapter, this will back-off completely and the user should specify all the bits that they want to configure as part of the custom security configuration.

Those seem to be in disagreement. Which one is correct?

Also, there is no such constant ManagementServerProperties.BASIC_AUTH_ORDER.
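As an added example, not code from the page, from the Spring Boot documentation, or from the asker: this is what a user-supplied configuration can look like on Spring Boot 2.3.x, where the quoted class comment is the behaviour that applies. Because defining any WebSecurityConfigurerAdapter makes ManagementWebSecurityConfigurerAdapter back off entirely, the actuator rules (health and info open, every other endpoint authenticated) have to be restated by hand, and the precedence between the actuator chain and the application chain is expressed with @Order on the two adapters rather than with a ManagementServerProperties constant. The package name, the ACTUATOR role name, and the assumption of Spring Boot 2.3.x with the Spring Security 5.3.x it pulls in are mine.

```java
package com.example.security; // assumed package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Two filter chains. The moment either adapter exists as a bean, Boot's
 * ManagementWebSecurityConfigurerAdapter is no longer registered, so the
 * actuator rules below are the only ones that protect /actuator/**.
 */
@Configuration(proxyBeanMethods = false)
public class ActuatorSecurityConfig {

    /**
     * Chain consulted first: matches only actuator endpoints, wherever
     * management.endpoints.web.base-path puts them. Health and info stay
     * unauthenticated (mirroring the default Boot behaviour described in the
     * class comment); everything else needs the ACTUATOR role (assumed name)
     * over HTTP Basic.
     */
    @Configuration(proxyBeanMethods = false)
    @Order(1)
    public static class ActuatorChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeRequests(requests -> requests
                    .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                        .permitAll()
                    .anyRequest().hasRole("ACTUATOR"))
                .httpBasic(Customizer.withDefaults());
        }
    }

    /**
     * Chain consulted second: the application's own rules for every request
     * the actuator chain did not claim.
     */
    @Configuration(proxyBeanMethods = false)
    @Order(2)
    public static class ApplicationChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests(requests -> requests.anyRequest().authenticated())
                .formLogin(Customizer.withDefaults())
                .httpBasic(Customizer.withDefaults());
        }
    }
}
```

If the intent is instead that the application rules should also govern the actuator endpoints, drop the first adapter and let the second one match everything; either way the important check after wiring this up is to hit an endpoint other than health or info (for example /actuator/env) without credentials and confirm that it answers 401 rather than 200, because with the auto-configured adapter backed off nothing else will have secured it.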