spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

The effect upon Actuator of defining your own SecurityFilterChain is documented inconsistently #41569

Closed criztovyl closed 2 months ago

criztovyl commented 2 months ago

It seems this statement in the docs is wrong or confusing (emphasis mine):

add a bean of type SecurityFilterChain (doing so does not disable [...] or Actuator's security).

https://github.com/spring-projects/spring-boot/blob/ab3c5799acc9a59730b41c6e46d4a1c8bec2f3d7/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc?plain=1#L37

If you create a new Spring Boot 3 application like this

https://start.spring.io/#!type=gradle-project&language=java&platformVersion=3.3.2&packaging=jar&jvmVersion=17&groupId=com.example&artifactId=demo&name=demo&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.demo&dependencies=security,web,actuator

with the default configuration, Actuator is secured:

    $ curl -f http://localhost:8080/actuator -w "\n"
    curl: (22) The requested URL returned error: 401

but when adding a SecurityFilterChain like this

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    class SecurityConfig {
        // Single chain that permits every request, including /actuator/**
        @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http.authorizeHttpRequests(req -> req.anyRequest().permitAll());
            return http.build();
        }
    }

or this

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    class SecurityConfig {
        // Chain scoped to /app only; no chain is defined for /actuator at all
        @Bean
        SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                    .securityMatcher("/app")
                    .authorizeHttpRequests(req -> req.anyRequest().permitAll());
            return http.build();
        }
    }

security is gone:

    $ curl -f http://localhost:8080/actuator -w "\n"
    {"_links":{"self":{"href":"http://localhost:8080/actuator","templated":false},"health":{"href":"http://localhost:8080/actuator/health","templated":false},"health-path":{"href":"http://localhost:8080/actuator/health/{*path}","templated":true}}}

wilkinsona commented 2 months ago

Thanks for spotting and reporting this, @criztovyl. You're right that the docs are wrong. The javadoc for ManagementWebSecurityAutoConfiguration describes things accurately:

https://github.com/spring-projects/spring-boot/blob/4d466c3cc0971a85054fa6ce2318e5b95514238f/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java#L42-L45

wilkinsona commented 2 months ago

The Actuator security documentation is accurate:

https://github.com/spring-projects/spring-boot/blob/a021d3ca9c282a48ff7bcc47434c845e8433a9b3/spring-boot-project/spring-boot-docs/src/docs/antora/modules/reference/pages/actuator/endpoints.adoc?plain=1#L223-L224

We need to make things consistent.
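For readers who run into the behaviour reported above, here is an added example (not code from this issue or from Spring Boot itself) of keeping the Actuator endpoints authenticated once you define your own `SecurityFilterChain`: because Boot's Actuator security auto-configuration backs off as soon as any such bean exists, the Actuator rules are stated explicitly in a first, ordered chain scoped with `EndpointRequest.toAnyEndpoint()`, and the application's own rules live in a second chain. The class name, the `ACTUATOR` role and the existence of a user holding that role are assumptions.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class. Defining any SecurityFilterChain bean makes
// ManagementWebSecurityAutoConfiguration back off, so nothing protects /actuator
// unless a chain here does it.
@Configuration
class SecurityConfig {

    // Chain 1: matches only the Actuator endpoints and is consulted first.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(req -> req
                // health stays anonymous so liveness/readiness probes keep working
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // every other endpoint under /actuator requires the ACTUATOR role
                .anyRequest().hasRole("ACTUATOR"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: the application's own rules, same permitAll() as in the report.
    // Requests to /actuator never reach this chain because chain 1 claims them.
    @Bean
    @Order(2)
    SecurityFilterChain appFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(req -> req.anyRequest().permitAll());
        return http.build();
    }
}
```

With this in place, an unauthenticated `curl -f http://localhost:8080/actuator` returns 401 again while `/actuator/health` still answers 200; the ordering matters, since a catch-all chain placed first would swallow the Actuator requests.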