Spring Boot Actuator

Under Bitbucket it is documented that the Actuator can be used. I tried different approaches and always get problems with the realms authentication.

I want to analyse the JSON streams for the responses, so I can better build the POJOs. Some examples seem outdated, so the POJO must be modified (i.e. accountId). I found a solution with

@Configuration
public class RequestLoggingFilterConfig {

	@Bean
	public CommonsRequestLoggingFilter logFilter() {
		CommonsRequestLoggingFilter filter = new CommonsRequestLoggingFilter();
		filter.setIncludeQueryString(true);
		filter.setIncludePayload(true);
		filter.setMaxPayloadLength(10000);
		filter.setIncludeHeaders(false);
		filter.setAfterMessagePrefix("REQUEST DATA : ");
		return filter;
	}
}

but want to use Actuator. Could you give an example, when you write in the documentation that it can be used (and is not in conflict with the atlassian-spring-framework)?

I don’t fully understand your example and what you are trying to do.

But atlassian-connect-spring-boot simply makes sure to not interfere with Actuator. Otherwise, the two are entirely unrelated. We have an integration test that verifies this.

I stumbled upon this post during my search on how to make the actuator/health-endpoint open. Even if the documentation says that the endpoint is open by default, I’m asked for username and password when building my app on atlassian-connect-spring-boot. I guess there is a root-rule which says that all endpoints should be secured. That should not be a problem, but how can I open specified endpoints? The property atlassian.connect.require-auth-exclude-paths does not seem to help. In an ordinary spring-boot I would create a .permitAll in httpSecurity. But how to accomplish this here? Any ideas are very welcome. Best regards, Oddvin

@OddvinRsand does the example from 13.2.3 Production-ready Features - Endpoints - Security not work?

Additionally, if Spring Security is present, you would need to add custom security configuration that allows unauthenticated access to the endpoints, as the following example shows:

@Configuration(proxyBeanMethods = false)
public class MySecurityConfiguration {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.requestMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeRequests((requests) -> requests.anyRequest().permitAll());
        return http.build();
    }
}

Thanks for your quick response :zap:
Seems like it is our implementation of the connect-spring-boot (in a parent with only a limited set of configuration options) which is hiding the HttpSecurity for me. I will have to look further into the parent module and see if I can open it up. As I understand your suggestions, there should be nothing from the connect-spring-boot that should interfere with the config of the Actuator.

Using SecurityFilterChain errors out because ACSB already has a WebSecurityConfigurerAdapter (AtlassianConnectWebSecurityConfigurer).

It looks like I was able to open up Actuator by adding a new bean like this:


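import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurityConfigurer extends WebSecurityConfigurerAdapter {
    @Autowired
    private WebEndpointProperties webEndpointProperties;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Base path of the Actuator web endpoints (management.endpoints.web.base-path).
        String managementPath = this.webEndpointProperties.getBasePath();
        if (managementPath != null) {
            // This chain only handles requests under the management path and defines
            // no authorization rules, so every endpoint below it is reachable anonymously.
            http.antMatcher(managementPath + "/**").anonymous();
        }
    }
}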
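A narrower variant of the configuration discussed in this thread, as an added example that is not code from any poster or from atlassian-connect-spring-boot: it opens only the health endpoint asked about above and leaves every other Actuator endpoint to the application's existing security rules. It assumes Spring Security 5.x (where `WebSecurityConfigurerAdapter` still exists); the class name and the `@Order` value are assumptions, since the thread does not state the order of `AtlassianConnectWebSecurityConfigurer`.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name. A second WebSecurityConfigurerAdapter needs its own
// unique @Order; two adapters with the same order fail at startup.
// The value 1 is an assumption: it must differ from, and sort before, the
// order used by the framework's own configurer so this chain is consulted first.
@Configuration
@Order(1)
public class HealthOnlyActuatorSecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Limit this filter chain to the health endpoint only. EndpointRequest
            // resolves the path from the Actuator configuration, so a changed
            // management base path is followed automatically.
            .requestMatcher(EndpointRequest.to(HealthEndpoint.class))
            // Within that scope, allow unauthenticated access.
            .authorizeRequests(requests -> requests.anyRequest().permitAll());
        // Requests to any other Actuator endpoint (env, beans, heapdump, ...)
        // do not match this chain and fall through to the remaining security
        // configuration, which keeps requiring authentication.
        //
        // management.endpoint.health.show-details defaults to "never"; leaving
        // it there means anonymous callers see only the aggregate status.
    }
}
```

Compared with matching `managementPath + "/**"`, this keeps endpoints that disclose configuration or runtime state behind authentication while still letting a load balancer or uptime probe read the health status.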