Securing Spring Boot Actuator Endpoints

Out of the box, all sensitive Spring Boot Actuator endpoints are secured. Only authenticated users who have the ACTUATOR role can access those endpoints. You can change the ACTUATOR role name to something else, say SUPERADMIN, by setting the following property:

management.security.roles=SUPERADMIN 

If the Spring Boot Security starter (spring-boot-starter-security) is on the classpath, the Actuator endpoints are secured by Spring Security.

Add the Security starter dependency to pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Rather than using the default user credentials, you can configure the security user's credentials and roles in application.properties as follows:

security.user.name=admin
security.user.password=Password1$
security.user.role=USER,ADMIN,ACTUATOR

Now if you try to access any endpoint, e.g. http://localhost:8080/actuator/beans, you will be prompted to enter credentials. If, for any reason, you want to disable security for your Actuator endpoints, you can set the following property:

management.security.enabled=false 

This disables security for all Actuator endpoints, so they become reachable without any authentication.
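As an added example (not code from the original page), a small Python audit of the Spring Boot 1.x properties discussed above: it parses an application.properties fragment and flags settings that leave Actuator endpoints unauthenticated, give the configured user no role matching management.security.roles, or omit the password (in which case Spring Boot generates a random one at startup). The parser, check wording and sample inputs are constructed for this example.

```python
# Added example: audit Spring Boot 1.x Actuator security properties.
# Not part of the original page; parser and checks are constructed here.
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: '=' or ':' separator, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Use whichever separator comes first, as java.util.Properties does
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def _roles(value: str) -> set:
    return {r.strip().upper() for r in value.split(",") if r.strip()}


def audit_actuator_security(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings: List[str] = []
    if props.get("management.security.enabled", "true").lower() == "false":
        findings.append("management.security.enabled=false: all Actuator endpoints are unauthenticated")
    else:
        # Role Actuator requires (default ACTUATOR) vs. roles granted to the in-memory user (default USER)
        required = _roles(props.get("management.security.roles", "ACTUATOR"))
        granted = _roles(props.get("security.user.role", "USER"))
        if not required & granted:
            findings.append(f"security.user.role {sorted(granted)} has none of the required role(s) {sorted(required)}")
    if "security.user.name" in props and "security.user.password" not in props:
        findings.append("security.user.password missing: a random password is generated and logged at startup")
    return findings


# Constructed sample inputs (not from a real deployment)
HARDENED = "security.user.name=admin\nsecurity.user.password=Password1$\nsecurity.user.role=USER,ADMIN,ACTUATOR\n"
ROLE_MISMATCH = "management.security.roles=SUPERADMIN\n" + HARDENED  # role renamed, user never given it
DISABLED = "management.security.enabled=false\n"

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("role-mismatch", ROLE_MISMATCH), ("disabled", DISABLED)):
        print(label, audit_actuator_security(parse_properties(text)) or ["OK"])
```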