Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict actuator access based on HTTP method via configuration #39046

Closed
csterwa opened this issue Jan 5, 2024 · 2 comments
Closed

Restrict actuator access based on HTTP method via configuration #39046

csterwa opened this issue Jan 5, 2024 · 2 comments
Labels
status: duplicate A duplicate of another issue

Comments

@csterwa
Copy link

csterwa commented Jan 5, 2024

Problem Statement

There are situations where actuators are added to applications for enhancing troubleshooting and runtime management to Spring Boot applications. These actuators could have PUT, POST and DELETE endpoints (@WriteOperation) that could be accessed on that application's actuator port. There are concerns about keeping these actuators, or even worse accidentally, getting into production environments with these accessible.

Is it possible for actuators to automatically add a configuration option to enable/disable read or write operations? It would be nice to have this be configurable on:

  • A per actuator condition. For instance, don't allow write operations on /actuator/logging
  • Globally configurable for all actuators on the application
  • Or globally configured but overridable for specific actuators (stretch option, not necessary)

Current Operations

Currently, there is @ReadOperation and @WriteOperation annotations that map to HTTP verbs. Perhaps having the option of disabling write operations would help with this need.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 5, 2024
@philwebb philwebb added for: team-meeting An issue we'd like to discuss as a team to make progress status: pending-design-work Needs design work before any code can be developed labels Jan 5, 2024
@wilkinsona
Copy link
Member

I think this is probably a duplicate of #29596.

@philwebb
Copy link
Member

I think so as well. Marking as a duplicate of #29596

@philwebb philwebb closed this as not planned Won't fix, can't repro, duplicate, stale Feb 14, 2024
@philwebb philwebb added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged status: pending-design-work Needs design work before any code can be developed for: team-meeting An issue we'd like to discuss as a team to make progress labels Feb 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: duplicate A duplicate of another issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@philwebb @csterwa @wilkinsona @spring-projects-issues