feat: permit access to actuators (but only as configured)

Pfeil · Pfeil · commit 89dd47594707 · 2025-01-28T13:51:01.000+01:00
Provides a sane default (info and health) for local use and docker.
diff --git a/config/application-default.properties b/config/application-default.properties
@@ -44,7 +44,7 @@ spring.servlet.multipart.max-request-size: 100MB
 management.endpoint.health.access: unrestricted
 management.endpoint.health.show-details: ALWAYS
 management.endpoint.health.sensitive: false
-management.endpoints.web.exposure.include: *
+management.endpoints.web.exposure.include: health, info
 
 ###############
 ### Logging ###
@@ -106,6 +106,7 @@ spring.autoconfigure.exclude=org.keycloak.adapters.springboot.KeycloakAutoConfig
 # enables search endpoint at /api/v1/search
 repo.search.enabled: false
 repo.search.index: *
+# only enable if endpoint is enabled:
 management.health.elasticsearch.enabled: false
 
 # TO BE REMOVED!
@@ -132,6 +133,8 @@ spring.cloud.gateway.proxy.sensitive=content-length
 # exchange aka. topic and the queue. The routingKeys are defining wich messages are 
 # routed to the aforementioned queue.
 repo.messaging.enabled: false
+# enables report via health actuator. Only activate if messaging is enabled.
+management.health.rabbit.enabled: false
 repo.messaging.hostname: localhost
 repo.messaging.port: 5672
 repo.messaging.sender.exchange: record_events
diff --git a/config/application-docker.properties b/config/application-docker.properties
@@ -44,7 +44,7 @@ spring.servlet.multipart.max-request-size: 100MB
 management.endpoint.health.enabled: true
 management.endpoint.health.show-details: ALWAYS
 management.endpoint.health.sensitive: false
-management.endpoints.web.exposure.include: *
+management.endpoints.web.exposure.include: health, info
 
 ###############
 ### Logging ###
@@ -106,6 +106,7 @@ spring.autoconfigure.exclude=org.keycloak.adapters.springboot.KeycloakAutoConfig
 # enables search endpoint at /api/v1/search
 repo.search.enabled: false
 repo.search.index: *
+# only enable if endpoint is enabled:
 management.health.elasticsearch.enabled: false
 
 # TO BE REMOVED!
@@ -132,6 +133,8 @@ spring.cloud.gateway.proxy.sensitive=content-length
 # exchange aka. topic and the queue. The routingKeys are defining wich messages are 
 # routed to the aforementioned queue.
 repo.messaging.enabled: false
+# enables report via health actuator. Only activate if messaging is enabled.
+management.health.rabbit.enabled: false
 repo.messaging.hostname: localhost
 repo.messaging.port: 5672
 repo.messaging.sender.exchange: record_events
diff --git a/src/main/java/edu/kit/datamanager/pit/configuration/WebSecurityConfig.java b/src/main/java/edu/kit/datamanager/pit/configuration/WebSecurityConfig.java
@@ -77,6 +77,8 @@ protected SecurityFilterChain filterChain(HttpSecurity http, Logger logger) thro
           .requestMatchers(HttpMethod.GET, "/swagger-ui.html").permitAll()
           .requestMatchers(HttpMethod.GET, "/swagger-ui/**").permitAll()
           .requestMatchers(HttpMethod.GET, "/v3/**").permitAll()
+          // permit access to actuator endpoints
+          .requestMatchers("/actuator/**").permitAll()
           // only the actual API is protected
           .requestMatchers("/api/v1/**").authenticated()
       )

Original file line number	Diff line number	Diff line change
`@@ -77,6 +77,8 @@ protected SecurityFilterChain filterChain(HttpSecurity http, Logger logger) thro`
`77`	`77`	`.requestMatchers(HttpMethod.GET, "/swagger-ui.html").permitAll()`
`78`	`78`	`.requestMatchers(HttpMethod.GET, "/swagger-ui/**").permitAll()`
`79`	`79`	`.requestMatchers(HttpMethod.GET, "/v3/**").permitAll()`
	`80`	`+ // permit access to actuator endpoints`
	`81`	`+ .requestMatchers("/actuator/**").permitAll()`
`80`	`82`	`// only the actual API is protected`
`81`	`83`	`.requestMatchers("/api/v1/**").authenticated()`
`82`	`84`	`)`