Cannot access a Jolokia endpoint with spring security on #40237

Closed
dasivon021 opened this issue Apr 9, 2024 · 1 comment
Labels: for: stackoverflow (A question that's better suited to stackoverflow.com), status: invalid (An issue that we don't feel is valid)

Comments

dasivon021 commented Apr 9, 2024

I have Spring Boot 3.1.5 and in my YAML I have:

```yaml
management:
  security:
    enabled: false
  endpoint:
    metrics.enabled: true
    httptrace.enabled: true
    shutdown.enabled: true
  endpoints:
    web.exposure.include: metrics, health, info, httptrace, jolokia
    jmx.exposure.include: health
```

I also have spring security on cp, and I think that I have enabled the path correctly:

```java
@Bean
public SecurityFilterChain getSecurityFilterChain(HttpSecurity http) throws Exception {
    return http
            // CSRF disabled once, via the lambda DSL
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(
                    (requests) ->
                            // Only GET requests to the whitelisted paths are open;
                            // every other request must be authenticated.
                            requests.requestMatchers(HttpMethod.GET,
                                            Stream.concat(
                                                            Arrays.stream(AUTH_WHITELIST),     // {"/actuator/**"}
                                                            Arrays.stream(OPEN_API_WHITELIST)) // other swagger endpoints etc.
                                                    .toArray(String[]::new))
                                    .permitAll()
                                    .anyRequest()
                                    .authenticated())
            .sessionManagement(
                    session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .exceptionHandling(
                    httpSecurityExceptionHandlingConfigurer ->
                            httpSecurityExceptionHandlingConfigurer.authenticationEntryPoint(
                                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            // The original repeated csrf().disable() after the lambda call above;
            // the chained form is deprecated in Spring Security 6.1 and redundant here.
            .logout(AbstractHttpConfigurer::disable)
            .build();
}
```

I get 401 at http://localhost:8080/actuator/jolokia

I also added a bean as suggested on the docs:

```java
@Bean
public ServletRegistrationBean<AgentServlet> jolokia() {
    // Note: this maps the agent servlet at /jolokia/*, not under /actuator
    ServletRegistrationBean<AgentServlet> jolokiaServlet =
            new ServletRegistrationBean<>(new AgentServlet(), "/jolokia/*");
    jolokiaServlet.setLoadOnStartup(0);
    jolokiaServlet.setAsyncSupported(true);
    // setInitParameters replaces the whole map, so the two separate calls in the
    // original left only AGENT_DESCRIPTION set; pass both parameters in one map.
    jolokiaServlet.setInitParameters(Map.of(
            ConfigKey.DEBUG.getKeyValue(), "true",
            ConfigKey.AGENT_DESCRIPTION.getKeyValue(), "Spring Servlet Jolokia Agent"));
    return jolokiaServlet;
}
```

I don't understand this log line:

```
[o.a.c.c.C.[Tomcat].[localhost].[/]] SID= CID= [restartedMain] correlationId= channel= externalReferenceId= jolokia: No access restrictor found, access to any MBean is allowed
```

Related to: #37568
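For contrast with the configuration in the report above, here is an added example (not the reporter's code, nor from the Spring Boot project) of a filter chain that leaves only health and info unauthenticated and puts every other actuator endpoint, Jolokia included, behind a role regardless of HTTP method. It assumes Spring Boot 3.x with spring-boot-starter-actuator and spring-boot-starter-security on the classpath; the class name, chain bean name and the ACTUATOR role are assumptions.

```java
// Added example: scoped actuator security chain (not the reporter's code).
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

@Configuration
public class ActuatorSecurityConfig {  // assumed class name

    @Bean
    public SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        return http
                // This chain only handles actuator paths; the application's own
                // chain (ordered with @Order if there are several) handles the rest.
                .securityMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeHttpRequests(requests -> requests
                        // Unauthenticated probes may read liveness/readiness and build info.
                        .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                            .permitAll()
                        // Everything else under the actuator base path (metrics, shutdown,
                        // jolokia, ...) needs a user holding ACTUATOR for any method.
                        // Jolokia accepts POST as well as GET, so a GET-only permitAll
                        // as in the report above is not a useful boundary for it.
                        .anyRequest().hasRole("ACTUATOR"))  // assumed role name
                .httpBasic(Customizer.withDefaults())
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .exceptionHandling(e -> e.authenticationEntryPoint(
                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
                // Stateless, token/basic-auth clients only: CSRF disabled once, via the lambda DSL.
                .csrf(AbstractHttpConfigurer::disable)
                .build();
    }
}
```

The "No access restrictor found" log line is Jolokia's own policy layer and is independent of this chain: it means the agent has no jolokia-access.xml policy, so any authenticated caller that reaches it can read and invoke every registered MBean.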

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 9, 2024
wilkinsona (Member) commented

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.

wilkinsona closed this as not planned (Won't fix, can't repro, duplicate, stale) Apr 9, 2024
wilkinsona added the labels status: invalid (An issue that we don't feel is valid) and for: stackoverflow (A question that's better suited to stackoverflow.com) and removed status: waiting-for-triage (An issue we've not yet triaged) Apr 9, 2024