
The effect upon Actuator of defining your own SecurityFilterChain is documented inconsistently #41569


Closed
criztovyl opened this issue Jul 21, 2024 · 2 comments
Labels: type: documentation (A documentation update)
Milestone: 3.2.x

criztovyl commented Jul 21, 2024

It seems this statement in the docs is wrong or confusing (emphasis mine):

> To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, **add a bean of type `SecurityFilterChain` (doing so does not disable** the `UserDetailsService` configuration **or Actuator's security)**.

If you create a new Spring Boot 3 application like this

https://start.spring.io/#!type=gradle-project&language=java&platformVersion=3.3.2&packaging=jar&jvmVersion=17&groupId=com.example&artifactId=demo&name=demo&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.demo&dependencies=security,web,actuator

with the default configuration, Actuator is secured:

```console
$ curl -f http://localhost:8080/actuator -w "\n"
curl: (22) The requested URL returned error: 401
```

but when adding a SecurityFilterChain like this

```java
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(req ->
            req.anyRequest().permitAll()
    );
    return http.build();
}
```

or this

```java
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
            .securityMatcher("/app")
            .authorizeHttpRequests(req ->
                    req.anyRequest().permitAll()
            );
    return http.build();
}
```

security is gone:

```console
$ curl -f http://localhost:8080/actuator -w "\n"
{"_links":{"self":{"href":"http://localhost:8080/actuator","templated":false},"health":{"href":"http://localhost:8080/actuator/health","templated":false},"health-path":{"href":"http://localhost:8080/actuator/health/{*path}","templated":true}}}
```

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 21, 2024
@wilkinsona wilkinsona changed the title wrong docs on Security auto configuration, custom SecurityFilterChain and Actuator Security? Documentation that describes the effect upon Actuator of defining your own SecurityFilterChain is inaccurate Jul 22, 2024
@wilkinsona wilkinsona added type: documentation A documentation update and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 22, 2024
@wilkinsona wilkinsona added this to the 3.2.x milestone Jul 22, 2024
wilkinsona (Member) commented Jul 22, 2024
Thanks for spotting and reporting this, @criztovyl. You're right that the docs are wrong. The javadoc for ManagementWebSecurityAutoConfiguration describes things accurately:

```java
 * on the classpath. It allows unauthenticated access to the {@link HealthEndpoint}. If
 * the user specifies their own {@link SecurityFilterChain} bean, this will back-off
 * completely and the user should specify all the bits that they want to configure as part
 * of the custom security configuration.
```

criztovyl added a commit to criztovyl/spring-boot that referenced this issue Jul 22, 2024
@wilkinsona wilkinsona changed the title Documentation that describes the effect upon Actuator of defining your own SecurityFilterChain is inaccurate The effect upon Actuator of defining your own SecurityFilterChain is documented inconsistently Jul 29, 2024
wilkinsona (Member) commented Jul 29, 2024
The Actuator security documentation is accurate:

> If Spring Security is on the classpath and no other `SecurityFilterChain` bean is present, all actuators other than `/health` are secured by Spring Boot auto-configuration.
> If you define a custom `SecurityFilterChain` bean, Spring Boot auto-configuration backs off and lets you fully control the actuator access rules.

We need to make things consistent.
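As an added example (not from the issue or the Spring Boot project) of what "fully control the actuator access rules" means in practice: once any `SecurityFilterChain` bean exists, the actuator rules have to be stated explicitly in your own chain. This assumes Spring Boot 3.x with `spring-boot-starter-security` and `spring-boot-starter-actuator`, and uses a hypothetical `ACTUATOR_ADMIN` role.

```java
// Added example, not code from the issue or from Spring Boot itself.
package com.example.demo;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Defining this bean makes ManagementWebSecurityAutoConfiguration back off, so the
    // default "everything but /health needs authentication" rule is gone. Re-create it
    // here. The chain is scoped to actuator endpoints with EndpointRequest so it does
    // not affect application routes.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(req -> req
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // ACTUATOR_ADMIN is a hypothetical role for this example.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // The application chain from the issue. It has no securityMatcher, so it matches
    // every request; it must be ordered after the actuator chain or it would permit
    // /actuator/** too. A chain with securityMatcher("/app") alone would leave
    // /actuator/** matched by no chain at all, which is the behaviour the issue shows.
    @Bean
    @Order(2)
    SecurityFilterChain applicationFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(req -> req.anyRequest().permitAll());
        return http.build();
    }
}
```

With this in place the check from the issue, `curl -f http://localhost:8080/actuator`, returns 401 again while `/actuator/health` stays open.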
