Enabling the actuator provides many benefits, but it can expose internal system information, even to an authenticated user. In this screencast we will show how to disable actuator endpoints in your Spring Boot application.
Detailed Video Notes
Spring Actuator is a series of endpoints that allow you to see into your application. When enabled, navigating to /health will indicate if the application is healthy by returning a status of 200, or unhealthy by returning an empty response. While this information is useful, these endpoints may contain sensitive system information such as internal bean names, application server information or thread dumps listing files. In this tutorial let's find out how to configure Spring Boot Actuator to turn off the /health endpoint as an example.
Note, while using health as an example, the same approach can be applied to any one of the existing endpoints such as
Spring created a web interface to quickly initialize a web application with Spring Boot. A very similar process can be found within Spring STS and the starter projects. Let's create a web application by filling in the data and generating a project. Once downloaded, we can import the Maven project into a workspace. Notice that in our pom.xml file we have the
Examining actuator properties
Spring Boot is built around a series of switches, contained in a file named application.yml (or application.properties), that allow for configuration. There isn't an all-encompassing list of properties, but a good reference can be found in the Spring Boot reference docs. For each actuator endpoint there is a common property such as enabled, while a handful of endpoints have custom elements. The pattern is endpoints.#nameOfEndPoint.#identifier. Since the project we created has a blank properties file, let's add properties to support the /health endpoint.
Turn off endpoint
Let's fire up our server and make a request to /health to validate that the project is configured properly. Making a request to /health should return a JSON response with a status of UP.
To turn it off we simply need to change endpoints.health.enabled from true to false. Making this change and restarting should give us a JSON response containing "This end point is disabled". While this turns off the /health endpoint, the URL itself remains reachable; it just answers with the disabled message. If you want more control over which endpoints are turned on, you can set endpoints.enabled=false, which turns every endpoint off and requires each endpoint you want to keep to be explicitly enabled in the application.properties file.
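The two configuration styles above (switching one endpoint off, versus endpoints.enabled=false with an explicit allow-list) differ in what is left exposed when a new endpoint appears. The following audit script is an added example, not code from the screencast or from the Spring Boot project: it reads an application.properties file and reports which actuator endpoints are effectively enabled, applying the precedence the page describes (endpoints.<name>.enabled overrides the global endpoints.enabled, which overrides the default of enabled). It assumes the Spring Boot 1.x property names used on this page; the endpoint list and the three sample configurations are constructed for the example.

```python
"""
Added example (not part of the original screencast): audit which Spring Boot 1.x
actuator endpoints are effectively enabled by an application.properties file.

Assumed precedence, following the page:
    endpoints.<name>.enabled  >  endpoints.enabled  >  default (enabled)
"""
from typing import Dict, Iterable, List

# Endpoint ids to audit. Constructed list for the example; the page only names health.
ENDPOINTS = ("health", "beans", "env", "dump", "trace", "mappings", "configprops")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for key=value lines; blank lines and #/! comments are ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def _as_bool(value: str) -> bool:
    return value.strip().lower() == "true"


def endpoint_enabled(props: Dict[str, str], name: str) -> bool:
    """Resolve one endpoint: specific flag, then global flag, then the default."""
    specific = props.get(f"endpoints.{name}.enabled")
    if specific is not None:
        return _as_bool(specific)
    global_flag = props.get("endpoints.enabled")
    if global_flag is not None:
        return _as_bool(global_flag)
    return True  # assumed Boot 1.x default: endpoints are enabled unless told otherwise


def audit(text: str, names: Iterable[str] = ENDPOINTS) -> Dict[str, bool]:
    props = parse_properties(text)
    return {n: endpoint_enabled(props, n) for n in names}


def exposed_endpoints(text: str, names: Iterable[str] = ENDPOINTS) -> List[str]:
    """Sorted list of endpoint ids that would answer with real data."""
    return sorted(n for n, on in audit(text, names).items() if on)


# Constructed sample configurations
BLANK_CONFIG = ""  # the freshly generated project: everything on

HEALTH_ONLY_OFF = "endpoints.health.enabled=false\n"  # the page's first change

DENY_BY_DEFAULT = """
# Turn everything off, then re-enable only what is needed
endpoints.enabled=false
endpoints.health.enabled=true
"""

if __name__ == "__main__":
    for label, cfg in (("blank", BLANK_CONFIG),
                       ("health off", HEALTH_ONLY_OFF),
                       ("deny by default", DENY_BY_DEFAULT)):
        print(f"{label:16s} exposed: {exposed_endpoints(cfg)}")
```

Running the script shows why the deny-by-default form is the one to prefer: with the blank file every audited endpoint is exposed, switching off health alone still leaves beans, env, dump and the rest reachable, and only endpoints.enabled=false shrinks the exposed set to the single endpoint that was deliberately re-enabled.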
Thanks for joining in today's level up lunch, have a great day!