Securing actuator endpoints

In the previous sections, we covered the essentials of the Spring Boot Actuator and implemented our own custom reactive actuator endpoint. Note that, while exposing useful operational information, the Actuator may also disclose sensitive information. Access to environment variables, the structure of the application, configuration properties, the ability to take heap and thread dumps, and similar details can make life much easier for an attacker probing our application; in some cases, an actuator endpoint may also expose private user data. Therefore, access to actuator endpoints has to be secured just as carefully as access to the usual REST endpoints.

Because the Spring Boot Actuator shares its security model with the rest of the application, access permissions can be configured in the same place as the main security configuration. For example, the following code permits access to everything under the /actuator/ base path only to users who have the ROLE_ACTUATOR authority (hasRole("ACTUATOR") adds the ROLE_ prefix), and requires authentication for all other exchanges. Note the /** suffix on the path matcher: a bare /actuator/ pattern would protect only the index path and leave /actuator/env, /actuator/heapdump, and the rest reachable under the anyExchange() rule.

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange()
                // "/actuator/**" covers every actuator endpoint, not just the index
                .pathMatchers("/actuator/**").hasRole("ACTUATOR")
                // everything else still requires an authenticated user
                .anyExchange().authenticated()
            .and()
            .build();
    }

Of course, access policies may be configured differently. It is usually appropriate to allow unauthenticated access to the /actuator/info and /actuator/health endpoints, which are commonly used for application identification and health-check procedures, and to protect all other endpoints, since they may hold sensitive information or information that helps an attacker map the system.
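The following configuration implements that split policy. It is an added example for this section, not code from the original page; it relies on the EndpointRequest matchers that Spring Boot's actuator autoconfiguration provides for WebFlux, so the rules follow the configured management base path rather than a hard-coded /actuator/ string. The class name, the bean name, and the choice of HTTP Basic authentication are assumptions for illustration.

```java
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Example configuration (class and bean names are illustrative assumptions).
@Configuration
public class ActuatorSecurityConfig {

    @Bean
    public SecurityWebFilterChain actuatorSecurityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange()
                // Rules are evaluated in order, so the open endpoints must come first:
                // health and info stay reachable for load balancers and orchestration
                // probes that cannot present credentials.
                .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // Every other actuator endpoint (env, beans, heapdump, threaddump,
                // loggers, ...) requires the ROLE_ACTUATOR authority.
                .matchers(EndpointRequest.toAnyEndpoint())
                    .hasRole("ACTUATOR")
                // Regular application routes keep the usual rule.
                .anyExchange().authenticated()
            .and()
            .httpBasic()
            .and()
            .build();
    }
}
```

Two caveats worth pairing with this rule set. First, /actuator/health can itself leak details (database names, disk paths, and the like) through its component indicators; setting management.endpoint.health.show-details=when-authorized keeps the anonymous response down to the bare status while authenticated operators still see the breakdown. Second, Spring Boot 2.x exposes only health and info over HTTP by default; whenever management.endpoints.web.exposure.include is widened, the newly exposed endpoints fall under the toAnyEndpoint() rule above, so the authorization policy and the exposure list should be reviewed together.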

Alternatively, we may expose all management endpoints on a separate port and restrict network access to that port, so that all management traffic stays within the internal network. To do so, set the management.server.port property to the desired HTTP port; management.server.address can additionally bind the management listener to a specific interface. Network isolation complements the authorization rules above rather than replacing them: anything that can reach the internal network, such as a compromised neighbouring service, still faces the management port.
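A minimal application.properties fragment for that setup, added here as an example rather than taken from the original page; the port numbers and the set of exposed endpoints are assumptions chosen for illustration.

```properties
# Application traffic stays on the public listener.
server.port=8080

# Actuator endpoints move to a dedicated port ...
management.server.port=8081
# ... bound only to the loopback interface, so the public listener never serves them.
# Replace with the address of the internal management network interface if probes
# come from other hosts.
management.server.address=127.0.0.1

# Expose over HTTP only what operations actually needs (assumed set).
management.endpoints.web.exposure.include=health,info,metrics

# Anonymous callers of /actuator/health see only the aggregate status.
management.endpoint.health.show-details=when-authorized
```

With this in place, a request to http://host:8080/actuator/env returns 404 from the application listener, while the same path on port 8081 is reachable only from the bound interface and still passes through the security filter chain.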

To generalize, the Spring Boot Actuator brings a lot of features that simplify application identification, monitoring, and management. With tight Spring WebFlux integration, Actuator 2.x uses resources efficiently, since most of its endpoints support reactive types. Actuator 2.x extends application capabilities and provides sensible default behavior without adding much development overhead, which makes the life of the DevOps team easier.

Although the Spring Boot Actuator is quite useful on its own, it shines even more in conjunction with tools that automatically gather monitoring information and present it visually through charts, trends, and alerts. Therefore, later in the chapter, we cover a handy module called Spring Boot Admin that gives access to all vital management information for multiple services through a single, well-designed UI.
