How to secure actuator endpoints with role in Spring Boot 2?
If your application is a resource server, you don't need the SecConfig class.
So if you remove it, in your ResourceServerConfig
class you can secure the actuators and just let admin through:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                // Resource server: every request carries its own token, no HTTP session.
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/ajax/**").authenticated()
                // hasRole("ADMIN") matches the granted authority "ROLE_ADMIN".
                // More specific matchers must come before anyRequest().
                .antMatchers("/actuator/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            // CSRF protection is not needed for a stateless, token-based API.
            .csrf()
                .disable();
    }
}
I add .anyRequest().authenticated() to secure the rest of the application endpoints.
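As an added example (not code from the answer above), the same restriction written with Spring Boot 2's EndpointRequest matchers, so the rule keeps working if management.endpoints.web.base-path is changed away from /actuator. It assumes the same spring-security-oauth2 resource server setup as the answer; the class name, the /ajax/** path and the decision to leave health and info open for liveness probes are assumptions for illustration. With Spring Boot 2's default management.endpoint.health.show-details=never, an unauthenticated caller of /actuator/health only sees the status word, not component details.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Hypothetical class name; replaces the ResourceServerConfig from the answer.
@Configuration
@EnableResourceServer
public class ActuatorResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Assumption: orchestrator probes need health/info without a token.
                // Remove this line to require ROLE_ADMIN for every actuator endpoint.
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                // Every other actuator endpoint (env, beans, heapdump, ...) needs
                // the granted authority ROLE_ADMIN, whatever the base path is.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ADMIN")
                // Application endpoints: any valid token is enough.
                .antMatchers("/ajax/**").authenticated()
                .anyRequest().authenticated()
            .and()
            // Stateless token API: CSRF tokens serve no purpose here.
            .csrf()
                .disable();
    }
}
```

Matcher order is evaluated top to bottom, so the permitAll rule for health and info must precede the toAnyEndpoint() rule, and both must precede anyRequest(). Note that hasRole("ADMIN") only passes when the token's authorities contain ROLE_ADMIN; if the resource server maps JWT scopes to authorities such as SCOPE_admin, use hasAuthority("SCOPE_admin") instead.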