I am setting up a Spring Boot 1.3 secured application, but with a management port that is inaccessible to the public, so I don't need any security on this port.
This is simply what I want to achieve:
    server.port = 8080 # -> secure
    management.port = 8081 # -> unsecure
But as soon as I add a WebSecurityConfigurerAdapter, it automatically is in effect for both ports. Setting management.security.enabled=false has no effect if management port is different, is this a bug? How can I otherwise disable security for the management port only?
My simple security configuration:
    @Configuration
    @EnableWebSecurity
    static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated();
        }
    }
I know a possible workaround could be to set a custom context-path, e.g. /manage, and ignore this path from security, but it doesn't seem ideal to use a non-standard path plus the fiddling to resolve path into the security config without hard-coding it, so I would like to find out whether there is a standard approach to this.
You can always add a request matcher and skip the security checks for the management port. A workaround for Spring Boot 2 is as follows. This might work for older Spring Boot versions too. Please try and see.
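    import javax.servlet.http.HttpServletRequest;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.util.matcher.RequestMatcher;

    @Configuration
    @EnableWebSecurity
    public class AppSecurityConfig extends WebSecurityConfigurerAdapter {
        // this is the port for management endpoints
        @Value("${management.server.port}")
        private int managementPort;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    // requests received on the management port skip authentication
                    .requestMatchers(checkPort(managementPort)).permitAll()
                    .anyRequest().authenticated();
        }

        /**
         * This method verifies whether a request port is equal to the provided method parameter
         *
         * @param port Port that needs to be checked with the incoming request port
         * @return Returns a request matcher object with port comparison
         */
        private RequestMatcher checkPort(final int port) {
            // getLocalPort() is the port of the interface the request was received on
            return (HttpServletRequest request) -> port == request.getLocalPort();
        }
    }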
Inspired by this answer.
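A regression check for the port matcher above, added here as an example and not part of the original answer: it confirms that the `permitAll()` exemption keys on the connector that accepted the connection (`getLocalPort()`) and not on the port the request says it was addressed to (`getServerPort()`). Assumptions: `spring-test` and `spring-security-web` are on the classpath, the servlet API is `javax.servlet` as in Spring Boot 2, and the class name, helper names and sample requests are constructed for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class ManagementPortMatcherCheck {

    // Same comparison as checkPort(...) in the answer: getLocalPort() is the port
    // of the connector that actually accepted the connection.
    static RequestMatcher localPort(final int port) {
        return (HttpServletRequest request) -> port == request.getLocalPort();
    }

    // Contrast case, not from the answer: getServerPort() is the port the request
    // claims to be addressed to (normally taken from the Host header).
    static RequestMatcher serverPort(final int port) {
        return (HttpServletRequest request) -> port == request.getServerPort();
    }

    // Constructed request: arrives on localPort, names claimedPort as its target.
    static MockHttpServletRequest request(int localPort, int claimedPort) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/orders");
        request.setLocalPort(localPort);
        request.setServerPort(claimedPort);
        return request;
    }

    static void expect(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        int publicPort = 8080;      // server.port from the question
        int managementPort = 8081;  // management port from the question

        RequestMatcher permitAllMatcher = localPort(managementPort);
        expect(permitAllMatcher.matches(request(managementPort, managementPort)),
                "management connector traffic should match permitAll()");
        expect(!permitAllMatcher.matches(request(publicPort, publicPort)),
                "public connector traffic must stay authenticated");
        // Accepted on the public connector, but addressed to port 8081 by the client.
        MockHttpServletRequest mismatched = request(publicPort, managementPort);
        expect(!permitAllMatcher.matches(mismatched),
                "local-port matcher must ignore the claimed port");
        expect(serverPort(managementPort).matches(mismatched),
                "a server-port matcher would wrongly exempt this request");
        System.out.println("port matcher checks passed");
    }
}
```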
Looks like it is in fact a bug: https://github.com/spring-projects/spring-boot/issues/4624