Spring Boot Is Easy: Actuator

Spring boot logo

In this article, we will go over an important subproject of the spring boot framework actuator. Actuator provides production-ready features that help you monitor and manage spring web applications.

After you have developed and deployed your application it’s important to continuously monitor it’s performance. This helps us reduce downtime, and improve application performance. actuator seamlessly integrates with our spring applications. We do not need to make any changes in our source code. The actuator exposes different endpoints which we can use to monitor our application.

In this article, We will see:

1. how to integrate the actuator into the app
2. how to access actuator endpoints
3. how to secure actuator endpoints

This article assumes you know how to create a spring boot application and have a project ready. We will go over the steps specific to the actuator.

1. the actuator in the app

Integrating the actuator is very easy. You only need to add dependency in the pom.xml (for maven) or build.gradle (for gradle).

<! —  https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-actuator →
<dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-actuator</artifactId>
 <version>3.1.2</version>
</dependency>

// https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-actuator
implementation group: ‘org.springframework.boot’, name: ‘spring-boot-starter-actuator’, version: ‘3.1.2’

This is all. Restart your app and the actuator should have started his work. No code change is required in your app source.

actuator started (console logs)

As you can see in the logs. The actuator has exposed only one endpoint. This endpoint is for health checks. Visit the endpoint at http://localhost:8080/actuator/health/.

We will have to do some configuring in our application.properties file to access other endpoints that the actuator can expose.

2. Access actuator endpoints

As of now actuator has only exposed a single endpoint /actuator/health.

Go to application.properties file and put the following there

management.endpoints.jmx.exposure.include=health,info
management.info.env.enabled=true

This will expose one more endpoint /actuator/info. If you visit this now you will see an empty result. This is because we have not put any app-related info as yet. We will put this info in the application.properties file itself.

info.app.name = Boot
info.app.desc = Boot application for learning
info.app.ver = 1.0.0

Anything after info.* will be picked and shown by /actuator/info.

Other configurations you can use are:

1. Expose all actuator endpoints :

management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=env,beans

env, beans are endpoints that actuator provides. If you use this configuration all endpoints except env, beans will be exposed.

List of available endpoints: https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html

3. Secure actuator endpoints

We are now able to access these endpoints over HTTP calls. Which is cool. but there is no security mechanism to control access to these endpoints which can expose important information. We will use spring security to mitigate this problem.

3.1 Add Spring security dependency:

For maven:

<! —  https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security →
<dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-security</artifactId>
 <version>3.1.2</version>
</dependency>

For gradle:

// https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security
implementation group: ‘org.springframework.boot’, name: ‘spring-boot-starter-security’, version: ‘3.1.2’

As you may know, Spring security by default adds a basic authentication layer on all the URLs. So if you did not have this already configured on your app your application endpoints will also be put behind basic authentication. It will also generate a random password at startup that we can use to log in. We can customize the username and password.

Put the following in the application.properties file:

spring.security.user.name=admin
spring.security.user.password=admin
spring.security.user.roles=ADMIN

We can use these credentials to login.

Now we need to create a SecurityConfiguration class to define authentication and authorization for actuator endpoints.

@Configuration
@EnableWebSecurity
public class WebSecurity {
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
            .requestMatchers("/actuator/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .httpBasic();
        return http.build();
    }
}

we have created a method which returns SecurityFilterChain that defines how requests to a regex /actuator/** should be processed.

You can put this class in seperate package. Create a package by name config and put this in there.

Now your actuator endpoints won’t be accessible to anyone. You will have to login to access them.

Conclusion

We are at the end of this article now. We have tried to understand how we can setup the service monitoring with the actuator and how to secure exposed endpoints. Next, you will want to understand how to utilize these endpoints. For that look into spring boot admin and integration with third-party monitoring tools like Prometheus, Grafana etc.

Until next time!!!!!

Also See:

Your Entry point in Spring Security (part 1)

Your Entry point in Spring Security (part 2)