48. Monitoring and management over HTTP

If you are developing a Spring MVC application, Spring Boot Actuator will auto-configure all enabled endpoints to be exposed over HTTP. The default convention is to use the id of the endpoint as the URL path. For example, health is exposed as /health.

48.1 Securing sensitive endpoints

If you add ‘Spring Security’ to your project, all sensitive endpoints exposed over HTTP will be protected. By default ‘basic’ authentication will be used with the username user and a generated password (which is printed on the console when the application starts).

[Tip]Tip

Generated passwords are logged as the application starts. Search for ‘Using default security password’.

You can use Spring properties to change the username and password and to change the security role(s) required to access the endpoints. For example, you might set the following in your application.properties:

security.user.name=admin
security.user.password=secret
management.security.roles=SUPERUSER
[Tip]Tip

If you don’t use Spring Security and your HTTP endpoints are exposed publicly, you should carefully consider which endpoints you enable. See Section 47.1, “Customizing endpoints” for details of how you can set endpoints.enabled to false then “opt-in” only specific endpoints.

48.2 Customizing the management endpoint paths

Sometimes it is useful to group all management endpoints under a single path. For example, your application might already use /info for another purpose. You can use the management.context-path property to set a prefix for your management endpoint:

management.context-path=/manage

The application.properties example above will change the endpoint from /{id} to /manage/{id} (e.g. /manage/info).

You can also change the “id” of an endpoint (using endpoints.{name}.id) which then changes the default resource path for the MVC endpoint. Legal endpoint ids are composed only of alphanumeric characters (because they can be exposed in a number of places, including JMX object names, where special characters are forbidden). The MVC path can be changed separately by configuring endpoints.{name}.path, and there is no validation on those values (so you can use anything that is legal in a URL path). For example, to change the location of the /health endpoint to /ping/me you can set endpoints.health.path=/ping/me.

[Tip]Tip

If you provide a custom MvcEndpoint remember to include a settable path property, and default it to /{id} if you want your code to behave like the standard MVC endpoints. (Take a look at the HealthMvcEndpoint to see how you might do that.) If your custom endpoint is an Endpoint (not an MvcEndpoint) then Spring Boot will take care of the path for you.

48.3 Customizing the management server port

Exposing management endpoints using the default HTTP port is a sensible choice for cloud based deployments. If, however, your application runs inside your own data center you may prefer to expose endpoints using a different HTTP port.

The management.port property can be used to change the HTTP port.

management.port=8081

Since your management port is often protected by a firewall, and not exposed to the public you might not need security on the management endpoints, even if your main application is secure. In that case you will have Spring Security on the classpath, and you can disable management security like this:

management.security.enabled=false

(If you don’t have Spring Security on the classpath then there is no need to explicitly disable the management security in this way, and it might even break the application.)

48.4 Configuring management-specific SSL

When configured to use a custom port, the management server can also be configured with its own SSL using the various management.ssl.* properties. For example, this allows a management server to be available via HTTP while the main application uses HTTPS:

server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:store.jks
server.ssl.key-password=secret
management.port=8080
management.ssl.enable=false

Alternatively, both the main server and the management server can use SSL but with different key stores:

server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:main.jks
server.ssl.key-password=secret
management.port=8080
management.ssl.enable=true
management.ssl.key-store=classpath:management.jks
management.ssl.key-password=secret

48.5 Customizing the management server address

You can customize the address that the management endpoints are available on by setting the management.address property. This can be useful if you want to listen only on an internal or ops-facing network, or to only listen for connections from localhost.

[Note]Note

You can only listen on a different address if the port is different to the main server port.

Here is an example application.properties that will not allow remote management connections:

management.port=8081
management.address=127.0.0.1

48.6 Disabling HTTP endpoints

If you don’t want to expose endpoints over HTTP you can set the management port to -1:

management.port=-1

48.7 HTTP health endpoint access restrictions

The information exposed by the health endpoint varies depending on whether or not it’s accessed anonymously, and whether or not the enclosing application is secure. By default, when accessed anonymously in a secure application, any details about the server’s health are hidden and the endpoint will simply indicate whether or not the server is up or down. Furthermore, when accessed anonymously, the response is cached for a configurable period to prevent the endpoint being used in a denial of service attack. The endpoints.health.time-to-live property is used to configure the caching period in milliseconds. It defaults to 1000, i.e. one second.

The above-described restrictions can be enhanced, thereby allowing only authenticated users full access to the health endpoint in a secure application. To do so, set endpoints.health.sensitive to true. Here’s a summary of behavior (with default sensitive flag value “false” indicated in bold):

management.security.enabledendpoints.health.sensitiveUnauthenticatedAuthenticated

false

false

Full content

Full content

false

true

Status only

Full content

true

false

Status only

Full content

true

true

No content

Full content