By default, all endpoints except for shutdown are enabled. To configure the enablement of an endpoint, use its management.endpoint.<id>.enabled property. The following example enables the shutdown endpoint:

management.endpoint.shutdown.enabled=true

If you prefer endpoint enablement to be opt-in rather than opt-out, set the management.endpoints.enabled-by-default property to false and use individual endpoint enabled properties to opt back in. The following example enables the info endpoint and disables all other endpoints:

management.endpoints.enabled-by-default=false
management.endpoint.info.enabled=true

	Note
	Disabled endpoints are removed entirely from the application context. If you want to change only the technologies over which an endpoint is exposed, use the include and exclude properties instead.

Since Endpoints may contain sensitive information, careful consideration should be given about when to expose them. The following table shows the default exposure for the built-in endpoints:

To change which endpoints are exposed, use the following technology-specific include and exclude properties:

The include property lists the IDs of the endpoints that are exposed. The exclude property lists the IDs of the endpoints that should not be exposed. The exclude property takes precedence over the include property. Both include and exclude properties can be configured with a list of endpoint IDs.

For example, to stop exposing all endpoints over JMX and only expose the health and info endpoints, use the following property:

management.endpoints.jmx.exposure.include=health,info

* can be used to select all endpoints. For example, to expose everything over HTTP except the env and beans endpoints, use the following properties:

management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=env,beans

	Note
	* has a special meaning in YAML, so be sure to add quotes if you want to include (or exclude) all endpoints, as shown in the following example: management: endpoints: web: exposure: include: "*"

	Note
	If your application is exposed publicly, we strongly recommend that you also secure your endpoints.

	Tip
	If you want to implement your own strategy for when endpoints are exposed, you can register an EndpointFilter bean.

You should take care to secure HTTP endpoints in the same way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by default using Spring Security’s content-negotiation strategy. If you wish to configure custom security for HTTP endpoints, for example, only allow users with a certain role to access them, Spring Boot provides some convenient RequestMatcher objects that can be used in combination with Spring Security.

A typical Spring Security configuration might look something like the following example:

@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
				.anyRequest().hasRole("ENDPOINT_ADMIN")
				.and()
			.httpBasic();
	}

}

The preceding example uses EndpointRequest.toAnyEndpoint() to match a request to any endpoint and then ensures that all have the ENDPOINT_ADMIN role. Several other matcher methods are also available on EndpointRequest. See the API documentation (HTML or PDF) for details.

If you deploy applications behind a firewall, you may prefer that all your actuator endpoints can be accessed without requiring authentication. You can do so by changing the management.endpoints.web.exposure.include property, as follows:

application.properties. 

management.endpoints.web.exposure.include=*

Additionally, if Spring Security is present, you would need to add custom security configuration that allows unauthenticated access to the endpoints as shown in the following example:

@Configuration
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
			.anyRequest().permitAll();
	}

}

Endpoints automatically cache responses to read operations that do not take any parameters. To configure the amount of time for which an endpoint will cache a response, use its cache.time-to-live property. The following example sets the time-to-live of the beans endpoint’s cache to 10 seconds:

application.properties. 

management.endpoint.beans.cache.time-to-live=10s

	Note
	The prefix management.endpoint.<name> is used to uniquely identify the endpoint that is being configured.

	Note
	When making an authenticated HTTP request, the Principal is considered as input to the endpoint and, therefore, the response will not be cached.

A “discovery page” is added with links to all the endpoints. The “discovery page” is available on /actuator by default.

When a custom management context path is configured, the “discovery page” automatically moves from /actuator to the root of the management context. For example, if the management context path is /management, then the discovery page is available from /management. When the management context path is set to /, the discovery page is disabled to prevent the possibility of a clash with other mappings.

Cross-origin resource sharing (CORS) is a W3C specification that lets you specify in a flexible way what kind of cross-domain requests are authorized. If you use Spring MVC or Spring WebFlux, Actuator’s web endpoints can be configured to support such scenarios.

CORS support is disabled by default and is only enabled once the management.endpoints.web.cors.allowed-origins property has been set. The following configuration permits GET and POST calls from the example.com domain:

management.endpoints.web.cors.allowed-origins=https://example.com
management.endpoints.web.cors.allowed-methods=GET,POST

	Tip
	See CorsEndpointProperties for a complete list of options.

If you add a @Bean annotated with @Endpoint, any methods annotated with @ReadOperation, @WriteOperation, or @DeleteOperation are automatically exposed over JMX and, in a web application, over HTTP as well. Endpoints can be exposed over HTTP using Jersey, Spring MVC, or Spring WebFlux. If both Jersey and Spring MVC are available, Spring MVC will be used.

You can also write technology-specific endpoints by using @JmxEndpoint or @WebEndpoint. These endpoints are restricted to their respective technologies. For example, @WebEndpoint is exposed only over HTTP and not over JMX.

You can write technology-specific extensions by using @EndpointWebExtension and @EndpointJmxExtension. These annotations let you provide technology-specific operations to augment an existing endpoint.

Finally, if you need access to web-framework-specific functionality, you can implement Servlet or Spring @Controller and @RestController endpoints at the cost of them not being available over JMX or when using a different web framework.

53.7.1 Receiving Input

Operations on an endpoint receive input via their parameters. When exposed via the web, the values for these parameters are taken from the URL’s query parameters and from the JSON request body. When exposed via JMX, the parameters are mapped to the parameters of the MBean’s operations. Parameters are required by default. They can be made optional by annotating them with @org.springframework.lang.Nullable.

Each root property in the JSON request body can be mapped to a parameter of the endpoint. Consider the following JSON request body:

{
	"name": "test",
	"counter": 42
}

This can be used to invoke a write operation that takes String name and int counter parameters.

	Tip
	Because endpoints are technology agnostic, only simple types can be specified in the method signature. In particular declaring a single parameter with a custom type defining a name and counter properties is not supported.

	Note
	To allow the input to be mapped to the operation method’s parameters, Java code implementing an endpoint should be compiled with -parameters, and Kotlin code implementing an endpoint should be compiled with -java-parameters. This will happen automatically if you are using Spring Boot’s Gradle plugin or if you are using Maven and spring-boot-starter-parent.

Input type conversion

The parameters passed to endpoint operation methods are, if necessary, automatically converted to the required type. Before calling an operation method, the input received via JMX or an HTTP request is converted to the required types using an instance of ApplicationConversionService.

53.7.2 Custom Web Endpoints

Operations on an @Endpoint, @WebEndpoint, or @EndpointWebExtension are automatically exposed over HTTP using Jersey, Spring MVC, or Spring WebFlux. If both Jersey and Spring MVC are available, Spring MVC will be used.

Web Endpoint Request Predicates

A request predicate is automatically generated for each operation on a web-exposed endpoint.

Path

The path of the predicate is determined by the ID of the endpoint and the base path of web-exposed endpoints. The default base path is /actuator. For example, an endpoint with the ID sessions will use /actuator/sessions as its path in the predicate.

The path can be further customized by annotating one or more parameters of the operation method with @Selector. Such a parameter is added to the path predicate as a path variable. The variable’s value is passed into the operation method when the endpoint operation is invoked.

HTTP method

The HTTP method of the predicate is determined by the operation type, as shown in the following table:

Operation	HTTP method
@ReadOperation	GET
@WriteOperation	POST
@DeleteOperation	DELETE

Consumes

For a @WriteOperation (HTTP POST) that uses the request body, the consumes clause of the predicate is application/vnd.spring-boot.actuator.v2+json, application/json. For all other operations the consumes clause is empty.

Produces

The produces clause of the predicate can be determined by the produces attribute of the @DeleteOperation, @ReadOperation, and @WriteOperation annotations. The attribute is optional. If it is not used, the produces clause is determined automatically.

If the operation method returns void or Void the produces clause is empty. If the operation method returns a org.springframework.core.io.Resource, the produces clause is application/octet-stream. For all other operations the produces clause is application/vnd.spring-boot.actuator.v2+json, application/json.

Web Endpoint Response Status

The default response status for an endpoint operation depends on the operation type (read, write, or delete) and what, if anything, the operation returns.

A @ReadOperation returns a value, the response status will be 200 (OK). If it does not return a value, the response status will be 404 (Not Found).

If a @WriteOperation or @DeleteOperation returns a value, the response status will be 200 (OK). If it does not return a value the response status will be 204 (No Content).

If an operation is invoked without a required parameter, or with a parameter that cannot be converted to the required type, the operation method will not be called and the response status will be 400 (Bad Request).

Web Endpoint Range Requests

An HTTP range request can be used to request part of an HTTP resource. When using Spring MVC or Spring Web Flux, operations that return a org.springframework.core.io.Resource automatically support range requests.

	Note
	Range requests are not supported when using Jersey.

Web Endpoint Security

An operation on a web endpoint or a web-specific endpoint extension can receive the current java.security.Principal or org.springframework.boot.actuate.endpoint.SecurityContext as a method parameter. The former is typically used in conjunction with @Nullable to provide different behavior for authenticated and unauthenticated users. The latter is typically used to perform authorization checks using its isUserInRole(String) method.

You can use health information to check the status of your running application. It is often used by monitoring software to alert someone when a production system goes down. The information exposed by the health endpoint depends on the management.endpoint.health.show-details property which can be configured with one of the following values:

The default value is never. A user is considered to be authorized when they are in one or more of the endpoint’s roles. If the endpoint has no configured roles (the default) all authenticated users are considered to be authorized. The roles can be configured using the management.endpoint.health.roles property.

	Note
	If you have secured your application and wish to use always, your security configuration must permit access to the health endpoint for both authenticated and unauthenticated users.

Health information is collected from the content of a HealthIndicatorRegistry (by default all HealthIndicator instances defined in your ApplicationContext. Spring Boot includes a number of auto-configured HealthIndicators and you can also write your own. By default, the final system state is derived by the HealthAggregator which sorts the statuses from each HealthIndicator based on an ordered list of statuses. The first status in the sorted list is used as the overall health status. If no HealthIndicator returns a status that is known to the HealthAggregator, an UNKNOWN status is used.

	Tip
	The HealthIndicatorRegistry can be used to register and unregister health indicators at runtime.

53.8.1 Auto-configured HealthIndicators

The following HealthIndicators are auto-configured by Spring Boot when appropriate:

Name	Description
CassandraHealthIndicator	Checks that a Cassandra database is up.
CouchbaseHealthIndicator	Checks that a Couchbase cluster is up.
DiskSpaceHealthIndicator	Checks for low disk space.
DataSourceHealthIndicator	Checks that a connection to DataSource can be obtained.
ElasticsearchHealthIndicator	Checks that an Elasticsearch cluster is up.
InfluxDbHealthIndicator	Checks that an InfluxDB server is up.
JmsHealthIndicator	Checks that a JMS broker is up.
LdapHealthIndicator	Checks that an LDAP server is up.
MailHealthIndicator	Checks that a mail server is up.
MongoHealthIndicator	Checks that a Mongo database is up.
Neo4jHealthIndicator	Checks that a Neo4j database is up.
RabbitHealthIndicator	Checks that a Rabbit server is up.
RedisHealthIndicator	Checks that a Redis server is up.
SolrHealthIndicator	Checks that a Solr server is up.

	Tip
	You can disable them all by setting the management.health.defaults.enabled property.

53.8.2 Writing Custom HealthIndicators

To provide custom health information, you can register Spring beans that implement the HealthIndicator interface. You need to provide an implementation of the health() method and return a Health response. The Health response should include a status and can optionally include additional details to be displayed. The following code shows a sample HealthIndicator implementation:

import org.springframework.boot.actuate.health.Health;
import org.springframework.boot.actuate.health.HealthIndicator;
import org.springframework.stereotype.Component;

@Component
public class MyHealthIndicator implements HealthIndicator {

	@Override
	public Health health() {
		int errorCode = check(); // perform some specific health check
		if (errorCode != 0) {
			return Health.down().withDetail("Error Code", errorCode).build();
		}
		return Health.up().build();
	}

}

	Note
	The identifier for a given HealthIndicator is the name of the bean without the HealthIndicator suffix, if it exists. In the preceding example, the health information is available in an entry named my.

In addition to Spring Boot’s predefined Status types, it is also possible for Health to return a custom Status that represents a new system state. In such cases, a custom implementation of the HealthAggregator interface also needs to be provided, or the default implementation has to be configured by using the management.health.status.order configuration property.

For example, assume a new Status with code FATAL is being used in one of your HealthIndicator implementations. To configure the severity order, add the following property to your application properties:

management.health.status.order=FATAL, DOWN, OUT_OF_SERVICE, UNKNOWN, UP

The HTTP status code in the response reflects the overall health status (for example, UP maps to 200, while OUT_OF_SERVICE and DOWN map to 503). You might also want to register custom status mappings if you access the health endpoint over HTTP. For example, the following property maps FATAL to 503 (service unavailable):

management.health.status.http-mapping.FATAL=503

	Tip
	If you need more control, you can define your own HealthStatusHttpMapper bean.

The following table shows the default status mappings for the built-in statuses:

Status	Mapping
DOWN	SERVICE_UNAVAILABLE (503)
OUT_OF_SERVICE	SERVICE_UNAVAILABLE (503)
UP	No mapping by default, so http status is 200
UNKNOWN	No mapping by default, so http status is 200

53.8.3 Reactive Health Indicators

For reactive applications, such as those using Spring WebFlux, ReactiveHealthIndicator provides a non-blocking contract for getting application health. Similar to a traditional HealthIndicator, health information is collected from the content of a ReactiveHealthIndicatorRegistry (by default all HealthIndicator and ReactiveHealthIndicator instances defined in your ApplicationContext. Regular HealthIndicator that do not check against a reactive API are executed on the elastic scheduler.

	Tip
	In a reactive application, The ReactiveHealthIndicatorRegistry should be used to register and unregister health indicators at runtime. If you need to register a regular HealthIndicator, you should wrap it using HealthIndicatorReactiveAdapter.

To provide custom health information from a reactive API, you can register Spring beans that implement the ReactiveHealthIndicator interface. The following code shows a sample ReactiveHealthIndicator implementation:

@Component
public class MyReactiveHealthIndicator implements ReactiveHealthIndicator {

	@Override
	public Mono<Health> health() {
		return doHealthCheck() //perform some specific health check that returns a Mono<Health>
			.onErrorResume(ex -> Mono.just(new Health.Builder().down(ex).build()));
	}

}

	Tip
	To handle the error automatically, consider extending from AbstractReactiveHealthIndicator.

53.8.4 Auto-configured ReactiveHealthIndicators

The following ReactiveHealthIndicators are auto-configured by Spring Boot when appropriate:

Name	Description
CassandraReactiveHealthIndicator	Checks that a Cassandra database is up.
CouchbaseReactiveHealthIndicator	Checks that a Couchbase cluster is up.
MongoReactiveHealthIndicator	Checks that a Mongo database is up.
RedisReactiveHealthIndicator	Checks that a Redis server is up.

	Tip
	If necessary, reactive indicators replace the regular ones. Also, any HealthIndicator that is not handled explicitly is wrapped automatically.

Application information exposes various information collected from all InfoContributor beans defined in your ApplicationContext. Spring Boot includes a number of auto-configured InfoContributor beans, and you can write your own.

53.9.1 Auto-configured InfoContributors

The following InfoContributor beans are auto-configured by Spring Boot, when appropriate:

Name	Description
EnvironmentInfoContributor	Exposes any key from the Environment under the info key.
GitInfoContributor	Exposes git information if a git.properties file is available.
BuildInfoContributor	Exposes build information if a META-INF/build-info.properties file is available.

	Tip
	It is possible to disable them all by setting the management.info.defaults.enabled property.

53.9.2 Custom Application Information

You can customize the data exposed by the info endpoint by setting info.* Spring properties. All Environment properties under the info key are automatically exposed. For example, you could add the following settings to your application.properties file:

info.app.encoding=UTF-8
info.app.java.source=1.8
info.app.java.target=1.8

	Tip
	Rather than hardcoding those values, you could also expand info properties at build time. Assuming you use Maven, you could rewrite the preceding example as follows: info.app.encoding[email protected]@ info.app.java.source[email protected]@ info.app.java.target[email protected]@

53.9.3 Git Commit Information

Another useful feature of the info endpoint is its ability to publish information about the state of your git source code repository when the project was built. If a GitProperties bean is available, the git.branch, git.commit.id, and git.commit.time properties are exposed.

	Tip
	A GitProperties bean is auto-configured if a git.properties file is available at the root of the classpath. See "Generate git information" for more details.

If you want to display the full git information (that is, the full content of git.properties), use the management.info.git.mode property, as follows:

management.info.git.mode=full

53.9.4 Build Information

If a BuildProperties bean is available, the info endpoint can also publish information about your build. This happens if a META-INF/build-info.properties file is available in the classpath.

	Tip
	The Maven and Gradle plugins can both generate that file. See "Generate build information" for more details.

import java.util.Collections;

import org.springframework.boot.actuate.info.Info;
import org.springframework.boot.actuate.info.InfoContributor;
import org.springframework.stereotype.Component;

@Component
public class ExampleInfoContributor implements InfoContributor {

	@Override
	public void contribute(Info.Builder builder) {
		builder.withDetail("example",
				Collections.singletonMap("key", "value"));
	}

}

{
	"example": {
		"key" : "value"
	}
}