From 2a7fd5011dc0806717311fb245772fbd3a9f300e Mon Sep 17 00:00:00 2001 From: Madhura Bhave Date: Fri, 14 Apr 2017 11:52:00 -0700 Subject: [PATCH] Clarify docs on actuator security Closes gh-8646 --- .../main/asciidoc/production-ready-features.adoc | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc index eaf68a7117..3f1ca83abf 100644 --- a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc +++ b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc @@ -583,6 +583,20 @@ in your `application.properties`: management.security.roles=SUPERUSER ---- +If your application has custom security configuration and you want all your actuator endpoints +to be accessible without authentication, you need to explicitly configure that in your +security configuration. Along with that, you need to change the `management.security.enabled` +property to `false`. + +If your custom security configuration secures your actuator endpoints, you also need to ensure that +the authenticated user has the roles specified under `management.security.roles`. + +TIP: If you don't have a use case for exposing basic health information to unauthenticated users, +and you have secured the actuator endpoints with custom security, you can set `management.security.enabled` +to `false`. This will inform Spring Boot to skip the additional role check. + + + [[production-ready-customizing-management-server-context-path]]
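Review bot: the TIP added at the end of this hunk should state the consequence of `management.security.enabled=false`, not only the benefit: once the property is `false`, the `management.security.roles` check is skipped entirely, so the custom security configuration becomes the only thing protecting the actuator endpoints, and any actuator path it does not cover is reachable without authentication. A sentence along the lines of "With `management.security.enabled=false`, your own security configuration is solely responsible for protecting the actuator endpoints" would make that explicit and tie the TIP back to the first added paragraph. That first paragraph is also vague about what "you need to explicitly configure that" means; naming the concrete step (permitting unauthenticated access to the actuator paths in the custom security configuration) would help readers who are relying on the default rules today. Minor: the hunk adds three trailing blank lines before the `[[production-ready-customizing-management-server-context-path]]` anchor where the surrounding document uses one.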