Refined actuator endpoint security rules:

- Allowed public access to `/actuator/health`.
- Enforced authentication for other `/actuator/**` endpoints in production.
- Allowed all `/actuator/**` endpoints in development.
This commit is contained in:
Jan 2025-10-30 21:56:35 +01:00
parent f62cfbfb66
commit f7efc9eb81
2 changed files with 5 additions and 1 deletions


@ -70,6 +70,8 @@ public class SecurityConfig {
.cors(cors -> cors.configurationSource(prodCorsConfigurationSource())) // Production CORS
.authorizeHttpRequests(auth -> auth
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.requestMatchers("/actuator/health").permitAll()
.requestMatchers("/actuator/**").authenticated()
.requestMatchers("/oauth2/token").permitAll()
.requestMatchers("/api/**").authenticated()
.requestMatchers("/api/dev/**").denyAll()
@ -174,6 +176,8 @@ public class SecurityConfig {
.cors(cors -> cors.configurationSource(devCorsConfigurationSource())) // Dev CORS
.authorizeHttpRequests(auth -> auth
.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.requestMatchers("/actuator/health").permitAll()
.requestMatchers("/actuator/**").permitAll()
.requestMatchers("/oauth2/token").permitAll()
.requestMatchers("/api/**").permitAll()
.requestMatchers("/api/dev/**").permitAll()
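Review bot: In the production chain (first hunk, `@ -70,6 +70,8`), the pre-existing `.requestMatchers("/api/**").authenticated()` directly below the new actuator rules shadows `.requestMatchers("/api/dev/**").denyAll()`, because `authorizeHttpRequests` matchers are evaluated in declaration order and the first match wins, so the deny rule can never fire and any authenticated caller reaches `/api/dev/**` in production. The new `/actuator/health` before `/actuator/**` ordering is right for exactly that reason; apply it to the `/api` pair too by swapping the two lines so `.requestMatchers("/api/dev/**").denyAll()` precedes `.requestMatchers("/api/**").authenticated()`. Consider also whether `authenticated()` is the intended bar for `/actuator/**`, since any principal that can obtain a token via `/oauth2/token` would then read the exposed `info` and `metrics` endpoints; a dedicated operator authority via `hasAuthority(...)` would narrow that. In the dev chain (second hunk) the separate `/actuator/health` line is redundant under `/actuator/**` `permitAll()` and could be dropped for clarity. Both enclosing filter-chain bean methods start and end outside the hunks.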


@ -14,7 +14,7 @@ spring.cloud.azure.active-directory.authorization-clients.graph.scopes=openid,pr
# Management Endpoints
management.endpoints.web.exposure.include=health,info,metrics
management.endpoint.health.show-details=always
management.endpoint.health.show-details=when-authorized
# Flyway Migration
spring.flyway.enabled=true