Springboot Security Actuator

Hello,

My flowable spring boot application is integrated with the keycloak right now. But I have an issue regarding actuator endpoints.

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Profile("!nosec")
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/actuator/**").permitAll()//health-checks and metrics internal endpoints should not require authentication
                .anyRequest().authenticated()
                .and()
                .oauth2Login(oauthLogin -> oauthLogin.permitAll())//redirect to login if no token or session is provided
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); //validate JWT Bearer token
    }

}

This is my Security configuration. This allows me to make request on my actuator endpoints but it gives me http 401 when I try to go to task module or one of the engines in the admin panel.

If I set Order to LOWEST_PRECEDENCE (or just Order), since flowable’s own security classes have higher precedence, my actuator endpoints require authorization.

I would think that there must be a very simple solution for this but as I said, haven’t found one yet.

Thank you

Hey @umutkazan,

I would suggest you to have a look at how our ActuatorWebSecurityConfigurerAdapter is configured and adapt yours.

Your question is more of a Spring Security question and not a Flowable one.

The most important part you need is a requestMatcher for the HttpSecurity. If you do not provide one, then all the requests will be handled by your security configuraiton.

Cheers,
Filip