Springboot Security Actuator


My flowable spring boot application is integrated with the keycloak right now. But I have an issue regarding actuator endpoints.

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
                .antMatchers("/actuator/**").permitAll()//health-checks and metrics internal endpoints should not require authentication
                .oauth2Login(oauthLogin -> oauthLogin.permitAll())//redirect to login if no token or session is provided
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); //validate JWT Bearer token


This is my Security configuration. This allows me to make request on my actuator endpoints but it gives me http 401 when I try to go to task module or one of the engines in the admin panel.

If I set Order to LOWEST_PRECEDENCE (or just Order), since flowable’s own security classes have higher precedence, my actuator endpoints require authorization.

I would think that there must be a very simple solution for this but as I said, haven’t found one yet.

Thank you