With Spring Security, we can define a role, for example, ACTUATOR_ADMIN, and make the endpoints only accessible to authenticated users who are in this role, as shown in the following:
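import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
...
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  ...
  protected void configure(HttpSecurity http) throws Exception {
    http
      ...
      // Rules are evaluated in order; the first matching rule wins.
      .antMatchers(PUBLIC).permitAll()
      // Every Actuator endpoint requires the role (granted authority ROLE_ACTUATOR_ADMIN).
      .requestMatchers(EndpointRequest.toAnyEndpoint()).hasAnyRole("ACTUATOR_ADMIN")
      .anyRequest().authenticated()
      ...
  }
  ...
}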
In application.properties, we will comment out the port setting, as in the following:
# management.server.port=9000
In this way, we can access the Actuator's endpoints with an authenticated user who has the required role.
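One way to check the rule above is a MockMvc test. This is an added example, not code from the original text. It assumes Spring Boot 2.x with JUnit 5 and spring-security-test on the test classpath, Actuator at its default base path /actuator, a healthy application in the test context, and the management port commented out as described; the class name ActuatorAccessTest is hypothetical.

```java
// Added example: verifies that Actuator endpoints are only reachable with ROLE_ACTUATOR_ADMIN.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc   // MockMvc with the Spring Security filter chain applied
class ActuatorAccessTest {   // hypothetical test class name

    @Autowired
    private MockMvc mockMvc;

    @Test
    @WithMockUser(roles = "ACTUATOR_ADMIN")   // granted authority ROLE_ACTUATOR_ADMIN
    void adminRoleCanReadHealth() throws Exception {
        mockMvc.perform(get("/actuator/health")).andExpect(status().isOk());
    }

    @Test
    @WithMockUser(roles = "USER")   // authenticated, but lacks the required role
    void otherRoleIsForbidden() throws Exception {
        mockMvc.perform(get("/actuator/health")).andExpect(status().isForbidden());
    }

    @Test
    void anonymousIsRejected() throws Exception {
        // 401, 403 or a login redirect, depending on the configured entry point
        mockMvc.perform(get("/actuator/health"))
               .andExpect(result -> {
                   int sc = result.getResponse().getStatus();
                   assertTrue(sc == 401 || sc == 403 || (sc >= 300 && sc < 400),
                              "unexpected status " + sc);
               });
    }
}
```

If one of the PUBLIC patterns overlaps the Actuator path, the permitAll() rule matches first and the second and third tests fail, which is the misconfiguration this test is meant to catch.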