mirror of
https://github.com/spring-projects/spring-boot.git
synced 2024-07-05 00:56:58 +08:00
Improve "Sanitize Sensitive Values" section in reference documentation
Closes gh-39094
This commit is contained in:
parent
e2420caefd
commit
bec84959ed
@ -282,19 +282,27 @@ NOTE: The `management.endpoint.<name>` prefix uniquely identifies the endpoint t
[[actuator.endpoints.sanitization]]
=== Sanitize Sensitive Values
Information returned by the `/env`, `/configprops` and `/quartz` endpoints can be somewhat sensitive.
All values are sanitized by default (that is replaced by `+******+`).
Viewing original values in the unsanitized form can be configured per endpoint using the `showValues` property for that endpoint.
This property can be configured to have the following values:
Information returned by the `/env`, `/configprops` and `/quartz` endpoints can be sensitive, so by default values are always fully sanitized (replaced by `+******+`).
- `ALWAYS` - all values are shown in their unsanitized form to all users
- `NEVER` - all values are always sanitized (that is replaced by `+******+`)
- `WHEN_AUTHORIZED` - all values are shown in their unsanitized form to authorized users
Values can only be viewed in an unsanitized form when:
- The `show-values` property has been set to something other than `NEVER`
- No custom `<<howto#howto.actuator.customizing-sanitization, SanitizingFunction>>` beans apply
The `show-values` property can be configured for sanitizable endpoints to one of the following values:
- `NEVER` - values are always fully sanitized (replaced by `+******+`)
- `ALWAYS` - values are shown to all users (as long as no `SanitizingFunction` bean applies)
- `WHEN_AUTHORIZED` - values are shown only to authorized users (as long as no `SanitizingFunction` bean applies)
For HTTP endpoints, a user is considered to be authorized if they have authenticated and have the roles configured by the endpoint's roles property.
By default, any authenticated user is authorized.
For JMX endpoints, all users are always authorized.
The following example allows all users with the `admin` role to view values from the `/env` endpoint in their original form.
Unuthorized users, or users without the `admin` role, will see only sanitized values.
[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
----
management:
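Review bot: `Unuthorized` in the added example paragraph is misspelled, and the sentence "Unuthorized users, or users without the `admin` role, will see only sanitized values." is also redundant, because two paragraphs earlier the hunk defines an authorized HTTP user as one who has authenticated and has the endpoint's configured roles, so a user without the `admin` role is already unauthorized. Suggest "Unauthenticated users, or users without the `admin` role, will see only sanitized values." so the two cases it names are distinct.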
@ -304,9 +312,7 @@ For JMX endpoints, all users are always authorized.
roles: "admin"
----
The configuration above enables the ability for all users with the `admin` role to view all values in their original form from the `/env` endpoint.
NOTE: When `show-values` is set to `ALWAYS` or `WHEN_AUTHORIZED` any sanitization applied by a `<<howto#howto.actuator.customizing-sanitization, SanitizingFunction>>` will still be applied.
NOTE: This example assumes that no `<<howto#howto.actuator.customizing-sanitization, SanitizingFunction>>` beans have been defined.
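Review bot: the new NOTE says the example assumes that no `SanitizingFunction` beans "have been defined", while the list added in the previous hunk conditions unsanitized display on whether such a bean "applies"; a bean can be defined yet not apply to a given key, so the two statements do not describe the same condition. Suggest stating the behaviour rather than an assumption, for example "NOTE: If any `<<howto#howto.actuator.customizing-sanitization, SanitizingFunction>>` beans apply, their sanitization is still performed regardless of the `show-values` setting.", which also keeps the guarantee that the removed NOTE used to give explicitly at this point.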