mirror of
https://github.com/spring-projects/spring-boot.git
synced 2024-08-29 03:06:45 +08:00
02d7e2826c
Previously, if security.ignored was set to none and the error controller
was disabled, there would be no paths to ignore and we would call
IgnoredRequestConfigurer.antMatchers with an empty array. While a bit
pointless, this had no effect on Spring Security’s configuration.
This behaviour has changed in the latest 4.0.3 snapshots [1]. An empty
array passed to IgnoredRequestConfigurer.antMatchers now maps to /**. As
Spring Boot configures its ignored paths with highest precedence this
means that security is now disabled for every path.
This commit updates both the management security and application
security configuration to avoid calling antMatchers with an empty
array, thereby ensuring that we don’t inadvertently ignore every path.
Even if the change to Spring Security is reverted we can keep this
change. The behaviour will remain the same and, arguably, it makes the
intent of our configuration clearer.
Closes gh-4345
[1]
|
||
|---|---|---|
| .. | ||
| src | ||
| pom.xml | ||
| README.adoc | ||
= Spring Boot - Actuator
Spring Boot Actuator includes a number of additional features to help you monitor and
manage your application when it's pushed to production. You can choose to manage and
monitor your application using HTTP endpoints, with JMX or even by remote shell (SSH or
Telnet). Auditing, health and metrics gathering can be automatically applied to your
application. The
http://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#production-ready[user guide]
covers the features in more detail.
== Enabling the Actuator
The simplest way to enable the features is to add a dependency to the
`spring-boot-starter-actuator` "`Starter POM`". To add the actuator to a Maven based
project, add the following "`starter`" dependency:
[source,xml,indent=0]
----
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
</dependencies>
----
For Gradle, use the declaration:
[indent=0]
----
dependencies {
compile("org.springframework.boot:spring-boot-starter-actuator")
}
----
== Features
* **Endpoints** Actuator endpoints allow you to monitor and interact with your
application. Spring Boot includes a number of built-in endpoints and you can also add
your own. For example the `health` endpoint provides basic application health
information. Run up a basic application and look at `/health` (and see `/mappings` for
a list of other HTTP endpoints).
* **Metrics** Spring Boot Actuator includes a metrics service with "`gauge`" and
"`counter`" support. A "`gauge`" records a single value; and a "`counter`" records a
delta (an increment or decrement). Metrics for all HTTP requests are automatically
recorded, so if you hit the `metrics` endpoint should see a sensible response.
* **Audit** Spring Boot Actuator has a flexible audit framework that will publish events
to an `AuditService`. Once Spring Security is in play it automatically publishes
authentication events by default. This can be very useful for reporting, and also to
implement a lock-out policy based on authentication failures.
* **Process Monitoring** In Spring Boot Actuator you can find `ApplicationPidListener`
which creates a file containing the application PID (by default in the application
directory with a file name of `application.pid`).