Secure your Spring Boot Actuator Endpoints and configure Prometheus with Basic Authentication
When you set up Prometheus for the first time it may not work: with debug logs enabled you will see that Prometheus cannot scrape the Actuator endpoints.
To fix this we configure Basic Authentication in the Spring application and give Prometheus the credentials it needs to reach the Actuator endpoints.
To set up your Prometheus + Grafana Setup you can follow the excellent guide on Refactor First: Monitoring Spring Boot Application with Prometheus and Grafana by Amrut Prabhu
Custom SecurityConfig
Once everything works without authentication, configure your SecurityConfig like this:
import org.slf4j.Logger
import org.slf4j.LoggerFactory
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
    val logger: Logger = LoggerFactory.getLogger(SecurityConfig::class.java)

    @Bean
    fun filterChain(
        http: HttpSecurity,
        authManager: AuthenticationManager
    ): SecurityFilterChain {
        http.invoke {
            authorizeHttpRequests {
                // Every Actuator endpoint requires the ACTUATOR role ...
                authorize(EndpointRequest.toAnyEndpoint(), hasRole("ACTUATOR"))
                // ... and everything else at least an authenticated user
                authorize(anyRequest, authenticated)
            }
            authenticationManager = authManager
            // Prometheus sends its credentials via HTTP Basic Authentication
            httpBasic {}
        }
        return http.build()
    }

    @Bean
    fun authManager(
        http: HttpSecurity
    ): AuthenticationManager {
        val authenticationManagerBuilder = http.getSharedObject(
            AuthenticationManagerBuilder::class.java
        )
        // Single in-memory user for Prometheus; the password is stored as a bcrypt hash
        authenticationManagerBuilder.inMemoryAuthentication()
            .withUser("prometheus")
            .password("{bcrypt}\$2a\$\$LVUNCy8Lht68w7KA0nobWuwyzbW8AdF3bRC25glv7M12ACAZ4PT8u")
            .roles("ACTUATOR")
        return authenticationManagerBuilder.build()
    }
}
Using a custom authenticationManager gives us the ability to add other AuthenticationProviders using:
authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider)
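An added example (not from the original post) of a Spring Boot test that checks the configuration above really locks the Actuator down: anonymous and wrong-password requests get 401, an authenticated user without the ACTUATOR role gets 403, and the prometheus user gets 200. It assumes the Prometheus endpoint is exposed, that "plain-text-password" is the password behind the bcrypt hash in SecurityConfig, and that spring-boot-starter-test and spring-security-test are on the test classpath.

```kotlin
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.http.HttpHeaders
import org.springframework.security.test.context.support.WithMockUser
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.get
import java.util.Base64

@SpringBootTest
@AutoConfigureMockMvc
class ActuatorSecurityTest {

    @Autowired
    lateinit var mockMvc: MockMvc

    // Builds the Authorization header exactly as Prometheus' basic_auth does
    private fun basic(user: String, password: String): String =
        "Basic " + Base64.getEncoder().encodeToString("$user:$password".toByteArray())

    @Test
    fun `anonymous request to the actuator is rejected with 401`() {
        mockMvc.get("/actuator/prometheus")
            .andExpect { status { isUnauthorized() } }
    }

    @Test
    fun `wrong password is rejected with 401`() {
        mockMvc.get("/actuator/prometheus") {
            header(HttpHeaders.AUTHORIZATION, basic("prometheus", "wrong"))
        }.andExpect { status { isUnauthorized() } }
    }

    @Test
    @WithMockUser(roles = ["USER"]) // authenticated, but without the ACTUATOR role
    fun `authenticated user without ACTUATOR role is forbidden`() {
        mockMvc.get("/actuator/prometheus")
            .andExpect { status { isForbidden() } }
    }

    @Test
    fun `prometheus user with ACTUATOR role can scrape`() {
        // Assumption: "plain-text-password" matches the bcrypt hash in SecurityConfig
        mockMvc.get("/actuator/prometheus") {
            header(HttpHeaders.AUTHORIZATION, basic("prometheus", "plain-text-password"))
        }.andExpect { status { isOk() } }
    }
}
```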
Supabase Security Spring Boot Starter
If you are using the Supabase Security Spring Boot Starter it is even easier!
supabase:
  basicAuth:
    enabled: true
    username: prometheus
    password: "{bcrypt}$2a$10$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy"
    roles:
      - "ACTUATOR"
  roles:
    admin:
      get:
        - "/actuator/**"
You can generate the bcrypt hash of the password with the Spring Boot CLI (the spring encodepassword command); only the hash goes into the configuration, never the plain-text password.
Prometheus
Then you can configure your prometheus.yaml with the basic auth credentials. Prometheus needs the plain-text password here (the bcrypt hash lives only in the Spring application); if you would rather keep it out of the config file, Prometheus also accepts a password_file under basic_auth:
scrape_configs:
  - job_name: 'Spring Boot Application input'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 2s
    static_configs:
      - targets: ['localhost:8080']
        labels:
          application: 'My Spring Boot Application'
    basic_auth:
      username: "prometheus"
      password: "plain-text-password"
If you want to learn more about HTMX + Spring Boot check out my series Web development without the JavaScript headache with Spring + HTMX.
My side business PhotoQuest is also built with HTMX + JTE