Secure your Spring Boot Actuator Endpoints and configure Prometheus with Basic Authentication


Thomas Schühly's server-side rendering journey started as a developer trying to make life easier while developing his first bootstrapped product in his free time. Creating Spring ViewComponent enabled him to be the youngest speaker at the largest European Spring conference and to build software full-time with his open-source library at alanda.io. He regularly talks at Java User Groups about htmx and server-side rendering with Spring while contributing to the open-source community.

When you set up Prometheus for the first time, scraping may not work. If you enable debug logs, you will see that Prometheus cannot scrape the Actuator endpoint.

To fix this we need to protect the Actuator endpoints in the Spring app with Basic Authentication and give Prometheus the credentials it needs to access them.

To set up Prometheus and Grafana, you can follow the excellent guide on Refactor First: Monitoring Spring Boot Application with Prometheus and Grafana by Amrut Prabhu.

Custom SecurityConfig

Once everything works without authentication, configure your SecurityConfiguration like this:

import org.slf4j.Logger
import org.slf4j.LoggerFactory
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
// Kotlin DSL entry point for Spring Security 6 (in 5.x it lives in org.springframework.security.config.web.servlet)
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
    private val logger: Logger = LoggerFactory.getLogger(SecurityConfig::class.java)

    @Bean
    fun filterChain(
        http: HttpSecurity,
        authManager: AuthenticationManager
    ): SecurityFilterChain {
        http.invoke {
            authorizeHttpRequests {
                // Every Actuator endpoint (including /actuator/prometheus) requires ROLE_ACTUATOR
                authorize(EndpointRequest.toAnyEndpoint(), hasRole("ACTUATOR"))
                // Everything else only requires an authenticated user
                authorize(anyRequest, authenticated)
            }
            authenticationManager = authManager
            // Prometheus sends its credentials as HTTP Basic
            httpBasic {}
        }
        return http.build()
    }

    @Bean
    fun authManager(
        http: HttpSecurity
    ): AuthenticationManager {
        val authenticationManagerBuilder = http.getSharedObject(
            AuthenticationManagerBuilder::class.java
        )
        // In-memory user for the scraper. The stored value is a bcrypt hash; the "{bcrypt}" id
        // tells DelegatingPasswordEncoder which encoder to use. "$" must be escaped as "\$"
        // inside Kotlin strings so it is not treated as a template.
        authenticationManagerBuilder.inMemoryAuthentication()
            .withUser("prometheus")
            .password("{bcrypt}\$2a\$\$LVUNCy8Lht68w7KA0nobWuwyzbW8AdF3bRC25glv7M12ACAZ4PT8u")
            .roles("ACTUATOR")
        return authenticationManagerBuilder.build()
    }
}

Using a custom AuthenticationManager also lets us register additional AuthenticationProviders:

authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider)

Supabase Security Spring Boot Starter

If you are using the Supabase Security Spring Boot Starter, it is even easier:

supabase:
  basicAuth:
    enabled: true
    username: prometheus
    password: "{bcrypt}$2a$10$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy"
    roles:
      - "ACTUATOR"
  roles:
    admin:
      get:
        - "/actuator/**"

You can generate the bcrypt hash of the password with the Spring Boot CLI's encodepassword command, which prints it in the {bcrypt}... form used above.
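Whichever route you take, it pays to check that the {bcrypt} value is something Spring's DelegatingPasswordEncoder will actually accept before a failed scrape sends you back to the debug logs. The linter below is an added example (not code from the post or from the Supabase starter) for the {id}encoded format used in both snippets above; the minimum cost of 10 is an assumption of the example.

```python
import re
from typing import List

# Spring's DelegatingPasswordEncoder stores credentials as "{id}encoded".
# bcrypt modular-crypt form: $<2a|2b|2y>$<two-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")
MIN_COST = 10  # assumption of this example; matches BCryptPasswordEncoder's default strength


def lint_encoded_password(value: str) -> List[str]:
    """Return findings for a Spring '{id}encoded' password value; an empty list means it looks fine."""
    m = re.match(r"^\{([^}]*)\}(.*)$", value, re.DOTALL)
    if not m:
        # Without an id Spring fails at login with "There is no PasswordEncoder mapped for the id null".
        return ["missing {id} prefix; DelegatingPasswordEncoder cannot select an encoder"]
    encoder_id, encoded = m.group(1), m.group(2)
    if encoder_id == "noop":
        return ["{noop} stores the password in plaintext"]
    if encoder_id != "bcrypt":
        return [f"encoder id '{encoder_id}' is not checked by this linter"]
    bm = BCRYPT_RE.match(encoded)
    if not bm:
        if re.match(r"^\$2[aby]\$\$", encoded):
            return ["bcrypt cost factor missing (expected $2a$NN$...)"]
        return ["malformed bcrypt string (expected $2a$NN$ followed by 53 radix-64 characters)"]
    cost = int(bm.group(2))
    if not 4 <= cost <= 31:
        return [f"bcrypt cost {cost} outside the valid range 4..31"]
    if cost < MIN_COST:
        return [f"bcrypt cost {cost} below recommended minimum {MIN_COST}"]
    return []


if __name__ == "__main__":
    # The first value is the hash from the Supabase snippet above; the rest are constructed mistakes.
    for sample in (
        "{bcrypt}$2a$10$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy",
        "{bcrypt}$2a$$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy",
        "{noop}prometheus",
        "$2a$10$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy",
    ):
        print(sample[:24] + "...", lint_encoded_password(sample) or "OK")
```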

Prometheus

Then configure the scrape job in your prometheus.yaml with the Basic Auth credentials. Note that basic_auth belongs to the scrape job itself, not under static_configs, and that Prometheus needs the plaintext password (not the bcrypt hash stored on the Spring side); password_file can be used instead of inlining it:

scrape_configs:
  - job_name: 'Spring Boot Application input'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 2s
    basic_auth:
      username: "prometheus"
      password: "plain-text-password"
    static_configs:
      - targets: ['localhost:8080']
        labels:
          application: 'My Spring Boot Application'

If you want to learn more about HTMX + Spring Boot, check out my series Web development without the JavaScript headache with Spring + HTMX.

My side business PhotoQuest is also built with HTMX + JTE.
