Secure your Spring Boot Actuator Endpoints and configure Prometheus with Basic Authentication

Thomas Schühly

When you point Prometheus at a Spring Boot application that uses Spring Security for the first time, the scrape may simply not work. If you enable debug logs you will see that Prometheus cannot reach the actuator endpoint: the request is rejected because it carries no credentials.

To fix this we configure Basic Authentication in the Spring application, restrict the Actuator endpoints to a dedicated role, and give Prometheus the credentials for that user.

To set up your Prometheus + Grafana Setup you can follow the excellent guide on Refactor First: Monitoring Spring Boot Application with Prometheus and Grafana by Amrut Prabhu

Custom SecurityConfig

After you have everything working without authentication, configure your SecurityConfig like this:

import org.slf4j.Logger
import org.slf4j.LoggerFactory
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
    val logger: Logger = LoggerFactory.getLogger(SecurityConfig::class.java)

    @Bean
    fun filterChain(
        http: HttpSecurity,
        authManager: AuthenticationManager
    ): SecurityFilterChain {
        http.invoke {
            authorizeHttpRequests {
                // Every actuator endpoint (health included) requires ROLE_ACTUATOR ...
                authorize(EndpointRequest.toAnyEndpoint(), hasRole("ACTUATOR"))
                // ... and everything else requires at least an authenticated user.
                authorize(anyRequest, authenticated)
            }
            authenticationManager = authManager
            // Basic auth is what Prometheus sends; credentials travel in clear, so use TLS.
            httpBasic {}
        }
        return http.build()
    }

    @Bean
    fun authManager(
        http: HttpSecurity
    ): AuthenticationManager {
        val authenticationManagerBuilder = http.getSharedObject(
            AuthenticationManagerBuilder::class.java
        )
        // The {bcrypt} prefix tells Spring's DelegatingPasswordEncoder which encoder to use.
        // The value must be a complete bcrypt hash ($2a$<cost>$<salt+hash>); the cost factor
        // was missing from the original listing, so Spring's default of 10 is assumed here.
        authenticationManagerBuilder.inMemoryAuthentication()
            .withUser("prometheus")
            .password("{bcrypt}\$2a\$10\$LVUNCy8Lht68w7KA0nobWuwyzbW8AdF3bRC25glv7M12ACAZ4PT8u")
            .roles("ACTUATOR") // hasRole("ACTUATOR") matches the authority ROLE_ACTUATOR
        return authenticationManagerBuilder.build()
    }

}

Using a custom authenticationManager gives us the ability to add other AuthenticationProviders using:

authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider)

Supabase Security Spring Boot Starter

If you are using the Supabase Security Spring Boot Starter it is even easier!

supabase:
  basicAuth:
    enabled: true
    username: prometheus
    password: "{bcrypt}$2a$10$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy"
    roles:
      - "ACTUATOR"
  roles:
    admin:
      get:
        - "/actuator/**"

The password is not encrypted but hashed: you can generate the bcrypt hash in the {bcrypt}... form that Spring expects with the Spring Boot CLI, spring encodepassword <password>. Whatever tool you use, paste the complete hash, including the {bcrypt} prefix and the cost factor; a truncated hash fails only at login time, when Prometheus starts getting rejected again.
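Both the in-memory user in the SecurityConfig above and the Supabase starter's application.yaml store the password as a Spring {id}hash string. The following check, an added example rather than code from the post or from the starter, validates such a string before it goes into config: it requires the {id} prefix, rejects {noop} plain text, and for bcrypt requires the full $2a$<cost>$<53 characters> shape with a cost in bcrypt's range and not below Spring's default. The first sample is the hash from the starter config above; the other samples are constructed to show the typical mistakes.

```python
import re
from typing import Dict, List

# Spring Security's DelegatingPasswordEncoder stores a password as "{id}encoded".
# With id "bcrypt" the encoded part must be a complete Modular Crypt Format string:
#   $2a$<cost>$<22-char salt><31-char hash>   (53 characters after the cost separator)
ENCODED_RE = re.compile(r"^\{(?P<id>[^{}]*)\}(?P<encoded>.*)$", re.DOTALL)
BCRYPT_RE = re.compile(r"^\$2[aby]\$(?P<cost>\d{2})\$(?P<body>[./A-Za-z0-9]{53})$")

SPRING_DEFAULT_COST = 10  # strength used by BCryptPasswordEncoder() and `spring encodepassword`


def check_stored_password(value: str) -> List[str]:
    """Return a list of problems; an empty list means Spring can verify logins against it."""
    m = ENCODED_RE.match(value)
    if not m:
        return ["no '{id}' prefix: DelegatingPasswordEncoder cannot choose an encoder"]
    encoder_id, encoded = m.group("id"), m.group("encoded")
    if encoder_id == "noop":
        return ["'{noop}' stores the password in plain text"]
    if encoder_id != "bcrypt":
        return [f"encoder id '{encoder_id}' is not bcrypt; make sure it is one you intend"]
    b = BCRYPT_RE.match(encoded)
    if not b:
        return ["encoded part is not a complete bcrypt hash ($2a$<cost>$<53 chars>)"]
    cost = int(b.group("cost"))
    if not 4 <= cost <= 31:
        return [f"cost {cost} outside bcrypt's valid range 4..31"]
    if cost < SPRING_DEFAULT_COST:
        return [f"cost {cost} is below Spring's default of {SPRING_DEFAULT_COST}"]
    return []


# Sample inputs: "good" is the hash from the starter config above; the rest are constructed.
SAMPLES: Dict[str, str] = {
    "good": "{bcrypt}$2a$10$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy",
    # same hash but the cost factor between the separators was lost while copying
    "missing_cost": "{bcrypt}$2a$$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy",
    # raw hash pasted without the {id} prefix
    "no_prefix": "$2a$10$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy",
    # plain-text password with the noop encoder
    "noop": "{noop}prometheus",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        problems = check_stored_password(value)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it on the value you are about to paste into the Kotlin config or the YAML; only an empty problem list means the scrape user will actually be able to log in.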

Prometheus

Then you can configure your prometheus.yaml with the basic auth credentials. Note that basic_auth belongs at the level of the scrape job, next to static_configs, not inside the target's labels:

scrape_configs:
  - job_name: 'Spring Boot Application input'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 2s
    basic_auth:
      username: "prometheus"
      password: "plain-text-password"
    static_configs:
      - targets: ['localhost:8080']
        labels:
          application: 'My Spring Boot Application'

Prometheus needs the plain password here (it is hashed only on the Spring side), so protect prometheus.yaml, or use password_file instead of password to keep the secret out of the config, and scrape over TLS (scheme: https) so the credentials are not sent in clear.
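Once both sides are configured, it is worth checking the lock-down from the outside rather than waiting for Prometheus to complain. The script below is an added example, not part of the post: it sends the same requests Prometheus would, with and without the Basic Authorization header, and reports any endpoint whose status differs from what the SecurityConfig above should produce. BASE_URL and the password are assumptions to adjust; the health expectation is 401 because toAnyEndpoint() covers the health endpoint too.

```python
import base64
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

# Assumed deployment values; the password is a placeholder, not one from the post.
BASE_URL = "http://localhost:8080"
SCRAPE_USER = "prometheus"
SCRAPE_PASSWORD = "plain-text-password"

Credentials = Optional[Tuple[str, str]]
Fetcher = Callable[[str, Credentials], int]


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value Prometheus sends for basic_auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def fetch_status(url: str, auth: Credentials = None) -> int:
    """GET url and return the HTTP status code; 401/403 are returned, not raised."""
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", basic_auth_header(*auth))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def run_checks(fetch: Fetcher = fetch_status, base_url: str = BASE_URL) -> List[str]:
    """Return a list of failures; an empty list means the actuator is locked down as intended."""
    cases = [
        # (path, credentials, expected status, what it proves)
        ("/actuator/prometheus", None, 401, "anonymous scrape is rejected"),
        ("/actuator/prometheus", (SCRAPE_USER, SCRAPE_PASSWORD), 200, "scrape user can read metrics"),
        ("/actuator/prometheus", (SCRAPE_USER, "not-the-password"), 401, "wrong password is rejected"),
        # toAnyEndpoint() covers health as well; expect 200 here only if you exclude it deliberately
        ("/actuator/health", None, 401, "health is not exposed anonymously"),
    ]
    failures = []
    for path, auth, expected, reason in cases:
        got = fetch(base_url + path, auth)
        if got != expected:
            who = auth[0] if auth else "anonymous"
            failures.append(f"{path} as {who}: got {got}, expected {expected} ({reason})")
    return failures


if __name__ == "__main__":
    problems = run_checks()
    for problem in problems:
        print("FAIL", problem)
    print("all checks passed" if not problems else f"{len(problems)} check(s) failed")
```

A 302 instead of a 401 for the anonymous case means form login is still the default entry point and httpBasic {} is not active on the chain that serves the actuator; a 403 for the scrape user means the user authenticates but lacks ROLE_ACTUATOR.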

If you want to learn more about HTMX + Spring Boot check out my series Web development without the JavaScript headache with Spring + HTMX.

My side business PhotoQuest is also built with HTMX + JTE


Written by

Thomas Schühly

Thomas Schühly’s server-side rendering journey started as a developer trying to make life easier while developing his first bootstrapped product in his free time. Creating Spring ViewComponent enabled him to be the youngest speaker at the largest European Spring conference and build awesome software full-time with his open-source library at alanda.io. He regularly talks at Java User Groups about htmx and server-side rendering with Spring while contributing to the open-source community.