Скачать или смотреть How to Allow Actuator Endpoints in Spring Cloud Gateway with OAuth2 Resource Server

Learn how to configure Spring Cloud Gateway to permit actuator endpoints without requiring a JWT token, while still securing other requests with OAuth2 authentication.
---
This video is based on the question https://stackoverflow.com/q/71776950/ asked by the user 'dmance' ( https://stackoverflow.com/u/5481641/ ) and on the answer https://stackoverflow.com/a/71779545/ provided by the user 'dmance' ( https://stackoverflow.com/u/5481641/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.

Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: Spring Cloud Gateway Oauth2 Resource Server allow actuator endpoints

Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.

If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
How to Allow Actuator Endpoints in Spring Cloud Gateway with OAuth2 Resource Server

When working with Spring Cloud Gateway, integrating security is essential for safeguarding your APIs. However, a common challenge arises when you want to allow certain actuator endpoints, such as /health or /info, without requiring authentication through a valid JWT (JSON Web Token). This guide will delve into how you can achieve that and smoothly bypass security for actuator endpoints while maintaining the need for authentication in other areas.

The Challenge

You have set up your Spring Cloud Gateway with the following configurations that enforce security for all incoming requests via JWT tokens issued by a server like Keycloak:

[[See Video to Reveal this Text or Code Snippet]]

And you’ve enabled security in your main method:

[[See Video to Reveal this Text or Code Snippet]]

In your application properties, you've specified the necessary configurations for JWT:

[[See Video to Reveal this Text or Code Snippet]]

The problem comes when you discover that even accessing /actuator/health, normally meant for monitoring the health of your application, requires a valid token. You want to allow unauthenticated access to these actuator endpoints while keeping authentication on other API requests intact.

The Solution

To allow unauthenticated access to actuator endpoints, you need to implement a custom security configuration. This involves creating a security filter chain that specifies which endpoints should be publicly accessible and which should remain protected.

Step-by-Step Implementation

Create a Security Configuration Class: Firstly, create a new class that will hold your security configurations. Here’s how to do it:

[[See Video to Reveal this Text or Code Snippet]]

Define the Security Filter Chain: Inside your class, define the SecurityWebFilterChain. This is where you can specify the authorization rules for your application.

[[See Video to Reveal this Text or Code Snippet]]

Conclusion: By implementing the above configurations, the actuator health check routes /actuator/health and /actuator/info are now exempt from requiring a valid JWT token. All other requests will still require proper authentication, helping to maintain the security of your application while allowing for accessible health checks.

Final Thoughts

By utilizing Spring WebFlux security settings, you can fine-tune your API's security needs effectively. Allowing free access to actuator endpoints improves operational visibility without compromising on the security of other service calls. With the right configurations in place, you can ensure that your applications remain both secure and user-friendly.

By following these steps, you'll seamlessly integrate actuator endpoints in your Spring Cloud Gateway application while leveraging the benefits of OAuth2 security.