Spring Boot 3 with Okta - permit to /actuator/health endpoint

attila.boros · July 15, 2024, 10:10am

I’m curious is there any way to allow access to /actuator/health without Okta authentication?

In my spring application, I set the following security filter chain but it seems not working:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
DefaultRelyingPartyRegistrationResolver relyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(
this.relyingPartyRegistrationRepository);
Saml2MetadataFilter filter = new Saml2MetadataFilter(relyingPartyRegistrationResolver,
new OpenSamlMetadataResolver());
http.addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class);

            http.authorizeHttpRequests(authorize -> authorize
                            .requestMatchers("/actuator/health").permitAll()
                            .anyRequest().authenticated())
                            .saml2Login(saml2 -> saml2.loginPage("/saml2/authenticate/okta").defaultSuccessUrl("/")
                                            .failureUrl("/"))
                            .saml2Logout(withDefaults());
            return http.build();
    }

I want to deploy this microservice to AWS ECS, using ALB, but the health check fails. Does anyone have a similar issue, or is it something I missed during configuration?

monica345 · July 17, 2024, 6:54am

Hello,
You’re almost there with allowing access to /actuator/health without Okta in your Spring app! Here are the solutions (pick the one that works best for you):
Option 1: Fix the Order

Right now, your code checks for authentication even for /actuator/health. Simply move the line that allows all requests (permitAll) for this endpoint before the line that requires authentication for everything else.

Option 2: Separate Security Chain

Create a special security chain just for /actuator endpoints. This gives you more control.

Option 3: Special Health Check User

Make a user with access only to the health endpoint and configure Spring Security to allow this user.

Important:

Whichever option you choose, test it carefully to make sure it works.
Exposing the health endpoint without authentication can be risky, so choose the solution that keeps your app secure.

Bonus Tip: Double-check your AWS ECS health check configuration to ensure it targets the correct URL (/actuator/health).

By trying these options, you should be able to get your health checks working without Okta!

attila.boros · July 17, 2024, 9:49am

Thanks for the detailed information; I’ll try these options and consider which should be the best for my case.

system · August 16, 2024, 9:49am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Post		Replies	Views
Okta-spring-boot-starter Cannot Create an Anonymous Route Exception OAuth/OIDC spring , java	3	1978	February 15, 2024
Multiple Authentication Methods with okta-spring-boot Questions	2	4462	July 3, 2020
Problems with HTTP GET Questions	1	3177	January 19, 2024
Spring-security-saml-dsl without Spring Boot SAML java , saml	2	7659	January 17, 2024
How do I turn off authentication in dev sandbox Questions	2	3610	August 16, 2020

Spring Boot 3 with Okta - permit to /actuator/health endpoint

Related topics