28.4 Actuator Security
If the Actuator is also in use, you will find:
- The management endpoints are secure even if the application endpoints are insecure.
- Security events are transformed into AuditEvents and published to the AuditService.
- The default user will have the ADMIN role as well as the USER role.
The Actuator security features can be modified using external properties (management.security.*). To override the application access rules, add a @Bean of type WebSecurityConfigurerAdapter and use @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) if you don’t want to override the actuator access rules, or @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER) if you do want to override the actuator access rules.
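The following added example (not taken from the Spring Boot documentation) shows an adapter that overrides the application access rules while leaving the actuator access rules in place. The package name, class name and URL patterns are hypothetical; the imports assume the Spring Boot 1.x package layout.

```java
package com.example.demo; // hypothetical package

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Ordered at SecurityProperties.ACCESS_OVERRIDE_ORDER: replaces the default
// application access rules but does not override the actuator access rules.
// Using ManagementServerProperties.ACCESS_OVERRIDE_ORDER instead would make
// this adapter override the actuator access rules as well, so the rules
// below would then also have to cover the management endpoints.
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Hypothetical public paths: list only what must be anonymous.
                .antMatchers("/", "/public/**").permitAll()
                // Everything else handled by this adapter needs a login,
                // so a path nobody listed is denied rather than exposed.
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

Ending the rule list with anyRequest().authenticated() keeps any application path that is not explicitly listed behind authentication.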