spring-boot-admin-docs/src/site/docs/05-security/index.md
Spring Boot Admin Server and Client can be secured using Spring Security. This section covers all aspects of securing your Spring Boot Admin deployment.
A complete Spring Boot Admin deployment has multiple security concerns:
graph TD
A[User Browser] -->|1 Login to Admin UI| B["Spring Boot Admin Server
• Form login + HTTP Basic authentication
• CSRF protection for UI
• Remember-me functionality"]
B -->|2 Access actuator endpoints| C["Client Application Instance
• Secured actuator endpoints
• Client provides credentials via metadata
• Server authenticates using instance-auth"]
Protect the Admin UI and API endpoints:
Secure the client application's actuator endpoints:
See: Actuator Security
Configure CSRF tokens for Admin UI while allowing client registration:
/instances registration without CSRFSee: CSRF Protection
Enhanced security with client certificates:
spring:
security:
user:
name: admin
password: ${ADMIN_PASSWORD}
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/assets/**").permitAll()
.requestMatchers("/login").permitAll()
.anyRequest().authenticated()
)
.formLogin(formLogin -> formLogin.loginPage("/login"))
.httpBasic(Customizer.withDefaults());
return http.build();
}
}
Client Configuration:
spring:
boot:
admin:
client:
url: http://admin-server:8080
instance:
metadata:
user.name: actuator
user.password: ${ACTUATOR_PASSWORD}
security:
user:
name: actuator
password: ${ACTUATOR_PASSWORD}
management:
endpoints:
web:
exposure:
include: "*"
Server Configuration:
spring:
boot:
admin:
instance-auth:
enabled: true
# Credentials from instance metadata
Use this checklist to ensure your deployment is secure:
/instancesuser.name, user.password)Goal: Simple security for local development.
# Admin Server
spring:
security:
user:
name: user
password: password
No actuator security needed in development.
Goal: Different roles for read-only vs admin users.
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/assets/**", "/login").permitAll()
.requestMatchers("/instances/**").hasRole("ADMIN")
.anyRequest().hasAnyRole("ADMIN", "USER")
)
.formLogin(formLogin -> formLogin.loginPage("/login"))
.httpBasic(Customizer.withDefaults());
return http.build();
}
@Bean
public UserDetailsService userDetailsService(PasswordEncoder encoder) {
UserDetails admin = User.builder()
.username("admin")
.password(encoder.encode(System.getenv("ADMIN_PASSWORD")))
.roles("ADMIN")
.build();
UserDetails user = User.builder()
.username("viewer")
.password(encoder.encode(System.getenv("VIEWER_PASSWORD")))
.roles("USER")
.build();
return new InMemoryUserDetailsManager(admin, user);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
Goal: Use Kubernetes service accounts for authentication.
# Admin Server
spring:
boot:
admin:
discovery:
enabled: true
# Spring Security with OAuth2
spring:
security:
oauth2:
client:
registration:
keycloak:
client-id: spring-boot-admin
client-secret: ${OAUTH2_CLIENT_SECRET}
provider:
keycloak:
issuer-uri: https://keycloak.company.com/realms/main
Goal: Use unique credentials for each client service.
Admin Server:
spring:
boot:
admin:
instance-auth:
enabled: true
service-map:
service-a:
user-name: service-a-actuator
user-password: ${SERVICE_A_PASSWORD}
service-b:
user-name: service-b-actuator
user-password: ${SERVICE_B_PASSWORD}
default-user-name: default-actuator
default-password: ${DEFAULT_PASSWORD}
Client (Service A):
spring:
application:
name: service-a
security:
user:
name: service-a-actuator
password: ${SERVICE_A_PASSWORD}
Never hardcode passwords. Use environment variables or secret management:
spring:
security:
user:
name: ${ADMIN_USER:admin}
password: ${ADMIN_PASSWORD}
Docker:
docker run -e ADMIN_PASSWORD=secret123 my-admin-server
Kubernetes Secret:
apiVersion: v1
kind: Secret
metadata:
name: admin-credentials
type: Opaque
data:
password: c2VjcmV0MTIz # base64 encoded
Only expose necessary endpoints:
management:
endpoints:
web:
exposure:
include: health,info,metrics,loggers
Use TLS for all communication:
server:
port: 8443
ssl:
enabled: true
key-store: classpath:keystore.p12
key-store-password: ${KEYSTORE_PASSWORD}
key-store-type: PKCS12
Log authentication attempts and failures:
logging:
level:
org.springframework.security: DEBUG
de.codecentric.boot.admin: DEBUG
Configure security headers for the Admin UI:
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.headers(headers -> headers
.contentSecurityPolicy(csp -> csp
.policyDirectives("default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'")
)
.frameOptions(frame -> frame.sameOrigin())
.xssProtection(xss -> xss.block(true))
.httpStrictTransportSecurity(hsts -> hsts
.includeSubDomains(true)
.maxAgeInSeconds(31536000)
)
);
return http.build();
}
}
Cause: Admin Server doesn't have credentials to access actuator endpoints.
Solution: Add credentials to instance metadata:
spring:
boot:
admin:
client:
instance:
metadata:
user.name: actuator
user.password: ${ACTUATOR_PASSWORD}
Cause: CSRF protection blocking /instances endpoint.
Solution: Exempt registration endpoints from CSRF:
.csrf(csrf -> csrf
.ignoringRequestMatchers(
new AntPathRequestMatcher("/instances", POST.name()),
new AntPathRequestMatcher("/instances/*", DELETE.name())
)
)
Cause: Login page assets blocked by security.
Solution: Permit access to assets and login:
.authorizeHttpRequests(auth -> auth
.requestMatchers("/assets/**", "/login").permitAll()
.anyRequest().authenticated()
)
Cause: No UserDetailsService configured.
Solution: Add UserDetailsService bean:
@Bean
public InMemoryUserDetailsManager userDetailsService(PasswordEncoder encoder) {
UserDetails user = User.builder()
.username("admin")
.password(encoder.encode("password"))
.roles("ADMIN")
.build();
return new InMemoryUserDetailsManager(user);
}