Spring Boot Actuator: A Complete Guide

Spring Boot Actuator is a sub-project of Spring Boot. It provides several production-grade services to your application out of the box. Once Actuator is configured in your Spring Boot application, you can interact and monitor your application by invoking different HTTP endpoints exposed by Spring Boot Actuator such as application health, bean details, version details, configurations, logger details, etc.

Spring Boot includes a number of built-in endpoints, and you can also add your own or even configure existing endpoints to be exposed on any custom endpoints of your choice. It is obvious that all the endpoints cannot be exposed publicly, considering that there are many sensitive endpoints like beans, env, etc. Hence, Spring Boot also sets sensitive defaults to true for many endpoints that require a username/password when they are accessed over HTTP (or simply disabled if web security is not enabled). Health and info are not sensitive by default.

How to Enable Spring Boot Actuator

This is easy. You only need to include the following maven dependency in your existing pom.xml file:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

Different Actuator Endpoints

Once above maven dependency is included in the POM file, 16 different actuator REST endpoints, such as actuator, beans, dump, info, loggers, and metrics are exposed.

For a complete list of actuator REST endpoints, with examples, you can take a look here.

If you are using Spring MVC on top of this, then four additional endpoints — docs, heapdump, jolokia, and logfile can be used.

Customizing Actuator Endpoints

Spring Boot allows customizing endpoints by using Spring properties. Simply mention the properties you want to customize in your application.properties. You can customize an endpoint in three ways. You can enable or disable an endpoint, customize its sensitivity, and also its id.

The following is an example that changes the sensitivity and id of the metrics endpoint and also enables shutdown.

endpoints.metrics.id=springmetrics
endpoints.metrics.sensitive=false
endpoints.metrics.enabled=true

Apart from this, you can also customize the endpoints globally. The following example marks all endpoints as sensitive except info.

endpoints.sensitive=true
endpoints.info.sensitive=false

If you're interested, here are the code and configurations for customization of actuator endpoints.

Securing Actuator Endpoints

As we saw, there are only two endpoints, health and info, that are by default not sensitive. But other endpoints, like loggers and beans, that are sensitive and hence require authorization to access. To access these sensitive endpoints, you can either disable the sensitivity or secure it using Spring Security.

To secure the actuator endpoints, include following maven dependency in your pom.xml file.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

In Spring Boot, including the above dependencies will by default provide inbuilt form-based authentication with the userid as the user and a randomly generated password. The following entries are then required to enable basic security to your sensitive endpoints.

management.security.enabled=true
security.basic.enabled=true
security.user.name=admin
security.user.password=admin

To access the actuator-restricted endpoints, you have to have the ACTUATOR role. It is a default configuration.

Apart from this, you can also secure actuator REST endpoints using AuthenticationManagerBuilder  by extending the WebSecurityConfigurerAdapter class provided by Spring. Here is the complete implementation using AuthenticationManagerBuilder.

Creating a Custom Actuator Endpoint

The best thing about Spring is that it always encourages developers to come up with their own configurations and implementations — and this is the case with actuator endpoints, too.

To customize the endpoint and define your own endpoint, simply implement the interface Endpoint and override its methods. That's it, you're finished exposing your own endpoints.

The following is a simple code snippet that defines a custom endpoint in Spring Actuator. It can be accessed at /showendpoints.

import org.springframework.boot.actuate.endpoint.AbstractEndpoint;
import org.springframework.boot.actuate.endpoint.Endpoint;
import org.springframework.stereotype.Component;

import java.util.List;

@Component
public class ListEndPoints extends AbstractEndpoint<List<Endpoint>> {
    private List<Endpoint> endpoints;

    public ListEndPoints(List<Endpoint> endpoints) {
        super("showendpoints");
        this.endpoints = endpoints;
    }

    @Override
    public List<Endpoint> invoke() {
        return this.endpoints;
    }
}

Thanks for reading! Let me know your thoughts on Spring Boot Actuator below.