Secure Metrics

Author: NikitaBaranov

Extra-Docker/Demo/demo-mvc_final/metricbeat.yml

@@ -7,6 +7,8 @@ metricbeat.modules:
   period: 10s
   hosts: ["app:8080"]
   metrics_path: /actuator/prometheus
+  username: "admin"
+  password: "admin"
 
 output.elasticsearch:
   hosts: ["elasticsearch:9200"]

Extra-Docker/Demo/demo-mvc_final/src/main/java/com/codingnomads/demo_web/configurations/SecurityConfiguration.java

@@ -104,6 +104,26 @@ protected void doFilterInternal(HttpServletRequest request,
         };
     }
 
+    /**
+     * Configuration for Actuator endpoints.
+     * It uses Basic Auth for Metricbeat/observability tools.
+     */
+    @Bean
+    @Order(0) // Highest priority
+    public SecurityFilterChain actuatorSecurity(HttpSecurity http, OncePerRequestFilter mdcFilter) throws Exception {
+        http
+                .securityMatcher("/actuator/**")
+                .authorizeHttpRequests(auth -> auth
+                        .anyRequest().hasRole("ADMIN")
+                )
+                .httpBasic(Customizer.withDefaults())
+                .csrf(AbstractHttpConfigurer::disable)
+                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .addFilterAfter(mdcFilter, UsernamePasswordAuthenticationFilter.class);
+
+        return http.build();
+    }
+
     /**
      * Configuration for the REST API (/api/**).
      * It uses JWT (JSON Web Tokens) and is 'stateless', meaning the server doesn't remember the user between requests.
@@ -148,10 +168,9 @@ public SecurityFilterChain mvcSecurity(HttpSecurity http, OncePerRequestFilter m
                         // Permit access to static resources without logging in
                         .requestMatchers("/css/**", "/js/**", "/images/**", "/webjars/**", "/favicon.ico").permitAll()
                         // Permit access to home, signup, and error pages
-                        .requestMatchers("/", "/signup", "/errors").permitAll()
-                        // Only users with ADMIN role can access /admin/** and Actuator
+                        .requestMatchers("/", "/signup", "/error").permitAll()
+                        // Only users with ADMIN role can access /admin/**
                         .requestMatchers("/admin/**").hasRole("ADMIN")
-                        .requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
                         // Everything else requires the user to be logged in
                         .anyRequest().authenticated())
                 .formLogin(login -> login