CAS, being a Spring-Boot application at heart, includes a number of endpoints to help you monitor and manage the server when it’s pushed to production. You can choose to manage and monitor the deployment using HTTP endpoints, referred to as actuators. This tutorial provides a basic overview of the endpoints provided by both Spring Boot and CAS and also provides instructions on how such endpoints can be secured for access and win.
Our starting position is based on the following:
7.0.x
jq
In essence, actuator endpoints bring production-ready features to CAS. Monitoring a running CAS instance, gathering metrics, understanding traffic or the state of our database becomes trivial with such endpoints. The main benefit of these endpoints is that we can get production grade tools without having to actually implement these features ourselves. Actuators are mainly used to expose operational information about the running application – health, metrics, info, dump, env, etc. These are HTTP endpoints or JMX beans to enable us to interact with it.
The full list of endpoints provided to your CAS deployment is posted here. Note that you do not need to do anything extra special to get these endpoints added to your deployment; these are all available by default and just need to be turned on and secured for access.
Starting with Spring Boot 2
and CAS 6.0.x
, the actuator endpoints and their method of security are entirely revamped. Here are the main differences:
enabled
and sensitive
is now gone, and each endpoint entirely embraces Spring Security for protection.@Endpoint
and can be standalone or extensions of existing endpoints such as /health
.Let’s go through a number of scenarios that might be helpful. Bear in mind that in order to work with an endpoint, you must go through the following steps:
Remember that the default path for endpoints exposed over the web is at /actuator
, such as /actuator/status
.
Expose the CAS status
endpoint over the web, enable it and make sure its protected via basic authentication:
management.endpoints.web.exposure.include=status
management.endpoint.status.enabled=true
cas.monitor.endpoints.endpoint.status.access=AUTHENTICATED
spring.security.user.name=casuser
spring.security.user.password=Mellon
Expose the CAS status
endpoint over the web, enable it and make sure a list of IP addresses can reach it:
management.endpoints.web.exposure.include=status
management.endpoint.status.enabled=true
cas.monitor.endpoints.endpoint.status.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.status.required-ip-addresses=1.2.3.4,0.0.0.0
Expose the Spring Boot health
and info
endpoints over the web, enable them and make sure access to health
is secured via basic authentication:
management.endpoints.web.exposure.include=health,info
management.endpoint.health.enabled=true
management.endpoint.health.show-details=always
management.endpoint.info.enabled=true
cas.monitor.endpoints.endpoint.health.access=AUTHENTICATED
cas.monitor.endpoints.endpoint.info.access=ANONYMOUS
spring.security.user.name=casuser
spring.security.user.password=Mellon
Enable and expose all endpoints with no regard for security:
management.endpoints.web.exposure.include=*
management.endpoints.enabled-by-default=true
cas.monitor.endpoints.endpoint.defaults.access=ANONYMOUS
In addition to the usual, let’s remap the path to endpoints to start with endpoints
instead
of actuator
, and lets rename the status
endpoint to be heartbeat
:
management.endpoints.web.path-mapping.status=heartbeat
management.endpoints.web.base-path=/endpoints
management.endpoints.web.exposure.include=status
management.endpoint.status.enabled=true
cas.monitor.endpoints.endpoint.status.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.status.required-ip-addresses=1.2.3.4
By default, the Spring Security library in CAS will generate credentials for basic authentication attempts, if credentials are left undefined in the CAS configuration. When undefined, you would see warnings in the logs similar to the below example:
Using default security password: 78fa095d-3f4c-48b1-ad50-e24c31d5cf35
You can control and generate your own credentials via:
spring.security.user.name=...
spring.security.user.password=...
This is only relevant in scenarios where an http request is protected with an authentication scheme of sorts which typically is Basic Authentication, and Spring Security is in charge of enforcing and validating the authentication request, as it would be in the case with authenticated access to CAS actuator endpoints. You should note that the above warnings typically are displayed at the INFO
log level. If you wish to get rid of the log messages altogether, you can fine-tune your logging configuration to ensure that the org.springframework.boot.autoconfigure.security
category is set to log WARN
or ERROR
messages.
If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.
It’s important that you start off simple and make changes one step at a time. Once you have a functional environment, you can gradually and slowly add customizations to move files around.
I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.
Monday-Friday
9am-6pm, Central European Time
7am-1pm, U.S. Eastern Time
Monday-Friday
9am-6pm, Central European Time