Spring Boot HttpSecurity fluent api order?

By | July 12, 2018

Spring 2.0.3.RELEASE

Goal: Implement Spring Boot Security (basic auth for starters) on all endpoints except /actuator/health, /actuator/info and /ping (a custom controller that just returns ResponseEntity.status(HttpStatus.NO_CONTENT).build()).

The below gives me a 401. Any combination seems to either give me complete anonymous access to all endpoints or 401 to all.

I’ve set the spring.security.user.name and ...password in application.yml and it is working correctly.

I’ve implemented…

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    protected void configure(final HttpSecurity http) throws Exception {


        // just trying to get health working for starters

The below seemed like it was restricted to Actuator’s /health and /info endpoints, but instead is also opening up my custom /ping endpoint as well (it’s not in this list).

http.requestMatcher(EndpointRequest.to("health", "info"))

Leave a Reply

Your email address will not be published. Required fields are marked *