# 异常情况：

## /health 只有status信息,没有其他

{

"status" : "UP"

}

## /metrics 提示没有权限

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Mon Nov 20 10:42:15 CST 2017

There was an unexpected error (type=Unauthorized, status=401).

Full authentication is required to access this resource.

# 解决办法【设置端点访问 】：

## 方式1-关闭验证

application.properties添加配置参数

management.security.enabled=false

## 方式2-开启HTTP basic认证

• 添加依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
• application.properties 添加用户名和密码

security.user.name=admin

security.user.password=123456

management.security.enabled=true

management.security.role=ADMIN

• 访问URL http://localhost:8080/env 后，就看到需要输入用户名和密码了。

# 原因分析：

## Actuator endpoints 【断点】：

Actuator endpoints allow you to monitor and interact with your application.

Spring Boot includes a number of built-in endpoints and you can also add your own.

For example the health endpoint provides basic application health information.

Actuator 端点允许您监视和与您的应用程序进行交互。

Spring Boot包含许多内置的端点，您也可以添加自己的端点。

例如， health端点提供基本的应用程序健康信息。

The way that endpoints are exposed will depend on the type of technology that you choose.

Most applications choose HTTP monitoring, where the ID of the endpoint is mapped to a URL.

For example, by default, the health endpoint will be mapped to /health.

端点的暴露方式取决于您选择的技术类型。

大多数应用程序选择HTTP监视，其中端点的ID映射到一个URL。

例如，默认情况下，health端点将被映射到/health。

The following technology agnostic endpoints are available:

ID Description Sensitive
Default

actuator

Provides a hypermedia-based “discovery page” for the other endpoints. Requires Spring HATEOAS to be on the classpath.

true

auditevents

Exposes audit events information for the current application.

true

autoconfig

Displays an auto-configuration report showing all auto-configuration candidates and the reason why they ‘were’ or ‘were not’ applied.

true

beans

Displays a complete list of all the Spring beans in your application.

true

configprops

Displays a collated list of all @ConfigurationProperties.

true

dump

true

env

Exposes properties from Spring’s ConfigurableEnvironment.

true

flyway

Shows any Flyway database migrations that have been applied.

true

health

Shows application health information (when the application is secure, a simple ‘status’ when accessed over an unauthenticated connection or full message details when authenticated).

false

info

Displays arbitrary application info.

false

loggers

Shows and modifies the configuration of loggers in the application.

true

liquibase

Shows any Liquibase database migrations that have been applied.

true

metrics

Shows ‘metrics’ information for the current application.

true

mappings

Displays a collated list of all @RequestMapping paths.

true

shutdown

Allows the application to be gracefully shutdown (not enabled by default).

true

trace

Displays trace information (by default the last 100 HTTP requests).

true

## Accessing sensitive endpoints【访问敏感端点】

By default all sensitive HTTP endpoints are secured such that only users that have an ACTUATOR role may access them.

Security is enforced using the standard HttpServletRequest.isUserInRole method.

(默认情况下，所有敏感的HTTP端点都是安全的，只有具有ACTUATOR角色的用户 可以访问它们。

Use the management.security.roles property if you want something different to ACTUATOR.

If you are deploying applications behind a firewall, you may prefer that all your actuator endpoints can be accessed without requiring authentication.

You can do this by changing the management.security.enabled property:

application.properties.

management.security.enabled=false

By default, actuator endpoints are exposed on the same port that serves regular HTTP traffic.

Take care not to accidentally expose sensitive information if you change the management.security.enabled property.

(默认情况下，执行器端点暴露在提供常规HTTP通信的相同端口上。

注意不要在更改management.security.enabled属性时意外暴露敏感信息。)

If you’re deploying applications publicly, you may want to add ‘Spring Security’ to handle user authentication.

When ‘Spring Security’ is added, by default ‘basic’ authentication will be used with the username user and a generated password (which is printed on the console when the application starts).

(如果您公开部署应用程序，则可能需要添加“Spring Security”来处理用户身份验证。

Generated passwords are logged as the application starts. Search for ‘Using default security password’.

生成的密码在应用程序启动时被记录。搜索“使用默认安全密码”。

You can use Spring properties to change the username and password and to change the security role(s) required to access the endpoints.

For example, you might set the following in your application.properties:

security.user.name=admin
management.security.roles=SUPERUSER

If your application has custom security configuration and you want all your actuator endpoints to be accessible without authentication, you need to explicitly configure that in your security configuration. Along with that, you need to change the management.security.enabledproperty to false.

(如果您的应用程序具有自定义安全配置，并且您希望所有执行器端点无需身份验证即可访问，则需要在安全配置中明确配置该端点。与此同时，你需要改变management.security.enabled 属性false。)

If your custom security configuration secures your actuator endpoints, you also need to ensure that the authenticated user has the roles specified under management.security.roles.

(如果您的自定义安全配置保护您的执行器端点，则还需要确保经过身份验证的用户具有在下指定的角色management.security.roles。)

If you don’t have a use case for exposing basic health information to unauthenticated users,

and you have secured the actuator endpoints with custom security, you can set management.security.enabled to false.

This will inform Spring Boot to skip the additional role check.

(如果您没有用于向未经验证的用户公开基本健康信息的用例，并且已经使用自定义安全保护了执行器端点，则可以设置management.security.enabled 为false。这将通知Spring Boot跳过额外的角色检查。)

©️2019 CSDN 皮肤主题: 酷酷鲨 设计师: CSDN官方博客