Kingdom: Security Features

Software security is not security software. Here we are concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Spring Boot Misconfiguration: Actuator Endpoint Security Disabled

Abstract
The Spring Boot application uses Actuator endpoints without requiring authentication.
Explanation
A Spring Boot application can be configured to deploy Actuators, which are REST endpoints that let users monitor different aspects of the application. There are a number of built-in Actuators, and because they may expose sensitive data they are flagged as "sensitive". By default, all sensitive HTTP endpoints are secured so that only users holding the ACTUATOR role can access them.

This application disables the authentication requirement for sensitive endpoints:

Example 1


management.security.enabled=false


Alternatively, it marks a sensitive endpoint as non-sensitive:

Example 2


endpoints.health.sensitive=false


Or it configures a custom Actuator as non-sensitive:

Example 3

import java.util.Collections;
import java.util.List;

import org.springframework.boot.actuate.endpoint.Endpoint;
import org.springframework.stereotype.Component;

@Component
public class CustomEndpoint implements Endpoint<List<String>> {

    @Override
    public String getId() {
        return "customEndpoint";
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    // Returning false here makes the endpoint reachable without authentication,
    // bypassing the ACTUATOR role check that protects sensitive endpoints.
    @Override
    public boolean isSensitive() {
        return false;
    }

    @Override
    public List<String> invoke() {
        // Custom logic to build the output (elided in the original); a placeholder
        // value is returned here only so the class compiles.
        return Collections.singletonList("placeholder");
    }
}
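The hardened counterpart of all three examples above, as an added illustration that is not part of the original description and is not Fortify's or Spring's own code. It assumes the Spring Boot 1.x Actuator API shown on this page (the Endpoint interface, management.security.enabled and endpoints.*.sensitive), the Boot 1.x default of serving an endpoint at "/<id>" with no management.context-path configured, and Spring Security on the classpath; the class names, the endpoint paths listed in the matcher, and the returned values are constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.boot.actuate.endpoint.Endpoint;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Component;

// application.properties counterpart (these are the Boot 1.x defaults, restated
// explicitly so a later edit cannot silently weaken them):
//
//   management.security.enabled=true
//   endpoints.health.sensitive=true
//   management.security.roles=ACTUATOR
//
// Hardened version of the custom Actuator from Example 3: the endpoint is
// marked sensitive, so with management.security.enabled=true it is only
// served to authenticated users who hold the ACTUATOR role.
@Component
public class HardenedCustomEndpoint implements Endpoint<List<String>> {

    @Override
    public String getId() {
        return "customEndpoint";
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

    // The fix: treat the endpoint as sensitive so the default protection applies.
    @Override
    public boolean isSensitive() {
        return true;
    }

    @Override
    public List<String> invoke() {
        // Constructed placeholder payload standing in for the real monitoring data.
        return Arrays.asList("build=placeholder", "status=OK");
    }
}

// Defence in depth: an explicit authorization rule for the Actuator paths, so
// the endpoints stay protected even if management.security.enabled is later
// flipped to false in a properties file. Paths assume the Boot 1.x default of
// "/<id>" with no management.context-path set (assumption for this example).
@Configuration
class ActuatorAccessConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/customEndpoint", "/health", "/env", "/beans", "/mappings")
                .hasRole("ACTUATOR")
            .and()
                .httpBasic();
    }
}
```

Keeping the role check in both places is deliberate: the properties file decides whether Boot's built-in Actuator security is active at all, while the Spring Security rule is evaluated independently of that switch, so a misconfiguration of one does not expose the endpoints on its own. Reviewing for this issue therefore means checking both the properties (management.security.enabled, endpoints.*.sensitive) and every custom Endpoint's isSensitive() return value.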