1

I read "How to shutdown a Spring Boot Application in a correct way?", so I am trying to use the HTTP shutdown endpoints to shut down my Spring Boot embedded Tomcat application.

But I need it to be accessible only from localhost so that nobody else can shut down my applications.

I found that I can use management.address=127.0.0.1 to not allow remote management connections.

But what if I need some endpoints like /health, /info to still be remotely accessible?

Is there a way to hook ONLY the shutdown endpoints so that I can check the requester IP?

JaskeyLam

1 Answer

0

A couple of possible solutions:

  1. Block all the actuators from non-localhost access, and write a proxy @Controller that will re-expose the requested actuators. When someone hits the endpoint, it could call the actuator itself, collect the response from the actuator, and return it.

  2. Expose all the actuators, and put a servlet filter in front of the shutdown endpoint that would block any clients that aren't localhost.

I think the first is probably the safest and easiest solution.

Josh Ghiloni
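
A sketch of the second option in the answer above, added as an example and not code from the answer's author. It assumes Spring Boot 1.4/1.5 with `javax.servlet`, actuator endpoints served on the main server port, and the shutdown endpoint at its default path `/shutdown`; the class names `ShutdownGuardConfig` and `LoopbackOnlyFilter` are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UrlPathHelper;

@Configuration
public class ShutdownGuardConfig {
    // Guards only the shutdown endpoint; /health, /info etc. pass through untouched.
    static class LoopbackOnlyFilter extends OncePerRequestFilter {
        private final UrlPathHelper paths = new UrlPathHelper();

        @Override
        protected boolean shouldNotFilter(HttpServletRequest request) {
            String p = paths.getPathWithinApplication(request); // decoded, no context path
            // Precaution: also match trailing-slash and suffix forms (e.g. /shutdown.json).
            return !(p.equals("/shutdown") || p.startsWith("/shutdown/") || p.startsWith("/shutdown."));
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request,
                HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            // getRemoteAddr() is an IP literal, so getByName() parses it without a DNS lookup.
            InetAddress peer = InetAddress.getByName(request.getRemoteAddr());
            if (!peer.isLoopbackAddress()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(request, response);
        }
    }

    @Bean
    public FilterRegistrationBean shutdownGuard() {
        FilterRegistrationBean registration = new FilterRegistrationBean(new LoopbackOnlyFilter());
        registration.addUrlPatterns("/*"); // path matching is done inside the filter
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE); // run before other filters
        return registration;
    }
}
```

`getRemoteAddr()` is the TCP peer address, so if a reverse proxy runs on the same host every proxied request looks local; in that setup the proxy itself must refuse to forward `/shutdown`.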