3

I'm trying to use the Spring endpoints to gracefully shut down my application but I'm getting an error:

```
2016-08-09 13:46:54.606  WARN 13315 --- [nio-8090-exec-6] .w.s.m.s.DefaultHandlerExceptionResolver : Handler execution resulted in exception: Request method 'POST' not supported
```

I'm using this guide and I've set my application.properties to have `endpoints.shutdown.enabled=true` and also `endpoints.shutdown.sensitive=false`. I've also included `compile("org.springframework.boot:spring-boot-starter-actuator")` in my build.gradle.

When I send the CURL request:

```
curl -X POST https://localhost:8090/shutdown -k
```

I get the following response from the server:

```
{"timestamp":1470747537792,"status":405,"error":"Method Not Allowed","exception":"org.springframework.web.HttpRequestMethodNotSupportedException","message":"Request method 'POST' not supported","path":"/shutdown"}
```

Am I doing anything incorrectly? Is there anything that I may be missing? I have CSRF enabled throughout the app so it's not an option to disable that for my application.

px06
  • What happens if you don't use POST? – RealSkeptic Aug 09 '16 at 13:00
  • `{"timestamp":1470748694304,"status":405,"error":"Method Not Allowed","exception":"org.springframework.web.HttpRequestMethodNotSupportedException","message":"Request method 'GET' not supported","path":"/shutdown"}` – px06 Aug 09 '16 at 13:18

4 Answers

2

You need to send a CSRF token either as a header or a parameter or something. Your example:

```
curl -X POST https://localhost:8090/shutdown -k
```

does not include a CSRF token, so of course Spring will reject it. That is indeed the whole point of the CSRF filter. You will need to decide whether it is appropriate to exclude the /shutdown URI from that filter or whether you want to require a token/nonce to be present.

Dave L.
  • 2
    I understand that the CSRF is required but how can I send a CSRF token to the `/shutdown` URI? Is there a way to generate a token and send that as a parameter? It's not a request mapping that I'm defining as it's predefined in Spring so I'm confused on how to provide headers for the request. – px06 Aug 09 '16 at 15:40
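
One way to do what the comment above asks, keeping the CSRF filter active for /shutdown and sending a token with the request (an added example, not code from any of the posts). It assumes Spring Security's default session-backed token with its default names (`_csrf` form field, `X-CSRF-TOKEN` header) and a hypothetical `/login` page that renders the token; the sample HTML is constructed.

```shell
#!/bin/sh
# Added example: fetch a CSRF token, then POST it to /shutdown in the same session.

# Read HTML on stdin, print the value of Spring Security's hidden _csrf input.
extract_csrf_token() {
    # Join lines so a tag split across lines still matches, isolate the
    # <input> tag that carries name="_csrf", then pull out its value attribute.
    tr '\n' ' ' \
        | grep -o '<input[^>]*name="_csrf"[^>]*>' \
        | head -n 1 \
        | sed -n 's/.*value="\([^"]*\)".*/\1/p'
}

# Usage: shutdown_with_csrf https://localhost:8090
shutdown_with_csrf() {
    base_url=$1
    jar=$(mktemp) || return 1
    # The token is bound to the HTTP session, so keep the session cookie (-c).
    # /login is an assumed path; use any page of the app that renders the token.
    # -k (skip certificate verification) is kept from the question's command.
    token=$(curl -sk -c "$jar" "$base_url/login" | extract_csrf_token)
    if [ -z "$token" ]; then
        echo "no _csrf token found at $base_url/login" >&2
        rm -f "$jar"
        return 1
    fi
    # Replay the session cookie (-b) and send the token in the default header.
    curl -sk -b "$jar" -X POST -H "X-CSRF-TOKEN: $token" "$base_url/shutdown"
    rc=$?
    rm -f "$jar"
    return "$rc"
}

# Constructed sample page (not captured from a real application).
SAMPLE_LOGIN_PAGE='<form action="/login" method="post">
  <input type="text" name="username"/>
  <input name="_csrf" type="hidden"
         value="constructed-token-1234"/>
</form>'

# Offline check of the parser against the constructed sample.
printf '%s\n' "$SAMPLE_LOGIN_PAGE" | extract_csrf_token
```
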
1

As David suggested, CSRF is required because it's globally required for all POST requests by Spring. So the only way I could think of bypassing it is by disabling CSRF for the /shutdown endpoint.

In my SecurityConfig I set:

```
http.csrf().ignoringAntMatchers("/shutdown");
```

This would disable the CSRF protection only for the /shutdown URL whilst keeping it active for the rest of the application.

Note: This facility was added in Spring 4.

px06
1

I am using Springboot-1.5.3-RELEASE and use the HTTP method POST (not GET). It works.

1

If you use spring-boot-starter-actuator:

I had the same issue and added the following text to the application.properties file in the src/main/resources folder.

```
management.endpoint.shutdown.enabled=true
management.endpoints.web.exposure.include=health,info,shutdown
```

Rebuild the application, run it and send the request (for example: localhost:8080/actuator/shutdown).

StackOverflow