Spring Boot Actuator

Actuators are nothing but Spring Boot provided production-ready features to our application. Spring Boot includes a number of additional features to help you monitor and manage your application when you push it to production. You can choose to manage and monitor your application by using HTTP endpoints. Monitoring of application, gathering metrics, understanding traffic becomes trivial with this dependency.

The main benefit is actually getting all this feature, the moment you add Spring Actuators in your application dependency, without you actually implementing it. Once this dependency is on the classpath several endpoints are available for us out of the box. As with most Spring modules, we can easily configure or extend it in many ways.

Enabling Production-ready Features

The spring-boot-actuator module provides all of Spring Boot’s production-ready features. The simplest way to enable the features is to add a dependency to the spring-boot-starter-actuator ‘Starter’.

To add the actuator to a Maven based project, add the following ‘Starter’ dependency:

<dependency> 
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>

Endpoints

Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the /health endpoint provides basic application health information.

Here are some of the most common endpoints Boot provides out of the box:

  • /health – Shows application health information (a simple ‘status’ when accessed over an unauthenticated connection or full message details when authenticated); it’s not sensitive by default
  • /info – Displays arbitrary application info; not sensitive by default
  • /metrics – Shows ‘metrics’ information for the current application; it’s also sensitive by default
  • /trace – Displays trace information (by default the last few HTTP requests)

The full list can be found below

IDDescriptionEnabled by default
auditeventsExposes audit events information for the current application.Yes
beansDisplays a complete list of all the Spring beans in your application.Yes
cachesExposes available caches.Yes
conditionsShows the conditions that were evaluated on configuration and auto-configuration classes and the reasons why they did or did not match.Yes
configpropsDisplays a collated list of all @ConfigurationProperties.Yes
envExposes properties from Spring’s ConfigurableEnvironment.Yes
flywayShows any Flyway database migrations that have been applied.Yes
healthShows application health information.Yes
httptraceDisplays HTTP trace information (by default, the last 100 HTTP request-response exchanges).Yes
infoDisplays arbitrary application info.Yes
integrationgraphShows the Spring Integration graph.Yes
loggersShows and modifies the configuration of loggers in the application.Yes
liquibaseShows any Liquibase database migrations that have been applied.Yes
metricsShows ‘metrics’ information for the current application.Yes
mappingsDisplays a collated list of all @RequestMapping paths.Yes
scheduledtasksDisplays the scheduled tasks in your application.Yes
sessionsAllows retrieval and deletion of user sessions from a Spring Session-backed session store. Not available when using Spring Session’s support for reactive web applications.Yes
shutdownLets the application be gracefully shutdown.No
threaddumpPerforms a thread dump.Yes

Enabling Endpoints

By default, all endpoints except for shutdown are enabled. To configure the enablement of an endpoint, use its management.endpoint.<id>.enabled property. The following example enables the  shutdown  endpoint:

management.endpoint.shutdown.enabled=true

If you want endpoint enablement to be opt-in rather than opt-out, set the management.endpoints.enabled-by-default property to false and use individual endpoint enabled properties to opt back in. The following example enables the info endpoint and disables all other endpoints:

management.endpoints.enabled-by-default=false 
management.endpoint.info.enabled=true

Exposing Endpoints

You do not let the world know about your application beans. That’s why there is constraint over endpoints. i.e. you should not expose /beans endpoint over HTTP(web). Here is the list of built-in endpoints and their default exposure.

IDJMXWeb
auditeventsYesNo
beansYesNo
cachesYesNo
conditionsYesNo
configpropsYesNo
envYesNo
flywayYesNo
healthYesYes
heapdumpN/ANo
httptraceYesNo
infoYesYes
integrationgraphYesNo
jolokiaN/ANo
logfileN/ANo
loggersYesNo
liquibaseYesNo
metricsYesNo
mappingsYesNo
prometheusN/ANo
scheduledtasksYesNo
sessionsYesNo
shutdownYesNo
threaddumpYesNo

To change which endpoints are exposed, use the following technology-specific include and exclude properties:

PropertyDefault
management.endpoints.jmx.exposure.exclude
management.endpoints.jmx.exposure.include*
management.endpoints.web.exposure.exclude
management.endpoints.web.exposure.includeinfo, health

The include property lists the IDs of the endpoints that are exposed. The exclude property lists the IDs of the endpoints that should not be exposed. The exclude property takes precedence over the include property. Both include and exclude properties can be configured with a list of endpoint IDs.

For example, to stop exposing all endpoints over JMX and only expose the health and info endpoints, use the following property:

management.endpoints.jmx.exposure.include=health,info

* can be used to select all endpoints. For example, to expose everything over HTTP except the env and beans endpoints, use the following properties:

management.endpoints.web.exposure.include=* 
management.endpoints.web.exposure.exclude=env, beans

Securing HTTP Endpoints

You should take care to secure HTTP endpoints in the same way that you would any other sensitive URL. If Spring Security is present, endpoints are secured by default using Spring Security’s content-negotiation strategy. If you wish to configure custom security for HTTP endpoints, for example, only allow users with a certain role to access them, Spring Boot provides some convenient RequestMatcher objects that can be used in combination with Spring Security. For example:-

@Configuration 
public class ActuatorSecurity extends WebSecurityConfigurerAdapter {

       @Override
       protected void configure(HttpSecurity http) throws Exception {
                   http.requestMatcher(EndpointRequest.toAnyEndpoint())
                  .authorizeRequests() .anyRequest().hasRole("ENDPOINT_ADMIN")
                  .and() .httpBasic();
      }
}

The above code ensure that who have the ENDPOINT_ADMIN role will be authenticated.

If you deploy applications behind a firewall, you may prefer that all your actuator endpoints can be accessed without requiring authentication. You can do so by changing the management.endpoints.web.exposure.include property, as follows:

application.properties. 

management.endpoints.web.exposure.include=*

Configuring Endpoints

Endpoints automatically cache responses to read operations that do not take any parameters. To configure the amount of time for which an endpoint will cache a response, use its cache.time-to-live property. The following example sets the time-to-live of the beans endpoint’s cache to 10 seconds:

application.properties. 

management.endpoint.beans.cache.time-to-live=10s

Hope this cleared some of your doubts about Spring Actuator.