Require ACTUATOR role rather than ADMIN
Update management security to require an `ACTUATOR` role rather than `ADMIN` by default. This should reduce the risk of users accidentally exposing actuator endpoints because they happen to use a role named `ADMIN`. Fixes gh-7569
This commit is contained in:
@@ -73,7 +73,7 @@ public class SampleMethodSecurityApplication extends WebMvcConfigurerAdapter {
|
||||
@Override
|
||||
public void init(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth.inMemoryAuthentication().withUser("admin").password("admin")
|
||||
.roles("ADMIN", "USER").and().withUser("user").password("user")
|
||||
.roles("ADMIN", "USER", "ACTUATOR").and().withUser("user").password("user")
|
||||
.roles("USER");
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user