Require ACTUATOR role rather than ADMIN

Update management security to require an `ACTUATOR` role rather than
`ADMIN` by default. This should reduce the risk of users accidentally
exposing actuator endpoints because they happen to use a role named
`ADMIN`.

Fixes gh-7569
This commit is contained in:
Madhura Bhave
2016-12-05 13:59:31 -08:00
parent 95be208f0f
commit 1be5812cf0
8 changed files with 14 additions and 14 deletions

View File

@@ -73,7 +73,7 @@ public class SampleMethodSecurityApplication extends WebMvcConfigurerAdapter {
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin").password("admin")
.roles("ADMIN", "USER").and().withUser("user").password("user")
.roles("ADMIN", "USER", "ACTUATOR").and().withUser("user").password("user")
.roles("USER");
}