In this article I will show you how to secure your Spring Boot Actuator Endpoints with Basic Auth and configure Prometheus to access the Actuator Endpoints.

To set up Prometheus and Grafana you can follow the excellent guide on Refactor First: Monitoring Spring Boot Application with Prometheus and Grafana by Amrut Prabhu.

Custom SecurityConfig

Once everything works without authentication, configure your SecurityConfig like this (the page shows Kotlin; the imports are added here so the class compiles as-is):

import org.slf4j.Logger
import org.slf4j.LoggerFactory
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
// Kotlin DSL entry point; on Spring Security 5.x the import is
// org.springframework.security.config.web.servlet.invoke instead
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
    val logger: Logger = LoggerFactory.getLogger(SecurityConfig::class.java)

    @Bean
    fun filterChain(
        http: HttpSecurity,
        authManager: AuthenticationManager
    ): SecurityFilterChain {
        http.invoke {
            authorizeHttpRequests {
                // every Actuator endpoint (health, info, prometheus, ...) requires ROLE_ACTUATOR
                authorize(EndpointRequest.toAnyEndpoint(), hasRole("ACTUATOR"))
                // everything else only needs an authenticated user
                authorize(anyRequest, authenticated)
            }
            authenticationManager = authManager
            // HTTP Basic is what Prometheus can send; the endpoint replies 401 + WWW-Authenticate otherwise
            httpBasic {}
        }
        return http.build()
    }

    @Bean
    fun authManager(
        http: HttpSecurity
    ): AuthenticationManager {
        val authenticationManagerBuilder = http.getSharedObject(
            AuthenticationManagerBuilder::class.java
        )
        authenticationManagerBuilder.inMemoryAuthentication()
            .withUser("prometheus")
            // "{bcrypt}" selects the BCrypt encoder of DelegatingPasswordEncoder; in Kotlin the
            // "$" characters must be escaped. NOTE: a real bcrypt value has the form
            // $2a$<cost>$<salt+hash> (compare the $2a$10$... value further down this page);
            // generate your own hash rather than copying this one.
            .password("{bcrypt}\$2a\$\$LVUNCy8Lht68w7KA0nobWuwyzbW8AdF3bRC25glv7M12ACAZ4PT8u")
            .roles("ACTUATOR")
        return authenticationManagerBuilder.build()
    }

}

Using a custom AuthenticationManager gives us the ability to add other AuthenticationProviders to the same builder using:

authenticationManagerBuilder.authenticationProvider(customAuthenticationProvider)
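To confirm that the configuration above really protects the endpoint, here is an added integration test that is not part of the original article. It assumes the SecurityConfig above is on the classpath, that spring-boot-starter-test and spring-security-test are test dependencies, that the prometheus endpoint is exposed, and that `prometheusPassword` is replaced with the plaintext matching the bcrypt hash you configured (the value below is a placeholder):

```kotlin
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic
import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.get

@SpringBootTest
@AutoConfigureMockMvc
class ActuatorSecurityTest(@Autowired val mockMvc: MockMvc) {

    // Placeholder: the plaintext that matches the "{bcrypt}..." hash in SecurityConfig.
    private val prometheusPassword = "REPLACE-WITH-YOUR-PLAINTEXT"

    @Test
    fun `anonymous scrape is challenged with 401 and a Basic challenge`() {
        mockMvc.get("/actuator/prometheus")
            .andExpect {
                status { isUnauthorized() }
                // httpBasic {} installs BasicAuthenticationEntryPoint, so the challenge header is present
                header { exists("WWW-Authenticate") }
            }
    }

    @Test
    fun `wrong password is rejected`() {
        mockMvc.get("/actuator/prometheus") {
            with(httpBasic("prometheus", "not-the-password"))
        }.andExpect { status { isUnauthorized() } }
    }

    @Test
    fun `authenticated user without ROLE_ACTUATOR gets 403`() {
        // user() injects an already-authenticated principal; roles("USER") becomes ROLE_USER
        mockMvc.get("/actuator/prometheus") {
            with(user("alice").roles("USER"))
        }.andExpect { status { isForbidden() } }
    }

    @Test
    fun `prometheus user with ROLE_ACTUATOR can scrape`() {
        mockMvc.get("/actuator/prometheus") {
            with(httpBasic("prometheus", prometheusPassword))
        }.andExpect { status { isOk() } }
    }
}
```

The three failure cases are the ones worth keeping in CI: a missing challenge header means Basic auth is not wired in, a 200 for the wrong password means the in-memory user is not the one being consulted, and a 200 for a non-ACTUATOR user means the EndpointRequest rule is shadowed by a broader one.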

Supabase Security Spring Boot Starter

If you are using the Supabase Security Spring Boot Starter it is even easier!

supabase:
  basicAuth:
    enabled: true
    username: prometheus
    password: "{bcrypt}$2a$10$AqgP120RLJ48mvTv.diNHeVlQA/WdsrgEr0aLe5P1ffYPy1FQAecy"
    roles:
      - "ACTUATOR"
  roles:
    admin:
      get:
        - "/actuator/**"

You can generate the bcrypt hash for the password with the Spring Boot CLI (spring encodepassword); the password is hashed, not encrypted, so the plaintext never needs to be stored on the server side.

Prometheus

Then configure your prometheus.yaml with the Basic Auth credentials. Note that basic_auth is a setting of the scrape job, not of a static_configs entry, and that Prometheus also accepts password_file in place of password so the plaintext does not have to sit in the config file itself:

scrape_configs:
  - job_name: 'Spring Boot Application input'
    metrics_path: '/actuator/prometheus'
    scrape_interval: 2s
    basic_auth:
      username: "prometheus"
      password: "plain-text-password"
    static_configs:
      - targets: ['localhost:8080']
        labels:
          application: 'My Spring Boot Application'