Spring Boot 2.0 actuator change analysis

This post is a change analysis between Spring Boot 2.0 and 1.5.

Endpoints availability

New endpoints

Several new endpoints have been added to the actuator in Spring Boot 2.0:

ENDPOINT DESCRIPTION NOTES

httptrace

Displays info from the last HTTP requests

scheduledtasks

Displays the scheduled tasks in your application

sessions

Allows display and deletion of Spring Session related data

prometheus

Provides a Prometheus-compatible endpoint

Requires Spring MVC

Changes
The dump endpoint has been renamed to threaddump to disambiguate with the heapdump endpoint.

Endpoint configuration

Endpoint-related properties have been moved from the top-levelendpoint property to management.endpoint, i.e.:

Spring Boot 1.5
Spring Boot 2.0

Cache management

Spring Boot 1.5
Only the health endpoint caches responses.
Spring Boot 2.0
All parameter-less read operations have such a cache.

Cache TTL can be configured, but it will be the same across all endpoints.

JMX access

Spring Boot 1.5
Endpoints are accessible over HTTP by default. In order to send metrics from the metrics endpoints to JMX, an additional exporter bean needs to be registered.
Spring Boot 2.0
JMX MBean wrappers are registered around (nearly) all endpoints. Every bean offers one single simple operation that displays the same data as if sending a GET request to the HTTP endpoint of the same. For example, the org.springframework.boot.Endpoint.Info MBean provides the info() operation, as shown below:

By default, JMX MBeans are not secured

Security

Spring Boot 1.5
Endpoints may be flagged as sensitive. In order to access such endpoints, one has to autenticate with username/password credentials. The sensivity of each endpoint can be overriden inapplication.properties.
Spring Boot 2.0
Endpoints are secured using Spring Security if present: fine-grained configuration can be achieved using code.

Overall security can be disabled using the application.propertiesconfiguration file.

Health indicators security

Spring Boot 1.5
Only the overal health status (i.e. { status: UP }) is exposed when not authenticated. If details are must be displayed regardless of authentication status, the endpoint must be configured accordingly:

Spring Boot 2.0
There are 3 levels, details being shown:

  1. Always
  2. Only when authorized
  3. Never

Custom endpoints

Spring Boot 1.5
Creating a custom endpoint is a two-step process:

  1. Create a class that implements the Endpoint interface
  2. Register an instance of this class in the Spring contect, e.g.through a @Bean-annotated method

    Methods from such endpoints need to be annotated with Spring MVC’s @RequestMapping in order to be exposed over HTTP.

Spring Boot 2.0
The class doesn’t need to extend from a specific superclass. However, the class needs to be annotated with @Endpoint.

The framework takes care of providing the implementation.

Moreover, to replace Spring MVC annotations, Spring Boot offers@ReadOperation, @WriteOperation, and @DeleteOperation annotations.

Endpoints are accessible via HTTP and JMX. It’s possible to restrict accessibility to either the former or the later, by annotation the class with @WebEndpoint or @JmxEndpoint.

Additional health indicators

Spring Boot adds health indicators around the following dependencies:

  • Influx DB
  • Kafka
  • Neo4J

Conclusion

Spring Boot 2 changes how the actuator behaves in many non-trivial ways. Should one relies on Spring Boot’s actuator, one should take time to evaluate the effort to migrate.


发表评论

电子邮件地址不会被公开。 必填项已用*标注