Master Spring Boot Actuator: Quick Start, Key Endpoints, and Security

This tutorial walks through what Spring Boot Actuator is, how to quickly create a demo project, configure endpoint exposure, explore essential endpoints such as health, metrics, loggers, and shutdown, and secure them with Spring Security, providing code snippets and configuration examples.

ITFLY8 Architecture Home

Introduction

After a micro‑service architecture migration, the author needed to monitor all Spring Boot services and turned to Spring Boot Actuator for production‑grade health checks, metrics, and management.

What is Spring Boot Actuator

Actuator exposes internal application information via HTTP and JMX, integrates with external monitoring systems (Prometheus, Grafana, DataDog, etc.) through Micrometer, and provides endpoints for health, metrics, logs, and more.

Quick Start – Create a Demo

Create a project using Spring Boot CLI:

spring init -d=web,actuator -n=actuator-demo actuator-demo

Or via Spring Initializr.

Add the Actuator starter dependency:

<dependencies>
    ...
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    ...
</dependencies>

Gradle equivalent:

dependencies {
    implementation("org.springframework.boot:spring-boot-starter-actuator")
}

Endpoints Overview

Actuator provides native endpoints that fall into three categories:

Application configuration – environment, auto‑configuration report, etc.

Metrics – JVM memory, CPU, thread pools, HTTP stats, etc.

Operational control – shutdown, restart, etc.

Endpoint Exposure Configuration

Configure which endpoints are exposed via HTTP or JMX. In the example properties below, include=* exposes every enabled endpoint over HTTP except those listed in exclude:

management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=beans,trace
management.endpoints.web.base-path=/monitor

After restarting, endpoints are available under /monitor/*. The endpoint examples below use the default base path, /actuator.

Important Endpoints

/health

Shows application health. Control detail level with management.endpoint.health.show-details (values: never, when-authorized, always).

management.endpoint.health.show-details=always

When enabled, /actuator/health returns JSON with status and component health indicators (e.g., diskSpace).

/metrics

Lists available metric names. Retrieve a specific metric with /actuator/metrics/{name}, optionally with tags.

GET /actuator/metrics/jvm.memory.max
GET /actuator/metrics/jvm.memory.max?tag=id:Metaspace

/loggers

Shows all logger configurations and allows changing a logger’s level at runtime via a POST request with a body such as:

{"configuredLevel":"DEBUG"}

/info

Exposes arbitrary application information configured in application.properties.

info.app.name=actuator-test-demo
info.app.encoding=UTF-8
info.app.java.source=1.8
info.app.java.target=1.8

/beans

Returns metadata about all beans in the Spring context.

/heapdump

Generates a JVM heap dump that can be opened with VisualVM.

/threaddump

Provides a snapshot of all threads, their states, and stack traces.

/shutdown

Gracefully shuts down the application (requires management.endpoint.shutdown.enabled=true and a POST request).

management.endpoint.shutdown.enabled=true

Custom Health Indicator Example

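import org.springframework.boot.actuate.health.AbstractHealthIndicator;
import org.springframework.boot.actuate.health.Health;
import org.springframework.stereotype.Component;

// Picked up as a bean and reported alongside the built-in indicators in /actuator/health.
@Component
public class CustomHealthIndicator extends AbstractHealthIndicator {
    @Override
    protected void doHealthCheck(Health.Builder builder) throws Exception {
        // Report UP and attach details; they are visible only when show-details allows it.
        builder.up()
               .withDetail("app", "这个项目很健康")
               .withDetail("error", "Nothing, I'm very good");
    }
}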

Integrating Spring Security

Add the security starter dependency:

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Define a security configuration to protect Actuator endpoints:

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Rules are evaluated in order; the first matching rule decides.
        http.authorizeRequests()
            // Every Actuator endpoint, whatever base path is configured, needs ACTUATOR_ADMIN.
            .requestMatchers(EndpointRequest.toAnyEndpoint())
                .hasRole("ACTUATOR_ADMIN")
            // Static resources (css, js, images, ...) stay public.
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations())
                .permitAll()
            .antMatchers("/")
                .permitAll()
            // Everything else requires an authenticated user.
            .antMatchers("/**")
                .authenticated()
            .and()
            // CSRF protection stays on by default, so POST endpoints such as
            // /shutdown and /loggers also need a CSRF token.
            .httpBasic();
    }
}

Configure a default user with the required role:

spring.security.user.name=actuator
spring.security.user.password=actuator
spring.security.user.roles=ACTUATOR_ADMIN
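
The exposure, shutdown, health-detail and default-user settings used in this tutorial can be checked before a deployment. The Python script below is an added example, not part of the original article or of Spring Boot; its finding names and its list of sensitive endpoint IDs are assumptions of the example, and it reads only simple key=value properties.

```python
# Audit application.properties for risky Actuator settings (finding names are this example's own).
SENSITIVE = {"env", "heapdump", "threaddump", "beans", "loggers", "shutdown"}

# Constructed sample: the tutorial's settings combined into one file.
WEAK = """\
management.endpoints.web.exposure.include=*
management.endpoints.web.exposure.exclude=beans,trace
management.endpoint.health.show-details=always
management.endpoint.shutdown.enabled=true
spring.security.user.name=actuator
spring.security.user.password=actuator
"""

# Constructed sample: a narrower configuration for comparison.
HARDENED = """\
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=when-authorized
"""

def parse_properties(text):
    """Parse simple key=value lines; blank lines and #/! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def ids(props, key):  # comma-separated endpoint list -> set of IDs
    return {v.strip() for v in props.get(key, "").split(",") if v.strip()}

def audit(text):
    """Return the sorted findings for one properties file."""
    p = parse_properties(text)
    include = ids(p, "management.endpoints.web.exposure.include")
    exclude = ids(p, "management.endpoints.web.exposure.exclude")
    exposed = set(SENSITIVE) if "*" in include else include & SENSITIVE
    exposed = set() if "*" in exclude else exposed - exclude
    # shutdown is reachable only when it is both enabled and exposed
    if p.get("management.endpoint.shutdown.enabled", "false").lower() != "true":
        exposed.discard("shutdown")
    findings = ["exposed:" + e for e in exposed]
    if "*" in include:
        findings.append("wildcard-exposure")
    if p.get("management.endpoint.health.show-details") == "always":
        findings.append("health-details-always")
    user, pw = p.get("spring.security.user.name"), p.get("spring.security.user.password")
    if pw is not None and pw == user:
        findings.append("password-equals-username")
    return sorted(findings)
```

Calling audit(WEAK) lists each sensitive endpoint left reachable by include=* after the exclude list is applied, while audit(HARDENED) returns an empty list.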

Conclusion

Spring Boot Actuator offers a powerful set of tools for monitoring, managing, and securing Spring Boot applications, and with a few configuration steps you can expose useful endpoints, customize health checks, adjust logging on the fly, and protect everything with Spring Security.
