1222 lines
39 KiB
Plaintext
1222 lines
39 KiB
Plaintext
[[production-ready]]
|
|
= Spring Boot Actuator: Production-ready features
|
|
|
|
[partintro]
|
|
--
|
|
Spring Boot includes a number of additional features to help you monitor and manage your
|
|
application when it's pushed to production. You can choose to manage and monitor your
|
|
application using HTTP endpoints or with JMX. Auditing, health and metrics gathering can
|
|
be automatically applied to your application.
|
|
|
|
Actuator HTTP endpoints are only available with a Spring MVC-based application. In
|
|
particular, it will not work with Jersey <<howto.adoc#howto-use-actuator-with-jersey,
|
|
unless you enable Spring MVC as well.>>
|
|
--
|
|
|
|
|
|
|
|
[[production-ready-enabling]]
|
|
== Enabling production-ready features
|
|
The {github-code}/spring-boot-project/spring-boot-actuator[`spring-boot-actuator`] module provides all of
|
|
Spring Boot's production-ready features. The simplest way to enable the features is to add
|
|
a dependency to the `spring-boot-starter-actuator` '`Starter`'.
|
|
|
|
.Definition of Actuator
|
|
****
|
|
An actuator is a manufacturing term, referring to a mechanical device for moving or
|
|
controlling something. Actuators can generate a large amount of motion from a small
|
|
change.
|
|
****
|
|
|
|
To add the actuator to a Maven based project, add the following '`Starter`'
|
|
dependency:
|
|
|
|
[source,xml,indent=0]
|
|
----
|
|
<dependencies>
|
|
<dependency>
|
|
<groupId>org.springframework.boot</groupId>
|
|
<artifactId>spring-boot-starter-actuator</artifactId>
|
|
</dependency>
|
|
</dependencies>
|
|
----
|
|
|
|
For Gradle, use the declaration:
|
|
|
|
[source,groovy,indent=0]
|
|
----
|
|
dependencies {
|
|
compile("org.springframework.boot:spring-boot-starter-actuator")
|
|
}
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-endpoints]]
|
|
== Endpoints
|
|
Actuator endpoints allow you to monitor and interact with your application. Spring Boot
|
|
includes a number of built-in endpoints and you can also add your own. For example the
|
|
`health` endpoint provides basic application health information.
|
|
|
|
The way that endpoints are exposed will depend on the type of technology that you choose.
|
|
Most applications choose HTTP monitoring, where the ID of the endpoint along with a prefix of
|
|
`/application` is mapped to a URL. For example, by default, the `health` endpoint will be mapped
|
|
to `/application/health`.
|
|
|
|
The following technology agnostic endpoints are available:
|
|
|
|
[cols="2,5"]
|
|
|===
|
|
| ID | Description
|
|
|
|
|`auditevents`
|
|
|Exposes audit events information for the current application.
|
|
|
|
|`autoconfig`
|
|
|Displays an auto-configuration report showing all auto-configuration candidates and the
|
|
reason why they '`were`' or '`were not`' applied.
|
|
|
|
|`beans`
|
|
|Displays a complete list of all the Spring beans in your application.
|
|
|
|
|`configprops`
|
|
|Displays a collated list of all `@ConfigurationProperties`.
|
|
|
|
|`env`
|
|
|Exposes properties from Spring's `ConfigurableEnvironment`.
|
|
|
|
|`flyway`
|
|
|Shows any Flyway database migrations that have been applied.
|
|
|
|
|`health`
|
|
|Shows application health information.
|
|
|
|
|`info`
|
|
|Displays arbitrary application info.
|
|
|
|
|`loggers`
|
|
|Shows and modifies the configuration of loggers in the application.
|
|
|
|
|`liquibase`
|
|
|Shows any Liquibase database migrations that have been applied.
|
|
|
|
|`metrics`
|
|
|Shows '`metrics`' information for the current application.
|
|
|
|
|`mappings`
|
|
|Displays a collated list of all `@RequestMapping` paths.
|
|
|
|
|`sessions`
|
|
|Allows retrieval and deletion of user's sessions from Spring Session backed session
|
|
store.
|
|
|
|
|`shutdown`
|
|
|Allows the application to be gracefully shutdown (not enabled by default).
|
|
|
|
|`status`
|
|
|Show application status information (i.e. `health` status with no additional details).
|
|
|
|
|`threaddump`
|
|
|Performs a thread dump.
|
|
|
|
|`trace`
|
|
|Displays trace information (by default the last 100 HTTP requests).
|
|
|===
|
|
|
|
If your application is a web application (Spring MVC, Spring WebFlux, or Jersey), the
|
|
following additional endpoints can also be used:
|
|
|
|
[cols="2,5"]
|
|
|===
|
|
| ID | Description
|
|
|
|
|`heapdump`
|
|
|Returns a GZip compressed `hprof` heap dump file.
|
|
|
|
|`logfile`
|
|
|Returns the contents of the logfile (if `logging.file` or `logging.path` properties have
|
|
been set). Supports the use of the HTTP `Range` header to retrieve part of the log file's
|
|
content.
|
|
|
|
|`prometheus`
|
|
|Exposes metrics in a format that can be scraped by a Prometheus server.
|
|
|
|
|===
|
|
|
|
[[production-ready-endpoints-security]]
|
|
=== Securing endpoints
|
|
By default all HTTP endpoints are secured such that only users that have an `ACTUATOR`
|
|
role may access them. Security is enforced using the standard
|
|
`HttpServletRequest.isUserInRole` method.
|
|
|
|
TIP: Use the `management.security.roles` property if you want something different to
|
|
`ACTUATOR`.
|
|
|
|
If you are deploying applications behind a firewall, you may prefer that all your actuator
|
|
endpoints can be accessed without requiring authentication. You can do this by changing
|
|
the `management.security.enabled` property:
|
|
|
|
.application.properties
|
|
[source,properties,indent=0]
|
|
----
|
|
management.security.enabled=false
|
|
----
|
|
|
|
NOTE: By default, actuator endpoints are exposed on the same port that serves regular
|
|
HTTP traffic. Take care not to accidentally expose sensitive information if you change
|
|
the `management.security.enabled` property.
|
|
|
|
If you're deploying applications publicly, you may want to add '`Spring Security`' to
|
|
handle user authentication. When '`Spring Security`' is added, by default '`basic`'
|
|
authentication will be used with the username `user` and a generated password (which is
|
|
printed on the console when the application starts).
|
|
|
|
TIP: Generated passwords are logged as the application starts. Search for '`Using default
|
|
security password`'.
|
|
|
|
You can use Spring properties to change the username and password and to change the
|
|
security role(s) required to access the endpoints. For example, you might set the following
|
|
in your `application.properties`:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
security.user.name=admin
|
|
security.user.password=secret
|
|
management.security.roles=SUPERUSER
|
|
----
|
|
|
|
If your application has custom security configuration and you want all your actuator
|
|
endpoints to be accessible without authentication, you need to explicitly configure that
|
|
in your security configuration. Along with that, you need to change the
|
|
`management.security.enabled` property to `false`.
|
|
|
|
If your custom security configuration secures your actuator endpoints, you also need to
|
|
ensure that the authenticated user has the roles specified under
|
|
`management.security.roles`.
|
|
|
|
TIP: If you don't have a use case for exposing basic health information to unauthenticated
|
|
users, and you have secured the actuator endpoints with custom security, you can set
|
|
`management.security.enabled` to `false`. This will inform Spring Boot to skip the
|
|
additional role check.
|
|
|
|
|
|
|
|
[[production-ready-customizing-endpoints]]
|
|
=== Customizing endpoints
|
|
Endpoints can be customized using Spring properties. You can change if an endpoint is
|
|
`enabled` and its `id`.
|
|
|
|
For example, here is an `application.properties` that changes the id of the `beans`
|
|
endpoint and also enables `shutdown`.
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
endpoints.beans.id=springbeans
|
|
endpoints.shutdown.enabled=true
|
|
----
|
|
|
|
NOTE: The prefix ‟`endpoints` + `.` + `name`” is used to uniquely identify the endpoint
|
|
that is being configured.
|
|
|
|
By default, all endpoints except for `shutdown` are enabled. If you prefer to
|
|
specifically "`opt-in`" endpoint enablement you can use the `endpoints.default.enabled`
|
|
property. For example, the following will disable _all_ endpoints except for `info`:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
endpoints.default.enabled=false
|
|
endpoints.info.enabled=true
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-endpoint-hypermedia]]
|
|
=== Hypermedia for actuator web endpoints
|
|
A "`discovery page`" is added with links to all the endpoints. The "`discovery page`" is
|
|
available on `/application` by default.
|
|
|
|
When a custom management context path is configured, the "`discovery page`" will
|
|
automatically move from `/application` to the root of the management context. For example,
|
|
if the management context path is `/management` then the discovery page will be available
|
|
from `/management`. When the management context path is set to `/` the discovery page
|
|
is disabled to prevent the possibility of a clash with other mappings.
|
|
|
|
|
|
|
|
[[production-ready-endpoint-cors]]
|
|
=== CORS support
|
|
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Cross-origin resource sharing]
|
|
(CORS) is a http://www.w3.org/TR/cors/[W3C specification] that allows you to specify in a
|
|
flexible way what kind of cross domain requests are authorized. If you are using Spring
|
|
MVC or Spring WebFlux, Actuator's web endpoints can be configured to support such
|
|
scenarios.
|
|
|
|
CORS support is disabled by default and is only enabled once the
|
|
`management.endpoints.cors.allowed-origins` property has been set. The configuration below
|
|
permits `GET` and `POST` calls from the `example.com` domain:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.endpoints.cors.allowed-origins=http://example.com
|
|
management.endpoints.cors.allowed-methods=GET,POST
|
|
----
|
|
|
|
TIP: Check {sc-spring-boot-actuator-autoconfigure}/endpoint/web/servlet/CorsEndpointProperties.{sc-ext}[CorsEndpointProperties]
|
|
for a complete list of options.
|
|
|
|
|
|
|
|
[[production-ready-customizing-endpoints-programmatically]]
|
|
=== Adding custom endpoints
|
|
If you add a `@Bean` annotated with `@Endpoint`, any methods annotated with
|
|
`@ReadOperation` or `@WriteOperation` will automatically be exposed over JMX and, in a web
|
|
application, over HTTP as well.
|
|
|
|
TIP: If you are doing this as a library feature consider adding a configuration class
|
|
annotated with `@ManagementContextConfiguration` to `/META-INF/spring.factories` under the
|
|
key `org.springframework.boot.actuate.autoconfigure.ManagementContextConfiguration`. If
|
|
you do that then the endpoint will move to a child context with all the other web
|
|
endpoints endpoints if your users ask for a separate management port or address.
|
|
|
|
|
|
|
|
[[production-ready-health]]
|
|
=== Health information
|
|
Health information can be used to check the status of your running application. It is
|
|
often used by monitoring software to alert someone if a production system goes down.
|
|
The default information exposed by the `health` endpoint depends on how it is accessed.
|
|
For an unauthenticated connection in a secure application a simple '`status`' message is
|
|
returned, and for an authenticated connection additional details are also displayed (see
|
|
<<production-ready-health-access-restrictions>> for HTTP details).
|
|
|
|
Health information is collected from all
|
|
{sc-spring-boot-actuator}/health/HealthIndicator.{sc-ext}[`HealthIndicator`] beans defined
|
|
in your `ApplicationContext`. Spring Boot includes a number of auto-configured
|
|
`HealthIndicators` and you can also write your own. By default, the final system state is
|
|
derived by the `HealthAggregator` which sorts the statuses from each `HealthIndicator`
|
|
based on an ordered list of statuses. The first status in the sorted list is used as the
|
|
overall health status. If no `HealthIndicator` returns a status that is known to the
|
|
`HealthAggregator`, an `UNKNOWN` status is used.
|
|
|
|
|
|
|
|
==== Auto-configured HealthIndicators
|
|
The following `HealthIndicators` are auto-configured by Spring Boot when appropriate:
|
|
|
|
[cols="1,4"]
|
|
|===
|
|
|Name |Description
|
|
|
|
|{sc-spring-boot-actuator}/cassandra/CassandraHealthIndicator.{sc-ext}[`CassandraHealthIndicator`]
|
|
|Checks that a Cassandra database is up.
|
|
|
|
|{sc-spring-boot-actuator}/system/DiskSpaceHealthIndicator.{sc-ext}[`DiskSpaceHealthIndicator`]
|
|
|Checks for low disk space.
|
|
|
|
|{sc-spring-boot-actuator}/jdbc/DataSourceHealthIndicator.{sc-ext}[`DataSourceHealthIndicator`]
|
|
|Checks that a connection to `DataSource` can be obtained.
|
|
|
|
|{sc-spring-boot-actuator}/elasticsearch/ElasticsearchHealthIndicator.{sc-ext}[`ElasticsearchHealthIndicator`]
|
|
|Checks that an Elasticsearch cluster is up.
|
|
|
|
|{sc-spring-boot-actuator}/jms/JmsHealthIndicator.{sc-ext}[`JmsHealthIndicator`]
|
|
|Checks that a JMS broker is up.
|
|
|
|
|{sc-spring-boot-actuator}/mail/MailHealthIndicator.{sc-ext}[`MailHealthIndicator`]
|
|
|Checks that a mail server is up.
|
|
|
|
|{sc-spring-boot-actuator}/mongo/MongoHealthIndicator.{sc-ext}[`MongoHealthIndicator`]
|
|
|Checks that a Mongo database is up.
|
|
|
|
|{sc-spring-boot-actuator}/amqp/RabbitHealthIndicator.{sc-ext}[`RabbitHealthIndicator`]
|
|
|Checks that a Rabbit server is up.
|
|
|
|
|{sc-spring-boot-actuator}/redis/RedisHealthIndicator.{sc-ext}[`RedisHealthIndicator`]
|
|
|Checks that a Redis server is up.
|
|
|
|
|{sc-spring-boot-actuator}/solr/SolrHealthIndicator.{sc-ext}[`SolrHealthIndicator`]
|
|
|Checks that a Solr server is up.
|
|
|===
|
|
|
|
TIP: It is possible to disable them all using the `management.health.defaults.enabled`
|
|
property.
|
|
|
|
|
|
==== Writing custom HealthIndicators
|
|
To provide custom health information you can register Spring beans that implement the
|
|
{sc-spring-boot-actuator}/health/HealthIndicator.{sc-ext}[`HealthIndicator`] interface.
|
|
You need to provide an implementation of the `health()` method and return a `Health`
|
|
response. The `Health` response should include a status and can optionally include
|
|
additional details to be displayed.
|
|
|
|
[source,java,indent=0]
|
|
----
|
|
import org.springframework.boot.actuate.health.Health;
|
|
import org.springframework.boot.actuate.health.HealthIndicator;
|
|
import org.springframework.stereotype.Component;
|
|
|
|
@Component
|
|
public class MyHealthIndicator implements HealthIndicator {
|
|
|
|
@Override
|
|
public Health health() {
|
|
int errorCode = check(); // perform some specific health check
|
|
if (errorCode != 0) {
|
|
return Health.down().withDetail("Error Code", errorCode).build();
|
|
}
|
|
return Health.up().build();
|
|
}
|
|
|
|
}
|
|
----
|
|
|
|
NOTE: The identifier for a given `HealthIndicator` is the name of the bean without the
|
|
`HealthIndicator` suffix if it exists. In the example above, the health information will
|
|
be available in an entry named `my`.
|
|
|
|
In addition to Spring Boot's predefined {sc-spring-boot-actuator}/health/Status.{sc-ext}[`Status`]
|
|
types, it is also possible for `Health` to return a custom `Status` that represents a
|
|
new system state. In such cases a custom implementation of the
|
|
{sc-spring-boot-actuator}/health/HealthAggregator.{sc-ext}[`HealthAggregator`]
|
|
interface also needs to be provided, or the default implementation has to be configured
|
|
using the `management.health.status.order` configuration property.
|
|
|
|
For example, assuming a new `Status` with code `FATAL` is being used in one of your
|
|
`HealthIndicator` implementations. To configure the severity order add the following
|
|
to your application properties:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.health.status.order=FATAL, DOWN, OUT_OF_SERVICE, UNKNOWN, UP
|
|
----
|
|
|
|
The HTTP status code in the response reflects the overall health status (e.g. `UP`
|
|
maps to 200, `OUT_OF_SERVICE` or `DOWN` to 503). You might also want to register custom
|
|
status mappings if you access the health endpoint over HTTP. For example, the following
|
|
maps `FATAL` to 503 (service unavailable).
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.health.status.http-mapping.FATAL=503
|
|
----
|
|
|
|
TIP: If you need more control you can define your own `HealthStatusHttpMapper` bean.
|
|
|
|
The default status mappings for the built-in statuses are:
|
|
|
|
[cols="1,3"]
|
|
|===
|
|
|Status |Mapping
|
|
|
|
|DOWN
|
|
|SERVICE_UNAVAILABLE (503)
|
|
|
|
|OUT_OF_SERVICE
|
|
|SERVICE_UNAVAILABLE (503)
|
|
|
|
|UP
|
|
|No mapping by default, so http status is 200
|
|
|
|
|UNKNOWN
|
|
|No mapping by default, so http status is 200
|
|
|===
|
|
|
|
|
|
|
|
[[production-ready-application-info]]
|
|
=== Application information
|
|
Application information exposes various information collected from all
|
|
{sc-spring-boot-actuator}/info/InfoContributor.{sc-ext}[`InfoContributor`] beans defined
|
|
in your `ApplicationContext`. Spring Boot includes a number of auto-configured
|
|
`InfoContributors` and you can also write your own.
|
|
|
|
[[production-ready-application-info-autoconfigure]]
|
|
==== Auto-configured InfoContributors
|
|
|
|
The following `InfoContributors` are auto-configured by Spring Boot when appropriate:
|
|
|
|
[cols="1,4"]
|
|
|===
|
|
|Name |Description
|
|
|
|
|{sc-spring-boot-actuator}/info/EnvironmentInfoContributor.{sc-ext}[`EnvironmentInfoContributor`]
|
|
|Expose any key from the `Environment` under the `info` key.
|
|
|
|
|{sc-spring-boot-actuator}/info/GitInfoContributor.{sc-ext}[`GitInfoContributor`]
|
|
|Expose git information if a `git.properties` file is available.
|
|
|
|
|{sc-spring-boot-actuator}/info/BuildInfoContributor.{sc-ext}[`BuildInfoContributor`]
|
|
|Expose build information if a `META-INF/build-info.properties` file is available.
|
|
|===
|
|
|
|
TIP: It is possible to disable them all using the `management.info.defaults.enabled`
|
|
property.
|
|
|
|
[[production-ready-application-info-env]]
|
|
==== Custom application info information
|
|
You can customize the data exposed by the `info` endpoint by setting `+info.*+` Spring
|
|
properties. All `Environment` properties under the info key will be automatically
|
|
exposed. For example, you could add the following to your `application.properties`:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
info.app.encoding=UTF-8
|
|
info.app.java.source=1.8
|
|
info.app.java.target=1.8
|
|
----
|
|
|
|
[TIP]
|
|
====
|
|
Rather than hardcoding those values you could also
|
|
<<howto.adoc#howto-automatic-expansion,expand info properties at build time>>.
|
|
|
|
Assuming you are using Maven, you could rewrite the example above as follows:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
info.app.encoding=@project.build.sourceEncoding@
|
|
info.app.java.source=@java.version@
|
|
info.app.java.target=@java.version@
|
|
----
|
|
====
|
|
|
|
|
|
|
|
[[production-ready-application-info-git]]
|
|
==== Git commit information
|
|
Another useful feature of the `info` endpoint is its ability to publish information
|
|
about the state of your `git` source code repository when the project was built. If a
|
|
`GitProperties` bean is available, the `git.branch`, `git.commit.id` and
|
|
`git.commit.time` properties will be exposed.
|
|
|
|
TIP: A `GitProperties` bean is auto-configured if a `git.properties` file is available
|
|
at the root of the classpath. See
|
|
<<howto.adoc#howto-git-info,Generate git information>> for more details.
|
|
|
|
If you want to display the full git information (i.e. the full content of
|
|
`git.properties`), use the `management.info.git.mode` property:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.info.git.mode=full
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-application-info-build]]
|
|
==== Build information
|
|
The `info` endpoint can also publish information about your build if a `BuildProperties`
|
|
bean is available. This happens if a `META-INF/build-info.properties` file is available
|
|
in the classpath.
|
|
|
|
TIP: The Maven and Gradle plugins can both generate that file, see
|
|
<<howto.adoc#howto-build-info,Generate build information>> for more details.
|
|
|
|
|
|
[[production-ready-application-info-custom]]
|
|
==== Writing custom InfoContributors
|
|
To provide custom application information you can register Spring beans that implement
|
|
the {sc-spring-boot-actuator}/info/InfoContributor.{sc-ext}[`InfoContributor`] interface.
|
|
|
|
The example below contributes an `example` entry with a single value:
|
|
|
|
[source,java,indent=0]
|
|
----
|
|
import java.util.Collections;
|
|
|
|
import org.springframework.boot.actuate.info.Info;
|
|
import org.springframework.boot.actuate.info.InfoContributor;
|
|
import org.springframework.stereotype.Component;
|
|
|
|
@Component
|
|
public class ExampleInfoContributor implements InfoContributor {
|
|
|
|
@Override
|
|
public void contribute(Info.Builder builder) {
|
|
builder.withDetail("example",
|
|
Collections.singletonMap("key", "value"));
|
|
}
|
|
|
|
}
|
|
----
|
|
|
|
If you hit the `info` endpoint you should see a response that contains the following
|
|
additional entry:
|
|
|
|
[source,json,indent=0]
|
|
----
|
|
{
|
|
"example": {
|
|
"key" : "value"
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-monitoring]]
|
|
== Monitoring and management over HTTP
|
|
If you are developing a Spring MVC application, Spring Boot Actuator will auto-configure
|
|
all enabled endpoints to be exposed over HTTP. The default convention is to use the
|
|
`id` of the endpoint with a prefix of `/application` as the URL path. For example, `health`
|
|
is exposed as `/application/health`.
|
|
|
|
|
|
|
|
[[production-ready-customizing-management-server-context-path]]
|
|
=== Customizing the management endpoint paths
|
|
Sometimes it is useful to customize the prefix for the management endpoints.
|
|
For example, your application might already use `/application` for another purpose.
|
|
You can use the `management.endpoints.web.base-path` property to change the prefix for your
|
|
management endpoint:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.endpoints.web.base-path=/manage
|
|
----
|
|
|
|
The `application.properties` example above will change the endpoint from `/application/{id}` to
|
|
`/manage/{id}` (e.g. `/manage/info`).
|
|
|
|
NOTE: Unless the management port has been configured to
|
|
<<production-ready-customizing-management-server-port,expose endpoints using a different
|
|
HTTP port>>, `management.endpoints.web.base-path` is relative to `server.context-path`. If `management.server.port`
|
|
is configured, `management.endpoints.web.base-path`, is relative to `management.server.servlet.context-path`.
|
|
|
|
|
|
|
|
[[production-ready-customizing-management-server-port]]
|
|
=== Customizing the management server port
|
|
Exposing management endpoints using the default HTTP port is a sensible choice for cloud
|
|
based deployments. If, however, your application runs inside your own data center you
|
|
may prefer to expose endpoints using a different HTTP port.
|
|
|
|
The `management.server.port` property can be used to change the HTTP port.
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.server.port=8081
|
|
----
|
|
|
|
Since your management port is often protected by a firewall, and not exposed to the public
|
|
you might not need security on the management endpoints, even if your main application is
|
|
secure. In that case you will have Spring Security on the classpath, and you can disable
|
|
management security like this:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.security.enabled=false
|
|
----
|
|
|
|
(If you don't have Spring Security on the classpath then there is no need to explicitly
|
|
disable the management security in this way, and it might even break the application.)
|
|
|
|
|
|
|
|
[[production-ready-management-specific-ssl]]
|
|
=== Configuring management-specific SSL
|
|
When configured to use a custom port, the management server can also be configured with
|
|
its own SSL using the various `management.server.ssl.*` properties. For example, this allows a
|
|
management server to be available via HTTP while the main application uses HTTPS:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
server.port=8443
|
|
server.ssl.enabled=true
|
|
server.ssl.key-store=classpath:store.jks
|
|
server.ssl.key-password=secret
|
|
management.server.port=8080
|
|
management.server.ssl.enabled=false
|
|
----
|
|
|
|
Alternatively, both the main server and the management server can use SSL but with
|
|
different key stores:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
server.port=8443
|
|
server.ssl.enabled=true
|
|
server.ssl.key-store=classpath:main.jks
|
|
server.ssl.key-password=secret
|
|
management.server.port=8080
|
|
management.server.ssl.enabled=true
|
|
management.server.ssl.key-store=classpath:management.jks
|
|
management.server.ssl.key-password=secret
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-customizing-management-server-address]]
|
|
=== Customizing the management server address
|
|
You can customize the address that the management endpoints are available on by
|
|
setting the `management.server.address` property. This can be useful if you want to
|
|
listen only on an internal or ops-facing network, or to only listen for connections from
|
|
`localhost`.
|
|
|
|
NOTE: You can only listen on a different address if the port is different to the
|
|
main server port.
|
|
|
|
Here is an example `application.properties` that will not allow remote management
|
|
connections:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.server.port=8081
|
|
management.server.address=127.0.0.1
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-disabling-http-endpoints]]
|
|
=== Disabling HTTP endpoints
|
|
If you don't want to expose endpoints over HTTP you can set the management port to `-1`:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.server.port=-1
|
|
----
|
|
|
|
|
|
[[production-ready-health-access-restrictions]]
|
|
=== HTTP health endpoint format and access restrictions
|
|
The information exposed by the health endpoint varies depending on whether or not it's
|
|
accessed anonymously, and whether or not the enclosing application is secure.
|
|
By default, when accessed anonymously in a secure application, any details about the
|
|
server's health are hidden and the endpoint will simply indicate whether or not the server
|
|
is up or down.
|
|
|
|
Sample summarized HTTP response (default for anonymous request):
|
|
|
|
[source,indent=0]
|
|
----
|
|
$ curl -i localhost:8080/health
|
|
HTTP/1.1 200
|
|
X-Application-Context: application
|
|
Content-Type: application/vnd.spring-boot.actuator.v2+json;charset=UTF-8
|
|
Content-Length: 15
|
|
|
|
{"status":"UP"}
|
|
----
|
|
|
|
Sample summarized HTTP response for status "DOWN" (notice the 503 status code):
|
|
|
|
[source,indent=0]
|
|
----
|
|
$ curl -i localhost:8080/health
|
|
HTTP/1.1 503
|
|
X-Application-Context: application
|
|
Content-Type: application/vnd.spring-boot.actuator.v2+json;charset=UTF-8
|
|
Content-Length: 17
|
|
|
|
{"status":"DOWN"}
|
|
----
|
|
|
|
Sample detailed HTTP response:
|
|
|
|
[source,indent=0]
|
|
----
|
|
$ curl -i localhost:8080/health
|
|
HTTP/1.1 200 OK
|
|
X-Application-Context: application
|
|
Content-Type: application/vnd.spring-boot.actuator.v2+json;charset=UTF-8
|
|
Content-Length: 221
|
|
|
|
{
|
|
"status" : "UP",
|
|
"diskSpace" : {
|
|
"status" : "UP",
|
|
"total" : 63251804160,
|
|
"free" : 31316164608,
|
|
"threshold" : 10485760
|
|
},
|
|
"db" : {
|
|
"status" : "UP",
|
|
"database" : "H2",
|
|
"hello" : 1
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-jmx]]
|
|
== Monitoring and management over JMX
|
|
Java Management Extensions (JMX) provide a standard mechanism to monitor and manage
|
|
applications. By default Spring Boot will expose management endpoints as JMX MBeans
|
|
under the `org.springframework.boot` domain.
|
|
|
|
|
|
|
|
[[production-ready-custom-mbean-names]]
|
|
=== Customizing MBean names
|
|
The name of the MBean is usually generated from the `id` of the endpoint. For example
|
|
the `health` endpoint is exposed as `org.springframework.boot:type=Endpoint,name=Health`.
|
|
|
|
If your application contains more than one Spring `ApplicationContext` you may find that
|
|
names clash. To solve this problem you can set the `management.endpoints.jmx.unique-names`
|
|
property to `true` so that MBean names are always unique.
|
|
|
|
You can also customize the JMX domain under which endpoints are exposed. Here is an
|
|
example `application.properties`:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.endpoints.jmx.domain=com.example.myapp
|
|
management.endpoints.jmx.unique-names=true
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-disable-jmx-endpoints]]
|
|
=== Disabling JMX endpoints
|
|
If you don't want to expose endpoints over JMX you can set the `endpoints.default.jmx.enabled`
|
|
property to `false`:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
endpoints.default.jmx.enabled=false
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-jolokia]]
|
|
=== Using Jolokia for JMX over HTTP
|
|
Jolokia is a JMX-HTTP bridge giving an alternative method of accessing JMX beans. To
|
|
use Jolokia, simply include a dependency to `org.jolokia:jolokia-core`. For example,
|
|
using Maven you would add the following:
|
|
|
|
[source,xml,indent=0]
|
|
----
|
|
<dependency>
|
|
<groupId>org.jolokia</groupId>
|
|
<artifactId>jolokia-core</artifactId>
|
|
</dependency>
|
|
----
|
|
|
|
Jolokia can then be accessed using `/application/jolokia` on your management HTTP server.
|
|
|
|
|
|
|
|
[[production-ready-customizing-jolokia]]
|
|
==== Customizing Jolokia
|
|
Jolokia has a number of settings that you would traditionally configure using servlet
|
|
parameters. With Spring Boot you can use your `application.properties`, simply prefix the
|
|
parameter with `management.jolokia.config.`:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.jolokia.config.debug=true
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-disabling-jolokia]]
|
|
==== Disabling Jolokia
|
|
If you are using Jolokia but you don't want Spring Boot to configure it, simply set the
|
|
`management.jolokia.enabled` property to `false`:
|
|
|
|
[source,properties,indent=0]
|
|
----
|
|
management.jolokia.enabled=false
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-loggers]]
|
|
== Loggers
|
|
Spring Boot Actuator includes the ability to view and configure the log levels of your
|
|
application at runtime. You can view either the entire list or an individual logger's
|
|
configuration which is made up of both the explicitly configured logging level as well as
|
|
the effective logging level given to it by the logging framework. These levels can be:
|
|
|
|
* `TRACE`
|
|
* `DEBUG`
|
|
* `INFO`
|
|
* `WARN`
|
|
* `ERROR`
|
|
* `FATAL`
|
|
* `OFF`
|
|
* `null`
|
|
|
|
with `null` indicating that there is no explicit configuration.
|
|
|
|
|
|
|
|
[[production-ready-logger-configuration]]
|
|
=== Configure a Logger
|
|
In order to configure a given logger, you `POST` a partial entity to the resource's URI:
|
|
|
|
[source,json,indent=0]
|
|
----
|
|
{
|
|
"configuredLevel": "DEBUG"
|
|
}
|
|
----
|
|
|
|
TIP: You can also pass a `null` `configuredLevel` to "reset" the specific level of the
|
|
logger (and use the default configuration instead).
|
|
|
|
|
|
|
|
[[production-ready-metrics]]
|
|
== Metrics
|
|
Spring Boot Actuator provides dependency management and auto-configuration for
|
|
https://micrometer.io[Micrometer], an application metrics facade that supports numerous
|
|
monitoring systems:
|
|
|
|
- https://github.com/Netflix/atlas[Atlas]
|
|
- https://www.datadoghq.com[Datadog]
|
|
- http://ganglia.sourceforge.net[Ganglia]
|
|
- https://graphiteapp.org[Graphite]
|
|
- https://www.influxdata.com[Influx]
|
|
- https://prometheus.io[Prometheus]
|
|
|
|
Micrometer provides a separate module for each supported monitoring system. Depending on
|
|
one (or more) of these modules is sufficient to get started with Micrometer in your
|
|
Spring Boot application. To learn more about Micrometer's capabilities, please refer to
|
|
its https://micrometer.io/docs[reference documentation].
|
|
|
|
|
|
|
|
[[production-ready-metrics-spring-mvc]]
|
|
=== Spring MVC metrics
|
|
Auto-configuration will enable the instrumentation of requests handled by Spring MVC.
|
|
When `spring.metrics.web.server.auto-time-requests` is `true`, this instrumentation will
|
|
occur for all requests. Alternatively, when set to `false`, instrumentation can be enabled
|
|
by adding `@Timed` to a request-handling method.
|
|
|
|
Metrics will, by default, be generated with the name `http.server.requests`. The name
|
|
can be customized using the `spring.metrics.web.server.requests-metrics-name` property.
|
|
|
|
|
|
|
|
[[production-ready-metrics-spring-mvc-tags]]
|
|
==== Spring MVC metric tags
|
|
Spring MVC-related metrics will, by default, be tagged with the following:
|
|
|
|
- Request's method,
|
|
- Request's URI (templated if possible)
|
|
- Simple class name of any exception that was thrown while handling the request
|
|
- Response's status
|
|
|
|
To customize the tags, provide a `@Bean` that implements `WebMvcTagsProvider`.
|
|
|
|
|
|
[[production-ready-metrics-web-flux]]
|
|
=== WebFlux metrics
|
|
Auto-configuration will enable the instrumentation of all requests handled by WebFlux
|
|
controllers. A helper class, `RouterFunctionMetrics`, is also provided that can be
|
|
used to instrument applications using WebFlux's functional programming model.
|
|
|
|
Metrics will, by default, be generated with the name `http.server.requests`. The name
|
|
can be customized using the `spring.metrics.web.server.requests-metrics-name` property.
|
|
|
|
|
|
|
|
[[production-ready-metrics-web-flux-tags]]
|
|
==== WebFlux metric tags
|
|
WebFlux-related metrics for the annotation-based programming model will, by default,
|
|
be tagged with the following:
|
|
|
|
- Request's method,
|
|
- Request's URI (templated if possible)
|
|
- Simple class name of any exception that was thrown while handling the request
|
|
- Response's status
|
|
|
|
To customize the tags, provide a `@Bean` that implements `WebFluxTagsProvider`.
|
|
|
|
Metrics for the functional programming model will, by default, be tagged with the
|
|
following:
|
|
|
|
- Request's method,
|
|
- Request's URI (templated if possible)
|
|
- Response's status
|
|
|
|
To customize the tags, use the `defaultTags` method on the `RouterFunctionMetrics`
|
|
instance that you are using.
|
|
|
|
|
|
|
|
[[production-ready-metrics-rest-template]]
|
|
=== RestTemplate metrics
|
|
Auto-configuration will customize the auto-configured `RestTemplate` to enable the
|
|
instrumentation of its requests. `MetricsRestTemplateCustomizer` can be used to
|
|
customize your own `RestTemplate` instances.
|
|
|
|
Metrics will, by default, be generated with the name `http.client.requests`. The name
|
|
can be customized using the `spring.metrics.web.client.requests-metrics-name` property.
|
|
|
|
|
|
|
|
[[production-ready-metrics-rest-template-tags]]
|
|
==== RestTemplate metric tags
|
|
Metrics generated by an instrumented `RestTemplate` will, by default, be tagged with
|
|
the following:
|
|
|
|
- Request's method
|
|
- Request's URI (templated if possible)
|
|
- Response's status
|
|
- Request URI's host
|
|
|
|
|
|
|
|
[[production-ready-metrics-integration]]
|
|
Auto-configuration will enable binding of a number of Spring Integration-related
|
|
metrics:
|
|
|
|
.General metrics
|
|
|===
|
|
| Metric | Description
|
|
|
|
| `spring.integration.channelNames`
|
|
| Number of Spring Integration channels
|
|
|
|
| `spring.integration.handlerNames`
|
|
| Number of Spring Integration handlers
|
|
|
|
| `spring.integration.sourceNames`
|
|
| Number of Spring Integration sources
|
|
|===
|
|
|
|
.Channel metrics
|
|
|===
|
|
| Metric | Description
|
|
|
|
| `spring.integration.channel.receives`
|
|
| Number of receives
|
|
|
|
| `spring.integration.channel.sendErrors`
|
|
| Number of failed sends
|
|
|
|
| `spring.integration.channel.sends`
|
|
| Number of successful sends
|
|
|===
|
|
|
|
.Handler metrics
|
|
|===
|
|
| Metric | Description
|
|
|
|
| `spring.integration.handler.duration.max`
|
|
| Maximum handler duration in milliseconds
|
|
|
|
| `spring.integration.handler.duration.min`
|
|
| Minimum handler duration in milliseconds
|
|
|
|
| `spring.integration.handler.duration.mean`
|
|
| Mean handler duration in milliseconds
|
|
|
|
| `spring.integration.handler.activeCount`
|
|
| Number of active handlers
|
|
|===
|
|
|
|
.Source metrics
|
|
|===
|
|
| Metric | Description
|
|
|
|
| `spring.integration.source.messages`
|
|
| Number of successful source calls
|
|
|===
|
|
|
|
|
|
|
|
[[production-ready-auditing]]
|
|
== Auditing
|
|
Spring Boot Actuator has a flexible audit framework that will publish events once Spring
|
|
Security is in play ('`authentication success`', '`failure`' and '`access denied`'
|
|
exceptions by default). This can be very useful for reporting, and also to implement a
|
|
lock-out policy based on authentication failures. To customize published security events
|
|
you can provide your own implementations of `AbstractAuthenticationAuditListener` and
|
|
`AbstractAuthorizationAuditListener`.
|
|
|
|
You can also choose to use the audit services for your own business events. To do that
|
|
you can either inject the existing `AuditEventRepository` into your own components and
|
|
use that directly, or you can simply publish `AuditApplicationEvent` via the Spring
|
|
`ApplicationEventPublisher` (using `ApplicationEventPublisherAware`).
|
|
|
|
|
|
|
|
[[production-ready-tracing]]
|
|
== Tracing
|
|
Tracing is automatically enabled for all HTTP requests. You can view the `trace` endpoint
|
|
and obtain basic information about the last 100 requests:
|
|
|
|
[source,json,indent=0]
|
|
----
|
|
[{
|
|
"timestamp": 1394343677415,
|
|
"info": {
|
|
"method": "GET",
|
|
"path": "/trace",
|
|
"headers": {
|
|
"request": {
|
|
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
|
|
"Connection": "keep-alive",
|
|
"Accept-Encoding": "gzip, deflate",
|
|
"User-Agent": "Mozilla/5.0 Gecko/Firefox",
|
|
"Accept-Language": "en-US,en;q=0.5",
|
|
"Cookie": "_ga=GA1.1.827067509.1390890128; ..."
|
|
"Authorization": "Basic ...",
|
|
"Host": "localhost:8080"
|
|
},
|
|
"response": {
|
|
"Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
|
|
"X-Application-Context": "application:8080",
|
|
"Content-Type": "application/json;charset=UTF-8",
|
|
"status": "200"
|
|
}
|
|
}
|
|
}
|
|
},{
|
|
"timestamp": 1394343684465,
|
|
...
|
|
}]
|
|
----
|
|
|
|
The following are included in the trace by default:
|
|
|
|
[cols="1,2"]
|
|
|===
|
|
|Name |Description
|
|
|
|
|Request Headers
|
|
|Headers from the request.
|
|
|
|
|Response Headers
|
|
|Headers from the response.
|
|
|
|
|Cookies
|
|
|`Cookie` from request headers and `Set-Cookie` from response headers.
|
|
|
|
|Errors
|
|
|The error attributes (if any).
|
|
|
|
|Time Taken
|
|
|The time taken to service the request in milliseconds.
|
|
|===
|
|
|
|
|
|
|
|
[[production-ready-custom-tracing]]
|
|
=== Custom tracing
|
|
If you need to trace additional events you can inject a
|
|
{sc-spring-boot-actuator}/trace/TraceRepository.{sc-ext}[`TraceRepository`] into your
|
|
Spring beans. The `add` method accepts a single `Map` structure that will be converted to
|
|
JSON and logged.
|
|
|
|
By default an `InMemoryTraceRepository` will be used that stores the last 100 events. You
|
|
can define your own instance of the `InMemoryTraceRepository` bean if you need to expand
|
|
the capacity. You can also create your own alternative `TraceRepository` implementation
|
|
if needed.
|
|
|
|
|
|
|
|
[[production-ready-process-monitoring]]
|
|
== Process monitoring
|
|
In Spring Boot Actuator you can find a couple of classes to create files that are useful
|
|
for process monitoring:
|
|
|
|
* `ApplicationPidFileWriter` creates a file containing the application PID (by default in
|
|
the application directory with the file name `application.pid`).
|
|
* `EmbeddedServerPortFileWriter` creates a file (or files) containing the ports of the
|
|
embedded server (by default in the application directory with the file name
|
|
`application.port`).
|
|
|
|
These writers are not activated by default, but you can enable them in one of the ways
|
|
described below.
|
|
|
|
|
|
|
|
[[production-ready-process-monitoring-configuration]]
|
|
=== Extend configuration
|
|
In `META-INF/spring.factories` file you can activate the listener(s) that
|
|
writes a PID file. Example:
|
|
|
|
[indent=0]
|
|
----
|
|
org.springframework.context.ApplicationListener=\
|
|
org.springframework.boot.system.ApplicationPidFileWriter,\
|
|
org.springframework.boot.actuate.system.EmbeddedServerPortFileWriter
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-process-monitoring-programmatically]]
|
|
=== Programmatically
|
|
You can also activate a listener by invoking the `SpringApplication.addListeners(...)`
|
|
method and passing the appropriate `Writer` object. This method also allows you to
|
|
customize the file name and path via the `Writer` constructor.
|
|
|
|
|
|
|
|
[[production-ready-cloudfoundry]]
|
|
== Cloud Foundry support
|
|
Spring Boot's actuator module includes additional support that is activated when you
|
|
deploy to a compatible Cloud Foundry instance. The `/cloudfoundryapplication` path
|
|
provides an alternative secured route to all `@Endpoint` beans.
|
|
|
|
The extended support allows Cloud Foundry management UIs (such as the web
|
|
application that you can use to view deployed applications) to be augmented with Spring
|
|
Boot actuator information. For example, an application status page may include full health
|
|
information instead of the typical "`running`" or "`stopped`" status.
|
|
|
|
NOTE: The `/cloudfoundryapplication` path is not directly accessible to regular users.
|
|
In order to use the endpoint a valid UAA token must be passed with the request.
|
|
|
|
|
|
|
|
[[production-ready-cloudfoundry-disable]]
|
|
=== Disabling extended Cloud Foundry actuator support
|
|
If you want to fully disable the `/cloudfoundryapplication` endpoints you can add the
|
|
following to your `application.properties` file:
|
|
|
|
|
|
.application.properties
|
|
[source,properties,indent=0]
|
|
----
|
|
management.cloudfoundry.enabled=false
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-cloudfoundry-ssl]]
|
|
=== Cloud Foundry self signed certificates
|
|
By default, the security verification for `/cloudfoundryapplication` endpoints makes SSL
|
|
calls to various Cloud Foundry services. If your Cloud Foundry UAA or Cloud Controller
|
|
services use self-signed certificates you will need to set the following property:
|
|
|
|
.application.properties
|
|
[source,properties,indent=0]
|
|
----
|
|
management.cloudfoundry.skip-ssl-validation=true
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-cloudfoundry-custom-security]]
|
|
=== Custom security configuration
|
|
If you define custom security configuration, and you want extended Cloud Foundry actuator
|
|
support, you'll should ensure that `/cloudfoundryapplication/**` paths are open. Without
|
|
a direct open route, your Cloud Foundry application manager will not be able to obtain
|
|
endpoint data.
|
|
|
|
For Spring Security, you'll typically include something like
|
|
`mvcMatchers("/cloudfoundryapplication/**").permitAll()` in your configuration:
|
|
|
|
[source,java,indent=0]
|
|
----
|
|
include::{code-examples}/cloudfoundry/CloudFoundryIgnorePathsExample.java[tag=security]
|
|
----
|
|
|
|
|
|
|
|
[[production-ready-whats-next]]
|
|
== What to read next
|
|
If you want to explore some of the concepts discussed in this chapter, you can take a
|
|
look at the actuator {github-code}/spring-boot-samples[sample applications]. You also
|
|
might want to read about graphing tools such as http://graphite.wikidot.com/[Graphite].
|
|
|
|
Otherwise, you can continue on, to read about <<deployment.adoc#deployment,
|
|
'`deployment options`'>> or jump ahead
|
|
for some in-depth information about Spring Boot's
|
|
_<<build-tool-plugins.adoc#build-tool-plugins, build tool plugins>>_.
|