Running in to an issue with 401 error when deployed on cluster. Note the issue not occurring during local development. Issue occurs only once deployed on testing cluster. Currently the project is in only development/testing phase.

Back-End config(Spring properties file):

server.port=8085
management.health.defaults.enabled=false
management.endpoint.health.show-details="ALWAYS"
management.server.port=${management.port:1234}
management.endpoints.enabled-by-default=true
management.endpoints.web.base-path=/
management.endpoints.web.exposure.include=health, prometheus

Angular: login is successful(using relative url's to port 8085 once deployed on the cluster) but after login my dashboard page makes calls to acutator health and prometheus end-points:

these are the URLs: healthUrl: "http://localhost:1234/health" metricsUrl: "http://localhost:1234/prometheus"

Spring Security:

@Configuration
@EnableWebSecurity
public class ActuatorWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .cors().configurationSource(corsConfigurationSource())
                .and()
                .authorizeRequests()
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
                .antMatchers("/**").authenticated()
                .and().httpBasic()
                .and()
                .addFilterBefore(new ForwardedHeaderFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowCredentials(true);
        configuration.setAllowedMethods(Arrays.asList("GET","POST","OPTIONS"));
        configuration.setAllowedHeaders(Collections.singletonList("*"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}

CodePudding user response：

Please provide the entire class with the security configuration, including all annotations, so we can understand it better.

CodePudding user response：

Below are couple of suggestions to dive deep into this

1. assuming your prometheus itself is being served over HTTPS, can you post your tls config? I am suspecting there is some issue with that, also can you recheck your spring-actuator config in prometheus file.
2. Can you check the metric, health, info path in prometheus file.