Some years ago, I discovered the Spring Boot actuator:
Spring Boot includes a number of additional features to help you monitor and manage your application when it’s pushed to production. You can choose to manage and monitor your application using HTTP endpoints, with JMX or even by remote shell (SSH or Telnet). Auditing, health and metrics gathering can be automatically applied to your application.
To sum it up, the actuator offers endpoints that allow monitoring of the application from different angles. This post is a change analysis between Spring Boot 2.0 and 1.5.
Endpoints availability
- New endpoints
-
Several new endpoints have been added to the actuator in Spring Boot 2.0:
Endpoint Description Notes httptrace
Displays info from the last HTTP requests
scheduledtasks
Displays the scheduled tasks in your application
sessions
Allows display and deletion of Spring Session related data
prometheus
Provides a Prometheus-compatible endpoint
Requires Spring MVC
- Changes
-
The
dump
endpoint has been renamed tothreaddump
to disambiguate with theheapdump
endpoint.
Endpoint configuration
Endpoint-related properties have been moved from the top-level endpoint
property to management.endpoint
, i.e.:
- Spring Boot 1.5
-
endpoints.shutdown.enabled=true
- Spring Boot 2.0
-
management.endpoint.shutdown.enabled=true
Cache management
- Spring Boot 1.5
-
Only the
health
endpoint caches responses. - Spring Boot 2.0
-
All parameter-less read operations have such a cache.
Cache TTL can be configured, but it will be the same across all endpoints.
JMX access
- Spring Boot 1.5
-
Endpoints are accessible over HTTP by default. In order to send metrics from the
metrics
endpoints to JMX, an additional exporter bean needs to be registered. - Spring Boot 2.0
-
JMX MBean wrappers are registered around (nearly) all endpoints. Every bean offers one single simple operation that displays the same data as if sending a
GET
request to the HTTP endpoint of the same. For example, the org.springframework.boot.Endpoint.Info MBean provides theinfo()
operation, as shown below:By default, JMX MBeans are not secured
Security
- Spring Boot 1.5
-
Endpoints may be flagged as sensitive. In order to access such endpoints, one has to autenticate with username/password credentials. The sensivity of each endpoint can be overriden in
application.properties
. - Spring Boot 2.0
-
Endpoints are secured using Spring Security if present: fine-grained configuration can be achieved using code.
Overall security can be disabled using the application.properties
configuration file.
Health indicators security
- Spring Boot 1.5
-
Only the overal health status (i.e.
{ status: UP }
) is exposed when not authenticated. If details are must be displayed regardless of authentication status, the endpoint must be configured accordingly:endpoints.health.sensitive=false
- Spring Boot 2.0
-
There are 3 levels, details being shown:
- Always
- Only when authorized
- Never
Custom endpoints
- Spring Boot 1.5
-
Creating a custom endpoint is a two-step process:
- Create a class that implements the
Endpoint
interface - Register an instance of this class in the Spring contect, e.g. through a
@Bean
-annotated methodMethods from such endpoints need to be annotated with Spring MVC’s
@RequestMapping
in order to be exposed over HTTP.
- Create a class that implements the
- Spring Boot 2.0
-
The class doesn’t need to extend from a specific superclass. However, the class needs to be annotated with
@Endpoint
.The framework takes care of providing the implementation. Moreover, to replace Spring MVC annotations, Spring Boot offers
@ReadOperation
,@WriteOperation
, and@DeleteOperation
annotations.Endpoints are accessible via HTTP and JMX. It’s possible to restrict accessibility to either the former or the later, by annotation the class with
@WebEndpoint
or@JmxEndpoint
.
Additional health indicators
Spring Boot adds health indicators around the following dependencies:
- Influx DB
- Kafka
- Neo4J
Conclusion
Spring Boot 2 changes how the actuator behaves in many non-trivial ways. Should one relies on Spring Boot’s actuator, one should take time to evaluate the effort to migrate.