Spring Boot Actuator: Quick Start, Endpoint Overview, and Security Integration
This article introduces Spring Boot Actuator, explains how to create a demo project with Maven or Gradle, details the most important built‑in endpoints such as /health, /metrics, /loggers, /info, /beans, /heapdump, /threaddump and /shutdown, and shows how to secure them with Spring Security, providing configuration snippets and code examples.
Introduction
Spring Boot Actuator provides production‑ready features such as health checks, metrics collection, and HTTP tracing, enabling monitoring and management of Spring Boot applications. It can be integrated with external monitoring systems like Prometheus, Grafana, DataDog, etc.
What is Spring Boot Actuator
The Actuator module exposes internal application information via HTTP and JMX endpoints, allowing developers to monitor application health, metrics, logs, and more.
Quick Start – Creating a Demo
You can generate a demo project using the Spring Boot CLI:
spring init -d=web,actuator -n=actuator-demo actuator-demo
Or via Spring Initializr. Add the following Maven dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
For Gradle:
dependencies {
    // The "compile" configuration was removed in Gradle 7; use "implementation".
    implementation "org.springframework.boot:spring-boot-starter-actuator"
}
Endpoints Overview
Actuator provides several native endpoints grouped into three categories:
Application configuration (environment, config report, etc.)
Metrics (memory, threads, JVM, HTTP requests, etc.)
Operational control (shutdown, etc.)
Important Endpoints
/health
Shows aggregated health information. Visibility is controlled by management.endpoint.health.show-details (values: never, when-authorized, always).
management.endpoint.health.show-details=always
/metrics
Returns a list of available metric names. Detailed metric data can be fetched via /actuator/metrics/{metricName} or with query parameters.
http://localhost:8080/actuator/metrics/jvm.memory.max
/loggers
Exposes all configured loggers and allows runtime log‑level changes via a POST request.
{
    "configuredLevel": "DEBUG"
}
/info
Displays custom application information defined in application.properties.
info.app.name=actuator-test-demo
info.app.encoding=UTF-8
info.app.java.source=1.8
info.app.java.target=1.8
/beans
Lists all beans in the Spring context with their aliases, types, scopes, and dependencies.
/heapdump
Generates a JVM heap dump that can be opened with tools like VisualVM.
/threaddump
Provides a snapshot of all threads, their states, and stack traces.
/shutdown
Gracefully shuts down the application when enabled and accessed via a POST request.
management.endpoint.shutdown.enabled=true
Securing Actuator Endpoints with Spring Security
If Spring Security is on the classpath, endpoints are protected by default. Add the security starter if missing:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
Example security configuration (version 2) that restricts all actuator endpoints to users with role ACTUATOR_ADMIN while allowing static resources and the root path:
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Every actuator endpoint requires the ACTUATOR_ADMIN role.
            .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR_ADMIN")
            // Static resources and the root path stay public.
            .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .antMatchers("/").permitAll()
            // Everything else requires an authenticated user.
            .antMatchers("/**").authenticated()
            .and().httpBasic();
    }
}
Define the admin user in application.properties:
spring.security.user.name=actuator
spring.security.user.password=actuator
spring.security.user.roles=ACTUATOR_ADMIN
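As an added example (not code from the original article), this Python check audits an application.properties file for the settings the article turns on: health details set to always, the shutdown endpoint enabled, and a literal password stored in the file. The check on management.endpoints.web.exposure.include goes beyond the article's snippets, and the finding labels and the ACTUATOR_PASSWORD variable name are assumptions made for illustration.

```python
import re

# Endpoints described in the article that leak internals or change state.
SENSITIVE = {"heapdump", "threaddump", "shutdown", "loggers", "beans"}

# Constructed sample: the property values shown in the article.
ARTICLE_SETTINGS = """\
management.endpoint.health.show-details=always
management.endpoint.shutdown.enabled=true
spring.security.user.name=actuator
spring.security.user.password=actuator
"""

# Constructed sample: tightened values. ACTUATOR_PASSWORD is a hypothetical
# environment variable resolved through Spring's ${...} placeholder syntax.
HARDENED = """\
management.endpoint.health.show-details=when-authorized
management.endpoint.shutdown.enabled=false
management.endpoints.web.exposure.include=health,info
spring.security.user.password=${ACTUATOR_PASSWORD}
"""

def parse_properties(text):
    """Parse key=value or key:value lines; skip blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return (label, detail) findings for risky Actuator settings."""
    p = parse_properties(text)
    findings = []
    if p.get("management.endpoint.health.show-details") == "always":
        findings.append(("health-details-always", "prefer when-authorized"))
    if p.get("management.endpoint.shutdown.enabled", "").lower() == "true":
        findings.append(("shutdown-enabled", "POST /actuator/shutdown stops the app"))
    password = p.get("spring.security.user.password")
    if password is not None and not password.startswith("${"):
        findings.append(("literal-password", "inject the secret at deploy time"))
    include = p.get("management.endpoints.web.exposure.include", "")
    exposed = {name.strip() for name in include.split(",")}
    risky = sorted(SENSITIVE if "*" in exposed else exposed & SENSITIVE)
    if risky:
        findings.append(("sensitive-endpoints-exposed", ", ".join(risky)))
    return findings
```

Calling audit(ARTICLE_SETTINGS) reports three findings, while audit(HARDENED) reports none.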