
Spring Boot service: securely expose internal API through independent management port

Dec 01, 2025 pm 12:51 PM


This article details how to use built-in configuration to isolate internal management APIs (such as Actuator endpoints) from public business APIs in Spring Boot applications. By configuring independent management ports and precisely controlling exposed endpoints, service security can be effectively enhanced to ensure that only authorized internal systems can access monitoring and management functions, while public traffic is completely isolated from the main service port, avoiding additional proxy layer configuration.

In modern microservice architectures, Spring Boot applications are usually deployed behind a load balancer to provide public business APIs to the outside world. Besides these public interfaces, services often need to expose APIs for monitoring, health checking or management purposes, such as a Prometheus metrics scraping endpoint or the various management endpoints provided by Spring Boot Actuator. Isolating these internal APIs safely and effectively, so that outsiders cannot reach them without authorization, is a common challenge.

A common idea is to introduce an additional proxy layer, such as Nginx, to forward and filter requests in front of each service instance. While this approach works, it increases deployment complexity and maintenance costs. Fortunately, Spring Boot itself provides powerful configuration options that can solve this problem natively and achieve internal API isolation.

Spring Boot management port and endpoint exposure mechanism

The Spring Boot Actuator module provides production-level monitoring and management capabilities for applications. By default, all Actuator endpoints are exposed on the application's main HTTP port. To decouple these internal management endpoints from the public business API, Spring Boot introduces the management.server.port configuration property.

Core configuration principles:

  1. Independent management port (management.server.port): By setting the management.server.port property, you can specify a separate HTTP port for the Actuator endpoints. The Spring Boot application will then listen on two ports at the same time: one for business requests (usually 8080, or the port configured through server.port), and another dedicated to management endpoint requests. This physical port isolation is the first step towards internal API security.
  2. Precise control over exposed endpoints (management.endpoints.web.exposure.include): Even with a separate management port, we may not want every Actuator endpoint to be exposed. The management.endpoints.web.exposure.include property lets us explicitly specify which Actuator endpoints should be exposed over the Web (HTTP). This gives fine-grained control: only the necessary endpoints are exposed, further reducing the attack surface.

Configuration example

Suppose we want to expose the Prometheus metrics and health check endpoints on a separate management port 9090, and allow only these two endpoints to be accessed. In Spring Boot 2.7.x and later versions, you can configure the following in application.properties or application.yml:

application.properties:

 # Specify the port that the management endpoints listen on
 management.server.port=9090

 # Explicitly specify that only the health and prometheus endpoints are exposed
 management.endpoints.web.exposure.include=health,prometheus

application.yml:

 management:
  server:
    port: 9090
  endpoints:
    web:
      exposure:
        include: health,prometheus

Configuration instructions:

  • management.server.port=9090: This moves the Actuator endpoints from the default server.port to port 9090. The main application's business API is still served on server.port (e.g. 8080).
  • management.endpoints.web.exposure.include=health,prometheus: This instructs Spring Boot to expose only the /actuator/health and /actuator/prometheus endpoints over the Web. All other Actuator endpoints (such as /actuator/info, /actuator/beans, etc.) will not be exposed via HTTP on any port.

Practices and Notes

  1. Network firewall configuration: Even after isolating management endpoints on a separate port, it is highly recommended to restrict access to the management port at the network level (server firewall or cloud security group). Allow only the IP addresses of internal monitoring systems, CI/CD tools, or specific operations networks to reach this port.
  2. Authentication and authorization: For sensitive internal APIs, even on a standalone port, consider adding an authentication and authorization mechanism, for example using Spring Security to require basic authentication, OAuth2, or API key verification for requests to the management port. This gives internal APIs a second layer of protection.
  3. Avoid default exposure: The default value of management.endpoints.web.exposure.include is *, which exposes all endpoints. For security reasons, always list the endpoints that need to be exposed explicitly rather than relying on the default or excluding endpoints with management.endpoints.web.exposure.exclude.
  4. Version compatibility: The configuration above is valid in Spring Boot 2.x and higher. In earlier versions the property names may differ slightly; consult the official documentation for the corresponding version.
  5. Logging and monitoring: Make sure that access to the management port is also adequately logged and monitored, so that abnormal access patterns are detected promptly.

Summary

By using the management.server.port and management.endpoints.web.exposure.include configuration properties provided by Spring Boot, we can cleanly and efficiently isolate the internal management API from the public business API. This approach avoids introducing an additional proxy layer, which keeps system complexity down, and significantly improves application security through physical port isolation and fine-grained endpoint control. Combined with appropriate network firewall rules and authentication and authorization mechanisms, a Spring Boot service can be built that is both capable and secure.
