- * @return context runner customizations
- */
public static StreamService Registry] + Admin[Spring Boot Admin
Server] + + Apps -->|Register| Eureka + Admin -->|Discover| Eureka + Admin -.->|Monitor| Apps +``` + +Applications register with Eureka, and the Admin Server discovers them through Eureka's registry. + +## Setting Up Eureka Server + +First, you need a Eureka Server running. Here's a minimal setup: + +### Dependencies + +```xml title="pom.xml" + +
Service Registry] + Admin[Spring Boot Admin
Server] + + Apps -->|Register| Agent + Agent -->|Sync| Server + Admin -->|Discover| Server + Admin -.->|Monitor| Apps +``` + +## Setting Up Consul + +### Install Consul + +```bash +# macOS +brew install consul + +# Linux +wget https://releases.hashicorp.com/consul/1.17.0/consul_1.17.0_linux_amd64.zip +unzip consul_1.17.0_linux_amd64.zip +sudo mv consul /usr/local/bin/ + +# Docker +docker run -d --name=consul -p 8500:8500 consul:latest +``` + +### Start Consul + +```bash +# Development mode +consul agent -dev + +# Production mode +consul agent -server -bootstrap-expect=1 -data-dir=/tmp/consul +``` + +Access Consul UI at: `http://localhost:8500` + +## Configuring Spring Boot Admin Server + +### Add Dependencies + +```xml title="pom.xml" +
Distributed Data)] + end + + subgraph Server1["Admin Server 1"] + ES1[Event Store] + end + + subgraph Server2["Admin Server 2"] + ES2[Event Store] + end + + Apps -->|Register| Server1 + Apps -->|Register| Server2 + + Server1 <-->|Sync| HZ + Server2 <-->|Sync| HZ + + ES1 -.->|Shared State| HZ + ES2 -.->|Shared State| HZ +``` + +## Why Hazelcast? + +- **High Availability**: No single point of failure +- **Scalability**: Add more Admin Server instances +- **Shared State**: All servers see the same application state +- **Distributed Events**: Events propagated across cluster +- **Simple Setup**: Minimal configuration required + +## Setting Up Hazelcast + +### Add Dependencies + +```xml title="pom.xml" +
Needs credentials to access
secured actuator endpoints"] -->|HTTP Basic Auth
user.name + user.password| B["Client Application
Secured actuator endpoints:
/actuator/health
/actuator/metrics
/actuator/env"] +``` + +--- + +## Quick Start + +### 1. Client: Secure Actuator Endpoints + +Add Spring Security to your client application: + +**Maven**: + +```xml +
• Sends CSRF token in requests
• Token stored in XSRF-TOKEN cookie
• Angular/React reads cookie and sends X-XSRF-TOKEN header"] --> B["**Spring Boot Admin Server**
• Validates CSRF token for UI requests
• Exempts /instances endpoint client registration
• Exempts /actuator/** health checks"] + C["**Client Application**
• Registers without CSRF token
• Uses HTTP POST to /instances"] --> B +``` + +--- + +## Why CSRF Protection? + +CSRF attacks trick authenticated users into performing unwanted actions: + +1. User logs into Admin Server in their browser +2. User visits malicious website +3. Malicious website sends request to Admin Server using user's session +4. Without CSRF protection, the request succeeds + +**CSRF tokens prevent this**: + +- Each request requires a unique token +- Tokens are tied to the user's session +- Malicious websites cannot obtain valid tokens + +--- + +## CSRF Configuration + +### Complete Example + +```java +package com.example.admin; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; +import org.springframework.security.web.csrf.CookieCsrfTokenRepository; +import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler; +import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher; + +import de.codecentric.boot.admin.server.config.AdminServerProperties; + +import static org.springframework.http.HttpMethod.DELETE; +import static org.springframework.http.HttpMethod.POST; + +@Configuration +public class SecurityConfig { + + private final AdminServerProperties adminServer; + + public SecurityConfig(AdminServerProperties adminServer) { + this.adminServer = adminServer; + } + + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http + .authorizeHttpRequests(auth -> auth + .requestMatchers(PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/assets/**"))) + .permitAll() + .requestMatchers(PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/login"))) + .permitAll() + .anyRequest().authenticated() + ) + .formLogin(formLogin -> formLogin + .loginPage(adminServer.path("/login")) + ) + .httpBasic(Customizer.withDefaults()); + + // Custom CSRF filter to expose token to JavaScript + http.addFilterAfter(new CustomCsrfFilter(), BasicAuthenticationFilter.class); + + // CSRF configuration + http.csrf(csrf -> csrf + // Use cookie-based token repository (accessible to JavaScript) + .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) + // Use attribute-based token handler + .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()) + // Exempt specific endpoints + .ignoringRequestMatchers( + // Client registration + PathPatternRequestMatcher.withDefaults() + .matcher(POST, adminServer.path("/instances")), + // Client deregistration + PathPatternRequestMatcher.withDefaults() + .matcher(DELETE, adminServer.path("/instances/*")), + // Notification endpoints + PathPatternRequestMatcher.withDefaults() + .matcher(POST, adminServer.path("/notifications/**")), + PathPatternRequestMatcher.withDefaults() + .matcher(DELETE, adminServer.path("/notifications/**")), + // Admin Server's own actuator + PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/actuator/**")) + ) + ); + + return http.build(); + } +} +``` + +--- + +## Custom CSRF Filter + +The Admin UI (JavaScript) needs access to the CSRF token. Create a filter to expose it: + +```java +package com.example.admin; + +import java.io.IOException; + +import jakarta.servlet.FilterChain; +import jakarta.servlet.ServletException; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import org.springframework.security.web.csrf.CsrfToken; +import org.springframework.web.filter.OncePerRequestFilter; +import org.springframework.web.util.WebUtils; + +public class CustomCsrfFilter extends OncePerRequestFilter { + + public static final String CSRF_COOKIE_NAME = "XSRF-TOKEN"; + + @Override + protected void doFilterInternal(HttpServletRequest request, + HttpServletResponse response, + FilterChain filterChain) + throws ServletException, IOException { + + // Get CSRF token from request attributes + CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName()); + + if (csrf != null) { + Cookie cookie = WebUtils.getCookie(request, CSRF_COOKIE_NAME); + String token = csrf.getToken(); + + // Set cookie if not present or token changed + if (cookie == null || token != null && !token.equals(cookie.getValue())) { + cookie = new Cookie(CSRF_COOKIE_NAME, token); + cookie.setPath("/"); + response.addCookie(cookie); + } + } + + filterChain.doFilter(request, response); + } +} +``` + +**What this does**: + +1. Extracts CSRF token from Spring Security +2. Stores it in a cookie named `XSRF-TOKEN` +3. Cookie is **not** HTTP-only (JavaScript can read it) +4. Admin UI reads cookie and includes token in requests + +--- + +## How CSRF Works in Admin Server + +### 1. User Opens Admin UI + +``` +GET / HTTP/1.1 +``` + +**Response**: + +``` +HTTP/1.1 200 OK +Set-Cookie: XSRF-TOKEN=abc123; Path=/ +Set-Cookie: JSESSIONID=xyz789; Path=/; HttpOnly + + +... +``` + +### 2. JavaScript Makes Request + +Admin UI JavaScript reads `XSRF-TOKEN` cookie and sends it in header: + +```javascript +fetch('/instances/123/actuator/info', { + method: 'GET', + headers: { + 'X-XSRF-TOKEN': 'abc123' // From cookie + }, + credentials: 'same-origin' +}) +``` + +**HTTP Request**: + +``` +GET /instances/123/actuator/info HTTP/1.1 +X-XSRF-TOKEN: abc123 +Cookie: XSRF-TOKEN=abc123; JSESSIONID=xyz789 +``` + +### 3. Spring Security Validates Token + +Spring Security compares: + +- Token from `X-XSRF-TOKEN` header +- Token from `XSRF-TOKEN` cookie + +If they match, request is allowed. + +### 4. Client Registration (Exempted) + +Client applications register **without** CSRF token: + +``` +POST /instances HTTP/1.1 +Content-Type: application/json + +{ + "name": "my-service", + "healthUrl": "http://localhost:8081/actuator/health" +} +``` + +This works because `/instances` is in `ignoringRequestMatchers`. + +--- + +## Cookie vs Session Token Repository + +### Cookie-Based (Recommended for SPA) + +```java +.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) +``` + +**Pros**: + +- JavaScript can read token from cookie +- Works with Single Page Applications (SPA) +- Stateless (no server-side session storage) + +**Cons**: + +- Cookie not HTTP-only (accessible to JavaScript) +- Requires custom filter to set cookie + +### Session-Based (Default) + +```java +.csrfTokenRepository(new HttpSessionCsrfTokenRepository()) +``` + +**Pros**: + +- More secure (token not exposed to JavaScript) +- Simpler configuration + +**Cons**: + +- Requires server-side session +- Harder to use with SPA frameworks + +**Spring Boot Admin requires cookie-based** because the UI is a JavaScript SPA. + +--- + +## Exempted Endpoints + +### Client Registration + +```java +.ignoringRequestMatchers( + PathPatternRequestMatcher.withDefaults() + .matcher(POST, adminServer.path("/instances")), + PathPatternRequestMatcher.withDefaults() + .matcher(DELETE, adminServer.path("/instances/*")) +) +``` + +**Why?** + +- Client applications don't have CSRF tokens +- They register/deregister via simple HTTP POST/DELETE +- Not vulnerable to CSRF (no browser session involved) + +### Actuator Endpoints + +```java +.ignoringRequestMatchers( + PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/actuator/**")) +) +``` + +**Why?** + +- Admin Server's own health checks +- Load balancers, monitoring tools access these +- No CSRF risk (stateless, no session) + +### Notification Endpoints + +```java +.ignoringRequestMatchers( + PathPatternRequestMatcher.withDefaults() + .matcher(POST, adminServer.path("/notifications/**")), + PathPatternRequestMatcher.withDefaults() + .matcher(DELETE, adminServer.path("/notifications/**")) +) +``` + +**Why?** + +- Webhook endpoints from external services (Slack, Teams, etc.) +- Cannot provide CSRF tokens +- Authenticated via other means (webhook secrets) + +--- + +## Context Path Support + +If using a custom context path: + +```yaml +spring: + boot: + admin: + context-path: /admin +``` + +Use `adminServer.path()` to include context path automatically: + +```java +PathPatternRequestMatcher.withDefaults() + .matcher(POST, adminServer.path("/instances")) +``` + +This becomes `/admin/instances` automatically. + +--- + +## Testing CSRF Protection + +### Test UI Request (Requires Token) + +**Without token**: + +```bash +curl -X POST http://localhost:8080/applications/my-app/restart \ + -H "Cookie: JSESSIONID=abc123" +``` + +**Response**: `403 Forbidden` + +**With token**: + +```bash +curl -X POST http://localhost:8080/applications/my-app/restart \ + -H "Cookie: JSESSIONID=abc123; XSRF-TOKEN=def456" \ + -H "X-XSRF-TOKEN: def456" +``` + +**Response**: `200 OK` + +### Test Client Registration (Exempted) + +```bash +curl -X POST http://localhost:8080/instances \ + -H "Content-Type: application/json" \ + -d '{ + "name": "test-service", + "healthUrl": "http://localhost:8081/actuator/health" + }' +``` + +**Response**: `201 Created` (no CSRF token needed) + +### Test Actuator (Exempted) + +```bash +curl http://localhost:8080/actuator/health +``` + +**Response**: `200 OK` (no CSRF token needed) + +--- + +## Disable CSRF (Not Recommended) + +For development/testing only: + +```java +@Bean +@Profile("dev") +public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http + .authorizeHttpRequests(/* ... */) + .csrf(csrf -> csrf.disable()); // Disable CSRF + + return http.build(); +} +``` + +**Only disable CSRF for development and testing.** + +--- + +## SameSite Cookie Attribute + +Enhance CSRF protection with SameSite cookies: + +```yaml +server: + servlet: + session: + cookie: + same-site: strict +``` + +**Options**: + +- `strict`: Cookie only sent for same-site requests (most secure) +- `lax`: Cookie sent for top-level navigation (default) +- `none`: Cookie sent for all requests (requires `secure=true`) + +**Recommendation**: Use `lax` for Admin Server (allows direct navigation). + +--- + +## Troubleshooting + +### Issue: 403 Forbidden on all requests + +**Cause**: CSRF token missing or invalid. + +**Check**: + +1. Cookie is set: + + ```bash + curl -i http://localhost:8080/ + ``` + + Should see `Set-Cookie: XSRF-TOKEN=...` + +2. Custom CSRF filter is registered: + + ```java + http.addFilterAfter(new CustomCsrfFilter(), BasicAuthenticationFilter.class) + ``` + +3. Token repository is cookie-based: + + ```java + .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) + ``` + +### Issue: Client registration fails with 403 + +**Cause**: `/instances` endpoint not exempted from CSRF. + +**Solution**: Add to `ignoringRequestMatchers`: + +```java +.csrf(csrf -> csrf + .ignoringRequestMatchers( + PathPatternRequestMatcher.withDefaults() + .matcher(POST, adminServer.path("/instances")), + PathPatternRequestMatcher.withDefaults() + .matcher(DELETE, adminServer.path("/instances/*")) + ) +) +``` + +### Issue: Token cookie not accessible to JavaScript + +**Cause**: Cookie is HTTP-only. + +**Solution**: Use `withHttpOnlyFalse()`: + +```java +.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) +``` + +### Issue: Token changes on every request + +**Expected behavior**. Spring Security generates new tokens regularly for security. + +**If problematic**: Use `CookieCsrfTokenRepository` with custom settings: + +```java +CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse(); +repository.setCookieName("XSRF-TOKEN"); +repository.setHeaderName("X-XSRF-TOKEN"); +``` + +### Issue: CSRF protection not working with context path + +**Cause**: Matchers don't include context path. + +**Solution**: Use `adminServer.path()`: + +```java +PathPatternRequestMatcher.withDefaults() + .matcher(POST, adminServer.path("/instances")) +``` + +Not: + +```java +new AntPathRequestMatcher("/instances", POST.name()) +``` + +--- + +## Advanced Configuration + +### Custom Token Header/Cookie Names + +```java +CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository(); +repository.setCookieName("MY-CSRF-TOKEN"); +repository.setHeaderName("X-MY-CSRF-TOKEN"); +repository.setParameterName("_csrf"); +repository.setCookieHttpOnly(false); + +http.csrf(csrf -> csrf + .csrfTokenRepository(repository) +) +``` + +Update `CustomCsrfFilter` accordingly: + +```java +public static final String CSRF_COOKIE_NAME = "MY-CSRF-TOKEN"; +``` + +### Conditional CSRF Protection + +Enable CSRF only for browser requests: + +```java +http.csrf(csrf -> csrf + .requireCsrfProtectionMatcher(request -> { + // Require CSRF for browser requests (non-API) + String method = request.getMethod(); + if ("GET".equals(method) || "HEAD".equals(method) || + "TRACE".equals(method) || "OPTIONS".equals(method)) { + return false; // Safe methods + } + + String header = request.getHeader("X-Requested-With"); + if ("XMLHttpRequest".equals(header)) { + return true; // AJAX requests + } + + String accept = request.getHeader("Accept"); + if (accept != null && accept.contains("application/json")) { + return false; // API clients + } + + return true; // Browser requests + }) +) +``` + +### Multiple Security Filter Chains + +Separate CSRF rules for UI and API: + +```java +@Configuration +public class SecurityConfig { + + @Bean + @Order(1) + public SecurityFilterChain apiFilterChain(HttpSecurity http, + AdminServerProperties adminServer) throws Exception { + http + .securityMatcher(adminServer.path("/api/**")) + .authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) + .httpBasic(Customizer.withDefaults()) + .csrf(csrf -> csrf.disable()); // No CSRF for API + + return http.build(); + } + + @Bean + @Order(2) + public SecurityFilterChain uiFilterChain(HttpSecurity http, + AdminServerProperties adminServer) throws Exception { + http + .authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) + .formLogin(/* ... */) + .csrf(csrf -> csrf // CSRF for UI + .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) + ); + + return http.build(); + } +} +``` + +--- + +## Best Practices + +1. **Always enable CSRF** when deploying +2. **Use cookie-based repository** for JavaScript SPAs +3. **Exempt only necessary endpoints** (client registration, actuator) +4. **Use SameSite cookies** for additional protection +5. **Test CSRF protection** before deploying +6. **Use HTTPS** to prevent token theft +7. **Rotate session IDs** after login +8. **Monitor for CSRF attacks** in logs + +--- + +## Complete Working Example + +**SecurityConfig.java**: + +```java +package com.example.admin; + +import java.util.UUID; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.Customizer; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; +import org.springframework.security.crypto.password.PasswordEncoder; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; +import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler; +import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; +import org.springframework.security.web.csrf.CookieCsrfTokenRepository; +import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler; +import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher; + +import de.codecentric.boot.admin.server.config.AdminServerProperties; + +import static org.springframework.http.HttpMethod.DELETE; +import static org.springframework.http.HttpMethod.POST; + +@Configuration +public class SecurityConfig { + + private final AdminServerProperties adminServer; + + public SecurityConfig(AdminServerProperties adminServer) { + this.adminServer = adminServer; + } + + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + SavedRequestAwareAuthenticationSuccessHandler successHandler = + new SavedRequestAwareAuthenticationSuccessHandler(); + successHandler.setTargetUrlParameter("redirectTo"); + successHandler.setDefaultTargetUrl(adminServer.path("/")); + + http + .authorizeHttpRequests(auth -> auth + .requestMatchers(PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/assets/**"))) + .permitAll() + .requestMatchers(PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/login"))) + .permitAll() + .requestMatchers(PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/actuator/info"))) + .permitAll() + .requestMatchers(PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/actuator/health"))) + .permitAll() + .anyRequest().authenticated() + ) + .formLogin(formLogin -> formLogin + .loginPage(adminServer.path("/login")) + .successHandler(successHandler) + ) + .logout(logout -> logout + .logoutUrl(adminServer.path("/logout")) + ) + .httpBasic(Customizer.withDefaults()); + + http.addFilterAfter(new CustomCsrfFilter(), BasicAuthenticationFilter.class) + .csrf(csrf -> csrf + .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) + .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()) + .ignoringRequestMatchers( + PathPatternRequestMatcher.withDefaults() + .matcher(POST, adminServer.path("/instances")), + PathPatternRequestMatcher.withDefaults() + .matcher(DELETE, adminServer.path("/instances/*")), + PathPatternRequestMatcher.withDefaults() + .matcher(adminServer.path("/actuator/**")) + ) + ); + + http.rememberMe(rememberMe -> rememberMe + .key(UUID.randomUUID().toString()) + .tokenValiditySeconds(1209600) + ); + + return http.build(); + } + + @Bean + public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) { + UserDetails user = User.builder() + .username("admin") + .password(passwordEncoder.encode(System.getenv("ADMIN_PASSWORD"))) + .roles("ADMIN") + .build(); + + return new InMemoryUserDetailsManager(user); + } + + @Bean + public PasswordEncoder passwordEncoder() { + return new BCryptPasswordEncoder(); + } +} +``` + +**CustomCsrfFilter.java** (same as shown earlier). + +--- + +## See Also + +- [Server Authentication](./10-server-authentication.md) - Configure Spring Security +- [Actuator Security](./20-actuator-security.md) - Secure client endpoints +- [Spring Security CSRF Documentation](https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html) diff --git a/spring-boot-admin-docs/src/site/docs/05-security/_category_.json b/spring-boot-admin-docs/src/site/docs/05-security/_category_.json new file mode 100644 index 00000000000..3b4938cffd8 --- /dev/null +++ b/spring-boot-admin-docs/src/site/docs/05-security/_category_.json @@ -0,0 +1,4 @@ +{ + "position": 5, + "label": "Security" +} diff --git a/spring-boot-admin-docs/src/site/docs/05-security/index.md b/spring-boot-admin-docs/src/site/docs/05-security/index.md new file mode 100644 index 00000000000..eafb0d6bf38 --- /dev/null +++ b/spring-boot-admin-docs/src/site/docs/05-security/index.md @@ -0,0 +1,486 @@ +--- +sidebar_position: 1 +sidebar_custom_props: + icon: 'shield' +--- + +# Security + +Spring Boot Admin Server and Client can be secured using Spring Security. This section covers all aspects of securing +your Spring Boot Admin deployment. + +## Security Overview + +A complete Spring Boot Admin deployment has multiple security concerns: + +```mermaid +graph TD + A[User Browser] -->|1 Login to Admin UI| B["Spring Boot Admin Server
• Form login + HTTP Basic authentication
• CSRF protection for UI
• Remember-me functionality"] + B -->|2 Access actuator endpoints| C["Client Application Instance
• Secured actuator endpoints
• Client provides credentials via metadata
• Server authenticates using instance-auth"] +``` + +## Security Layers + +### 1. Admin Server Security + +Protect the Admin UI and API endpoints: + +- **Authentication**: Form login for UI, HTTP Basic for API clients +- **Authorization**: Role-based access control +- **CSRF Protection**: Protect against Cross-Site Request Forgery +- **Session Management**: Remember-me functionality + +**See**: [Server Authentication](./10-server-authentication.md) + +### 2. Actuator Endpoint Security + +Secure the client application's actuator endpoints: + +- **Spring Security**: Protect actuator with authentication +- **Credentials Sharing**: Pass credentials to Admin Server via metadata +- **Per-Service Auth**: Different credentials per service + +**See**: [Actuator Security](./20-actuator-security.md) + +### 3. CSRF Protection + +Configure CSRF tokens for Admin UI while allowing client registration: + +- **Cookie-based CSRF**: JavaScript-friendly token repository +- **Exempted Endpoints**: Allow `/instances` registration without CSRF +- **Custom CSRF Filter**: Make token available to JavaScript + +**See**: [CSRF Protection](./30-csrf-protection.md) + +### 4. Mutual TLS (Optional) + +Enhanced security with client certificates: + +- **mTLS Between Server and Clients**: Mutual authentication +- **Certificate Validation**: Trust only specific clients +- **SSL Configuration**: Keystore and truststore setup + +--- + +## Quick Start Examples + +### Minimal Secured Server + +```yaml +spring: + security: + user: + name: admin + password: ${ADMIN_PASSWORD} +``` + +```java +@Configuration +public class SecurityConfig { + + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http.authorizeHttpRequests(auth -> auth + .requestMatchers("/assets/**").permitAll() + .requestMatchers("/login").permitAll() + .anyRequest().authenticated() + ) + .formLogin(formLogin -> formLogin.loginPage("/login")) + .httpBasic(Customizer.withDefaults()); + + return http.build(); + } +} +``` + +### Client with Secured Actuator + +**Client Configuration**: + +```yaml +spring: + boot: + admin: + client: + url: http://admin-server:8080 + instance: + metadata: + user.name: actuator + user.password: ${ACTUATOR_PASSWORD} + + security: + user: + name: actuator + password: ${ACTUATOR_PASSWORD} + +management: + endpoints: + web: + exposure: + include: "*" +``` + +**Server Configuration**: + +```yaml +spring: + boot: + admin: + instance-auth: + enabled: true + # Credentials from instance metadata +``` + +--- + +## Security Checklist + +Use this checklist to ensure your deployment is secure: + +### Admin Server + +- [ ] Enable Spring Security +- [ ] Use strong passwords (externalize via environment variables) +- [ ] Configure form login for UI access +- [ ] Enable HTTP Basic for API/programmatic access +- [ ] Configure CSRF protection with exemptions for `/instances` +- [ ] Set up remember-me with secure random key +- [ ] Use HTTPS for deployments +- [ ] Restrict access by IP (if applicable) +- [ ] Configure session timeout +- [ ] Audit authentication attempts + +### Client Applications + +- [ ] Secure actuator endpoints with Spring Security +- [ ] Pass actuator credentials via metadata (`user.name`, `user.password`) +- [ ] Use strong actuator passwords +- [ ] Limit exposed actuator endpoints to necessary ones +- [ ] Use HTTPS for actuator if possible +- [ ] Verify Admin Server certificate (if using HTTPS) +- [ ] Consider mutual TLS for high-security environments + +### Network Security + +- [ ] Use HTTPS for all communication +- [ ] Configure firewalls to restrict Admin Server access +- [ ] Use VPN or private networks when possible +- [ ] Enable mutual TLS if required +- [ ] Monitor for suspicious access patterns + +--- + +## Common Security Scenarios + +### Scenario 1: Development Environment + +**Goal**: Simple security for local development. + +```yaml +# Admin Server +spring: + security: + user: + name: user + password: password +``` + +No actuator security needed in development. + +### Scenario 2: Production with Role-Based Access + +**Goal**: Different roles for read-only vs admin users. + +```java +@Configuration +public class SecurityConfig { + + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http.authorizeHttpRequests(auth -> auth + .requestMatchers("/assets/**", "/login").permitAll() + .requestMatchers("/instances/**").hasRole("ADMIN") + .anyRequest().hasAnyRole("ADMIN", "USER") + ) + .formLogin(formLogin -> formLogin.loginPage("/login")) + .httpBasic(Customizer.withDefaults()); + + return http.build(); + } + + @Bean + public UserDetailsService userDetailsService(PasswordEncoder encoder) { + UserDetails admin = User.builder() + .username("admin") + .password(encoder.encode(System.getenv("ADMIN_PASSWORD"))) + .roles("ADMIN") + .build(); + + UserDetails user = User.builder() + .username("viewer") + .password(encoder.encode(System.getenv("VIEWER_PASSWORD"))) + .roles("USER") + .build(); + + return new InMemoryUserDetailsManager(admin, user); + } + + @Bean + public PasswordEncoder passwordEncoder() { + return new BCryptPasswordEncoder(); + } +} +``` + +### Scenario 3: Kubernetes with Service Accounts + +**Goal**: Use Kubernetes service accounts for authentication. + +```yaml +# Admin Server +spring: + boot: + admin: + discovery: + enabled: true + +# Spring Security with OAuth2 +spring: + security: + oauth2: + client: + registration: + keycloak: + client-id: spring-boot-admin + client-secret: ${OAUTH2_CLIENT_SECRET} + provider: + keycloak: + issuer-uri: https://keycloak.company.com/realms/main +``` + +### Scenario 4: Different Credentials per Service + +**Goal**: Use unique credentials for each client service. + +**Admin Server**: + +```yaml +spring: + boot: + admin: + instance-auth: + enabled: true + service-map: + service-a: + user-name: service-a-actuator + user-password: ${SERVICE_A_PASSWORD} + service-b: + user-name: service-b-actuator + user-password: ${SERVICE_B_PASSWORD} + default-user-name: default-actuator + default-password: ${DEFAULT_PASSWORD} +``` + +**Client (Service A)**: + +```yaml +spring: + application: + name: service-a + + security: + user: + name: service-a-actuator + password: ${SERVICE_A_PASSWORD} +``` + +--- + +## Best Practices + +### 1. Externalize Secrets + +Never hardcode passwords. Use environment variables or secret management: + +```yaml +spring: + security: + user: + name: ${ADMIN_USER:admin} + password: ${ADMIN_PASSWORD} +``` + +**Docker**: + +```bash +docker run -e ADMIN_PASSWORD=secret123 my-admin-server +``` + +**Kubernetes Secret**: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: admin-credentials +type: Opaque +data: + password: c2VjcmV0MTIz # base64 encoded +``` + +### 2. Use Strong Passwords + +- Minimum 16 characters +- Mix of uppercase, lowercase, numbers, symbols +- Use password generators +- Rotate regularly + +### 3. Limit Actuator Exposure + +Only expose necessary endpoints: + +```yaml +management: + endpoints: + web: + exposure: + include: health,info,metrics,loggers +``` + +### 4. Enable HTTPS + +Use TLS for all communication: + +```yaml +server: + port: 8443 + ssl: + enabled: true + key-store: classpath:keystore.p12 + key-store-password: ${KEYSTORE_PASSWORD} + key-store-type: PKCS12 +``` + +### 5. Monitor Security Events + +Log authentication attempts and failures: + +```yaml +logging: + level: + org.springframework.security: DEBUG + de.codecentric.boot.admin: DEBUG +``` + +--- + +## Security Headers + +Configure security headers for the Admin UI: + +```java +@Configuration +public class SecurityConfig { + + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http + .headers(headers -> headers + .contentSecurityPolicy(csp -> csp + .policyDirectives("default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'") + ) + .frameOptions(frame -> frame.sameOrigin()) + .xssProtection(xss -> xss.block(true)) + .httpStrictTransportSecurity(hsts -> hsts + .includeSubDomains(true) + .maxAgeInSeconds(31536000) + ) + ); + + return http.build(); + } +} +``` + +--- + +## Troubleshooting + +### Issue: 401 Unauthorized when accessing instances + +**Cause**: Admin Server doesn't have credentials to access actuator endpoints. + +**Solution**: Add credentials to instance metadata: + +```yaml +spring: + boot: + admin: + client: + instance: + metadata: + user.name: actuator + user.password: ${ACTUATOR_PASSWORD} +``` + +### Issue: CSRF token errors on client registration + +**Cause**: CSRF protection blocking `/instances` endpoint. + +**Solution**: Exempt registration endpoints from CSRF: + +```java +.csrf(csrf -> csrf + .ignoringRequestMatchers( + new AntPathRequestMatcher("/instances", POST.name()), + new AntPathRequestMatcher("/instances/*", DELETE.name()) + ) +) +``` + +### Issue: Login page not loading + +**Cause**: Login page assets blocked by security. + +**Solution**: Permit access to assets and login: + +```java +.authorizeHttpRequests(auth -> auth + .requestMatchers("/assets/**", "/login").permitAll() + .anyRequest().authenticated() +) +``` + +### Issue: Remember-me not working + +**Cause**: No `UserDetailsService` configured. + +**Solution**: Add `UserDetailsService` bean: + +```java +@Bean +public InMemoryUserDetailsManager userDetailsService(PasswordEncoder encoder) { + UserDetails user = User.builder() + .username("admin") + .password(encoder.encode("password")) + .roles("ADMIN") + .build(); + return new InMemoryUserDetailsManager(user); +} +``` + +--- + +## Next Steps + +- [Server Authentication](./10-server-authentication.md) - Secure Admin Server with Spring Security +- [Actuator Security](./20-actuator-security.md) - Secure client actuator endpoints +- [CSRF Protection](./30-csrf-protection.md) - Configure CSRF for UI and API + +--- + +## See Also + +- [Server Configuration](../02-server/01-server.mdx) +- [Client Configuration](../03-client/10-client-features.md) +- [Spring Security Documentation](https://docs.spring.io/spring-security/reference/index.html) diff --git a/spring-boot-admin-docs/src/site/docs/06-customization/_category_.json b/spring-boot-admin-docs/src/site/docs/06-customization/_category_.json new file mode 100644 index 00000000000..d600c8bce13 --- /dev/null +++ b/spring-boot-admin-docs/src/site/docs/06-customization/_category_.json @@ -0,0 +1,4 @@ +{ + "position": 6, + "label": "Customization" +} diff --git a/spring-boot-admin-docs/src/site/docs/third-party/index.md b/spring-boot-admin-docs/src/site/docs/06-customization/index.md similarity index 70% rename from spring-boot-admin-docs/src/site/docs/third-party/index.md rename to spring-boot-admin-docs/src/site/docs/06-customization/index.md index 670f6784091..e0a71bdd4b7 100644 --- a/spring-boot-admin-docs/src/site/docs/third-party/index.md +++ b/spring-boot-admin-docs/src/site/docs/06-customization/index.md @@ -1,5 +1,5 @@ import DocCardList from '@theme/DocCardList'; -# Third Party Integrations +# Customization
• service-a (env=prod)
• service-b (env=dev)
• service-c (env=prod)
• service-d (env=test)"] --> B["InstanceFilter
filter(instance) {
return 'prod'.equals(
instance.getMetadata().get('env')
);
}"] + B --> C["Visible Instances
• service-a (env=prod)
• service-c (env=prod)"] +``` + +--- + +## Default Behavior + +By default, **all instances are visible**: + +```java +@Bean +@ConditionalOnMissingBean +public InstanceFilter instanceFilter() { + return instance -> true; // Accept all instances +} +``` + +--- + +## InstanceFilter Interface + +```java +package de.codecentric.boot.admin.server.services; + +import de.codecentric.boot.admin.server.domain.entities.Instance; + +@FunctionalInterface +public interface InstanceFilter { + + /** + * Test if instance should be visible + * @param instance the instance to filter + * @return true if instance should be included, false to exclude + */ + boolean filter(Instance instance); + +} +``` + +--- + +## How It Works + +`InstanceFilter` is applied by `InstanceRegistry`: + +```java +public Flux
POST /instances
{managementUrl: 'http://client:8080/actuator'}"] --> B[EndpointDetector] + B --> C["1. QueryIndexEndpointStrategy
GET /actuator → Read _links"] + B --> D["2. Fallback ProbeEndpointsStrategy
OPTIONS /actuator/health → 200 OK
OPTIONS /actuator/metrics → 200 OK
OPTIONS /actuator/info → 200 OK"] + C --> E["Instance.endpoints updated
{health, info, metrics, env, loggers, ...}"] + D --> E +``` + +--- + +## Default Behavior + +By default, Admin Server uses a **ChainingStrategy** that: + +1. First tries **QueryIndexEndpointStrategy** (Spring Boot 2.x+ with `/actuator` index) +2. Falls back to **ProbeEndpointsStrategy** (Spring Boot 1.x or if index query fails) + +**AdminServerAutoConfiguration.java**: + +```java +@Bean +@ConditionalOnMissingBean +public EndpointDetectionStrategy endpointDetectionStrategy( + InstanceWebClient instanceWebClient, + AdminServerProperties adminServerProperties, + ApiMediaTypeHandler apiMediaTypeHandler) { + + return new ChainingStrategy( + new QueryIndexEndpointStrategy(instanceWebClient, apiMediaTypeHandler), + new ProbeEndpointsStrategy(instanceWebClient, + adminServerProperties.getProbedEndpoints()) + ); +} +``` + +--- + +## QueryIndexEndpointStrategy + +Queries the actuator index at `/actuator` to discover endpoints. + +### How It Works + +**Request**: + +```http +GET /actuator HTTP/1.1 +Accept: application/vnd.spring-boot.actuator.v3+json +``` + +**Response**: + +```json +{ + "_links": { + "self": { + "href": "http://localhost:8080/actuator", + "templated": false + }, + "health": { + "href": "http://localhost:8080/actuator/health", + "templated": false + }, + "info": { + "href": "http://localhost:8080/actuator/info", + "templated": false + }, + "metrics": { + "href": "http://localhost:8080/actuator/metrics/{requiredMetricName}", + "templated": true + } + } +} +``` + +**Extracted Endpoints**: + +- `health` → `http://localhost:8080/actuator/health` +- `info` → `http://localhost:8080/actuator/info` +- `metrics` is **excluded** (templated) + +### Use Only QueryIndexEndpointStrategy + +```java +package com.example.admin; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import de.codecentric.boot.admin.server.services.ApiMediaTypeHandler; +import de.codecentric.boot.admin.server.services.endpoints.EndpointDetectionStrategy; +import de.codecentric.boot.admin.server.services.endpoints.QueryIndexEndpointStrategy; +import de.codecentric.boot.admin.server.web.client.InstanceWebClient; + +@Configuration +public class EndpointDetectionConfig { + + @Bean + public EndpointDetectionStrategy endpointDetectionStrategy( + InstanceWebClient instanceWebClient, + ApiMediaTypeHandler apiMediaTypeHandler) { + + return new QueryIndexEndpointStrategy(instanceWebClient, apiMediaTypeHandler); + } +} +``` + +**When to use**: + +- All clients are Spring Boot 2.x or newer +- `/actuator` index is available on all clients +- Want fastest detection + +--- + +## ProbeEndpointsStrategy + +Probes individual endpoints using HTTP OPTIONS requests. + +### How It Works + +For each endpoint in the probed list: + +```http +OPTIONS /actuator/health HTTP/1.1 +``` + +If response is `2xx`, the endpoint is considered available. + +### Configuration + +**application.yml**: + +```yaml +spring: + boot: + admin: + probed-endpoints: + - health + - info + - metrics + - env + - loggers + - logfile + - threaddump + - heapdump +``` + +### Custom Endpoint Paths + +If endpoint ID differs from path, use `id:path` syntax: + +```yaml +spring: + boot: + admin: + probed-endpoints: + - health:ping # Endpoint ID "health" at path "/actuator/ping" + - metrics:stats # Endpoint ID "metrics" at path "/actuator/stats" + - custom:my-custom # Endpoint ID "custom" at path "/actuator/my-custom" +``` + +### Use Only ProbeEndpointsStrategy + +```java +package com.example.admin; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import de.codecentric.boot.admin.server.config.AdminServerProperties; +import de.codecentric.boot.admin.server.services.endpoints.EndpointDetectionStrategy; +import de.codecentric.boot.admin.server.services.endpoints.ProbeEndpointsStrategy; +import de.codecentric.boot.admin.server.web.client.InstanceWebClient; + +@Configuration +public class EndpointDetectionConfig { + + @Bean + public EndpointDetectionStrategy endpointDetectionStrategy( + InstanceWebClient instanceWebClient, + AdminServerProperties properties) { + + return new ProbeEndpointsStrategy( + instanceWebClient, + properties.getProbedEndpoints() + ); + } +} +``` + +**When to use**: + +- Supporting Spring Boot 1.x applications +- Actuator index is disabled/unavailable +- Need to detect specific custom endpoints + +--- + +## ChainingStrategy + +Combines multiple strategies with fallback. + +### How It Works + +Tries strategies in order until one succeeds: + +```java +ChainingStrategy( + new QueryIndexEndpointStrategy(...), // Try first + new ProbeEndpointsStrategy(...) // Fallback +) +``` + +If first strategy returns empty, tries next strategy. + +### Custom Chaining + +```java +package com.example.admin; + +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import de.codecentric.boot.admin.server.config.AdminServerProperties; +import de.codecentric.boot.admin.server.services.ApiMediaTypeHandler; +import de.codecentric.boot.admin.server.services.endpoints.ChainingStrategy; +import de.codecentric.boot.admin.server.services.endpoints.EndpointDetectionStrategy; +import de.codecentric.boot.admin.server.services.endpoints.ProbeEndpointsStrategy; +import de.codecentric.boot.admin.server.services.endpoints.QueryIndexEndpointStrategy; +import de.codecentric.boot.admin.server.web.client.InstanceWebClient; + +@Configuration +public class EndpointDetectionConfig { + + @Bean + public EndpointDetectionStrategy endpointDetectionStrategy( + InstanceWebClient instanceWebClient, + AdminServerProperties properties, + ApiMediaTypeHandler apiMediaTypeHandler) { + + return new ChainingStrategy( + new QueryIndexEndpointStrategy(instanceWebClient, apiMediaTypeHandler), + new ProbeEndpointsStrategy(instanceWebClient, properties.getProbedEndpoints()), + new CustomEndpointStrategy() // Your custom strategy as last resort + ); + } +} +``` + +--- + +## Custom EndpointDetectionStrategy + +Implement `EndpointDetectionStrategy` interface for custom detection logic. + +### Interface + +```java +package de.codecentric.boot.admin.server.services.endpoints; + +import reactor.core.publisher.Mono; + +import de.codecentric.boot.admin.server.domain.entities.Instance; +import de.codecentric.boot.admin.server.domain.values.Endpoints; + +public interface EndpointDetectionStrategy { + + Mono
Port 8761] -->|Service Registry| AS[Admin Server
Port 8080] + ES -->|Service Registry| MA[Monitored Apps] +``` + +**Key Points**: + +1. Applications register with Eureka +2. Admin Server discovers applications from Eureka +3. No direct registration needed + +## Running the Sample + +### Option 1: With External Eureka Server + +#### Start Eureka Server + +```bash +# Using Docker +docker run -d -p 8761:8761 springcloud/eureka + +# Or using Spring Cloud Eureka server JAR +java -jar eureka-server.jar +``` + +Verify Eureka is running: `http://localhost:8761` + +#### Start Admin Server + +```bash +cd spring-boot-admin-samples/spring-boot-admin-sample-eureka +mvn spring-boot:run +``` + +Access Admin UI at: `http://localhost:8080` + +### Option 2: Using Docker Compose (Recommended) + +```bash +cd spring-boot-admin-samples/spring-boot-admin-sample-eureka +docker-compose up +``` + +This starts: + +- Eureka Server (port 8761) +- Admin Server (port 8080) +- Spring Cloud Config Server (port 8888) +- Sample microservices (customers, stores) +- Supporting infrastructure (MongoDB, RabbitMQ) + +**Access Points**: + +- Admin UI: `http://localhost:8080` +- Eureka UI: `http://localhost:8761` +- Config Server: `http://localhost:8888` +- Sample App UI: `http://localhost:80` + +### Change Eureka URL + +```bash +mvn spring-boot:run -Dspring-boot.run.arguments=\ + --eureka.client.serviceUrl.defaultZone=http://other-eureka:8761/eureka/ +``` + +Or set environment variable: + +```bash +export EUREKA_SERVICE_URL=http://other-eureka:8761 +mvn spring-boot:run +``` + +## Project Structure + +### Dependencies + +```xml +
+
+
+ This application has the following instances:
+
+
+
+
+
+
+
+```
+
+**Key Features**:
+
+- Access to `SBA.useApplicationStore()` for application data
+- Global SBA components (`sba-panel`, `sba-status`, `sba-tag`)
+- Reactive data from Vuex store
+- Tailwind CSS classes for styling
+
+## Available SBA Components
+
+Global components you can use without importing:
+
+- `-
+
+
-
+
+
+
+
+ +
+
+
My custom view
+
+```
+
+### 2. Build
+
+```bash
+mvn clean package
+```
+
+### 3. Use in Application
+
+```xml
+
+
+
+
+
+```
+
+## Key Takeaways
+
+✅ **Full Customization**: Add any Vue component to UI
+✅ **SBA Integration**: Access stores, components, APIs
+✅ **Maven Integration**: Build with Maven
+✅ **Reusable**: Package as library for multiple projects
+
+## Next Steps
+
+- [UI Customization Guide](../06-customization/ui/)
+- [Servlet Sample](./10-sample-servlet.md) (uses this extension)
+
+## See Also
+
+- [Vue.js Documentation](https://vuejs.org/)
diff --git a/spring-boot-admin-docs/src/site/docs/09-samples/_category_.json b/spring-boot-admin-docs/src/site/docs/09-samples/_category_.json
new file mode 100644
index 00000000000..0abc048fd0e
--- /dev/null
+++ b/spring-boot-admin-docs/src/site/docs/09-samples/_category_.json
@@ -0,0 +1,4 @@
+{
+ "position": 9,
+ "label": "Samples"
+}
diff --git a/spring-boot-admin-docs/src/site/docs/09-samples/index.md b/spring-boot-admin-docs/src/site/docs/09-samples/index.md
new file mode 100644
index 00000000000..d2469d07943
--- /dev/null
+++ b/spring-boot-admin-docs/src/site/docs/09-samples/index.md
@@ -0,0 +1,278 @@
+---
+
+sidebar_position: 70
+sidebar_custom_props:
+ icon: 'file-code'
+---
+
+# Sample Projects
+
+Spring Boot Admin includes several sample projects demonstrating different deployment scenarios and integration
+patterns. These samples provide working examples you can use as starting points for your own implementations.
+
+## Available Samples
+
+### Basic Deployments
+
+- **[Servlet Sample](./10-sample-servlet.md)** - Traditional servlet-based deployment with security
+- **[Reactive Sample](./20-sample-reactive.md)** - WebFlux reactive deployment
+
+### Service Discovery
+
+- **[Eureka Sample](./30-sample-eureka.md)** - Netflix Eureka integration
+- **[Consul Sample](./40-sample-consul.md)** - HashiCorp Consul integration
+- **[Zookeeper Sample](./50-sample-zookeeper.md)** - Apache Zookeeper integration
+
+### Advanced
+
+- **[Hazelcast Sample](./60-sample-hazelcast.md)** - Clustered deployment with Hazelcast
+- **[Custom UI Sample](./70-sample-custom-ui.md)** - Custom UI extensions and branding
+
+## Repository Location
+
+All samples are available in
+the [Spring Boot Admin GitHub repository](https://github.com/codecentric/spring-boot-admin/tree/master/spring-boot-admin-samples):
+
+```
+spring-boot-admin-samples/
+├── spring-boot-admin-sample-servlet/
+├── spring-boot-admin-sample-reactive/
+├── spring-boot-admin-sample-war/
+├── spring-boot-admin-sample-eureka/
+├── spring-boot-admin-sample-consul/
+├── spring-boot-admin-sample-zookeeper/
+├── spring-boot-admin-sample-hazelcast/
+└── spring-boot-admin-sample-custom-ui/
+```
+
+## Running the Samples
+
+### Prerequisites
+
+- Java 17 or higher
+- Maven 3.6 or higher
+- Docker (optional, for some samples)
+
+### Build All Samples
+
+```bash
+git clone https://github.com/codecentric/spring-boot-admin.git
+cd spring-boot-admin
+mvn clean install -DskipTests
+```
+
+### Run Individual Sample
+
+```bash
+cd spring-boot-admin-samples/spring-boot-admin-sample-servlet
+mvn spring-boot:run
+```
+
+Access the Admin UI at: `http://localhost:8080`
+
+### Default Credentials
+
+Most secured samples use:
+
+- **Username**: `user`
+- **Password**: Check console output or `application.yml`
+
+## Sample Features Comparison
+
+| Feature | Servlet | Reactive | Eureka | Consul | Zookeeper | Hazelcast | Custom UI | WAR |
+|-------------------|---------|----------|---------|---------|-----------|-----------|-----------|---------|
+| Web Stack | Servlet | WebFlux | Servlet | Servlet | Servlet | Servlet | Servlet | Servlet |
+| Security | ✅ | ✅ | ✅ | ✅ | - | - | - | - |
+| Service Discovery | Static | Static | Eureka | Consul | Zookeeper | Static | Static | Static |
+| Clustering | - | - | - | - | - | ✅ | - | - |
+| Custom UI | - | - | - | - | - | - | ✅ | - |
+| JMX Support | ✅ | - | - | - | - | - | - | ✅ |
+| Notifications | ✅ | - | - | - | - | - | - | - |
+
+## Common Configuration
+
+All samples share common patterns:
+
+### Actuator Configuration
+
+```yaml
+management:
+ endpoints:
+ web:
+ exposure:
+ include: "*"
+ endpoint:
+ health:
+ show-details: ALWAYS
+```
+
+### Logging Configuration
+
+```yaml
+logging:
+ file:
+ name: "target/boot-admin-sample.log"
+ pattern:
+ file: "%clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(%5p) %clr(${PID}){magenta} %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %m%n%wEx"
+```
+
+### Build Info
+
+All samples generate build information:
+
+```xml
+