
The effect upon Actuator of defining your own SecurityFilterChain is documented inconsistently #41569

@criztovyl

Description

It seems this statement in the docs is wrong or confusing (emphasis mine):

> add a bean of type SecurityFilterChain (doing so does not disable [...] or Actuator's security).

Full sentence from the docs:

> To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type `SecurityFilterChain` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).

If you create a new Spring Boot 3 application like this

https://start.spring.io/#!type=gradle-project&language=java&platformVersion=3.3.2&packaging=jar&jvmVersion=17&groupId=com.example&artifactId=demo&name=demo&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.demo&dependencies=security,web,actuator

with the default configuration, the actuator is secured:

```
$ curl -f http://localhost:8080/actuator -w "\n"
curl: (22) The requested URL returned error: 401
```

but when adding a `SecurityFilterChain` like this

```java
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    // No securityMatcher: this single chain handles every request, /actuator included
    http.authorizeHttpRequests(req ->
            req.anyRequest().permitAll()
    );
    return http.build();
}
```

or this

```java
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    // Only matches /app; /actuator is then matched by no chain at all
    http
            .securityMatcher("/app")
            .authorizeHttpRequests(req ->
                    req.anyRequest().permitAll()
            );
    return http.build();
}
```

security is gone:

```
$ curl -f http://localhost:8080/actuator -w "\n"
{"_links":{"self":{"href":"http://localhost:8080/actuator","templated":false},"health":{"href":"http://localhost:8080/actuator/health","templated":false},"health-path":{"href":"http://localhost:8080/actuator/health/{*path}","templated":true}}}
```

Activity

changed the title from "wrong docs on Security auto configuration, custom SecurityFilterChain and Actuator Security?" to "Documentation that describes the effect upon Actuator of defining your own SecurityFilterChain is inaccurate" on Jul 22, 2024
added this to the 3.2.x milestone on Jul 22, 2024
wilkinsona (Member) commented on Jul 22, 2024

Thanks for spotting and reporting this, @criztovyl. You're right that the docs are wrong. The javadoc for `ManagementWebSecurityAutoConfiguration` describes things accurately:

```java
 * on the classpath. It allows unauthenticated access to the {@link HealthEndpoint}. If
 * the user specifies their own {@link SecurityFilterChain} bean, this will back-off
 * completely and the user should specify all the bits that they want to configure as part
 * of the custom security configuration.
```

changed the title from "Documentation that describes the effect upon Actuator of defining your own SecurityFilterChain is inaccurate" to "The effect upon Actuator of defining your own SecurityFilterChain is documented inconsistently" on Jul 29, 2024

wilkinsona (Member) commented on Jul 29, 2024

The Actuator security documentation is accurate:

> If Spring Security is on the classpath and no other `SecurityFilterChain` bean is present, all actuators other than `/health` are secured by Spring Boot auto-configuration.
> If you define a custom `SecurityFilterChain` bean, Spring Boot auto-configuration backs off and lets you fully control the actuator access rules.

We need to make things consistent.
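As an added example (not code from this issue, the reporter, or the Spring Boot project), the following configuration shows one way to define your own `SecurityFilterChain` without losing actuator protection: a dedicated chain for the actuator endpoints, ordered ahead of the application chain, restates the rules the auto-configuration stops providing once any `SecurityFilterChain` bean exists. It assumes the Spring Boot 3.3 project linked in the report (`security`, `web`, `actuator` starters, package `com.example.demo`) and that the auto-configured or your own `UserDetailsService` supplies the credentials; the class name `SecurityConfig`, the bean names and the `/public/**` path are assumptions.

```java
// Added example, not code from the issue or from Spring Boot itself.
// Assumes Spring Boot 3.3.x with spring-boot-starter-security, -web and
// -actuator, and a UserDetailsService (auto-configured or custom) for logins.
package com.example.demo;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    // Chain 1 (evaluated first): actuator endpoints only. Because defining any
    // SecurityFilterChain bean makes ManagementWebSecurityAutoConfiguration back
    // off, its rules are restated here: /actuator/health stays open, every other
    // endpoint under the actuator base path requires an authenticated user.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(req -> req
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: the application. It has no securityMatcher, so it catches every
    // request the actuator chain did not claim. A chain limited to "/app" (the
    // report's second snippet) would leave /actuator matched by no chain at all,
    // i.e. unsecured, which is why the actuator chain above is declared explicitly.
    @Bean
    @Order(2)
    SecurityFilterChain applicationSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(req -> req
                .requestMatchers("/", "/public/**").permitAll() // assumed public paths
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

With this in place, the `curl -f http://localhost:8080/actuator` check from the report returns `401` again, while `curl -f http://localhost:8080/actuator/health` still succeeds. `EndpointRequest.toAnyEndpoint()` follows `management.endpoints.web.base-path`, so the matcher keeps working if the base path is changed, which a hard-coded `"/actuator/**"` pattern would not.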

self-assigned this on Jul 29, 2024
modified the milestones: 3.2.x, 3.2.9 on Jul 29, 2024
added a commit that references this issue on Jul 29, 2024: 9f1c4b7