
fix: add missing endpoints to the default list of probed endpoints #5361

Merged
SteKoe merged 1 commit into codecentric:master from cdprete:fix/missing-actuator-endpoints
May 14, 2026
Conversation

@cdprete cdprete commented May 14, 2026

This PR adds some missed endpoint IDs to the default list of probed endpoints configured in de.codecentric.boot.admin.server.config.AdminServerProperties#probedEndpoints

@cdprete cdprete requested a review from a team as a code owner May 14, 2026 16:40
@cdprete cdprete force-pushed the fix/missing-actuator-endpoints branch from 8380fbc to 7557f8f Compare May 14, 2026 16:41
SteKoe commented May 14, 2026

This is a false positive. The listed endpoint IDs are just valid and used for Spring Boot 1.x applications. The comment states it correctly:

> For Spring Boot 2.x applications the endpoints should be discovered automatically using the actuator links. For Spring Boot 1.x applications SBA probes for the specified endpoints using an OPTIONS request.

  1. EndpointDetector delegates to a ChainingStrategy (configured in AdminServerAutoConfiguration.java:139-148)
  2. The chain tries QueryIndexEndpointStrategy first -- this is the Spring Boot >= 2 path (e.g. /actuator). It queries the actuator HATEOAS index at the management URL and extracts endpoint links from the _links response.
  3. If that returns empty (e.g. for a Spring Boot 1.x app that has no HAL index), it falls back to ProbeEndpointsStrategy, which individually probes well-known endpoint paths via OPTIONS requests.

The fallback mechanism uses Mono.switchIfEmpty() in ChainingStrategy.java:25, so for a Spring Boot >= 2 app:

  • QueryIndexEndpointStrategy succeeds and returns discovered endpoints
  • ProbeEndpointsStrategy is never invoked

That's why I am reluctant to merge this PR as it will try to probe for endpoints that do not exist in Spring Boot 1.

cdprete commented May 14, 2026

If I remember correctly, the strategy may be configured or somehow mangled to use the probe-based one (e.g.: for security reasons) which then would miss some endpoints.
There was a ticket some months ago proving this (#5062).

> The listed endpoint IDs are just valid and used for Spring Boot 1.x applications.

The property is mutable, so if you really want to enforce them it should then be read-only.
Maybe its scope should be widened.

> That's why I am reluctant to merge this PR as it will try to probe for endpoints that do not exist in Spring Boot 1.

Of course, up to you.
I just thought it made sense (at least to me).

SteKoe commented May 14, 2026

> If I remember correctly, the strategy may be configured or somehow mangled to use the probe-based one (e.g.: for security reasons) which then would miss some endpoints.

Good catch! Thanks for pointing this out. Yes, when /actuator is, for whatever reason, blocked, then this fixed setup of possible actuators will help to overcome the missing HAL-response. Thank you :)

@SteKoe SteKoe merged commit e266dea into codecentric:master May 14, 2026
1 check passed
@cdprete cdprete deleted the fix/missing-actuator-endpoints branch May 14, 2026 21:29
cdprete commented May 14, 2026

You're welcome. ☺️
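
The fallback discussed in this thread, as an added, simplified Java model (not Spring Boot Admin's code): `Optional.or()` stands in for `Mono.switchIfEmpty()`, in-memory sets replace the HTTP calls, and the `Instance` record, method names and endpoint lists are constructed for illustration. It shows that an exposed endpoint missing from the probed list goes undetected once the index query returns empty.

```java
import java.util.*;

// Simplified model of the discovery chain; not Spring Boot Admin code.
public class EndpointDiscoveryModel {

    // Hypothetical stand-in for a registered application: the links its actuator
    // index returns (empty if /actuator is blocked) and the paths answering OPTIONS.
    record Instance(Map<String, String> indexLinks, Set<String> pathsAnsweringOptions) {}

    // Index strategy: empty result when the index yields no links.
    static Optional<Map<String, String>> queryIndex(Instance i) {
        return i.indexLinks().isEmpty() ? Optional.empty() : Optional.of(i.indexLinks());
    }

    // Probe strategy: only ids from the configured list are ever tried.
    // Entries are "id" or "id:path" when the path differs from the id.
    static Optional<Map<String, String>> probe(Instance i, List<String> probedEndpoints) {
        Map<String, String> found = new LinkedHashMap<>();
        for (String entry : probedEndpoints) {
            String[] parts = entry.split(":", 2);
            String path = parts.length == 2 ? parts[1] : parts[0];
            if (i.pathsAnsweringOptions().contains(path)) {
                found.put(parts[0], path);
            }
        }
        return found.isEmpty() ? Optional.empty() : Optional.of(found);
    }

    // Chain: the probe strategy runs only if the index strategy returned empty.
    static Map<String, String> detect(Instance i, List<String> probedEndpoints) {
        return queryIndex(i).or(() -> probe(i, probedEndpoints)).orElse(Map.of());
    }

    public static void main(String[] args) {
        // Constructed sample data; this is not the project's default list.
        Set<String> exposed = Set.of("health", "info", "loggers", "scheduledtasks");
        Map<String, String> links = new TreeMap<>();
        exposed.forEach(id -> links.put(id, id));
        List<String> configured = List.of("health", "info", "loggers");

        Instance indexReachable = new Instance(links, exposed);
        Instance indexBlocked = new Instance(Map.of(), exposed);

        System.out.println("index reachable: " + detect(indexReachable, configured).keySet());
        System.out.println("index blocked:   " + detect(indexBlocked, configured).keySet());
    }
}
```

With the index blocked, `scheduledtasks` is exposed by the sample instance but never reported, because it is absent from the configured probe list.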
