Small question regarding how to use Spring Security in order to disable mTLS (two-way SSL) for particular endpoints, but only those specified, please?
Background: I have a Spring Boot WebFlux + Spring Security + Spring Actuator web app that has some business endpoints (example /business) and some non-business endpoints (example /health, /metrics, but also /custom-non-actuator-non-business).
The entire web app (hence the /business endpoint) MUST be over HTTPS. Tests have been performed and the business endpoints are validated.
Now, I would like to just expose those /health, /metrics and /custom-non-actuator-non-business endpoints, still over HTTPS (not HTTP), but allowing them to "skip" mTLS.
We would like to achieve this:
- by not disabling HTTPS for the entire app.
- by not disabling mTLS/SSL for the /business endpoints.
- by not exposing /health /metrics, /custom-non-actuator-non-business over HTTP, keeping HTTPS (no management.server.ssl.enabled=false for actuator, and we have a custom non actuator endpoint anyway)
- by not exposing different set of ports.
Is it possible to achieve this? And how, please?
Many thanks!
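One configuration that meets all four constraints, added here as an example and not part of the original question: since the client certificate is negotiated at the TLS handshake before any path is known, the trick is to make the certificate optional at the transport layer (`server.ssl.client-auth=want`) and then let Spring Security's reactive X.509 support decide per path whether a certificate-backed principal is required. It assumes Spring Boot 2.x/3.x with Spring Security WebFlux; the trust-store path and the `ROLE_MTLS_CLIENT` authority are assumptions.

```java
// application.properties (assumed): HTTPS stays on for the whole app on one port,
// but the client certificate becomes optional at the TLS handshake. A certificate
// that is presented is still validated against the trust store; only its absence
// is tolerated, and the application layer below decides per path.
//   server.ssl.enabled=true
//   server.ssl.client-auth=want
//   server.ssl.trust-store=classpath:truststore.p12      (hypothetical path)
//   server.ssl.trust-store-password=changeit

import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class MtlsPerPathSecurityConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            // Requests that carry a client certificate get a principal from its subject DN.
            // Requests without one yield no authentication (the X.509 converter returns
            // empty) and simply continue as anonymous to the authorization rules.
            .x509(x509 -> x509
                .principalExtractor(new SubjectDnX509PrincipalExtractor())
                .authenticationManager(certificateAuthenticationManager()))
            .authorizeExchange(exchanges -> exchanges
                // Reachable over HTTPS without a client certificate.
                .matchers(EndpointRequest.to("health", "metrics")).permitAll()
                .pathMatchers("/custom-non-actuator-non-business").permitAll()
                // Business traffic must come from a trusted client certificate.
                .pathMatchers("/business/**").hasRole("MTLS_CLIENT")
                .anyExchange().hasRole("MTLS_CLIENT"))
            .build();
    }

    private ReactiveAuthenticationManager certificateAuthenticationManager() {
        // Trust in the certificate was already established by the TLS layer, so this
        // only turns the extracted subject into an authenticated principal with the
        // assumed ROLE_MTLS_CLIENT authority that the rules above check.
        return authentication -> Mono.just(new PreAuthenticatedAuthenticationToken(
            authentication.getPrincipal(), authentication.getCredentials(),
            AuthorityUtils.createAuthorityList("ROLE_MTLS_CLIENT")));
    }
}
```

Note that a client presenting a certificate that does not chain to the trust store is still rejected at the handshake even with `want`, so /health and /metrics are open only to clients that present no certificate or a trusted one.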