Flowable Actuators
Spring Boot Actuators
As a Spring Boot 2 application, Flowable Engage supports Spring Boot Actuators, which provide production-ready features such as health and metrics endpoints.
To get Spring Boot's base actuator support, add the Spring Boot actuator dependency (if it was not already added by selecting it in the Spring Initializr):
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
Additional configuration properties in the application.properties file are needed to make the actuator endpoints accessible:
    # Enable actuator endpoints over HTTP
    management.endpoints.web.exposure.include=*
    management.endpoint.health.show-details=ALWAYS
Actuator endpoints are queried by opening the following URLs in the browser:
For a full list of endpoints please check the Spring Boot Actuator documentation. Also remember to adjust the host and port as needed for your site.
Flowable Actuator Extensions
Flowable provides additional extensions to the default Spring Boot Actuators, which are enabled by adding the following dependency:
    <dependency>
        <groupId>com.flowable.platform</groupId>
        <artifactId>flowable-platform-actuate-autoconfigure</artifactId>
    </dependency>
Adding this dependency adds a health endpoint at:
which provides information about the health of the connected Elasticsearch cluster.
Securing the Actuator Endpoints
To secure the endpoints provided by the actuators, some additional Spring Security configuration code is needed. This is accomplished by adding a file named SecurityActuatorConfiguration.java to your Spring Boot project. The Java file contains the following code:
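    import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
    import org.springframework.boot.actuate.health.HealthEndpoint;
    import org.springframework.boot.actuate.info.InfoEndpoint;
    import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    // ActuatorRequestMatcher and SecurityConstants are not part of Spring; import them from the Flowable libraries on your classpath.

    @ConditionalOnClass(EndpointRequest.class)
    @Configuration
    @Order(6) // Actuator configuration should kick in before the form login; there should always be HTTP basic for the endpoints
    public class SecurityActuatorConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // No HTTP session is created and CSRF protection is disabled for this filter chain
            http
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .csrf()
                    .disable();
            // Applies only to actuator requests: info and health are open, every other endpoint needs the actuator authority
            http
                .requestMatcher(new ActuatorRequestMatcher())
                .authorizeRequests()
                    .requestMatchers(EndpointRequest.to(InfoEndpoint.class, HealthEndpoint.class)).permitAll()
                    .requestMatchers(EndpointRequest.toAnyEndpoint()).hasAuthority(SecurityConstants.ACCESS_ACTUATORS)
                    .anyRequest().denyAll()
                .and().httpBasic();
        }
    }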
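This allows unauthenticated access to the health and info endpoints and requires HTTP basic authentication, with the SecurityConstants.ACCESS_ACTUATORS authority, for the other actuator endpoints. With management.endpoint.health.show-details=ALWAYS as configured above, the health details are therefore also returned to unauthenticated callers.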
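A narrower application.properties to pair with this security configuration, shown beside the page's settings. This is an added example, not part of the Flowable documentation; the endpoint list health,info,metrics is an assumption and should be replaced with the endpoints your monitoring actually consumes.

```properties
# Page's setting: every enabled endpoint is reachable over HTTP
# (for example env, beans and heapdump), protected only by the
# security configuration.
# management.endpoints.web.exposure.include=*
#
# Narrower alternative: expose only what is consumed. Endpoints that are
# not listed are not mapped at all, so a mistake in the security
# configuration cannot open them.
# (Assumed list; adjust to your monitoring setup.)
management.endpoints.web.exposure.include=health,info,metrics

# Page's setting: component details are returned to every caller. The
# security configuration above permits health without authentication,
# so anonymous callers receive the details as well.
# management.endpoint.health.show-details=ALWAYS
#
# Narrower alternative: anonymous callers receive only the aggregate
# status (UP/DOWN); callers that authenticate with HTTP basic receive
# the component details.
management.endpoint.health.show-details=when-authorized
```

With these values, load balancers and uptime probes can still poll the health endpoint without credentials, while the component details require the same HTTP basic login as the other endpoints.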