[Console] Require authentication for actuator/metrics and warn on H2 default credentials #4388

Description

@shangeyao

Problem

  • /actuator/**, /h2-console/**, and /metrics/** are currently anonymous in Shiro, exposing management endpoints without authentication
  • H2 dev profile seeds a default admin password (streampark) without a startup warning

Proposed solution

  • Keep /actuator/health and /actuator/info anonymous for probes; require JWT for other actuator, H2 console, and metrics endpoints
  • Log a startup WARN when H2 embedded database is detected
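
An added example, not part of the original issue or the project's code: a check that the proposed rule ordering resolves as intended, since Shiro applies the first path pattern that matches a request. It assumes `shiro-core` on the classpath and that the application's JWT filter is registered under the name `jwt`; the class name and sample paths are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.shiro.util.AntPathMatcher;

public class ChainOrderCheck {
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Proposed rules; insertion order is evaluation order. */
    static Map<String, String> proposedChain() {
        Map<String, String> chain = new LinkedHashMap<>();
        chain.put("/actuator/health", "anon"); // probes stay anonymous
        chain.put("/actuator/info", "anon");
        chain.put("/actuator/**", "jwt");      // "jwt": assumed filter name
        chain.put("/h2-console/**", "jwt");
        chain.put("/metrics/**", "jwt");
        return chain;
    }

    /** First matching pattern wins, as in Shiro's path-based chain resolution. */
    static String resolve(Map<String, String> chain, String path) {
        for (Map.Entry<String, String> rule : chain.entrySet()) {
            if (MATCHER.matches(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "none"; // no Shiro chain applies to this path
    }

    public static void main(String[] args) {
        // Constructed sample paths with the filter each one must resolve to.
        String[][] expected = {
            {"/actuator/health", "anon"},
            {"/actuator/info", "anon"},
            {"/actuator/loggers", "jwt"},
            {"/h2-console/login.do", "jwt"},
            {"/metrics/jvm", "jwt"},
        };
        Map<String, String> chain = proposedChain();
        for (String[] row : expected) {
            String actual = resolve(chain, row[0]);
            System.out.printf("%-24s -> %s%n", row[0], actual);
            if (!actual.equals(row[1])) {
                throw new IllegalStateException(row[0] + " resolved to " + actual);
            }
        }
    }
}
```

If `/actuator/**` were listed ahead of the two `anon` entries, the health and info probes would resolve to `jwt` and the check would fail, which makes it usable as a regression test for the rule ordering.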
