Remove Spring Boot Admin to make this project's code simpler

Author: miguno

README.md

@@ -33,15 +33,6 @@ Features:
   at endpoint [/actuator](http://localhost:8123/actuator), e.g. for
   [healthchecks](http://localhost:8123/actuator/health) or [Prometheus
   metrics](http://localhost:8123/actuator/prometheus)
-- Integrates [Spring Boot
-  Admin](https://github.com/codecentric/spring-boot-admin) at endpoint
-  [`/admin`](http://localhost:8123/admin) to inspect the running application.
-  Login with username `admin` and password `admin`.<br />
-  <a href="https://github.com/miguno/java-docker-build-tutorial/raw/main/images/spring-boot-admin-dashboard.png"><img src="https://github.com/miguno/java-docker-build-tutorial/raw/main/images/spring-boot-admin-dashboard.png" alt="Spring Boot Admin screenshot" width="300"></a><br />
-  Note that, in production, [it is recommended to
-  separate the SBA server](https://docs.spring-boot-admin.com/current/faq.html)
-  from your application (the SBA client), unlike what this project does for
-  demonstration purposes.
 - Maven for build management (see [pom.xml](pom.xml)), using
   [Maven Wrapper](https://github.com/apache/maven-wrapper)
 - [GitHub Actions workflows](https://github.com/miguno/java-docker-build-tutorial/actions) for

src/main/java/com/miguno/javadockerbuild/controllers/RootController.java

@@ -42,7 +42,6 @@ public String root() {
           <li><a href="/welcome"><code>/welcome</code></a> &mdash; this app's example endpoint</li>
           <li><a href="/actuator/health"><code>/actuator/health</code></a> &mdash; Spring built-in feature</li>
           <li><a href="/actuator/prometheus"><code>/actuator/prometheus</code></a> &mdash; Spring built-in feature</li>
-          <li><a href="/admin">Spring Boot Admin dashboard</a> <strong>(requires login, see below)</strong></li>
           <li><a href="/swagger-ui.html">Swagger UI</a></li>
         </ul>
         <h2>User Accounts</h2>

src/main/java/com/miguno/javadockerbuild/routes/AdminRedirector.java

@@ -2,9 +2,7 @@
 
 import java.util.UUID;
 
-import de.codecentric.boot.admin.server.config.AdminServerProperties;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
-import jakarta.servlet.DispatcherType;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.context.annotation.Bean;
@@ -24,16 +22,11 @@
 import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
-import static org.springframework.http.HttpMethod.DELETE;
-import static org.springframework.http.HttpMethod.POST;
-
 /** Secures the endpoints of this application. */
 @Configuration(proxyBeanMethods = false)
 @EnableWebSecurity
 public class AppSecurityConfiguration {
 
-  private final AdminServerProperties adminServer;
-
   @Value("${app.spring-boot-admin.role.user.name}")
   private String roleUserName;
 
@@ -47,9 +40,7 @@ public class AppSecurityConfiguration {
   private String roleAdminPassword;
 
   @SuppressFBWarnings("EI_EXPOSE_REP2")
-  public AppSecurityConfiguration(AdminServerProperties adminServer, SecurityProperties security) {
-    this.adminServer = adminServer;
-  }
+  public AppSecurityConfiguration(SecurityProperties security) {}
 
   /**
    * Applies security policies such as authentication requirements to endpoints.
@@ -63,7 +54,7 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     SavedRequestAwareAuthenticationSuccessHandler successHandler =
         new SavedRequestAwareAuthenticationSuccessHandler();
     successHandler.setTargetUrlParameter("redirectTo");
-    successHandler.setDefaultTargetUrl(this.adminServer.path("/"));
+    successHandler.setDefaultTargetUrl("/");
 
     // NOTE: In this project, the Spring Boot Admin server and client are colocated in the same
     //       application for demonstration purposes. In production, you would typically not do that
@@ -77,20 +68,6 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     http.authorizeHttpRequests(
             (authorizeRequests) ->
                 authorizeRequests
-                    //// For the Spring Boot Admin server.
-                    .requestMatchers(
-                        // Permit public access to all static assets.
-                        new AntPathRequestMatcher(this.adminServer.path("/assets/**")),
-                        // Permit public access to the login page.
-                        new AntPathRequestMatcher(this.adminServer.path("/login")))
-                    .permitAll()
-                    // Permit asynchronous processing of a request without requiring authentication.
-                    // FIXME: Permitting any async requests as a workaround appears dangerous.
-                    // https://github.com/spring-projects/spring-security/issues/11027 (from 2022)
-                    .dispatcherTypeMatchers(DispatcherType.ASYNC)
-                    .permitAll()
-
-                    //// For the Spring Boot Admin client (the "real" app being developed).
                     .requestMatchers(
                         new AntPathRequestMatcher("/"),
                         // Permit public access to this app's example endpoint at `/welcome`.
@@ -103,16 +80,9 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                         new AntPathRequestMatcher("/actuator/info"),
                         new AntPathRequestMatcher("/actuator/prometheus"))
                     .permitAll()
-
-                    //// Applies to both SBA server and clients.
                     // All other requests must be authenticated.
                     .anyRequest()
                     .authenticated())
-        // For Spring Boot Admin server: enables form-based login and logout.
-        .formLogin(
-            (formLogin) ->
-                formLogin.loginPage(this.adminServer.path("/login")).successHandler(successHandler))
-        .logout((logout) -> logout.logoutUrl(this.adminServer.path("/logout")))
         // Enables HTTP Basic Authentication support.
         .httpBasic(Customizer.withDefaults());
 
@@ -121,20 +91,7 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         .csrf(
             (csrf) ->
                 csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
-                    .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
-                    .ignoringRequestMatchers(
-                        //// For the Spring Boot Admin server.
-                        // Disables CSRF-Protection for the SBA server's endpoints that the SBA
-                        // client uses to (de-)register.
-                        new AntPathRequestMatcher(
-                            this.adminServer.path("/instances"), POST.toString()),
-                        new AntPathRequestMatcher(
-                            this.adminServer.path("/instances/*"), DELETE.toString()),
-
-                        //// For the Spring Boot Admin client.
-                        // Disables CSRF-Protection for the SBA client's actuator endpoints that
-                        // the SBA server uses to collect metrics.
-                        new AntPathRequestMatcher("/actuator/**")));
+                    .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()));
 
     http.rememberMe(
         (rememberMe) -> rememberMe.key(UUID.randomUUID().toString()).tokenValiditySeconds(1209600));
@@ -145,14 +102,6 @@ protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
   /** Required to provide UserDetailsService for "remember functionality". */
   @Bean
   public InMemoryUserDetailsManager userDetailsService(PasswordEncoder passwordEncoder) {
-    // NOTE: Because this example project runs the Spring Boot Admin server and client in the same
-    //       application, both the server's secured (with HTTP Basic Authentication) SBA API
-    //       endpoint and the client's Spring actuator endpoints coincidentally require exactly the
-    //       same username/password combination.
-    //       In production, this is not recommended. See the recommendations of Spring Boot Admin at
-    //       https://docs.spring-boot-admin.com/current/faq.html.
-    //       Instead, in production you would separate clients from the server, and thus different
-    //       username/password combinations can be used.
     // NOTE: HTTP Basic Authentication itself is not recommended for production.
     UserDetails user =
         User.withUsername(roleUserName)

src/main/java/com/miguno/javadockerbuild/security/AppSecurityConfiguration.java

@@ -31,50 +31,3 @@ server.port=8123
 management.endpoints.web.exposure.include=*
 # Enable the env contributor.
 management.info.env.enabled=true
-
-################################################################################
-# Spring Boot Admin                                                            #
-################################################################################
-### Spring Boot Admin: server settings
-spring.boot.admin.context-path=admin
-spring.boot.admin.ui.title=Spring Boot Admin (user: ${app.spring-boot-admin.role.admin.name}, password: ${app.spring-boot-admin.role.admin.password})
-spring.boot.admin.instance-auth.enabled=true
-# Default username to use if SBA Client actuator endpoints are protected with
-# HTTP Basic authentication.
-#
-# Used as fallback when the server attempts to collect metrics from a secured
-# client in the case that the client, upon its own registration with the server,
-# did not provide a particular username and password for the server to use.
-# Clients can pass such metadata to servers so that a server can "personalize"
-# its communication with a client. Here, the client would do this by setting
-# `spring.boot.admin.client.instance.metadata.user.name` and
-# `spring.boot.admin.client.instance.metadata.user.password` in its
-# `application.properties`.
-#spring.boot.admin.instance-auth.default-user-name=${app.spring-boot-admin.role.user.name}
-# Same as `spring.boot.admin.instance-auth.default-user-name`, but for the
-# password.
-#spring.boot.admin.instance-auth.default-password=${app.spring-boot-admin.role.user.password}
-
-### Spring Boot Admin: client settings
-spring.boot.admin.client.enabled=true
-# The URL of the Spring Boot Admin server that the client uses to register
-# itself.
-spring.boot.admin.client.url=http://localhost:${server.port}/admin
-# Username if SBA server API is protected with HTTP Basic Authentication.
-# Used when the client registers itself with a secured SBA server.
-spring.boot.admin.client.username=${app.spring-boot-admin.role.user.name}
-# Password if SBA server API is protected with HTTP Basic Authentication.
-# Used when the client registers itself with a secured SBA server.
-spring.boot.admin.client.password=${app.spring-boot-admin.role.user.password}
-# The URL of the Spring Boot Admin client that is used by the server to collect
-# metrics.
-spring.boot.admin.client.instance.service-base-url=http://localhost:${server.port}/
-# Part of the metadata passed from the SBA client to the SBA server. Here, the
-# SBA client tells the SBA server: "When you (server) are connecting to my
-# (client) actuator endpoints (like `/actuator/health`) to fetch metrics etc.,
-# use the following username in case the actuator endpoints are protected by
-# HTTP Basic authentication."
-spring.boot.admin.client.instance.metadata.user.name=${app.spring-boot-admin.role.user.name}
-# Same as `spring.boot.admin.client.instance.metadata.user.name`, but for the
-# password.
-spring.boot.admin.client.instance.metadata.user.password=${app.spring-boot-admin.role.user.password}