Created June 6, 2019 06:55

Ask questions and see you on July 1st, 6 PM CET:

Also check out the recent episode:


Please keep the questions Java EE-stic. That means: as short and as concise as possible. Feel free to ask several shorter questions.


AdamBien commented Jul 1, 2019

A framework from alumni:


mrbyte2001 commented Jul 2, 2019

Hi Adam

When running payara-micro/server using micro-profile, how do you go about implementing authentication for /health & /metrics programmatically?
The goal is to limit who can see metrics/health status, and to log (remote IP) if somebody who isn't allowed tries to do it.
What I'm really interested in is implementing it in a jar that can be added with --addjars. This is meant to be in our payara docker image, so that all the services require the same authentication. Basically to ensure you don't forget to add configuration to your application to enable it.


Does it make sense to hide health checks behind any security? Because you want to use them for your services in e.g. Kubernetes to restart pods if they become unavailable. I think you only need to keep them inside your network so that nobody can call http://yourserver/health from outside the cluster (e.g. with nginx or other possibilities).

For the metrics there is already a security configuration if you add

    <basicRegistry id="basic" realm="MicroProfileMetrics">
        <user name="admin" password="adminadmin"/>
        <user name="nonadmin" password="guest" />
    </basicRegistry>
    <administrator-role>
        <user>admin</user>
    </administrator-role>

to your server.xml, then only someone who can log in as admin can read it. Maybe there is also a configuration for JWT, but I didn't find any so far.
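
The network-level approach suggested above (keeping /health and /metrics reachable only from inside the cluster, and recording the remote IP of anyone else who tries) could look like this in nginx. This is an added example, not part of the original thread; the upstream address, the allowed CIDR ranges and the log path are assumptions to adapt.

```nginx
# Added example. Upstream address, CIDR ranges and log path are assumptions.
# Include inside the http { } context (e.g. a file under conf.d/).

# Assumed address of the Payara Micro instance behind the proxy.
upstream payara_backend {
    server 127.0.0.1:8080;
}

# Flag requests answered with 403 so they land in a dedicated audit log.
map $status $probe_denied {
    403     1;
    default 0;
}

# $remote_addr is the direct peer; behind another proxy or load balancer
# it is that hop's address unless the realip module is configured.
log_format probe_audit '$time_iso8601 client=$remote_addr '
                       'request="$request" status=$status';

server {
    listen 80;

    # Matches /health, /health/..., /metrics and /metrics/... only.
    location ~ ^/(health|metrics)(/|$) {
        allow 127.0.0.1;      # local checks
        allow 10.0.0.0/8;     # assumed cluster / node network
        deny  all;            # everyone else gets 403

        # Only rejected requests are written here, with the client address.
        access_log /var/log/nginx/probe_denied.log probe_audit if=$probe_denied;
        proxy_pass http://payara_backend;
    }

    # Application traffic is proxied unchanged.
    location / {
        proxy_pass http://payara_backend;
    }
}
```

Because the rule lives in the proxy rather than in each application, every service behind it gets the same restriction without per-application configuration.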
