
spring-boot-actuator error: Full authentication is required to access this resource

By default all sensitive HTTP endpoints are secured such that only users that have an ACTUATOR role may access them. 

Security is enforced using the standard HttpServletRequest.isUserInRole method.

  1. Use the management.security.roles property if you want something different to ACTUATOR.

If you are deploying applications behind a firewall, you may prefer that all your actuator endpoints can be accessed without requiring authentication. 

You can do this by changing the management.security.enabled property:

In application.properties:

management.security.enabled=false

  1. By default, actuator endpoints are exposed on the same port that serves regular HTTP traffic.
  2. Take care not to accidentally expose sensitive information if you change the management.security.enabled property.

If you’re deploying applications publicly, you may want to add ‘Spring Security’ to handle user authentication. 

When ‘Spring Security’ is added, by default ‘basic’ authentication will be used with the username user and a generated password (which is printed on the console when the application starts).

  1. Generated passwords are logged as the application starts. Search for ‘Using default security password’.

You can use Spring properties to change the username and password and to change the security role(s) required to access the endpoints. 

For example, you might set the following in your application.properties:

security.user.name=admin
security.user.password=secret
management.security.roles=SUPERUSER

If your application has custom security configuration and you want all your actuator endpoints to be accessible without authentication, you need to explicitly configure that in your security configuration. Along with that, you need to change the management.security.enabled property to false.

If your custom security configuration secures your actuator endpoints, you also need to ensure that the authenticated user has the roles specified under management.security.roles.

  1. If you don't have a use case for exposing basic health information to unauthenticated users, and you have secured the actuator endpoints with custom security, you can set management.security.enabled to false. This will inform Spring Boot to skip the additional role check.
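
One way to write the custom security configuration described above, as an added example that is not part of the Spring Boot documentation or the original post. It assumes Spring Boot 1.5.x with Spring Security 4.x; the /manage context path, the ops user, the ops.user.password property and the package name are assumptions made for illustration.

```java
// Added example, not taken from the Spring Boot documentation.
// Targets Spring Boot 1.5.x with Spring Security 4.x.
//
// Assumed application.properties:
//   management.context-path=/manage      (assumption: groups all actuator endpoints)
//   management.security.enabled=false    (skip Boot's extra role check, as the page describes)
//   ops.user.password=...                (hypothetical property; inject from the environment)
package com.example.demo; // hypothetical package

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${ops.user.password}")
    private String opsPassword;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Single in-memory operator account holding the role required below.
        // Spring Security 4 compares this value as plain text.
        auth.inMemoryAuthentication()
            .withUser("ops").password(opsPassword).roles("SUPERUSER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // All actuator endpoints sit under /manage and need SUPERUSER.
                .antMatchers("/manage/**").hasRole("SUPERUSER")
                // Everything else: any authenticated user (adjust for your application).
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

With this in place, an unauthenticated request to /manage/env is answered with 401 and the "Full authentication is required to access this resource" message from the title, while an authenticated user without the SUPERUSER role gets 403.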