SpringBoot Actuator Loggers Endpoint 404 When Base Path Set to /

Summary

An actuator /loggers endpoint that works at /actuator/loggers fails with a 404 NOT FOUND when the base path is set to /. The cause is that Spring Boot reserves the root path (/) for static content and the primary application mapping, so placing the proxy configuration inside the Spring Security filter chain masks the logger endpoint.

Root Cause

  • Base‑path conflict – Setting management.endpoints.web.base-path=/ tells Spring Boot to expose all actuator endpoints at the application root.
  • Security filter ordering – The custom HttpSecurity rules were added before the default actuator restriction, so requests to /loggers found no matching requestMatchers(HttpMethod.GET, "/loggers/**") rule (none was defined) and fell through, resulting in a 404.
  • Missing actuator endpoints mapping – When the base path is /, the Actuator servlet is registered without a context path, so the default actuator EndpointWebMvcConfiguration does not bind to /loggers; it only binds when the base path is something other than /.

Why This Happens in Real Systems

  • Zero‑configuration defaults – Most teams keep the root context for public APIs; changing the actuator base path to / pulls the Actuator endpoints into that same namespace.
  • Third‑party security frameworks – When integrating Spring Security, developers often add their own matcher rules without considering the actuator’s own filter chain.
  • Framework evolution – Spring Boot 3.x tightened security around Actuator; endpoints that were publicly accessible in 2.x now require explicit exposure and authentication.

Real-World Impact

  • Operational blind spots – The /loggers endpoint is typically used to adjust log levels at runtime, so losing it removes a key diagnostic control.
  • Unreachable diagnostics – DevOps and support staff cannot query or modify log levels while the endpoint is unavailable.
  • Increased friction – Developers must redeploy the application to re‑enable the endpoint or change the security config, which delays troubleshooting.

Typical consequences:

  • Failure to adjust log levels during incidents.
  • Misleading 404 responses that mask underlying configuration errors.
  • Extra cognitive load for new engineers learning the project.

Example Code

A minimal, reproducible configuration that triggers the issue:

# application.properties
management.endpoints.web.exposure.include=info,health,metrics,loggers
management.endpoints.web.base-path=/

// SecurityConfig.java (Spring Boot 3.x / Spring Security 6 style)
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers(HttpMethod.GET, "/metrics/**").permitAll()
            .requestMatchers(HttpMethod.GET, "/health/**").permitAll()
            .requestMatchers(HttpMethod.GET, "/info/**").permitAll()
            // no rule covers /loggers/**
        );
    return http.build();
}

The fix itself is mostly a matter of rule ordering and explicit endpoint mapping rather than new application code.

How Senior Engineers Fix It

  1. Expose the endpoint explicitly
    management.endpoint.loggers.enabled=true
  2. Add a dedicated permit rule after the actuator filter chain
    http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers(HttpMethod.GET, "/loggers/**").permitAll()
            .anyRequest().authenticated());
  3. Move the base path to a non‑root value or keep Spring’s default
    management.endpoints.web.base-path=/actuator
  4. Verify the actuator servlet registration
    Run ./mvnw spring-boot:run --debug and ensure EndpointServlet is mapped to /loggers.

All steps above restore /loggers accessibility without compromising security on other endpoints.
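The following is an added example, not code from the original page, that carries steps 1 to 3 through in one Spring Security 6 configuration. It keeps the default /actuator base path and uses the actuator's own EndpointRequest matcher instead of hard-coded paths, so the rules resolve against whatever base path is configured (including /) and cannot silently stop matching when the path changes. It assumes Spring Boot 3.x with spring-boot-starter-actuator and spring-boot-starter-security; the package name, the /public/** path and the ACTUATOR_ADMIN role are placeholders for this example.

```java
// SecurityConfig.java -- added example, not the original page's code.
// Assumes Spring Boot 3.x with spring-boot-starter-actuator and
// spring-boot-starter-security; the package name, /public/** and the
// ACTUATOR_ADMIN role are placeholders chosen for this example.
//
// Matching application.properties (steps 1 and 3 of the fix):
//   management.endpoints.web.exposure.include=info,health,metrics,loggers
//   management.endpoint.loggers.enabled=true
//   management.endpoints.web.base-path=/actuator
package com.example.actuatorsecurity;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1: actuator endpoints only. EndpointRequest resolves the configured
    // base path itself, so these rules keep matching whether the base path is
    // /actuator or /. @Order(1) makes this chain run before the application chain,
    // which is the ordering problem described in the root-cause section.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        // Reading logger levels is a GET; changing them is a POST to
        // /loggers/{name}. Only the read side is opened up, as in step 2.
        RequestMatcher readLoggers = new AndRequestMatcher(
                EndpointRequest.to("loggers"),
                request -> HttpMethod.GET.matches(request.getMethod()));

        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(EndpointRequest.to("health", "info")).permitAll()
                .requestMatchers(readLoggers).permitAll()
                // Anything else on /loggers (level changes) needs an operator role.
                .requestMatchers(EndpointRequest.to("loggers")).hasRole("ACTUATOR_ADMIN")
                // metrics and any other exposed endpoint: authenticated users only.
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: everything that is not an actuator endpoint (the application's own API).
    @Bean
    @Order(2)
    SecurityFilterChain applicationChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/public/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

For step 4, a read check is `curl -i http://localhost:8080/actuator/loggers` (expect 200 without credentials), and a write check is a POST with `{"configuredLevel":"DEBUG"}` to `/actuator/loggers/<logger name>` using an ACTUATOR_ADMIN account (expect 204; 401 or 403 without it). CSRF protection is left at Spring Security's default here, so a non-browser client making that POST must also supply a CSRF token; exempting the actuator from CSRF is a separate, deliberate decision rather than something this example does implicitly.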

Why Juniors Miss It

  • Assumption of implicit ordering – Juniors think security rules run sequentially as written, ignoring the internal actuator configuration.
  • Overlooking defaults – Spring Boot’s defaults change subtly between major releases; junior engineers may not notice that / is no longer a safe base path.
  • Missing documentation – The Actuator FAQ rarely explains this edge case, leading to confusion when the endpoint disappears.
  • Testing gaps – Relying solely on automated tests that only hit public APIs means the failure to expose the logger endpoint slips through.

By keeping these points in mind, senior engineers can preempt the issue and guide juniors toward cleaner, more maintainable security configurations.
