Problem
Health endpoint's cache time to live property is not working when there is a live session (when the user is authenticated using Spring Security). This is a similar issue to https://github.com/spring-projects/spring-boot/issues/13238; however, this time TTL is not working only when there is a user logged in (authenticated).

Environment
Java 1.8
Spring-Boot 2.1.11

Expected Behaviour
Health endpoint's cache time to live property should be standalone, not affected by the user being authenticated or not.

Steps to Reproduce
1. ./mvnw spring-boot:run to spin up the application.
2. First, access localhost:8080/demo/health and keep refreshing to see that health TTL is working properly. (The timestamp should be updated every 10 seconds, as the cache.time-to-live property is set to 10 seconds.)
3. Access localhost:8080/demo/test in the browser and log in with username: user & password: password.
4. Then, open another tab in the browser and access localhost:8080/demo/health.
5. The timestamp field is updated every time you hit refresh.

Sample application
demo.zip

Comment From: bclozel

This behavior is documented here and I think it works as designed. I guess we can't ensure that the Principal information is not derived by the endpoint to send user-specific information.

Is this consistent with this issue?

Comment From: edmundham

@bclozel Thanks for the reply. Yes, the documentation sounds right. You may close this issue as well. Just one thing: would you be able to recommend some techniques or good design practices for an authenticated user calling the health endpoint? We have multiple applications whose health endpoints are a bit expensive (DB, MQ, etc. checking), and we don't want to expose that information to users who are not authenticated & authorized, and still want the caching functionality.
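
An added example, not part of the thread and not Spring Boot's own code: since the endpoint-level cache is skipped once a Principal is present, one option is to cache inside the expensive indicator itself, so the DB/MQ check runs at most once per TTL regardless of who calls. `CachingHealthIndicator` is a hypothetical name, and the code assumes spring-boot-actuator 2.x on the classpath.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;

import org.springframework.boot.actuate.health.Health;
import org.springframework.boot.actuate.health.HealthIndicator;

/**
 * Hypothetical wrapper (not a Spring Boot class): caches the delegate's result
 * for a fixed TTL, independently of the endpoint-level cache.
 */
public class CachingHealthIndicator implements HealthIndicator {

    private final HealthIndicator delegate; // the expensive DB/MQ check
    private final Duration ttl;
    private final Clock clock;

    // Both fields are guarded by "this".
    private Health cached;
    private Instant expiresAt = Instant.MIN;

    public CachingHealthIndicator(HealthIndicator delegate, Duration ttl) {
        this(delegate, ttl, Clock.systemUTC());
    }

    // Package-private so a test can inject a fixed or stepping clock.
    CachingHealthIndicator(HealthIndicator delegate, Duration ttl, Clock clock) {
        this.delegate = delegate;
        this.ttl = ttl;
        this.clock = clock;
    }

    @Override
    public synchronized Health health() {
        Instant now = clock.instant();
        if (cached == null || !now.isBefore(expiresAt)) {
            // One caller at a time reaches the backend. An exception thrown
            // here propagates and nothing is cached, so the next call retries.
            Health fresh = delegate.health();
            cached = fresh;
            expiresAt = now.plus(ttl);
        }
        // The same object is returned to every caller, authenticated or not,
        // so the delegate must not put per-user data into the details.
        return cached;
    }
}
```

Register it as the bean in place of the expensive indicator it wraps. Which callers see the details is still decided by the endpoint's `management.endpoint.health.show-details` setting, not by this cache.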