Description
There is a serious issue with Spring Boot Admin leaking credentials back to the Spring Boot Admin starter client.
I'll try to explain my findings.
The Spring Boot starter client sends a request to the Spring Boot Admin server to register the application; the Spring Boot Admin server handles this request on the "/api/applications" route and returns the registered application:
return ResponseEntity.status(HttpStatus.CREATED).body(registeredApp);
This is really serious because the Spring Boot Admin server is returning metadata containing the username / password back to the client, and the Spring Boot client logs this response to its logfiles:
if (registeredId.compareAndSet(null, response.getBody().get("id").toString())) {
    LOGGER.info("Application registered itself as {}", response.getBody());
} else {
    LOGGER.debug("Application refreshed itself as {}", response.getBody());
}
There is a serializer for these credentials in the Application model which filters some keywords, but the pattern list is not extendable:
public static class MetadataSerializer extends StdSerializer<Map<String, String>> {
    private static final long serialVersionUID = 1L;
    private static Pattern[] keysToSanitize = createPatterns(".*password$", ".*secret$", ".*key$", ".*$token$", ".*credentials.*", ".*vcap_services$");
This works fine with the default implementation; the password is replaced with asterisks:
Application registered itself as {id=f402aa60, name=spring-admin, managementUrl=http://localhost:8080/actuator, healthUrl=http://localhost:8080/actuator/health, serviceUrl=http://localhost:8080, statusInfo={status=UNKNOWN, timestamp=1510650299317, details={}}, source=http-api, metadata={user.name=admin, user.password=******}, info={}}
But it really doesn't work if the metadata username/password is sent in a different format; our deployment with Terraform in AWS is configured to send the username and password with the following parameters: USER_NAME and USER_PASSWORD.
The log example looks like:
Application registered itself as {id=40f4ad6a, name="client-app", managementUrl=http://localhost.internal:5100/actuator, healthUrl=http://localhost.internal:5100/actuator/health, serviceUrl=http://localhost.internal:5100, statusInfo={status=UNKNOWN, timestamp=1510327224512, details={}}, source=http-api, metadata={user.name=springadminclient, USER_NAME=springadminclient, user.password=******, USER_PASSWORD=PLAINTEXT_PASSWORD}, info={}}
My solution was to override the register method on ApplicationRegistry and return the registered application without metadata:
return Application.copyOf(registering).withMetadata(Collections.emptyMap()).build();
I strongly suggest removing metadata from the response completely, as the admin starter client has no use for it anyway; it only logs sensitive information to logfiles.
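To make the gap concrete, here is an added Python sketch (not Spring Boot Admin code, and not from the reporter) that reproduces the serializer's full-match check over the key patterns quoted in the issue, runs it against the metadata from the log example above, and shows how a case-insensitive match closes the USER_PASSWORD hole while a plain case-sensitive match does not. The `sanitize_metadata` and `unmasked_keys` helpers and the sample metadata dict are constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# The key patterns quoted from the issue's MetadataSerializer.
# Note: ".*$token$" can never match a key, since "$" (end of input) is
# placed before the literal "token"; keys like "api.token" are not masked.
DEFAULT_KEYS_TO_SANITIZE = (
    ".*password$", ".*secret$", ".*key$", ".*$token$",
    ".*credentials.*", ".*vcap_services$",
)
MASK = "******"


def sanitize_metadata(metadata: Dict[str, str],
                      patterns: Iterable[str] = DEFAULT_KEYS_TO_SANITIZE,
                      ignore_case: bool = False) -> Dict[str, str]:
    """Copy of metadata with values masked where the key matches a pattern.

    fullmatch() mirrors Java's Matcher.matches(); ignore_case=False is the
    case-sensitive behaviour the issue describes.
    """
    flags = re.IGNORECASE if ignore_case else 0
    compiled = [re.compile(p, flags) for p in patterns]
    return {
        key: (MASK if any(c.fullmatch(key) for c in compiled) else value)
        for key, value in metadata.items()
    }


def unmasked_keys(original: Dict[str, str], sanitized: Dict[str, str]) -> List[str]:
    """Keys whose value reached the sanitized copy unchanged (i.e. would be logged)."""
    return [k for k, v in original.items() if sanitized.get(k) == v]


# Constructed sample mirroring the Terraform-style registration from the issue.
TERRAFORM_STYLE_METADATA = {
    "user.name": "springadminclient",
    "USER_NAME": "springadminclient",
    "user.password": "PLAINTEXT_PASSWORD",
    "USER_PASSWORD": "PLAINTEXT_PASSWORD",
}

if __name__ == "__main__":
    default = sanitize_metadata(TERRAFORM_STYLE_METADATA)
    print("case-sensitive:", unmasked_keys(TERRAFORM_STYLE_METADATA, default))
    hardened = sanitize_metadata(TERRAFORM_STYLE_METADATA, ignore_case=True)
    print("case-insensitive:", unmasked_keys(TERRAFORM_STYLE_METADATA, hardened))
```

Dropping metadata from the registration response entirely, as the reporter suggests, removes the dependency on any pattern list at all.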