Ensure path starts with "/" in ErrorController

When mapping the ErrorController path to Spring Security it's important that it starts with "/". This change ensures that is the case even if the user has omitted the leading "/". Fixes gh-694
12 years ago · 00b85e8c42
2 changed files with 17 additions and 1 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
@ -55,6 +55,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
				@@ -55,6 +55,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
+import org.springframework.util.StringUtils;

 /**
 * {@link EnableAutoConfiguration Auto-configuration} for security of framework endpoints.
@ -142,11 +143,19 @@ public class ManagementSecurityAutoConfiguration {
				@@ -142,11 +143,19 @@ public class ManagementSecurityAutoConfiguration {
 				ignored.remove("none");
 			}
 			if (this.errorController != null) {
-				ignored.add(this.errorController.getErrorPath());
+				ignored.add(normalizePath(this.errorController.getErrorPath()));
 			}
 			ignoring.antMatchers(ignored.toArray(new String[0]));
 		}

+		private String normalizePath(String errorPath) {
+			String result = StringUtils.cleanPath(errorPath);
+			if (!result.startsWith("/")) {
+				result = "/" + result;
+			}
+			return result;
+		}
+
 	}

 	@Configuration
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java
@ -40,6 +40,7 @@ import org.springframework.security.core.userdetails.UserDetails;
				@@ -40,6 +40,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;

 import static org.junit.Assert.assertEquals;
@ -79,6 +80,12 @@ public class ManagementSecurityAutoConfigurationTests {
				@@ -79,6 +80,12 @@ public class ManagementSecurityAutoConfigurationTests {
 				.size());
 	}

+	@Test
+	public void testPathNormalization() throws Exception {
+		String path = "admin/./error";
+		assertEquals("admin/error", StringUtils.cleanPath(path));
+	}
+
 	@Test
 	public void testWebConfigurationWithExtraRole() throws Exception {
 		this.context = new AnnotationConfigWebApplicationContext();