From 437fb75424d1a2d852aec0a3cd16b55c3080cf30 Mon Sep 17 00:00:00 2001
From: Dave Syer <dsyer@pivotal.io>
Date: Sat, 13 Sep 2014 10:55:39 -0500
Subject: [PATCH 1/2] Add /error to ignored paths for security autoconfig

Protecting /error doesn't make a great deal of sense and if it is
protected you don't get the ErrorPageFilter for the attempt at loading
it, so Tomcat renders its own HTML error page (when deployed as WAR).

Fixes gh-1548
---
 ...agementSecurityAutoConfigurationTests.java |  4 +--
 .../SpringBootWebSecurityConfiguration.java   |  2 +-
 .../SecurityAutoConfigurationTests.java       |  4 +--
 ...ringBootWebSecurityConfigurationTests.java | 34 +++++++++++++++++++
 4 files changed, 39 insertions(+), 5 deletions(-)
 create mode 100644 spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java

diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java
index 5874b0afdab..9aa403bc0e1 100644
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java
@@ -74,7 +74,7 @@ public class ManagementSecurityAutoConfigurationTests {
 		this.context.refresh();
 		assertNotNull(this.context.getBean(AuthenticationManagerBuilder.class));
 		// 6 for static resources, one for management endpoints and one for the rest
-		assertEquals(8, this.context.getBean(FilterChainProxy.class).getFilterChains()
+		assertEquals(9, this.context.getBean(FilterChainProxy.class).getFilterChains()
 				.size());
 	}
 
@@ -144,7 +144,7 @@ public class ManagementSecurityAutoConfigurationTests {
 		this.context.refresh();
 		// Just the management endpoints (one filter) and ignores now plus the backup
 		// filter on app endpoints
-		assertEquals(8, this.context.getBean(FilterChainProxy.class).getFilterChains()
+		assertEquals(9, this.context.getBean(FilterChainProxy.class).getFilterChains()
 				.size());
 	}
 
diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
index 018816d44fd..25686abc3e5 100644
--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java
@@ -86,7 +86,7 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor;
 public class SpringBootWebSecurityConfiguration {
 
 	private static List<String> DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
-			"/images/**", "/**/favicon.ico");
+			"/images/**", "/**/favicon.ico", "/error");
 
 	@Bean
 	@ConditionalOnMissingBean({ IgnoredPathsWebSecurityConfigurerAdapter.class })
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
index e736b05c39b..09c33c24c76 100644
--- a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfigurationTests.java
@@ -68,10 +68,10 @@ public class SecurityAutoConfigurationTests {
 				PropertyPlaceholderAutoConfiguration.class);
 		this.context.refresh();
 		assertNotNull(this.context.getBean(AuthenticationManagerBuilder.class));
-		// 4 for static resources and one for the rest
+		// 5 for static resources and one for the rest
 		List<SecurityFilterChain> filterChains = this.context.getBean(
 				FilterChainProxy.class).getFilterChains();
-		assertEquals(5, filterChains.size());
+		assertEquals(6, filterChains.size());
 	}
 
 	@Test
diff --git a/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
new file mode 100644
index 00000000000..5d695e0acbb
--- /dev/null
+++ b/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfigurationTests.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2012-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.security;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
+
+/**
+ * @author Dave Syer
+ */
+public class SpringBootWebSecurityConfigurationTests {
+
+	@Test
+	public void testDefaultIgnores() {
+		assertTrue(SpringBootWebSecurityConfiguration
+				.getIgnored(new SecurityProperties()).contains("/error"));
+	}
+
+}

From deef784403419ed57cb733089c0326d8b0781dd2 Mon Sep 17 00:00:00 2001
From: Dave Syer <dsyer@pivotal.io>
Date: Sat, 13 Sep 2014 07:08:06 -0500
Subject: [PATCH 2/2] Blitz some more special characters from the metric names

When MVC path matchers are used as metric keys, they can still contain
invalid characters and patterns (like asterisks). This change removes
some more special characters and also tidies up the names a bit so
no key part starts or ends with "-" (which is ugly).

Fixes gh-1528
---
 .../MetricFilterAutoConfiguration.java           | 16 +++++++++++++++-
 .../MetricFilterAutoConfigurationTests.java      |  8 ++++----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MetricFilterAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MetricFilterAutoConfiguration.java
index 720a25e910e..d4751ed24cb 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MetricFilterAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/MetricFilterAutoConfiguration.java
@@ -101,7 +101,7 @@ public class MetricFilterAutoConfiguration {
 					// not convertible
 				}
 				if (bestMatchingPattern != null) {
-					suffix = bestMatchingPattern.toString().replaceAll("[{}]", "-");
+					suffix = fixSpecialCharacters(bestMatchingPattern.toString());
 				}
 				else if (httpStatus.is4xxClientError()) {
 					suffix = UNKNOWN_PATH_SUFFIX;
@@ -114,6 +114,20 @@ public class MetricFilterAutoConfiguration {
 			}
 		}
 
+		private String fixSpecialCharacters(String value) {
+			String result = value.replaceAll("[{}]", "-");
+			result = result.replace("**", "-star-star-");
+			result = result.replace("*", "-star-");
+			result = result.replace("/-", "/");
+			if (result.endsWith("-")) {
+				result = result.substring(0, result.length() - 1);
+			}
+			if (result.startsWith("-")) {
+				result = result.substring(1);
+			}
+			return result;
+		}
+
 		private int getStatus(HttpServletResponse response) {
 			try {
 				return response.getStatus();
diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/MetricFilterAutoConfigurationTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/MetricFilterAutoConfigurationTests.java
index 919a5bbed59..f1c17785bc9 100644
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/MetricFilterAutoConfigurationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/MetricFilterAutoConfigurationTests.java
@@ -89,9 +89,9 @@ public class MetricFilterAutoConfigurationTests {
 		mvc.perform(get("/templateVarTest/foo")).andExpect(status().isOk());
 
 		verify(context.getBean(CounterService.class)).increment(
-				"status.200.templateVarTest.-someVariable-");
+				"status.200.templateVarTest.someVariable");
 		verify(context.getBean(GaugeService.class)).submit(
-				eq("response.templateVarTest.-someVariable-"), anyDouble());
+				eq("response.templateVarTest.someVariable"), anyDouble());
 		context.close();
 	}
 
@@ -106,9 +106,9 @@ public class MetricFilterAutoConfigurationTests {
 		mvc.perform(get("/knownPath/foo")).andExpect(status().isNotFound());
 
 		verify(context.getBean(CounterService.class)).increment(
-				"status.404.knownPath.-someVariable-");
+				"status.404.knownPath.someVariable");
 		verify(context.getBean(GaugeService.class)).submit(
-				eq("response.knownPath.-someVariable-"), anyDouble());
+				eq("response.knownPath.someVariable"), anyDouble());
 		context.close();
 	}