
Add Spring MVC-generated path suffixes to endpoint paths

Spring Security doesn't know that Spring MVC maps /foo, /foo.json
and /foo/ all to the same handler. This change explicitly adds
suffixes to the actuator endpoint matchers so they are properly
protected.
pull/618/merge
Dave Syer 12 years ago
parent
commit
72d7c286c0
Notes: Phillip Webb 12 years ago
Fixes gh-636
  1. 8
      spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
  2. 17
      spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java

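--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
@@ -221,7 +221,13 @@ public class ManagementSecurityAutoConfiguration {
 List<String> paths = new ArrayList<String>(endpoints.size());
 for (MvcEndpoint endpoint : endpoints) {
 if (endpoint.isSensitive() == secure) {
-paths.add(endpointHandlerMapping.getPrefix() + endpoint.getPath());
+String path = endpointHandlerMapping.getPrefix() + endpoint.getPath();
+paths.add(path);
+if (secure) {
+// Add Spring MVC-generated additional paths
+paths.add(path + "/");
+paths.add(path + ".*");
+}
 }
 }
 return paths.toArray(new String[paths.size()]);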
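Review bot: The two added patterns cover only the exact trailing-slash and suffix forms of `path`; if the returned array is consumed by an Ant-style matcher (that happens outside this hunk), `*` does not cross a `/`, so `path + "/"` matches `/metrics/` but not a sub-path such as `/metrics/foo`, and `path + ".*"` does not match `/metrics.json/`. The sample test in this commit expects 401 for `/metrics/foo`, so either something other than these two patterns is denying it or a sub-mapping deserves its own entry — worth confirming rather than inferring from a green build. Because this list enumerates variants that Spring MVC synthesizes, a comment stating why each one is present would keep it in step with the MVC path-matching options, e.g. `// Spring MVC (trailing-slash and suffix-pattern matching) routes "/foo/" and "/foo.<ext>" to the same handler as "/foo"; secure those forms too`. The enclosing method starts and ends outside the hunk.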

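--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
@@ -70,6 +70,23 @@ public class SampleActuatorApplicationTests {
 .containsKey("Set-Cookie"));
 }
+@Test
+public void testMetricsIsSecure() throws Exception {
+@SuppressWarnings("rawtypes")
+ResponseEntity<Map> entity = new TestRestTemplate().getForEntity(
+"http://localhost:8080/metrics", Map.class);
+assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+entity = new TestRestTemplate().getForEntity(
+"http://localhost:8080/metrics/", Map.class);
+assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+entity = new TestRestTemplate().getForEntity(
+"http://localhost:8080/metrics/foo", Map.class);
+assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+entity = new TestRestTemplate().getForEntity(
+"http://localhost:8080/metrics.json", Map.class);
+assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+}
 @Test
 public void testHome() throws Exception {
 @SuppressWarnings("rawtypes")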
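Review bot: The four request/assert pairs in testMetricsIsSecure differ only in the URL, and a failing assertion would not say which variant regressed because the message carries no path. A loop over the variants with the path in the assert message keeps the test aligned with the matcher list in ManagementSecurityAutoConfiguration and makes adding another MVC-generated form a one-line change; `Arrays.asList` needs `java.util.Arrays` in scope. The enclosing class starts and ends outside the hunk.
```java
@Test
public void testMetricsIsSecure() throws Exception {
	for (String path : Arrays.asList("/metrics", "/metrics/", "/metrics/foo", "/metrics.json")) {
		@SuppressWarnings("rawtypes")
		ResponseEntity<Map> entity = new TestRestTemplate().getForEntity(
				"http://localhost:8080" + path, Map.class);
		assertEquals(path, HttpStatus.UNAUTHORIZED, entity.getStatusCode());
	}
}
```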
