root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Bypass Spring security authentication for remote devtools endpoint 

Closes gh-17878
This commit is contained in:
Madhura Bhave 2019-08-14 19:12:15 -07:00
parent 4b4dc28a86
commit 186530478c
2 changed files with 76 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
spring-boot-project/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java
View File

@ -23,10 +23,13 @@ import javax.servlet.Filter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.web.ServerProperties;
import org.springframework.boot.autoconfigure.web.ServerProperties.Servlet;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
@ -45,7 +48,11 @@ import org.springframework.boot.devtools.restart.server.SourceFolderUrlFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
/**
* {@link EnableAutoConfiguration Auto-configuration} for remote development support.
@ -53,12 +60,14 @@ import org.springframework.http.server.ServerHttpRequest;
* @author Phillip Webb
* @author Rob Winch
* @author Andy Wilkinson
* @author Madhura Bhave
* @since 1.3.0
*/
@Configuration(proxyBeanMethods = false)
@Conditional(OnEnabledDevToolsCondition.class)
@ConditionalOnProperty(prefix = "spring.devtools.remote", name = "secret")
@ConditionalOnClass({ Filter.class, ServerHttpRequest.class })
@AutoConfigureAfter(SecurityAutoConfiguration.class)
@EnableConfigurationProperties({ ServerProperties.class, DevToolsProperties.class })
public class RemoteDevToolsAutoConfiguration {
@ -127,4 +136,25 @@ public class RemoteDevToolsAutoConfiguration {
}
@Configuration
@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
@ConditionalOnClass(WebSecurityConfigurerAdapter.class)
static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private final String url;
SecurityConfiguration(DevToolsProperties devToolsProperties, ServerProperties serverProperties) {
Servlet servlet = serverProperties.getServlet();
String servletContextPath = (servlet.getContextPath() != null) ? servlet.getContextPath() : "";
this.url = servletContextPath + devToolsProperties.getRemote().getContextPath() + "/restart";
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(new AntPathRequestMatcher(this.url)).authorizeRequests().anyRequest().anonymous().and()
.csrf().disable();
}
}
}

47
spring-boot-project/spring-boot-devtools/src/test/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfigurationTests.java
View File

@ -19,6 +19,8 @@ package org.springframework.boot.devtools.autoconfigure;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;
import javax.servlet.Filter;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
@ -26,6 +28,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfiguration;
import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
import org.springframework.boot.devtools.remote.server.DispatcherFilter;
import org.springframework.boot.devtools.restart.MockRestarter;
import org.springframework.boot.devtools.restart.server.HttpRestartServer;
@ -41,16 +44,22 @@ import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.config.BeanIds;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.Mockito.mock;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* Tests for {@link RemoteDevToolsAutoConfiguration}.
*
* @author Rob Winch
* @author Phillip Webb
* @author Madhura Bhave
*/
@ExtendWith(MockRestarter.class)
class RemoteDevToolsAutoConfigurationTests {
@ -138,6 +147,42 @@ class RemoteDevToolsAutoConfigurationTests {
assertRestartInvoked(true);
}
@Test
void securityConfigurationShouldAllowAccess() throws Exception {
this.context = getContext(() -> loadContext("spring.devtools.remote.secret:supersecret"));
DispatcherFilter filter = this.context.getBean(DispatcherFilter.class);
Filter securityFilterChain = this.context.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN, Filter.class);
MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.context).addFilter(securityFilterChain)
.addFilter(filter).build();
mockMvc.perform(MockMvcRequestBuilders.get(DEFAULT_CONTEXT_PATH + "/restart").header(DEFAULT_SECRET_HEADER_NAME,
"supersecret")).andExpect(status().isOk());
assertRestartInvoked(true);
}
@Test
void securityConfigurationShouldAllowAccessToCustomPath() throws Exception {
this.context = getContext(() -> loadContext("spring.devtools.remote.secret:supersecret",
"server.servlet.context-path:/test", "spring.devtools.remote.context-path:/custom"));
DispatcherFilter filter = this.context.getBean(DispatcherFilter.class);
Filter securityFilterChain = this.context.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN, Filter.class);
MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.context).addFilter(securityFilterChain)
.addFilter(filter).build();
mockMvc.perform(
MockMvcRequestBuilders.get("/test/custom/restart").header(DEFAULT_SECRET_HEADER_NAME, "supersecret"))
.andExpect(status().isOk());
assertRestartInvoked(true);
}
@Test
void securityConfigurationDoesNotAffectOtherPaths() throws Exception {
this.context = getContext(() -> loadContext("spring.devtools.remote.secret:supersecret"));
DispatcherFilter filter = this.context.getBean(DispatcherFilter.class);
Filter securityFilterChain = this.context.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN, Filter.class);
MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.context).addFilter(securityFilterChain)
.addFilter(filter).build();
mockMvc.perform(MockMvcRequestBuilders.get("/my-path")).andExpect(status().isUnauthorized());
}
@Test
void disableRestart() throws Exception {
this.context = getContext(() -> loadContext("spring.devtools.remote.secret:supersecret",
@ -195,7 +240,7 @@ class RemoteDevToolsAutoConfigurationTests {
}
@Configuration(proxyBeanMethods = false)
@Import(RemoteDevToolsAutoConfiguration.class)
@Import({ SecurityAutoConfiguration.class, RemoteDevToolsAutoConfiguration.class })
static class Config {
@Bean