Merge pull request #4383 from rwinch/gh-4368

* pr/4383:
  Secure actuator when all endpoints are sensitive
This commit is contained in:
Phillip Webb 2015-11-10 00:13:45 -08:00
commit 387faa786b
2 changed files with 31 additions and 2 deletions


@ -67,6 +67,7 @@ import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.ObjectUtils;
@ -95,6 +96,9 @@ public class ManagementWebSecurityAutoConfiguration {
private static final String[] NO_PATHS = new String[0];
private static final RequestMatcher MATCH_NONE = new NegatedRequestMatcher(
AnyRequestMatcher.INSTANCE);
@Bean
@ConditionalOnMissingBean({ IgnoredPathsWebSecurityConfigurerAdapter.class })
public IgnoredPathsWebSecurityConfigurerAdapter ignoredPathsWebSecurityConfigurerAdapter() {
@ -332,8 +336,7 @@ public class ManagementWebSecurityAutoConfiguration {
for (String path : this.endpointPaths.getPaths(endpointHandlerMapping)) {
matchers.add(new AntPathRequestMatcher(server.getPath(path)));
}
return (matchers.isEmpty() ? AnyRequestMatcher.INSTANCE
: new OrRequestMatcher(matchers));
return (matchers.isEmpty() ? MATCH_NONE : new OrRequestMatcher(matchers));
}
}
@ -345,10 +348,12 @@ public class ManagementWebSecurityAutoConfiguration {
ALL,
NON_SENSITIVE {
@Override
protected boolean isIncluded(MvcEndpoint endpoint) {
return !endpoint.isSensitive();
}
};
public String[] getPaths(EndpointHandlerMapping endpointHandlerMapping) {
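Review bot: The `MATCH_NONE` return that replaces `AnyRequestMatcher.INSTANCE` in the last hunk turns a fail-open default (empty matcher list matched every request, so every actuator path was ignored by security when all endpoints were sensitive) into a fail-closed one, but neither the new constant's declaration in the second hunk nor the return line records that invariant, so a later refactor could quietly reintroduce the match-everything fallback. I would put a Javadoc on the field, `/** Fallback for an empty path list: must match nothing, never every request (gh-4368). */`, and a short why-comment at the return, `// empty path set must not widen to "ignore everything"`. This matcher appears to feed the ignored-paths configurer named in the second hunk, though the enclosing method starts outside the hunk, so other callers' expectations are not visible here.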


@ -61,6 +61,9 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* Tests for {@link ManagementWebSecurityAutoConfiguration}.
@ -231,6 +234,27 @@ public class ManagementWebSecurityAutoConfigurationTests {
.andExpect(springAuthenticateRealmHeader());
}
@Test
public void testMarkAllEndpointsSensitive() throws Exception {
// gh-4368
this.context = new AnnotationConfigWebApplicationContext();
this.context.setServletContext(new MockServletContext());
this.context.register(WebConfiguration.class);
EnvironmentTestUtils.addEnvironment(this.context, "endpoints.sensitive:true");
this.context.refresh();
MockMvc mockMvc = MockMvcBuilders.webAppContextSetup(this.context) //
.apply(springSecurity()) //
.build();
mockMvc //
.perform(get("/health")) //
.andExpect(status().isUnauthorized());
mockMvc //
.perform(get("/info")) //
.andExpect(status().isUnauthorized());
}
private ResultMatcher springAuthenticateRealmHeader() {
return MockMvcResultMatchers.header().string("www-authenticate",
Matchers.containsString("realm=\"Spring\""));