root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 12 Packages Projects Releases Wiki Activity

Add Spring MVC-generated path suffixes to endpoint paths 

Spring Security doesn't know that Spring MVC maps /foo, /foo.json
and /foo/ all to the same handler. This change explicitly adds
suffixes to the actuator endpoint matchers so they are properly
protected.
This commit is contained in:
Dave Syer 2014-04-03 14:03:09 +01:00
parent 97adb5c1b3
commit 72d7c286c0
Notes: Phillip Webb 2014-04-06 21:58:34 -07:00 
Fixes gh-636
2 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
View File

@ -221,7 +221,13 @@ public class ManagementSecurityAutoConfiguration {
List<String> paths = new ArrayList<String>(endpoints.size()); List<String> paths = new ArrayList<String>(endpoints.size());
for (MvcEndpoint endpoint : endpoints) { for (MvcEndpoint endpoint : endpoints) {
if (endpoint.isSensitive() == secure) { if (endpoint.isSensitive() == secure) {
paths.add(endpointHandlerMapping.getPrefix() + endpoint.getPath()); String path = endpointHandlerMapping.getPrefix() + endpoint.getPath();
paths.add(path);
if (secure) {
// Add Spring MVC-generated additional paths
paths.add(path + "/");
paths.add(path + ".*");
}
} }
} }
return paths.toArray(new String[paths.size()]); return paths.toArray(new String[paths.size()]);

17
spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
View File

@ -70,6 +70,23 @@ public class SampleActuatorApplicationTests {
.containsKey("Set-Cookie")); .containsKey("Set-Cookie"));
} }
@Test
public void testMetricsIsSecure() throws Exception {
@SuppressWarnings("rawtypes")
ResponseEntity<Map> entity = new TestRestTemplate().getForEntity(
"http://localhost:8080/metrics", Map.class);
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
entity = new TestRestTemplate().getForEntity(
"http://localhost:8080/metrics/", Map.class);
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
entity = new TestRestTemplate().getForEntity(
"http://localhost:8080/metrics/foo", Map.class);
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
entity = new TestRestTemplate().getForEntity(
"http://localhost:8080/metrics.json", Map.class);
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
}
@Test @Test
public void testHome() throws Exception { public void testHome() throws Exception {
@SuppressWarnings("rawtypes") @SuppressWarnings("rawtypes")