root
/
spring-boot
mirror of https://github.com/spring-projects/spring-boot.git
1
0
Fork 0
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Polish " Change info endpoint to be secure and unexposed by default" 

See gh-24715
This commit is contained in:
Madhura Bhave 2021-01-21 13:45:57 -08:00
parent 53c1e79810
commit d07e351eff
3 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java
View File

@ -20,7 +20,6 @@ import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAu
import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration;
import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
@ -40,8 +39,8 @@ import org.springframework.security.web.server.WebFilterChainProxy;
/**
* {@link EnableAutoConfiguration Auto-configuration} for Reactive Spring Security when
* actuator is on the classpath. Specifically, it permits access to the health and info
* endpoints while securing everything else.
* actuator is on the classpath. Specifically, it permits access to the health endpoint
* while securing everything else.
*
* @author Madhura Bhave
* @since 2.1.0
@ -59,7 +58,7 @@ public class ReactiveManagementWebSecurityAutoConfiguration {
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
http.authorizeExchange((exchanges) -> {
exchanges.matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
exchanges.matchers(EndpointRequest.to(HealthEndpoint.class)).permitAll();
exchanges.anyExchange().authenticated();
});
http.httpBasic(Customizer.withDefaults());

11
spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/info/InfoEndpointAutoConfigurationTests.java
View File

@ -34,6 +34,17 @@ class InfoEndpointAutoConfigurationTests {
private final ApplicationContextRunner contextRunner = new ApplicationContextRunner()
.withConfiguration(AutoConfigurations.of(InfoEndpointAutoConfiguration.class));
@Test
void runShouldHaveEndpointBean() {
this.contextRunner.withPropertyValues("management.endpoints.web.exposure.include=info")
.run((context) -> assertThat(context).hasSingleBean(InfoEndpoint.class));
}
@Test
void runWhenNotExposedShouldNotHaveEndpointBean() {
this.contextRunner.run((context) -> assertThat(context).doesNotHaveBean(InfoEndpoint.class));
}
@Test
void runWhenEnabledPropertyIsFalseShouldNotHaveEndpointBean() {
this.contextRunner.withPropertyValues("management.endpoint.info.enabled:false")

5
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxApplicationTests.java
View File

@ -50,11 +50,6 @@ class SampleSecureWebFluxApplicationTests {
.isOk();
}
@Test
void infoInsecureByDefault() {
this.webClient.get().uri("/actuator/info").accept(MediaType.APPLICATION_JSON).exchange().expectStatus().isOk();
}
@Test
void otherActuatorsSecureByDefault() {
this.webClient.get().uri("/actuator/env").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()