diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java index e8d39331877..296bc2e2bc9 100644 --- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java +++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java @@ -187,7 +187,7 @@ public class SecurityAutoConfiguration { @Override public void configure(WebSecurity builder) throws Exception { IgnoredRequestConfigurer ignoring = builder.ignoring(); - ignoring.antMatchers(this.security.getIgnored()); + ignoring.antMatchers(this.security.getIgnoredPaths()); if (this.errorController != null) { ignoring.antMatchers(this.errorController.getErrorPath()); } diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java index 4b84a2a92a1..e52c39778da 100644 --- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java +++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java @@ -16,6 +16,8 @@ package org.springframework.boot.actuate.properties; +import java.util.ArrayList; +import java.util.List; import java.util.UUID; import org.springframework.boot.context.properties.ConfigurationProperties; @@ -41,8 +43,12 @@ public class SecurityProperties { private SessionCreationPolicy sessions = SessionCreationPolicy.STATELESS; - private String[] ignored = new String[] { "/css/**", "/js/**", "/images/**", - "/**/favicon.ico" }; + private List emptyIgnored = new ArrayList(); + + private List ignored = this.emptyIgnored; + + private static String[] DEFAULT_IGNORED = new String[] { "/css/**", "/js/**", + "/images/**", "/**/favicon.ico" }; private Management management = new Management(); @@ -92,14 +98,21 @@ public class SecurityProperties { this.enableCsrf = enableCsrf; } - public void setIgnored(String... ignored) { - this.ignored = ignored; + public void setIgnored(List ignored) { + this.ignored = new ArrayList(ignored); } - public String[] getIgnored() { + public List getIgnored() { return this.ignored; } + public String[] getIgnoredPaths() { + if (this.ignored == this.emptyIgnored) { + return DEFAULT_IGNORED; + } + return this.ignored.toArray(new String[this.ignored.size()]); + } + public static class Headers { public static enum HSTS { diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/properties/SecurityPropertiesTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/properties/SecurityPropertiesTests.java index 244f72f55ce..40042c50779 100644 --- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/properties/SecurityPropertiesTests.java +++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/properties/SecurityPropertiesTests.java @@ -17,6 +17,8 @@ package org.springframework.boot.actuate.properties; import java.util.Collections; +import java.util.HashMap; +import java.util.Map; import org.junit.Test; import org.springframework.beans.MutablePropertyValues; @@ -41,7 +43,7 @@ public class SecurityPropertiesTests { binder.bind(new MutablePropertyValues(Collections.singletonMap( "security.ignored", "/css/**"))); assertFalse(binder.getBindingResult().hasErrors()); - assertEquals(1, security.getIgnored().length); + assertEquals(1, security.getIgnored().size()); } @Test @@ -52,7 +54,20 @@ public class SecurityPropertiesTests { binder.bind(new MutablePropertyValues(Collections.singletonMap( "security.ignored", "/css/**,/images/**"))); assertFalse(binder.getBindingResult().hasErrors()); - assertEquals(2, security.getIgnored().length); + assertEquals(2, security.getIgnored().size()); + } + + @Test + public void testBindingIgnoredMultiValuedList() { + SecurityProperties security = new SecurityProperties(); + RelaxedDataBinder binder = new RelaxedDataBinder(security, "security"); + binder.setConversionService(new DefaultConversionService()); + Map map = new HashMap(); + map.put("security.ignored[0]", "/css/**"); + map.put("security.ignored[1]", "images/**"); + binder.bind(new MutablePropertyValues(map)); + assertFalse(binder.getBindingResult().hasErrors()); + assertEquals(2, security.getIgnored().size()); } @Test