From 33dcd853fdf78b48b1b1b52667f2de2e20dfb8ff Mon Sep 17 00:00:00 2001 From: Andy Wilkinson Date: Tue, 8 Nov 2016 13:18:05 +0000 Subject: [PATCH] Ensure that health endpoint remains insecure without Spring Security The changes made in 6a2ac080 mean that getSecurity() on ManagementServerProperties will no longer return null when Spring Security is on the classpath. This had the unwanted side-effect of causing the health endpoint to hide its details when Spring Security was not on the classpath. This commit reinstates the previous behaviour by only considering the health endpoint to be secure if Spring Security is on the classpath and management.security.enabled is true. Closes gh-7345 --- ...tWebMvcManagementContextConfiguration.java | 18 +++- ...rityHealthMvcEndpointIntegrationTests.java | 95 +++++++++++++++++++ 2 files changed, 109 insertions(+), 4 deletions(-) create mode 100644 spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/NoSpringSecurityHealthMvcEndpointIntegrationTests.java diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/EndpointWebMvcManagementContextConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/EndpointWebMvcManagementContextConfiguration.java index 154d7e9fb1..67f8f1891e 100644 --- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/EndpointWebMvcManagementContextConfiguration.java +++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/EndpointWebMvcManagementContextConfiguration.java @@ -20,7 +20,6 @@ import java.util.List; import java.util.Set; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties.Security; import org.springframework.boot.actuate.condition.ConditionalOnEnabledEndpoint; import org.springframework.boot.actuate.endpoint.Endpoint; import org.springframework.boot.actuate.endpoint.EnvironmentEndpoint; @@ -49,6 +48,7 @@ import org.springframework.context.annotation.ConditionContext; import org.springframework.context.annotation.Conditional; import org.springframework.core.env.Environment; import org.springframework.core.type.AnnotatedTypeMetadata; +import org.springframework.util.ClassUtils; import org.springframework.util.CollectionUtils; import org.springframework.util.StringUtils; import org.springframework.web.cors.CorsConfiguration; @@ -145,9 +145,8 @@ public class EndpointWebMvcManagementContextConfiguration { @ConditionalOnBean(HealthEndpoint.class) @ConditionalOnEnabledEndpoint("health") public HealthMvcEndpoint healthMvcEndpoint(HealthEndpoint delegate) { - Security security = this.managementServerProperties.getSecurity(); - boolean secure = (security != null && security.isEnabled()); - HealthMvcEndpoint healthMvcEndpoint = new HealthMvcEndpoint(delegate, secure); + HealthMvcEndpoint healthMvcEndpoint = new HealthMvcEndpoint(delegate, + isHealthSecure()); if (this.healthMvcEndpointProperties.getMapping() != null) { healthMvcEndpoint .addStatusMapping(this.healthMvcEndpointProperties.getMapping()); @@ -176,6 +175,17 @@ public class EndpointWebMvcManagementContextConfiguration { return new ShutdownMvcEndpoint(delegate); } + private boolean isHealthSecure() { + return isSpringSecurityAvailable() + && this.managementServerProperties.getSecurity().isEnabled(); + } + + private boolean isSpringSecurityAvailable() { + return ClassUtils.isPresent( + "org.springframework.security.config.annotation.web.WebSecurityConfigurer", + getClass().getClassLoader()); + } + private static class LogFileCondition extends SpringBootCondition { @Override diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/NoSpringSecurityHealthMvcEndpointIntegrationTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/NoSpringSecurityHealthMvcEndpointIntegrationTests.java new file mode 100644 index 0000000000..3a7e63e419 --- /dev/null +++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/NoSpringSecurityHealthMvcEndpointIntegrationTests.java @@ -0,0 +1,95 @@ +/* + * Copyright 2012-2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.boot.actuate.endpoint.mvc; + +import org.junit.After; +import org.junit.Test; +import org.junit.runner.RunWith; + +import org.springframework.boot.actuate.autoconfigure.EndpointAutoConfiguration; +import org.springframework.boot.actuate.autoconfigure.EndpointWebMvcAutoConfiguration; +import org.springframework.boot.actuate.autoconfigure.ManagementServerPropertiesAutoConfiguration; +import org.springframework.boot.actuate.health.Health; +import org.springframework.boot.actuate.health.HealthIndicator; +import org.springframework.boot.autoconfigure.ImportAutoConfiguration; +import org.springframework.boot.autoconfigure.PropertyPlaceholderAutoConfiguration; +import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration; +import org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration; +import org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration; +import org.springframework.boot.testutil.ClassPathExclusions; +import org.springframework.boot.testutil.FilteredClassPathRunner; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.mock.web.MockServletContext; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; + +import static org.hamcrest.CoreMatchers.containsString; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import static org.springframework.test.web.servlet.setup.MockMvcBuilders.webAppContextSetup; + +/** + * Integration tests for the health endpoint when Spring Security is not available. + * + * @author Andy Wilkinson + */ +@RunWith(FilteredClassPathRunner.class) +@ClassPathExclusions("spring-security-*.jar") +public class NoSpringSecurityHealthMvcEndpointIntegrationTests { + + private AnnotationConfigWebApplicationContext context; + + @After + public void closeContext() { + this.context.close(); + } + + @Test + public void healthDetailIsPresent() throws Exception { + this.context = new AnnotationConfigWebApplicationContext(); + this.context.setServletContext(new MockServletContext()); + this.context.register(TestConfiguration.class); + this.context.refresh(); + MockMvc mockMvc = webAppContextSetup(this.context).build(); + mockMvc.perform(get("/health")).andExpect(status().isOk()) + .andExpect(content().string(containsString("\"hello\":\"world\""))); + } + + @ImportAutoConfiguration({ JacksonAutoConfiguration.class, + HttpMessageConvertersAutoConfiguration.class, EndpointAutoConfiguration.class, + EndpointWebMvcAutoConfiguration.class, + ManagementServerPropertiesAutoConfiguration.class, + PropertyPlaceholderAutoConfiguration.class, WebMvcAutoConfiguration.class }) + @Configuration + static class TestConfiguration { + + @Bean + public HealthIndicator testHealthIndicator() { + return new HealthIndicator() { + + @Override + public Health health() { + return Health.up().withDetail("hello", "world").build(); + } + }; + } + + } + +}