From 09e07428cce0baddfee3a964214803ab1aa776e8 Mon Sep 17 00:00:00 2001 From: Madhura Bhave Date: Wed, 16 Dec 2020 14:53:18 -0800 Subject: [PATCH] Configure CORS in default security configuration for MVC Fixes gh-11987 --- ...anagementWebSecurityConfigurerAdapter.java | 1 + .../CorsSampleActuatorApplicationTests.java | 83 +++++++++++++++++++ .../resources/application-cors.properties | 2 + 3 files changed, 86 insertions(+) create mode 100644 spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java create mode 100644 spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java index 707d866952..e3ccaedb43 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java @@ -44,6 +44,7 @@ class ManagementWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapte requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll(); requests.anyRequest().authenticated(); }); + http.cors(); http.formLogin(Customizer.withDefaults()); http.httpBasic(Customizer.withDefaults()); } diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java new file mode 100644 index 0000000000..a2837d7c7a --- /dev/null +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java @@ -0,0 +1,83 @@ +/* + * Copyright 2012-2020 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package smoketest.actuator; + +import java.net.URI; +import java.util.Map; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.web.client.LocalHostUriTemplateHandler; +import org.springframework.boot.test.web.client.TestRestTemplate; +import org.springframework.boot.web.client.RestTemplateBuilder; +import org.springframework.context.ApplicationContext; +import org.springframework.http.HttpStatus; +import org.springframework.http.RequestEntity; +import org.springframework.http.ResponseEntity; +import org.springframework.test.context.ActiveProfiles; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * Integration test for cors preflight requests to management endpoints. + * + * @author Madhura Bhave + */ +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@ActiveProfiles("cors") +class CorsSampleActuatorApplicationTests { + + private TestRestTemplate testRestTemplate; + + @Autowired + private ApplicationContext applicationContext; + + @BeforeEach + void setUp() { + RestTemplateBuilder builder = new RestTemplateBuilder(); + LocalHostUriTemplateHandler handler = new LocalHostUriTemplateHandler(this.applicationContext.getEnvironment(), + "http"); + builder = builder.uriTemplateHandler(handler); + this.testRestTemplate = new TestRestTemplate(builder); + } + + @Test + void endpointShouldReturnUnauthorized() { + ResponseEntity entity = this.testRestTemplate.getForEntity("/actuator/env", Map.class); + assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED); + } + + @Test + void preflightRequestToEndpointShouldReturnOk() throws Exception { + RequestEntity healthRequest = RequestEntity.options(new URI("/actuator/env")) + .header("Origin", "http://localhost:8080").header("Access-Control-Request-Method", "GET").build(); + ResponseEntity exchange = this.testRestTemplate.exchange(healthRequest, Map.class); + assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.OK); + } + + @Test + void preflightRequestWhenCorsConfigInvalidShouldReturnForbidden() throws Exception { + RequestEntity entity = RequestEntity.options(new URI("/actuator/env")) + .header("Origin", "http://localhost:9095").header("Access-Control-Request-Method", "GET").build(); + ResponseEntity exchange = this.testRestTemplate.exchange(entity, byte[].class); + assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN); + } + +} diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties new file mode 100644 index 0000000000..94bc394189 --- /dev/null +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties @@ -0,0 +1,2 @@ +management.endpoints.web.cors.allowed-origins=http://localhost:8080 +management.endpoints.web.cors.allowed-methods=GET