Ensure that management endpoints with nested paths are secured

Previously each endpoint was secured for path, path/, and path.*. This meant that a request to path/foo was not secured. This commit secures path/** to ensure that requests to a nested endpoint path are also secured. Fixes gh-2476
10 years ago · d7ae0f3b06
parent 6aaa5ee933
commit d7ae0f3b06
3 changed files with 19 additions and 7 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2014 the original author or authors.
+ * Copyright 2012-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -69,6 +69,7 @@ import org.springframework.util.StringUtils;
 * used as a security hint by the filter created here.
 *
 * @author Dave Syer
+ * @author Andy Wilkinson
 */
@Configuration
@ConditionalOnClass({ EnableWebSecurity.class })
@ -243,8 +244,9 @@ public class ManagementSecurityAutoConfiguration {
 				String path = endpointHandlerMapping.getPrefix() + endpoint.getPath();
 				paths.add(path);
 				if (secure) {
+					// Ensure the nested paths are secured
+					paths.add(path + "/**");
 					// Add Spring MVC-generated additional paths
-					paths.add(path + "/");
 					paths.add(path + ".*");
 				}
 			}
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/JolokiaMvcEndpoint.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/JolokiaMvcEndpoint.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2014 the original author or authors.
+ * Copyright 2013-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -42,6 +42,7 @@ import org.springframework.web.util.UrlPathHelper;
 * {@link MvcEndpoint} to expose Jolokia.
 *
 * @author Christian Dupuis
+ * @author Andy Wilkinson
 */
@ConfigurationProperties(prefix = "endpoints.jolokia", ignoreUnknownFields = false)
 public class JolokiaMvcEndpoint implements MvcEndpoint, InitializingBean,
@ -51,7 +52,7 @@ public class JolokiaMvcEndpoint implements MvcEndpoint, InitializingBean,
 	@Pattern(regexp = "/[^/]*", message = "Path must start with /")
 	private String path;

-	private boolean sensitive;
+	private boolean sensitive = true;

 	private boolean enabled = true;

--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2014 the original author or authors.
+ * Copyright 2012-2015 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -41,14 +41,18 @@ import org.springframework.test.util.ReflectionTestUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;

+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.hasSize;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;

 /**
 * Tests for {@link ManagementSecurityAutoConfiguration}.
 *
 * @author Dave Syer
+ * @author Andy Wilkinson
 */
 public class ManagementSecurityAutoConfigurationTests {

@ -71,11 +75,16 @@ public class ManagementSecurityAutoConfigurationTests {
 				EndpointAutoConfiguration.class, EndpointWebMvcAutoConfiguration.class,
 				ManagementServerPropertiesAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
+		EnvironmentTestUtils.addEnvironment(this.context, "security.basic.enabled:false");
 		this.context.refresh();
 		assertNotNull(this.context.getBean(AuthenticationManagerBuilder.class));
+		FilterChainProxy filterChainProxy = this.context.getBean(FilterChainProxy.class);
 		// 6 for static resources, one for management endpoints and one for the rest
-		assertEquals(8, this.context.getBean(FilterChainProxy.class).getFilterChains()
-				.size());
+		assertThat(filterChainProxy.getFilterChains(), hasSize(8));
+		assertThat(filterChainProxy.getFilters("/beans"), hasSize(greaterThan(0)));
+		assertThat(filterChainProxy.getFilters("/beans/"), hasSize(greaterThan(0)));
+		assertThat(filterChainProxy.getFilters("/beans.foo"), hasSize(greaterThan(0)));
+		assertThat(filterChainProxy.getFilters("/beans/foo/bar"), hasSize(greaterThan(0)));
 	}

 	@Test