Opt-out API Security endpoint discovery (#9623)

We were keeping this feature disabled for now because the backend does not support it yet. However, we’re actively working on adding support, and in the meantime, we need to measure the volume of data we’d need to handle once the feature is enabled.

As a result, this PR sets the default config flag to true:
ConfigDefaults.java#L120

Enabling the feature by default surfaced an issue during test execution:
an exception was thrown due to multiple beans of type RequestMappingHandlerMapping being present in the Spring context, which caused a NoUniqueBeanDefinitionException.

Error:

No qualifying bean of type 'RequestMappingHandlerMapping' available: 
expected single matching bean but found 2: requestMappingHandlerMapping,controllerEndpointHandlerMapping
To resolve this, the instrumentations were updated to:

Use getBeansOfType(...) instead of getBean(...)
Iterate over all available RequestMappingHandlerMapping beans
Collect and merge their handler methods safely.
This avoids the error and ensures compatibility with Spring setups that register multiple handler mappings.

Author: jandro996

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-3.1/src/main/java/datadog/trace/instrumentation/springweb/AppSecDispatcherServletInstrumentation.java

@@ -13,6 +13,7 @@
 import datadog.trace.agent.tooling.InstrumenterModule;
 import datadog.trace.api.Config;
 import datadog.trace.api.telemetry.EndpointCollector;
+import java.util.HashMap;
 import java.util.Map;
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.matcher.ElementMatcher;
@@ -71,13 +72,16 @@ public static class AppSecHandlerMappingAdvice {
 
     @Advice.OnMethodExit(suppress = Throwable.class)
     public static void afterRefresh(@Advice.Argument(0) final ApplicationContext springCtx) {
-      final RequestMappingHandlerMapping handler =
-          springCtx.getBean(RequestMappingHandlerMapping.class);
-      if (handler == null) {
+      final Map<String, RequestMappingHandlerMapping> handlers =
+          springCtx.getBeansOfType(RequestMappingHandlerMapping.class);
+      if (handlers == null || handlers.isEmpty()) {
         return;
       }
-      final Map<RequestMappingInfo, HandlerMethod> mappings = handler.getHandlerMethods();
-      if (mappings == null || mappings.isEmpty()) {
+      final Map<RequestMappingInfo, HandlerMethod> mappings = new HashMap<>();
+      for (RequestMappingHandlerMapping mapping : handlers.values()) {
+        mappings.putAll(mapping.getHandlerMethods());
+      }
+      if (mappings.isEmpty()) {
         return;
       }
       EndpointCollector.get().supplier(new RequestMappingInfoIterator(mappings));

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-5.3/src/main/java/datadog/trace/instrumentation/springweb/AppSecDispatcherServletWithPathPatternsInstrumentation.java

@@ -12,6 +12,7 @@
 import datadog.trace.agent.tooling.InstrumenterModule;
 import datadog.trace.api.Config;
 import datadog.trace.api.telemetry.EndpointCollector;
+import java.util.HashMap;
 import java.util.Map;
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.matcher.ElementMatcher;
@@ -66,13 +67,16 @@ public static class AppSecHandlerMappingAdvice {
 
     @Advice.OnMethodExit(suppress = Throwable.class)
     public static void afterRefresh(@Advice.Argument(0) final ApplicationContext springCtx) {
-      final RequestMappingHandlerMapping handler =
-          springCtx.getBean(RequestMappingHandlerMapping.class);
-      if (handler == null) {
+      final Map<String, RequestMappingHandlerMapping> handlers =
+          springCtx.getBeansOfType(RequestMappingHandlerMapping.class);
+      if (handlers == null || handlers.isEmpty()) {
         return;
       }
-      final Map<RequestMappingInfo, HandlerMethod> mappings = handler.getHandlerMethods();
-      if (mappings == null || mappings.isEmpty()) {
+      final Map<RequestMappingInfo, HandlerMethod> mappings = new HashMap<>();
+      for (RequestMappingHandlerMapping mapping : handlers.values()) {
+        mappings.putAll(mapping.getHandlerMethods());
+      }
+      if (mappings.isEmpty()) {
         return;
       }
       EndpointCollector.get().supplier(new RequestMappingInfoWithPathPatternsIterator(mappings));

dd-trace-api/src/main/java/datadog/trace/api/ConfigDefaults.java

@@ -117,8 +117,7 @@ public final class ConfigDefaults {
   static final int DEFAULT_APPSEC_WAF_TIMEOUT = 100000; // 0.1 s
   static final boolean DEFAULT_API_SECURITY_ENABLED = true;
   static final float DEFAULT_API_SECURITY_SAMPLE_DELAY = 30.0f;
-  // TODO: change to true once the RFC is approved
-  static final boolean DEFAULT_API_SECURITY_ENDPOINT_COLLECTION_ENABLED = false;
+  static final boolean DEFAULT_API_SECURITY_ENDPOINT_COLLECTION_ENABLED = true;
   static final int DEFAULT_API_SECURITY_ENDPOINT_COLLECTION_MESSAGE_LIMIT = 300;
   static final double DEFAULT_API_SECURITY_DOWNSTREAM_REQUEST_ANALYSIS_SAMPLE_RATE = 0.5D;
   static final int DEFAULT_API_SECURITY_MAX_DOWNSTREAM_REQUEST_BODY_ANALYSIS = 1;