Merge pull request #59 from entur/feat/SIK-1688

vevik · web-flow · commit 76c97854f0aa · 2025-10-30T12:05:53.000+01:00
feat: Changed actuator permit from actuator/** too individual paths.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # [Release notes](https://github.com/entur/oidc-auth-client)
 
+## oidc-auth-resource-server v2.0.0
+* Changed actuator permit from actuator/** too individual paths.
+
 ## oidc-auth-resource-server v1.1.4
 * Add support for parameter annotation in JUnit test classes.
 
diff --git a/gradle.properties b/gradle.properties
@@ -1,4 +1,4 @@
 group=org.entur.auth.resource-server
-version=1.1.5-SNAPSHOT
+version=2.0.0-SNAPSHOT
 
 org.gradle.jvmargs=-Xms128m -Xmx2048m
diff --git a/oidc-rs-junit-tenant/src/main/java/org/entur/auth/junit/jwt/JwtTokenFactory.java b/oidc-rs-junit-tenant/src/main/java/org/entur/auth/junit/jwt/JwtTokenFactory.java
@@ -116,7 +116,7 @@ public boolean containsTenant(Provider provider, String tenant) {
      * @param audience (optional) array of audience values; may be {@code null}
      * @param claims (optional) additional custom claims to include; may be {@code null}
      * @param expiresAt the expiration time of the token (must be in the future)
-     * @return a signed JWT compact‐serialization string
+     * @return a signed JWT compact serialization string
      * @throws IllegalArgumentException if no key pair exists for the given {@code provider}/{@code
      *     domain}
      */
diff --git a/oidc-rs-spring-boot-web-config/src/main/java/org/entur/auth/spring/config/authorization/AuthorizationHelper.java b/oidc-rs-spring-boot-web-config/src/main/java/org/entur/auth/spring/config/authorization/AuthorizationHelper.java
@@ -23,8 +23,27 @@ public static void configure(
         AuthorizationPermitAllProperties permitAll = authorization.getPermitAll();
 
         if (permitAll.isActuator() && managementBasePath != null) {
-            authorizeRequests.requestMatchers(managementBasePath + "/**").permitAll();
-            log.info("All authorize requests to {}/** will be permitted", managementBasePath);
+            authorizeRequests
+                    .requestMatchers(
+                            HttpMethod.GET,
+                            managementBasePath,
+                            managementBasePath + "/prometheus",
+                            managementBasePath + "/info",
+                            managementBasePath + "/metrics",
+                            managementBasePath + "/health",
+                            managementBasePath + "/health/readiness",
+                            managementBasePath + "/health/liveness")
+                    .permitAll();
+
+            log.info(
+                    "All authorize requests to {}, {}/prometheus, {}/info, {}/metrics, {}/health, {}/health/readiness, {}/health/liveness will be permitted",
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath);
         }
 
         if (permitAll.isOpenApi()) {
diff --git a/oidc-rs-spring-boot-webflux-config/src/main/java/org/entur/auth/spring/config/authorization/ReactiveAuthorizationHelper.java b/oidc-rs-spring-boot-webflux-config/src/main/java/org/entur/auth/spring/config/authorization/ReactiveAuthorizationHelper.java
@@ -21,8 +21,26 @@ public static void configure(
         AuthorizationPermitAllProperties permitAll = authorization.getPermitAll();
 
         if (permitAll.isActuator() && managementBasePath != null) {
-            authorizeExchangeSpec.pathMatchers(managementBasePath + "/**").permitAll();
-            log.info("All authorize requests to {}/** will be permitted", managementBasePath);
+            authorizeExchangeSpec
+                    .pathMatchers(
+                            managementBasePath,
+                            managementBasePath + "/prometheus",
+                            managementBasePath + "/info",
+                            managementBasePath + "/metrics",
+                            managementBasePath + "/health",
+                            managementBasePath + "/health/readiness",
+                            managementBasePath + "/health/liveness")
+                    .permitAll();
+
+            log.info(
+                    "All authorize requests to {}, {}/prometheus, {}/info, {}/metrics, {}/health, {}/health/readiness, {}/health/liveness will be permitted",
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath,
+                    managementBasePath);
         }
 
         if (permitAll.isOpenApi()) {
