Add Spring MVC-generated path suffixes to endpoint paths

Dave Syer · Dave Syer · commit 72d7c286c08d · 2014-04-03T14:03:09.000+01:00
Spring Security doesn't know that Spring MVC maps /foo, /foo.json
and /foo/ all to the same handler. This change explicitly adds
suffixes to the actuator endpoint matchers so they are properly
protected.
diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
@@ -221,7 +221,13 @@ private static String[] getEndpointPaths(
 		List<String> paths = new ArrayList<String>(endpoints.size());
 		for (MvcEndpoint endpoint : endpoints) {
 			if (endpoint.isSensitive() == secure) {
-				paths.add(endpointHandlerMapping.getPrefix() + endpoint.getPath());
+				String path = endpointHandlerMapping.getPrefix() + endpoint.getPath();
+				paths.add(path);
+				if (secure) {
+					// Add Spring MVC-generated additional paths
+					paths.add(path + "/");
+					paths.add(path + ".*");
+				}
 			}
 		}
 		return paths.toArray(new String[paths.size()]);
diff --git a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
@@ -70,6 +70,23 @@ public void testHomeIsSecure() throws Exception {
 				.containsKey("Set-Cookie"));
 	}
 
+	@Test
+	public void testMetricsIsSecure() throws Exception {
+		@SuppressWarnings("rawtypes")
+		ResponseEntity<Map> entity = new TestRestTemplate().getForEntity(
+				"http://localhost:8080/metrics", Map.class);
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+		entity = new TestRestTemplate().getForEntity(
+				"http://localhost:8080/metrics/", Map.class);
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+		entity = new TestRestTemplate().getForEntity(
+				"http://localhost:8080/metrics/foo", Map.class);
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+		entity = new TestRestTemplate().getForEntity(
+				"http://localhost:8080/metrics.json", Map.class);
+		assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+	}
+
 	@Test
 	public void testHome() throws Exception {
 		@SuppressWarnings("rawtypes")
