Polish 'Add ability to match Endpoint requests by HTTP method'

See gh-29596

Author: philwebb

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -182,10 +182,6 @@ private ServerWebExchangeMatcher createDelegate(Supplier<C> context) {
 
 		protected abstract ServerWebExchangeMatcher createDelegate(C context);
 
-		protected final List<ServerWebExchangeMatcher> getDelegateMatchers(Set<String> paths) {
-			return getDelegateMatchers(paths, null);
-		}
-
 		protected final List<ServerWebExchangeMatcher> getDelegateMatchers(Set<String> paths, HttpMethod httpMethod) {
 			return paths.stream()
 				.map((path) -> getDelegateMatcher(path, httpMethod))
@@ -312,7 +308,7 @@ public EndpointServerWebExchangeMatcher excludingLinks() {
 		 * the specified http method
 		 */
 		public EndpointServerWebExchangeMatcher withHttpMethod(HttpMethod httpMethod) {
-			return new EndpointServerWebExchangeMatcher(this.includes, this.excludes, false, httpMethod);
+			return new EndpointServerWebExchangeMatcher(this.includes, this.excludes, this.includeLinks, httpMethod);
 		}
 
 		@Override
@@ -379,22 +375,37 @@ public static class AdditionalPathsEndpointServerWebExchangeMatcher
 
 		private final List<Object> endpoints;
 
+		private final HttpMethod httpMethod;
+
 		AdditionalPathsEndpointServerWebExchangeMatcher(WebServerNamespace webServerNamespace, String... endpoints) {
-			this(webServerNamespace, Arrays.asList((Object[]) endpoints));
+			this(webServerNamespace, Arrays.asList((Object[]) endpoints), null);
 		}
 
 		AdditionalPathsEndpointServerWebExchangeMatcher(WebServerNamespace webServerNamespace, Class<?>... endpoints) {
-			this(webServerNamespace, Arrays.asList((Object[]) endpoints));
+			this(webServerNamespace, Arrays.asList((Object[]) endpoints), null);
 		}
 
 		private AdditionalPathsEndpointServerWebExchangeMatcher(WebServerNamespace webServerNamespace,
-				List<Object> endpoints) {
+				List<Object> endpoints, HttpMethod httpMethod) {
 			super(PathMappedEndpoints.class);
 			Assert.notNull(webServerNamespace, "'webServerNamespace' must not be null");
 			Assert.notNull(endpoints, "'endpoints' must not be null");
 			Assert.notEmpty(endpoints, "'endpoints' must not be empty");
 			this.webServerNamespace = webServerNamespace;
 			this.endpoints = endpoints;
+			this.httpMethod = httpMethod;
+		}
+
+		/**
+		 * Restricts the matcher to only consider requests with a particular HTTP method.
+		 * @param httpMethod the HTTP method to include
+		 * @return a copy of the matcher further restricted to only match requests with
+		 * the specified HTTP method
+		 * @since 3.5.0
+		 */
+		public AdditionalPathsEndpointServerWebExchangeMatcher withHttpMethod(HttpMethod httpMethod) {
+			return new AdditionalPathsEndpointServerWebExchangeMatcher(this.webServerNamespace, this.endpoints,
+					httpMethod);
 		}
 
 		@Override
@@ -410,7 +421,7 @@ protected ServerWebExchangeMatcher createDelegate(PathMappedEndpoints endpoints)
 				.map(this::getEndpointId)
 				.flatMap((endpointId) -> streamAdditionalPaths(endpoints, endpointId))
 				.collect(Collectors.toCollection(LinkedHashSet::new));
-			List<ServerWebExchangeMatcher> delegateMatchers = getDelegateMatchers(paths);
+			List<ServerWebExchangeMatcher> delegateMatchers = getDelegateMatchers(paths, this.httpMethod);
 			return (!CollectionUtils.isEmpty(delegateMatchers)) ? new OrServerWebExchangeMatcher(delegateMatchers)
 					: EMPTY_MATCHER;
 		}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AntPathRequestMatcherProvider.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.actuate.autoconfigure.security.servlet;
+
+import java.util.function.Function;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+/**
+ * {@link RequestMatcherProvider} that provides an {@link AntPathRequestMatcher}.
+ *
+ * @author Madhura Bhave
+ * @author Chris Bono
+ */
+class AntPathRequestMatcherProvider implements RequestMatcherProvider {
+
+	private final Function<String, String> pathFactory;
+
+	AntPathRequestMatcherProvider(Function<String, String> pathFactory) {
+		this.pathFactory = pathFactory;
+	}
+
+	@Override
+	public RequestMatcher getRequestMatcher(String pattern, HttpMethod httpMethod) {
+		String path = this.pathFactory.apply(pattern);
+		return new AntPathRequestMatcher(path, (httpMethod != null) ? httpMethod.name() : null);
+	}
+
+}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,6 @@
 import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
-import org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider;
 import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
 import org.springframework.boot.web.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
@@ -212,11 +211,6 @@ private RequestMatcher createDelegate(WebApplicationContext context) {
 		protected abstract RequestMatcher createDelegate(WebApplicationContext context,
 				RequestMatcherFactory requestMatcherFactory);
 
-		protected final List<RequestMatcher> getDelegateMatchers(RequestMatcherFactory requestMatcherFactory,
-				RequestMatcherProvider matcherProvider, Set<String> paths) {
-			return getDelegateMatchers(requestMatcherFactory, matcherProvider, paths, null);
-		}
-
 		protected final List<RequestMatcher> getDelegateMatchers(RequestMatcherFactory requestMatcherFactory,
 				RequestMatcherProvider matcherProvider, Set<String> paths, HttpMethod httpMethod) {
 			return paths.stream()
@@ -234,21 +228,37 @@ protected List<RequestMatcher> getLinksMatchers(RequestMatcherFactory requestMat
 
 		protected RequestMatcherProvider getRequestMatcherProvider(WebApplicationContext context) {
 			try {
-				return context.getBean(RequestMatcherProvider.class);
+				return getRequestMatcherProviderBean(context);
 			}
 			catch (NoSuchBeanDefinitionException ex) {
 				return (pattern, method) -> new AntPathRequestMatcher(pattern, (method != null) ? method.name() : null);
 			}
 		}
 
-		protected final String toString(List<Object> endpoints, String emptyValue) {
+		private RequestMatcherProvider getRequestMatcherProviderBean(WebApplicationContext context) {
+			try {
+				return context.getBean(RequestMatcherProvider.class);
+			}
+			catch (NoSuchBeanDefinitionException ex) {
+				return getAndAdaptDeprecatedRequestMatcherProviderBean(context);
+			}
+		}
+
+		@SuppressWarnings("removal")
+		private RequestMatcherProvider getAndAdaptDeprecatedRequestMatcherProviderBean(WebApplicationContext context) {
+			org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider bean = context
+				.getBean(org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider.class);
+			return (pattern, method) -> bean.getRequestMatcher(pattern);
+		}
+
+		protected String toString(List<Object> endpoints, String emptyValue) {
 			return (!endpoints.isEmpty()) ? endpoints.stream()
 				.map(this::getEndpointId)
 				.map(Object::toString)
 				.collect(Collectors.joining(", ", "[", "]")) : emptyValue;
 		}
 
-		protected final EndpointId getEndpointId(Object source) {
+		protected EndpointId getEndpointId(Object source) {
 			if (source instanceof EndpointId endpointId) {
 				return endpointId;
 			}
@@ -319,13 +329,14 @@ public EndpointRequestMatcher excludingLinks() {
 		}
 
 		/**
-		 * Restricts the matcher to only consider requests with a particular http method.
-		 * @param httpMethod the http method to include
+		 * Restricts the matcher to only consider requests with a particular HTTP method.
+		 * @param httpMethod the HTTP method to include
 		 * @return a copy of the matcher further restricted to only match requests with
-		 * the specified http method
+		 * the specified HTTP method
+		 * @since 3.5.0
 		 */
 		public EndpointRequestMatcher withHttpMethod(HttpMethod httpMethod) {
-			return new EndpointRequestMatcher(this.includes, this.excludes, false, httpMethod);
+			return new EndpointRequestMatcher(this.includes, this.excludes, this.includeLinks, httpMethod);
 		}
 
 		@Override
@@ -394,20 +405,35 @@ public static class AdditionalPathsEndpointRequestMatcher extends AbstractReques
 
 		private final List<Object> endpoints;
 
+		private final HttpMethod httpMethod;
+
 		AdditionalPathsEndpointRequestMatcher(WebServerNamespace webServerNamespace, String... endpoints) {
-			this(webServerNamespace, Arrays.asList((Object[]) endpoints));
+			this(webServerNamespace, Arrays.asList((Object[]) endpoints), null);
 		}
 
 		AdditionalPathsEndpointRequestMatcher(WebServerNamespace webServerNamespace, Class<?>... endpoints) {
-			this(webServerNamespace, Arrays.asList((Object[]) endpoints));
+			this(webServerNamespace, Arrays.asList((Object[]) endpoints), null);
 		}
 
-		private AdditionalPathsEndpointRequestMatcher(WebServerNamespace webServerNamespace, List<Object> endpoints) {
+		private AdditionalPathsEndpointRequestMatcher(WebServerNamespace webServerNamespace, List<Object> endpoints,
+				HttpMethod httpMethod) {
 			Assert.notNull(webServerNamespace, "'webServerNamespace' must not be null");
 			Assert.notNull(endpoints, "'endpoints' must not be null");
 			Assert.notEmpty(endpoints, "'endpoints' must not be empty");
 			this.webServerNamespace = webServerNamespace;
 			this.endpoints = endpoints;
+			this.httpMethod = httpMethod;
+		}
+
+		/**
+		 * Restricts the matcher to only consider requests with a particular HTTP method.
+		 * @param httpMethod the HTTP method to include
+		 * @return a copy of the matcher further restricted to only match requests with
+		 * the specified HTTP method
+		 * @since 3.5.0
+		 */
+		public AdditionalPathsEndpointRequestMatcher withHttpMethod(HttpMethod httpMethod) {
+			return new AdditionalPathsEndpointRequestMatcher(this.webServerNamespace, this.endpoints, httpMethod);
 		}
 
 		@Override
@@ -426,7 +452,8 @@ protected RequestMatcher createDelegate(WebApplicationContext context,
 				.map(this::getEndpointId)
 				.flatMap((endpointId) -> streamAdditionalPaths(endpoints, endpointId))
 				.collect(Collectors.toCollection(LinkedHashSet::new));
-			List<RequestMatcher> delegateMatchers = getDelegateMatchers(requestMatcherFactory, matcherProvider, paths);
+			List<RequestMatcher> delegateMatchers = getDelegateMatchers(requestMatcherFactory, matcherProvider, paths,
+					this.httpMethod);
 			return (!CollectionUtils.isEmpty(delegateMatchers)) ? new OrRequestMatcher(delegateMatchers)
 					: EMPTY_MATCHER;
 		}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/RequestMatcherProvider.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2012-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.actuate.autoconfigure.security.servlet;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+/**
+ * Interface that can be used to provide a {@link RequestMatcher} that can be used with
+ * Spring Security.
+ *
+ * @author Madhura Bhave
+ * @author Chris Bono
+ * @since 3.5.0
+ */
+@FunctionalInterface
+public interface RequestMatcherProvider {
+
+	/**
+	 * Return the {@link RequestMatcher} to be used for the specified pattern and http
+	 * method.
+	 * @param pattern the request pattern
+	 * @param httpMethod the http method
+	 * @return a request matcher
+	 */
+	RequestMatcher getRequestMatcher(String pattern, HttpMethod httpMethod);
+
+}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/SecurityRequestMatchersManagementContextConfiguration.java

@@ -24,8 +24,6 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.boot.autoconfigure.security.servlet.AntPathRequestMatcherProvider;
-import org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider;
 import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletPath;
 import org.springframework.boot.autoconfigure.web.servlet.JerseyApplicationPath;
 import org.springframework.context.annotation.Bean;

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequestIntegrationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2021 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequestTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequestTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2024 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,7 +34,6 @@
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
-import org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider;
 import org.springframework.boot.web.context.WebServerApplicationContext;
 import org.springframework.boot.web.server.WebServer;
 import org.springframework.http.HttpMethod;

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/SecurityRequestMatchersManagementContextConfigurationTests.java

@@ -19,8 +19,6 @@
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.autoconfigure.security.servlet.AntPathRequestMatcherProvider;
-import org.springframework.boot.autoconfigure.security.servlet.RequestMatcherProvider;
 import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletPath;
 import org.springframework.boot.autoconfigure.web.servlet.JerseyApplicationPath;
 import org.springframework.boot.test.context.FilteredClassLoader;
@@ -61,7 +59,7 @@ void configurationConditionalOnRequestMatcherClass() {
 	void registersRequestMatcherProviderIfMvcPresent() {
 		this.contextRunner.withUserConfiguration(TestMvcConfiguration.class).run((context) -> {
 			AntPathRequestMatcherProvider matcherProvider = context.getBean(AntPathRequestMatcherProvider.class);
-			RequestMatcher requestMatcher = matcherProvider.getRequestMatcher("/example");
+			RequestMatcher requestMatcher = matcherProvider.getRequestMatcher("/example", null);
 			assertThat(requestMatcher).extracting("pattern").isEqualTo("/custom/example");
 		});
 	}
@@ -72,7 +70,7 @@ void registersRequestMatcherForJerseyProviderIfJerseyPresentAndMvcAbsent() {
 			.withUserConfiguration(TestJerseyConfiguration.class)
 			.run((context) -> {
 				AntPathRequestMatcherProvider matcherProvider = context.getBean(AntPathRequestMatcherProvider.class);
-				RequestMatcher requestMatcher = matcherProvider.getRequestMatcher("/example");
+				RequestMatcher requestMatcher = matcherProvider.getRequestMatcher("/example", null);
 				assertThat(requestMatcher).extracting("pattern").isEqualTo("/admin/example");
 			});
 	}