Ensure that management endpoints with nested paths are secured

wilkinsona · wilkinsona · commit d7ae0f3b0670 · 2015-02-12T17:50:38.000Z
Previously each endpoint was secured for path, path/, and path.*. This meant that a request to path/foo was not secured. This commit secures path/** to ensure that requests to a nested endpoint path are also secured. Fixes gh-2476
diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2014 the original author or authors.
+ * Copyright 2012-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -69,6 +69,7 @@
  * used as a security hint by the filter created here.
  *
  * @author Dave Syer
+ * @author Andy Wilkinson
  */
 @Configuration
 @ConditionalOnClass({ EnableWebSecurity.class })
@@ -243,8 +244,9 @@ private static String[] getEndpointPaths(
 				String path = endpointHandlerMapping.getPrefix() + endpoint.getPath();
 				paths.add(path);
 				if (secure) {
+					// Ensure the nested paths are secured
+					paths.add(path + "/**");
 					// Add Spring MVC-generated additional paths
-					paths.add(path + "/");
 					paths.add(path + ".*");
 				}
 			}
diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/JolokiaMvcEndpoint.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/JolokiaMvcEndpoint.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2014 the original author or authors.
+ * Copyright 2013-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,6 +42,7 @@
  * {@link MvcEndpoint} to expose Jolokia.
  *
  * @author Christian Dupuis
+ * @author Andy Wilkinson
  */
 @ConfigurationProperties(prefix = "endpoints.jolokia", ignoreUnknownFields = false)
 public class JolokiaMvcEndpoint implements MvcEndpoint, InitializingBean,
@@ -51,7 +52,7 @@ public class JolokiaMvcEndpoint implements MvcEndpoint, InitializingBean,
 	@Pattern(regexp = "/[^/]*", message = "Path must start with /")
 	private String path;
 
-	private boolean sensitive;
+	private boolean sensitive = true;
 
 	private boolean enabled = true;
 
diff --git a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2014 the original author or authors.
+ * Copyright 2012-2015 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,14 +41,18 @@
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.hasSize;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 
 /**
  * Tests for {@link ManagementSecurityAutoConfiguration}.
  *
  * @author Dave Syer
+ * @author Andy Wilkinson
  */
 public class ManagementSecurityAutoConfigurationTests {
 
@@ -71,11 +75,16 @@ public void testWebConfiguration() throws Exception {
 				EndpointAutoConfiguration.class, EndpointWebMvcAutoConfiguration.class,
 				ManagementServerPropertiesAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
+		EnvironmentTestUtils.addEnvironment(this.context, "security.basic.enabled:false");
 		this.context.refresh();
 		assertNotNull(this.context.getBean(AuthenticationManagerBuilder.class));
+		FilterChainProxy filterChainProxy = this.context.getBean(FilterChainProxy.class);
 		// 6 for static resources, one for management endpoints and one for the rest
-		assertEquals(8, this.context.getBean(FilterChainProxy.class).getFilterChains()
-				.size());
+		assertThat(filterChainProxy.getFilterChains(), hasSize(8));
+		assertThat(filterChainProxy.getFilters("/beans"), hasSize(greaterThan(0)));
+		assertThat(filterChainProxy.getFilters("/beans/"), hasSize(greaterThan(0)));
+		assertThat(filterChainProxy.getFilters("/beans.foo"), hasSize(greaterThan(0)));
+		assertThat(filterChainProxy.getFilters("/beans/foo/bar"), hasSize(greaterThan(0)));
 	}
 
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2012-2014 the original author or authors.`
	`2`	`+ * Copyright 2012-2015 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -69,6 +69,7 @@`
`69`	`69`	`* used as a security hint by the filter created here.`
`70`	`70`	`*`
`71`	`71`	`* @author Dave Syer`
	`72`	`+ * @author Andy Wilkinson`
`72`	`73`	`*/`
`73`	`74`	`@Configuration`
`74`	`75`	`@ConditionalOnClass({ EnableWebSecurity.class })`
`@@ -243,8 +244,9 @@ private static String[] getEndpointPaths(`
`243`	`244`	`String path = endpointHandlerMapping.getPrefix() + endpoint.getPath();`
`244`	`245`	`paths.add(path);`
`245`	`246`	`if (secure) {`
	`247`	`+ // Ensure the nested paths are secured`
	`248`	`+ paths.add(path + "/**");`
`246`	`249`	`// Add Spring MVC-generated additional paths`
`247`		`- paths.add(path + "/");`
`248`	`250`	`paths.add(path + ".*");`
`249`	`251`	`}`
`250`	`252`	`}`