Account for application path for Jersey servlet endpoints

Closes gh-14895

Author: mbhave

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/web/ServletEndpointManagementContextConfiguration.java

@@ -28,6 +28,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletPath;
+import org.springframework.boot.autoconfigure.web.servlet.JerseyApplicationPath;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -82,11 +83,21 @@ public ServletEndpointRegistrar servletEndpointRegistrar(
 	@ConditionalOnMissingClass("org.springframework.web.servlet.DispatcherServlet")
 	public static class JerseyServletEndpointManagementContextConfiguration {
 
+		private final ApplicationContext context;
+
+		public JerseyServletEndpointManagementContextConfiguration(
+				ApplicationContext context) {
+			this.context = context;
+		}
+
 		@Bean
 		public ServletEndpointRegistrar servletEndpointRegistrar(
 				WebEndpointProperties properties,
 				ServletEndpointsSupplier servletEndpointsSupplier) {
-			return new ServletEndpointRegistrar(properties.getBasePath(),
+			JerseyApplicationPath jerseyApplicationPath = this.context
+					.getBean(JerseyApplicationPath.class);
+			return new ServletEndpointRegistrar(
+					jerseyApplicationPath.getRelativePath(properties.getBasePath()),
 					servletEndpointsSupplier.getEndpoints());
 		}
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/AbstractEndpointRequestIntegrationTests.java

@@ -156,7 +156,7 @@ public Object getAll() {
 
 	}
 
-	interface TestPathMappedEndpoint
+	public interface TestPathMappedEndpoint
 			extends ExposableEndpoint<Operation>, PathMappedEndpoint {
 
 	}

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/JerseyEndpointRequestIntegrationTests.java

@@ -23,6 +23,7 @@
 
 import org.glassfish.jersey.server.ResourceConfig;
 import org.glassfish.jersey.server.model.Resource;
+import org.junit.Test;
 
 import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
 import org.springframework.boot.actuate.endpoint.http.ActuatorMediaType;
@@ -41,12 +42,14 @@
 import org.springframework.boot.autoconfigure.security.servlet.SecurityRequestMatcherProviderAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
 import org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.test.web.reactive.server.WebTestClient;
 
 /**
  * Integration tests for {@link EndpointRequest} with Jersey.
@@ -60,6 +63,8 @@ public class JerseyEndpointRequestIntegrationTests
 	protected WebApplicationContextRunner getContextRunner() {
 		return new WebApplicationContextRunner(
 				AnnotationConfigServletWebServerApplicationContext::new)
+						.withClassLoader(new FilteredClassLoader(
+								"org.springframework.web.servlet.DispatcherServlet"))
 						.withUserConfiguration(JerseyEndpointConfiguration.class,
 								SecurityConfiguration.class, BaseConfiguration.class)
 						.withConfiguration(AutoConfigurations.of(
@@ -70,6 +75,41 @@ protected WebApplicationContextRunner getContextRunner() {
 								JerseyAutoConfiguration.class));
 	}
 
+	@Test
+	public void toLinksWhenApplicationPathSetShouldMatch() {
+		getContextRunner().withPropertyValues("spring.jersey.application-path=/admin")
+				.run((context) -> {
+					WebTestClient webTestClient = getWebTestClient(context);
+					webTestClient.get().uri("/admin/actuator/").exchange().expectStatus()
+							.isOk();
+					webTestClient.get().uri("/admin/actuator").exchange().expectStatus()
+							.isOk();
+				});
+	}
+
+	@Test
+	public void toEndpointWhenApplicationPathSetShouldMatch() {
+		getContextRunner().withPropertyValues("spring.jersey.application-path=/admin")
+				.run((context) -> {
+					WebTestClient webTestClient = getWebTestClient(context);
+					webTestClient.get().uri("/admin/actuator/e1").exchange()
+							.expectStatus().isOk();
+				});
+	}
+
+	@Test
+	public void toAnyEndpointWhenApplicationPathSetShouldMatch() {
+		getContextRunner().withPropertyValues("spring.jersey.application-path=/admin",
+				"spring.security.user.password=password").run((context) -> {
+					WebTestClient webTestClient = getWebTestClient(context);
+					webTestClient.get().uri("/admin/actuator/e2").exchange()
+							.expectStatus().isUnauthorized();
+					webTestClient.get().uri("/admin/actuator/e2")
+							.header("Authorization", getBasicAuth()).exchange()
+							.expectStatus().isOk();
+				});
+	}
+
 	@Configuration
 	@EnableConfigurationProperties(WebEndpointProperties.class)
 	static class JerseyEndpointConfiguration {

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/jersey/JerseyAutoConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.autoconfigure.jersey;
 
-import java.util.Arrays;
+import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
 
@@ -53,6 +53,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.servlet.JerseyApplicationPath;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.web.servlet.DynamicRegistrationBean;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -96,8 +97,6 @@ public class JerseyAutoConfiguration implements ServletContextAware {
 
 	private final List<ResourceConfigCustomizer> customizers;
 
-	private String path;
-
 	public JerseyAutoConfiguration(JerseyProperties jersey, ResourceConfig config,
 			ObjectProvider<List<ResourceConfigCustomizer>> customizers) {
 		this.jersey = jersey;
@@ -107,16 +106,15 @@ public JerseyAutoConfiguration(JerseyProperties jersey, ResourceConfig config,
 
 	@PostConstruct
 	public void path() {
-		resolveApplicationPath();
 		customize();
 	}
 
-	private void resolveApplicationPath() {
+	private String resolveApplicationPath() {
 		if (StringUtils.hasLength(this.jersey.getApplicationPath())) {
-			this.path = parseApplicationPath(this.jersey.getApplicationPath());
+			return this.jersey.getApplicationPath();
 		}
 		else {
-			this.path = findApplicationPath(AnnotationUtils.findAnnotation(
+			return findApplicationPath(AnnotationUtils.findAnnotation(
 					this.config.getApplication().getClass(), ApplicationPath.class));
 		}
 	}
@@ -130,6 +128,12 @@ private void customize() {
 		}
 	}
 
+	@Bean
+	@ConditionalOnMissingBean
+	public JerseyApplicationPath jerseyApplicationPath() {
+		return this::resolveApplicationPath;
+	}
+
 	@Bean
 	@ConditionalOnMissingBean
 	public FilterRegistrationBean<RequestContextFilter> requestContextFilter() {
@@ -143,13 +147,15 @@ public FilterRegistrationBean<RequestContextFilter> requestContextFilter() {
 	@Bean
 	@ConditionalOnMissingBean(name = "jerseyFilterRegistration")
 	@ConditionalOnProperty(prefix = "spring.jersey", name = "type", havingValue = "filter")
-	public FilterRegistrationBean<ServletContainer> jerseyFilterRegistration() {
+	public FilterRegistrationBean<ServletContainer> jerseyFilterRegistration(
+			JerseyApplicationPath applicationPath) {
 		FilterRegistrationBean<ServletContainer> registration = new FilterRegistrationBean<>();
 		registration.setFilter(new ServletContainer(this.config));
-		registration.setUrlPatterns(Arrays.asList(this.path));
+		registration.setUrlPatterns(
+				Collections.singletonList(applicationPath.getUrlMapping()));
 		registration.setOrder(this.jersey.getFilter().getOrder());
 		registration.addInitParameter(ServletProperties.FILTER_CONTEXT_PATH,
-				stripPattern(this.path));
+				stripPattern(applicationPath.getPath()));
 		addInitParameters(registration);
 		registration.setName("jerseyFilter");
 		registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
@@ -166,9 +172,10 @@ private String stripPattern(String path) {
 	@Bean
 	@ConditionalOnMissingBean(name = "jerseyServletRegistration")
 	@ConditionalOnProperty(prefix = "spring.jersey", name = "type", havingValue = "servlet", matchIfMissing = true)
-	public ServletRegistrationBean<ServletContainer> jerseyServletRegistration() {
+	public ServletRegistrationBean<ServletContainer> jerseyServletRegistration(
+			JerseyApplicationPath applicationPath) {
 		ServletRegistrationBean<ServletContainer> registration = new ServletRegistrationBean<>(
-				new ServletContainer(this.config), this.path);
+				new ServletContainer(this.config), applicationPath.getUrlMapping());
 		addInitParameters(registration);
 		registration.setName(getServletRegistrationName());
 		registration.setLoadOnStartup(this.jersey.getServlet().getLoadOnStartup());
@@ -188,14 +195,7 @@ private static String findApplicationPath(ApplicationPath annotation) {
 		if (annotation == null) {
 			return "/*";
 		}
-		return parseApplicationPath(annotation.value());
-	}
-
-	private static String parseApplicationPath(String applicationPath) {
-		if (!applicationPath.startsWith("/")) {
-			applicationPath = "/" + applicationPath;
-		}
-		return applicationPath.equals("/") ? "/*" : applicationPath + "/*";
+		return annotation.value();
 	}
 
 	@Override

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/JerseyRequestMatcherProvider.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.boot.autoconfigure.security.servlet;
+
+import org.springframework.boot.autoconfigure.web.servlet.JerseyApplicationPath;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+/**
+ * {@link RequestMatcherProvider} that provides an {@link AntPathRequestMatcher} that can
+ * be used for Jersey applications.
+ *
+ * @author Madhura Bhave
+ * @since 2.0.7
+ */
+public class JerseyRequestMatcherProvider implements RequestMatcherProvider {
+
+	private final JerseyApplicationPath jerseyApplicationPath;
+
+	public JerseyRequestMatcherProvider(JerseyApplicationPath jerseyApplicationPath) {
+		this.jerseyApplicationPath = jerseyApplicationPath;
+	}
+
+	@Override
+	public RequestMatcher getRequestMatcher(String pattern) {
+		return new AntPathRequestMatcher(
+				this.jerseyApplicationPath.getRelativePath(pattern));
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SecurityRequestMatcherProviderAutoConfiguration.java

@@ -15,9 +15,13 @@
  */
 package org.springframework.boot.autoconfigure.security.servlet;
 
+import org.glassfish.jersey.server.ResourceConfig;
+
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.web.servlet.JerseyApplicationPath;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -31,15 +35,36 @@
  * @since 2.0.5
  */
 @Configuration
-@ConditionalOnClass({ RequestMatcher.class, DispatcherServlet.class })
+@ConditionalOnClass({ RequestMatcher.class })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
-@ConditionalOnBean(HandlerMappingIntrospector.class)
 public class SecurityRequestMatcherProviderAutoConfiguration {
 
-	@Bean
-	public RequestMatcherProvider requestMatcherProvider(
-			HandlerMappingIntrospector introspector) {
-		return new MvcRequestMatcherProvider(introspector);
+	@Configuration
+	@ConditionalOnClass(DispatcherServlet.class)
+	@ConditionalOnBean(HandlerMappingIntrospector.class)
+	public static class MvcRequestMatcherConfiguration {
+
+		@Bean
+		@ConditionalOnClass(DispatcherServlet.class)
+		public RequestMatcherProvider requestMatcherProvider(
+				HandlerMappingIntrospector introspector) {
+			return new MvcRequestMatcherProvider(introspector);
+		}
+
+	}
+
+	@Configuration
+	@ConditionalOnClass(ResourceConfig.class)
+	@ConditionalOnMissingClass("org.springframework.web.servlet.DispatcherServlet")
+	@ConditionalOnBean(JerseyApplicationPath.class)
+	public static class JerseyRequestMatcherConfiguration {
+
+		@Bean
+		public RequestMatcherProvider requestMatcherProvider(
+				JerseyApplicationPath applicationPath) {
+			return new JerseyRequestMatcherProvider(applicationPath);
+		}
+
 	}
 
 }