Guard against WebServerApplicationContext not being present

Update security matchers and WebFlux actuator support to guard against
the `WebServerApplicationContext` class not being present.

Fixes gh-48388

Author: philwebb

module/spring-boot-actuator/build.gradle

@@ -27,6 +27,7 @@ description = "Spring Boot Actuator"
 dependencies {
 	api(project(":core:spring-boot"))
 
+	optional(project(":module:spring-boot-web-server"))
 	optional("com.fasterxml.jackson.core:jackson-databind")
 	optional("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
 	optional("com.github.ben-manes.caffeine:caffeine")

module/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/web/WebServerNamespace.java

@@ -18,6 +18,9 @@
 
 import org.jspecify.annotations.Nullable;
 
+import org.springframework.boot.web.server.context.WebServerApplicationContext;
+import org.springframework.context.ApplicationContext;
+import org.springframework.util.ClassUtils;
 import org.springframework.util.StringUtils;
 
 /**
@@ -30,6 +33,8 @@
  */
 public final class WebServerNamespace {
 
+	private static final String WEB_SERVER_CONTEXT_CLASS = "org.springframework.boot.web.server.context.WebServerApplicationContext";
+
 	/**
 	 * {@link WebServerNamespace} that represents the main server.
 	 */
@@ -76,6 +81,21 @@ public String toString() {
 		return this.value;
 	}
 
+	/**
+	 * Factory method to create a new {@link WebServerNamespace} from a value. If the
+	 * context is {@code null} or not a web server context then {@link #SERVER} is
+	 * returned.
+	 * @param context the application context
+	 * @return the web server namespace
+	 * @since 4.0.1
+	 */
+	public static WebServerNamespace from(@Nullable ApplicationContext context) {
+		if (!ClassUtils.isPresent(WEB_SERVER_CONTEXT_CLASS, null)) {
+			return SERVER;
+		}
+		return from(WebServerApplicationContext.getServerNamespace(context));
+	}
+
 	/**
 	 * Factory method to create a new {@link WebServerNamespace} from a value. If the
 	 * value is empty or {@code null} then {@link #SERVER} is returned.

module/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/web/WebServerNamespaceTests.java

@@ -35,7 +35,7 @@ void fromWhenValueHasText() {
 
 	@Test
 	void fromWhenValueIsNull() {
-		assertThat(WebServerNamespace.from(null)).isEqualTo(WebServerNamespace.SERVER);
+		assertThat(WebServerNamespace.from((String) null)).isEqualTo(WebServerNamespace.SERVER);
 	}
 
 	@Test

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/EndpointRequest.java

@@ -38,7 +38,6 @@
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
 import org.springframework.boot.security.web.reactive.ApplicationContextServerWebExchangeMatcher;
-import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.annotation.MergedAnnotation;
 import org.springframework.core.annotation.MergedAnnotations;
@@ -221,14 +220,14 @@ protected boolean ignoreApplicationContext(@Nullable ApplicationContext applicat
 
 		protected final boolean hasWebServerNamespace(@Nullable ApplicationContext applicationContext,
 				WebServerNamespace webServerNamespace) {
-			return WebServerApplicationContext.hasServerNamespace(applicationContext, webServerNamespace.getValue())
+			return hasServerNamespace(applicationContext, webServerNamespace.getValue())
 					|| hasImplicitServerNamespace(applicationContext, webServerNamespace);
 		}
 
 		private boolean hasImplicitServerNamespace(@Nullable ApplicationContext applicationContext,
 				WebServerNamespace webServerNamespace) {
 			return WebServerNamespace.SERVER.equals(webServerNamespace)
-					&& WebServerApplicationContext.getServerNamespace(applicationContext) == null
+					&& getServerNamespace(applicationContext) == null
 					&& getApplicationContextParent(applicationContext) == null;
 		}
 

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/EndpointRequest.java

@@ -38,7 +38,6 @@
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
 import org.springframework.boot.security.web.servlet.ApplicationContextRequestMatcher;
-import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.annotation.MergedAnnotation;
 import org.springframework.core.annotation.MergedAnnotations;
@@ -183,15 +182,14 @@ protected boolean ignoreApplicationContext(WebApplicationContext applicationCont
 
 		protected final boolean hasWebServerNamespace(ApplicationContext applicationContext,
 				WebServerNamespace webServerNamespace) {
-			return WebServerApplicationContext.hasServerNamespace(applicationContext, webServerNamespace.getValue())
+			return hasServerNamespace(applicationContext, webServerNamespace.getValue())
 					|| hasImplicitServerNamespace(applicationContext, webServerNamespace);
 		}
 
 		private boolean hasImplicitServerNamespace(ApplicationContext applicationContext,
 				WebServerNamespace webServerNamespace) {
 			return WebServerNamespace.SERVER.equals(webServerNamespace)
-					&& WebServerApplicationContext.getServerNamespace(applicationContext) == null
-					&& applicationContext.getParent() == null;
+					&& getServerNamespace(applicationContext) == null && applicationContext.getParent() == null;
 		}
 
 		@Override

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/PathRequest.java

@@ -24,7 +24,6 @@
 import org.springframework.boot.h2console.autoconfigure.H2ConsoleProperties;
 import org.springframework.boot.security.autoconfigure.web.StaticResourceLocation;
 import org.springframework.boot.security.web.servlet.ApplicationContextRequestMatcher;
-import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -76,7 +75,7 @@ private H2ConsoleRequestMatcher() {
 
 		@Override
 		protected boolean ignoreApplicationContext(WebApplicationContext applicationContext) {
-			return WebServerApplicationContext.hasServerNamespace(applicationContext, "management");
+			return hasServerNamespace(applicationContext, "management");
 		}
 
 		@Override

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/StaticResourceRequest.java

@@ -27,7 +27,6 @@
 
 import org.springframework.boot.security.autoconfigure.web.StaticResourceLocation;
 import org.springframework.boot.security.web.servlet.ApplicationContextRequestMatcher;
-import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.boot.webmvc.autoconfigure.DispatcherServletPath;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
@@ -148,7 +147,7 @@ private Stream<String> getPatterns(DispatcherServletPath dispatcherServletPath)
 
 		@Override
 		protected boolean ignoreApplicationContext(WebApplicationContext applicationContext) {
-			return WebServerApplicationContext.hasServerNamespace(applicationContext, "management");
+			return hasServerNamespace(applicationContext, "management");
 		}
 
 		@Override

module/spring-boot-security/src/main/java/org/springframework/boot/security/web/reactive/ApplicationContextServerWebExchangeMatcher.java

@@ -22,9 +22,11 @@
 import reactor.core.publisher.Mono;
 
 import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
+import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.ClassUtils;
 import org.springframework.web.server.ServerWebExchange;
 
 /**
@@ -41,6 +43,8 @@
  */
 public abstract class ApplicationContextServerWebExchangeMatcher<C> implements ServerWebExchangeMatcher {
 
+	private static final String WEB_SERVER_CONTEXT_CLASS = "org.springframework.boot.web.server.context.WebServerApplicationContext";
+
 	private final Class<? extends C> contextClass;
 
 	private volatile @Nullable Supplier<C> context;
@@ -111,4 +115,34 @@ private Supplier<C> createContext(ServerWebExchange exchange) {
 		return () -> context.getBean(this.contextClass);
 	}
 
+	/**
+	 * Returns {@code true} if the specified context is a
+	 * {@link WebServerApplicationContext} with a matching server namespace.
+	 * @param context the context to check
+	 * @param serverNamespace the server namespace to match against
+	 * @return {@code true} if the server namespace of the context matches
+	 * @since 4.0.1
+	 */
+	protected final boolean hasServerNamespace(@Nullable ApplicationContext context, String serverNamespace) {
+		if (!ClassUtils.isPresent(WEB_SERVER_CONTEXT_CLASS, null)) {
+			return false;
+		}
+		return WebServerApplicationContext.hasServerNamespace(context, serverNamespace);
+	}
+
+	/**
+	 * Returns the server namespace if the specified context is a
+	 * {@link WebServerApplicationContext}.
+	 * @param context the context
+	 * @return the server namespace or {@code null} if the context is not a
+	 * {@link WebServerApplicationContext}
+	 * @since 4.0.1
+	 */
+	protected final @Nullable String getServerNamespace(@Nullable ApplicationContext context) {
+		if (!ClassUtils.isPresent(WEB_SERVER_CONTEXT_CLASS, null)) {
+			return null;
+		}
+		return WebServerApplicationContext.getServerNamespace(context);
+	}
+
 }

module/spring-boot-security/src/main/java/org/springframework/boot/security/web/servlet/ApplicationContextRequestMatcher.java

@@ -19,11 +19,14 @@
 import java.util.function.Supplier;
 
 import jakarta.servlet.http.HttpServletRequest;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.config.AutowireCapableBeanFactory;
+import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.ClassUtils;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
@@ -41,6 +44,8 @@
  */
 public abstract class ApplicationContextRequestMatcher<C> implements RequestMatcher {
 
+	private static final String WEB_SERVER_CONTEXT_CLASS = "org.springframework.boot.web.server.context.WebServerApplicationContext";
+
 	private final Class<? extends C> contextClass;
 
 	private volatile boolean initialized;
@@ -110,4 +115,34 @@ protected void initialized(Supplier<C> context) {
 	 */
 	protected abstract boolean matches(HttpServletRequest request, Supplier<C> context);
 
+	/**
+	 * Returns {@code true} if the specified context is a
+	 * {@link WebServerApplicationContext} with a matching server namespace.
+	 * @param context the context to check
+	 * @param serverNamespace the server namespace to match against
+	 * @return {@code true} if the server namespace of the context matches
+	 * @since 4.0.1
+	 */
+	protected final boolean hasServerNamespace(@Nullable ApplicationContext context, String serverNamespace) {
+		if (!ClassUtils.isPresent(WEB_SERVER_CONTEXT_CLASS, null)) {
+			return false;
+		}
+		return WebServerApplicationContext.hasServerNamespace(context, serverNamespace);
+	}
+
+	/**
+	 * Returns the server namespace if the specified context is a
+	 * {@link WebServerApplicationContext}.
+	 * @param context the context
+	 * @return the server namespace or {@code null} if the context is not a
+	 * {@link WebServerApplicationContext}
+	 * @since 4.0.1
+	 */
+	protected final @Nullable String getServerNamespace(@Nullable ApplicationContext context) {
+		if (!ClassUtils.isPresent(WEB_SERVER_CONTEXT_CLASS, null)) {
+			return null;
+		}
+		return WebServerApplicationContext.getServerNamespace(context);
+	}
+
 }

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/servlet/PathRequestTests.java

@@ -22,14 +22,19 @@
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.h2console.autoconfigure.H2ConsoleProperties;
+import org.springframework.boot.testsupport.classpath.ClassPathExclusions;
 import org.springframework.boot.web.server.autoconfigure.ServerProperties;
+import org.springframework.boot.web.server.context.WebServerApplicationContext;
+import org.springframework.context.support.GenericApplicationContext;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.context.support.StaticWebApplicationContext;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
 /**
  * Tests for {@link PathRequest}.
@@ -59,14 +64,31 @@ void toH2ConsoleWhenManagementContextShouldNeverMatch() {
 		assertMatcher(matcher, "management").doesNotMatch("/js/file.js");
 	}
 
+	@Test
+	@ClassPathExclusions(packages = "org.springframework.boot.web.server.context")
+	void toH2ConsoleWhenNoWebServerContextClassPresent() {
+		assertThatExceptionOfType(NoClassDefFoundError.class)
+			.isThrownBy(() -> WebServerApplicationContext.class.getName());
+		RequestMatcher matcher = PathRequest.toH2Console();
+		StaticWebApplicationContext context = new StaticWebApplicationContext();
+		assertMatcher(matcher, context).matches("/h2-console");
+		assertMatcher(matcher, context).matches("/h2-console/subpath");
+		assertMatcher(matcher, context).doesNotMatch("/js/file.js");
+	}
+
 	private RequestMatcherAssert assertMatcher(RequestMatcher matcher) {
-		return assertMatcher(matcher, null);
+		return assertMatcher(matcher, (String) null);
 	}
 
 	private RequestMatcherAssert assertMatcher(RequestMatcher matcher, @Nullable String serverNamespace) {
-		TestWebApplicationContext context = new TestWebApplicationContext(serverNamespace);
-		context.registerBean(ServerProperties.class);
-		context.registerBean(H2ConsoleProperties.class);
+		StaticWebApplicationContext context = new TestWebApplicationContext(serverNamespace);
+		return assertMatcher(matcher, context);
+	}
+
+	private RequestMatcherAssert assertMatcher(RequestMatcher matcher, WebApplicationContext context) {
+		GenericApplicationContext genericContext = (GenericApplicationContext) context;
+		genericContext.registerBean(ServerProperties.class);
+		genericContext.registerBean(H2ConsoleProperties.class);
 		return assertThat(new RequestMatcherAssert(context, matcher));
 	}