Add Spring MVC-generated path suffixes to endpoint paths

Spring Security doesn't know that Spring MVC maps /foo, /foo.json
and /foo/ all to the same handler. This change explicitly adds
suffixes to the actuator endpoint matchers so they are properly
protected.
This commit is contained in:
Dave Syer
2014-04-03 14:03:09 +01:00
parent 97adb5c1b3
commit 72d7c286c0
2 changed files with 24 additions and 1 deletions

View File

@@ -70,6 +70,23 @@ public class SampleActuatorApplicationTests {
.containsKey("Set-Cookie"));
}
@Test
public void testMetricsIsSecure() throws Exception {
@SuppressWarnings("rawtypes")
ResponseEntity<Map> entity = new TestRestTemplate().getForEntity(
"http://localhost:8080/metrics", Map.class);
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
entity = new TestRestTemplate().getForEntity(
"http://localhost:8080/metrics/", Map.class);
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
entity = new TestRestTemplate().getForEntity(
"http://localhost:8080/metrics/foo", Map.class);
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
entity = new TestRestTemplate().getForEntity(
"http://localhost:8080/metrics.json", Map.class);
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
}
@Test
public void testHome() throws Exception {
@SuppressWarnings("rawtypes")