Add Spring MVC-generated path suffixes to endpoint paths
Spring Security doesn't know that Spring MVC maps /foo, /foo.json and /foo/ all to the same handler. This change explicitly adds suffixes to the actuator endpoint matchers so they are properly protected.
This commit is contained in:
@@ -70,6 +70,23 @@ public class SampleActuatorApplicationTests {
|
||||
.containsKey("Set-Cookie"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testMetricsIsSecure() throws Exception {
|
||||
@SuppressWarnings("rawtypes")
|
||||
ResponseEntity<Map> entity = new TestRestTemplate().getForEntity(
|
||||
"http://localhost:8080/metrics", Map.class);
|
||||
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
|
||||
entity = new TestRestTemplate().getForEntity(
|
||||
"http://localhost:8080/metrics/", Map.class);
|
||||
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
|
||||
entity = new TestRestTemplate().getForEntity(
|
||||
"http://localhost:8080/metrics/foo", Map.class);
|
||||
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
|
||||
entity = new TestRestTemplate().getForEntity(
|
||||
"http://localhost:8080/metrics.json", Map.class);
|
||||
assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testHome() throws Exception {
|
||||
@SuppressWarnings("rawtypes")
|
||||
|
||||
Reference in New Issue
Block a user