Configure filter to process preflight requests for webflux actuator endpoints

Fixes gh-24541

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java

@@ -34,9 +34,12 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.WebFilterChainProxy;
+import org.springframework.web.cors.reactive.PreFlightRequestHandler;
+import org.springframework.web.cors.reactive.PreFlightRequestWebFilter;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for Reactive Spring Security when
@@ -57,11 +60,13 @@ import org.springframework.security.web.server.WebFilterChainProxy;
 public class ReactiveManagementWebSecurityAutoConfiguration {
 
 	@Bean
-	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
+	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, PreFlightRequestHandler handler) {
 		http.authorizeExchange((exchanges) -> {
 			exchanges.matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
 			exchanges.anyExchange().authenticated();
 		});
+		PreFlightRequestWebFilter filter = new PreFlightRequestWebFilter(handler);
+		http.addFilterAt(filter, SecurityWebFiltersOrder.CORS);
 		http.httpBasic(Customizer.withDefaults());
 		http.formLogin(Customizer.withDefaults());
 		return http.build();

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java

@@ -35,6 +35,7 @@ import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.reactive.ReactiveUserDetailsServiceAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxAutoConfiguration;
 import org.springframework.boot.test.context.assertj.AssertableReactiveWebApplicationContext;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
 import org.springframework.context.ApplicationContext;
@@ -68,9 +69,9 @@ class ReactiveManagementWebSecurityAutoConfigurationTests {
 	private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
 			.withConfiguration(AutoConfigurations.of(HealthContributorAutoConfiguration.class,
 					HealthEndpointAutoConfiguration.class, InfoEndpointAutoConfiguration.class,
-					EnvironmentEndpointAutoConfiguration.class, EndpointAutoConfiguration.class,
-					WebEndpointAutoConfiguration.class, ReactiveSecurityAutoConfiguration.class,
-					ReactiveUserDetailsServiceAutoConfiguration.class,
+					WebFluxAutoConfiguration.class, EnvironmentEndpointAutoConfiguration.class,
+					EndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class,
+					ReactiveSecurityAutoConfiguration.class, ReactiveUserDetailsServiceAutoConfiguration.class,
 					ReactiveManagementWebSecurityAutoConfiguration.class));
 
 	@Test

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/CorsSampleActuatorApplicationTests.java

+/*
+ * Copyright 2012-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package smoketest.secure.webflux;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.ApplicationContext;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+/**
+ * Integration test for cors preflight requests to management endpoints.
+ *
+ * @author Madhura Bhave
+ */
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@ActiveProfiles("cors")
+class CorsSampleActuatorApplicationTests {
+
+	@Autowired
+	private WebTestClient webClient;
+
+	@Autowired
+	private ApplicationContext applicationContext;
+
+	@Test
+	void endpointShouldReturnUnauthorized() {
+		this.webClient.get().uri("/actuator/env").exchange().expectStatus().isUnauthorized();
+	}
+
+	@Test
+	void preflightRequestToEndpointShouldReturnOk() throws Exception {
+		this.webClient.options().uri("/actuator/env").header("Origin", "http://localhost:8080")
+				.header("Access-Control-Request-Method", "GET").exchange().expectStatus().isOk();
+	}
+
+	@Test
+	void preflightRequestWhenCorsConfigInvalidShouldReturnForbidden() throws Exception {
+		this.webClient.options().uri("/actuator/env").header("Origin", "http://localhost:9095")
+				.header("Access-Control-Request-Method", "GET").exchange().expectStatus().isForbidden();
+	}
+
+}

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/resources/application-cors.properties

+management.endpoints.web.cors.allowed-origins=http://localhost:8080
+management.endpoints.web.cors.allowed-methods=GET