Allow /health to be accessed anonymously irresepctive of its sensitivity

The changes in 3bb598a4 overload the health endpoint's sensitive
property such that it's now considered sensitive if management
security is enabled. When an endpoint is sensitive anonymous
access is prevented. This breaks the health endpoint which should
return a filtered view of the server's health when it's accessed
anonymously rather than rejecting the request.

This commit introduces AnonymouslyAccessibleMvcEndpoint, a marker
extension of the MvcEndpoint interface. It is implemented by
HealthMvcEndpoint. ManagementSecurityAutoConfiguration has been
updated to allow anonymous access to endpoints that aren't sensitive
or that implement AnonymouslyAccessibleMvcEndpoint.

Fixes gh-2015

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java

@@ -25,6 +25,7 @@ import javax.annotation.PostConstruct;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.actuate.endpoint.Endpoint;
+import org.springframework.boot.actuate.endpoint.mvc.AnonymouslyAccessibleMvcEndpoint;
 import org.springframework.boot.actuate.endpoint.mvc.EndpointHandlerMapping;
 import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
@@ -268,7 +269,8 @@ public class ManagementSecurityAutoConfiguration {
 		Set<? extends MvcEndpoint> endpoints = endpointHandlerMapping.getEndpoints();
 		List<String> paths = new ArrayList<String>(endpoints.size());
 		for (MvcEndpoint endpoint : endpoints) {
-			if (endpoint.isSensitive() == secure) {
+			if (endpoint.isSensitive() == secure
+					|| (!secure && endpoint instanceof AnonymouslyAccessibleMvcEndpoint)) {
 				String path = endpointHandlerMapping.getPath(endpoint.getPath());
 				paths.add(path);
 				// Add Spring MVC-generated additional paths

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/AnonymouslyAccessibleMvcEndpoint.java

+/*
+ * Copyright 2012-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.actuate.endpoint.mvc;
+
+/**
+ * An {@link MvcEndpoint} that should be accessible without authentication
+ *
+ * @author Andy Wilkinson
+ * @since 1.2.0
+ */
+public interface AnonymouslyAccessibleMvcEndpoint extends MvcEndpoint {
+
+}

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/HealthMvcEndpoint.java

@@ -39,7 +39,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
  * @author Andy Wilkinson
  * @since 1.1.0
  */
-public class HealthMvcEndpoint implements MvcEndpoint {
+public class HealthMvcEndpoint implements AnonymouslyAccessibleMvcEndpoint {
 
 	private Map<String, HttpStatus> statusMapping = new HashMap<String, HttpStatus>();
 

spring-boot-samples/spring-boot-sample-actuator/src/main/resources/application.properties

 logging.file: /tmp/logs/app.log
-logging.level.org.springframework.security: DEBUG
+logging.level.org.springframework.security: INFO
 management.address: 127.0.0.1
 #management.port: 8181
 endpoints.shutdown.enabled: true