Match nested paths for insensitive actuators

Update `ManagementWebSecurityAutoConfiguration` to match nested path for insensitive actuators. Prior to this commit, when Spring Security was on the classpath nested paths were considered sensitive (even if the actuator endpoint was not sensitive). i.e. when setting `endpoints.env.sensitive=false` `/env` could be accessed without authentication but `/env/user` could not. Fixes gh-7868 Closes gh-7881

Match nested paths for insensitive actuators
Update `ManagementWebSecurityAutoConfiguration` to match nested path for insensitive actuators. Prior to this commit, when Spring Security was on the classpath nested paths were considered sensitive (even if the actuator endpoint was not sensitive). i.e. when setting `endpoints.env.sensitive=false` `/env` could be accessed without authentication but `/env/user` could not. Fixes gh-7868 Closes gh-7881
4ea47220 · Madhura Bhave · Phillip Webb · 18aa9be4 · 4ea47220 · 4ea47220
Commit 4ea47220 authored Jan 05, 2017 by Madhura Bhave Committed by Phillip Webb Jan 06, 2017
7 changed files
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2017 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -257,10 +257,11 @@ public class ManagementWebSecurityAutoConfiguration {

 		private void configurePermittedRequests(
 				ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry requests) {
+			requests.requestMatchers(new LazyEndpointPathRequestMatcher(
+					this.contextResolver, EndpointPaths.SENSITIVE)).authenticated();
 			// Permit access to the non-sensitive endpoints
 			requests.requestMatchers(new LazyEndpointPathRequestMatcher(
 					this.contextResolver, EndpointPaths.NON_SENSITIVE)).permitAll();
-			requests.anyRequest().authenticated();
 		}

 	}
@@ -276,6 +277,15 @@ public class ManagementWebSecurityAutoConfiguration {
 				return !endpoint.isSensitive();
 			}

+		},
+
+		SENSITIVE {
+
+			@Override
+			protected boolean isIncluded(MvcEndpoint endpoint) {
+				return endpoint.isSensitive();
+			}
+
 		};

 		public String[] getPaths(EndpointHandlerMapping endpointHandlerMapping) {
@@ -289,12 +299,9 @@ public class ManagementWebSecurityAutoConfiguration {
 					String path = endpointHandlerMapping.getPath(endpoint.getPath());
 					paths.add(path);
 					if (!path.equals("")) {
-						if (endpoint.isSensitive()) {
-							// Ensure that nested paths are secured
-							paths.add(path + "/**");
-							// Add Spring MVC-generated additional paths
-							paths.add(path + ".*");
-						}
+						paths.add(path + "/**");
+						// Add Spring MVC-generated additional paths
+						paths.add(path + ".*");
 					}
 					paths.add(path + "/");
 				}

--- a/spring-boot-samples/pom.xml
+++ b/spring-boot-samples/pom.xml
@@ -115,6 +115,7 @@
 		<module>spring-boot-sample-websocket-undertow</module>
 		<module>spring-boot-sample-webservices</module>
 		<module>spring-boot-sample-xml</module>
+		<module>spring-boot-sample-hypermedia-ui-secure</module>
 	</modules>
 	<!-- No dependencies - otherwise the samples won't work if you change the
 		parent -->

--- a/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/pom.xml
+++ b/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/pom.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<parent>
+		<artifactId>spring-boot-samples</artifactId>
+		<groupId>org.springframework.boot</groupId>
+		<version>1.5.0.BUILD-SNAPSHOT</version>
+	</parent>
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>spring-boot-sample-hypermedia-ui-secure</artifactId>
+	<name>Spring Boot Hypermedia UI Secure Sample</name>
+	<description>Spring Boot Hypermedia UI Secure Sample</description>
+	<properties>
+		<main.basedir>${basedir}/../..</main.basedir>
+	</properties>
+	<dependencies>
+		<!-- Compile -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-actuator</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-hateoas</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-actuator-docs</artifactId>
+		</dependency>
+		<!-- Test -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+</project>
--- a/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/main/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplication.java
+++ b/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/main/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplication.java
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.hypermedia.ui.secure;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class SampleHypermediaUiSecureApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(SampleHypermediaUiSecureApplication.class, args);
+	}
+
+}
--- a/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/main/resources/static/index.html
+++ b/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/main/resources/static/index.html
+<html>
+<body>
+	<h1>Hello World!</h1>
+</body>
+</html>
\ No newline at end of file
--- a/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/test/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/test/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplicationTests.java
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.hypermedia.ui.secure;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, properties = {
+		"endpoints.env.sensitive=false" })
+public class SampleHypermediaUiSecureApplicationTests {
+
+	@Autowired
+	private TestRestTemplate restTemplate;
+
+	@Test
+	public void links() {
+		String response = this.restTemplate.getForObject("/actuator", String.class);
+		assertThat(response).contains("\"_links\":");
+	}
+
+	@Test
+	public void testInSecureNestedPath() throws Exception {
+		ResponseEntity<String> entity = this.restTemplate.getForEntity("/env",
+				String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
+		ResponseEntity<String> user = this.restTemplate.getForEntity("/env/user",
+				String.class);
+		assertThat(user.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(user.getBody()).contains("{\"user\":");
+	}
+
+	@Test
+	public void testSecurePath() throws Exception {
+		ResponseEntity<String> entity = this.restTemplate.getForEntity("/metrics",
+				String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+	}
+}
--- a/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/test/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplicationWithContextPathTests.java
+++ b/spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/test/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplicationWithContextPathTests.java
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.hypermedia.ui.secure;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, properties = {
+		"management.context-path=/admin" })
+public class SampleHypermediaUiSecureApplicationWithContextPathTests {
+
+	@Autowired
+	private TestRestTemplate restTemplate;
+
+	@Test
+	public void links() {
+		String response = this.restTemplate.getForObject("/admin", String.class);
+		assertThat(response).contains("\"_links\":");
+	}
+
+	@Test
+	public void testSecurePath() throws Exception {
+		ResponseEntity<String> entity = this.restTemplate.getForEntity("/admin/metrics",
+				String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+	}
+
+}