Allow security.ignored=none to switch off ignores

5f8f0625 · Dave Syer · 938c267a · 5f8f0625 · 5f8f0625 · 5f8f0625
Commit 5f8f0625 authored Sep 06, 2013 by Dave Syer
4 changed files
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
@@ -128,6 +128,9 @@ public class SecurityAutoConfiguration {
 	private static class ApplicationWebSecurityConfigurerAdapter extends
 			WebSecurityConfigurerAdapter {
+		private static List<String> DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
+				"/images/**", "/**/favicon.ico");
 		@Autowired
 		private SecurityProperties security;
@@ -187,10 +190,17 @@ public class SecurityAutoConfiguration {
 		@Override
 		public void configure(WebSecurity builder) throws Exception {
 			IgnoredRequestConfigurer ignoring = builder.ignoring();
-			ignoring.antMatchers(this.security.getIgnoredPaths());
+			List<String> ignored = new ArrayList<String>(this.security.getIgnored());
+			if (ignored.isEmpty()) {
+				ignored.addAll(DEFAULT_IGNORED);
+			}
+			else if (ignored.contains("none")) {
+				ignored.remove("none");
+			}
 			if (this.errorController != null) {
-				ignoring.antMatchers(this.errorController.getErrorPath());
+				ignored.add(this.errorController.getErrorPath());
 			}
+			ignoring.antMatchers(ignored.toArray(new String[0]));
 		}
 		@Override

--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java
@@ -43,12 +43,7 @@ public class SecurityProperties {
 	private SessionCreationPolicy sessions = SessionCreationPolicy.STATELESS;
-	private List<String> emptyIgnored = new ArrayList<String>();
+	private List<String> ignored = new ArrayList<String>();
-	private List<String> ignored = this.emptyIgnored;
-	private static String[] DEFAULT_IGNORED = new String[] { "/css/**", "/js/**",
-			"/images/**", "/**/favicon.ico" };
 	private Management management = new Management();
@@ -106,13 +101,6 @@ public class SecurityProperties {
 		return this.ignored;
 	}
-	public String[] getIgnoredPaths() {
-		if (this.ignored == this.emptyIgnored) {
-			return DEFAULT_IGNORED;
-		}
-		return this.ignored.toArray(new String[this.ignored.size()]);
-	}
 	public static class Headers {
 		public static enum HSTS {

--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfigurationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfigurationTests.java
@@ -64,7 +64,7 @@ public class SecurityAutoConfigurationTests {
 				EndpointAutoConfiguration.class,
 				ManagementServerPropertiesAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
-		TestUtils.addEnviroment(this.context, "security.ignored:");
+		TestUtils.addEnviroment(this.context, "security.ignored:none");
 		this.context.refresh();
 		// Just the application and\ management endpoints now
 		assertEquals(2, this.context.getBean(FilterChainProxy.class).getFilterChains()

--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/properties/SecurityPropertiesTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/properties/SecurityPropertiesTests.java
@@ -46,6 +46,28 @@ public class SecurityPropertiesTests {
 		assertEquals(1, security.getIgnored().size());
 	}
+	@Test
+	public void testBindingIgnoredEmpty() {
+		SecurityProperties security = new SecurityProperties();
+		RelaxedDataBinder binder = new RelaxedDataBinder(security, "security");
+		binder.setConversionService(new DefaultConversionService());
+		binder.bind(new MutablePropertyValues(Collections.singletonMap(
+				"security.ignored", "")));
+		assertFalse(binder.getBindingResult().hasErrors());
+		assertEquals(0, security.getIgnored().size());
+	}
+	@Test
+	public void testBindingIgnoredDisable() {
+		SecurityProperties security = new SecurityProperties();
+		RelaxedDataBinder binder = new RelaxedDataBinder(security, "security");
+		binder.setConversionService(new DefaultConversionService());
+		binder.bind(new MutablePropertyValues(Collections.singletonMap(
+				"security.ignored", "none")));
+		assertFalse(binder.getBindingResult().hasErrors());
+		assertEquals(1, security.getIgnored().size());
+	}
 	@Test
 	public void testBindingIgnoredMultiValued() {
 		SecurityProperties security = new SecurityProperties();
@@ -64,10 +86,11 @@ public class SecurityPropertiesTests {
 		binder.setConversionService(new DefaultConversionService());
 		Map<String, String> map = new HashMap<String, String>();
 		map.put("security.ignored[0]", "/css/**");
-		map.put("security.ignored[1]", "images/**");
+		map.put("security.ignored[1]", "/foo/**");
 		binder.bind(new MutablePropertyValues(map));
 		assertFalse(binder.getBindingResult().hasErrors());
 		assertEquals(2, security.getIgnored().size());
+		assertTrue(security.getIgnored().contains("/foo/**"));
 	}
 	@Test