Merge branch '2.3.x' into 2.4.x

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java

@@ -63,7 +63,6 @@ public class ManagementWebSecurityAutoConfiguration {
 			requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
 			requests.anyRequest().authenticated();
 		});
-		http.cors();
 		http.formLogin(Customizer.withDefaults());
 		http.httpBasic(Customizer.withDefaults());
 		return http.build();

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java

@@ -30,7 +30,6 @@ import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
@@ -62,7 +61,7 @@ class ManagementWebSecurityAutoConfigurationTests {
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration(
 			AutoConfigurations.of(HealthContributorAutoConfiguration.class, HealthEndpointAutoConfiguration.class,
 					InfoEndpointAutoConfiguration.class, EnvironmentEndpointAutoConfiguration.class,
-					EndpointAutoConfiguration.class, WebMvcAutoConfiguration.class, WebEndpointAutoConfiguration.class,
+					EndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class,
 					SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class));
 
 	@Test

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java

-/*
- * Copyright 2012-2020 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package smoketest.actuator;
-
-import java.net.URI;
-import java.util.Map;
-
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.boot.test.web.client.LocalHostUriTemplateHandler;
-import org.springframework.boot.test.web.client.TestRestTemplate;
-import org.springframework.boot.web.client.RestTemplateBuilder;
-import org.springframework.context.ApplicationContext;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.RequestEntity;
-import org.springframework.http.ResponseEntity;
-import org.springframework.test.context.ActiveProfiles;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-/**
- * Integration test for cors preflight requests to management endpoints.
- *
- * @author Madhura Bhave
- */
-@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
-@ActiveProfiles("cors")
-class CorsSampleActuatorApplicationTests {
-
-	private TestRestTemplate testRestTemplate;
-
-	@Autowired
-	private ApplicationContext applicationContext;
-
-	@BeforeEach
-	void setUp() {
-		RestTemplateBuilder builder = new RestTemplateBuilder();
-		LocalHostUriTemplateHandler handler = new LocalHostUriTemplateHandler(this.applicationContext.getEnvironment(),
-				"http");
-		builder = builder.uriTemplateHandler(handler);
-		this.testRestTemplate = new TestRestTemplate(builder);
-	}
-
-	@Test
-	void endpointShouldReturnUnauthorized() {
-		ResponseEntity<?> entity = this.testRestTemplate.getForEntity("/actuator/env", Map.class);
-		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
-	}
-
-	@Test
-	void preflightRequestToEndpointShouldReturnOk() throws Exception {
-		RequestEntity<?> envRequest = RequestEntity.options(new URI("/actuator/env"))
-				.header("Origin", "http://localhost:8080").header("Access-Control-Request-Method", "GET").build();
-		ResponseEntity<?> exchange = this.testRestTemplate.exchange(envRequest, Map.class);
-		assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.OK);
-	}
-
-	@Test
-	void preflightRequestWhenCorsConfigInvalidShouldReturnForbidden() throws Exception {
-		RequestEntity<?> entity = RequestEntity.options(new URI("/actuator/env"))
-				.header("Origin", "http://localhost:9095").header("Access-Control-Request-Method", "GET").build();
-		ResponseEntity<byte[]> exchange = this.testRestTemplate.exchange(entity, byte[].class);
-		assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
-	}
-
-}

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties

-management.endpoints.web.cors.allowed-origins=http://localhost:8080
-management.endpoints.web.cors.allowed-methods=GET