Merge branch '2.0.x'

87506248 · Madhura Bhave · 751a2b43 · 4194baad · 87506248 · 87506248
Commit 87506248 authored Jun 07, 2018 by Madhura Bhave
5 changed files
--- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/HttpTraceFilter.java
+++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/web/trace/servlet/HttpTraceFilter.java
@@ -17,6 +17,8 @@
 package org.springframework.boot.actuate.web.trace.servlet;

 import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;

 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -76,6 +78,10 @@ public class HttpTraceFilter extends OncePerRequestFilter implements Ordered {
 	protected void doFilterInternal(HttpServletRequest request,
 			HttpServletResponse response, FilterChain filterChain)
 			throws ServletException, IOException {
+		if (!isRequestValid(request)) {
+			filterChain.doFilter(request, response);
+			return;
+		}
 		TraceableHttpServletRequest traceableRequest = new TraceableHttpServletRequest(
 				request);
 		HttpTrace trace = this.tracer.receivedRequest(traceableRequest);
@@ -95,6 +101,16 @@ public class HttpTraceFilter extends OncePerRequestFilter implements Ordered {
 		}
 	}

+	private boolean isRequestValid(HttpServletRequest request) {
+		try {
+			new URI(request.getRequestURL().toString());
+			return true;
+		}
+		catch (URISyntaxException ex) {
+			return false;
+		}
+	}
+
 	private String getSessionId(HttpServletRequest request) {
 		HttpSession session = request.getSession(false);
 		return (session != null ? session.getId() : null);

--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/servlet/HttpTraceFilterTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/servlet/HttpTraceFilterTests.java
@@ -127,4 +127,13 @@ public class HttpTraceFilterTests {
 		}
 	}

+	@Test
+	public void filterRejectsInvalidRequests() throws ServletException, IOException {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setServerName("<script>alert(document.domain)</script>");
+		this.filter.doFilter(request, new MockHttpServletResponse(),
+				new MockFilterChain());
+		assertThat(this.repository.findAll()).hasSize(0);
+	}
+
 }
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveUserDetailsServiceAutoConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/ReactiveUserDetailsServiceAutoConfiguration.java
@@ -80,7 +80,7 @@ public class ReactiveUserDetailsServiceAutoConfiguration {
 			PasswordEncoder encoder) {
 		String password = user.getPassword();
 		if (user.isPasswordGenerated()) {
-			logger.info(String.format("%n%nUsing default security password: %s%n",
+			logger.info(String.format("%n%nUsing generated security password: %s%n",
 					user.getPassword()));
 		}
 		if (encoder != null || PASSWORD_ALGORITHM_PATTERN.matcher(password).matches()) {

--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java
@@ -30,6 +30,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
@@ -67,6 +68,7 @@ public class UserDetailsServiceAutoConfiguration {

 	@Bean
 	@ConditionalOnMissingBean(type = "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository")
+	@Lazy
 	public InMemoryUserDetailsManager inMemoryUserDetailsManager(
 			SecurityProperties properties,
 			ObjectProvider<PasswordEncoder> passwordEncoder) {

--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfigurationTests.java
@@ -34,7 +34,9 @@ import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.TestingAuthenticationProvider;
 import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -93,7 +95,7 @@ public class UserDetailsServiceAutoConfigurationTests {
 					UserDetailsService userDetailsService = context
 							.getBean(UserDetailsService.class);
 					assertThat(this.outputCapture.toString())
-							.doesNotContain("Using default security password: ");
+							.doesNotContain("Using generated security password: ");
 					assertThat(userDetailsService.loadUserByUsername("foo")).isNotNull();
 				});
 	}
@@ -106,7 +108,7 @@ public class UserDetailsServiceAutoConfigurationTests {
 					AuthenticationProvider provider = context
 							.getBean(AuthenticationProvider.class);
 					assertThat(this.outputCapture.toString())
-							.doesNotContain("Using default security password: ");
+							.doesNotContain("Using generated security password: ");
 					TestingAuthenticationToken token = new TestingAuthenticationToken(
 							"foo", "bar");
 					assertThat(provider.authenticate(token)).isNotNull();
@@ -149,6 +151,14 @@ public class UserDetailsServiceAutoConfigurationTests {
 						.doesNotHaveBean(InMemoryUserDetailsManager.class)));
 	}

+	@Test
+	public void generatedPasswordShouldNotBePrintedIfAuthenticationManagerBuilderIsUsed() {
+		this.contextRunner
+				.withUserConfiguration(TestConfigWithAuthenticationManagerBuilder.class)
+				.run(((context) -> assertThat(this.outputCapture.toString())
+						.doesNotContain("Using generated security password: ")));
+	}
+
 	private void testPasswordEncoding(Class<?> configClass, String providedPassword,
 			String expectedPassword) {
 		this.contextRunner.withUserConfiguration(configClass)
@@ -227,4 +237,23 @@ public class UserDetailsServiceAutoConfigurationTests {

 	}

+	@Configuration
+	@Import(TestSecurityConfiguration.class)
+	protected static class TestConfigWithAuthenticationManagerBuilder {
+
+		@Bean
+		public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter() {
+			return new WebSecurityConfigurerAdapter() {
+				@Override
+				protected void configure(AuthenticationManagerBuilder auth)
+						throws Exception {
+					auth.inMemoryAuthentication().withUser("hero").password("{noop}hero")
+							.roles("HERO", "USER").and().withUser("user")
+							.password("{noop}user").roles("USER");
+				}
+			};
+		}
+
+	}
+
 }