Fix security config

The management endpoints were still all mixed up with the user endpoints. Fixed that and extracted user endpoints in to conditional block so not protected if path explicitly set to empty string. [#53029715]
2024-08-29 03:06:45 +08:00 · 2013-08-22 11:43:17 +01:00 · 2013-08-22 11:43:17 +01:00 · 43fc107437
commit 43fc107437
parent 6498f0e8b8
16 changed files with 23 additions and 28 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
@ -17,7 +17,6 @@
 package org.springframework.boot.actuate.autoconfigure;

 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;

 import org.apache.commons.logging.Log;
@ -141,12 +140,17 @@ public class SecurityAutoConfiguration {
 				http.httpBasic().and().anonymous().disable();
 				ExpressionUrlAuthorizationConfigurer<HttpSecurity> authorizeUrls = http
 						.authorizeUrls();
-				if (getEndpointPaths(true).length > 0) {
+				String[] paths = getEndpointPaths(true);
+				if (paths.length > 0) {
 					authorizeUrls.antMatchers(getEndpointPaths(true)).hasRole(
 							this.management.getUser().getRole());
 				}
-				authorizeUrls.antMatchers(getSecureApplicationPaths())
-						.hasRole(this.security.getBasic().getRole()).and().httpBasic();
+				paths = getSecureApplicationPaths();
+				if (paths.length > 0) {
+					authorizeUrls.antMatchers(getSecureApplicationPaths()).hasRole(
+							this.security.getBasic().getRole());
+				}
+				authorizeUrls.and().httpBasic();
 			}

 			// No cookies for service endpoints by default
@ -164,7 +168,6 @@ public class SecurityAutoConfiguration {
 					list.add(path);
 				}
 			}
-			list.addAll(Arrays.asList(getEndpointPaths(true)));
 			return list.toArray(new String[list.size()]);
 		}

--- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/jdbc/AbstractDataSourceConfiguration.java
+++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/jdbc/AbstractDataSourceConfiguration.java
@ -37,7 +37,7 @@ public abstract class AbstractDataSourceConfiguration implements BeanClassLoader

 	private String password = "";

-	private int maxActive = 8;
+	private int maxActive = 100;

 	private int maxIdle = 8;

--- a/spring-boot-samples/spring-boot-sample-actuator-ui/src/test/java/org/springframework/boot/sample/ops/ui/SampleActuatorUiApplicationPortTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator-ui/src/test/java/org/springframework/boot/sample/ops/ui/SampleActuatorUiApplicationPortTests.java
@ -28,7 +28,6 @@ import org.junit.BeforeClass;
 import org.junit.Ignore;
 import org.junit.Test;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.sample.ops.ui.SampleActuatorUiApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@ -63,7 +62,7 @@ public class SampleActuatorUiApplicationPortTests {
 										.run(SampleActuatorUiApplication.class, args);
 							}
 						});
-		context = future.get(10, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-actuator-ui/src/test/java/org/springframework/boot/sample/ops/ui/SampleActuatorUiApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator-ui/src/test/java/org/springframework/boot/sample/ops/ui/SampleActuatorUiApplicationTests.java
@ -28,7 +28,6 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.sample.ops.ui.SampleActuatorUiApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
@ -63,7 +62,7 @@ public class SampleActuatorUiApplicationTests {
 										.run(SampleActuatorUiApplication.class);
 							}
 						});
-		context = future.get(30, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/EndpointsPropertiesSampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/EndpointsPropertiesSampleActuatorApplicationTests.java
@ -28,7 +28,6 @@ import java.util.concurrent.TimeUnit;
 import org.junit.After;
 import org.junit.Test;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.sample.ops.SampleActuatorApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpRequest;
 import org.springframework.http.HttpStatus;
@ -64,7 +63,7 @@ public class EndpointsPropertiesSampleActuatorApplicationTests {
 										.run(configuration, args);
 							}
 						});
-		this.context = future.get(10, TimeUnit.SECONDS);
+		this.context = future.get(60, TimeUnit.SECONDS);
 	}

 	@After
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/ManagementAddressSampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/ManagementAddressSampleActuatorApplicationTests.java
@ -71,7 +71,7 @@ public class ManagementAddressSampleActuatorApplicationTests {
 										.run(SampleActuatorApplication.class, args);
 							}
 						});
-		context = future.get(30, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/ManagementSampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/ManagementSampleActuatorApplicationTests.java
@ -27,7 +27,6 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.sample.ops.SampleActuatorApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@ -62,7 +61,7 @@ public class ManagementSampleActuatorApplicationTests {
 										.run(SampleActuatorApplication.class, args);
 							}
 						});
-		context = future.get(30, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/NoManagementSampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/NoManagementSampleActuatorApplicationTests.java
@ -69,7 +69,7 @@ public class NoManagementSampleActuatorApplicationTests {
 										.run(SampleActuatorApplication.class, args);
 							}
 						});
-		context = future.get(10, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/SampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/SampleActuatorApplicationTests.java
@ -67,7 +67,7 @@ public class SampleActuatorApplicationTests {
 										.run(SampleActuatorApplication.class);
 							}
 						});
-		context = future.get(30, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/ShutdownSampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/ShutdownSampleActuatorApplicationTests.java
@ -66,7 +66,7 @@ public class ShutdownSampleActuatorApplicationTests {
 										.run(SampleActuatorApplication.class);
 							}
 						});
-		context = future.get(10, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/UnsecureSampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/org/springframework/boot/sample/ops/UnsecureSampleActuatorApplicationTests.java
@ -27,7 +27,6 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.sample.ops.SampleActuatorApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@ -60,7 +59,7 @@ public class UnsecureSampleActuatorApplicationTests {
 												"--security.basic.enabled=false");
 							}
 						});
-		context = future.get(10, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-jetty/src/test/java/org/springframework/boot/sample/jetty/SampleJettyApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-jetty/src/test/java/org/springframework/boot/sample/jetty/SampleJettyApplicationTests.java
@ -26,7 +26,6 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.sample.jetty.SampleJettyApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@ -56,7 +55,7 @@ public class SampleJettyApplicationTests {
 										.run(SampleJettyApplication.class);
 							}
 						});
-		context = future.get(10, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-traditional/src/test/java/org/springframework/boot/sample/traditional/SampleTraditionalApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-traditional/src/test/java/org/springframework/boot/sample/traditional/SampleTraditionalApplicationTests.java
@ -26,7 +26,6 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.sample.traditional.SampleTraditionalApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@ -57,7 +56,7 @@ public class SampleTraditionalApplicationTests {
 										.run(SampleTraditionalApplication.class);
 							}
 						});
-		context = future.get(30, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-web-static/src/test/java/org/springframework/boot/sample/ui/SampleWebStaticApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-web-static/src/test/java/org/springframework/boot/sample/ui/SampleWebStaticApplicationTests.java
@ -41,7 +41,7 @@ public class SampleWebStaticApplicationTests {
 										.run(SampleWebStaticApplication.class);
 							}
 						});
-		context = future.get(30, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-web-ui/src/test/java/org/springframework/boot/sample/ui/SampleWebUiApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-web-ui/src/test/java/org/springframework/boot/sample/ui/SampleWebUiApplicationTests.java
@ -11,7 +11,6 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.sample.ui.SampleWebUiApplication;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@ -45,7 +44,7 @@ public class SampleWebUiApplicationTests {
 										.run(SampleWebUiApplication.class);
 							}
 						});
-		context = future.get(30, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass
--- a/spring-boot-samples/spring-boot-sample-websocket/src/test/java/org/springframework/boot/samples/websocket/echo/SampleWebSocketsApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-websocket/src/test/java/org/springframework/boot/samples/websocket/echo/SampleWebSocketsApplicationTests.java
@ -59,7 +59,7 @@ public class SampleWebSocketsApplicationTests {
 										.run(SampleWebSocketsApplication.class);
 							}
 						});
-		context = future.get(30, TimeUnit.SECONDS);
+		context = future.get(60, TimeUnit.SECONDS);
 	}

 	@AfterClass