Migrate endpoints.cors to management.endpoints.cors

This commit moves CORS properties out of the endpoints namespace as they
do not refer to a "cors" endpoint but rather to the CORS configuration
of all endpoints.

Closes gh-10053

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/infrastructure/CorsEndpointProperties.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.endpoint;
+package org.springframework.boot.actuate.autoconfigure.endpoint.infrastructure;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -27,8 +27,8 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
  * @author Andy Wilkinson
  * @since 2.0.0
  */
-@ConfigurationProperties(prefix = "endpoints.cors")
-public class EndpointCorsProperties {
+@ConfigurationProperties(prefix = "management.endpoints.cors")
+public class CorsEndpointProperties {
 
 	/**
 	 * Comma-separated list of origins to allow. '*' allows all origins. When not set,

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/infrastructure/WebEndpointInfrastructureManagementContextConfiguration.java

@@ -24,7 +24,6 @@ import org.glassfish.jersey.server.ResourceConfig;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.actuate.autoconfigure.ManagementContextConfiguration;
-import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointCorsProperties;
 import org.springframework.boot.actuate.autoconfigure.web.ManagementServerProperties;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
@@ -50,7 +49,7 @@ import org.springframework.web.servlet.DispatcherServlet;
  */
 @ConditionalOnWebApplication
 @ManagementContextConfiguration
-@EnableConfigurationProperties({ EndpointCorsProperties.class,
+@EnableConfigurationProperties({ CorsEndpointProperties.class,
 		ManagementServerProperties.class })
 class WebEndpointInfrastructureManagementContextConfiguration {
 
@@ -91,7 +90,7 @@ class WebEndpointInfrastructureManagementContextConfiguration {
 		@ConditionalOnMissingBean
 		public WebEndpointServletHandlerMapping webEndpointServletHandlerMapping(
 				EndpointProvider<WebEndpointOperation> provider,
-				EndpointCorsProperties corsProperties,
+				CorsEndpointProperties corsProperties,
 				ManagementServerProperties managementServerProperties) {
 			WebEndpointServletHandlerMapping handlerMapping = new WebEndpointServletHandlerMapping(
 					managementServerProperties.getContextPath(), provider.getEndpoints(),
@@ -103,7 +102,7 @@ class WebEndpointInfrastructureManagementContextConfiguration {
 		}
 
 		private CorsConfiguration getCorsConfiguration(
-				EndpointCorsProperties properties) {
+				CorsEndpointProperties properties) {
 			if (CollectionUtils.isEmpty(properties.getAllowedOrigins())) {
 				return null;
 			}

spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -200,7 +200,7 @@
   }
 ],"hints": [
   {
-    "name": "endpoints.cors.allowed-headers",
+    "name": "management.endpoints.cors.allowed-headers",
     "values": [
       {
         "value": "*"
@@ -213,7 +213,7 @@
     ]
   },
   {
-    "name": "endpoints.cors.allowed-methods",
+    "name": "management.endpoints.cors.allowed-methods",
     "values": [
       {
         "value": "*"
@@ -226,7 +226,7 @@
     ]
   },
   {
-    "name": "endpoints.cors.allowed-origins",
+    "name": "management.endpoints.cors.allowed-origins",
     "values": [
       {
         "value": "*"

spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/mvc/MvcEndpointCorsIntegrationTests.java

@@ -77,7 +77,7 @@ public class MvcEndpointCorsIntegrationTests {
 
 	@Test
 	public void settingAllowedOriginsEnablesCors() throws Exception {
-		TestPropertyValues.of("endpoints.cors.allowed-origins:foo.example.com")
+		TestPropertyValues.of("management.endpoints.cors.allowed-origins:foo.example.com")
 				.applyTo(this.context);
 		createMockMvc()
 				.perform(options("/application/beans").header("Origin", "bar.example.com")
@@ -88,7 +88,7 @@ public class MvcEndpointCorsIntegrationTests {
 
 	@Test
 	public void maxAgeDefaultsTo30Minutes() throws Exception {
-		TestPropertyValues.of("endpoints.cors.allowed-origins:foo.example.com")
+		TestPropertyValues.of("management.endpoints.cors.allowed-origins:foo.example.com")
 				.applyTo(this.context);
 		performAcceptedCorsRequest()
 				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "1800"));
@@ -96,15 +96,15 @@ public class MvcEndpointCorsIntegrationTests {
 
 	@Test
 	public void maxAgeCanBeConfigured() throws Exception {
-		TestPropertyValues.of("endpoints.cors.allowed-origins:foo.example.com",
-				"endpoints.cors.max-age: 2400").applyTo(this.context);
+		TestPropertyValues.of("management.endpoints.cors.allowed-origins:foo.example.com",
+				"management.endpoints.cors.max-age: 2400").applyTo(this.context);
 		performAcceptedCorsRequest()
 				.andExpect(header().string(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "2400"));
 	}
 
 	@Test
 	public void requestsWithDisallowedHeadersAreRejected() throws Exception {
-		TestPropertyValues.of("endpoints.cors.allowed-origins:foo.example.com")
+		TestPropertyValues.of("management.endpoints.cors.allowed-origins:foo.example.com")
 				.applyTo(this.context);
 		createMockMvc()
 				.perform(options("/application/beans").header("Origin", "foo.example.com")
@@ -116,8 +116,8 @@ public class MvcEndpointCorsIntegrationTests {
 	@Test
 	public void allowedHeadersCanBeConfigured() throws Exception {
 		TestPropertyValues
-				.of("endpoints.cors.allowed-origins:foo.example.com",
-						"endpoints.cors.allowed-headers:Alpha,Bravo")
+				.of("management.endpoints.cors.allowed-origins:foo.example.com",
+						"management.endpoints.cors.allowed-headers:Alpha,Bravo")
 				.applyTo(this.context);
 		createMockMvc()
 				.perform(options("/application/beans").header("Origin", "foo.example.com")
@@ -129,7 +129,7 @@ public class MvcEndpointCorsIntegrationTests {
 
 	@Test
 	public void requestsWithDisallowedMethodsAreRejected() throws Exception {
-		TestPropertyValues.of("endpoints.cors.allowed-origins:foo.example.com")
+		TestPropertyValues.of("management.endpoints.cors.allowed-origins:foo.example.com")
 				.applyTo(this.context);
 		createMockMvc()
 				.perform(options("/application/health")
@@ -140,8 +140,8 @@ public class MvcEndpointCorsIntegrationTests {
 
 	@Test
 	public void allowedMethodsCanBeConfigured() throws Exception {
-		TestPropertyValues.of("endpoints.cors.allowed-origins:foo.example.com",
-				"endpoints.cors.allowed-methods:GET,HEAD").applyTo(this.context);
+		TestPropertyValues.of("management.endpoints.cors.allowed-origins:foo.example.com",
+				"management.endpoints.cors.allowed-methods:GET,HEAD").applyTo(this.context);
 		createMockMvc()
 				.perform(options("/application/beans")
 						.header(HttpHeaders.ORIGIN, "foo.example.com")
@@ -152,16 +152,16 @@ public class MvcEndpointCorsIntegrationTests {
 
 	@Test
 	public void credentialsCanBeAllowed() throws Exception {
-		TestPropertyValues.of("endpoints.cors.allowed-origins:foo.example.com",
-				"endpoints.cors.allow-credentials:true").applyTo(this.context);
+		TestPropertyValues.of("management.endpoints.cors.allowed-origins:foo.example.com",
+				"management.endpoints.cors.allow-credentials:true").applyTo(this.context);
 		performAcceptedCorsRequest().andExpect(
 				header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true"));
 	}
 
 	@Test
 	public void credentialsCanBeDisabled() throws Exception {
-		TestPropertyValues.of("endpoints.cors.allowed-origins:foo.example.com",
-				"endpoints.cors.allow-credentials:false").applyTo(this.context);
+		TestPropertyValues.of("management.endpoints.cors.allowed-origins:foo.example.com",
+				"management.endpoints.cors.allow-credentials:false").applyTo(this.context);
 		performAcceptedCorsRequest().andExpect(
 				header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS));
 	}

spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc

@@ -1114,14 +1114,6 @@ content into your application; rather pick only the properties that you need.
 	endpoints.configprops.keys-to-sanitize=password,secret,key,token,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.
 	endpoints.configprops.web.enabled=true # Expose the configprops endpoint as a Web endpoint.
 
-	# ENDPOINTS CORS CONFIGURATION ({sc-spring-boot-actuator}/autoconfigure/EndpointCorsProperties.{sc-ext}[EndpointCorsProperties])
-	endpoints.cors.allow-credentials= # Set whether credentials are supported. When not set, credentials are not supported.
-	endpoints.cors.allowed-headers= # Comma-separated list of headers to allow in a request. '*' allows all headers.
-	endpoints.cors.allowed-methods= # Comma-separated list of methods to allow. '*' allows all methods. When not set, defaults to GET.
-	endpoints.cors.allowed-origins= # Comma-separated list of origins to allow. '*' allows all origins. When not set, CORS support is disabled.
-	endpoints.cors.exposed-headers= # Comma-separated list of headers to include in a response.
-	endpoints.cors.max-age=1800 # How long, in seconds, the response from a pre-flight request can be cached by clients.
-
 	# ENVIRONMENT ENDPOINT  ({sc-spring-boot-actuator}/endpoint/EnvironmentEndpoint.{sc-ext}[EnvironmentEndpoint])
 	endpoints.env.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.env.enabled=true # Enable the env endpoint.
@@ -1238,6 +1230,14 @@ content into your application; rather pick only the properties that you need.
 	management.cloudfoundry.enabled=true # Enable extended Cloud Foundry actuator endpoints.
     management.cloudfoundry.skip-ssl-validation=false # Skip SSL verification for Cloud Foundry actuator endpoint security calls.
 
+	# ENDPOINTS CORS CONFIGURATION ({sc-spring-boot-actuator}/autoconfigure/EndpointCorsProperties.{sc-ext}[EndpointCorsProperties])
+	management.endpoints.cors.allow-credentials= # Set whether credentials are supported. When not set, credentials are not supported.
+	management.cors.allowed-headers= # Comma-separated list of headers to allow in a request. '*' allows all headers.
+	management.endpoints.cors.allowed-methods= # Comma-separated list of methods to allow. '*' allows all methods. When not set, defaults to GET.
+	management.endpoints.cors.allowed-origins= # Comma-separated list of origins to allow. '*' allows all origins. When not set, CORS support is disabled.
+	management.endpoints.cors.exposed-headers= # Comma-separated list of headers to include in a response.
+	management.endpoints.cors.max-age=1800 # How long, in seconds, the response from a pre-flight request can be cached by clients.
+
 	# HEALTH INDICATORS
 	management.health.db.enabled=true # Enable database health check.
 	management.health.cassandra.enabled=true # Enable cassandra health check.

spring-boot-docs/src/main/asciidoc/production-ready-features.adoc

@@ -243,13 +243,13 @@ MVC or Spring WebFlux, Actuator's web endpoints can be configured to support suc
 scenarios.
 
 CORS support is disabled by default and is only enabled once the
-`endpoints.cors.allowed-origins` property has been set. The configuration below permits
-`GET` and `POST` calls from the `example.com` domain:
+`management.endpoints.cors.allowed-origins` property has been set. The configuration below
+permits `GET` and `POST` calls from the `example.com` domain:
 
 [source,properties,indent=0]
 ----
-	endpoints.cors.allowed-origins=http://example.com
-	endpoints.cors.allowed-methods=GET,POST
+	management.endpoints.cors.allowed-origins=http://example.com
+	management.endpoints.cors.allowed-methods=GET,POST
 ----
 
 TIP: Check {sc-spring-boot-actuator}/autoconfigure/EndpointCorsProperties.{sc-ext}[EndpointCorsProperties]

spring-boot-samples/spring-boot-sample-actuator/src/test/resources/application-cors.properties

@@ -1,2 +1,2 @@
-endpoints.cors.allowed-origins=http://localhost:8080
-endpoints.cors.allowed-methods=GET
+management.endpoints.cors.allowed-origins=http://localhost:8080
+management.endpoints.cors.allowed-methods=GET