Secure the actuator endpoints behind /management

Fix #3550
jhipster · May 6, 2016 · bd09d3b · deepu105 · May 6, 2016 · jdubois
1 parent 30a4014
commit bd09d3b
Show file tree

Hide file tree

Showing 16 changed files with 27 additions and 95 deletions.
diff --git a/generators/client/templates/src/main/webapp/app/admin/audits/_audits.service.js b/generators/client/templates/src/main/webapp/app/admin/audits/_audits.service.js
@@ -8,7 +8,7 @@
     AuditsService.$inject = ['$resource'];
 
     function AuditsService ($resource) {
-        var service = $resource(<% if(authenticationType === 'uaa') { %>'<%= uaaBaseName %>/api/audits/:id'<%} else { %>'api/audits/:id'<% } %>, {}, {
+        var service = $resource(<% if(authenticationType === 'uaa') { %>'<%= uaaBaseName %>/api/audits/:id'<%} else { %>'management/jhipster/audits/:id'<% } %>, {}, {
             'get': {
                 method: 'GET',
                 isArray: true

diff --git a/...rators/client/templates/src/main/webapp/app/admin/configuration/_configuration.service.js b/...rators/client/templates/src/main/webapp/app/admin/configuration/_configuration.service.js
@@ -16,7 +16,7 @@
         return service;
 
         function get () {
-            return $http.get('configprops').then(getConfigPropsComplete);
+            return $http.get('management/configprops').then(getConfigPropsComplete);
 
             function getConfigPropsComplete (response) {
                 var properties = [];
@@ -29,7 +29,7 @@
         }
 
         function getEnv () {
-            return $http.get('env').then(getEnvComplete);
+            return $http.get('management/env').then(getEnvComplete);
 
             function getEnvComplete (response) {
                 var properties = {};

diff --git a/generators/client/templates/src/main/webapp/app/admin/health/_health.service.js b/generators/client/templates/src/main/webapp/app/admin/health/_health.service.js
@@ -15,7 +15,7 @@
         return service;
 
         function checkHealth () {
-            return $http.get('health').then(function (response) {
+            return $http.get('management/health').then(function (response) {
                 return response.data;
             });
         }

diff --git a/generators/client/templates/src/main/webapp/app/admin/logs/_logs.service.js b/generators/client/templates/src/main/webapp/app/admin/logs/_logs.service.js
@@ -8,7 +8,7 @@
     LogsService.$inject = ['$resource'];
 
     function LogsService ($resource) {
-        var service = $resource('api/logs', {}, {
+        var service = $resource('management/jhipster/logs', {}, {
             'findAll': { method: 'GET', isArray: true},
             'changeLevel': { method: 'PUT'}
         });

diff --git a/generators/client/templates/src/main/webapp/app/admin/metrics/_metrics.service.js b/generators/client/templates/src/main/webapp/app/admin/metrics/_metrics.service.js
@@ -16,13 +16,13 @@
         return service;
 
         function getMetrics () {
-            return $http.get('metrics/metrics').then(function (response) {
+            return $http.get('management/jhipster/metrics').then(function (response) {
                 return response.data;
             });
         }
 
         function threadDump () {
-            return $http.get('dump').then(function (response) {
+            return $http.get('management/dump').then(function (response) {
                 return response.data;
             });
         }

diff --git a/generators/client/templates/src/main/webapp/app/services/auth/_auth.oauth2.service.js b/generators/client/templates/src/main/webapp/app/services/auth/_auth.oauth2.service.js
@@ -30,13 +30,13 @@
         function login (credentials) {
             var data = 'username=' +  encodeURIComponent(credentials.username) + '&password=' +
                 encodeURIComponent(credentials.password) + '&grant_type=password&scope=read%20write&' +
-                'client_secret=mySecretOAuthSecret&client_id=<%= baseName%>app';
+                'client_secret=my-secret-token-to-change-in-production&client_id=<%= baseName%>app';
 
             return $http.post('oauth/token', data, {
                 headers: {
                     'Content-Type': 'application/x-www-form-urlencoded',
                     'Accept': 'application/json',
-                    'Authorization': 'Basic ' + Base64.encode('<%= baseName%>app' + ':' + 'mySecretOAuthSecret')
+                    'Authorization': 'Basic ' + Base64.encode('<%= baseName%>app' + ':' + 'my-secret-token-to-change-in-production')
                 }
             }).success(authSucess);
 

diff --git a/generators/client/templates/src/main/webapp/robots.txt b/generators/client/templates/src/main/webapp/robots.txt
@@ -7,17 +7,5 @@ Disallow: /api/account/sessions
 Disallow: /api/audits/
 Disallow: /api/logs/
 Disallow: /api/users/
-Disallow: /metrics/
-Disallow: /health/
-Disallow: /trace/
-Disallow: /dump/
-Disallow: /shutdown/
-Disallow: /beans/
-Disallow: /configprops/
-Disallow: /info/
-Disallow: /autoconfig/
-Disallow: /env/
-Disallow: /trace/
+Disallow: /management/
 Disallow: /v2/api-docs/
-Disallow: /configuration/
-Disallow: /protected/
diff --git a/generators/entity/templates/src/test/gatling/simulations/_EntityGatlingTest.scala b/generators/entity/templates/src/test/gatling/simulations/_EntityGatlingTest.scala
@@ -43,7 +43,7 @@ class <%= entityClass %>GatlingTest extends Simulation {
 <%_ } _%>
 <%_ if (authenticationType == 'oauth2') { _%>
 
-    val authorization_header = "Basic " + Base64.getEncoder.encodeToString("<%= baseName%>app:mySecretOAuthSecret".getBytes(StandardCharsets.UTF_8))
+    val authorization_header = "Basic " + Base64.getEncoder.encodeToString("<%= baseName%>app:my-secret-token-to-change-in-production".getBytes(StandardCharsets.UTF_8))
 
     val headers_http_authentication = Map(
         "Content-Type" -> """application/x-www-form-urlencoded""",
@@ -91,7 +91,7 @@ class <%= entityClass %>GatlingTest extends Simulation {
         .formParam("password", "admin")
         .formParam("grant_type", "password")
         .formParam("scope", "read write")
-        .formParam("client_secret", "mySecretOAuthSecret")
+        .formParam("client_secret", "my-secret-token-to-change-in-production")
         .formParam("client_id", "<%= baseName%>app")
         .formParam("submit", "Login")
         .check(jsonPath("$.access_token").saveAs("access_token"))).exitHereIfFailed

diff --git a/...ors/server/templates/src/main/java/package/config/_MicroserviceSecurityConfiguration.java b/...ors/server/templates/src/main/java/package/config/_MicroserviceSecurityConfiguration.java
@@ -52,25 +52,9 @@ protected void configure(HttpSecurity http) throws Exception {
               .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
           .and()
               .authorizeRequests()
-
-              .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
               .antMatchers("/api/**").authenticated()
-              .antMatchers("/metrics/**").permitAll()
-              .antMatchers("/health/**").permitAll()
-              .antMatchers("/trace/**").permitAll()
-              .antMatchers("/dump/**").permitAll()
-              .antMatchers("/shutdown/**").permitAll()
-              .antMatchers("/beans/**").permitAll()
-              .antMatchers("/configprops/**").permitAll()
-              .antMatchers("/info/**").permitAll()
-              .antMatchers("/autoconfig/**").permitAll()
-              .antMatchers("/env/**").permitAll()
-              .antMatchers("/mappings/**").permitAll()
-              .antMatchers("/liquibase/**").permitAll()
-              .antMatchers("/v2/api-docs/**").permitAll()
-              .antMatchers("/configuration/security").permitAll()
+              .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
               .antMatchers("/configuration/ui").permitAll()
-              .antMatchers("/protected/**").authenticated()
           .and()
               .apply(securityConfigurerAdapter());
 
@@ -123,25 +107,9 @@ public void configure(HttpSecurity http) throws Exception {
               .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
           .and()
               .authorizeRequests()
-
-              .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
               .antMatchers("/api/**").authenticated()
-              .antMatchers("/metrics/**").permitAll()
-              .antMatchers("/health/**").permitAll()
-              .antMatchers("/trace/**").permitAll()
-              .antMatchers("/dump/**").permitAll()
-              .antMatchers("/shutdown/**").permitAll()
-              .antMatchers("/beans/**").permitAll()
-              .antMatchers("/configprops/**").permitAll()
-              .antMatchers("/info/**").permitAll()
-              .antMatchers("/autoconfig/**").permitAll()
-              .antMatchers("/env/**").permitAll()
-              .antMatchers("/mappings/**").permitAll()
-              .antMatchers("/liquibase/**").permitAll()
-              .antMatchers("/v2/api-docs/**").permitAll()
-              .antMatchers("/configuration/security").permitAll()
-              .antMatchers("/configuration/ui").permitAll()
-              .antMatchers("/protected/**").authenticated();
+              .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
+              .antMatchers("/configuration/ui").permitAll();
 
       }
 

diff --git a/generators/server/templates/src/main/java/package/config/_OAuth2ServerConfiguration.java b/generators/server/templates/src/main/java/package/config/_OAuth2ServerConfiguration.java
@@ -62,25 +62,13 @@ public void configure(HttpSecurity http) throws Exception {
                 .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                 .antMatchers("/api/authenticate").permitAll()
                 .antMatchers("/api/register").permitAll()
-                .antMatchers("/api/logs/**").hasAnyAuthority(AuthoritiesConstants.ADMIN)
                 .antMatchers("/api/**").authenticated()<% if (websocket == 'spring-websocket') { %>
                 .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
                 .antMatchers("/websocket/**").permitAll()<% } %>
-                .antMatchers("/metrics/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/health/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/trace/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/dump/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/shutdown/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/beans/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/configprops/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/info/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/autoconfig/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/env/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/trace/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/liquibase/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/api-docs/**").hasAuthority(AuthoritiesConstants.ADMIN)
-                .antMatchers("/protected/**").authenticated();
-
+                .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
+                .antMatchers("/v2/api-docs/**").permitAll()
+                .antMatchers("/configuration/ui").permitAll()
+                .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);
         }
     }
 

diff --git a/generators/server/templates/src/main/java/package/config/_SecurityConfiguration.java b/generators/server/templates/src/main/java/package/config/_SecurityConfiguration.java
@@ -138,25 +138,11 @@ protected void configure(HttpSecurity http) throws Exception {
             .antMatchers("/api/account/reset_password/init").permitAll()
             .antMatchers("/api/account/reset_password/finish").permitAll()
             .antMatchers("/api/profile-info").permitAll()
-            .antMatchers("/api/logs/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/api/audits/**").hasAuthority(AuthoritiesConstants.ADMIN)
             .antMatchers("/api/**").authenticated()<% if (websocket == 'spring-websocket') { %>
             .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
             .antMatchers("/websocket/**").permitAll()<% } %>
-            .antMatchers("/metrics/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/health/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/trace/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/dump/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/shutdown/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/beans/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/configprops/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/info/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/autoconfig/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/env/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/mappings/**").hasAuthority(AuthoritiesConstants.ADMIN)
-            .antMatchers("/liquibase/**").hasAuthority(AuthoritiesConstants.ADMIN)
+            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
             .antMatchers("/v2/api-docs/**").permitAll()
-            .antMatchers("/configuration/security").permitAll()
             .antMatchers("/configuration/ui").permitAll()
             .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN)
             .antMatchers("/protected/**").authenticated() <%if (authenticationType != 'jwt') { %>;<% } %><% if (authenticationType == 'jwt') { %>

diff --git a/generators/server/templates/src/main/java/package/config/_WebConfigurer.java b/generators/server/templates/src/main/java/package/config/_WebConfigurer.java
@@ -186,7 +186,7 @@ private void initMetrics(ServletContext servletContext, EnumSet<DispatcherType>
         ServletRegistration.Dynamic metricsAdminServlet =
             servletContext.addServlet("metricsServlet", new MetricsServlet());
 
-        metricsAdminServlet.addMapping("/metrics/metrics/*");
+        metricsAdminServlet.addMapping("/management/jhipster/metrics/*");
         metricsAdminServlet.setAsyncSupported(true);
         metricsAdminServlet.setLoadOnStartup(2);
     }

diff --git a/generators/server/templates/src/main/java/package/web/rest/_AuditResource.java b/generators/server/templates/src/main/java/package/web/rest/_AuditResource.java
@@ -22,7 +22,7 @@
  * REST controller for getting the audit events.
  */
 @RestController
-@RequestMapping(value = "/api/audits", produces = MediaType.APPLICATION_JSON_VALUE)
+@RequestMapping(value = "/management/jhipster/audits", produces = MediaType.APPLICATION_JSON_VALUE)
 public class AuditResource {
 
     private AuditEventService auditEventService;

diff --git a/generators/server/templates/src/main/java/package/web/rest/_LogsResource.java b/generators/server/templates/src/main/java/package/web/rest/_LogsResource.java
@@ -17,7 +17,7 @@
  * Controller for view and managing Log Level at runtime.
  */
 @RestController
-@RequestMapping("/api")
+@RequestMapping("/management/jhipster")
 public class LogsResource {
 
     @RequestMapping(value = "/logs",

diff --git a/generators/server/templates/src/main/resources/config/_application.yml b/generators/server/templates/src/main/resources/config/_application.yml
@@ -20,12 +20,14 @@ eureka:
 ribbon:
     eureka:
         enabled: true
+
 <%_ } _%>
 <%_ if (applicationType == 'gateway') { _%>
-
 zuul:
 
 <%_ } _%>
+management:
+    context-path: /management
 
 spring:
     application:

diff --git a/generators/server/templates/src/test/resources/config/_application.yml b/generators/server/templates/src/test/resources/config/_application.yml
@@ -115,7 +115,7 @@ jhipster:
     <%_ if (authenticationType == 'oauth2') { _%>
             oauth:
                 clientid: <%= baseName %>app
-                secret: mySecretOAuthSecret
+                secret: my-secret-token-to-change-in-production
                 # Token is valid 30 minutes
                 tokenValidityInSeconds: 1800
     <%_ } _%>