From b26e842050399f6452122743215d0240d518c5f7 Mon Sep 17 00:00:00 2001 From: Madhura Bhave Date: Wed, 16 Dec 2020 14:53:18 -0800 Subject: [PATCH] Configure CORS in default security configuration for MVC Fixes gh-11987 --- ...anagementWebSecurityConfigurerAdapter.java | 4 + .../JerseyEndpointIntegrationTests.java | 57 +++++++++---- ...mentWebSecurityAutoConfigurationTests.java | 3 +- .../CorsSampleActuatorApplicationTests.java | 83 +++++++++++++++++++ .../resources/application-cors.properties | 2 + 5 files changed, 133 insertions(+), 16 deletions(-) create mode 100644 spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java create mode 100644 spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java index 7c7638a87ca9..48b5cd87409a 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java @@ -22,6 +22,7 @@ import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.util.ClassUtils; /** * The default configuration for web security when the actuator dependency is on the @@ -44,6 +45,9 @@ protected void configure(HttpSecurity http) throws Exception { requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll(); requests.anyRequest().authenticated(); }); + if (ClassUtils.isPresent("org.springframework.web.servlet.DispatcherServlet", null)) { + http.cors(); + } http.formLogin(Customizer.withDefaults()); http.httpBasic(Customizer.withDefaults()); } diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JerseyEndpointIntegrationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JerseyEndpointIntegrationTests.java index d04bb5a28345..88b8c1b4b94d 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JerseyEndpointIntegrationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JerseyEndpointIntegrationTests.java @@ -16,12 +16,17 @@ package org.springframework.boot.actuate.autoconfigure.integrationtest; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + import org.glassfish.jersey.server.ResourceConfig; import org.junit.jupiter.api.Test; import org.springframework.boot.actuate.autoconfigure.beans.BeansEndpointAutoConfiguration; import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration; import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration; +import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration; import org.springframework.boot.actuate.autoconfigure.web.server.ManagementContextAutoConfiguration; import org.springframework.boot.actuate.endpoint.web.annotation.ControllerEndpoint; import org.springframework.boot.actuate.endpoint.web.annotation.RestControllerEndpoint; @@ -55,24 +60,46 @@ void actuatorEndpointsWhenUserProvidedResourceConfigBeanNotAvailable() { testJerseyEndpoints(new Class[] { EndpointsConfiguration.class }); } + @Test + void actuatorEndpointsWhenSecurityAvailable() { + WebApplicationContextRunner contextRunner = getContextRunner( + new Class[] { EndpointsConfiguration.class, ResourceConfigConfiguration.class }, + getAutoconfigurations(ManagementWebSecurityAutoConfiguration.class)); + contextRunner.run((context) -> { + int port = context.getSourceApplicationContext(AnnotationConfigServletWebServerApplicationContext.class) + .getWebServer().getPort(); + WebTestClient client = WebTestClient.bindToServer().baseUrl("http://localhost:" + port).build(); + client.get().uri("/actuator").exchange().expectStatus().isUnauthorized(); + }); + + } + protected void testJerseyEndpoints(Class[] userConfigurations) { + getContextRunner(userConfigurations, getAutoconfigurations()).run((context) -> { + int port = context.getSourceApplicationContext(AnnotationConfigServletWebServerApplicationContext.class) + .getWebServer().getPort(); + WebTestClient client = WebTestClient.bindToServer().baseUrl("http://localhost:" + port).build(); + client.get().uri("/actuator").exchange().expectStatus().isOk().expectBody().jsonPath("_links.beans") + .isNotEmpty().jsonPath("_links.restcontroller").doesNotExist().jsonPath("_links.controller") + .doesNotExist(); + }); + } + + private WebApplicationContextRunner getContextRunner(Class[] userConfigurations, Class[] autoConfigurations) { FilteredClassLoader classLoader = new FilteredClassLoader(DispatcherServlet.class); - new WebApplicationContextRunner(AnnotationConfigServletWebServerApplicationContext::new) - .withClassLoader(classLoader) - .withConfiguration(AutoConfigurations.of(JacksonAutoConfiguration.class, JerseyAutoConfiguration.class, - EndpointAutoConfiguration.class, ServletWebServerFactoryAutoConfiguration.class, - WebEndpointAutoConfiguration.class, ManagementContextAutoConfiguration.class, - BeansEndpointAutoConfiguration.class)) + return new WebApplicationContextRunner(AnnotationConfigServletWebServerApplicationContext::new) + .withClassLoader(classLoader).withConfiguration(AutoConfigurations.of(autoConfigurations)) .withUserConfiguration(userConfigurations) - .withPropertyValues("management.endpoints.web.exposure.include:*", "server.port:0").run((context) -> { - int port = context - .getSourceApplicationContext(AnnotationConfigServletWebServerApplicationContext.class) - .getWebServer().getPort(); - WebTestClient client = WebTestClient.bindToServer().baseUrl("http://localhost:" + port).build(); - client.get().uri("/actuator").exchange().expectStatus().isOk().expectBody().jsonPath("_links.beans") - .isNotEmpty().jsonPath("_links.restcontroller").doesNotExist().jsonPath("_links.controller") - .doesNotExist(); - }); + .withPropertyValues("management.endpoints.web.exposure.include:*", "server.port:0"); + } + + private Class[] getAutoconfigurations(Class... additional) { + List> autoconfigurations = new ArrayList<>(Arrays.asList(JacksonAutoConfiguration.class, + JerseyAutoConfiguration.class, EndpointAutoConfiguration.class, + ServletWebServerFactoryAutoConfiguration.class, WebEndpointAutoConfiguration.class, + ManagementContextAutoConfiguration.class, BeansEndpointAutoConfiguration.class)); + autoconfigurations.addAll(Arrays.asList(additional)); + return autoconfigurations.toArray(new Class[0]); } @ControllerEndpoint(id = "controller") diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java index 4a8bb4f7c9b1..ff19d1b50f25 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java @@ -30,6 +30,7 @@ import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration; import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration; import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration; +import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration; import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext; import org.springframework.boot.test.context.runner.WebApplicationContextRunner; import org.springframework.context.annotation.Configuration; @@ -56,7 +57,7 @@ class ManagementWebSecurityAutoConfigurationTests { private WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration( AutoConfigurations.of(HealthContributorAutoConfiguration.class, HealthEndpointAutoConfiguration.class, InfoEndpointAutoConfiguration.class, EnvironmentEndpointAutoConfiguration.class, - EndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class, + EndpointAutoConfiguration.class, WebMvcAutoConfiguration.class, WebEndpointAutoConfiguration.class, SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class)); @Test diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java new file mode 100644 index 000000000000..a2837d7c7abb --- /dev/null +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java @@ -0,0 +1,83 @@ +/* + * Copyright 2012-2020 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package smoketest.actuator; + +import java.net.URI; +import java.util.Map; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.boot.test.web.client.LocalHostUriTemplateHandler; +import org.springframework.boot.test.web.client.TestRestTemplate; +import org.springframework.boot.web.client.RestTemplateBuilder; +import org.springframework.context.ApplicationContext; +import org.springframework.http.HttpStatus; +import org.springframework.http.RequestEntity; +import org.springframework.http.ResponseEntity; +import org.springframework.test.context.ActiveProfiles; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * Integration test for cors preflight requests to management endpoints. + * + * @author Madhura Bhave + */ +@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT) +@ActiveProfiles("cors") +class CorsSampleActuatorApplicationTests { + + private TestRestTemplate testRestTemplate; + + @Autowired + private ApplicationContext applicationContext; + + @BeforeEach + void setUp() { + RestTemplateBuilder builder = new RestTemplateBuilder(); + LocalHostUriTemplateHandler handler = new LocalHostUriTemplateHandler(this.applicationContext.getEnvironment(), + "http"); + builder = builder.uriTemplateHandler(handler); + this.testRestTemplate = new TestRestTemplate(builder); + } + + @Test + void endpointShouldReturnUnauthorized() { + ResponseEntity entity = this.testRestTemplate.getForEntity("/actuator/env", Map.class); + assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED); + } + + @Test + void preflightRequestToEndpointShouldReturnOk() throws Exception { + RequestEntity healthRequest = RequestEntity.options(new URI("/actuator/env")) + .header("Origin", "http://localhost:8080").header("Access-Control-Request-Method", "GET").build(); + ResponseEntity exchange = this.testRestTemplate.exchange(healthRequest, Map.class); + assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.OK); + } + + @Test + void preflightRequestWhenCorsConfigInvalidShouldReturnForbidden() throws Exception { + RequestEntity entity = RequestEntity.options(new URI("/actuator/env")) + .header("Origin", "http://localhost:9095").header("Access-Control-Request-Method", "GET").build(); + ResponseEntity exchange = this.testRestTemplate.exchange(entity, byte[].class); + assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN); + } + +} diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties new file mode 100644 index 000000000000..94bc394189d6 --- /dev/null +++ b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties @@ -0,0 +1,2 @@ +management.endpoints.web.cors.allowed-origins=http://localhost:8080 +management.endpoints.web.cors.allowed-methods=GET