Currently, using the default auto-configuration for Spring Security, if the user sets security.management.enabled=false (I did it via the YAML, but it should work using any method) the security will be disabled for all endpoints, including the application endpoints.
Previously the management endpoint filter was applied to all requests
if the user had disabled security.management.enabled, but since it
had no security applied it was letting all requests through.
The fix was to explicitly exclude the whole enclosing configuration
and carefully ignore the management endpoints in the normal security
chain.
Fixes spring-projects gh-100.
philwebb pushed a commit to philwebb/spring-boot that referenced this issue May 31, 2024
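
An added illustration, not code from Spring Boot or from the referenced commit: a plain-Java model of first-match filter chain selection, showing why an unsecured chain that matches every request opens the application endpoints too, and how ignoring only the management endpoints avoids that. The class, the chain names and the paths (`/orders`, `/health`, `/metrics`) are assumptions made for the example.

```java
import java.util.*;
import java.util.function.Predicate;

// Added illustration: a plain-Java model of first-match filter chain selection.
// Not Spring Boot code; all names and paths below are hypothetical.
public class ChainOrderDemo {

    // A chain pairs a request matcher with whether it demands authentication.
    static final class Chain {
        final String name; final Predicate<String> matches; final boolean requiresAuth;
        Chain(String name, Predicate<String> matches, boolean requiresAuth) {
            this.name = name; this.matches = matches; this.requiresAuth = requiresAuth;
        }
    }

    static final List<String> MANAGEMENT_PATHS = Arrays.asList("/health", "/metrics");

    // The first chain whose matcher accepts the path decides the outcome.
    static boolean allowed(List<Chain> chains, String path, boolean authenticated) {
        for (Chain c : chains) {
            if (c.matches.test(path)) return !c.requiresAuth || authenticated;
        }
        return true; // no chain matched: the request bypasses security entirely
    }

    // Behaviour described in the issue: with management security disabled, the
    // management chain is still registered, matches every request, applies no rules.
    static List<Chain> before() {
        return Arrays.asList(
            new Chain("management", p -> true, false),
            new Chain("application", p -> true, true));
    }

    // Behaviour described in the fix: the management chain is not registered, and
    // the application chain ignores only the management endpoints.
    static List<Chain> after() {
        return Collections.singletonList(
            new Chain("application", p -> !MANAGEMENT_PATHS.contains(p), true));
    }

    public static void main(String[] args) {
        for (String path : Arrays.asList("/orders", "/health")) {
            System.out.printf("%-8s anonymous: before=%b after=%b%n", path,
                allowed(before(), path, false), allowed(after(), path, false));
        }
    }
}
```

A regression check for this class of bug is an unauthenticated request to an application endpoint with management security disabled, asserting that it is still rejected.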