
/actuator/jolokia/list not secured when using EndpointRequest.toAnyEndpoint() #17912

@copa2

Description


When configuring a custom role for the actuator endpoints with
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR"), this will not work for sub-path calls to /actuator/jolokia (e.g. /actuator/jolokia/list).

Internally it will not match the MvcPattern:
Trying to match using Mvc [pattern='/actuator/jolokia/**']

Workaround:
Define an additional antMatcher("/actuator/jolokia/**").

Version: Spring Boot 2.1.7.RELEASE with Web/Security/Actuator and added jolokia-core.

Relevant Code:
https://github.com/copa2/actuator-security-bug/blob/master/src/main/java/com/example/actuatordemo/ActuatordemoApplication.java#L18-L37

See example project: https://github.com/copa2/actuator-security-bug
Call with curl -v -u "user:password" http://localhost:8080/actuator/jolokia/list
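The configuration the report describes, written out as a complete Spring Security class so the gap and the workaround can be seen side by side. This is an added example, not the reporter's project code: the role name "ACTUATOR" and the Jolokia path come from the report, while the class name, package, the use of HTTP Basic and the deny-by-default rule for all other requests are assumptions for this example (Spring Boot 2.1.x / Spring Security 5.1.x API, WebSecurityConfigurerAdapter style).

```java
package com.example.actuatordemo;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Access rules for the actuator endpoints (example configuration, not the
 * reporter's code). Role name and Jolokia path are taken from the report;
 * class name, package and the HTTP Basic choice are assumptions.
 */
@Configuration
public class ActuatorSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matches the actuator endpoints themselves, e.g. /actuator/health
                // and /actuator/jolokia. As reported, a request to a Jolokia
                // sub-path such as /actuator/jolokia/list is NOT matched here.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                // Workaround from the report: an explicit ant pattern that covers
                // every Jolokia sub-path with the same role requirement.
                .antMatchers("/actuator/jolokia/**").hasRole("ACTUATOR")
                // Deny by default: anything not listed above still needs a login,
                // so a future unmatched sub-path cannot become anonymous by accident.
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}
```

Two checks worth running after applying this: a request to /actuator/jolokia/list with no credentials should return 401, and a request with a valid user that lacks the role should return 403; only a user whose granted authority is ROLE_ACTUATOR (Spring Security adds the ROLE_ prefix for hasRole) should get 200. Because both rules demand the same role, their relative order does not matter here; if the two rules ever required different roles, remember that Spring Security applies the first matching rule.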

Metadata

Labels

type: blocker (An issue that is blocking us from releasing)
