
spring.security.dispatcher-types is not applied to Spring Security's filter when running in a separate management context #27372

@juliojgd

Description


I started a new project at Spring Initializr with these parameters:

Find the generated code here: https://github.com/juliojgd/sb-trace-http-test

Then, I created a:

    // Nested inside the generated Spring Boot application class
    @RestController
    static class MyController {

        @GetMapping("/trace-test")
        public ResponseEntity<String> traceTest() {
            return ResponseEntity.ok("Right!");
        }
    }

And then with no extra addition or change:

$ mvn clean install

Run the project with Actuator on the same port (8080)

$ java -Dspring.security.user.password=p1 -jar target/traceforbidden1-0.0.1-SNAPSHOT.jar

Note that in default configuration my endpoint and actuator endpoints are published in the same (8080) port.

Results issuing GET HTTP Requests

$ curl http://localhost:8080/trace-test -u user:p1
Right!

$ curl  http://localhost:8080/actuator/health
{"status":"UP"}

Everything OK.

Results issuing TRACE HTTP Requests

$ curl -v  http://localhost:8080/trace-test -u user:p1 -X TRACE -H "test-header: value"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'user'
> TRACE /trace-test HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwMQ==
> User-Agent: curl/7.58.0
> Accept: */*
> test-header: value
>
< HTTP/1.1 405
< Allow: HEAD, DELETE, POST, GET, OPTIONS, PUT
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 449
< Date: Tue, 06 Jul 2021 01:29:45 GMT
<
* Connection #0 to host localhost left intact
<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1></body></html>

$ curl -v http://localhost:8080/actuator/health -X TRACE -H "h: h"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> TRACE /actuator/health HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.58.0
> Accept: */*
> h: h
>
< HTTP/1.1 405
< Allow: HEAD, DELETE, POST, GET, OPTIONS, PUT
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 449
< Date: Tue, 06 Jul 2021 01:33:06 GMT
<
* Connection #0 to host localhost left intact
<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1></body></html

Everything seems OK. The TRACE HTTP method is not allowed BOTH in my endpoint and in the actuator endpoint (perfect for me, it has been depicted as a security risk), and no ECHO behavior is obtained, because this echo behavior is the one considered a potential harm. Be aware that if the echo behavior (returning the received headers) is accomplished, the security risk remains, as the risky part is returning the request echo in the response (even if it seems not to be allowed (405)).


Run the project with Actuator on different port (8081)

$ java -Dmanagement.server.port=8081 -Dspring.security.user.password=p1 -jar target/traceforbidden1-0.0.1-SNAPSHOT.jar 

Results with GET Http Method

Same as before, OK.

Results issuing TRACE HTTP Requests

With my endpoint on port 8080 it is OK, not returning the headers as an echo response because it is not allowed:

$ curl -v  http://localhost:8080/trace-test -u user:p1 -X TRACE -H "test-header: value"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'user'
> TRACE /trace-test HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwMQ==
> User-Agent: curl/7.58.0
> Accept: */*
> test-header: value
>
< HTTP/1.1 405
< Allow: HEAD, DELETE, POST, GET, OPTIONS, PUT
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 449
< Date: Tue, 06 Jul 2021 01:36:59 GMT
<
* Connection #0 to host localhost left intact
<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1></body></html>

But, issuing a request to the Actuator endpoint on port 8081 (a different one):

$  curl -v http://localhost:8081/actuator/health -X TRACE -H "h: h"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8081 (#0)
> TRACE /actuator/health HTTP/1.1
> Host: localhost:8081
> User-Agent: curl/7.58.0
> Accept: */*
> h: h
>
< HTTP/1.1 405
< Allow: HEAD, DELETE, POST, GET, OPTIONS, PUT
< Content-Type: message/http
< Content-Length: 89
< Date: Tue, 06 Jul 2021 01:38:29 GMT
<
TRACE /error HTTP/1.1
host: localhost:8081
user-agent: curl/7.58.0
accept: */*
h: h

The echo of the request is returned! And even the potentially sensitive user-included header named "h" is included.

Clearly it is working differently when the actuator is on the same port than when it is on a different port.

Is this different behavior intended? I hope not 😄

P.S. I tried to customize setAllowTrace by creating a bean of type ManagementWebServerFactoryCustomizer<TomcatServletWebServerFactory> and then adding a ConnectorCustomizer, but it does not work; it seems not to apply to the management (Actuator) Tomcat. It is weird, as the type name is ManagementWebServer...
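A regression check for the behaviour reported above, added here as an example and not part of the issue or of the linked project: both the safe and the leaking responses were 405, so a status-code check is not enough; the distinguishing signal is the `message/http` content type and a body that is the request itself, including caller-supplied headers. The sample responses below are constructed from the transcripts in the issue; the script is meant to be fed the output of `curl -si -X TRACE ...` against a local build.

```python
"""Detect a TRACE echo in a raw HTTP response (added example, see lead-in)."""
import sys


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_echo_leak(raw: str):
    """Return the names of request headers echoed back, or [] if no echo.

    The leaking case from the issue: 405 status but Content-Type message/http
    and a body starting with the request line ("TRACE /error HTTP/1.1").
    """
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "")
    if not (ctype.startswith("message/http") or body.lstrip().startswith("TRACE ")):
        return []
    echoed = []
    for line in body.strip().split("\n")[1:]:  # skip the echoed request line
        name = line.partition(":")[0].strip().lower()
        if name:
            echoed.append(name)
    return echoed


# Constructed samples, abridged from the issue's curl transcripts.
SAFE = ("HTTP/1.1 405\r\nAllow: HEAD, DELETE, POST, GET, OPTIONS, PUT\r\n"
        "Content-Type: text/html;charset=utf-8\r\nContent-Length: 449\r\n\r\n"
        "<!doctype html><html lang=\"en\"><body><h1>HTTP Status 405</h1></body></html>")
LEAKY = ("HTTP/1.1 405\r\nAllow: HEAD, DELETE, POST, GET, OPTIONS, PUT\r\n"
         "Content-Type: message/http\r\nContent-Length: 89\r\n\r\n"
         "TRACE /error HTTP/1.1\r\nhost: localhost:8081\r\n"
         "user-agent: curl/7.58.0\r\naccept: */*\r\nh: h\r\n")

if __name__ == "__main__":
    leaked = trace_echo_leak(sys.stdin.read())
    if leaked:
        print("TRACE echo detected; echoed headers: " + ", ".join(leaked))
        sys.exit(1)
    print("no TRACE echo")
```

Run it as `curl -si -X TRACE http://localhost:8081/actuator/health -H "h: h" | python3 trace_check.py` against your own build; a non-zero exit marks the management port as echoing.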
