From 9928d74a9e0670fd9bcb9f982fa17d2305f32f56 Mon Sep 17 00:00:00 2001
From: Madhura Bhave
Date: Mon, 4 Jan 2021 12:25:05 -0800
Subject: [PATCH] Revert fix to enable cors for actuator endpoints

The fix causes a Jersey application to fail in the absence of a `CorsFilter` or `CorsConfigurationSource` bean.

See gh-11987
---
 ...anagementWebSecurityConfigurerAdapter.java | 1 -
 ...mentWebSecurityAutoConfigurationTests.java | 3 +-
 .../CorsSampleActuatorApplicationTests.java | 83 -------------------
 .../resources/application-cors.properties | 2 -
 4 files changed, 1 insertion(+), 88 deletions(-)
 delete mode 100644 spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java
 delete mode 100644 spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java
index e3ccaedb437e..707d86695221 100644
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityConfigurerAdapter.java
@@ -44,7 +44,6 @@ protected void configure(HttpSecurity http) throws Exception {
 requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
 requests.anyRequest().authenticated();
 });
- http.cors();
 http.formLogin(Customizer.withDefaults());
 http.httpBasic(Customizer.withDefaults());
 }
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java
index ec3cbd6cf464..fd988102f1af 100644
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfigurationTests.java
@@ -30,7 +30,6 @@
 import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.saml2.Saml2RelyingPartyAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.context.annotation.Configuration;
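Review bot: Dropping `http.cors();` leaves the management filter chain with no CORS handling, so a browser preflight (OPTIONS carrying `Origin` and `Access-Control-Request-Method`) to an authenticated endpoint such as `/actuator/env` is presumably rejected by the `anyRequest().authenticated()` rule above it before any `management.endpoints.web.cors.*` setting is consulted, which is exactly the behaviour the deleted smoke test `preflightRequestToEndpointShouldReturnOk` pinned and nothing in this commit replaces. The description explains the Jersey failure when neither a `CorsFilter` nor a `CorsConfigurationSource` bean exists, which argues for guarding the call rather than removing it — for instance enabling CORS only when a `CorsConfigurationSource` bean is available (an `ObjectProvider<CorsConfigurationSource>` injected into the adapter, or a bean condition on the auto-configuration), so MVC users keep preflight support while Jersey users are not broken. Whichever way it is resolved, the class Javadoc should state the contract the chain now offers, e.g. `* CORS is not enabled on this chain; an application that needs cross-origin access to management endpoints must register a CorsConfigurationSource and enable http.cors() in its own security configuration.` The `configure` method begins above the hunk, so I cannot see whether earlier lines assume CORS is applied.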
@@ -57,7 +56,7 @@ class ManagementWebSecurityAutoConfigurationTests {
 private WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration(
 AutoConfigurations.of(HealthContributorAutoConfiguration.class, HealthEndpointAutoConfiguration.class,
 InfoEndpointAutoConfiguration.class, EnvironmentEndpointAutoConfiguration.class,
- EndpointAutoConfiguration.class, WebMvcAutoConfiguration.class, WebEndpointAutoConfiguration.class,
+ EndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class,
 SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class));
 
 @Test
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java
deleted file mode 100644
index a2837d7c7abb..000000000000
--- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright 2012-2020 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package smoketest.actuator;
-
-import java.net.URI;
-import java.util.Map;
-
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.boot.test.web.client.LocalHostUriTemplateHandler;
-import org.springframework.boot.test.web.client.TestRestTemplate;
-import org.springframework.boot.web.client.RestTemplateBuilder;
-import org.springframework.context.ApplicationContext;
-import org.springframework.http.HttpStatus;
-import org.springframework.http.RequestEntity;
-import org.springframework.http.ResponseEntity;
-import org.springframework.test.context.ActiveProfiles;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-/**
- * Integration test for cors preflight requests to management endpoints.
- *
- * @author Madhura Bhave
- */
-@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
-@ActiveProfiles("cors")
-class CorsSampleActuatorApplicationTests {
-
- private TestRestTemplate testRestTemplate;
-
- @Autowired
- private ApplicationContext applicationContext;
-
- @BeforeEach
- void setUp() {
- RestTemplateBuilder builder = new RestTemplateBuilder();
- LocalHostUriTemplateHandler handler = new LocalHostUriTemplateHandler(this.applicationContext.getEnvironment(),
- "http");
- builder = builder.uriTemplateHandler(handler);
- this.testRestTemplate = new TestRestTemplate(builder);
- }
-
- @Test
- void endpointShouldReturnUnauthorized() {
- ResponseEntity entity = this.testRestTemplate.getForEntity("/actuator/env", Map.class);
- assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
- }
-
- @Test
- void preflightRequestToEndpointShouldReturnOk() throws Exception {
- RequestEntity healthRequest = RequestEntity.options(new URI("/actuator/env"))
- .header("Origin", "http://localhost:8080").header("Access-Control-Request-Method", "GET").build();
- ResponseEntity exchange = this.testRestTemplate.exchange(healthRequest, Map.class);
- assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.OK);
- }
-
- @Test
- void preflightRequestWhenCorsConfigInvalidShouldReturnForbidden() throws Exception {
- RequestEntity entity = RequestEntity.options(new URI("/actuator/env"))
- .header("Origin", "http://localhost:9095").header("Access-Control-Request-Method", "GET").build();
- ResponseEntity exchange = this.testRestTemplate.exchange(entity, byte[].class);
- assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
- }
-
-}
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties
deleted file mode 100644
index 94bc394189d6..000000000000
--- a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties
+++ /dev/null
@@ -1,2 +0,0 @@
-management.endpoints.web.cors.allowed-origins=http://localhost:8080
-management.endpoints.web.cors.allowed-methods=GET