Describe the bug
Access to "/" on a dedicated actuator port is not allowed, even if specified in the security filter chain.
To Reproduce
Add http.authorizeRequests().requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll() to the security filter chain.
Add management.server.port=8081 to application.properties.
Accessing http://localhost:8081/ leads to HTTP 401.
Expected behavior
Since the index is included in EndpointRequest.toAnyEndpoint(), access should be allowed to "/" on the dedicated actuator port.
Comment From: marcusdacoregio
Hi @frederic-kneier,
I tried myself with the configuration you provided and instead I get a 404, therefore the endpoint is allowed. I was not able to reproduce the 401, can you provide a minimal, reproducible sample where I can replay the same behavior?
Comment From: frederic-kneier
Of course. The following setup will require login to the root of the management endpoint on port 9000. In this config it leads to a basic login request.
Dependencies
implementation("org.springframework.boot:spring-boot-starter-webflux:3.0.5")
implementation("org.springframework.boot:spring-boot-starter-actuator:3.0.5")
implementation("org.springframework.boot:spring-boot-starter-security:3.0.5")
Application.yaml
management:
  server:
    port: 9000
  endpoints:
    web:
      base-path: /
Application:
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest
import org.springframework.boot.autoconfigure.SpringBootApplication
import org.springframework.boot.runApplication
import org.springframework.context.annotation.Bean
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain

@SpringBootApplication
open class Application {
    // Permit every actuator endpoint (including the links page) on the management port.
    @Bean
    open fun securityChain(http: ServerHttpSecurity): SecurityWebFilterChain = http.run {
        authorizeExchange().matchers(EndpointRequest.toAnyEndpoint()).permitAll()
        build()
    }
}

fun main(args: Array<String>) {
    runApplication<Application>(args = args)
}
Comment From: marcusdacoregio
The root endpoint is not considered because when the code reaches this line the basePath is blank, therefore it won't match the basePath. The code that is replacing / with a blank string was introduced by this commit which is quite old so I think the behavior is expected.
Since this is not related to Spring Security, I think the best thing now would be to reach out to Spring Boot to check if this is a bug or understand better that change.
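The application.yaml from the report, as an added example (not from the issue or either project), with the problematic base path beside a setting under which the matcher does cover the links page; it assumes the security chain from the report is left unchanged.

```yaml
# Added example, not part of the issue. Assumes the securityChain bean from the
# report (matchers(EndpointRequest.toAnyEndpoint()).permitAll()) is unchanged.
management:
  server:
    port: 9000
  endpoints:
    web:
      # With base-path "/" Spring Boot stores a blank base path, so the links
      # page served at http://localhost:9000/ is not matched by
      # EndpointRequest.toAnyEndpoint(); no rule matches the exchange, it is
      # denied, and the basic-auth entry point answers HTTP 401 (the report).
      # base-path: /
      #
      # With a non-blank base path the links page lives at
      # http://localhost:9000/actuator, which the matcher covers, so it is
      # permitted; "/" on the management port is then simply unmapped, which is
      # consistent with the 404 the maintainer observed.
      base-path: /actuator
```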