Merge branch '2.4.x'

mbhave · mbhave · commit 58f0e253e7e8 · 2020-12-16T14:58:29.000-08:00
Closes gh-24543
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/ManagementWebSecurityAutoConfiguration.java
@@ -63,6 +63,7 @@ SecurityFilterChain managementSecurityFilterChain(HttpSecurity http) throws Exce
 			requests.requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
 			requests.anyRequest().authenticated();
 		});
+		http.cors();
 		http.formLogin(Customizer.withDefaults());
 		http.httpBasic(Customizer.withDefaults());
 		return http.build();
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/java/smoketest/actuator/CorsSampleActuatorApplicationTests.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2012-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package smoketest.actuator;
+
+import java.net.URI;
+import java.util.Map;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.LocalHostUriTemplateHandler;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.context.ApplicationContext;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.ActiveProfiles;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Integration test for cors preflight requests to management endpoints.
+ *
+ * @author Madhura Bhave
+ */
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@ActiveProfiles("cors")
+class CorsSampleActuatorApplicationTests {
+
+	private TestRestTemplate testRestTemplate;
+
+	@Autowired
+	private ApplicationContext applicationContext;
+
+	@BeforeEach
+	void setUp() {
+		RestTemplateBuilder builder = new RestTemplateBuilder();
+		LocalHostUriTemplateHandler handler = new LocalHostUriTemplateHandler(this.applicationContext.getEnvironment(),
+				"http");
+		builder = builder.uriTemplateHandler(handler);
+		this.testRestTemplate = new TestRestTemplate(builder);
+	}
+
+	@Test
+	void endpointShouldReturnUnauthorized() {
+		ResponseEntity<?> entity = this.testRestTemplate.getForEntity("/actuator/env", Map.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+	}
+
+	@Test
+	void preflightRequestToEndpointShouldReturnOk() throws Exception {
+		RequestEntity<?> healthRequest = RequestEntity.options(new URI("/actuator/env"))
+				.header("Origin", "http://localhost:8080").header("Access-Control-Request-Method", "GET").build();
+		ResponseEntity<?> exchange = this.testRestTemplate.exchange(healthRequest, Map.class);
+		assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.OK);
+	}
+
+	@Test
+	void preflightRequestWhenCorsConfigInvalidShouldReturnForbidden() throws Exception {
+		RequestEntity<?> entity = RequestEntity.options(new URI("/actuator/env"))
+				.header("Origin", "http://localhost:9095").header("Access-Control-Request-Method", "GET").build();
+		ResponseEntity<byte[]> exchange = this.testRestTemplate.exchange(entity, byte[].class);
+		assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
+	}
+
+}
diff --git a/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties b/spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator/src/test/resources/application-cors.properties
@@ -0,0 +1,2 @@
+management.endpoints.web.cors.allowed-origins=http://localhost:8080
+management.endpoints.web.cors.allowed-methods=GET

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+management.endpoints.web.cors.allowed-origins=http://localhost:8080`
	`2`	`+management.endpoints.web.cors.allowed-methods=GET`