Allow security.ignored=none to switch off ignores

11 years ago · 5f8f062545
parent 938c267a1d
commit 5f8f062545
4 changed files with 38 additions and 17 deletions
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfiguration.java
@ -128,6 +128,9 @@ public class SecurityAutoConfiguration {
 	private static class ApplicationWebSecurityConfigurerAdapter extends
 			WebSecurityConfigurerAdapter {

+		private static List<String> DEFAULT_IGNORED = Arrays.asList("/css/**", "/js/**",
+				"/images/**", "/**/favicon.ico");
+
 		@Autowired
 		private SecurityProperties security;

@ -187,10 +190,17 @@ public class SecurityAutoConfiguration {
 		@Override
 		public void configure(WebSecurity builder) throws Exception {
 			IgnoredRequestConfigurer ignoring = builder.ignoring();
-			ignoring.antMatchers(this.security.getIgnoredPaths());
+			List<String> ignored = new ArrayList<String>(this.security.getIgnored());
+			if (ignored.isEmpty()) {
+				ignored.addAll(DEFAULT_IGNORED);
+			}
+			else if (ignored.contains("none")) {
+				ignored.remove("none");
+			}
 			if (this.errorController != null) {
-				ignoring.antMatchers(this.errorController.getErrorPath());
+				ignored.add(this.errorController.getErrorPath());
 			}
+			ignoring.antMatchers(ignored.toArray(new String[0]));
 		}

 		@Override
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/properties/SecurityProperties.java
@ -43,12 +43,7 @@ public class SecurityProperties {

 	private SessionCreationPolicy sessions = SessionCreationPolicy.STATELESS;

-	private List<String> emptyIgnored = new ArrayList<String>();
-
-	private List<String> ignored = this.emptyIgnored;
-
-	private static String[] DEFAULT_IGNORED = new String[] { "/css/**", "/js/**",
-			"/images/**", "/**/favicon.ico" };
+	private List<String> ignored = new ArrayList<String>();

 	private Management management = new Management();

@ -106,13 +101,6 @@ public class SecurityProperties {
 		return this.ignored;
 	}

-	public String[] getIgnoredPaths() {
-		if (this.ignored == this.emptyIgnored) {
-			return DEFAULT_IGNORED;
-		}
-		return this.ignored.toArray(new String[this.ignored.size()]);
-	}
-
 	public static class Headers {

 		public static enum HSTS {
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfigurationTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/autoconfigure/SecurityAutoConfigurationTests.java
@ -64,7 +64,7 @@ public class SecurityAutoConfigurationTests {
 				EndpointAutoConfiguration.class,
 				ManagementServerPropertiesAutoConfiguration.class,
 				PropertyPlaceholderAutoConfiguration.class);
-		TestUtils.addEnviroment(this.context, "security.ignored:");
+		TestUtils.addEnviroment(this.context, "security.ignored:none");
 		this.context.refresh();
 		// Just the application and\ management endpoints now
 		assertEquals(2, this.context.getBean(FilterChainProxy.class).getFilterChains()
--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/properties/SecurityPropertiesTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/properties/SecurityPropertiesTests.java
@ -46,6 +46,28 @@ public class SecurityPropertiesTests {
 		assertEquals(1, security.getIgnored().size());
 	}

+	@Test
+	public void testBindingIgnoredEmpty() {
+		SecurityProperties security = new SecurityProperties();
+		RelaxedDataBinder binder = new RelaxedDataBinder(security, "security");
+		binder.setConversionService(new DefaultConversionService());
+		binder.bind(new MutablePropertyValues(Collections.singletonMap(
+				"security.ignored", "")));
+		assertFalse(binder.getBindingResult().hasErrors());
+		assertEquals(0, security.getIgnored().size());
+	}
+
+	@Test
+	public void testBindingIgnoredDisable() {
+		SecurityProperties security = new SecurityProperties();
+		RelaxedDataBinder binder = new RelaxedDataBinder(security, "security");
+		binder.setConversionService(new DefaultConversionService());
+		binder.bind(new MutablePropertyValues(Collections.singletonMap(
+				"security.ignored", "none")));
+		assertFalse(binder.getBindingResult().hasErrors());
+		assertEquals(1, security.getIgnored().size());
+	}
+
 	@Test
 	public void testBindingIgnoredMultiValued() {
 		SecurityProperties security = new SecurityProperties();
@ -64,10 +86,11 @@ public class SecurityPropertiesTests {
 		binder.setConversionService(new DefaultConversionService());
 		Map<String, String> map = new HashMap<String, String>();
 		map.put("security.ignored[0]", "/css/**");
-		map.put("security.ignored[1]", "images/**");
+		map.put("security.ignored[1]", "/foo/**");
 		binder.bind(new MutablePropertyValues(map));
 		assertFalse(binder.getBindingResult().hasErrors());
 		assertEquals(2, security.getIgnored().size());
+		assertTrue(security.getIgnored().contains("/foo/**"));
 	}

 	@Test