diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
index 094d63f35c..a949a8b44e 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementSecurityAutoConfiguration.java
@@ -221,7 +221,13 @@ public class ManagementSecurityAutoConfiguration {
 List paths = new ArrayList(endpoints.size());
 for (MvcEndpoint endpoint : endpoints) {
 if (endpoint.isSensitive() == secure) {
- paths.add(endpointHandlerMapping.getPrefix() + endpoint.getPath());
+ String path = endpointHandlerMapping.getPrefix() + endpoint.getPath();
+ paths.add(path);
+ if (secure) {
+ // Add Spring MVC-generated additional paths
+ paths.add(path + "/");
+ paths.add(path + ".*");
+ }
 }
 }
 return paths.toArray(new String[paths.size()]);
diff --git a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
index 8b0325874b..7721c5690e 100644
--- a/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
+++ b/spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/SampleActuatorApplicationTests.java
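Review bot: The two added variants cover only the trailing-slash and suffix forms of a sensitive endpoint, so a request to a nested sub-path such as `path + "/foo"` is still absent from the returned list; if these strings are consumed as Ant-style patterns (the consumer is not visible in this hunk), `*` does not cross a `/` and `/**` would be needed, e.g. `paths.add(path + "/**");` in place of `paths.add(path + "/");`. The companion test in SampleActuatorApplicationTests asserts UNAUTHORIZED for `/metrics/foo`, which, if it passes, presumably comes from a different rule than the patterns built here, so it does not demonstrate that this hunk handles sub-paths. The comment on the added block would be more useful if it said what each variant is for: `// Spring MVC also serves path/ (trailing slash) and path.<ext> (suffix pattern); "*" stays within one segment`. The enclosing method's signature and closing brace are outside the hunk, and the raw `List`/`ArrayList` declarations are pre-existing context.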
@@ -70,6 +70,23 @@ public class SampleActuatorApplicationTests {
 .containsKey("Set-Cookie"));
 }
+ @Test
+ public void testMetricsIsSecure() throws Exception {
+ @SuppressWarnings("rawtypes")
+ ResponseEntity entity = new TestRestTemplate().getForEntity(
+ "http://localhost:8080/metrics", Map.class);
+ assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+ entity = new TestRestTemplate().getForEntity(
+ "http://localhost:8080/metrics/", Map.class);
+ assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+ entity = new TestRestTemplate().getForEntity(
+ "http://localhost:8080/metrics/foo", Map.class);
+ assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+ entity = new TestRestTemplate().getForEntity(
+ "http://localhost:8080/metrics.json", Map.class);
+ assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
+ }
+ @Test
+ public void testHome() throws Exception {
+ @SuppressWarnings("rawtypes")
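Review bot: The four request/assert pairs in testMetricsIsSecure differ only in the URL, so a small helper taking the URL would make the list of path variants readable and let a further case (for example a nested sub-path covered by `/**`) be added as one line. The test also only checks that an anonymous request is rejected; in an application where every unmatched request is rejected too, a 401 on `/metrics/foo` does not by itself show that the actuator rules built in ManagementSecurityAutoConfiguration cover that path, so a credentialed request to the same URLs asserting OK would pin down that the endpoint is actually reachable and guarded by the intended rule. The trailing `@Test`/`testHome` lines appear with `+` markers in this chunk although the hunk header counts imply they are unchanged context; the markers are left as extracted. Sketch of the helper:
```java
@Test
public void testMetricsIsSecure() throws Exception {
    assertUnauthorized("http://localhost:8080/metrics");
    assertUnauthorized("http://localhost:8080/metrics/");
    assertUnauthorized("http://localhost:8080/metrics/foo");
    assertUnauthorized("http://localhost:8080/metrics.json");
}

// Anonymous GET of a sensitive endpoint variant must be rejected with 401.
private static void assertUnauthorized(String url) {
    @SuppressWarnings("rawtypes")
    ResponseEntity entity = new TestRestTemplate().getForEntity(url, Map.class);
    assertEquals(HttpStatus.UNAUTHORIZED, entity.getStatusCode());
}
// … unchanged: testHome …
```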