Advertize web endpoints as disabled by default

Following the rework on Security that expects web endpoints to be disabled by default, this commit updates the metadata (including the automatic generation) to reflect this decision.
7 years ago · def094b844
parent c76c16d92b
commit def094b844
4 changed files with 27 additions and 27 deletions
--- a/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
+++ b/spring-boot-actuator/src/main/resources/META-INF/additional-spring-configuration-metadata.json
@ -15,7 +15,7 @@
    "name": "endpoints.all.web.enabled",
    "type": "java.lang.Boolean",
    "description": "Enable all endpoints as Web endpoints.",
-    "defaultValue": true
+    "defaultValue": false
  },
  {
    "name": "endpoints.configprops.keys-to-sanitize",
--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@ -1087,92 +1087,92 @@ content into your application; rather pick only the properties that you need.
 	# ALL ENDPOINTS
 	endpoints.all.enabled=true # Enable all endpoints.
 	endpoints.all.jmx.enabled=true # Enable all endpoints as JMX MBeans.
-	endpoints.all.web.enabled=true # Enable all endpoints as Web endpoints.
+	endpoints.all.web.enabled=false # Enable all endpoints as Web endpoints.

 	# AUDIT EVENTS ENDPOINT ({sc-spring-boot-actuator}/endpoint/AuditEventsEndpoint.{sc-ext}[AuditEventsEndpoint])
 	endpoints.auditevents.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.auditevents.enabled=true # Enable the auditevents endpoint.
 	endpoints.auditevents.jmx.enabled=true # Expose the auditevents endpoint as a JMX MBean.
-	endpoints.auditevents.web.enabled=true # Expose the auditevents endpoint as a Web endpoint.
+	endpoints.auditevents.web.enabled=false # Expose the auditevents endpoint as a Web endpoint.

 	# AUTO-CONFIGURATION REPORT ENDPOINT ({sc-spring-boot-actuator}/endpoint/AutoConfigurationReportEndpoint.{sc-ext}[AutoConfigurationReportEndpoint])
 	endpoints.autoconfig.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.autoconfig.enabled=true # Enable the autoconfig endpoint.
 	endpoints.autoconfig.jmx.enabled=true # Expose the autoconfig endpoint as a JMX MBean.
-	endpoints.autoconfig.web.enabled=true # Expose the autoconfig endpoint as a Web endpoint.
+	endpoints.autoconfig.web.enabled=false # Expose the autoconfig endpoint as a Web endpoint.

 	# BEANS ENDPOINT ({sc-spring-boot-actuator}/endpoint/BeansEndpoint.{sc-ext}[BeansEndpoint])
 	endpoints.beans.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.beans.enabled=true # Enable the beans endpoint.
 	endpoints.beans.jmx.enabled=true # Expose the beans endpoint as a JMX MBean.
-	endpoints.beans.web.enabled=true # Expose the beans endpoint as a Web endpoint.
+	endpoints.beans.web.enabled=false # Expose the beans endpoint as a Web endpoint.

 	# CONFIGURATION PROPERTIES REPORT ENDPOINT ({sc-spring-boot-actuator}/endpoint/ConfigurationPropertiesReportEndpoint.{sc-ext}[ConfigurationPropertiesReportEndpoint])
 	endpoints.configprops.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.configprops.enabled=true # Enable the configprops endpoint.
 	endpoints.configprops.jmx.enabled=true # Expose the configprops endpoint as a JMX MBean.
 	endpoints.configprops.keys-to-sanitize=password,secret,key,token,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.
-	endpoints.configprops.web.enabled=true # Expose the configprops endpoint as a Web endpoint.
+	endpoints.configprops.web.enabled=false # Expose the configprops endpoint as a Web endpoint.

 	# ENVIRONMENT ENDPOINT  ({sc-spring-boot-actuator}/endpoint/EnvironmentEndpoint.{sc-ext}[EnvironmentEndpoint])
 	endpoints.env.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.env.enabled=true # Enable the env endpoint.
 	endpoints.env.jmx.enabled=true # Expose the env endpoint as a JMX MBean.
 	endpoints.env.keys-to-sanitize=password,secret,key,token,.*credentials.*,vcap_services # Keys that should be sanitized. Keys can be simple strings that the property ends with or regex expressions.
-	endpoints.env.web.enabled=true # Expose the env endpoint as a Web endpoint.
+	endpoints.env.web.enabled=false # Expose the env endpoint as a Web endpoint.

 	# FLYWAY ENDPOINT ({sc-spring-boot-actuator}/endpoint/FlywayEndpoint.{sc-ext}[FlywayEndpoint])
 	endpoints.flyway.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.flyway.enabled=true # Enable the flyway endpoint.
 	endpoints.flyway.jmx.enabled=true # Expose the flyway endpoint as a JMX MBean.
-	endpoints.flyway.web.enabled=true # Expose the flyway endpoint as a Web endpoint.
+	endpoints.flyway.web.enabled=false # Expose the flyway endpoint as a Web endpoint.

 	# HEALTH ENDPOINT ({sc-spring-boot-actuator}/endpoint/HealthEndpoint.{sc-ext}[HealthEndpoint])
 	endpoints.health.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.health.enabled=true # Enable the health endpoint.
 	endpoints.health.jmx.enabled=true # Expose the health endpoint as a JMX MBean.
-	endpoints.health.web.enabled=true # Expose the health endpoint as a Web endpoint.
+	endpoints.health.web.enabled=false # Expose the health endpoint as a Web endpoint.

 	# HEAP DUMP ENDPOINT ({sc-spring-boot-actuator}/endpoint/HeapDumpWebEndpoint.{sc-ext}[HeapDumpWebEndpoint])
 	endpoints.heapdump.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.heapdump.enabled=true # Enable the heapdump endpoint.
-	endpoints.heapdump.web.enabled=true # Expose the heapdump endpoint as a Web endpoint.
+	endpoints.heapdump.web.enabled=false # Expose the heapdump endpoint as a Web endpoint.

 	# INFO ENDPOINT ({sc-spring-boot-actuator}/endpoint/InfoEndpoint.{sc-ext}[InfoEndpoint])
 	endpoints.info.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.info.enabled=true # Enable the info endpoint.
 	endpoints.info.jmx.enabled=true # Expose the info endpoint as a JMX MBean.
-	endpoints.info.web.enabled=true # Expose the info endpoint as a Web endpoint.
+	endpoints.info.web.enabled=false # Expose the info endpoint as a Web endpoint.

 	# LIQUIBASE ENDPOINT ({sc-spring-boot-actuator}/endpoint/LiquibaseEndpoint.{sc-ext}[LiquibaseEndpoint])
 	endpoints.liquibase.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.liquibase.enabled=true # Enable the liquibase endpoint.
 	endpoints.liquibase.jmx.enabled=true # Expose the liquibase endpoint as a JMX MBean.
-	endpoints.liquibase.web.enabled=true # Expose the liquibase endpoint as a Web endpoint.
+	endpoints.liquibase.web.enabled=false # Expose the liquibase endpoint as a Web endpoint.

 	# LOG FILE ENDPOINT ({sc-spring-boot-actuator}/endpoint/LogFileWebEndpoint.{sc-ext}[LogFileWebEndpoint])
 	endpoints.logfile.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.logfile.enabled=true # Enable the logfile endpoint.
 	endpoints.logfile.external-file= # External Logfile to be accessed. Can be used if the logfile is written by output redirect and not by the logging system itself.
-	endpoints.logfile.web.enabled=true # Expose the logfile endpoint as a Web endpoint.
+	endpoints.logfile.web.enabled=false # Expose the logfile endpoint as a Web endpoint.

 	# LOGGERS ENDPOINT ({sc-spring-boot-actuator}/endpoint/LoggersEndpoint.{sc-ext}[LoggersEndpoint])
 	endpoints.loggers.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.loggers.enabled=true # Enable the loggers endpoint.
 	endpoints.loggers.jmx.enabled=true # Expose the loggers endpoint as a JMX MBean.
-	endpoints.loggers.web.enabled=true # Expose the loggers endpoint as a Web endpoint.
+	endpoints.loggers.web.enabled=false # Expose the loggers endpoint as a Web endpoint.

 	# REQUEST MAPPING ENDPOINT  ({sc-spring-boot-actuator}/endpoint/RequestMappingEndpoint.{sc-ext}[RequestMappingEndpoint])
 	endpoints.mappings.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.mappings.enabled=true # Enable the mappings endpoint.
 	endpoints.mappings.jmx.enabled=true # Expose the mappings endpoint as a JMX MBean.
-	endpoints.mappings.web.enabled=true # Expose the mappings endpoint as a Web endpoint.
+	endpoints.mappings.web.enabled=false # Expose the mappings endpoint as a Web endpoint.

 	# METRICS ENDPOINT ({sc-spring-boot-actuator}/endpoint/MetricsEndpoint.{sc-ext}[MetricsEndpoint])
 	endpoints.metrics.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.metrics.enabled=true # Enable the metrics endpoint.
 	endpoints.metrics.jmx.enabled=true # Expose the metrics endpoint as a JMX MBean.
-	endpoints.metrics.web.enabled=true # Expose the metrics endpoint as a Web endpoint.
+	endpoints.metrics.web.enabled=false # Expose the metrics endpoint as a Web endpoint.
 	endpoints.metrics.filter.counter-submissions= # Submissions that should be made to the counter.
 	endpoints.metrics.filter.enabled=true # Enable the metrics servlet filter.
 	endpoints.metrics.filter.gauge-submissions= # Submissions that should be made to the gauge.
@ -1187,20 +1187,20 @@ content into your application; rather pick only the properties that you need.
 	endpoints.status.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.status.enabled=true # Enable the status endpoint.
 	endpoints.status.jmx.enabled=true # Expose the status endpoint as a JMX MBean.
-	endpoints.status.web.enabled=true # Expose the status endpoint as a Web endpoint.
+	endpoints.status.web.enabled=false # Expose the status endpoint as a Web endpoint.

 	# THREAD DUMP ENDPOINT ({sc-spring-boot-actuator}/endpoint/ThreadDumpEndpoint.{sc-ext}[ThreadDumpEndpoint])
 	endpoints.threaddump.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.threaddump.enabled=true # Enable the threaddump endpoint.
 	endpoints.threaddump.jmx.enabled=true # Expose the threaddump endpoint as a JMX MBean.
-	endpoints.threaddump.web.enabled=true # Expose the threaddump endpoint as a Web endpoint.
+	endpoints.threaddump.web.enabled=false # Expose the threaddump endpoint as a Web endpoint.

 	# TRACE ENDPOINT ({sc-spring-boot-actuator}/endpoint/TraceEndpoint.{sc-ext}[TraceEndpoint])
 	endpoints.trace.cache.time-to-live=0 # Maximum time in milliseconds that a response can be cached.
 	endpoints.trace.enabled=true # Enable the trace endpoint.
 	endpoints.trace.filter.enabled=true # Enable the trace servlet filter.
 	endpoints.trace.jmx.enabled=true # Expose the trace endpoint as a JMX MBean.
-	endpoints.trace.web.enabled=true # Expose the trace endpoint as a Web endpoint.
+	endpoints.trace.web.enabled=false # Expose the trace endpoint as a Web endpoint.

 	# MANAGEMENT HTTP SERVER ({sc-spring-boot-actuator}/autoconfigure/ManagementServerProperties.{sc-ext}[ManagementServerProperties])
 	management.add-application-context-header=false # Add the "X-Application-Context" HTTP header in each response.
--- a/spring-boot-tools/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/ConfigurationMetadataAnnotationProcessor.java
+++ b/spring-boot-tools/spring-boot-configuration-processor/src/main/java/org/springframework/boot/configurationprocessor/ConfigurationMetadataAnnotationProcessor.java
@ -392,7 +392,7 @@ public class ConfigurationMetadataAnnotationProcessor extends AbstractProcessor
 			this.metadataCollector.add(ItemMetadata.newProperty(
 					endpointKey(endpointId + ".web"), "enabled", Boolean.class.getName(),
 					type, null, String.format("Expose the %s endpoint as a Web endpoint.",
-							endpointId), enabledByDefault, null));
+							endpointId), false, null));
 		}
 	}

--- a/spring-boot-tools/spring-boot-configuration-processor/src/test/java/org/springframework/boot/configurationprocessor/ConfigurationMetadataAnnotationProcessorTests.java
+++ b/spring-boot-tools/spring-boot-configuration-processor/src/test/java/org/springframework/boot/configurationprocessor/ConfigurationMetadataAnnotationProcessorTests.java
@ -532,7 +532,7 @@ public class ConfigurationMetadataAnnotationProcessorTests {
 				.fromSource(SimpleEndpoint.class));
 		assertThat(metadata).has(enabledFlag("simple", true));
 		assertThat(metadata).has(jmxEnabledFlag("simple", true));
-		assertThat(metadata).has(webEnabledFlag("simple", true));
+		assertThat(metadata).has(webEnabledFlag("simple", false));
 		assertThat(metadata).has(cacheTtl("simple"));
 		assertThat(metadata.getItems()).hasSize(5);
 	}
@ -558,7 +558,7 @@ public class ConfigurationMetadataAnnotationProcessorTests {
 				ofType(String.class).withDefaultValue("test"));
 		assertThat(metadata).has(enabledFlag("customprops", true));
 		assertThat(metadata).has(jmxEnabledFlag("customprops", true));
-		assertThat(metadata).has(webEnabledFlag("customprops", true));
+		assertThat(metadata).has(webEnabledFlag("customprops", false));
 		assertThat(metadata).has(cacheTtl("customprops"));
 		assertThat(metadata.getItems()).hasSize(6);
 	}
@ -580,7 +580,7 @@ public class ConfigurationMetadataAnnotationProcessorTests {
 		assertThat(metadata).has(Metadata.withGroup("endpoints.web")
 				.fromSource(OnlyWebEndpoint.class));
 		assertThat(metadata).has(enabledFlag("web", true));
-		assertThat(metadata).has(webEnabledFlag("web", true));
+		assertThat(metadata).has(webEnabledFlag("web", false));
 		assertThat(metadata).has(cacheTtl("web"));
 		assertThat(metadata.getItems()).hasSize(4);
 	}
@ -594,7 +594,7 @@ public class ConfigurationMetadataAnnotationProcessorTests {
 				.fromSource(IncrementalEndpoint.class));
 		assertThat(metadata).has(enabledFlag("incremental", true));
 		assertThat(metadata).has(jmxEnabledFlag("incremental", true));
-		assertThat(metadata).has(webEnabledFlag("incremental", true));
+		assertThat(metadata).has(webEnabledFlag("incremental", false));
 		assertThat(metadata).has(cacheTtl("incremental"));
 		assertThat(metadata.getItems()).hasSize(5);
 		project.replaceText(IncrementalEndpoint.class, "id = \"incremental\"",
@ -618,7 +618,7 @@ public class ConfigurationMetadataAnnotationProcessorTests {
 				.fromSource(IncrementalEndpoint.class));
 		assertThat(metadata).has(enabledFlag("incremental", true));
 		assertThat(metadata).has(jmxEnabledFlag("incremental", true));
-		assertThat(metadata).has(webEnabledFlag("incremental", true));
+		assertThat(metadata).has(webEnabledFlag("incremental", false));
 		assertThat(metadata).has(cacheTtl("incremental"));
 		assertThat(metadata.getItems()).hasSize(5);
 		project.replaceText(IncrementalEndpoint.class, "id = \"incremental\"",
@ -627,7 +627,7 @@ public class ConfigurationMetadataAnnotationProcessorTests {
 		assertThat(metadata).has(Metadata.withGroup("endpoints.incremental")
 				.fromSource(IncrementalEndpoint.class));
 		assertThat(metadata).has(enabledFlag("incremental", true));
-		assertThat(metadata).has(webEnabledFlag("incremental", true));
+		assertThat(metadata).has(webEnabledFlag("incremental", false));
 		assertThat(metadata).has(cacheTtl("incremental"));
 		assertThat(metadata.getItems()).hasSize(4);
 	}
@ -650,7 +650,7 @@ public class ConfigurationMetadataAnnotationProcessorTests {
 				.fromSource(IncrementalJmxEndpoint.class));
 		assertThat(metadata).has(enabledFlag("incremental", true));
 		assertThat(metadata).has(jmxEnabledFlag("incremental", true));
-		assertThat(metadata).has(webEnabledFlag("incremental", true));
+		assertThat(metadata).has(webEnabledFlag("incremental", false));
 		assertThat(metadata).has(cacheTtl("incremental"));
 		assertThat(metadata.getItems()).hasSize(5);
 	}