The changes made in 6a2ac080 mean that getSecurity() on
ManagementServerProperties will no longer return null when Spring
Security is on the classpath. This had the unwanted side-effect of
causing the health endpoint to hide its details when Spring Security
was not on the classpath.
This commit reinstates the previous behaviour by only considering
the health endpoint to be secure if Spring Security is on the
classpath and management.security.enabled is true.
Closes gh-7345

Update CloudFoundrySecurityService so that SSL validation is not
required. We're unlikely to have configured public keys for the
REST endpoints we need to call. Since the endpoints are provided via
environment variables we can implicitly trust them.
See gh-7108

Add security to Cloud Foundry actuator endpoints. Security is enforced
by a `HandlerInterceptor` on `CloudFoundryEndpointHandlerMapping`. Each
endpoint call expects an 'Authorization' header containing a bearer
token. The token signature is checked against the UAA public keys then
passed to the Cloud Controller to obtain an ultimate access level.
The client may either have 'RESTRICTED' or 'FULL' access, with the latter
only providing access to a limited set of endpoints.
See gh-7108

Update `ManagementServerProperties` so that `security.sessions` no
longer uses `SessionCreationPolicy` from Spring Security. We now
use our own enum which allows `management.security.*` properties to
be set without the risk of a `ClassNotFoundException`.
Fixes gh-3888

Previously, if an exception was thrown during request handling after
the response had been committed, i.e. after the status and headers
had been written, the metrics filter would assume that it was a 500
response. This was potentially inaccurate as the status had already
been sent to the client before the exception was thrown, and it
may have been something other than a 500.
This commit updates MetricsFilter so that it will use the
status from the response if the response has been committed even when
an exception is thrown.
Closes gh-7277

Add `LoggersEndpoint` that enables listing and configuration of log
levels. This actuator builds on top of the `LoggingSystem` abstraction
and implements support for Logback, Log4J2, and JUL. The LoggingSystem
interface is modified to require each implementation to list the
configuration of all loggers as well as an individual logger by name.
The MVC endpoint exposes these behaviors at `GET /loggers` and
`GET /loggers/{name}` (much like the metrics actuator).
In addition, `POST /loggers/{name}` allows users to modify the level for a given
logger. This modification is passed to the logging implementation, which
then decides, as an internal implementation detail, what the final outcome
of the modification is (e.g. changing all unconfigured children). Users
are then expected to request the listing of all loggers to see what has
changed internally to the logging system.
Closes gh-7086

Update EndpointHandlerMapping so that it can be subclassed easily.
Subclasses can override the `path` that is used to map the endpoint,
allowing different mapping strategies to be used.
See gh-7108