Actuator's EndpointRequest doesn't consider server.servlet.path

[candrews]

In application.properties, set server.servlet.path=/spring

Now notice that EndpointRequest.* doesn't match anything. For example, a request for /spring/actuator/health doesn't match (a request for /actuator/health does match, though - even though it will return a 404).

[candrews]

It looks like the created AntPathRequestMatcher need to have their match patterns prefixed with the server.servlet.path value. Those lines are:
https://github.com/spring-projects/spring-boot/blob/v2.0.1.RELEASE/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java#L191
https://github.com/spring-projects/spring-boot/blob/v2.0.1.RELEASE/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java#L220
https://github.com/spring-projects/spring-boot/blob/v2.0.1.RELEASE/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java#L251

[mbhave]

@candrews I don't think it does. The RequestMatcher matches on request.getServletPath, which in this case (even when the request is /spring/actuator/health) is /actuator/health. If you would like us to investigate this issue further, please provide a minimalistic sample that we can use to reproduce the issue.

[candrews]

Create a new project using https://start.spring.io/ including Web, Security, and Actuator
In application.properties: server.servlet.path=/spring
Create this class:

package com.example.demo;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            	// this line works
//            	.requestMatchers(new AntPathRequestMatcher("/spring/actuator/health")).permitAll()
            	
//            	 this line does not work, but should: https://github.com/spring-projects/spring-boot/issues/12934
            	.requestMatchers(EndpointRequest.to("health")).permitAll()
                .anyRequest().denyAll()
                
                .and()
            .formLogin()
                .loginPage("/spring/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
    
}

Run it, now go to http://localhost:8080/spring/actuator/health

I'd expect to get a JSON result back with the health check status of "UP" I actually get a 302 redirect.
In WebSecurityConfig, if you comment out the first noted line, and uncomment the second noted line, then run this test again, you'll get the expected result.

[mbhave]

ah, I didn't realize that the property you were configuring was server.servlet.path and not server.servlet.context-path. The issue title says context-path and if that's what you want to do, you'd need to set server.servlet.context-path. EndpointRequest will work in that case. But we need to fix the case where EndpointRequest doesn't match if server.servlet.path is set.

[candrews]

I'm sorry about the error in the title :(
I'm glad we're on the same page now, though! Thank you.