Actuator's EndpointRequest doesn't consider server.servlet.path

[candrews]

In application.properties, set server.servlet.path=/spring

Now notice that EndpointRequest.* doesn't match anything. For example, a request for /spring/actuator/health doesn't match (a request for /actuator/health does match, though - even though it will return a 404).

[candrews]

It looks like the created AntPathRequestMatcher need to have their match patterns prefixed with the server.servlet.path value. Those lines are:
https://github.com/spring-projects/spring-boot/blob/v2.0.1.RELEASE/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java#L191
https://github.com/spring-projects/spring-boot/blob/v2.0.1.RELEASE/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java#L220
https://github.com/spring-projects/spring-boot/blob/v2.0.1.RELEASE/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java#L251

[mbhave]

@candrews I don't think it does. The RequestMatcher matches on request.getServletPath, which in this case (even when the request is /spring/actuator/health) is /actuator/health. If you would like us to investigate this issue further, please provide a minimalistic sample that we can use to reproduce the issue.

[candrews]

Create a new project using https://start.spring.io/ including Web, Security, and Actuator
In application.properties: server.servlet.path=/spring
Create this class:

package com.example.demo;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            	// this line works
//            	.requestMatchers(new AntPathRequestMatcher("/spring/actuator/health")).permitAll()
            	
//            	 this line does not work, but should: https://github.com/spring-projects/spring-boot/issues/12934
            	.requestMatchers(EndpointRequest.to("health")).permitAll()
                .anyRequest().denyAll()
                
                .and()
            .formLogin()
                .loginPage("/spring/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
    
}

Run it, now go to http://localhost:8080/spring/actuator/health

I'd expect to get a JSON result back with the health check status of "UP" I actually get a 302 redirect.
In WebSecurityConfig, if you comment out the first noted line, and uncomment the second noted line, then run this test again, you'll get the expected result.

[mbhave]

ah, I didn't realize that the property you were configuring was server.servlet.path and not server.servlet.context-path. The issue title says context-path and if that's what you want to do, you'd need to set server.servlet.context-path. EndpointRequest will work in that case. But we need to fix the case where EndpointRequest doesn't match if server.servlet.path is set.

[candrews]

I'm sorry about the error in the title :(
I'm glad we're on the same page now, though! Thank you.

[n0mer]

@mbhave server.servlet.context-path is also ignored in 2.0.1.RELEASE for webflux

I have the following in application.yml

management:
  server:
    port: ${MANAGEMENT_PORT:8889}
    servlet:
      context-path: "/management"

But info endpoint is mapped to /actuator/info, not to /management/actuator/info

2018-05-03 12:38:40.235  INFO 1 --- [           main] .b.a.e.w.r.WebFluxEndpointHandlerMapping : Mapped "{[/actuator/info],methods=[GET],produces=[application/vnd.spring-boot.actuator.v2+json || application/json]}" onto public org.reactivestreams.Publisher<org.springframework.http.ResponseEntity<java.lang.Object>> org.springframework.boot.actuate.endpoint.web.reactive.AbstractWebFluxEndpointHandlerMapping$ReadOperationHandler.handle(org.springframework.web.server.ServerWebExchange)

[snicoll]

@n0mer that fact that it has servlet in the name should be a strong indicator that it will not work on environments that do not require the servlet API. If you have more questions, please ask on StackOverflow or come chat with us on Gitter.

[n0mer]

@snicoll with all respect - do you think that SO or Gitter are proper places to report bugs?

This feature (configuration of custom context-path for webflux), as per https://stackoverflow.com/questions/49196368/context-path-with-webflux, is not yet supported.

[wilkinsona]

@n0mer What you're talking about is not a bug. It's by design that a servlet-specific property has no effect on a WebFlux application. It's also unrelated to this issue which is specifically about the EndpointRequest class that's used to configure Spring Security.

[gmcouto]

I am facing this issue with 2.0.1-RELEASE, but only with jolokia endpoint. All other endpoints are working as expected.

[gmcouto]

I'm still facing this jolokia endpoint issue... With the current 2.0.2.BUILD-SNAPSHOT build.

//actuator specific version
compile group: 'org.springframework.boot', name: 'spring-boot-starter-actuator', version:'2.0.2.BUILD-SNAPSHOT'
compile group: 'org.springframework.boot', name: 'spring-boot-actuator', version:'2.0.2.BUILD-SNAPSHOT'

Shouldn't it be fixed?

[mbhave]

@gmcouto the issue with the JolokiaEndpoint is different. It doesn't appear to be included in the RequestMatcher created by EndpointRequest#including (or excluded from the RequestMatcher if (EndpointRequest#excluded)) . I've created a separate issue for that here.

If you've found that the bug with the Jolokia endpoint is related to the servlet-path being set (which was the original issue here), please provide a sample that reproduces that and we can reopen this issue.

[gmcouto]

If you have server.servlet.path property set on your application, all actuator endpoints will be moved to it accordingly, except the jolokia endpoints.

How the jolokia endpoint is:
http://host:port/context-path/actuator/jolokia

How the jolokia endpoint should be:
http://host:port/context-path/servlet-path/actuator/jolokia

Examples of other endpoints:
http://host:port/context-path/servlet-path/actuator/health
http://host:port/context-path/servlet-path/actuator/auditevents
http://host:port/context-path/servlet-path/actuator/beans

Sample
defect-actuator-jolokia.zip

I have added the same information to the other defect. Not sure how you prefer to track this.

[mbhave]

@gmcouto Thanks for the sample but this issue was about the matchers created by EndpointRequest. Your application does not have Spring Security on the classpath so it has nothing to do with the original issue.

The jolokia issue you've noticed is a separate bug and I've opened an issue for it here.