Skip to content

/actuator/jolokia/list not secured when using EndpointRequest.toAnyEndpoint() #17912

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
copa2 opened this issue Aug 19, 2019 · 0 comments
Closed

/actuator/jolokia/list not secured when using EndpointRequest.toAnyEndpoint() #17912

copa2 opened this issue Aug 19, 2019 · 0 comments
Assignees
@philwebb @mbhave
Labels
type: blocker An issue that is blocking us from releasing
Milestone
2.1.8

Comments

@copa2
Copy link

copa2 commented Aug 19, 2019

When configuring a custom role for the actuator endpoints with
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR") this will not work for sub path calls to /actuator/jolokia. (e.g. /actuator/jolokia/list)

Internally it will not match the MvcPattern
Trying to match using Mvc [pattern='/actuator/jolokia/**']

Workaround:
Defined an additional antMatcher("/actuator/jolokia/**").

Version: Spring Boot 2.1.7.RELEASE with Web/Security/Actuator and added jolokia-core.

Relevant Code:
https://github.com/copa2/actuator-security-bug/blob/master/src/main/java/com/example/actuatordemo/ActuatordemoApplication.java#L18-L37

See example project: https://github.com/copa2/actuator-security-bug
Call with curl -v -u "user:password" http://localhost:8080/actuator/jolokia/list
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 19, 2019
@mbhave mbhave added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 19, 2019
@mbhave mbhave added this to the 2.1.x milestone Aug 19, 2019
@mbhave mbhave added type: blocker An issue that is blocking us from releasing and removed type: bug A general bug labels Aug 19, 2019
@mbhave mbhave self-assigned this Aug 19, 2019
@philwebb philwebb mentioned this issue Aug 23, 2019
Closed
@philwebb philwebb self-assigned this Aug 27, 2019
@mbhave mbhave mentioned this issue Aug 28, 2019
Closed
@mbhave mbhave closed this as completed in 674f2f5 Aug 28, 2019
@wilkinsona wilkinsona modified the milestones: 2.1.x, 2.1.8 Aug 28, 2019
@philwebb philwebb mentioned this issue Aug 30, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@philwebb philwebb

@mbhave mbhave

Labels
type: blocker An issue that is blocking us from releasing
Projects
None yet
Milestone
2.1.8
Development

No branches or pull requests
5 participants
@philwebb @wilkinsona @mbhave @copa2 @spring-projects-issues