-
Notifications
You must be signed in to change notification settings - Fork 40.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to match Endpoint requests by http method #29596
base: main
Are you sure you want to change the base?
Add ability to match Endpoint requests by http method #29596
Conversation
@@ -191,38 +194,53 @@ protected RequestMatcherProvider getRequestMatcherProvider(WebApplicationContext | |||
|
|||
private final boolean includeLinks; | |||
|
|||
@Nullable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Re: @Nullable
... You will notice I did not use it in the reactive counterpart - on purpose. I wanted to see what the recommendation from the team is in this area. I do not see it widely used in the SB codebase other than mostly on a few params to @Endpoint
methods (selectors, params).
Whatever direction we land I will make both imperative and reactive impls consistent.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We currently don't use them in our own codebase so we may as well strip them out for now. We've got #10712 open to add them consistently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will you handle that in your polish commit @philwebb ? I don't mind doing it - just let me know.
import org.springframework.security.web.server.SecurityWebFilterChain; | ||
import org.springframework.test.web.reactive.server.WebTestClient; | ||
|
||
/** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is net-new and is based on its servlet counterpart. I then added the coverage for the new matching on http method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these tests could inherit from AbstractEndpointRequestIntegrationTests
too. I think that's why there was an abstract
class and looks like an oversight on our part that there wasn't a reactive implementation before.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these tests could inherit from AbstractEndpointRequestIntegrationTests too.
I believe AERIT has servlet specific things in it though.
I think that's why there was an abstract class
I believe it was there to test the previous Jersey-flavored RequestMatcherProvider
impl that has since been removed in 2.6.3.
...a/org/springframework/boot/autoconfigure/security/servlet/AntPathRequestMatcherProvider.java
Show resolved
Hide resolved
* @param httpMethod the http method | ||
* @return a request matcher | ||
*/ | ||
RequestMatcher getRequestMatcher(String pattern, HttpMethod httpMethod); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not super-excited about this change. However, this seemed the least intrusive from a breakage standpoint. This leaves the other API in tact but it would break any previous lambda usage as the functional interface method now takes (pattern, method)
vs. the previous (pattern)
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been playing with this locally and I'll try to push something soon. I think this API is really in wrong place so we could deprecate it here and move it to org.springframework.boot.actuate.autoconfigure.security.servlet
where it's closer to the actual thing that uses it.
We would also like to backport this to 2.6.x branch but am unsure if the changes to RequestMatcherProvider would prevent that. |
Thanks for the PR Chris.
We don't backport enhancement and this feels like one to me. |
TIL. I respect that sane policy. And yep, this is an enhancement which is can easily be functionally worked around via composition w/ a guard on http method such as: /**
* Returns a matcher that includes the specified {@link Endpoint actuator endpoints} and http method.
* @param httpMethod the http method to include
* @param endpoints the endpoints to include
* @return the configured {@link RequestMatcher}
*/
RequestMatcher to(HttpMethod httpMethod, String... endpoints) {
final EndpointRequest.EndpointRequestMatcher matcher = EndpointRequest.to(endpoints);
return (request) -> {
if (httpMethod != null && !httpMethod.name().equals(request.getMethod())) {
return false;
}
return matcher.matches(request);
};
} |
I've pushed a polish commit to https://github.com/philwebb/spring-boot/tree/gh-29596. I'd like someone else from the team to review. I'm wondering if we should include |
Given how the endpoint abstraction is designed at the moment, wouldn't it make more sense to provide the kind of operation that is requested on the endpoint? |
I agree that's natural for standard endpoints but I think it may be confusing for |
Yep, I saw this as well @philwebb . I ended up keeping HttpMethod until we go down into the |
I thought about this as well @snicoll . I ended up putting on the EndpointRequestMatcher directly to keep the functionality isolated to this particular case where the matchers are being used in the security mappings and where http methods are used. |
@philwebb was this merged in a different PR? |
@csterwa No, I don't believe this has been merged in any form as yet. |
What
This proposal adds the ability to match Actuator endpoint requests by http method.
Why
This provides a finer grained matching of requests. One example use is allowing unrestricted access to an endpoint for GET requests but restricting access to the endpoint for POST requests.
How