Skip to content

Remote devtools endpoint cannot be accessed if actuator and spring security are on the classpath #25868

Closed
hatefpalizgar wants to merge 2 commits intospring-projects:mainfrom
hatefpalizgar:25350
Closed

Remote devtools endpoint cannot be accessed if actuator and spring security are on the classpath #25868
hatefpalizgar wants to merge 2 commits intospring-projects:mainfrom
hatefpalizgar:25350

Conversation

@hatefpalizgar
Copy link
Copy Markdown
Contributor

@hatefpalizgar hatefpalizgar commented Apr 1, 2021
edited by philwebb
Loading

This PR fixes bug #25350 in which remote devtools endpoint cannot be accessed if actuator and spring security are on the classpath. The reason is the lack of explicit ordering for managementSecurityFilterChain which leads to overwriting RemoteDevtoolsSecurity filter chain.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 1, 2021
@wilkinsona
Copy link
Copy Markdown
Member

wilkinsona commented Apr 1, 2021

Thanks for the PR, @hatefpalizgar. Before we can merge this change, we'll need to add a test that verifies that it has fixed the problem. Would you be interested in doing that?

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Apr 1, 2021
@hatefpalizgar
Copy link
Copy Markdown
Contributor Author

hatefpalizgar commented Apr 1, 2021

Sure. I will do it.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 1, 2021
@snicoll snicoll changed the title fixes bug 25350 Remote devtools endpoint cannot be accessed if actuator and spring security are on the classpath Apr 2, 2021
@hatefpalizgar hatefpalizgar force-pushed the 25350 branch 2 times, most recently from 47fee17 to f884e34 Compare April 2, 2021 16:20
@philwebb philwebb added type: bug A general bug and removed status: feedback-provided Feedback has been provided status: waiting-for-triage An issue we've not yet triaged labels Apr 6, 2021
@philwebb philwebb added this to the 2.4.x milestone Apr 6, 2021
@philwebb philwebb mentioned this pull request Apr 6, 2021
Closed
@snicoll snicoll assigned snicoll and unassigned snicoll Apr 12, 2021
@philwebb philwebb self-assigned this May 17, 2021
@philwebb philwebb mentioned this pull request May 18, 2021
Closed
philwebb pushed a commit that referenced this pull request May 18, 2021
@philwebb
Allow remote devtools access with Spring Security
9b2e13a 
Update `ManagementWebSecurityAutoConfiguration` so that the
`managementSecurityFilterChain` bean has an explicit order.

Prior to this commit, the `managementSecurityFilterChain` would override
the `securityFilterChain` in `RemoteDevtoolsSecurityConfiguration` which
would prevent the remote devtools endpoint from being accessed.

See gh-25868
philwebb added a commit that referenced this pull request May 18, 2021
@philwebb
Polish 'Allow remote devtools access with Spring Security'
0699fdc 
See gh-25868
@philwebb philwebb closed this in 2df5050 May 18, 2021
@philwebb philwebb modified the milestones: 2.4.x, 2.4.6 May 18, 2021
@philwebb
Copy link
Copy Markdown
Member

philwebb commented May 18, 2021

Thanks for the PR @hatefpalizgar. I've merged this into 2.4.x and main. I managed to simplify the tests a little in 0699fdc

@hatefpalizgar hatefpalizgar deleted the 25350 branch May 18, 2021 04:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@philwebb philwebb

Labels

type: bug A general bug

Projects

None yet

Milestone

2.4.6

Development

Successfully merging this pull request may close these issues.

5 participants

@hatefpalizgar @wilkinsona @philwebb @snicoll @spring-projects-issues