Enable cors in default management security config

Fixes gh-9548

Author: mbhave

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java

@@ -222,7 +222,7 @@ protected void configure(HttpSecurity http) throws Exception {
 				http.requestMatcher(matcher);
 				// ... but permitAll() for the non-sensitive ones
 				configurePermittedRequests(http.authorizeRequests());
-				http.httpBasic().authenticationEntryPoint(entryPoint);
+				http.httpBasic().authenticationEntryPoint(entryPoint).and().cors();
 				// No cookies for management endpoints by default
 				http.csrf().disable();
 				http.sessionManagement()

spring-boot-samples/spring-boot-sample-actuator/pom.xml

@@ -41,6 +41,11 @@
 			<artifactId>spring-boot-starter-remote-shell</artifactId>
 		</dependency>
 		<!-- Runtime -->
+		<dependency>
+			<groupId>org.apache.httpcomponents</groupId>
+			<artifactId>httpclient</artifactId>
+			<scope>runtime</scope>
+		</dependency>
 		<dependency>
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>

spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/CorsSampleActuatorApplicationTests.java

@@ -0,0 +1,88 @@
+package sample.actuator;
+
+import java.net.URI;
+import java.util.Map;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.LocalHostUriTemplateHandler;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.context.ApplicationContext;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.web.client.RestTemplate;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Integration test for cors preflight requests to management endpoints.
+ *
+ * @author Madhura Bhave
+ */
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@DirtiesContext
+@ActiveProfiles("cors")
+public class CorsSampleActuatorApplicationTests {
+
+	private TestRestTemplate testRestTemplate;
+
+	@Autowired
+	ApplicationContext applicationContext;
+
+	@Before
+	public void setUp() throws Exception {
+		RestTemplate restTemplate = new RestTemplate();
+		LocalHostUriTemplateHandler handler = new LocalHostUriTemplateHandler(
+				this.applicationContext.getEnvironment(), "http");
+		restTemplate.setUriTemplateHandler(handler);
+		restTemplate.setRequestFactory(new HttpComponentsClientHttpRequestFactory());
+		this.testRestTemplate = new TestRestTemplate(restTemplate);
+	}
+
+	@Test
+	public void sensitiveEndpointShouldReturnUnauthorized() throws Exception {
+		ResponseEntity<Map> entity = this.testRestTemplate.getForEntity("/env", Map.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+	}
+
+	@Test
+	public void preflightRequestForInsensitiveShouldReturnOk() throws Exception {
+		RequestEntity<?> healthRequest = RequestEntity.options(new URI("/health"))
+				.header("Origin","http://localhost:8080")
+				.header("Access-Control-Request-Method", "GET")
+				.build();
+		ResponseEntity<Map> exchange = this.testRestTemplate.exchange(healthRequest, Map.class);
+		assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.OK);
+	}
+
+	@Test
+	public void preflightRequestForSensitiveEndpointShouldReturnOk() throws Exception {
+		RequestEntity<?> entity = RequestEntity.options(new URI("/env"))
+				.header("Origin","http://localhost:8080")
+				.header("Access-Control-Request-Method", "GET")
+				.build();
+		ResponseEntity<Map> env = this.testRestTemplate.exchange(entity, Map.class);
+		assertThat(env.getStatusCode()).isEqualTo(HttpStatus.OK);
+	}
+
+	@Test
+	public void preflightRequestWhenCorsConfigInvalidShouldReturnForbidden() throws Exception {
+		RequestEntity<?> entity = RequestEntity.options(new URI("/health"))
+				.header("Origin","http://localhost:9095")
+				.header("Access-Control-Request-Method", "GET")
+				.build();
+		ResponseEntity<byte[]> exchange = this.testRestTemplate.exchange(entity, byte[].class);
+		assertThat(exchange.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
+	}
+
+}

spring-boot-samples/spring-boot-sample-actuator/src/test/resources/application-cors.properties

@@ -0,0 +1,2 @@
+endpoints.cors.allowed-origins=http://localhost:8080
+endpoints.cors.allowed-methods=GET