Restrict EndpointRequest links to the specified HTTP method

dlwldnjs1009 · wilkinsona · commit 24f62142a316 · 2026-04-17T14:17:55.000+01:00
EndpointRequest.toAnyEndpoint().withHttpMethod(...) restricted endpoint paths but still allowed any HTTP method for the links path, yet the mappings for the links path are only registered for GET requests. Restrict the links path using the configured HttpMethod in both servlet and reactive matchers. Signed-off-by: Lee JiWon <dlwldnjs1009@gmail.com> See gh-50095
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequest.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequest.java
@@ -119,7 +119,7 @@ public static EndpointServerWebExchangeMatcher to(String... endpoints) {
 	 * @return the configured {@link ServerWebExchangeMatcher}
 	 */
 	public static LinksServerWebExchangeMatcher toLinks() {
-		return new LinksServerWebExchangeMatcher();
+		return new LinksServerWebExchangeMatcher(null);
 	}
 
 	/**
@@ -335,7 +335,7 @@ protected ServerWebExchangeMatcher createDelegate(PathMappedEndpoints endpoints)
 			List<ServerWebExchangeMatcher> delegateMatchers = getDelegateMatchers(paths, this.httpMethod);
 			String linksPath = getLinksPath(endpoints.getBasePath());
 			if (this.includeLinks && linksPath != null) {
-				delegateMatchers.add(new LinksServerWebExchangeMatcher());
+				delegateMatchers.add(new LinksServerWebExchangeMatcher(this.httpMethod));
 			}
 			if (delegateMatchers.isEmpty()) {
 				return EMPTY_MATCHER;
@@ -364,18 +364,21 @@ public String toString() {
 	 */
 	public static final class LinksServerWebExchangeMatcher extends AbstractWebExchangeMatcher<WebEndpointProperties> {
 
-		private LinksServerWebExchangeMatcher() {
+		private final HttpMethod httpMethod;
+
+		private LinksServerWebExchangeMatcher(HttpMethod httpMethod) {
 			super(WebEndpointProperties.class);
+			this.httpMethod = httpMethod;
 		}
 
 		@Override
 		protected ServerWebExchangeMatcher createDelegate(WebEndpointProperties properties) {
 			String linksPath = getLinksPath(properties.getBasePath());
 			if (linksPath != null) {
 				List<ServerWebExchangeMatcher> linksMatchers = new ArrayList<>();
-				linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath));
+				linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath, this.httpMethod));
 				if (!linksPath.endsWith("/")) {
-					linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath + "/"));
+					linksMatchers.add(new PathPatternParserServerWebExchangeMatcher(linksPath + "/", this.httpMethod));
 				}
 				return new OrServerWebExchangeMatcher(linksMatchers);
 			}
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequest.java
@@ -225,11 +225,11 @@ protected final List<RequestMatcher> getDelegateMatchers(RequestMatcherFactory r
 		}
 
 		protected List<RequestMatcher> getLinksMatchers(RequestMatcherFactory requestMatcherFactory,
-				RequestMatcherProvider matcherProvider, String linksPath) {
+				RequestMatcherProvider matcherProvider, HttpMethod httpMethod, String linksPath) {
 			List<RequestMatcher> linksMatchers = new ArrayList<>();
-			linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, linksPath));
+			linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, httpMethod, linksPath));
 			if (!linksPath.endsWith("/")) {
-				linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, linksPath, "/"));
+				linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, httpMethod, linksPath, "/"));
 			}
 			return linksMatchers;
 		}
@@ -375,7 +375,8 @@ protected RequestMatcher createDelegate(WebApplicationContext context,
 			String basePath = endpoints.getBasePath();
 			String linksPath = getLinksPath(context, basePath);
 			if (this.includeLinks && linksPath != null) {
-				delegateMatchers.addAll(getLinksMatchers(requestMatcherFactory, matcherProvider, linksPath));
+				delegateMatchers
+					.addAll(getLinksMatchers(requestMatcherFactory, matcherProvider, this.httpMethod, linksPath));
 			}
 			if (delegateMatchers.isEmpty()) {
 				return EMPTY_MATCHER;
@@ -411,7 +412,7 @@ protected RequestMatcher createDelegate(WebApplicationContext context,
 			String linksPath = getLinksPath(context, properties.getBasePath());
 			if (linksPath != null) {
 				return new OrRequestMatcher(
-						getLinksMatchers(requestMatcherFactory, getRequestMatcherProvider(context), linksPath));
+						getLinksMatchers(requestMatcherFactory, getRequestMatcherProvider(context), null, linksPath));
 			}
 			return EMPTY_MATCHER;
 		}
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequestTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/reactive/EndpointRequestTests.java
@@ -73,6 +73,10 @@ void toAnyEndpointWithHttpMethodShouldRespectRequestMethod() {
 		ServerWebExchangeMatcher matcher = EndpointRequest.toAnyEndpoint().withHttpMethod(HttpMethod.POST);
 		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator/foo");
 		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator/foo");
+		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator");
+		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator");
+		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator/");
+		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator/");
 	}
 
 	@Test
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequestTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/security/servlet/EndpointRequestTests.java
@@ -73,6 +73,10 @@ void toAnyEndpointWithHttpMethodShouldRespectRequestMethod() {
 			.withHttpMethod(HttpMethod.POST);
 		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator/foo");
 		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator/foo");
+		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator");
+		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator");
+		assertMatcher(matcher, "/actuator").matches(HttpMethod.POST, "/actuator/");
+		assertMatcher(matcher, "/actuator").doesNotMatch(HttpMethod.GET, "/actuator/");
 	}
 
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -225,11 +225,11 @@ protected final List<RequestMatcher> getDelegateMatchers(RequestMatcherFactory r`
`225`	`225`	`}`
`226`	`226`
`227`	`227`	`protected List<RequestMatcher> getLinksMatchers(RequestMatcherFactory requestMatcherFactory,`
`228`		`- RequestMatcherProvider matcherProvider, String linksPath) {`
	`228`	`+ RequestMatcherProvider matcherProvider, HttpMethod httpMethod, String linksPath) {`
`229`	`229`	`List<RequestMatcher> linksMatchers = new ArrayList<>();`
`230`		`- linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, linksPath));`
	`230`	`+ linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, httpMethod, linksPath));`
`231`	`231`	`if (!linksPath.endsWith("/")) {`
`232`		`- linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, null, linksPath, "/"));`
	`232`	`+ linksMatchers.add(requestMatcherFactory.antPath(matcherProvider, httpMethod, linksPath, "/"));`
`233`	`233`	`}`
`234`	`234`	`return linksMatchers;`
`235`	`235`	`}`
`@@ -375,7 +375,8 @@ protected RequestMatcher createDelegate(WebApplicationContext context,`
`375`	`375`	`String basePath = endpoints.getBasePath();`
`376`	`376`	`String linksPath = getLinksPath(context, basePath);`
`377`	`377`	`if (this.includeLinks && linksPath != null) {`
`378`		`- delegateMatchers.addAll(getLinksMatchers(requestMatcherFactory, matcherProvider, linksPath));`
	`378`	`+ delegateMatchers`
	`379`	`+ .addAll(getLinksMatchers(requestMatcherFactory, matcherProvider, this.httpMethod, linksPath));`
`379`	`380`	`}`
`380`	`381`	`if (delegateMatchers.isEmpty()) {`
`381`	`382`	`return EMPTY_MATCHER;`
`@@ -411,7 +412,7 @@ protected RequestMatcher createDelegate(WebApplicationContext context,`
`411`	`412`	`String linksPath = getLinksPath(context, properties.getBasePath());`
`412`	`413`	`if (linksPath != null) {`
`413`	`414`	`return new OrRequestMatcher(`
`414`		`- getLinksMatchers(requestMatcherFactory, getRequestMatcherProvider(context), linksPath));`
	`415`	`+ getLinksMatchers(requestMatcherFactory, getRequestMatcherProvider(context), null, linksPath));`
`415`	`416`	`}`
`416`	`417`	`return EMPTY_MATCHER;`
`417`	`418`	`}`