From f16a76ff154eb6f62a232401e99c78d3ca65c2ec Mon Sep 17 00:00:00 2001 From: Antony Leons Date: Fri, 20 Mar 2026 15:36:32 +0000 Subject: [PATCH] CME-909: feat(security): disable loggers actuator endpoint and add integration tests --- .../gov/hmcts/ccd/SecurityConfiguration.java | 1 - src/main/resources/application.properties | 3 ++ .../uk/gov/hmcts/ccd/ActuatorSecurityIT.java | 41 +++++++++++++++++++ 3 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 src/test/java/uk/gov/hmcts/ccd/ActuatorSecurityIT.java diff --git a/src/main/java/uk/gov/hmcts/ccd/SecurityConfiguration.java b/src/main/java/uk/gov/hmcts/ccd/SecurityConfiguration.java index 3754275e36..1b57114c6d 100644 --- a/src/main/java/uk/gov/hmcts/ccd/SecurityConfiguration.java +++ b/src/main/java/uk/gov/hmcts/ccd/SecurityConfiguration.java @@ -58,7 +58,6 @@ public class SecurityConfiguration { "/health/liveness", "/health/readiness", "/health", - "/loggers/**", "/", "/status/health", "/swagger-resources/**", diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index d597782b5a..e6a04cd0d6 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -124,6 +124,9 @@ management.server.servlet.context-path=/ management.endpoints.web.base-path=/ management.endpoints.web.exposure.include=health,info +# Explicitly disable the loggers actuator endpoint to prevent runtime log-level manipulation +management.endpoint.loggers.enabled=false + # HEALTH ENDPOINT CONFIG # Enable the health endpoint management.endpoint.health.enabled=true diff --git a/src/test/java/uk/gov/hmcts/ccd/ActuatorSecurityIT.java b/src/test/java/uk/gov/hmcts/ccd/ActuatorSecurityIT.java new file mode 100644 index 0000000000..78b2109068 --- /dev/null +++ b/src/test/java/uk/gov/hmcts/ccd/ActuatorSecurityIT.java 
@@ -0,0 +1,41 @@
+package uk.gov.hmcts.ccd;
+
+import jakarta.inject.Inject;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+
+class ActuatorSecurityIT extends WireMockBaseTest {
+
+ private MockMvc mockMvc;
+
+ @Inject
+ private WebApplicationContext wac;
+
+ @BeforeEach
+ void setUpMockMvc() {
+ mockMvc = MockMvcBuilders.webAppContextSetup(wac).build();
+ }
+
+ @Test
+ void shouldAllowAnonymousAccessToHealthEndpoint() throws Exception {
+ MvcResult result = mockMvc.perform(get("/health")).andReturn();
+ int status = result.getResponse().getStatus();
+ assertTrue(status == 200 || status == 503,
+ "Expected /health to return 200 or 503, but got: " + status);
+ }
+
+ @Test
+ void shouldNotExposeLoggersEndpointAnonymously() throws Exception {
+ MvcResult result = mockMvc.perform(get("/loggers")).andReturn();
+ int status = result.getResponse().getStatus();
+ assertTrue(status == 401 || status == 404,
+ "Expected /loggers to be protected (401) or disabled (404), but got: " + status);
+ }
+}
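Review bot: `MockMvcBuilders.webAppContextSetup(wac).build()` in setUpMockMvc does not register the Spring Security filter chain, so neither test actually exercises SecurityConfiguration — the 401 branch of shouldNotExposeLoggersEndpointAnonymously cannot occur and only the `management.endpoint.loggers.enabled=false` property is covered (unless WireMockBaseTest registers the filter somewhere outside this hunk). Apply the security configurer, `mockMvc = MockMvcBuilders.webAppContextSetup(wac).apply(springSecurity()).build();`, with a static import of `SecurityMockMvcConfigurers.springSecurity` from spring-security-test. The commit is about runtime log-level manipulation but only GET /loggers is probed; the write path is POST /loggers/{name}, so a third test should assert that such a request is rejected too (static import `MockMvcRequestBuilders.post` and `org.springframework.http.MediaType`), accepting 403 as well because CSRF handling may apply once the filter chain is active. Consider also pinning the GET case to exactly 404 now that the endpoint is disabled, so a later re-enable behind authentication does not pass silently.
```java
    @BeforeEach
    void setUpMockMvc() {
        // apply the security filter chain so the "anonymous" assertions run against SecurityConfiguration
        mockMvc = MockMvcBuilders.webAppContextSetup(wac).apply(springSecurity()).build();
    }

    // … unchanged: health and GET /loggers tests …

    @Test
    void shouldRejectAnonymousLogLevelChange() throws Exception {
        MvcResult result = mockMvc.perform(post("/loggers/uk.gov.hmcts.ccd")
                .contentType(MediaType.APPLICATION_JSON)
                .content("{\"configuredLevel\":\"DEBUG\"}"))
            .andReturn();
        int status = result.getResponse().getStatus();
        // 404 while the endpoint is disabled; 401/403 if it is ever re-enabled behind the filter chain
        assertTrue(status == 401 || status == 403 || status == 404,
            "Expected POST /loggers/{name} to be rejected, but got: " + status);
    }
```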