fix: identify the real management port

JoergSiebahn · JoergSiebahn · commit d7b8a297db20 · 2023-01-18T09:54:56.000+01:00
diff --git a/sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/auth/management/ManagementAccessDecisionVoter.java b/sda-commons-web-autoconfigure/src/main/java/org/sdase/commons/spring/boot/web/auth/management/ManagementAccessDecisionVoter.java
@@ -8,11 +8,10 @@
 package org.sdase.commons.spring.boot.web.auth.management;
 
 import java.util.Collection;
-import java.util.Optional;
 import org.springframework.boot.actuate.autoconfigure.web.server.ConditionalOnManagementPort;
 import org.springframework.boot.actuate.autoconfigure.web.server.ManagementPortType;
-import org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext;
-import org.springframework.context.annotation.Lazy;
+import org.springframework.boot.web.servlet.context.ServletWebServerInitializedEvent;
+import org.springframework.context.event.EventListener;
 import org.springframework.security.access.AccessDecisionVoter;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.core.Authentication;
@@ -35,24 +34,27 @@ default boolean supports(Class<?> clazz) {
   @ConditionalOnManagementPort(ManagementPortType.DIFFERENT)
   class DifferentPortManagementAccessDecisionVoter implements ManagementAccessDecisionVoter {
 
-    private final ServletWebServerApplicationContext apiServerContext;
+    /**
+     * The management port discovered in {@link
+     * #onApplicationEvent(ServletWebServerInitializedEvent)}. Initially a value that can't be an
+     * existing port to avoid granting access by accident to the application API.
+     */
+    private int managementPort = -1;
 
-    public DifferentPortManagementAccessDecisionVoter(
-        @Lazy Optional<ServletWebServerApplicationContext> apiServerContext) {
-      this.apiServerContext = apiServerContext.orElse(null);
+    @EventListener
+    public void onApplicationEvent(ServletWebServerInitializedEvent event) {
+      if ("management".equals(event.getApplicationContext().getServerNamespace())) {
+        this.managementPort = event.getWebServer().getPort();
+      }
     }
 
     @Override
     public int vote(
         Authentication authentication,
         FilterInvocation filterInvocation,
         Collection<ConfigAttribute> attributes) {
-      return apiServerContext != null
-              && filterInvocation.getRequest().getLocalPort()
-                  // TODO would be nice to get the real management port - also when the config is 0
-                  != apiServerContext.getWebServer().getPort()
-          ? ACCESS_GRANTED
-          : ACCESS_ABSTAIN;
+      int requestLocalPort = filterInvocation.getRequest().getLocalPort();
+      return requestLocalPort == this.managementPort ? ACCESS_GRANTED : ACCESS_ABSTAIN;
     }
   }
 
