Add property to control 'path' field inclusion in error responses

By default it is included.

Closes gh-38619

Author: mhalbritter

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/web/servlet/ManagementErrorEndpoint.java

@@ -36,6 +36,7 @@
  *
  * @author Dave Syer
  * @author Scott Frederick
+ * @author Moritz Halbritter
  * @since 2.0.0
  */
 @Controller
@@ -72,30 +73,39 @@ private ErrorAttributeOptions getErrorAttributeOptions(ServletWebRequest request
 		if (includeBindingErrors(request)) {
 			options = options.including(Include.BINDING_ERRORS);
 		}
+		options = includePath(request) ? options.including(Include.PATH) : options.excluding(Include.PATH);
 		return options;
 	}
 
 	private boolean includeStackTrace(ServletWebRequest request) {
 		return switch (this.errorProperties.getIncludeStacktrace()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> getBooleanParameter(request, "trace");
-			default -> false;
+			case NEVER -> false;
 		};
 	}
 
 	private boolean includeMessage(ServletWebRequest request) {
 		return switch (this.errorProperties.getIncludeMessage()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> getBooleanParameter(request, "message");
-			default -> false;
+			case NEVER -> false;
 		};
 	}
 
 	private boolean includeBindingErrors(ServletWebRequest request) {
 		return switch (this.errorProperties.getIncludeBindingErrors()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> getBooleanParameter(request, "errors");
-			default -> false;
+			case NEVER -> false;
+		};
+	}
+
+	private boolean includePath(ServletWebRequest request) {
+		return switch (this.errorProperties.getIncludePath()) {
+			case ALWAYS -> true;
+			case ON_PARAM -> getBooleanParameter(request, "path");
+			case NEVER -> false;
 		};
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ErrorProperties.java

@@ -55,6 +55,11 @@ public class ErrorProperties {
 	 */
 	private IncludeAttribute includeBindingErrors = IncludeAttribute.NEVER;
 
+	/**
+	 * When to include "path" attribute.
+	 */
+	private IncludeAttribute includePath = IncludeAttribute.ALWAYS;
+
 	private final Whitelabel whitelabel = new Whitelabel();
 
 	public String getPath() {
@@ -97,6 +102,14 @@ public void setIncludeBindingErrors(IncludeAttribute includeBindingErrors) {
 		this.includeBindingErrors = includeBindingErrors;
 	}
 
+	public IncludeAttribute getIncludePath() {
+		return this.includePath;
+	}
+
+	public void setIncludePath(IncludeAttribute includePath) {
+		this.includePath = includePath;
+	}
+
 	public Whitelabel getWhitelabel() {
 		return this.whitelabel;
 	}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/AbstractErrorWebExceptionHandler.java

@@ -54,6 +54,7 @@
  *
  * @author Brian Clozel
  * @author Scott Frederick
+ * @author Moritz Halbritter
  * @since 2.0.0
  * @see ErrorAttributes
  */
@@ -168,6 +169,17 @@ protected boolean isBindingErrorsEnabled(ServerRequest request) {
 		return getBooleanParameter(request, "errors");
 	}
 
+	/**
+	 * Check whether the path attribute has been set on the given request.
+	 * @param request the source request
+	 * @return {@code true} if the path attribute has been requested, {@code false}
+	 * otherwise
+	 * @since 3.3.0
+	 */
+	protected boolean isPathEnabled(ServerRequest request) {
+		return getBooleanParameter(request, "path");
+	}
+
 	private boolean getBooleanParameter(ServerRequest request, String parameterName) {
 		String parameter = request.queryParam(parameterName).orElse("false");
 		return !"false".equalsIgnoreCase(parameter);

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/reactive/error/DefaultErrorWebExceptionHandler.java

@@ -75,6 +75,7 @@
  *
  * @author Brian Clozel
  * @author Scott Frederick
+ * @author Moritz Halbritter
  * @since 2.0.0
  */
 public class DefaultErrorWebExceptionHandler extends AbstractErrorWebExceptionHandler {
@@ -164,6 +165,7 @@ protected ErrorAttributeOptions getErrorAttributeOptions(ServerRequest request,
 		if (isIncludeBindingErrors(request, mediaType)) {
 			options = options.including(Include.BINDING_ERRORS);
 		}
+		options = isIncludePath(request, mediaType) ? options.including(Include.PATH) : options.excluding(Include.PATH);
 		return options;
 	}
 
@@ -177,7 +179,7 @@ protected boolean isIncludeStackTrace(ServerRequest request, MediaType produces)
 		return switch (this.errorProperties.getIncludeStacktrace()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> isTraceEnabled(request);
-			default -> false;
+			case NEVER -> false;
 		};
 	}
 
@@ -191,7 +193,7 @@ protected boolean isIncludeMessage(ServerRequest request, MediaType produces) {
 		return switch (this.errorProperties.getIncludeMessage()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> isMessageEnabled(request);
-			default -> false;
+			case NEVER -> false;
 		};
 	}
 
@@ -205,7 +207,22 @@ protected boolean isIncludeBindingErrors(ServerRequest request, MediaType produc
 		return switch (this.errorProperties.getIncludeBindingErrors()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> isBindingErrorsEnabled(request);
-			default -> false;
+			case NEVER -> false;
+		};
+	}
+
+	/**
+	 * Determine if the path attribute should be included.
+	 * @param request the source request
+	 * @param produces the media type produced (or {@code MediaType.ALL})
+	 * @return if the path attribute should be included
+	 * @since 3.3.0
+	 */
+	protected boolean isIncludePath(ServerRequest request, MediaType produces) {
+		return switch (this.errorProperties.getIncludePath()) {
+			case ALWAYS -> true;
+			case ON_PARAM -> isPathEnabled(request);
+			case NEVER -> false;
 		};
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/error/AbstractErrorController.java

@@ -41,6 +41,7 @@
  * @author Dave Syer
  * @author Phillip Webb
  * @author Scott Frederick
+ * @author Moritz Halbritter
  * @since 1.3.0
  * @see ErrorAttributes
  */
@@ -74,18 +75,43 @@ protected Map<String, Object> getErrorAttributes(HttpServletRequest request, Err
 		return this.errorAttributes.getErrorAttributes(webRequest, options);
 	}
 
+	/**
+	 * Returns whether the trace parameter is set.
+	 * @param request the request
+	 * @return whether the trace parameter is set
+	 */
 	protected boolean getTraceParameter(HttpServletRequest request) {
 		return getBooleanParameter(request, "trace");
 	}
 
+	/**
+	 * Returns whether the message parameter is set.
+	 * @param request the request
+	 * @return whether the message parameter is set
+	 */
 	protected boolean getMessageParameter(HttpServletRequest request) {
 		return getBooleanParameter(request, "message");
 	}
 
+	/**
+	 * Returns whether the errors parameter is set.
+	 * @param request the request
+	 * @return whether the errors parameter is set
+	 */
 	protected boolean getErrorsParameter(HttpServletRequest request) {
 		return getBooleanParameter(request, "errors");
 	}
 
+	/**
+	 * Returns whether the path parameter is set.
+	 * @param request the request
+	 * @return whether the path parameter is set
+	 * @since 3.3.0
+	 */
+	protected boolean getPathParameter(HttpServletRequest request) {
+		return getBooleanParameter(request, "path");
+	}
+
 	protected boolean getBooleanParameter(HttpServletRequest request, String parameterName) {
 		String parameter = request.getParameter(parameterName);
 		if (parameter == null) {

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/servlet/error/BasicErrorController.java

@@ -49,6 +49,7 @@
  * @author Michael Stummvoll
  * @author Stephane Nicoll
  * @author Scott Frederick
+ * @author Moritz Halbritter
  * @since 1.0.0
  * @see ErrorAttributes
  * @see ErrorProperties
@@ -121,6 +122,7 @@ protected ErrorAttributeOptions getErrorAttributeOptions(HttpServletRequest requ
 		if (isIncludeBindingErrors(request, mediaType)) {
 			options = options.including(Include.BINDING_ERRORS);
 		}
+		options = isIncludePath(request, mediaType) ? options.including(Include.PATH) : options.excluding(Include.PATH);
 		return options;
 	}
 
@@ -134,7 +136,7 @@ protected boolean isIncludeStackTrace(HttpServletRequest request, MediaType prod
 		return switch (getErrorProperties().getIncludeStacktrace()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> getTraceParameter(request);
-			default -> false;
+			case NEVER -> false;
 		};
 	}
 
@@ -148,7 +150,7 @@ protected boolean isIncludeMessage(HttpServletRequest request, MediaType produce
 		return switch (getErrorProperties().getIncludeMessage()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> getMessageParameter(request);
-			default -> false;
+			case NEVER -> false;
 		};
 	}
 
@@ -162,7 +164,22 @@ protected boolean isIncludeBindingErrors(HttpServletRequest request, MediaType p
 		return switch (getErrorProperties().getIncludeBindingErrors()) {
 			case ALWAYS -> true;
 			case ON_PARAM -> getErrorsParameter(request);
-			default -> false;
+			case NEVER -> false;
+		};
+	}
+
+	/**
+	 * Determine if the path attribute should be included.
+	 * @param request the source request
+	 * @param produces the media type produced (or {@code MediaType.ALL})
+	 * @return if the path attribute should be included
+	 * @since 3.3.0
+	 */
+	protected boolean isIncludePath(HttpServletRequest request, MediaType produces) {
+		return switch (getErrorProperties().getIncludePath()) {
+			case ALWAYS -> true;
+			case ON_PARAM -> getPathParameter(request);
+			case NEVER -> false;
 		};
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/servlet/error/ErrorMvcAutoConfigurationTests.java

@@ -112,8 +112,7 @@ private DispatcherServletWebRequest createWebRequest(Exception ex, boolean commi
 	}
 
 	private ErrorAttributeOptions withAllOptions() {
-		return ErrorAttributeOptions.of(Include.EXCEPTION, Include.STACK_TRACE, Include.MESSAGE,
-				Include.BINDING_ERRORS);
+		return ErrorAttributeOptions.of(Include.values());
 	}
 
 }

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/error/ErrorAttributeOptions.java

@@ -88,7 +88,7 @@ private EnumSet<Include> copyIncludes() {
 	 * @return an {@code ErrorAttributeOptions}
 	 */
 	public static ErrorAttributeOptions defaults() {
-		return of();
+		return of(Include.PATH);
 	}
 
 	/**
@@ -135,7 +135,13 @@ public enum Include {
 		/**
 		 * Include the binding errors attribute.
 		 */
-		BINDING_ERRORS
+		BINDING_ERRORS,
+
+		/**
+		 * Include the request path.
+		 * @since 3.3.0
+		 */
+		PATH
 
 	}
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/reactive/error/DefaultErrorAttributes.java

@@ -57,6 +57,7 @@
  * @author Stephane Nicoll
  * @author Michele Mancioppi
  * @author Scott Frederick
+ * @author Moritz Halbritter
  * @since 2.0.0
  * @see ErrorAttributes
  */
@@ -79,6 +80,9 @@ public Map<String, Object> getErrorAttributes(ServerRequest request, ErrorAttrib
 		if (!options.isIncluded(Include.BINDING_ERRORS)) {
 			errorAttributes.remove("errors");
 		}
+		if (!options.isIncluded(Include.PATH)) {
+			errorAttributes.remove("path");
+		}
 		return errorAttributes;
 	}
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/servlet/error/DefaultErrorAttributes.java

@@ -61,6 +61,7 @@
  * @author Stephane Nicoll
  * @author Vedran Pavic
  * @author Scott Frederick
+ * @author Moritz Halbritter
  * @since 2.0.0
  * @see ErrorAttributes
  */
@@ -100,6 +101,9 @@ public Map<String, Object> getErrorAttributes(WebRequest webRequest, ErrorAttrib
 		if (!options.isIncluded(Include.BINDING_ERRORS)) {
 			errorAttributes.remove("errors");
 		}
+		if (!options.isIncluded(Include.PATH)) {
+			errorAttributes.remove("path");
+		}
 		return errorAttributes;
 	}
 

spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/reactive/error/DefaultErrorAttributesTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,6 +50,7 @@
  * @author Brian Clozel
  * @author Stephane Nicoll
  * @author Scott Frederick
+ * @author Moritz Halbritter
  */
 class DefaultErrorAttributesTests {
 
@@ -212,6 +213,14 @@ void includeTrace() {
 		assertThat(attributes.get("trace").toString()).startsWith("java.lang");
 	}
 
+	@Test
+	void includePathByDefault() {
+		MockServerHttpRequest request = MockServerHttpRequest.get("/test").build();
+		Map<String, Object> attributes = this.errorAttributes.getErrorAttributes(buildServerRequest(request, NOT_FOUND),
+				ErrorAttributeOptions.defaults());
+		assertThat(attributes).containsEntry("path", "/test");
+	}
+
 	@Test
 	void includePath() {
 		MockServerHttpRequest request = MockServerHttpRequest.get("/test").build();
@@ -220,6 +229,14 @@ void includePath() {
 		assertThat(attributes).containsEntry("path", "/test");
 	}
 
+	@Test
+	void excludePath() {
+		MockServerHttpRequest request = MockServerHttpRequest.get("/test").build();
+		Map<String, Object> attributes = this.errorAttributes.getErrorAttributes(buildServerRequest(request, NOT_FOUND),
+				ErrorAttributeOptions.of());
+		assertThat(attributes).doesNotContainEntry("path", "/test");
+	}
+
 	@Test
 	void includeLogPrefix() {
 		MockServerHttpRequest request = MockServerHttpRequest.get("/test").build();