This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 17f91f005ab20bc7273833ad0a5d25a19d987464
Author: Robert Lazarski <[email protected]>
AuthorDate: Wed May 13 10:35:08 2026 -1000
Fix security review findings in sample app
HIGH: AnonRequestMatcher used contains("/services/loginservice") which could match crafted URIs like /services/Foo;a=/services/loginservice. Changed to equals() || startsWith() for exact path matching.
MEDIUM: Profile check used activeProfiles.contains("dev-insecure") which would match partial names like "dev-insecure-logging". Changed to split on comma and check for exact match in the list.
LOW: Clarified in spring-boot-starter.xml that the dev-insecure profile is a sample app pattern, not a built-in starter feature.
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
---
 .../src/main/java/userguide/springboot/Axis2Application.java | 8 +++++---
 src/site/xdoc/docs/spring-boot-starter.xml | 9 +++++----
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
index ad6e35beac..6c45ea1d14 100644
--- a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
+++ b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
@@ -129,7 +129,8 @@ public class Axis2Application extends SpringBootServletInitializer {
 @jakarta.annotation.PostConstruct
 void checkDevInsecureProfile() {
 devInsecureActive = activeProfiles != null
- && activeProfiles.contains("dev-insecure");
+ && java.util.Arrays.asList(activeProfiles.split(","))
+ .contains("dev-insecure");
 if (devInsecureActive) {
 logger.warn("***********************************************************");
 logger.warn("* SECURITY BYPASSED: 'dev-insecure' profile is active. *");
@@ -147,8 +148,9 @@ public class Axis2Application extends SpringBootServletInitializer {
 @Override
 public boolean matches(HttpServletRequest request) {
 String logPrefix = "AnonRequestMatcher.matches , ";
- boolean result = request.getRequestURI().toLowerCase().contains(
- "/services/loginservice");
+ String uri = request.getRequestURI().toLowerCase();
+ boolean result = uri.equals("/services/loginservice")
+ || uri.startsWith("/services/loginservice/");
 // Allow all service requests without auth when the
 // "dev-insecure" Spring profile is active. This is for
 // local/embedded testing only. Activate via:
diff --git a/src/site/xdoc/docs/spring-boot-starter.xml b/src/site/xdoc/docs/spring-boot-starter.xml
index 32175aac8c..e57aa1c4ff 100644
--- a/src/site/xdoc/docs/spring-boot-starter.xml
+++ b/src/site/xdoc/docs/spring-boot-starter.xml
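Review bot: The exact-match profile check on the two added lines still misses a legitimately activated profile when the list carries whitespace, e.g. `spring.profiles.active=dev, dev-insecure`, because `split(",")` leaves the leading space in place and `contains` then compares against `" dev-insecure"`; Spring trims each entry when it activates profiles, so `devInsecureActive` would stay false while the profile is actually active. That direction is fail-closed, but the SECURITY BYPASSED banner below would then not print even though whatever else the profile gates is live — I'm inferring that `activeProfiles` is the raw `spring.profiles.active` string, since its declaration is outside the hunk. Trimming each element closes the gap: `&& java.util.Arrays.stream(activeProfiles.split(",")).map(String::trim).anyMatch("dev-insecure"::equals);`. Asking the injected `Environment` via `acceptsProfiles(Profiles.of("dev-insecure"))` would avoid re-parsing the property at all. checkDevInsecureProfile's body continues past the end of the hunk.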
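Review bot: The new `uri.equals(...) || uri.startsWith(...)` check compares the full `getRequestURI()`, which includes the servlet context path, so if this class — a `SpringBootServletInitializer`, per the hunk header — is deployed as a WAR under a non-root context the login endpoint arrives as `/<context>/services/loginservice` and no longer matches; the old `contains` tolerated that prefix, so this is a functional regression rather than a hardening (fail-closed, but it locks callers out of login). Strip the context path before comparing: `String uri = request.getRequestURI().substring(request.getContextPath().length()).toLowerCase(java.util.Locale.ROOT);`. Passing `Locale.ROOT` also removes the dependence on the JVM default locale, under which `toLowerCase()` of an upper-case `I` does not yield `i` for Turkish locales and the match would silently fail. Note that `getRequestURI()` is neither decoded nor normalized, so a `;jsessionid=...` path parameter or an encoded slash on the login path is now rejected too — acceptable fail-closed behaviour, but worth a one-line comment above the check. The `matches` method's body, including the dev-insecure bypass the trailing comments describe, continues outside the hunk.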
@@ -110,10 +110,11 @@ mvn spring-boot:run -Pembedded \
 -Dspring-boot.run.jvmArguments="-Daxis2.repo=target/deploy/axis2-json-api/WEB-INF"
 </pre>
-<p>For local testing without JWT authentication, activate the
-<code>dev-insecure</code> profile (bypasses auth for all
-<code>/services/*</code> requests — <strong>never use in
-production</strong>):</p>
+<p>For local testing without JWT authentication, the sample application
+implements a <code>dev-insecure</code> Spring profile that bypasses
+auth for all <code>/services/*</code> requests. This is a pattern you
+can replicate in your own application — it is not a built-in starter
+feature. <strong>Never use in production.</strong></p>
 <pre>
 mvn spring-boot:run -Pembedded \
