cloudfoundry / java-buildpack

Cloud Foundry buildpack for running Java applications
Apache License 2.0
437 stars, 2.58k forks

Not recommended to ignore Ant [pattern='/cloudfoundryapplication/**'] #963

Closed mayrstefan closed 1 year ago

mayrstefan commented 2 years ago

Today a developer pointed me to these application messages

Will not secure Ant [pattern='/cloudfoundryapplication/**']
You are asking Spring Security to ignore Ant [pattern='/cloudfoundryapplication/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.

This is happening for a Spring Boot application running the latest Java Buildpack. Those URLs are accessed by the VMware Tanzu Apps Manager, which is okay so far. But this pattern doesn't exist in our code. We think this comes from some magic buildpack voodoo. So where is this coming from, and why is it injected in a way that is not recommended?

dmikusa commented 2 years ago

I don't believe this comes from the buildpack. The /cloudfoundryapplication path is added by Spring Boot Actuators.

You can disable adding that by setting management.cloudfoundry.enabled=false. See reference docs.

The warning itself comes from Spring Security. See this comment which explains the change in recommendation.

If your application is setting these values, you should make the adjustment to use permitAll instead of ignoring that path. If you're not setting that anywhere in the app, perhaps you're not on a new enough Spring Boot to have caught up with that recommendation. Just a guess though. If you can't track it down, asking in a Spring Boot issue/chat/SO post would probably be the way to go.

Hope that helps!
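As an added illustration of the adjustment suggested above (this is example code written for this page, not code from the java-buildpack project, from Spring Boot, or from either commenter), here is the shape of the two configurations side by side. The commented-out `WebSecurityCustomizer` is the pattern that produces the "Will not secure" warning: a path that is ignored is never passed through the Spring Security filter chain at all, so it gets no security headers, no CSRF handling and no `SecurityContext`. Declaring the same path `permitAll()` inside `authorizeHttpRequests` keeps it on the filter chain while still allowing unauthenticated access. The class name `SecurityConfig`, the `httpBasic` fallback for every other request, and the Spring Boot 3 / Spring Security 6 API (`requestMatchers`, `SecurityFilterChain` bean) are assumptions; older Spring Security versions spell the matcher `antMatchers`.

```java
package com.example.demo; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Example configuration (not from the issue or the buildpack) showing the
 * discouraged "ignore" pattern next to the recommended "permitAll" pattern
 * for the /cloudfoundryapplication/** path that Spring Boot Actuator exposes
 * for Cloud Foundry.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // BEFORE: this is the pattern that triggers the warning
    //   "Will not secure Ant [pattern='/cloudfoundryapplication/**']".
    // Requests to the ignored path bypass the entire security filter chain,
    // so none of the usual protections run for them. Kept here for contrast
    // and deliberately commented out.
    //
    // @Bean
    // WebSecurityCustomizer ignoreCloudFoundryPath() {
    //     return web -> web.ignoring().requestMatchers("/cloudfoundryapplication/**");
    // }

    // AFTER: the path stays on the filter chain but is permitted for everyone.
    // Everything else still requires authentication (HTTP Basic is assumed
    // here purely as a placeholder for whatever the application really uses).
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/cloudfoundryapplication/**").permitAll()
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

If the application does not need the Cloud Foundry actuator extension at all (for example, it is not managed through Apps Manager), the other option mentioned above is to stop exposing the path altogether with `management.cloudfoundry.enabled=false` in `application.properties`, in which case neither matcher is needed.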

mayrstefan commented 1 year ago

This is now tracked in https://github.com/spring-projects/spring-boot/issues/32622

dmikusa commented 1 year ago

OK, I'm going to close this. If you need anything else from the buildpacks team, just let us know. Thanks