Ignore path parameters when matching routes

tests/integration/security/path-params/pom.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <parent>
+        <artifactId>helidon-tests-integration-security</artifactId>
+        <groupId>io.helidon.tests.integration</groupId>
+        <version>2.3.1-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>helidon-tests-integration-security-path-params</artifactId>
+    <name>Helidon Tests Integration Security Path Parameters</name>
+
+    <description>
+        Integration test for path parameters
+    </description>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.helidon.microprofile.bundles</groupId>
+            <artifactId>helidon-microprofile</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-all</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>
+

tests/integration/security/path-params/src/main/java/io/helidon/tests/integration/security/pathparams/AdminResource.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2021 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.tests.integration.security.pathparams;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+
+/**
+ * An admin resource that should not be accessible without proper credentials.
+ */
+@Path("/admin")
+public class AdminResource {
+
+    /**
+     * The resource.
+     *
+     * @return admin secret.
+     */
+    @GET
+    public String admin() {
+        return "admin";
+    }
+}

tests/integration/security/path-params/src/main/java/io/helidon/tests/integration/security/pathparams/GreetResource.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2021 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.tests.integration.security.pathparams;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+
+/**
+ * A greet resource that is unprotected.
+ */
+@Path("/greet")
+public class GreetResource {
+
+    /**
+     * A hello resource.
+     *
+     * @return the greeting.
+     */
+    @GET
+    public String hello() {
+        return "Hello World";
+    }
+}

tests/integration/security/path-params/src/main/resources/META-INF/beans.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright (c) 2021 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+
+<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+        xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
+                           http://xmlns.jcp.org/xml/ns/javaee/beans_2_0.xsd"
+        version="2.0"
+        bean-discovery-mode="annotated">
+</beans>

tests/integration/security/path-params/src/main/resources/application.yaml

@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2021 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+server.port: 0
+security:
+  providers:
+    - abac:
+    - http-basic-auth:
+        realm: "helidon"
+        users:
+          - login: "success"
+            password: "password"
+            roles: ["admin"]
+          - login: "fail"
+            password: "password"
+  web-server:
+    paths:
+      - path: "/admin"
+        authenticate: true
+        authorize: true
+        abac:
+          roles-allowed:
+            user:
+              - admin

tests/integration/security/path-params/src/main/resources/logging.properties

@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2021 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Example Logging Configuration File
+# For more information see $JAVA_HOME/jre/lib/logging.properties
+
+# Send messages to the console
+handlers=io.helidon.common.HelidonConsoleHandler
+
+# HelidonConsoleHandler uses a SimpleFormatter subclass that replaces "!thread!" with the current thread
+java.util.logging.SimpleFormatter.format=%1$tY.%1$tm.%1$td %1$tH:%1$tM:%1$tS %4$s %3$s !thread!: %5$s%6$s%n
+
+# Global logging level. Can be overridden by specific loggers
+.level=INFO
+AUDIT.level=FINEST
+

tests/integration/security/path-params/src/test/java/io/helidon/tests/integration/security/pathparams/AdminTest.java

@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 2021 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.helidon.tests.integration.security.pathparams;
+
+import java.util.Base64;
+import java.util.function.Function;
+
+import javax.ws.rs.client.Client;
+import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.client.WebTarget;
+import javax.ws.rs.core.Response;
+
+import io.helidon.common.http.Http;
+import io.helidon.microprofile.server.Server;
+
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+class AdminTest {
+    private static Server server;
+    private static Client client;
+
+    private static Function<String, WebTarget> target;
+
+    @BeforeAll
+    static void initClass() {
+        server = Server.create()
+                .start();
+
+        client = ClientBuilder.newClient();
+
+        int port = server.port();
+        String baseUri = "http://localhost:" + port;
+        target = p -> client.target(baseUri + p);
+    }
+
+    @AfterAll
+    static void destroyClass() {
+        if (server != null) {
+            server.stop();
+        }
+        if (client != null) {
+            client.close();
+        }
+    }
+
+    @Test
+    void testGreetResource() {
+        String response = target.apply("/greet").request().get(String.class);
+        assertThat(response, is("Hello World"));
+    }
+
+    @Test
+    void testAdminResource1() {
+        Response response = target.apply("/admin").request().get();
+        assertThat(response.getStatus(), is(Http.Status.UNAUTHORIZED_401.code()));
+    }
+
+    @Test
+    void testAdminResource2() {
+        Response response = target.apply("/admin;a=b").request().get();
+        assertThat(response.getStatus(), is(Http.Status.UNAUTHORIZED_401.code()));
+    }
+
+    @Test
+    void testAdminResource3() {
+        Response response = target.apply("/admin;a=b;c=d").request().get();
+        assertThat(response.getStatus(), is(Http.Status.UNAUTHORIZED_401.code()));
+    }
+
+    @Test
+    void testAdminResource4() {
+        Response response = target.apply("/admin;").request().get();
+        assertThat(response.getStatus(), is(Http.Status.UNAUTHORIZED_401.code()));
+    }
+
+    @Test
+    void testAdminResource5() {
+        Response response = target.apply("/admin/;").request().get();
+        assertThat(response.getStatus(), is(Http.Status.UNAUTHORIZED_401.code()));
+    }
+
+    @Test
+    void testAdminResource6() {
+        Response response = target.apply("/admin/;/").request().get();
+        assertThat(response.getStatus(), is(Http.Status.UNAUTHORIZED_401.code()));
+    }
+
+    @Test
+    void testAdminResourceBasicAuth1() {
+        Response response = target.apply("/admin").request()
+                .header("Authorization", basic("success"))
+                .get();
+        assertThat(response.getStatus(), is(Http.Status.OK_200.code()));
+    }
+
+    @Test
+    void testAdminResourceBasicAuth2() {
+        Response response = target.apply("/admin;a=b").request()
+                .header("Authorization", basic("success"))
+                .get();
+        assertThat(response.getStatus(), is(Http.Status.OK_200.code()));
+    }
+
+    private String basic(String user) {
+        String uap = user + ":password";
+        return "basic " + Base64.getEncoder().encodeToString(uap.getBytes());
+    }
+}

tests/integration/security/pom.xml

@@ -38,5 +38,6 @@
         <module>gh1487</module>
         <module>gh2297</module>
         <module>gh2455</module>
+        <module>path-params</module>
     </modules>
 </project>

webserver/webserver/src/main/java/io/helidon/webserver/HandlerRoute.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2020 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2021 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,8 @@
 
 import io.helidon.common.http.Http;
 
+import static io.helidon.webserver.PathHelper.extractPathParams;
+
 /**
  * Represents a single routable {@link Handler} in the {@link Routing}.
  */
@@ -139,14 +141,14 @@ public Map<String, String> diagnosticEvent() {
     }
 
     /**
-     * Matches this against a URI path.
+     * Matches this against a URI path. Drops any path parameters before matching.
      *
      * @param path resolved and normalized URI path to test against.
      * @return a {@link PathMatcher.Result} of the test.
      * @throws NullPointerException in case that {@code path} parameter is {@code null}.
      */
     public PathMatcher.Result match(CharSequence path) {
-        return pathMatcher.match(path);
+        return pathMatcher.match(extractPathParams(path.toString()));
     }
 
     @Override