github
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java
Copy file name to clipboardExpand all lines: java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java
+7-7Lines changed: 7 additions & 7 deletions b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java
Copy file name to clipboardExpand all lines: java/ql/test/query-tests/security/CWE-200/semmle/tests/SpringBootActuators/SpringBootActuatorsTest.java
+7-7Lines changed: 7 additions & 7 deletions
@@ -265,15 +265,15 @@ protected void configureOkNoPermitAll7_securityMatchers(HttpSecurity http) throw
     http.securityMatchers(matcher -> EndpointRequest.toAnyEndpoint()).authorizeHttpRequests().anyRequest();
   }
 
-  // Spring doc example
-  // https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.security
-  public void securityFilterChain(HttpSecurity http) throws Exception {
-		http.securityMatcher(EndpointRequest.toAnyEndpoint());
-		http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
-	}
+  // QHelp Bad example
+  public void securityFilterChain1(HttpSecurity http) throws Exception {
+    // BAD: Unauthenticated access to Spring Boot actuator endpoints is allowed
+    http.securityMatcher(EndpointRequest.toAnyEndpoint());
+    http.authorizeHttpRequests((requests) -> requests.anyRequest().permitAll()); // $ hasExposedSpringBootActuator
+  }
 
   // QHelp Good example
-  protected void configureQhelpGood(HttpSecurity http) throws Exception {
+  public void securityFilterChain2(HttpSecurity http) throws Exception {
     // GOOD: only users with ENDPOINT_ADMIN role are allowed to access the actuator endpoints
     http.securityMatcher(EndpointRequest.toAnyEndpoint());
     http.authorizeHttpRequests((requests) -> requests.anyRequest().hasRole("ENDPOINT_ADMIN"));