Fix Improper Assets Management in Micronaut
Improper Assets Management in Micronaut often manifests as 'Shadow APIs' or leaky static resource mappings. When you map routes lazily or leave management endpoints exposed, you're handing an attacker a map to your internal state. We're talking about directory traversal via static resource misconfiguration and unintended exposure of internal metadata. Secure asset management means strict path white-listing and isolating management traffic.
The Vulnerable Pattern
micronaut:
  router:
    static-resources:
      default:
        mapping: "/**"
        paths: "file:./"
# This is a disaster. Mapping the URL root to the application's working directory on the filesystem allows attackers to fetch application.yml, source code, or even sensitive env files.
The Secure Implementation
The fix involves three pillars of asset hardening:
1. Namespace Isolation: Never map to the root (/**). Use a specific prefix like /static/ or /assets/.
2. Source Restriction: Use 'classpath:' instead of 'file:' to ensure the app only serves bundled resources, preventing path traversal to the host OS.
3. Endpoint Inventory: Explicitly disable all management endpoints (beans, env, routes) and only enable what is strictly necessary (like health) with 'sensitive: true' to ensure they are behind authentication.
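micronaut:
  router:
    static-resources:
      assets:
        # Dedicated prefix, served only from resources bundled on the classpath
        mapping: "/static/**"
        paths: "classpath:public"
  security:
    intercept-url-map:
      - pattern: "/static/**"
        access:
          - isAnonymous()
# Management isolation
endpoints:
  all:
    # Every management endpoint is off and sensitive unless overridden below
    enabled: false
    sensitive: true
  health:
    # The only endpoint enabled; sensitive: false leaves it reachable without authentication
    enabled: true
    sensitive: false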
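
The three hardening checks above, written as a configuration audit that can run in CI. This is an added example, not Ghost Labs' or Micronaut's code. It assumes application.yml has already been parsed into a nested dict by a YAML parser; `audit`, the two sample dicts and the health-only allow-list are hypothetical names and choices made for this example.

```python
"""Audit a parsed Micronaut configuration for the asset-exposure patterns above."""

# Constructed sample: the vulnerable mapping from this page plus one exposed
# management endpoint, shaped as a YAML parser would return application.yml.
SAMPLE_VULNERABLE = {
    "micronaut": {"router": {"static-resources": {
        "default": {"mapping": "/**", "paths": "file:./"}}}},
    "endpoints": {"env": {"enabled": True, "sensitive": False}},
}

# Constructed sample: the hardened configuration from this page.
SAMPLE_HARDENED = {
    "micronaut": {"router": {"static-resources": {
        "assets": {"mapping": "/static/**", "paths": "classpath:public"}}}},
    "endpoints": {"all": {"enabled": False, "sensitive": True},
                  "health": {"enabled": True, "sensitive": False}},
}

ALLOWED_OPEN_ENDPOINTS = {"health"}  # assumption: only health may skip auth


def audit(config):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    router = config.get("micronaut", {}).get("router", {})
    for name, res in router.get("static-resources", {}).items():
        mapping = str(res.get("mapping", ""))  # absent mapping is treated as root
        paths = res.get("paths", [])
        paths = [paths] if isinstance(paths, str) else list(paths)
        # 1. Namespace isolation: the mapping must carry a dedicated prefix.
        if mapping.lstrip("/") in ("", "*", "**"):
            findings.append(f"static-resources.{name}: root mapping {mapping!r}")
        # 2. Source restriction: only bundled classpath resources are served.
        for p in paths:
            if not str(p).startswith("classpath:"):
                findings.append(f"static-resources.{name}: non-classpath path {p!r}")
    # 3. Endpoint inventory: default-off, and anything enabled requires auth.
    endpoints = config.get("endpoints", {})
    all_cfg = endpoints.get("all", {})
    if all_cfg.get("enabled") is not False:
        findings.append("endpoints.all.enabled is not false")
    for name, ep in endpoints.items():
        if name == "all" or not ep.get("enabled"):
            continue
        sensitive = ep.get("sensitive", all_cfg.get("sensitive"))
        if name not in ALLOWED_OPEN_ENDPOINTS and sensitive is not True:
            findings.append(f"endpoints.{name}: enabled without sensitive: true")
    return findings
```

Failing the build when `audit` returns a non-empty list keeps a root mapping or an opened management endpoint from reaching deployment.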
Verified by Ghost Labs Security Team