Previously, if security.ignored was set to none and the error controller
was disabled, there would be no paths to ignore and we would call
IgnoredRequestConfigurer.antMatchers with an empty array. While a bit
pointless, this had no effect on Spring Security’s configuration.
This behaviour has changed in the latest 4.0.3 snapshots [1]. An empty
array passed to IgnoredRequestConfigurer.antMatchers now maps to /**. As
Spring Boot configures its ignored paths with highest precedence this
means that security is now disabled for every path.
This commit updates both the management security and application
security configuration to avoid calling antMatchers with an empty
array, thereby ensuring that we don’t inadvertently ignore every path.
Even if the change to Spring Security is reverted we can keep this
change. The behaviour will remain the same and, arguably, it makes the
intent of our configuration clearer.
Closes gh-4345
[1] 8663ac4173
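
The guard described in the commit message above, sketched as an added example rather than the commit's own code. The class name `GuardedIgnoredPaths` and the `effectivePaths` helper are hypothetical, and treating `none` as "ignore nothing" is an assumption taken from the message's mention of `security.ignored` being set to none.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configurer (added example): register it as a bean with the
// configured ignore list, e.g. the values bound from security.ignored.
public class GuardedIgnoredPaths extends WebSecurityConfigurerAdapter {

    private final List<String> configured;

    public GuardedIgnoredPaths(List<String> configured) {
        this.configured = configured;
    }

    // Assumption: blanks and the "none" marker both mean "ignore nothing",
    // so they are dropped and may leave an empty list behind.
    static List<String> effectivePaths(List<String> configured) {
        List<String> paths = new ArrayList<String>();
        for (String path : configured) {
            String trimmed = (path == null) ? "" : path.trim();
            if (!trimmed.isEmpty() && !"none".equals(trimmed)) {
                paths.add(trimmed);
            }
        }
        return paths;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        List<String> paths = effectivePaths(this.configured);
        if (paths.isEmpty()) {
            // Nothing to ignore: make no call at all. Per the commit message,
            // an empty array passed to antMatchers maps to /** in the 4.0.3
            // snapshots, which would remove every path from the filter chain.
            return;
        }
        // Only reached with at least one explicit pattern.
        web.ignoring().antMatchers(paths.toArray(new String[paths.size()]));
    }
}
```

A regression test for this kind of change would request a protected path with `security.ignored` set to none and expect the request to be challenged rather than served.
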
In 1.3, our Gradle plugin no longer automatically applies the
application plugin. This affects the default options that are
available for explicitly configuring a project's main class. This
commit updates the documentation accordingly.
Closes gh-3768
The syntax was a bit tortured. This should clarify things and also
de-emphasise the "production" use case for the file system
properties file (we want to be cloud native don't we?).
That way any properties that are needed for processing the config
files will be available in time. Makes sense given that env vars
are the main carrier of the inline JSON.
The HATEOAS sample does not support XML responses. Previously, the
controller didn't constrain the media types that it could produce.
This would result in a failure when handling a request that prefers
XML responses.
This commit updates the produces clauses in the controller so that
the sample will only attempt to produce JSON.
Closes gh-4343
The documentation recommends configuring the HTTP connector in code
and using application.properties to configure the HTTPS connector
as it's easier. This commit updates the sample to follow that
recommendation.
Closes gh-4342
Previously, the "Common application properties" appendix had no
consistent use of a configuration key value. It could just as well be
the default value or an example.
We now always document the default value after the "=" sign and
eventually add an example with the phrasing "For instance".
The keys have also been reordered so that they follow a natural (i.e.
lexical) order.
Closes gh-3230
Closes gh-3160
Closes gh-3155
Closes gh-3153
The PROPERTIES creator mode has the unfortunate side-effect of stopping
mixins from working. This commit updates the auto-configured module to
use the DEFAULT creator mode instead.
Closes gh-4336
The latest Spring Framework 4.2.3 snapshots appear to be trimming
whitespace as part of the binding process. This commit updates the
test's expectations accordingly.
During a restart, the Restarter runs all registered shutdown hooks. This
breaks Log4J2 as it leaves it in a shutdown state that leaves logging
switched off such that no output is produced when the application starts
up again.
This commit introduces a new RestartListener abstraction.
RestartListeners are notified prior to the application being restarted.
A Log4J2-specific implementation is provided that prepares Log4J2 for
restart by removing any shutdown callbacks from its shutdown callback
registry. This prevents the restart from shutting down Log4J2, ensuring
that it still functions when the application restarts.
Closes gh-4279
Previously, it had the same plugin name as
WhitespaceThrowablePatternConverter which meant that only one of the
two plugins was available and the other’s converter keys didn’t work.
Closes gh-4337
Make sure that `autoApprove`, `accessTokenValiditySeconds`, and
`refreshTokenValiditySeconds` properties from the `ClientDetails`
are used
Closes gh-4306
As there is no way to copy all the converters of a `ConversionService` to
another, `RelaxedConversionService` uses a fallback `ConversionService`
when the user-provided one failed.
That fallback is taking care of converting `String` to `Enum` in a case
insensitive way but it has no registered converter to convert a comma
separated String to a collection of something.
Ironically, our current test suite has plenty of cases where we map a
`String` to a collection of enums and they all pass. This is because
the tests do not provide a custom `ConversionService` so we end up
immediately in the fallback scenario. Since no converter is able to
convert the String to a collection, the property editor support of the
binder takes care of that for us and tries to convert each individual
value.
In a regular use case however, a `ConversionService` is provided and
fails to map the collection if the String value(s) don't have the exact
same case as the annotations they represent. Since the original
`ConversionService` has claimed it was able to convert a collection,
the raw `String` value is passed to the fallback converter and that one
fails to convert the raw String.
The fallback converter now registers the necessary converters to
convert collections. Additional tests have been added to test that in
a more explicit way.
Closes gh-4322
Previously it was possible to bind a bean to the root prefix by just
adding `@EnableConfigurationProperties` with the class of said bean.
This use case is misleading and prevents any meta-data from being generated
for that object since the annotation processor reacts on the presence of
the `@ConfigurationProperties` annotation.
If a class is included in the list of configuration properties bean to
create via the `@EnableConfigurationProperties` annotation we now make
sure that the `@ConfigurationProperties` annotation is present on it.
Closes gh-3460
Previously, ConfigFileApplicationListener was listed in spring.factories
as both an EnvironmentPostProcessor and an ApplicationListener. This
was problematic as ConfigFileApplicationListener is stateful and listing
it twice led to two separate instances with separate state.
This commit restores ConfigFileApplicationListener to only being an
ApplicationListener. The driving of EnvironmentPostProcessors that was
performed by EnvironmentPostProcessingApplicationListener is now
performed by ConfigFileApplicationListener which adds itself as an
EnvironmentPostProcessor. This ensures that there’s only a single
instance of ConfigFileApplicationListener, allowing its state to be
managed correctly.
Closes gh-4258
Previously, the auto-configuration of DevTools’ debug, restart, and
health handlers assumed that the server was running on its default
context path and, if server.context-path was set to a non-default value,
the handlers would not work as expected.
This commit updates the auto-configuration of the three handlers to
consider the server’s context path when configuring their URIs. Now,
when a custom server context path is used, no further configuration is
required other than the inclusion of that context path when providing
the remote URL as an argument to RemoteSpringApplication.
Closes gh-4301
We have some requirements for filter ordering:
1. The character encoding filter must go first
2. Spring Session’s filter should go early
3. RequestContextFilter should go late so that any request wrapping
performed by other filters is reflected in the request that’s set
in the RequestContextHolder
4. Spring Security’s Filter must go after RequestContextFilter so that
any code called by Filters in Spring Security’s Filter chain can
retrieve the request from RequestContextHolder, for example
OAuth2ClientContextFilter.
See gh-4331
Previously, the nested private static class would cause an error at
startup stating that it was not accessible when trying to bind the
property from the environment. The nested class should be public.
Closes gh-4323
For some reason, Cargo fails when the Tomcat deployment tests are run
after the TomEE deployment tests. It complains that it can’t find one
of its own classes. This commit changes the order so that the TomEE
tests run before the Tomcat tests.
¯\_(ツ)_/¯
Previously, LoggingApplicationListener used %rEx as the default
exception conversion word. This would result in the nested causes
being logged in reverse order, i.e. the most deeply nested cause
would be logged first.
This commit updates the default to be %wEx and adds a test to verify
the default behaviour.
Closes gh-4247
FacesListener in Mojarra 2.2.12 (used in Glassfish 4.1.1) is a
ServletContainerInitializer that’s annotated to handle types annotated
with javax.annotation.Resource.
OAuth2RestOperationsConfiguration.SessionScopedConfiguration is one such
class. This leads to com.sun.faces.config.DelegatingAnnotationProvider
calling getAnnotations on SessionScopedConfiguration.class. This fails
with a java.lang.ArrayStoreException due to SessionScopedConfiguration
being annotated with @ConditionalOnBean(OAuth2ClientConfiguration) and
OAuth2ClientConfiguration not being on the classpath.
DelegatingAnnotationProvider currently catches NoClassDefFoundErrors
thrown during its annotation processing. It needs to be made more
robust so that it also copes with an ArrayStoreException, in a similar
way to how org.glassfish.apf.impl.AnnotationProcessorImpl was updated to
fix GLASSFISH-21265 [1]. I’ve opened an issue to this effect [2].
In the meantime, we can work around the brittleness in
DelegatingAnnotationProvider by restructuring
SessionScopedConfiguration. This commit moves the use of @Resource into
a nested inner class, ClientContextConfiguration, while leaving the use
of @ConditionalOnBean on SessionScopedConfiguration. This means that it
is now ClientContextConfiguration that is passed to FacesListener and
processed by DelegatingAnnotationProcessor, thereby avoiding exposing
it to the @ConditionalOnBean annotation that it does not handle
gracefully. A Glassfish-based deployment test has also been added to
verify the fix.
Closes gh-2079
Closes gh-4321
[1] https://java.net/jira/browse/GLASSFISH-21265
[2] https://java.net/jira/browse/JAVASERVERFACES-4076