We have some requirements for filter ordering:
1. The character encoding filter must go first
2. Spring Session’s filter should go early
3. RequestContextFilter should go late so that it any request wrapping
performed by other filters is reflected in the request that’s set
in the RequestContextHolder
4. Spring Security’s Filter must go after RequestContextFilter so that
any code called by Filters in Spring Security’s Filter chain can
retrieve the request from RequestContextHolder, for example
OAuth2ClientContextFilter.
See gh-4331
Previously, the nested private static class would cause an error at
startup stating that it was not accessible when trying to bind the
property from the environment. The nested class should be public.
Closes gh-4323
For some reason, Cargo fails when the Tomcat deployment tests are run
after the TomEE deployment tests. It complains that it can’t find one
of its own classes. This commit changes the order so that the TomEE
tests run before the Tomcat tests.
\_(ツ)_/¯
Previously, LoggingApplicationListener used %rEx as the default
exception conversion word. This would result in the nested causes
being logging in reverse order, i.e. the most deeply nested cause
would be logged first.
This commit updates the default to be %wEx and adds a test to verify
the default behaviour.
Closes gh-4247
FacesListener in Mojarra 2.2.12 (used in Glassfish 4.1.1) is a
ServletContainerInitializer that’s annotated to handle types annotated
with javax.annotation.Resource.
OAuth2RestOperationsConfiguration.SessionScopedConfiguration is one such
class. This leads to com.sun.faces.config.DelegatingAnnotationProvider
calling getAnnotations on SessionScopedConfiguration.class. This fails
with a java.lang.ArrayStoreException due to SessionScopedConfiguration
being annotated with @ConditionalOnBean(OAuth2ClientConfiguration) and
OAuth2ClientConfiguration not being on the classpath.
DelegatingAnnotationProvider currently catches NoClassDefFoundErrors
thrown during its annotation processing. It needs to be made more
robust so that it also copes with an ArrayStoreException, in a similar
way to how org.glassfish.apf.impl.AnnotationProcessorImpl was updated to
fix GLASSFISH-21265 [1]. I’ve opened an issue to this effect [2].
In the meantime, we can work around the brittleness in
DelegatingAnnotationProvider by restructuring
SessionScopedConfiguration. This commit moves the use of @Resource into
a nested inner class, ClientContextConfiguration, while leaving the use
of @ConditionalOnBean on SessionScopedConfiguration. This means that it
is now ClientContextConfiguration that is passed to FacesListener and
processed by DelegatingAnnotationProcessor, thereby avoiding exposing
it to the @ConditionalOnBean annotation that it does not handle
gracefully. A Glassfish-based deployment test has also been added to
verify the fix.
Closes gh-2079
Closes gh-4321
[1] https://java.net/jira/browse/GLASSFISH-21265
[2] https://java.net/jira/browse/JAVASERVERFACES-4076
Previously, if getValidDocumentRoot() returned null, only the embedded
Tomcat container would use a temporary directory. This left Jetty and
Undertow unable to provide a URL for the root of the servlet context,
i.e. servletContext.getResource("/") would return null.
This commit updates the embedded containers for Jetty and Undertow to
behave in the same way as Tomcat. A test has been added to verify that
all three containers can produce a non-null URL for the root of the
servlet context.
Closes gh-2878
Previously, OrderedRequestContextFilter was ordered such that it
ran after Spring Security's Filter. This meant that the request
context was unavailable to any Filters in Spring Security's Filter
chain. Specifically, this caused a failure when using @EnableOAuth2Sso
as OAuth2ClientAuthenticationProcessingFilter, which is added to
Spring Security's Filter chain would be unable to use the
request-scoped bean upon which it depends.
This commit updates the order of OrderedRequestContextFilter so that
the request context is set up before Spring Security's Filter runs.
The tests for SampleGitHubApplication have been updated to use
TestRestTemplate rather than MockMvc. This is necessary as the latter,
via ServletTestExecutionListener, automatically populates the request
context holder, masking the fact that the request context filter was
setting it up too late.
Closes gh-4270
If a filter is registered in `web.xml` with no `dispatcher` element, the
spec states that it should have the `REQUEST` dispatcher type only.
As we are adding more dispatcher types by default, it can be surprising
for users migrating from a `web.xml` based web app. The documentation
has now an explicit note about this.
Closes gh-2689
Previously, NamePatternFilter looked for “*”, “$”, “^”, or “+” when
trying to identify a string as being a regular expression. This meant
that it missed the use of a character class ([a-z], for example). This
commit adds “[“} to the list of characters that are considered to be
part of a regular expression.
Closes gh-4233
Stephane Nicoll
Vedran Pavic
Andy Wilkinson
Tommy Ludwig
Johnny Lim
Dave Syer
Axel Fontaine
Huang YunKun
d10xa
Phillip Webb