Several libraries that Spring Boot supports depend on JBoss Logging but
they use a variety of versions. This means that the actual version of
JBoss Logging that will be used depends on your build system. Gradle
will pick the latest version that’s in the dependency graph, Maven
will pick the version that’s nearest the root of the graph and, if two
dependencies are equidistant, it’ll pick the version that’s pulled in
by the dependency listed first in the pom. In short, it’s very hard to
reason about the version of JBoss Logging that you’ll actually use at
runtime.
This commit adds dependency management for JBoss Logging so that a
consistent version is used, irrespective of your build system or
dependencies.
Closes gh-4185
jersey-spring3 has a transtive dependencies on HK2’s bean-validator
module that embeds JBoss Logging, Hibernate Validator, and Classmate
without repackaging them. This makes it impossible to control the
version of those three libraries that will be used without relying on
classpath ordering.
This commit excludes the bean-validator dependency from jersey-spring3.
The Jersey starter already depends on our Validation starter which
pulls in the proper, and controllable, version of the three
dependencies listed above so users of our starters will be unaffected.
Closes gh-4186
This commit adds dependency management for Cassandra Driver’s three
modules. The version is the latest maintenance release of the minor version that’s used by Spring Data Cassandra in the Spring Data Gosling release train.
Closes gh-4167
Prior to 8.0.28 Tomcat required the key store and trust store (if any)
to be available directly on the filesystem, i.e. classpath: resources
would not work. Tomcat 8.0.28 removed this limitation.
This commit updates to Tomcat 8.0.28, updates the tests to verify
the new Tomcat capability and removes the obsolete documentation of
the restriction.
Closes gh-4048
Liquibase 3.4.0 contains a bug that causes the initialization of its
ServiceLocator to pollute its map of loggers with a DefaultLogger for
the logger named "liquibase". Liquibase 3.4.1 contains a change that
improves the situation, but does not address is completely. Creating a
CustomResolverServiceLocator, as we do, still causes the map of
loggers to be polluted due to logging that's performed in
ClassLoaderResourceAccessor.getResourcesAsStream.
The commit address the problem by upgrading to Liquibase 3.4.1 and
adding the package containing our custom logger to the default service
locator before we register our custom service locator. This ensures
that the logging that's performed during the creation of our custom
service locator will still use our custom logger.
Closes gh-3470
Closes gh-3616
Typically, a Spring Boot maintenance release would not move to a new
minor version of a dependency. However there is a security
vulnerability in Groovy [1] and 2.4.4 is the only release which
contains a fix for it.
The commit upgrades to 2.4.4, thereby ensuring that users of Groovy
are not vulnerable by default. Users of Groovy whose applications are
not affected by the vulnerability may choose to downgrade back to
2.3.11 by overriding Spring Boot's dependency management.
Closes gh-3540
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
Embedded MongoDB is now auto-configured when it is on the classpath.
The Mongo instance will listen on the port specified by the
spring.data.mongodb.port property. If this property has a value of
zero and randomly allocated port will be used. In such an event, the
MongoClient created by MongoAutoConfiguration will be automatically
configured to use the port that was allocated.
By default, MongoDB 2.6.10 will be used. This can be configured using
the spring.embedded-mongodb.version property. Mongo's sync delay
feature is enabled by default. This can be configured using the
spring.embedded-mongobd.features property.
Closes gh-2002
Add a new `spring-boot-configuration-metadata` module that provides an
API to manipulate Spring Boot configuration meta-data. Can read meta-data
from arbitrary locations, though the standard
`META-INF/spring-configuration-metadata.json` location must be preferred.
Closes gh-1970
Hazelcast introduced a regression in their dependency management as of
3.5 which brings freemarker. This has unfortunate side effect in a Spring
Boot application since the freemarker auto-configuration kicks in for no
apparent reason when hazelcast is used.
An exclusion has been applied until the issue is fixed in hazelcast.
Closes gh-3418
If spring-hateoas is on the classpath and an MvcEndpoint returns a
@ResponseBody it will be extended and wrapped into a Resource with links.
All the existing endpoints that return sensible JSON data can be extended
this way (i.e. not /logfile). The HAL browser will also be added as an
endpoint if available on the classpath. Finally, asciidocs for the
Actuator endpoints are available as a separate jar file, which if
included in an app will also generate a new (HTTP) endpoint.
Fixes gh-1390
Previously, spring-boot required org.json:json to be on the compile
classpath, but it was only there by virtue of it being a transitive
dependency of another of spring-boot’s dependency. This commit makes
it clear that spring-boot has an (optional) dependency on org.json:json
by having an explicit dependency declaration for it. Additionally, the
name of the version property and the alphabetical ordering in
spring-boot-dependencies have been corrected.
Closes gh-3290
Update `spring-boot-dependencies` to exclude `commons-logging` from
`infinispan-spring4`. The version pulled in was very old and included
a transitive dependency to `servlet-api` 2.4.
Fixes gh-3291
Add auto-configuration support for Apache Artemis which was formed when
HornetQ was donated to the Apache Foundation. The majority of this code
is based on the HornetQ auto-configuration.
Fixes gh-3154
Closes gh-3246
This commit aligns our dependency management for GemFire with the
version used by the version of Spring Data GemFire that we currently
depend upon.
Previously, some dependency management that was added (see #2884) to
work around problems with GemFire 8.0’s dependencies; specifically it
depended on different versions of org.eclipse.jdt.core.compiler:ecj and
xml-apis:xml-apis. The different dependency versions appear to no
longer be a problem with 8.1 so this dependency management is now
redundant and has been removed.
Closes gh-3284
This commit adds support for automatically configuring Spring Session.
In a web application when both Spring Session and Spring Data Redis
are on the classpath, Spring Session's Redis Http Session support
will be auto-configured. The max inactive interval for Redis-backed
sessions can be configured via the environment using the existing
server.session-timeout property.
Closes gh-2318
* Automatically spin up Authorization Server and Resource Server
* Automatically configures method level security included OAuth2Expression handler
* Wrote extensive unit tests verifying default behavior as well as the auto-configuration backing off when custom Authorization/Resource servers are included
* Created org.springframework.boot.security.oauth2 subpackage to contain it
* Can also disable either resource of authorization server completely with a single property for each
* Print out the auto-generated secrets and other settings
* Added spring-boot-sample-secure-oauth2 to provide a sample that can be run and poked with curl as well as some automated tests.
* Make users ask for which servers to install by adding @Enable*
* User has to @EnableGlobalMethodSecurity instead of using properties files
Add Spring Security OAuth2 support to Spring Boot CLI
* Triggered from either @EnableAuthorizationServer or @EnableResourceServer
* Needs to have @EnableGlobalMethodSecurity to allow picking the annotation model.
* By default, comes with import support for @PreAuthorize, @PreFilter, @PostAuthorize, and @PostFilter via a single start import
* Also need import support for the enable annotations mentioned above.
* Added extra test case and sample (oauth2.groovy)