Replace `WebSecurityConfigurer` and `WebSecurityConfigurerAdapter`
configurations with `WebSecurityCustomizer` or `SecurityFilterChain`
beans.
Closes gh-23421
Previously, the default servlet was registered automatically when using
embedded Jetty, Tomcat, or Undertow. However, it is not used by the
majority of applications where Spring MVC's DispatcherServlet will be
the only servlet that's needed. As such configuring the default servlet
was wasting CPU and memory.
This commit changes the default for registering the default servlet to
false. It can be re-enabled by setting
server.servlet.register-default-servlet=true.
Closes gh-22915
Refactor `BootstrapRegistry` support following initial prototype work
with the Spring Cloud team.
This update splits the `BootstrapRegistry` API into `BootstrapRegistry`,
`BootstrapContext` and `ConfigurableBootstrapContext` interfaces and
moves it to the same package as `SpringApplication`.
A new `Bootstrapper` interface has been introduced that can be added
to the `SpringApplication` to customize the `BootstrapRegistry` before
it's used.
Closes gh-23326
Add a simple `BootstrapRegistry` that can be used to store and share
object instances across `EnvironmentPostProcessors`. The registry
can be injected into the constructor of any `EnvironmentPostProcessor`.
Registrations can also perform additional actions when the
`ApplicationContext` has been prepared. For example, they could register
the the bootstrap instances as beans so that they become available to
the application.
See gh-22956
Previously, waitsForQuietPeriod would iterate 10 times, touching a new
file and then sleeping for 100ms at it did so. With a quiet period of
200ms, this was intended to result in a single change set containing
10 files. However, the test would fail occasionally as multiple change
sets were detected. The test is multi-threaded and is, therefore, at
the mercy of the scheduler. If the thread that is iterating and
touching the files takes over 200ms to be scheduled – exceeding the
watcher's quiet period – the watcher may detect a change set while the
changes are still being made. Eliminating this possibilty would require
the test to participate in the watcher's synchronization, which would
require some changes to its implementation. Instead, this commit
aims to avoid the problem by sleeping for 1/10 of the time (10ms) and
expecting a single change set of 100 files. The hope is that the much
shorter sleep time will result in the file touching thread being
scheduled well within the 200ms quiet period.
Closes gh-22732
Update `EnvironmentPostProcessorApplicationListener` so that it can
either use values from `spring.factories` or use a factory interface.
Closes gh-22529
Deprecate `ConfigFileApplicationListener` and provide a replacement
mechanism that supports arbitrary config data imports.
This commit updates the following areas:
- Extract `EnvironmentPostProcessor` invocation logic from the
`ConfigFileApplicationListener` to new dedicated listener. Also
providing support for `Log` injection.
- Extract `RandomPropertySource` adding logic from the
`ConfigFileApplicationListener` to a dedicated class.
- Migrate to the recently introduced `DefaultPropertiesPropertySource`
class when moving the defaultProperties `PropertySource`
- Replace processing logic with a phased approach to ensure that
profile enablement happens in a distinct phase and that profiles
can no longer be activated on an ad-hoc basis.
- Provide a more predictable and logical import order for processing
`application.properties` and `application.yml` files.
- Add support for a `spring.config.import` property which can be used
to import additional config data. Also provide a pluggable API
allowing third-parties to resolve and load locations themselves.
- Add `spring.config.activate.on-profile` support which replaces the
existing `spring.profiles` property.
- Add `spring.config.activate.on-cloud-platform` support which allows
a config data document to be active only on a given cloud platform.
- Support a `spring.config.use-legacy-processing` property allowing the
previous processing logic to be used.
Closes gh-22497
Co-authored-by: Madhura Bhave <mbhave@vmware.com>
Previously, Spring Boot's modules published Gradle Module Metadata
(GMM) the declared a platform dependency on spring-boot-dependencies.
This provided versions for each module's own dependencies but also had
they unwanted side-effect of pulling in spring-boot-dependencies
constraints which would influence the version of other dependencies
declared in the same configuration. This was undesirable as users
should be able to opt in to this level of dependency management, either
by using the dependency management plugin or by using Gradle's built-in
support via a platform dependency on spring-boot-dependencies.
This commit reworks how Spring Boot's build uses
spring-boot-dependencies and spring-boot-parent to provide its own
dependency management. Configurations that aren't seen by consumers are
configured to extend a dependencyManagement configuration that has an
enforced platform dependency on spring-boot-parent. This enforces
spring-boot-parent's version constraints on Spring Boot's build without
making them visible to consumers. To ensure that the versions that
Spring Boot has been built against are visible to consumers, the
Maven publication that produces pom files and GMM for the published
modules is configured to use the resolved versions from the module's
runtime classpath.
Fixes gh-21911
Prior to this commit, there was a property server.error.include-details
that allowed configuration of the message and errors attributes in a
server error response.
This commit separates the control of the message and errors attributes
into two separate properties named server.error.include-message and
server.error.include-binding-errors. When the message attribute is
excluded from a servlet response, the value is changed from a
hard-coded text value to an empty value.
Fixes gh-20505
Previously, DefaultResourceLoader instances were created using the
default constructor. This causes the resource loader to capture the
TCCL that was in place at that time. This can lead to a class loader
leak if the resource loader is referenced directly or indirectly from
a static field of a class loaded by a different class loader.
This commit updates the creation of DefaultResourceLoader instances
in main code so that the resource load will use the class loader of
the creating class. In almost all cases this will be the same class
loader as was the thread context class loader that was being captured
so the change in behavior is minimal. Crucially, it will still address
the situation where the TCCL was different.
Note the DevTools' ApplicationContextResourceLoader has been updated
to explicitly use the TCCL. This ensures that it uses the restart
class loader which is required for DevTools to function correctly.
Fixes gh-20900
Prior to this commit, default error responses included the message
from a handled exception. When the exception was a BindException, the
error responses could also include an errors attribute containing the
details of the binding failure. These details could leak information
about the application.
This commit removes the exception message and binding errors detail
from error responses by default, and introduces a
`server.error.include-details` property that can be used to cause
these details to be included in the response.
Fixes gh-20505
Previously, DevToolsDataSourceCondition called
getBeanNamesForType(Class) which could trigger unwanted initialization
of lazy init singletons and objects created by FactoryBeans.
This commit updates DevToolsDataSourceCondition to prohibit eager
init when getting the names of the beans of a particular type.
Fixes gh-20430
This commit changes uses of ClassLoader.loadClass to Class.forName for
consistency with what was initiated in #19342 and better compatibility
with GraalVM.
Closes gh-19824
Update all dependencies declarations to use the form `scope(reference)`
rather than `scope reference`.
Prior to this commit we declared dependencies without parentheses unless
we were forced to add them due to an `exclude`.
Replace Gradle single quote strings with the double quote form
whenever possible. The change helps to being consistency to the
dependencies section where mostly single quotes were used, but
occasionally double quotes were required due to `${}` references.
This paves the way for publishing Gradle module metadata once the
problem caused by snapshot versions and our two-step publication
process has been addressed.
See gh-19609
This reverts commit b34a311d02 as,
having disabled the publishing of Gradle's module metadata (4f75ab5),
the changes are no longer needed.
See gh-19609
Previously, enforcedPlatform dependencies were using to pull in the
constraints defined in spring-boot-dependencies and
spring-boot-parent and applied them strictly so that the constrained
version had to be used. This worked as intended in Spring Boot's own
build but incorrectly enforced those same strict version requirements
on external consumers of Spring Boot's modules.
This commit reworks how Spring Boot defines its internal dependency
management so that platform dependencies are exposed to external
consumers while enforced platform dependencies are using internally.
See gh-19609
Previously, Maven's default behaviour was relied up which resulted
in the artifact ID being appended to each URL as it was inherited.
This behaviour can only be disabled in Maven 3.6 and later, a version
that we cannot use due to an incompatibility with the Flatten Plugin.
This commit works around Maven's default behaviour by defining
properties for the SCM URL, connection, and developer connection and
then explicitly defining the settings in each pom using these
properties. The explicit definition of the properties in each pom
prevents them being inherited from the parent, thereby disabling the
unwanted appending of the artifact ID to the URL.
Fixes gh-18328
This commit makes sure that any subsequent call on addProtocolResolver
on the context will impact the ResourceLoader implementation that
DevTools sets on the context.
This makes sure that any custom ProtocolResolver that is set later in
the lifecycle is taken into account.
Closes gh-17214
Meta-annotate `ClassPathExclusions` and `ClassPathOverrides` with
so that the `ModifiedClassPathExtension` no longer needs to be
used directly.
See gh-17491
Apply checkstyle rule to ensure that private and package private
classes do not have unnecessary public methods. Test classes have
also been unified as much as possible to use default scoped
inner-classes.
Closes gh-7316
Since the move to JUnit 5, a number of tests were failing on Windows.
The majority were failing due to open file handles preventing the
clean up of the tests' temporary directory. This commit addresses
these failures by updating the tests to close JarFiles, InputStreams,
OutputStreams etc.
A change has also been made to CachingOperationInvokerTests to make
a flakey test more robust. Due to System.currentTimeMillis() being
less precise on Windows than it is on *nix platforms, the test could
fail as it would not sleep for long enough for the TTL period to have
expired.
As of spring-projects/spring-hateoas#854, Spring HATEOAS is not relying
on Objenesis anymore and removed the cache that was being used for it.
This commit removes the support for clearing that cache when running an
application with Devtools enabled.
See gh-16833
This commit migrates `AnnotationConfigReactiveWebApplicationContext`
parent to the `GenericApplicationContext` abstraction. Any use of
`AnnotationConfigWebApplicationContext` is also removed as it also
inherits from the `AbstractRefreshableApplicationContext` outdated
hierarchy.
A new `AnnotationConfigServletWebApplicationContext` context is
introduced instead, extending from `GenericApplicationContext` and
providing the counter part of the reactive context for the Servlet-based
web app tests.
See gh-16096
Previously, DevTools would retry the upload of the changes to an
application in the event of a ConnectException. If a different
network-level failure occurred, it would not be retried and would
cause the file watching thread to die.
This commit attempts to make things more robust by retrying all
SocketExceptions and not just ConnectExceptions. A warning is
logged when a failure occurs. A separate debug message that
includes the exception is also logged.
Closes gh-10317