Update CloudFoundrySecurityService so that SSL validation is not
required. We're unlikely to have configured public keys for the
REST endpoints we need to call. Since the endpoints are provided via
environment variables we can implicitly trust them.
See gh-7108
Add security to Cloud Foundry actuator endpoints. Security is enforced
by a `HanderInterceptor` on `CloudFoundryEndpointHandlerMapping`. Each
endpoint call expects an 'Authorization' header containing a bearer
token. The token signature is checked against the UAA public keys then
passed to the Cloud Controller to obtain an ultimate access level.
The client may either have 'RESTRICTED' or FULL' access, with the latter
only providing access to a limited set of endpoints.
See gh-7108
Update `ManagementServerProperties` so that `security.sessions` no
longer uses `SessionCreationPolicy` from Spring Security. We now
use our own enun which allows `management.security.*` properties to
be set without the risk of a `ClassNotFoundException`.
Fixes gh-3888
Previously, if an exception was thrown during request handling after
the response had been committed, i.e. after the status and headers
had been written, the metrics filter would assume that it was a 500
response. This was potentially inaccurate as the status had already
been sent to the client and before the exception was thrown and it
may have been something other than a 500.
This commit updates MetricsFilter so that it will use the
status from the response if the response has been committed even when
an exception is thrown.
Closes gh-7277
Add `LoggersEndpoint` that can enables listing and configuration of log
levels. This actuator builds on top of the `LoggingSystem` abstraction
and implements support for Logback, Log4J2, and JUL. The LoggingSystem
interface is modified to require each implementation to list the
configuration of all loggers as well as an individual logger by name.
The MVC endpoint exposes these behaviors at `GET /loggers` and
`GET /loggers/{name}` (much like the metrics actuator).
In addition `POST /loggers/{name}` allows users to modify the level for a given
logger. This modification is passed to the logging implementation, which
then decides, as an internal implementation detail, what the final outcome
of the modification is (e.g. changing all unconfigured children). Users
are then expected to request the listing of all loggers to see what has
changed internally to the logging system.
Closes gh-7086
Update EndpointHandlerMapping so that it can be subclasses easily.
Subclasses can override the `path` that is used to map the endpoint,
allowing different mapping strategies to be used.
See gh-7108
Introduce a new NamedMvcEndpoint interface which can be used when an
MvcEndpoint also has a logical name. Existing MvcEndpoints have been
reworked to implement the NamedMvcEndpoint interface.
Fixes gh-7156
Remove EndpointWebMvcManagementContextConfiguration `disabled` logic
since the configuration should even be processed when the management
port is `-1`.
Closes gh-7154
In addition, dependency management for `hazelcast-hibernate5` module has
been added, and a separate dependency version was introduced for
`hazelcast-hibernate4` module.
Closes gh-7023
This commit enables compatibility build against Spring Framework 5.
The Velocity and Guava support that are deprecated in the 1.x line have
been removed and few other classes contain minor change to comply to non
backward compatible changes in Spring Framework 5.
This commit also switches the required java version to 8.
Closes gh-6977
Previously, the servlet path was being applied twice. Once by the
code that sets up the DefaultCurieProvider and once by the provider
itself which uses ServletUriComponentBuilder's
fromCurrentServletMapping() to build the application URI.
This commit removes the duplicate logic when creating the
DefaultCurieProvider.
Closes gh-6585
This commit improves the JMS health indicator to identify a broken broker
that uses failover. An attempt to start the connection is a good way to
make sure that it is effectively available.
Closes gh-6818
Update our `ResourceHttpRequestHandler` subclass so that the following
warning is no longer displayed:
"Locations list is empty. No resources will be served unless a
custom ResourceResolver is configured as an alternative to
PathResourceResolver."
Fixes gh-6791
Previously, the HAL browser endpoint did not consider the dispatcher
servlet’s path (server.servlet-path) when redirecting to browser.html
or when updating the API entry point in the served HTML.
This commit moves to using ServletUriComponentsBuilder to build the URI
for the redirect and the path for the entry point. In the interests of
simplicity the logic that sometimes redirected and sometimes forwarded
the request has been changed so that it will always perform a redirect.
Closes gh-6586
Previously, when access logging was enabled and the management server
was running on a separate port, both the main server and the management
server would write their access logs to the same file. Having two
separate containers writing to the same file could cause problems such
as causing log rotation to break.
This commit updates the actuator so that when the management server is
running on a separate port (and therefore using a separate container)
it prepends management_ to the access log prefix so that the main
server and the management server write their access logs to separate
files in the same directory.
Closes gh-6618
Allow an instance of StatsDClient to be injected into the StatsdMetricWriter
which is used for exporting metrics to a Statsd server. This new constructor
allows the client to be injected but does not change the default behavior of
the writer.
Previously, auto-configuration of the Flyway and Liquibase endpoints
would fail if there were multiple Flyway or Spring Liquibase beans
in the application context.
This commit updates them so that they are now conditional on a single
candidate.
Closes gh-6609
Commit b02aba4 has renamed `management.security.role` to
`management.security.roles`. Unfortunately, the `HealthMvcEndpoint`
was still looking at the old property.
This commit makes sure that the proper key is used and any custom
role is applied rather than an unconditional `ADMIN` role.
See gh-6540
Call afterPropertiesSet on the delegate `ResourceHttpRequestHandler`
to prevent an NPE. This change is required for compatibility with
Spring Framework 4.3 following SPR-13834.
Closes gh-6592
Previously, MetricExportAutoConfiguration consumed
ExportMetricWriter-annotated GaugeWriter beans in its constructor and
also produced such a bean from one of its @Bean methods. This cycle
caused a BeanCurrentlyInCreationException to be thrown when the
bean method was active (the spring.metrics.export.statsd.host property
was set).
This commit break the cycle by moving the bean method into a separate,
nested configuration class. It also updates the existing test for
auto-configuration of a Statsd writer to catch any possible cycles
and to verify that the writer has be registered with the
MetricsExporter.
Closes gh-6544