Commit Graph

36 Commits (63232b9bc244fef7dd5d45a0995221563d8d1959)

Author SHA1 Message Date
Andy Wilkinson b871a1e457 Merge branch '2.7.x' 3 years ago
Andy Wilkinson 48f8021d88 Migrate @Local*Port annotations to spring-boot-test
Closes gh-29589
3 years ago
Madhura Bhave 48a6470ddb Merge branch '2.7.x' into main 3 years ago
Madhura Bhave d9d161cd6b Allow previously authorized users to access the error page
Prior to this commit, the `ErrorPageSecurityFilter` verified if
access to the error page was allowed by invoking the
`WebInvocationPrivilegeEvaluator` with the Authentication from the
`SecurityContextHolder`.
This meant that access to the error page was denied for a `null` Authentication
 or `AnonymousAuthenticationToken` in cases where the error page required
authenticated access. This prevented authorized users from accessing the
error page in case the Authentication wasn't retrievable for the error dispatch,
which is the case for `@Transient` authentication or stateless session policy.

This commit updates the `ErrorPageSecurityFilter` to check access to the error page
only if the error is an authn or authz error in cases where an authentication object
is not found in the SecurityContextHolder. This makes the error response consistent
when bad credentials or no credentials are used while also allowing access to previously
authorized users.

Fixes gh-28953
3 years ago
Andy Wilkinson fe7b13ec46 Upgrade to Spring Framework 6 and Jakarta EE 9
Closes gh-28619
Closes gh-28620
Closes gh-28621
Closes gh-28622
Closes gh-28623
Closes gh-28624
Closes gh-28625
Closes gh-28626
Closes gh-28627
Closes gh-28628
Closes gh-28629
Closes gh-28630
Closes gh-28631
Closes gh-28632
Closes gh-28633
Closes gh-28634
Closes gh-28635
Closes gh-28636
Closes gh-28638
Closes gh-28639
Closes gh-28640
Closes gh-28644
Closes gh-28645
Closes gh-28650
Closes gh-28711
Closes gh-28866
Closes gh-28867
Closes gh-28868
Closes gh-28872

See gh-28641
See gh-28642
See gh-28643
See gh-28646
See gh-28647
See gh-28648
See gh-28649
See gh-28721
See gh-28869
See gh-28871
3 years ago
Andy Wilkinson 85f9949513 Remove support for Jolokia
Closes gh-28704
3 years ago
Phillip Webb beb68671bb Update copyright year of changed files 3 years ago
Phillip Webb b6d0b44703 Fix @SuppressWarnings 3 years ago
Madhura Bhave dd1d1482dc Deny unauthorized access to the error page
Fixes gh-26356

Co-authored-by Andy Wilkinson <wilkinsona@vmware.com>
3 years ago
Andy Wilkinson 5e4a502b2d Merge branch '2.4.x' into 2.5.x
Closes gh-28661
3 years ago
Andy Wilkinson 2cec3971d7 Prohibit unwanted dependencies in all modules not just starters
Closes gh-28658
3 years ago
Andy Wilkinson db781a0d84 Merge branch '2.4.x'
See gh-25077
4 years ago
Andy Wilkinson 788a42d694 Merge branch '2.3.x' into 2.4.x
See gh-25076
4 years ago
Andy Wilkinson 67479b6380 Add junit-platform-launcher dependency by convention
Closes gh-25074
4 years ago
Phillip Webb d8b6960997 Merge branch '2.4.x'
Closes gh-25077
4 years ago
Phillip Webb 257608a3a3 Merge branch '2.3.x' into 2.4.x
Closes gh-25076
4 years ago
Phillip Webb 939b5dfc26 Add junit-platform-launcher dependency
Update `build.gradle` files to ensure that `junit-platform-launcher` is
a `testRuntimeOnly` dependency. This ensures that tests can be run from
Eclipse.

Closes gh-25074
4 years ago
Phillip Webb c9a2c4e326 Merge branch '2.4.x' 4 years ago
Hatef Palizgar 53c1e79810 Change info endpoint to be secure and unexposed by default
See gh-24715
4 years ago
izeye 5e3f618f9d Polish
See gh-24604
4 years ago
Madhura Bhave 0818f27f44 Configure WebSecurity using WebSecurityCustomizer
Replace `WebSecurityConfigurer` and `WebSecurityConfigurerAdapter`
configurations with `WebSecurityCustomizer` or `SecurityFilterChain`
beans.

Closes gh-23421
4 years ago
Andy Wilkinson 10f887a5ad Introduce management base-path property for servlet and reactive actuator
Previously, the base path of a servlet-based management server could be
configured using management.server.servlet.context-path but there was no
equivalent property for WebFlux.

This commit introduces a new property, management.server.base-path,
that can be used with both servlet and reactive management servers. The
existing servlet-specific property has been deprecated in favour of the
new general property. When using the servlet stack, if both the general
property and the servlet-specific property are set, the new general
property takes precedence. When using the reactive stack, only the new
general property is considered.

Closes gh-22906
4 years ago
Andy Wilkinson 4fdd1a64c9 Merge branch '2.2.x' into 2.3.x
Closes gh-21718
5 years ago
Andy Wilkinson 1a52009cfb Migrate CustomServletPathSampleActuatorTests to JUnit Jupiter
Closes gh-21717
5 years ago
Scott Frederick a30740f8d2 Separate server properties for message and errors
Prior to this commit, there was a property server.error.include-details
that allowed configuration of the message and errors attributes in a
server error response.

This commit separates the control of the message and errors attributes
into two separate properties named server.error.include-message and
server.error.include-binding-errors. When the message attribute is
excluded from a servlet response, the value is changed from a
hard-coded text value to an empty value.

Fixes gh-20505
5 years ago
Scott Frederick 70d4994502 Disable exception details on default error views
Prior to this commit, default error responses included the message
from a handled exception. When the exception was a BindException, the
error responses could also include an errors attribute containing the
details of the binding failure. These details could leak information
about the application.

This commit removes the exception message and binding errors detail
from error responses by default, and introduces a
`server.error.include-details` property that can be used to cause
these details to be included in the response.

Fixes gh-20505
5 years ago
Phillip Webb e0013454b5 Use parentheses when declaring dependencies
Update all dependencies declarations to use the form `scope(reference)`
rather than `scope reference`.

Prior to this commit we declared dependencies without parentheses unless
we were forced to add them due to an `exclude`.
5 years ago
Phillip Webb 0209cd3e4c Polish quote form used in Gradle scripts
Replace Gradle single quote strings with the double quote form
whenever possible. The change helps to being consistency to the
dependencies section where mostly single quotes were used, but
occasionally double quotes were required due to `${}` references.
5 years ago
Andy Wilkinson abbad9973a Polish smoke tests' Gradle configuration 5 years ago
Andy Wilkinson ce99db1902 Port the build to Gradle
Closes gh-19609
Closes gh-19608
5 years ago
Madhura Bhave 2726540e76 Merge branch '2.1.x'
Closes gh-17980
5 years ago
Stephane Nicoll 4d21efcc0a Remove outdated comment in smoke tests
Closes gh-17741
5 years ago
Phillip Webb 6675f49334 Switch to multi-line security configuration
Now that we have lambda style security configuration we can further
improve readability by switching to one statement per line.

See gh-17525
5 years ago
Madhura Bhave 39a7b9da38 Switch to lambda style security configuration
Closes gh-17525
5 years ago
Phillip Webb a9ba7080ce Merge branch '2.1.x' 5 years ago
Madhura Bhave d9466f5659 Move smoke tests under spring-boot-test
See gh-17393
5 years ago