This commit removes auto-configuration support for Spring Security
OAuth, paving the way for the introduction of auto-configuration for
Spring Security 5's new OAuth-related features.
Closes gh-10255
This commit improves the Spring Session sample by providing multiple
build profiles that make it possible to easily try out different session
stores. By default, JDBC session store backed by an in-memory embedded H2
database is used.
See gh-10351
This commit combines security autoconfigurations for
management endpoints and the rest of the application. By default,
if Spring Security is on the classpath, it turns on @EnableWebSecurity.
In the presence of another WebSecurityConfigurerAdapter this backs off
completely. A default AuthenticationManager is also provided with a user
and generated password. This can be turned off by specifying a bean of
type AuthenticationManager, AuthenticationProvider or UserDetailsService.
Closes gh-7958
This commit replaces the Acuator's support for hypermedia with a
single endpoint that returns HAL-formatted links to all of the
available endpoints. This is done without requiring Spring HATEOAS
to be on the classpath in a similar manner to the existing
CloudFoundry discovery endpoint.
Closes gh-9901
This commit raises the minimum supported version of Thymeleaf to
3.0.x. It also upgrades Spring Social to a version that is compatible
with Thymeleaf 3.
Closes gh-7450
Closes gh-6258
See gh-7885
Update `ManagementWebSecurityAutoConfiguration` to match nested path
for insensitive actuators.
Prior to this commit, when Spring Security was on the classpath
nested paths were considered sensitive (even if the actuator
endpoint was not sensitive). i.e. when setting
`endpoints.env.sensitive=false` `/env` could be accessed without
authentication but `/env/user` could not.
Fixes gh-7868
Closes gh-7881
The default is now SecurityProperties.ACCESS_OVERRIDE_ORDER-1
(instead of 3), and the user can set it with
security.oauth2.resource.filter-order (as opposed to being hard
coded). The filter is provided by Spring OAuth2 so this change is
a BeanPostProcessor to call a setter on that object.
Fixes gh-5072
Update `JettyEmbeddedServletContainerFactory` to support Jetty 9.4
directly and Jetty 9.3 via reflection. The primary difference between
Jetty 9.3 and 9.4 are the session management classes. Websocket suppport
has also been updates, but this is handled transparently by the
Spring Framework support.
Fixes gh-7599
This commit promotes the plugin dependency management for the
`maven-enforcer-plugin` and `maven-invoker-plugin` to the root. That way
these can be used in samples as well rather than having a separate copy.
Closes gh-7517
Update `ManagementServerProperties` so that `security.sessions` no
longer uses `SessionCreationPolicy` from Spring Security. We now
use our own enun which allows `management.security.*` properties to
be set without the risk of a `ClassNotFoundException`.
Fixes gh-3888
Update dependency management to exclude commons-logging and add
an enforcer rule to spring-boot-samples to try and prevent unwanted
commons-logging dependencies from sneaking back in again.
Closes gh-7067