This is quite a big step, but I think it helps a lot. Since Spring
Boot always creates an AuthenticationManager if it doesn't find one
already registered, it makes sense to also make it into a @Bean.
Spring Security does not register its AuthenticationManager by
default though, so we have to do that for it if the user has created
one with an @Autowired AuthenticationManagerBuilder, but not registered
it as a @Bean.
Having the @Bean (marked @Primary to prevent issues with @Autowired)
makes it easier to reason about what Spring Boot has done for you, and
easier to default in simple use cases to the boot-created
AuthenticationManager. For example, if I want an OAuth2 Authorization
Server with password grant, it makes total sense for the
AuthenticationManager for users to be the same as the @Primary one.
Now it is easy to set that up (just @Autowire it).
...bean with no explicit @Bean DispatcherServlet. We still have to check
by bean name (slightly unfortunate, but we need to avoid instantiating
too early) so there's now another magic
bean name for the registration bean ("dispatcherServletRegistration")
that the user has to replace if he wants the registration without
defining a servlet @Bean
Fixes gh-482
Rename ConfigurableEmbeddedServletContainerFactory to
ConfigurableEmbeddedServletContainer and extract
AbstractConfigurableEmbeddedServletContainer from
AbstractEmbeddedServletContainerFactory.
There's no explicit support for older Servlet specs in Spring Boot,
but we can at least make it easy for others to provide such
support by not adding stuff to the context when in an older container.
Some assumptions were being made in tests, e.g. about
there being an AuthenticationManager @Bean, which were
false with the new Security 3.2.1 updates from Rob.
Also parent-child contexts with the actuator were
problematic because they didn't exclude the web configuration
for the management security in the parent context.
Fixes gh-244
Also change strategy for defaulting of Authentication. Spring
Boot authentication defaults are now encapsulated and can easily
be overridden by a user defined AuthenticationManager.
The existing behaviour of JobLauncherCommandLineRunner was really too
basic. It has now been enhanced (at the expense of duplicating a lot
of code in Spring Batch it seems) to automatically increment job
parameters if it can, and to retry a failed or stopped execution
if it can (without incrementing, but with additional job parameters
added from command line if they are non-identifying).
The JobLauncherCommandLineRunner is more extendable and exposes
its DI wiring points now as well, so hopefully users can make
use of it independently of autoconfig (by providing a @Bean of
that type).
Not everything from the wishlist in gh-325 is implememented yet,
but it should be a good platform to work with and to extend.
Better even than logging would be to fail fast? Surely it's a
mistake not to have any /templates if Thymeleaf is in use.
User can disable failfast by exlcuding thymeleaf configuration
or by providing their own ITemplateResolver.
Fixes gh-294
User can switch the behaviour on and off with
spring.datasource.continueOnError:true|false. I decided
not to add an extra nested level of property resolution
because of the existing spring.datasource.schema
(and other properties relating to initialization) because
concision seemed like a good thing with those more common
settings.
Fixes gh-374
The DispatcherServletAutoConfiguration had a condition on it that
meant it wasn't used at all if there was no EmbeddedServletContainerFactory.
It's amazing that any WAR ever deployed.
Also added some info logging to servlet and filter registrations.
Update OnBeanCondition to attempt to consider FactoryBean classes
for bean type matches. To ensure early instantiation does not occur, the
object type from the FactoryBean is deduced by resolving generics on the
declaration.
Fixes gh-355
Update AbstractRepositoryConfigurationSourceSupport to use the newly
introduced RepositoryConfigurationDelegate instead of effectively
reimplementing Spring Data Commons functionality which was prone to
changes in the API (code that wasn't considered to be API in the first
place).
Switch from implementing BeanClassLoaderAware to ResourceLoaderAware
to avoid having to set up a DefaultResourceLoader which should also
improve IDE integration.
Fixes gh-236
Disable Mongo auto-configuation when @EnableMongoRepositories is used
and adapt the test helper classes accordingly.
Change the property prefix and dependency management version property
from `...mongo` to `...mongodb` for consistency with Spring Data.
Fixes gh-315
Update SpringApplication so that ApplicationListener and
ApplicationInitializer methods must be called separately. This helps
to prevent unexpected side effects when calling the setters and
also encourages separation of concerns.
The few situations where a class was both an ApplicationInitializer
and ApplicationListener are now handled by registering an inner
listener from the `initialize` method.
BeanFactory.getBean() already looks in the parent context
so we have to be careful and not use the parent when locating
the report singleton
Fixes gh-290
Spring Boot provides a default AuthenticatiomManager for getting
started quickly with security and never exposing insecure
endpoints. To override that feature as users move to the next
stage in their project, they may have to do something slightly
different depending on whether it is a webapp or not.
In any app (web or not), providing a @Bean of type
AuthenticationManager always works, but you don't get the benefit of
the builder features.
In a webapp the user can also extend WebSecurityConfigurerAdapter
to provides a custom AuthenticationManager, and the preferred
way of doing that is via a void method that is autowired with an
AuthenticationManagerBuilder. The default AuthenticationManager is
built in a configurer with @Order(LOWEST_PRECEDENCE - 3) so
to override it the user's confugrer must have higher precedence
(lower @Order).
@EnableGlobalMethodSecurity can also be used in a non-webapp, and
Spring Boot will still provide a default AuthenticationManager.
To override it the user has to either extend
GlobalMethodSecurityConfiguration or provide a @Bean of type
AuthenticationManager (there's no other way to
capture the AuthenticationManagerBuilder that doesn't happen too late
in the beans lifecyle).
Fixes gh-244
If any @Import (or @Enable*, especially @EnableScheduling) has registered
bean *names* as ApplicationListeners, and the application context wasn't
refreshed fully when it failed, then the listener lookup could fail and
mask the original exception
Fixes gh-253
Upgrade to Tomcat 7.0.50, working around the potential
NullPointerException by also adding dependencies to
tomcat-embedded-jasper (which is now also required for Hibernate
Validator 5.0, see commit 377953babd)
Fixes gh-245
Update the 'default' package used for @Entity and Repository scanning
to be the package of the class annotated with @EnableAutoConfiguration
rather than using @ComponentScan.
This allows JPA and Spring Data to be used without requiring component
scanning and also removes the confusion that could arise from reusing
the @ComponentScan annotation, which already has well defined semantics.
Fixes gh-200
Refine the `AutoConfigurationReportLoggingInitializer` log level to
only display the information about enabling debug if the debug level
if not on.
Fixes gh-199
Update the `AutoConfigurationReportLoggingInitializer` to only output
the report at debug level. A crash report now triggers an info output
suggesting the user runs again with '--debug' to display the report.
Fixes gh-199
Add a new `SpringNamingStrategy` hibernate `NamingStrategy` that
extends `ImprovedNamingStrategy` to improve the name of foreign
key columns.
Fixes gh-213
Instead of adding active prpfiles for every one we encounter, we need to
build up a complete "default" Environment and then ask it what the active
profiles are. Implemented in ConfigFileApplicationListener.
Fixes gh-198
Phillip Webb
Dave Syer
Piotr Maj
Andy Piper
Josh Long
Spring Buildmaster
Rob Winch
Oliver Gierke
hoserdude
Christian Dupuis
Jakub Kubrynski
Christopher Smith
Andy Wilkinson