jersey-spring3 has a transtive dependencies on HK2’s bean-validator
module that embeds JBoss Logging, Hibernate Validator, and Classmate
without repackaging them. This makes it impossible to control the
version of those three libraries that will be used without relying on
classpath ordering.
This commit excludes the bean-validator dependency from jersey-spring3.
The Jersey starter already depends on our Validation starter which
pulls in the proper, and controllable, version of the three
dependencies listed above so users of our starters will be unaffected.
Closes gh-4186
Previously, no `errors` attribute is made available in the standard JSON
error document if a request body object is invalid. This is due to the
fact that the framework throws a `MethodArgumentNotValidException holding
a `BindingResult` object that was not detected.
We now make sure to extract the `BindingResult` from such exception.
Closes gh-4166
Previously, EndpointWebMvcChildContextConfiguration would attempt to
create a /error endpoint, irrespective of whether or not the parent
had such an endpoint. If the endpoint was disabled in the parent this
would cause a failure due to the absence of an ErrorAttributes bean.
This commit updates EndpointWebMvcChildContextConfiguration to make
the creation of its /error endpoint conditional on the existence of
an ErrorAttributes bean.
Closes gh-4164
Previously, SecurityFilterAutoConfiguration would be created even if
spring-security-web was not on the classpath. This didn't cause a
failure as all of its beans were disabled. It was, however, wasteful,
as the configuration class was processed and a bean created for it
unnecessarily.
This commit makes the whole class conditional on the presence of
spring-security-web so that it will be skipped entirely when the
dependency is not available.
Closes gh-4160
This commit adds dependency management for Cassandra Driver’s three
modules. The version is the latest maintenance release of the minor version that’s used by Spring Data Cassandra in the Spring Data Gosling release train.
Closes gh-4167
Add an `excludeDevtools` property to both the Maven and Gradle plugin
that removes `org.springframework.boot:spring-boot-devtools` (if
necessary) when repackaging the application.
Closes gh-3171
Update SecurityFilterAutoConfiguration to use a DelegatingFilterProxy
filter rather directly referencing the springSecurityFilterChain bean.
Using a DelegatingFilterProxy helps to prevent early initialization of
beans and makes Spring Security work in a similar to way to if were
installed in a regular WAR deployment.
Fixes gh-4154
Spring Boot will eagerly initialize a `ConversionService` named
`conversionService` for configuration keys processing. This commit adds
a note in the documentation regarding that special behaviour.
Closes gh-4162
Spring Security 4’s default configuration will, irrespective of any
other header writers that are added, enable writers for the following
headers:
- X-Content-Type
- X-XSS-Protection
- Cache-Control
- X-Frame-Options
Previously, SecurityProperties.headers used false as the default for the
properties that enable or disable these headers but the configuration is
only applied when the properties are true. This left us with the right
default behaviour (the headers are enabled) but meant that the
properties could not be used to switch off the headers.
This commit changes the defaults for the four properties to true and
updates SpringBootWebSecurityConfiguration to only apply the
configuration when the properties are false. This leaves us with the
desired defaults while allowing users to disable one or more of the
properties by setting the relevant property to false.
Closes gh-3517
So far we have wrongly advertized that the `spring-boot-starter-parent`
filters application configuration in such a way that standard Spring
placeholders are not processed.
In order to achieve such feature, the `useDefaultDelimiters` property
must be set to `false` as otherwise default delimiters are appended to
the list of custom delimiters.
This property is not enabled so that only keys surrounded by `@` are
filtered by the build.
Closes gh-3092
The second level cache of Hibernate can be configured with dedicated
factories that look up for the presence of a cache infrastructure. As
Hibernate shouldn't have to know about Spring, that lookup is done
against the respective proprietary APIs.
We now make sure that caching (and the general purpose Hazelcast
auto-configuration) is fully processed before JPA kicks in. In particular
an explicit `dependsOn` attribute on those beans is added when they are
processed.
Closes gh-4158
Update ConfigFileEnvironmentPostProcessor to load profile specific
sections for all previously processed profiles. Prior to this commit
multi-profile YAML files were only loaded from the root
`application.yml` file.
With the updated logic, an `application-test.yml` file containing the
following:
someTestProperty: xyz
---
spring:
profiles: profile1
specificProperty: one
Can have the profile sub-document loaded using:
-Dspring.profiles.active=test,profile1
Fixes gh-4132
Prior to 8.0.28 Tomcat required the key store and trust store (if any)
to be available directly on the filesystem, i.e. classpath: resources
would not work. Tomcat 8.0.28 removed this limitation.
This commit updates to Tomcat 8.0.28, updates the tests to verify
the new Tomcat capability and removes the obsolete documentation of
the restriction.
Closes gh-4048
Previously, the parent context was only considered when the builder
was used to run the application. If the application was built using
the builder and then run using SpringApplication.run, the parent
context was not considered.
This commit updates the builder to consider the parent both when it's
used to run the application and when it's used to build the
application that will later be run via SpringApplication.run
Closes gh-4014
When the actuator is enabled, Spring Boot provides two `MBeanExporter`
bean definitions: a general purpose one and a dedicated one for Actuator
endpoints.
This commit flag the general purpose one `@Primary` so that component
can safely inject it by type if necessary. In particular, this fix the
doc of the `JmxMetricWriter`.
Closes gh-4007
Andy Wilkinson
Stephane Nicoll
izeye
Phillip Webb