Prior to this commit, the GraphQL schema assembled by the
auto-configuration would provide no option for disabling the field
introspection.
While this feature is essential for many tools (including GraphiQL),
some prefer disabling it because this allows clients to gather
information about types and schema easily. This commit introduces a new
`spring.graphql.schema.introspection.enabled` configuration property.
Because potential attackers can still gather this information and this
feature is a core concern in the GraphQL spec, introspection is enabled
by default for Spring Boot applications.
Closes gh-29248
This commit configures security features for Spring GraphQL.
In the case of both MVC and WebFlux, this contributes
`DataFetcherExceptionResolver` instances to resolve security exceptions
and expose them as proper errors in the GraphQL response.
For MVC only, this also configures a
`SecurityContextThreadLocalAccessor`. This component ensures that the
security context is propagated between `ThreadLocal` and the Reactor
asynchronous execution.
See gh-29140
This commit auto-configures a GraphQL WebSocket endpoint for both Spring
MVC and Spring WebFlux. This is only enabled if the required libraries
are on the classpath and if the `"spring.graphql.websocket.path"`
property is defined.
See gh-29140
Spring GraphQL ships with a static version of the graphiql IDE for
exploring and querying GraphQL endpoints.
See https://github.com/graphql/graphiql for more information.
This commit auto-configures the GraphiQL handler for both MVC and
WebFlux and points GraphiQL to the GraphQL HTTP endpoint exposed by the
application. This feature is disabled by default and can be switched on
with "spring.graphql.graphiql.enabled=true".
See gh-29140
This commit configures a new endpoint for printing in text format the
resolved GraphQL schema.
This endpoint is exposed by default under "/graphql/schema" and must be
enabled with "spring.graphql.schema.printer=true".
See gh-29140
This commit adds two new auto-configuration classes for Spring GraphQL
support. Once the base GraphQL infrastructure is in place, we can now
expose the `GraphQlService` over an HTTP transport.
Spring GraphQL supports both MVC and WebFlux, so this commit ships with
one auto-configuration for each.
Developers can configure the HTTP path where the GraphQL resource is
exposed using the `spring.graphql.path` configuration property (this
defaults to `"/graphql"`).
See gh-29140
This commit adds a new `FailureAnalyzer` for exceptions thrown when no
GraphQL schema file could be found.
This lists configured locations (with `"classpath:..."` notation) and
also resolved locations - this helps developers figure out how the
patterns are resolved and why schema files cannot be found.
See gh-29140
This commit adds the auto-configuration for setting up the base Spring
GraphQL infrastructure. Because GraphQL doesn't depend on any particular
transport, we must have a separate configuration for creating:
* the `GraphQlSource`, which holds the schema and the `GraphQL` instance
* the `GraphQlService` for executing incoming requests
* the `BatchLoaderRegistry` for batch loading support
* the `AnnotatedControllerConfigurer` for supporting the annotated
controllers programming model
This comes with a starting point for the `"spring.graphql.*"`
configuration properties; we can now configure the locations and file
extensions of GraphQL schema files we should load and configure at
startup.
See gh-29140
This commit maps the `server.servlet.session.cookie.same-site`
configuration property to the `DefaultCookieSerializer` bean configured
in the Spring Session auto-configuration.
See gh-28784
Update `ErrorPageSecurityFilterConfiguration` to guard against the case
where `spring-security-core` is on the classpath but
`spring-security-web` is not.
Fixes gh-28774
This commit exposes the RestClientBuilder as a bean even when the
RestHighLevelClient is not available. It allows users to create their
own RestClient beans using the Spring Boot configured RestClientBuilder
when they are not using the RestHighLevelClient.
Fixes gh-28655
Bean post-processors only apply to the context in which they're
registered. ValidationAutoConfiguration will only auto-configure the
MethodValidationPostProcessor if the post-processor is missing from
the current context and any of its ancestors. If an ancestor context
contains the post-processor it will not be auto-configured and the
descendant context will not have method validation configured.
This commit updates the auto-configuration to limit the search for
an existing MethodValidationPostProcessor bean to the current
context.
Fixes gh-27890
Update Tomcat, Jetty and Undertow `ServletWebServerFactory`
implementations so that they can write SameSite cookie attributes.
The session cookie will be customized whenever the
`server.servlet.session.cookie.same-site` property is set.
Other cookies can be customized with the new `CookieSameSiteSupplier`
interface which can be registered using `@Bean` methods.
Closes gh-20971
Co-authored-by: Andy Wilkinson <wilkinsona@vmware.com>
Relocate the recently introduced `spring.webflux.session` properties
to `server.reactive.session` and create a unified `Cookie` properties
class.
Reactive session properties now mirror the existing
`server.servlet.session` properties and better reflect the fact that
they are related to the server and not just for WebFlux.
See gh-26714
Fix `WebFluxAutoConfigurationTests` following upstream Spring Framework
changes. Also refine `WebMvcAutoConfigurationTests` to check the locations
are set even if they are filtered.
See gh-28223
The `spring.integration.poller.fixed-rate` property must be set to the
constructor of the `PeriodicTrigger` and its `fixedRate` flag should be
set to `true`. The current code-base has it exactly opposite: the flag
is set to `true` when `fixed-delay` is provided.
* Fix `IntegrationAutoConfiguration.asTrigger()` method for the proper
`fixedRate` setting logic.
* Cover the change with a new test-case
* Add a message handling verification to the `defaultPoller()` test to
be sure that poller auto-configuration works as it is claimed.
See gh-28237
Spring Framework will filter non-existent locations from any configured
static resource handlers starting with 5.3.11. Tests that verify
static resource locations should account for this change.
See gh-28223
When polling consumers or source polling channel adapters are used in
Spring Integration applications, they require some polling policy to
be configured.
This commit auto-configures a PollerMetadata bean which is customized
via newly added `spring.integration.poller.*` configuration
properties or overridden completely by a user-defined bean.
See gh-27992
Previously, the detector for AbstractDataSourceInitializers used the
default detector order. This resulted in the detected
initializers running before Flyway. Contrastingly, the detector for
DataSourceScriptDatabaseInitializers uses a custom order so its
detected initializers would run after Flyway.
This commit aligns the order of the detector for
AbstractDataSourceInitializers with the order of the detector for
DataSourceScriptDatabaseInitializers. This ensures that script-based
initialization runs in the same order with respect to Flyway,
irrespective of which initializer implementation is driving it.
Fixes gh-28079
Previously, a number of Elasticsearch properties were duplicated
across the spring.elasticsearch.rest and
spring.data.elasticsearch.client.reactive prefixes for configuring
the blocking REST client provided by Elasticsearch and the reactive
client provided by Spring Data respectively. This could cause
problems when using the Elasticsearch REST client configured with
a custom spring.elasticsearch.rest.uris. If Spring WebFlux (to make
use of WebClient) and Spring Data Elasticsearch were on the classpath,
the reactive Elasticsearch Client would be autoconfigured but it
would use the default value of its analogous
spring.data.elasticsearch.client.reactive.endpoints property. It
would be unable to connect, causing a startup failure.
This commit consolidates the configuration properties where possible.
Each setting that is common across the two clients is now configured
using a single, shared spring.elasticsearch property. Each setting
that is specific to the blocking REST client or the WebClient-based
reactive client now has a prefix of spring.elasticsearch.restclient
and spring.elasticsearch.webclient respectively.
The old properties beneath spring.elasticsearch.rest and
spring.data.elasticsearch.client.reactive have been deprecated. If
any deprecated property is set, all of the new properties are
ignored. In other words, to migrate to the new properties, each usage
of a now-deprecated property must be updated to use its new
replacement instead.
Closes gh-23106
`ErrorHandler/BatchErrorHandler` will be deprecated in a future release
in favor of `CommonErrorHandler`. Currently, the legacy handlers are
adapted to a `CommonErrorHandler` or ignored if a `CommonErrorHandler`
is configured.
See gh-27927
Previously, when the preferred json mapper was set to Gson, the Gson
HTTP message converter was added before any other converters. This
changed the form of String responses that were already valid. When
Jackson is in use, a string converter is used as it appears earlier
in the list than the Jackson converter. When the mapper is switched
to Gson, the Gson converter is added first in the list of converters
and the String converter is no longer used. This results in the
String, that was already valid JSON, being converted again. This
changes its form as quotes are escaped, etc.
This commit updates HttpMessageConverters so that the Gson converter
is added to the list immediately before the default Jackson
converter. This is done by considering the Gson converter to be an
equivalent of the Jackson converter.
Fixes gh-27354
This is a follow-on from 3fec4110 which only considered
BatchDataSourceInitializer as a possible initializer of Batch's
database schema. Flyway and Liquibase are now also considered.
Closes gh-27193
Prior to this commit, `NettyProperties` would use `DISABLED` as the
default level for leak detection in Netty. This is not the default value
enforced by Netty, which is `SIMPLE`.
This commit changes the default configuration property value and ensures
that both stay in sync.
Fixes gh-27046
The auto-config requires Spring JDBC for DataSource creation from
spring.flyway.url or spring.liquibase.url, checking Flyway migrations
exist, etc. Without it, the application fails to start due to missing
spring-jdbc classes.
This commit updates the auto-config so that it backs off in the
absence of spring-jdbc.
Closes gh-26849