Some assumptions were being made in tests, e.g. about
there being an AuthenticationManager @Bean, which were
false with the new Security 3.2.1 updates from Rob.
Also parent-child contexts with the actuator were
problematic because they didn't exclude the web configuration
for the management security in the parent context.
Fixes gh-244
Requires Loaded 1.1.5 (or better).
For Maven you can just add springloaded to the dependencies of the
spring-boot plugin (and also set MAVEN_OPTS=-noverify).
For Gradle add springloaded to the build dependencies (-noverify
can be added by the plugin).
In both cases there is also support for adding an arbitrary java agent
via configuration. Samples are provided in
spring-boot-sample-[simple,web-ui].
The ApplicationPlugin is only added if there is no JavaExec task
already present, and additionally it computes its own man class if
none is provided. So "gradle run" and "gradle bootRun" look
superficially similar, but "bootRun" has extra options, including
the agent and Loaded support.
Fixes gh-251, gh-183
Detect when an application is running in development (by the presence
of a build file) and automatically add a 'development' profile.
Additional detectors can be developed by implementing the
`ProfileDetector` interface and registering with the `SpringApplication`
Fixes gh-296
Spring Boot provides a default AuthenticatiomManager for getting
started quickly with security and never exposing insecure
endpoints. To override that feature as users move to the next
stage in their project, they may have to do something slightly
different depending on whether it is a webapp or not.
In any app (web or not), providing a @Bean of type
AuthenticationManager always works, but you don't get the benefit of
the builder features.
In a webapp the user can also extend WebSecurityConfigurerAdapter
to provides a custom AuthenticationManager, and the preferred
way of doing that is via a void method that is autowired with an
AuthenticationManagerBuilder. The default AuthenticationManager is
built in a configurer with @Order(LOWEST_PRECEDENCE - 3) so
to override it the user's confugrer must have higher precedence
(lower @Order).
@EnableGlobalMethodSecurity can also be used in a non-webapp, and
Spring Boot will still provide a default AuthenticationManager.
To override it the user has to either extend
GlobalMethodSecurityConfiguration or provide a @Bean of type
AuthenticationManager (there's no other way to
capture the AuthenticationManagerBuilder that doesn't happen too late
in the beans lifecyle).
Fixes gh-244
Add a new `SpringNamingStrategy` hibernate `NamingStrategy` that
extends `ImprovedNamingStrategy` to improve the name of foreign
key columns.
Fixes gh-213
Usage:
$ gradle bootRun
...
Edit files in src/main/resources and see the changes live in a web app
(e.g. static resources in /static).
The old functionality of bootRun has been replaced (since it didn't add
a lot of value and also didn't expose any JMV argument setters of anything).
This new feature set is backed by any existing "run" task configuration.
In addition autodetects a main class if there is one in the project
sources, so no need for mainClassName = '...' in build.gradle.
Applies the 'application' plugin (so no need to declare that either).
Fixes gh-225
Update SpringApplication to run by default in 'headless' mode. This
prevents the AWT system from creating a Java icon (for example in the
OSX dock).
Also update builds to run tests in 'headless' mode.
Long package names are really unnecessary in samples and they
just clutter things up. Also Spring Loaded doesn't work with
org.sfw packages, so to demo that technology you need a
different package name.
Main user-facing interface is still Counter/GaugeService but the
back end behind that has more options. The Default*Services write
metrics to a MetricWriter and there are some variants of that, and
also variants of MetricReader (basic read-only actions).
MetricRepository is now a combination of MetricReader, MetricWriter
and some more methods that make it a bit more repository like.
There is also a MultiMetricReader and a MultiMetricRepository for
the common case where metrics are stored in related (often open
ended) groups. Examples would be complex metrics like histograms
and "rich" metrics with averages and statistics attached (which
are both closed) and "field counters" which count the occurrences
of values of a particular named field or slot in an incoming message
(e.g. counting Twitter hastags, open ended).
In memory and redis implementations are provided for the repositories.
Generally speaking the in memory repository should be used as a
local buffer and then scheduled "exports" can be executed to copy
metric values accross to a remote repository for aggregation.
There is an Exporter interface to support this and a few implementations
dealing with different strategies for storing the results (singly or
grouped).
Codahale metrics are also supported through the MetricWriter interface.
Currently implemented through a naming convention (since Codahale has
a fixed object model this makes sense): metrics beginning with "histogram"
are Histograms, "timer" for Timers, "meter" for Meters etc.
Support for message driven metric consumption and production are provided
through a MetricWriterMessageHandler and a MessageChannelMetricWriter.
No support yet for pagination in the repositories, or for HATEOAS style
HTTP endpoints.
We get more control over the handling and in particular the registration
of the endpoint this way. It was practically impossible to disable the
AgentServlet bean when in a parent context of the management server
because of lifecyce issues - you don't know that the user wants a
separate management server until too late.
This approach also makes it possible to test with spring-test MVC
support.
When management endpoints are on a different port the HandlerMappings
are restricted to a single EndpointHandlerMapping, so the error
controller (which is a normal @Controller with @RequestMappings) does
not get mapped.
Fixed by addinga shim Endpoint on "/error" that delegates to the
ErrorController (which interface picks up an extra method).
- Gather autoconfiguration conditional decisiions (true and false)
- Provide an actuator endpoint as one means to read the report
- Define @EnableAutConfigurationReport annotation to turn this feature on
- Tidy up autoconfig report a bit and log it if --debug=true
This commit adds a new starter named spring-boot-starter-shell-crsh and auto configuration support to embed a system shell within Spring Boot applications.
The embedded shell allows clients to connect via ssh or telnet to the Boot app and execute commands. Commands can be implemented and embedded with app.
For sample usage see spring-boot-samples-actuator.
Previously the management endpoint filter was applied to all requests
if the user had disabled security.management.enabled, but since it
had no security applied it was letting all requests through.
The fix was to explicitly exclude the whole enclosing configuration
and carefully ignore the management endpoints in the normal security
chain.
Fixes gh-100.
In some cases the websocket communication fails and Snake#sendMessage throws an exception.
In that case the send loop is interrupted and later clients are not update.
The RC1 version had some websocket issues, that prevented propper websocket communication.
In some cases the SocketJS communication was downgraded to 'xhr_streaming'.
Builder for SpringApplication and ApplicationContext instances with
convenient fluent API and context hierarchy support. Simple example
of a context hierarchy:
new SpringApplicationBuilder(ParentConfig.class)
.child(ChildConfig.class).run(args);
Another common use case is setting default arguments, e.g.
active Spring profiles, to set up the environment for an application:
new SpringApplicationBuilder(Application.class).profiles("server")
.defaultArgs("--transport=local").run(args);
If your needs are simpler, consider using the static convenience
methods in SpringApplication instead.
[#49703716] [bs-116] Parent context for some beans maybe?
Update SpringBootServletInitializer with separate getConfigClass() and
getAdditionalConfigClasses() methods. This change makes it easier to
use the SpringBootServletInitializer with the common use case of a
single config class.
The `Tomcat.start()` has to happen to initialize the `ServletContext`
but we can immediately stop the connector and then restart it when
the context is finished refreshing. Seems to make curl fail quickly
if an app is slow to start.
A side effect is that spring-boot-starter-data-jpa needs
to include an aspectjweaver depdendency. Hope that doesn't
hurt anything else.
[Fixes#56780004]
Fix TomcatEmbeddedServletContainerFactory to set a MERGED_WEB_XML
attribute when JSPs are used. This is required for EL support with
JSPs since Jasper checks the version number in the web.xml. Without
any web.xml Jasper default to disabling EL.
Issue: #55752948
Remove '/resources/**' mapping since it can cause problems with the
'/**' when the developer defines their own 'resources' sub-folder.
Also remove default servlet config since the resources mapping renders
it redundant.
Issue: #55494446
The management endpoints were still all mixed up
with the user endpoints. Fixed that and extracted
user endpoints in to conditional block so not
protected if path explicitly set to empty string.
[#53029715]
Rework several aspects of database auto-configuration:
- Use RelaxedPropertyResolver to obtain property values
- Extract EmbeddedDatabaseConnection from EmbeddedDatabaseConfiguration
- Rename several configuration classes for consistency
Issue: #53028397
Management endpoints are still secure by default if
Spring Security is present, but now the default
user details have an ADMIN role, and a random password
(which is logged at INFO level if not overridden).
To override you add management.user.password (name, role)
to external properties.
[Fixes#53029715] [bs-203]
Opinionated defaults for WebSockets:
* If spring-websocket is on the classpath and so is
the Tomcat WSci initializer then it is added to the context
* A DefaultSockJsService is added if none is present
* User has only to define @Beans of type WebSocketHandler with
name starting "/"
* Each one is converted to a SockJsHttpRequestHandler and
mapped to "/<beanName>/**"
The DispatcherServlet adds a default InternalViewResolver
which was used by some apps, but when the actuator was
available it added an "/error" bean and effectively
switched off the default view resolver. The net fix was
to add an InternalViewResolver at the same time as
adding any other ViewResolvers.
[Fixes#55357516] [bs-290] Actuator UI app cannot serve static index.html
* Add integration tests for /error view
* Add "error" @Bean as default view for HTML
Users may see side effects because now there will be
a ContentNegotiatingViewResolver by default for the
first time in a vanilla Actuator app. Should be
interesting.
[Fixes#54597932] [bs-273] Circular view reference for /error
Also introduced new strategy for customizing Tomcat Context
(TomcatContextCustomizer) - any that are added to the factory
will be applied before any other customizations in postProcessContext()
[Fixes#54670052] [bs-275] Make Tomcat access valve logs more accessible
Various cleanups to the Spring Data JPA example, including:
* Move repositories into service package and make them package private
thus only expose the service interfaces to clients.
* Merge HotelRepository and HotelSummaryRepository and make service
implementations package protected.
* Introduce integration test base class to bootstrap the app as
SpringAppliation.run would.
* Refactor central test case to rather use Spring MVC integration
testing framework.
* Add integration tests for repositories to execute query methods.
Rework main build POM to be an aggregator pom that does not inherit
from any parent. Introduce new spring-boot-dependencies module to
act as a parent for both spring-boot-starter-parent and
spring-boot-parent.
* Added additional search in
AbstractEmbeddedServletContainerFactory.getValidDocumentRoot() to
detect a /WEB-INF/ directory in the code archive
* If the code archive is in /WEB-INF/** then we assume it is
safe to serve content from / (exposes the loader classes
but nothing sensitive from the app)
[Fixes#54345578]
* For a jar deployment add classpath:static/index.html
(works via Spring MVC mapping)
* For a war the same thing works, but so does adding
index.html to src/main/webapp (works via container
default servlet)
[Fixes#54092261] [bs-252]