The management endpoints were still all mixed up
with the user endpoints. Fixed that and extracted
user endpoints in to conditional block so not
protected if path explicitly set to empty string.
[#53029715]
Rework several aspects of database auto-configuration:
- Use RelaxedPropertyResolver to obtain property values
- Extract EmbeddedDatabaseConnection from EmbeddedDatabaseConfiguration
- Rename several configuration classes for consistency
Issue: #53028397
Management endpoints are still secure by default if
Spring Security is present, but now the default
user details have an ADMIN role, and a random password
(which is logged at INFO level if not overridden).
To override you add management.user.password (name, role)
to external properties.
[Fixes#53029715] [bs-203]
Opinionated defaults for WebSockets:
* If spring-websocket is on the classpath and so is
the Tomcat WSci initializer then it is added to the context
* A DefaultSockJsService is added if none is present
* User has only to define @Beans of type WebSocketHandler with
name starting "/"
* Each one is converted to a SockJsHttpRequestHandler and
mapped to "/<beanName>/**"
The DispatcherServlet adds a default InternalViewResolver
which was used by some apps, but when the actuator was
available it added an "/error" bean and effectively
switched off the default view resolver. The net fix was
to add an InternalViewResolver at the same time as
adding any other ViewResolvers.
[Fixes#55357516] [bs-290] Actuator UI app cannot serve static index.html
* Add integration tests for /error view
* Add "error" @Bean as default view for HTML
Users may see side effects because now there will be
a ContentNegotiatingViewResolver by default for the
first time in a vanilla Actuator app. Should be
interesting.
[Fixes#54597932] [bs-273] Circular view reference for /error
Also introduced new strategy for customizing Tomcat Context
(TomcatContextCustomizer) - any that are added to the factory
will be applied before any other customizations in postProcessContext()
[Fixes#54670052] [bs-275] Make Tomcat access valve logs more accessible
Various cleanups to the Spring Data JPA example, including:
* Move repositories into service package and make them package private
thus only expose the service interfaces to clients.
* Merge HotelRepository and HotelSummaryRepository and make service
implementations package protected.
* Introduce integration test base class to bootstrap the app as
SpringAppliation.run would.
* Refactor central test case to rather use Spring MVC integration
testing framework.
* Add integration tests for repositories to execute query methods.
Rework main build POM to be an aggregator pom that does not inherit
from any parent. Introduce new spring-boot-dependencies module to
act as a parent for both spring-boot-starter-parent and
spring-boot-parent.
* Added additional search in
AbstractEmbeddedServletContainerFactory.getValidDocumentRoot() to
detect a /WEB-INF/ directory in the code archive
* If the code archive is in /WEB-INF/** then we assume it is
safe to serve content from / (exposes the loader classes
but nothing sensitive from the app)
[Fixes#54345578]
* For a jar deployment add classpath:static/index.html
(works via Spring MVC mapping)
* For a war the same thing works, but so does adding
index.html to src/main/webapp (works via container
default servlet)
[Fixes#54092261] [bs-252]