Spring Security now filters every dispatch by default and not only
once-per-request. Security configuration has been updated in a number of
places to restore the old behavior as needed for the tests to pass.
gh-31703 has been opened to review this and to investigate if we can
now remove the error page security filter and rely on the filtering of
every dispatch instead.
In addition to switching to once-per-request filtering where needed,
this commit also restructures the configuration of the error page
security filter. The restructuring was necessary to ensure that the
privilege evaluator bean has been defined before the conditions on the
error page security filter are evaluated. Without the change, the filter
was no longer being configured as the privilege evaluator hadn't been
defined before the on bean condition was evaluated. We may want to back
port this change as the ordering doesn't appear to have been defined
before and we were just getting lucky.
See gh-31622
See spring-projects/spring-security#11466
This commit makes the following potentially breaking changes:
- Dependency management for modules that do not exist in Hibernate
6.1 has been removed.
- Hibernate's modules are now in the org.hibernate.orm group. Users
not using the starter or using modules that are not in the starter
will have to update their build configuration accordingly.
- spring.jpa.hibernate.use-new-id-generator-mappings has been removed
as Hibernate no longer supports switching back to the old ID
generator mappings.
Co-authored-by: Andy Wilkinson <wilkinsona@vmware.com>
Closes gh-31674
Update `CompositeHandlerExceptionResolver` to search for beans in
all contexts. Note that `BeanFactoryUtils.beansOfTypeIncludingAncestors`
cannot not be used since we need to pick up all beans, even if they
have the same name.
See gh-31495
Update `JarFile` and related classes so that `close()` is not longer
called early.
Prior to this commit, we would always immediately close the underlying
jar file to prevent file locking issues with our build. This causes
issues on certain JVMs when they attempt to verify a signed jar.
The file lock issues have now been solved by returning a custom input
stream from `JarUrlConnection` which captures and delegates the close
method.
Fixes gh-29356
This commit updates several smoke tests in order to avoid conflicts
with NAME environment variable that is present in WSL and causes
project build to fail. Previous attempt to fix this in 7da42d71 was
incomplete.
See gh-31267
spring.security.saml2.relyingparty.registration.*.asserting-party.* is
now named spring.security.saml2.relyingparty.registration.*.assertingparty.*
Closes gh-30785
Rename spring.security.saml2.relyingparty.registration.*.identity-provider.*
to spring.security.saml2.relyingparty.registration.*.asserting-party.*
The old property names are still supported, but will lead to a warning
in the logs.
Closes gh-30642
This commit temporarily disables the Redis Session smoke test, as it
relies on the Session Actuator endpoint being present.
Since spring-projects/spring-session#1711, the default session
repository contributed is not of type `FindByIndexNameSessionRepository`
and thus cannot support the Session endpoint use case.
Until gh-30673 is resolved, this test is disabled.
See gh-30673
Previously, if spring.main.web-application-type was configured in
application.properties to servlet or reactive, setting
webEnvironment=NONE on @SpringBootTest would not work correctly and
a servlet or reactive web application context would be created
based on the value of spring.main.web-application-type.
This commit updates the test context bootstapper to set
spring.main.web-application-type to none when webEnvironment has been
set to none. This is done in the merged context configuration's
property source properties which are applied to the environment in a
high-precedence test property source that will override configuration
in application.properties.
Closes gh-29695
This commit switches to 1.0.0-SNAPSHOT for Spring GraphQL, before its
upcoming 1.0.0-M6 version.
This commit adapts to the changes introduced in
spring-projects/spring-graphql#317 : now that `GraphQlClient` has been
introduced, `GraphQlTester` has been aligned with the new
infrastructure. The `@GraphQlTest` and `@SpringBootTest` testing support
is now using different variants for each.
All samples have been updated to use the proper GraphQL terminology, see
and spring-projects/spring-graphql#310 .
See gh-29637
Due to gh-29695, smoketest.profile.ActiveProfilesTests starts a web
server bound to the default port (8080) despite the test setting
`webEnvironment` to `NONE`.
This commit works around the problem by running the tests with
server.port set to zero.
Closes gh-30086
ContextHandler.ApproveAliases has been deprecated. We tried to
replace it with AllowedResourceAliasChecker but it does not
behave in the same way and causes CI failures on Windows.
ContextHandler.ApproveAliases always returns true so we should
hardcode our own implementation that does the same.
Closes gh-30045
Implements a new AutoConfigurationLoader, which loads
auto-configurations from a file in META-INF/spring-boot.
Adapts the AutoConfigurationImportSelector to use the new loader.
Adapts the ImportAutoConfigurationImportSelector to use the new loader.
Adapts the metadata plugin in the build to additionally load the
auto-configurations from the new file.
Updates the documentation for auto-configurations and test slices.
Closes gh-29872
H2 2.x contains several important changes such as moving the primary key
generation mechanism to a sequence-based identifier. This commit fixes
a number of tests that were failing.
Closes gh-29651
Co-authored-by: Andy Wilkinson <wilkinsona@vmware.com>
Previously, the error page security filter passed the request's URI
to the privilege evaluator. This was incorrect in applications with
a custom context path as the privilege evaluator must be passed a
path that does not include the context path and the request URI
includes the context path.
This commit updates the filter to use UrlPathHelper's
pathWithinApplication instead. The path within the application does
not include the context path. In addition, pathWithinAppliation
also correctly handles applications configured with a servlet
mapping other than the default of /.
Closes gh-29299
Co-Authored-By: Andy Wilkinson <wilkinsona@vmware.com>
Update `SpringBootContextLoader` so that when possible the
`SpringApplication` remains in control of creating the `Environment`
instance.
Prior to this commit, we would always create the `Environment` in the
`SpringBootContextLoader` and then call `setEnvironment` on the
`SpringApplication`. This meant that the `ApplicationEnvironment`
classes were not used and that `isCustomEnvironment` was set to `true`
so no conversion was applied.
With the updated code, an `ApplicationListener` is used to mutate the
`Environment` instance and add the required test property sources.
Fixes gh-29169
Refine the logic introduced in 64270eca to use a side-effect free
Environment implementation rather than converting the Environment early.
Early conversion can cause condition evaluation issues if
`src/test/resources/application.properties` files are bound to the
`SpringApplication`. Specifically the `spring.main.web-application-type`
property can change the `Environment` type which must happen before
conditions are evaluated.
Fixes gh-29169
Prior to this commit, the `ErrorPageSecurityFilter` verified if
access to the error page was allowed by invoking the
`WebInvocationPrivilegeEvaluator` with the Authentication from the
`SecurityContextHolder`.
This meant that access to the error page was denied for a `null` Authentication
or `AnonymousAuthenticationToken` in cases where the error page required
authenticated access. This prevented authorized users from accessing the
error page in case the Authentication wasn't retrievable for the error dispatch,
which is the case for `@Transient` authentication or stateless session policy.
This commit updates the `ErrorPageSecurityFilter` to check access to the error page
only if the error is an authn or authz error in cases where an authentication object
is not found in the SecurityContextHolder. This makes the error response consistent
when bad credentials or no credentials are used while also allowing access to previously
authorized users.
Fixes gh-28953
Andy Wilkinson
Oliver Drotbohm
dreis2211
Stephane Nicoll
Phillip Webb
Guirong Hu
Lars Grefer
Vedran Pavic
Scott Frederick
Moritz Halbritter
Brian Clozel
Eddú Meléndez
Moritz Halbritter
Chris Dennis
Henning Poettker
Yanming Zhou
Madhura Bhave
izeye