Update Spring Boot nested JarFile support to improve the performance of
signed jars. Prior to this commit, `certificates` and `codeSigners`
were read by streaming the entire jar whenever the existing values
were `null`. Unfortunately, the contract for `getCertificates` and
get `getCodeSigners` states that `null` is a valid return value. This
meant that full jar streaming would occur whenever either method was
called on an entry that had no result. The problem was further
exacerbated by the fact that entries might not be cached.
See gh-19041
Update `ValidationBindHandler` so that pushed fields that reference
map keys can be used. This fixes a regression that was introduced in
commit 4483f417 when we switched to a `AbstractBindingResult` that no
longer required public getters/setters.
Closes gh-20350
Remove casting "timestamp" to `java.util.Date` in
`ErrorMvcAutoConfiguration` as the cast is not necessary and it
prevents other types (e.g. `java.time`) from being used.
See gh-23256
Prior to this commit, Actuator would sanitize properties values when
serializing them on the dedicated endpoint. Keys like "password" or
"secret" are entirely sanitized, but other keys like "uri" or "address"
are considered as URI types and only the password part of the user info
is sanitized.
This commit fixes the sanitization process where lists of such URI types
would not match the first entries of the list since they're starting
with `'['`. This commit improves the regexp matching process to sanitize
all URIs within a collection.
The documentation is also updated to better underline the processing
difference between complete sanitization and selective sanitization for
URIs.
Fixes gh-23037
Previous to this commit the connection idle timeout and heartbeat
interval were mapped to seconds whereas Cassandra expects ms for all
duration types.
This commit fixes the mapping and removes the default duration unit
since it should be considered ms like every other duration properties.
Closes gh-23249
Previously, PropertiesLauncher would close each archive that it
iterated over when creating its ClassLoader. This was not aligned
with JarLauncher's behaviour and left the ClassLoader with closed
archives. The close was introduced in [1] and became more apparent
following the change to fail operations on closed archives [2].
This commit updates Launcher to remove the close() that was added in
[1]. This aligns the behavior of PropertiesLauncher with JarLauncher
and ensures that the ClassLoader does not have entries backed by
closed archives on its classpath.
Fixes gh-23165
[1] ad72f86bdb
[2] ed7a5db174
Update `OriginTrackedYamlLoader` to remove node limits and recursive
parsing restrictions. SnakeYAML 1.26 introduced these options in order
to protect against the "billion laugh attacks" but since we consider
`application.yml` files to be trusted, we don't need these restrictions.
Fixes gh-23096
mathieufortin01
Phillip Webb
lock14
Brian Clozel
David Good
Stephane Nicoll
Andy Wilkinson