Previously if every actuator endpoint was marked as sensitive, then all
endpoints were marked as permitted.
This commit ensures that if all endpoints are marked as sensitive, then
all the endpoints are secured.
Fixes gh-4368
Closes gh-4383
Rename HAL and docs MVC endpoints so that classnames consistently end
with MvcEndpoint. Also rename integration tests so that they are grouped
together in the IDE.
The CLI application advertises `-cp` support but it appears that only
`--cp` is really supported. The fix for gh-178 forgot to update the
call to `getParser().parse(...)`.
See gh-178
The HUP signal was being used to stop the service and for some reason,
sometimes it was being ignored. This commit change forces the use of the
TERM signal (the default signal of kill).
Fixes gh-4378
Closes gh-4414
Introduce `AbstractAuthenticationAuditListener` and
`AbstractAuthorizationAuditListener` classes so that users can
extended them to replace the auto-configured defaults.
Closes gh-4406
Update EmbeddedWebApplicationContext so that the servlet container is
shutdown after the context is closed. Unfortunately shutting the
container down before the context has been closed causes exceptions if
the `/shutdown` actuator endpoint is used. It can also cause the Tomcat
classloader to throw IllegalStateExceptions if resources are accessed
during shutdown.
As this commit effectively reverts 0069e41c we need to fix the shutdown
deadlock issue reported in gh-4130 in a different way. The deadlock can
be caused when an incoming HTTP connection occurs whilst the context is
closing. The incoming connection triggers the `FrameworkServlet` to
call `initWebApplicationContext` which in turn calls `refresh`. The
`FrameworkServlet` checks `ApplicationContext.isActive()` before
performing an initialization but prior to this commit we would set
active to `false` before stopping the servlet container. We now override
`onClose` rather than `doClose` in `EmbeddedWebApplicationContext` to
ensure that the active flag is only set to `false` once the servlet
container has been stopped.
See gh-4130
Fixes gh-4396
Spring Initalizr now bundles a wrapper script for the build system. While
that wrapper has the necessary execute flag in the zip archive, that flag
is lost as the zip abstraction does not honor those.
The init command now makes sure to restore the execute flag on `mvnw`
and `gradlew` if necessary.
Unfortunately, this can't be tested as the Windows build would fail to
assert that the executable flag has been propertly set.
Closes gh-4392
Make sure that the general Hazelcast auto-configuration is processed
before the cache auto-configuration. This was supposed to be fixed and
tested in 721b5a2 but unfortunately the `@AutoConfigureAfter` annotation
was placed on a regular `@Configuration` class (which has no effect).
The tests were passing because the ordering is actually hardcoded in the
test. The relevant tests now use `ImportAutoConfiguration` that simulates
the same order as the one use by the actual application.
Closes gh-4389
Commit 8e0a94f introduced a post processor that adds an explicit link
between the `HazelcastInstance` and the `EntityManagerFactory` so that
Hazelcast is fully initialized before Hibernate actually kicks in.
Unfortunately, the conditions that were implemented to register this post
processor are wrong and any app that has both JPA and Hazelcast support
blows up if no bean with name `hazelcastInstance` is defined.
This commit fixes the situation and reworks the configuration in a
separate auto-configuration that runs after the Hazelcast and JPA support
and check both the presence of an `EntityManagerFactory` and a bean of
name `hazelcastInstance`. If any of those conditions does not apply the
post processor is no longer registered.
Closes gh-4158
Set `CachedIntrospectionResults.IGNORE_BEANINFO_PROPERTY_NAME` by
default to improve startup performance. The `spring.beaninfo.ignore`
property can be set in `application.properties` if BeanInfo classes
should be searched.
Fixes gh-4390
Add a BackgroundPreinitializer to trigger early initialization in a
background thread of time consuming tasks. By moving certain
initialization tasks to background thread and triggering them early
we can improve the critical path when the application starts. For
example, Tomcat's MBeanFactory class parses several XML files when
first loaded. If we trigger the load in a background thread it completes
before Tomcat actually needs to use it.
The initial set of initializers included with this commit are:
- Tomcat MBeanFactory
- javax.validation
- Spring's AllEncompassingFormHttpMessageConverter
See gh-4252
Allows users to configure "allowed" file extensions for controller
mappings, so that browsers will not switch to downloading "f.txt"
(part of the recent RFD attack fixes in Spring MVC).
See gh-4220
Commit d0cf6b5 introduced a `endpoints.metrics.filter.enabled` property
key meant to disable the filter. Unfortunately, the `endpoints.metrics`
namespace is already managed so setting this property will fail.
We now use the same key than the one used to disable the metrics
endpoint.
Closes gh-4365
The Maven POM does all the dependency resolutions for the
spring-boot-antlib project. Delegating this task to Ivy, which is
buried deep in the Antrun/Antunit part of the build, makes any kind
of proxy configuration much more complex.
The ivysettings.xml already has the local M2 repository configured,
but because the folder "repository" is missing, the artifacts, already
downloaded by Maven cannot be resolved from this location.
The Spring and Maven Central repositories should be removed from the
ivysettings.xml files in order to force all resolves to be done through
the local M2 repository. The POM of joda-time version 2.8.1 has an
optional dependency to joda-convert 1.2, which lets the Ivy resolve
process fail, because this version of the joda-convert library was
not resolved by any of the Maven POMs. It seems as if Ivy does not
respect the optional scope, defined in the joda-time POM.
Pass proxy settings to the forked process to make the Gradle distribution download work
Create a gradle.properties file for each Gradle integration test and writes the forking
process' proxy settings as systemProp.http(s).Host/Port to the properties file.
This configures the external process with the right proxy settings to let it download
the Gradle distribution via the HTTP proxy server.
Added a hint for Windows users to get the core.autocrlf setting right
When the core.autocrlf setting under Windows is set to false for example
All files are not converted regarding their EOL characters to the
Windows format with CRLF at a line's end. There is a checkstyle
validation that checks that all files have the system's line endings
and in some test-cases the value from the system property "line.ending"
is used to check test output. So without the conversion, those checks
are going to fail, resulting in build errors.
Fixes gh-4367, fixes gh-3816
Rob Winch
Phillip Webb
Johnny Lim
Vedran Pavic
Pedro Vilaca
Stephane Nicoll
Dave Syer
邱占波
mrumpf