Previously, when writing a repackaged jar, an attempt to write all of
an entry's parent directories would always be made, irrespective of
whether or not the entry itself had already been written. This was
inefficient as, due to the way that the jar is written, once an entry
itself has been written, we know that all of its parent directories
will also have been written.
This commit updates the jar writer so that no attempt is made to
write parent directory entries if the entry itself has already been
written.
Fixes gh-29175
Update `IncludeExcludeGroupMemberPredicate` so that exclusion rules are
also applied to child contributors. The restores the behavior of Spring
Boot 2.5.x where `management.endpoint.health.group.mygroup.exclude=db`
would exclude 'db/one', 'db/two' etc.
Fixes gh-29251
Prior to this commit, the GraphQL schema assembled by the
auto-configuration would provide no option for disabling the field
introspection.
While this feature is essential for many tools (including GraphiQL),
some prefer disabling it because this allows clients to gather
information about types and schema easily. This commit introduces a new
`spring.graphql.schema.introspection.enabled` configuration property.
Because potential attackers can still gather this information and this
feature is a core concern in the GraphQL spec, introspection is enabled
by default for Spring Boot applications.
Closes gh-29248
Prior to this commit, the `GraphQlTesterContextCustomizer` would
register a `WebGraphQlTester` instance as a `GraphQlTester` bean., only
exposing the `GraphQlTester` type. This is not in line with the
documentation and also does not register the bean definition with the
most specific type.
With this issue, a `@SpringBootTest` integration test will not be
injected with a `WebGraphQlTester` if it asks one.
This commit ensures that the `WebGraphQlTester` is registered as such
and that all related classes are renamed as a result.
Fixes gh-29250
This commit adds the required infrastructure for instrumenting the
GraphQL engine and datafetchers in order to collect metrics.
With this infrastructure, we can collect metrics such as:
* "graphql.request", a timer for GraphQL query
* "graphql.datafetcher", a timer for GraphQL datafetcher calls
* "graphql.request.datafetch.count", a distribution summary of
datafetcher count per query
* "graphql.error", an error counter
See gh-29140
This commit adds the `@GraphQlTest` annotation which brings a new type
of sliced test for GraphQL applications. This considers all the required
infrastructure brought by `@AutoConfigureGraphQl`, but also brings
application components like `@Controller` beans and
`RuntimeWiringConfigurer`.
With this type of test, we'll only initialize a minimal setup for
testing a set of Controllers, without involving any transport-related
component.
See gh-29140
This commit adds the required infrastructure to auto-configure a
`GraphQlTester` or `WebGraphQlTester` in Spring Boot tests.
Specific annotations like `AutoConfigureGraphQlTester` and
`AutoConfigureWebGraphQlTester` will contribute pre-configured beans for
testing a GraphQL with the tester.
This also ships a `ContextCustomize` for contributing a `GraphQlTester`
in the case of a full `@SpringBootTest` integration test against a live
server.
See gh-29140
This commit adds the `@AutoConfigureGraphQl` test annotation. It can be
used to import the relevant auto-configurations when testing a GraphQL
application.
Currently, it will get the main `GraphQlAutoConfiguration`, but also
what's required for configuring codecs and validation support.
See gh-29140
This commit configures security features for Spring GraphQL.
In the case of both MVC and WebFlux, this contributes
`DataFetcherExceptionResolver` instances to resolve security exceptions
and expose them as proper errors in the GraphQL response.
For MVC only, this also configures a
`SecurityContextThreadLocalAccessor`. This component ensures that the
security context is propagated between `ThreadLocal` and the Reactor
asynchronous execution.
See gh-29140
GraphiQL is useful when working on a GraphQL API - it allows
developers to craft queries and test newly developed feature. This
is not enabled by default, as this should not be exposed in production
without the developer's knowledge.
This commit flips this value when Spring Boot devtools is active for a
better developer experience.
See gh-29140
This commit auto-configures a GraphQL WebSocket endpoint for both Spring
MVC and Spring WebFlux. This is only enabled if the required libraries
are on the classpath and if the `"spring.graphql.websocket.path"`
property is defined.
See gh-29140
Spring GraphQL ships with a static version of the graphiql IDE for
exploring and querying GraphQL endpoints.
See https://github.com/graphql/graphiql for more information.
This commit auto-configures the GraphiQL handler for both MVC and
WebFlux and points GraphiQL to the GraphQL HTTP endpoint exposed by the
application. This feature is disabled by default and can be switched on
with "spring.graphql.graphiql.enabled=true".
See gh-29140
This commit configuresa new endpoint for printing in text format the
resolved GraphQL schema.
This endpoint is exposed by default under "/graphql/schema" and must be
enabled with "spring.graphql.schema.printer=true".
See gh-29140
This commit adds two new auto-configuration classes for Spring GraphQL
support. Once the base GraphQL infrastructure is in place, we can now
expose the `GraphQlService` over an HTTP transport.
Spring GraphQL supports both MVC and WebFlux, so this commit ships with
one auto-configuration for each.
Developers can configure the HTTP path where the GraphQL resource is
exposed using the `spring.graphql.path` configuration property (this
defaults to `"/graphql"`).
See gh-29140
This commit adds a new `FailureAnalyzer` for exceptions thrown when no
GraphQL schema file could be found.
This lists configured locations (with `"classpath:..."` notation) and
also resolved locations - this helps developers figure out how the
pattern are resolved and why schema files cannot be found.
See gh-29140
This commit adds the auto-configuration for setting up the base Spring
GraphQL infrastructure. Because GraphQL doesn't depend on any particular
transport, we must have a separate configuration for creating:
* the `GraphQlSource`, which holds the schema and the `GraphQL` instance
* the `GraphQlService` for executing incoming requests
* the `BatchLoaderRegistry` for batch loading support
* the `AnnotatedControllerConfigurer` for supporting the annotated
controllers programming model
This comes with a starting point for the `"spring.graphql.*"`
configuration properties; we can now configure the locations and file
extensions of GraphQL schema files we should load and configure at
startup.
See gh-29140
Prior to this commit, the `ErrorPageSecurityFilter` verified if
access to the error page was allowed by invoking the
`WebInvocationPrivilegeEvaluator` with the Authentication from the
`SecurityContextHolder`.
This meant that access to the error page was denied for a `null` Authentication
or `AnonymousAuthenticationToken` in cases where the error page required
authenticated access. This prevented authorized users from accessing the
error page in case the Authentication wasn't retrievable for the error dispatch,
which is the case for `@Transient` authentication or stateless session policy.
This commit updates the `ErrorPageSecurityFilter` to check access to the error page
only if the error is an authn or authz error in cases where an authentication object
is not found in the SecurityContextHolder. This makes the error response consistent
when bad credentials or no credentials are used while also allowing access to previously
authorized users.
Fixes gh-28953
When `setUseCodeAsDefaultMessage(true)` was set on a message source,
attempting to interpolate the default message returned from the message
source would result in the code being unusable by upstream message
resolvers.
Fixes gh-28930