Previously, ServerThread.lastHttpRequestTime was written while
synchronized on this.httpConnections but was read without
synchronization. This could lead to a read of the field producing the
wrong value and cause premature connection timeout.
This commit moves the call to checkNotDisconnected into a block that
sychronizes on this.httpConnections, thereby ensuring that
lastHttpRequestTime can be read safely.
Closes gh-4668
Some libraries like aspectj are using findResource to see the raw
bytecode of a class. It will even call findResource for every method of
every class of beans that are post processed. This can be significant
performance hit on startup when LaunchedURLClassLoader and there are a
lot of nested jars.
See gh-3640
Fixes gh-4557
A dependency on the Servlet API (the filter's dispatcher types) causes
a failure when Spring Security is used in a non-web application.
This commit removes the dependency on javax.servlet.DispatcherType
in favour of using a Set of Strings. SecurityFilterAutoConfiguration,
which is only enabled for web applications, is the responsible for
converting each String to a DispatcherType.
Closes gh-4505
This commit introduces a new property, application.title, that can
be used in a banner. Its value is resolved from the application
manifest's Implementation-Title attribute.
Closes gh-4603
This commit adds a new property, security.filter-dispatcher-types
that can be used to configure the dispatcher types of Spring
Security's filter chain. The default remains unchanged.
Closes gh-4505
Previously, if a regular expression was used when calling the metrics or
environment endpoints, a metric or property with a null value would
result in a 404 response.
This commit updates the two affected endpoints so that any metric or
property whose name matches the regular expression but has a null value
is ignored. This allows all of the matching metrics or properties with
non-null values to be returned in a 200 OK response.
Closes gh-4552
This commit documents the color converter, the explicit colors and
styles that is supports, and the implicit colors used for each log
level.
Closes gh-4592
Previously, ConfigFileApplicationListener would always add itself to the
end of the list of environment post processors loaded via
spring.factories. This meant that its order (highest precedence + 10)
would not be honoured and it would only be in the right place in the
list if any other post processors happened to have a higher precedence.
This commit updates ConfigFileApplicationListener to sort the list of
post processors using AnnotationAwareOrderComparator once its added
itself to the list.
Closes gh-4595
Previously, EmbeddedWebApplicationContext used synchronized, but did
not do so consistently. It also synchronized on this so its lock was
exposed outside of the class, creating a risk of deadlock if a caller
synchronized incorrectly. Furthermore, not all fields on the class
were sychronized so the class wasn't truly thread-safe.
This commit attempts to rectify some of the problems above. The use
of synchronized has been dropped in favour of using a volatile field
for the embedded servlet container. Whenever this field is accessed,
a local variable is used to "cache" the value thereby preventing a
change on another thread from causing unwanted behaviour such as an
NPE.
Closes gh-4593
There’s a race condition in start-stop-daemon when --make-pidfile and
--background are used together [1]. This race condition can lead to the
command returning before the PID file has been created. The missing PID
file then causes the launch script to incorrectly report that the
service failed to start.
This commit updates the launch script to wait for up to 10 seconds for
the PID file to be created when start-stop-daemon is used to launch the
app.
Closes gh-4524
[1] https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1036899
Previously, JerseyAutoConfiguration was a WebApplicationInitializer.
This was problematic as auto-configuration classes should not be ordered
(they should use AutoConfigureBefore etc instead) but the web
application initializer needs to be ordered so that it can run early and
configure Jersey before it runs.
This commit has moved the WebApplicationInitializer implementation into
a separate class so that it can be ordered independently of the
auto-configuration class. Note that the new class must be public for
the servlet container (Tomcat at least) to be able to instantiate it.
Closes gh-4527
Remove 3.4.1 logger workaround (adding package to default service). See
CORE-2436 on the liquibase tracker for more details.
Closes gh-4591
Closes gh-4625
If a request to the actuator endpoint ends with a slash with Spring
HATEOAS on the classpath, an empty array of links is returned whereas
a request without the slash returns a response with all the expected
links to the actuator's other endpoints.
This commit adds an automatic redirection so that both URIs return the
expected result.
Closes gh-4575
Some libraries like aspectj are using findResource to see the raw
bytecode of a class. It will even call findResource for every method of
every class of beans that are post processed. This can be significant
performance hit on startup when LaunchedURLClassLoader and there are a
lot of nested jars.
See gh-3640
Fixes gh-4557
The need to set the order of ResourceServerConfiguration was
a bad assumption. The value of the order seems strange as well
(-10), and a comment explaining it makes no sense (a resource
server normally wants its filter *after* not *before* the existing
auth server filter). Removing the bean post processor didn't
fail any tests.
In case there are multiple resource servers in the same context
there was also a problem that they ended up with the same order.
If user set the management.port *and* the management.context-path
then the /error path was in the wrong place because formerly it
was implemented (in this case) by an MvcEndpoint. If we
switch it to a regular @Controller (which are now supported in the
child context if there is one) then it won't disappear under the
management.context-path.
Also use lazy request matching in ignores as well as secure paths.
The problem was that the ignores were constructed eagerly from the
actuator paths before they were available (the EndpointHandlerMapping
needs to be lazily accessed to avoid a security-induced bean creation
cascade).
Fixes gh-4624
Previously, the `spring.datasource.name` property was ignored when Spring
Boot configures an embedded data source with a connection pool.
`EmbeddedDatabaseConnection` is now aligned to the purely embedded case
to take that property into account.
Closes gh-4586
Since the `LoggingSystem` may be retrieved very early during the context
initialization, we should do a lookup by name even if only one instance
of that bean is ultimately expected in the context.
The constant defining the bean name is now public to ease that use case.
Closes gh-4584
One of the options of the new `banner-mode` property is `off`. YAML maps
`off` to `false` and since we are exposing the method from the
`SpringApplication` public class we can't change the signature to accept
a `String` and do the conversion ourselves.
This commit adds a dedicated section in the guide to warn users about
that particular situation. Adding quotes around the value prevents the
conversion.
Closes gh-4600
Yunkun Huang
Andy Wilkinson
Ivan Chen
Vladimir Tsanev
Ruben Dijkstra
吉田 尚弘
Vedran Pavic
Johnny Lim
Gary Russell
Stephane Nicoll
Dave Syer
Jean de Klerk
Kazuki Shimizu