Replace `WebSecurityConfigurer` and `WebSecurityConfigurerAdapter`
configurations with `WebSecurityCustomizer` or `SecurityFilterChain`
beans.
Closes gh-23421
Add a simple `BootstrapRegistry` that can be used to store and share
object instances across `EnvironmentPostProcessors`. The registry
can be injected into the constructor of any `EnvironmentPostProcessor`.
Registrations can also perform additional actions when the
`ApplicationContext` has been prepared. For example, they could register
the the bootstrap instances as beans so that they become available to
the application.
See gh-22956
Update `EnvironmentPostProcessorApplicationListener` so that it can
either use values from `spring.factories` or use a factory interface.
Closes gh-22529
Deprecate `ConfigFileApplicationListener` and provide a replacement
mechanism that supports arbitrary config data imports.
This commit updates the following areas:
- Extract `EnvironmentPostProcessor` invocation logic from the
`ConfigFileApplicationListener` to new dedicated listener. Also
providing support for `Log` injection.
- Extract `RandomPropertySource` adding logic from the
`ConfigFileApplicationListener` to a dedicated class.
- Migrate to the recently introduced `DefaultPropertiesPropertySource`
class when moving the defaultProperties `PropertySource`
- Replace processing logic with a phased approach to ensure that
profile enablement happens in a distinct phase and that profiles
can no longer be activated on an ad-hoc basis.
- Provide a more predictable and logical import order for processing
`application.properties` and `application.yml` files.
- Add support for a `spring.config.import` property which can be used
to import additional config data. Also provide a pluggable API
allowing third-parties to resolve and load locations themselves.
- Add `spring.config.activate.on-profile` support which replaces the
existing `spring.profiles` property.
- Add `spring.config.activate.on-cloud-platform` support which allows
a config data document to be active only on a given cloud platform.
- Support a `spring.config.use-legacy-processing` property allowing the
previous processing logic to be used.
Closes gh-22497
Co-authored-by: Madhura Bhave <mbhave@vmware.com>
Prior to this commit, there was a property server.error.include-details
that allowed configuration of the message and errors attributes in a
server error response.
This commit separates the control of the message and errors attributes
into two separate properties named server.error.include-message and
server.error.include-binding-errors. When the message attribute is
excluded from a servlet response, the value is changed from a
hard-coded text value to an empty value.
Fixes gh-20505
Previously, DefaultResourceLoader instances were created using the
default constructor. This causes the resource loader to capture the
TCCL that was in place at that time. This can lead to a class loader
leak if the resource loader is referenced directly or indirectly from
a static field of a class loaded by a different class loader.
This commit updates the creation of DefaultResourceLoader instances
in main code so that the resource load will use the class loader of
the creating class. In almost all cases this will be the same class
loader as was the thread context class loader that was being captured
so the change in behavior is minimal. Crucially, it will still address
the situation where the TCCL was different.
Note the DevTools' ApplicationContextResourceLoader has been updated
to explicitly use the TCCL. This ensures that it uses the restart
class loader which is required for DevTools to function correctly.
Fixes gh-20900
Prior to this commit, default error responses included the message
from a handled exception. When the exception was a BindException, the
error responses could also include an errors attribute containing the
details of the binding failure. These details could leak information
about the application.
This commit removes the exception message and binding errors detail
from error responses by default, and introduces a
`server.error.include-details` property that can be used to cause
these details to be included in the response.
Fixes gh-20505
Previously, DevToolsDataSourceCondition called
getBeanNamesForType(Class) which could trigger unwanted initialization
of lazy init singletons and objects created by FactoryBeans.
This commit updates DevToolsDataSourceCondition to prohibit eager
init when getting the names of the beans of a particular type.
Fixes gh-20430
This commit makes sure that any subsequent call on addProtocolResolver
on the context will impact the ResourceLoader implementation that
DevTools sets on the context.
This makes sure that any custom ProtocolResolver that is set later in
the lifecycle is taken into account.
Closes gh-17214
Apply checkstyle rule to ensure that private and package private
classes do not have unnecessary public methods. Test classes have
also been unified as much as possible to use default scoped
inner-classes.
Closes gh-7316
As of spring-projects/spring-hateoas#854, Spring HATEOAS is not relying
on Objenesis anymore and removed the cache that was being used for it.
This commit removes the support for clearing that cache when running an
application with Devtools enabled.
See gh-16833
Previously, DevTools would retry the upload of the changes to an
application in the event of a ConnectException. If a different
network-level failure occurred, it would not be retried and would
cause the file watching thread to die.
This commit attempts to make things more robust by retrying all
SocketExceptions and not just ConnectExceptions. A warning is
logged when a failure occurs. A separate debug message that
includes the exception is also logged.
Closes gh-10317
This covers the cases when:
* An Java agent based reloader (e.g. JRebel) is being used
* The reloader was disabled by using a system property
See gh-14807
Update `DevToolsPropertyDefaultsPostProcessor` to automatically set
the recently introduced `spring.messages.reloadable` property to
`true`.
Closes gh-14699
Rework `DevToolsPropertyDefaultsPostProcessor` so that web logging no
longer defaults to `DEBUG`. The post processor now logs an info hint
to suggest the user configure the logging themselves.
Closes gh-14575
Previously, if a class was added and then changed, a restart would be triggered
and things would behave as if the class had been deleted. This occurred
because, when looking for additional classes that were not on the original
classpath, only files that had been added were considered. The subsequent
change to the class was noticed as a modified rather than an addition,
resulting in the class being skipped.
This commit updates the resource resolver to only ignore deleted files and
consider both added files and modified files when looking for additional
resources.
Closes gh-14205
Reinstate `web` logging when devtools is in use, making use of the new
logging groups support. Devtools now also logs an `INFO` message
informing that properties defaults are offers an easy way to disable
them.
Closes gh-14450
Update `DevToolsPropertyDefaultsPostProcessor` to remove custom logging
level configuration. Unfortunately it's not easy to back-off logging
overrides when the user has a custom logback/log4j configuration.
Closes gh-14310
Since SPR-16946, Spring Framework revisited the DEBUG logging output
developers get while working on Spring MVC and Spring WebFlux
applications.
This commit aligns to those changes where DEBUG output was produced
in Spring Boot (especially in `DefaultErrorWebExceptionHandler`).
This also enables DEBUG logging on the related packages when running an
application with Spring Boot Developer Tools, providing a better
development experience.
This is also adding the new `spring.insights.web.log-request-details`
configuration property, which logs additional information about the
incoming requests at the DEBUG and TRACE levels. Since that information
can be sensitive (e.g. credentials, tokens, etc.), this property is not
enabled by default nor activated by the Developer Tools.
Closes: gh-13511
Previously, the logging system was cleaned up in response to the
root context's ContextClosedEvent being received. This event is
published early in a context's close processing. As a result, the
logging system is in cleaned up state while, for example, disposable
beans are being destroyed.
This commit reworks the logic that triggers logging system clean up
to use a disposable bean instead. Disposable beans are called in
reverse-registration order. The logging clean up bean is registered as
early as possible so that it should be the last disposable bean to
be called.
Closes gh-11676
Rename `reactive-repositories` to `reactiverepositories` and replace
`spring.resources.cache-control` with `spring.resources.cache.control`.
Fixes gh-11090
Update appropriate configuration properties to use the `Duration`
type, rather than an ad-hoc mix of milliseconds or seconds.
Configuration properties can now be defined in a consistent and readable
way. For example `server.session.timeout=5m`.
Properties that were previously declared using seconds are annotated
with `@DurationUnit` to ensure a smooth upgrade experience. For example
`server.session.timeout=20` continues to mean 20 seconds.
Fixes gh-11080
Move projects to better reflect the way that Spring Boot is released.
The following projects are under `spring-boot-project`:
- `spring-boot`
- `spring-boot-autoconfigure`
- `spring-boot-tools`
- `spring-boot-starters`
- `spring-boot-actuator`
- `spring-boot-actuator-autoconfigure`
- `spring-boot-test`
- `spring-boot-test-autoconfigure`
- `spring-boot-devtools`
- `spring-boot-cli`
- `spring-boot-docs`
See gh-9316
Andy Wilkinson
Madhura Bhave
Phillip Webb
Stephane Nicoll
Andy Wilkinson
XenoAmess
Scott Frederick
Phillip Webb
dreis2211
wycm
Kant Leung
rajadilipkolli
HaiTao Zhang
LiangYong
周武栋
Johnny Lim
Brian Clozel
wonwoo
Marcus Eisele
michal
igor-suhorukov
andrey.onufreyko