Previously, DefaultResourceLoader instances were created using the
default constructor. This causes the resource loader to capture the
TCCL that was in place at that time. This can lead to a class loader
leak if the resource loader is referenced directly or indirectly from
a static field of a class loaded by a different class loader.
This commit updates the creation of DefaultResourceLoader instances
in main code so that the resource load will use the class loader of
the creating class. In almost all cases this will be the same class
loader as was the thread context class loader that was being captured
so the change in behavior is minimal. Crucially, it will still address
the situation where the TCCL was different.
Note the DevTools' ApplicationContextResourceLoader has been updated
to explicitly use the TCCL. This ensures that it uses the restart
class loader which is required for DevTools to function correctly.
Fixes gh-20900
Prior to this commit, default error responses included the message
from a handled exception. When the exception was a BindException, the
error responses could also include an errors attribute containing the
details of the binding failure. These details could leak information
about the application.
This commit removes the exception message and binding errors detail
from error responses by default, and introduces a
`server.error.include-details` property that can be used to cause
these details to be included in the response.
Fixes gh-20505
Previously, DevToolsDataSourceCondition called
getBeanNamesForType(Class) which could trigger unwanted initialization
of lazy init singletons and objects created by FactoryBeans.
This commit updates DevToolsDataSourceCondition to prohibit eager
init when getting the names of the beans of a particular type.
Fixes gh-20430
This commit changes uses of ClassLoader.loadClass to Class.forName for
consistency with what was initiated in #19342 and better compatibility
with GraalVM.
Closes gh-19824
Update all dependencies declarations to use the form `scope(reference)`
rather than `scope reference`.
Prior to this commit we declared dependencies without parentheses unless
we were forced to add them due to an `exclude`.
Replace Gradle single quote strings with the double quote form
whenever possible. The change helps to being consistency to the
dependencies section where mostly single quotes were used, but
occasionally double quotes were required due to `${}` references.
This paves the way for publishing Gradle module metadata once the
problem caused by snapshot versions and our two-step publication
process has been addressed.
See gh-19609
This reverts commit b34a311d02 as,
having disabled the publishing of Gradle's module metadata (4f75ab5),
the changes are no longer needed.
See gh-19609
Previously, enforcedPlatform dependencies were using to pull in the
constraints defined in spring-boot-dependencies and
spring-boot-parent and applied them strictly so that the constrained
version had to be used. This worked as intended in Spring Boot's own
build but incorrectly enforced those same strict version requirements
on external consumers of Spring Boot's modules.
This commit reworks how Spring Boot defines its internal dependency
management so that platform dependencies are exposed to external
consumers while enforced platform dependencies are using internally.
See gh-19609
Previously, Maven's default behaviour was relied up which resulted
in the artifact ID being appended to each URL as it was inherited.
This behaviour can only be disabled in Maven 3.6 and later, a version
that we cannot use due to an incompatibility with the Flatten Plugin.
This commit works around Maven's default behaviour by defining
properties for the SCM URL, connection, and developer connection and
then explicitly defining the settings in each pom using these
properties. The explicit definition of the properties in each pom
prevents them being inherited from the parent, thereby disabling the
unwanted appending of the artifact ID to the URL.
Fixes gh-18328