Previously, each 5xx response to a request that used a path variable
would result in a metric being recorded that contained the path
variable. Therefore, if a different path variable was included in each
request, a new metric would be recorded for each request. This is
problematic as it can lead to the metrics being flooded with unwanted
entries.
This commit updates MetricsFilter to treat 5xx responses sent before
mapping has occurred in the same way as 4xx and redirect responses.
A single metric, counter.status.500.unmapped, is now used.
Closes gh-4377
Previously, ServerThread would check for a disconnect as soon as it
had been started. This raced with it handling its first connection. If
the check for disconnect won the race it would incorrectly determine
that the disconnect timeout had been reached and wouldn’t respond to
the connection.
This commit updates ServerThread so that it only checks the disconnect
timeout once it’s handled at least one connection.
Closes gh-4668
Previously, the auto-configuration for embedded Mongo did not specify
a bind IP so Mongo was started without one. This would lead to Mongo
binding to all available network interfaces. This caused some friction
with the Windows firewall as it would ask for permission every time
embedded Mongo was launched.
This commit updates the auto-configuration to use
spring.data.mongodb.host to configure the bind IP for embedded Mongo.
If spring.data.mongodb.host is null, the auto-configuration will use
the loopback address instead.
Closes gh-4630
Previously, disabling SecurityAutoConfiguration could cause
SecurityFilterAutoConfiguration to fail if Spring Security’s filter
chain bean existing in the context. SecurityFilterAutoConfiguration
relies on SecurityProperties which is created by
SecurityAutoConfiguration. When SecurityAutoConfiguration is disabled,
there’s no SecurityProperties bean so SecurityFilterAutoConfiguration
would fail due to the missing dependency.
This commit updates SecurityFilterAutoConfiguration to create a
SecurityProperties bean if one does not already exist.
Closes gh-4525
Previously, when a session attribute that had been stored in Redis was
being deserialized, the app class loader would be used. This would
result in a ClassCastException if the attribute was an instance of a
class visible to the restart class loader.
This commit auto-configures Spring Session’s RedisTemplate to use a
custom deserializer that uses the restart class loader when
deserializing session attributes.
Closes gh-3805
Previously, LoggingApplicationListener would clean up the logging
system in response to any application context with which it was
registered being closed. This caused problems when a child context was
closed. Specifically, closing the child context would cause any
SLF4J-based logging systems to unregister the JUL bridge handler
preventing an JUL logging being bridged into Logback or Log4J2.
This commit updates LoggingApplicationListener so that the logging
system is only cleaned up when a root application context is
closed.
Closes gh-4651
Previously, the test that verified that Undertow's access log could be
enabled and was written to the correct file expected the log to be
available as soon as the request to the server had completed. Undertow
writes the access log asynchronously so the test failed intermittently
due to a race between the access log being written and the test
asserting that it exists.
This commit updates the test to wait for up to 10 seconds for the
access log to be available.
See gh-4670
Undertow 1.3.2 changed the default access log file suffix from '.log'
to just 'log'. Thus we need to adapt the file name pattern to include
the missing dot.
Closes gh-4670
Previously, ServerThread.lastHttpRequestTime was written while
synchronized on this.httpConnections but was read without
synchronization. This could lead to a read of the field producing the
wrong value and cause premature connection timeout.
This commit moves the call to checkNotDisconnected into a block that
sychronizes on this.httpConnections, thereby ensuring that
lastHttpRequestTime can be read safely.
Closes gh-4668
Some libraries like aspectj are using findResource to see the raw
bytecode of a class. It will even call findResource for every method of
every class of beans that are post processed. This can be significant
performance hit on startup when LaunchedURLClassLoader and there are a
lot of nested jars.
See gh-3640
Fixes gh-4557
A dependency on the Servlet API (the filter's dispatcher types) causes
a failure when Spring Security is used in a non-web application.
This commit removes the dependency on javax.servlet.DispatcherType
in favour of using a Set of Strings. SecurityFilterAutoConfiguration,
which is only enabled for web applications, is the responsible for
converting each String to a DispatcherType.
Closes gh-4505
This commit introduces a new property, application.title, that can
be used in a banner. Its value is resolved from the application
manifest's Implementation-Title attribute.
Closes gh-4603
This commit adds a new property, security.filter-dispatcher-types
that can be used to configure the dispatcher types of Spring
Security's filter chain. The default remains unchanged.
Closes gh-4505
Previously, if a regular expression was used when calling the metrics or
environment endpoints, a metric or property with a null value would
result in a 404 response.
This commit updates the two affected endpoints so that any metric or
property whose name matches the regular expression but has a null value
is ignored. This allows all of the matching metrics or properties with
non-null values to be returned in a 200 OK response.
Closes gh-4552
This commit documents the color converter, the explicit colors and
styles that is supports, and the implicit colors used for each log
level.
Closes gh-4592
Previously, ConfigFileApplicationListener would always add itself to the
end of the list of environment post processors loaded via
spring.factories. This meant that its order (highest precedence + 10)
would not be honoured and it would only be in the right place in the
list if any other post processors happened to have a higher precedence.
This commit updates ConfigFileApplicationListener to sort the list of
post processors using AnnotationAwareOrderComparator once its added
itself to the list.
Closes gh-4595
Previously, EmbeddedWebApplicationContext used synchronized, but did
not do so consistently. It also synchronized on this so its lock was
exposed outside of the class, creating a risk of deadlock if a caller
synchronized incorrectly. Furthermore, not all fields on the class
were sychronized so the class wasn't truly thread-safe.
This commit attempts to rectify some of the problems above. The use
of synchronized has been dropped in favour of using a volatile field
for the embedded servlet container. Whenever this field is accessed,
a local variable is used to "cache" the value thereby preventing a
change on another thread from causing unwanted behaviour such as an
NPE.
Closes gh-4593
There’s a race condition in start-stop-daemon when --make-pidfile and
--background are used together [1]. This race condition can lead to the
command returning before the PID file has been created. The missing PID
file then causes the launch script to incorrectly report that the
service failed to start.
This commit updates the launch script to wait for up to 10 seconds for
the PID file to be created when start-stop-daemon is used to launch the
app.
Closes gh-4524
[1] https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1036899