As auto-configuration for Spring Security OAuth has been removed
from Spring Boot 2.0 and Spring Security 5 doesn't have OAuth
2.0 Authorization / Resource Server support yet, it has not
been obvious at all how to implement an OAUth 2.0 server with
Spring Boot 2.0.
For that reason, this new section briefly explains the current
temporary situation and points to the spring-security-oauth2-autoconfigure
module that restores the auto-configuration support for OAuth
2.0 Authorization and Resource Servers.
Closes gh-12491
Update `Map` and `Collection` binders to create a copy of the existing
collection whenever possible. Prior to this commit the binder would
always mutate the existing value and then call the setter with the
same instance. This could cause issues if the setter expected a
different instance.
Fixes gh-12322
Refine `BasicErrorController` mappings so that only JSON and XML get
structured responses. A simple string response is returned for all
other media types.
Fixes gh-12513
Update JAR `Handler` logic so that the existing `jarFile` is only used
if the requested URL starts with the same path. Prior to this commit it
was possible to construct a URL with another URL as context. This could
mean that the `handler` was shared and the already resolved `jarFile`
contained in the handler wasn't necessarily suitable.
Fixes gh-12483
Previously, the underlying RandomAccessDataFile was not closed when
the JarFile that was using it was closed. This causes a problem on
Windows as the open file handle prevents the file from being deleted.
This commit updates JarFile to close the underlying
RandomAccessDataFile when it is closed and has a JarFileType of
DIRECT.
Previously, when accessing the manifest of a jar file that maps to a
nested directory (BOOT-INF/classes) a new JarFile was created from the
root jar file, the manifest was retrieved, and the new JarFile was
closed. This could lead to the underlying RandomAccessDataFile being
closed while it was still in use.
This commit improves JarFile to retrieve the manifest from the
existing outer JarFile, thereby avoiding the need to create and close
a new JarFile.
Unfortunately, PropertiesLauncher creates a number of scenarios where
a JarFile with a type of direct is closed while it’s still being used.
To accommodate this behaviour, RandomAccessDataFile has been updated
so that it can re-open the underlying RandomAccessFile if it is used
after it has been closed.
Closes gh-12296
This commit disables the default HTML view in the WebFlux error handling
support when `server.error.whitelabel.enabled=false`.
In this case, the original exception will be forwarded down the stream
and handled by the default `WebExceptionHandler` provided by Spring
WebFlux (likely to respond a blank page and an error HTTP response
status).
Closes gh-12520
Update `SpringConfigurationPropertySources` adapter logic so that and
exact instance match is used when checking if the cache can be used.
Prior to this commit if a property source was replaced with one that
had exactly the same name, the adapted version would not change.
Fixes gh-12451