Previously, a number of Actuator endpoints ignored a context hierarchy
or assumed that it would always be linear. This commit reworks the
affected endpoints so that the no longer assume a linear hierarchy.
A side-effect of a non-linear hierarchy is that there may be multiple
different beans with the same name (in a linear hierarchy, a bean
with the same name as one in an ancestor context, replaces that bean).
The affected endpoints have also been updated so that, when bean names
are used as keys, those keys are grouped by application context. This
prevents a bean in one context from accidentially overwriting a bean
in another context.
Closes gh-11019
Extract functionality from the `RegistrationBean` into a new class
designed to work with dynamic registration. Servet and Filter
registration beans now extend from `DynaimcRegistrationBean`, where as
`ServletListenerRegistrationBean` extends directly from
`RegistrationBean`.
This refactor allows the removal of `ServletListenerRegistrationBean`
deprecated methods.
Fixes gh-11344
This commit moves management.server.context-path to
management.server.servlet.context-path to align with the configuration
key for the application's main context path.
Closes gh-11359
Update ImageBanner to support animated GIFs. Animations rely on ANSI
cursor codes so don't work so well in an IDE. They do, however, work
when running the app from a terminal.
See also commit 47bc5e71ab
Closes gh-11118
Previously, the Health web extension was defined in the management
context and, as a result, it wasn't found when a separate port was
required. The side effect is that anything that the health web extension
does was not active anymore in that case.
This commit makes sure that the extension is always defined as part of
the main context where operations are discovered and merged.
Closes gh-11285
Now that Spring Boot supports Freemarker for both Spring MVC and Spring
WebFlux, the dedicated starter should not pull the Web starter
transitively and let developers manually choose the web stack.
Closes gh-11246
Drop the status endpoint and merge functionality back into the health
endpoint. The `management.endpoint.health.show-details` property can
be used to change if full details, or just the status is displayed.
Fixes gh-11113
Update endpoint code to provide cleaner separation of concerns.
Specifically, the top level endpoint package is no longer aware of
the fact that JMX and HTTP are ultimately used to expose endpoints.
Caching concerns have also been abstracted behind a general purpose
`OperationMethodInvokerAdvisor` interface.
Configuration properties have been refined to further enforce
separation. The `management.endpoint.<name>` prefix provides
configuration for a single endpoint (including enable and cache
time-to-live). These properties are now technology agnostic (they
don't include `web` or `jmx` sub properties).
The `management.endpoints.<technology>` prefix provide exposure specific
configuration. For example, `management.endpoints.web.path-mapping`
allow endpoint URLs to be changed.
Endpoint enabled/disabled logic has been simplified so that endpoints
can't be disabled per exposure technology. Instead a filter based
approach is used to allow refinement of what endpoints are exposed over
a given technology.
Fixes gh-10176
- Modifying dependencies to starter-web with tomcat exclusion plus
alternative servlet container instead of manual dependency on
spring-webmvc as it is the preferrable way to use alternative servlet
container
- Previously RestTemplate with ssl was configured manually in tests - now
it rellies on autoconfiguration - changed this for multi-connector test
and added test to ensure that ssl autoconfiguration is working
- Most samples with alterntative servlet containers used some kind of
service reading property and returning default since it wasn't
configured - removed it, since it is not specific to using alternative
servlet containers.
See gh-10548
Following some changes in the latest snapshot this includes:
- Some updates to oauth2 client auto-config
- Security auto-config no longer relies on GlobalAuthenticationConfigurerAdapter
- Remove reactive security starter
Closes gh-10704
Previously, the custom layout sample did not configure the source
and target for the compiler. This meant that both defaulted to 1.5
which is not supported by Java 9's javac. The oldest support version
is 1.6.
This commit sets the maven.compiler.source and maven.compiler.target
properties to 1.8 (the lowest version support by Boot 2.0) allowing
the sample to build with both Java 8 and Java 9.
See gh-10515
This reverts commit bbca612a57.
StandardJarScanner, which contains the faulty assumption about
URLClassLoader is part of Jasper. Jetty, like Tomcat, uses Jasper for
JSPs so it's also affected.
See gh-10456
This commit adds support for auto-configuration of Spring WS automatic
WSDL and XSD exposure i.e. registration of `WsdlDefinition` and
`XsdDefinition` beans. The bean registration is triggered by configuring
`spring.webservices.wsdl-locations` property which will search the
provided locations for WSDL/XSD files and register appropriate beans.
See gh-9635
This commit removes auto-configuration support for Spring Security
OAuth, paving the way for the introduction of auto-configuration for
Spring Security 5's new OAuth-related features.
Closes gh-10255
This commit improves the Spring Session sample by providing multiple
build profiles that make it possible to easily try out different session
stores. By default, JDBC session store backed by an in-memory embedded H2
database is used.
See gh-10351
This commit only provides dependency management for JUnit Jupiter,
excluding experimental and migration support artifacts. It also removes
dependency management for the platform as it is used by IDEs and build
tools). The `junit-platform.version` is still available though to allow
users to configure their plugin with a supported placeholder for the
version.
Also, given that `junit-vintage-engine`'s version does not match the
JUnit 4 version it supports, we will not add dependency management for
it.
Closes gh-10240
This commit makes the "spring.session.store-type" property optional,
adding an additional check when it is not present that validates only
one supported implementation is available on the classpath.
As Spring Session has been modularized, the chance that multiple
implementations are available on the classpath are lower. When only
one implementation is present, we attempt to auto-configure it. When
more than one implementation is present and no session store is
configured, a NonUniqueSessionRepositoryException is thrown.
Closes gh-9863
Update the security request matchers so that a bean is no longer needed
when the matcher is used. Matchers can now be build by starting from
the `EndpointRequest` or `StaticResourceRequest` classes. For example:
http.authorizeRequests()
.requestMatchers(EndpointRequest.to("status", "info")).permitAll()
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
.requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()
Closes gh-7958
Restructure actuator packages to improve structure. The following
changes have been made:
- Separate actuator and actuator auto-configuration into different
modules.
- Move endpoint code into `spring-boot-actuator`.
- Move `Endpoint` implementations from a single package into
technology specific packages.
- Move `HealthIndicator` implementations from a single package into
technology specific packages.
- As much as possible attempt to mirror the `spring-boot` package
structure and class naming in `spring-boot-actuator` and
`spring-boot-actuator-autoconfigure`.
- Move `DataSourceBuilder` and DataSource meta-data support from
`spring-boot-actuator` to `spring-boot`.
Fixes gh-10261
Spring Framework 5 provides support for JUnit 5. This commit adds
dependency management for JUnit 5 and an upgrade for
spring-boot-sample-junit-jupiter sample.
See gh-10240
This commit adds a strategy interface to specific if a given DataSource
has its schema managed. The Hibernate auto-configuration uses it to set
it to "none" if a mechanism to initialize the DataSource is
found and "create-drop" otherwise.
Both Flyway and Liquibase implements that strategy interface and
register it in the context accordingly.
Closes gh-9262
Since the autoconfig totally backs off in the presence
of a WebSecurityConfigurerAdapter, there is no need to
order them ahead of/after the one provided by Spring Boot.
See gh-7958
This commit combines security autoconfigurations for
management endpoints and the rest of the application. By default,
if Spring Security is on the classpath, it turns on @EnableWebSecurity.
In the presence of another WebSecurityConfigurerAdapter this backs off
completely. A default AuthenticationManager is also provided with a user
and generated password. This can be turned off by specifying a bean of
type AuthenticationManager, AuthenticationProvider or UserDetailsService.
Closes gh-7958
This commit moves CORS properties out of the endpoints namespace as they
do not refer to a "cors" endpoint but rather to the CORS configuration
of all endpoints.
Closes gh-10053
This commit migrates the Actuator onto the new endpoint infrastruture.
In addition to the existing support for accessing the endpoints via
JMX and HTTP using Spring MVC, support for access via HTTP using
Jersey and WebFlux has been added. This includes using a separate
management port where we now spin up an additional, appropriately
configured servlet or reactive web server to expose the management
context on a different HTTP port to the main application.
Closes gh-2921
Closes gh-5389
Closes gh-9796
This commit replaces the Acuator's support for hypermedia with a
single endpoint that returns HAL-formatted links to all of the
available endpoints. This is done without requiring Spring HATEOAS
to be on the classpath in a similar manner to the existing
CloudFoundry discovery endpoint.
Closes gh-9901
Elastic have announced [1] that embedded Elasticsearch is no longer
supported. This commit brings us into line with that announcement by
removing the auto-configuration that would create an Elasticsearch
Node and NodeClient.
To use the Elasticsearch auto-configuration, a user must now provide
the address of one or more cluster nodes
(via the spring.elastisearch.cluster-nodes property) which will then
be used to create a TransportClient.
See gh-9374
[1] https://www.elastic.co/blog/elasticsearch-the-server
Clarify the cache sample and in particular that Infinispan does not
bootstrap with a default configuration file. Hence the custom
`infinispan.xml` configuration is enabled by default if Infinispan is
available on the classpath.
See gh-9417
If the auto-configured `Scheduler` instance backed by JDBC job store is
used as a dependency in an application component, the initialization of
`Scheduler` will be triggered before `QuartzDatabaseInitializer`. This
will result in failure due to schema not being prepared in time for
`Scheduler` to populate job details.
This commit ensures `QuartzDatabaseInitializer` is initialized before the
auto-configured `Scheduler` by introducing a dependency between the two.
See gh-9411
Since SPR-15536, WebFlux.fn is now configured with `@EnableWebFlux`,
along the annotated controllers. Both `RouterFunction` and Controller
instances can now live within the same application and they share
the same web infrastructure.
This commit removes the custom auto-configuration for `RouterFunction`
and relies on `@EnableWebFlux` for that.
Closes gh-9165
Update `SpringApplication` so that the `run` methods and constructors
now require `Class<?>` arguments, rather than `Objects`. String based
sources can still be loaded, but must now be set on the `getSources()`
collections. `Package` and `Resource` types are no longer directly
supported.
This change should help IDEs offer better content assist, and will
help integrations with alternative languages such as Ceylon.
Users currently passing in Class references or using the
`spring.main.sources` property should not be affected by this change. If
an XML resource is being used, some refactoring may be required (see the
changes to `SampleSpringXmlApplication` in this commit).
Fixes gh-9170
This commit changes the default file extension for Mustache templates,
from `.html` to `.mustache`, which is the file extension used in the
official reference documentation and by most IDE plugins.
Fixes gh-8997
Thymeleaf 3.0 implements the Spring 5.0 view infrastructure for WebMVC
and the new WebFlux framework. This commit adds auto-configuration for
the WebFlux support.
In that process, the configuration property for `spring.thymeleaf` has
been changed to add `spring.thymeleaf.servlet` and
`spring.thymeleaf.reactive` for MVC/WebFlux specific properties.
Now that the `spring-boot-starter-thymeleaf` does not only support
Spring MVC, the transitive dependency on `spring-boot-starter-web` is
removed from it.
Fixes gh-8124
This commit moves the existing Spring MVC Mustache support to its own
`servlet` package and adds a new one under `reactive` for the WebFlux
web applications.
New `MustacheView` and `MustacheViewResolver` types resolve and render
Mustache views for WebFlux applications.
Since this templating engine is now supported by two flavors of Spring
web apps, the `spring-boot-starter-mustache` does not depend anymore on
the `spring-boot-starter-web` one: it's up to the developer to add the
relevant starter `web` or `webflux` to their application.
Fixes gh-8648
The neo4j embedded driver no longer embeds the neo4j kernel and users are
expected to add that dependency manually. We don't provide dependency
management for any of them so this commit updates the documentation to
refers to the official documentation.
Closes gh-8567
Previously to this commit, transaction management was only enabled when
a `DataSource` is configured. The processing of `@Transactional`
annotations are now enabled as long as a `PlatformTransactionManager` is
present.
Also, the `spring.aop.proxy-target-class` is now honoured if set, still
defaulting to CGLIB mode.
Closes gh-8434
This commit our Neo4j OGM dependency with the Spring Data Neo4j
snapshots that are currently included in snapshots of Spring Data Kay.
It switches to using Neo4j's Bolt driver by default, aligning it with
the default of the latest Spring Data Neo4j 5 snapshots.
It also contains a workaround for a Neo4j OGM issue [1] and a change
to Neo4jDataAutoConfigurationTests that prevents the entire classpath
from being scanned.
See gh-8687
[1] https://github.com/neo4j/neo4j-ogm/issues/340
Restructure `org.springframework.boot.autoconfigure.web` to better align
with the new package structure in `spring-boot`.
Auto-configuration is now split into client, servlet and reactive
sub-packages. In addition a new `http` package now handles common
HTTP concerns.
Fixes gh-8616
Rework `org.springframework.boot.context.embedded` to relocate classes
to `org.springframework.boot.web`. Packages are now organized around
the following areas:
Packages for shared concerns, for example the `WebServer` interface
to start/stop a server and the common configuration elements:
- org.springframework.boot.web.context
- org.springframework.boot.web.server
Servlet specific packages:
- org.springframework.boot.web.servlet.server
- org.springframework.boot.web.servlet.context
- org.springframework.boot.web.servlet.filter
Reactive specific packages:
- org.springframework.boot.web.reactive.context
- org.springframework.boot.web.reactive.server
Embedded server implementations (both reactive and servlet):
- org.springframework.boot.web.embedded
In addition:
- Rename `EmbeddedServletContainerFactory` to `ServletWebServerFactory`
to align with the `ReactiveWebServerFactory`.
- Rename `EmbeddedWebApplicationContext` to
`ServletWebServerApplicationContext` and
- Rename `EmbeddedReactiveWebApplicationContext` to
`ReactiveWebServerApplicationContext`.
- Add checkstyle rules to restrict imports.
- Fixup all affected code to use the correct imports and local names.
Fixes gh-8532
As of Hazelcast 3.7, the bootstrap is pretty slow by default due to the
networking discovery. This commit disables both TCP/IP and multicast
discoveries.
This commit exposes a `WebTestClient` automatically in a reactive
integration test that uses an embedded web server. This is similar to
what we do with `TestRestTemplate` for servlet based integration tests.
Closes gh-8399
Previously, the custom layout sample could only be built successfully
if spring-boot-dependencies had be installed locally, making its
effective pom available in the local Maven cache.
This commit updates the sample's tests to look at its own pom to
determine the version of Spring Boot that should be used in the
Gradle tests.
Closes gh-8330
This commit refactors the `ServerProperties` property keys and
introduces a separate "server.servlet" namespace to isolate
servlet-specific properties from the rest.
Closes gh-8066
This contract is not specific to servlet containers and should be
reused by all web server implementations (including reactive variants).
Fixes gh-8208
This commit removes `ServerProperties` and `ManagementServerProperties`
auto-configurations. Those properties objects are now created using
`@EnableConfigurationProperties` only.
Closes gh-8108
This commit raises the minimum supported version of Thymeleaf to
3.0.x. It also upgrades Spring Social to a version that is compatible
with Thymeleaf 3.
Closes gh-7450
Closes gh-6258
See gh-7885
Update `ConfigurationPropertiesBindingPostProcessor` so that
`@Validated` is expected to be used to trigger JSR-330 validation.
Any existing configuration classes that use JSR-330 annotations but
don't have `@Validated` will currently still be validated, but will
now log a warning. This should give users a chance to add the requested
annotations before the next Spring Boot release where we will use them
as the exclusive signal that validation is required.
Closes gh-7579
The user property is only available on Unix-like platforms (due to
the USER environment variable). This commit updates the test to
explicitly set a specific property and then check that it's accessible
via the env endpoint rather than using one that is OS-specific.
See gh-7868
See gh-7881
When the context is closed, FileWritingMessageHandler is stopped and
it closes its output files. However, it appears to do so in a manner
which means that they may be closed after the call to close the
context is completed. This causes problems on Windows as files that
are still open cannot be deleted.
This commit adds a workaround to SampleIntegrationApplicationTests
so that it makes up to 10 attempts each 0.5s apart to clean up the
input and output directories.
Update `ManagementWebSecurityAutoConfiguration` to match nested path
for insensitive actuators.
Prior to this commit, when Spring Security was on the classpath
nested paths were considered sensitive (even if the actuator
endpoint was not sensitive). i.e. when setting
`endpoints.env.sensitive=false` `/env` could be accessed without
authentication but `/env/user` could not.
Fixes gh-7868
Closes gh-7881
The default is now SecurityProperties.ACCESS_OVERRIDE_ORDER-1
(instead of 3), and the user can set it with
security.oauth2.resource.filter-order (as opposed to being hard
coded). The filter is provided by Spring OAuth2 so this change is
a BeanPostProcessor to call a setter on that object.
Fixes gh-5072
Update ClassLoaderFilesResourcePatternResolver to support servlet
resources when it's being used with a WebApplicationContext.
Prior to commit 918e122ddc a `ResourceLoader` was not added to the
`ApplicationContext`, meaning that servlet resources could be found by
virtue of the protected `getResourceByPath()` method. Following commit
918e122ddc, the context `ResourceLoader` is set, meaning that all calls
to `getResource` delegate to the `ResourceLoader` and the
`ApplicationContext` methods are not invoked. Since the devtools
`ResourceLoader` wasn't Servlet aware, servlet resources could not
be found.
Fixes gh-7752
Update `JettyEmbeddedServletContainerFactory` to support Jetty 9.4
directly and Jetty 9.3 via reflection. The primary difference between
Jetty 9.3 and 9.4 are the session management classes. Websocket suppport
has also been updates, but this is handled transparently by the
Spring Framework support.
Fixes gh-7599
Update management security to require an `ACTUATOR` role rather than
`ADMIN` by default. This should reduce the risk of users accidentally
exposing actuator endpoints because they happen to use a role named
`ADMIN`.
Fixes gh-7569
This commit promotes the plugin dependency management for the
`maven-enforcer-plugin` and `maven-invoker-plugin` to the root. That way
these can be used in samples as well rather than having a separate copy.
Closes gh-7517