Ensure that Collections.isEmpty() is used to check if there are no
elements in a collections. This is more explicit and can be faster than
calling .size().
Closes gh-4783
Spring Data’s web support includes a handler method argument resolver,
ProxyingHandlerMethodArgumentResolver, that inaccurately claims that it
can handle all interface handler method arguments. This causes problems
for handler methods that take Spring Mobile’s Device as an argument as
the proxied Device instance does not behave correctly.
This commit works around the problem by assigning an order to the
WebMvcConfigurerAdapter that registers Spring Mobile’s argument resolver
with Spring MVC. This ordering ensures that Spring Mobile’s resolver
takes precedence over Spring Data’s for Device arguments.
Closes gh-4163
Extend ElasticsearchDataAutoConfiguration to also configure an
ElasticsearchConverter and SimpleElasticsearchMappingContext both
of which are required for Spring Data REST.
Closes gh-3847
Google App Engine probits the creation of new threads. This leads to a
failure in BackgroundPreinitializer when the single thread executor
attempts to create its single thread.
This commit enhances the existing fail safety of
BackgroundPreinitializer by catching any exceptions thrown while
creating the executor and submitting the tasks to it. Any initialisation
that has not performed in the background will be performed in the
foreground instead.
Closes gh-4662
Previously, ActiveMQ's pooled connection factory was not closed as
part of the application context being closed. This would leave
non-daemon threads running which could cause shutdown to hang unless
the JVM itself was shutting down (in which case a shutdown hook would
stop the pool).
This commit configures each pooled connection factory bean with a
custom destroy method so that the pool is stopped as part of the
application context being closed. To allow the destroy method to only
be declared when the connection factory is pooled, the bean method
has been split into two; one for pooled and one for non-pooled. This
is a partial backport of the changes made in bedf2edf.
Closes gh-4748
Add a `server.server-header` property which can be used to override the
`server` header usually sent back automatically by Tomcat/Jetty or
Undertow.
See https://www.owasp.org/index.php/Securing_tomcat for background.
Fixes gh-4461
Closes gh-4504
In bedf2edf, the return type of the auto-configuration method that
creates batch's ExitCodeGenerator was changed from ExitCodeGenerator
to JobExecutionExitCodeGenerator but the on missing bean condition
was left unchanged. This means that the auto-configured bean can
only be switched off by a JobExecutionExitCodeGenerator bean, rather
than any bean that implements ExitCodeGenerator.
This commit corrects the use of @ConditionalOnMissingBean to allow any
ExitCodeGenerator bean to switch off the auto-configured one.
Closes gh-4752
Previously, BasicErrorController would return the response status
set in the javax.servlet.error.status_code request attribute when
serving JSON but would also return a 200 OK response when serving
HTML. This didn’t cause much trouble when a person was browsing, but
proved problematic for machine clients that request text/html and care
about the response status. For example, the success handler would be
driven for an XHR request even though the response was really an error.
This commit updates BasicErrorController to set the response status for
text/html responses to match the status that it would use in an
application/json response.
Closes gh-4694
Previously, the auto-configuration for embedded Mongo did not specify
a bind IP so Mongo was started without one. This would lead to Mongo
binding to all available network interfaces. This caused some friction
with the Windows firewall as it would ask for permission every time
embedded Mongo was launched.
This commit updates the auto-configuration to use
spring.data.mongodb.host to configure the bind IP for embedded Mongo.
If spring.data.mongodb.host is null, the auto-configuration will use
the loopback address instead.
Closes gh-4630
Previously, disabling SecurityAutoConfiguration could cause
SecurityFilterAutoConfiguration to fail if Spring Security’s filter
chain bean existing in the context. SecurityFilterAutoConfiguration
relies on SecurityProperties which is created by
SecurityAutoConfiguration. When SecurityAutoConfiguration is disabled,
there’s no SecurityProperties bean so SecurityFilterAutoConfiguration
would fail due to the missing dependency.
This commit updates SecurityFilterAutoConfiguration to create a
SecurityProperties bean if one does not already exist.
Closes gh-4525
A dependency on the Servlet API (the filter's dispatcher types) causes
a failure when Spring Security is used in a non-web application.
This commit removes the dependency on javax.servlet.DispatcherType
in favour of using a Set of Strings. SecurityFilterAutoConfiguration,
which is only enabled for web applications, is the responsible for
converting each String to a DispatcherType.
Closes gh-4505
This commit adds a new property, security.filter-dispatcher-types
that can be used to configure the dispatcher types of Spring
Security's filter chain. The default remains unchanged.
Closes gh-4505
Previously, JerseyAutoConfiguration was a WebApplicationInitializer.
This was problematic as auto-configuration classes should not be ordered
(they should use AutoConfigureBefore etc instead) but the web
application initializer needs to be ordered so that it can run early and
configure Jersey before it runs.
This commit has moved the WebApplicationInitializer implementation into
a separate class so that it can be ordered independently of the
auto-configuration class. Note that the new class must be public for
the servlet container (Tomcat at least) to be able to instantiate it.
Closes gh-4527
The need to set the order of ResourceServerConfiguration was
a bad assumption. The value of the order seems strange as well
(-10), and a comment explaining it makes no sense (a resource
server normally wants its filter *after* not *before* the existing
auth server filter). Removing the bean post processor didn't
fail any tests.
In case there are multiple resource servers in the same context
there was also a problem that they ended up with the same order.
Previously, the `spring.datasource.name` property was ignored when Spring
Boot configures an embedded data source with a connection pool.
`EmbeddedDatabaseConnection` is now aligned to the purely embedded case
to take that property into account.
Closes gh-4586
The SsoSecurityConfigurer that gets added when a user has a custom
WebSecurityConfigurer with @EnableOAuth2Sso is quite opinionated, and
this is preventing users from custimizing the exception handling in the
customized UI security. This change makes it less opinionated, using
request matchers to configure the default instead of ovewriting the
single authentication entry point.
Also adds an entry point responding with a 401 for XHR clients (just like
the vanilla HTTP Basic auth).
Fixes gh-4629
Add a `spring.mvc.static-path-pattern` property which can be used to
configure the path pattern used to serve static resources.
Fixes gh-4444
Closes gh-4448
Update MongoProperties to use `MongoCredential.createCredential` rather
than `MongoCredential.createMongoCRCredential`. This allows connections
to Mongo 3.0 servers to authenticate using the SCRAM-SHA-1 mechanism.
Closes gh-4237
Make sure that the general Hazelcast auto-configuration is processed
before the cache auto-configuration. This was supposed to be fixed and
tested in 721b5a2 but unfortunately the `@AutoConfigureAfter` annotation
was placed on a regular `@Configuration` class (which has no effect).
The tests were passing because the ordering is actually hardcoded in the
test. The relevant tests now use `ImportAutoConfiguration` that simulates
the same order as the one use by the actual application.
Closes gh-4389
Commit 8e0a94f introduced a post processor that adds an explicit link
between the `HazelcastInstance` and the `EntityManagerFactory` so that
Hazelcast is fully initialized before Hibernate actually kicks in.
Unfortunately, the conditions that were implemented to register this post
processor are wrong and any app that has both JPA and Hazelcast support
blows up if no bean with name `hazelcastInstance` is defined.
This commit fixes the situation and reworks the configuration in a
separate auto-configuration that runs after the Hazelcast and JPA support
and check both the presence of an `EntityManagerFactory` and a bean of
name `hazelcastInstance`. If any of those conditions does not apply the
post processor is no longer registered.
Closes gh-4158
Add a BackgroundPreinitializer to trigger early initialization in a
background thread of time consuming tasks. By moving certain
initialization tasks to background thread and triggering them early
we can improve the critical path when the application starts. For
example, Tomcat's MBeanFactory class parses several XML files when
first loaded. If we trigger the load in a background thread it completes
before Tomcat actually needs to use it.
The initial set of initializers included with this commit are:
- Tomcat MBeanFactory
- javax.validation
- Spring's AllEncompassingFormHttpMessageConverter
See gh-4252
Allows users to configure "allowed" file extensions for controller
mappings, so that browsers will not switch to downloading "f.txt"
(part of the recent RFD attack fixes in Spring MVC).
See gh-4220
We can expect that occasionally a user clicks on a login link when
the token is expired. If the UserInfoTokenServices tries to
authenticate the user at that point, it can retain the option to
refresh the expired token if we preserve the state. Since the
state is in session scope all we need to do is to check that the
token that is being checked has the same value as the one in the
OAuth2ClientContext and re-use the context if it is.
Fixes gh-4251
Update `EnableAutoConfigurationImportSelector` to directly use the
RelaxedDataBinder when obtaining excludes. This removes the need for
the additional getProperties method on RelaxedPropertyResolver.
See gh-4352
`spring.application.exclude` is retrieved via the
`RelaxedPropertyResolver` API explicitly and it does not have any
standard API to retrieve a list of values. As a consequence that property
could only be specified as a comma-separated value.
This felt convoluted in YAML. `RelaxedPropertyResolver` has now a
`getProperties` method that works with both comma-separated value and
index elements (i.e. list).
Closes gh-4352
Previously, if security.ignored was set to none and the error controller
was disabled, there would be no paths to ignore and we would call
IgnoredRequestConfigurer.antMatchers with an empty array. While a bit
pointless, this had no effect on Spring Security’s configuration.
This behaviour has changed in the latest 4.0.3 snapshots [1]. An empty
array passed to IgnoredRequestConfigurer.antMatchers now maps to /**. As
Spring Boot configures its ignored paths with highest precedence this
means that security is now disabled for every path.
This commit updates both the management security and application
security configuration to avoid calling antMatchers with an empty
array, thereby ensuring that we don’t inadvertently ignore every path.
Even if the change to Spring Security is reverted we can keep this
change. The behaviour will remain the same and, arguably, it makes the
intent of our configuration clearer.
Closes gh-4345
[1] 8663ac4173
The PROPERTIES creator mode has the unfortunate side-effect of stopping
mixins from working. This commit updates the auto-configured module to
use the DEFAULT creator mode instead.
Closes gh-4336
Make sure that `autoApprove`, `accessTokenValiditySeconds`, and
`refreshTokenValiditySeconds` properties from the `ClientDetails`
are used
Closes gh-4306
Previously it was possible to bind a bean to the root prefix by just
adding `@EnableConfigurationProperties` with the class of said bean.
This use case is misleading and prevents any meta-data to be generated
for that object since the annotation processor reacts on the presence of
the `@ConfigurationProperties` annotation.
If a class is included in the list of configuration properties bean to
create via the `@EnableConfigurationProperties` annotation we now make
sure that the `@configurationProperties` annotation is present on it.
Closes gh-3460
We have some requirements for filter ordering:
1. The character encoding filter must go first
2. Spring Session’s filter should go early
3. RequestContextFilter should go late so that it any request wrapping
performed by other filters is reflected in the request that’s set
in the RequestContextHolder
4. Spring Security’s Filter must go after RequestContextFilter so that
any code called by Filters in Spring Security’s Filter chain can
retrieve the request from RequestContextHolder, for example
OAuth2ClientContextFilter.
See gh-4331
FacesListener in Mojarra 2.2.12 (used in Glassfish 4.1.1) is a
ServletContainerInitializer that’s annotated to handle types annotated
with javax.annotation.Resource.
OAuth2RestOperationsConfiguration.SessionScopedConfiguration is one such
class. This leads to com.sun.faces.config.DelegatingAnnotationProvider
calling getAnnotations on SessionScopedConfiguration.class. This fails
with a java.lang.ArrayStoreException due to SessionScopedConfiguration
being annotated with @ConditionalOnBean(OAuth2ClientConfiguration) and
OAuth2ClientConfiguration not being on the classpath.
DelegatingAnnotationProvider currently catches NoClassDefFoundErrors
thrown during its annotation processing. It needs to be made more
robust so that it also copes with an ArrayStoreException, in a similar
way to how org.glassfish.apf.impl.AnnotationProcessorImpl was updated to
fix GLASSFISH-21265 [1]. I’ve opened an issue to this effect [2].
In the meantime, we can work around the brittleness in
DelegatingAnnotationProvider by restructuring
SessionScopedConfiguration. This commit moves the use of @Resource into
a nested inner class, ClientContextConfiguration, while leaving the use
of @ConditionalOnBean on SessionScopedConfiguration. This means that it
is now ClientContextConfiguration that is passed to FacesListener and
processed by DelegatingAnnotationProcessor, thereby avoiding exposing
it to the @ConditionalOnBean annotation that it does not handle
gracefully. A Glassfish-based deployment test has also been added to
verify the fix.
Closes gh-2079
Closes gh-4321
[1] https://java.net/jira/browse/GLASSFISH-21265
[2] https://java.net/jira/browse/JAVASERVERFACES-4076
Add a BeanFactoryPostProcessor to set PRESERVE_TARGET_CLASS_ATTRIBUTE
to true on all ErrorController bean definitions. Without this attribute
AOP advice on @Controllers causes ErrorController beans to be created
as JDK proxies (since they implement a single valid looking interface)
and therefore not get found by Spring MVC.
Fixes gh-4236
Provide a property to customize the application path that serves as the
base URI for a JAX-RS compliant application. If both `spring.jersey.path`
and an `@ApplicationPath` are present, the property takes precedence.
Closes gh-4201
Update WebMvcAutoConfiguration to use a RequestContextFilter instead of
a RequestContextListener.
Using a filter is required for some Spring Session operations (see
https://github.com/spring-projects/spring-session/issues/129).
This update also has the added benefit of allowing the Response to be
accessed from RequestContextHolder.getRequestAttributes() by casting it
to ServletRequestAttributes.
Fixes gh-2637
Previously, HornetQ and Artemis tests were using a test configuration
class listing the configuration classes to use explicitly in the purpose
of disabling the XA support.
This had a very unfortunate side effect for Artemis as we forgot to add
an import on the "real" configuration and this got unnoticed because of
this duplication.
It turns out that this special configuration class is no longer necessary
as XA backs off automatically anyway now. The tests have been updated
to use the regular auto-configuration and were failing with Artemis. The
import has now be added.
Closes gh-4226
Previously, no `errors` attribute is made available in the standard JSON
error document if a request body object is invalid. This is due to the
fact that the framework throws a `MethodArgumentNotValidException holding
a `BindingResult` object that was not detected.
We now make sure to extract the `BindingResult` from such exception.
Closes gh-4166
Previously, SecurityFilterAutoConfiguration would be created even if
spring-security-web was not on the classpath. This didn't cause a
failure as all of its beans were disabled. It was, however, wasteful,
as the configuration class was processed and a bean created for it
unnecessarily.
This commit makes the whole class conditional on the presence of
spring-security-web so that it will be skipped entirely when the
dependency is not available.
Closes gh-4160
Update SecurityFilterAutoConfiguration to use a DelegatingFilterProxy
filter rather directly referencing the springSecurityFilterChain bean.
Using a DelegatingFilterProxy helps to prevent early initialization of
beans and makes Spring Security work in a similar to way to if were
installed in a regular WAR deployment.
Fixes gh-4154
Spring Security 4’s default configuration will, irrespective of any
other header writers that are added, enable writers for the following
headers:
- X-Content-Type
- X-XSS-Protection
- Cache-Control
- X-Frame-Options
Previously, SecurityProperties.headers used false as the default for the
properties that enable or disable these headers but the configuration is
only applied when the properties are true. This left us with the right
default behaviour (the headers are enabled) but meant that the
properties could not be used to switch off the headers.
This commit changes the defaults for the four properties to true and
updates SpringBootWebSecurityConfiguration to only apply the
configuration when the properties are false. This leaves us with the
desired defaults while allowing users to disable one or more of the
properties by setting the relevant property to false.
Closes gh-3517
The second level cache of Hibernate can be configured with dedicated
factories that look up for the presence of a cache infrastructure. As
Hibernate shouldn't have to know about Spring, that lookup is done
against the respective proprietary APIs.
We now make sure that caching (and the general purpose Hazelcast
auto-configuration) is fully processed before JPA kicks in. In particular
an explicit `dependsOn` attribute on those beans is added when they are
processed.
Closes gh-4158
When the actuator is enabled, Spring Boot provides two `MBeanExporter`
bean definitions: a general purpose one and a dedicated one for Actuator
endpoints.
This commit flag the general purpose one `@Primary` so that component
can safely inject it by type if necessary. In particular, this fix the
doc of the `JmxMetricWriter`.
Closes gh-4007
Instead of always creating a new ElasticSearch client, we now check for
the presence of a custom bean configuration and use that if it's
available.
Closes gh-4143
Closes gh-4146
Previously, if Solr 5 was on the classpath, SolrAutoConfiguration
would fail with a rather cryptic error message due to a change in the
inheritance hierarchy of CloudSolrServer between Solr 4 and Solr 5.
This commit updates SolrAutoConfiguration to be conditional on a
class that exists in Solr 4 but was removed in Solr 5. This has the
effect of switching off the auto-configuration when Solr 5 is on
the classpath, allowing the auto-configuration report to be used to
identify why the configuration was disabled. The documentation has
also been updated to state that Spring Boot does not currently support
Solr 5.0.
Closes gh-2795
Default will extract an "authorities" key from the map coming from the
server. No existing servers I am aware of actually send that data, but
it might be helpful as a default nevertheless. User can override the
default by adding a bean of that type.
Fixes gh-3711
The latest Spring Framework 4.2.2 snapshots have reworked
EventListenerMethodProcessor so that it no longer queries a proxies
target class. Previously, when this was happening, it happened early
in the context's lifecycle when the bean's concrete type was unknown.
The led to the target class being set as the proxied interface.
With the latest 4.2.2 snapshots, the first call to
AopUtils.getTargetClass() happens in the test, by which time the
actual concrete type of the bean is known. This commit updates the
test so that its expectations match the more precise result.
ClassUtils.isPresent(String, ClassLoader) swallows all Throwables when
trying to load a class by name. For this reason
UnsupportedClassVersionError will also be swallowed when user code is
trying to use a driver library which has been compiled with a later
JDK than the one the application is running with. All the user would
see was "Cannot load driver class". This change simply propagates the
UnsupportedClassVersionNumberError so that it is easier for users to
find the root cause of the problem.
Closes gh-4082
Closes gh-4091
If a DataSource class is found in the classpath then
EmbeddedDataSourceConfiguration will not be used, so the in-memory
database will not be shutdown on application context closing.
As a result, unnecessary database initialization may cause subsequent
tests to fail, for example see [1].
[1] https://github.com/spring-projects/spring-boot/issues/1712
Previously, if an application used JPA and declared its own Flyway bean,
startup would fail. The custom Flyway bean would switch off
auto-configuration of the FlywayMigrationInitializer bean but the
context’s entity manager factory beans would still be configured to
depend on the migration initialiser.
This commit splits the post-processor that configures the dependencies
into two. One that configures the dependency on the Flyway bean and
one that configures the dependency on the FlywayMigrationInitializer
bean. When to auto-configuration of the FlywayMigrationInitializer is
switched off, the auto-configuration of the latter dependency is also
switched off.
Closes gh-4079
For reasons I don't (yet?) understand, shutting down the databases
proactively triggers a StackOverflowError in Jersey. Reverting the
change while I try to figure out what's going in.
Update all TemplateAvailabilityProvider implementations to use the
relaxed property binder. Also fix FreeMarkerTemplateAvailabilityProvider
to use `template-loader-path` rather than `path`.
Fixes gh-4085
Update the logged auto-configuration report so that each line includes
"matched", "did not match" text. This helps when looking to see if a
specific auto-configuration class was applied or not.
Fixes gh-4084
This commit updates ConditionalOnJava to remove a dependency on the
deprecated JdkVersion API from Spring Framework. In its place it now
looks for the presence of certain classes to determine the version of
Java on which its running.
Closes gh-4005
Previously `spring.velocity.charset` only controlled the output encoding
with the templates being loaded with the default encoding. We now
consistently set the same value for both the input and output encodings.
It is still possible to override it to a different value using
`spring.velocity.properties.input.encoding`
Closes gh-3994
Previously `spring.velocity.charset` only controlled the output encoding
with the templates being loaded with the default encoding. We now
consistently set the same value for both the input and output encodings.
It is still possible to override it to a different value using
`spring.velocity.properties.input.encoding`
Closes gh-3994
Update `ServerProperties` to automatically enable `use-forward-headers`
when running on a cloud platform.
A new `CloudPlatform` enum has been introduced that detects Heroku and
Cloud Foundry.
See gh-4018
Add a new `server.use-forward-headers` property which can be used to
switch on X-Forwarded-For header support in all supported embedded
servlet containers.
This commit reverts the decision to enable `RemoteIpValve` with Tomcat
by default (gh-3782) and requires that either `user-forward-headers` is
set to true or that `server.tomcat.protocol-header` or
`server.tomcat.remote-ip-header` are set.
See gh-4018
See gh-3782
In order to have more control on the structure of the configuration, we
do not bind to `RepositoryRestConfiguration` directly anymore. This
commit introduces `RepositoryProperties` instead.
See gh-3854
Closes gh-4073
This commit adds auto-configuration support for WebSocket-based
messaging. When the user enables WebSocket messaging (typically via
@EnableWebSocket and @EnableWebSocketMessageBroker) and an ObjectMapper
bean exists, a MappingJackson2MessageConverter that uses the
ObjectMapper will be configured. This causes any spring.jackson.*
configuration to affect WebSocket message conversion in the same way
as it affects HTTP message conversion.
Closes gh-2445
Add `error.include-stacktrace` configuration option to determine when
stack trace attributes should be added. Options are `never`, `always`
or `on-trace-param`.
Prior to this commit stacktrace attributes were never includes in HTML
responses, and only included in JSON responses when a `trace` request
parameter was set to `true`. This has now been changed so that,
by default, stacktrace attributes are never included.
The BasicErrorController includes a protected method that can be
overridden if includes should be different depending on the `produces`
mapping.
Closes gh-2371
This commit simplifies the Jackson-related auto-configuration that’s
applied when Spring HATEOAS and Spring Data REST are on the classpath.
Previously, Boot used Jackson2HalModule to apply the HAL-related
ObjectMapper configuration to the context’s primary ObjectMapper. This
was to allow HAL-formatted responses to be sent for requests accepted
application/json (see gh-2147). This had the unwanted side-effect of
polluting the primary ObjectMapper with HAL-specific functionality.
Furthermore, Jackson2HalModule is an internal of Spring HATEOAS that
@olivergierke has asked us to avoid using.
This commit replaces the use of Jackson2HalModule with a new approach.
Now, the message converters of any RequestMappingHandlerAdapter beans
are examined and any TypeConstrainedMappingJackson2HttpMessageConverter
instances are modified to support application/json in addition to their
default support for application/hal+json. This behaviour can be disabled
by setting spring.hateoas.use-hal-as-default-json-media-type to false.
This property is named after Spring Data REST’s configuration option
which has the same effect when using Spring Data REST. The new property
replaces the old spring.hateoas.apply-to-primary-object-mapper property.
Previously, when Spring Data REST was on the classpath,
JacksonAutoConfiguration would be switched off resulting in the context
containing multiple ObjectMappers, none of which was primary.
This commit configures RepositoryRestMvcAutoConfiguration to run after
JacksonAutoConfiguration. This gives the latter a chance to create its
primary ObjectMapper before the former adds its ObjectMapper beans to
the context.
Previously, the actuator’s hypermedia support assumed that the
HttpMessageConverters bean would contain every HttpMessageConverter
being used by Spring MVC. When Spring HATEOAS is on the classpath this
isn’t the case as it post-processes RequestMappingHandlerAdapter beans
and adds a TypeConstrainedMappingJackson2HttpMessageConverter to them.
This wasn’t a problem in the past as the primary ObjectMapper, used by a
vanilla MappingJackson2HttpMessageConverter, was configured with Spring
HATEOAS’sJackson2HalModule. Now that this pollution has been tidied up
the assumption described above no longer holds true. MvcEndpointAdvice,
which adds links to the actuator’s json responses, has been updated
to look at the HttpMessageConverters of every
RequestMappingHandlerAdapter when it’s trying to find a converter to
use to write a response with additional hypermedia links.
Integration tests have been added to spring-boot-actuator to ensure
that the changes described above have not regressed the ability to
configure its json output using spring.jackson.* properties (see
gh-1729).
Closes gh-3891
Update DataSourceProperties exceptions to include a less misleading
message. Errors message now note that you may need to add an embedded
database to the classpath or active a profile to pickup specific
settings.
Fixes gh-4012
Relocate several auto-configuration classes to `...autoconfigure.data`
to make it clearer that they are Spring Data specific.
Also moved `EntityManagerFactoryBuilder` to `spring-boot` since it is
generally useful and doesn't need to be directly tied to the
auto-configuration module.
Fixes gh-4002
The parameter names module allows users of Java 8 that have compiled
their code with the -parameters option to avoid the name for
annotations to map the json onto constructor and method parameters
with the names of the parameters being used instead.
This commit adds auto-configuration for the module that will only
be enabled when running on Java 8.
Closes gh-3804
For the character encoding filter to work, it's vital that it sets
the request's encoding before any other filters attempt to read the
request. This commit updates the order of
OrderedCharacterEncodingFilter to be HIGHEST_PRECEDENCE and improves
the existing test to check that the ordering is as required.
Closes gh-3912
- Rename local variable to avoid shadowing field with the same name
- Add a test to verify that local.mongo.port is set on the parent
context
Closes gh-3955
Previously, a StackOverflowError would occur when using a random port
for embedded mongo as the logic for propagating the property up the
context hierarchy would repeatedly use the leaf context's parent.
This commit updates the logic to look to see if the current context
has a parent, only calling the method again if it does.
Closes gh-3956
Update HibernateJpaAutoConfiguration to catch LinkageError rather than
NoClassDefFoundError. Required due to the fact that JBoss EAP 6 wraps
NoClassDefFoundErrors.
Fixes gh-3605
Since the meta-data now provide an explicit support for value hints, we
should not copy/paste them in the description as the IDE is able to
process them any way it wants.
Closes gh-3863
All the filters added explicitly by Spring Boot now have order <=
FilterRegistrationBean.REQUEST_WRAPPER_FILTER_MAX_ORDER (value 0).
There is nothing we can do about the DispatcherServlet and anything
else downstream of the filter chain.
Fixes gh-3613
Spring HATEOAS 0.19.0.RELEASE provide support for resolving a link’s
title by looking up the key _links.$rel.title. For us to take advantage
of this in Spring Boot, HalHandlerInstantiator must be created using
the link relation message source that’s automatically created by
HateoasConfiguration.
Closes gh-3860
Add aliases for `@ComponentScan`attributes on `@SpringBootApplication`
so that it is possible to customize how the component scan should be
applied on the project.
Previously, one would have to revert to `@EnableAutoConfiguration` to
achieve the same result.
Closes gh-3368
Provide a general purpose Hazelcast integration (i.e. not tied to caching).
Auto-configure a `HazelcastInstance` either based on the presence of a
`Config` bean or a configuration file. Said configuration file can be
specified explicitly or automatically found from default locations.
The cache integration already supports Hazelcast so it has been reworked
to automatically reuse an existing `HazelcastInstance` if available.
Closes gh-2942
This commit ensures that even when a user specifies a
WebSecurityConfiguration that the order of Spring Security's Filter
is still configured.
Closes gh-3824
See gh-3703
Spring MVC requires all handlers for the same path to be on the same handler
so if anyone wants to add new handlers for different content types they
have to copy a lot of code from BasicErrorController. This change increases
the visibility of the basic utility methods in BasicErrorController so that
custom handlers can be added easily.
Fixes gh-3828
Previously, native cache libraries were favored over a standard JSR-107
implementation. If a user has a working setup using JCache with one
provider and switch to another provider, his setup may be broken if we
happen to provide a native support for the new provider.
We now consistently favor JSR-107 if it is present. Native support can
still be enabled via the `spring.cache.type` property.
Closes gh-3822
Previously we had to create a fake Properties object as the factory did
not provide individual setters for the SSL configuration. This has been
added as part of Spring AMQP 1.5.0.RC1 so we're using those instead.
Closes gh-3754
Previously, `ResourceUrlEncodingFilter` was registered even if the
resource chain handling was disabled (which is the default).
We now take care of registering it only if the resource chain handling is
enabled.
Closes gh-3353
Given that Spring Boot uses java config accross the board, a new `value`
attribute is now aliased to the existing `classes` attribute such that
one could write the following:
@SpringApplicationConfiguration(MyConfig.class)
public class MyTest {}
Closes gh-3635
The `spring.datasource.name` property was hidden behind the 'name'
attribute of the Tomcat connection pool (since we are mapping all
datasource implementations on the `spring.datasource` namespace.
This commit replace the injected value by hand with the use of the
regular `DataSourceProperties`. That way, we generate proper meta-data
for it as well.
Closes gh-3755
A new `spring.datasource.type` property can now be used to configure the
connection pool implementation to use (rather than only relying on Boot's
preferences).
Closes gh-3705
Previously, to use a custom ConfigurableWebBindingInitializer, it was
necessary to extend WebMvcConfigurationSupport and override
getConfigurableWebBindingInitializer. This had the unwanted
side-effect of switching off the auto-configuration of Spring MVC.
This commit updates the auto-configuration to look for a
ConfigurableWebBindingInitializer bean and register it with Spring
MVC.
Closes gh-2526
Add a new `@ImportAutoConfiguration` annotation that can be used by
tests that wish to selectively import certain auto-configuration
classes. Also add `@AutoConfigurationPackage` so that package
registration is decoupled from `@EnableAutoConfiguration`.
An added benefit of the change is @EnableAutoConfigurationImportSelector
can now be subclassed to provide custom annotation support if needed.
Fixes gh-3660
See gh-2772
Harmonize the configuration properties for Undertow to match the changes
made for gh-2491.
Move `spring.undertow.accessLog*` to `spring.undertow.accesslog.*`
Add `directory`, `prefix` and `suffix` properties to further customize
how access logs are configured on Tomcat. Relocate all properties to the
`server.tomcat.accesslog` namespace.
`server.tomcat.accessLogPattern` and `server.tomcat.accessLogEnabled` are
deprecated and replaced by `server.tomcat.accesslog.pattern` and
`server.tomcat.accesslog.enabled` respectively.
Closes gh-2491
Three conditions must be met for the console to be enabled:
- H2 is on the classpath
- The application is a web application
- spring.h2.console.enabled is set to true
If spring-boot-devtools is on the classpath, spring.h2.console.enabled
will be set to true automatically. Without the dev tools, the enabled
property will have to be set to true in application.properties.
By default, the console is available at /h2-console. This can be
configured via the spring.h2.console.path property. The value of this
property must begin with a '/'.
When Spring Security is on the classpath the console will be secured
based on the user's security.* configuration. When the console is
secured, CSRF protection is disabled and frame options is set to
SAMEORIGIN for its path. Both settings are required in order for the
console to function.
Closes gh-766
Update the `@EnableAutoConfiguration` annotation to include an `include`
attribute which can be used to specify specific auto-configuration
classes.
Primarily added to so that tests can selectively auto-configure without
needing to worry about class import order.
Fixes gh-3660
Add an auto-configuration that avoid a Spring Boot user to add
`@EnableConfigurationProperties` to its configuration to benefit from
that feature.
As our own auto-configurations are tested independently, such annotation
is still present to avoid a useless reference to this new
auto-configuration.
Closes gh-2457
Previously, BeanTypeRegistry would only look for a @Bean method
with no arguments when trying to determine the type that will be
created by a factory bean. This meant that the type produced by a
factory bean declared via a @Bean that has one or more arguments would
be unknown and any on missing bean conditions look for a bean of the
type produced by the factory bean would match in error.
This commit updates BeanTypeRegistry to, where possible, use the
factory method metadata for the bean definition when determining the
type that will be created. This allows it to determine the type for
factory bean created by @Bean methods that take arguments and also
avoids the use reflection to find the factory method. Where factory
method metadata is not available, the existing reflection-based
approach is used as a fallback.
Closes gh-3657
Add `spring.autoconfigure.exclude` to control the list of
auto-configuration classes to exclude via configuration. Merge the
exclusions defined on the `@EnableAutoConfiguration` or
`@SpringBooApplication` if any.
Closes gh-2435
Currently, the default TemplateResolver had no specific order. Thymeleaf
handles that with a "always first" strategy (that can be confusing if
several TemplateResolver have a "null" order.
While it is a fine default (and changing it could lead to weird side
effects), it has to be changed as soon as another TemplateResolver bean
is defined in the project.
The `spring.thymeleaf.template-resolver-order` property has been added to
control the order of the default TemplateResolver.
Closes gh-3575
Allow to disable the auto-startup flag of the default JMS and RabbitMQ
containers. This effectively permit to disable automatic listening via
configuration.
Closes gh-3587
While the doc states that the default value is '/', setting that value
explicitly will lead to an error since we enforce that the default root
is the empty string.
Changing the doc will probably be more confusing than anything else so
we're now cleaning the user's provided value if necessary
Closes gh-3554
This commit adds a new "Unconditional classes" section to the
auto-configuration report. It lists any auto-configuration classes
that do not have any class-level conditions, i.e. the class will be
always be part of the application's configuration.
Closes gh-2209
A RepositoryRestMvcConfiguration subclass provided by a user is
problematic in a Spring Boot application as it causes
RepositoryRestMvcConfiguration's bean declarations to be processed
before any auto-configuration runs.
One problem that this causes is that it switches off Boot's Jackson
auto-configuration due to RepositoryRestMvcConfiguration having
already declared multiple ObjectMapper beans. Unlike Boot's
auto-configured ObjectMapper, none of these ObjectMappers are marked
as @Primary. This then leads to wiring failures due to multiple
candidates being available.
To address this problem a new RepositoryRestConfigurer abstract has been
introduced in Spring Data Gosling. Its use is now strongly preferred
over subclassing RepositoryRestMvcConfiguration. Note that our own
RepositoryRestMvcConfiguration subclass remains. It is imported as part
of auto-configuration (avoiding the ordering problems described above),
and provides configuration properties binding for
RepositoryRestConfiguration. However, the Jackson ObjectMapper
configuration has been moved out into a new RepositoryRestConfigurer
implementation.
While SpringBootRepositoryRestMvcConfiguration remains, this commit
makes it package private to discourage users from subclassing it. While
this may break existing applications, it, coupled with the documentation
updates, will hopefully guide them toward using
RepositoryRestConfigurer.
Closes gh-3439
It has to come after MongoDataAutoConfiguration (not
MongoAutoConfiguration) because it looks for beans that are defined
there (e.g. MongoMappingContext which is the one that scans for entities).
Fixes gh-3577
Also copies the ExpressionParser (the only public getter), trust
resolver and permission evaluator (if available in the context). Changes
the logic to not replace an existing OAuth2MethodSecurityExpressionHandler
so that users can override simply by providing a bean of that type.
Fixes gh-3542
Restore the deprecated method to give people a change to migrate. The
@DeprecatedConfigurationProperties annotation is now used to generate
the deprecated meta-data, removing the need for manual meta-data.
Closes gh-3537
Update Tomcat, Jetty and Undertow to serialize session data when the
application is stopped and load it again when the application restarts.
Persistent session are opt-in; either by setting `persistentSession`
on the ConfigurableEmbeddedServletContainer or by using the property
`server.session.persistent=true`.
Fixes gh-2490
Previously, the prefix was spring.embedded-mongodb. This was
inconsistent with the prefixes for Artermis and HornetQ which are
spring.artemis.embedded and spring.hornetq.embedded respectively.
See gh-2002
Embedded MongoDB is now auto-configured when it is on the classpath.
The Mongo instance will listen on the port specified by the
spring.data.mongodb.port property. If this property has a value of
zero and randomly allocated port will be used. In such an event, the
MongoClient created by MongoAutoConfiguration will be automatically
configured to use the port that was allocated.
By default, MongoDB 2.6.10 will be used. This can be configured using
the spring.embedded-mongodb.version property. Mongo's sync delay
feature is enabled by default. This can be configured using the
spring.embedded-mongobd.features property.
Closes gh-2002
Expose acknowledgment mode, concurrency, prefecth and transaction size
settings in configuration for the default
`RabbitListenerContainerFactory`.
Closes gh-3479
Previously, an item could only have a 'deprecated' boolean flag to
indicate that the property is deprecated. It is desirable to provide an
additional description for the deprecation as well as the name of the
property to use instead.
The `deprecated` boolean flag is now supported. Instead, a `deprecated`
object can be specified with two optional attributes: `reason` to provide
an explanation for the deprecation and `replacement` to refer to the
property that should be used instead. If none of them is present, an
empty deprecation object should be set.
For backward compatibility, the `deprecated` field is still set.
Deprecation information can only set via manual meta-data.
Closes gh-3449
This commit adds a new property, spring.jackson.time-zone, that can be
used to configure the time zone that Jackson uses when configuring
dates. It affects the serialisation of both JDK and Joda date types.
Closes gh-3505
We envision that IDE will support auto-completion for known types in the
future, for instance Charset, MimeType, Resource and Locale. Some of our
own configuration keys use a raw String type whereas they actually
represent a higher-level concept.
We now make sure to expose these with a better type, if applicable.
Closes gh-2898
It is not possible to put `@Order` on nested `@Configuration` classes and
there is no ordering guarantee of them anyway. Previously, we relied on
the declaration order to check if the `test-connection` flag should apply
to an existing `JavaMailSenderImpl`. It turns out at the
`JavaMailSenderImpl` bean was not created at that time and so the
evaluation was wrongly failing.
To make that more explicit, that code is now in its own
auto-configuration with an explicit `@AutoConfigureAfter` declaration.
Since the JNDI support could be affected by the exact same issue, it has
been restored to its own package private configuration class that is
processed before the `MailSenderAutoConfiguration` content is evaluated.
Closes gh-3478
Never inject a transaction manager (user can create his own
"rabbitListenerContainerFactory" bean if he wants an actual
non-JTA transaction manager.
See gh-3432
If set *and* there is a transaction manager in the context, then the
listener container created by Spring Boot will use the transaction
manager to execute the listeners.
Fixes gh-3432 (by virtue of not requiring a JtaTransactionManager any
more).
Liquibase has a `changeLog` property that is definitely used as a
`Resource` but cannot be defined as such as the original String value
should be kept against an API we don't control.
Update the tests also to make it more clear that if hints are added
against a property that is detected automatically, said property still
keeps all its auto-discovered capabilities.
Closes gh-3457
Replace the enum provider by a more general purpose provider that can
substitute the type of the property for the purpose of auto-completing
the values.
"handle-as" can be used for enums but for any type that the IDE
understands such as locale, charset, mime-type and Spring's resource
abstraction.
Closes gh-3457
The `strategy` group is not detected in the meta-data because the
Strategy inner class is not defined at the "right" level in the
hierarchy.
For now, `@NestedConfigurationProperty` was added to workaround the
issue. Once gh-3454 is solved, we should remove them.
Add support for the following server properties which can be used to
configure the session:
server.session.tracking-modes
server.session.cookie.name
server.session.cookie.domain
server.session.cookie.path
server.session.cookie.comment
server.session.cookie.http-only
server.session.cookie.secure
server.session.cookie.max-age
In addition `server.session-timeout` is now deprecated and has been
replaced with `server.session.timeout`.
Fixes gh-3240
Unfortunately, we have no other choice to flip the ignoreUnknownFields
attribute of `SecurityProperties` has many different target are now set
for that namespace outside the class. See gh-3445 for a potential way
to improve that.
Closes gh-3327
Ensure that FlywayAutoConfiguration and LiquibaseAutoConfiguration occur
after HibernateJpaAutoConfiguration so that the DependsOnPostProcessor
condition can correctly check for a LocalContainerEntityManagerFactory
bean.
Fixes gh-3437
Update the `ManagementServerPort` detection logic to attempt direct
property resolution before looking for a local property bean
definition. Bean definitions provided by auto-configuration classes
are ignored.
This change allow `OnManagementMvcCondition` to use the
`ManagementServerPort` to determine when `EndpointWebMvcConfiguration`
should apply (removing the need to create a temporary context).
See gh-3345
Use AbstractTemplateViewResolverProperties as the base class for
GroovyTemplateProperties since the Spring GroovyMarkupViewResolver is
an AbstractTemplateViewResolver.
The auto-configuration for Groovy is now more aligned with the existing
Freemarker and Velocity auto-configuration, with a `resourceLoaderPath`
property being used instead of `prefix`.
Fixes gh-3365
Closes gh-3374
If a `JavaMailSenderImpl` is available, check that the underlying mail
server is available on startup. Add a `spring.mail.test-connection`
property to control this behaviour.
Closes gh-3408
If a JtaTransactionManager is present, it is associated with the
auto-created JmsListenerContainerFactory. However, if no such transaction
manager is present, local transaction support is not enabled.
This gives a default situation where the message is acknowledged even
before the listener is invoked. We now make sure to turn on local JMS
transactions if no JtaTransactionManager is present.
Fixes gh-3393
Previously, JacksonHttpMessageConvertersConfiguration would configure a
general-purpose MappingJackson2HttpMessageConverter only if there was
no existing MappingJackson2HttpMessageConverter in the application
context. This was problematic when a
TypeConstrainedMappingJackson2HttpMessageConverter bean was present.
Such a bean is only capable of performing conversion for a specific
type, and therefore is no substitute for a general purpose converter,
yet its presence was causing the auto-configuration of a general
purpose converters to be turned off. This would leave Spring MVC’s
default converter being used for application/json requests which would
not honour the user’s Jackson configuration.
This commit enhances @ConditionalOnMissingBean so that the annotation
can be used to specify one or more types that should be ignored when
searching for beans. This allows the
TypeConstrainedMappingJackson2HttpMessageConverter beans that are
published by Spring Data REST to be ignored such that the
general-purpose MappingJackson2HttpMessageConverter is still
auto-configured.
Fixes gh-2914
Update MustacheViewResolver so that buildView() is called to create
the MustacheView. This sets fields such as `contentType` and allows us
to remove explicit setApplicationContext() and setServletContext()
calls.
Fixes gh-3265
GzipFilterProperties uses HttpMethod so GzipFilterAutoConfiguration,
which uses GzipFilterProperties, needs to be conditional on HttpMethod
being on the classpath.
Closes gh-3362
There is a new spring.factories entry for
org.springframework.boot.actuate.autoconfigure.EndpointWebMvcConfiguration
which loads extra beans into the MVC config for the Actuator.
If the management context is a child context all the beans go in the
child (except the Spring Security filter still). A big bonus is that
you can add WebConfigurerAdapters to configure static resources etc.
A new component called ManagementContextResolver can be used to
locate the ApplicationContext for the MVC endpoints.
Fixes gh-3345
By default, Jetty uses a singleton shutdown thread, registered as a
shutdown hook, to stop its components. This single thread breaks the
restart logic in devtools as a second restart causes a second attempt to
start the singleton shutdown thread which fails with an
IllegalStateException. This processing is unnecessary in a Spring Boot
application as the application context’s lifecycle when ensure that
Jetty is shutdown.
This commit updates the embedded Jetty container to remove its
components from Jetty’s shutdown thread. This leaves the thread with
no components to manage at which point it removes its registration as a
shutdown hook.
Closes gh-3343
This commit improves support of the Resource Handling features
introduced in Spring Framework 4.1. Those features add new ways to
resolve and transform static resources in applications.
See [this blog
post](https://spring.io/blog/2014/07/24/spring-framework-4-1-handling-static-web-resources)
for more details.
The `ResourceUrlEncodinFilter` is added for compatible template engines:
Velocity and Thymeleaf. It assists them with rewriting the URLs of
static resources when rendering templates.
New keys are added in the `ResourceProperties` in order to configure
the Resource Handling chain. `ResourceResolvers` and
`ResourceTransformers` are registered accordingly in
`WebMvcAutoConfiguration`.
Here is an example of enabling a `ContentVersionStrategy` on all
static resources, meaning their names will be changed for cache
busting purposes by adding a content hash at the end of the file name.
Like "/js/jquery.js -> /js/jquery-872ca6a9fdda9e2c1516a84cff5c3bc6.js".
```
spring.resources.chain.enabled:true
spring.resources.chain.strategy.content.enabled:true
spring.resources.chain.strategy.content.paths:/**
```
Closes gh-1604
Closes gh-3123
Previously, an address that ended in a "/" would result in the virtual
host being an empty string. This was inconsistent with setVirtualHost
which would map an empty string to "/".
This commit updates the address parsing logic to call setVirtualHost
rather than assigning the value directly to this.virtualHost. This
ensures that the special handling for an empty string is applied
consistently.
Closes gh-3304
Update ElasticsearchAutoConfiguration to allow `http.enabled` and
`node.local` settings to be specified by ElasticsearchProperties.
Fixes gh-2805
Closes gh-2913
Add auto-configuration support for Apache Artemis which was formed when
HornetQ was donated to the Apache Foundation. The majority of this code
is based on the HornetQ auto-configuration.
Fixes gh-3154
Closes gh-3246
This commit adds support for automatically configuring Spring Session.
In a web application when both Spring Session and Spring Data Redis
are on the classpath, Spring Session's Redis Http Session support
will be auto-configured. The max inactive interval for Redis-backed
sessions can be configured via the environment using the existing
server.session-timeout property.
Closes gh-2318
Migrate `spring.view.prefix` and `spring.view.suffix` to
`spring.mvc.view.prefix` and `spring.mvc.view.suffix` respectively. The
former properties are still handled in a backward compatible way and are
defined as deprecated in the meta-data.
Closes gh-3250
Improve SpringApplicationAdminMXBean to expose additional information:
* Whether the application uses an embedded container
* The properties exposed by the `Environment`
This allows to know if the application is web-based and the HTTP port
on which it is running.
Closes gh-3067
Update MongoAutoConfiguration to create a `MongoClient` bean rather than
`Mongo` and update `MongoDataAutoConfiguration` to remove the call to
the deprecated `SimpleMongoDbFactory`.
Fixes gh-3105
Closes gh-3126
Add a new `spring.mvc.async.request-timeout` property which can be used
to configure AsyncSupportConfigurer.setDefaultTimeout(..).
Fixes gh-2900
Closes gh-3236
Create an EmbeddedVelocityToolboxView which supports loading toolbox.xml
files from the application classpath as well as the ServletContext. The
VelocityAutoConfiguration class has been updated to use the new view.
This change allows the `spring.velocity.toolbox-config-location`
property to work with embedded servlet containers.
Fixes gh-2912
CacheConfigFileCondition was not properly tested, leading to various
potential source of errors (that last one being gh-3233). This condition
is now tested properly.
This is related to 38cca9c but for the Rabbit support. Update
RabbitAnnotationDrivenConfiguration to only associate a JTA transaction
manager, if any.
Closes gh-3222
Make sure that the EhCache support is triggered if
`spring.cache.ehcache.config` is set and the cache type is set to `auto`.
Same thing for Hazelcast.
Closes gh-3227
It can just catch all exceptions from the remote /user endpoint
because in a resource server it needs to throw `InvalidTokenException`
and in an SSO setting it will never be called.
Fixes gh-3205
Previously, spring.groovy.template.configuration.* was mapped onto both
GroovyTemplateProperties.configuration and GroovyMarkupConfigurer. The
former being a Map and the latter being specific type with getters and
setters. This clash caused problems with the IDE support.
GroovyTemplateProperties.configuration appeared to be dead code so it
was removed in 326bdf2. Unfortunately this broke the use of
spring.groovy.template.configuration.* properties as
GroovyTemplateProperties uses a prefix of spring.groovy.template and it
no longer had a configuration property.
This commit addresses the problem by updating GroovyTemplateProperties
to ignore unknown fields. This allows
spring.groovy.template.configuration.* properties to be used and bound
to GroovyMarkupConfigurer without reintroducing the clash which prompted
the initial change.
Closes gh-3198
The JMS MessageListenerContainer supports the PlatformTransactionManager
abstraction with either a `JmsTransactionManager` for local transactions
or `JtaTransactionManager` for distributed transactions. The former is
kind of deprecated (`setTransacted` should be used instead). In any case,
any other `PlatformTransactionManager` implementation is not supported.
Update JmsAnnotationDrivenConfiguration to only associated a JTA
transaction manager, if any.
Closes gh-3150
hibernate.ejb.naming_strategy_delegator and hibernate.ejb.naming_strategy
cannot be used at the same time but Boot sets the latter automatically.
We now only set the naming strategy if no delegator has been specified
via configuration
Closes gh-3149
Only affects the default AuthenticationManagerBuilder (so when users
are not overriding the default global user details). Makes the
UserDetailsService effectively available as it would be if we used
AuthenticationManagerBuilder.inMemoryAuthentication() as a
shared object in the HttpSecurity.
Fixes gh-3152
Add an explicit link to the `RedisAutoConfiguration` to make sure it is
applied before the cache counter-part. Request the general
`redisTemplate` so that non String-values can be handled by default as
well.
See gh-2633
Remove `spring.cache.config` as it is too generic and does not express
enough what is configured. This property is replaced by cache library
specific properties, that is `spring.cache.ehcache.config`,
`spring.cache.hazelcast.config`, `spring.cache.infinispan.config` and
`spring.cache.jcache.config`.
See gh-2633
Allow SSL to be configured via standard configuration as well as the
requestedHeartbeat. Switch to RabbitConnectionFactoryBean.
Closes gh-2655, gh-2676
User can enable OAuth2 SSO by declaring the intent (@EnableOAuth2Sso)
and also configuring the client properties (spring.oauth2.client.*).
The spring.oauth2.sso.* are only needed to change the path for the
login (defaults to /login) - any other security configuration for the
protected resources can be added in a WebSecurityConfigurerAdapter
which carries the @EnableOAuth2Sso annotation.
* Automatically spin up Authorization Server and Resource Server
* Automatically configures method level security included OAuth2Expression handler
* Wrote extensive unit tests verifying default behavior as well as the auto-configuration backing off when custom Authorization/Resource servers are included
* Created org.springframework.boot.security.oauth2 subpackage to contain it
* Can also disable either resource of authorization server completely with a single property for each
* Print out the auto-generated secrets and other settings
* Added spring-boot-sample-secure-oauth2 to provide a sample that can be run and poked with curl as well as some automated tests.
* Make users ask for which servers to install by adding @Enable*
* User has to @EnableGlobalMethodSecurity instead of using properties files
Add Spring Security OAuth2 support to Spring Boot CLI
* Triggered from either @EnableAuthorizationServer or @EnableResourceServer
* Needs to have @EnableGlobalMethodSecurity to allow picking the annotation model.
* By default, comes with import support for @PreAuthorize, @PreFilter, @PostAuthorize, and @PostFilter via a single start import
* Also need import support for the enable annotations mentioned above.
* Added extra test case and sample (oauth2.groovy)
- Apply project’s code formatting and conventions
- Don’t use the IO and worker thread configuration when creating the
worker for the AccessLogReceiver. The IO and worker thread
configuration is for HTTP request processing and a worker in its
default configuration should be sufficient for the access log
receiver.
- Don’t use a temporary directory as the default for the access log
directory. A temporary directory makes (some) sense for Tomcat as it
requires a directory for its basedir. Undertow has no such
requirement and using a temporary directory makes it hard to locate
the logs. The default has been updated to a directory named logs,
created in the current working directory.
- Document the new properties in the application properties appendix
Closes gh-3014
This commit adds support for configuring Undertow's access log via the
environment using the following properties:
server.undertow.access-log-enabled
server.undertow.access-log-pattern
server.undertow.access-log-dir
See gh-3014
Previously, JacksonAutoConfiguration would register any Jackson Module
beans with every ObjectMapper found in the application context. This
was not consistent with the rest of the Jackson auto-configuration,
which is only applied to ObjectMappers that are created or configured
via the auto-configured Jackson2ObjectMapperBuilder.
This commit removes the code that registers Jackson Module beans with
every ObjectMapper. Such beans will still be registered with
ObjectMappers created or configured using the auto-configured
Jackson2ObjectMapperBuilder. This aligns the configuration of Module
with the rest of the ObjectMapper configuration and makes it possible
for users to create an ObjectMapper bean and still have complete control
over the modules that are registered with it.
Closes gh-2489
A recent change to the internals of RequestMappingHandlerMapping
broke to Spring Mobile-related tests as they were using reflection
to verify that the configuration had been applied correctly.
This commit makes the tests more robust by using the Java API to
access the interceptors for a request and verify that the expected
interceptor is present. To further simplify the tests, the unnecessary
use of an embedded servlet container factory has also been removed.
SpringApplicationLifecycle provides basic lifecycle operations on the
current Spring Boot application (that is checking if the application has
fully started and gracefully terminate the app). It can be registered as
an MBean of the platform MBean server if a specific property is set.
The Maven plugin uses that MBean to check that the application is ready
before ending the "start" phase. It uses it to trigger a proper shutdown
of the application during the "stop" phase.
If the process has to be forked, the platform MBean server is exposed on
a configurable port so that the maven plugin can connect to it.
Such change permits the maven plugin to integrate a classical integration
test scenario where the "start" goal is invoked during the
pre-integration phase and the "stop" goal during the post-integration
phase.
Closes gh-2525
Allow the display-name of the application to be customized when deployed
in an embedded container via the `server.display-name` property.
Closes gh-2600
Updated to the `EmbeddedCacheManager` interface and added support for
default cache configuration.
Added dependencies management for the JCache support with tests
Fixes gh-2906, see gh-2633
Include auto-configuration support for Infinispan. It is possible
to specify the caches to create via `spring.cache.cache-names`.
Provider also allow to set configuration file via `spring.cache.config`.
See gh-2633
Work in 1b3efd4 actually introduced a regression: if a CacheManager is
created via a custom configuration file, it is no longer post-processed.
This commit makes sure to also customize a CacheManager that was
created that way.
See gh-2848
Expose the underlying cache infrastructure bean if Boot auto-configures
it. This is the case for ehCache, hazelcast and JCache. This change has
two side effects:
1. It is now possible to customize the underlying cache infrastructure
and let Boot only wrap it in the Spring's CacheManager abstraction. No
customizations are applied if the caching-specific service is customized
2. Such infrastructure is disposed when the application terminates as
it is now defined as `@Bean` and both `close()` and `shutdown()` methods
are invoked if present on the target type.
While the latter can be troublesome, we feel that a particular cache
instance is not meant to be shared and must be disposed when the
application terminates.
Closes gh-2848
This commit adds support for configuring the JSP servlet’s init
parameters via the environment using server.jsp-servlet.init-parameters.*.
As part of this change the configuration of registerJspServlet and
jspServletClassName have been moved onto a new type, JspServlet, and the
existing setters on ConfigurableEmbeddedServletContainer have been
deprecated. In addition to providing a model for configuring the JSP
servlet that’s consistent with the model for other configuration (SSL,
for example), this change also means that the class name and whether or
not the servlet is registered at all can now also be configured via the
environment.
Closes gh-2825
While this is a breaking change, continuing with Spring Social
Facebook 1.1.x is also broken as it is no longer compatible with
Facebook's API. Upgrading to 2.0.1.RELEASE may require some changes
to be made to users' applications, but it will allow their
applications to use the Facebook API once again.
Closes gh-2837
In addition to the changes already made in 1.2.x, this commit updates
the tests in spring-boot-actuator to ensure that any Elasticsearch
data files are written into the target directory. This avoids problems
when switching branches caused by different versions of Elasticsearch
trying to read the files.
By default, Elasticsearch writes it data to ./data. This led to data
being left on the filesystem after a mvn clean which could cause
failures when moving between branches that use different versions of
Elasticsearch.
This commit updates the tests for the Elasticsearch sample and
the Elasticsearch auto-configuration classes to write the
Elasticsearch data and logs into the target directory.
Remove the configuration map defined in `GroovyTemplateProperties` which
isn't used. Ironically, that configuration map was exposed with the exact
same prefix as `GroovyMarkupConfigurer`, which broke IDEs support since
two entries had the exact same prefix.
Fixes gh-2840
SpringApplicationLifecycle provides lifecycle operations on the current
Spring Boot application. It can be registered as an MBean of the platform
MBean server if a specific property is set. Besides, the JMX name can
also be customized via a property in case more than one Spring Boot
application is started in the same process.
The Maven plugin uses that MBean to check that the application is ready
before ending the "start" phase. It uses it to trigger a proper shutdown
of the application during the "stop" phase.
If the process has to be forked, the platform MBean server is exposed on
a configurable port so that the maven plugin can connect to it.
Such change permits the maven plugin to integrate a classical integration
test scenario where the "start" goal is invoked during the
pre-integration phase and the "stop" goal during the post-integration
phase.
Closes gh-2525
To allow us to determine the type that Spring Integration’s
GatewayProxyFactoryBean will create, the bean definition created by
MessagingGatewayRegistrar needs to set the factoryBeanObjectType
attribute. The current implementation of BeanTypeRegistry requires the
attribute’s value to be a Class, however this would require Spring
Integration’s namespace handler to load the class and class loading
should be avoided in namespace handlers.
This commit updates BeanTypeRegistry so that it supports both Class and
String values for the factoryBeanObjectType. If the value is a String
it will interpret it as a class name and attempt to load it.
See gh-2811
Provide a TransactionTemplate if one PlatformTransactionManager is
present.
Relocated the jta support as a nested package of the new transaction
package that hosts the transaction template auto-configuration. To avoid
package tangles, links between auto-configurations have been reversed.
Closes gh-2464
Closes gh-2809
Update FlywayAutoConfiguration to support pluggable migration
strategies. Rather than always calling flyway.migrate(), users can now
provide a FlywayMigrationStrategy @Bean to call whatever methods they
wish.
Fixes gh-1814
This commit updates Spring Boot to use Spring Security 4. As a result
of this, the coordinates of Thmyeleaf's Spring Security extra, for
which dependency management and auto-configuration is provided, have
been updated to the Spring Security 4 variant.
Closes gh-2727
The versions in the dependency management for the various datastore
dependencies have been aligned with those used by Spring Data Fowler.
The Data REST tests and sample application has been updated to configure
the base path in favour of the deprecated base uri property
Closes gh-2673
This commit adds support for configuring an ObjectMapper's
serialization inclusion using the environment via the
spring.jackson.serialization-inclusion property. The property's value
should be one of the values on the JsonInclude.Include enumeration.
Relaxed binding of the property value to the enum is supported. For
example:
spring.jackson.serialization-inclusion: non_null
Closes gh-2532
Previously GsonHttpMessageConvertersConfiguration was unconditional
with its nested configuration class being
@ConditionalOnClass(Gson.class). This led to the unnecessary
registration of the GsonHttpMessageConvertersConfiguration bean when
Gson isn't on the classpath.
This commit moves the condition up onto the outer class so that no
Gson-related beans are created when Gson is not on the classpath.
Closes gh-2778
Add a new ConditionalOnSingleCandidate condition that determines if the
condition should match only if autowiring by type is guaranteed to
succeed. Used by auto-configuration that relies on a single candidate of
a given type (for instance, the JdbcTemplate auto-configuration relies on
the presence of a DataSource).
Such wiring by type will succeed if only one bean of that type is present
or if one matching instance is flagged "primary" amongst the candidates.
ConditionalOnSingleCandidate is a basic version of ConditionalOnBean that
only accepts a single type and does not determine a defaut based on its
presence on a bean definition.
Closes gh-1702
According to the spec, specifying a custom URI when retrieving a
`javax.cache.CacheManager` might be used as a way to transmit the
location of a custom configuration file to initialize the underlying
cache manager.
If `spring.cache.config` is set, we use that information to retrieve a
CacheManager with that configuration file. Unfortunately, hazelcast does
not support this feature so we are setting the property key it expects
instead.
See https://github.com/hazelcast/hazelcast/issues/4943
Closes gh-2743
Previously, EhCacheCacheConfiguration could be triggered even if the
ehcache library is not present. This commit adds the missing
`ConditionalOnType` that now guards the configuration properly.
See gh-2633
Certain cache manager implementations are located in the
spring-context-support module that isn't pulled automatically.
As a result, the related cache auto-configurations should make sure that
the relevant CacheManager implementation is available.
See gh-2633
Prior to this commit, the auto-configuration report (both in its logged
form and the actuator endpoint) listed the positive and negative matches
but did not list the classes, if any, that the user had excluded.
This commit updates the logged report and the actuator endpoint to
expose a list of the excluded class names configured via the exclude
attribute on @EnableAutoConfiguration.
Closes gh-2085
Tomcat uses the strings “on” and “off” to enable and disable
compression. YAML interprets on as true and off as false, leaving
ServerProperties.Tomcat.compression configured with “true” and “false”
respectively. One solution is to use “on” rather than on and “off”
rather than off in the YAML file but users may not realise that they
need to do so.
This commit updates the connector customiser that configures compression
to map “true” to “on” and “false” to “off”.
Closes gh-2737
Include auto-configuration support for EhCache with auto-detection of
the default `ehcache.xml` at the root of the classpath. EhCache
configuration can also be set via `spring.cache.config`.
See gh-2633
Add support for cache manager auto-configuration that is triggered when
the `EnableCaching` annotation is added to a Spring Boot application.
A new "spring.cache" set of configuration keys is also provided. The
"spring.cache.mode" allows the user to specify the cache provider that
should be auto-configured. If no explicit configuration is provided,
the environment is checked for the best suited cache implementation,
that is:
- Generic if at least one `Cache` bean is defined in the context.
- Hazelcast if either a default configuration file is present or the
`spring.cache.config` property is set.
- JCache if one JSR-107 provider is present
- Redis if a `RedisTemplate` is defined in the context
- Guava
- Simple as a fallback option, using concurrent maps
- NoOp (that is, no cache) if the mode is set to "none"
If the provider supports it, it is possible to specify the caches
to create on startup via `spring.cache.cache-names`. If the provider
relies on a configuration file and a custom one needs to be used
`spring.cache.config` can be set to such custom resource.
If more than one JSR-107 provider is present, it is possible to force
the provider to use by setting the mode to `jcache` and specifying the
fully qualified class name of the CachingProvider to use via
`spring.cache.jcache.provider`.
See gh-2633
SmartApplicationListener has been superseded by GenericEventListener as
of Spring Framework 4.2. It will be eventually deprecated and removed.
Migrate our event listeners to use the new contract.
Closes gh-2576
Previously, SpringBootWebSecurityConfiguration required a web
application and @EnableWebSecurity to be on the classpath.
@EnableWebSecurity is in spring-security-config so this could lead
to the configuration being active when spring-security-web isn't
on the classpath but the rest of Spring Security is.
This commit updates SpringBootWebSecurityConfiguration to also make it
conditional on a class in spring-security-web.
Fixes gh-2717
Spring Framework’s ParamterizedRowMapper has been deprecated since
3.1 and has been removed in 4.2. Spring Batch currently relies on
ParameterizedRowMapper, making it incompatible with 4.2. To allow us to
build successfully against 4.2, this commit ignores Spring Boot’s tests
that use Spring Batch’s JDBC support.
See gh-2575
In Spring Framework 4.1, @Order on a @Configuration class had no effect.
This allowed us to use it on auto-configuration classes to control
the ordering of auto-configuration classes without it having any
broader implications for configuration class ordering.
Spring Framework 4.2 now honours @Order on @Configuration classes. This
breaks a number of tests where we were relying on the order that the
classes were passed to register when evaluating various bean conditions.
This commit replaces the use of @Order on auto-configuration classes
with a new annotation, @AutoConfigureOrder. The new annotation is
handled by AutoConfigurationSorter where it’s used to order
auto-configuration classes. This allows us to order auto-configuration
classes without the unwanted side-effect of this also affecting the
general ordering of configuration classes.
See gh-2575
Previously, only a handful of properties could be set when
auto-configuring an Elasticsearch client. This commit introduces support
for configuring arbitrary properties using the
spring.data.elasticsearch.properties prefix. For example,
client.transport.sniff can be configured using
spring.data.elasticsearch.properties.client.transport.sniff.
Closes gh-1838
Previously, a TransportClient sniff property could not be configured
while using Spring Boot’s Elasticsearch auto-configuration. This commit
adds a new property, spring.data.elasticsearch.client-transport-sniff,
that can be used to configure the TransportClient while continuing to
use the auto-configuration support.
Closes gh-1838
In ActiveMQ 5.11 the signature of
PooledConnectionFactory.setConnectionFactory has changed. It now takes
an Object rather than a ConnectionFactory. This change is not binary
backwards compatible so it causes a NoSuchMethodError as we compile
against 5.10.
This commit updates ActiveMQConnectionFactoryConfiguration to call
the setConnectionFactory method reflectively, looking for both the
ConnectionFactory and Object variants.
Closes gh-2640
Unfortunately it still has to happen in a @PostConstruct (otherwise
JPA never sees the schema in time), but we can delay a bit by not
using @Autowired. Appears to fix the Spring Cloud problem
(https://github.com/spring-cloud/spring-cloud-config/issues/105).
Fixes gh-2658
We currently officially support Jackson 2.4, but some users wish to
use Jackson 2.5. This causes a failure as JacksonAutoConfiguration
depends on JacksonJodaFormat which exists in 2.4 but not in 2.5. This
commit updates JodaDataTimeJacksonConfiguration to make it conditional
on JacksonJodaFormat being on the classpath. This means that Jackson
2.5 users will not have configurable DateTime formatting
(added in 201fb5e5) but things will generally work once again.
Closes gh-2573
Previously, MongoProperties did not consider the configuration of a
custom authentication database when creating a MongoClient. This
commit updates MongoProperties to use the authentication database
when it is configured, falling back to the normal database when it is
not configured.
Closes gh-2562
Update ElasticsearchAutoConfiguration to ensure that local nodes are
closed when the context is closed. Prior to this commit the close()
method of the Client would be called which had no effect for local
Nodes.
Fixes gh-2480
Rename RepositoryRestMvcBootConfiguration to
SpringBootRepositoryRestMvcConfiguration so that it follows the same
naming pattern as other custom Spring Boot configurations.
See gh-2392
We allow the serialization format of dates to be configured using
spring.jackson.date-format. However, this property only applies to
java.util.Date instances and has no effect on a Joda DateTime.
This commit updates our auto-configuration for Jackson to allow
the format string that is used to serialize a Joda DateTime to be
configured. A new property, spring.jackson.joda-date-time-format has
been introduced. When configured, it is used to configure the
serialization format for a Joda DateTime. When it is not configured,
we fall back to using spring.jackson.date-format. If this fails,
either because the format string is incompatible (unlikely) or because
the user's configured the fully-qualified name of a DateFormat class,
a warning is logged encouraging the use of
spring.jackson.joda-date-time-format.
Fixes gh-2225
Prior to this commit, Module beans were registered with all
ObjectMapper beans, but were not registered with the auto-configured
Jackson2ObjectMapperBuilder. This meant that any ObjectMapper created
with the builder but not exposed as a bean would not have the Module
beans registered with it. One such ObjectMapper is the one used by the
auto-configured MappingJackson2XmlHttpMessageConverter. This caused
XML (de)serialization to be different to JSON (de)serialization.
This commit updates JacksonAutoConfiguration to register all of the
application context's Module beans with the auto-configured
Jackson2ObjectMapperBuilder. This ensures consistent configuration
of any ObjectMapper that's created using the builder, irrespective of
whether or not that ObjectMapper is also exposed as a bean, and
also ensures that (de)serialization of JSON and XML is consistent.
See gh-2327
Since the BasicAuthenticationEntryPoint does its own
challenge when authentication fails, we need to add that
entry point in the SpringBootWebSecurityConfiguration
explicitly.
Fixes gh-2483
If an application defines a custom RepositoryRestMvcConfiguration, all
Spring Boot defaults are lots. While this sounds sensible, it can be
confusing as Spring Boot exposes properties (`spring.data.rest.*`) that
are no longer honored.
RepositoryRestMvcBootConfiguration is now public and can be used as an
extension point for those who need to customize the Spring Data REST
configuration and keep boot's specific defaults.
Fixes gh-2392
Update ConditionEvaluationReport so that, whenever a negative outcome
is added for a source, any existing outcomes for inner classes of that
source are updated with a non-matching outcome that indicates that the
outer configuration did not match.
Conditions are evaluated in two phases; PARSE_CONFIGURATION first and
REGISTER_BEAN second. If a parent class’s conditions match in
PARSE_CONFIGURATION then its inner classes will have their
PARSE_CONFIGURATION conditions evaluated. If they all match, the inner
class will be reported as a positive match in the auto-configuration
report even if the outer class does not match as a result of the
subsequent evaluation of a REGISTER_BEAN condition.
Fixes gh-2122
Tomcat 8's default DataSource implemention is an MBean. Previously,
when such a DataSource was consumed from JNDI and an MBeanExporter had
been auto-configured an attempt would be made to export this MBean to
the MBean server. This would fail due to Tomcat having already
registered the MBean.
This commit updates JndiDataSourceAutoConfiguration to instruct the
MBeanExporter (if there is one) not to export a DataSource MBean
that's been retrieved from JNDI. The assumption is that any MBean in
JNDI will have already been registered with the MBean server by the
same infrastructure that registered it with JNDI.
Fixes gh-2397
Stephane Nicoll
Phillip Webb
Kirill Vlasov
Andy Wilkinson
Jacob Swanson
Artur Konczak
Eddú Meléndez
mnhock
Johnny Lim
Dave Syer
Jean de Klerk
Spring Buildmaster
cornelcreanga@yahoo.com
Bohuslav Burghardt
awgtek
Kyle Lieber
Vedran Pavic
Marten Deinum
Benedikt Ritter
Alexander Tokarev
mackeprm
Michael Stummvoll
Julien Dubois
Fabricio Colombo
Paweł Doleciński
Pei-Tang Huang
james
Barry Lagerweij
Rob Winch
madorb
Eric Fenderbosch
Martin Lippert
Joao Pedro Evangelista
Eric Bottard
jhernan
Johannes Stelzer
Henryk Konsek
Josh Thornhill
Ivan Sopov
Brian Clozel
cohee016
Andreas Ahlenstorf
Kamil Szymanski
dgomesbr
Sebastien Deleuze
Greg Turnquist
Marcos Barbero
Craig Walls
Raphael Ackermann
Maciej Walkowiak