SecurityAutoConfiguration, via its import of
AuthenticationManagerConfiguration, requires spring-security-config
to be on the classpath as AuthenticationManagerConfiguration extends
GlobalAuthenticationConfigurerAdapter from spring-security-config.
This commit makes SecurityAutoConfiguration conditional on the
presence of GlobalAuthenticationConfigurerAdapter so that the
auto-configuration will be disabled in its absence rather than causing
an app to fail to start.
Closes gh-2046
This commit adds support to the CLI for launching a custom
SpringApplication implementation. The class that is launched can be
configured using the spring.application.class.name System property
or the SPRING_APPLICATION_CLASS_NAME environment variable with the
former taking priority.
Closes gh-2030
When the user provides their own AuthenticationManager we do a lazy
initialization and didn't (till now) inject the AuthenticationEventPublisher
Fixes gh-2033
Shares the /health endpoint request mapping between security config
and MVC dispatcher. Generalizes so that instead of a marker
interface (AnonymouslyAccessibleMvcEndpoint), an MvcEndpoint
signals that it wants to control its own access rules by adding
a Principal to the @RequestMapping method parameters (more @MVC).
Fixes gh-2015 slightly differently
The changes in 3bb598a overload the health endpoint's sensitive
property such that it's now considered sensitive if management
security is enabled. When an endpoint is sensitive anonymous
access is prevented. This breaks the health endpoint which should
return a filtered view of the server's health when it's accessed
anonymously rather than rejecting the request.
This commit introduces AnonymouslyAccessibleMvcEndpoint, a marker
extension of the MvcEndpoint interface. It is implemented by
HealthMvcEndpoint. ManagementSecurityAutoConfiguration has been
updated to allow anonymous access to endpoints that aren't sensitive
or that implement AnonymouslyAccessibleMvcEndpoint.
Fixes gh-2015
Previously, any property defined in a @Deprecated class were not marked
as deprecated as only the getter or field was inspected for the
annotation.
An additional check on the class has been added to handle this case.
Fixes gh-2014
Set the field javadoc of many properties that are managed via
configuration so that the "description" field is available in the
meta-data.
Closes gh-1808
Previously, the host had to have a custom value for the configuration
of the port or credentials (username and password) to take effect. This
meant, for example, that you couldn’t just set the port or just set the
username and password while using the default host.
This commit allows the port or username and password to be configured
without also configuring the host. The default host (localhost) and
port (27017) are retained.
Fixes gh-2008
Previously, when @EnableAutoConfiguration was used in multiple packages,
the last @EnableAutoConfiguration that was processed would
win and only its package would be stored as an auto-configuration
package.
This commit updates AutoConfigurationPackages to allow multiple package
name registrations. AutoConfigurationPackages.set(…) has been altered to
augment the constructor arguments of the BeanDefinition registered for
the initial call to the method so that the packages handed to the method
call will be added to the bean definition and not replace the previous
ones. The method has been renamed register(…) to reflect the changed
behavior.
Closes gh-1994
before checking isEnabled(). It is explicitly constructed as null
in ManagementServerProperties to prevent class not found errors
at runtime when Security is not on the classpath.
Fixes gh-2003, fixes gh-2004
Spring MVC drives the postHandle method on any interceptors after the
response has been sent to the client. This meant that there was a
race between the test receiving the response and asserting that the
interceptor had been driven and Spring MVC driving the interceptor.
This commit updates the interceptor to use a CountDownLatch to track
whether or not it's been called. The test now waits for up to 30
seconds for the latch to be decremented.
Closes gh-1997
In a properties file, a backslash is used as an escape character for
the line terminator sequence to allow values to be split across
multiple lines. When a backslash is used elsewhere they're stripped
out of the property's value.
This commit updates .properties-based examples for configuring
server.tomcat.internal-proxies to escape the backslahes so that they
are retained in the property's value at runtime.
See gh-1989
By default, when /health is accessed anonymously, the details are
stripped, i.e. the response will only indicate UP or DOWN. Furthermore
the response is cached for a configurable period to prevent a denial
of service attack.
This commit adds a configuration property,
endpoints.health.restrict-anonymous-access, that can be set to false
to allow full anonymous access to /health. When full access is
allowed, the details will be included in the response and the response
will not be cached.
Closes gh-1977
Previously, TestInterceptor used an int to keep a count of how often
it had been called. The count was incremented on one thread and
read on another thread. This lead to intermittent test failures as the
field was not declared volatile and a stale value would sometimes be
returned.
This commit updates TestInterceptor to use an AtomicInteger that's
held in a final field. This ensures that getCount() will not return
stale values and also ensures that the count can safely be incremented
concurrently.
Closes gh-1997
Andy Wilkinson
Dave Syer
Phillip Webb
Stephane Nicoll
Oliver Gierke
Spencer Gibb
Sjoerd Mulder
Andrea Vacondio