The InteractiveAuthenticationSuccessEvent is always shadowed by a
regulat AuthenticationSuccessEvent, so there's no need to listen for
all AbstractAuthenticationSuccessEvents.
Fixes gh-4355
This way the MetricCopyExporter can make a sensible choice about
what to do with counter metrics, and cache the latest values, so that
they can be properly incremented.
Fixes gh-4305
Previously, if security.ignored was set to none and the error controller
was disabled, there would be no paths to ignore and we would call
IgnoredRequestConfigurer.antMatchers with an empty array. While a bit
pointless, this had no effect on Spring Security’s configuration.
This behaviour has changed in the latest 4.0.3 snapshots [1]. An empty
array passed to IgnoredRequestConfigurer.antMatchers now maps to /**. As
Spring Boot configures its ignored paths with highest precedence this
means that security is now disabled for every path.
This commit updates both the management security and application
security configuration to avoid calling antMatchers with an empty
array, thereby ensuring that we don’t inadvertently ignore every path.
Even if the change to Spring Security is reverted we can keep this
change. The behaviour will remain the same and, arguably, it makes the
intent of our configuration clearer.
Closes gh-4345
[1] 8663ac4173
The latest Spring Framework 4.2.3 snapshots appear to be trimming
whitespace as part of the binding process. This commit updates the
test's expectations accordingly.
Previously, NamePatternFilter looked for “*”, “$”, “^”, or “+” when
trying to identify a string as being a regular expression. This meant
that it missed the use of a character class ([a-z], for example). This
commit adds “[“} to the list of characters that are considered to be
part of a regular expression.
Closes gh-4233
Previously, the `PORTFILE` system property was not checked if the
`EmbeddedServerPortFileWriter` was created using the default constructor.
This had the effect to prevent overriding of the port file when this
listener is created without any file or via `META-INF/spring.factories`.
Closes gh-4254
Previously, the Actuator’s endpoints did not specify a produces
attribute on their request mappings. With Jackson’s XML binding on the
classpath, this would lead to requests made by a browser receiving
application/xml responses (due to the Accept header indicating that
application/xml is preferred). This was problematic as some of the
response payloads were not legal xml. Problems included XML tags
beginning with ‘\’ or containing ‘#’.
This commit updates the endpoints to specify that they produce
application/json. The environment and metrics endpoints have also been
updated so that always return a JSON object, even when they are
returning a single entry. This consistency avoids problems where
clients may not consider a single scalar value to be legal JSON.
Closes gh-2449
Update EndpointWebMvcAutoConfiguration to no longer catch and ignore
EmbeddedServletContainerExceptions. Since commit 764e34b9, starting a
management on a different port is not even attempted when running in a
classic servlet container. This means that the catch/log logic (which
was originally added in 45315a97) is no longer necessary, and only
serves to hide genuine problems.
Fixes gh-4064
Update TraceWebFilter to optionally trace more details from the
HttpServletRequest/HttpServletResponse. The `management.trace.include`
property can be used to change what aspects are logged.
Closes gh-3948
Previously, EndpointWebMvcChildContextConfiguration would attempt to
create a /error endpoint, irrespective of whether or not the parent
had such an endpoint. If the endpoint was disabled in the parent this
would cause a failure due to the absence of an ErrorAttributes bean.
This commit updates EndpointWebMvcChildContextConfiguration to make
the creation of its /error endpoint conditional on the existence of
an ErrorAttributes bean.
Closes gh-4164
Previously, MetricsFilter would treat async requests the same as
sync requests and would record their response status as soon as the
request had been processed by the filter chain. This would result in a
200 response being recorded and the actual response status produced by
the async processing being ignored. Furthermore, the time that was
recorded for the request would not include the time take for any async processing.
This commit updates MetricsFilter to check whether or not an async
request has been started before it records the metrics for the request.
In the event of an async request having been started no metrics are
recorded. Instead, the StopWatch is stored in a request attribute that
is then retrieved during the filtering of the request’s async
dispatch(es). Once the async processing has completed (isAsyncStarted()
returns false), the StopWatch is stopped, removed from the request’s
attributes and the metrics for the request are recorded.
Closes gh-4098
Update EndpointWebMvcAutoConfiguration to log exception details at DEBUG
in addition to the WARNING message when the child context fails to
start.
See gh-4064
Pull up functionality from EndpointMvcAdapter to a new
AbstractEndpointMvcAdapter which doesn't define any @RequestMappings and
update HealthMvcEndpoint to make use of it.
We need to be a bit cautious about whether Spring Security is on
the classpath or not, but if it is we can test for the admin role
(as specified in `management.security.role`).
Fixes gh-4060
This change applies only to "standard" MVC endpoints (not the extended
ones like /env and /jolokia which already have this feature). Allows
users to supply an endpoints.{name}.path.
Fixes gh-2790
Update ManagementWebSecurityAutoConfiguration to reinstate lazy creation
of EndpointHandlerMapping from the EndpointPathRequestMatcher.
Fixes a regression introduced in eb2984781 and picked up my one of the
sample integration tests.
Fixes gh-4059
Stephane Nicoll
Dave Syer
Andy Wilkinson
Johnny Lim
Phillip Webb
Spring Buildmaster
Wallace Wadge
Marten Deinum