There are some notable differences in the behavior of Spring
Security's reactive and servlet-based web security. Notably,
Servlet-based web security (`@EnableWebSecurity`) works without
any authentication manager, rejecting requests as not authorized.
By contrast reactive-based web security (`@EnableWebFluxSecurity`)
fails to start up when there's no authentication manager, either
provided directly as a bean or derived from a
ReactiveUserDetailsService. There are also further differences at
runtime where empty Monos from all ReactiveAuthenticationManagers
results in an internal error and a 500 response whereas a similar
situation in the servlet implementation results in a 401.
Previously, to accommodate these differences in behavior, Spring
Boot's auto-configuration would behave differently. In the Servlet
case, web security would be enabled whenever the necessary
dependencies were on the classpath. In the reactive case, web
security would back off in the absence of an authentication manager
to prevent a start up failure. While this difference is rooted in
Spring Security, it is undesirable and something that we want to
avoid Spring Boot users being exposed to where possible.
Unfortunately, the situation is more likely to occur than before
as ReactiveUserDetailsServiceAutoConfiguration now backs off more
readily (gh-35338). This makes it more likely that the context will
contain neither a reactive authetication manager not a reactive
user details service.
This commit reworks the auto-configurations related to reactive
security. ReactiveSecurityAutoConfiguration will now auto-configure
an "empty" reactive authentication manager that denies access through
Mono.error in the absence of a ReactiveAuthenticationManager,
ReactiveUserDetailsService, or SecurityWebFilterChain. The last of
these is to allow for the situation where a filter chain has been
defined with an authentication manager configured directly on it.
This configuration of an authentication manager allows
`@EnableWebFluxSecurity` to be auto-configured more readily,
removing one of the differences between reactive- and Servlet-based
security.
Corresponding updates to the auto-configurations for reactive OAuth2
support have also been made. They no longer try to auto-configure
`@EnableWebFluxSecurity`, relying instead upon
ReactiveSecurityAutoConfiguration, which they are ordered before, to
do that instead.
Closes gh-38713
The stream auto-configuration is tested in RabbitStreamConfigurationTests,
and excluding it prevents the creation of the "rabbitStreamEnvironment"
Environment bean, which delays the application context close by 1 second
because it has to wait for some Netty resources to gracefully shut down.
Closes gh-38750
Following the changes in gh-37504, the reactive resource server
auto-configuration could enable WebFlux security in situations where
it was otherwise in active. This could then result in an application
failing to start as no authentication manager is available.
This commit updates the configurations that enable WebFlux security
so that they fully back off unless their related configurations are
active. Previously, only the configuration of the
SecurityWebFilterChain would back off. This has been expanded to
cover `@EnableWebFluxSecurity` as well. This has required splitting
the configuration classes up so that the condition evaluation order
can be controlled more precisely. We need to ensure that the JWT
decoder bean or the opaque token introspector bean has been defined
before evaluation of the conditions for `@EnableWebFluxSecurity`.
Without this control, the import through `@EnableWebFluxSecurity` in
one location where the conditions do not matchcan prevent a
successful import in another where they do.
Fixes gh-38713
Prior to this commit, we set in gh-37388 the ObservationRegistry on the
auto-configured JmsTemplate bean. This enables observations and context
propagation when sending JMS messages.
This commit applies the same to the `DefaultJmsListenerContainerFactory`
and the `DefaultJmsListenerContainerFactoryConfigurer`, in order to
enable observations on `@JmsListener` annotated methods.
This commit also refactors the support implemented in gh-37388 to avoid
relying on a bean post processor and instead set the observation
registry directly in the main auto-configuration: while Micrometer core
is an actuator-only dependency, Micrometer Observation API is a compile
dependnecy for spring-jms itself and there is no need to separate
concerns there.
Fixes gh-38613
Prior to this commit, some properties in the `spring.webflux.multipart`
namespace were ignored for the streaming use case because those were not
supported in streaming mode with `PartEvent`.
As of Spring Framework 6.1, the `max-parts` and
`max-disk-usage-per-part` properties can be supported and this commit
maps those properties accordingly.
Fixes gh-37642
Update `LiquibaseProperties` and `LiquibaseAutoConfiguration` to
support the recently added `setShowSummary` and
`setShowSummaryOutput` methods.
See gh-38274
Rename `KeyVerifier` to `CertificateMatcher` and refactor some
of the internals. This commit also adds test helper classes to
help simplify some of the tests.
See gh-38173
Move `KeyVerifier` to spring-boot-autoconfigure to reduce the
public API required in `PemSslStoreBundle`.
This commit also moves the verify property so that is can be set
per store.
Closes gh-38173
Andy Wilkinson
Moritz Halbritter
Donghun Shin
Lars Uffmann
Brian Clozel
Johnny Lim
Phillip Webb
Moritz Halbritter
Brian Clozel
Andy Wilkinson
Claudio Nave
Yanming Zhou
Eddú Meléndez
Scott Frederick
Zhiyang.Wang1