Update endpoint code to provide cleaner separation of concerns.
Specifically, the top level endpoint package is no longer aware of
the fact that JMX and HTTP are ultimately used to expose endpoints.
Caching concerns have also been abstracted behind a general purpose
`OperationMethodInvokerAdvisor` interface.
Configuration properties have been refined to further enforce
separation. The `management.endpoint.<name>` prefix provides
configuration for a single endpoint (including enable and cache
time-to-live). These properties are now technology agnostic (they
don't include `web` or `jmx` sub properties).
The `management.endpoints.<technology>` prefix provide exposure specific
configuration. For example, `management.endpoints.web.path-mapping`
allow endpoint URLs to be changed.
Endpoint enabled/disabled logic has been simplified so that endpoints
can't be disabled per exposure technology. Instead a filter based
approach is used to allow refinement of what endpoints are exposed over
a given technology.
Fixes gh-10176
- Modifying dependencies to starter-web with tomcat exclusion plus
alternative servlet container instead of manual dependency on
spring-webmvc as it is the preferrable way to use alternative servlet
container
- Previously RestTemplate with ssl was configured manually in tests - now
it rellies on autoconfiguration - changed this for multi-connector test
and added test to ensure that ssl autoconfiguration is working
- Most samples with alterntative servlet containers used some kind of
service reading property and returning default since it wasn't
configured - removed it, since it is not specific to using alternative
servlet containers.
See gh-10548
Following some changes in the latest snapshot this includes:
- Some updates to oauth2 client auto-config
- Security auto-config no longer relies on GlobalAuthenticationConfigurerAdapter
- Remove reactive security starter
Closes gh-10704
Update the security request matchers so that a bean is no longer needed
when the matcher is used. Matchers can now be build by starting from
the `EndpointRequest` or `StaticResourceRequest` classes. For example:
http.authorizeRequests()
.requestMatchers(EndpointRequest.to("status", "info")).permitAll()
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
.requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()
Closes gh-7958
This commit combines security autoconfigurations for
management endpoints and the rest of the application. By default,
if Spring Security is on the classpath, it turns on @EnableWebSecurity.
In the presence of another WebSecurityConfigurerAdapter this backs off
completely. A default AuthenticationManager is also provided with a user
and generated password. This can be turned off by specifying a bean of
type AuthenticationManager, AuthenticationProvider or UserDetailsService.
Closes gh-7958
This commit migrates the Actuator onto the new endpoint infrastruture.
In addition to the existing support for accessing the endpoints via
JMX and HTTP using Spring MVC, support for access via HTTP using
Jersey and WebFlux has been added. This includes using a separate
management port where we now spin up an additional, appropriately
configured servlet or reactive web server to expose the management
context on a different HTTP port to the main application.
Closes gh-2921
Closes gh-5389
Closes gh-9796
Thymeleaf 3.0 implements the Spring 5.0 view infrastructure for WebMVC
and the new WebFlux framework. This commit adds auto-configuration for
the WebFlux support.
In that process, the configuration property for `spring.thymeleaf` has
been changed to add `spring.thymeleaf.servlet` and
`spring.thymeleaf.reactive` for MVC/WebFlux specific properties.
Now that the `spring-boot-starter-thymeleaf` does not only support
Spring MVC, the transitive dependency on `spring-boot-starter-web` is
removed from it.
Fixes gh-8124
Rework `org.springframework.boot.context.embedded` to relocate classes
to `org.springframework.boot.web`. Packages are now organized around
the following areas:
Packages for shared concerns, for example the `WebServer` interface
to start/stop a server and the common configuration elements:
- org.springframework.boot.web.context
- org.springframework.boot.web.server
Servlet specific packages:
- org.springframework.boot.web.servlet.server
- org.springframework.boot.web.servlet.context
- org.springframework.boot.web.servlet.filter
Reactive specific packages:
- org.springframework.boot.web.reactive.context
- org.springframework.boot.web.reactive.server
Embedded server implementations (both reactive and servlet):
- org.springframework.boot.web.embedded
In addition:
- Rename `EmbeddedServletContainerFactory` to `ServletWebServerFactory`
to align with the `ReactiveWebServerFactory`.
- Rename `EmbeddedWebApplicationContext` to
`ServletWebServerApplicationContext` and
- Rename `EmbeddedReactiveWebApplicationContext` to
`ReactiveWebServerApplicationContext`.
- Add checkstyle rules to restrict imports.
- Fixup all affected code to use the correct imports and local names.
Fixes gh-8532
Update management security to require an `ACTUATOR` role rather than
`ADMIN` by default. This should reduce the risk of users accidentally
exposing actuator endpoints because they happen to use a role named
`ADMIN`.
Fixes gh-7569
Phillip Webb
Spring Buildmaster
Stephane Nicoll
Andy Wilkinson
Madhura Bhave
Ivan Sopov
Brian Clozel