Previously, the auto-configuration for embedded Mongo did not specify
a bind IP so Mongo was started without one. This would lead to Mongo
binding to all available network interfaces. This caused some friction
with the Windows firewall as it would ask for permission every time
embedded Mongo was launched.
This commit updates the auto-configuration to use
spring.data.mongodb.host to configure the bind IP for embedded Mongo.
If spring.data.mongodb.host is null, the auto-configuration will use
the loopback address instead.
Closes gh-4630
Previously, disabling SecurityAutoConfiguration could cause
SecurityFilterAutoConfiguration to fail if Spring Security’s filter
chain bean existing in the context. SecurityFilterAutoConfiguration
relies on SecurityProperties which is created by
SecurityAutoConfiguration. When SecurityAutoConfiguration is disabled,
there’s no SecurityProperties bean so SecurityFilterAutoConfiguration
would fail due to the missing dependency.
This commit updates SecurityFilterAutoConfiguration to create a
SecurityProperties bean if one does not already exist.
Closes gh-4525
A dependency on the Servlet API (the filter's dispatcher types) causes
a failure when Spring Security is used in a non-web application.
This commit removes the dependency on javax.servlet.DispatcherType
in favour of using a Set of Strings. SecurityFilterAutoConfiguration,
which is only enabled for web applications, is the responsible for
converting each String to a DispatcherType.
Closes gh-4505
This commit adds a new property, security.filter-dispatcher-types
that can be used to configure the dispatcher types of Spring
Security's filter chain. The default remains unchanged.
Closes gh-4505
Previously, JerseyAutoConfiguration was a WebApplicationInitializer.
This was problematic as auto-configuration classes should not be ordered
(they should use AutoConfigureBefore etc instead) but the web
application initializer needs to be ordered so that it can run early and
configure Jersey before it runs.
This commit has moved the WebApplicationInitializer implementation into
a separate class so that it can be ordered independently of the
auto-configuration class. Note that the new class must be public for
the servlet container (Tomcat at least) to be able to instantiate it.
Closes gh-4527
The need to set the order of ResourceServerConfiguration was
a bad assumption. The value of the order seems strange as well
(-10), and a comment explaining it makes no sense (a resource
server normally wants its filter *after* not *before* the existing
auth server filter). Removing the bean post processor didn't
fail any tests.
In case there are multiple resource servers in the same context
there was also a problem that they ended up with the same order.
Previously, the `spring.datasource.name` property was ignored when Spring
Boot configures an embedded data source with a connection pool.
`EmbeddedDatabaseConnection` is now aligned to the purely embedded case
to take that property into account.
Closes gh-4586
The SsoSecurityConfigurer that gets added when a user has a custom
WebSecurityConfigurer with @EnableOAuth2Sso is quite opinionated, and
this is preventing users from custimizing the exception handling in the
customized UI security. This change makes it less opinionated, using
request matchers to configure the default instead of ovewriting the
single authentication entry point.
Also adds an entry point responding with a 401 for XHR clients (just like
the vanilla HTTP Basic auth).
Fixes gh-4629
Add a `spring.mvc.static-path-pattern` property which can be used to
configure the path pattern used to serve static resources.
Fixes gh-4444
Closes gh-4448
Update MongoProperties to use `MongoCredential.createCredential` rather
than `MongoCredential.createMongoCRCredential`. This allows connections
to Mongo 3.0 servers to authenticate using the SCRAM-SHA-1 mechanism.
Closes gh-4237
Make sure that the general Hazelcast auto-configuration is processed
before the cache auto-configuration. This was supposed to be fixed and
tested in 721b5a2 but unfortunately the `@AutoConfigureAfter` annotation
was placed on a regular `@Configuration` class (which has no effect).
The tests were passing because the ordering is actually hardcoded in the
test. The relevant tests now use `ImportAutoConfiguration` that simulates
the same order as the one use by the actual application.
Closes gh-4389
Commit 8e0a94f introduced a post processor that adds an explicit link
between the `HazelcastInstance` and the `EntityManagerFactory` so that
Hazelcast is fully initialized before Hibernate actually kicks in.
Unfortunately, the conditions that were implemented to register this post
processor are wrong and any app that has both JPA and Hazelcast support
blows up if no bean with name `hazelcastInstance` is defined.
This commit fixes the situation and reworks the configuration in a
separate auto-configuration that runs after the Hazelcast and JPA support
and check both the presence of an `EntityManagerFactory` and a bean of
name `hazelcastInstance`. If any of those conditions does not apply the
post processor is no longer registered.
Closes gh-4158
Add a BackgroundPreinitializer to trigger early initialization in a
background thread of time consuming tasks. By moving certain
initialization tasks to background thread and triggering them early
we can improve the critical path when the application starts. For
example, Tomcat's MBeanFactory class parses several XML files when
first loaded. If we trigger the load in a background thread it completes
before Tomcat actually needs to use it.
The initial set of initializers included with this commit are:
- Tomcat MBeanFactory
- javax.validation
- Spring's AllEncompassingFormHttpMessageConverter
See gh-4252
Allows users to configure "allowed" file extensions for controller
mappings, so that browsers will not switch to downloading "f.txt"
(part of the recent RFD attack fixes in Spring MVC).
See gh-4220
We can expect that occasionally a user clicks on a login link when
the token is expired. If the UserInfoTokenServices tries to
authenticate the user at that point, it can retain the option to
refresh the expired token if we preserve the state. Since the
state is in session scope all we need to do is to check that the
token that is being checked has the same value as the one in the
OAuth2ClientContext and re-use the context if it is.
Fixes gh-4251
Update `EnableAutoConfigurationImportSelector` to directly use the
RelaxedDataBinder when obtaining excludes. This removes the need for
the additional getProperties method on RelaxedPropertyResolver.
See gh-4352
`spring.application.exclude` is retrieved via the
`RelaxedPropertyResolver` API explicitly and it does not have any
standard API to retrieve a list of values. As a consequence that property
could only be specified as a comma-separated value.
This felt convoluted in YAML. `RelaxedPropertyResolver` has now a
`getProperties` method that works with both comma-separated value and
index elements (i.e. list).
Closes gh-4352
Previously, if security.ignored was set to none and the error controller
was disabled, there would be no paths to ignore and we would call
IgnoredRequestConfigurer.antMatchers with an empty array. While a bit
pointless, this had no effect on Spring Security’s configuration.
This behaviour has changed in the latest 4.0.3 snapshots [1]. An empty
array passed to IgnoredRequestConfigurer.antMatchers now maps to /**. As
Spring Boot configures its ignored paths with highest precedence this
means that security is now disabled for every path.
This commit updates both the management security and application
security configuration to avoid calling antMatchers with an empty
array, thereby ensuring that we don’t inadvertently ignore every path.
Even if the change to Spring Security is reverted we can keep this
change. The behaviour will remain the same and, arguably, it makes the
intent of our configuration clearer.
Closes gh-4345
[1] 8663ac4173
The PROPERTIES creator mode has the unfortunate side-effect of stopping
mixins from working. This commit updates the auto-configured module to
use the DEFAULT creator mode instead.
Closes gh-4336
mnhock
Johnny Lim
Andy Wilkinson
Stephane Nicoll
Dave Syer
Jean de Klerk
Spring Buildmaster
Phillip Webb
Eddú Meléndez
cornelcreanga@yahoo.com
Bohuslav Burghardt
awgtek