Fix package tangle by changing `ApplicationContextFactory.DEFAULT` to
use `spring.factories` to discover implementations rather than needing
direct access to our own `ApplicationContext` classes.
Closes gh-30272
This works around spring-projects/spring-framework#28298. The bug
means that when a @Configuration class is annotated with
@ConfigurationProperties any bean defined by a static @Bean method
is considered to be annotated with @ConfigurationProperties.
See gh-30068
- Adds a new @DisableOnOs annotation, which is inspired from JUnit5s
@DisableOnOs annotation. This new annotation supports the architecture
and is repeatable
Closes gh-30082
This commit clarifies the build as a test needs inject-api and it works
only by side effect as another library has repackaged this API.
Closes gh-29990
Prior to this change, SpringApplication would register contexts to
SpringApplicationShutdownHook and only deregister them when they're
properly closed. A failed refresh attempt does not deregister the
context from the shutdown hook.
When a test suite runs lots of tests failing because of failed contexts,
this can build up and consume lots of resources.
This commit fixes this leak and deregisters failed contexts.
Fixes gh-29874
The regular expression in the new test is intended to match the
documented [1] ABNF for a media type:
type-name = reg-name
subtype-name = reg-name
reg-name = 1*127reg-name-chars
reg-name-chars = ALPHA / DIGIT / "!" /
"#" / "$" / "&" / "." /
"+" / "-" / "^" / "_"
Closes gh-29746
[1] https://datatracker.ietf.org/doc/html/rfc4288#section-4.2
Previously, the error page security filter passed the request's URI
to the privilege evaluator. This was incorrect in applications with
a custom context path as the privilege evaluator must be passed a
path that does not include the context path and the request URI
includes the context path.
This commit updates the filter to use UrlPathHelper's
pathWithinApplication instead. The path within the application does
not include the context path. In addition, pathWithinAppliation
also correctly handles applications configured with a servlet
mapping other than the default of /.
Closes gh-29299
Co-Authored-By: Andy Wilkinson <wilkinsona@vmware.com>
This commit updates DatabaseInitializationDependencyConfigurer so that
it does not inject the Environment anymore. Doing so in such a low-level
callback can lead to early resolution of factory beans. Rather, this
commit uses the EnvironmentAware callback that short-circuit dependency
resolution.
Closes gh-29475
Update `ConfigDataEnvironmentContributor.isActive` so that unbound
imports are no longer considered active. Prior to this commit, any
`ConfigDataEnvironmentContributor` that had `null` properties was
considered active. This is incorrect for `Kind.UNBOUND_IMPORT`
contributors since we haven't yet bound the `spring.config.*`
properties.
The `ConfigDataEnvironmentContributorPlaceholdersResolver` has been
updated to handle the refined logic. A placeholder can now be resolved
from the current contributor, or from an unbound contributor by binding
it on the fly.
Fixes gh-29386
Refine the logic introduced in 64270eca to use a side-effect free
Environment implementation rather than converting the Environment early.
Early conversion can cause condition evaluation issues if
`src/test/resources/application.properties` files are bound to the
`SpringApplication`. Specifically the `spring.main.web-application-type`
property can change the `Environment` type which must happen before
conditions are evaluated.
Fixes gh-29169
Prior to this commit, the `ErrorPageSecurityFilter` verified if
access to the error page was allowed by invoking the
`WebInvocationPrivilegeEvaluator` with the Authentication from the
`SecurityContextHolder`.
This meant that access to the error page was denied for a `null` Authentication
or `AnonymousAuthenticationToken` in cases where the error page required
authenticated access. This prevented authorized users from accessing the
error page in case the Authentication wasn't retrievable for the error dispatch,
which is the case for `@Transient` authentication or stateless session policy.
This commit updates the `ErrorPageSecurityFilter` to check access to the error page
only if the error is an authn or authz error in cases where an authentication object
is not found in the SecurityContextHolder. This makes the error response consistent
when bad credentials or no credentials are used while also allowing access to previously
authorized users.
Fixes gh-28953
When `setUseCodeAsDefaultMessage(true)` was set on a message source,
attempting to interpolate the default message returned from the message
source would result in the code being unusable by upstream message
resolvers.
Fixes gh-28930
Phillip Webb
Stephane Nicoll
Guirong Hu
Andy Wilkinson
qxo
Moritz Halbritter
dugenkui03
Chris Hut
izeye
Vikey Chen
Moritz Halbritter
Madhura Bhave
gcoppex
Brian Clozel
Yanming Zhou
Lachlan Roberts
Scott Frederick
Artur Signell
Leo Li