Prior to this commit, the `ErrorPageSecurityFilter` verified if
access to the error page was allowed by invoking the
`WebInvocationPrivilegeEvaluator` with the Authentication from the
`SecurityContextHolder`.
This meant that access to the error page was denied for a `null` Authentication
or `AnonymousAuthenticationToken` in cases where the error page required
authenticated access. This prevented authorized users from accessing the
error page in case the Authentication wasn't retrievable for the error dispatch,
which is the case for `@Transient` authentication or stateless session policy.
This commit updates the `ErrorPageSecurityFilter` to check access to the error page
only if the error is an authn or authz error in cases where an authentication object
is not found in the SecurityContextHolder. This makes the error response consistent
when bad credentials or no credentials are used while also allowing access to previously
authorized users.
Fixes gh-28953
When `setUseCodeAsDefaultMessage(true)` was set on a message source,
attempting to interpolate the default message returned from the message
source would result in the code being unusable by upstream message
resolvers.
Fixes gh-28930
Update `ErrorPageSecurityFilter` to defensively check that the
`DispatcherType` is `ERROR`. Although this check isn't necessary
for regular applications, it is needed if MockMvc is being used.
Fixes gh-28759
This commit aligns `SpringBootTest`s to also use `ApplicationEnvironment`
instead of `StandardEnvironment`. This prevents the side-effect of active
profiles from `@ActiveProfiles` from being added to the environment when
doGetActiveProfiles is called. In this case, calling `addActiveProfiles()`
in the environment post processor would result in `@ActiveProfiles` being
added to the environment first, resulting in the wrong order.
The additional call to `setActiveProfiles()` is also not necessary when using
ApplicationEnvironment because that call was put in place to prevent the side-effect
which `ApplicationEnvironment` does not have.
Fixes gh-28530
The charset "default" is an alias for US-ASCII, not the JVM's default
charset. This commit updates the built-in Logback configuration to
use Charset.defaultCharset().name() in place of "default" in the
Java-based configuration. In the XML-based configuration where
Charset.defaultCharset().name() cannot be called, we emulate its
behaviour [1] by using the file.encoding system property, falling back
to UTF-8 when it's not set.
Fixes gh-27230
[1] 19be6113dd/jdk/src/share/classes/java/nio/charset/Charset.java (L604-L617)
Update Tomcat, Jetty and Undertow `ServletWebServerFactory`
implementations so that they can write SameSite cookie attributes.
The session cookie will be customized whenever the
`server.servlet.session.cookie.same-site` property is set.
Other cookies can be customized with the new `CookieSameSiteSupplier`
interface which can be registered using `@Bean` methods.
Closes gh-20971
Co-authored-by Andy Wilkinson <wilkinsona@vmware.com>
Relocate the recently introduced `spring.webflux.session` properties
to `server.reactive.session` and create a unified `Cookie` properties
class.
Reactive session properties now mirror the existing
`server.servlet.session` properties and better reflect the fact that
they are related to the server and not just for WebFlux.
See gh-26714
While still present and marked as deprecated, the getPassword()
method on UCP's PoolDataSource has been implemented to throw a
NoSuchMethodError making it useless for our purposes.
This commit updates DataSourceBuilder to avoid using the getter. This
means that a password must now be provided when trying to derive a
new DataSource from an existing PoolDataSource.
Closes gh-28127
Add `MutuallyExclusiveConfigurationPropertiesException` and a related
failure analyzer so that a nice message can be displayed if more than
one mutually exclusive property is defined.
Closes gh-28121
Co-authored-by: Phillip Webb <pwebb@vmware.com>
Previously, the detector for AbstractDataSourceInitializers used the
default detector order. This resulted in the initializers detected
initializers running before Flyway. Constrastingly, the detector for
DataSourceScriptDatabaseInitializers uses a custom order so its
detected initializers would run after Flyway.
This commit aligns the order of the detector for
AbstractDataSourceInitializers with the order of the detector for
DataSourceScriptDatabaseInitializers. This ensures that script-based
initialization runs in the same order with respect to Flyway,
irrespective of which initializer implementation is driving it.
Fixes gh-28079
Previously, SpringApplicationShutdownHook would always register a
shutdown hook, even if SpringApplication was configured not to
use a shutdown hook, such as in a war deployment. This could
result in a memory leak when the war was undeployed. The shutdown
hook registered by SpringApplicationShutdownHook would remain
registered, pinning the web application's class loader in memory.
This commit updates SpringApplicationShutdownHook so that it
registers a shutdown hook with the JVM lazily, upon registeration
of the first application context.
Fixes gh-27987
This commit reworks the configuration properties registrar to use
RootBeanDefinition and a standard attribute rather than relying on
a package private sub-class. This allows other components to inspect
the metadata if necessary.
Closes gh-27821
Stephane Nicoll
Madhura Bhave
Andy Wilkinson
Phillip Webb
Scott Frederick
Stefano Cordio
Artur Signell
Leo Li
izeye
Guillaume Husta
fml2
dreis2211
Susmitha
smoothbear
bono007
Julien Dubois
Henning Pöttker