This commit disables support for evaluating SpEL expressions from
untrusted sources by default. Specifically, this applies to the
SpEL-based 'selector' header support in WebSocket messaging, which
includes the DefaultSubscriptionRegistry and the classes used to
configure the 'selector' header name (SimpleBrokerMessageHandler and
SimpleBrokerRegistration).
The selector header support remains in place but will have to be
explicitly enabled beginning with Spring Framework 6.1.
For example, a custom implementation of WebSocketMessageBrokerConfigurer
can override the configureMessageBroker() method and configure the
selector header name as follows.
registry.enableSimpleBroker().setSelectorHeaderName("selector");
Closes gh-30550
* use forEach and putIfAbsent to copy headers in DefaultClientRequestBuilder
* use forEach in ReactorClientHttpRequest and ReactorNetty2ClientHttpRequest
* circumvent ReadOnlyHttpHeaders.entrySet()
* ensure the fast path to LinkedCaseInsensitiveMap for forEach and putIfAbsent exists
Closes gh-29972
In some application setups, the WebSocket server does not transmit
the disconnect message to the client, so that the client has no idea
that the established connection has been terminated.
This issue arises when the application uses SimpleBrokerMessageHandler
and the error handler is set to the instance of
StompSubProtocolErrorHandler or an extended class that does not
override the handleErrorMessageToClient method.
The commit fixes disconnect message population so that
`java.lang.IllegalArgumentException: No StompHeaderAccessor` exception
is not thrown in the handleErrorMessageToClient method in
StompSubProtocolErrorHandler class.
See gh-30120
This commit refactors some AssertJ assertions into more idiomatic and
readable ones. Using the dedicated assertion instead of a generic one
will produce more meaningful error messages.
For instance, consider collection size:
```
// expected: 5 but was: 2
assertThat(collection.size()).equals(5);
// Expected size: 5 but was: 2 in: [1, 2]
assertThat(collection).hasSize(5);
```
Closes gh-30104
The `echoWebSocketHandler()` method is not defined in the
`WebSocketConfigurer` interface and should therefore be annotated with
`@Bean` instead of `@Override`.
Closes gh-30183
Reflective getHeaders calls to be revisited; see GitHub issue #8938 in Jetty project.
HttpOutput optimization commented out still in order to avoid alpha build dependency.
See gh-29575
This commit removes specific version info from Jackson codecs and
converters, in favor of generic info or removing the version information
all together.
See gh-29508
This commit reverts changes to AbstractCacheManager since iterating
over the caches in a for-loop and a stream is duplicated effort.
This commit reverts changes to DefaultRenderingResponseBuilder,
RouterFunctions, and OriginHandshakeInterceptor since order matters for
those use cases: they were originally based on the semantics of
LinkedHashSet or LinkedHashMap; whereas, Set.copyOf() and Map.copyOf()
do not provide any guarantees regarding ordering.
This commit also applies analogous changes to "sibling" implementations
across Servlet mocks as well as Web MVC and WebFlux.
See gh-29321
Includes corresponding build upgrade to Tomcat 10.1.1 and Undertow 2.3.0
(while retaining runtime compatibility with Tomcat 10.0 and Undertow 2.2)
Closes gh-29435
Closes gh-29436
This commit deprecates ListenableFuture in favor of CompletableFuture.
ListenableFuture was introduced in Spring Framework 4.0, when
CompletableFuture was not yet available. Spring now requires JDK 17, so
having our own type no longer seems necessary.
Major changes in this commit include:
- Deprecation of ListenableFuture and related types
(ListenableFutureCallback, SettableListenableFuture, etc.)
- Deprecation of AsyncListenableTaskExecutor in favor of default methods
in AsyncTaskExecutor (submitCompletable).
- AsyncHandlerMethodReturnValueHandler now has toCompletableFuture
instead of toListenableFuture.
- WebSocketClient now has execute methods, which do the same as
doHandshake, but return CompletableFutures (cf. the reactive
WebSocketClient).
All other changes
- add an overloaded method that takes a CompletableFuture parameter
instead of ListenableFuture, and/or
- add a method with a 'Async' suffix that returns a CompletableFuture
instead of a ListenableFuture (connectAsync, sendAsync).
Closes gh-27780
SockJsServiceRegistration#setSupressCors name contains a typo. It is
now deprecated in favor of a correctly spelled method, setSuppressCors.
See gh-28853
This commit deprecates all methods in org.springframework.scheduling
that use
- Date, in favor of variants that take an Instant.
- long & TimeUnit, in favor of variants that take a Duration.
Closes: gh-28714
Includes deprecation of NestedServletException, whereas NestedCheckedException and NestedRuntimeException remain as base classes with several convenience methods.
Closes gh-25162
A static nested class does not keep an implicit reference to its
enclosing instance.
This prevents a common cause of memory leaks and uses less memory per
instance of the class.
Closes gh-28433
This commit contains changes made because of the introduction of
HttpStatusCode. In general, methods that used to return a HttpStatus
now return HttpStatusCode instead, and methods that returned raw status
codes are now deprecated.
See gh-28214
Juergen Hoeller
Sam Brannen
Sébastien Deleuze
James Yuzawa
Johnny Lim
rstoyanchev
Aleksandrs Jansons
Krzysztof Krasoń
ghostg00
Anatolii Zhmaiev
Sam Brannen
Aashay Chapatwala
Arjen Poutsma
divcon
Andy Wilkinson
Kulwant Singh
Adam Ostrožlík
npriebe
Stephane Nicoll
Marc Wrobel
CodeInDreams
evgeny.bovykin
a.yazychyan