To address CVE-2025-48976 and CVE-2025-48988, Tomcat 10.1.42 has
introduced two new configuration settings – maxPartCount and
maxPartHeaderSize. The default values for these configuration
settings have proven hard to get right and some applications have
had to increase the default limits. To ease their configuration in
Spring Boot, this commit introduces configuration properties for
the new settings:
- server.tomcat.max-part-count (maxPartCount)
- server.tomcat.max-part-header-size (maxPartHeaderSize)
The defaults are aligned with those of Tomcat 10.1.42
(10 and 512 bytes respectively).
Closes gh-45869
This commit updates the conditions in Neo4jReactiveDataAutoConfiguration
so that it gracefully backs off if certain beans are not present, rather
than assuming its sibling Neo4jDataAutoConfiguration has run.
Closes gh-44930
Prior to this commit, certain rules, like BeanPostProcessor,
did not work with external classes. This commit ensures that
ArchRules are executed within a context ClassLoader that includes
all classes from the compile classpath.
See gh-45202
Signed-off-by: Dmytro Nosan <dimanosan@gmail.com>
This commit updates jOOQ's DefaultExceptionTranslatorExecuteListener to
fallback on Spring Framework's default if no dbName is available.
See gh-44954
Signed-off-by: Dennis Melzer <dennis.melzer@de.bosch.com>
Update auto-configured `IntegrationMBeanExporter` to be created from
a static method since it's a post-processor. Relevant injection now
occurs by overriding the `afterSingletonsInstantiated()` method.
Closes gh-45186
Prior to this change, introspection of the auto-configuration could
fail due to insufficient protection against missing classes.
This commit introduces an extra class-level check for Nimbus's
JWKSource which ensures that the auto-configuration backs off if
nimbus-jose-jwt has been excluded. It also introduces an inner-class
for the case where spring-security-oauth2-jose is not on the
classpath. This ensures that the method defining the jwtDecoder bean
does not cause an introspection failure when JwtDecoder is missing.
Closes gh-45177
Previously, the post-processing of HikariDataSource to apply custom
connection details would trigger an NPE in Hikari if those details
supplied a null driverClassName.
This commit avoids the problem by only setting the driverClassName
when it is non-null.
Closes gh-44997
Update CassandraRepositoriesAutoConfigurationTests to use the correct
'spring.data.cassandra.repositories.type' property.
See gh-44942
Signed-off-by: Dmytro Nosan <dimanosan@gmail.com>
Prior to this commit, the SSL file hot reloading feature would
create file watchers for all configured locations and would resolve
symbolic links if they're found as registrations.
This arrangement would work for typical Let's Encrypt setups, but
would not get notified of consecutive changes for k8s setups.
Kubernetes uses a mix of symlinks and atomic file moves to update
secrets.
This commit not only tracks changes to symlinks targets, but also
to the original symlink.
Closes gh-44807
Signed-off-by: Dmytro Nosan <dimanosan@gmail.com>
[brian.clozel@broadcom.com: apply code conventions]
Signed-off-by: Brian Clozel <brian.clozel@broadcom.com>
1. Rename `TestConfiguration` to `TestJpaConfiguration` and remove unnecessary reference.
2. Use `withBean` instead of `withUserConfiguration` to avoid new configuration class.
3. Use kebab-case for configuration key
See gh-44800
Signed-off-by: Yanming Zhou <zhouyanming@gmail.com>
This commit updates DataSourceTransactionManagerAutoConfiguration to
explicitly states it should run after DataSourceAutoConfiguration.
Closes gh-44810
This commit isolates JmsAutoConfiguration tests so that they do not
rely on an actual broker. Some tests that are no longer relevant have
been adapted as well.
Closes gh-44734
Andy Wilkinson
Yanming Zhou
Stéphane Nicoll
Tran Ngoc Nhan
Johnny Lim
Phillip Webb
Dmytro Nosan
Dennis Melzer