To address CVE-2025-48976 and CVE-2025-48988, Tomcat 10.1.42 has
introduced two new configuration settings – maxPartCount and
maxPartHeaderSize. The default values for these configuration
settings have proven hard to get right and some applications have
had to increase the default limits. To ease their configuration in
Spring Boot, this commit introduces configuration properties for
the new settings:
- server.tomcat.max-part-count (maxPartCount)
- server.tomcat.max-part-header-size (maxPartHeaderSize)
The defaults are aligned with those of Tomcat 10.1.42
(10 and 512 bytes respectively).
Closes gh-45869
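As an added example, not code from the commit above or from Spring Boot itself: the same two limits set programmatically through a Tomcat connector customizer, which is what an application needs when it runs Tomcat 10.1.42 or later but a Spring Boot version that does not yet have the two properties. The raised values are illustrative only, and the example assumes that the `Connector` setters for the new attributes are present (Tomcat 10.1.42 or later on the classpath).

```java
import org.apache.catalina.connector.Connector;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Raises Tomcat's multipart limits for an application that legitimately
 * receives more than 10 parts per request.
 *
 * Assumed for this example: Tomcat >= 10.1.42 is on the classpath (the two
 * setters below do not exist in earlier releases) and the Spring Boot version
 * in use does not provide server.tomcat.max-part-count /
 * server.tomcat.max-part-header-size.
 */
@Configuration
public class MultipartLimitsConfig {

    // Example values only. Keep both as low as the application allows: each
    // limit bounds how much parsing work a single multipart request can force.
    private static final int MAX_PART_COUNT = 20;          // Tomcat 10.1.42 default: 10
    private static final int MAX_PART_HEADER_BYTES = 2048; // Tomcat 10.1.42 default: 512

    @Bean
    WebServerFactoryCustomizer<TomcatServletWebServerFactory> multipartLimits() {
        return factory -> factory.addConnectorCustomizers((Connector connector) -> {
            // Total number of parts (file and non-file) accepted per request.
            connector.setMaxPartCount(MAX_PART_COUNT);
            // Maximum size of the header block of any single part.
            connector.setMaxPartHeaderSize(MAX_PART_HEADER_BYTES);
        });
    }
}
```

With the properties introduced by this commit the same configuration is two lines in `application.properties`, `server.tomcat.max-part-count=20` and `server.tomcat.max-part-header-size=2048` (the byte-count value format is an assumption here, based on the 512-byte default quoted above). Whichever form is used, verify it the way an attacker would probe it: send a multipart request with one more part than the limit, and one whose part headers exceed the configured size, and confirm that Tomcat rejects both rather than accepting them.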
Update `ClientHttpConnectorAutoConfiguration` with a condition to ensure
that `ClientHttpConnectorBuilder.detect` will return a result. Prior
to this commit, when using a JDK without `java.net.http.HttpClient`
access the auto-configuration would fail.
Fixes gh-45955
This commit replaces the use of ConfigurationProperties in
ValidationAutoConfiguration with an explicit environment check, as
was already the case for the spring.aop.proxy-target-class property.
Closes gh-45618
Update `IgnoredCloudFoundryPathsWebSecurityConfiguration` to use a
`SecurityFilterChain` and `permit...` methods rather than
`ignoring()` which is no longer recommended.
Fixes gh-32622
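To make the difference concrete, here is an added example that is not the project's own configuration; the class names and the path pattern are placeholders. It shows a `WebSecurityCustomizer` that uses `ignoring()` beside a `SecurityFilterChain` that permits the same requests. `ignoring()` removes the matching requests from the security filter chain entirely, so none of Spring Security's filters (security headers, CSRF protection, session handling) run for them; `permitAll()` keeps the chain in place and only skips the authorization decision.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class CloudFoundryPathsSecurityConfig {

    // Placeholder pattern for this example; the real value depends on where the
    // application exposes its Cloud Foundry endpoints.
    private static final String CF_PATHS = "/cloudfoundryapplication/**";

    // Weak form (deliberately NOT registered as a bean here): requests matching
    // CF_PATHS bypass Spring Security completely. No filter runs for them, so
    // they get no security headers, no CSRF protection and no session handling.
    WebSecurityCustomizer ignoreCloudFoundryPaths() {
        return web -> web.ignoring().requestMatchers(CF_PATHS);
    }

    // Preferred form: a dedicated filter chain that still runs for these
    // requests but permits them. Ordered first so it is consulted before the
    // application's general chain.
    @Bean
    @Order(1)
    SecurityFilterChain cloudFoundryPathsFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher(CF_PATHS)
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }
}
```

Because the chain still runs, CSRF checks now apply to state-changing requests on these paths. If a non-browser client must POST to them without a token, disable CSRF explicitly and only for this chain, rather than falling back to `ignoring()`, so that every other filter keeps protecting the endpoint.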
Previously, OAuth2 client auto-configuration was managed by a single
class:
- OAuth2ClientAutoConfiguration for servlet apps
- ReactiveOAuth2ClientAutoConfiguration for reactive apps
OAuth2ClientAutoConfiguration being for servlet apps meant that
a blocking OAuth2 client was not available in a non-web application.
The auto-configuration classes did two things:
- Auto-configured beans that are specific to server-side web security
that uses an OAuth2 client
- Auto-configured OAuth2 client beans that may be used client- or
server-side
Combining these two things into a single auto-configuration class
meant that you could not choose to use one or the other. For example,
you may want to make use of an OAuth2 client in a web application
without also using OAuth2 client-based web security.
This commit restructures the auto-configuration to address these
problems. There are now two auto-configurations for non-reactive apps:
- OAuth2ClientAutoConfiguration
- OAuth2ClientWebSecurityAutoConfiguration
and two auto-configurations for reactive apps:
- ReactiveOAuth2ClientAutoConfiguration
- ReactiveOAuth2ClientWebSecurityAutoConfiguration
This separation allows one to be used without the other. Furthermore,
the conditions have been updated so that, for example, the blocking
OAuth2 client is available in a non-web application.
Closes gh-40997
Closes gh-44906
Co-authored-by: Moritz Halbritter <moritz.halbritter@broadcom.com>
This commit updates the conditions in Neo4jReactiveDataAutoConfiguration
so that it gracefully backs off if certain beans are not present, rather
than assuming its sibling Neo4jDataAutoConfiguration has run.
Closes gh-44930
Prior to this commit, certain rules, like BeanPostProcessor,
did not work with external classes. This commit ensures that
ArchRules are executed within a context ClassLoader that includes
all classes from the compile classpath.
See gh-45202
Signed-off-by: Dmytro Nosan <dimanosan@gmail.com>
This commit updates jOOQ's DefaultExceptionTranslatorExecuteListener to
fall back on Spring Framework's default if no dbName is available.
See gh-44954
Signed-off-by: Dennis Melzer <dennis.melzer@de.bosch.com>
Refine `RestClientAutoConfiguration` conditional so that it
applies in reactive web applications if virtual threads are
active and a task executor is configured.
See gh-44952
Signed-off-by: Dmitry Sulman <dmitry.sulman@gmail.com>
Prior to this commit, RestClientSsl always used the
default settings from ClientHttpRequestFactorySettings, overriding any
user-defined settings (e.g., HttpClientProperties).
With this commit, RestClientSsl now respects and uses
ClientHttpRequestFactorySettings when they are provided.
See gh-44979
Signed-off-by: Dmytro Nosan <dimanosan@gmail.com>
Update auto-configured `IntegrationMBeanExporter` to be created from
a static method since it's a post-processor. Relevant injection now
occurs by overriding the `afterSingletonsInstantiated()` method.
Closes gh-45186
Prior to this change, introspection of the auto-configuration could
fail due to insufficient protection against missing classes.
This commit introduces an extra class-level check for Nimbus's
JWKSource which ensures that the auto-configuration backs off if
nimbus-jose-jwt has been excluded. It also introduces an inner-class
for the case where spring-security-oauth2-jose is not on the
classpath. This ensures that the method defining the jwtDecoder bean
does not cause an introspection failure when JwtDecoder is missing.
Closes gh-45177