This uses no-op implementations for the SdkTracerProvider,
SdkLoggerProvider and SdkMeterProvider, but still configures the
propagators.
Additionally, it doesn't create the tracing and logging beans which
would be superfluous for a disabled SDK.
Closes gh-49564
Prior to this commit, `EndpointRequest` exposed factory methods for
creating security matchers in the context of Actuator endpoints. This is
using the popular pattern matching approach for security matchers.
Such matchers are not as focused as method-level security and will match
the endpoint path itself (`"actuator/endpoint"`) as well as everything
beneath it (`"actuator/endpoint/**"`).
This commit improves the Javadoc and reference documentation to make
this behavior more explicit.
Closes gh-49520
Refactor `spring-boot-security-oauth2-authorization-server` to separate
core authorization server auto-configuration from Spring Security web
auto-configuration.
This update should allow authorization server auto-configuration
outside or a reactive or servlet web application.
Closes gh-43978
This commit deprecates both `RootUriTemplateHandler` and
`RootUriBuilderFactory` types, along their usage in places like
`RestTemplateBuilder`.
`RestTemplateBuilder#rootUri` is now deprecated in favor of
`RestTemplateBuilder#baseUri`, which leverages Framework's
`DefaultUriBuilderFactory`.
Closes gh-48350
Update `RestClientAutoConfiguration` to ensure that it applies after
`HttpMessageConvertersAutoConfiguration`.
Prior to this commit, the `HttpMessageConvertersRestClientCustomizer`
bean might not get created due to the `@ConditionalOnBean` guard not
finding any `ClientHttpMessageConvertersCustomizer` beans.
Since the issue is surprising hard to replicate in a unit test, a new
smoke test has been added to ensure the problem doesn't return.
Fixes gh-49223
Tomcat 9.0.115, 10.1.52, and 11.0.18 include a breaking change [1] to
how ciphers are configured when using HTTPS. Previously, a single
setting was used but this has now been split in two; the existing
ciphers setting for TLSv1.2 ciphers and a new ciperSuites setting for
TLSv1.3. As part of this split, the behavior of the ciphers setting
has been changed such that any TLSv1.3 ciphers are ignored and a
warning is logged.
This change in Tomcat is problematic without also making some changes
in Boot. If we had done nothing, a user that had configured only
TLSv1.3 cipers would have them all ignored, leaving their SSL
connection unexpectedly using all of the default ciphers which may be
less secure.
This commit adapts to the breaking change in Tomcat by taking the
user's list of ciphers and splitting into into TLSv1.2 and TLSv1.3
ciphers before passing them into Tomcat's two settings (ciphers and
cipherSuites respectively). This is done defensively for backwards
compatibility. If the methods to identify and configure the TLSv1.3
ciphers are not present, we assume that we're running with an earlier
version of Tomcat and fall back to passing them all into the ciphers
setting as we did previously.
Closes gh-49143
[1] 9abf6bddb2
Apoorv Darshan
Moritz Halbritter
Jonatan Ivanov
Andy Wilkinson
itsmevichu
Brian Clozel
Stéphane Nicoll
Emanuel Rabina
Phillip Webb
Tommy Ludwig
Eddú Meléndez