- Modifying dependencies to starter-web with tomcat exclusion plus
alternative servlet container instead of manual dependency on
spring-webmvc as it is the preferrable way to use alternative servlet
container
- Previously RestTemplate with ssl was configured manually in tests - now
it rellies on autoconfiguration - changed this for multi-connector test
and added test to ensure that ssl autoconfiguration is working
- Most samples with alterntative servlet containers used some kind of
service reading property and returning default since it wasn't
configured - removed it, since it is not specific to using alternative
servlet containers.
See gh-10548
Update the security request matchers so that a bean is no longer needed
when the matcher is used. Matchers can now be build by starting from
the `EndpointRequest` or `StaticResourceRequest` classes. For example:
http.authorizeRequests()
.requestMatchers(EndpointRequest.to("status", "info")).permitAll()
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
.requestMatchers(StaticResourceRequest.toCommonLocations()).permitAll()
Closes gh-7958
This commit combines security autoconfigurations for
management endpoints and the rest of the application. By default,
if Spring Security is on the classpath, it turns on @EnableWebSecurity.
In the presence of another WebSecurityConfigurerAdapter this backs off
completely. A default AuthenticationManager is also provided with a user
and generated password. This can be turned off by specifying a bean of
type AuthenticationManager, AuthenticationProvider or UserDetailsService.
Closes gh-7958
Rework `org.springframework.boot.context.embedded` to relocate classes
to `org.springframework.boot.web`. Packages are now organized around
the following areas:
Packages for shared concerns, for example the `WebServer` interface
to start/stop a server and the common configuration elements:
- org.springframework.boot.web.context
- org.springframework.boot.web.server
Servlet specific packages:
- org.springframework.boot.web.servlet.server
- org.springframework.boot.web.servlet.context
- org.springframework.boot.web.servlet.filter
Reactive specific packages:
- org.springframework.boot.web.reactive.context
- org.springframework.boot.web.reactive.server
Embedded server implementations (both reactive and servlet):
- org.springframework.boot.web.embedded
In addition:
- Rename `EmbeddedServletContainerFactory` to `ServletWebServerFactory`
to align with the `ReactiveWebServerFactory`.
- Rename `EmbeddedWebApplicationContext` to
`ServletWebServerApplicationContext` and
- Rename `EmbeddedReactiveWebApplicationContext` to
`ReactiveWebServerApplicationContext`.
- Add checkstyle rules to restrict imports.
- Fixup all affected code to use the correct imports and local names.
Fixes gh-8532
Move the @LocalServerPort to org.springframework.boot.context.embedded
since it's only really useful when working with embedded servlet
containers.
See gh-5822
Rework the new testing support so that @SpringApplicationTest can be
used for standard integration tests, web integration tests with a
mock Servlet environment and web integration tests with an embedded
servlet container. This means that it a replacement for 1.3's
@IntegrationTest and @WebIntegrationTest and allows all
SpringApplication testing to be configured using a common annotation.
The old @IntegrationTest and @WebIntegrationTest along with their
supporting classes have been reinstated to their previous form (while
remaining deprecated). This should ensure that they continue to work
in 1.4 exactly as they did in 1.3 giving users a smooth path to
@SpringApplicationTest.
See gh-5477
The InteractiveAuthenticationSuccessEvent is always shadowed by a
regulat AuthenticationSuccessEvent, so there's no need to listen for
all AbstractAuthenticationSuccessEvents.
Fixes gh-4355
Given that Spring Boot uses java config accross the board, a new `value`
attribute is now aliased to the existing `classes` attribute such that
one could write the following:
@SpringApplicationConfiguration(MyConfig.class)
public class MyTest {}
Closes gh-3635
There was too much state really in the old implementation of
AuthenticationManagerConfiguration, and it was leading occasionally
to null pointers when method A assumed that method B had already
been called and it hadn't. This change manages to concentrate all the
references to an AuthenticationManagerBuilder into a single method
call, removoing the need for storing it at all.
Fixes gh-1556
It needs to run as soon as the DataSource is available really otherwise
anything else that depends on the DataSource (like Security JDBC
initializers) might fail when it tries to use it.
One change from 1.1.1 is that if you have a schema.sql you had better
make sure your data.sql talks to the same tables. In 1.1.1 you could
sometimes get away with letting Hibernate initialize the tables for
your data.sql and *also* have a schema.sql. This was fragile and doomed
to fail eventually if the DataSourceInitializer somehow got
initialized earlier (e.g. through a @DependsOn), so in the spririt
of honesty being the best policy we explicitly disallow it now.
Fixes gh-1115
There were some residual issues to do with the changes to the implementation
of security.basic.enabled=false. It was a good idea to have a filetr chain
triggered by the flag being off because it smooths the way for user-defined
filter chains to use the Boot AuthenticationManager (as a first step at least),
but it wasn't a goog idea to add any actual secuity features to that filter.
E.g. if it has HSTS then even an app like Sagan that has some secure endpoints
that it manages itself and the rest is unsecured has issues because it can't
accept connections over HTTP even on unsecure endpoints.
TODO: find a way for security.ssl_enabled=true to apply to only the user-
defined security filter (maybe not possible or worth the effort, since they
can inject a SecurityProperties if they need it?).
See gh-928
Madhura Bhave
Phillip Webb
Stephane Nicoll
Ivan Sopov
Andy Wilkinson
Dave Syer
Huang YunKun
Rob Baily
Phillip Webb
Dave Syer
Javier Gayoso