If there is more than one DataSource and the non-primary bean-name is
'datasource' an incorrect metric name is chosen.
The metrics are named datasource.active and not datasource.xxx.active. To
avoid this, the shortening of the bean-name only occurs if the bean-name
is longer than 'datasource'.
See gh-2320
Previously each endpoint was secured for path, path/, and path.*.
This meant that a request to path/foo was not secured. This commit
secures path/** to ensure that requests to a nested endpoint path are
also secured.
Fixes gh-2476
Update InMemoryAuditEventRepository to consider the date when searching
for events. Also switch to a circular buffer implementation and update
the capacity to limit the total number of items rather than limiting
per principal.
Fixes gh-2291
Update AbstractEndpoint to correctly support the `endpoints.enabled`
property. Also fix EnvironmentEnpoint which would previously prevent
the Environment from being set.
Fixes gh-2264
Closes gh-2265
Update WebMvcAutoConfiguration so that the RequestMappingHandlerMapping
bean is @Primary. Prior to this commit a NoUniqueBeanDefinitionException
would be thrown then using the MvcUriComponentsBuilder.
Fixes gh-2237
Update ManagementSecurityAutoConfiguration so that MVC Endpoints that
have Principal arguments are not treated in any special way. This
restores Spring Boot 1.1.x behavior where the 'sensitive' flag is used
to determine access rules.
The HealthMvcEndpoint still uses the Principal (when available) to
determine if full status information can be displayed. It now also
explicitly checks the environment for `endpoints.health.sensitive`
to determine if the user has opted-out and requires complete health
details.
The health MVC endpoint should now work as follows:
* Default configuration - No login is required, full information is only
displayed if a Principal is available.
* endpoints.health.sensitive=true - Login is required, full information
is displayed.
* endpoints.health.sensitive=false - Login is not required, full
information is displayed.
Fixes gh-2211
Add Ordered interface to all EmbeddedServletContainerCustomizers with
a value of 0. Prior to this commit it was difficult for a user to
define a customizer that would be applied before ours, even if they
implemented Ordered or added @Order annotations.
Fixes gh-2123
ManagementSecurityAutoConfiguration fully relies on the presence of a
web environment, yet the configuration class itself was not guarded by
`@ConditionalOnWebApplication` (while nested config where).
This turned out to be a problem for command-line applications using
spring security (i.e. CRaSH integration).
Fixes gh-2112
The method 'injectIntoSecurityFilter' added In 3c1e48c assumes that
Spring security is in the classpath so any management endpoints that are
deployed on a different port requires Spring Security all the sudden.
This commit separates the creating of the EndpointHandlerMapping in two
mutually exclusive @Configuration: one that is triggered if Spring
Security is not in the classpath and one that is triggered if Spring
Security is in the classpath. The latter apply the security filter in the
endpoint mapping if it exists.
Fixes gh-2124
The move of health.* keys to management.health.* broke them as they
are not defined as configuration keys and `ManagementServerProperties`
is strict on the whole management namespace.
This commit updates the tests to actually include that properties class
and relax the "ignoreUnknownFields" condition so that extra attributes
can be defined on the "management" namespace.
Fixes gh-2115
Update AbstractEndpoint so that the `enable` property is optional and
when it not specified the `endpoints.enabled` property will be used.
This allows users to switch the way that endpoints are enabled. Rather
than opting-out specific endpoint enablement the `endpoints.enabled`
property can be set to `false` and specific endpoints can be opted-in.
Fixes gh-2102
Since AbstractHandlerMethodMapping.getHandlerMap() is final it can't
be cglibbed and a proxy will barf if you try and call that method.
The RequestMappingEndpoint can be protected simply by defensively
checking if the mapping is a proxy before trying to inspect it.
Drop the setAdditionalProperties method from ShellProperties to ensure
that it is not included in the meta-data JSON. The additional properties
are usually wired in using @Autowired and it is pretty unlikely that
anyone is using the setter directly.
Fixes gh-2055
Shares the /health endpoint request mapping between security config
and MVC dispatcher. Generalizes so that instead of a marker
interface (AnonymouslyAccessibleMvcEndpoint), an MvcEndpoint
signals that it wants to control its own access rules by adding
a Principal to the @RequestMapping method parameters (more @MVC).
Fixes gh-2015 slightly differently
The changes in 3bb598a overload the health endpoint's sensitive
property such that it's now considered sensitive if management
security is enabled. When an endpoint is sensitive anonymous
access is prevented. This breaks the health endpoint which should
return a filtered view of the server's health when it's accessed
anonymously rather than rejecting the request.
This commit introduces AnonymouslyAccessibleMvcEndpoint, a marker
extension of the MvcEndpoint interface. It is implemented by
HealthMvcEndpoint. ManagementSecurityAutoConfiguration has been
updated to allow anonymous access to endpoints that aren't sensitive
or that implement AnonymouslyAccessibleMvcEndpoint.
Fixes gh-2015
Set the field javadoc of many properties that are managed via
configuration so that the "description" field is available in the
meta-data.
Closes gh-1808
Phillip Webb
Johannes Stelzer
Andy Wilkinson
Stephane Nicoll
Spring Buildmaster
Mathieu Bernatet
Dave Syer
izeye
Alex Panchenko