The management security autoconfiguration wanted to come last in the chain
but that won't suit the fallback that was already in place for gh-568. This
change re-orders the autoconfig so that @EnableWebSecurity is still added
if the user sets security.basic.enabled=false and includes the actuator
endpoints.
Fixes gh-568
We can't support (yet) embedded containers inside a deployed war (class
loader conflicts are inevitable, really). Until we figure out a way to
do it, we should just log a warning and advise the user to switch to
JMX for the actuator endpoints.
See gh-552
Remove README files that have been since been migrated to the reference
documentation. Also updated remaining markdown files to asciidoctor to
save having a mix of different formats.
Fixed gh-503
The management.contextPath property should now be respected in a
secure application, whether or not the management.port is different.
Added some test cases in the sample to verify.
Fixes gh-469
Rename ConfigurableEmbeddedServletContainerFactory to
ConfigurableEmbeddedServletContainer and extract
AbstractConfigurableEmbeddedServletContainer from
AbstractEmbeddedServletContainerFactory.
There's no explicit support for older Servlet specs in Spring Boot,
but we can at least make it easy for others to provide such
support by not adding stuff to the context when in an older container.
Some assumptions were being made in tests, e.g. about
there being an AuthenticationManager @Bean, which were
false with the new Security 3.2.1 updates from Rob.
Also parent-child contexts with the actuator were
problematic because they didn't exclude the web configuration
for the management security in the parent context.
Fixes gh-244
Also change strategy for defaulting of Authentication. Spring
Boot authentication defaults are now encapsulated and can easily
be overridden by a user defined AuthenticationManager.
Error pages are a feature of the servlet spec but there is no Java API for
registering them in the spec. This filter works around that by accepting error page
registrations from Spring Boot's EmbeddedServletContainerCustomizer (any beans
of that type in the context will be applied to this container).
In addition the ErrorController interface was enhanced to provide callers
the option to suppress logging.
Fixes gh-410
The default executor for publishing metrics was a single
thread (native JDK) ExecutorService with a non-daemon thread.
Changed it to a Spring-managed thread pool of size 1, which
is then shutdown with e ApplicationContext automatically.
Fixes gh-388
Update `EndpointWebMvcAutoConfiguration` to use '-1' to indicate that
the management context should be disabled. This brings consistency
between the server settings and the management settings and allows '0'
to be used to pick a random port.
Fixed gh-311
