- [new] Allow disabling Jackson exception mappers as they may disclose technical info to REST clients. Set `rest.exceptionMapping.jackson` and `rest.exceptionMapping.detailedUserMessage` to `false`. Exceptions will then go through the default exception mapper, which logs them. To avoid this, provide your own exception mapper.
- [new] Java 21 support.
- [new] Support for `jakarta.inject.*` while retaining `javax.inject.*` compatibility.
- [nfo] Other `jakarta.*` packages are not supported yet.
- [chg] Update javassist to 3.30.2-GA
- [chg] Update guice to 6.0.0
- [chg] Update guava to 33.1.0
- [chg] Update typetools to 0.6.3
- [chg] Update shiro to 1.13.0
- [chg] Update Undertow to 2.2.31.Final
- [chg] Update Jersey to 2.42
- [chg] Update Hibernate Validator to 6.1.7.Final
- [new] `@PostConstruct` support was extended to non-singletons. `@PreDestroy` is still limited to singletons per design (only singleton instances are known and tracked by the lifecycle manager).
- [new] Support JSON and YAML expansion in configuration. Use `myKey|json` or `myKey|yaml` as key syntax. The suffix will be removed and the value will be replaced by the parsed subtree. Useful for parsing JSON structures passed by cloud platforms.
- [new] The `SEEDSTACK_PROFILES` environment variable can now be used to specify comma-separated configuration profiles to enable. These profiles will be added to the profiles already defined in the `seedstack.profiles` system property, if any.
- [new] If config option `rest.diagnosticResource` is set to `true`, the diagnostic report will be available as a JSON representation at `/seedstack/diagnostic`. Do not enable permanently in production. Default is `false`.
- [fix] Class `UsernamePasswordToken` was incorrectly removed from `seed-security-specs`.
- [new] Java 15 support
- [new] The `check` tool analyzes and shows discrepancies between configuration files (actual config) and configuration objects (expected config).
- [chg] Move main entrypoint logic from `SeedMain.main()` to `Seed.launch()`, allowing custom main methods in addition to the built-in `SeedMain`.
- [chg] Upgrade Shiro to 1.7.1 (fixes CVE-2020-11989, CVE-2020-17510, CVE-2020-1957, CVE-2020-13933 and CVE-2019-12422).
- [chg] Upgrade Guice to 5.0.1
- [chg] Upgrade Jersey to 2.34
- [chg] Upgrade Javassist to 3.27.0-GA
- [chg] Upgrade Guava to 30.1.1-jre
- [chg] Upgrade Coffig to 3.1.7
- [fix] Detection of color output under recent versions of IntelliJ.
- [fix] Fix configuration evaluation (macros, functions, ...) in `classes` section (see #283).
- [brk] Config functions that find available ports now take a port name as argument so they can return the same port for each evaluation (example: `$availableTcpPort()` becomes `$availableTcpPort('web')`).
- [new] Support for configuration of Undertow handlers using `undertow-handlers.conf` file (at the root of the classpath by default).
- [new] Security realms can now return direct user permissions, not attached to any role.
- [chg] Enable a detailed user message by default for internal and security exceptions during REST requests.
- [fix] Fixed test annotations that were not fully detected when repeated: `@ConfigurationProperty`, `@KernelParameter` and `@SystemProperty`.
- [brk] Generic session options moved from `web.server.sessions` to `web.sessions`.
- [brk] Static resources options moved from `web.staticResources` to `web.static`.
- [brk] Default session timeout with embedded servers is now defined by the `web.server.defaultSessionTimeout` option.
- [new] Add `web.sessions.cookie` configuration options to set Web session cookie details.
- [new] Support JSR-250 `@PostConstruct` and `@PreDestroy` annotations on singletons (in addition to AutoCloseable `close()` method).
- [new] Add `SeedInterceptor` API to declare method interceptors without coupling to Guice implementation.
- [fix] Ensure that JVM-wide base configuration is refreshed between tests.
- [fix] Allow JAX-RS components to be instantiated without Guice as a fallback (Jersey 2).
- [fix] Default session timeout for Undertow was incorrect. It is now 20 minutes.
- [chg] Better error messages for security realm exceptions.
- [new] Support for programmatic login through `SecuritySupport` interface (no need for Shiro-specific code anymore).
- [chg] Obtaining principals by type now honors inheritance (instead of returning principals of the exact specified type).
- [chg] Principals are no longer required to be serializable.
- [chg] `AbstractTransactionManager` is now scoped as package.
- [fix] Security authentication and authorization caches are now disabled by default (to avoid keeping credentials in memory indefinitely).
- [new] Introduce the `diag` tool to manually write a diagnostic report to standard output or in a file.
- [new] Enable configuration of Undertow error pages for specific HTTP codes or exceptions as well as a default error page (`web.server.errorPages` config).
- [new] SSL truststore can be configured separately from the master keystore (if no configuration it will default to the Java default truststore).
- [new] A custom X509KeyManager can now be configured to allow control of the chosen key material during SSL handshake.
- [brk] Plain file X509 certificates (outside a keystore) can no longer be configured as it is less secure and not so useful.
- [fix] Remove NullPointerException at Undertow shutdown if it had not started properly before.
- [new] The `@Provide` annotation allows to register JSR-330 providers for producing injectable instances of a specific type.
- [fix] Fix Jansi loading on unsupported platforms.
- [chg] Better logging of detected configuration resources.
- [chg] Allow configuration through `seedstack.config.*` system properties to override any other configuration source.
- [chg] JSON home resource is now disabled by default.
- [chg] Adaptively supports all Bean Validation specification levels.
- [chg] During integration tests with Undertow, launch the application in a separate thread.
- [new] Support for the `web.server.welcomeFiles` with Undertow. Default value is `index.html`.
- [new] Support for file logging configuration when using LogBack. Enable by setting `logging.file.enabled` to `true`.
- [chg] Filter priorities updated: resource filter has -2000 priority, and Jersey filter has -1000 priority.
- [new] Automatic detection and activation of Freemarker Jersey feature from project dependencies.
- [chg] Classes implementing `LifecycleListener` are no longer singleton by default (add `@Singleton` on the class to force it).
- [chg] Classes implementing `LifecycleListener` can be ordered by applying the `@Priority` annotation on them.
- [fix] Normalize context path with Undertow (force a starting slash and remove any terminal slash).
- [brk] Configuration property `web.runtime.baseUrl` was renamed to `runtime.web.baseUrl` property.
- [brk] Configuration property `web.runtime.protocol` was renamed to `runtime.web.server.protocol` property.
- [brk] Configuration property `web.runtime.host` was renamed to `runtime.web.server.host` property.
- [brk] Configuration property `web.runtime.port` was renamed to `runtime.web.server.port` property.
- [brk] Configuration property `web.runtime.contextPath` was renamed to `runtime.web.servlet.contextPath` property.
- [brk] Configuration property `web.runtime.virtualServerName` was renamed to `runtime.web.servlet.virtualServerName` property.
- [brk] Configuration property `runtime.web.baseUrl` does NOT end with a slash anymore (use `runtime.web.baseUrlSlash` if needed).
- [new] Configuration property `runtime.rest.baseUrl` provides the base path for JAX-RS resources (and `runtime.rest.baseUrlSlash` with a terminal slash).
- [chg] Built and tested with OpenJDK 11 (minimum Java version still being 8).
- [fix] Fix the `web.runtime.baseUrl` dynamic configuration property when running with Undertow and having a context path set.
- [new] Add the ability to specify the session timeout in embedded Web server configuration (`web.server.sessions.timeout` configuration property).
- [fix] Integration testing decorators were instantiated before the kernel in PER_TEST launch mode.
- [fix] Throw an explicit error when applying the `@Logging` annotation on a field type other than `org.slf4j.Logger`.
- [fix] Fix HTTP headers sent when the NO_CACHE policy is applied on a JAX-RS resource (the default).
- [new] Add `noCheck` option to the `xsrf` filter to only generate the token without checking it (use as `xsrf[noCheck]` in filter config).
- [new] Bean Validation 2.0 support through Hibernate Validator 6 implementation.
- [fix] Add missing `@Inject` annotation on `org.seedstack.seed.security.internal.realms.X509CertificateRealm` constructor.
- [chg] X509-based authentication will use the subject `X500Principal` as identity if no `uid` attribute is available (instead of the whole chain).
- [chg] X509-based authentication will use the subject certificate (first in the chain) as credentials (instead of the whole chain).
- [new] X509-based authentication will now (re-)check the subject certificate validity.
- [new] Enable security session periodic validation (expiration check) when outside a Servlet environment.
- [chg] Authorization cache will now use the primary principal as key.
- [chg] Also support proxy exclusions without wildcard (`*.somedomain.com`, `.somedomain.com` and `somedomain.com` are all supported).
- [chg] Moved provided `javax.annotation.Nullable` to `org.seedstack.seed.Nullable` to avoid module clashes in Java 9+.
- [chg] Various dependency improvements for Java 9+ modules.
- [fix] Prevent the session regeneration mechanism from creating a session when none exists.
- [fix] Fix bug preventing proper invalidation of the Shiro authentication cache.
- [fix] Downgrade requirement on Servlet API to 3.0 (for old Web containers).
- [chg] Update Arquillian to 1.4.0.
- [new] Support for Servlet 4.
- [fix] Detect if JAXB is available before enabling its support for JAX-RS.
- [chg] Update Undertow to 2.0.6.
- [new] Add an implementation of `javax.annotation.Nullable` avoiding the need of an additional dependency for null injection.
- [chg] Remove the need for `jaxb-api` dependency for `seed-rest-jersey2` module under Java 9.
- [chg] Update Guice to 4.2.0.
- [chg] Update Guava to 25.0.
- [new] Java 9 compatibility.
- [new] JAX-RS 2.1 support.
- [new] Support for serializing/de-serializing `java.util.stream.Stream` from JAX-RS resources.
- [new] Support for custom constraint validator injection.
- [new] Integration testing now uses SeedStack launchers to execute the tested application.
- [new] Ability to choose the tested application launcher with `@LaunchWith`.
- [new] Ability to define/override system properties for integration testing with `@SystemProperty`.
- [new] Ability to define/override kernel parameters for integration testing with `@KernelParameter`.
- [new] Ability to define/override configuration for integration testing with `@ConfigurationProperty`.
- [new] Ability to select configuration profiles for integration testing with `@ConfigurationProfiles`.
- [new] Ability to specify launch arguments for integration testing with `@Arguments`.
- [new] Run Web integration tests with Undertow by combining `@RunWith(SeedITRunner.class)` and `@LaunchWithUndertow`.
- [brk] The integration testing API has been refactored to support other testing frameworks.
- [fix] Defer JNDI lookup through `@Resource` annotation until the instance containing the injection is created.
- [new] Add configuration watching for local files and automatic refresh after change (enable by setting config property `config.watch` to true).
- [fix] Fix `config` tool NullPointerException when dumping a config tree with generics and no null value.
- [fix] Fix exception when a `@CliCommand`-annotated class inherits from a base class.
- [fix] Undertow-based applications would not refresh after a startup failure.
- [new] Validation exceptions on REST resources are automatically mapped to a detailed response.
- [new] A `@RequiresCrudPermissions` annotation allows to add permission checks based on the detected CRUD action of the called method.
- [new] SPI `CrudActionResolver` has been added to security to allow for resolving the CRUD action of a particular method.
- [new] Provides the ability to configure some Shiro implementation classes: `SubjectDAO`, `SubjectFactory`, `SubjectContext`, `Authenticator`, `AuthenticationStrategy`, `CacheManager` and `SessionStorageEvaluator`.
- [new] A JAX-RS implementation of `CrudActionResolver` detects the CRUD action based upon the JAX-RS annotations.
- [new] Basic support for refreshing Web applications served with Undertow.
- [fix] Prevent session fixation issue by regenerating the session (if any) upon successful login.
- [fix] Make `SimplePrincipalProvider` serializable.
- [chg] Security sessions are now enabled by default.
- [brk] Data import/export API has been removed and replaced by a newer API in the business framework.
- [new] Configuration dump (`config` tool) now dumps inner properties for maps, collections, arrays and complex objects.
- [new] Add `beforeInitialization()` and `afterInitialization()` methods on `SeedInitializer` interface.
- [new] Add `isRemembered()` on `SecuritySupport` interface.
- [new] Print a default banner at startup in case of missing custom `banner.txt`.
- [new] Add `application.colorOuput` configuration property to force the color output mode (AUTODETECT, PASSTHROUGH, ENABLE, DISABLE).
- [new] Any singleton implementing `AutoCloseable` will have its `close()` method invoked at application shutdown (can be ignored with @Ignore).
- [new] Overriding Guice modules can be installed by using `@Install(override = true)`.
- [new] The `@Bind` annotation allows to easily define arbitrary bindings by annotating implementations.
- [new] The `@ITBind` and `@ITInstall` annotations have been updated to allow the same options as `@Bind` and `@Install`.
- [new] Can now read transaction metadata from JTA 1.2 `@Transactional` annotation.
- [new] Web session tracking mode is now set to COOKIE by default (a `web.sessionTrackingMode` configuration option allows to change it).
- [new] Add `security.web.successUrl` and `security.web.logoutUrl` configuration options to configure redirection after, respectively, successful login and logout.
- [new] Add `security.web.form` configuration object to configure form-based authentication.
- [brk] Deprecated `expand()` method of `org.seedstack.seed.rest.hal.Link` has been removed (use getHref() instead).
- [fix] Avoid NullPointerException when an exception occurs in a `NOT_SUPPORTED` local transaction.
- [chg] Overriding a more general class configuration attribute with a more specific null-valued one completely removes the attribute.
- [chg] HTTP/2 is enabled by default with Undertow.
- [chg] Update Guice to 4.1.0.
- [chg] Update Shiro to 1.4.0.
- [chg] Update Jersey to 2.25.1.
- [chg] Update Hibernate validator to 5.4.1.Final.
- [chg] Update Commons CLI to 1.4.
- [chg] Update Undertow to 1.4.14.
- [new] Add `SeedInitializer` interface that is called at SeedStack JVM-wide initialization and close (can be used to do early initialization).
- [new] Tools can now be run in two modes: with the minimal set of plugins (minimal) or with all plugins loaded (full).
- [fix] Fix StackOverflowError under Tomcat in Eclipse WTP when auto-configuring Logback.
- [fix] Fix resolution of `WEB-INF/classes` under Tomcat 8 when using resource overlay (PreResources, PostResources).
- [fix] Properly log out subject when testing with `@WithUser`.
- [fix] Prevent WebResourceFilter from serving files under `/WEB-INF`, allowing JSP to be served correctly.
- [fix] Fix NPE when a filter or a servlet was already registered by the container.
- [chg] Default diagnostic dump changed from JSON to YAML.
- [chg] Using the application classloader to load properties for additional JNDI contexts (paths should not start with `/` anymore).
- [chg] Configuration properties files are now mapped in depth (the dot-notation in the property key is used to create intermediary tree nodes).
- [new] Configuration can be sourced from properties files (`application.properties` and `META-INF/configuration/*.properties`).
- [new] The `effective-config` tool dumps the aggregated global configuration tree of the application.
- [new] The `crypt` tool encrypts values using the master key store.
- [new] Support for configuration profiles (specify profiles with system property `seedstack.profiles`).
- [new] Sensitive information is hidden in configuration dumps (properties named `passwd`, `password`, `pwd`, system properties and environment variables)
- [new] Ported security cache from version 2.3.4.
- [new] Ported Jersey2 cache control from version 2.3.3.
- [fix] Fix mishandling of override scanned configuration files.
- [fix] Configuration was incorrectly refreshed at every access.
- [chg] coffig: 2.0.0
- [chg] shed: 1.0.1
- [fix] Fix `ClassNotFoundException` in `CliConfig` due to wrong import.
- [fix] Application name was not reflecting application id change when no custom name specified.
- [fix] Remove irrelevant log info about the disabled data security when no EL present.
- [fix] Properly notify test initialization failures to JUnit.
- [chg] Inject a default value in fields annotated with `@Configuration` if they are null in the first place.
- [chg] Update coffig to 1.1.0.
- [new] New configuration system based on Coffig library.
- [new] Tooling support allows to launch tools from the command-line (-Dseedstack.tool=) or from the SeedStack maven plugin.
- [new] The `config` tool dumps the current configuration options for the application.
- [new] The `errors` tool dumps all current error messages available in the application.
- [new] Kernel parameter `seedstack.autodetectModules` allows to control if module detection should be done (true/false).
- [new] HTTP(S) proxy automatic detection or explicit configuration support.
- [brk] Java 8 is now required.
- [brk] Classic configuration system based on props has been removed in favor of a YAML configuration (amongst others).
- [brk] Configuration keys have been shortened and renamed.
- [brk] The `password` configuration lookup has been replaced by the `$decrypt` configuration function.
- [brk] Jersey 1 implementation of JAX-RS has been removed.
- [brk] Class `org.seedstack.seed.cli.SeedRunner` was renamed to `org.seedstack.seed.cli.CliLauncher` and its main method has been removed (use `org.seedstack.seed.core.SeedMain` instead).
- [brk] The `transaction`, `el` and `crypto` modules are merged into `core` module.
- [brk] The `shell` module is now an add-on.
- [brk] Even when only one transaction handler is present, it is no longer automatically used (an explicit resource must always be specified for the transaction).
- [brk] The default value of the `@Configuration` annotation `mandatory` argument has been changed to `false`.
- [brk] The `defaultValue` attribute of the `@Configuration` annotation has been removed. Pre-initialize fields if a default value is needed.
- [brk] The package `org.seedstack.seed.core.utils` has been removed in favor of the 'shed' utility library.
- [brk] Annotation resolution strategy has been unified for all SeedStack annotations and can exhibit minor differences with prior strategies.
- [new] Add security cache for authentication (enabled by default, can be disabled with `org.seedstack.seed.security.cache.authentication.enabled = false`)
- [new] Add security cache for authorization (enabled by default, can be disabled with `org.seedstack.seed.security.cache.authorization.enabled = false`)
- [fix] JAX-RS resources were not decorated with cache busting headers when using Jersey2 implementation.
- [fix] Jersey2 module did not honor the `@CacheControl` annotation.
- [brk] `@ResourceFiltering` annotation is specific to Jersey1 and has been moved to package `org.seedstack.seed.rest.jersey1` accordingly.
- [fix] Fix colors under Windows command-line
- [fix] Fix wrong priority of CORS filter which was below security filter.
- [fix] Fix binding of `X509CertificateFilter` which was bound multiple times.
- [chg] Annotated WebSockets are now registered programmatically as it allows injection of the configurator class.
- [fix] Catch exception thrown by the JAnsi library when used on an unsupported OS (i.e. not linux/windows/osx).
- [new] Full compatibility with Java 8.
- [new] Interface `LifecycleListener` provides the ability to execute code upon application startup and shutdown.
- [new] Global facade (class `Seed`) for kernel creation and disposal.
- [new] Auto-configuration of Logback when it is in use and no `logback.xml` file exists.
- [new] Best-effort to detect console color output in various runtime environments.
- [new] Ability to print a custom banner upon startup by providing a `banner.txt` file in the default package.
- [chg] Update to official Guice 4.0 (not using Sisu-Guice anymore).
- [chg] Improve log traces on startup errors.
- [chg] Better default log format.
- [chg] Update parent pom to 2.4.0
- [chg] Update `commons-configuration` to 1.10.
- [chg] Update `commons-cli` to 1.3.1.
- [chg] Update `shiro` to 1.2.4.
- [chg] Update `undertow` to 1.3.19.Final.
- [chg] Update `jodd` to 3.6.6.
- [chg] Update `metrics` to 3.1.2.
- [chg] Update `jersey1` to 1.19.1.
- [chg] Update `jersey2` to 2.22.2.
- [fix] Correctly injects `@Logging`-annotated inherited loggers.
- [new] Fully-injectable and interceptable servlets, filters and listeners.
- [new] Full compatibility with asynchronous servlets and filters.
- [new] Ability to programmatically register servlets, filters and listeners.
- [chg] WebSocket support, previously in `seed-web-websocket` module is merged into `seed-web-core` module.
- [brk] Compatibility with Servlet 2.5 is dropped.
- [brk] Custom Servlet annotations (`@WebServlet`, `@WebFilter` and `@WebListener`) are dropped in favor of standard ones.
- [new] Full support for JAX-RS 2 asynchronous resources.
- [new] Detection of BeanParam classes in HAL scanner.
- [chg] Automatically prepends the servlet context path to generated HAL links.
- [new] Add support for Expression Language 3
- [fix] Correctly take inheritance into account in expected IT exceptions
- [chg] Update Tomcat version to 8.0.32 for Arquillian tests.
- [new] Support configuration of Jersey 2 features. Automatically enable multipart and JSP features if detected on the classpath.
- [new] Add multipart feature as a dependency of Jersey 2 module, enabling it by default.
- [fix] Fix the `@Ignore` annotation which was not working anymore in version 2.1.0.
- [chg] `RelRegistry` automatically prepends the servlet context path to generated HAL links.
- [new] JAX-RS 2 support through Jersey 2.
- [new] Applications can launch in a Servlet 3+ environment without web.xml file.
- [brk] Remove the `org.seedstack.seed.web.DelegateServletContextListener` interface which can be replaced by native servlet listeners.
- [chg] Disable storage of security sessions by default (can be re-enabled by setting `org.seedstack.seed.security.sessions.enabled` to true)
- [chg] Sets the default security session timeout to 15 minutes (instead of 30 minutes before) when sessions are enabled
- [new] Security session timeout can be changed with the `org.seedstack.seed.security.sessions.timeout` property (in seconds).
- [new] Add an anti-XSRF security filter (named `xsrf`) which can be used in Web security filter chains to prevent XSRF attacks.
- [brk] Merged dedicated test modules into their core implementation.
- [brk] Merged multiple testing modules into a unique one named `seed-testing`.
- [brk] Simplified the naming convention of all modules by getting rid of the `support` word.
- [brk] Simplified the framework by factoring-out numerous modules as SeedStack add-ons (http://seedstack.org/addons/).
- [new] Final version of cryptography support in the `seed-crypto` module.
- [brk] Changed the SPI of integration testing plugins.
- [new] Added Undertow embedded-server support in `seed-web-undertow` module.
- [brk] Moved Jersey 1 implementation in its own module `seed-rest-jersey1`.
- [new] Initial Open-Source release.