SpringBoot 2.6 Release Notes

Spring Boot 2.6 Release Notes · spring-projects/spring-boot Wiki

Deprecations from Spring Boot 2.4

Classes, methods and properties that were deprecated in Spring Boot 2.4 have been removed in this release. Please ensure that you aren’t calling deprecated methods before upgrading.

Circular References Prohibited by Default

생성자 주입을 통한 순환 사이클은 기본적으로 에러가 발생되지만

application 설정으로 허용 가능하도록 변경됨

spring.main.allow-circular-references=true

PathPattern Based Path Matching Strategy for Spring MVC

pathPattern에서 같은 값을 연속해서 설정했을 경우 이전 버전까지는 마지막 값으로 처리가 되었으나 2.6부터는 에러가 발생되며 워닝으로 표시된다.

만약 이전 버전의 설정을 유지하고 싶다면 아래 셋팅을 application 설정에 추가하면 된다.

spring.mvc.pathmatch.matching-strategy=ant_path_matcher

Actuator Env InfoContributor Disabled by Default

Actuator Env info 정보를 application 설정에 추가하더라도 기본적으로 노출되지 않도록 변경 되었으며 원할 경우 application 설정 값으로 변경 가능하도록 변경됨

management.info.env.enabled=true

Application Startup

The spring.boot.application.running
startup step logged to ApplicationStartup
has been renamed to spring.boot.application.ready
. If you are processing files generated from FlightRecorderApplicationStartup
or BufferingApplicationStartup
you will need to use the new name.

→ ApplicationStartup과 관련된 property 이름이 running에서 ready로 변경됨

Web Resources Configuration

Injecting Resources directly no longer works as this configuration has been harmonized in WebProperties. If you need to access this information, you need to inject WebProperties instead.

→ 2.5까지는 record를 사용할 경우 setter가 존재하지 않아 @ConstructorBinding Annotation을 통해 주입시켜주었으나 2.6 부터는 사용하지 않아도 처리됨

@ConfigurationProperties("blogger.author")
// @ConstructorBinding 
public record AuthorProperties(String firstName, String lastName, String email) {
}

SameSite Cookie Attribute Servlet Support

You can now configure SameSite attributes on session cookies for servlet applications using the server.servlet.session.cookie.same-site property. This works with auto-configured Tomcat, Jetty and Undertow servers.

In addition, the CookieSameSiteSupplier interface can be used if you want to apply a SameSite attribute to other cookies. See the updated documentation for more details and some example code.

→ SameSite 속성을 CookieSameSiteSupplier 를 @Bean으로 선언하여 쿠키별로 속성 컨트롤 가능하다.

• SameSite 사전 지식

A cookie with "SameSite=Strict" will only be sent with a same-site request. 
A cookie with "SameSite=Lax" will be sent with a same-site request, or a cross-site top-level navigation with a "safe" HTTP method.
A cookie with "SameSite=None" will be sent with both same-site and cross-site requests.

SameSite의 정확한 기준

작년에 SameSite에 대해 처음 알았을땐 사실 도메인에 대한 기준에 별 관심이 없어서 그냥 지나쳤었는데, 최근에 이와 관련해서 테스트해보고 여러 의견을 나눠본 결과.. 매우 중요했단 사실을 알게 됬습니다.

요점은 www.google.com과 aaa.google.com, 즉 서브 도메인만 다른 경우 SameSite인가? 이고 결론은 SameSite 입니다. 다만 하나 알고가야할건 Public suffix에 명시된 최상위 도메인을 기준으로 SameSite를 식별한다는 점 입니다. 그래서, 1.google.com과 2.google.com은 SameSite이지만, 1.github.io 와 2.github.io는 Cross-site 입니다.

• Default Session Settings

server.servlet.session.cookie.same-site=lax

• Customize SameSite Cookie Settings

@Bean
public CookieSameSiteSupplier cookieSameSiteSupplier() {
    return CookieSameSiteSupplier.ofStrict().whenHasName("mycookie");
}

Pluggable Sanitization Rules

Spring Boot sanitizes sensitive values present in the /env and /configprops endpoints. While it was possible to configure which properties get sanitized via configuration properties, users might want to apply sanitization rules based on which PropertySource the property originated from. For example, Spring Cloud Vault uses vault to store encrypted values and load them into the Spring environment. Since all values are encrypted, it would make sense to blank the values of every key in an entire property source. Such sanitization customizations can be configured by adding a @Bean of type SanitizingFunction.

→ actuator에 노출되는 program arguments 값을 SanitizingFunction Bean 설정을 통해 커스터마이징 할 수 있다.

• Program Arguments

--api.secret=password --api.version=1.0

• SanitizingFunction Bean

@Bean
public SanitizingFunction sanitizingFunction() {
    return data -> data.getPropertySource().getName().equals(CommandLinePropertySource.COMMAND_LINE_PROPERTY_SOURCE_NAME)
            ? data.withValue("this is top secret!") : data;
}

• Actuator

Java Runtime Information

The info endpoint can now expose Java Runtime information under the java key, as shown in the following example:

"java": {
    "vendor": "Eclipse Adoptium",
    "version": "17.0.2",
    "runtime": {
      "name": "OpenJDK Runtime Environment",
      "version": "17.0.2+8"
    },
    "jvm": {
      "name": "OpenJDK 64-Bit Server VM",
      "vendor": "Eclipse Adoptium",
      "version": "17.0.2+8"
    }
  }

To expose this information in the info endpoint’s response, set the management.info.java.enabled property to true.

→ management.info.java.enabled 속성을 추가하면 actuator/info에서 java 정보가 확인 가능하다.

Build Info Property Exclusions

It’s now possible to exclude specific properties from being added to the build-info.properties file generated by the Spring Boot Maven or Gradle plugin.

Maven users can exclude the standard group, artifact, name, version or time properties using the <excludeInfoProperties> tag. For example, to exclude the version property the following configuration can be used:

<configuration>
	<excludeInfoProperties>
		<excludeInfoProperty>version</excludeInfoProperty>
	</excludeInfoProperties>
</configuration>

→ build-info.properties 파일을 생성시 제외할 속성을 지정할 수 있다.

MessageSource-based Interpolation of Bean Validation Messages

The application’s MessageSource is now used when resolving {parameters} in constraint messages. This allows you to use your application’s messages.properties files for Bean Validation messages. Once the parameters have been resolved, message interpolation is completed using Bean Validation’s default interpolator.

→ message 설정에 있는 속성 값을 validation annotation에 바인딩하여 사용 가능하다.

• Properties

spring.web.locale=ko_KR

• Validation Annotation

@NotEmpty(message = "{post.title.notEmpty}")
private String title;

Using WebTestClient for Testing Spring MVC

Developers could use WebTestClient to test WebFlux apps in mock environments, or any Spring web app against live servers. This change also enables WebTestClient for Spring MVC in mock environments: classes annotated with @AutoConfigureMockMvc can get injected a WebTestClient. This makes our support complete, you can now use a single API to drive all your web tests!

→ Webflux 환경에서도 WebTestClient가 지원 가능해졌다.

@WebMvcTest(PostController.class)
class PostControllerTest {

    @Autowired
    private WebTestClient webTestClient;

    @Test
    void findAllPosts() {
        webTestClient
                .get()
                .uri("/posts")
                .exchange()
                .expectStatus().isOk()
                .expectBody().jsonPath("$.size()", Matchers.is(3));
    }

Appendices

https://www.youtube.com/watch?v=4L4LEnawcO8

• SameSite Cookie