Commits on Feb 11, 2016
  1. fix: security breaches in admin modules

    a-peyrard committed Feb 11, 2016
    Some of the endpoints in the admin modules were not checking the role
    of the user, and some of them even permitted access by anonymous
    users.
    
    In order to fix those problems:
    - all admin endpoints are from now on checking that the user has the `restx-admin` role.
    - a filter will check all the requests on `/@/*` and only allow users with `restx-admin`
    to pass through (except for `/@/ui/*` and `/@/webjars/*` in order to be able to serve
    static content for the admin ui, like the authentication page).
    If this filter is causing problems, and you want to personally handle the security filter, it may
    be disabled using the deactivation key `restx.activation::restx.RestxFilter::adminRoleFilter` like this:
    ```java
    System.setProperty("restx.activation::restx.RestxFilter::adminRoleFilter", "false");
    ```
    
    Another small problem was the listing of all endpoints when no route was found. So even if this
    functionality can be very useful during development, it is not production friendly, as it might help
    attackers to know all the endpoints defined in the system.
    So a route matching all requests, with a low priority is provided when the `restx.mode` is `prod` (the priority
    for this route is `100000`).
    This point was discussed in #234 and on ggroup https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/restx/PYBsEtLN1mE/dh0wdIWK_uYJ
    If you want to stay with the old behavior, you can deactivate this route with the
    activation key `restx.activation::restx.RestxRoute::productionNotFoundHandler` like this:
    ```java
    System.setProperty("restx.activation::restx.RestxRoute::productionNotFoundHandler", "false");
    ```
Commits on Feb 10, 2016
  1. provides a default route to handle 404 response in prod mode

    a-peyrard committed Feb 10, 2016
    The factory was listing all the existing endpoints if no route was
    found for a request. By defining this new route, which matches all
    kinds of requests, we will bypass the `RestxMainRouterFactory`.
    This route is only activated in "prod" mode, as the listing might
    be useful during development.
  2. add a security check to all admin endpoints

    a-peyrard committed Feb 10, 2016
    Either using the `@RoleAllowed` annotation, or by calling the
    `RestxSecurityManager`
  3. filter all requests to admin endpoints

    a-peyrard committed Feb 10, 2016
    The user must be authenticated, and have the admin role.
    Some requests are excluded from the filter, permitting to serve
    the static contents (html/js/css...) for the admin ui.
Commits on Jun 8, 2015
  1. fix: exception when watcher services are closed

    a-peyrard committed Jun 8, 2015
    When watchers are closed and there is still a running thread waiting for some event,
    a java.nio.file.ClosedWatchServiceException is thrown. According to the
    javadoc (https://docs.oracle.com/javase/7/docs/api/java/nio/file/WatchService.html#take%28%29)
    this is the expected behavior, so we don't need to propagate this exception outside the thread.
Commits on Apr 21, 2015
  1. Merge pull request #195 from a-peyrard/closeable-mongo-client

    a-peyrard committed Apr 21, 2015
    adds a closeable extension to MongoClient (fixes #193)
Commits on Apr 19, 2015
  1. adds a closeable extension to MongoClient (fixes #193)

    a-peyrard committed Apr 19, 2015
    MongoClient provides a close method but does not implement the AutoCloseable
    interface. And the restx factory during its 'close' process is calling close
    methods on every component implementing the AutoCloseable interface.
    
    So the solution for this problem is to override MongoClient in order to implement
    the AutoCloseable interface.
Commits on Apr 1, 2015
  1. Merge pull request #175 from a-peyrard/better-cold-classes

    a-peyrard committed Apr 1, 2015
    Better cold classes management. fix #160
  2. change cold classes separator from ':' to ','

    a-peyrard committed Mar 29, 2015
    As the tokens of the split string are trimmed, the property may be defined like this:
    restx.cold.classes="foo.bar.MyFxirColdClass, foo.bar.MySecondColdClass,or.whithout.Spaces"
Commits on Mar 15, 2015
  1. introduces annotation processor for @Cold

    a-peyrard committed Mar 15, 2015
    This annotation processor will produce a "cold-classes.list" file,
    containing the list of all classes annotated with @Cold.
  2. adds an abstract class for resources generation in AP

    a-peyrard committed Mar 15, 2015
    In factory annotation processor a class was used to generate the
    machine service file.
    This process now uses the abstract class ResourceDeclaration
    defined in RestxAbstractProcessor.
    
    This way, other processors having the same need may also use the
    ResourceDeclaration class.
  3. introduces @Cold annotation

    a-peyrard committed Mar 15, 2015
    This annotation permits to declare the class as cold. Once declared
    the class will not be part of the hot-reloading mechanism.
  4. permits to declare cold classes in a resource file

    a-peyrard committed Mar 15, 2015
    Using a resource `META-INF/cold-classes.list` permits to declare a list
    of cold classes.
    The file must contain a fqcn per line.
    
    Mind that this file will be read only once, so new cold class declarations will
    require a restart of the application.
  5. introduces ColdClasses helper class

    a-peyrard committed Mar 15, 2015
    Currently only one method is defined, a method to extract cold classes
    from a string. The string needs to contain fqcn separated by the ':'
    character.
  6. introduces restx.cold.classes property

    a-peyrard committed Mar 15, 2015
    This property contains a string with all FQCN of cold classes, separated by ':'.
    
    This property may be specified using System.properties like this:
    ```
    System.setProperty("restx.cold.classes", "foo.ColdClass1:bar.ColdClass2");
    ```
    It means that `foo.ColdClass1` and `bar.ColdClass2` must be ignored by the hot-reload
    mechanism.
    
    As cold classes are supposed to be used by components, they must be loaded with the same classloader
    as the one used for components, that's why the classloader used to initialize the factory's components
    is kept, and re-used to transform cold classes FQCN into real classes.
Commits on Mar 8, 2015
  1. adds full inheritance tree in cold classes

    a-peyrard committed Mar 8, 2015
    Instead of just adding the component class, also adds its inherited classes.
  2. Adds method to get inherited classes

    a-peyrard committed Feb 15, 2015
    This method recursively analyses a class to get all its super classes, and
    all its interfaces
Commits on Feb 23, 2015
  1. Merge pull request #166 from a-peyrard/more-types

    a-peyrard committed Feb 23, 2015
    TypeReference and utility methods
  2. in TypesTest use more explicit names for classes

    a-peyrard committed Feb 23, 2015
    Some classes are just defined to make some assertion in
    isAssignableFrom test cases, some names have been refactored
    to be more explicit.
Commits on Feb 22, 2015
  1. adds Types.isAssignableFrom

    a-peyrard committed Feb 22, 2015
    This method permits to check if a type is assignable from another one,
    like the Class.isAssignableFrom is doing for classes.
    
    WIP: Test cases in method isAssignableFrom_should_return_true_if_first_type_is_a_super_type_of_second_type
    should be split into small test cases for a better readability.
Commits on Feb 20, 2015
  1. adds Types.getRawType method

    a-peyrard committed Feb 20, 2015
    It permits to extract the raw type of a Type.
    It only manages instances of Class, ParameterizedType and GenericArrayType though.
  2. introduces TypeReference abstract class

    a-peyrard committed Feb 20, 2015
    This class permits to extract generics Type.
Commits on Feb 19, 2015
  1. Merge pull request #165 from a-peyrard/file-watch-event-coalescor

    a-peyrard committed Feb 19, 2015
    breaking: Introduces FileWatchEventCoalescor
    
    fix #161
Commits on Feb 18, 2015
  1. [breaking] EventCoalescor is now abstract and generified

    a-peyrard committed Feb 18, 2015
    The default implementation, the old EventCoalescor, is implemented as
    a private static inner class of the EventCoalescor, it's an implementation
    called "generic". It might be built, using the factory method:
    "EventCoalescor.generic"
    
    So FileWatchEventCoalescor inherits from EventCoalescor for the type FileWatchEvent.
  2. Introduces a new coalescor for FileWatchEvent only

    a-peyrard committed Feb 17, 2015
    This coalescor will merge events for the same file, not only
    if the event is the same as the previous one, but also with some rules:
    - DELETE + CREATE => MODIFY
    - CREATE + MODIFY => CREATE
    - CREATE + DELETE => discarded
Commits on Feb 12, 2015
  1. fix: JongoCollectionFactory wrong canBuild condition

    a-peyrard committed Feb 12, 2015
    The condition made in the canBuild method was responding true for a class
    extending JongoCollection, but the factory can only provide JongoCollection.
  2. Merge pull request #156 from a-peyrard/asClass-parameter-for-Component

    a-peyrard committed Feb 12, 2015
    It allows using the optional parameter asClass in the @component annotation to define the injection class that will be used for the component.
Commits on Feb 11, 2015
  1. Allows asClass in conditional components

    a-peyrard committed Feb 11, 2015
    Modify the parameter given to the template, in order to manage forced
    types.
  2. In @component use void.class to mark default

    a-peyrard committed Feb 2, 2015
    The Component class itself was used to mark the default value (as null
    is not allowed). "void.class" seems to be a little bit more correct, as
    it means that it does, the default is nothing.
  3. Adds asClass parameter for Component annotation

    a-peyrard committed Feb 1, 2015
    This parameter permits to force the class used to register the component,
    for example a Component can register itself on one of its implemented interface:
    ````
    @component(asClass = MyInterface.class)
    public class MyImplementation implements MyInterface {
    ...
    ````
    
    It was doable using Provides annotation in a module, but was missing when the Component annotation
    was used.
    
    WIP: Manage conditional component, they use another template, and method in the annotation processor.
Commits on Feb 9, 2015
  1. Merge pull request #154 from a-peyrard/use-when-in-modules

    a-peyrard committed Feb 9, 2015
    It permits to use @when annotation in module classes, on provided component, or directly on the whole module class.
Commits on Feb 8, 2015