-
Notifications
You must be signed in to change notification settings - Fork 688
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spring Cloud activates unexpected profiles when some conditions met #1285
Comments
It should not be too hard to fix this, and I would like to raise a PR for it. |
… some conditions met
Hi @ryanjbaxter @spencergibb, would you please help check and advise? |
Can you try setting |
Yep, thanks. I tried this config in bootstrap.yml, this could possibly solve quite some problems. However, it would not prevent the merge of
Let me know your opnions. :) |
Can you provide a sample that reproduces this? When I use your sample it behaves as expected when using |
Our expectation:
Reproduced ground truth:
Full log below:
What's more, if we try to add spring-boot-actuator and trigger /actuator/refresh, we would see order changed after refresh.
If we miss
This is just a quick sample for the wrong 'merge' behaviour, the profile should not be necessarily only from environment variable. |
Can you try using Spring Cloud 2022.0.4? |
I tried Spring Boot 3.1.4 + Spring Cloud 2022.0.4 which points to Comparing code snippets of
Then, we could have below 2 problems to answer:
|
The reason for the different behaviors between branches is that there was a bad merge, all the branches should be identical. I added some comments to your PR |
Do you need me to raise another PR to sync methods |
No I will merge the changes forward |
BTW, once this fix is applied, you do not really need to have |
This is a pretty bad bug as outlined in "Potential Hazard" above - can 3.1.8 be kicked out soon? |
We are planning a release towards the end of December |
According to 3.1. Adding Active Profiles:
Hence, I would expect spring.profiles.active can only introduce profiles in property source with highest priority, while spring.profiles.include can accept any profiles from all valid property sources.
3.1.6 is the last version that holds above rules. Since 3.1.7, profiles under spring.profiles.active from all property sources are merged, which does not follow the existing behaviours.
I have quickly written a demo and detailed descriptions for this issue here.
Trigger Conditions:
Buggy Behaviour
Instead of accepting "prod" and "secure" profiles only, it accepts local profile as well.
Potential Hazard
In this demostration project, 2 beans of AuthManager would be candidates to use - LocalBypassAuthManager should only be used in local development environment due to some reasons (say something cannot be installed locally but should not impact your BAU functional implementation), while NormalAuthManager should be applied in any valid remote environment - especially Production. In this case, both "prod" and "local" profiles are activated and hence the illegal bean of LocalBypassAuthManager will be used in Production making any authentication tokens bypass and become valid.
The text was updated successfully, but these errors were encountered: