By default we now discard all Set-Cookie and Cookie headers. User
can manipulate it per route via zuul.routes.*.sensitiveHeaders, or
globally via zuul.ignoredHeaders.

Latest Eureka from Netflix uses a different HTTP client, and it
ignores the HTTP basic credentials in a service URL. This change
partially restores the old behaviour by providing an interceptor
(ClientFilter) that has a single, global username/password
taken from the first serviceUrl that contains credentials.
Fixes gh-849

Any client that wants to can include it back again, but generally
it only causes problems (XML returned from apps instead of
JSON by Spring MVC for instance). In general it only causes problems
for services whose clients use "Accept: application/xml,*/*", for
instance (like a browser).
See gh-306

Eureka now has the option (maybe always there) to not register
and that's a sensible default in the bootstrap phase (when we
might not know the port yet).

This reverts commit 3f34ccc8fb. We
need to discuss a bit more (that thread local is probably unavoidable
given the design of Feign, but I don't like it yet).
See gh-841

Spring MVC Feign Contract did not support parameter name fallback
for the #value() attributes of known parameter annotations. Makes
this feature available when the interface has been compiled with
the Java 8 -parameters compiler arg.
Fixes gh-835

Supports Spring REST parameter annotations considered
only #value() members without respecting @AliasFor meta-annotations.
Address by passing a Spring-synthesized annotation to individual
AnnotatedParameterProcessors. This approach has the benefit of impacting
present as well as any future implementations alike.
Fixes gh-828

The super class deals with syncing to peers, so we need that
call. It still delegates to the other register method and seems
to work just fine without the override.
Fixes gh-838

User can exclude headers (generally in responses is most useful)
by configuring them, or calling a setter in ZuulProperties.
If Spring Security is on the classpath we add a few headers
automatically, corresponding to the ones that would be added
by Spring Security in the remote backend anyway (so they are not
added twice). Nothing is actually removed, so if the remote
service doesn't add those headers, we don't change anything.
The X-Application-Context header is also added to the hard coded
list of ignored headers, because it isn't relevant in the
gateway (and leaks information about the remote service).
Fixes gh-819

Otherwise there can be duplicate beans with the same type and different
names, because the autoconfig does not (for some reason) use
@EnableConfigurationProperties to create the ServerProperties bean.
It isn't an issue until someone writes some autoconfig that itself
imports the ZuulConfiguration (i.e. regular conscious users of
@EnableZuulServer do not see any problems and hence no tests fail
here or in integration projects).
Fixes gh-821

Also does not rename another one because it fails (see gh-804). The
bug can be fixed in feign (https://github.com/Netflix/feign/pull/324),
and if that gets merged and released we can revert some of the recent
changes to the apache load balancer here.