All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Backend: Hardened the Spring Boot Actuator configuration and improved the configuration documentation around it
- Backend: Include the H2 in-memory database only when running via bootRun (Gradle configuration: developmentOnly) and not in the deployed artifact, since it is meant for local development only. Real database drivers for production (e.g. the PostgreSQL JDBC driver) should be declared with the implementation configuration.
- Backend: Configure the Permissions-Policy HTTP security header with .permissionsPolicyHeader(), as .permissionsPolicy() is deprecated
- Backend: Spring Boot 3.4.3, Spring Modulith 1.3.2, Hibernate 6.6.8.Final
- Backend: Gradle Plugins: Spring Dependency Management Plugin 1.1.7, Spotless 7.0.2, CycloneDX 2.1.0, Ben Manes Versions Plugin 0.52.0
- Backend: Build tool Gradle 8.12, BouncyCastle 1.80
- Backend: OIDC: Support extracting claims from the ID token, the UserInfo endpoint and end-user attributes. Claims are converted to granted authorities (roles) that can be used natively in Spring for authorizing access
- Frontend: Angular 19.1.1
- Container: Remove the JVM flag that selects generational ZGC, since generational mode is the default in recent JDKs and the non-generational mode is scheduled for removal.
- Backend: update to Spring Boot 3.4.1, Hibernate 6.6.4.Final, Spring Modulith 1.3.1
- Backend: enable Gradle Configuration Cache
- Frontend: update to nodejs 22 LTS for the build process
- Frontend: Update Angular 19.0.5
- Backend: Update to Gradle 8.11.1, Gradle Plugin CycloneDX 1.10.0; dependencies: H2 2.3.232, Hibernate 6.6.1.Final, Spring Boot 3.3.4, Spring Modulith 1.2.3
- Backend: Automatic redirect from HTTP to HTTPS for every request using requiresChannel()/requiresSecure() in Spring Security. Note: This is complementary to a content security policy (CSP) with upgrade-insecure-requests; the redirect protects the initial navigation, the CSP directive protects sub-resource loads. Both should be used.
- Frontend: Documentation: Change links to the new Angular.dev web page
- Frontend: Update Angular 19.0.0
- Frontend: add support for Typedoc
- Backend: Sanitize data transfer objects (DTOs) such as product and order so that they cannot carry malicious HTML/scripts. This is based on the OWASP Java HTML Sanitizer. See also the documentation. Note: The frontend in addition relies on Angular's built-in sanitization and on a content security policy (CSP) without unsafe-* sources plus Trusted Types.
- Frontend: Update to Angular 18.1.x
- Backend: Update to Spring Boot 3.3.2, Spring Modulith 1.2.2
- Backend: Update to Gradle 8.9, Spring Dependency Management Plugin 1.1.6, H2 2.3.230
- Backend: Make options for CSP script-src and style-src nonce more configurable. See documentation.
- Backend: Register the BouncyCastleProvider for security algorithms (needed for SAML authentication). See ./backend/src/main/java/eu/zuinnote/example/springwebdemo/SpringwebdemoApplication.java.
- Backend: Added the CycloneDX Gradle Plugin to generate a Software Bill of Materials (SBOM). See also the documentation on how to expose SBOMs via Spring Boot Actuator
- Backend: Upgraded to Gradle 8.8
- Backend: Change content security policy (CSP) to use upgrade-insecure-requests, because block-all-mixed-content has been deprecated.
- Backend: Refactor SecurityConfiguration to avoid redundant code
- Backend/Frontend: CSP: remove unsafe-inline from script-src and style-src and replace it with a nonce-based mechanism. In the backend this includes the filter SPACspNonceFilter.java, which injects the nonce into the headers when the Angular root component ("/") or an Angular frontend route ("/ui/*") is requested directly.
- Backend: Updated Spring Boot to 3.3.0, Spring Modulith 1.2.0, Hibernate 6.5.2.Final, Disruptor 4.0.0
- Frontend: Upgrade to Angular 18
- Backend: Updated Spring Boot to 3.2.5, BouncyCastle to 1.78.1
- Initial version of the application with documentation
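The entries above on the HTTP-to-HTTPS redirect (requiresChannel()/requiresSecure()), the Permissions-Policy header via .permissionsPolicyHeader(), the CSP with upgrade-insecure-requests and the per-request nonce for script-src/style-src describe one Spring Security configuration. The following is an added illustration of how those pieces fit together; it is example code written for this changelog, not the project's SecurityConfiguration or SPACspNonceFilter. The class and attribute names (HeaderHardeningExample, CspNonceFilter, "cspNonce") and the concrete Permissions-Policy directives are assumptions chosen for the example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class HeaderHardeningExample {

    // Hypothetical request attribute under which the nonce is handed to the view layer.
    static final String NONCE_ATTR = "cspNonce";

    // Generates a fresh, unpredictable nonce for every request. It runs before the
    // HeaderWriterFilter so the CSP header writer below can read the attribute.
    static final class CspNonceFilter extends OncePerRequestFilter {
        private final SecureRandom random = new SecureRandom();

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain chain) throws ServletException, IOException {
            byte[] raw = new byte[16]; // 128 bits of entropy per nonce
            random.nextBytes(raw);
            request.setAttribute(NONCE_ATTR, Base64.getEncoder().encodeToString(raw));
            chain.doFilter(request, response);
        }
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Redirect every plain-HTTP request to HTTPS (replaces the deprecated
            // block-all-mixed-content approach together with upgrade-insecure-requests below).
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            .addFilterBefore(new CspNonceFilter(), HeaderWriterFilter.class)
            .headers(headers -> headers
                // Non-deprecated API for the Permissions-Policy header; directives are an assumption.
                .permissionsPolicyHeader(pp -> pp.policy("camera=(), microphone=(), geolocation=()"))
                // Custom writer: the CSP must be built per request because it embeds the nonce,
                // so the static contentSecurityPolicy(...) customizer is not used here.
                .addHeaderWriter((request, response) -> {
                    String nonce = (String) request.getAttribute(NONCE_ATTR);
                    response.setHeader("Content-Security-Policy",
                        "default-src 'self'; "
                        + "script-src 'self' 'nonce-" + nonce + "'; "
                        + "style-src 'self' 'nonce-" + nonce + "'; "
                        + "object-src 'none'; base-uri 'self'; "
                        + "upgrade-insecure-requests");
                }));
        return http.build();
    }
}
```

Whatever serves the Angular entry page still has to copy the value of the request attribute into the nonce attribute of the inline script and style tags (and into Angular's CSP_NONCE provider); a nonce that appears only in the header blocks every inline resource rather than allowing them. Because the HeaderWriterFilter writes headers when the response is committed, the attribute set by the filter above is available by then regardless of how early the writer is registered.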
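The DTO sanitization entry above (OWASP Java HTML Sanitizer applied to product and order objects) can be illustrated as follows. This is an added example, not the project's sanitizer code; the DtoSanitizerExample class, the Product record and the chosen policy (inline formatting, block elements and links) are assumptions for the illustration, and the sample input is constructed.

```java
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public final class DtoSanitizerExample {

    // Allow-list policy: only inline formatting, block elements and safe links survive.
    // Anything not on the allow-list (script, event handlers, javascript: URLs) is dropped.
    private static final PolicyFactory POLICY =
            Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS);

    // Hypothetical DTO; the project's real product DTO will have more fields.
    public record Product(String name, String description) {}

    public static String sanitize(String untrusted) {
        return untrusted == null ? null : POLICY.sanitize(untrusted);
    }

    // Apply the policy to every free-text field before the DTO is stored or returned.
    public static Product sanitize(Product in) {
        return new Product(sanitize(in.name()), sanitize(in.description()));
    }

    public static void main(String[] args) {
        // Constructed malicious input covering three injection vectors.
        Product tainted = new Product(
                "Lamp<script>alert(document.cookie)</script>",
                "<b>Bright</b> <a href=\"javascript:alert(1)\">details</a> <img src=x onerror=\"alert(1)\">");
        Product clean = sanitize(tainted);
        System.out.println(clean.name());
        System.out.println(clean.description());
    }
}
```

The script element and its body, the javascript: link target and the img element with its onerror handler are all removed by the allow-list policy, while the bold formatting and the link text are kept. Sanitizing on the backend protects every consumer of the API, which is why it complements rather than replaces Angular's own sanitization and the nonce-based CSP.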
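The OIDC entry above describes converting claims from the ID token, the UserInfo endpoint and end-user attributes into granted authorities. The following added example shows one way to do that with Spring Security's GrantedAuthoritiesMapper; it is not the project's implementation. The claim name "roles", the ROLE_ prefix convention and the OidcClaimsToRolesExample class name are assumptions.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

@Configuration
public class OidcClaimsToRolesExample {

    // Assumed name of the claim carrying the roles; identity providers differ here.
    static final String ROLES_CLAIM = "roles";

    // Spring Security's OAuth2 login picks up this bean and applies it after authentication.
    @Bean
    GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority oidc) {
                    // OIDC login: claims from the ID token first, then from the UserInfo endpoint.
                    addRoles(mapped, oidc.getIdToken().getClaimAsStringList(ROLES_CLAIM));
                    if (oidc.getUserInfo() != null) {
                        addRoles(mapped, oidc.getUserInfo().getClaimAsStringList(ROLES_CLAIM));
                    }
                } else if (authority instanceof OAuth2UserAuthority oauth2) {
                    // Plain OAuth2 login: roles arrive as end-user attributes.
                    Object roles = oauth2.getAttributes().get(ROLES_CLAIM);
                    if (roles instanceof Collection<?> values) {
                        addRoles(mapped, values.stream().map(String::valueOf).toList());
                    }
                }
            }
            return mapped;
        };
    }

    // Normalise IdP role names to ROLE_<UPPER_CASE> so hasRole("ADMIN") and
    // @PreAuthorize("hasRole('ADMIN')") match; unexpected characters are replaced
    // so a claim value cannot smuggle in an arbitrary authority string.
    static void addRoles(Set<GrantedAuthority> target, List<String> roles) {
        if (roles == null) {
            return;
        }
        for (String role : roles) {
            String name = role.trim().replaceAll("[^A-Za-z0-9_]", "_").toUpperCase();
            if (!name.isEmpty()) {
                target.add(new SimpleGrantedAuthority("ROLE_" + name));
            }
        }
    }
}
```

The original OIDC_USER/OAUTH2_USER authorities are kept alongside the mapped roles, so existing authorization rules keep working. Which roles the ID token versus the UserInfo response carries is provider-specific; checking both sources, as above, avoids silently missing roles when only one of them is populated.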