Kuali Rice Development / KULRICE-14049

Review Impact of Updating Spring 3.2.10 to 3.2.12

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.2
    • Component/s: Development
    • Security Level: Public (Public: Anyone can view)
    • Labels:
      None
    • Rice Team:
      Middleware
    • Sprint:
      Middleware 2.5.2 Sprint 1
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required
    • Code Review Status:
      Not Required
    • Include in Release Notes?:
      Yes
    • Story Points:
      3

      Description

      KC Performance issues could be helped with the changes available in the 3.2.12 release of Spring. We normally do not update versions unless critical. Interested to see the impact if the update was applied to the 2.5.2 version of Rice.

        Activity

        Corey Pedersen (Inactive) added a comment -

        This includes update Apache HttpComponents to 4.3.5 - CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack (SPR-12100)

        Corey Pedersen (Inactive) added a comment -

        Dependency tree does not show conflicts on HttpComponents to 4.3.5

        Corey Pedersen (Inactive) added a comment -

        Looks to me like a clean update.

        SPRING FRAMEWORK CHANGELOG
        ===========================
        http://www.spring.io
        
        
        Changes in version 3.2.12 (2014-11-11)
        -------------------------------------
        
        fixed directory traversal with static resource handling (CVE-2014-3625) (SPR-12354)
        log context cache statistics in the TestContext framework (SPR-12409)
        fixed ConfigurationClassUtils fails to introspect inner classes with dot name syntax (SPR-12390)
        fixed ResponseStatusExceptionResolver does not get a MessageSource injected in the MVC Java config (SPR-12380)
        fixed NPE in TilesConfigurer when no definitions found (SPR-12363)
        fixed @Import in another annotation results in double scan (SPR-12334)
        fixed private @Scheduled methods end up on 'empty' proxy instance in case of CGLIB auto-proxying (SPR-12308)
        fixed Provider<...> declaration for @Value method argument fails with TypeMismatchException (SPR-12297)
        fixed DataSourceTransactionManager closes JDBC connection on doBegin failure but leaves it attached to transaction object (SPR-12280)
        fixed web Async responses force concurrentResult.toString() call (SPR-12253)
        fixed LiveBeansView.generateJson generates invalid JSON when resources already double-quoted (SPR-12252)
        allow for further locking optimizations for the retrieval of non-singleton beans (SPR-12250)
        improved error messages for MockRestServiceServer (SPR-12230)
        allow spring HTTP clients to enforce RFC 6265 (cookies in a single header) (SPR-12196)
        fixed @Qualifier resolution with Spring Batch parent/child context arrangement (SPR-12191)
        improved Scheduled/JmsListenerAnnotationBeanPostProcessor to not scan every scoped instance (SPR-12189)
        fixed HttpHeaders should accept empty Content-Type header (SPR-12173)
        add log warning for single optional constructor when no default constructor to fall back to (SPR-12161)
        fixed util:map does not recognize the attribute of value-type (SPR-10994)
        removed outdated ContextLoaderServlet from the documentation reference (SPR-7725)
        
        Changes in version 3.2.11 (2014-09-04)
        -------------------------------------
        
        fixed cachingConnectionFactory should catch exceptions on logical close (SPR-12148)
        allow Cache.get(Object key, Class<T> type) to be more explicit about what to do in case of a type mismatch (SPR-12145)
        fixed plain FactoryBean declaration on @Bean method leads to early call (pre injection) (SPR-12141)
        fixed performance issue on ResolvableType cache (SPR-12122)
        fixed GuavaCacheManager ignores cache specification due to eager initialization of internal cache map with static cache names (SPR-12120)
        fixed mockMvc security filters causes FileUploadException: the request was rejected because no multipart boundary was found (SPR-12114)
        fixed ServerEndpointExporter causes application context refresh to fail with an NPE when used in a Spring Boot app (SPR-12109)
        update Apache HttpComponents to 4.3.5 - CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack (SPR-12100)
        fixed shallowEtagHeaderFilter doesn't support Servlet 3.1 setContentLengthLong (SPR-12097)
        exclude spring-framework-bom artifacts from release distributions (SPR-12087)
        include all source artifacts in published sources jars (SPR-12085)
        fixed BeanNameViewResolver should not try to use non-View beans (SPR-12079)
        updated tiles 3 TilesViewResolver to accept custom TilesView subclasses (SPR-12075)
        fixed includeFilters and excludeFilters of @ComponentScan cause failures when used in meta-annotations (SPR-12065)
        allow AbstractTypeHierarchyTraversingFilter to be more lenient when loading types (SPR-12042)
        fixed incorrect documentation for AbstractAnnotationConfigDispatcherServletInitializer.getServletConfigClasses() (SPR-12028)
        fixed ConcurrentMapCacheManager has interdependent setters (SPR-12026)
        fixed documentation typo (SPR-12020)
        fixed Spring may invoke @Bean methods too early in case of a circular reference (SPR-12018)
        fixed RestTemplate with InputStreamResource does not work if Content-Length is not set (SPR-12017)
        fixed AbstractMessageListenerContainer#doExecuteListener can cause a dropped message if using CLIENT_ACKNOWLEDGE and the container is stopped and subsequently started again. (SPR-12015)
        fixed exceptions thrown during AbstractApplicationContext.refresh() not being logged right when they are caught (SPR-12010)
        fixed changes to AbstractApplicationEventMulticaster in 3.2.9 break HttpSessionEventPublisher in Google AppEngine Runtime (SPR-12002)
        fixed NPE in SelectedValueComparator with null bound value (SPR-12001)
        fixed StaxStreamXMLReader ignores significant whitespace (SPR-12000)
        fixed user destinations docs are missing the brokerPrefix (SPR-11992)
        revert (SPR-11973) when bugfix verified in JDK 1.8.0_20 (SPR-11974)
        fixed UriComponentsBuilder.fromUriString may not parse correctly when there is no path (SPR-11970)
        fixed getBean(Object.class) fails when introspecting Environment bean (SPR-10542)
        fixed injecting EXTENDED @PersistenceContext into JUnit 4 test class causes NoSuchBeanDefinitionException (SPR-8834)
        fixed XmlBeanDefinitionReader runs 10x slower due to resetBeanDefinition check (SPR-8318)
        remove outdated IDE, JIRA and Tomcat references (SPR-7521)
        
        
        Corey Pedersen (Inactive) added a comment -

        @Dan: Could you review the performance after this commit? We will roll back if the update is negative on performance or tests.

        Corey Pedersen (Inactive) added a comment -

        We should follow up with possible updates of spring-security-core and spring-security-ldap to 3.2.5

        Corey Pedersen (Inactive) added a comment -

        No issues detected with update. KC will review performance.


          People

          • Assignee:
            Corey Pedersen (Inactive)
            Reporter:
            Martin Taylor (Inactive)