Fields to be obfuscated in audits of outbound (http-verbs) calls can be customised with httpclient.audit.fieldMaskPattern configuration.
-
Cross built for Scala 3 and 2.13. Scala 2.12 has been dropped.
-
Long deprecated classes have been removed. These have just changed packages, so the functionality is still available. Apart from the following, which can just be removed from configuration:
play.http.filters = "uk.gov.hmrc.play.bootstrap.backend.filters.BackendFilters" play.http.filters = "uk.gov.hmrc.play.bootstrap.frontend.filters.FrontendFilters"
-
uk.gov.hmrc.play.bootstrap.frontend.http.FrontendErrorHandlersupports asynchronous rendering.It will need an
ExecutionContextinjecting and thestandardErrorTemplateandnotFoundTemplatefunctions now returnFutures. If you're not rendering asyncronously, you can just wrap the previous implementation inFuture.successThe request param now takes
RequestHeaderrather thanRequest[_]since the request body is not actually available. This may require similar changes in view templates.uk.gov.hmrc.play.bootstrap.frontend.http.LegacyFrontendErrorHandlerexists to ease the upgrade, since it can simply be extended instead. However it is deprecated, and will eventually be removed. -
HttpVerbs has been bumped to
15.0.0whereHttpClienthas been deprecated in favour orHttpClientV2. This will need enabling withplay.modules.enabled += "uk.gov.hmrc.play.bootstrap.HttpClientV2Module"
application-json-logger.xmlhas been included. Since it is customised by configuration (byLoggerModule) it is no longer required in services.
JsonErrorHandlerhas been updated to allow downgrading log the level of401status code error messages fromERRORtoWARNwith thebootstrap.errorHandler.warnOnly.statusCodesconfiguration.
AuthRedirectshas been removed from Play 2.9/3.0 builds. You will need to inline anything that is still needed.
- Injected
RegistryMetricsis ensured to be the same asMetrics.defaultRegistry. Previously it would be a new one created on demand, meaning clients would have to injectMetricsinstead.
- Supports Play 2.8, Play 2.9, Play 3.0
- Play 3.0:
- Uses
apache.org.pekkoinstead ofakka. - The artefact organisation has changed from
com.typesafe.playtoorg.playframework- use this to register the pluginsbt-plugin.
- Uses
- Drops kenshoo
metrics-playand uses an inline version ofMetricsFilter.- If you need to access
com.codahale.metrics.MetricRegistrythen inject this directly, rather than injectingcom.kenshoo.play.metrics.Metricsand callingdefaultRegistry. - The following route can be removed.
It is not used for deployed services, the metrics are collected by the Graphite integration.
GET /admin/metrics @com.kenshoo.play.metrics.MetricsController.metrics
- If you need to access
- Updates playframework for play-28 to 2.8.21
- Deprecate
SafeRedirectUrlpublic constructor
- Updates playframework to 2.8.20
- Updates the Allowlist Filter
- removes all references to Akamai
- provides a allowlist filter implementation and no longer extends the play-allowlist-filter library
- new error handling and logging for configuration errors.
- updated config values
bootstrap.filters.allowlist.destinationis now obsolete usebootstrap.filters.allowlist.redirectUrlWhenDeniedinsteadbootstrap.filters.allowlist.ipsis now an arraybootstrap.filters.allowlist.excludedis now an array- exclusions can, optionally, be defined with http methods in config, for example,
METHOD:/path - exclusions now support a trailing wildcard, for example,
/path/*excludes everything below /path - frontend.conf includes a
/ping/pingexclusion atbootstrap.filters.allowlist.excluded[0]
-
Updates default configuration in frontend.conf and backend.conf.
The following modules are enabled by default:
- uk.gov.hmrc.play.audit.AuditModule
- uk.gov.hmrc.play.bootstrap.graphite.GraphiteMetricsModule
- uk.gov.hmrc.play.bootstrap.frontend.FrontendModule
They can be disabled by adding to
play.modules.disabledif required. -
play.filters.csp.directivesfor frontends- Tightens the play defaults slightly by removing
'unsafe-eval'fromscript-src - Adds
report-uri
- Tightens the play defaults slightly by removing
-
Improves default values for
microservice.metrics.graphite
Updates http-verbs to fix case insensitivity of returned headers for Scala 2.13.
Updates playframework to 2.8.18
More MDC data loss fixes.
The AllowlistFilter is added by default but now requires explicit enabling.
You will need to replace play.filters.enabled += "uk.gov.hmrc.play.bootstrap.frontend.filters.AllowlistFilter" with bootstrap.filters.allowlist.enabled = true
SessionIdFilteris enabled infrontend.confby default.
Any explicit addition of this filter can now be removed.
It's position by default ensures the sessionId is available to all auditing in the first request, something which isn't true if the filter is added manually at the end of the filter chain.
-
MDCFilteris now a trait.FrontendMdcFilterandBackendMdcFilterwill be bound accordingly to ensure the the data is populated consistently. -
http-verbsandplay-auditinghave been updated to fix some MDC data loss.
Crypto has been updated to version 7.0.0.
If clients are using json-encryption, they should ensure they are using at least version 5.0.0, or crypto-play-xx instead for compatibility.
See crypto.
Note, commons-codec is no longer provided as a transitive dependency, and will need adding explicitly if clients require it.
WithDefaultFormBinding has been removed. WithUnsafeDefaultFormBinding should be used instead.
Http-verbs has been updated to version 14.0.0, which adds HttpClientV2. See http-verbs for details.
http-verbs's HookData has been updated to identify when audit data has been truncated. This should have little impact on clients as long as they rely on bootstrap-play to provide compatible versions of http-verbs and play-auditing.
AuditFilters have been updated to identify when audit data has been truncated. Most clients will be using the provided AuditFilters and should not be impacted.
Builds update dependencies to Play 2.8.15 and Jackson 2.12.6. Also drops support for using bindFormRequest with application/json and
application/multipart content types - if this is required, add with WithUrlEncodedAndMultipartFormBinding or with WithDefaultFormBinding to your
controller.
Note, that in unit tests, you will need to use withFormUrlEncodedBody rather than withJsonBody. And also ensure you are setting the correct HTTP Method, otherwise you may fall foul of CORS checks. e.g.
FakeRequest().withMethod("POST").withFormUrlEncodedBody("username" -> username)Please speak to PlatOps if you have issues.
Builds for Scala 2.13 in addition to 2.12
Adds the following configuration for JsonErrorHandler:
bootstrap.errorHandler.suppress4xxErrorMessagesbootstrap.errorHandler.suppress5xxErrorMessages
It is expected that suppression will be disabled for at least development, since they provide valuable feedback, but verbose messages can be suppressed if required.
Drops support for Play 2.6 and Play 2.7. Only Play 2.8 is supported.
Adds uk.gov.hmrc.play.bootstrap.LoggerModule.
This has been enabled by default in backend.conf and frontend.conf, but it can be disabled with play.modules.disabled += "uk.gov.hmrc.play.bootstrap.LoggerModule" in your application.conf if required.
The LoggerModule will pick up logger.$loggername configuration (e.g. logger.uk.gov.hmrc = DEBUG) in any configuration file, not just in System.properties. The configuration will be applied, regardless of whether they have been defined in your logback file.
e.g. default values will suffice in your logback file without preping to use a System property:
<logger name="uk.gov" level="${logger.uk.gov:-WARN}"/>
can be replaced with
<logger name="uk.gov" level="WARN"/>
And to enable a bespoke logger, not present in the logback file, you can just turn on with configuration.
e.g. -Dlogger.uk.gov.test=DEBUG will set logger uk.gov.test to DEBUG without having to make a new build with updated logback file first.
Added Identity Verification (IV) CL250 support via auth-client 5.6, see May 2021 Tech Blog Post on this.
Http-verbs has been bumped to major version 13.0.0. See http-verbs for details.
The following configuration has been renamed, the previous keys are invalid and will need to be updated.
| Invalid config key | Should now be |
|---|---|
| auditing.auditExtraHeaders | auditing.auditSentHeaders |
FrontendFilters and BackendFilters have been deprecated. The preferred way to set filters is via play.filters.enabled.
The motivation for this is to allow configuration of default Play filters via play.filters.enabled as per the Play documentation, and improve visibility of which filters are actually being used.
If you are using play.http.filters = uk.gov.hmrc.play.bootstrap.backend.filters.BackendFilters, you will only need to remove this setting, since backend.conf has defined play.filters.enabled to the same filters.
If you are using play.http.filters = uk.gov.hmrc.play.bootstrap.frontend.filters.FrontendFilters, you will need to remove this setting, but also change the following configurations:
| Deprecated config key | Change |
|---|---|
security.headers.filter.enabled=true |
Just remove - this is the default |
security.headers.filter.enabled=false |
Replace with play.filters.disabled += "play.filters.headers.SecurityHeadersFilter" |
bootstrap.filters.csrf.enabled=true |
Just remove - this is the default |
bootstrap.filters.csrf.enabled=false |
Replace with play.filters.disabled += "play.filters.csrf.CSRFFilter" |
bootstrap.filters.sessionId.enabled=true |
Replace with play.filters.enabled += "uk.gov.hmrc.play.bootstrap.frontend.filters.SessionIdFilter" |
bootstrap.filters.sessionId.enabled=false |
Just remove - this is the default |
bootstrap.filters.allowlist.enabled=true |
Still required |
bootstrap.filters.allowlist.enabled=false |
Just remove - this is the default |
If you have set play.http.filters to a custom filter, we recommend that you remove this, and use play.filters.enabled instead. You can append extra filters with play.filters.enabled += or remove filters with play.filters.disabled += .
If you are using a custom filter which injects the play.api.http.EnabledFilters, or are already using the default play.api.http.EnabledFilters, then pay extra attention since the default play.filters.enabled has now been defined differently by bootstrap.
Http-verbs has been bumped to major version 12.0.0. See http-verbs for details.
The following configuration has been renamed, the previous keys are invalid and will need to be updated.
| Invalid config key | Should now be |
|---|---|
| httpHeadersWhitelist | bootstrap.http.headersAllowlist |
| bootstrap.filters.whitelist.enabled | bootstrap.filters.allowlist.enabled |
| bootstrap.filters.whitelist.destination | bootstrap.filters.allowlist.destination |
| bootstrap.filters.whitelist.excluded | bootstrap.filters.allowlist.excluded |
| bootstrap.filters.whitelist.ips | bootstrap.filters.allowlist.ips |
| auditing.auditExtraHeaders | auditing.auditSentHeaders |
run.mode configuration will now have no effect.
Bootstrap configuration which previously supported a RunMode prefix now should be specified without the prefix. These are:
| Invalid Prod/Dev/Test prefix | Should now be |
|---|---|
| Prod.microservice.services | microservice.services |
| Prod.microservice.metrics | microservice.metrics |
| Prod.auditing | auditing |
This applies to application.conf and any configuration overrides
Note: Environment.Mode still works as before, and some libraries may still use that as a prefix in their keys.
It was deprecated in 2017, and the original use-cases no longer appear valid.
If you still need the functionality offered by this filter, please copy the code from bootstrap-play-26 into your own codebase (including the tests) and take ownership of it.