Accounted for feedback
Incorporated suggested changes from a review.
parent a6d0719177
commit 93893ded53
@ -1,254 +0,0 @@
From 006b9b960797d279b31cf8c8d16f1549c5632b2c Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@users.noreply.github.com>
Date: Mon, 26 Apr 2021 16:50:35 -0500
Subject: [PATCH 1/3] master->main
Closes gh-9683
---
.github/workflows/continuous-integration-workflow.yml | 10 +++++-----
CONTRIBUTING.adoc | 6 +++---
README.adoc | 6 +++---
.../org/springframework/gradle/sagan/SaganApi.java | 2 +-
docs/guides/spring-security-docs-guides.gradle | 2 +-
docs/guides/src/docs/asciidoc/Guardfile | 2 +-
docs/manual/spring-security-docs-manual.gradle | 2 +-
.../src/docs/asciidoc/_includes/about/community.adoc | 2 +-
.../src/docs/asciidoc/_includes/reactive/x509.adoc | 2 +-
.../asciidoc/_includes/servlet/appendix/namespace.adoc | 2 +-
.../_includes/servlet/integrations/servlet-api.adoc | 1 -
.../_includes/servlet/integrations/websocket.adoc | 2 --
.../_includes/servlet/java-configuration/index.adoc | 2 +-
.../_includes/servlet/kotlin-configuration/index.adoc | 2 +-
14 files changed, 20 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml
index 58358c6e59..65201e4596 100644
--- a/.github/workflows/continuous-integration-workflow.yml
+++ b/.github/workflows/continuous-integration-workflow.yml
@@ -3,7 +3,7 @@ name: CI
on:
push:
branches:
- - master
+ - main
schedule:
- cron: '0 10 * * *' # Once per day at 10am UTC
workflow_dispatch: # Manual trigger
@@ -102,16 +102,16 @@ jobs:
uses: actions/setup-java@v1
with:
java-version: '11'
- - name: Run Sonar on given (non-master) branch
- if: ${{ github.ref != 'refs/heads/master' }}
+ - name: Run Sonar on given (non-main) branch
+ if: ${{ github.ref != 'refs/heads/main' }}
run: |
export BRANCH=${GITHUB_REF#refs/heads/}
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
export GRADLE_ENTERPRISE_ACCESS_KEY="$GRADLE_ENTERPRISE_SECRET_ACCESS_KEY"
./gradlew sonarqube -PartifactoryUsername="$ARTIFACTORY_USERNAME" -PartifactoryPassword="$ARTIFACTORY_PASSWORD" -PexcludeProjects='**/samples/**' -Dsonar.projectKey="spring-security-${GITHUB_REF#refs/heads/}" -Dsonar.projectName="spring-security-${GITHUB_REF#refs/heads/}" -Dsonar.host.url="$SONAR_URL" -Dsonar.login="$SONAR_TOKEN" --stacktrace
- - name: Run Sonar on master
- if: ${{ github.ref == 'refs/heads/master' }}
+ - name: Run Sonar on main
+ if: ${{ github.ref == 'refs/heads/main' }}
run: |
export GRADLE_ENTERPRISE_CACHE_USERNAME="$GRADLE_ENTERPRISE_CACHE_USER"
export GRADLE_ENTERPRISE_CACHE_PASSWORD="$GRADLE_ENTERPRISE_CACHE_PASSWORD"
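Review bot: Both renamed Sonar steps in this hunk still hand `-PartifactoryPassword="$ARTIFACTORY_PASSWORD"` and `-Dsonar.login="$SONAR_TOKEN"` to `./gradlew` as command-line arguments, which places those secrets in the process argument list on the runner, whereas the Gradle Enterprise credentials in the same `run:` block are exported as environment variables. Since the branch rename touches both steps anyway, consider passing them through the environment as well (Gradle reads `ORG_GRADLE_PROJECT_artifactoryPassword` as the `artifactoryPassword` project property) rather than on the command line.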
diff --git a/CONTRIBUTING.adoc b/CONTRIBUTING.adoc
index e951f69040..0599fb99ec 100644
--- a/CONTRIBUTING.adoc
+++ b/CONTRIBUTING.adoc
@@ -4,7 +4,7 @@ _Please refer back to this document as a checklist before issuing any pull reque
= Code of Conduct
-Please see our https://github.com/spring-projects/.github/blob/master/CODE_OF_CONDUCT.md[code of conduct].
+Please see our https://github.com/spring-projects/.github/blob/main/CODE_OF_CONDUCT.md[code of conduct].
= Similar but different
@@ -43,9 +43,9 @@ If you're considering anything more than correcting a typo or fixing a minor bug
If you have not previously done so, please fill out and submit the https://cla.pivotal.io/sign/spring[Contributor License Agreement].
-= Create your branch from master
+= Create your branch from main
-Create your topic branch to be submitted as a pull request from master. The Spring team will consider your pull request for backporting on a case-by-case basis; you don't need to worry about submitting anything for backporting.
+Create your topic branch to be submitted as a pull request from main. The Spring team will consider your pull request for backporting on a case-by-case basis; you don't need to worry about submitting anything for backporting.
= Use short branch names
diff --git a/README.adoc b/README.adoc
index 4fda007d1a..6cb3f95061 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,6 +1,6 @@
image::https://badges.gitter.im/Join%20Chat.svg[Gitter,link=https://gitter.im/spring-projects/spring-security?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge]
-image:https://github.com/spring-projects/spring-security/workflows/CI/badge.svg?branch=master["Build Status", link="https://github.com/spring-projects/spring-security/actions?query=workflow%3ACI"]
+image:https://github.com/spring-projects/spring-security/workflows/CI/badge.svg?branch=main["Build Status", link="https://github.com/spring-projects/spring-security/actions?query=workflow%3ACI"]
image:https://img.shields.io/badge/Revved%20up%20by-Gradle%20Enterprise-06A0CE?logo=Gradle&labelColor=02303A["Revved up by Gradle Enterprise", link="https://ge.spring.io/scans?search.rootProjectNames=spring-security"]
@@ -12,7 +12,7 @@ a minimum and also requires Java 8.
For a detailed list of features and access to the latest release, please visit https://spring.io/projects[Spring projects].
== Code of Conduct
-Please see our https://github.com/spring-projects/.github/blob/master/CODE_OF_CONDUCT.md[code of conduct]
+Please see our https://github.com/spring-projects/.github/blob/main/CODE_OF_CONDUCT.md[code of conduct]
== Downloading Artifacts
See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#getting[Getting Spring Security] for how to obtain Spring Security.
@@ -60,7 +60,7 @@ Check out the https://stackoverflow.com/questions/tagged/spring-security[Spring
https://spring.io/services[Commercial support] is available too.
== Contributing
-https://help.github.com/articles/creating-a-pull-request[Pull requests] are welcome; see the https://github.com/spring-projects/spring-security/blob/master/CONTRIBUTING.adoc[contributor guidelines] for details.
+https://help.github.com/articles/creating-a-pull-request[Pull requests] are welcome; see the https://github.com/spring-projects/spring-security/blob/main/CONTRIBUTING.adoc[contributor guidelines] for details.
== License
Spring Security is Open Source software released under the
diff --git a/buildSrc/src/main/java/org/springframework/gradle/sagan/SaganApi.java b/buildSrc/src/main/java/org/springframework/gradle/sagan/SaganApi.java
index d40f296c20..24eeb3111c 100644
--- a/buildSrc/src/main/java/org/springframework/gradle/sagan/SaganApi.java
+++ b/buildSrc/src/main/java/org/springframework/gradle/sagan/SaganApi.java
@@ -23,7 +23,7 @@ import java.io.IOException;
import java.util.Base64;
/**
- * Implements necessary calls to the Sagan API See https://github.com/spring-io/sagan/blob/master/sagan-site/src/docs/asciidoc/index.adoc
+ * Implements necessary calls to the Sagan API See https://spring.io/restdocs/index.html
*/
public class SaganApi {
private String baseUrl = "https://spring.io/api";
diff --git a/docs/guides/spring-security-docs-guides.gradle b/docs/guides/spring-security-docs-guides.gradle
index 6c337c030a..8876dddd93 100644
--- a/docs/guides/spring-security-docs-guides.gradle
+++ b/docs/guides/spring-security-docs-guides.gradle
@@ -28,7 +28,7 @@ ext.spec = copySpec {
}
def getDownloadUrl() {
- snapshotBuild ? "https://github.com/spring-projects/spring-security/archive/master.zip" : "https://github.com/spring-projects/spring-security/archive/${project.version}.zip"
+ snapshotBuild ? "https://github.com/spring-projects/spring-security/archive/main.zip" : "https://github.com/spring-projects/spring-security/archive/${project.version}.zip"
}
diff --git a/docs/guides/src/docs/asciidoc/Guardfile b/docs/guides/src/docs/asciidoc/Guardfile
index ec57b640f2..1075c0114c 100644
--- a/docs/guides/src/docs/asciidoc/Guardfile
+++ b/docs/guides/src/docs/asciidoc/Guardfile
@@ -5,7 +5,7 @@ guard 'shell' do
watch(/^.*\.asc$/) {|m|
Asciidoctor.render_file(m[0], :to_dir => "build/", :safe => Asciidoctor::SafeMode::UNSAFE, :attributes=> {'toc' => '', 'idprefix' => '', 'idseparator' => '-', 'copycss' => '', 'icons' => 'font', 'source-highlighter' => 'prettify', 'sectanchors' => '', 'toc-placement' => 'preamble', 'revnumber' => '3.2.0.CI-SNAPSHOT',
'spring-security-version' => '3.2.0.CI-SNAPSHOT',
- 'download-url' => 'https://github.com/spring-projects/spring-security/archive/master.zip',
+ 'download-url' => 'https://github.com/spring-projects/spring-security/archive/main.zip',
'include-maven-repository' => '_includes/maven-repository-snapshot.asc' })
}
end
diff --git a/docs/manual/spring-security-docs-manual.gradle b/docs/manual/spring-security-docs-manual.gradle
index a0a2ececd9..75c245f7de 100644
--- a/docs/manual/spring-security-docs-manual.gradle
+++ b/docs/manual/spring-security-docs-manual.gradle
@@ -14,7 +14,7 @@ asciidoctor {
}
asciidoctorj {
- def ghTag = snapshotBuild ? 'master' : project.version
+ def ghTag = snapshotBuild ? 'main' : project.version
def ghUrl = "https://github.com/spring-projects/spring-security/tree/$ghTag"
attributes 'spring-security-version' : project.version,
'spring-boot-version' : springBootVersion,
diff --git a/docs/manual/src/docs/asciidoc/_includes/about/community.adoc b/docs/manual/src/docs/asciidoc/_includes/about/community.adoc
index dc83c0c68c..893d17727b 100644
--- a/docs/manual/src/docs/asciidoc/_includes/about/community.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/about/community.adoc
@@ -19,7 +19,7 @@ The following are some of the best ways to get help:
== Becoming Involved
We welcome your involvement in the Spring Security project.
There are many ways to contribute, including answering questions on Stack Overflow, writing new code, improving existing code, assisting with documentation, developing samples or tutorials, reporting bugs, or simply making suggestions.
-For more information, see our https://github.com/spring-projects/spring-security/blob/master/CONTRIBUTING.adoc[Contributing] documentation.
+For more information, see our https://github.com/spring-projects/spring-security/blob/main/CONTRIBUTING.adoc[Contributing] documentation.
[[community-source]]
== Source Code
diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc
index 4dc59526cc..694b905093 100644
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc
@@ -49,4 +49,4 @@ public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
In this example, a username is extracted from the OU field of a client certificate instead of CN, and account lookup using `ReactiveUserDetailsService` is not performed at all. Instead, if the provided certificate issued to an OU named "Trusted Org Unit", a request will be authenticated.
-For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, please refer to https://github.com/spring-projects/spring-security/tree/master/samples/boot/webflux-x509.
+For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, please refer to https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.
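Review bot: The updated link on the `+` line points at `spring-security-samples/tree/main/servlet/java-configuration/authentication/x509`, but the sentence it sits in still promises an example of configuring Netty and `WebClient`, which is the reactive stack this `reactive/x509.adoc` page documents; either point at a WebFlux sample or reword the sentence so it does not advertise a Netty/`WebClient` configuration that a servlet sample will not show.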
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
index a9e321ff59..87d802ca8e 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
@@ -4,7 +4,7 @@ This appendix provides a reference to the elements available in the security nam
If you haven't used the namespace before, please read the <<ns-config,introductory chapter>> on namespace configuration, as this is intended as a supplement to the information there.
Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose.
The namespace is written in https://relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema.
-If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/master/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc[schema file] directly.
+If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/main/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc[schema file] directly.
[[nsa-web]]
=== Web Application Security
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/servlet-api.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/servlet-api.adoc
index e57d545c15..5e4077c3f9 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/servlet-api.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/servlet-api.adoc
@@ -1,7 +1,6 @@
[[servletapi]]
== Servlet API integration
This section describes how Spring Security is integrated with the Servlet API.
-The https://github.com/spring-projects/spring-security/tree/master/samples/xml/servletapi[servletapi-xml] sample application demonstrates the usage of each of these methods.
[[servletapi-25]]
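Review bot: The removed line in this hunk drops the section's only pointer to a runnable sample (`servletapi-xml`) without a replacement, while the other documentation hunks in this patch redirect readers to `spring-projects/spring-security-samples` under `main`. If that sample moved there as well, link to its new location; if it was retired, a short sentence saying so saves readers from hunting for it.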
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/websocket.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/websocket.adoc
index fcd99840d9..ffcf46b5a4 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/websocket.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/integrations/websocket.adoc
@@ -4,8 +4,6 @@
Spring Security 4 added support for securing https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html[Spring's WebSocket support].
This section describes how to use Spring Security's WebSocket support.
-NOTE: You can find a complete working sample of WebSocket security at https://github.com/spring-projects/spring-session/tree/master/spring-session-samples/spring-session-sample-boot-websocket.
-
.Direct JSR-356 Support
****
Spring Security does not provide direct JSR-356 support because doing so would provide little value.
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/java-configuration/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/java-configuration/index.adoc
index 6367f402f6..3ba5432ddc 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/java-configuration/index.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/java-configuration/index.adoc
@@ -7,7 +7,7 @@ Since Spring Security 3.2 there has been Spring Security Java Configuration supp
If you are familiar with the <<ns-config>> then you should find quite a few similarities between it and the Security Java Configuration support.
-NOTE: Spring Security provides https://github.com/spring-projects/spring-security/tree/master/samples/javaconfig[lots of sample applications] which demonstrate the use of Spring Security Java Configuration.
+NOTE: Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration[lots of sample applications] which demonstrate the use of Spring Security Java Configuration.
== Hello Web Security Java Configuration
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/kotlin-configuration/index.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/kotlin-configuration/index.adoc
index 2e38e0ec35..767ab7ed80 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/kotlin-configuration/index.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/kotlin-configuration/index.adoc
@@ -4,7 +4,7 @@
Spring Security Kotlin Configuration support has been available since Spring Security 5.3.
It enables users to easily configure Spring Security using a native Kotlin DSL.
-NOTE: Spring Security provides https://github.com/spring-projects/spring-security/tree/master/samples/boot/kotlin[a sample application] which demonstrates the use of Spring Security Kotlin Configuration.
+NOTE: Spring Security provides https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/kotlin/hello-security[a sample application] which demonstrates the use of Spring Security Kotlin Configuration.
[[kotlin-config-httpsecurity]]
== HttpSecurity
--
2.24.1
@ -1,271 +0,0 @@
From e2993d93e109c1a3c9020b7ea9efb6e556751ed4 Mon Sep 17 00:00:00 2001
From: Thomas Vitale <ThomasVitale@users.noreply.github.com>
Date: Mon, 26 Apr 2021 18:13:20 +0200
Subject: [PATCH 2/3] Make Csrf cookie secure flag configurable (WebFlux)
Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository.
Closes gh-9678
---
.../csrf/CookieServerCsrfTokenRepository.java | 30 ++++--
.../CookieServerCsrfTokenRepositoryTests.java | 100 ++++++++++++++++--
2 files changed, 113 insertions(+), 17 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
index 5910ff3e45..bc3a20e711 100644
--- a/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@ import org.springframework.web.server.ServerWebExchange;
* AngularJS. When using with AngularJS be sure to use {@link #withHttpOnlyFalse()} .
*
* @author Eric Deandrea
+ * @author Thomas Vitale
* @since 5.1
*/
public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRepository {
@@ -54,6 +55,8 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
private boolean cookieHttpOnly = true;
+ private Boolean secure;
+
/**
* Factory method to conveniently create an instance that has
* {@link #setCookieHttpOnly(boolean)} set to false.
@@ -75,11 +78,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
public Mono<Void> saveToken(ServerWebExchange exchange, CsrfToken token) {
return Mono.fromRunnable(() -> {
String tokenValue = (token != null) ? token.getToken() : "";
- int maxAge = !tokenValue.isEmpty() ? -1 : 0;
- String path = (this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest());
- boolean secure = exchange.getRequest().getSslInfo() != null;
- ResponseCookie cookie = ResponseCookie.from(this.cookieName, tokenValue).domain(this.cookieDomain)
- .httpOnly(this.cookieHttpOnly).maxAge(maxAge).path(path).secure(secure).build();
+ // @formatter:off
+ ResponseCookie cookie = ResponseCookie
+ .from(this.cookieName, tokenValue)
+ .domain(this.cookieDomain)
+ .httpOnly(this.cookieHttpOnly)
+ .maxAge(!tokenValue.isEmpty() ? -1 : 0)
+ .path((this.cookiePath != null) ? this.cookiePath : getRequestContext(exchange.getRequest()))
+ .secure((this.secure != null) ? this.secure : (exchange.getRequest().getSslInfo() != null))
+ .build();
+ // @formatter:on
exchange.getResponse().addCookie(cookie);
});
}
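Review bot: The new `.secure(...)` line keeps the old fallback `exchange.getRequest().getSslInfo() != null`, which is only true when TLS terminates in the application itself; behind a TLS-terminating reverse proxy the request reaches the server over plain HTTP, `getSslInfo()` is null, and the XSRF-TOKEN cookie is written without the `Secure` attribute unless the deployment calls `setSecure(true)`. That is the main reason this setter is useful, so it deserves a sentence in the class-level javadoc (next to the existing `withHttpOnlyFalse()` advice) or in the `setSecure` javadoc, rather than leaving operators to discover it from a cookie that lacks the flag.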
@@ -146,6 +154,16 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
this.cookieDomain = cookieDomain;
}
+ /**
+ * Sets the cookie secure flag. If not set, the value depends on
+ * {@link ServerHttpRequest#getSslInfo()}.
+ * @param secure The value for the secure flag
+ * @since 5.5
+ */
+ public void setSecure(boolean secure) {
+ this.secure = secure;
+ }
+
private CsrfToken createCsrfToken() {
return createCsrfToken(createNewToken());
}
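Review bot: The javadoc on the added `setSecure` method links `{@link ServerHttpRequest#getSslInfo()}`, but `ServerHttpRequest` is not among the imports visible in this patch (the surrounding context only shows `org.springframework.web.server.ServerWebExchange`); confirm the import is present or write the fully qualified `org.springframework.http.server.reactive.ServerHttpRequest` inside the `{@link}`, otherwise javadoc reports an unresolved reference. Worth stating as well: the parameter is a primitive `boolean`, so once `setSecure` has been called there is no way back to the SslInfo-derived default, and "If not set" means "if never called".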
diff --git a/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
index d16f131920..7160337053 100644
--- a/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepositoryTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,12 +16,15 @@
package org.springframework.security.web.server.csrf;
+import java.security.cert.X509Certificate;
import java.time.Duration;
+import org.junit.Before;
import org.junit.Test;
import org.springframework.http.HttpCookie;
import org.springframework.http.ResponseCookie;
+import org.springframework.http.server.reactive.SslInfo;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.util.StringUtils;
@@ -30,13 +33,14 @@ import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Eric Deandrea
+ * @author Thomas Vitale
* @since 5.1
*/
public class CookieServerCsrfTokenRepositoryTests {
- private MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/someUri"));
+ private CookieServerCsrfTokenRepository csrfTokenRepository;
- private CookieServerCsrfTokenRepository csrfTokenRepository = new CookieServerCsrfTokenRepository();
+ private MockServerHttpRequest.BaseBuilder<?> request;
private String expectedHeaderName = CookieServerCsrfTokenRepository.DEFAULT_CSRF_HEADER_NAME;
@@ -56,6 +60,12 @@ public class CookieServerCsrfTokenRepositoryTests {
private String expectedCookieValue = "csrfToken";
+ @Before
+ public void setUp() {
+ this.csrfTokenRepository = new CookieServerCsrfTokenRepository();
+ this.request = MockServerHttpRequest.get("/someUri");
+ }
+
@Test
public void generateTokenWhenDefaultThenDefaults() {
generateTokenAndAssertExpectedValues();
@@ -82,8 +92,9 @@ public class CookieServerCsrfTokenRepositoryTests {
@Test
public void saveTokenWhenNoSubscriptionThenNotWritten() {
- this.csrfTokenRepository.saveToken(this.exchange, createToken());
- assertThat(this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.saveToken(exchange, createToken());
+ assertThat(exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
}
@Test
@@ -112,6 +123,56 @@ public class CookieServerCsrfTokenRepositoryTests {
saveAndAssertExpectedValues(createToken());
}
+ @Test
+ public void saveTokenWhenSslInfoPresentThenSecure() {
+ this.request.sslInfo(new MockSslInfo());
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isTrue();
+ }
+
+ @Test
+ public void saveTokenWhenSslInfoNullThenNotSecure() {
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isFalse();
+ }
+
+ @Test
+ public void saveTokenWhenSecureFlagTrueThenSecure() {
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.setSecure(true);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isTrue();
+ }
+
+ @Test
+ public void saveTokenWhenSecureFlagFalseThenNotSecure() {
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.setSecure(false);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isFalse();
+ }
+
+ @Test
+ public void saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure() {
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.request.sslInfo(new MockSslInfo());
+ this.csrfTokenRepository.setSecure(false);
+ this.csrfTokenRepository.saveToken(exchange, createToken()).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ assertThat(cookie).isNotNull();
+ assertThat(cookie.isSecure()).isFalse();
+ }
+
@Test
public void loadTokenWhenCookieExistThenTokenFound() {
loadAndAssertExpectedValues();
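Review bot: `saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure` calls `MockServerWebExchange.from(this.request)` before `this.request.sslInfo(new MockSslInfo())`, and `from(...)` builds the request at that moment, so the exchange under test carries no `SslInfo` and the test merely repeats `saveTokenWhenSecureFlagFalseThenNotSecure` instead of proving that an explicit `false` overrides a present `SslInfo`. Swap the two lines so that `sslInfo(...)` comes first, as `saveTokenWhenSslInfoPresentThenSecure` already does; the assertion should still pass, but for the intended reason.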
@@ -127,7 +188,8 @@ public class CookieServerCsrfTokenRepositoryTests {
@Test
public void loadTokenWhenNoCookiesThenNullToken() {
- CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
assertThat(csrfToken).isNull();
}
@@ -180,8 +242,8 @@ public class CookieServerCsrfTokenRepositoryTests {
private void loadAndAssertExpectedValues() {
MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/someUri")
.cookie(new HttpCookie(this.expectedCookieName, this.expectedCookieValue));
- this.exchange = MockServerWebExchange.from(request);
- CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
+ MockServerWebExchange exchange = MockServerWebExchange.from(request);
+ CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
if (StringUtils.hasText(this.expectedCookieValue)) {
assertThat(csrfToken).isNotNull();
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
@@ -198,8 +260,9 @@ public class CookieServerCsrfTokenRepositoryTests {
this.expectedMaxAge = Duration.ofSeconds(0);
this.expectedCookieValue = "";
}
- this.csrfTokenRepository.saveToken(this.exchange, token).block();
- ResponseCookie cookie = this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ this.csrfTokenRepository.saveToken(exchange, token).block();
+ ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.getMaxAge()).isEqualTo(this.expectedMaxAge);
assertThat(cookie.getDomain()).isEqualTo(this.expectedDomain);
@@ -211,7 +274,8 @@ public class CookieServerCsrfTokenRepositoryTests {
}
private void generateTokenAndAssertExpectedValues() {
- CsrfToken csrfToken = this.csrfTokenRepository.generateToken(this.exchange).block();
+ MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
+ CsrfToken csrfToken = this.csrfTokenRepository.generateToken(exchange).block();
assertThat(csrfToken).isNotNull();
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
assertThat(csrfToken.getParameterName()).isEqualTo(this.expectedParameterName);
@@ -226,4 +290,18 @@ public class CookieServerCsrfTokenRepositoryTests {
return new DefaultCsrfToken(headerName, parameterName, tokenValue);
}
+ static class MockSslInfo implements SslInfo {
+
+ @Override
+ public String getSessionId() {
+ return "sessionId";
+ }
+
+ @Override
+ public X509Certificate[] getPeerCertificates() {
+ return new X509Certificate[] {};
+ }
+
+ }
+
}
--
2.24.1
0003-Editing-pass.patch
File diff suppressed because it is too large
@ -9,7 +9,7 @@ Typically, `PasswordEncoder` is used for storing a password that needs to be com
== Password Storage History
Throughout the years, the standard mechanism for storing passwords has evolved.
In the beginning, passwords were stored in plain text.
In the beginning, passwords were stored in plaintext.
The passwords were assumed to be safe because the data store the passwords were saved in required credentials to access it.
However, malicious users were able to find ways to get large "`data dumps`" of usernames and passwords by using attacks such as SQL Injection.
As more and more user credentials became public, security experts realized that we needed to do more to protect users' passwords.
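Review bot: `plain text` → `plaintext` here matches the same replacement in the `-189,8` hunk of this file, so the term is now used consistently. While this paragraph is being touched, the unchanged sentence `The passwords were assumed to be safe because the data store the passwords were saved in required credentials to access it.` is hard to parse; `...because the data store they were saved in required credentials to access.` says the same thing more cleanly.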
@ -189,8 +189,8 @@ By default, the result of invoking `matches(CharSequence, String)` with a passwo
This behavior can be customized by using `DelegatingPasswordEncoder.setDefaultPasswordEncoderForMatches(PasswordEncoder)`.
By using the `id`, we can match on any password encoding but encode passwords by using the most modern password encoding.
This is important, because unlike encryption, password hashes are designed so that there is no simple way to recover the plain text.
Since there is no way to recover the plain text, it is difficult to migrate the passwords.
This is important, because unlike encryption, password hashes are designed so that there is no simple way to recover the plaintext.
Since there is no way to recover the plaintext, it is difficult to migrate the passwords.
While it is simple for users to migrate `NoOpPasswordEncoder`, we chose to include it by default to make it simple for the getting-started experience.
[[authentication-password-storage-dep-getting-started]]
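Review bot: the two `plaintext` replacements here are the same terminology change as in the `-9,7` hunk; grep the rest of the password-storage section so no `plain text` spelling survives. The unchanged line `While it is simple for users to migrate `NoOpPasswordEncoder`...` reads as a contradiction of `it is difficult to migrate the passwords` two lines above unless the reader works out why; a short clause noting that `NoOpPasswordEncoder` stores the plaintext itself, which is exactly what makes it trivial to re-encode, would close that gap.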
@ -246,7 +246,7 @@ Content-Security-Policy-Report-Only: script-src 'self' https://trustedscripts.ex
----
====
If the site violates this policy, by attempting to load a script from evil.com, the user-agent sends a violation report to the declared URL specified by the `report-uri` directive but still lets the violating resource load.
If the site violates this policy, by attempting to load a script from `evil.example.com`, the user-agent sends a violation report to the declared URL specified by the `report-uri` directive but still lets the violating resource load.
Applying Content Security Policy to a web application is often a non-trivial undertaking.
The following resources may provide further assistance in developing effective security policies for your site:
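Review bot: `evil.com` → `evil.example.com` is the right call, since `example.com` is reserved for documentation and the text no longer names a real domain; the backticks also stop Asciidoctor from auto-linking it. The sentence still opens `If the site violates this policy`, but it is a page, not the site, that violates the policy, so `If a page violates this policy by attempting to load a script from ...` is tighter.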
@ -6,9 +6,9 @@ This section provides details on how form based authentication works within Spri
// FIXME: describe authenticationentrypoint, authenticationfailurehandler, authenticationsuccesshandler
This section examines how form-based login works within Spring Security.
First, we see how the user is redirected to the log in form:
First, we see how the user is redirected to the login form:
.Redirecting to the Log In Page
.Redirecting to the Login Page
image::{figures}/loginurlauthenticationentrypoint.png[]
The preceding figure builds off our <<servlet-securityfilterchain,`SecurityFilterChain`>> diagram.
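Review bot: the `// FIXME: describe authenticationentrypoint, authenticationfailurehandler, authenticationsuccesshandler` comment at the top of this hunk is still unresolved after the editing pass; since the pass is a wording cleanup, either open a tracked issue for the missing description or drop the comment so it does not ship as a reminder nobody owns. The `Log In` → `Login` change in the figure title matches the prose line above it.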
@ -22,7 +22,7 @@ In most cases, the `AuthenticationEntryPoint` is an instance of {security-api-ur
image:{icondir}/number_4.png[] The browser requests the login page to which it was redirected.
image:{icondir}/number_5.png[] Something within the application must <<servlet-authentication-form-custom,render the log in page>>.
image:{icondir}/number_5.png[] Something within the application must <<servlet-authentication-form-custom,render the login page>>.
[[servlet-authentication-usernamepasswordauthenticationfilter]]
When the username and password are submitted, the `UsernamePasswordAuthenticationFilter` authenticates the username and password.
@ -49,7 +49,7 @@ See the {security-api-url}springframework/security/web/authentication/Authentica
image:{icondir}/number_4.png[] If authentication is successful, then __Success__.
. `SessionAuthenticationStrategy` is notified of a new log in.
. `SessionAuthenticationStrategy` is notified of a new login.
See the {security-api-url}springframework/security/web/authentication/session/SessionAuthenticationStrategy.html[`SessionAuthenticationStrategy`] interface in the Javadoc.
. The <<servlet-authentication-authentication>> is set on the <<servlet-authentication-securitycontextholder>>.
See the {security-api-url}springframework/security/web/context/SecurityContextPersistenceFilter.html[`SecurityContextPersistenceFilter`] class in the Javadoc.
@ -64,7 +64,7 @@ By default, Spring Security form login is enabled.
However, as soon as any servlet-based configuration is provided, form based login must be explicitly provided.
The following example shows a minimal, explicit Java configuration:
.Form LogIn
.Form Login
====
.Java
[source,java,role="primary"]
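Review bot: the unchanged context line `form based login must be explicitly provided` still uses the unhyphenated form while the new text in the `-6,9` hunk of this file says `form-based login`; since this pass is normalising `log in`/`login`, hyphenate `form-based` here as well so the page is consistent with itself.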
@ -103,7 +103,7 @@ Most production applications require a custom login form.
[[servlet-authentication-form-custom]]
The following configuration demonstrates how to provide a custom login form.
.Custom Log In Form Configuration
.Custom Login Form Configuration
====
.Java
[source,java,role="primary"]
@ -187,7 +187,7 @@ There are a few key points about the default HTML form:
* If the HTTP parameter named `error` is found, it indicates the user failed to provide a valid username or password.
* If the HTTP parameter named `logout` is found, it indicates the user has logged out successfully.
Many users do not need much more than to customize the log in page.
Many users do not need much more than to customize the login page.
However, if needed, you can customize everything shown earlier with additional configuration.
[[servlet-authentication-form-custom-controller]]
@ -52,11 +52,10 @@ Note that this configuration is parallels the XML namespace configuration:
We can configure multiple HttpSecurity instances, just as we can have multiple `<http>` blocks.
The key is to extend the `WebSecurityConfigurerAdapter` multiple times.
The following example has a different configuration for URL's that start with `/api/`:
The following example has a different configuration for URL's that start with `/api/`:
// The source is Kotlin, but we specify Java to get code formatting. At present, Asciidoctor doesnt' have a Kotlin formatter.
====
[source,java]
[source,kotlin]
----
@EnableWebSecurity
class MultiHttpSecurityConfig {
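Review bot: the line `The following example has a different configuration for URL's that start with `/api/`:` appears identical on both sides of the hunk, so this is presumably a whitespace-only change; while it is being touched, `URL's` should be `URLs` (plural, not possessive). Switching `[source,java]` to `[source,kotlin]` and deleting the comment that Asciidoctor had no Kotlin formatter is only safe if the syntax highlighter configured for the docs build actually supports `kotlin`; otherwise the block renders unformatted, which is exactly what the removed comment was working around.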
@ -3,7 +3,7 @@
:figures: images/servlet/oauth2
:icondir: images/icons
Spring Security supports protecting endpoints BY using two forms of OAuth 2.0 https://tools.ietf.org/html/rfc6750.html[Bearer Tokens]:
Spring Security supports protecting endpoints by using two forms of OAuth 2.0 https://tools.ietf.org/html/rfc6750.html[Bearer Tokens]:
* https://tools.ietf.org/html/rfc7519[JWT]
* Opaque Tokens
@ -1485,7 +1485,7 @@ This startup process is quite a bit simpler than for JWTs, since no endpoints ne
Once the application has started, Resource Server tries to process any request containing an `Authorization: Bearer` header:
====
[source,text]
[source,http]
----
GET / HTTP/1.1
Authorization: Bearer some-token-value # Resource Server will process this
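Review bot: with `[source,http]` the trailing `# Resource Server will process this` on the `Authorization: Bearer some-token-value` line is no longer a comment in any sense the highlighter understands; it will be coloured as part of the header value, and a reader who copies the block gets an invalid header. Move it to an Asciidoctor callout (`<1>`) or to a sentence after the block.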
@ -3026,7 +3026,7 @@ In these circumstances, Resource Server throws an `InvalidBearerTokenException`.
Like other exceptions, this results in an OAuth 2.0 Bearer Token error response:
====
[source,text]
[source,http]
----
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer error_code="invalid_token", error_description="Unsupported algorithm of none", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
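Review bot: the `WWW-Authenticate` sample uses `error_code="invalid_token"`, but RFC 6750 §3, which the same line links as `error_uri`, names the attribute `error`, not `error_code`; verify against the header Resource Server actually emits and correct the sample if it differs, since the `[source,text]` → `[source,http]` change will make the line look authoritative. The highlighting change itself is fine.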