1. Removed comment about not changing field name in a
serialized object as this is true for all fields in a
Java-serialize POJO
2. Added example value for the constructor that demonstrates
the relationship between a role and an authority
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
1. Add Javadoc to state that role is prefixed.
2. Rename constructor argument from `role` to `authority` for better readability.
Signed-off-by: Yanming Zhou <zhouyanming@gmail.com>
This commit does not cover webauthn which is a special case (uses
jackson sub-package for Jackson 2 support) which will be handled in
a distinct commit.
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
This commit adds support for Jackson 3 which has the following
major differences with the Jackson 2 one:
- jackson subpackage instead of jackson2
- Jackson type prefix instead of Jackson2
- JsonMapper instead of ObjectMapper
- For configuration, JsonMapper.Builder instead of ObjectMapper
since the latter is now immutable
- Remove custom support for unmodifiable collections
- Use safe default typing via a PolymorphicTypeValidator
Jackson 3 changes compared to Jackson 2 are documented in
https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a
and
https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md.
This commit does not cover webauthn which is a special case (uses
jackson sub-package for Jackson 2 support) which will be handled in
a distinct commit.
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
Since RC1 is right around the corner, let's change the API
footprint as little as possible by using reflection to check
if a class has declared toBuilder themselves. If they have, we
can assume that that class's builder will produce that class.
Issue gh-18052
This reverts commit 95644fb73c, reversing
changes made to fbf7bb3be1.
Reverting this commit will allow us more time to
consider the ideal way to add this support to the public API.
Leaving the Builder in Authentication allows
authentication implementations to implement Builder
without needing to implement BuildableAuthentication.
Issue gh-18052
This commit consolidates logic common to applying one
authenticaiton to another. Specifically, it will copy the
authorities in one authentication into the builder instance
of another.
Closes gh-18053
This allows the authorization logic to be relaxed so that if RequiredFactor
only has an authority specified, then the GrantedAuthority can be of any
type.
Closes gh-18031
Previously GrantedAuthorities had an implicit package tangle because it
was located in ~.core and FactorGrantedAuthority is in ~.core.authority
and FactorGrantedAuthority's authority property was implicitly expected
to be constants found in `GrantedAuthorities`.
This commit moves the constants to the FactorGrantedAuthority which
resolves this tangle. It wasn't initially done because
FactorGrantedAuthority did not exist at that time.
Closes gh-18030
This commit adds AuthorizationManager<T> additionalAuthorization to
DefaultAuthorizationManagerFactory which can be used for multi factor
authorization.
There is a builder that allows for creating an instance that requires
static additional authorities, but for more advanced cases users can
inject an additionalAuthorization that looks up if the user has settings
that enable additional required authorities.
The builder can later be updated to support checking that a particular
authority was granted within a specified amount of time.
Issue gh-17900
It would be better to introduce parameter types for
principal and credentials into Authentication.Builder
at the same time as doing so for Authentication
Issue gh-17861
This commit allows a default implementation of
Authentication.Builder that performs the builder
operations. In this way, authorities and other previous
authentication material can still be effectively be
propagated in the event a custom authentication does
not implement the method.
Issue gh-17861
Given that the filters are the level at which the
SecurityContextHolder is consulted, this commit moves
the operation that ProviderManager was doing into each
authentication filter.
Issue gh-17862
- Added remaining properties
- Removed apply method since Spring Security isn't using
it right now
- Made builders extensible since the authentications are
extensible
Issue gh-17861
Joe Grandja
Josh Cummings
Andrey Litvitski
Yanming Zhou
Rob Winch
Sébastien Deleuze
parthokr