root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 21 Packages Projects Releases Wiki Activity
19,809 Commits 47 Branches 367 Tags 124 MiB
Commit Graph

19809 Commits

Author SHA1 Message Date
github-actions[bot] e616688f56 Release 7.0.0-RC1 2025-10-20 17:26:08 +00:00
github-actions[bot] 56a23d9ddc Release 6.5.6
CodeQL Advanced / codeql-analysis-call (push) Waiting to run Details
CI / Build (17, ubuntu-latest) (push) Waiting to run Details
CI / Build (17, windows-latest) (push) Waiting to run Details
CI / Test Against Snapshots (17, 17) (push) Waiting to run Details
CI / Test Against Snapshots (21-ea, 21) (push) Waiting to run Details
CI / Check Samples (push) Waiting to run Details
CI / Deploy Artifacts (push) Blocked by required conditions Details
CI / Deploy Docs (push) Blocked by required conditions Details
CI / Deploy Schema (push) Blocked by required conditions Details
CI / Perform Release (push) Blocked by required conditions Details
CI / Send Notification (push) Blocked by required conditions Details
Deploy Docs / build (push) Waiting to run Details
2025-10-20 17:17:40 +00:00
github-actions[bot] dc5aed9b5f Release 6.4.12
CodeQL Advanced / codeql-analysis-call (push) Waiting to run Details
CI / Build (17, ubuntu-latest) (push) Waiting to run Details
CI / Build (17, windows-latest) (push) Waiting to run Details
CI / Test Against Snapshots (17, 17) (push) Waiting to run Details
CI / Test Against Snapshots (21-ea, 21) (push) Waiting to run Details
CI / Check Samples (push) Waiting to run Details
CI / Deploy Artifacts (push) Blocked by required conditions Details
CI / Deploy Docs (push) Blocked by required conditions Details
CI / Deploy Schema (push) Blocked by required conditions Details
CI / Perform Release (push) Blocked by required conditions Details
CI / Send Notification (push) Blocked by required conditions Details
Deploy Docs / build (push) Waiting to run Details
2025-10-20 17:17:37 +00:00
Josh Cummings 9c7b34a48b Favor Relative Redirects by Default 
Closes gh-16300
 2025-10-20 10:25:17 -06:00
Josh Cummings d5d7fd414d Update What's New 2025-10-20 10:25:17 -06:00
Rob Winch 491a3e8f68
Update to Spring LDAP 4.0.0-RC1 
Closes gh-18086
 2025-10-20 09:35:15 -05:00
Rob Winch 43d20ea91f
Update to Spring Data 2025.1.0-RC1 
Closes gh-18085
 2025-10-20 09:35:14 -05:00
Rob Winch 24241d0384
Update to Spring Framework 7.0.0-RC1 
Closes gh-18084
 2025-10-20 09:35:14 -05:00
dependabot[bot] cb8c2b090c Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.19 to 1.5.20.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.19...v_1.5.20)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-20 09:17:01 -05:00
Rob Winch e94de4d0e3
Merge branch '6.5.x' 2025-10-20 09:16:23 -05:00
Rob Winch cb994aad6c
Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 2025-10-20 09:15:32 -05:00
Rob Winch 6f6ee0c060
Bump org.springframework.data:spring-data-bom from 2024.1.10 to 2024.1.11 2025-10-20 09:15:30 -05:00
Rob Winch 9cecc2cf09
Merge branch '6.4.x' into 6.5.x 2025-10-20 09:15:18 -05:00
Rob Winch f19c9c8625
Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 2025-10-20 09:14:31 -05:00
Rob Winch 95abf61c88
Refine Jackson 3 format description 2025-10-20 09:11:22 -05:00
Joe Grandja 22cbb13f7d Add comments to SQL-scripts to ensure robust timezone handling 
Issue https://github.com/spring-projects/spring-authorization-server/pull/2217
 2025-10-20 07:12:50 -04:00
Joe Grandja fc8b6b5863 Return PAR endpoint metadata only when enabled 
Issue https://github.com/spring-projects/spring-authorization-server/issues/2219
 2025-10-20 06:06:24 -04:00
dependabot[bot] 8b89e31e3d
Bump org.springframework.data:spring-data-bom 
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.1.10 to 2024.1.11.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.1.10...2024.1.11)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-20 03:18:26 +00:00
dependabot[bot] 67b15be917
Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.19 to 1.5.20.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.19...v_1.5.20)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-20 03:18:21 +00:00
dependabot[bot] 217a29e6ba
Bump org.springframework.data:spring-data-bom 
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.1.10 to 2024.1.11.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.1.10...2024.1.11)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-20 03:12:54 +00:00
dependabot[bot] b2d6380633
Bump ch.qos.logback:logback-classic from 1.5.19 to 1.5.20 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.19 to 1.5.20.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.19...v_1.5.20)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-20 03:12:45 +00:00
Rob Winch 9dc27bee03 Link to gh-18077
CodeQL Advanced / codeql-analysis-call (push) Waiting to run Details
CI / Build (17, ubuntu-latest) (push) Waiting to run Details
CI / Build (17, windows-latest) (push) Waiting to run Details
CI / Deploy Artifacts (push) Blocked by required conditions Details
CI / Deploy Docs (push) Blocked by required conditions Details
CI / Deploy Schema (push) Blocked by required conditions Details
CI / Perform Release (push) Blocked by required conditions Details
CI / Send Notification (push) Blocked by required conditions Details
Deploy Docs / build (push) Waiting to run Details
2025-10-19 17:03:19 -05:00
Rob Winch a181733365 Encapsulate GenericHttpMessageConverterAdapter 
This will allow its removal in gh-18073
 2025-10-19 17:03:19 -05:00
Rob Winch 51e8f8f1c6 Deprecate WebAuthnAuthenticationFilter.setConverter(GenericHttpMessageConverter) 
This makes sense given that Framework's new Jackson support is a
SmartHttpMessageConverter. Additionally,
GenericHttpMessageConverterAdapter is now package private to encapsulate
it.

Issue gh-18073
 2025-10-19 17:03:19 -05:00
Rob Winch d309f1887e Remove Extra Blank Line from CoreJacksonModule 2025-10-19 17:03:19 -05:00
Rob Winch 5e851e0b26 Remove JdbcOAuth2AuthorizationService.Mapper 
- We should not introduce an unnecessary public API
  - It would need to be removed when Jackson 2 support was removed, but
    was required to configure Jackson 3 support
  - There are already existing interfaces that could be used
- OAuth2AuthorizationRowMapper & OAuth2AuthorizationParametersMapper had
  unnecessary breaking changes by removing getter/setter for ObjectMapper
- To prevent NoClassDefFoundErrors all optional (Jackson) dependencies
  need to be on different classes & we wish to preserve the existing
  accessors for ObjectMapper which is this uses subclasses
- With added TestAuthenticationTokenMixin support, no need to explicitly
  add it in tests
 2025-10-19 17:03:19 -05:00
Rob Winch 803936cfbe JacksonDelegate uses SecurityJacksonModules 2025-10-19 17:03:19 -05:00
Rob Winch 50568da1e5 Add Jackson 3 TestingAuthenticationToken Support 
Without this many of the tests fail when using Jackson 3
 2025-10-19 17:03:19 -05:00
Sébastien Deleuze 8f8a25533a Refine documentation for Jackson 3 
This commit refines the documentation by:
 - Updating Jackson documentation for Jackson 3
 - Removing the outdated documentation in servlet
 - Adding migration guidelines

Closes gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
 2025-10-19 17:03:19 -05:00
Sébastien Deleuze 137f8fd670 Add support for JacksonJsonHttpMessageConverter 
This commit introduces classpath checks and instantiation of
JacksonJsonHttpMessageConverter (based on Jackson 3) leveraging
a new GenericHttpMessageConverterAdapter which allows to adapt
SmartHttpMessageConverter to GenericHttpMessageConverter.

See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
 2025-10-19 17:03:19 -05:00
Sébastien Deleuze 702a177e25 Add webauthn Jackson 3 support and deprecate Jackson 2 one 
Since this module was already using the jackson sub-package for Jackson 2
support, both Jackson 2 and Jackson 3 support lives in the same subpackage
and the former package-private classes has been renamed with a Jackson2
qualifier.

See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
 2025-10-19 17:03:19 -05:00
Sébastien Deleuze 48854c3ac9 Deprecate Jackson 2 support 
This commit does not cover webauthn which is a special case (uses
jackson sub-package for Jackson 2 support) which will be handled in
a distinct commit.

See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
 2025-10-19 17:03:19 -05:00
Sébastien Deleuze 65a14d6c6d Add Jackson 3 support 
This commit adds support for Jackson 3 which has the following
major differences with the Jackson 2 one:
 - jackson subpackage instead of jackson2
 - Jackson type prefix instead of Jackson2
 - JsonMapper instead of ObjectMapper
 - For configuration, JsonMapper.Builder instead of ObjectMapper
   since the latter is now immutable
 - Remove custom support for unmodifiable collections
 - Use safe default typing via a PolymorphicTypeValidator

Jackson 3 changes compared to Jackson 2 are documented in
https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a
and
https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md.

This commit does not cover webauthn which is a special case (uses
jackson sub-package for Jackson 2 support) which will be handled in
a distinct commit.

See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
 2025-10-19 17:03:19 -05:00
Sébastien Deleuze 916a687b29 Add Jackson 3 BOM 
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
 2025-10-19 17:03:19 -05:00
Sébastien Deleuze 762fcbb516 Add .kotlin/ to .gitignore 
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
 2025-10-19 17:03:19 -05:00
Joe Grandja fc795a81d4 PAR uses requested scopes on consent
CodeQL Advanced / codeql-analysis-call (push) Waiting to run Details
CI / Build (17, ubuntu-latest) (push) Waiting to run Details
CI / Build (17, windows-latest) (push) Waiting to run Details
CI / Deploy Artifacts (push) Blocked by required conditions Details
CI / Deploy Docs (push) Blocked by required conditions Details
CI / Deploy Schema (push) Blocked by required conditions Details
CI / Perform Release (push) Blocked by required conditions Details
CI / Send Notification (push) Blocked by required conditions Details
Deploy Docs / build (push) Has been cancelled Details 
Issue https://github.com/spring-projects/spring-authorization-server/pull/2182
 2025-10-17 16:14:31 -04:00
Josh Cummings 4bc319883b Address Nullability 2025-10-17 14:03:15 -06:00
dependabot[bot] cb7a6292b7 Bump io.spring.nullability:io.spring.nullability.gradle.plugin 
Bumps [io.spring.nullability:io.spring.nullability.gradle.plugin](https://github.com/spring-gradle-plugins/nullability-plugin) from 0.0.5 to 0.0.6.
- [Release notes](https://github.com/spring-gradle-plugins/nullability-plugin/releases)
- [Commits](https://github.com/spring-gradle-plugins/nullability-plugin/compare/v0.0.5...v0.0.6)

---
updated-dependencies:
- dependency-name: io.spring.nullability:io.spring.nullability.gradle.plugin
  dependency-version: 0.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-17 14:03:15 -06:00
Josh Cummings bbf6a4e786 Merge branch '6.5.x' 2025-10-17 13:50:05 -06:00
Josh Cummings ba2619cb8a Merge remote-tracking branch 'origin/6.4.x' into 6.5.x
CodeQL Advanced / codeql-analysis-call (push) Has been cancelled Details
CI / Build (17, ubuntu-latest) (push) Has been cancelled Details
CI / Build (17, windows-latest) (push) Has been cancelled Details
CI / Test Against Snapshots (17, 17) (push) Has been cancelled Details
CI / Test Against Snapshots (21-ea, 21) (push) Has been cancelled Details
CI / Check Samples (push) Has been cancelled Details
Deploy Docs / build (push) Has been cancelled Details
CI / Deploy Artifacts (push) Has been cancelled Details
CI / Deploy Docs (push) Has been cancelled Details
CI / Deploy Schema (push) Has been cancelled Details
CI / Perform Release (push) Has been cancelled Details
CI / Send Notification (push) Has been cancelled Details
2025-10-17 13:49:54 -06:00
dependabot[bot] 43c53c3b78 Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12
CodeQL Advanced / codeql-analysis-call (push) Has been cancelled Details
CI / Build (17, ubuntu-latest) (push) Has been cancelled Details
CI / Build (17, windows-latest) (push) Has been cancelled Details
CI / Test Against Snapshots (17, 17) (push) Has been cancelled Details
CI / Test Against Snapshots (21-ea, 21) (push) Has been cancelled Details
CI / Check Samples (push) Has been cancelled Details
Deploy Docs / build (push) Has been cancelled Details
CI / Deploy Artifacts (push) Has been cancelled Details
CI / Deploy Docs (push) Has been cancelled Details
CI / Deploy Schema (push) Has been cancelled Details
CI / Perform Release (push) Has been cancelled Details
CI / Send Notification (push) Has been cancelled Details 
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.11 to 6.2.12.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.11...v6.2.12)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-17 13:48:50 -06:00
dependabot[bot] b1e16cd147 Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.14 to 3.2.15.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.14...3.2.15)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-17 13:48:30 -06:00
dependabot[bot] 9961e6d56c Bump org.springframework:spring-framework-bom from 6.2.11 to 6.2.12 
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.11 to 6.2.12.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.11...v6.2.12)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-17 13:48:13 -06:00
dependabot[bot] cbad2ff5ca Bump org.springframework.ldap:spring-ldap-core from 3.2.14 to 3.2.15 
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.14 to 3.2.15.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.14...3.2.15)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-17 13:47:56 -06:00
dependabot[bot] 63c8b0faa3 Bump org.springframework.ldap:spring-ldap-core from 3.2.13 to 3.2.15 
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.13 to 3.2.15.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.13...3.2.15)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-17 13:46:16 -06:00
Josh Cummings a435175723 Clean Up Generic Typing in Builder 
Issue gh-17997
 2025-10-17 11:13:00 -06:00
Joe Grandja 4b810a8971 Disallow usage of the openid scope in device authorization requests 
Issue https://github.com/spring-projects/spring-authorization-server/pull/2177
 2025-10-17 11:41:30 -04:00
Joe Grandja 0d261e9c32 Remove setOidcUserMapper() in OidcUserService and OidcReactiveOAuth2UserService
CodeQL Advanced / codeql-analysis-call (push) Waiting to run Details
CI / Build (17, ubuntu-latest) (push) Waiting to run Details
CI / Build (17, windows-latest) (push) Waiting to run Details
CI / Deploy Artifacts (push) Blocked by required conditions Details
CI / Deploy Docs (push) Blocked by required conditions Details
CI / Deploy Schema (push) Blocked by required conditions Details
CI / Perform Release (push) Blocked by required conditions Details
CI / Send Notification (push) Blocked by required conditions Details
Deploy Docs / build (push) Waiting to run Details 
Closes gh-18060
 2025-10-16 16:29:52 -04:00
Josh Cummings c5e141ad07 Change JavaDoc to FactorGrantedAuthority 
Issue gh-18030
 2025-10-16 14:00:43 -06:00
Josh Cummings ba42b9c4cc Update Documentation for All-Factor Propagation 
Issue gh-18000
 2025-10-16 13:41:46 -06:00