b731623b3a
Fix checkstyle errors with @Deprecated
2024-08-19 10:55:58 -03:00
b92ed92548
Fix checkstyle errors with @Deprecated
2024-08-19 10:55:28 -03:00
912062d307
Merge branch '6.2.x' into 6.3.x
2024-08-19 09:11:10 -03:00
79fb0113c8
Bump io-spring-javaformat from 0.0.42 to 0.0.43
...
Bumps `io-spring-javaformat` from 0.0.42 to 0.0.43.
Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.42 to 0.0.43
- [Release notes](https://github.com/spring-io/spring-javaformat/releases )
- [Commits](spring-io/spring-javaformat@v0.0.42...v0.0.43)
Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.42 to 0.0.43
- [Release notes](https://github.com/spring-io/spring-javaformat/releases )
- [Commits](spring-io/spring-javaformat@v0.0.42...v0.0.43)
---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
dependency-type: direct:production
update-type: version-update:semver-patch
...
---
Manual updates:
- Adhere to rule where `@Deprecated` annotations and `@deprecated` javadoc comments MUST
be used together
Signed-off-by: dependabot[bot] <support@github.com>
2024-08-19 09:11:05 -03:00
2caf1fb6b4
Bump io-spring-javaformat from 0.0.42 to 0.0.43
...
Bumps `io-spring-javaformat` from 0.0.42 to 0.0.43.
Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.42 to 0.0.43
- [Release notes](https://github.com/spring-io/spring-javaformat/releases )
- [Commits](spring-io/spring-javaformat@v0.0.42...v0.0.43)
Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.42 to 0.0.43
- [Release notes](https://github.com/spring-io/spring-javaformat/releases )
- [Commits](spring-io/spring-javaformat@v0.0.42...v0.0.43)
---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
dependency-type: direct:production
update-type: version-update:semver-patch
...
---
Manual updates:
- Adhere to rule where `@Deprecated` annotations and `@deprecated` javadoc comments MUST
be used together
Signed-off-by: dependabot[bot] <support@github.com>
2024-08-19 09:08:24 -03:00
ed16c86115
Improve @CurrentSecurityContext meta-annotations
...
Closes gh-15551
2024-08-13 13:18:15 -06:00
59ec1f6480
Revert "Polish AuthorizationAdvisorProxyFactory advisor configuration"
...
This commit had some unintended consequences when the advisor
interceptor was published in a Spring Boot application. As such,
15497 will be reopened to investigate. In the meantime, this commit
reverts the previous change so as to allow the build to pass.
Issue gh-15497
2024-08-12 10:12:14 -06:00
08b8b09066
Update Copyright
...
Issue gh-15286
2024-08-10 11:48:14 -06:00
2b33f6f04a
Add Config Tests for AuthenticationPrincipal Templates
...
Issue gh-15286
2024-08-10 11:46:51 -06:00
e40c98e6d7
Deprecate PrePostTemplateDefaults
...
Since there is nothing specific to configuring pre/post
annotations, there is no need for the extra class.
If a need like this does arise in the future,
either AnnotationTemplateExpressionDefaults can be sub-
classed, or it can have introduced a Map field holding
custom properties.
Issue gh-15286
2024-08-10 11:46:51 -06:00
2c02d8aec7
Update Copyright
2024-08-10 11:46:51 -06:00
895978c818
Auto config AuthenticationPrincipalArgumentResolver When AnnotationTemplateExpressionDefaults bean is Present
2024-08-10 11:46:51 -06:00
71f40f2bc4
Merge branch '6.3.x'
...
Use explicit types instead of var
Closes gh-155537
2024-08-08 15:30:16 -05:00
3b8cdc323f
Remove unused method
2024-08-08 15:29:41 -05:00
109da2719f
Use explicit types everywhere instead of var
2024-08-08 15:29:41 -05:00
02cca6f737
Polish AuthorizationAdvisorProxyFactory advisor configuration
...
Closes gh-15497
2024-08-07 10:09:51 -06:00
816ebe38b5
Add OpenSAML to Config Build
...
Issue gh-11658
2024-08-06 18:14:12 -06:00
1da383b360
Add OpenSAML 5 Support
...
Issue gh-11658
2024-08-06 18:14:11 -06:00
78a0173cc1
Use OpenSAML API for web
...
Issue gh-11658
2024-08-06 18:14:11 -06:00
51fc05630d
Use OpenSAML API for web.authentication.logout
...
Issue gh-11658
2024-08-06 18:14:10 -06:00
ff9a925e88
Use OpenSAML API for metadata
...
Issue gh-11658
2024-08-06 18:14:10 -06:00
416859e70e
Use OpenSAML API in authentication.logout
...
Issue gh-11658
2024-08-06 18:14:10 -06:00
bc8ba7f3b7
Inline CSS for default login and logout page
...
- Remove the dependency on Bootstrap CSS. Results in faster load times, no failures
in air-gapped or offline scenarios, and no dependency on an external CDN that may
go away some day.
2024-08-05 09:27:18 -05:00
37a2812d1a
Mimic Annotation Fallback Logic
...
For backward compatibility, this commit changes the annotation traversal
logic to match what is found in PrePostAnnotationSecurityMetadataSource.
This reverts gh-13783 which is a feature that unfortunately regressess
pre-existing behavior like that found in gh-15352. As such, that
functionality has been removed.
Issue gh-15352
2024-07-31 16:17:42 -06:00
f20ae1a71c
Revert gh-13783
...
This feature unfortunately regresses pre-existing behavior
like that found in gh-15352. As such, this functionality
has been removed.
Closes gh-15352
2024-07-31 16:16:34 -06:00
304685521c
Fix tags order
2024-07-29 15:35:48 -03:00
8231b8a03b
Merge branch '6.3.x'
2024-07-29 14:56:16 -03:00
c1b3b329af
Merge branch '6.2.x' into 6.3.x
2024-07-29 14:56:09 -03:00
3d4bcf1b44
fix: Restrict automatic CORS configuration to UrlBasedCorsConfigurationSource
...
- Update CORS configuration logic to automatically enable .cors() only if a UrlBasedCorsConfigurationSource bean is present.
- Modify applyCorsIfAvailable method to check for UrlBasedCorsConfigurationSource instances.
2024-07-29 14:55:55 -03:00
98af8d1123
Add permissionsPolicyHeader
...
This method is a replacement of `permissionsPolicy(Customizer)` that returns its own configurer instead of `HeadersConfigurer`.
Closes gh-14803
2024-07-29 09:26:42 -03:00
9d8888c5f0
Use AssertingPartyMetadata
...
Issue gh-15394
2024-07-19 18:48:23 -07:00
fdcf3c6df9
Merge branch '6.3.x'
2024-07-18 15:51:21 -06:00
ba714d78ab
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15440
2024-07-18 15:51:10 -06:00
3daeeb8789
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15439
2024-07-18 15:50:58 -06:00
dab48d25b0
Improve Error Message When Registration Missing
...
Closes gh-15363
2024-07-18 15:50:41 -06:00
796e4d6b6c
Add query parameter support for authn requests
...
Closes gh-15017
2024-07-13 23:57:57 -06:00
8ee497f4c5
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15410
2024-07-12 11:04:08 -06:00
7422a1134a
Allow logout+jwt JWT type
...
Closes gh-15003
2024-07-12 10:03:40 -07:00
773e86701e
Add ParameterRequestMatcher
...
Closes gh-15342
2024-07-02 15:17:54 -06:00
aa9c1bab67
Upgrade to Spring Framework 6.2.0-M4
...
Closes gh-15266
2024-06-18 14:07:05 -03:00
0e7566ede3
Adjust any-request check
...
Storing the request matcher outside of the for loop means that
if one of the SecurityFilterChain instances is not of type
DefaultSecurityFilterChain, then the error may print out an
earlier request matcher instead of the current one.
Instead, this commit changes to print out the entire filter chain
so that it can be inside of the for loop, regardless of type.
Issue gh-15220
2024-06-17 14:34:03 -06:00
4c780bf8d4
Add support checking AnyRequestMatcher securityFilterChains
...
Closes gh-15220
2024-06-17 13:05:36 -06:00
7eaab95639
Polish gh-15237
2024-06-13 16:05:15 -05:00
4e52eda0f5
Add support configuring OAuth2AuthorizationRequestResolver as bean
...
Closes gh-15236
2024-06-13 16:05:15 -05:00
b4c8fdf91d
Add missing @Test annotation
2024-06-10 15:43:52 -03:00
7c43fc111f
Support RoleHierarchy Bean in authorizeHttpRequests Kotlin DSL
...
Closes gh-15136
2024-06-10 15:41:28 -03:00
4ca0de9c2d
Sync XSD with RncToXsd Task
2024-06-06 15:17:56 -06:00
a7f9ccb6d6
Use GrantedAuthorityDefaults Bean in Kotlin DSL
...
Closes gh-15171
2024-06-06 15:16:32 -06:00
87ee464dce
Merge branch '6.3.x'
2024-06-06 13:36:39 -06:00
22c7b8760a
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15211
2024-06-06 13:36:20 -06:00
f231ea277d
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15210
2024-06-06 13:35:56 -06:00
6aabd768a8
Pick MvcRequestMatcher for MockMvc requests
...
Closes gh-13849
2024-06-06 13:17:43 -06:00
81abc453fe
Merge branch '6.3.x'
2024-06-03 17:43:12 -06:00
0aed8df549
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15197
2024-06-03 17:42:58 -06:00
d6228e0882
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15196
2024-06-03 17:42:25 -06:00
cdd626644e
Use Request-Level Servlet Context
...
Spring Security cannot use the ServletContext attached
to the ApplicationContext since there may be child
ApplicationContext's with their own ServletContext.
Because of that, it is necessary to always use the
ServletContext attached to the request.
Closes gh-14418
2024-06-03 17:41:51 -06:00
5a798e93f1
Polish MVC Tests
...
Issue gh-14418
2024-06-03 17:41:51 -06:00
9101bf1f7d
Allow logout+jwt JWT type
...
Closes gh-15003
2024-05-31 14:41:05 -06:00
f104d1aeea
Update Copyright
...
PR gh-15013
2024-05-31 12:39:17 -06:00
3b7f714f00
Add SecurityContextRepository to Kotlin Reactive DSL
2024-05-31 12:38:17 -06:00
c89647a56e
Deprecate shouldFilterAllDispatcherTypes from Kotlin DSL
...
Issue gh-12138
2024-05-27 09:00:54 -03:00
9f44f3b79a
Deprecate authorizeRequests from Kotlin DSL
...
Closes gh-15173
2024-05-27 08:51:32 -03:00
f6ea99d8a3
Prepare for Spring Security 6.4
...
Closes gh-15155
2024-05-24 11:41:28 -03:00
ddcaeb5c20
Serialize objects from 6.3.x
...
Issue gh-3737
2024-05-24 09:47:29 -03:00
08f11f06ab
Revert unnecessary commits from main
...
Issue gh-15016
2024-05-08 13:49:18 -03:00
b3c7f3ff19
Rename CompromisedPasswordCheckResult to CompromisedPasswordDecision
...
Issue gh-7395
2024-04-30 08:38:03 -03:00
47775f5167
Merge branch '6.2.x'
2024-04-26 17:09:29 -06:00
29d3b438b9
Merge branch '6.1.x' into 6.2.x
2024-04-26 17:09:17 -06:00
1ecb036fba
Merge branch '5.8.x' into 6.1.x
2024-04-26 17:09:05 -06:00
0e211382ee
Remove useBase64 parameter
2024-04-26 17:05:49 -06:00
11421c6385
Merge branch '6.2.x'
2024-04-25 14:03:27 -06:00
664dfd9b45
Defer Anonymous Filter Construction
...
By delaying when the AnonymousAuthenticationFilter is constructed,
it's now possible to call the principal and filter methods inside
of a custom DSL implementation.
This does not extend to setting the key or the authentication provider
though, as these must be set during the init phase.
Closes gh-14941
2024-04-25 14:03:10 -06:00
7ddc00521e
Improve logging for Global Authentication
...
Closes gh-14663
2024-04-25 11:35:59 -06:00
2bcbef1695
Add Saml2Logout DSL Support
...
Closes gh-14935
2024-04-22 11:12:45 -06:00
a4dbf458ab
Add relying-party-registrations#id
...
Closes gh-14487
2024-04-18 12:56:56 -06:00
2fbbcc4bd0
Polish Method Authorization Denied Handling
...
- Renamed @AuthorizationDeniedHandler to @HandleAuthorizationDenied
- Merged the post processor interface into MethodAuthorizationDeniedHandler , it now has two methods handleDeniedInvocation and handleDeniedInvocationResult
- @HandleAuthorizationDenied now handles AuthorizationDeniedException thrown from the method
Issue gh-14601
2024-04-12 15:55:25 -03:00
fd891d8fe3
Add proxyBeanMethods=false
...
Addresses too early creation warning of a configuration imported by
ReactiveOAuth2ClientConfiguration.
Closes gh-14900
2024-04-12 11:17:41 -05:00
61eba00654
Move HaveIBeenPwnedRestApiPasswordChecker to spring-security-web
...
Prior to this commit, the implementation was placed in spring-security-core, however we do not want to introduce a dependency on spring-web and spring-webflux for that module.
Issue gh-7395
2024-04-10 14:58:01 -03:00
8d914ef145
Add @AuthorizationDeniedHandler for Method Authorization Denied Handling
...
Issue gh-14601
2024-04-08 14:42:13 -03:00
75197ca531
inject PasswordEncoder into DaoAuthenticationProvider constructor
...
Closes gh-14691
2024-04-08 09:39:25 -05:00
d6ae058ee1
Merge branch '6.2.x'
...
Closes gh-14866
2024-04-08 11:16:30 -03:00
697d0c9af4
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14865
2024-04-08 11:16:15 -03:00
472c9f8275
Avoid initializing raw bean during runtime in native-images
...
Closes gh-14825
2024-04-08 11:11:23 -03:00
61e93ee68b
Merge branch '6.2.x'
2024-04-04 14:56:32 -05:00
16e2bdc9bc
Merge branch '6.1.x' into 6.2.x
2024-04-04 14:55:45 -05:00
c2447ec257
Merge branch '5.8.x' into 6.1.x
2024-04-04 14:55:03 -05:00
39dbd24dcb
Polish gh-14742
2024-04-04 14:51:19 -05:00
bb43174752
Fix Bean Name
...
Issue gh-14480
2024-04-04 13:30:30 -06:00
3f7355abc6
Synthesize all annotation attributes
...
Issue gh-14601
2024-04-04 13:30:29 -06:00
33ebd5405a
Removed dataSource null validation
...
Fixed data source validation
2024-04-04 14:21:18 -05:00
6f07d63938
Support SpEL Returning AuthorizationDecision
...
Closes gh-14598
2024-04-04 11:32:00 -06:00
0a9c482f62
Revert "Support SpEL Returning AuthorizationDecision"
...
This reverts commit 77f2977c55
2024-04-04 11:31:45 -06:00
77f2977c55
Support SpEL Returning AuthorizationDecision
...
Closes gh-14599
2024-04-04 09:52:15 -07:00
d85857f905
Add Authorization Denied Handlers for Method Security
...
Closes gh-14601
2024-04-03 09:25:12 -03:00
ff19f04fca
Add JwtValidators append to default
...
Implemented simplified creation of default OAuth2TokenValidator with additional validators.
Closes gh-14831
2024-04-02 14:41:35 -07:00
7d66525e23
Add Compromised Password Checker
...
Closes gh-7395
2024-04-01 09:48:07 -03:00
abf9dc165a
Merge branch '6.2.x'
2024-03-26 10:55:48 -05:00
614123e6f9
Update tests that fail on Windows
...
Issue gh-14609
2024-03-26 10:49:47 -05:00
44033cd8b9
Make Internal Logout URI Configurable
...
Closes gh-14609
2024-03-22 16:31:44 -06:00
e18ec48134
Fix Test
...
Issue gh-14553
2024-03-22 16:31:42 -06:00
662cfed349
Make Internal Logout URI Configurable
...
Closes gh-14609
2024-03-22 16:28:21 -06:00
c95f009b23
Fix Test
...
Issue gh-14553
2024-03-22 16:27:16 -06:00
9898e0e993
Move AuthorizationAdvisorProxyFactory
...
To prevent package tangles
Issue gh-14596
2024-03-22 11:00:39 -06:00
795e44d11f
Add Value-Type Ignore Support
...
Issue gh-14597
2024-03-22 11:00:39 -06:00
ce54a6db18
Add TestAuthentication convenience method
...
Issue gh-14597
2024-03-19 10:27:03 -06:00
d169d5a835
Add AuthorizeReturnObject
...
Closes gh-14597
2024-03-19 10:27:03 -06:00
c611b7e33b
Add AuthorizationProxyFactory Reactive Support
...
Issue gh-14596
2024-03-15 11:44:30 -06:00
f541bce492
Polish AuthorizationAdvisorProxyFactory
...
- Ensure Reasonable Defaults
- Simplify Construction
Issue gh-14596
2024-03-15 11:44:30 -06:00
77c30c431e
Polish tests
...
Issue gh-11783
Issue gh-13763
2024-03-14 15:40:43 -05:00
80a8d3831a
Simplify reactive OAuth2 Client configuration
...
Closes gh-13763
2024-03-14 15:40:43 -05:00
52dfbfb5b3
Add Authorization Proxy Support
...
Closes gh-14596
2024-03-13 14:35:07 -06:00
d6382b83dc
Configure token-exchange via a bean
...
Issue gh-5199
Issue gh-11783
Closes gh-14701
2024-03-07 11:03:10 -06:00
bade66e588
Fix Circular Dependency
...
Closes gh-14674
2024-03-01 14:21:13 -07:00
f8ff056eb6
Update Max Sessions on WebFlux
...
Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler
Issue gh-6192
2024-02-28 10:06:45 -03:00
a5ce8ae87f
Polish Max Sessions on WebFlux
...
This commit changes the PreventLoginServerMaximumSessionsExceededHandler to invalidate the WebSession in addition to throwing the error, this is needed otherwise the session would still be saved with the security context. It also changes the SessionRegistryWebSession to first perform the operation on the delegate and then invoke the needed method on the ReactiveSessionRegistry
Issue gh-6192
2024-02-27 11:12:50 -03:00
c639d0a514
Add AOP Integration Test
...
Closes gh-14637
2024-02-26 13:56:56 -07:00
4d383023cb
Add meta-annotation parameter support
...
Closes gh-14480
2024-02-26 10:50:35 -07:00
347eeb17d5
Merge branch '6.2.x'
2024-02-26 10:17:18 -07:00
2471df4d36
Merge branch '6.1.x' into 6.2.x
2024-02-26 10:17:04 -07:00
27cd9fa86c
Don't Use Deprecated Class
...
Issue gh-14628
2024-02-26 10:06:59 -07:00
093b5572af
Merge branch '6.2.x'
2024-02-22 12:15:42 -07:00
bb6045ebea
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14648
2024-02-22 12:15:17 -07:00
2fdd541ea5
Merge branch '5.8.x' into 6.1.x
...
Closes gh-14647
2024-02-22 12:15:00 -07:00
45c37c4454
Remove duplicate setSecurityContextHolderStrategy
...
Closes gh-14592
2024-02-22 12:14:35 -07:00
21580fd27d
Merge branch '6.2.x'
2024-02-16 13:31:20 -03:00
15306c1007
Merge branch '6.1.x' into 6.2.x
2024-02-16 13:21:15 -03:00
750cb30ce4
Add AuthenticationTrustResolver.isAuthenticated
2024-02-16 13:08:29 -03:00
7f0433c805
Merge branch '6.2.x'
2024-02-12 17:01:38 -07:00
2702a64be7
Use Localhost for Internal Logout Endpoint
...
Closes gh-14553
2024-02-12 17:00:58 -07:00
34526c3e01
Merge branch '6.2.x'
2024-02-12 12:54:29 -07:00
3ab323663a
Do Not Wire Default OidcSessionStrategy without OidcLogoutConfigurer
...
Closes gh-14558
2024-02-12 12:53:48 -07:00
ccb2f06d0d
Partially revert fc658d10
...
OpenIDAuthenticationFilter exists in versions < 6.0
Issue gh-14531
2024-02-07 10:13:34 -03:00
dea6d6b49c
Merge branch '6.2.x'
...
Closes gh-14566
2024-02-07 09:38:10 -03:00
ad96837e59
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14565
2024-02-07 09:38:02 -03:00
ba1068e368
Merge branch '5.8.x' into 6.1.x
...
Closes gh-14564
2024-02-07 09:37:52 -03:00
fc658d10d3
fix security filter sort in javadoc
...
Closes gh-14531
2024-02-07 09:37:01 -03:00
915d68e216
Remove includeExpiredSessions parameter
...
The reactive implementation of max sessions does not keep track of expired sessions, therefore we do not need such parameter
Issue gh-6192
2024-02-06 10:43:00 -03:00
a282887906
Merge branch '6.2.x'
2024-02-05 15:42:09 -07:00
b43b3b144e
Merge branch '6.1.x' into 6.2.x
2024-02-05 15:41:58 -07:00
ffe9577487
Merge branch '5.8.x' into 6.1.x
2024-02-05 15:41:35 -07:00
7c3a6a567e
Fix Compilation Errors
...
Issue gh-14525
2024-02-05 15:18:31 -07:00
07e0b1dc37
Saml2 LogoutFilter Is Placed Before Common LogoutFilter
...
Closes gh-14525
2024-02-05 15:18:31 -07:00
3a53422478
Fix Failing Test
...
Closes gh-14467
2024-01-29 17:14:30 -07:00
27ebeefb14
Fix Failing Test
...
Closes gh-14467
2024-01-26 11:24:00 -07:00
bdc0bd6b78
Add usernameParameter and passwordParameter to FormLoginDsl
...
Closes gh-14474
2024-01-24 09:56:38 -03:00
3f65f600de
Use AuthorizationEventPublisher Bean
...
- For Jsr250MethodInterceptor and SecuredMethodInterceptor
Closes gh-14401
2024-01-17 17:40:38 -07:00
1daa9e27e2
Merge branch '6.2.x'
2024-01-05 15:17:01 -03:00
e2bab7b7ef
Add .serialized suffix and consider them as binary in Git
...
Issue gh-3737
2024-01-05 15:14:22 -03:00
85177c0178
Merge branch '6.2.x'
...
Closes gh-14408
2024-01-05 14:22:49 -03:00
4fb6a33d36
Verify Serializable Objects Are Deserializable Between Minor Versions
...
This commit introduces a test that verifies that Spring Security domain classes that implements Serializable and have the same serialVersionUID as SpringSecurityCoreVersion#SERIAL_VERSION_UID can be deserialized between minor versions.
This commit also introduces another test that should be used to generate the files containing the serialized content of the objects.
Closes gh-3737
2024-01-05 12:00:02 -03:00
eeb2f5d108
Merge branch '6.2.x'
2023-12-28 12:56:52 -06:00
428a3a2703
Merge branch '6.1.x' into 6.2.x
2023-12-28 12:56:36 -06:00
3beb583207
Merge branch '5.8.x' into 6.1.x
2023-12-28 12:56:25 -06:00
16dc6be3c8
Update copyright year
...
Issue gh-14329
2023-12-28 12:54:29 -06:00
c88aaedb48
Updated broken documentation link in javadocs
2023-12-28 12:54:29 -06:00
707588f870
Merge branch '6.2.x'
2023-12-26 15:58:51 -03:00
d385b53e3c
Merge branch '6.1.x' into 6.2.x
2023-12-26 15:58:39 -03:00
92af758f1f
Make springSecurityHandlerMappingIntrospectorBeanDefinitionRegistryPostProcessor passive
...
Instead of excluding the bean from AOT processing, we avoid redefining the beans if they are present or in the expected state.
Issue gh-14362
2023-12-26 15:58:16 -03:00
778a63a763
Revert "Exclude SpringSecurityHandlerMappingIntrospectorBeanDefinitionRegistryPostProcessor from AOT processing"
...
This reverts commit 8a93178da7
2023-12-26 15:10:15 -03:00
5ad34d1f92
Merge branch '6.2.x'
...
Closes gh-14381
2023-12-26 11:20:51 -03:00
dd20f0694d
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14380
2023-12-26 11:20:41 -03:00
7cd626fe25
Fix FilterChainProxy cannot be found when @EnableWebSecurity(debug = true)
...
Closes gh-14370
2023-12-26 11:20:09 -03:00
08d764dc84
Merge branch '6.2.x'
...
Closes gh-14378
2023-12-26 10:42:45 -03:00
f95cda6be7
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14377
2023-12-26 10:42:37 -03:00
364bc10e78
Add hints for CompositeFilterChainProxy
...
Closes gh-14359
2023-12-26 10:41:56 -03:00
a628384d20
Merge branch '6.2.x'
...
Closes gh-14368
2023-12-22 08:40:24 -03:00
737678c66e
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14367
2023-12-22 08:40:15 -03:00
8a93178da7
Exclude SpringSecurityHandlerMappingIntrospectorBeanDefinitionRegistryPostProcessor from AOT processing
...
Closes gh-14362
2023-12-22 08:40:07 -03:00
ec02c22459
Add Request Path Extraction Support
...
Closes gh-13256
2023-12-19 18:15:49 -07:00
99218db84a
Add order offset to @EnableMethodSecurity
...
Closes gh-13214
2023-12-19 17:57:24 -07:00
c19f3d9d06
Merge branch '6.2.x'
2023-12-18 15:19:54 -07:00
74860c4aff
Merge branch '6.1.x' into 6.2.x
2023-12-18 15:19:48 -07:00
fbafe41991
Merge branch '5.8.x' into 6.1.x
2023-12-18 15:19:40 -07:00
b7f10cd50a
Merge branch '6.2.x'
2023-12-18 15:19:07 -07:00
b031a4c0f6
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14350
2023-12-18 15:18:48 -07:00
e058b559b8
Polish Method Security Eager-Loading
...
Issue gh-11596
2023-12-18 15:18:09 -07:00
9a5d991383
Address eager-loading of infrastructure beans
...
Closes gh-11596
2023-12-18 15:16:00 -07:00
33800c0124
Address eager-loading of infrastructure beans
...
Closes gh-11596
2023-12-18 14:25:48 -07:00
fc007aa373
Check OpenSAML Version in XML Support
...
Closes gh-12483
2023-12-18 11:51:15 -07:00
d7a9a19161
Merge branch '6.2.x'
2023-12-18 11:47:39 -07:00
03e48905c7
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14346
2023-12-18 11:47:23 -07:00
b855ccdb09
Merge branch '5.8.x' into 6.1.x
...
Closes gh-14345
2023-12-18 11:46:04 -07:00
eaaa813ede
Fix header value typo
...
Closes gh-11948
2023-12-18 10:42:50 -07:00
8a34e32a24
Polish IpAddressAuthorizationManager
...
Closes gh-10577
2023-12-15 16:54:58 -07:00
ea7c720ce7
Add hasIpAddress to Kotlin DSL
...
Closes gh-10577
2023-12-15 16:54:58 -07:00
9f33d43097
Merge branch '6.2.x'
...
Use CompositeFilterChainProxy
2023-12-15 01:17:14 -06:00
c7047add5d
Merge branch '6.1.x' into 6.2.x
...
Use CompositeFilterChainProxy
2023-12-15 01:16:21 -06:00
142b268a21
Use CompositeFilterChainProxy
...
By extending FilterChainProxy CompositeFilterChainProxy is more passive since
users often depend on the type of the springSecurityFilterChain Bean being
FilterChainProxy (even though it can already be other types - when debug is
enabled).
Issue gh-14128
2023-12-15 01:15:38 -06:00
465642828a
Merge branch '6.2.x'
...
Add HandlerMappingIntrospector Caching
Closes gh-14333
2023-12-14 16:11:08 -06:00
6dd29520b0
Merge branch '6.1.x' into 6.2.x
...
Add HandlerMappingIntrospector Caching
Closes gh-14332
2023-12-14 16:10:50 -06:00
70dfb3d391
Add HandlerMappingIntrospector Caching
...
Closes gh-14128
2023-12-14 16:08:36 -06:00
57ab15127a
Add Max Sessions on WebFlux
...
Closes gh-6192
2023-12-11 09:48:34 -03:00
e6bea1cfa1
Polish RoleHierarchy Bean Usage
...
Issue gh-12783
2023-12-07 16:27:14 -07:00
b76f7c029d
Use available RoleHierachy Bean for MethodSecurity Config
...
Closes gh-12783
2023-12-07 16:27:14 -07:00
bb6b55aca3
Add Not Support
...
Closes gh-14058
2023-12-07 16:24:19 -07:00
d50698a269
Prepare for Spring Security 6.3
...
Closes gh-14210
2023-12-05 15:49:42 -07:00
3ab235cd56
Merge branch '6.1.x'
2023-12-01 15:54:44 -07:00
641722823e
Merge branch '6.0.x' into 6.1.x
2023-12-01 15:45:32 -07:00
f536b2652f
Merge branch '5.8.x' into 6.0.x
2023-12-01 15:45:03 -07:00
c623303ca5
Add Logging
...
Now if the ServletRegistration API available message is shown, it will
also be accompanied with a startup warning in the logs.
Closes gh-14221
2023-12-01 12:57:46 -07:00
a98baa7522
Polish ServletRegistration API Deferral
...
Tomcat uses different ServletContext instances from startup- and request-time.
This commit ensures that if the programmatic API isn't available at startup-time,
then use the ServletContext attached to the HttpServletRequest at runtime.
Issue gh-13794
2023-12-01 12:57:45 -07:00
15d9b7824c
Merge branch '6.1.x'
2023-11-17 12:27:31 -07:00
d958787561
Merge branch '6.0.x' into 6.1.x
2023-11-17 12:27:04 -07:00
12f074b8ce
Merge branch '5.8.x' into 6.0.x
2023-11-17 12:25:13 -07:00
d961307044
Polish RequestMatcher Description
...
Issue gh-13794
2023-11-17 12:24:38 -07:00
4131a38f9e
Revert "Add forServletPattern"
...
This reverts commit 762319b6be
2023-11-17 12:02:14 -07:00
5958828113
Merge branch '6.1.x'
2023-11-17 12:01:57 -07:00
aa1a022605
Merge branch '6.0.x' into 6.1.x
...
Closes gh-14165
2023-11-17 11:46:20 -07:00
c6c6eb4d66
Merge branch '5.8.x' into 6.0.x
...
Closes gh-14164
2023-11-17 11:45:59 -07:00
4ca54683ae
Defer requestMatchers Validation to Runtime
...
Closes gh-13794
2023-11-17 11:23:21 -07:00
00da9c9092
Use assertj assertions
2023-11-17 09:05:38 -03:00
e3ab1c94d7
Use assertj assertions
2023-11-17 09:04:50 -03:00
a7da9491d9
Use assertj assertions
2023-11-17 09:03:36 -03:00
97516727a4
Add Coroutine Support
...
Closes gh-12080
2023-11-15 11:48:37 -07:00
77acaaa3b7
Use bean factory method
...
Closes gh-14094
2023-11-06 12:55:57 -06:00
624dcafcf2
Merge branch '6.0.x' into 6.1.x
...
Closes gh-14085
2023-11-01 12:12:02 -06:00
fa15c975ff
Merge branch '5.8.x' into 6.0.x
...
Closes gh-14084
2023-11-01 12:11:20 -06:00
ffd12ee3b9
Refine requestMatcher Validation Rules
...
Closes gh-14078
2023-10-31 17:08:24 -06:00
447f40949c
Revert unnecessary merges on 6.1.x
...
This commit removes unnecessary main-branch merges starting from
9f8db22b774d6ff49b9ded6ff670d1c823b0079444fad21363
2023-10-31 15:22:15 -05:00
9db33f33c7
Revert unnecessary merges on 6.0.x
...
This commit removes unnecessary main-branch merges starting from
8750608b5b5dce82c48b
2023-10-31 15:11:45 -05:00
96ebab324c
Remove Type Parameter
...
Closes gh-14012
2023-10-13 22:09:16 -06:00
8f829dd1d7
Refine requestMatcher Validation Rules
...
Closes gh-13850
2023-10-12 09:29:08 -06:00
762319b6be
Add forServletPattern
...
Closes gh-13562
2023-10-12 09:29:08 -06:00
07b6c451fd
Merge branch '6.1.x'
...
Closes gh-13884
2023-09-29 11:47:38 -03:00
8adfc9b463
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13883
2023-09-29 11:46:48 -03:00
92c82191c9
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13882
2023-09-29 11:46:00 -03:00
64e2a2ff8b
Apply updated Code Style
...
Closes gh-13881
2023-09-29 11:44:32 -03:00
ff374935fb
Verify ReactorContext when using Virtual Threads
...
Closes gh-12791
2023-09-25 12:01:31 -05:00
d48b8697bd
Fix mockito usage
...
Issue gh-13810
2023-09-19 10:39:04 -05:00
d6ff58bb7f
Update Mockito to 5.5.0
...
Closes gh-13810
2023-09-19 10:39:03 -05:00
0e8d04ab40
Merge branch '6.1.x'
2023-09-19 14:20:25 +01:00
94bba79834
Merge branch '6.0.x' into 6.1.x
2023-09-19 14:20:17 +01:00
0c3f154f38
Merge branch '5.8.x' into 6.0.x
2023-09-19 14:20:01 +01:00
ac04c2e675
Add dependency between rncToXsd and sourcesJar
...
Since processResources is configured directly instead of via the source
set container, an explicit dependency task between rncToXsd and
sourcesJar must be defined.
Issue gh-13845
2023-09-19 14:19:45 +01:00
e63d7fd9e9
Add dependency between rncToXsd and versionlessXsd
...
Since processResources is configured directly instead of via the source
set container, an explicit dependency task between rncToXsd and
versionlessXsd must be defined.
Issue gh-13845
2023-09-19 14:19:33 +01:00
718c470910
Prevent creating duplicate .xsd entries
...
This change removes .xsd entries that would appear in the top level of
the assembled artifacts. This occurred because the output of the
rncToXsd task does not consider the path beneath the resources
directory. To fix this, the processResources task is directly
configured with a copy spec so the required path can be set.
Issue gh-13845
2023-09-19 14:19:19 +01:00
cb33fd7850
Add OIDC Back-Channel Logout Support
...
Closes gh-12570
2023-09-16 15:12:21 -06:00
91c89451e7
Merge branch '6.1.x'
...
Automate spring-security.xsd
Closes gh-13826
2023-09-14 23:44:34 -05:00
7627c2df46
Merge branch '6.0.x' into 6.1.x
...
Automate spring-security.xsd
Closes gh-13825
2023-09-14 23:43:27 -05:00
342735043d
Merge branch '5.8.x' into 6.0.x
...
Automate spring-security.xsd
Closes gh-13824
2023-09-14 23:42:31 -05:00
779541b340
Merge branch '5.7.x' into 5.8.x
...
Automate spring-security.xsd
Closes gh-13823
2023-09-14 23:37:53 -05:00
5b293d2116
Automate spring-security.xsd
...
Closes gh-13819
2023-09-14 16:01:50 -05:00
9a06885247
Merge branch '6.1.x'
...
Closes gh-13815
2023-09-14 14:50:11 +01:00
59a9aa3268
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13814
2023-09-14 14:49:29 +01:00
aeafcc1377
Defer MethodSecurityExpressionHandler Resolution
...
When using Spring Security ACL and compiling to Native, in order to create the '*AuthorizationMethodInterceptor' Proxy beans during build time, Spring tries to resolve the DataSource bean since the DataSource can be a dependency of some AclService implementations, and fails because some required data source properties are not available during build time.
This commit defers the initialization of the MethodSecurityExpressionHandler to the runtime.
Closes gh-12653
2023-09-14 14:48:24 +01:00
f5942aac73
Merge branch '6.1.x'
2023-09-13 14:23:51 +01:00
b4ce77c028
Merge branch '6.0.x' into 6.1.x
2023-09-13 14:23:28 +01:00
48babb7efa
Merge branch '5.8.x' into 6.0.x
2023-09-13 14:23:01 +01:00
620e6e0c34
Add rncToXsd task to resources set
...
This addresses a deprecation warning causing build caching to be
disabled for some tasks. With this change, we tell Gradle that the
rncToXsd task produces output that should be considered a resource.
This clears up ambiguities when computing the task graph.
2023-09-13 13:58:42 +01:00
4ebfa2c804
Use lazy API to configure rncToXsd task
...
This avoids configuring the task eagerly.
2023-09-13 13:58:05 +01:00
9df9cb5aed
refactor: AssertJ best practices
...
Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/bGVuS?organizationId=RGVmYXVsdA%3D%3D
Co-authored-by: Moderne <team@moderne.io>
2023-09-12 16:18:14 -06:00
92256f0522
Support nested suspend calls for Kotlin coroutines
...
Closes gh-13764
2023-09-05 00:23:30 -05:00
1a45602dbb
Fix mockito usage
2023-09-01 15:27:54 -05:00
ea1ec646b2
Fix test failures related to response headers
...
These tests began failing on snapshots after changes in
Spring Framework's `DispatcherServlet` to reset the response
on an error.
For now, we can have these tests operate with a 200 OK response.
An issue was opened in the spring-framework issuer tracker to
discuss this and address `CorsFilter` (and any other filter) that
writes headers that would be cleared on an error.
See spring-projects/spring-framework#31154
2023-09-01 15:27:54 -05:00
fe5a55fc13
Merge branch '6.1.x'
...
Closes gh-13723
2023-08-20 23:15:57 -06:00
0df1884372
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13722
2023-08-20 23:10:00 -06:00
5fb6f5768c
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13666 in 6.0.x
Closes gh-13721
2023-08-20 23:07:36 -06:00
28f98b3351
Improve Error Message
...
Closes gh-13667
2023-08-20 22:53:57 -06:00
ed96e2cddf
Ignore Unmappable Servlets
...
Closes gh-13666
2023-08-20 22:53:55 -06:00
8d58113b61
Merge branch '6.1.x'
...
Closes gh-13656
2023-08-16 17:54:55 -06:00
d2d1f19133
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13655
2023-08-16 17:54:37 -06:00
ca0140c586
saml2Login Honors AuthenticationProvider bean
...
Closes gh-13654
2023-08-16 17:54:14 -06:00
3ba5cc0e40
Add CSRF Exception
...
Issue gh-13653
2023-08-16 16:54:50 -06:00
87ae2d41b3
Update Mockito Usage
...
Issue gh-13542
2023-08-16 16:30:43 -06:00
985e569685
Polish gh-13608
2023-08-10 17:30:54 -05:00
6353d90047
Add integrity attribute for signin.css
...
Closes gh-13486
2023-08-10 17:30:52 -05:00
5828e4e65c
Simplify OAuth2 Client configuration
...
Issue gh-11783
2023-08-09 14:14:09 -05:00
f3d90b38e2
Add OAuth2AuthorizedClientManager Registrar
2023-08-09 14:14:09 -05:00
75e0068925
Merge branch '6.1.x'
2023-08-07 16:03:55 -06:00
8d4a024809
Update Copyright
...
PR gh-13472
2023-08-07 16:00:56 -06:00
cd6f33c03e
Using putIfAbsent instead of put
2023-08-07 16:00:18 -06:00
12c64a9b1d
Merge branch '6.1.x'
...
Dependencies are resolved from appropriate repositories
Closes gh-13624
2023-08-07 09:55:18 -05:00
d4d715d8e1
Merge branch '6.0.x' into 6.1.x
...
Dependencies are resolved from appropriate repositories
Closes gh-13623
2023-08-07 09:54:27 -05:00
4257a97504
Merge branch '5.8.x' into 6.0.x
...
Dependencies are resolved from appropriate repositories
Closes gh-13622
2023-08-07 09:51:55 -05:00
30bc2634d7
Optimize configuration of project repositories
...
This change applies repository content filtering to configured
repositories, reducing the time spent during dependency resolution.
This fixes an issue where requests for 'org.opensaml',
'net.shibboleth.utilities' and 'net.minidev' dependencies were being
made in the Spring releases repositories, resulting in many failed
requests during dependency resolution and increased resolution times.
Closes gh-13582
2023-08-07 09:51:42 -05:00
33d904d708
Merge branch '6.1.x'
...
Closes gh-13581
2023-07-24 11:32:23 -06:00
442d3fb99d
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13580
2023-07-24 11:31:52 -06:00
ee13216882
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13579
2023-07-24 11:31:29 -06:00
c4f061c63d
Do Not Re-register Method Security Advisors
...
Closes gh-13572
2023-07-24 11:24:03 -06:00
9dc7bdd329
Merge branch '6.1.x'
2023-07-17 11:21:06 -06:00
cf2c8da3d5
Merge branch '6.0.x' into 6.1.x
2023-07-17 11:10:04 -06:00
fe7bee9236
Merge branch '5.8.x' into 6.0.x
2023-07-17 11:09:38 -06:00
bb46a54270
Add DispatcherServlet to Tests
...
Issue gh-13551
2023-07-17 10:58:30 -06:00
df239b6448
Improve RequestMatcher Validation
...
Closes gh-13551
2023-07-17 08:41:30 -06:00
8f5793afb1
Merge branch '6.1.x'
2023-07-17 09:17:10 -03:00
aaa31312bd
Merge branch '6.0.x' into 6.1.x
2023-07-17 09:16:45 -03:00
cbef118026
Merge branch '5.8.x' into 6.0.x
2023-07-17 09:16:20 -03:00
a939f17890
Merge branch '5.7.x' into 5.8.x
2023-07-17 09:15:56 -03:00
fe9bc26bdc
Merge branch '5.6.x' into 5.7.x
2023-07-17 09:13:28 -03:00
7813a9ba26
Use default PathPatternParser instance
2023-07-17 09:12:28 -03:00
b3ad2b0dc5
Don't Mock OAuth2AuthorizedClientRepository
...
Issue gh-13542
Issue gh-13546
2023-07-14 18:44:35 -06:00
b0022a0ae8
Update Mockito Usage
...
Issue gh-13542
2023-07-14 18:44:34 -06:00
cf79af2386
Update Kotlin Test Usage
...
Issue gh-13539
2023-07-14 18:38:58 -06:00
6c3636d780
Update Removed Usages
...
Issue gh-13544
2023-07-14 18:38:58 -06:00
30d09c5192
Merge branch '6.1.x'
...
Closes gh-13495
2023-07-12 14:31:56 -03:00
f62c9d3be6
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13494
2023-07-12 14:31:45 -03:00
933b302979
Fix once-per-request="true" not taking any effect
...
Closes gh-13491
2023-07-12 14:30:18 -03:00
8d0e426654
Generate Shared Test SAML Response
...
Issue gh-13433
2023-07-11 10:36:06 -06:00
f2f19270da
Update to OpenSAML 4.3.0
...
Closes gh-13433
2023-07-10 17:56:42 -06:00
a0540f5c65
Deprecate AbstractConfiguredSecurityBuilder#apply
...
Closes gh-13436
2023-06-30 11:53:47 -03:00
1ff5eb6b57
Add with() method to apply SecurityConfigurerAdapter
...
This method is intended to replace .apply() because it will not be possible to chain configurations when .and() gets removed
Closes gh-13204
2023-06-29 14:52:30 -03:00
4855290a76
Merge branch '6.1.x'
2023-06-29 10:31:25 -06:00
87e07d59da
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13199
2023-06-29 10:08:10 -06:00
1abfd2c801
Only Register as Advisor in Proxy Mode
...
Now that https://github.com/spring-projects/spring-framework/issues/30689
is addressed.
Closes gh-13198
2023-06-29 10:07:11 -06:00
618847418f
Automatically enable .cors() if CorsConfigurationSource bean is present
...
Closes gh-5011
2023-06-23 09:51:46 -03:00
52e12ad64b
Replace deprecated methods
2023-06-22 13:19:55 -06:00
8efdc5c926
Polish Contribution
...
Issue gh-13215
2023-06-22 16:00:47 -03:00
401058d5ff
Implemented AuthorizeHttpRequestsConfigurer to consider GrantedAuthorityDefaults for custom rolePrefix
...
Closes gh-13215
2023-06-22 16:00:46 -03:00
c5461b17de
EnableMethodSecurity annotation does not get imported when defined as a meta-annotation
...
Closes gh-12870
2023-06-22 15:15:25 -03:00
208fb62db9
Update Deprecated Usage
...
Issue gh-12629
2023-06-22 11:24:25 -06:00
9b603b99ab
Using modern Java features
2023-06-22 11:24:25 -06:00
7e01ebdd92
Remove LazyCsrfTokenRepository usage
...
Closes gh-13194
2023-06-22 11:23:35 -06:00
fb910e2997
Prepare for Spring Security 6.2
...
Closes gh-14316
2023-06-22 11:03:28 -06:00
acf1d34d94
Merge branch '6.0.x'
2023-06-19 11:13:57 -03:00
2686af0c4d
Revert "Only Register as Advisor in Proxy Mode"
...
This reverts commit 35ad1f85
2023-06-19 11:13:39 -03:00
fc1e465fd0
Merge branch '6.0.x'
2023-06-05 13:34:58 -06:00
c053f6f0c6
Make eclipse/vscode project import work
...
- Gradle projects contain cycles which comes from dependencies to
test sources which is not a problem in gradle but eclipse metadata
generation is getting confused. Thus we need settings to relax errors
org.eclipse.jdt.core.circularClasspath=warning
org.eclipse.jdt.core.incompleteClasspath=warning
- Additionally .classpath entries needs to be changes having
without_test_code=false
test=false
- Aspects end up getting source dirs `build/classes/java/main`
and `build/resources/main` which never have sources. Vscode complains
about that, eclipse is fine. Remove those from entries.
- In tests `htmlunit` depends on `xml-apis`. `xml-apis` are now part
of jdk and eclipse complains about that. Excluse these in a gradle build.
- Both eclipse and vscode don't currently work with buildship, due to
project cycles and buildship cannot be configured. It's possible to
create metadata from `eclipse` task manually which then can be imported.
For this we need to disable automatic import in vscode using buildship.
This goes to `.vscode/settings.json` workspace config.
- Then with these changes user can do something like
git clean -fxd && ./gradlew clean build cleanEclipse eclipse -x checkstyleNohttp -x test -x integrationTest
and import projects manually.
2023-06-05 13:34:30 -06:00
a939fa63a1
Merge branch '6.0.x'
...
Closes gh-13282
2023-06-05 16:04:27 -03:00
4e3517e03a
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13281
2023-06-05 16:03:58 -03:00
b47420f8a2
Merge branch '5.7.x' into 5.8.x
...
Closes gh-13280
2023-06-05 16:02:30 -03:00
7250abc185
Does not apply a Configurer when disabled from another DSL
...
Closes gh-13203
2023-06-05 16:01:20 -03:00
537e10cf9c
Improve javadoc adding how to stick with defaults and link to documentation
...
Closes gh-13273
2023-06-02 15:05:17 -03:00
f566ed0afd
Update Symlink for 6.1
...
Issue gh-13131
2023-05-24 14:44:42 -06:00
ff0c82b019
Merge branch '6.0.x'
2023-05-24 14:41:55 -06:00
71703dc371
Update Symlink for 6.0
...
Issue gh-13131
2023-05-24 14:40:50 -06:00
90b37d6d07
Merge branch '5.8.x' into 6.0.x
2023-05-24 14:38:23 -06:00
73cb9862ad
Update Symlink for 5.8
...
Issue gh-13131
2023-05-24 14:37:18 -06:00
be409ada10
Merge branch '6.0.x'
...
Closes gh-13209
2023-05-22 15:43:43 -06:00
7c54c0e4fa
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13208
2023-05-22 15:43:27 -06:00
62ede47d86
Merge branch '5.7.x' into 5.8.x
...
Closes gh-13207
2023-05-22 15:42:36 -06:00
1eefd433b6
Add spring-security.xsd symlink
...
Closes gh-13131
2023-05-22 15:42:02 -06:00
31f1604f66
Merge branch '6.0.x'
...
Closes gh-13199
2023-05-19 16:44:18 -06:00
7efa275abc
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13198
2023-05-19 16:43:57 -06:00
35ad1f857e
Only Register as Advisor in Proxy Mode
...
Closes gh-13160
2023-05-19 16:33:46 -06:00
49366907e2
Merge branch '6.0.x'
...
Closes gh-13183
2023-05-15 17:31:48 -06:00
b438bc5384
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13182
2023-05-15 17:30:14 -06:00
f4915890cc
Use Spec Order for Verifying Signatures
...
Closes gh-12346
2023-05-15 17:24:22 -06:00
5814f614c7
Merge branch '6.0.x'
...
Closes gh-13128
2023-05-02 16:56:37 -06:00
46ad9c122e
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13127
2023-05-02 16:56:06 -06:00
e9a02bc6e9
RememberMeConfigurer Picks Up SecurityContextRepository
...
Closes gh-13104
2023-05-02 16:46:35 -06:00
45efd48b93
Merge branch '6.0.x'
...
Closes gh-13122
2023-05-02 10:13:24 -03:00
69338ecdfa
Only Observe AuthenticationManager if it is not null
...
Closes gh-13084
2023-05-02 10:12:46 -03:00
a44e91d044
fix javadoc typo
2023-04-24 16:41:17 -06:00
f261242db1
Merge branch '5.7.x' into 5.8.x
2023-04-24 16:33:29 -06:00
caa4093619
Fix javadoc for migration from WebSecurityConfigurerAdapter
2023-04-24 16:32:16 -06:00
dd14bbb365
Merge branch '6.0.x'
2023-04-18 12:42:55 -06:00
1e25756ee6
Fix Import Order
2023-04-18 12:42:25 -06:00
68b198f091
Merge branch '6.0.x'
2023-04-18 12:20:44 -06:00
64542b4059
Polish X509 SecurityContextRepository
...
Like Basic and Bearer authentication, X509 is
stateless by default. As such, it is better to not
pick up the global SecurityContextRepository bean.
The better fix is to change the default from
HttpSessionSecurityContextRepository to
RequestAttributeSecurityContextRepository.
Issue gh-13008
2023-04-18 12:18:20 -06:00
c79f04cd11
Merge branch '6.0.x'
...
Closes gh-13063
2023-04-17 17:07:32 -06:00
c3479ddb45
Pick Up SecurityContextRepository
...
Closes gh-13008
2023-04-17 17:06:06 -06:00
04b3d07319
Merge branch '6.0.x'
2023-04-17 07:30:54 -03:00
a484044591
Merge branch '5.8.x' into 6.0.x
2023-04-17 07:29:42 -03:00
6cf8c53aaa
Merge branch '5.7.x' into 5.8.x
2023-04-17 07:16:47 -03:00
2d52fb8e4b
Clear Repository on Logout
2023-04-17 06:47:57 -03:00
82a149207d
Deprecate .and() and non lambda DSL methods
...
Closes gh-12629
2023-04-14 15:50:58 -03:00
1a4a2a9055
Merge branch '5.8.x' into 6.0.x
2023-04-14 13:32:10 -03:00
54117d7d27
Fix test suffix to align with checkstyle
2023-04-14 13:29:15 -03:00
01d1e20dc3
Deprecate shouldFilterAllDispatcherTypes
...
Closes gh-12138
2023-04-13 15:05:10 -03:00
57e134cc5f
Merge branch '6.0.x'
2023-03-22 10:12:28 -03:00
67645b32f4
Merge branch '5.8.x' into 6.0.x
2023-03-22 10:12:11 -03:00
fd65dc6756
Merge branch '5.7.x' into 5.8.x
2023-03-22 10:08:17 -03:00
5eefe9dcff
Fix typo in SessionManagementConfigurer javadoc
2023-03-22 10:07:44 -03:00
ca9139b68f
Merge branch '6.0.x'
2023-03-20 17:02:15 -06:00
cbb4e40166
fix typo in RequestCacheResultMatcher
2023-03-20 17:02:00 -06:00
a4bc0a6f3c
Polish
...
- Add POST /login assertion
- Rearrange test and config class
Issue gh-12552
2023-03-20 14:31:13 -06:00
e2332d9620
Add disable to FormLoginDsl
...
Closes gh-12552
2023-03-20 14:31:13 -06:00
a7562ad950
Update io.spring.javaformat to 0.0.38
...
Closes gh-12891
2023-03-20 10:44:35 -06:00
3ad6c6ce06
Use EntityId-lookup Components
...
Closes gh-12880
2023-03-17 18:00:02 -06:00
46452c0cae
Add saml2Metadata
...
Closes gh-11828
2023-03-17 18:00:02 -06:00
e0284a4503
Fix CAS packages for 4.0.1 and Jasig references
...
Issue gh-11674
2023-03-01 17:21:24 -03:00
b4d3ac6665
Revert "Remove CAS module"
...
This reverts commit caf4c471
2023-03-01 17:21:23 -03:00
f5a4b520d1
Merge branch '6.0.x'
...
Closes gh-12781
2023-02-24 11:04:03 -07:00
bbd31f0e33
Defer ObservationRegistry Lookup
...
Closes gh-12780
2023-02-24 11:03:32 -07:00
963a18a27f
Merge branch '6.0.x'
...
Closes gh-12778
2023-02-23 15:17:47 -03:00
7d22e02593
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12777
2023-02-23 15:17:25 -03:00
97ba596ca3
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12776
2023-02-23 15:17:04 -03:00
1c3ce1e401
Fix entity-id ignored in RelyingPartyRegistration XML config
...
Closes gh-11898
2023-02-23 15:16:40 -03:00
afb5a4ae2c
Merge branch '6.0.x'
...
Closes gh-12688
2023-02-16 14:56:55 -07:00
cedb9fd199
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12687
2023-02-16 14:56:32 -07:00
0baf650f38
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12686
2023-02-16 14:55:22 -07:00
000b4bc495
Fix NPE in HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter
...
Before the fix, these methods would throw a NPE in case when the filter class passed as the second parameter, is not registered yet.
In particular, this exception can occur when mixing standard and custom DSL to register filters.
The fix doesn't change the situation that standard DSL for registration of filters cannot refer to filters that are registered via custom DSL even though those calls were done earlier.
It just provides more user-friendly error handling for this and most likely other scenarios of calls of HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter.
The error handling is implemented similarly to HttpSecurity#addFilter.
Closes gh-12637
2023-02-16 14:54:44 -07:00
cef13a6a16
Fix Javadoc Type Parameter
2023-02-15 15:31:09 -07:00
c79dac49ca
Fix Typo
2023-02-15 15:31:09 -07:00
d91837eadc
Merge branch '6.0.x'
...
Closes gh-12641
2023-02-07 12:46:42 -07:00
7dd5cc6082
Pick Up Custom SecurityContextRespository
...
Closes gh-12579
2023-02-07 12:46:12 -07:00
c66370c092
Update javadoc in EnableWebSecurity
2023-02-07 12:45:23 -07:00
eb35d3055f
Merge branch '6.0.x'
...
Closes gh-12640
2023-02-07 09:25:33 -03:00
52ed165476
Move classpath checks to class member variable
...
Closes gh-11437
2023-02-07 09:25:06 -03:00
da28a426f2
Merge branch '6.0.x'
...
Closes gh-12625
2023-02-03 14:35:08 -03:00
3572111cf5
Add JwtDecoder hint for oauth2Login
...
Closes gh-12615
2023-02-03 14:34:32 -03:00
59829321a8
Allow configuring SecurityContextRepository for BasicAuthenticationFilter
...
Closes gh-12031
2023-02-03 10:09:16 -06:00
6abbdd3654
Merge branch '6.0.x'
2023-01-26 15:55:41 -06:00
13487be268
Default to XorCsrfChannelInterceptor in 6.0.x
...
Closes gh-12378
2023-01-26 15:45:04 -06:00
1363a4eece
Merge branch '5.8.x' into 6.0.x
2023-01-26 15:44:47 -06:00
1243d1327e
Merge branch '6.0.x'
...
Closes gh-12593
2023-01-26 14:09:19 -07:00
c3563df25a
Include HttpStatusRequestRequestedHandler
...
Closes gh-12548
2023-01-26 14:07:22 -07:00
66711f2365
Add RequestRejectedHandler Test
...
Issue gh-12548
2023-01-26 13:07:16 -07:00
c306df9b46
Add XorCsrfChannelInterceptor
...
Issue gh-12378
2023-01-23 16:00:35 -06:00
d84b8d2d12
AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context
...
Closes gh-12473
2023-01-10 10:54:37 -07:00
e61b17fe13
Merge branch '6.0.x'
...
Closes gh-12514
2023-01-10 10:21:38 -07:00
5b6b3d585f
Change EnableReactiveMethodSecurity Defaults
...
Closes gh-12506
2023-01-10 08:30:52 -07:00
e139f1c2ba
Polish gh-12438
2022-12-22 11:16:19 -05:00
919280b3e4
Allow ServerOAuth2AuthorizationRequestResolver to be set on oauth2 client configuration
...
Closes gh-12430
2022-12-22 10:12:18 -05:00
ca333203aa
Merge branch '6.0.x'
...
Closes gh-12372
2022-12-14 10:30:55 -03:00
7080ea652f
Add hints for ProxyFactoryBean AuthenticationManager
...
Closes gh-12367
2022-12-14 10:16:04 -03:00
03438ffc03
Merge branch '6.0.x'
2022-12-05 14:57:43 -08:00
f1698ec188
Fix removed code by merge
2022-12-05 14:57:28 -08:00
0fdcde2d6f
Merge branch '6.0.x'
2022-12-05 14:42:42 -08:00
2fdf762726
Merge branch '5.8.x' into 6.0.x
2022-12-05 14:41:59 -08:00
7aaa25b88e
Merge branch '5.7.x' into 5.8.x
2022-12-05 14:40:54 -08:00
fc25b87967
Merge branch '5.6.x' into 5.7.x
2022-12-05 14:40:38 -08:00
f39f215140
Replace javadoc with SecurityFilterChain bean definition
2022-12-05 14:40:05 -08:00
a5464ed819
Fix typo in DefaultLoginPageConfigurer Javadoc
...
'isLogoutRequest' seems to have nothing to do here.
2022-12-05 14:31:15 -08:00
e6173f9e5b
Prepare for Spring Security 6.1
2022-11-28 15:47:10 -03:00
e774bd480b
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12261
2022-11-21 10:25:43 -03:00
f561d3784e
Improve deprecation notice in WebSecurityConfigurerAdapter
...
Closes gh-12260
2022-11-21 10:05:08 -03:00
dd9f954ace
Fix tests in CsrfConfigurerTests
...
Closes gh-12241
2022-11-18 14:58:41 -06:00
5da78f44f2
Merge branch '5.8.x'
2022-11-18 14:54:33 -06:00
ea6ce05662
Add configurer tests for CookieCsrfTokenRepository
...
Issue gh-12236
2022-11-18 13:12:59 -06:00
2ed7cff643
Check for existing token before clearing
...
Closes gh-12236
2022-11-18 13:12:59 -06:00
e08ed89403
Polish Span and Meter Names
...
Closes gh-12156
2022-11-17 15:09:52 -07:00
222f8ae1a5
Merge branch '5.8.x'
2022-11-16 16:54:32 -06:00
2301e8ca77
Fix Javadoc in EnableWebSocketSecurity
...
Add missing method name in EnableWebSocketSecurity JavaDoc code example.
2022-11-16 16:51:42 -06:00
c45cd6ec9f
Defer ObservationRegistry Resolution
...
- If Method Security asks for too early, it is no longer
eligible for post-processing. As such, this commit defers loading it until
the first authorization request.
Issue gh-11990
2022-11-09 22:07:57 -07:00
3b5d19c8a4
Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1
...
Closes gh-12146
Closes gh-12148
2022-11-08 08:34:21 -03:00
72c25332a5
Fix authenticationFailureHandler customization tests
...
Issue gh-12132
2022-11-03 10:32:38 -03:00
fc8e20b89f
Merge branch '5.8.x'
...
Closes gh-12133
2022-11-02 15:49:18 -06:00
3192618220
Add authenticationFailureHandler
...
- To ServerHttpSecurity#httpBasic
- To ServerHttpSecurity#oauthResourceServer
Closes gh-12132
2022-11-02 15:35:01 -06:00
983f1d4efb
Merge branch '5.8.x'
...
Closes gh-12127
2022-11-01 18:08:08 -06:00
6622e0135a
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12126
2022-11-01 18:06:41 -06:00
6efac34ca7
Merge branch '5.6.x' into 5.7.x
...
Closes gh-12125
2022-11-01 18:06:01 -06:00
5c4362bbc4
Refresh parsers when not found
...
Closes gh-3065
2022-11-01 18:05:15 -06:00
d860775b45
Document Defer load CsrfToken
...
Closes gh-12105
2022-10-28 15:41:25 -05:00
abe68abfe4
Merge remote-tracking branch 'origin/5.8.x'
2022-10-26 17:13:02 -06:00
bd4e0fb5db
Set LogoutRequestRepository on Saml2 LogoutSuccessHandler
...
Closes gh-11363
2022-10-26 16:44:23 -06:00
9cb668aec2
SessionManagementConfigurer properly defaults SecurityContextRepository
...
Previously the default was an HttpSessionSecurityContextRepository which
meant that if a stateless authentication occurred the SecurityContext would
be lost on ERROR dispatch.
This commit ensures that the RequestAttributeSecurityContextRepository is
also consulted by default.
Closes gh-12070
2022-10-20 10:57:47 -05:00
a4858d9eaa
Add SpringTestContext.addFilter
...
Add SpringTestContext.addFilter which allows Spring Security's tests
to specify a Filter to be added to the SpringTestContext.
Closes gh-12071
2022-10-20 10:54:24 -05:00
33b492df54
Default to DelegatingSecurityContextRepository
...
Closes gh-12023
Closes gh-12049
2022-10-17 20:04:43 -05:00
bd43c1f28a
Merge branch '5.8.x'
...
# Conflicts:
# web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
# web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
c75ca10900
Add DeferredSecurityContext
...
Issue gh-12023
2022-10-17 19:33:58 -05:00
819529f5ea
Remove CsrfSpec.tokenFromMultipartDataEnabled
...
Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled
Closes gh-12020
2022-10-13 11:29:15 -05:00
753e113a13
RequestMatcherDelegatingAuthorizationManager defaults to deny
...
Closes gh-11958
2022-10-13 11:12:00 -04:00
2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
...
Closes gh-11960
2022-10-13 09:39:57 -05:00
2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
...
Issue gh-11960
2022-10-13 09:39:55 -05:00
2713075d08
Mark Observations with Firewall Failures
...
Closes gh-11994
2022-10-12 20:32:24 -06:00
46ab84684b
Mark Observations with CSRF Failures
...
Closes gh-11993
2022-10-12 20:32:23 -06:00
99a87179dd
Instrument Filter Chain
...
Closes gh-11911
2022-10-12 20:32:22 -06:00
8c610684f3
Instrument Authentication and Authorization
...
Closes gh-11989
Closes gh-11990
2022-10-12 20:32:21 -06:00
7c872cf7fd
Merge branch '5.8.x'
2022-10-12 15:02:40 -05:00
440748ec65
Add test support for Xor CSRF tokens
...
Issue gh-4001
2022-10-12 15:02:15 -05:00
27059ced87
Default X-Xss-Protection header value to "0"
...
Closes gh-9631
2022-10-07 17:42:55 -05:00
dcda899c8c
Merge branch '5.8.x'
2022-10-07 17:40:37 -05:00
37fa49b32d
Polish gh-11952
2022-10-07 17:40:12 -05:00
6753f9745e
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
# docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
f462134e87
Add reactive support for BREACH
...
Closes gh-11959
2022-10-07 16:34:17 -05:00
f4ca90e719
Add reactive interfaces for CSRF request handling
...
Issue gh-11959
2022-10-07 16:34:16 -05:00
398f5dee7f
Remove deprecated RequestMatcher methods from Java Configuration
...
Closes gh-11939
2022-10-07 15:26:46 -03:00
9fd195d419
Default to shouldFilterAllDispatcherTypes=true in XML
...
Closes gh-11970
2022-10-07 11:46:20 -03:00
146d3269bc
Merge branch '5.8.x'
...
Closes gh-11971
2022-10-07 10:28:14 -03:00
f3321c256c
Add XML support for shouldFilterAllDispatcherTypes
...
Closes gh-11492
2022-10-07 10:20:32 -03:00
f650ebe545
Merge branch '5.8.x'
2022-10-06 13:50:50 -03:00
8a5aed2983
Add deprecation warning to CsrfDsl#ignoringAntMatchers
...
Issue gh-11347
2022-10-06 13:50:38 -03:00
d6302aabbc
Merge branch '5.8.x'
2022-10-06 13:21:52 -03:00
bc4ad52feb
Add deprecation warning to mvcMatchers methods
...
Issue gh-11347
2022-10-06 13:21:27 -03:00
12b9f2e196
use-authorization-manager defaults to true
...
Closes gh-11929
2022-10-06 08:12:46 -06:00
52ab2303da
Fix failing test
...
Issue gh-11061
2022-10-06 09:28:06 -03:00
c4d23f2b49
Use MvcRequestMatcher by default if Spring MVC is present
...
Closes gh-11899
2022-10-06 09:12:04 -03:00
12ac7acb2c
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 23:53:40 -06:00
2079309c5a
Add SecurityContextHolderStrategy XML Configuration for OAuth2
...
Issue gh-11061
2022-10-05 23:50:59 -06:00
7543effe89
Add SecurityContextHolderStrategy Java Configuration for OAuth2
...
Issue gh-11061
2022-10-05 23:50:58 -06:00
7e3841105b
Add SecurityContextHolderStrategy XML Configuration for Saml2
...
Issue gh-11061
2022-10-05 23:50:57 -06:00
19181a5afd
Add SecurityContextHolderStrategy Java Configuration for Saml2
...
Issue gh-11061
2022-10-05 23:50:56 -06:00
0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy
...
Issue gh-11061
2022-10-05 23:38:14 -06:00
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 22:48:33 -06:00
b4d13e7726
Polish use-authorization-manager
...
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together
Issue gh-11305
2022-10-05 22:21:09 -06:00
7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests
...
Issue gh-11665
2022-10-05 22:18:41 -06:00
8b490de08d
Merge branch '5.8.x'
...
# Conflicts:
# docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
dce1c30522
Add support for BREACH
...
Closes gh-4001
2022-10-05 14:21:13 -05:00
6bbf20be93
Fix failing tests
...
Issue gh-11952
2022-10-05 14:19:40 -05:00
a7000a053b
Merge branch '5.8.x'
2022-10-05 13:46:26 -05:00
1d706ae13d
Add csrfTokenRequestResolver to CsrfDsl
...
Closes gh-11952
2022-10-05 13:35:23 -05:00
c2ed65c67a
Fix failing tests
...
Issue gh-9159
2022-10-05 14:59:33 -03:00
22ba358e57
Merge branch '5.8.x'
2022-10-05 13:44:54 -03:00
bf6e85ec15
Accept String varargs in securityMatcher
...
Issue gh-9159
2022-10-05 13:44:08 -03:00
76d7a85bc0
Use modified classpath test support for tests that depend on the classpath
...
Issue gh-11347
2022-10-04 15:32:19 -03:00
77dcc691b3
Add modified classpath test support
...
Closes gh-11951
2022-10-04 15:32:18 -03:00
5002199be3
Revert "Disable tests that need Spring MVC mocked in classpath"
...
This reverts commit c6978fba7c
2022-10-04 15:32:18 -03:00
35f7e46d05
Remove WebSecurityConfigurerAdapter
...
Closes gh-10902
2022-10-04 15:13:04 -03:00
3bc76815c2
Update csrf.request-handler-ref in 6.0
...
Issue gh-11918
2022-10-04 11:24:54 -05:00
5de6da890b
Merge branch '5.8.x'
...
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
c6978fba7c
Disable tests that need Spring MVC mocked in classpath
...
Issue gh-11347
2022-10-04 08:56:06 -03:00
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
...
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler
Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
c847efd3fd
Fix servlet import
...
Issue gh-11347
Issue gh-9159
2022-10-03 15:10:56 -05:00
c98de7af2f
Add xss-protection.header-value in 6.0
...
Issue gh-9631
2022-10-03 14:31:04 -05:00
7c3cc1e386
Merge branch '5.8.x'
2022-10-03 14:29:51 -05:00
0e215a21ad
Add X-Xss-Protection headerValue to XML config
...
Issue gh-9631
2022-10-03 14:29:34 -05:00
ad2abd39dc
Merge branch '5.8.x'
...
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
039e0328e1
Simplify Java Configuration RequestMatcher Usage
...
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity
Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
d9a682a414
Polish gh-11896
2022-10-03 10:00:43 -05:00
bf9339d88e
Merge branch '5.8.x'
2022-10-03 09:57:40 -05:00
7f9600ae08
Polish gh-11896
2022-10-03 09:57:08 -05:00
5f2744db33
Merge branch '5.8.x'
...
Closes gh-11937
2022-10-03 11:43:22 -03:00
64a19de4dc
Deprecate HPKP security header
...
Closes gh-10144
2022-10-03 11:36:19 -03:00
4479cefade
Default Require Explicit Session Management = true
...
Closes gh-11763
2022-09-30 21:49:05 -05:00
0d58c5180e
Remove Explicit RequestCache Config from DeferHttpSession Tests
...
Issue gh-11757
2022-09-30 21:49:05 -05:00
12a0ccf6de
Remove Explicit CSRF Config from DeferHttpSessionTests
...
Issue gh-11764
2022-09-30 21:49:04 -05:00
617353eaa8
Merge branch '5.8.x'
...
Closes gh-11928
2022-09-30 21:46:26 -05:00
6d56af7b65
SessionManagementDsl.requireExplicitAuthenticationStrategy
2022-09-30 21:37:44 -05:00
76fbca9f46
Merge branch '5.8.x'
2022-09-30 09:50:02 -05:00
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
...
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".
This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.
This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.
Issue gh-9631
2022-09-30 09:38:08 -05:00
3bfdf6dd0f
Merge branch '5.8.x'
...
Closes gh-11922
2022-09-29 11:21:24 -03:00
cf3349f31a
Configure ContentNegotiationStrategy in HttpSecurityConfiguration
...
Closes gh-11916
2022-09-29 11:21:08 -03:00
506e50bfd0
Move Saml2 Authentication Filters
...
Issue gh-8819
2022-09-26 10:44:27 -06:00
181ee7410b
Change default authority for oauth2Login()
...
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.
* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER
Documentation has been updated to include this implementation detail.
Closes gh-7856
2022-09-26 10:06:31 -05:00
37a160245f
Adjust OAuth2 Resource Server packaging
...
Closes gh-7349
2022-09-23 16:31:21 -06:00
21c0c73878
Remove request-resolver-ref in 6.0
...
Issue gh-11896
2022-09-23 16:04:35 -05:00
bcb21c9384
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
...
Closes gh-11896
2022-09-23 15:09:00 -05:00
3c66ef6305
Change default SecurityContextRepository
...
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.
Closes gh-11026
2022-09-22 17:31:14 -05:00
0efe26c1fd
Merge branch '5.8.x'
...
Closes gh-11894
2022-09-22 13:47:04 -05:00
d94677f87e
CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
...
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.
Closes gh-11892
2022-09-22 11:09:44 -05:00
44b7847258
Fix Import Order
...
Issue gh-8819
2022-09-21 09:08:41 -06:00
70460ca009
Adjust OAuth2 Resource Server packaging
...
Closes gh-7349
2022-09-20 17:44:05 -06:00
61c80bcac5
Move Saml2 Authentication Filters
...
Closes gh-8819
2022-09-20 17:18:05 -06:00
48e31f87e4
Remove Deprecated OpenSAML 3 Support
...
Closes gh-10556
2022-09-20 16:57:38 -06:00
46f402243b
Merge remote-tracking branch 'origin/5.8.x'
2022-09-20 16:11:16 -06:00
3f8503f1b4
Deprecate AccessDecisionManager et al
...
Closes gh-11302
2022-09-20 16:09:59 -06:00
bd18c05a27
Use mock class instead of interface on mock's return
...
Issue gh-11860
2022-09-16 15:57:43 -03:00
1a1a8a7a46
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt
2022-09-14 14:11:10 -05:00
45bbd86f7e
HttpSecurityDsl should support apply method
...
Closes gh-11754
2022-09-14 13:58:42 -05:00
1aee40dcca
Polish gh-11665
...
* Add authentication-converter-ref to 6.0
* Add @Configuration to test configs
2022-09-14 10:41:42 -05:00
2431dd1103
Merge branch '5.8.x'
2022-09-13 17:38:10 -05:00
355ef21117
Polish gh-11665
2022-09-13 16:45:39 -05:00
1efb63387f
Add authentication converter for introspected tokens
...
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).
The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).
The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.
Closes gh-11661
2022-09-13 16:45:36 -05:00
088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
...
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
ed41a60aae
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
# config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
# web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
86fbb8db07
Add new interfaces for CSRF request processing
...
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
7bf2d3dc4e
Update DeferHttpSession Tests
...
Closes gh-11764
2022-08-31 14:40:06 -05:00
7d6552b3f4
gh-11772
2022-08-31 13:33:53 -05:00
3de421be3a
Remove setAuthenticationManager from HttpSecurityConfiguration
...
Closes gh-11776
2022-08-31 15:14:45 -03:00
f1b79e08cb
Merge branch '5.8.x'
2022-08-30 13:10:51 -05:00
6b297cc3a3
Polish javadoc in Kotlin DSL
...
Issue gh-11646
2022-08-30 13:10:35 -05:00
3eac274317
Merge branch '5.8.x'
2022-08-30 12:59:19 -05:00
5bdbc3f78d
Polish javadoc in Kotlin DSL
...
Issue gh-11646
2022-08-30 12:53:37 -05:00
2e26e875c8
Remove WebSecurityConfigurerAdapter in Kotlin DSL
...
Issue gh-11277
Closes gh-11646
2022-08-30 12:53:18 -05:00
41ede20712
Add method-security.mode to spring-security-6.0.xsd
2022-08-29 16:05:20 -05:00
2efc8dcd15
Default Require Explicit Save SecurityContext
...
Closes gh-11762
2022-08-29 10:16:04 -05:00
b1fd9af723
Merge remote-tracking branch 'origin/5.8.x' into main
2022-08-26 16:01:40 -06:00
0f58620643
Add AspectJ AuthorizationManager Support
...
Closes gh-11326
2022-08-26 15:59:08 -06:00
f84f08c4b9
Default HttpSessionRequestCache.matchingRequestParameterName=continue
...
Closes gh-11757
2022-08-26 14:44:55 -05:00
210693eb6b
Add @Configuration
...
Issue gh-6613
Issue gh-9401
2022-08-25 15:30:48 -06:00
84f765a89c
Merge remote-tracking branch 'origin/5.8.x' into main
2022-08-25 14:46:48 -06:00
e990174c89
Polish ReactiveMethodSecurity Support
...
- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @Deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well
Issue gh-9401
Polish
2022-08-25 14:36:03 -06:00
cbb4f40f0c
ReactiveAuthorizationManager + Reactive Method Security
...
Closes gh-9401
2022-08-25 14:35:04 -06:00
670b71363d
Merge branch '5.8.x'
...
Closes gh-11749
2022-08-23 16:03:50 -05:00
2fb625db84
Remove mockito deprecations
...
Issue gh-11748
2022-08-23 15:59:52 -05:00
a8d6c1d21f
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:58:22 -03:00
c7912c551b
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:51:53 -03:00
0aac515737
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:35:41 -03:00
3826fca567
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:33:08 -03:00
888c65a936
Add DeferHttpSession*Tests
...
Closes gh-6125
2022-08-18 17:38:03 -05:00
81d6b6df6c
Add Explicit SessionAuthenticationStrategy Option
...
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.
This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.
Closes gh-11455
2022-08-18 17:38:03 -05:00
1de810a565
Add DeferHttpSession*Tests
...
Closes gh-6125
2022-08-18 17:00:47 -05:00
89f8310d6c
Add Explicit SessionAuthenticationStrategy Option
...
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.
This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.
Closes gh-11455
2022-08-18 17:00:47 -05:00
63d2f19e2a
Remove default value for access parameter
...
Closes gh-10957
2022-08-18 15:22:08 -03:00
af3d70f130
Remove GlobalMethodSecurityRuntimeHints
...
Closes gh-11714
2022-08-17 08:07:28 -03:00
ba50c50b4b
Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
...
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous
Closes gh-11509
2022-08-16 15:14:08 -06:00
5ecd513a57
Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
...
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous
Closes gh-11509
2022-08-16 15:12:47 -06:00
5cf42b1f2e
Defer CsrfFilter Session Access
...
Closes gh-11456
2022-08-16 13:48:20 -05:00
8ad20b1768
Add CsrfFilter.csrfRequestAttributeName
...
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.
This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.
Issue gh-11699
2022-08-16 13:47:31 -05:00
5b64526ba9
Add CsrfFilter.csrfRequestAttributeName
...
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.
This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.
Issue gh-11699
2022-08-15 17:07:02 -05:00
faf9fb7337
NamespaceLdapAuthenticationProviderTests use Dynamic Port
...
Closes gh-11710
2022-08-15 15:26:46 -05:00
9f00045638
NamespaceLdapAuthenticationProviderTests use Dynamic Port
...
Closes gh-11710
2022-08-15 15:26:30 -05:00
002a770f13
NamespaceLdapAuthenticationProviderTests use Dynamic Port
...
Closes gh-11710
2022-08-15 15:26:12 -05:00
ce778b0e20
NamespaceLdapAuthenticationProviderTests use Dynamic Port
...
Closes gh-11710
2022-08-15 15:25:15 -05:00
425b3501b7
Remove `@Configuration` from `@Enable*` Annotations
...
This removes `@Configuration` from all `@Enable` Annotations and explicitly
adds `@Configuration` to wherever the `@Enable*` Annotations are used.
Closes gh-11653
2022-08-09 17:00:24 -05:00
a5069d7e35
Fix Add @Configuration to @Enable*Security Usage
...
Issue gh-6613
2022-08-09 17:00:16 -05:00
2e66b9f6cc
Allow customization of redirect strategy
...
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.
Closes gh-11373
2022-08-08 15:44:01 -05:00
efaee4e56b
Allow customization of redirect strategy
...
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.
Closes gh-11373
2022-08-08 15:35:49 -05:00
ed58ac7d78
Add Conditions to Generating AuthnRequest
...
Closes gh-11657
2022-08-03 17:49:48 -06:00
9e8a04d414
Polish Tests
...
Issue gh-11657
2022-08-03 17:49:46 -06:00
c2d79fcbd6
Add Conditions to Generating AuthnRequest
...
Closes gh-11657
2022-08-03 17:34:31 -06:00
aa225943d2
Polish Tests
...
Issue gh-11657
2022-08-03 17:34:26 -06:00
f8971742f2
Remove FilterSecurityInterceptor from WebSecurity
...
Closes gh-11325
2022-08-02 15:34:02 -03:00
040111ae9e
Remove Configuration meta-annotation from Enable* annotations
...
Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration.
While convenient, this is not consistent with the rest of the Spring projects and most notably
Spring Framework's @Enable annotations. Additionally, the introduction of support for
@Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to
remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow
users to opt into their preferred configuration mode.
Closes gh-6613
Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org>
2022-07-30 03:48:42 +02:00
99f768bab9
Polish HttpSecurity
2022-07-29 17:43:00 -05:00
984355e637
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:43:00 -05:00
09173c95d6
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:43:00 -05:00
07ea139ebf
Polish HttpSecurity
2022-07-29 17:42:39 -05:00
67544f36f9
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:42:39 -05:00
05725af4d8
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:42:39 -05:00
15f525c614
Polish HttpSecurity
2022-07-29 17:42:20 -05:00
0c0c75ce22
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:42:20 -05:00
9861769b02
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:42:20 -05:00
7f2c797086
Add Deprecated annotation to WebSecurity#securityInterceptor
...
Closes gh-11634
2022-07-27 14:39:56 -03:00
e5ae35ab71
Add Deprecated annotation to WebSecurity#securityInterceptor
...
Closes gh-11634
2022-07-27 14:39:33 -03:00
a996dfc55b
Add Deprecated annotation to WebSecurity#securityInterceptor
...
Closes gh-11634
2022-07-27 14:38:50 -03:00
d66ad22652
Add Deprecated annotation to WebSecurity#securityInterceptor
...
Closes gh-11634
2022-07-27 14:32:44 -03:00
1f26f8c419
Update spring-data-jpa to 3.0.0-M5
...
Closes gh-11540
2022-07-15 14:37:24 -03:00
Daniel Garnier-Moiroux
Marcus Hert Da Coregio
DingHao
Josh Cummings
Rob Winch
baezzys
Max Batischev
Steve Riesenberg
earlgrey02
sheheryarumair
Rob Winch
Andreas Asplund
y-tomida
Geir Hedemark
DingHao
Taehong Kim
Yan Kardziyaka
brunodmartins
DerChris173
kandaguru17
Steve Riesenberg
Eric Haag
Tim te Beek
Olivier Vanekem
Joe Grandja
Seongguk Jeong
Claudio Nave
Evgeniy Cheban
Krzysztof Krason
Janne Valkealahti
lukasz.migdalek
SeasonPan
Ruslan Stelmachenko
Martin Tarjányi
twosom
Clayton Walker
hdeadman
Leonid Rozenblyum
Tobias Meurer
Spas Poptchev
Mitja Kotnik
Guillaume Husta
Jan Marten
Koos Gadellaa
mmoussa_mapfreusa
Daniel Garnier-Moiroux
slam
ch4mpy
Yuriy Savchenko
Igor Bolic
Joshua Sattler