a98baa7522
Polish ServletRegistration API Deferral
...
Tomcat uses different ServletContext instances from startup- and request-time.
This commit ensures that if the programmatic API isn't available at startup-time,
then use the ServletContext attached to the HttpServletRequest at runtime.
Issue gh-13794
2023-12-01 12:57:45 -07:00
15d9b7824c
Merge branch '6.1.x'
2023-11-17 12:27:31 -07:00
d958787561
Merge branch '6.0.x' into 6.1.x
2023-11-17 12:27:04 -07:00
12f074b8ce
Merge branch '5.8.x' into 6.0.x
2023-11-17 12:25:13 -07:00
d961307044
Polish RequestMatcher Description
...
Issue gh-13794
2023-11-17 12:24:38 -07:00
4131a38f9e
Revert "Add forServletPattern"
...
This reverts commit 762319b6be
2023-11-17 12:02:14 -07:00
5958828113
Merge branch '6.1.x'
2023-11-17 12:01:57 -07:00
aa1a022605
Merge branch '6.0.x' into 6.1.x
...
Closes gh-14165
2023-11-17 11:46:20 -07:00
c6c6eb4d66
Merge branch '5.8.x' into 6.0.x
...
Closes gh-14164
2023-11-17 11:45:59 -07:00
4ca54683ae
Defer requestMatchers Validation to Runtime
...
Closes gh-13794
2023-11-17 11:23:21 -07:00
00da9c9092
Use assertj assertions
2023-11-17 09:05:38 -03:00
e3ab1c94d7
Use assertj assertions
2023-11-17 09:04:50 -03:00
a7da9491d9
Use assertj assertions
2023-11-17 09:03:36 -03:00
97516727a4
Add Coroutine Support
...
Closes gh-12080
2023-11-15 11:48:37 -07:00
77acaaa3b7
Use bean factory method
...
Closes gh-14094
2023-11-06 12:55:57 -06:00
624dcafcf2
Merge branch '6.0.x' into 6.1.x
...
Closes gh-14085
2023-11-01 12:12:02 -06:00
fa15c975ff
Merge branch '5.8.x' into 6.0.x
...
Closes gh-14084
2023-11-01 12:11:20 -06:00
ffd12ee3b9
Refine requestMatcher Validation Rules
...
Closes gh-14078
2023-10-31 17:08:24 -06:00
447f40949c
Revert unnecessary merges on 6.1.x
...
This commit removes unnecessary main-branch merges starting from
9f8db22b774d6ff49b9ded6ff670d1c823b0079444fad21363
2023-10-31 15:22:15 -05:00
9db33f33c7
Revert unnecessary merges on 6.0.x
...
This commit removes unnecessary main-branch merges starting from
8750608b5b5dce82c48b
2023-10-31 15:11:45 -05:00
96ebab324c
Remove Type Parameter
...
Closes gh-14012
2023-10-13 22:09:16 -06:00
8f829dd1d7
Refine requestMatcher Validation Rules
...
Closes gh-13850
2023-10-12 09:29:08 -06:00
762319b6be
Add forServletPattern
...
Closes gh-13562
2023-10-12 09:29:08 -06:00
07b6c451fd
Merge branch '6.1.x'
...
Closes gh-13884
2023-09-29 11:47:38 -03:00
8adfc9b463
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13883
2023-09-29 11:46:48 -03:00
92c82191c9
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13882
2023-09-29 11:46:00 -03:00
64e2a2ff8b
Apply updated Code Style
...
Closes gh-13881
2023-09-29 11:44:32 -03:00
ff374935fb
Verify ReactorContext when using Virtual Threads
...
Closes gh-12791
2023-09-25 12:01:31 -05:00
d48b8697bd
Fix mockito usage
...
Issue gh-13810
2023-09-19 10:39:04 -05:00
d6ff58bb7f
Update Mockito to 5.5.0
...
Closes gh-13810
2023-09-19 10:39:03 -05:00
0e8d04ab40
Merge branch '6.1.x'
2023-09-19 14:20:25 +01:00
94bba79834
Merge branch '6.0.x' into 6.1.x
2023-09-19 14:20:17 +01:00
0c3f154f38
Merge branch '5.8.x' into 6.0.x
2023-09-19 14:20:01 +01:00
ac04c2e675
Add dependency between rncToXsd and sourcesJar
...
Since processResources is configured directly instead of via the source
set container, an explicit dependency task between rncToXsd and
sourcesJar must be defined.
Issue gh-13845
2023-09-19 14:19:45 +01:00
e63d7fd9e9
Add dependency between rncToXsd and versionlessXsd
...
Since processResources is configured directly instead of via the source
set container, an explicit dependency task between rncToXsd and
versionlessXsd must be defined.
Issue gh-13845
2023-09-19 14:19:33 +01:00
718c470910
Prevent creating duplicate .xsd entries
...
This change removes .xsd entries that would appear in the top level of
the assembled artifacts. This occurred because the output of the
rncToXsd task does not consider the path beneath the resources
directory. To fix this, the processResources task is directly
configured with a copy spec so the required path can be set.
Issue gh-13845
2023-09-19 14:19:19 +01:00
cb33fd7850
Add OIDC Back-Channel Logout Support
...
Closes gh-12570
2023-09-16 15:12:21 -06:00
91c89451e7
Merge branch '6.1.x'
...
Automate spring-security.xsd
Closes gh-13826
2023-09-14 23:44:34 -05:00
7627c2df46
Merge branch '6.0.x' into 6.1.x
...
Automate spring-security.xsd
Closes gh-13825
2023-09-14 23:43:27 -05:00
342735043d
Merge branch '5.8.x' into 6.0.x
...
Automate spring-security.xsd
Closes gh-13824
2023-09-14 23:42:31 -05:00
779541b340
Merge branch '5.7.x' into 5.8.x
...
Automate spring-security.xsd
Closes gh-13823
2023-09-14 23:37:53 -05:00
5b293d2116
Automate spring-security.xsd
...
Closes gh-13819
2023-09-14 16:01:50 -05:00
9a06885247
Merge branch '6.1.x'
...
Closes gh-13815
2023-09-14 14:50:11 +01:00
59a9aa3268
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13814
2023-09-14 14:49:29 +01:00
aeafcc1377
Defer MethodSecurityExpressionHandler Resolution
...
When using Spring Security ACL and compiling to Native, in order to create the '*AuthorizationMethodInterceptor' Proxy beans during build time, Spring tries to resolve the DataSource bean since the DataSource can be a dependency of some AclService implementations, and fails because some required data source properties are not available during build time.
This commit defers the initialization of the MethodSecurityExpressionHandler to the runtime.
Closes gh-12653
2023-09-14 14:48:24 +01:00
f5942aac73
Merge branch '6.1.x'
2023-09-13 14:23:51 +01:00
b4ce77c028
Merge branch '6.0.x' into 6.1.x
2023-09-13 14:23:28 +01:00
48babb7efa
Merge branch '5.8.x' into 6.0.x
2023-09-13 14:23:01 +01:00
620e6e0c34
Add rncToXsd task to resources set
...
This addresses a deprecation warning causing build caching to be
disabled for some tasks. With this change, we tell Gradle that the
rncToXsd task produces output that should be considered a resource.
This clears up ambiguities when computing the task graph.
2023-09-13 13:58:42 +01:00
4ebfa2c804
Use lazy API to configure rncToXsd task
...
This avoids configuring the task eagerly.
2023-09-13 13:58:05 +01:00
9df9cb5aed
refactor: AssertJ best practices
...
Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/bGVuS?organizationId=RGVmYXVsdA%3D%3D
Co-authored-by: Moderne <team@moderne.io>
2023-09-12 16:18:14 -06:00
92256f0522
Support nested suspend calls for Kotlin coroutines
...
Closes gh-13764
2023-09-05 00:23:30 -05:00
1a45602dbb
Fix mockito usage
2023-09-01 15:27:54 -05:00
ea1ec646b2
Fix test failures related to response headers
...
These tests began failing on snapshots after changes in
Spring Framework's `DispatcherServlet` to reset the response
on an error.
For now, we can have these tests operate with a 200 OK response.
An issue was opened in the spring-framework issuer tracker to
discuss this and address `CorsFilter` (and any other filter) that
writes headers that would be cleared on an error.
See spring-projects/spring-framework#31154
2023-09-01 15:27:54 -05:00
fe5a55fc13
Merge branch '6.1.x'
...
Closes gh-13723
2023-08-20 23:15:57 -06:00
0df1884372
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13722
2023-08-20 23:10:00 -06:00
5fb6f5768c
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13666 in 6.0.x
Closes gh-13721
2023-08-20 23:07:36 -06:00
28f98b3351
Improve Error Message
...
Closes gh-13667
2023-08-20 22:53:57 -06:00
ed96e2cddf
Ignore Unmappable Servlets
...
Closes gh-13666
2023-08-20 22:53:55 -06:00
8d58113b61
Merge branch '6.1.x'
...
Closes gh-13656
2023-08-16 17:54:55 -06:00
d2d1f19133
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13655
2023-08-16 17:54:37 -06:00
ca0140c586
saml2Login Honors AuthenticationProvider bean
...
Closes gh-13654
2023-08-16 17:54:14 -06:00
3ba5cc0e40
Add CSRF Exception
...
Issue gh-13653
2023-08-16 16:54:50 -06:00
87ae2d41b3
Update Mockito Usage
...
Issue gh-13542
2023-08-16 16:30:43 -06:00
985e569685
Polish gh-13608
2023-08-10 17:30:54 -05:00
6353d90047
Add integrity attribute for signin.css
...
Closes gh-13486
2023-08-10 17:30:52 -05:00
5828e4e65c
Simplify OAuth2 Client configuration
...
Issue gh-11783
2023-08-09 14:14:09 -05:00
f3d90b38e2
Add OAuth2AuthorizedClientManager Registrar
2023-08-09 14:14:09 -05:00
75e0068925
Merge branch '6.1.x'
2023-08-07 16:03:55 -06:00
8d4a024809
Update Copyright
...
PR gh-13472
2023-08-07 16:00:56 -06:00
cd6f33c03e
Using putIfAbsent instead of put
2023-08-07 16:00:18 -06:00
12c64a9b1d
Merge branch '6.1.x'
...
Dependencies are resolved from appropriate repositories
Closes gh-13624
2023-08-07 09:55:18 -05:00
d4d715d8e1
Merge branch '6.0.x' into 6.1.x
...
Dependencies are resolved from appropriate repositories
Closes gh-13623
2023-08-07 09:54:27 -05:00
4257a97504
Merge branch '5.8.x' into 6.0.x
...
Dependencies are resolved from appropriate repositories
Closes gh-13622
2023-08-07 09:51:55 -05:00
30bc2634d7
Optimize configuration of project repositories
...
This change applies repository content filtering to configured
repositories, reducing the time spent during dependency resolution.
This fixes an issue where requests for 'org.opensaml',
'net.shibboleth.utilities' and 'net.minidev' dependencies were being
made in the Spring releases repositories, resulting in many failed
requests during dependency resolution and increased resolution times.
Closes gh-13582
2023-08-07 09:51:42 -05:00
33d904d708
Merge branch '6.1.x'
...
Closes gh-13581
2023-07-24 11:32:23 -06:00
442d3fb99d
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13580
2023-07-24 11:31:52 -06:00
ee13216882
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13579
2023-07-24 11:31:29 -06:00
c4f061c63d
Do Not Re-register Method Security Advisors
...
Closes gh-13572
2023-07-24 11:24:03 -06:00
9dc7bdd329
Merge branch '6.1.x'
2023-07-17 11:21:06 -06:00
cf2c8da3d5
Merge branch '6.0.x' into 6.1.x
2023-07-17 11:10:04 -06:00
fe7bee9236
Merge branch '5.8.x' into 6.0.x
2023-07-17 11:09:38 -06:00
bb46a54270
Add DispatcherServlet to Tests
...
Issue gh-13551
2023-07-17 10:58:30 -06:00
df239b6448
Improve RequestMatcher Validation
...
Closes gh-13551
2023-07-17 08:41:30 -06:00
8f5793afb1
Merge branch '6.1.x'
2023-07-17 09:17:10 -03:00
aaa31312bd
Merge branch '6.0.x' into 6.1.x
2023-07-17 09:16:45 -03:00
cbef118026
Merge branch '5.8.x' into 6.0.x
2023-07-17 09:16:20 -03:00
a939f17890
Merge branch '5.7.x' into 5.8.x
2023-07-17 09:15:56 -03:00
fe9bc26bdc
Merge branch '5.6.x' into 5.7.x
2023-07-17 09:13:28 -03:00
7813a9ba26
Use default PathPatternParser instance
2023-07-17 09:12:28 -03:00
b3ad2b0dc5
Don't Mock OAuth2AuthorizedClientRepository
...
Issue gh-13542
Issue gh-13546
2023-07-14 18:44:35 -06:00
b0022a0ae8
Update Mockito Usage
...
Issue gh-13542
2023-07-14 18:44:34 -06:00
cf79af2386
Update Kotlin Test Usage
...
Issue gh-13539
2023-07-14 18:38:58 -06:00
6c3636d780
Update Removed Usages
...
Issue gh-13544
2023-07-14 18:38:58 -06:00
30d09c5192
Merge branch '6.1.x'
...
Closes gh-13495
2023-07-12 14:31:56 -03:00
f62c9d3be6
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13494
2023-07-12 14:31:45 -03:00
933b302979
Fix once-per-request="true" not taking any effect
...
Closes gh-13491
2023-07-12 14:30:18 -03:00
8d0e426654
Generate Shared Test SAML Response
...
Issue gh-13433
2023-07-11 10:36:06 -06:00
f2f19270da
Update to OpenSAML 4.3.0
...
Closes gh-13433
2023-07-10 17:56:42 -06:00
a0540f5c65
Deprecate AbstractConfiguredSecurityBuilder#apply
...
Closes gh-13436
2023-06-30 11:53:47 -03:00
1ff5eb6b57
Add with() method to apply SecurityConfigurerAdapter
...
This method is intended to replace .apply() because it will not be possible to chain configurations when .and() gets removed
Closes gh-13204
2023-06-29 14:52:30 -03:00
4855290a76
Merge branch '6.1.x'
2023-06-29 10:31:25 -06:00
87e07d59da
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13199
2023-06-29 10:08:10 -06:00
1abfd2c801
Only Register as Advisor in Proxy Mode
...
Now that https://github.com/spring-projects/spring-framework/issues/30689
is addressed.
Closes gh-13198
2023-06-29 10:07:11 -06:00
618847418f
Automatically enable .cors() if CorsConfigurationSource bean is present
...
Closes gh-5011
2023-06-23 09:51:46 -03:00
52e12ad64b
Replace deprecated methods
2023-06-22 13:19:55 -06:00
8efdc5c926
Polish Contribution
...
Issue gh-13215
2023-06-22 16:00:47 -03:00
401058d5ff
Implemented AuthorizeHttpRequestsConfigurer to consider GrantedAuthorityDefaults for custom rolePrefix
...
Closes gh-13215
2023-06-22 16:00:46 -03:00
c5461b17de
EnableMethodSecurity annotation does not get imported when defined as a meta-annotation
...
Closes gh-12870
2023-06-22 15:15:25 -03:00
208fb62db9
Update Deprecated Usage
...
Issue gh-12629
2023-06-22 11:24:25 -06:00
9b603b99ab
Using modern Java features
2023-06-22 11:24:25 -06:00
7e01ebdd92
Remove LazyCsrfTokenRepository usage
...
Closes gh-13194
2023-06-22 11:23:35 -06:00
fb910e2997
Prepare for Spring Security 6.2
...
Closes gh-14316
2023-06-22 11:03:28 -06:00
acf1d34d94
Merge branch '6.0.x'
2023-06-19 11:13:57 -03:00
2686af0c4d
Revert "Only Register as Advisor in Proxy Mode"
...
This reverts commit 35ad1f85
2023-06-19 11:13:39 -03:00
fc1e465fd0
Merge branch '6.0.x'
2023-06-05 13:34:58 -06:00
c053f6f0c6
Make eclipse/vscode project import work
...
- Gradle projects contain cycles which comes from dependencies to
test sources which is not a problem in gradle but eclipse metadata
generation is getting confused. Thus we need settings to relax errors
org.eclipse.jdt.core.circularClasspath=warning
org.eclipse.jdt.core.incompleteClasspath=warning
- Additionally .classpath entries needs to be changes having
without_test_code=false
test=false
- Aspects end up getting source dirs `build/classes/java/main`
and `build/resources/main` which never have sources. Vscode complains
about that, eclipse is fine. Remove those from entries.
- In tests `htmlunit` depends on `xml-apis`. `xml-apis` are now part
of jdk and eclipse complains about that. Excluse these in a gradle build.
- Both eclipse and vscode don't currently work with buildship, due to
project cycles and buildship cannot be configured. It's possible to
create metadata from `eclipse` task manually which then can be imported.
For this we need to disable automatic import in vscode using buildship.
This goes to `.vscode/settings.json` workspace config.
- Then with these changes user can do something like
git clean -fxd && ./gradlew clean build cleanEclipse eclipse -x checkstyleNohttp -x test -x integrationTest
and import projects manually.
2023-06-05 13:34:30 -06:00
a939fa63a1
Merge branch '6.0.x'
...
Closes gh-13282
2023-06-05 16:04:27 -03:00
4e3517e03a
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13281
2023-06-05 16:03:58 -03:00
b47420f8a2
Merge branch '5.7.x' into 5.8.x
...
Closes gh-13280
2023-06-05 16:02:30 -03:00
7250abc185
Does not apply a Configurer when disabled from another DSL
...
Closes gh-13203
2023-06-05 16:01:20 -03:00
537e10cf9c
Improve javadoc adding how to stick with defaults and link to documentation
...
Closes gh-13273
2023-06-02 15:05:17 -03:00
f566ed0afd
Update Symlink for 6.1
...
Issue gh-13131
2023-05-24 14:44:42 -06:00
ff0c82b019
Merge branch '6.0.x'
2023-05-24 14:41:55 -06:00
71703dc371
Update Symlink for 6.0
...
Issue gh-13131
2023-05-24 14:40:50 -06:00
90b37d6d07
Merge branch '5.8.x' into 6.0.x
2023-05-24 14:38:23 -06:00
73cb9862ad
Update Symlink for 5.8
...
Issue gh-13131
2023-05-24 14:37:18 -06:00
be409ada10
Merge branch '6.0.x'
...
Closes gh-13209
2023-05-22 15:43:43 -06:00
7c54c0e4fa
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13208
2023-05-22 15:43:27 -06:00
62ede47d86
Merge branch '5.7.x' into 5.8.x
...
Closes gh-13207
2023-05-22 15:42:36 -06:00
1eefd433b6
Add spring-security.xsd symlink
...
Closes gh-13131
2023-05-22 15:42:02 -06:00
31f1604f66
Merge branch '6.0.x'
...
Closes gh-13199
2023-05-19 16:44:18 -06:00
7efa275abc
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13198
2023-05-19 16:43:57 -06:00
35ad1f857e
Only Register as Advisor in Proxy Mode
...
Closes gh-13160
2023-05-19 16:33:46 -06:00
49366907e2
Merge branch '6.0.x'
...
Closes gh-13183
2023-05-15 17:31:48 -06:00
b438bc5384
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13182
2023-05-15 17:30:14 -06:00
f4915890cc
Use Spec Order for Verifying Signatures
...
Closes gh-12346
2023-05-15 17:24:22 -06:00
5814f614c7
Merge branch '6.0.x'
...
Closes gh-13128
2023-05-02 16:56:37 -06:00
46ad9c122e
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13127
2023-05-02 16:56:06 -06:00
e9a02bc6e9
RememberMeConfigurer Picks Up SecurityContextRepository
...
Closes gh-13104
2023-05-02 16:46:35 -06:00
45efd48b93
Merge branch '6.0.x'
...
Closes gh-13122
2023-05-02 10:13:24 -03:00
69338ecdfa
Only Observe AuthenticationManager if it is not null
...
Closes gh-13084
2023-05-02 10:12:46 -03:00
a44e91d044
fix javadoc typo
2023-04-24 16:41:17 -06:00
f261242db1
Merge branch '5.7.x' into 5.8.x
2023-04-24 16:33:29 -06:00
caa4093619
Fix javadoc for migration from WebSecurityConfigurerAdapter
2023-04-24 16:32:16 -06:00
dd14bbb365
Merge branch '6.0.x'
2023-04-18 12:42:55 -06:00
1e25756ee6
Fix Import Order
2023-04-18 12:42:25 -06:00
68b198f091
Merge branch '6.0.x'
2023-04-18 12:20:44 -06:00
64542b4059
Polish X509 SecurityContextRepository
...
Like Basic and Bearer authentication, X509 is
stateless by default. As such, it is better to not
pick up the global SecurityContextRepository bean.
The better fix is to change the default from
HttpSessionSecurityContextRepository to
RequestAttributeSecurityContextRepository.
Issue gh-13008
2023-04-18 12:18:20 -06:00
c79f04cd11
Merge branch '6.0.x'
...
Closes gh-13063
2023-04-17 17:07:32 -06:00
c3479ddb45
Pick Up SecurityContextRepository
...
Closes gh-13008
2023-04-17 17:06:06 -06:00
04b3d07319
Merge branch '6.0.x'
2023-04-17 07:30:54 -03:00
a484044591
Merge branch '5.8.x' into 6.0.x
2023-04-17 07:29:42 -03:00
6cf8c53aaa
Merge branch '5.7.x' into 5.8.x
2023-04-17 07:16:47 -03:00
2d52fb8e4b
Clear Repository on Logout
2023-04-17 06:47:57 -03:00
82a149207d
Deprecate .and() and non lambda DSL methods
...
Closes gh-12629
2023-04-14 15:50:58 -03:00
1a4a2a9055
Merge branch '5.8.x' into 6.0.x
2023-04-14 13:32:10 -03:00
54117d7d27
Fix test suffix to align with checkstyle
2023-04-14 13:29:15 -03:00
01d1e20dc3
Deprecate shouldFilterAllDispatcherTypes
...
Closes gh-12138
2023-04-13 15:05:10 -03:00
57e134cc5f
Merge branch '6.0.x'
2023-03-22 10:12:28 -03:00
67645b32f4
Merge branch '5.8.x' into 6.0.x
2023-03-22 10:12:11 -03:00
fd65dc6756
Merge branch '5.7.x' into 5.8.x
2023-03-22 10:08:17 -03:00
5eefe9dcff
Fix typo in SessionManagementConfigurer javadoc
2023-03-22 10:07:44 -03:00
ca9139b68f
Merge branch '6.0.x'
2023-03-20 17:02:15 -06:00
cbb4e40166
fix typo in RequestCacheResultMatcher
2023-03-20 17:02:00 -06:00
a4bc0a6f3c
Polish
...
- Add POST /login assertion
- Rearrange test and config class
Issue gh-12552
2023-03-20 14:31:13 -06:00
e2332d9620
Add disable to FormLoginDsl
...
Closes gh-12552
2023-03-20 14:31:13 -06:00
a7562ad950
Update io.spring.javaformat to 0.0.38
...
Closes gh-12891
2023-03-20 10:44:35 -06:00
3ad6c6ce06
Use EntityId-lookup Components
...
Closes gh-12880
2023-03-17 18:00:02 -06:00
46452c0cae
Add saml2Metadata
...
Closes gh-11828
2023-03-17 18:00:02 -06:00
e0284a4503
Fix CAS packages for 4.0.1 and Jasig references
...
Issue gh-11674
2023-03-01 17:21:24 -03:00
b4d3ac6665
Revert "Remove CAS module"
...
This reverts commit caf4c471
2023-03-01 17:21:23 -03:00
f5a4b520d1
Merge branch '6.0.x'
...
Closes gh-12781
2023-02-24 11:04:03 -07:00
bbd31f0e33
Defer ObservationRegistry Lookup
...
Closes gh-12780
2023-02-24 11:03:32 -07:00
963a18a27f
Merge branch '6.0.x'
...
Closes gh-12778
2023-02-23 15:17:47 -03:00
7d22e02593
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12777
2023-02-23 15:17:25 -03:00
97ba596ca3
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12776
2023-02-23 15:17:04 -03:00
1c3ce1e401
Fix entity-id ignored in RelyingPartyRegistration XML config
...
Closes gh-11898
2023-02-23 15:16:40 -03:00
afb5a4ae2c
Merge branch '6.0.x'
...
Closes gh-12688
2023-02-16 14:56:55 -07:00
cedb9fd199
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12687
2023-02-16 14:56:32 -07:00
0baf650f38
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12686
2023-02-16 14:55:22 -07:00
000b4bc495
Fix NPE in HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter
...
Before the fix, these methods would throw a NPE in case when the filter class passed as the second parameter, is not registered yet.
In particular, this exception can occur when mixing standard and custom DSL to register filters.
The fix doesn't change the situation that standard DSL for registration of filters cannot refer to filters that are registered via custom DSL even though those calls were done earlier.
It just provides more user-friendly error handling for this and most likely other scenarios of calls of HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter.
The error handling is implemented similarly to HttpSecurity#addFilter.
Closes gh-12637
2023-02-16 14:54:44 -07:00
cef13a6a16
Fix Javadoc Type Parameter
2023-02-15 15:31:09 -07:00
c79dac49ca
Fix Typo
2023-02-15 15:31:09 -07:00
d91837eadc
Merge branch '6.0.x'
...
Closes gh-12641
2023-02-07 12:46:42 -07:00
7dd5cc6082
Pick Up Custom SecurityContextRespository
...
Closes gh-12579
2023-02-07 12:46:12 -07:00
c66370c092
Update javadoc in EnableWebSecurity
2023-02-07 12:45:23 -07:00
eb35d3055f
Merge branch '6.0.x'
...
Closes gh-12640
2023-02-07 09:25:33 -03:00
52ed165476
Move classpath checks to class member variable
...
Closes gh-11437
2023-02-07 09:25:06 -03:00
da28a426f2
Merge branch '6.0.x'
...
Closes gh-12625
2023-02-03 14:35:08 -03:00
3572111cf5
Add JwtDecoder hint for oauth2Login
...
Closes gh-12615
2023-02-03 14:34:32 -03:00
59829321a8
Allow configuring SecurityContextRepository for BasicAuthenticationFilter
...
Closes gh-12031
2023-02-03 10:09:16 -06:00
6abbdd3654
Merge branch '6.0.x'
2023-01-26 15:55:41 -06:00
13487be268
Default to XorCsrfChannelInterceptor in 6.0.x
...
Closes gh-12378
2023-01-26 15:45:04 -06:00
1363a4eece
Merge branch '5.8.x' into 6.0.x
2023-01-26 15:44:47 -06:00
1243d1327e
Merge branch '6.0.x'
...
Closes gh-12593
2023-01-26 14:09:19 -07:00
c3563df25a
Include HttpStatusRequestRequestedHandler
...
Closes gh-12548
2023-01-26 14:07:22 -07:00
66711f2365
Add RequestRejectedHandler Test
...
Issue gh-12548
2023-01-26 13:07:16 -07:00
c306df9b46
Add XorCsrfChannelInterceptor
...
Issue gh-12378
2023-01-23 16:00:35 -06:00
d84b8d2d12
AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context
...
Closes gh-12473
2023-01-10 10:54:37 -07:00
e61b17fe13
Merge branch '6.0.x'
...
Closes gh-12514
2023-01-10 10:21:38 -07:00
5b6b3d585f
Change EnableReactiveMethodSecurity Defaults
...
Closes gh-12506
2023-01-10 08:30:52 -07:00
e139f1c2ba
Polish gh-12438
2022-12-22 11:16:19 -05:00
919280b3e4
Allow ServerOAuth2AuthorizationRequestResolver to be set on oauth2 client configuration
...
Closes gh-12430
2022-12-22 10:12:18 -05:00
ca333203aa
Merge branch '6.0.x'
...
Closes gh-12372
2022-12-14 10:30:55 -03:00
7080ea652f
Add hints for ProxyFactoryBean AuthenticationManager
...
Closes gh-12367
2022-12-14 10:16:04 -03:00
03438ffc03
Merge branch '6.0.x'
2022-12-05 14:57:43 -08:00
f1698ec188
Fix removed code by merge
2022-12-05 14:57:28 -08:00
0fdcde2d6f
Merge branch '6.0.x'
2022-12-05 14:42:42 -08:00
2fdf762726
Merge branch '5.8.x' into 6.0.x
2022-12-05 14:41:59 -08:00
7aaa25b88e
Merge branch '5.7.x' into 5.8.x
2022-12-05 14:40:54 -08:00
fc25b87967
Merge branch '5.6.x' into 5.7.x
2022-12-05 14:40:38 -08:00
f39f215140
Replace javadoc with SecurityFilterChain bean definition
2022-12-05 14:40:05 -08:00
a5464ed819
Fix typo in DefaultLoginPageConfigurer Javadoc
...
'isLogoutRequest' seems to have nothing to do here.
2022-12-05 14:31:15 -08:00
e6173f9e5b
Prepare for Spring Security 6.1
2022-11-28 15:47:10 -03:00
e774bd480b
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12261
2022-11-21 10:25:43 -03:00
f561d3784e
Improve deprecation notice in WebSecurityConfigurerAdapter
...
Closes gh-12260
2022-11-21 10:05:08 -03:00
dd9f954ace
Fix tests in CsrfConfigurerTests
...
Closes gh-12241
2022-11-18 14:58:41 -06:00
5da78f44f2
Merge branch '5.8.x'
2022-11-18 14:54:33 -06:00
ea6ce05662
Add configurer tests for CookieCsrfTokenRepository
...
Issue gh-12236
2022-11-18 13:12:59 -06:00
2ed7cff643
Check for existing token before clearing
...
Closes gh-12236
2022-11-18 13:12:59 -06:00
e08ed89403
Polish Span and Meter Names
...
Closes gh-12156
2022-11-17 15:09:52 -07:00
222f8ae1a5
Merge branch '5.8.x'
2022-11-16 16:54:32 -06:00
2301e8ca77
Fix Javadoc in EnableWebSocketSecurity
...
Add missing method name in EnableWebSocketSecurity JavaDoc code example.
2022-11-16 16:51:42 -06:00
c45cd6ec9f
Defer ObservationRegistry Resolution
...
- If Method Security asks for too early, it is no longer
eligible for post-processing. As such, this commit defers loading it until
the first authorization request.
Issue gh-11990
2022-11-09 22:07:57 -07:00
3b5d19c8a4
Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1
...
Closes gh-12146
Closes gh-12148
2022-11-08 08:34:21 -03:00
72c25332a5
Fix authenticationFailureHandler customization tests
...
Issue gh-12132
2022-11-03 10:32:38 -03:00
fc8e20b89f
Merge branch '5.8.x'
...
Closes gh-12133
2022-11-02 15:49:18 -06:00
3192618220
Add authenticationFailureHandler
...
- To ServerHttpSecurity#httpBasic
- To ServerHttpSecurity#oauthResourceServer
Closes gh-12132
2022-11-02 15:35:01 -06:00
983f1d4efb
Merge branch '5.8.x'
...
Closes gh-12127
2022-11-01 18:08:08 -06:00
6622e0135a
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12126
2022-11-01 18:06:41 -06:00
6efac34ca7
Merge branch '5.6.x' into 5.7.x
...
Closes gh-12125
2022-11-01 18:06:01 -06:00
5c4362bbc4
Refresh parsers when not found
...
Closes gh-3065
2022-11-01 18:05:15 -06:00
d860775b45
Document Defer load CsrfToken
...
Closes gh-12105
2022-10-28 15:41:25 -05:00
abe68abfe4
Merge remote-tracking branch 'origin/5.8.x'
2022-10-26 17:13:02 -06:00
bd4e0fb5db
Set LogoutRequestRepository on Saml2 LogoutSuccessHandler
...
Closes gh-11363
2022-10-26 16:44:23 -06:00
9cb668aec2
SessionManagementConfigurer properly defaults SecurityContextRepository
...
Previously the default was an HttpSessionSecurityContextRepository which
meant that if a stateless authentication occurred the SecurityContext would
be lost on ERROR dispatch.
This commit ensures that the RequestAttributeSecurityContextRepository is
also consulted by default.
Closes gh-12070
2022-10-20 10:57:47 -05:00
a4858d9eaa
Add SpringTestContext.addFilter
...
Add SpringTestContext.addFilter which allows Spring Security's tests
to specify a Filter to be added to the SpringTestContext.
Closes gh-12071
2022-10-20 10:54:24 -05:00
33b492df54
Default to DelegatingSecurityContextRepository
...
Closes gh-12023
Closes gh-12049
2022-10-17 20:04:43 -05:00
bd43c1f28a
Merge branch '5.8.x'
...
# Conflicts:
# web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
# web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
c75ca10900
Add DeferredSecurityContext
...
Issue gh-12023
2022-10-17 19:33:58 -05:00
819529f5ea
Remove CsrfSpec.tokenFromMultipartDataEnabled
...
Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled
Closes gh-12020
2022-10-13 11:29:15 -05:00
753e113a13
RequestMatcherDelegatingAuthorizationManager defaults to deny
...
Closes gh-11958
2022-10-13 11:12:00 -04:00
2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
...
Closes gh-11960
2022-10-13 09:39:57 -05:00
2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
...
Issue gh-11960
2022-10-13 09:39:55 -05:00
2713075d08
Mark Observations with Firewall Failures
...
Closes gh-11994
2022-10-12 20:32:24 -06:00
46ab84684b
Mark Observations with CSRF Failures
...
Closes gh-11993
2022-10-12 20:32:23 -06:00
99a87179dd
Instrument Filter Chain
...
Closes gh-11911
2022-10-12 20:32:22 -06:00
8c610684f3
Instrument Authentication and Authorization
...
Closes gh-11989
Closes gh-11990
2022-10-12 20:32:21 -06:00
7c872cf7fd
Merge branch '5.8.x'
2022-10-12 15:02:40 -05:00
440748ec65
Add test support for Xor CSRF tokens
...
Issue gh-4001
2022-10-12 15:02:15 -05:00
27059ced87
Default X-Xss-Protection header value to "0"
...
Closes gh-9631
2022-10-07 17:42:55 -05:00
dcda899c8c
Merge branch '5.8.x'
2022-10-07 17:40:37 -05:00
37fa49b32d
Polish gh-11952
2022-10-07 17:40:12 -05:00
6753f9745e
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
# docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
f462134e87
Add reactive support for BREACH
...
Closes gh-11959
2022-10-07 16:34:17 -05:00
f4ca90e719
Add reactive interfaces for CSRF request handling
...
Issue gh-11959
2022-10-07 16:34:16 -05:00
398f5dee7f
Remove deprecated RequestMatcher methods from Java Configuration
...
Closes gh-11939
2022-10-07 15:26:46 -03:00
9fd195d419
Default to shouldFilterAllDispatcherTypes=true in XML
...
Closes gh-11970
2022-10-07 11:46:20 -03:00
146d3269bc
Merge branch '5.8.x'
...
Closes gh-11971
2022-10-07 10:28:14 -03:00
f3321c256c
Add XML support for shouldFilterAllDispatcherTypes
...
Closes gh-11492
2022-10-07 10:20:32 -03:00
f650ebe545
Merge branch '5.8.x'
2022-10-06 13:50:50 -03:00
8a5aed2983
Add deprecation warning to CsrfDsl#ignoringAntMatchers
...
Issue gh-11347
2022-10-06 13:50:38 -03:00
d6302aabbc
Merge branch '5.8.x'
2022-10-06 13:21:52 -03:00
bc4ad52feb
Add deprecation warning to mvcMatchers methods
...
Issue gh-11347
2022-10-06 13:21:27 -03:00
12b9f2e196
use-authorization-manager defaults to true
...
Closes gh-11929
2022-10-06 08:12:46 -06:00
52ab2303da
Fix failing test
...
Issue gh-11061
2022-10-06 09:28:06 -03:00
c4d23f2b49
Use MvcRequestMatcher by default if Spring MVC is present
...
Closes gh-11899
2022-10-06 09:12:04 -03:00
12ac7acb2c
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 23:53:40 -06:00
2079309c5a
Add SecurityContextHolderStrategy XML Configuration for OAuth2
...
Issue gh-11061
2022-10-05 23:50:59 -06:00
7543effe89
Add SecurityContextHolderStrategy Java Configuration for OAuth2
...
Issue gh-11061
2022-10-05 23:50:58 -06:00
7e3841105b
Add SecurityContextHolderStrategy XML Configuration for Saml2
...
Issue gh-11061
2022-10-05 23:50:57 -06:00
19181a5afd
Add SecurityContextHolderStrategy Java Configuration for Saml2
...
Issue gh-11061
2022-10-05 23:50:56 -06:00
0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy
...
Issue gh-11061
2022-10-05 23:38:14 -06:00
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 22:48:33 -06:00
b4d13e7726
Polish use-authorization-manager
...
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together
Issue gh-11305
2022-10-05 22:21:09 -06:00
7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests
...
Issue gh-11665
2022-10-05 22:18:41 -06:00
8b490de08d
Merge branch '5.8.x'
...
# Conflicts:
# docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
dce1c30522
Add support for BREACH
...
Closes gh-4001
2022-10-05 14:21:13 -05:00
6bbf20be93
Fix failing tests
...
Issue gh-11952
2022-10-05 14:19:40 -05:00
a7000a053b
Merge branch '5.8.x'
2022-10-05 13:46:26 -05:00
1d706ae13d
Add csrfTokenRequestResolver to CsrfDsl
...
Closes gh-11952
2022-10-05 13:35:23 -05:00
c2ed65c67a
Fix failing tests
...
Issue gh-9159
2022-10-05 14:59:33 -03:00
22ba358e57
Merge branch '5.8.x'
2022-10-05 13:44:54 -03:00
bf6e85ec15
Accept String varargs in securityMatcher
...
Issue gh-9159
2022-10-05 13:44:08 -03:00
76d7a85bc0
Use modified classpath test support for tests that depend on the classpath
...
Issue gh-11347
2022-10-04 15:32:19 -03:00
77dcc691b3
Add modified classpath test support
...
Closes gh-11951
2022-10-04 15:32:18 -03:00
5002199be3
Revert "Disable tests that need Spring MVC mocked in classpath"
...
This reverts commit c6978fba7c
2022-10-04 15:32:18 -03:00
35f7e46d05
Remove WebSecurityConfigurerAdapter
...
Closes gh-10902
2022-10-04 15:13:04 -03:00
3bc76815c2
Update csrf.request-handler-ref in 6.0
...
Issue gh-11918
2022-10-04 11:24:54 -05:00
5de6da890b
Merge branch '5.8.x'
...
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
c6978fba7c
Disable tests that need Spring MVC mocked in classpath
...
Issue gh-11347
2022-10-04 08:56:06 -03:00
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
...
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler
Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
c847efd3fd
Fix servlet import
...
Issue gh-11347
Issue gh-9159
2022-10-03 15:10:56 -05:00
c98de7af2f
Add xss-protection.header-value in 6.0
...
Issue gh-9631
2022-10-03 14:31:04 -05:00
7c3cc1e386
Merge branch '5.8.x'
2022-10-03 14:29:51 -05:00
0e215a21ad
Add X-Xss-Protection headerValue to XML config
...
Issue gh-9631
2022-10-03 14:29:34 -05:00
ad2abd39dc
Merge branch '5.8.x'
...
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
039e0328e1
Simplify Java Configuration RequestMatcher Usage
...
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity
Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
d9a682a414
Polish gh-11896
2022-10-03 10:00:43 -05:00
bf9339d88e
Merge branch '5.8.x'
2022-10-03 09:57:40 -05:00
7f9600ae08
Polish gh-11896
2022-10-03 09:57:08 -05:00
5f2744db33
Merge branch '5.8.x'
...
Closes gh-11937
2022-10-03 11:43:22 -03:00
64a19de4dc
Deprecate HPKP security header
...
Closes gh-10144
2022-10-03 11:36:19 -03:00
4479cefade
Default Require Explicit Session Management = true
...
Closes gh-11763
2022-09-30 21:49:05 -05:00
0d58c5180e
Remove Explicit RequestCache Config from DeferHttpSession Tests
...
Issue gh-11757
2022-09-30 21:49:05 -05:00
12a0ccf6de
Remove Explicit CSRF Config from DeferHttpSessionTests
...
Issue gh-11764
2022-09-30 21:49:04 -05:00
617353eaa8
Merge branch '5.8.x'
...
Closes gh-11928
2022-09-30 21:46:26 -05:00
6d56af7b65
SessionManagementDsl.requireExplicitAuthenticationStrategy
2022-09-30 21:37:44 -05:00
76fbca9f46
Merge branch '5.8.x'
2022-09-30 09:50:02 -05:00
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
...
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".
This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.
This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.
Issue gh-9631
2022-09-30 09:38:08 -05:00
3bfdf6dd0f
Merge branch '5.8.x'
...
Closes gh-11922
2022-09-29 11:21:24 -03:00
cf3349f31a
Configure ContentNegotiationStrategy in HttpSecurityConfiguration
...
Closes gh-11916
2022-09-29 11:21:08 -03:00
506e50bfd0
Move Saml2 Authentication Filters
...
Issue gh-8819
2022-09-26 10:44:27 -06:00
181ee7410b
Change default authority for oauth2Login()
...
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.
* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER
Documentation has been updated to include this implementation detail.
Closes gh-7856
2022-09-26 10:06:31 -05:00
37a160245f
Adjust OAuth2 Resource Server packaging
...
Closes gh-7349
2022-09-23 16:31:21 -06:00
21c0c73878
Remove request-resolver-ref in 6.0
...
Issue gh-11896
2022-09-23 16:04:35 -05:00
bcb21c9384
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
...
Closes gh-11896
2022-09-23 15:09:00 -05:00
3c66ef6305
Change default SecurityContextRepository
...
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.
Closes gh-11026
2022-09-22 17:31:14 -05:00
0efe26c1fd
Merge branch '5.8.x'
...
Closes gh-11894
2022-09-22 13:47:04 -05:00
d94677f87e
CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
...
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.
Closes gh-11892
2022-09-22 11:09:44 -05:00
44b7847258
Fix Import Order
...
Issue gh-8819
2022-09-21 09:08:41 -06:00
70460ca009
Adjust OAuth2 Resource Server packaging
...
Closes gh-7349
2022-09-20 17:44:05 -06:00
61c80bcac5
Move Saml2 Authentication Filters
...
Closes gh-8819
2022-09-20 17:18:05 -06:00
48e31f87e4
Remove Deprecated OpenSAML 3 Support
...
Closes gh-10556
2022-09-20 16:57:38 -06:00
46f402243b
Merge remote-tracking branch 'origin/5.8.x'
2022-09-20 16:11:16 -06:00
3f8503f1b4
Deprecate AccessDecisionManager et al
...
Closes gh-11302
2022-09-20 16:09:59 -06:00
bd18c05a27
Use mock class instead of interface on mock's return
...
Issue gh-11860
2022-09-16 15:57:43 -03:00
1a1a8a7a46
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt
2022-09-14 14:11:10 -05:00
45bbd86f7e
HttpSecurityDsl should support apply method
...
Closes gh-11754
2022-09-14 13:58:42 -05:00
1aee40dcca
Polish gh-11665
...
* Add authentication-converter-ref to 6.0
* Add @Configuration to test configs
2022-09-14 10:41:42 -05:00
2431dd1103
Merge branch '5.8.x'
2022-09-13 17:38:10 -05:00
355ef21117
Polish gh-11665
2022-09-13 16:45:39 -05:00
1efb63387f
Add authentication converter for introspected tokens
...
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).
The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).
The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.
Closes gh-11661
2022-09-13 16:45:36 -05:00
088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
...
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
ed41a60aae
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
# config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
# web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
86fbb8db07
Add new interfaces for CSRF request processing
...
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
7bf2d3dc4e
Update DeferHttpSession Tests
...
Closes gh-11764
2022-08-31 14:40:06 -05:00
7d6552b3f4
gh-11772
2022-08-31 13:33:53 -05:00
3de421be3a
Remove setAuthenticationManager from HttpSecurityConfiguration
...
Closes gh-11776
2022-08-31 15:14:45 -03:00
f1b79e08cb
Merge branch '5.8.x'
2022-08-30 13:10:51 -05:00
6b297cc3a3
Polish javadoc in Kotlin DSL
...
Issue gh-11646
2022-08-30 13:10:35 -05:00
3eac274317
Merge branch '5.8.x'
2022-08-30 12:59:19 -05:00
5bdbc3f78d
Polish javadoc in Kotlin DSL
...
Issue gh-11646
2022-08-30 12:53:37 -05:00
2e26e875c8
Remove WebSecurityConfigurerAdapter in Kotlin DSL
...
Issue gh-11277
Closes gh-11646
2022-08-30 12:53:18 -05:00
41ede20712
Add method-security.mode to spring-security-6.0.xsd
2022-08-29 16:05:20 -05:00
2efc8dcd15
Default Require Explicit Save SecurityContext
...
Closes gh-11762
2022-08-29 10:16:04 -05:00
b1fd9af723
Merge remote-tracking branch 'origin/5.8.x' into main
2022-08-26 16:01:40 -06:00
0f58620643
Add AspectJ AuthorizationManager Support
...
Closes gh-11326
2022-08-26 15:59:08 -06:00
f84f08c4b9
Default HttpSessionRequestCache.matchingRequestParameterName=continue
...
Closes gh-11757
2022-08-26 14:44:55 -05:00
210693eb6b
Add @Configuration
...
Issue gh-6613
Issue gh-9401
2022-08-25 15:30:48 -06:00
84f765a89c
Merge remote-tracking branch 'origin/5.8.x' into main
2022-08-25 14:46:48 -06:00
e990174c89
Polish ReactiveMethodSecurity Support
...
- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @Deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well
Issue gh-9401
Polish
2022-08-25 14:36:03 -06:00
cbb4f40f0c
ReactiveAuthorizationManager + Reactive Method Security
...
Closes gh-9401
2022-08-25 14:35:04 -06:00
670b71363d
Merge branch '5.8.x'
...
Closes gh-11749
2022-08-23 16:03:50 -05:00
2fb625db84
Remove mockito deprecations
...
Issue gh-11748
2022-08-23 15:59:52 -05:00
a8d6c1d21f
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:58:22 -03:00
c7912c551b
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:51:53 -03:00
0aac515737
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:35:41 -03:00
3826fca567
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:33:08 -03:00
888c65a936
Add DeferHttpSession*Tests
...
Closes gh-6125
2022-08-18 17:38:03 -05:00
81d6b6df6c
Add Explicit SessionAuthenticationStrategy Option
...
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.
This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.
Closes gh-11455
2022-08-18 17:38:03 -05:00
1de810a565
Add DeferHttpSession*Tests
...
Closes gh-6125
2022-08-18 17:00:47 -05:00
89f8310d6c
Add Explicit SessionAuthenticationStrategy Option
...
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.
This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.
Closes gh-11455
2022-08-18 17:00:47 -05:00
63d2f19e2a
Remove default value for access parameter
...
Closes gh-10957
2022-08-18 15:22:08 -03:00
af3d70f130
Remove GlobalMethodSecurityRuntimeHints
...
Closes gh-11714
2022-08-17 08:07:28 -03:00
ba50c50b4b
Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
...
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous
Closes gh-11509
2022-08-16 15:14:08 -06:00
5ecd513a57
Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
...
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous
Closes gh-11509
2022-08-16 15:12:47 -06:00
5cf42b1f2e
Defer CsrfFilter Session Access
...
Closes gh-11456
2022-08-16 13:48:20 -05:00
8ad20b1768
Add CsrfFilter.csrfRequestAttributeName
...
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.
This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.
Issue gh-11699
2022-08-16 13:47:31 -05:00
5b64526ba9
Add CsrfFilter.csrfRequestAttributeName
...
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.
This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.
Issue gh-11699
2022-08-15 17:07:02 -05:00
faf9fb7337
NamespaceLdapAuthenticationProviderTests use Dynamic Port
...
Closes gh-11710
2022-08-15 15:26:46 -05:00
9f00045638
NamespaceLdapAuthenticationProviderTests use Dynamic Port
...
Closes gh-11710
2022-08-15 15:26:30 -05:00
002a770f13
NamespaceLdapAuthenticationProviderTests use Dynamic Port
...
Closes gh-11710
2022-08-15 15:26:12 -05:00
ce778b0e20
NamespaceLdapAuthenticationProviderTests use Dynamic Port
...
Closes gh-11710
2022-08-15 15:25:15 -05:00
425b3501b7
Remove `@Configuration` from `@Enable*` Annotations
...
This removes `@Configuration` from all `@Enable` Annotations and explicitly
adds `@Configuration` to wherever the `@Enable*` Annotations are used.
Closes gh-11653
2022-08-09 17:00:24 -05:00
a5069d7e35
Fix Add @Configuration to @Enable*Security Usage
...
Issue gh-6613
2022-08-09 17:00:16 -05:00
2e66b9f6cc
Allow customization of redirect strategy
...
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.
Closes gh-11373
2022-08-08 15:44:01 -05:00
efaee4e56b
Allow customization of redirect strategy
...
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.
Closes gh-11373
2022-08-08 15:35:49 -05:00
ed58ac7d78
Add Conditions to Generating AuthnRequest
...
Closes gh-11657
2022-08-03 17:49:48 -06:00
9e8a04d414
Polish Tests
...
Issue gh-11657
2022-08-03 17:49:46 -06:00
c2d79fcbd6
Add Conditions to Generating AuthnRequest
...
Closes gh-11657
2022-08-03 17:34:31 -06:00
aa225943d2
Polish Tests
...
Issue gh-11657
2022-08-03 17:34:26 -06:00
f8971742f2
Remove FilterSecurityInterceptor from WebSecurity
...
Closes gh-11325
2022-08-02 15:34:02 -03:00
040111ae9e
Remove Configuration meta-annotation from Enable* annotations
...
Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration.
While convenient, this is not consistent with the rest of the Spring projects and most notably
Spring Framework's @Enable annotations. Additionally, the introduction of support for
@Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to
remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow
users to opt into their preferred configuration mode.
Closes gh-6613
Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org>
2022-07-30 03:48:42 +02:00
99f768bab9
Polish HttpSecurity
2022-07-29 17:43:00 -05:00
984355e637
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:43:00 -05:00
09173c95d6
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:43:00 -05:00
07ea139ebf
Polish HttpSecurity
2022-07-29 17:42:39 -05:00
67544f36f9
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:42:39 -05:00
05725af4d8
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:42:39 -05:00
15f525c614
Polish HttpSecurity
2022-07-29 17:42:20 -05:00
0c0c75ce22
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:42:20 -05:00
9861769b02
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:42:20 -05:00
7f2c797086
Add Deprecated annotation to WebSecurity#securityInterceptor
...
Closes gh-11634
2022-07-27 14:39:56 -03:00
e5ae35ab71
Add Deprecated annotation to WebSecurity#securityInterceptor
...
Closes gh-11634
2022-07-27 14:39:33 -03:00
a996dfc55b
Add Deprecated annotation to WebSecurity#securityInterceptor
...
Closes gh-11634
2022-07-27 14:38:50 -03:00
d66ad22652
Add Deprecated annotation to WebSecurity#securityInterceptor
...
Closes gh-11634
2022-07-27 14:32:44 -03:00
1f26f8c419
Update spring-data-jpa to 3.0.0-M5
...
Closes gh-11540
2022-07-15 14:37:24 -03:00
0c14a36ad6
Update Kotlin to 1.7.10
...
Closes gh-11374, gh-11534
2022-07-15 14:10:52 -03:00
d27322c9e0
Polish HttpSecurity Formatting
...
Issue gh-11360
2022-07-14 13:00:08 -06:00
c4b0e9bd74
Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer
...
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous
Closes gh-11360
2022-07-14 13:00:07 -06:00
5dff157755
Polish HttpSecurity Formatting
...
Issue gh-11360
2022-07-14 12:50:40 -06:00
400cd60368
Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer
...
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous
Closes gh-11360
2022-07-14 12:48:39 -06:00
42683693c0
Remove deprecated CustomUserTypesOAuth2UserService
...
Closes gh-11511
2022-07-14 14:28:41 -04:00
35fc437559
Add AuthorizationManager for protect-pointcut
...
Closes gh-11323
2022-07-14 09:25:49 -06:00
9b43316f4d
Polish InterceptMethodsBeanDefinitionDecorator
...
Issue gh-11328
2022-07-14 09:25:16 -06:00
a3326fc0ee
Remove deprecated implicit authorization grant type
...
Closes gh-11506
2022-07-14 10:05:15 -04:00
624fdfa731
Add AuthorizationManager for protect-pointcut
...
Closes gh-11323
2022-07-13 17:58:16 -06:00
51475e2583
Polish InterceptMethodsBeanDefinitionDecorator
...
Issue gh-11328
2022-07-13 17:57:38 -06:00
d3b8bacc3c
Polish InterceptMethodsBeanDefinitionDecorator
2022-07-13 11:38:50 -05:00
d85abc7bbb
Update javadoc in CommonOAuth2Provider
...
Closes gh-11490
2022-07-13 11:20:04 -04:00
7abea4a964
Add RuntimeHints suffix for RuntimeHintsRegistrar
...
Closes gh-11497
2022-07-13 10:14:43 -03:00
177baba8c9
RuntimeHintsPredicates moved to predicate package
2022-07-12 16:00:50 -04:00
6455e98745
FilterSecurityInterceptor applies to every request by default
...
Closes gh-11466
2022-07-12 10:53:03 -03:00
60652afb32
Polish InterceptMethodsBeanDefinitionDecorator
...
Issue gh-11328
2022-07-11 16:54:59 -06:00
7560a32460
Polish InterceptMethodsBeanDefinitionDecorator
...
Issue gh-11328
2022-07-11 16:39:41 -06:00
d2d5313bba
Fix Formatting
...
Issue gh-11327
2022-07-08 09:21:53 -05:00
c9a3d21b9b
Add Configuration Test
...
Issue gh-11327
2022-07-07 14:46:37 -06:00
e8a7b654b4
Add Configuration Test
...
Issue gh-11327
2022-07-07 14:42:07 -06:00
01ffc93062
Add AuthorizationFilter to filter chain validator
...
Closes gh-11327
2022-07-07 14:40:53 -06:00
ec8c13392c
Clarify variable names
...
Issue gh-11327
2022-07-07 14:26:40 -06:00
d27d431bbc
Add AuthorizationFilter to filter chain validator
...
Closes gh-11327
2022-07-07 13:52:36 -06:00
cdafa4ee21
Clarify variable names
...
Issue gh-11327
2022-07-07 13:38:42 -06:00
0c48b6bc7f
Use relative schema location for tests
...
Issue gh-11328
Issue gh-11353
Issue gh-11365
2022-07-07 13:03:20 -05:00
696da87478
Use relative schema location for tests
...
Issue gh-11328
Issue gh-11353
Issue gh-11365
2022-07-07 13:00:04 -05:00
148c926de0
Support AuthorizationManager for intercept-methods Element
...
Closes gh-11328
2022-07-06 13:01:57 -06:00
74a007dc91
Support AuthorizationManager for intercept-methods Element
...
Closes gh-11328
2022-07-06 12:54:05 -06:00
d96b4a0463
Set the useTrailingSlashMatch to true for tests
...
The Spring MVC changed the default behavior for trailing slash match
with https://github.com/spring-projects/spring-framework/issues/28552 .
This causes failures in Spring Security's tests.
Setting the `useTrailingSlashMatch` to `true` ensures that Spring
Security will work for users who have modified the default configuration.
Specifing the request mapper with trailing slash path ensures that the tests
are successful when default behavior is used.
Closes gh-11451
2022-07-05 11:29:36 -06:00
05b788d1ac
Use SecurityContextHolderStrategy for Concurrency Filter
...
Issue gh-11060
Issue gh-11061
2022-06-28 15:33:05 -06:00
03a5c3b08a
Use SecurityContextHolderStrategy for Concurrency Filter
...
Issue gh-11060
Issue gh-11061
2022-06-28 15:32:05 -06:00
d24a89ad53
Pick up SecurityContextHolderStrategy for WebClient integration
...
Issue gh-11061
2022-06-28 15:07:16 -06:00
e8723f1f43
Pick up SecurityContextHolderStrategy for WebClient integration
...
Issue gh-11061
2022-06-28 14:58:53 -06:00
a218d3e140
Use SecurityContextHolderStrategy for Async Requests
...
Issue gh-11060
Issue gh-11061
2022-06-28 14:56:55 -06:00
27de315e5e
Use SecurityContextHolderStrategy for Async Requests
...
Issue gh-11060
Issue gh-11061
2022-06-28 14:46:52 -06:00
83b3bb3209
Add SecurityContextHolderStrategy to Pre-authenticated scenarios
...
Issue gh-11060
Issue gh-11061
2022-06-28 12:10:07 -06:00
97cb2a7d91
Polish SecurityContextHolderStrategy XML Configuration for Defaults
...
Issue gh-11061
2022-06-28 12:09:56 -06:00
98995f2225
Add SecurityContextHolderStrategy to Pre-authenticated scenarios
...
Issue gh-11060
Issue gh-11061
2022-06-28 12:04:37 -06:00
b3be35da31
Polish SecurityContextHolderStrategy XML Configuration for Defaults
...
Issue gh-11061
2022-06-28 12:04:37 -06:00
944f565c16
Use SecurityContextHolderStrategy for Remember-me
...
Issue gh-11060
Isuse gh-11061
2022-06-28 11:09:38 -06:00
4a2d77d3f2
Use SecurityContextHolderStrategy for Remember-me
...
Issue gh-11060
Isuse gh-11061
2022-06-28 11:08:57 -06:00
b316a3217b
Add SecurityContextHolderStrategy for Jaas
...
Issue gh-11060
Issue gh-11061
2022-06-28 09:35:54 -06:00
ee66850aed
Add SecurityContextHolderStrategy for Jaas
...
Issue gh-11060
Issue gh-11061
2022-06-28 09:26:05 -06:00
bffe08465a
Add SecurityContextHolderStrategy XML Configuration for Messaging
...
Issue gh-11061
2022-06-27 16:24:27 -06:00
484f35ca39
Add SecurityContextHolderStrategy Java Configuration for Messaging
...
Issue gh-11061
2022-06-27 16:17:29 -06:00
74167d62b1
Add SecurityContextHolderStrategy XML Configuration for Messaging
...
Issue gh-11061
2022-06-27 15:55:28 -06:00
9292a13146
Add SecurityContextHolderStrategy Java Configuration for Messaging
...
Issue gh-11061
2022-06-27 15:55:28 -06:00
5e4e7abf15
Add SecurityContextHolderStrategy XML Configuration for Method Security
...
Issue gh-11061
2022-06-27 13:40:55 -06:00
74d646f569
Add SecurityContextHolderStrategy Java Configuration for Method Security
...
Issue gh-11061
2022-06-27 13:17:46 -06:00
ef29d3944e
Polish SecurityContextHolderStrategy Java Configuration for Defaults
...
Issue gh-11061
2022-06-27 13:17:44 -06:00
c29b91cec7
Polish SecurityContextHolderStrategy XML Configuration for Defaults
...
Issue gh-11061
2022-06-27 13:17:43 -06:00
652c35db2f
Add SecurityContextHolderStrategy XML Configuration for OAuth2
...
Issue gh-11061
2022-06-27 13:05:13 -06:00
1d22316574
Add SecurityContextHolderStrategy Java Configuration for OAuth2
...
Issue gh-11061
2022-06-27 13:05:13 -06:00
6c16ac101a
Add SecurityContextHolderStrategy XML Configuration for Saml2
...
Issue gh-11061
2022-06-27 13:05:12 -06:00
97253c9293
Add SecurityContextHolderStrategy Java Configuration for Saml2
...
Issue gh-11061
2022-06-27 13:05:11 -06:00
9cd7c7b046
Add SecurityContextHolderStrategy XML Configuration for Method Security
...
Issue gh-11061
2022-06-27 13:05:07 -06:00
da57bac061
Add SecurityContextHolderStrategy Java Configuration for Method Security
...
Issue gh-11061
2022-06-27 13:03:11 -06:00
fa0086d3b0
Polish SecurityContextHolderStrategy Java Configuration for Defaults
...
Issue gh-11061
2022-06-27 13:01:22 -06:00
8d681b3b80
Polish SecurityContextHolderStrategy XML Configuration for Defaults
...
Issue gh-11061
2022-06-27 13:00:20 -06:00
a8c30f79e6
Add Core, MVC and MethodSecurity runtime hints
...
Closes gh-11431
2022-06-27 09:25:49 -03:00
150b81d008
Add SecurityContextHolderStrategy XML Configuration for Defaults
...
Issue gh-11061
2022-06-17 12:21:10 -06:00
ce218c78f9
Add SecurityContextHolderStrategy Java Configuration for Defaults
...
Issue gh-11061
2022-06-17 11:58:38 -06:00
2a70707c35
Add SecurityContextHolderStrategy XML Configuration for Defaults
...
Issue gh-11061
2022-06-17 11:28:10 -06:00
2c09a300b6
Add SecurityContextHolderStrategy Java Configuration for Defaults
...
Issue gh-11061
2022-06-17 11:28:10 -06:00
79c2b8709b
Allow form login when single OAuth2 Provider is configured
...
Closes gh-6802
2022-06-15 14:05:55 -05:00
a061191bd2
Allow form login when single OAuth2 Provider is configured
...
Closes gh-6802
2022-06-15 13:42:06 -05:00
d18291676f
Update copyright year
...
Issue gh-11372
2022-06-15 13:14:07 -05:00
c7df39a3e6
Fix tests using root cause for exception messages
...
Closes gh-11372
2022-06-14 17:12:15 -05:00
3ca4b06612
Support multiple SingleLogoutService bindings.
...
Closes gh-11286
2022-06-09 12:56:16 -06:00
89989722d0
Support multiple SingleLogoutService bindings.
...
Closes gh-11286
2022-06-09 12:50:33 -06:00
f4049c18b1
add SAML authentication request support to login configurer
...
Closes gh-8873
2022-06-06 08:05:33 -06:00
4d65d96b8a
Fix saml2Tests always running after a single test
...
This commit makes the check task depend on the saml2Tests task.
The test task was also configured to run after saml2Tests, to make sure that the
compileTestJava runs after the compileSaml2TestJava
Issue gh-10816
2022-06-03 11:22:46 -03:00
3dd54bcda7
Run SAML 2.0 tests in an exclusive task
...
Issue gh-10816
2022-06-02 19:24:42 +02:00
23903b5f18
Use Reflection to instantiate OpenSAML4 classes
...
Because the OpenSAML4 classes are compiled using Java 11, we have to rely on reflection to instante those classes since the config module should be compatible with Java 8
Issue gh-10816
2022-06-02 19:24:42 +02:00
ccb1f68bfe
Fix member variable using Java 9+ feature
...
This causes compile errors when trying to build using JDK 8
Issue gh-10695
2022-06-02 19:24:42 +02:00
4c2401a576
Revert "Make source code compatible with JDK 8"
...
This reverts commit 60ed3602f6
2022-06-02 19:24:42 +02:00
9683856956
Polish InterceptUrlConfigTests
...
Issue gh-11305
2022-05-31 16:05:17 -06:00
38d481eba6
Make Internal Class Package-Private
...
Issue gh-11305
2022-05-31 16:04:26 -06:00
d994ddc9b8
Polish InterceptUrlConfigTests
...
Issue gh-11305
2022-05-31 16:04:02 -06:00
2afa9313eb
Use AuthorizationManager in <http>
...
Closes gh-11305
2022-05-31 16:01:41 -06:00
9dbd1f3e25
Use AuthorizationManager in <http>
...
Closes gh-11305
2022-05-31 15:10:00 -06:00
e125a76687
Fix rnc typo
...
Issue gh-11076
2022-05-27 17:06:02 -06:00
7c0ba58019
Fix rnc typo
...
Issue gh-11076
2022-05-27 16:59:23 -06:00
f4c0fcb5ef
Add AuthorizationManager to Messaging
...
Closes gh-11076
2022-05-27 13:35:19 -06:00
8a03d1fcec
Add AuthorizationManager to Messaging
...
Closes gh-11076
2022-05-27 12:20:48 -06:00
649428b49a
Use Base64 encoder with no CRLF in output for SAML 2.0 messages
...
Closes gh-11262
2022-05-25 12:06:27 -06:00
d0da160007
Use Base64 encoder with no CRLF in output for SAML 2.0 messages
...
Closes gh-11262
2022-05-25 12:02:13 -06:00
16664dcdbd
Use Base64 encoder with no CRLF in output for SAML 2.0 messages
...
Closes gh-11262
2022-05-25 11:43:50 -06:00
f2d6ead398
Use Base64 encoder with no CRLF in output for SAML 2.0 messages
...
Closes gh-11262
2022-05-25 11:42:54 -06:00
5cbc1a47da
Use original query string to verify signature
...
Closes gh-11235
2022-05-23 15:30:07 -06:00
88f9529329
Correctly encode query parameters
...
Issue gh-11235
2022-05-23 15:30:01 -06:00
b51c71c3b3
Use original query string to verify signature
...
Closes gh-11235
2022-05-23 13:56:28 -06:00
5adb6e25a3
Correctly encode query parameters
...
Issue gh-11235
2022-05-20 17:46:40 -06:00
0814136ee8
Polish WebExpressionAuthorizationManager
...
- Add support for request variables
- Added additional tests
Issue gh-11105
2022-05-13 14:14:42 -06:00
c4766e64fe
Add AuthorizationManager that uses ExpressionHandler
...
Closes gh-11105
2022-05-13 14:05:34 -06:00
ffaf5b4e61
Polish WebExpressionAuthorizationManager
...
- Add support for request variables
- Added additional tests
Issue gh-11105
2022-05-13 13:53:38 -06:00
07b0be3f42
Add AuthorizationManager that uses ExpressionHandler
...
Closes gh-11105
2022-05-13 13:52:49 -06:00
f34ea188e2
RequestRejectedException is 400 by Default
...
Closes gh-7568
2022-05-12 10:32:27 -05:00
806e05855c
Replace removed context-related operators
...
Closes gh-11194
2022-05-10 14:58:02 -03:00
dc2bd2b4f8
Update copyright headers
...
Issue gh-10956
2022-05-06 14:33:59 -03:00
de9b7b4fb8
Fix mvcMatchers overriding previous paths
...
Closes gh-10956
2022-05-06 14:33:59 -03:00
18c220c870
Update copyright headers
...
Issue gh-10956
2022-05-06 14:26:29 -03:00
18345feeed
Fix mvcMatchers overriding previous paths
...
Closes gh-10956
2022-05-06 14:26:29 -03:00
e45dcb3ab2
Update copyright headers
...
Issue gh-10956
2022-05-06 14:18:42 -03:00
d3a451fffb
Fix mvcMatchers overriding previous paths
...
Closes gh-10956
2022-05-06 14:18:36 -03:00
d86ed6f523
Update copyright headers
...
Issue gh-10956
2022-05-06 14:14:16 -03:00
1959c25a03
Fix mvcMatchers overriding previous paths
...
Closes gh-10956
2022-05-06 14:11:37 -03:00
995b2918bb
Remove SAML Deprecations
...
Closes gh-11077
2022-05-06 10:15:42 -03:00
7b6fd598d0
Multiple <authentication-manager> Do Not Duplicate Alias
...
Previously, two authentication managers with different ids would duplicate
the alias to the global authentication manager. This would cause failures
for when allowBeanDefinitionOverriding = false.
This commit ensures that if the global authentication manager alias is
already set, then it is not set again. This means the first
<authentication-manager> will be used as the global AuthenticationManager.
Closes gh-8767
2022-05-03 14:57:22 -05:00
6420cf28a9
Multiple <authentication-manager> Do Not Duplicate Alias
...
Previously, two authentication managers with different ids would duplicate
the alias to the global authentication manager. This would cause failures
for when allowBeanDefinitionOverriding = false.
This commit ensures that if the global authentication manager alias is
already set, then it is not set again. This means the first
<authentication-manager> will be used as the global AuthenticationManager.
Closes gh-8767
2022-05-03 14:52:22 -05:00
dec0d97ef0
Multiple <authentication-manager> Do Not Duplicate Alias
...
Previously, two authentication managers with different ids would duplicate
the alias to the global authentication manager. This would cause failures
for when allowBeanDefinitionOverriding = false.
This commit ensures that if the global authentication manager alias is
already set, then it is not set again. This means the first
<authentication-manager> will be used as the global AuthenticationManager.
Closes gh-8767
2022-05-03 14:50:56 -05:00
4ebd37ae77
Add 5.8 Support
2022-05-03 09:04:34 -06:00
397ccbc1c8
Add 5.7 Schema
2022-05-03 09:03:50 -06:00
0e9228d10a
Prepare for Spring Security 5.8
2022-05-02 16:34:23 -06:00
48ac100a92
Remove WebSecurityConfigurerAdapter from Kotlin tests
...
Issue gh-10902
2022-04-28 16:13:35 +02:00
736f439bb5
Detect UserDetailsService bean in X509 configuration
...
Closes gh-11174
2022-04-28 14:48:40 +02:00
9dd393cb9c
Update remember me Javadocs
...
Describe the new behaviour for retrieving the UserDetailsService
Issue gh-11170
2022-04-28 14:48:29 +02:00
5ac5edc2e6
Detect UserDetailsService bean in X509 configuration
...
Closes gh-11174
2022-04-28 14:47:18 +02:00
d40c15e09e
Update remember me Javadocs
...
Describe the new behaviour for retrieving the UserDetailsService
Issue gh-11170
2022-04-28 14:13:52 +02:00
a0232ed135
Add shouldFilterAllDispatcherTypes to Kotlin DSL
...
Closes gh-11153
2022-04-28 08:34:48 -03:00
e94adedb94
Add shouldFilterAllDispatcherTypes to Kotlin DSL
...
Closes gh-11153
2022-04-28 08:19:20 -03:00
ac06057cf6
Detect UserDetailsService bean in remember me
...
Closes gh-11170
2022-04-28 12:44:27 +02:00
8e34cedcfe
Detect UserDetailsService bean in remember me
...
Closes gh-11170
2022-04-28 12:43:13 +02:00
7dc4364f43
Fix Kotlin mockk test compatibility
...
Issue gh-11039
2022-04-26 18:13:29 +02:00
558bb161c5
Security Context Dsl
...
Closes gh-11039
2022-04-26 17:38:00 +02:00
a3e7e54b70
Security Context Dsl
...
Closes gh-11039
2022-04-26 17:34:44 +02:00
9a57b42786
Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator
...
Issue gh-10908
2022-04-25 09:53:20 -03:00
9d378103b0
Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator
...
Issue gh-10908
2022-04-25 09:43:50 -03:00
23594b3d01
Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator
...
Issue gh-10908
2022-04-25 09:42:00 -03:00
e79b6b3ac8
Default SecurityContextHolderFilter
...
Closes gh-11110
2022-04-15 14:59:38 -05:00
9a9a43a0c0
ForceEagerSessionCreationFilter
...
Closes gh-11109
2022-04-15 14:18:25 -05:00
aaf78330b1
ForceEagerSessionCreationFilter
...
Closes gh-11109
2022-04-15 14:16:35 -05:00
5367524030
Change the default of shouldFilterAllDispatchTypes to true
...
Closes gh-11107
2022-04-14 16:30:42 -03:00
84b5c76a7b
Add Option to Filter All Dispatcher Types
...
Closes gh-11092
2022-04-14 16:10:36 -03:00
7fea639a43
Add Option to Filter All Dispatcher Types
...
Closes gh-11092
2022-04-14 15:58:00 -03:00
c6ad72004e
Revert "Pick up AuthorizationManager Bean"
...
This reverts commit 4ca5346871
2022-04-12 09:58:30 -06:00
147ab42440
Revert "Pick up AuthorizationManager Bean"
...
This reverts commit 32b83aae63
2022-04-12 09:32:09 -06:00
50f8df6f07
Use HttpStatusCode
...
Closes gh-11091
2022-04-11 09:19:56 -03:00
39b0620a84
Add DisableUrlRewritingFilter
...
Closes gh-11084
2022-04-08 16:13:44 -05:00
7be32872e9
Add DisableUrlRewritingFilter
...
Closes gh-11084
2022-04-08 16:13:24 -05:00
4ca5346871
Pick up AuthorizationManager Bean
...
Closes gh-11067
Closes gh-11068
2022-04-08 11:42:37 -06:00
32b83aae63
Pick up AuthorizationManager Bean
...
Closes gh-11067
Closes gh-11068
2022-04-08 10:08:33 -06:00
b39f213e64
Revert "Add AuthorizationManager to Messaging"
...
This reverts commit 77a6e014a9
2022-04-07 17:39:34 -06:00
77a6e014a9
Add AuthorizationManager to Messaging
...
Closes gh-11076
2022-04-07 17:39:10 -06:00
be434e1540
Add Default Test to HttpBasicConfigurerTests
...
Issue gh-10973
2022-04-05 17:32:13 -06:00
f09652d447
Polish Saml2LoginConfigurerTests
...
Issue gh-10973
2022-04-05 17:32:13 -06:00
66213e5b2e
Add Default Test to HttpBasicConfigurerTests
...
Issue gh-10973
2022-04-05 17:11:39 -06:00
47c8676be7
Polish Saml2LoginConfigurerTests
...
Issue gh-10973
2022-04-05 17:11:38 -06:00
1edfa07d27
Use RequestMatcherEntry
...
Closes gh-11046
2022-03-30 14:40:06 -06:00
c175118f62
Use RequestMatcherEntry
...
Closes gh-11046
2022-03-30 14:31:11 -06:00
bdd5f86526
Polish Authorization Event Support
...
- Added spring-security-config support
- Renamed classes
- Changed contracts to include the authenticated user and secured
object
- Added method security support
Issue gh-9288
2022-03-29 16:37:21 -06:00
fa574c8785
Simplify PrePostMethodSecurityConfiguration
...
Issue gh-9288
2022-03-29 16:22:42 -06:00
061f69eb70
Polish Authorization Event Support
...
- Added spring-security-config support
- Renamed classes
- Changed contracts to include the authenticated user and secured
object
- Added method security support
Issue gh-9288
2022-03-29 16:03:19 -06:00
a43677d36a
Simplify PrePostMethodSecurityConfiguration
...
Issue gh-9288
2022-03-29 15:44:16 -06:00
e176d764ba
Add SecurityContextRepository.loadContext(HttpServletRequest)
...
This allows loading the SecurityContext lazily, without the need for the
response, and does not attempt to automatically save the request when
the response is comitted.
Closes gh-11028
2022-03-25 14:38:37 -05:00
67fd46bfa6
Add SecurityContextRepository.loadContext(HttpServletRequest)
...
This allows loading the SecurityContext lazily, without the need for the
response, and does not attempt to automatically save the request when
the response is comitted.
Closes gh-11028
2022-03-25 14:21:52 -05:00
446ab5047c
Add authorizeHttpRequests to Kotlin DSL
...
Closes gh-10481
2022-03-22 09:39:06 -06:00
3016ed0067
Fix typos in Kotlin DSL docs
...
Issue gh-10481
2022-03-22 08:27:29 -06:00
ca00b1415b
Add authorizeHttpRequests to Kotlin DSL
...
Closes gh-10481
2022-03-22 08:26:41 -06:00
932ff4f5c4
Fix typos in Kotlin DSL docs
...
Issue gh-10481
2022-03-22 08:26:41 -06:00
8aa7029d07
Fix checkstyle errors
...
Issue gh-10989
2022-03-18 22:53:29 -05:00
972039e65c
Add SecurityContextHolderFilter
...
Closes gh-9635
2022-03-12 13:31:04 -06:00
f9619cef68
Extract createSecurityContextRepository()
...
Extract out method in preparation for adding SecurityContextHolderFilter
configuration.
Issue gh-9635
2022-03-12 13:23:47 -06:00
87ed31a99c
Add SecurityContextHolderFilter
...
Closes gh-9635
2022-03-11 17:22:23 -06:00
dbcb5004b4
Extract createSecurityContextRepository()
...
Extract out method in preparation for adding SecurityContextHolderFilter
configuration.
Issue gh-9635
2022-03-11 17:21:49 -06:00
abd33389be
Add UsernamePasswordAuthenticationToken factory methods
...
- unauthenticated factory method
- authenticated factory method
- test for unauthenticated factory method
- test for authenticated factory method
- make existing constructor protected
- use newly factory methods in rest of the project
- update copyright dates
Closes gh-10790
2022-03-09 15:49:29 -07:00
ac9c29b2a0
Add UsernamePasswordAuthenticationToken factory methods
...
- unauthenticated factory method
- authenticated factory method
- test for unauthenticated factory method
- test for authenticated factory method
- make existing constructor protected
- use newly factory methods in rest of the project
- update copyright dates
Closes gh-10790
2022-03-09 15:23:35 -07:00
1762a4ce70
Add SAML 2.0 Single Logout XML Support
...
Closes gh-10842
2022-03-09 10:48:34 -03:00
1cbe7a75d3
Add SAML 2.0 Login XML Support
...
Closes gh-9012
2022-03-09 10:40:26 -03:00
93d4fd3559
Add SAML 2.0 Single Logout XML Support
...
Closes gh-10842
2022-03-09 09:18:01 -03:00
73f839312d
Add SAML 2.0 Login XML Support
...
Closes gh-9012
2022-03-09 09:18:01 -03:00
963251314b
Replace Apache Commons Base64 Decoding
...
Issue gh-10923
2022-03-02 16:40:11 -07:00
5b9a45de01
Replace Apache Commons Base64 Decoding
...
Issue gh-10923
2022-03-02 16:30:21 -07:00
7a02bd14c1
Replace Apache Commons Base64 Decoding
...
Issue gh-10923
2022-03-02 16:19:03 -07:00
8cc18fa9dc
OAuth2AuthorizedClientArgumentResolver resolves ReactiveOAuth2AuthorizedClientManager
...
Closes gh-10846
2022-02-28 15:31:22 -07:00
3aa7a65cb4
OAuth2AuthorizedClientArgumentResolver resolves ReactiveOAuth2AuthorizedClientManager
...
Closes gh-10846
2022-02-28 15:30:19 -07:00
eca32b4812
Upgrade to Kotlin 1.6.20-M1
...
Closes gh-10687
2022-02-22 08:51:27 -03:00
606bd120fb
Deprecate WebSecurityConfigurerAdapter
...
Closes gh-10822
2022-02-17 12:25:14 +01:00
e97c643870
Deprecate WebSecurityConfigurerAdapter
...
Closes gh-10822
2022-02-17 12:13:50 +01:00
9f9fbb395f
Apply configurers from spring.factories to HttpSecurity bean
...
Closes gh-10814
2022-02-09 14:42:04 +01:00
c2635ba6bf
Apply configurers from spring.factories to HttpSecurity bean
...
Closes gh-10814
2022-02-09 14:40:57 +01:00
f53c65b3a0
Polish ignoring() log messaging
...
- Public API remains unchanged
Issue gh-9334
2022-02-07 15:07:29 -07:00
0be772ff5b
Print ignore message DefaultSecurityFilterChain
...
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.
Closes gh-9334
2022-02-07 15:07:29 -07:00
84616543a3
Polish ignoring() log messaging
...
- Public API remains unchanged
Issue gh-9334
2022-02-07 14:58:20 -07:00
6ae651bd67
Print ignore message DefaultSecurityFilterChain
...
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.
Closes gh-9334
2022-02-07 14:58:20 -07:00
cbd87fac89
Polish ignoring() log messaging
...
- Public API remains unchanged
Issue gh-9334
2022-02-07 14:50:28 -07:00
01ed617d5f
Print ignore message DefaultSecurityFilterChain
...
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.
Closes gh-9334
2022-02-07 14:50:19 -07:00
5a2556879a
Add Saml2AuthenticationRequestResolver
...
Closes gh-10355
2022-01-24 16:18:33 -07:00
d538423f98
Add Saml2AuthenticationRequestResolver
...
Closes gh-10355
2022-01-24 15:09:45 -07:00
f94090a59b
Remove spring-security-openid
...
Closes gh-10773
2022-01-21 16:55:19 -06:00
4f3072b3d9
Exclude javax from hibernate dependency
...
Issue gh-10501
2022-01-19 15:32:12 -06:00
13c467734a
Remove javax.transaction
...
Issue gh-10501
2022-01-19 15:32:12 -06:00
c01b2b946b
Additional removal of javax.inject
...
Issue gh-10501
2022-01-19 15:32:12 -06:00
58090c37ea
jsr250-api -> jakarta.annotation-api
...
Issue gh-10501
2022-01-19 15:32:12 -06:00
04f3bbcefa
javax.xml.bind:jaxb-api -> jakarta.xml.bind:jakarta.xml.bind-api
...
Issue gh-10501
2022-01-19 15:32:12 -06:00
c67ee6f2a8
javax.servlet:javax.servlet-api -> jakarta.servlet:jakarta.servlet-api
...
Issue gh-10501
2022-01-19 15:32:12 -06:00
5902b46e9b
Remove jcl-over-slf4j
...
Issue gh-10499
# Conflicts:
# dependencies/spring-security-dependencies.gradle
2022-01-19 15:32:01 -06:00
62449d6fa2
Remove commons-logging
...
Closes gh-10499
2022-01-19 15:31:22 -06:00
11df19406b
Remove javax.inject
...
Issue gh-10501
2022-01-19 14:49:47 -06:00
44bc953a39
Remove jcl-over-slf4j
...
Issue gh-10499
2022-01-19 14:40:56 -06:00
95b4a3742b
Remove commons-logging
...
Closes gh-10499
2022-01-19 14:40:54 -06:00
ba922dcdf0
Exclude javax from hibernate dependency
...
Issue gh-10501
2022-01-19 14:35:25 -06:00
27e1a2ca69
Remove javax.transaction
...
Issue gh-10501
2022-01-19 14:35:05 -06:00
9d4ecc9c37
Additional removal of javax.inject
...
Issue gh-10501
2022-01-19 14:34:45 -06:00
678c386834
jsr250-api -> jakarta.annotation-api
...
Issue gh-10501
2022-01-19 14:34:32 -06:00
0e8c03401b
javax.xml.bind:jaxb-api -> jakarta.xml.bind:jakarta.xml.bind-api
...
Issue gh-10501
2022-01-19 14:34:16 -06:00
8f64bb6c8c
javax.servlet:javax.servlet-api -> jakarta.servlet:jakarta.servlet-api
...
Issue gh-10501
2022-01-19 14:33:53 -06:00
f8e14683f6
Remove jcl-over-slf4j
...
Issue gh-10499
2022-01-19 14:33:46 -06:00
3c641dee75
Remove commons-logging
...
Closes gh-10499
2022-01-19 14:33:44 -06:00
6b56071c08
Add LDAP factory beans
...
Issue gh-10138
2022-01-18 15:21:15 +01:00
a537b636c1
Add LDAP factory beans
...
Issue gh-10138
2022-01-18 15:11:30 +01:00
feff747669
Polish multiple RequestRejectedHandlers support
...
Issue gh-10603
2022-01-14 17:21:04 -07:00
27cfb9c89d
Support multiple RequestRejectedHandler beans
...
Closes gh-10603
2022-01-14 17:21:00 -07:00
75f25bff82
Polish multiple RequestRejectedHandlers support
...
Issue gh-10603
2022-01-14 16:49:38 -07:00
4ea57f3e3f
Support multiple RequestRejectedHandler beans
...
Closes gh-10603
2022-01-14 16:46:15 -07:00
4a976faea3
Fix remaining failing tests
...
Issue gh-10702
2022-01-13 13:53:04 -03:00
7fd0530009
Change Kotlin tests that are using mockkObject with a lambda interface implementation
...
Closes gh-10702
2022-01-13 11:38:44 -03:00
9cfafdaa43
Upgrade to Kotlin 1.6.10
...
Closes gh-10350
2022-01-13 08:44:57 -03:00
e1cb375fbf
Make source code compatible with JDK 8
...
Closes gh-10695
2022-01-12 16:39:50 -03:00
60ed3602f6
Make source code compatible with JDK 8
...
Closes gh-10695
2022-01-11 09:19:41 -03:00
6c5fd38a3f
Fix typo
2022-01-10 16:24:53 +01:00
1ab0705b47
Fix typo
2022-01-10 16:17:42 +01:00
994e93741b
Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains
...
Closes gh-10554
2022-01-05 14:06:47 -03:00
d884d9a461
Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains
...
Closes gh-10554
2021-12-13 09:19:41 -03:00
18427b6411
Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains
...
Closes gh-10554
2021-12-13 08:57:30 -03:00
81a9302045
Polish enableSessionUrlRewriting Clarification
...
Closes gh-7644
2021-12-09 12:16:01 -07:00
c1b0e5930a
Clarify behaviour of enableSessionUrlRewriting
...
See #3087
2021-12-09 12:16:01 -07:00
cd8983d4e5
Polish enableSessionUrlRewriting Clarification
...
Closes gh-7644
2021-12-09 12:14:40 -07:00
5598688fa6
Clarify behaviour of enableSessionUrlRewriting
...
See #3087
2021-12-09 12:06:30 -07:00
0beb725259
Add Cross Origin Policies headers
...
Add DSL support for Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers
Closes gh-9385, gh-10118
2021-12-08 11:07:09 +01:00
65426a40ec
Add Cross Origin Policies headers
...
Add DSL support for Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers
Closes gh-9385, gh-10118
2021-12-07 17:23:06 +01:00
263665ad55
Prevent using both authorizeRequests and authorizeHttpRequests
...
Closes gh-10573
2021-12-06 15:54:28 -03:00
ed3b0fbaad
Prevent using both authorizeRequests and authorizeHttpRequests
...
Closes gh-10573
2021-12-06 15:47:49 -03:00
df0f6f83af
Polish gh-9597
2021-12-02 17:44:47 -06:00
925d531cbe
Set details on authentication token created by HttpServlet3RequestFactory
...
Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.
This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.
Closes gh-9579
2021-12-02 17:44:46 -06:00
d37ff18b69
Polish gh-9597
2021-12-02 17:24:17 -06:00
c57fc309c2
Set details on authentication token created by HttpServlet3RequestFactory
...
Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.
This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.
Closes gh-9579
2021-12-02 17:24:17 -06:00
074e38d565
Add missing since
...
Issue gh-7765
2021-12-02 12:09:57 -06:00
3af619d565
Add hasIpAddress to Reactive Kotlin DSL
...
Closes gh-10571
2021-12-02 12:01:11 -06:00
be802f57ba
Add hasIpAddress to Reactive Kotlin DSL
...
Closes gh-10571
2021-12-02 18:13:01 +01:00
176f7b2b04
Add missing since
...
Issue gh-7765
2021-12-02 18:13:01 +01:00
a68411566e
Polish Memory Leak Mitigation
...
Issue gh-9841
2021-11-30 15:33:47 -07:00
2bc643d6c8
Address SecurityContextHolder memory leak
...
To get current context without creating a new context.
Creating a new context may cause ThreadLocal leak.
Closes gh-9841
2021-11-30 15:33:39 -07:00
a3a9de1b9b
PermitAllSupport supports AuthorizeHttpRequestsConfigurer
...
PermitAllSupport supports either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer. If none or both are configured an error message is thrown.
Closes gh-10482
2021-11-30 15:17:22 -07:00
72109e2921
PermitAllSupport supports AuthorizeHttpRequestsConfigurer
...
PermitAllSupport supports either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer. If none or both are configured an error message is thrown.
Closes gh-10482
2021-11-30 15:00:04 -07:00
78857c62f4
Polish Memory Leak Mitigation
...
Issue gh-9841
2021-11-30 14:29:18 -07:00
809ff883b0
Address SecurityContextHolder memory leak
...
To get current context without creating a new context.
Creating a new context may cause ThreadLocal leak.
Closes gh-9841
2021-11-30 14:29:18 -07:00
43317c5a61
Support IP whitelist for Spring Security Webflux
...
Closes gh-7765
2021-11-30 15:27:58 -06:00
9f51240bf1
Support IP whitelist for Spring Security Webflux
...
Closes gh-7765
2021-11-30 13:59:55 -06:00
ba5a68ec63
Polish LdapAuthenticationPopulator Support
...
PR gh-9276
2021-11-19 12:19:43 -07:00
ae08608011
LdapAuthoritiesPopulator should be postProcessed
...
To enable customizations through withObjectPostProcessor
2021-11-19 12:03:44 -07:00
4bc55769a3
Import cleanup
...
Issue gh-10333
2021-11-19 11:46:08 -07:00
4f186f2c1f
Move Dsl files to annotation Package
...
Closes gh-10333
2021-11-19 11:46:08 -07:00
25feedb870
Fix removal of framework deprecated code
...
Issue https://github.com/spring-projects/spring-framework/issues/27686
2021-11-19 13:06:13 -03:00
e85958f65c
Fix CsrfConfigurer default AccessDeniedHandler consistency
...
Fix when AccessDeniedHandler is specified per RequestMatcher on
ExceptionHandlingConfigurer.
This introduces evolutions on :
- CsrfConfigurer#getDefaultAccessDeniedHandler,
to retrieve an AccessDeniedHandler similar to the one used by
ExceptionHandlingConfigurer.
- OAuth2ResourceServerConfigurer#accessDeniedHandler, to continue to
handle CsrfException with the default AccessDeniedHandler implementation
Fixes: gh-6511
2021-11-16 14:25:03 -06:00
4318a51971
Fix CsrfConfigurer default AccessDeniedHandler consistency
...
Fix when AccessDeniedHandler is specified per RequestMatcher on
ExceptionHandlingConfigurer.
This introduces evolutions on :
- CsrfConfigurer#getDefaultAccessDeniedHandler,
to retrieve an AccessDeniedHandler similar to the one used by
ExceptionHandlingConfigurer.
- OAuth2ResourceServerConfigurer#accessDeniedHandler, to continue to
handle CsrfException with the default AccessDeniedHandler implementation
Fixes: gh-6511
2021-11-16 14:22:35 -06:00
0aa75e04b7
Fix imports for ChannelSecurityConfigurerTests
...
gh-7997
2021-11-16 14:07:53 -06:00
2e4c6c3bf1
Avoid using SpEL to change the meaning of the injection point
...
This commit removes the use of SpEL expression and replaces it with an
explicit call to the underlying method.
2021-11-16 13:53:29 -06:00
61ee4e5a76
Avoid using SpEL to change the meaning of the injection point
...
This commit removes the use of SpEL expression and replaces it with an
explicit call to the underlying method.
2021-11-16 13:53:00 -06:00
ef25304a30
Add RedirectStrategy customization to ChannelSecurityConfigurer for RetryWith classes
2021-11-16 13:44:34 -06:00
aa0f788f59
Add RedirectStrategy customization to ChannelSecurityConfigurer for RetryWith classes
2021-11-16 13:44:18 -06:00
7b15098570
Update Spring Security to 5.7
...
Closes gh-10509
2021-11-15 17:10:00 -07:00
76ebbb84f7
Separate Namespace Servlet Docs
...
Issue gh-10367
2021-11-05 12:45:46 -06:00
869e379099
Separate Namespace Servlet Docs
...
Issue gh-10367
2021-11-01 17:49:15 -06:00
caf4c47105
Remove CAS module
...
Closes gh-10441
2021-11-01 09:02:43 -03:00
db60df2f9c
Update to Spring Framework 6.0
...
Issue gh-10360
2021-11-01 09:02:42 -03:00
b2e6c60d94
Remove remoting technologies support
...
Closes gh-10366
2021-11-01 09:02:42 -03:00
010f719344
Upgrade to JDK 17
...
Closes gh-10343
2021-11-01 09:02:42 -03:00
12f3e908b0
Update to Spring Security 6.0
2021-11-01 09:02:41 -03:00
2f1638ec57
Fix javadoc
...
Closes gh-10382
2021-10-22 11:20:37 -03:00
cb70b6a39b
Fixed invalid usage of & tag in Javadocs
2021-10-21 11:47:04 +02:00
04b47c5928
Fixed various broken links in Javadocs
2021-10-21 11:47:04 +02:00
a188138715
Javadocs author tag doesn't work in methods
2021-10-21 11:47:04 +02:00
6b26032ce7
Fixed invalid usege of > tag in Javadocs
2021-10-21 11:47:04 +02:00
f836897190
Checkstyle Fixes
...
- Javadoc tag ordering
- Private constructors before inner classes
Issue gh-10394
2021-10-18 21:03:35 -05:00
6db58cbf8a
Conditionally resolve bearer token from request parameters
...
Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.
This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).
Closes gh-10326
2021-10-13 17:10:50 -05:00
33708e61fb
Add postProcess support to Saml2LogoutConfigurer
...
Closes gh-10311
2021-10-13 12:05:48 -06:00
fbb7691be4
Polish SecurityNamespaceHandler Tests
...
Issue gh-8974
2021-10-13 11:50:14 -06:00
8daa6ec1fd
SecurityNamespaceHandler: update schema version to 5.6
...
Closes gh-8974
2021-10-13 11:49:57 -06:00
ba8844a67e
Deprecate Kotlin methods that don't use reified types
...
Closes gh-10365
2021-10-13 10:16:37 +02:00
02b2fcc6f0
Restore ManagementConfigurationPlugin
...
Issue gh-9615
2021-10-05 11:23:29 -03:00
d2e5f2ae0d
Update Gradle to 7.2
...
Closes gh-9615
2021-10-04 15:19:40 -03:00
7112ee3eaa
Allow SAML 2.0 loginProcessingURL without registrationId
...
Closes gh-10176
2021-10-04 09:54:40 -03:00
e36e2b2a97
Move Saml2AuthnRequestRepository to web package
...
Moving to solve package tangles
Issue gh-9185
2021-09-29 14:10:39 -03:00
3b64cdfc03
Fix XsdDocumentedTests
...
Issue gh-5835
2021-09-24 10:25:26 -05:00
c3ba2332da
Wire BeanResolver into DefaultMethodSecurityExpressionHandler
...
Closes gh-10305
2021-09-22 14:14:29 -06:00
7b599d4770
Share JWKSource Instances
...
Closes gh-10312
2021-09-22 13:28:08 -06:00
0364518b69
Update Saml2LoginConfigurer to pick up Saml2AuthenticationTokenConverter bean
...
Closes gh-10268
2021-09-17 08:13:19 -03:00
1e76b11b3c
Remove duplicate entry from test LDIF file
...
Closes gh-10274
2021-09-16 10:26:06 +02:00
4f06fc6ed1
Add Saml2LogoutConfigurer
...
Closes gh-9497
2021-09-13 16:39:48 -06:00
6488295cad
Add RelyingPartyRegistrationResolver
...
Closes gh-9486
2021-09-13 16:39:48 -06:00
58d50888df
Fix return type to allow further security config
2021-09-13 15:31:02 -03:00
f2b2e6002f
Replace static "ROLE_" with customized role prefix
...
Fix gh-4134
2021-09-09 11:48:25 -06:00
3ab6bee856
Make method static to prevent circular dependency error
...
Workaround for circular dependency between ServerHttpSecurityConfiguration and WebFluxConfigurationSupport.
Closes gh-10076
2021-08-11 13:46:45 +02:00
662ab10416
Fix test getting stuck
...
The tests are getting stuck when running a single test class and the mock is performed in a static variable inside an inner class
Issue gh-6025
2021-07-27 14:55:53 -06:00
16e17d242e
Add Saml2AuthenticationRequestRepository
...
Closes gh-9185
2021-07-27 14:55:53 -06:00
6b68a6d62b
Apply rnc2Xsd
...
Issue gh-8657
2021-07-27 13:22:42 -06:00
6370906ead
Add SpringOpaqueTokenIntrospector
...
Closes gh-9354
2021-07-26 10:50:50 -06:00
d1dfb2b9ee
Improve OpenSAML Version Check
...
Closes gh-10077
2021-07-26 10:42:40 -06:00
5c8fb254c2
Add AuthenticationDetailsSource to OAuth2 Login Kotlin DSL
...
Closes gh-9838
2021-07-16 15:42:00 +02:00
b1612b1283
Add AuthenticationDetailsSource to Form Login Kotlin DSL
...
Closes gh-9837
2021-07-16 15:42:00 +02:00
f73f213f50
Remove DependencySetPlugin
...
Closes gh-10070
2021-07-12 15:31:38 -05:00
342884e851
kotlin uses @ExtendWith(SpringTestContextExtension::class)
...
cd config/src/test/kotlin
rg 'SpringTestContext' -l | xargs sed -i '/^import org.junit.jupiter.api.Test/a import org.junit.jupiter.api.extension.ExtendWith'
rg 'SpringTestContext' -l | xargs sed -i '/^import org.springframework.security.config.test.SpringTestContext/a import org.springframework.security.config.test.SpringTestContextExtension'
rg 'SpringTestContext' -l | xargs sed -i '/^class .*/i @ExtendWith(SpringTestContextExtension::class)'
2021-07-09 15:57:21 -05:00
cc732bda3b
Use @ExtendWith(SpringExtension::class)
2021-07-09 15:57:21 -05:00
3b3ccb962d
Fix @Test(expected =
2021-07-09 15:57:21 -05:00
2bd55f0f62
@Test to JUnit 5 for kotlin
...
rg -g "*.kt" "import org.junit.Test" -l | xargs sed -i 's/import org.junit.Test/import org.junit.jupiter.api.Test/'
2021-07-09 15:57:21 -05:00
e251abb1ae
more import cleanup
2021-07-09 14:49:47 -05:00
3c4e15264c
Add @ExtendWith(SpringTestContextExtension.class)
...
rg 'import org.springframework.security.config.test.SpringTestContext' -l -g "*.java" | xargs rg '@ExtendWith' --files-without-match | xargs sed -i '/^public class/i @ExtendWith(SpringTestContextExtension.class)'
2021-07-09 14:49:46 -05:00
7dfd169ece
Add import ExtendWith
...
rg 'import org.springframework.security.config.test.SpringTestContext' -l -g "*.java" | xargs rg '@ExtendWith' --files-without-match | xargs sed -i '/^import org.junit.jupiter.api.Test;/a import org.junit.jupiter.api.extension.ExtendWith;'
2021-07-09 14:49:45 -05:00
e4b09f62f0
Add SpringTestContextExtension to existing ExtendWith
...
rg 'import org.springframework.security.config.test.SpringTestContext' -l -g "*.java" | xargs rg '@ExtendWith' -l | xargs sed -E -i 's/@ExtendWith\((.*)\)/@ExtendWith({ \1, SpringTestContextExtension.class })/'
2021-07-09 14:49:42 -05:00
5133340bf8
Add import SpringTestContextExtension
...
rg 'import org.springframework.security.config.test.SpringTestContext' -l -g "*.java" | xargs sed -i '/^import org.springframework.security.config.test.SpringTestContext;/a import org.springframework.security.config.test.SpringTestContextExtension;'
2021-07-09 14:47:54 -05:00
60078df62a
remove @Rule
...
rg '@Rule' -g '!buildSrc/**' -l | xargs sed -i '/@Rule/d'
rg 'import org.junit.Rule' -g '!buildSrc/**' -l | xargs sed -i '/import org.junit.Rule/d'
2021-07-09 14:46:51 -05:00
671040bb27
SpringTestRule to SpringTestContext
...
rg 'new SpringTestRule()' -l | xargs sed -i 's/new SpringTestRule()/new SpringTestContext(this)/'
rg 'val spring = SpringTestRule()' -l | xargs sed -i 's/val spring = SpringTestRule()/val spring = SpringTestContext(this)/'
2021-07-09 14:41:51 -05:00
e8c44e6390
Add SpringTestContextExtension
2021-07-09 14:35:10 -05:00
b6ff4d3674
Fix mockito UnnecessaryStubbingException
2021-07-09 14:35:10 -05:00
2a62c4d976
Fix NamespaceHttpInterceptUrlTests
2021-07-09 14:32:52 -05:00
3e93b024d6
openrewrite Junit Migration
2021-07-09 14:32:52 -05:00
79054093c9
Add AuthenticationManager to Kotlin ServerHttpSecurityDsl
...
Closes gh-10053
2021-07-09 10:34:57 +02:00
14240b2559
Remove Powermock
...
Powermock does not support JUnit5 yet, so we need to remove it
to support JUnit 5. Additionally, maintaining additional libraries
adds extra work for the team.
Mockito now supports final classes and static method mocking. This
commit replaces Powermock with mockito-inline.
Closes gh-6025
2021-07-08 12:35:32 -05:00
6a09ffe113
Add AuthenticationManager to Kotlin JwtDsl
...
Closes gh-10045
2021-07-08 13:50:09 +02:00
5c8e409d98
Add AuthenticationManager to Kotlin OpaqueTokenDsl
...
Closes gh-10044
2021-07-08 12:46:50 +02:00
b4f76b2314
Fix typo in Saml2Dsl
2021-07-08 12:03:29 +02:00
585788ad0a
Add AuthenticationManager to HttpSecurity
...
Closes gh-10040
2021-07-07 15:44:42 +02:00
d121ab9565
Support A Well-Known URL for Changing Passwords
...
Closes gh-8657
2021-07-01 16:57:53 -06:00
e91cacfdaf
Polish no-parameter authorizeHttpRequests
...
- Cleaned up JavaDoc
- Updated implementation to align with no-parameter authorizeRequests
- Updated test names and content for clarity, specifically identified
tests that target no-parameter authorizeHttpRequests with noParameter in
the name
- Switched order of methods to match others in HttpSecurity
- Updated copyright year
Issue gh-9498
2021-06-28 15:45:24 -06:00
3820f0f3a3
Add no-parameter authorizeHttpRequests method
...
Closes gh-9498
2021-06-28 15:34:49 -06:00
fe99c3b83b
https://stackoverflow.com/questions/67520600/redirect-to-different-page-after-login-based-on-user-role-with-spring-security/67531436#67531436
...
Closes gh-7282
2021-06-28 11:48:07 +02:00
94a3adb928
Apply DefaultLoginPageConfigurer before logout
...
If they are not applied in this order, then the LogoutConfigurer cannot
set the logoutSuccessUrl, because the DefaultLoginPageGeneratingFilter
does not exist yet.
This impacts users that inject the default HttpSecurity bean.
Closes gh-9973
2021-06-24 10:26:13 +02:00
dfd0047f0b
Disable default logout page when logout disabled
...
Closes gh-9475
2021-06-17 16:38:23 +02:00
b44d0fb319
Load ReactiveJwtAuthenticationConverter bean in OAuth2 Resource Server config
...
When a bean of type ReactiveJwtAuthenticationConverter is defined,
the OAuth2 Resource Server configuration will use it automatically
when no other converter is defined through the DSL.
Closes gh-9698
2021-06-15 14:22:15 -06:00
aeed286e8a
Add AuthenticationManager to saml2Login Kotlin DSL
...
Closes gh-9905
2021-06-15 09:53:53 +02:00
9d2db89838
Fix Adding Filter Relative to Custom Filter
...
Closes gh-9787
2021-06-14 14:37:21 -03:00
65239e93f9
Update Copyright Header
...
Issue gh-9845
2021-06-09 11:33:48 -06:00
5b49433ed1
Add GlobalMethodSecurityConfiguration Test
...
Issue gh-9845
2021-06-09 09:29:52 -06:00
7a233c41f0
Some infrastructure beans are not marked properly
...
Added missing infrastructure role to methodSecurityMetadataSource bean
and move the post processing of the defaultMethodExpressionHandler to
the end of afterSingletonsInstantiated.
Closes gh-9845
2021-06-09 09:28:55 -06:00
3074ad4136
Migrate Kotlin tests from java Mockito to Mockk
...
Closes gh-9785
2021-06-07 13:13:31 +02:00
204a32aba8
Replace < and > with < and > in Javadoc
...
Closes gh-9847
2021-06-04 12:26:07 +03:00
68f91edbb8
Make XsdDocumentedTests Parsing More Lenient
...
Closes gh-9830
2021-05-27 18:37:14 -05:00
8400b841e9
Improve XsdDocumentedTests Error Message
...
This makes it easier to compare the expected and actual values.
Closes gh-9829
2021-05-27 18:37:02 -05:00
fa77f4c8ff
Deprecate feature-policy where not already deprecated
...
Issue gh-9262
2021-05-19 10:04:09 +02:00
be903b8e25
Cleanup unused import
2021-05-19 10:04:09 +02:00
1728b06b30
Ensure Kotlin 1.3 compatibility
...
Closes gh-9765
2021-05-19 10:04:08 +02:00
67e5c05a47
Polish AuthorizationManager Method Security
...
- Removed consolidated pointcut advisor in favor of each interceptor
being an advisor. This allows Spring AOP to do more of the heavy
lifting of selecting the set of interceptors that applies
- Created new method context for after interceptors instead of
modifying existing one
- Added documentation
- Added XML support
- Added AuthorizationInterceptorsOrder to simplify interceptor
ordering
- Adjusted annotation lookup to comply with JSR-250 spec
- Adjusted annotation lookup to exhaustively search for duplicate
annotations
- Separated into three @Configuration classes, one for each set of
authorization annotations
Issue gh-9289
2021-05-18 17:34:04 -06:00
84e2e80915
Consider AuthorizationManager for Method Security
...
Closes gh-9289
2021-05-18 17:34:04 -06:00
d203235567
Update to Spring Security 5.6
...
Closes gh-9695
2021-05-18 10:45:17 -06:00
4d251157b2
opensaml4MainCompile
2021-05-17 23:21:17 -05:00
eda38b8f88
opensaml fixes
2021-05-17 15:51:55 -05:00
e5a652e749
Update to Kotlin 1.5.0
...
Closes gh-9763
2021-05-17 10:30:26 -05:00
e51ca79954
Document Jwt Client Authentication support
...
Closes gh-9578
2021-05-14 22:58:44 -04:00
f874a12ddb
Document jwt-bearer authorization grant
...
Closes gh-9580
2021-05-14 14:48:37 -04:00
ca2bc4feb3
Bump Schema Version
...
Closes gh-9694
2021-04-29 16:52:29 -06:00
4d564ffb50
Update AuthorizationManager references
...
Issue gh-9692
2021-04-28 11:58:30 -06:00
17cfc6ade3
Inline ResourceKeyConverterAdapter
...
Closes gh-9689
Closes gh-9626
2021-04-28 09:39:12 -06:00
de0cd11a72
Fix PreAuthorize when returning Kotlin Flow
...
Closes gh-9676
2021-04-28 12:33:18 +02:00
53e94bca45
Add oauth2Login() tests
...
Issue gh-9548 gh-9660 gh-9266
2021-04-20 08:37:19 -04:00
5afeaa3ce7
WebFlux httpBasic() matches on XHR requests
...
Closes gh-9660
2021-04-20 08:36:42 -04:00
a31a855146
Fix HttpSecurity.addFilter* Ordering
...
Closes gh-9633
2021-04-14 17:47:31 -05:00
2b4b856b32
Limit oauth2Login() links to redirect-based flows
...
This prevents the generated login page from showing links for
authorization grant types like "client_credentials" which are
not redirect-based, and thus not meant for interactive use in
the browser.
Closes gh-9457
2021-04-14 05:02:30 -04:00
163b5943ca
Revert AuthorizationManager Method Security
2021-04-12 15:53:22 -06:00
404a6c5674
Revert "Publish CsrfTokenRepository as shared object"
...
This reverts commit d19ff12813
2021-04-12 14:43:37 -06:00
4e81bbe386
Revert "Add Saml2LogoutConfigurer"
...
This reverts commit 6f52baba29
2021-04-12 14:43:19 -06:00
6f52baba29
Add Saml2LogoutConfigurer
...
Closes gh-9497
2021-04-10 00:25:34 -06:00
d19ff12813
Publish CsrfTokenRepository as shared object
...
Closes gh-9595
2021-04-10 00:25:34 -06:00
df8abcfae7
Use Interceptors instead of Advice
...
- Interceptor is a more descriptive term for what
method security is doing
- This also allows the code to follow a delegate
pattern that unifies both before-method and after-
method authorization
Issue gh-9289
2021-04-09 18:45:31 -06:00
6828987b4b
Add AfterMethodAuthorizationManager
...
- Removes the need to keep MethodAuthorizationContext#returnObject
in sync with other method parameters
- Restores MethodAuthorizationContext's immutability
Closes gh-9591
2021-04-09 18:43:56 -06:00
2b494ebc5f
Polish AOP Structure
...
- Changed from MethodMatcher to Pointcut since authorization
annotations also can be attached to classes
- Adjusted advice to extend Before or AfterAdvice
- Adjusted advice to extend PointcutAdvisor so
that it can share its Pointcut
- Adjusted advice to extend AopInfrastructureBean to
align with old advice classes
Issue gh-9289
2021-04-09 17:46:33 -06:00
62d77ec97e
Add GrantedAuthorityDefaults to Expression Handler
...
Issue gh-9289
2021-04-09 17:46:33 -06:00
68cf74468c
Add check for custom advice
...
- Because publishing an advice bean replaces Spring Security
defaults, the code should error if both a custom bean and
either secureEnabled or prePostEnabled are specified
Issue gh-9289
2021-04-09 17:46:33 -06:00
45376b359b
Adjust Packaging
...
Issue gh-9289
2021-04-09 17:46:32 -06:00
20778f727b
Consider AuthorizationManager for Method Security
...
Closes gh-9289
2021-04-09 17:46:32 -06:00
7ded671858
Refactor AuthenticationDetailsSource support
...
- BearerTokenAuthenticationFilter exposes this directly, simplifying
configuration and removing a package tangle
Closes gh-9576
2021-04-09 12:41:16 -06:00
e03fe7f089
Add coroutine support to pre/post authorize
...
Closes gh-8143
2021-04-09 19:33:06 +02:00
60d3db5798
add management platform(project(":spring-security-dependencies"))
...
Closes gh-9540
2021-04-05 10:36:36 -05:00
1a76ee7442
Update Gradle configuration names
...
Closes gh-9540
2021-04-05 10:36:36 -05:00
0f3df3e714
Consider Order on SecurityFilterChain bean definitions
...
Closes gh-9154
2021-03-24 11:02:29 +02:00
f5fe64cd5b
Fix typo
2021-03-24 11:00:37 +02:00
d0d0a8d958
Add OpenSAML 4 Support
...
Closes gh-9095
2021-03-23 19:07:23 -06:00
4a492846f1
Revert "Lock dependencies for 2.5.0-M3"
...
This reverts commit f05cc6269c
2021-03-15 23:18:45 +01:00
f05cc6269c
Lock dependencies for 2.5.0-M3
2021-03-15 11:00:19 +01:00
b774e91734
Polish BearerTokenAuthenticationConverter
...
Issue gh-8840
2021-03-12 15:05:06 -07:00
31f310fd22
Add BearerTokenAuthenticationConverter
...
BearerTokenAuthenticationConverter is introduced to solve the
problem of not being able to change AuthenticationDetailsSource.
BearerTokenAuthenticationFilter delegates to
BearerTokenAuthenticationConverter the task of creating
BearerTokenAuthenticationToken and setting AuthenticationDetailsSource.
BearerTokenAuthenticationConverter is customizable and the customized
converter can be used in BearerTokenAuthenticationFilter.
Closes gh-8840
2021-03-12 15:05:06 -07:00
92b3a7b01b
Clarify in .csrf() enables CSRF protection
...
Closes gh-9489
2021-03-05 16:11:12 +01:00
cf2bb62442
Fix typo in doc
2021-03-05 14:09:30 +01:00
f3fa8e8800
Polish
...
Issue gh-9310
2021-03-02 12:04:22 -07:00
6e41246a2b
Throw Saml2AuthenticationException
...
Closes gh-9310
2021-03-02 12:04:22 -07:00
857830f695
Add RememberMeDsl
...
Issue: gh-9319
2021-02-22 09:15:40 +01:00
f129410ff9
Add Java 8 Polyfill for Apache DS tests
...
Closes gh-9416
2021-02-17 11:53:51 -07:00
c4be1c6a56
Revert "Lock Dependencies"
...
This reverts commit a85caa4098
2021-02-11 15:49:59 -07:00
a85caa4098
Lock Dependencies
2021-02-11 15:00:38 -07:00
ccb3b02888
Bearer Token Server-side Errors Return 500
...
Closes gh-9395
2021-02-10 12:35:34 -07:00
ca5e303308
Fix Test Configuration
...
- Typo in PlaceholderConfig was causing Windows builds to
resolve the CLASSPATH environment variable
Closes gh-9421
2021-02-10 11:31:30 -07:00
3e1616c311
Remove BearerTokenAuthenticationWebFilter
...
Closes gh-9377
2021-01-26 10:23:17 -07:00
76229cfab7
Migrate SAML 2.0 Tests and Docs to PCFOne
...
Issue gh-9362
2021-01-22 15:14:03 -07:00
43a071a89e
Add WebFlux oauth2Login with formLogin test
...
Closes gh-9326
2021-01-20 15:04:06 -05:00
65d3b0d71c
Add ResourceKeyConverterAdapter
...
Simplifies publishing RsaKeyConverters with
@ConfigurationPropertiesBinding
Issue gh-9316
2021-01-15 22:15:56 -07:00
f4d78d00ef
Extend CorsDsl with CorsConfigurationSource property
...
Issue: gh-9314
2021-01-13 10:22:07 +01:00
8449df9fd2
Consider Aligning MvcRequestMatcher's matching methods
...
Closes gh-9284
2021-01-09 21:42:16 +03:00
8cefc8a792
Fix bug with multiple AuthenticationManager beans
...
Closes gh-9256
2021-01-06 16:26:26 +01:00
337d24e6db
Update Copyright Messages
...
Issue gh-9202
2021-01-05 15:30:51 -07:00
Josh Cummings
Marcus Hert Da Coregio
Steve Riesenberg
Eric Haag
Rob Winch
Tim te Beek
Olivier Vanekem
Joe Grandja
Seongguk Jeong
Claudio Nave
kandaguru17
Evgeniy Cheban
Krzysztof Krason
Janne Valkealahti
lukasz.migdalek
SeasonPan
Ruslan Stelmachenko
Martin Tarjányi
twosom
Clayton Walker
hdeadman
Leonid Rozenblyum
Tobias Meurer
Spas Poptchev
Mitja Kotnik
Guillaume Husta
Jan Marten
Koos Gadellaa
mmoussa_mapfreusa
Daniel Garnier-Moiroux
Daniel Garnier-Moiroux
slam
ch4mpy
Yuriy Savchenko
Igor Bolic
Joshua Sattler
Anbu Sampath
Jared Rufer
Houssem BELHADJ AHMED
Juny Tse
Eleftheria Stein
nor-ek
m0k045e
Manuel Jordan
Adam Ostrožlík
heowc
James Howe
Karl Tinawi
Hiroshi Shirosaki
Igor Pelesic
Guirong Hu
Filip Hanik
« Christophe
Stephane Nicoll
Onur Kagan Ozcan
Emil Sierżęga
Philipp Neuschwander
Gaurav Tiwari
Emil Sierżęga
Derek Van Blerkom
Yanming Zhou
Abdul Al-Faraj
Nick McKinney
sdratler1
/usr/local/ΕΨΗΕΛΩΝ
Thomas Vitale
Kay-Uwe Janssen
theexiile1305
Denis Washington
Eleftheria Stein
Jeongjin Kim
wonwoo
Han YanJing
Ivan Pavlov
Ihor Ilkevych