4ce7cde155
Add Firewall for WebFlux
...
Closes gh-15967
2024-10-21 08:46:13 -05:00
f689257dc4
Fix unused import
2024-10-21 00:28:57 -05:00
8a0a5e2647
Format
2024-10-21 00:17:51 -05:00
c461abd5da
Remove unnecessary WebauthnJackson2Module usage
...
HttpMessageConverterAuthenticationSuccessHandler does not need to use
WebauthnJacksonModule
2024-10-21 00:16:31 -05:00
6d7df007dd
Remove non-ascii characters
...
Attempt fix windows format error
2024-10-21 00:15:58 -05:00
5736f0897e
Remove imports for Javadoc Only Usage
2024-10-21 00:08:12 -05:00
0bb406aaab
Run format again
2024-10-20 23:35:50 -05:00
7f26e54d07
Remove §
...
See if this fixes format in windows
2024-10-20 23:30:40 -05:00
b0e8730d70
Add Passkeys Support
...
Closes gh-13305
2024-10-20 22:54:53 -05:00
472c315ac3
Add Since to setSessionAuthenticaitonStrategy
...
Issue gh-2253
2024-10-15 15:09:36 -06:00
7f537241e7
Use SessionAuthenticationStrategy for Remember-Me authentication
...
Closes gh-2253
2024-10-15 14:07:07 -07:00
d37d41c130
Polish One-Time Token API Names and Doc
...
The names of variables and methods have been adjusted in accordance with the names of the one-time token login API components.
Issue gh-15114
2024-10-15 14:04:56 -07:00
c40334317d
Polish One-Time Token Component Names
...
Aligning parts of speech so that names are using nouns/verbs
where comparable components are using nouns/verbs.
Issue gh-15114
2024-10-14 14:07:47 -06:00
b8aa78829c
Improve readability of empty collection checks
2024-10-14 12:16:39 -07:00
31bdaf720d
Remove redundant keyword
2024-10-14 11:51:35 -07:00
31f8caec5f
Polish diamond operator usage
2024-10-14 11:51:35 -07:00
9ce5a76e8c
Polish AuthorizationManager#authorize
...
Issue gh-14843
2024-10-14 11:48:57 -07:00
e7644925f8
Add AuthorizationResult support for AuthorizationManager
...
Closes gh-14843
2024-10-14 11:48:57 -07:00
702538ebce
AuthorizationEventPublisher Accepts AuthorizationResult
...
Closes gh-15915
Co-authored-by: Max Batischev <mblancer@mail.ru>
2024-10-14 11:48:57 -07:00
b26f2af5d5
Polish
...
Formatting as well as adding a missing defer
Issue gh-15699
2024-10-07 16:39:54 -07:00
2ca2e56383
Add Reactive One-Time Token Login support
...
Closes gh-15699
2024-10-07 16:39:54 -07:00
de104e22b7
Update javaDoc for DefaultOneTimeTokenSubmitPageGeneratingFilter
2024-10-02 15:31:43 -05:00
7fcb42b537
Fix typo of createDefaultRequestMacher in WebSessionServerRequestCache
...
createDefaultRequestMacher -> createDefaultRequestMatcher
2024-09-30 15:24:40 -07:00
a88a7744ed
Require GeneratedOneTimeTokenHandler on constructor
...
Issue gh-15114
2024-09-17 08:21:26 -03:00
7e41785dfc
Remove trailing spaces in default UIs
...
- Default UIs had blank lines with only spaces. These get deleted by the
spring-javaformat plugin. In order to avoid this behavior, an extra \s
had been inserted in the tests. The reason for those \s is not obvious.
- This commit cleans up the \s but changing the HTML templates.
2024-09-11 10:44:45 -07:00
98975a9b83
Add runtime hints for CSS resource
2024-09-10 12:46:13 -07:00
2405a5b680
Remove CssUtils
2024-09-10 12:46:13 -07:00
c1b9035544
Use static CSS in OneTimeToken default UI
2024-09-10 12:46:13 -07:00
e958ff2d4a
Use static CSS in reactive default UI
2024-09-10 12:46:13 -07:00
45d53973ab
Serve static content (css, js) for reactive default UIs from DefaultResourcesWebFilter
2024-09-10 12:46:13 -07:00
11616a1d78
Use static CSS in servlet default UI
2024-09-10 12:46:13 -07:00
c5c5cd5ed0
Serve static content (css, js) for default UIs from DefaultResourcesFilter
2024-09-10 12:46:13 -07:00
2ff29dc229
Throw AuthorizationDeniedException when AuthorizationResult is available
...
Closes gh-15706
2024-09-10 09:14:50 -03:00
4660e042d9
Remove unused <script> and <noscript> tags in One-Time-Token submit page
2024-09-06 09:13:30 -03:00
528d739a60
Use contextPath in One-Time-Token default submit UI
2024-09-06 09:13:30 -03:00
ef31ae1a98
Render One Time Token UIs using lightweight templates
2024-09-05 15:02:42 -07:00
a642a1bb66
Render reactive default UIs using lightweight templates
2024-09-05 15:02:42 -07:00
8d47906191
Render default UIs using lightweight templates
2024-09-05 15:02:42 -07:00
33495441b5
Hardcode ott-username input name in DefaultLoginPageGeneratingFilter
...
- GenerateOneTimeTokenFilter uses `"username"`, the default UI should use the same parameter name
2024-09-05 09:42:45 -03:00
00e4a8fb54
Add support for One-Time Token Login
...
Closes gh-15114
2024-09-03 10:07:56 -03:00
5c56bddbdd
Polish log message
2024-09-03 09:43:37 -03:00
008cbc2cae
Add cookie customizer to CookieRequestCache and CookieServerRequestCache
...
Issue gh-15204
2024-09-03 09:41:30 -03:00
626610a975
Polish Annotation API
...
Rename to a class that isn't focused on the synthesis implementation detail.
Also add Security to the front of the name to clarify that it is only intended
for security annotations, reminiscent of SecurityMetadataSource.
Refine method signatures to better articulate supported use cases.
Issue gh-15286
2024-08-30 08:51:49 -06:00
095929f6e8
Include FilterChain in SessionInformationExpiredEvent
...
Closes gh-14077
2024-08-29 13:12:27 -03:00
ed16c86115
Improve @CurrentSecurityContext meta-annotations
...
Closes gh-15551
2024-08-13 13:18:15 -06:00
08b8b09066
Update Copyright
...
Issue gh-15286
2024-08-10 11:48:14 -06:00
2c02d8aec7
Update Copyright
2024-08-10 11:46:51 -06:00
9aaf959400
Improve @AuthenticationPrincipal meta-annotations
...
Closes gh-15286
2024-08-10 11:46:51 -06:00
bc8ba7f3b7
Inline CSS for default login and logout page
...
- Remove the dependency on Bootstrap CSS. Results in faster load times, no failures
in air-gapped or offline scenarios, and no dependency on an external CDN that may
go away some day.
2024-08-05 09:27:18 -05:00
4169c0cf36
Publish Constants for Firewall Header and Parameter Predicates
...
Introduced public static final Predicates for allowed header names,
header values, parameter names, and parameter values for building
expressions.
Closes gh-13639
2024-07-18 17:24:38 -07:00
773e86701e
Add ParameterRequestMatcher
...
Closes gh-15342
2024-07-02 15:17:54 -06:00
9f0b2a29ee
Merge branch '6.3.x'
2024-07-01 11:43:19 -06:00
8917cdb404
Improve Performance of IPv4 Check
...
Closes gh-15324
2024-07-01 11:40:28 -06:00
44f9396bad
Add support remember-me cookie customization
...
Closes gh-14990
2024-06-05 11:47:20 -03:00
1e4aff2bdb
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15186
2024-05-31 19:02:31 -05:00
3fc7b6e921
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15185
2024-05-31 18:34:14 -05:00
dcb8c563e8
Fix ArrayIndexOutOfBoundsException
...
Issue gh-13310
Closes gh-15184
2024-05-31 18:12:21 -05:00
7288fecc24
Verify ipAddress Not A Hostname
...
Closes gh-15172
2024-05-30 17:50:56 -06:00
6956ed693c
Polish DefaultSecurityFilterChain Logs
...
Reuse String manipulation logic in Spring Framework
Compress whitespace
Closes gh-15096
2024-05-23 12:20:14 -06:00
ac9bdf5cbf
Change DefaultSecurityFilterChain logging to DEBUG level and simplify filter log
...
- Change DefaultSecurityFilterChain logging level from INFO to DEBUG to align with FilterChainProxy.
- Log filter class names instead of the toString() of filter.
2024-05-23 12:02:35 -06:00
0acf6cca6e
Merge branch '6.2.x'
...
Closes gh-15149
2024-05-23 14:05:06 -03:00
47ad405063
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15148
2024-05-23 14:04:35 -03:00
c7b739eb3f
Fix broken link to jaspan article
...
Closes gh-14358
2024-05-23 14:04:10 -03:00
927840fe88
Do Not Invalidate Current Session When It Is Registered
...
Closes gh-15066
2024-05-14 10:01:54 -03:00
08f11f06ab
Revert unnecessary commits from main
...
Issue gh-15016
2024-05-08 13:49:18 -03:00
b3c7f3ff19
Rename CompromisedPasswordCheckResult to CompromisedPasswordDecision
...
Issue gh-7395
2024-04-30 08:38:03 -03:00
36cd48474d
Merge branch '6.2.x'
2024-04-17 17:01:24 -06:00
3887f33f81
Merge branch '6.1.x' into 6.2.x
2024-04-17 17:01:03 -06:00
61df8e493d
Merge branch '5.8.x' into 6.1.x
2024-04-17 17:00:24 -06:00
470e2c5c97
Address Build Issues
...
Issue gh-14837
2024-04-17 16:59:40 -06:00
ff473313df
Merge branch '6.2.x'
2024-04-17 16:45:47 -06:00
f16a434f0c
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14922
2024-04-17 16:45:30 -06:00
ade45771b2
Merge branch '5.8.x' into 6.1.x
...
Closes gh-14921
2024-04-17 16:44:50 -06:00
657760af5b
Improve Logging
...
Closes gh-14837
2024-04-17 16:43:29 -06:00
61eba00654
Move HaveIBeenPwnedRestApiPasswordChecker to spring-security-web
...
Prior to this commit, the implementation was placed in spring-security-core, however we do not want to introduce a dependency on spring-web and spring-webflux for that module.
Issue gh-7395
2024-04-10 14:58:01 -03:00
f689f3c3fc
Fix continueOnError default value in java doc
...
Closes gh-14870
2024-04-10 13:28:06 -03:00
7faae83ebb
docs: fix typo
2024-04-08 14:44:12 -03:00
c439cfef0f
Merge branch '6.1.x' into 6.2.x
2024-03-21 17:24:34 -06:00
ce9f1821b1
Improve logging in AuthenticationWebFilter
...
Closes #14091
2024-03-21 17:24:10 -06:00
091976fffb
Improve logging in AuthenticationWebFilter
...
Closes #14091
2024-03-21 17:22:35 -06:00
c0928bf198
Add DelegatingAuthenticationConverter
...
Closes gh-14644
2024-03-13 14:33:45 -06:00
8885707674
Add DelegatingServerAuthenticationConverter
...
Closes gh-14644
2024-03-05 08:21:59 -07:00
bd345fb2a8
Polish gh-11758
2024-02-29 12:15:30 -06:00
5c5503924b
Add SwitchUserGrantedAuthorityMixIn
...
Closes gh-11775
2024-02-29 11:07:21 -06:00
f8ff056eb6
Update Max Sessions on WebFlux
...
Delete WebSessionStoreReactiveSessionRegistry.java and gives the responsibility to remove the sessions from the WebSessionStore to the handler
Issue gh-6192
2024-02-28 10:06:45 -03:00
a5ce8ae87f
Polish Max Sessions on WebFlux
...
This commit changes the PreventLoginServerMaximumSessionsExceededHandler to invalidate the WebSession in addition to throwing the error, this is needed otherwise the session would still be saved with the security context. It also changes the SessionRegistryWebSession to first perform the operation on the delegate and then invoke the needed method on the ReactiveSessionRegistry
Issue gh-6192
2024-02-27 11:12:50 -03:00
4d039e515f
Merge branch '6.2.x'
2024-02-22 13:21:22 -07:00
9c48546883
Merge branch '6.1.x' into 6.2.x
2024-02-22 13:21:14 -07:00
7f106f0419
Merge branch '5.8.x' into 6.1.x
2024-02-22 13:20:29 -07:00
5f80468de3
Updated copyright date
2024-02-22 13:19:05 -07:00
2f762fefe1
Allow tab in HTTP header values.
...
Closes gh-14573
2024-02-22 13:19:05 -07:00
21580fd27d
Merge branch '6.2.x'
2024-02-16 13:31:20 -03:00
15306c1007
Merge branch '6.1.x' into 6.2.x
2024-02-16 13:21:15 -03:00
750cb30ce4
Add AuthenticationTrustResolver.isAuthenticated
2024-02-16 13:08:29 -03:00
aa8178af65
Merge branch '6.2.x'
2024-02-07 08:53:16 -07:00
0cadabfa89
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14568
2024-02-07 08:52:47 -07:00
75fdcd10f7
Use synchronized
...
Closes gh-14445
2024-02-07 08:48:49 -07:00
915d68e216
Remove includeExpiredSessions parameter
...
The reactive implementation of max sessions does not keep track of expired sessions, therefore we do not need such parameter
Issue gh-6192
2024-02-06 10:43:00 -03:00
c1adeef0da
Add validation IpAddressMatcher
...
Closes gh-13621
2024-01-30 17:16:18 -07:00
6e1bcfed11
Add argument resolver for SecurityContext
...
Closes gh-13425
2024-01-29 17:30:38 -07:00
a808c139ad
Enhance IpAddressMatcher performance
...
Closes gh-14493
Signed-off-by: ahmd-nabil <ahm3dnabil99@gmail.com>
2024-01-29 17:28:19 -07:00
6df9ef5ba6
Fix wrong class name in JavaDoc
...
In the `ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.Builder` class the JavaDoc comments mention the wrong class name. This commit fixes this.
2024-01-19 09:29:07 -07:00
06278157fa
Merge branch '6.2.x'
...
Closes gh-14471
2024-01-17 16:16:40 -03:00
148e0b41d2
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14470
2024-01-17 16:16:27 -03:00
ce5f5e6e33
Add native hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken
...
Closes gh-14397
2024-01-17 16:14:59 -03:00
d7a9a19161
Merge branch '6.2.x'
2023-12-18 11:47:39 -07:00
03e48905c7
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14346
2023-12-18 11:47:23 -07:00
b855ccdb09
Merge branch '5.8.x' into 6.1.x
...
Closes gh-14345
2023-12-18 11:46:04 -07:00
eaaa813ede
Fix header value typo
...
Closes gh-11948
2023-12-18 10:42:50 -07:00
8a34e32a24
Polish IpAddressAuthorizationManager
...
Closes gh-10577
2023-12-15 16:54:58 -07:00
ea7c720ce7
Add hasIpAddress to Kotlin DSL
...
Closes gh-10577
2023-12-15 16:54:58 -07:00
465642828a
Merge branch '6.2.x'
...
Add HandlerMappingIntrospector Caching
Closes gh-14333
2023-12-14 16:11:08 -06:00
6dd29520b0
Merge branch '6.1.x' into 6.2.x
...
Add HandlerMappingIntrospector Caching
Closes gh-14332
2023-12-14 16:10:50 -06:00
70dfb3d391
Add HandlerMappingIntrospector Caching
...
Closes gh-14128
2023-12-14 16:08:36 -06:00
57ab15127a
Add Max Sessions on WebFlux
...
Closes gh-6192
2023-12-11 09:48:34 -03:00
cad6689659
Merge remote-tracking branch 'origin/6.1.x'
2023-11-15 09:28:28 -07:00
187ef0e1a8
Merge branch '6.0.x' into 6.1.x
...
Closes gh-14146
2023-11-15 09:26:59 -07:00
18530c8dcd
Add PhasedObservation
...
Observation itself does not protect against start and stop being called
multiple times. This commit aligns all observation instances to instead
use an implementation that does have these guards in place.
Closes gh-14082
2023-11-15 09:22:41 -07:00
e920bfb3a2
Merge branch '6.1.x'
...
Closes gh-14138
2023-11-14 10:56:57 -03:00
921afba134
Use addCookie instead of addHeader in CookieCsrfTokenRepository
...
By using addCookie we make sure that configured Tomcat's CookieProcessors are invoked
Closes gh-14131
2023-11-14 10:56:24 -03:00
621ab3e7cb
Merge remote-tracking branch 'origin/6.1.x'
2023-11-07 17:33:09 -07:00
bcef8f98aa
Merge branch '6.0.x' into 6.1.x
...
Closes gh-14117
2023-11-07 17:32:51 -07:00
4990373cf9
Merge branch '5.8.x' into 6.0.x
...
Closes gh-14116
2023-11-07 17:22:36 -07:00
52675c80b3
Check For Null Exception Message
...
Closes gh-13768
2023-11-07 17:19:35 -07:00
d0a5ada2da
Fix formatting
2023-10-31 15:38:44 -05:00
447f40949c
Revert unnecessary merges on 6.1.x
...
This commit removes unnecessary main-branch merges starting from
9f8db22b774d6ff49b9ded6ff670d1c823b0079444fad21363
2023-10-31 15:22:15 -05:00
9db33f33c7
Revert unnecessary merges on 6.0.x
...
This commit removes unnecessary main-branch merges starting from
8750608b5b5dce82c48b
2023-10-31 15:11:45 -05:00
318dec845a
Update obsolete comment reference (former name of the class)
2023-10-31 09:48:43 -03:00
ed6ff670d1
Add Test
...
Issue gh-13660
2023-10-30 17:49:58 -06:00
4d6ff49b9d
Removed dash from micrometer metric label
...
Closes gh-13660
2023-10-30 17:49:58 -06:00
5dce82c48b
Close Both Observations
...
Depending on when a request is cancelled, the before and after observation
starts and stops may be called out of order due to the order in
which their doOnCancel handlers are invoked.
To address this, the before filter-wrapper now always closes both the
before observation and the after observation. Since the before filter-
wrapper wraps the entire request, this ensures that either that was
started is stopped, and either that has not been started yet cannot
inadvertently be started by any unexpected ordering of events that
follows.
Closes gh-14031
2023-10-30 16:32:11 -06:00
d9399dfda0
Allow redirect status code to be customized
...
Closes gh-12797
2023-10-16 13:55:52 -06:00
2638555e53
Allow redirect strategy to be customized
...
Closes gh-12795
2023-10-16 13:55:52 -06:00
7e9d707c7d
Allow customize the AuthenticationConverter in BasicAuthenticationFilter
...
Closes gh-13988
2023-10-11 08:42:45 -03:00
cef882b84e
Merge branch '6.1.x'
2023-10-02 18:11:50 -06:00
d8eadd2207
Replace deprecated method
...
Replace HttpMethod.resolve() to HttpMethod.valueOf()
2023-10-02 17:49:39 -06:00
07b6c451fd
Merge branch '6.1.x'
...
Closes gh-13884
2023-09-29 11:47:38 -03:00
8adfc9b463
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13883
2023-09-29 11:46:48 -03:00
92c82191c9
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13882
2023-09-29 11:46:00 -03:00
64e2a2ff8b
Apply updated Code Style
...
Closes gh-13881
2023-09-29 11:44:32 -03:00
ff374935fb
Verify ReactorContext when using Virtual Threads
...
Closes gh-12791
2023-09-25 12:01:31 -05:00
ecf8467cac
Fix tests on JDK 21
...
Issue gh-12790
Issue gh-13811
2023-09-19 10:39:04 -05:00
d48b8697bd
Fix mockito usage
...
Issue gh-13810
2023-09-19 10:39:04 -05:00
d6ff58bb7f
Update Mockito to 5.5.0
...
Closes gh-13810
2023-09-19 10:39:03 -05:00
a052e2effb
Merge branch '6.1.x'
...
Closes gh-13821
2023-09-14 21:26:05 +01:00
7fcf44f8d9
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13820
2023-09-14 21:25:48 +01:00
18e88366d2
Resolve The matchingRequestParameterName From The Query String
...
Prior to this commit, the ServletRequest#getParameter method was used in order to verify if the matchingRequestParameterName was present in the request. That method has some side effects like interfering in the execution of the ServletRequest#getInputStream and ServletRequest#getReader method when the request is an HTTP POST (if those methods are invoked after getParameter, or vice-versa, the content won't be available). This commit makes that we only use the query string to check for the parameter, avoiding draining the request's input stream.
Closes gh-13731
2023-09-14 21:25:25 +01:00
2a1cf98b80
Update Copyright and Formatting
...
Issue gh-13615
2023-09-12 16:20:28 -06:00
5e715c5297
Improve StrictHttpFirewall Error Messaging
...
Better error strings for invalid header and parameter values.
Closes gh-13615
2023-09-12 16:20:28 -06:00
9df9cb5aed
refactor: AssertJ best practices
...
Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/bGVuS?organizationId=RGVmYXVsdA%3D%3D
Co-authored-by: Moderne <team@moderne.io>
2023-09-12 16:18:14 -06:00
36a488a360
Merge branch '6.1.x'
...
Closes gh-13797
2023-09-12 16:22:31 +01:00
b80a1de9fa
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13796
2023-09-12 16:22:04 +01:00
db37bdfe94
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13795
2023-09-12 16:21:48 +01:00
ce012a4661
CookieRequestCache Should Preserve Request Locale
...
Closes gh-13792
2023-09-12 16:21:27 +01:00
d23b231ac3
Merge branch '6.1.x'
...
Closes gh-13760
2023-08-31 10:16:30 -03:00
b64d5395c5
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13759
2023-08-31 10:16:07 -03:00
629540f9d8
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13758
2023-08-31 10:12:59 -03:00
96d1763fc4
WWW-Authenticate header should not be added twice
...
Closes gh-13737
2023-08-31 10:07:10 -03:00
0d70a7f508
Merge branch '6.1.x'
...
Closes gh-13748
2023-08-28 17:04:25 -06:00
a4d8c62ad7
withHttpOnlyCookie defaults to false
...
Closes gh-13659
2023-08-28 16:58:28 -06:00
985e569685
Polish gh-13608
2023-08-10 17:30:54 -05:00
6353d90047
Add integrity attribute for signin.css
...
Closes gh-13486
2023-08-10 17:30:52 -05:00
82c0ddc56d
Polish
...
- Add Reactive equivalent
- Update copyright
Issue gh-13310
2023-08-07 17:57:02 -06:00
e21da061d3
Suppress ArrayIndexOutOfBoundsException in XorCsrfTokenRequestAttributeHandler
...
Closes gh-13310
2023-08-07 17:57:02 -06:00
75e0068925
Merge branch '6.1.x'
2023-08-07 16:03:55 -06:00
bcd4dcc15c
Refactor equals method
...
Using the accessor method for fields instead of directly access
2023-08-07 16:00:18 -06:00
ea19f82b8a
Using pattern matching for instanceof
2023-08-07 16:00:18 -06:00
beab899c3d
Fix Import Order
2023-08-07 15:56:38 -06:00
94c80bc2c6
Remove redundant code.
2023-08-07 15:01:52 -06:00
0d4e3f939a
Clean up SavedRequestAwareWrapper and related test
2023-08-07 14:56:39 -06:00
07f737b989
Return content-type from saved request
2023-08-07 14:56:39 -06:00
8f5793afb1
Merge branch '6.1.x'
2023-07-17 09:17:10 -03:00
aaa31312bd
Merge branch '6.0.x' into 6.1.x
2023-07-17 09:16:45 -03:00
cbef118026
Merge branch '5.8.x' into 6.0.x
2023-07-17 09:16:20 -03:00
a939f17890
Merge branch '5.7.x' into 5.8.x
2023-07-17 09:15:56 -03:00
fe9bc26bdc
Merge branch '5.6.x' into 5.7.x
2023-07-17 09:13:28 -03:00
7813a9ba26
Use default PathPatternParser instance
2023-07-17 09:12:28 -03:00
b0022a0ae8
Update Mockito Usage
...
Issue gh-13542
2023-07-14 18:44:34 -06:00
6c3636d780
Update Removed Usages
...
Issue gh-13544
2023-07-14 18:38:58 -06:00
1637b5c071
Merge branch '6.1.x'
...
Closes gh-13483
2023-07-10 16:18:02 -06:00
c58e0dd113
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13482
2023-07-10 16:17:13 -06:00
83c0f4231e
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13481
2023-07-10 16:13:04 -06:00
40d61743b9
Replace Existing Continue Parameter
...
Closes gh-13438
2023-07-10 16:12:05 -06:00
72698680e2
Merge branch '6.1.x'
...
Closes gh-13466
2023-07-07 14:36:08 -03:00
230977d7ef
Merge branch '6.0.x' into 6.1.x
...
Closes gh-13465
2023-07-07 14:35:52 -03:00
863aa5f65f
Fix Documented Default Value for AuthorizationFilter properties
...
Closes gh-13456
2023-07-07 14:35:11 -03:00
2dee6218b5
Create NoOpAccessDeniedHandler
...
Closes gh-13109
2023-06-27 14:44:40 -03:00
e35faa84f7
Create NoOpAuthenticationEntryPoint
...
Closes gh-13107
2023-06-27 14:44:40 -03:00
52e12ad64b
Replace deprecated methods
2023-06-22 13:19:55 -06:00
0cefb27928
Simplify RequestMatcherDelegatingAuthorizationManager.Builder matcher registration
...
Closes gh-11624
2023-06-22 16:07:30 -03:00
dd469ac2a0
Assert is missing object. It was useless before Spring Framework 6.1, and will not compile on 6.1
2023-06-22 12:11:40 -06:00
9b603b99ab
Using modern Java features
2023-06-22 11:24:25 -06:00
7e01ebdd92
Remove LazyCsrfTokenRepository usage
...
Closes gh-13194
2023-06-22 11:23:35 -06:00
aeeed6c368
Merge branch '6.0.x'
...
Closes gh-13279
2023-06-05 12:49:09 -06:00
45683349a4
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13278
2023-06-05 12:48:43 -06:00
9ac286e8ea
Merge branch '5.7.x' into 5.8.x
...
Closes gh-13231
2023-06-05 12:47:23 -06:00
06e58e4c34
Update JavaDoc of BasicAuthenticationFilter
...
Remove deprecated hint to use Digest Auth in favor of Basic Auth.
2023-06-05 12:46:30 -06:00
bb7c7d3554
Merge branch '6.0.x'
2023-05-24 15:00:44 -03:00
ce5aa9e694
Merge branch '5.8.x' into 6.0.x
2023-05-24 15:00:17 -03:00
f8e39336cb
Merge branch '5.7.x' into 5.8.x
2023-05-24 14:59:27 -03:00
a53cbb838b
Polish
...
Issue gh-13155
2023-05-24 14:59:16 -03:00
8287289bcb
Fix XContentTypeOptionsServerHttpHeadersWriter
...
set constant value to X-Content-Type-Options
Closes gh-13155
2023-05-24 14:59:14 -03:00
17a58194c1
Merge branch '6.0.x'
2023-05-18 09:33:12 -06:00
4c5bf3bdf5
Polish
...
Use StringUtils#hasText
PR gh-13179
2023-05-18 09:17:02 -06:00
af233a2a00
Use consistent list of micrometer tags in web observation handler
...
The tag `spring.security.reached.filter.name` is only set if a
filter-name is available, otherwise the tag is omitted entirely. This
leads to issues with metric-exporters that don't support dynamic tags,
but rather expect tag-names of a metric to be always the same. The most
prominent example is the Prometheus-exporter.
Instead of omitting the tag if no filer-name is set, a none-value is
applied instead, making the tag-list consistent in all cases
Closes gh-13179
2023-05-18 09:17:02 -06:00
a4e13c520b
Merge branch '6.0.x'
...
Closes gh-13150
2023-05-10 16:15:13 -06:00
e033e347b4
Remove Redundant Close
...
Closes gh-12787
2023-05-10 16:12:34 -06:00
cdcc2d31d1
Merge branch '6.0.x'
...
Closes gh-13145
2023-05-08 14:19:15 -06:00
5d903b5b71
Enforce start happens-before stop
...
Closes gh-13133
2023-05-08 14:07:05 -06:00
07b884a2cb
Add Set-Cookie header value for XSRF-TOKEN
...
This commit fixes an issue where using HttpServletResponse#setHeader
causes previous header values to be overwritten.
Closes gh-13075
2023-04-25 15:15:02 -05:00
04b3d07319
Merge branch '6.0.x'
2023-04-17 07:30:54 -03:00
a484044591
Merge branch '5.8.x' into 6.0.x
2023-04-17 07:29:42 -03:00
6cf8c53aaa
Merge branch '5.7.x' into 5.8.x
2023-04-17 07:16:47 -03:00
2d52fb8e4b
Clear Repository on Logout
2023-04-17 06:47:57 -03:00
01d1e20dc3
Deprecate shouldFilterAllDispatcherTypes
...
Closes gh-12138
2023-04-13 15:05:10 -03:00
02345b97ff
Polish Observation Event Names
...
Issue gh-12811
2023-04-11 19:10:27 -06:00
59ba7f5388
Shorten Observation Event Names
...
Closes gh-12811
2023-04-11 19:10:27 -06:00
b3c83440bd
Merge branch '6.0.x'
...
Closes gh-13001
2023-04-11 17:09:21 -06:00
4813ec1e09
Merge branch '5.8.x' into 6.0.x
...
Closes gh-13000
2023-04-11 17:08:54 -06:00
dad1fba1bf
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12999
2023-04-11 17:02:16 -06:00
442faccb5f
Avoid NPE in FilterInvocation
...
Handle unknown headers in dummy request wrapper.
Closes gh-12998
2023-04-11 17:01:59 -06:00
d3c22a0de3
Merge branch '6.0.x'
...
Closes gh-12934
2023-03-27 16:31:29 -06:00
6db2b0dcd0
Align Filter Chain Observability Lineage
...
Closes gh-12849
2023-03-27 16:30:32 -06:00
6791f3208e
Add factory class for RequestMatcher composition
...
Closes gh-12751
2023-03-27 16:26:23 -06:00
ff06108572
Merge branch '6.0.x'
...
Closes gh-12920
2023-03-22 08:55:38 -03:00
177514b6c5
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12919
2023-03-22 08:54:57 -03:00
8d664bc4c2
DelegatingSecurityContextRepository should call loadContext
...
Closes gh-12314
2023-03-22 08:53:19 -03:00
5e8c68187b
Merge branch '6.0.x'
2023-03-20 16:29:08 -06:00
3fbb64db96
Fix javax package
2023-03-20 16:28:52 -06:00
229325a0bb
Merge branch '5.8.x' into 6.0.x
2023-03-20 16:22:23 -06:00
a74008cc79
Merge branch '5.7.x' into 5.8.x
2023-03-20 16:20:46 -06:00
3d7e22a4e9
Add test to SimpleUrlAuthenticationSuccessHandlerTests
2023-03-20 16:20:30 -06:00
391f00af1d
Merge branch '6.0.x'
...
Closes gh-12910
2023-03-20 16:10:57 -06:00
6935045172
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12909
2023-03-20 16:10:35 -06:00
abd51f7b63
Polished DefaultLoginPageGeneratingFilterTests Validation
...
Closes gh-12694
2023-03-20 15:31:59 -06:00
9bba1a1c6b
Propagate Variables in And and OrRequestMatcher
...
Closes gh-12847
2023-03-17 18:00:02 -06:00
dd9ab953e3
Merge branch '6.0.x'
...
Closes gh-12837
2023-03-07 13:29:07 -03:00
cdc0fa0e5b
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12836
2023-03-07 13:28:31 -03:00
2e92dad761
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12835
2023-03-07 13:27:57 -03:00
84cca81edf
Use HttpSessionSecurityContextRepository by default in SwitchUserFilter
...
Closes gh-12834
2023-03-07 13:27:18 -03:00
69606fd5a2
Merge branch '6.0.x'
...
Closes gh-12831
2023-03-06 12:47:55 -07:00
c06e604278
Address Observability Thread Safety
...
Closes gh-12829
2023-03-06 12:46:23 -07:00
28d353d731
Extract errorMessage from generateLoginPageHtml
2023-02-15 17:18:26 -07:00
ae23e3f5f4
Use instanceof pattern matching in initAuthFilter
2023-02-15 17:18:26 -07:00
99eacf2f0b
Change private static method to private methods
2023-02-15 17:18:26 -07:00
1ca4781923
Merge branch '6.0.x'
2023-02-14 08:25:29 -07:00
8ca726f4fa
Specify query string
...
Issue gh-12665
2023-02-14 08:24:07 -07:00
e7d65966fd
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12671
2023-02-14 08:01:31 -07:00
0d4c619648
Include continue in query string
...
Closes gh-12665
2023-02-14 08:00:19 -07:00
073dab3bf6
Refactor SavedCookie for Cookie's deprecated method
...
Closes gh-12454
2023-02-01 12:33:45 -07:00
a855b33535
fix typo in RememberMeAuthenticationFilter
2023-02-01 12:33:45 -07:00
6abbdd3654
Merge branch '6.0.x'
2023-01-26 15:55:41 -06:00
1363a4eece
Merge branch '5.8.x' into 6.0.x
2023-01-26 15:44:47 -06:00
c306df9b46
Add XorCsrfChannelInterceptor
...
Issue gh-12378
2023-01-23 16:00:35 -06:00
879770a0f6
Polish AbstractAuthenticationTargetUrlHandler
...
Issue gh-12344
2023-01-18 08:30:57 -07:00
6b8a778da8
Rework determineTargetUrl for Readability
...
Closes gh-12344
2023-01-18 08:30:57 -07:00
58e948a781
Test AbstractAuthenticationTargetUrlRequestHandler
...
Issue gh-12344
2023-01-18 08:30:57 -07:00
62b58d2c92
Polish gh-12530
2023-01-17 15:05:56 -06:00
c77c76e722
Relax final modifiers on AbstractRememberMeServices methods
...
Closes gh-12145
2023-01-17 15:05:09 -06:00
f9d674cb10
Merge branch '6.0.x'
...
Closes gh-12525
2023-01-11 10:14:01 -07:00
4d2dab9b6b
Lookup Parent Observation
...
Closes gh-12524
2023-01-11 10:13:33 -07:00
5f89f39627
Merge branch '6.0.x'
...
Closes gh-12515
2023-01-10 11:34:34 -06:00
4e80338a9b
Polish gh-12466
2023-01-10 11:31:51 -06:00
2c8854bb7f
Adjusts setRequestHandler javadoc in CsrfFilter
...
Adjusts setRequestHandler method javadoc in CsrfFilter class to reflect
changes in 6.0.
In 6.0, the default CsrfTokenRequestHandler changed to
XorCsrfTokenRequestAttributeHandler, however, the javadoc for the
setRequestHandler method still said it was
CsrfTokenRequestAttributeHandler.
This change adjusts the information to make it more accurate, because,
although XorCsrfTokenRequestAttributeHandler is a subclass of
CsrfTokenRequestAttributeHandler, the behavior is quite different.
Closes gh-12464
2023-01-10 11:31:51 -06:00
556891b4fa
Merge branch '6.0.x'
...
Closes gh-12512
2023-01-10 09:43:05 -03:00
d1fc789ae2
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12511
2023-01-10 09:42:48 -03:00
ae46032ced
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12510
2023-01-10 09:39:40 -03:00
ffdb397830
Save the SecurityContext when switching user
...
Closes gh-12504
2023-01-10 09:27:56 -03:00
f3ce04e59a
Merge branch '6.0.x'
...
Closes gh-12493
2023-01-06 11:15:03 -07:00
c308e4665a
Polish Event Name
...
Provide a name with no spaces separate from the human-friendly
one with spaces.
Closes gh-12490
2023-01-06 11:13:11 -07:00
c0fe74869f
Merge branch '6.0.x'
...
Closes gh-12484
2023-01-04 10:54:10 -07:00
27b3f4d403
Adjusts setRequestHandler javadoc in CsrfWebFilter
...
Adjusts setRequestHandler method javadoc in CsrfWebFilter class to reflect changes in 6.0.
In 6.0, the default ServerCsrfTokenRequestHandler changed to XorServerCsrfTokenRequestAttributeHandler, however, the javadoc for the setRequestHandler method still said it was ServerCsrfTokenRequestAttributeHandler.
This change adjusts the information to make it more accurate, because, although XorServerCsrfTokenRequestAttributeHandler is a subclass of ServerCsrfTokenRequestAttributeHandler, the behavior is quite different.
Closes gh-12465
2023-01-04 10:53:47 -07:00
c2d0ea3694
Merge branch '6.0.x'
...
Closes gh-12369
2022-12-12 16:55:32 -03:00
898c36287c
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12368
2022-12-12 16:55:14 -03:00
99d6d21554
Apply SecurityContextHolderFilter to all dispatcher types
...
Closes gh-11962
2022-12-12 11:45:24 -08:00
886d1ffec2
Remove Deprecated Usage
...
Issue gh-12086
2022-12-05 11:00:57 -07:00
8ef2fc3837
Format
...
Issue gh-12086
2022-12-05 10:51:42 -07:00
8717b7544a
Perform JUnit 5 clean up tasks
...
- For CookieCsrfTokenRepositoryTests and
CookieServerCsrfTokenRepositoryTests
Issue gh-12086
2022-12-05 10:51:41 -07:00
b79ba89eeb
Add setCookieCustomizer to csrf token repository
...
- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and
setSecure as deprecated.
- Add the method setCookieCustomizer which allows to set properties
to the ResponseCookieBuilder without having to add new setter methods.
Closes gh-12086
2022-12-05 10:51:40 -07:00
701f754e37
Cast FilterChainObservationContext Safely
...
Closes gh-12268
2022-11-29 16:24:56 -07:00
fd547321e8
Default to XorCsrfTokenRequestAttributeHandler
...
As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.
Issue gh-11960
Closes gh-12235
2022-11-18 22:50:26 -06:00
5da78f44f2
Merge branch '5.8.x'
2022-11-18 14:54:33 -06:00
2ed7cff643
Check for existing token before clearing
...
Closes gh-12236
2022-11-18 13:12:59 -06:00
24860d9fb0
Observe Filter Start and Stop
...
Issue gh-11911
2022-11-17 15:11:29 -07:00
e08ed89403
Polish Span and Meter Names
...
Closes gh-12156
2022-11-17 15:09:52 -07:00
063f06e7bf
Register FilterChainProxy for all dispatcher types
...
Closes gh-12180
2022-11-16 09:55:21 -03:00
1a3be83084
Merge branch '5.8.x'
...
Closes gh-12185
2022-11-09 12:28:37 -06:00
57b163bb78
Polish gh-12141
2022-11-09 12:19:43 -06:00
2a261e0583
Add Jakarta WebSocket 2.1 test dependency to spring-security-web
...
Issue gh-12148
2022-11-08 09:54:34 -03:00
3b5d19c8a4
Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1
...
Closes gh-12146
Closes gh-12148
2022-11-08 08:34:21 -03:00
36f668dd9c
Merge branch '5.8.x'
...
Closes gh-12142
2022-11-04 18:12:34 -05:00
6b0ed0205b
Re-generate tokens in CookieCsrfTokenRepository
...
Fixes support for re-generating tokens within a request such as when
CsrfAuthenticationStrategy removes a null token and saves an empty
cookie value on the response.
Closes gh-12141
2022-11-04 18:10:15 -05:00
801ceb0832
Merge branch '5.8.x'
2022-10-31 08:58:14 -05:00
66f2f1cde7
Merge branch '5.7.x' into 5.8.x
2022-10-31 08:55:03 -05:00
2915a70bf7
Merge branch '5.6.x' into 5.7.x
2022-10-28 13:05:48 -05:00
6530777742
Merge branch '5.5.x' into 5.6.x
...
Closes gh-dry-run
2022-10-28 11:31:50 -05:00
1f481aafff
Fix AuthorizationFilter incorrectly extending OncePerRequestFilter
...
Closes gh-12102
2022-10-28 11:29:35 -05:00
d651da5ac3
Merge remote-tracking branch 'origin/5.8.x'
...
Closes gh-12077
2022-10-24 16:54:03 -06:00
dd30694979
Merge remote-tracking branch 'origin/5.7.x' into 5.8.x
...
Closes gh-12076
2022-10-24 16:46:08 -06:00
2b426872a3
Use InetSocketAddress#getHostString
...
Sometimes InetSocketAddress#getAddress#getHostAddress retuns null.
In that case, call InetSocketAddress#getHostString instead.
There is no performance loss since IpAddressMatcher#matches attemptsi
to re-parse and resolve the address anyway.
Closes gh-11888
2022-10-24 16:32:19 -06:00
8554e70c09
Remove deprecated loadContext(request)
...
Closes gh-12048
2022-10-17 20:13:51 -05:00
e238b721bb
Fix imports in DelegatingSecurityContextRepository
...
Issue gh-12023
2022-10-17 19:36:25 -05:00
bd43c1f28a
Merge branch '5.8.x'
...
# Conflicts:
# web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
# web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
acc35aeb18
Add DelegatingSecurityContextRepository
...
Issue gh-12023
2022-10-17 19:33:58 -05:00
c75ca10900
Add DeferredSecurityContext
...
Issue gh-12023
2022-10-17 19:33:58 -05:00
f4cc27c375
Change Default for (Server)AuthenticationEntryPointFailureHandler
...
Closes gh-9429
2022-10-13 20:03:03 -06:00
5afc7cb04f
Merge remote-tracking branch 'origin/5.8.x'
2022-10-13 19:48:05 -06:00
099aaa33ff
Remove Deprecation Markers
...
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.
Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.
At that time, BearerTokenAuthenticationFilter can change to use
the handler.
Closes gh-11932
2022-10-13 19:47:22 -06:00
200b7fecd3
Add (Server)AuthenticationEntryPointFailureHandlerAdapter
...
Issue gh-11932, gh-9429
(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.
BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
2022-10-13 19:25:04 -06:00
9090f62d9b
Merge branch '5.8.x'
2022-10-13 16:46:53 -05:00
56b9badcfe
AnonymousAuthenticationFilter should cache its Supplier<SecurityContext>
...
Closes gh-11900
2022-10-13 16:44:48 -05:00
45a963a011
Remove CsrfWebFilter.setTokenFromMultipartDataEnabled
...
Closes gh-12019
2022-10-13 11:29:16 -05:00
753e113a13
RequestMatcherDelegatingAuthorizationManager defaults to deny
...
Closes gh-11958
2022-10-13 11:12:00 -04:00
2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
...
Closes gh-11960
2022-10-13 09:39:57 -05:00
2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
...
Issue gh-11960
2022-10-13 09:39:55 -05:00
6026f9f70f
Merge branch '5.8.x'
2022-10-13 06:31:37 -04:00
185991a606
Revert "Add default AuthorizationManager"
...
This reverts commit 4ddec07d0e
2022-10-13 06:18:00 -04:00
2713075d08
Mark Observations with Firewall Failures
...
Closes gh-11994
2022-10-12 20:32:24 -06:00
46ab84684b
Mark Observations with CSRF Failures
...
Closes gh-11993
2022-10-12 20:32:23 -06:00
99a87179dd
Instrument Filter Chain
...
Closes gh-11911
2022-10-12 20:32:22 -06:00
9b43950e13
Merge branch '5.8.x'
2022-10-12 13:14:20 -05:00
8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests
2022-10-12 12:31:56 -05:00
804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests
2022-10-12 12:30:40 -05:00
05e4a1dd20
Cache Xor CsrfToken
...
Closes gh-11988
2022-10-12 12:30:40 -05:00
c5e35bf32e
Merge branch '5.8.x'
...
Closes gh-11978
2022-10-10 09:24:50 -03:00
4b6fed0667
Add static factory method to AntPathRequestMather and RegexRequestMatcher
...
Closes gh-11938
2022-10-10 09:24:15 -03:00
27059ced87
Default X-Xss-Protection header value to "0"
...
Closes gh-9631
2022-10-07 17:42:55 -05:00
6753f9745e
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
# docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
f462134e87
Add reactive support for BREACH
...
Closes gh-11959
2022-10-07 16:34:17 -05:00
f4ca90e719
Add reactive interfaces for CSRF request handling
...
Issue gh-11959
2022-10-07 16:34:16 -05:00
c4d23f2b49
Use MvcRequestMatcher by default if Spring MVC is present
...
Closes gh-11899
2022-10-06 09:12:04 -03:00
353ca76973
Merge remote-tracking branch 'origin/5.8.x'
2022-10-06 00:01:40 -06:00
380a6a2564
Polish SecurityContextHolderStrategy Usage
...
- Add to HttpSessionSecurityContextRepository#saveContext
Issue gh-11060
2022-10-05 23:59:14 -06:00
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 22:48:33 -06:00
f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler
...
Issue gh-11105
2022-10-05 21:47:14 -06:00
eeb28e4f91
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 21:45:26 -06:00
4ddec07d0e
Add default AuthorizationManager
...
Closes gh-11963
2022-10-05 21:37:41 -06:00
ee9449dbfe
Fix tests for deferred CSRF tokens
...
Issue gh-4001
2022-10-05 16:10:36 -05:00
521cdfd738
Use correct servlet imports
...
Issue gh-4001
2022-10-05 16:10:35 -05:00
8b490de08d
Merge branch '5.8.x'
...
# Conflicts:
# docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
dce1c30522
Add support for BREACH
...
Closes gh-4001
2022-10-05 14:21:13 -05:00
5de6da890b
Merge branch '5.8.x'
...
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
...
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler
Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
7c3cc1e386
Merge branch '5.8.x'
2022-10-03 14:29:51 -05:00
0e215a21ad
Add X-Xss-Protection headerValue to XML config
...
Issue gh-9631
2022-10-03 14:29:34 -05:00
ad2abd39dc
Merge branch '5.8.x'
...
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
039e0328e1
Simplify Java Configuration RequestMatcher Usage
...
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity
Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
5f2744db33
Merge branch '5.8.x'
...
Closes gh-11937
2022-10-03 11:43:22 -03:00
64a19de4dc
Deprecate HPKP security header
...
Closes gh-10144
2022-10-03 11:36:19 -03:00
4479cefade
Default Require Explicit Session Management = true
...
Closes gh-11763
2022-09-30 21:49:05 -05:00
Rob Winch
Josh Cummings
xhaggi
Max Batischev
kwonyonghyun
Tran Ngoc Nhan
John Niang
Marcus Hert Da Coregio
Daniel Garnier-Moiroux
Florian Bernard
Ilpyo-Yang
DingHao
baezzys
Max Batischev
Steve Riesenberg
Joaquin Santana
erie0210
Thomas Hagelberg
Markus Heiden
Christian Becker
Rob Winch
Federico Herrera
Nermin Karapandzic
ahmd-nabil
sonallux
brunodmartins
Steve Riesenberg
Martin Lukas
Duje
Mark Chesney
Seongguk Jeong
Bjorn Harvold
Tim te Beek
Olivier Vanekem
Kevin2Jordan
1993heqiang
Jonas Bamberger
Claudio Nave
Evgeniy Cheban
Cedomir Igaly
Krzysztof Krason
Kandaguru17
Christoph Zuleger
joerg-richter-5234
Dennis Frommknecht
bvn13
Christian Marck
Christian Schuster
twosom
Dayan Kodippily
Onur Kagan Ozcan
Wellington Domiciano
Alex Montoya
David Becker
Daniel Garnier-Moiroux
Joe Grandja