root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 6 Packages Projects Releases Wiki Activity
19,341 Commits 48 Branches 362 Tags 122 MiB
Commit Graph

19341 Commits

Author SHA1 Message Date
Josh Cummings 44fef786aa Pick Up SecurityContextHolderStrategy Bean 
This commit provides the SecurityContextHolderStrategy bean to
ProviderManager instances that the HttpSecurity DSL constructs.

Issue gh-17862
 2025-09-09 14:49:13 -06:00
Josh Cummings 8468c6a805 Propagate Previous Factor to Next One 
This commit allows looking up the current authentication and applying
it to the latest authentication. This is specifically handy when
collecting authorities gained from each authentication factor.

Issue gh-17862
 2025-09-09 14:49:13 -06:00
Josh Cummings a201a2b862 Add Authentication.Builder 
This commit adds a new default method to Authentication
for the purposes of creating a Builder based on the current
authentication, allowing other authentications to be
applied to it as a composite.

It also adds Builders for each one of the authentication
result classes.

Issue gh-17861
 2025-09-09 14:49:13 -06:00
Steve Riesenberg eeb4574bb3 Add AuthorizationManagerFactory 
Signed-off-by: Steve Riesenberg <5248162+sjohnr@users.noreply.github.com>
 2025-09-09 15:36:49 -05:00
blake_bauman a4f813ab29 Support Multiple ServerLogoutHandlers 
This commit adds support to ServerHttpSecurity for registering
multiple ServerLogoutHandlers. This is handy so that an application
does not need to re-supply any handlers already configured by
the DSL.

Signed-off-by: blake_bauman <blake_bauman@apple.com>
 2025-09-05 11:47:54 -06:00
Rob Winch 686f8398dd
Merge branch '6.5.x' 2025-09-04 22:40:45 -05:00
Rob Winch 653f22d4a1
Merge branch '6.4.x' into 6.5.x 2025-09-04 22:40:08 -05:00
Rob Winch f54c293078
Bump org.springframework.data:spring-data-bom from 2024.1.8 to 2024.1.9 2025-09-04 22:39:33 -05:00
Rob Winch 34fccf45c2
Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE 2025-09-04 22:39:31 -05:00
Rob Winch f840ee06eb
Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final 2025-09-04 22:39:29 -05:00
Rob Winch 8429c23108
Bump io.micrometer:micrometer-observation from 1.14.9 to 1.14.10 2025-09-04 22:38:50 -05:00
Rob Winch 97f3567702
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.28.Final 2025-09-04 22:38:46 -05:00
dependabot[bot] 2cfdcb9d95 Bump org-opensaml5 from 5.1.5 to 5.1.6 
Bumps `org-opensaml5` from 5.1.5 to 5.1.6.

Updates `org.opensaml:opensaml-saml-api` from 5.1.5 to 5.1.6

Updates `org.opensaml:opensaml-saml-impl` from 5.1.5 to 5.1.6

---
updated-dependencies:
- dependency-name: org.opensaml:opensaml-saml-api
  dependency-version: 5.1.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.opensaml:opensaml-saml-impl
  dependency-version: 5.1.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-04 22:37:50 -05:00
dependabot[bot] 3c344ff491 Bump com.webauthn4j:webauthn4j-core 
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.5.RELEASE to 0.29.6.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.5.RELEASE...0.29.6.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.6.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-04 22:37:36 -05:00
Josh Cummings f30cc9c5a9
Update to PropertySourcesPlaceholderConfigurer 
This commit replaces deprecated usage of PropertyPlaceholderConfigurer
in favor of PropertySourcesPlaceholderConfigurer
 2025-09-04 11:32:04 -06:00
Josh Cummings c64b086878
Add SecurityAssertions 
This commit introduces a simple, internal test API for
verifying aspects of an Authentication, like its name
and authorities.

Closes gh-17844
 2025-09-03 17:53:42 -06:00
Josh Cummings de10e08348
Make withRoles Check Only Roles 
This commit clarifies the semantics of withRoles,
which is to check the role-based authorities in an
authentication.

Closes gh-17843
 2025-09-03 17:53:41 -06:00
Josh Cummings bd119ac411
Implement Equals and HashCode 
Internally, RequestMatcher is sometimes used as a key to a
HashMap. Accordingly, each implementation should implement
equals and hashCode.

Closes gh-17842
 2025-09-03 17:48:50 -06:00
Rob Winch 24ffda28d8
Fixes for webauthn tests after JSpecify 
Issue gh-17839
 2025-09-03 14:44:58 -05:00
Rob Winch 6a84f96930
Enable Null checking in spring-security-test via JSpecify 
Closes gh-17840
 2025-09-03 12:59:46 -05:00
Rob Winch 194be8ffb6
Checkstyle fixes for webauthn JSpecify 
Issue gh-17839
 2025-09-03 12:58:27 -05:00
Rob Winch 47b4b155da
Add security-nullability to webauthn 
Issue gh-17839
 2025-09-03 12:17:56 -05:00
Rob Winch 0a991a91ce
Enable Null checking in spring-security-webauthn via JSpecify 
Closes gh-17839
 2025-09-03 12:06:53 -05:00
dependabot[bot] d2e934ca54
Bump org.hibernate.orm:hibernate-core from 6.6.26.Final to 6.6.28.Final 
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.26.Final to 6.6.28.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.28/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.26...6.6.28)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.28.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-03 00:33:27 +00:00
dependabot[bot] fee4d08de3
Bump com.webauthn4j:webauthn4j-core 
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.5.RELEASE to 0.29.6.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.5.RELEASE...0.29.6.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.6.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-02 23:19:43 +00:00
Josh Cummings 3dbcf266e9
Merge branch '6.5.x' 2025-09-02 16:45:30 -06:00
Josh Cummings eeb67650ee
Deprecate RequiresChannelDsl 
Issue gh-16680
 2025-09-02 16:41:39 -06:00
dependabot[bot] b4fc01194f
Bump org.hibernate.orm:hibernate-core from 6.6.23.Final to 6.6.28.Final 
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.23.Final to 6.6.28.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.28/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.23...6.6.28)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.28.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-02 22:32:54 +00:00
Josh Cummings 3534b74945
Replace InteractiveAuthenticationSuccessEvent 7.0.x Sample 
Given that 7e3bf9662c changes
the InteractiveAuthenticationSuccessEvent serialization sample,
this commit syncs up the 7.0.x version to match.

Closes gh-16276
 2025-09-02 14:18:25 -06:00
Josh Cummings dc0ab4c805
Merge branch '6.5.x' 2025-09-02 14:15:20 -06:00
Josh Cummings c982753d46
Replace InteractiveAuthenticationSuccessEvent 6.5.x Sample 
Given that 7e3bf9662c changes
the InteractiveAuthenticationSuccessEvent serialization sample,
this commit syncs up the 6.5.x version to match.

Issue gh-16276
 2025-09-02 14:14:13 -06:00
Fridolin Jackstadt 910df479be Provider Default Timeouts For JWK Retrieval 
Issue gh-14269

Signed-off-by: Fridolin Jackstadt <fridolin.jackstadt@unic.com>
 2025-09-02 08:51:10 -06:00
Rob Winch 9866435946
Fix security-nullability plugin in taglibs 
Issue gh-17828
 2025-08-30 20:44:29 -05:00
Rob Winch 5370f1190f
Enable Null checking in spring-security-taglibs via JSpecify 
Closes gh-17828
 2025-08-30 20:40:34 -05:00
Rob Winch f13d8d5c75
Fix Nullability in WebInvocationPrivilegeEvaluator 
Issue gh-17535
 2025-08-30 20:38:58 -05:00
Rob Winch 1216ee598f
Enable Null checking in spring-security-rsocket via JSpecify 
Closes gh-16882
 2025-08-30 20:04:32 -05:00
Rob Winch a4a4908d71
Enable Null checking in spring-security-cas via JSpecify 
Closes gh-16882
 2025-08-30 11:22:30 -05:00
Josh Cummings 0ff9f10696
Merge branch '6.4.x' into 6.5.x 2025-08-30 10:00:45 -06:00
Josh Cummings 7e3bf9662c
Polish InteractiveAuthenticationSuccessEvent Sample 
The sample better matches a value that would be used in the constructor

Issue gh-16276
 2025-08-30 10:00:24 -06:00
Rob Winch be64c67af5
Enable Null checking in spring-security-web via JSpecify 
Closes gh-16882
 2025-08-29 16:17:49 -05:00
Rob Winch a58f3282d9
Fix config/src/test/kotlin nullability for web 
Issue gh-17535
 2025-08-29 15:46:08 -05:00
Rob Winch c2ba662b91
Enable Null checking in spring-security-web via JSpecify 
Closes gh-17535
 2025-08-29 15:06:48 -05:00
Rob Winch 49f308adb0
Use Supplier<? extends @Nullable Authentication> 
Previously Supplier<@Nullable Authentication> was used. This prevented
Supplier<Authentication> from being used. The code now uses
Supplier<? extends @Nullable Authentication> which allows for both
Supplier<@Nullable Authentication> and Supplier<Authentication>.

Closes gh-17814
 2025-08-29 09:46:58 -05:00
Josh Cummings 4cbe8de7ea Polish RSocket Anonymous Support 
Changed the DSL method name to anonymous to align with jwt.
Since basicAuthenication is deprecated, we don't need to
align with its naming convention.

Also added a since attribute to the method.

Issue gh-17132
 2025-08-26 17:33:40 -06:00
Andrey Litvitski 559b73b39f Add Disabling Anonymous Authentication in RSocketSecurity 
Closes: gh-17132

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>

1

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>

1

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
 2025-08-26 17:33:40 -06:00
Andrey Litvitski 3278f3a410 Add discoverJwsAlgorithms() in NimbusJwtDecoder 
Closes: gh-17785
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
 2025-08-26 17:07:47 -06:00
Josh Cummings 36f1de945f
Add OneTimeTokenAuthentication 
Closes gh-17799
 2025-08-22 15:46:54 -06:00
Josh Cummings 6663eea65f
Polish OTT Tests 
Improve tests so that they do not rely on OneTimeTokenAuthenticationToken
as the concrete type.

Issue gh-17799
 2025-08-22 15:46:53 -06:00
Josh Cummings 89b2f9cf54
Improve Test Runnability in IDE 
In some configurations, Configuration classes with static elements
may cause a test to hang. This commit changes JeeConfigurerTests
test configuration classes to use mock beans instead of referencing
them as static fields.
 2025-08-22 15:46:53 -06:00
Josh Cummings 0e39685b9c Merge branch '6.5.x' 2025-08-22 12:40:41 -06:00