Merge branch '6.4.x'

Closes gh-16788
Closes gh-16789
Closes gh-16790
Closes gh-16791
Closes gh-16792
Steve Riesenberg 2025-03-20 14:47:07 -05:00
commit 3ebcbd4375
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
7 changed files with 20 additions and 9 deletions

@ -133,7 +133,7 @@
*** xref:servlet/appendix/faq.adoc[FAQ] *** xref:servlet/appendix/faq.adoc[FAQ]
* xref:reactive/index.adoc[Reactive Applications] * xref:reactive/index.adoc[Reactive Applications]
** xref:reactive/getting-started.adoc[Getting Started] ** xref:reactive/getting-started.adoc[Getting Started]
** Authentication ** xref:reactive/authentication/index.adoc[Authentication]
*** xref:reactive/authentication/x509.adoc[X.509 Authentication] *** xref:reactive/authentication/x509.adoc[X.509 Authentication]
*** xref:reactive/authentication/logout.adoc[Logout] *** xref:reactive/authentication/logout.adoc[Logout]
*** Session Management *** Session Management

@ -8,4 +8,4 @@ Once authentication is performed we know the identity and can perform authorizat
Spring Security provides built-in support for authenticating users. Spring Security provides built-in support for authenticating users.
This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments. This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments.
Refer to the sections on authentication for xref:servlet/authentication/index.adoc#servlet-authentication[Servlet] and xref:servlet/authentication/index.adoc[WebFlux] for details on what is supported for each stack. Refer to the sections on authentication for xref:servlet/authentication/index.adoc[Servlet] and xref:reactive/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
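
Review bot: The Servlet xref on the changed line loses its `#servlet-authentication` fragment in the same edit that corrects the WebFlux target from `servlet/authentication/index.adoc` to `reactive/authentication/index.adoc`. Dropping the fragment makes the two xrefs consistent, but it is a separate change from the link fix; please confirm it is intended and that nothing else relies on the fragment form of this link.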

@ -0,0 +1,3 @@
[[webflux-authentication]]
= Authentication
:page-section-summary-toc: 1
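
Review bot: The new page has no body text, only the `[[webflux-authentication]]` anchor, the title and `:page-section-summary-toc: 1`. If this is the page that the nav entry and the WebFlux xref now point to "for details on what is supported for each stack", add a one-sentence introduction under the title so the reader lands on more than a generated list of child pages.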

@ -34,7 +34,7 @@ The attributes on the `<http>` element control some of the properties on the cor
Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true) Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
[[nsa-http-authorization-manager-ref]] [[nsa-http-authorization-manager-ref]]
* **access-decision-manager-ref** * **use-authorization-manager**
Use this AuthorizationManager instead of deriving one from <intercept-url> elements Use this AuthorizationManager instead of deriving one from <intercept-url> elements
[[nsa-http-access-decision-manager-ref]] [[nsa-http-access-decision-manager-ref]]
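
Review bot: The label on the changed line does not match the attribute it documents: the entry sits under the `[[nsa-http-authorization-manager-ref]]` anchor and is followed by "Use this AuthorizationManager instead of deriving one from <intercept-url> elements", yet it is now named `use-authorization-manager`. That name belongs to the description on the first context line ("Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)"). Going by the anchor, the label here should be `authorization-manager-ref`; as written, a reader copying the name into an `<http>` element would set a different attribute from the one the text explains.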

@ -2,4 +2,4 @@
= Spring MVC Test Integration = Spring MVC Test Integration
:page-section-summary-toc: 1 :page-section-summary-toc: 1
Spring Security provides comprehensive integration with https://docs.spring.io/spring-framework/reference/testing/mockmvc.html[Spring Testing MockMVC] Spring Security provides comprehensive integration with {spring-framework-reference-url}testing/mockmvc.html[Spring MVC Test]
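
Review bot: The new link on the changed line appends `testing/mockmvc.html` directly to `{spring-framework-reference-url}`, so it resolves only if that attribute is defined for this docs build and its value ends with a trailing slash; please confirm both, since an unresolved attribute would leave a broken link on the page. Separately, the sentence still ends without a period after the link.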

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2024 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -245,7 +245,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
* be used to create an Authentication for saving.</li> * be used to create an Authentication for saving.</li>
* </ul> * </ul>
* @param authorizedClient the {@link OAuth2AuthorizedClient} to use. * @param authorizedClient the {@link OAuth2AuthorizedClient} to use.
* @return the {@link Consumer} to populate the * @return the {@link Consumer} to populate the attributes
*/ */
public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) { public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) {
return (attributes) -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, authorizedClient); return (attributes) -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, authorizedClient);

@ -29,6 +29,9 @@ public interface WebInvocationPrivilegeEvaluator {
/** /**
* Determines whether the user represented by the supplied <tt>Authentication</tt> * Determines whether the user represented by the supplied <tt>Authentication</tt>
* object is allowed to invoke the supplied URI. * object is allowed to invoke the supplied URI.
* <p>
* Note this will only match authorization rules that don't require a certain
* {@code HttpMethod}.
* @param uri the URI excluding the context path (a default context path setting will * @param uri the URI excluding the context path (a default context path setting will
* be used) * be used)
*/ */
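
Review bot: The added note ("this will only match authorization rules that don't require a certain {@code HttpMethod}") does not say what the method returns for a URI that is covered only by method-specific rules. Callers use the result as an allow/deny answer, so state the outcome for that case explicitly and say how a caller should check a URI whose rules are bound to an HTTP method.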
@ -36,13 +39,18 @@ public interface WebInvocationPrivilegeEvaluator {
/** /**
* Determines whether the user represented by the supplied <tt>Authentication</tt> * Determines whether the user represented by the supplied <tt>Authentication</tt>
* object is allowed to invoke the supplied URI, with the given . * object is allowed to invoke the supplied URI, with the given parameters.
* <p> * <p>
* Note the default implementation of <tt>FilterInvocationSecurityMetadataSource</tt> * Note:
* <ul>
* <li>The default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
* disregards the <code>contextPath</code> when evaluating which secure object * disregards the <code>contextPath</code> when evaluating which secure object
* metadata applies to a given request URI, so generally the <code>contextPath</code> * metadata applies to a given request URI, so generally the <code>contextPath</code>
* is unimportant unless you are using a custom * is unimportant unless you are using a custom
* <code>FilterInvocationSecurityMetadataSource</code>. * <code>FilterInvocationSecurityMetadataSource</code>.</li>
* <li>this will only match authorization rules that don't require a certain
* {@code HttpMethod}.</li>
* </ul>
* @param uri the URI excluding the context path * @param uri the URI excluding the context path
* @param contextPath the context path (may be null). * @param contextPath the context path (may be null).
* @param method the HTTP method (or null, for any method) * @param method the HTTP method (or null, for any method)
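
Review bot: The new second list item says this overload "will only match authorization rules that don't require a certain {@code HttpMethod}", but the same Javadoc documents `@param method the HTTP method (or null, for any method)`. The two statements read as contradictory; please say whether the limitation applies only when `method` is null or regardless of the value passed, so callers know whether supplying a method changes which rules are evaluated. Minor: the item starts with lowercase "this" while the first item starts with "The".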