Merge branch '5.8.x'

Closes gh-11937
2022-10-03 11:43:22 -03:00 · 2022-10-03 11:43:22 -03:00 · 5f2744db33
parent 80f6bdf50b 64a19de4dc
commit 5f2744db33
6 changed files with 28 additions and 2 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@ -266,7 +266,11 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @return the {@link HpkpConfig} for additional customizations
 	 *
 	 * @since 4.1
 	 * @deprecated see <a href=
 	 * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
 	 * and Public Key Pinning</a> for more context
 	 */
 	@Deprecated
 	public HpkpConfig httpPublicKeyPinning() {
 		return this.hpkp.enable();
 	}
@ -277,7 +281,11 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @param hpkpCustomizer the {@link Customizer} to provide more options for the
 	 * {@link HpkpConfig}
 	 * @return the {@link HeadersConfigurer} for additional customizations
 	 * @deprecated see <a href=
 	 * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
 	 * and Public Key Pinning</a> for more context
 	 */
 	@Deprecated
 	public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HpkpConfig> hpkpCustomizer) {
 		hpkpCustomizer.customize(this.hpkp.enable());
 		return HeadersConfigurer.this;
@ -1040,6 +1048,12 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	}
 	/**
 	 * @deprecated see <a href=
 	 * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
 	 * and Public Key Pinning</a> for more context
 	 */
 	@Deprecated
 	public final class HpkpConfig {
 		private HpkpHeaderWriter writer;
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt
@ -117,7 +117,9 @@ class HeadersDsl {
     * href="https://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP)</a>.
     *
     * @param hpkpConfig the customization to apply to the header
     * @deprecated see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context
     */
    @Deprecated(message = "as of 5.8 with no replacement")
    fun httpPublicKeyPinning(hpkpConfig: HttpPublicKeyPinningDsl.() -> Unit) {
        this.hpkp = HttpPublicKeyPinningDsl().apply(hpkpConfig).get()
    }
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/headers/HttpPublicKeyPinningDsl.kt
@ -33,8 +33,10 @@ import org.springframework.security.config.annotation.web.configurers.HeadersCon
 * @property reportOnly if true, the browser should not terminate the connection with
 * the server.
 * @property reportUri the URI to which the browser should report pin validation failures.
 * @deprecated see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context
 */
@HeadersSecurityMarker
@Deprecated(message = "as of 5.8 with no replacement")
 class HttpPublicKeyPinningDsl {
    var pins: Map<String, String>? = null
    var maxAgeInSeconds: Long? = null
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
@ -1193,6 +1193,7 @@ cors-options.attlist &=
 	attribute configuration-source-ref {xsd:token}?
 hpkp =
 	## Deprecated. The HPKP header no longer works in modern browsers, see <a href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate and Public Key Pinning</a> for more context
 	## Adds support for HTTP Public Key Pinning (HPKP).
 	element hpkp {hpkp.pins,hpkp.attlist}
 hpkp.pins =
--- a/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
@ -3373,7 +3373,10 @@
  </xs:attributeGroup>
  <xs:element name="hpkp">
      <xs:annotation>
-         <xs:documentation>Adds support for HTTP Public Key Pinning (HPKP).
+         <xs:documentation>Deprecated. The HPKP header no longer works in modern browsers, see &lt;a
                href="https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning"&gt;Certificate
                and Public Key Pinning&lt;/a&gt; for more context Adds support for HTTP Public Key Pinning
                (HPKP).
                </xs:documentation>
      </xs:annotation>
      <xs:complexType>
@ -3875,4 +3878,4 @@
         <xs:enumeration value="LAST"/>
      </xs:restriction>
  </xs:simpleType>
-</xs:schema>
+</xs:schema>
--- a/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java
+++ b/web/src/main/java/org/springframework/security/web/header/writers/HpkpHeaderWriter.java
@ -109,7 +109,11 @@ import org.springframework.util.Assert;
 * @author Tim Ysewyn
 * @author Ankur Pathak
 * @since 4.1
 * @deprecated see <a href=
 * "https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning">Certificate
 * and Public Key Pinning</a> for more context
 */
@Deprecated
 public final class HpkpHeaderWriter implements HeaderWriter {
 	private static final long DEFAULT_MAX_AGE_SECONDS = 5184000;