From 75b537f99ace74eaf5e1fc2eda4d76b90c42e8b4 Mon Sep 17 00:00:00 2001
From: Tran Ngoc Nhan
Date: Tue, 11 Mar 2025 23:09:26 +0700
Subject: [PATCH 1/5] Fix WebFlux authentication reference link

Closes gh-16702
Signed-off-by: Tran Ngoc Nhan
---
 docs/modules/ROOT/nav.adoc | 2 +-
 docs/modules/ROOT/pages/features/authentication/index.adoc | 2 +-
 docs/modules/ROOT/pages/reactive/authentication/index.adoc | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 docs/modules/ROOT/pages/reactive/authentication/index.adoc

diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc
index 403771d274..37052965b8 100644
--- a/docs/modules/ROOT/nav.adoc
+++ b/docs/modules/ROOT/nav.adoc
@@ -128,7 +128,7 @@
 *** xref:servlet/appendix/faq.adoc[FAQ]
 * xref:reactive/index.adoc[Reactive Applications]
 ** xref:reactive/getting-started.adoc[Getting Started]
-** Authentication
+** xref:reactive/authentication/index.adoc[Authentication]
 *** xref:reactive/authentication/x509.adoc[X.509 Authentication]
 *** xref:reactive/authentication/logout.adoc[Logout]
 *** Session Management
diff --git a/docs/modules/ROOT/pages/features/authentication/index.adoc b/docs/modules/ROOT/pages/features/authentication/index.adoc
index 6d02574e50..d542fed535 100644
--- a/docs/modules/ROOT/pages/features/authentication/index.adoc
+++ b/docs/modules/ROOT/pages/features/authentication/index.adoc
@@ -8,4 +8,4 @@ Once authentication is performed we know the identity and can perform authorizat
 Spring Security provides built-in support for authenticating users. This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments.
-Refer to the sections on authentication for xref:servlet/authentication/index.adoc#servlet-authentication[Servlet] and xref:servlet/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
+Refer to the sections on authentication for xref:servlet/authentication/index.adoc[Servlet] and xref:reactive/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
diff --git a/docs/modules/ROOT/pages/reactive/authentication/index.adoc b/docs/modules/ROOT/pages/reactive/authentication/index.adoc
new file mode 100644
index 0000000000..a8c7f92f75
--- /dev/null
+++ b/docs/modules/ROOT/pages/reactive/authentication/index.adoc
@@ -0,0 +1,3 @@
+[[webflux-authentication]]
+= Authentication
+:page-section-summary-toc: 1
\ No newline at end of file
From daf8cfe8d223261950ade46d907a69090c5f6b7a Mon Sep 17 00:00:00 2001
From: Tran Ngoc Nhan
Date: Tue, 11 Mar 2025 23:31:27 +0700
Subject: [PATCH 2/5] Fix Spring Framework reference link

Closes gh-16699
Signed-off-by: Tran Ngoc Nhan
---
 docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc b/docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc
index 49d97c46a6..67450d9b5d 100644
--- a/docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc
+++ b/docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc
@@ -2,4 +2,4 @@
 = Spring MVC Test Integration
 :page-section-summary-toc: 1
-Spring Security provides comprehensive integration with https://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html#spring-mvc-test-framework[Spring MVC Test]
+Spring Security provides comprehensive integration with {spring-framework-reference-url}testing/mockmvc.html[Spring MVC Test]
From af40d7e35afb37236ed2be98edce7b491443c791 Mon Sep 17 00:00:00 2001
From: Tran Ngoc Nhan
Date: Thu, 20 Mar 2025 08:48:53 +0700
Subject: [PATCH 3/5] Fix typo

Closes gh-16776
Signed-off-by: Tran Ngoc Nhan
---
 docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc b/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
index 59e48e0986..1a137e8c97 100644
--- a/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
+++ b/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
@@ -34,7 +34,7 @@ The attributes on the `` element control some of the properties on the cor
 Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
 [[nsa-http-authorization-manager-ref]]
-* **access-decision-manager-ref**
+* **use-authorization-manager**
 Use this AuthorizationManager instead of deriving one from elements
 [[nsa-http-access-decision-manager-ref]]
From a53ca7c3d058e32521069a8b570a690537eecb45 Mon Sep 17 00:00:00 2001
From: Tran Ngoc Nhan
Date: Sat, 8 Feb 2025 11:07:18 +0700
Subject: [PATCH 4/5] Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc

Closes gh-16555
Signed-off-by: Tran Ngoc Nhan
---
 .../ServerOAuth2AuthorizedClientExchangeFilterFunction.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
index 0736c4ac25..ca20a6d7cf 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -245,7 +245,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
 * be used to create an Authentication for saving.
 *
 * @param authorizedClient the {@link OAuth2AuthorizedClient} to use.
- * @return the {@link Consumer} to populate the
+ * @return the {@link Consumer} to populate the attributes
 */
 public static Consumer> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) {
 return (attributes) -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, authorizedClient);
From ab6e9d2d1f63a84344bac67a9773dd6018b2f94b Mon Sep 17 00:00:00 2001
From: Tran Ngoc Nhan
Date: Fri, 7 Feb 2025 07:29:49 +0700
Subject: [PATCH 5/5] Clarify WebInvocationPrivilegeEvaluator JavaDoc

Closes gh-16529
Signed-off-by: Tran Ngoc Nhan
---
 .../access/WebInvocationPrivilegeEvaluator.java | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java index 521346ef2f..131cb7d147 100644 --- a/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java +++ b/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java @@ -29,6 +29,9 @@ public interface WebInvocationPrivilegeEvaluator { /** * Determines whether the user represented by the supplied Authentication * object is allowed to invoke the supplied URI. + *

+ * Note this will only match authorization rules that don't require a certain + * {@code HttpMethod}. * @param uri the URI excluding the context path (a default context path setting will * be used) */ @@ -36,13 +39,18 @@ public interface WebInvocationPrivilegeEvaluator { /** * Determines whether the user represented by the supplied Authentication - * object is allowed to invoke the supplied URI, with the given . + * object is allowed to invoke the supplied URI, with the given parameters. *

- * Note the default implementation of FilterInvocationSecurityMetadataSource + * Note: + *

    + *
  • The default implementation of FilterInvocationSecurityMetadataSource * disregards the contextPath when evaluating which secure object * metadata applies to a given request URI, so generally the contextPath * is unimportant unless you are using a custom - * FilterInvocationSecurityMetadataSource. + * FilterInvocationSecurityMetadataSource.
  • + *
  • this will only match authorization rules that don't require a certain + * {@code HttpMethod}.
  • + *
* @param uri the URI excluding the context path * @param contextPath the context path (may be null). * @param method the HTTP method (or null, for any method)
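Review bot: The second bullet added to the four-argument overload says unconditionally that the call "will only match authorization rules that don't require a certain `HttpMethod`", which reads as contradicting `@param method the HTTP method (or null, for any method)` directly below it. If the limitation holds only when `method` is null (the implementations are not visible in this patch, so confirm), qualify the bullet, e.g. `<li>When {@code method} is {@code null}, this will only match authorization rules that don't require a certain {@code HttpMethod}.</li>`. The distinction matters to callers that use the evaluator to decide whether to render a link or control, because a result computed without method-specific rules may differ from what is enforced on the real request. The bullet should also start with a capital letter to match the first one. The method declaration this Javadoc belongs to lies outside the hunk.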