Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-31 14:48:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '6.3.x' into 6.4.x

Browse Source 
Closes gh-16782
Closes gh-16783
Closes gh-16784
Closes gh-16785
Closes gh-16786
This commit is contained in:
Steve Riesenberg 2025-03-20 14:46:18 -05:00
commit 96cfbd1e6c
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
7 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/modules/ROOT/nav.adoc
View File

@ -132,7 +132,7 @@
*** xref:servlet/appendix/faq.adoc[FAQ] *** xref:servlet/appendix/faq.adoc[FAQ]
* xref:reactive/index.adoc[Reactive Applications] * xref:reactive/index.adoc[Reactive Applications]
** xref:reactive/getting-started.adoc[Getting Started] ** xref:reactive/getting-started.adoc[Getting Started]
** Authentication ** xref:reactive/authentication/index.adoc[Authentication]
*** xref:reactive/authentication/x509.adoc[X.509 Authentication] *** xref:reactive/authentication/x509.adoc[X.509 Authentication]
*** xref:reactive/authentication/logout.adoc[Logout] *** xref:reactive/authentication/logout.adoc[Logout]
*** Session Management *** Session Management

2
docs/modules/ROOT/pages/features/authentication/index.adoc
View File

@ -8,4 +8,4 @@ Once authentication is performed we know the identity and can perform authorizat
Spring Security provides built-in support for authenticating users. Spring Security provides built-in support for authenticating users.
This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments. This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments.
Refer to the sections on authentication for xref:servlet/authentication/index.adoc#servlet-authentication[Servlet] and xref:servlet/authentication/index.adoc[WebFlux] for details on what is supported for each stack. Refer to the sections on authentication for xref:servlet/authentication/index.adoc[Servlet] and xref:reactive/authentication/index.adoc[WebFlux] for details on what is supported for each stack.

3
docs/modules/ROOT/pages/reactive/authentication/index.adoc Normal file
View File

@ -0,0 +1,3 @@
[[webflux-authentication]]
= Authentication
:page-section-summary-toc: 1

2
docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
View File

@ -34,7 +34,7 @@ The attributes on the `<http>` element control some of the properties on the cor
Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true) Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
[[nsa-http-authorization-manager-ref]] [[nsa-http-authorization-manager-ref]]
* **access-decision-manager-ref** * **use-authorization-manager**
Use this AuthorizationManager instead of deriving one from <intercept-url> elements Use this AuthorizationManager instead of deriving one from <intercept-url> elements
[[nsa-http-access-decision-manager-ref]] [[nsa-http-access-decision-manager-ref]]

2
docs/modules/ROOT/pages/servlet/test/mockmvc/index.adoc
View File

@ -2,4 +2,4 @@
= Spring MVC Test Integration = Spring MVC Test Integration
:page-section-summary-toc: 1 :page-section-summary-toc: 1
Spring Security provides comprehensive integration with https://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html#spring-mvc-test-framework[Spring MVC Test] Spring Security provides comprehensive integration with {spring-framework-reference-url}testing/mockmvc.html[Spring MVC Test]

4
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2024 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -245,7 +245,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
* be used to create an Authentication for saving.</li> * be used to create an Authentication for saving.</li>
* </ul> * </ul>
* @param authorizedClient the {@link OAuth2AuthorizedClient} to use. * @param authorizedClient the {@link OAuth2AuthorizedClient} to use.
* @return the {@link Consumer} to populate the * @return the {@link Consumer} to populate the attributes
*/ */
public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) { public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) {
return (attributes) -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, authorizedClient); return (attributes) -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, authorizedClient);

14
web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
View File

@ -29,6 +29,9 @@ public interface WebInvocationPrivilegeEvaluator {
/** /**
* Determines whether the user represented by the supplied <tt>Authentication</tt> * Determines whether the user represented by the supplied <tt>Authentication</tt>
* object is allowed to invoke the supplied URI. * object is allowed to invoke the supplied URI.
* <p>
* Note this will only match authorization rules that don't require a certain
* {@code HttpMethod}.
* @param uri the URI excluding the context path (a default context path setting will * @param uri the URI excluding the context path (a default context path setting will
* be used) * be used)
*/ */
@ -36,13 +39,18 @@ public interface WebInvocationPrivilegeEvaluator {
/** /**
* Determines whether the user represented by the supplied <tt>Authentication</tt> * Determines whether the user represented by the supplied <tt>Authentication</tt>
* object is allowed to invoke the supplied URI, with the given . * object is allowed to invoke the supplied URI, with the given parameters.
* <p> * <p>
* Note the default implementation of <tt>FilterInvocationSecurityMetadataSource</tt> * Note:
* <ul>
* <li>The default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
* disregards the <code>contextPath</code> when evaluating which secure object * disregards the <code>contextPath</code> when evaluating which secure object
* metadata applies to a given request URI, so generally the <code>contextPath</code> * metadata applies to a given request URI, so generally the <code>contextPath</code>
* is unimportant unless you are using a custom * is unimportant unless you are using a custom
* <code>FilterInvocationSecurityMetadataSource</code>. * <code>FilterInvocationSecurityMetadataSource</code>.</li>
* <li>this will only match authorization rules that don't require a certain
* {@code HttpMethod}.</li>
* </ul>
* @param uri the URI excluding the context path * @param uri the URI excluding the context path
* @param contextPath the context path (may be null). * @param contextPath the context path (may be null).
* @param method the HTTP method (or null, for any method) * @param method the HTTP method (or null, for any method)