Historically, Spring Security tests have set the servlet path
to indicate the path of a MockHttpServletRequest. This was needed
for AntPath and MvcRequestMatcher to correctly match the
specified request path.
This can leave MockHttpServletRequest in an inconsistent state
since requestURI is null while servletPath has a value.
For example, PathPatternRequestMatcher does not use the servlet path.
For tests to continue working both before and after the migration
from AntPath/MvcRequestMatcher to PathPatternRequestMatcher, the
mock requests should have a consistent representation of path
in getRequestURI and getServletPath.
This commit updates classes to use TestMockHttpServletRequests,
which ensures that the given path is applied to the servletPath and
requestURI, while also overriding with contextPath, servletPath,
and pathInfo when necessary.
This commit formats authorizeHttpRequests blocks
to use the same parameter name and places the
reference on the same line as the parameter.
Issue gh-13067
This commit changes all auhorizeRequests
declarations to use the same variable name
and declare the lambda parameter and reference
on the same line.
Issue gh-13067
This commit removes all and() methods that have been
deprecated in the HttpSecurity DSL with the exception
of featurePolicy, which will be removed when that
feature is removed. Note that since featurePolicy
does not have a lambda equivalent, the and support
needs to remain for the moment.
Issue gh-13067
Replaces repeated if-else string comparisons with a Set.contains() check
for known WebSocket handshake handler class names in MessageSecurityPostProcessor.
Improves readability and maintainability without changing behavior.
Signed-off-by: Wonpyo Hong <evga7@naver.com>
This commit separates the authentication principal, the assertion details,
and the relying party tenant into separate components. This allows the
principal to be completely decoupled from how Spring Security triggers and
processes SLO.
Specifically, it adds Saml2AssertionAuthentication, a new authentication
implementation that allows an Object principal and a Saml2ResponseAssertionAccessor
credential. It also moves the relying party registration id from
Saml2AuthenticatedPrincipal to Saml2AssertionAuthentication.
As such, Saml2AuthenticatedPrincipal is now deprecated in favor of
placing its assertion components in Saml2ResponseAssertionAccessor and
the relying party registration id in Saml2AssertionAuthentication.
Closes gh-10820
- Moved to BearerTokenAuthenticationFilter constructor to align with
AuthenticationFilter
- Undeprecated BearerTokenResolver to reduce number of migration scenarios
- Updated to 7.0 schema
- Added migration docs
Issue gh-14750
In tests, we want to both test that functionality works and also
demonstrate common or expected usage, where possible. It is likely
incorrect to use @Order(0) for a target visitor as this states that
it should take precedence over all Spring Security visitors defined
at a lower precedence.
Also, it appears this may have been added this way because of a mock
visitor that appears to be unused by any tests. Further, when an
application has multiple visitors, they should use the TargetVisitor.of
method to publish one bean with the order determined by the order
of the method parameters instead of having two separate beans.
This commit removes the @Order(0) annotation and also the mock
visitor, deferring to the natural ordering afforded by the
framework.
Issue gh-15994
NimbusJwtDecoder and NimbusReactiveJwtDecoder now use
Spring Security's JwtTypeValidator by default instead
of Nimbus's type validator.
Closes gh-17181
Now that NimbusReactiveOpaqueTokenIntrospector is
deprecated, this commit changes the Spring
Security default to now use SpringReactiveOpaqueTokenIntrospector.
Issue gh-15988
Signed-off-by: Yanming Zhou <zhouyanming@gmail.com>
