Robert Winch
9cc3161055
Merge Add Missing OnCommitedResponseWrapper Header Overrides
2026-02-24 19:51:53 -06:00
Robert Winch
6898de8003
Merge Add Missing OnCommitedResponseWrapper Header Overrides
2026-02-24 19:49:38 -06:00
Robert Winch
1dae9aa459
Add Missing OnCommitedResponseWrapper Header Overrides
...
Spring Security's `OnCommitedResponseWrapper` does not override the `setHeader`, `setIntHeader`, `addIntHeader`
methods. This means that if the `Content-Length` response header is specified using any of those methods then
the response body length is not tracked and can be committed before the response headers are written.
Spring Security should override the missing methods and track `Content-Length` as is already done for `addHeader`.
This issue is the underlying problem for spring-projects/spring-framework#36381
Closes gh-18797
2026-02-24 19:46:29 -06:00
Robert Winch
d31ca7a758
Fix SecurityContextLogoutHandler.logout @param response Javadoc (cannot be null)
...
Closes gh-18357
2026-02-24 10:06:04 -06:00
Rob Winch
4d0627e6c0
Merge pull request #18721 from coehgns/main
...
Add tests for PathPatternRequestMatcher request path caching
2026-02-23 11:58:27 -06:00
Josh Long
2dd2863550
aot improvements
...
Signed-off-by: Josh Long <54473+joshlong@users.noreply.github.com>
2026-02-20 17:28:35 -06:00
Minu Kim
18068c9099
fix compile warning in spring-security-test
...
Signed-off-by: Minu Kim <kmw106933@naver.com>
2026-02-19 14:26:20 -06:00
Robert Winch
cc6a005aa5
Add InetAddressMatcher
...
Co-authored-by: Gábor Vaspöri <gabor.vaspori@gmail.com>
Co-authored-by: Kian Jamali <kianjamali123@gmail.com>
Co-authored-by: Rossen Stoyanchev <rstoyanchev@users.noreply.github.com>
2026-02-19 11:44:19 -06:00
Tran Ngoc Nhan
dbf7f4cfe5
Remove unused @Nullable
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-02-19 10:56:54 -06:00
Tran Ngoc Nhan
dc8ed8b168
Fix checkstyle
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-02-17 16:59:55 -07:00
Tran Ngoc Nhan
17933ddab3
Resolve feedback
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-02-17 16:59:55 -07:00
Tran Ngoc Nhan
9323775c5f
Update javadoc and apply StringUtils#hasLength
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-02-17 16:59:55 -07:00
Tran Ngoc Nhan
4cc5f543ab
Add author
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-02-17 16:59:55 -07:00
Tran Ngoc Nhan
67bc1d8d4a
Polish some methods
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-02-17 16:59:55 -07:00
Tran Ngoc Nhan
17b5cdde55
Remove redundant check and exception
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-02-17 16:59:55 -07:00
Tran Ngoc Nhan
21bef947b0
Use String#isEmpty
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-02-17 16:59:55 -07:00
Andrey Litvitski
6fcca39500
Mark CsrfTokenRequestAttributeHandler#setCsrfRequestAttributeName as Nullable
...
Closes: gh-18617
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2026-02-17 16:57:15 -07:00
coehgns
0d3a5d210a
Add tests for PathPatternRequestMatcher path caching
...
Verify parsed request path is cleared when matcher parses it, and preserved when already present.
Signed-off-by: coehgns <modooboiroo@gmail.com>
2026-02-12 11:13:02 +09:00
Robert Winch
74b93a19f6
Externalize java-toolchain configuration
...
We should not use subprojects to perform configuration because it
does not allow for lazy loading and it can cause ordering problems.
In this case, the toolchain was not being used but instead it was
using the JAVA_HOME.
By splitting the configuration into a plugin and applying it to each
project it fixes the toolchain configuration
2026-01-26 22:06:36 -06:00
Robert Winch
ea8bd1a01d
Merge branch '7.0.x'
...
Closes gh-18595
2026-01-26 12:17:24 -06:00
Robert Winch
6dd6e8ebb1
Merge branch '6.5.x' into 7.0.x
...
Closes gh-18235
2026-01-26 12:06:19 -06:00
Garvit Joshi
edd82ba82c
gh-18234: Create SHA-1 MessageDigest for every new check request
...
Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
2026-01-26 11:06:25 -06:00
Robert Winch
d7fbf3673a
Fix consistency with Nullability Usage
...
Issue gh-18564
2026-01-23 10:42:53 -06:00
Robert Winch
9f8ac34c3b
Remove @NullUnmarked
...
Closes gh-18491
2026-01-21 14:11:25 -06:00
Soumik Sarker
3f66d8b770
Fix format
...
Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>
2026-01-21 14:11:25 -06:00
Soumik Sarker
ea26031a4d
Fix format
...
Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>
2026-01-21 14:11:25 -06:00
Soumik Sarker
b1d98491cf
Removed nullUnmarked annotation from observability web classes
...
Fixes #17815
Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>
2026-01-21 14:11:25 -06:00
Robert Winch
35d103843b
Externalize java-toolchain configuration
...
We should not use subprojects to perform configuration because it
does not allow for lazy loading and it can cause ordering problems.
In this case, the toolchain was not being used but instead it was
using the JAVA_HOME.
By splitting the configuration into a plugin and applying it to each
project it fixes the toolchain configuration
2026-01-16 16:54:00 -06:00
Robert Winch
0993e5735e
Add missing @NullMarked
...
Closes gh-18514
2026-01-16 14:53:16 -06:00
Robert Winch
048b6bdd88
Update to JDK 25 (release = 17)
...
This commit updates the build to use JDK 25 while remaining compatible with JDK 17.
Note that we must update our JAAS related tests to use release=25 due to the disabling of
the Security Manager. See
https://docs.oracle.com/en/java/javase/25/security/security-manager-is-permanently-disabled.html
Closes gh-18512
2026-01-16 11:25:59 -06:00
Josh Cummings
3336f5f2ec
Merge branch '7.0.x'
2026-01-14 14:47:31 -07:00
Josh Cummings
d2ed8321b4
Merge branch '6.5.x' into 7.0.x
2026-01-14 14:46:36 -07:00
Guillaume Husta
dd1f097131
Add @FunctionalInterface to RequestMatcher
...
Add `@FunctionalInterface` to `RequestMatcher`.
According to the documentation, it is a FunctionalInterface.
See: https://docs.spring.io/spring-security/reference/6.5/servlet/authorization/authorize-http-requests.html#match-by-custom
Signed-off-by: Guillaume Husta <guillaume.husta@gmail.com>
2026-01-14 14:45:22 -07:00
Robert Winch
ec06f08bb6
Merge branch '7.0.x'
2026-01-12 13:38:52 -06:00
Andrey Litvitski
13f6286e04
Use DefaultParameterNameDiscoverer#getSharedInstance
...
Closes: gh-18330
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2026-01-12 13:37:32 -06:00
rigu1
0a6883c586
Fix Javadoc warnings in spring-security-web
...
* Use <code> tags for external references in DelegatingMissingAuthorityAccessDeniedHandler and SwitchUserWebFilter
* Fix typo in SessionAuthenticationException
* Apply javadoc-warnings-error plugin
Closes gh-18468
Signed-off-by: rigu1 <dlsrbtla@gmail.com>
2026-01-12 13:24:47 -06:00
Tran Ngoc Nhan
d20c88ecef
Format code
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-01-08 13:35:43 -06:00
Tran Ngoc Nhan
79815e044e
Fix typos
...
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-01-08 13:35:43 -06:00
Soumik Sarker
244b5a16be
Added test scope for NPE in RequestMethod
...
Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>
2025-12-01 18:06:42 -06:00
Josh Cummings
5662e17370
Add Nullable Annotations
...
Added Nullable to methods that may return a null value
Closes gh-18046
2025-11-04 15:08:12 -07:00
Rob Winch
aaf738f7ac
MFA is now Opt In
...
This commit ensures that MFA is only performed when users opt in. By
doing so, we allow users to decide if they will opt into the semantics
of merging two Authentication instances.
Closes gh-18126
2025-11-03 22:42:27 -06:00
Rob Winch
ccd39a23c9
Only perform MFA if Authentication.getName() is the same
...
Closes gh-18112
2025-11-03 22:42:27 -06:00
Josh Cummings
793820acfa
Remove Authority Copying From Reactive
...
We will re-address this when adding factors to
ReactiveAuthenticationManager implementations.
Issue gh-2603
2025-11-03 13:31:30 -07:00
Josh Cummings
fb701e4615
Merge remote-tracking branch 'origin/6.5.x'
2025-10-20 17:10:05 -06:00
Josh Cummings
1c112005fa
Don't Attempt to Generate Token Without Valid Token Request
...
Closes gh-18088
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2025-10-20 17:09:43 -06:00
Marcus Hert da Coregio
e0a71eb00e
Fix GenerateOneTimeTokenRequestResolver ignored if username param not present
...
Signed-off-by: Marcus Hert da Coregio <marcusdacoregio@gmail.com>
2025-10-20 17:09:43 -06:00
Andrey Litvitski
9b61533db2
Mark GrantedAuthority#getAuthority as @Nullable
...
Closes: gh-17999
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2025-10-20 15:22:24 -06:00
Josh Cummings
9c7b34a48b
Favor Relative Redirects by Default
...
Closes gh-16300
2025-10-20 10:25:17 -06:00
Rob Winch
51e8f8f1c6
Deprecate WebAuthnAuthenticationFilter.setConverter(GenericHttpMessageConverter)
...
This makes sense given that Framework's new Jackson support is a
SmartHttpMessageConverter. Additionally,
GenericHttpMessageConverterAdapter is now package private to encapsulate
it.
Issue gh-18073
2025-10-19 17:03:19 -05:00
Sébastien Deleuze
137f8fd670
Add support for JacksonJsonHttpMessageConverter
...
This commit introduces classpath checks and instantiation of
JacksonJsonHttpMessageConverter (based on Jackson 3) leveraging
a new GenericHttpMessageConverterAdapter which allows to adapt
SmartHttpMessageConverter to GenericHttpMessageConverter.
See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
2025-10-19 17:03:19 -05:00