Robert Winch
0ef8a4ff27
Update to Spring Framework 7.0.7-SNAPSHOT
...
Necessary to pick up Spring Framework's `PreFlightRequestFilter`
Issue gh-18926
2026-03-25 16:04:42 -04:00
Josh Cummings
c749ead5f1
Publish KDoc for the Kotlin DSL
...
Applies Dokka to any subproject using security-kotlin via DocsPlugin,
aggregates KDoc alongside Javadoc in syncAntoraAttachments, and adds
a Kotlin API entry to the reference docs navigation.
Closes gh-18968
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-25 13:58:38 -06:00
Josh Cummings
622f75d346
Move Antora Tasks into DocsPlugin
...
All Spring projects using io.spring.convention.docs are also using Antora,
so these tasks belong in the convention rather than each project's build script.
Issue gh-18968
2026-03-25 13:58:38 -06:00
Joe Grandja
db67f36492
Fix ID Token auth_time validation (reactive)
...
Issue gh-18839 gh-17246
2026-03-25 14:28:00 -04:00
Joe Grandja
a8281a9c62
Merge branch '7.0.x'
2026-03-25 13:23:11 -04:00
Joe Grandja
65cf2586c5
Merge branch '6.5.x' into 7.0.x
...
Closes gh-18978
2026-03-25 12:40:43 -04:00
Joe Grandja
6e683f2286
Fix ID Token auth_time validation
...
Closes gh-18839
2026-03-25 11:33:55 -04:00
dependabot[bot]
f6f3b697fe
Bump com.nimbusds:oauth2-oidc-sdk from 11.34 to 11.35
...
Bumps [com.nimbusds:oauth2-oidc-sdk](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions) from 11.34 to 11.35.
- [Changelog](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/master/CHANGELOG.txt)
- [Commits](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/branches/compare/11.35..11.34)
---
updated-dependencies:
- dependency-name: com.nimbusds:oauth2-oidc-sdk
dependency-version: '11.35'
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-25 03:17:16 +00:00
Josh Cummings
2c2666065f
Merge branch '7.0.x'
2026-03-24 13:39:37 -06:00
Josh Cummings
bae4cdd765
Adjust for Nullability
...
Issue gh-18973
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-24 13:39:27 -06:00
Josh Cummings
2a8976f2f0
Merge branch '7.0.x'
2026-03-23 18:13:15 -06:00
Josh Cummings
a7c3e842d6
Merge branch '6.5.x' into 7.0.x
2026-03-23 18:12:36 -06:00
Josh Cummings
b6e24db68c
Return Mono.empty on Empty POST
...
Closes gh-18973
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-23 18:12:21 -06:00
Josh Cummings
5100bf3db9
Merge branch '7.0.x'
2026-03-23 17:53:41 -06:00
Josh Cummings
7dea8b8ca2
Merge branch '6.5.x' into 7.0.x
2026-03-23 17:53:14 -06:00
Daniel Garnier-Moiroux
aeb5fc1fb0
Fix HttpSessionRequestCache#getMatchingRequest query string parsing
...
- URL parsing changed in framework 6.2, and fails when path contains a % sign.
- The HttpSessionRequestCache only needs to inspect the query string, not the full URL.
Fixes gh-16656
Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
2026-03-23 17:52:17 -06:00
Eric Haag
91199e7202
Gracefully handle detached HEAD in branch version check
...
Previously, the `CheckExpectedBranchVersionPlugin` would crash the Gradle
configuration phase if the project was in a detached HEAD state or not
in a Git repository, e.g., downloaded as a ZIP.
This commit refactors the plugin to be lazy and adopts several Gradle best
practices:
- Prevents build crashes on Git failures by gracefully catching non-zero
  exit codes, e.g., when checked out in a detached HEAD state.
- Moves the branch validation out of the task's main execution action
  and into an `onlyIf` predicate, allowing Gradle to skip the task
  entirely instead of executing an early return. This makes the skip
  outcome and reason visible in a Build Scan, rather than making it
  appear as if it executed.
- Defers the Git `exec` call to the execution phase using a lazy provider.
- Makes the task configuration cache compatible by avoiding illegal
  `Project` access inside the execution-time `onlyIf` closure.
- Improves user-facing logs and adds actionable bypass instructions when
  the project version doesn't match the branch version.
Signed-off-by: Eric Haag <ehaag@gradle.com>
2026-03-23 14:49:58 -04:00
Andrey Litvitski
2fda37de53
Fix equals nullability annotations for jspecify compliance
...
In this commit, we added `@Nullable` to equals methods of classes that
support `jspecify` for consistency with other Spring projects and to
avoid bugs that caused other Spring projects to do this natively.
Closes: gh-18929, gh-18927
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2026-03-23 09:25:57 -06:00
Andreas Asplund
330c565178
Implement equals and hashCode closes gh-18882
...
Signed-off-by: Andreas Asplund <andreas@asplund.biz>
2026-03-23 08:06:31 -06:00
Joe Grandja
1db0d4f83d
Enable null-safety in spring-security-oauth2-authorization-server
...
Closes gh-18937
2026-03-23 05:07:14 -04:00
Joe Grandja
fe24bd3d0c
Remove checkstyle suppressions for spring-security-oauth2-authorization-server
...
Issue gh-18937
2026-03-23 05:06:59 -04:00
dependabot[bot]
e6df831943
Bump com.fasterxml.jackson:jackson-bom from 2.21.1 to 2.21.2
...
Bumps [com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 2.21.1 to 2.21.2.
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-2.21.1...jackson-bom-2.21.2)
---
updated-dependencies:
- dependency-name: com.fasterxml.jackson:jackson-bom
dependency-version: 2.21.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-23 03:19:04 +00:00
Josh Cummings
f35b4aa518
Merge branch '7.0.x'
2026-03-20 21:28:22 -06:00
Josh Cummings
4542f58be7
Merge branch '6.5.x' into 7.0.x
2026-03-20 21:27:04 -06:00
Tran Ngoc Nhan
62f33d3fcf
Add equals and hashCode to HttpMethodRequestMatcher
...
Closes gh-18911
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-03-20 21:22:20 -06:00
Bae Jihong
e9f331c30c
Add test code for setAuthorizationManagerFactory
...
- add test for setAuthorizationManagerFactory that is an alternative to setTrustResolver and setDefaultRolePrefix
Closes gh-18412
Signed-off-by: Bae Jihong <dasog@naver.com>
2026-03-20 20:16:54 -06:00
Bae Jihong
bc4cc434fe
Refactor code to remove compiler warnings
...
- replace setTrustResolver with setAuthorizationManagerFactory in MethodSecurityExpressionRootTests
- resolve raw type warning in ExpressionBasedMessageSecurityMetadataSourceFactoryTests
Closes gh-18412
Signed-off-by: Bae Jihong <dasog@naver.com>
2026-03-20 20:16:54 -06:00
Bae Jihong
5a694869fa
Add @SuppressWarnings(deprecation) for existing functions
...
- add @SuppressWarnings(deprecation) because of deprecated part in logic
Closes gh-18412
Signed-off-by: Bae Jihong <dasog@naver.com>
2026-03-20 20:16:54 -06:00
Bae Jihong
ee06badcb6
Add @SuppressWarnings(unchecked, rawtypes) on functions in deprecated class
...
Closes gh-18412
Signed-off-by: Bae Jihong <dasog@naver.com>
2026-03-20 20:16:54 -06:00
Bae Jihong
9b108df1dc
Add @SuppressWarnings(deprecation) on tests
...
- add on tests for deprecated class
- add on tests for specific deprecated function
Closes gh-18412
Signed-off-by: Bae Jihong <dasog@naver.com>
2026-03-20 20:16:54 -06:00
Josh Cummings
d76fb7f2e6
Polish WebAttributes ApplicationContext Support
...
Closes gh-8843
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-20 16:44:40 -06:00
wonderfulrosemari
846794d31b
Prefer dispatcher context for authorize tag beans
...
Signed-off-by: wonderfulrosemari <whwlsgur1419@naver.com>
2026-03-20 16:44:40 -06:00
Josh Cummings
c000477c37
Polish Clarify @WithSecurityContext thread scope
2026-03-20 16:43:21 -06:00
wonderfulrosemari
2a013ffaa2
Clarify @WithSecurityContext thread scope
...
Signed-off-by: wonderfulrosemari <whwlsgur1419@naver.com>
2026-03-20 16:43:21 -06:00
Josh Cummings
ea05089443
Polish Formatting
...
Closes gh-18381
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-20 15:38:27 -06:00
Giacomo Baso
7b282c3a17
Relax client_id validation in AtJwtBuilder
...
RFC 9068 requires that access token JWTs include the `client_id`
claim, but it does not require resource servers to validate it against
a specific value.
Relates to gh-18381
Signed-off-by: Giacomo Baso <gbaso@users.noreply.github.com>
2026-03-20 15:38:27 -06:00
Josh Cummings
78015d251c
Merge branch '7.0.x'
2026-03-20 15:28:44 -06:00
Josh Cummings
956561e143
Merge branch '6.5.x' into 7.0.x
2026-03-20 15:28:36 -06:00
Rob Winch
9fed1ac8c3
New line per sentence
...
Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com>
2026-03-20 15:28:21 -06:00
Josh Cummings
9dbe3bdcc0
Polish Session Management Persistence Docs
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-20 15:28:21 -06:00
sankranti
d547ae0181
Fix defaults description in Session Management doc
...
Corrected that starting from Spring Security 6
security context is not automatically saved by default.
Signed-off-by: sankranti <sankranty@gmail.com>
2026-03-20 15:28:21 -06:00
Josh Cummings
e88cb81a7a
Merge branch '7.0.x'
2026-03-20 15:22:56 -06:00
dependabot[bot]
b8b1278e1f
Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs
...
Bumps [@springio/antora-extensions](https://github.com/spring-io/antora-extensions) from 1.14.7 to 1.14.9.
- [Changelog](https://github.com/spring-io/antora-extensions/blob/main/CHANGELOG.adoc)
- [Commits](https://github.com/spring-io/antora-extensions/compare/v1.14.7...v1.14.9)
---
updated-dependencies:
- dependency-name: "@springio/antora-extensions"
dependency-version: 1.14.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-20 15:22:06 -06:00
dependabot[bot]
381047e386
Bump spring-io/spring-security-release-tools from 1.0.14 to 1.0.15
...
Bumps [spring-io/spring-security-release-tools](https://github.com/spring-io/spring-security-release-tools) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc)
- [Commits](729fed56d4...b92832ecbc)
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-20 15:21:53 -06:00
Josh Cummings
fbbbd46bee
Update asciidoctor-extensions to 1.0.0-alpha.18
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-20 21:21:22 +00:00
Josh Cummings
fe0d7de41b
Update LDAP Nullability Checkstyle Rules
...
Issue gh-17818
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-20 15:21:02 -06:00
Josh Cummings
c2fd0f23fe
Merge branch '7.0.x'
2026-03-20 15:00:15 -06:00
Josh Cummings
8abffbd0df
Merge branch '6.5.x' into 7.0.x
2026-03-20 15:00:02 -06:00
dependabot[bot]
376b40a735
Bump io.spring.gradle:spring-security-release-plugin
...
Bumps [io.spring.gradle:spring-security-release-plugin](https://github.com/spring-io/spring-security-release-tools) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/v1.0.14...v1.0.15)
---
updated-dependencies:
- dependency-name: io.spring.gradle:spring-security-release-plugin
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-20 14:58:20 -06:00
dependabot[bot]
89fa1cbdd2
Bump spring-io/spring-security-release-tools/.github/workflows/build.yml
...
Bumps [spring-io/spring-security-release-tools/.github/workflows/build.yml](https://github.com/spring-io/spring-security-release-tools) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc)
- [Commits](729fed56d4...b92832ecbc)
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/build.yml
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-03-20 14:57:09 -06:00