Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-24 11:18:45 +00:00
Code Issues Packages Projects Releases Wiki Activity
19,620 Commits 44 Branches 362 Tags
Commit Graph

19620 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Joe Grandja
1213dbe76f Fix checkstyle 2025-10-09 13:51:50 -04:00
Joe Grandja
3656e7ad8c Add tests to OAuth2AuthorizationServerJackson2ModuleTests 2025-10-09 13:23:38 -04:00
Joe Grandja
1cca9c5822 Enable PKCE by default in authorization server 
Closes gh-18020
 2025-10-09 09:51:17 -04:00
Joe Grandja
469ed09645 Allow setting Clock in OAuth2TokenGenerator implementations 
Closes gh-18017
 2025-10-07 16:34:43 -04:00
Joe Grandja
1d7f4c3b11 Polish javadoc for ClientSettings.requireAuthorizationConsent 
Issue gh-18016
 2025-10-07 11:29:10 -04:00
Joe Grandja
baa3b287d6 Add Predicate for authorizationConsentRequired for device code grant 
Introduces customizable Predicate to determine if user consent is
required in device authorization flows. Previously, device consent
handling used fixed logic. Now applications can define custom logic
for skipping or displaying consent pages.

Adds OAuth2DeviceVerificationAuthenticationContext and updates
OAuth2DeviceVerificationAuthenticationProvider with
setAuthorizationConsentRequired method.

Fixes gh-18016

Signed-off-by: Dinesh Gupta <dineshgupta630@outlook.com>
 2025-10-07 11:13:30 -04:00
dependabot[bot]
d5c5bb234c Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs 
Bumps [antora](https://gitlab.com/antora/antora) from 3.2.0-alpha.9 to 3.2.0-alpha.10.
- [Changelog](https://gitlab.com/antora/antora/blob/main/CHANGELOG.adoc)
- [Commits](https://gitlab.com/antora/antora/compare/v3.2.0-alpha.9...v3.2.0-alpha.10)

---
updated-dependencies:
- dependency-name: antora
  dependency-version: 3.2.0-alpha.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 14:01:08 -05:00
Rob Winch
83da86a358
DefaultLoginPageGeneratingFilter uses List 
This fixes an ordering problem with query parameters of the tests.

Issue gh-18002
 2025-10-06 09:34:06 -05:00
dependabot[bot]
71e6d81910 Bump com.webauthn4j:webauthn4j-core 
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.6.RELEASE to 0.29.7.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.6.RELEASE...0.29.7.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.7.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 09:29:57 -05:00
dependabot[bot]
16475d3453 Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.18 to 1.5.19.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.18...v_1.5.19)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 09:15:25 -05:00
Rob Winch
3f84e96711
Bump io.mockk:mockk from 1.14.5 to 1.14.6 2025-10-06 09:13:16 -05:00
Rob Winch
1c870f25e9
Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.4 to 0.0.5 2025-10-06 09:13:12 -05:00
Rob Winch
79e2d4b688
Merge branch '6.5.x' 2025-10-06 09:12:06 -05:00
Rob Winch
9f8ebdcf4d
Merge branch '6.4.x' into 6.5.x 2025-10-06 09:11:56 -05:00
Rob Winch
8ce38af608
Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 2025-10-06 09:11:20 -05:00
Rob Winch
607b1dfffe
Bump io.mockk:mockk from 1.14.5 to 1.14.6 2025-10-06 09:11:17 -05:00
Rob Winch
904f5157fa
Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE 2025-10-06 09:11:15 -05:00
Rob Winch
f57c9ffcbb
Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 2025-10-06 09:10:34 -05:00
dependabot[bot]
b7f40a4e08
Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final 
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.29.Final to 6.6.31.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.31/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.29...6.6.31)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.31.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 03:21:28 +00:00
dependabot[bot]
dd7f809564
Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final 
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.29.Final to 6.6.31.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.31/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.29...6.6.31)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.31.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 03:13:36 +00:00
Joe Grandja
51fe7ff737 Return device_code grant metadata when enabled 
Issue gh-17998
 2025-10-04 05:38:11 -04:00
Rob Winch
9595d37c14
Integration Test for DefaultLoginPageGeneratingFilterTests 
Add a minimal test to ensure that
DelegatingMissingAuthorityAccessDeniedHandler and
DefaultLoginPageGeneratingFilterTests work together properly.

Issue gh-18002
 2025-10-03 15:20:03 -05:00
Rob Winch
2473378fcd
Use RequiredFactorErrors 
Closes gh-18002
 2025-10-03 15:20:03 -05:00
Rob Winch
d1ff983c11
Add AllFactorsAuthorizationManager 
Closes gh-17997
 2025-10-03 15:20:03 -05:00
Rob Winch
3f74991ce9
Authentication adds FactorGrantedAuthority 
Closes gh-18001
 2025-10-03 15:20:03 -05:00
Rob Winch
ce36fc1e76
Add FactorGrantedAuthority 
Closes gh-17996
 2025-10-03 15:20:00 -05:00
Joe Grandja
477a456d6c Disable device_code grant by default 
Closes gh-17998
 2025-10-03 14:10:13 -04:00
Joe Grandja
4dfef1483d Polish gh-17507 2025-10-03 13:09:09 -04:00
Rohan Naik
8c65dc93f2 Enable PKCE by default 
Closes gh-17507

Signed-off-by: Rohan Naik <rohan.nn1203@gmail.com>
 2025-10-03 13:08:04 -04:00
dependabot[bot]
0f40f694b8
Bump io.spring.nullability:io.spring.nullability.gradle.plugin 
Bumps [io.spring.nullability:io.spring.nullability.gradle.plugin](https://github.com/spring-gradle-plugins/nullability-plugin) from 0.0.4 to 0.0.5.
- [Release notes](https://github.com/spring-gradle-plugins/nullability-plugin/releases)
- [Commits](https://github.com/spring-gradle-plugins/nullability-plugin/compare/v0.0.4...v0.0.5)

---
updated-dependencies:
- dependency-name: io.spring.nullability:io.spring.nullability.gradle.plugin
  dependency-version: 0.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-03 03:08:45 +00:00
Joe Grandja
54aae36f98 Add support for OAuth 2.0 Protected Resource Metadata 
Closes gh-17244
 2025-10-02 14:50:17 -04:00
dependabot[bot]
564726adea
Bump com.webauthn4j:webauthn4j-core 
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.6.RELEASE to 0.29.7.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.6.RELEASE...0.29.7.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.7.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:19:11 +00:00
dependabot[bot]
c1375b857a
Bump io.mockk:mockk from 1.14.5 to 1.14.6 
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.5 to 1.14.6.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.5...1.14.6)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:17:57 +00:00
dependabot[bot]
c5a335ac91
Bump io.mockk:mockk from 1.14.5 to 1.14.6 
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.5 to 1.14.6.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.5...1.14.6)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:08:25 +00:00
Rob Winch
64c9e3e210
Prevent Dupliate GrantedAuthority#getAuthority() 
If the GrantedAuthority is not equal, but contains a duplicate
GrantedAuthority#getAuthority() then at the time of authentication,
the Filter or WebFilter will duplicate the GrantedAuthority which leads
to a memory leak. This is important to avoid for when we add support for
a GrantedAuthority that might have an issuedAt attribute. If it is too
old, then we'd want only the new GrantedAuthority to be added and the old
instance to be removed. However, the two GrantedAuthority instances
will not be equal because the issuedAt will not be equal.

Closes gh-17981
 2025-10-01 15:37:23 -05:00
Rob Winch
c9010345b9
Add TestingAuthenticationToken(principal,credential,grantedAuthorities...) 
Closes gh-17980
 2025-10-01 13:05:56 -05:00
Joe Grandja
681e166be8 Remove default HttpSecurity.securityMatcher() for authorization server 
Closes gh-17965
 2025-10-01 11:45:21 -04:00
dependabot[bot]
dc5962af16
Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.18 to 1.5.19.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.18...v_1.5.19)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-01 03:20:55 +00:00
dependabot[bot]
70da545463
Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.18 to 1.5.19.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.18...v_1.5.19)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-01 03:20:01 +00:00
Rob Winch
7f10897de3
SecurityMockMvcResultMatchers.withAuthorities(String...) 
Closes gh-17974
 2025-09-30 10:39:14 -05:00
Rob Winch
0e99324c43
Merge branch '6.5.x' 2025-09-29 13:44:37 -05:00
Rob Winch
cf9568fe09
Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 2025-09-29 13:43:45 -05:00
dependabot[bot]
7409133cc0
Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 
Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.5 to 5.5.1.
- [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.5.1/RELEASE_NOTES.txt)
- [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.5...rel/v5.5.1)

---
updated-dependencies:
- dependency-name: org.apache.httpcomponents.client5:httpclient5
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-29 03:26:33 +00:00
Joe Grandja
f3761aff99 Add support for OAuth 2.0 Dynamic Client Registration Protocol 
Closes gh-17964
 2025-09-25 16:33:16 -04:00
Rob Winch
667cd4aa7c
Remove unnecessary throws Exception from spring-security-config 
Closes gh-17957
 2025-09-25 11:50:13 -05:00
Rob Winch
be20201bf7
FACTOR uses defaultEntryPoint when possible 
Previously they used addEntryPointFor(entryPoint, AnyRequestMatcher.INSTANCE) to
work around gh-17955. They now can use defaultEntryPoint which is more concise.

Issue gh-gh-17955
 2025-09-25 11:18:20 -05:00
Rob Winch
029e31ebe8
DelegatingAuthenticationEntryPoint.Builder allows just defaultEntryPoint 
Previously build threw an Exception when entryPoints was empty and
defaultEntryPoint was specified.

This commit changes build to return the defaultEntryPoint instead.

Closes gh-17955
 2025-09-25 09:45:52 -05:00
Josh Cummings
ad6fe4fdc3
Polish MFA Samples 
This commit removes unneeded AuthorizationManagerFactory
implementations, simplifies the custom AuthorizationManagerFactory
example, and updates usage of hasAllAuthorities.

Issue gh-17934
 2025-09-24 17:54:59 -06:00
Rob Winch
f652920bb3
Add @EnableGlobalMultiFactorAuthentication 
Closes gh-17954
 2025-09-24 14:47:26 -05:00
Rob Winch
e33e4d80a9
Fix Antora Warnings in servlet/authentication/adaptive.adoc 
Issue gh-2603
 2025-09-24 13:05:50 -05:00