Added an implementation of HeaderWriter for Clear-Site-Data HTTP
response header as welll as an implementation of LogoutHanlder
that accepts an implementation of HeaderWriter to write headers.
- Added ClearSiteDataHeaderWriter and HeaderWriterLogoutHandler
that implements HeaderWriter and LogoutHandler respectively
- Added unit tests for both implementations's behaviours
- Integration tests for HeaderWriterLogoutHandler that uses
ClearSiteDataHeaderWriter
- Updated the documentation to include link to
HeaderWriterLogoutHandler
Fixes gh-4187
- Support has been added for "RFC7636: Proof Key for Code Exchange by OAuth Public Clients" (PKCE, pronounced "pixy") to mitigate against attacks targeting the interception of the authorization code
- PkceParameterNames was added for the 3 additional parameters used by PKCE (i.e. code_verifier, code_challenge, and code_challenge_method)
- Default code_verifier length has been set to 128 characters--the maximum allowed by RFC7636
- ClientAuthenticationMethod.NONE was added to allow clients to request tokens without providing a client secret
Fixes gh-6446
In the Java config tests, there is a simplified way to configure
Spring, and that is with SpringTestRule.
Also, test names typically follow the when-then convention.
Issue: gh-6501
OAuth2ClientProperties.Registration (which captures .properties and
.yml for OAuth2 Client) has a member `scope` but not `scopes`. Samples
and documentation were using `scopes` and have now been updated to use
`scope`.
Fixes gh-6510
When we used the oauth2Client directive and requested an endpoint that
required client authorization on the authorization server, the
SPRING_SECURITY_SAVED_REQUEST was not persisted, and therefore after
creating the authorized client we were redirected to the root page ("/").
Now we are storing the session attribute and getting redirected back to
the original URI as expected.
Note that the attribute is stored only when a
ClientAuthorizationRequiredException is thrown in the chain, we dont
want to store it as a response to the
/oauth2/authorization/{registrationId} endpoint, since we would end
up in an infinite loop
Fixes gh-6341
1. CsrfBeanDefinitionParser registers requestDataValueProcessor
if not already registered
2. Created Tests in CsrfBeanDefinitionParserTests
Fixes: gh-6423
1. Preload support in Servlet Security(XML & Java)
2. Preload support in Reactive Security
3. Test for preload support in Servlet Security
4. Test for preload support in Reactive Security
Fixes: gh-6312
Rafiullah Hamedy
Stephen Doxsee
Josh Cummings
Ankur Pathak
Rob Winch
Zhanwei Wang
Joe Grandja
RusZh
Fabien Arrault
James
James
Gerardo Roza
Bryan Kelly
Nick Bromfield
Aanuoluwapo Otitoola
Andy Wilkinson
Denis Washington
guo fei
Mohammad Sadeq Dousti