Commit Graph

142 Commits

Author SHA1 Message Date
Marcus Da Coregio 7aaa25b88e Merge branch '5.7.x' into 5.8.x 2022-12-05 14:40:54 -08:00
Marcus Da Coregio fc25b87967 Merge branch '5.6.x' into 5.7.x 2022-12-05 14:40:38 -08:00
Sellami 626e53d121 Fix: Replace tenantRepository with tenants 2022-12-05 14:31:24 -08:00
Marcus Da Coregio d2b33a2583 Fix docs
Closes gh-11396
2022-12-05 12:25:26 -08:00
Marcus Da Coregio 5db7ac4ce3 Merge branch '5.7.x' into 5.8.x
Closes gh-12286
2022-11-24 08:48:05 -03:00
Marcus Da Coregio 9b3f834bff Merge branch '5.6.x' into 5.7.x
Closes gh-12285
2022-11-24 08:47:46 -03:00
Marcus Da Coregio 70bfc39418 Fix AuthorizationFilter diagram in docs
Closes gh-12274
2022-11-24 08:46:16 -03:00
Steve Riesenberg 9071f10759
Document DelegatingSecurityContextRepository
Closes gh-12069
2022-11-09 12:19:43 -06:00
Marcus Da Coregio 4d646a2978 Merge branch '5.7.x' into 5.8.x 2022-11-03 08:23:26 -03:00
Marcus Da Coregio 067fc1678c Merge branch '5.6.x' into 5.7.x 2022-11-03 08:22:09 -03:00
Rivaldi 01a37dd678 Fix typo
(cherry picked from commit 20e89e3eca0823bfa329b5de80448bac1f5e0f30)
2022-11-03 08:21:48 -03:00
Márk Kővári aad01447c3 docs: fix realm typo 2022-11-03 08:21:26 -03:00
Josh Cummings d29ab8bcae
Merge branch '5.7.x' into 5.8.x 2022-11-01 13:43:40 -06:00
Josh Cummings c94e33b6c8
Merge branch '5.6.x' into 5.7.x 2022-11-01 13:42:35 -06:00
Ger Roza 8315545144 Update RP-Initiated Logout target URLs.
The URLs we're using are not actually pointing to the OIDC RP-Initiated Logout Specs.

Fixes: gh-12081
2022-11-01 12:35:39 -06:00
Josh Cummings c5badbc631
Add AccessDecisionManager Preparation Steps
Issue gh-11337
2022-10-31 15:25:05 -06:00
Rob Winch aac1261f0c Document Migration to SecurityContextHolderFilter
Closes gh-12098
2022-10-27 15:12:45 -05:00
Rob Winch c17e258a6f Document Saved Requests
Closes gh-12088
2022-10-26 14:22:30 -05:00
Josh Cummings 04fa5af794
Add Missing Doc Header
The EnableMethodSecurity section
2022-10-25 14:41:11 -06:00
Marcus Da Coregio 4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher
Closes gh-11938
2022-10-10 09:24:15 -03:00
Marcus Da Coregio f3321c256c Add XML support for shouldFilterAllDispatcherTypes
Closes gh-11492
2022-10-07 10:20:32 -03:00
Steve Riesenberg dce1c30522
Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Marcus Da Coregio ace8caa182 Remove mvcMatchers usage from docs
Issue gh-11347
2022-10-05 13:19:37 -03:00
Steve Riesenberg 475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Daniel Garnier-Moiroux 0e215a21ad
Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio 039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Steve Riesenberg 46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Rob Winch d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
2022-09-22 11:09:44 -05:00
Steve Riesenberg 355ef21117
Polish gh-11665 2022-09-13 16:45:39 -05:00
ch4mpy 1efb63387f
Add authentication converter for introspected tokens
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.

Closes gh-11661
2022-09-13 16:45:36 -05:00
Steve Riesenberg 86fbb8db07 Add new interfaces for CSRF request processing
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
Marcus Da Coregio ff6fd78d64 Merge branch '5.7.x' into 5.8.x 2022-09-01 09:39:10 -03:00
Marcus Da Coregio 0a08a23423 Merge branch '5.6.x' into 5.7.x 2022-09-01 09:38:33 -03:00
Underground Hill 8b74bf9742 Updated reference to architecture page
In the context of Servlet Authentication page, "Architecture" should probably link to "Servlet Authentication Architecture" page
2022-09-01 09:38:10 -03:00
he1ex-tG 568277f8bc
Mistake in Kotlin code representation is fixed 2022-08-29 15:11:10 -05:00
Josh Cummings 0f58620643 Add AspectJ AuthorizationManager Support
Closes gh-11326
2022-08-26 15:59:08 -06:00
Rob Winch 89f8310d6c Add Explicit SessionAuthenticationStrategy Option
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.

This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.

Closes gh-11455
2022-08-18 17:00:47 -05:00
Rob Winch 5b64526ba9 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-15 17:07:02 -05:00
Igor Bolic efaee4e56b Allow customization of redirect strategy
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.

Closes gh-11373
2022-08-08 15:35:49 -05:00
Marcus Da Coregio f45c4d4b8e Add SHA256 as an algorithm option for Remember Me token hashing
Closes gh-8549
2022-07-15 10:41:03 -03:00
Marcus Da Coregio 57d6ab7134 Improve docs on dispatcherTypeMatcher
Closes gh-11467
2022-07-14 09:13:46 -03:00
Josh Cummings 624fdfa731
Add AuthorizationManager for protect-pointcut
Closes gh-11323
2022-07-13 17:58:16 -06:00
Tim te Beek ce67fb08fd
Clearly end sentence in note before next sentence 2022-07-11 17:38:44 -06:00
Tim te Beek 6e63278ab9
Use Collection<ConfigAttribute> in examples
To match `org.springframework.security.access.ConfigAttribute`.
2022-07-11 17:38:44 -06:00
Josh Cummings 74a007dc91
Support AuthorizationManager for intercept-methods Element
Closes gh-11328
2022-07-06 12:54:05 -06:00
Josh Cummings 74167d62b1
Add SecurityContextHolderStrategy XML Configuration for Messaging
Issue gh-11061
2022-06-27 15:55:28 -06:00
Josh Cummings 9cd7c7b046
Add SecurityContextHolderStrategy XML Configuration for Method Security
Issue gh-11061
2022-06-27 13:05:07 -06:00
Josh Cummings 2a70707c35 Add SecurityContextHolderStrategy XML Configuration for Defaults
Issue gh-11061
2022-06-17 11:28:10 -06:00
sKai.fun a3e996a66b Fix title render issue of Digest Authentication document
Closes gh-11272
2022-06-01 17:33:41 -05:00
sKai.fun 953b54f63d Fix title render issue of Digest Authentication document
Closes gh-11272
2022-06-01 15:15:03 -05:00