Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-12-14 12:03:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
18,483 Commits 60 Branches 367 Tags
Commit Graph

3038 Commits

Author SHA1 Message Date
Tran Ngoc Nhan
c2c84c4243 Update HttpSecurity javadoc 
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
 2025-06-17 13:31:24 -05:00
Evgeniy Cheban
b0cecb37d2 Replace deprecated #check calls with #authorize 
Closes gh-16936

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
 2025-06-12 11:11:49 -06:00
Rob Winch
7bf2730a53 Add x509@principal-extractor-ref 
Enables customizing the X500PrincipalExtractor
 2025-06-12 12:09:20 -05:00
Rob Winch
88ed4a5ccf Use principalExtractor reference instead of properties 2025-06-12 12:09:20 -05:00
Max Batischev
aba437d469 Add Support SubjectX500PrincipalExtractor 
Closes gh-16980

Signed-off-by: Max Batischev <mblancer@mail.ru>
 2025-06-12 12:09:20 -05:00
Josh Cummings
9b724377ce Rework Saml2 Authentication Statement 
This commit separates the authentication principal, the assertion details,
and the relying party tenant into separate components. This allows the
principal to be completely decoupled from how Spring Security triggers and
processes SLO.

Specifically, it adds Saml2AssertionAuthentication, a new authentication
implementation that allows an Object principal and a Saml2ResponseAssertionAccessor
credential. It also moves the relying party registration id from
Saml2AuthenticatedPrincipal to Saml2AssertionAuthentication.

As such, Saml2AuthenticatedPrincipal is now deprecated in favor of
placing its assertion components in Saml2ResponseAssertionAccessor and
the relying party registration id in Saml2AssertionAuthentication.

Closes gh-10820
 2025-06-10 17:21:03 -06:00
Christian Schuster
36c7b91fb9 SAML 2.0 Single Logout Uses Saml2AuthenticationInfo 
This allows SLO to be triggered without the authentication
principal needing to implement a given interface.

Issue gh-10820
 2025-06-10 17:21:03 -06:00
Josh Cummings
aa3135169d Polish Documentation 
Closes gh-14635
 2025-06-09 16:49:36 -06:00
Liviu Gheorghe
3ddf201d66 Updated Copyrights 
Signed-off-by: Liviu Gheorghe <liviu.gheorghe.ro@gmail.com>
 2025-06-09 16:45:24 -06:00
1livv
edfd7b9b43 Addressed review comments 
Signed-off-by: Liviu Gheorghe <liviu.gheorghe.ro@gmail.com>
 2025-06-09 16:45:24 -06:00
1livv
358f6c96b5 Update config tests 
Signed-off-by: Liviu Gheorghe <liviu.gheorghe.ro@gmail.com>
 2025-06-09 16:45:24 -06:00
Joe Grandja
2e913d2af9 Merge branch '6.5.x' 2025-06-05 16:22:35 -04:00
Joe Grandja
dab989d7c3 Fix NPE with DPoP tokenAuthenticationManager 
Closes gh-17172
 2025-06-05 16:06:55 -04:00
Josh Cummings
c8b843c4c5
Merge branch '6.5.x' 2025-06-05 12:36:53 -06:00
damable-nuvolex
3b12e758d3
Fix inconsistent constructor declaration 
Closes gh-16325

Signed-off-by: damable-nuvolex <damable@nuvolex.com>
 2025-06-05 12:36:27 -06:00
Josh Cummings
eaab42a73c Polish BearerTokenAuthenticationConverter Support 
- Moved to BearerTokenAuthenticationFilter constructor to align with
AuthenticationFilter
- Undeprecated BearerTokenResolver to reduce number of migration scenarios
- Updated to 7.0 schema
- Added migration docs

Issue gh-14750
 2025-06-04 18:17:17 -06:00
Max Batischev
4967f3feee Add Support BearerTokenAuthenticationConverter 
Closes gh-14750

Signed-off-by: Max Batischev <mblancer@mail.ru>
 2025-06-04 18:17:17 -06:00
Josh Cummings
3f0326d3f1
Merge remote-tracking branch 'origin/6.5.x' 2025-06-04 12:49:12 -06:00
Evgeniy Cheban
33ae1711a7 Set Precedence Order for Spring MVC TargetVisitor 
Closes gh-17185

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
 2025-06-04 12:47:36 -06:00
Josh Cummings
195f933438
Allow Default Ordering for TargetVisitor 
In tests, we want to both test that functionality works and also
demonstrate common or expected usage, where possible. It is likely
incorrect to use @Order(0) for a target visitor as this states that
it should take precedence over all Spring Security visitors defined
at a lower precedence.

Also, it appears this may have been added this way because of a mock
visitor that appears to be unused by any tests. Further, when an
application has multiple visitors, they should use the TargetVisitor.of
method to publish one bean with the order determined by the order
of the method parameters instead of having two separate beans.

This commit removes the @Order(0) annotation and also the mock
visitor, deferring to the natural ordering afforded by the
framework.

Issue gh-15994
 2025-06-02 13:41:21 -06:00
Evgeniy Cheban
fd4f06a66e Support Spring Data container types for AuthorizeReturnObject 
Closes gh-15994

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
 2025-05-29 17:05:27 -06:00
Josh Cummings
6d3b54df21
Change Type Validation Default 
NimbusJwtDecoder and NimbusReactiveJwtDecoder now use
Spring Security's JwtTypeValidator by default instead
of Nimbus's type validator.

Closes gh-17181
 2025-05-28 16:11:13 -06:00
Yanming Zhou
42790403da Use SpringReactiveOpaqueTokenIntrospector 
Now that NimbusReactiveOpaqueTokenIntrospector is
deprecated, this commit changes the Spring
Security default to now use SpringReactiveOpaqueTokenIntrospector.

Issue gh-15988

Signed-off-by: Yanming Zhou <zhouyanming@gmail.com>
 2025-05-27 14:25:31 -06:00
Josh Cummings
596449d882 Polish 
Issue gh-14149
 2025-05-27 11:44:33 -06:00
Felix Hagemans
1a4de49977 Create CsrfCustomizer for SPA configuration 
Closes gh-14149

Signed-off-by: Felix Hagemans <felixhagemans@gmail.com>
 2025-05-27 11:44:33 -06:00
Josh Cummings
52394c1f07 Propagate Any AccessDeniedException 
Any time a response handler throws an exception, we want to
propagate an underlying AccessDeniedException if their is one.

Issue gh-16058
 2025-05-23 15:18:01 -06:00
Evgeniy Cheban
fae61b9426 Propagate AccessDeniedException for Authorized Objects Returned from a Controller 
Closes gh-16058

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
 2025-05-23 15:18:01 -06:00
dae won
8612e952fe Make AuthorizationProxyFactory#proxy Generic 
Closes gh-16706

Signed-off-by: dae won <eodnjs01477@gmail.com>
 2025-05-23 14:48:11 -06:00
Max Batischev
f4b8e2421a Add Support Credentialless COEP Header 
Closes gh-16991

Signed-off-by: Max Batischev <mblancer@mail.ru>
 2025-05-23 14:45:59 -06:00
Josh Cummings
97923ebfaf Merge branch '6.5.x' 2025-05-21 16:47:45 -06:00
Josh Cummings
4bf03bde5b Merge branch '6.4.x' into 6.5.x 2025-05-21 16:47:25 -06:00
Josh Cummings
3186e8df84 Merge remote-tracking branch 'origin/6.3.x' into 6.4.x 2025-05-21 16:46:54 -06:00
Andrey Litvitski
4048b2bd7d Use HttpStatus in BackChannel Logout Filters 
Closes gh-17125

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
 2025-05-21 16:45:46 -06:00
Tran Ngoc Nhan
a511171309 Add test and update javadoc for CommonOAuth2Provider 
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
 2025-05-13 12:45:38 -06:00
Joe Grandja
44303d2c80 Polish gh-17080 2025-05-13 14:36:44 -04:00
Joe Grandja
a265ac6ae7 Polish gh-17080 2025-05-13 14:35:23 -04:00
Joe Grandja
ba7be9c8b9 Merge branch '6.5.x' 2025-05-09 16:14:34 -04:00
Joe Grandja
e3c39f02bc Add documentation for DPoP support 
Closes gh-17072
 2025-05-09 16:02:14 -04:00
Rob Winch
693a5beb24
Format CommonOAuth2Provider 2025-05-07 14:55:04 -05:00
kiruthiga1793
23e7c9eeaa
Add Twitter/X to CommonOAuth2Provider 
Signed-off-by: kiruthiga1793 <pkiruthiga93@gmail.com>
 2025-05-07 11:24:29 -05:00
Rob Winch
506a801f29
Merge branch '6.5.x' 
- WebAuthnConfigurer Code Cleanup

Closes gh-17063
 2025-05-06 15:22:36 -05:00
Max Batischev
66e614cb0b WebAuthnConfigurer Code Cleanup 
Signed-off-by: Max Batischev <mblancer@mail.ru>
 2025-05-06 15:20:08 -05:00
Max Batischev
421fcaee12 Add Assertions To WebAuthnConfigurer 
Signed-off-by: Max Batischev <mblancer@mail.ru>
 2025-05-06 15:20:08 -05:00
Rob Winch
b453840c0a
HttpHeaders no longer a MultiValueMap 
Closes gh-17060
 2025-05-06 13:27:13 -05:00
Rob Winch
3976e7d456
BodyInserters.fromObject -> fromProducer 
Closes gh-17055
 2025-05-06 13:26:16 -05:00
Rob Winch
b467c47ed5
ClientRequest.method->create 
ClientRequest.method was deprecated in favor of the create method

Closes gh-17054
 2025-05-06 13:26:15 -05:00
Rob Winch
11105a5c51
UriComponentsBuilder.fromHttpUrl->fromUriString 
The fromHttpUrl method is deprecated and replaced with fromUriString

Closes gh-
 2025-05-06 13:26:15 -05:00
Rob Winch
38a9aa1da9
Remove Deprecated PathMatchConfigurer usage 
Closes gh-17052
 2025-05-06 13:26:15 -05:00
Rob Winch
222faae1cb
Add junit-jupiter-engine 
This fixes some of the compatability problems that can happen
with newer versions of junit
 2025-05-06 13:26:15 -05:00
Rob Winch
5abbcecccc
Update to 7.0.0-SNAPSHOT 
Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com>
 2025-05-06 13:26:14 -05:00