Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-24 07:37:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
14,528 Commits 34 Branches 337 Tags
Commit Graph

1658 Commits

Author SHA1 Message Date
Steve Riesenberg
9b43950e13
Merge branch '5.8.x' 2022-10-12 13:14:20 -05:00
Steve Riesenberg
8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg
804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg
05e4a1dd20
Cache Xor CsrfToken 
Closes gh-11988
 2022-10-12 12:30:40 -05:00
Marcus Da Coregio
c5e35bf32e Merge branch '5.8.x' 
Closes gh-11978
 2022-10-10 09:24:50 -03:00
Marcus Da Coregio
4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher 
Closes gh-11938
 2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux
27059ced87
Default X-Xss-Protection header value to "0" 
Closes gh-9631
 2022-10-07 17:42:55 -05:00
Steve Riesenberg
6753f9745e
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
 2022-10-07 17:29:07 -05:00
Steve Riesenberg
f462134e87
Add reactive support for BREACH 
Closes gh-11959
 2022-10-07 16:34:17 -05:00
Steve Riesenberg
f4ca90e719
Add reactive interfaces for CSRF request handling 
Issue gh-11959
 2022-10-07 16:34:16 -05:00
Marcus Da Coregio
c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present 
Closes gh-11899
 2022-10-06 09:12:04 -03:00
Josh Cummings
353ca76973
Merge remote-tracking branch 'origin/5.8.x' 2022-10-06 00:01:40 -06:00
Josh Cummings
380a6a2564
Polish SecurityContextHolderStrategy Usage 
- Add to HttpSessionSecurityContextRepository#saveContext

Issue gh-11060
 2022-10-05 23:59:14 -06:00
Josh Cummings
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings
f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler 
Issue gh-11105
 2022-10-05 21:47:14 -06:00
Josh Cummings
eeb28e4f91
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 21:45:26 -06:00
Josh Cummings
4ddec07d0e
Add default AuthorizationManager 
Closes gh-11963
 2022-10-05 21:37:41 -06:00
Steve Riesenberg
ee9449dbfe
Fix tests for deferred CSRF tokens 
Issue gh-4001
 2022-10-05 16:10:36 -05:00
Steve Riesenberg
521cdfd738
Use correct servlet imports 
Issue gh-4001
 2022-10-05 16:10:35 -05:00
Steve Riesenberg
8b490de08d
Merge branch '5.8.x' 
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
 2022-10-05 14:46:15 -05:00
Steve Riesenberg
dce1c30522
Add support for BREACH 
Closes gh-4001
 2022-10-05 14:21:13 -05:00
Steve Riesenberg
5de6da890b
Merge branch '5.8.x' 
Closes gh-dry-run
 2022-10-04 11:18:00 -05:00
Steve Riesenberg
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken 
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
 2022-10-03 17:10:54 -05:00
Steve Riesenberg
7c3cc1e386
Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux
0e215a21ad
Add X-Xss-Protection headerValue to XML config 
Issue gh-9631
 2022-10-03 14:29:34 -05:00
Marcus Da Coregio
ad2abd39dc Merge branch '5.8.x' 
Closes gh-11347 in 6.0.x
Closes gh-11945
 2022-10-03 16:02:18 -03:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage 
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
 2022-10-03 15:55:20 -03:00
Marcus Da Coregio
5f2744db33 Merge branch '5.8.x' 
Closes gh-11937
 2022-10-03 11:43:22 -03:00
Marcus Da Coregio
64a19de4dc Deprecate HPKP security header 
Closes gh-10144
 2022-10-03 11:36:19 -03:00
Rob Winch
4479cefade Default Require Explicit Session Management = true 
Closes gh-11763
 2022-09-30 21:49:05 -05:00
Steve Riesenberg
76fbca9f46
Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity 
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
 2022-09-30 09:38:08 -05:00
Steve Riesenberg
e0e6467d9b
Remove UsernamePasswordAuthenticationToken check 
This commit reverts 21dd050d7b69bf3a8efdb46100893d151fe8b15e.

Closes gh-10347
 2022-09-29 15:25:53 -05:00
shazin
1e0e9a2c98
Allow authenticationIsRequired to be overridden 
Issue gh-10347
 2022-09-29 15:25:53 -05:00
Steve Riesenberg
bcb21c9384
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
 2022-09-23 15:39:43 -05:00
Steve Riesenberg
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver 
Closes gh-11896
 2022-09-23 15:09:00 -05:00
Steve Riesenberg
3c66ef6305
Change default SecurityContextRepository 
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
 2022-09-22 17:31:14 -05:00
Steve Riesenberg
ccac34b07c
Merge branch '5.8.x' 2022-09-22 16:45:48 -05:00
Steve Riesenberg
d140d95305
Fix assertion in NullSecurityContextRepository 
Issue gh-11060
 2022-09-22 15:33:22 -05:00
Steve Riesenberg
5d757919a2
Add SecurityContextHolderStrategy to new repository 
In 6.0, RequestAttributeSecurityContextRepository will be the default
implementation of SecurityContextRepository. This commit adds the
ability to configure a custom SecurityContextHolderStrategy, similar
to other components.

Issue gh-11060
Closes gh-11895
 2022-09-22 15:33:21 -05:00
Rob Winch
0efe26c1fd Merge branch '5.8.x' 
Closes gh-11894
 2022-09-22 13:47:04 -05:00
Rob Winch
d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler 
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
 2022-09-22 11:09:44 -05:00
Josh Cummings
2a487ae7f8
Updated hashcode and equals 
Closes gh-4133
 2022-09-20 16:36:37 -06:00
Josh Cummings
46f402243b
Merge remote-tracking branch 'origin/5.8.x' 2022-09-20 16:11:16 -06:00
Josh Cummings
3f8503f1b4
Deprecate AccessDecisionManager et al 
Closes gh-11302
 2022-09-20 16:09:59 -06:00
Steve Riesenberg
088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf 
Issue gh-11764
Issue gh-4001
 2022-09-06 12:28:52 -05:00
Steve Riesenberg
ed41a60aae
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
#	config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
#	web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
 2022-09-06 11:51:55 -05:00
Steve Riesenberg
86fbb8db07 Add new interfaces for CSRF request processing 
Issue gh-4001
Issue gh-11456
 2022-09-06 11:43:33 -05:00
Rob Winch
8cb97a090b Default CsrfFilter.csrfRequestAttributeName = _csrf 2022-08-31 14:26:26 -05:00
Steve Riesenberg
0aa5850d22
Fix formatting 
Issue gh-11762
 2022-08-29 16:26:30 -05:00