415a674edc
AnonymousAuthenticationFilter Avoids Eager SecurityContext Access
...
Previously AnonymousAuthenticationFilter accessed the SecurityContext to
determine if anonymous authentication needed setup eagerly. Now this is done
lazily to avoid unnecessary access to the SecurityContext which in turn avoids
unnecessary HTTP Session access.
Closes gh-11457
2022-07-05 15:34:21 -05:00
28c0d1459c
Request Cache supports matchingRequestParameterName
2022-07-01 16:35:06 -05:00
5357cb8c95
Use SecurityContextHolderStrategy for NullSecurityContextRepository
...
Issue gh-11060
2022-06-28 15:32:20 -06:00
03a5c3b08a
Use SecurityContextHolderStrategy for Concurrency Filter
...
Issue gh-11060
Issue gh-11061
2022-06-28 15:32:05 -06:00
27de315e5e
Use SecurityContextHolderStrategy for Async Requests
...
Issue gh-11060
Issue gh-11061
2022-06-28 14:46:52 -06:00
135e602472
Use SecurityContextHolderStrategy for Digest
...
Issue gh-11060
2022-06-28 13:54:29 -06:00
e1c211c11f
Use SecurityContextHolderStrategy for Switch User
...
Issue gh-11060
2022-06-28 13:34:04 -06:00
98995f2225
Add SecurityContextHolderStrategy to Pre-authenticated scenarios
...
Issue gh-11060
Issue gh-11061
2022-06-28 12:04:37 -06:00
4a2d77d3f2
Use SecurityContextHolderStrategy for Remember-me
...
Issue gh-11060
Isuse gh-11061
2022-06-28 11:08:57 -06:00
ee66850aed
Add SecurityContextHolderStrategy for Jaas
...
Issue gh-11060
Issue gh-11061
2022-06-28 09:26:05 -06:00
0fee05d023
Use SecurityContextHolderStrategy for AuthenticationFilter
...
Issue gh-11060
2022-06-27 16:26:42 -06:00
772f29e063
Polish SecurityContextHolderStrategy for Defaults
...
gh-11060
2022-06-27 13:00:24 -06:00
1ac1271972
Adds the ability to set the CSRF Token cookie max age value
...
Closes gh-11432
2022-06-24 16:42:05 -06:00
d32f74d19d
SecurityContextHolder Deferred SecurityContext
...
Closes gh-10913
2022-06-17 17:03:19 -05:00
29db051f7a
Cache SecurityContextRepository.loadContext(HttpServletRequest) Result
...
Closes gh-11390
2022-06-17 14:52:35 -05:00
591d1edc7d
Cache SecurityContextRepository.loadContext(HttpServletRequest) Result
...
Closes gh-11390
2022-06-17 14:52:01 -05:00
31e25b115e
Add SecurityContextHolderStrategy to Default Components
...
Issue gh-11060
2022-06-17 11:28:10 -06:00
29ba67b6d7
Remove dependency on commons-codec by using java.util.Base64
...
Closes gh-11318
2022-06-09 06:50:01 -06:00
e97c5a533b
Reverse content type check
...
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.
closes gh-11204
Closes gh-11205
2022-06-06 15:47:35 -05:00
d882bfcf2b
Reverse content type check
...
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.
closes gh-11204
Closes gh-11205
2022-06-06 15:47:14 -05:00
cf69cdf008
Reverse content type check
...
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.
closes gh-11204
Closes gh-11205
2022-06-06 15:46:28 -05:00
362f15534e
createEvaluationContext should defer lookup of Authentication
...
- Added createEvaluationContext method that accepts Supplier<Authentication>
- Refactored classes that use EvaluationContext to use lazy initialization of Authentication
Closes gh-9667
2022-05-18 17:34:14 -06:00
7d97839235
StrictHttpFirewall allows CJKV characters
...
Closes gh-11264
2022-05-18 09:53:29 -05:00
66d1cd592a
StrictHttpFirewall allows CJKV characters
...
Closes gh-11264
2022-05-18 09:04:46 -05:00
077c9e0b3e
StrictHttpFirewall allows CJKV characters
...
Closes gh-11264
2022-05-18 08:56:57 -05:00
e2eed33eca
Add StrictHttpFirewall.allow* new lines and separators
...
Issue gh-11264
2022-05-17 22:24:31 -05:00
5bf478e72e
Fix Formatting
...
Issue gh-11264
2022-05-17 16:16:02 -05:00
e0a6a9efa9
StrictHttpFirewall allows CJKV characters
...
Issue gh-11264
2022-05-17 15:53:18 -05:00
538252cf07
AntRegexRequestMatcher Optimization
...
Closes gh-11234
2022-05-16 10:22:30 -05:00
04ca7ef91b
Extract rejectNonPrintableAsciiCharactersInFieldName
...
Closes gh-11234
2022-05-16 10:22:30 -05:00
c6461d61ba
AntRegexRequestMatcher Optimization
...
Closes gh-11234
2022-05-16 10:18:12 -05:00
4405cf18f3
Extract rejectNonPrintableAsciiCharactersInFieldName
...
Closes gh-11234
2022-05-16 10:18:11 -05:00
70863952ae
AntRegexRequestMatcher Optimization
...
Closes gh-11234
2022-05-16 10:17:44 -05:00
af95be34c6
Extract rejectNonPrintableAsciiCharactersInFieldName
...
Closes gh-11234
2022-05-16 10:17:44 -05:00
ee28896f42
AntRegexRequestMatcher Optimization
...
Closes gh-11234
2022-05-16 10:17:26 -05:00
6b823fb27e
Extract rejectNonPrintableAsciiCharactersInFieldName
...
Closes gh-11234
2022-05-16 10:17:26 -05:00
ffaf5b4e61
Polish WebExpressionAuthorizationManager
...
- Add support for request variables
- Added additional tests
Issue gh-11105
2022-05-13 13:53:38 -06:00
07b0be3f42
Add AuthorizationManager that uses ExpressionHandler
...
Closes gh-11105
2022-05-13 13:52:49 -06:00
ce86f4e4b5
Polish ServerWebExchangeDelegatingServerHttpHeadersWriter
...
Issue gh-11073
2022-05-06 09:51:28 -03:00
57cededd49
Add DelegatingServerHttpHeadersWriter
...
Servlet Spring Security has DelegatingRequestMatcherHeaderWriter
the reactive world of Spring Security was missing a class to
conditionally write headers.
Closes gh-11073
2022-05-06 09:51:28 -03:00
67830f4111
Fix WebSessionReactiveSecurityRepository Supports Cache
...
Fix the checkstyle for this feature
Closes gh-8422
2022-05-03 21:10:07 -05:00
768267c131
Fix WebSessionReactiveSecurityRepository Supports Cache
...
Fix the checkstyle for this feature
Closes gh-8422
2022-05-03 21:09:41 -05:00
dbe7e37f2b
WebSessionReactiveSecurityRepository Supports Cache
2022-05-03 16:40:51 -05:00
c6eaa05fc5
WebSessionReactiveSecurityRepository Supports Cache
2022-05-03 16:40:38 -05:00
aaf78330b1
ForceEagerSessionCreationFilter
...
Closes gh-11109
2022-04-15 14:16:35 -05:00
7fea639a43
Add Option to Filter All Dispatcher Types
...
Closes gh-11092
2022-04-14 15:58:00 -03:00
3a9b080bbe
Deprecate loadContext(RequestResponseHolder)
...
Fix gh-11032
2022-04-12 16:36:08 -05:00
39b0620a84
Add DisableUrlRewritingFilter
...
Closes gh-11084
2022-04-08 16:13:44 -05:00
725a57fccc
Remove blocking call from ExceptionTranslationWebFilter
...
This also means that the exception message is no longer retrieved from a MessageSource. This is consistent with the other WebFilters.
Closes gh-10864
2022-04-05 13:12:17 +02:00
c175118f62
Use RequestMatcherEntry
...
Closes gh-11046
2022-03-30 14:31:11 -06:00
061f69eb70
Polish Authorization Event Support
...
- Added spring-security-config support
- Renamed classes
- Changed contracts to include the authenticated user and secured
object
- Added method security support
Issue gh-9288
2022-03-29 16:03:19 -06:00
bd9434882f
Add authorization events
...
Closes gh-9288
2022-03-29 15:44:21 -06:00
9792e2a0fa
Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
...
Closes gh-10908
2022-03-28 10:21:15 -03:00
c67632225d
Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
...
Closes gh-10908
2022-03-28 10:13:40 -03:00
6c52c52a68
Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
...
Closes gh-10908
2022-03-28 09:45:23 -03:00
67fd46bfa6
Add SecurityContextRepository.loadContext(HttpServletRequest)
...
This allows loading the SecurityContext lazily, without the need for the
response, and does not attempt to automatically save the request when
the response is comitted.
Closes gh-11028
2022-03-25 14:21:52 -05:00
8940719dbb
HttpSessionSecurityContextRepository support null HttpServletResponse
...
Closes gh-11029
2022-03-25 13:01:40 -05:00
987ee2e67a
Polish gh-10911
2022-03-17 12:53:56 -05:00
1b29c43a11
Use configurable charset in ServerHttpBasicAuthenticationConverter
...
Closes gh-10903
2022-03-17 12:53:55 -05:00
7955e5ac52
Polish UsernamePasswordAuthenticationFilter method
...
Closes gh-10970
2022-03-16 16:29:40 +01:00
87ed31a99c
Add SecurityContextHolderFilter
...
Closes gh-9635
2022-03-11 17:22:23 -06:00
ac9c29b2a0
Add UsernamePasswordAuthenticationToken factory methods
...
- unauthenticated factory method
- authenticated factory method
- test for unauthenticated factory method
- test for authenticated factory method
- make existing constructor protected
- use newly factory methods in rest of the project
- update copyright dates
Closes gh-10790
2022-03-09 15:23:35 -07:00
636f3e1d5d
AbstractPreAuthenticatedProcessingFilter.securityContextRepository
...
Issue gh-10953
2022-03-09 15:33:42 -06:00
e6b6104b52
DigestAuthenticationFilter.securityContextRepository
...
Issue gh-10953
2022-03-09 15:33:42 -06:00
9b0cd5a0a8
BasicAuthenticationFilter.setSecurityContextRepository
...
Issue gh-10953
2022-03-09 15:33:42 -06:00
120f2a356f
RememberMeAuthenticationFilter.securityContextRepository
...
Issue gh-10953
2022-03-09 15:33:42 -06:00
014c471ff1
AuthenticationFilter.securityContextRepository
...
Issue gh-10953
2022-03-09 15:33:42 -06:00
f11cb988a9
AbstractAuthenticationProcessingFilter.securityContextRepository
...
Issue gh-10953
2022-03-09 15:33:42 -06:00
44508df940
AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains
...
Closes gh-10950
2022-03-09 15:38:11 -03:00
70b67cd2f1
AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains
...
Closes gh-10950
2022-03-09 15:22:21 -03:00
980e0466a7
AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains
...
Closes gh-10950
2022-03-09 15:21:37 -03:00
65ec2659c4
HttpSessionSecurityContextRepository saves with original response
...
Previously, the HttpSessionSecurityContextRepository unnecessarily required
the HttpServletResponse from the HttpReqeustResponseHolder passed into
loadContext. This meant code that wanted to save a SecurityContext had to
have a reference to the original HttpRequestResponseHolder. Often that
implied that the code that saves the SecurityContext must also load the
SecurityContext.
This change allows any request / response to be used to save the
SecurityContext which means any code can save the SecurityContext not just
the code that loaded it. This sets up the code to be permit requiring
explicit saves. Using the request/response from the
HttpRequestResponseHolder is only necessary for implicit saves.
Closes gh-10947
2022-03-09 10:17:15 -06:00
b9f79543c5
Add RequestAttributeSecurityContextRepository
...
Closes gh-10918
2022-03-07 14:52:24 -06:00
f0c548cee7
Invert Log Messages
...
Closes gh-10909
2022-02-28 13:17:01 -07:00
efd5fc745c
Invert Log Messages
...
Closes gh-10909
2022-02-28 13:10:06 -07:00
371389580b
Update JavaDoc
...
Issue gh-10564
2022-02-15 12:57:32 -07:00
0fb6840db3
Make WebAuthenticationDetails constructor public
...
Closes gh-10564
2022-02-15 12:57:32 -07:00
a09f6e15ad
Polish ignoring() log messaging
...
- Public API remains unchanged
Issue gh-9334
2022-02-07 15:22:49 -07:00
7e0302be5c
Print ignore message DefaultSecurityFilterChain
...
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.
Closes gh-9334
2022-02-07 15:22:49 -07:00
f53c65b3a0
Polish ignoring() log messaging
...
- Public API remains unchanged
Issue gh-9334
2022-02-07 15:07:29 -07:00
0be772ff5b
Print ignore message DefaultSecurityFilterChain
...
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.
Closes gh-9334
2022-02-07 15:07:29 -07:00
cbd87fac89
Polish ignoring() log messaging
...
- Public API remains unchanged
Issue gh-9334
2022-02-07 14:50:28 -07:00
01ed617d5f
Print ignore message DefaultSecurityFilterChain
...
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.
Closes gh-9334
2022-02-07 14:50:19 -07:00
70fa8b1fdb
Add Support for @Transient SecurityContext
...
Closes gh-9995
2022-02-03 09:45:51 -06:00
893b651aea
RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provided access to the ServletContext
...
Closes gh-10779
2022-01-31 09:57:34 -03:00
a041e7c943
RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provided access to the ServletContext
...
Closes gh-10779
2022-01-31 09:50:17 -03:00
1c10c10f73
RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provided access to the ServletContext
...
Closes gh-10779
2022-01-31 09:43:18 -03:00
9baf1134c7
Add Request-based AuthenticationManagerResolvers
...
Closes gh-6762
2022-01-26 09:09:02 -07:00
04f3bbcefa
javax.xml.bind:jaxb-api -> jakarta.xml.bind:jakarta.xml.bind-api
...
Issue gh-10501
2022-01-19 15:32:12 -06:00
c67ee6f2a8
javax.servlet:javax.servlet-api -> jakarta.servlet:jakarta.servlet-api
...
Issue gh-10501
2022-01-19 15:32:12 -06:00
0e8c03401b
javax.xml.bind:jaxb-api -> jakarta.xml.bind:jakarta.xml.bind-api
...
Issue gh-10501
2022-01-19 14:34:16 -06:00
8f64bb6c8c
javax.servlet:javax.servlet-api -> jakarta.servlet:jakarta.servlet-api
...
Issue gh-10501
2022-01-19 14:33:53 -06:00
7435da6bbf
Add serialVersionUID to DefaultSavedRequest and SavedCookie
...
Closes gh-10594
2022-01-18 09:26:56 -03:00
75f25bff82
Polish multiple RequestRejectedHandlers support
...
Issue gh-10603
2022-01-14 16:49:38 -07:00
4ea57f3e3f
Support multiple RequestRejectedHandler beans
...
Closes gh-10603
2022-01-14 16:46:15 -07:00
ca353d6781
Use noNullElements
...
Collection#contains(null) does not work for all collection types
Closes gh-10703
2022-01-14 15:19:13 -07:00
6c5ac0d8ec
Use noNullElements
...
Collection#contains(null) does not work for all collection types
Closes gh-10703
2022-01-14 15:09:21 -07:00
aaaf7d3523
Use noNullElements
...
Collection#contains(null) does not work for all collection types
Closes gh-10703
2022-01-14 15:08:38 -07:00
1ab0705b47
Fix typo
2022-01-10 16:17:42 +01:00
60595f2801
Fix @since tag
...
Issue gh-10590, gh-10554
2022-01-06 13:22:58 -03:00
Rob Winch
Josh Cummings
Alonso Araya Calvo
j3graham
Zhivko Delchev
Evgeniy Cheban
Marcus Da Coregio
David Herberth
Eleftheria Stein
Parikshit Dutta
Steve Riesenberg
David Kirstein
ShinDongHun1
Norbert Nowak
Yuriy Savchenko
Manuel Jordan
Juan Carlos
Adam Ostrožlík
heowc