Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-30 22:28:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
17,767 Commits 48 Branches 362 Tags
Commit Graph

1770 Commits

Author SHA1 Message Date
Shawn Biesan
a919b4e916 Remove servlet getHeader check and test 
Fixes: gh-6265
 2018-12-18 13:25:10 -07:00
finke-ba
9c7cab835f Add conditionally servlet based support for spring security web jackson module. 2018-12-18 14:21:31 -06:00
Dongmin Shin
3230cd653c Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository 
Fixes: gh-6261
 2018-12-17 12:56:33 -07:00
Dongmin Shin
733a380bc7 Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter 
Fixes: gh-6260
 2018-12-17 12:52:59 -07:00
Rob Winch
a90c217446 Fix LoginPageGeneratingWebFilter Markup 
Fixes: gh-6295
 2018-12-17 11:15:59 -06:00
Ian He
9818da79fe Fix DefaultLoginPageGeneratingFilter Markup 
the `</h3>` should be `</h2>`.
 2018-12-17 10:50:03 -06:00
Dongmin Shin
fc802e1a7c Remove Servlet 2.5 and 3.0 Support for Remember Me and CSRF 
Fixes: gh-6263, Fixes: gh-6262
 2018-12-14 06:47:21 -07:00
Dongmin Shin
0d2af416aa Add cookieDomain to CookieCsrfTokenRepository 
Fixes: gh-4315
 2018-12-13 15:01:24 -07:00
Ankur Pathak
2b369cfe98 Added support for Anonymous Authentication 
1. Created new WebFilter AnonymousAuthenticationWebFilter to
for anonymous authentication
2. Created class AnonymousSpec, method anonymous to configure
anonymous authentication in ServerHttpSecurity
3. Added ANONYMOUS_AUTHENTICATION order after AUTHENTICATION for
anonymous authentication in SecurityWebFiltersOrder
4. Added tests for anonymous authentication in
AnonymousAuthenticationWebFilterTests and ServerHttpSecurityTests
5. Added support for Controller in WebTestClientBuilder

Fixes: gh-5934
 2018-12-12 16:05:30 -06:00
lmagyar
3c35f4cfab SecurityContextCallableProcessingInterceptor thread visibility fix 
Within class SecurityContextCallableProcessingInterceptor field securityContext should volatile.

Fixes gh-6143
 2018-12-03 15:45:56 -06:00
Bhavik Kumar
90b9cfaf55 Use SpringUtils to check scheme 
Fixes 6183
 2018-11-29 20:42:39 -06:00
John Coyne
7618d236c4 CookieClearingLogoutHandler updates based on comments 
Changed the implementation to use an anonymous function
Issue: gh-6078
 2018-11-26 14:33:08 -06:00
John Coyne
14c2d96c86 Clean up code to conform to basic checkstyle 
Issue: gh-6078
 2018-11-26 14:33:08 -06:00
John Coyne
d05ad19276 CookieClearingLogoutHandler enhancement 
Enabled the ability to pass in an array of Cookies to support clearing cookies on a different path other than the default context path
Issue: gh-6078
 2018-11-26 14:33:08 -06:00
Josh Cummings
8a475e39be Write Security Headers Before Servlet Include 
HeaderWriterFilter wraps request dispatcher so it can write security
headers before the include occurs.

Fixes: gh-5499
 2018-10-31 09:27:25 -05:00
sunflower-seed
2e6ff72c31 Update SubjectDnX509PrincipalExtractor.java 
Added missing asterisk
 2018-10-17 14:56:45 -05:00
Eric Deandrea
b060ec050a Automatically add CsrfServerLogoutHandler if csrf enabled 
The configuration DSL should automatically add CsrfServerLogoutHandler if csrf is enabled

Fixes gh-5337
 2018-09-21 00:59:36 -05:00
Rob Winch
e4597b5213 WebSessionServerRequestCache ignores favicon and html 
Fixes: gh-5874
 2018-09-19 14:28:05 -05:00
Rob Winch
8e4d540bfb Default Log Out Pages Use HTTPS for CSS 
Fixes: gh-5873
 2018-09-19 13:52:35 -05:00
Rob Winch
9c749bf556 Fix SwitchUserFilter matchers 
Fixes: gh-4249
 2018-09-14 09:45:41 -05:00
Rob Winch
8b19f7a71a AntPathRequestMatcher supports UrlPathHelper 
Fixes: gh-5846
 2018-09-14 09:45:41 -05:00
Rob Winch
96d85ad2b5 Polish HttpsRedirectWebFilter 
Issue: gh-5749
 2018-09-07 14:29:46 -05:00
Josh Cummings
2c982a4168 Reactive Redirect to Https 
This introduces the capability to configure Reactive Spring Security
to upgrade requests to HTTPS

Fixes: gh-5749
 2018-09-07 14:25:58 -05:00
Josh Cummings
21e62683ab
Polish Commit on Reactive Http Basic Test 2018-09-07 10:01:11 -06:00
Tim Koopman
6df4dfe47b
Reactive HttpBasic Support For Coloned Passwords 
This makes so that reactive httpBasic supports passwords containing
one or more colons.
 2018-09-07 10:01:11 -06:00
Josh Cummings
1c74706232 Delegating ServerAccessDeniedHandler by exchange 
Fixes: gh-5747
 2018-08-31 10:33:11 -05:00
Vedran Pavic
cb0ba58b58 Fix WhitespaceAfterCheck Checkstyle check 2018-08-27 10:45:35 -05:00
Rob Winch
1640a1f462 Polish ServerAuthenticationConverter 
Fix package tangles

Issue: gh-5338
 2018-08-24 09:44:27 -05:00
Josh Cummings
416a276436
Expose Default Reactive CsrfProtectionMatcher 
Make so that users can augment the default protection logic with
their own.

Fixes: gh-5725
 2018-08-22 13:02:02 -06:00
Rob Winch
f5701b5fe0 Fix OptimizeAntPathRequestMatcher 
Previously the logic for determining if the pathInfo should be appended
was inverted.

This correctly concatenates url + pathInfo if url is a non empty String.

Fixes: gh-5473
 2018-08-21 11:52:55 -05:00
Christoph Dreis
4ccd2f7ebd Optimize AntPathRequestMatcher.getRequestPath() 2018-08-21 11:46:37 -05:00
Vedran Pavic
f382b69507 Add reactive support for Referrer-Policy security header 2018-08-20 10:10:59 -05:00
Vedran Pavic
10621a0f2c Add reactive support for Content-Security-Policy security header 2018-08-20 10:03:42 -05:00
Vedran Pavic
29cfc3dd1d Add reactive support for Feature-Policy security header 
Closes gh-5672
 2018-08-20 09:02:12 -05:00
Rob Winch
f843da1942 Add OAuth2LoginAuthenticationWebFilter 
This is necessary so that the saving of the authorized client occurs
outside of the ReactiveAuthenticationManager. It will allow for
saving with the ServerWebExchange when ReactiveOAuth2AuthorizedClientRepository
is added.

Issue: gh-5621
 2018-08-19 21:11:43 -05:00
Rob Winch
e3eaa99ad0 Polish ServerAuthenticationConverter 
Update changes for ServerAuthenticationConverter to be passive.

Issue: gh-5338
 2018-08-18 19:55:39 -05:00
Eric Deandrea
b6afe66d32 Add ServerAuthenticationConverter interface 
- Adding an ServerAuthenticationConverter interface
- Retro-fitting ServerOAuth2LoginAuthenticationTokenConverter,
 ServerBearerTokenAuthentivationConverter, ServerFormLoginAuthenticationConverter,
 and ServerHttpBasicAuthenticationConverter to implement ServerAuthenticationConverter
- Deprecate existing AuthenticationWebFilter.setAuthenticationConverter
and add overloaded one which takes ServerAuthenticationConverter

Fixes gh-5338
 2018-08-18 19:55:39 -05:00
Vedran Pavic
c6ea447cc0 Add support for Feature-Policy security header 2018-08-16 09:31:02 -05:00
Johnny Lim
68878a1675 Replace isEqualTo(null) with isNull() 2018-08-09 18:04:48 -06:00
Johnny Lim
973af94b42 Fix typo 2018-08-07 22:52:59 -05:00
Rob Winch
0c26d1b98a ServerHttpBasicAuthenticationConverter Validates Scheme Name 
Fixes: gh-5414
 2018-07-31 09:10:23 -05:00
Rob Winch
e3d4d66917 BasicAuthenticationFilter case insenstive 
Fixes: gh-5586
 2018-07-31 09:10:10 -05:00
Rob Winch
afa2d9cbc7 Remove ExchangeFilterFunctions 
Issue: gh-5612
 2018-07-30 15:34:44 -05:00
Rob Winch
262c1a77c6 Remove SecurityHeaders 
We no longer need this since Spring Framework now provides
HttpHeaders.setBearerAuth

Issue: gh-5612
 2018-07-30 15:34:40 -05:00
Rob Winch
483e25f821 HttpSessionRequestCache Allow Any SavedRequest 
Fixes: gh-5585
 2018-07-26 15:14:11 -05:00
Rob Winch
fa0565109b Add SimpleSavedRequest 
Fixes: gh-5581
 2018-07-26 15:14:11 -05:00
Rob Winch
f48404a6a0 Default Log In Pages Use HTTPS for CSS 
Fixes: gh-5539
 2018-07-18 20:06:17 -05:00
Rob Winch
d468d7e6da Cache Control disabled for 304 
Fixes: gh-5534
 2018-07-17 22:13:33 -05:00
Rob Winch
d595098823 Rename @TransientAuthentication to @Transient 
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.

Issue: gh-5481
 2018-07-16 11:31:10 -05:00
Josh Cummings
28afb4e3d7 Access Denied Handling Defaults 
This introduces the capability for users to wire denial handling
by request matcher, similar to how users can already do with
authentication entry points.

This is handy for when denial behavior differs based on the contents
of the request, for example, when the Authorization header indicates
an OAuth2 Bearer Token request vs Basic authentication.

Fixes: gh-5478
 2018-07-16 10:40:46 -05:00