Marcus Hert da Coregio
29f4193529
Adjust createNewSessionIfAllowed to prevent NPE
...
Ensure that isTransientAuthentication reuses the same authentication object from saveContext
Closes gh-8947
2021-05-26 13:46:08 -03:00
Josh Cummings
df6ebc7051
Rename DelegatingAuthorizationManager
...
Closes gh-9692
2021-04-28 09:53:25 -06:00
Thomas Vitale
e2993d93e1
Make Csrf cookie secure flag configurable (WebFlux)
...
Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository.
Closes gh-9678
2021-04-27 09:34:12 +02:00
Josh Cummings
cb6e4f4a11
Add NPE Guards
...
- Like values, names are only validated if they are not null
Closes gh-9598
2021-04-22 11:22:19 -06:00
Craig Andrews
7dc4de05b1
Add guard around logger.debug statement
...
The log message involves string concatenation, the cost of which should only be incurred if debug logging is enabled
2021-04-16 10:32:58 -06:00
Josh Cummings
4f7d529c5d
Polish Csrf Tests
...
Issue gh-9561
2021-04-09 22:47:31 -06:00
佚名
87ed527023
Add null check in CsrfFilter and CsrfWebFilter
...
Solve the problem that CsrfFilter and CsrfWebFilter
throws NPE exception when comparing two byte array
is equal in low JDK version.
When JDK version is lower than 1.8.0_45, method
java.security.MessageDigest#isEqual does not verify
whether the two arrays are null. And the above two
class call this method without null judgment.
ZiQiang Zhao<1694392889@qq.com>
2021-04-09 21:43:19 -06:00
Rob Winch
f3f1106624
Update io.spring.javaformat to 0.0.27
...
Closes gh-9553
2021-04-05 22:23:59 -05:00
Rob Winch
60d3db5798
add management platform(project(":spring-security-dependencies"))
...
Closes gh-9540
2021-04-05 10:36:36 -05:00
Rob Winch
1a76ee7442
Update Gradle configuration names
...
Closes gh-9540
2021-04-05 10:36:36 -05:00
Eleftheria Stein
4a492846f1
Revert "Lock dependencies for 2.5.0-M3"
...
This reverts commit f05cc6269c
.
2021-03-15 23:18:45 +01:00
Eleftheria Stein
f05cc6269c
Lock dependencies for 2.5.0-M3
2021-03-15 11:00:19 +01:00
Rob Winch
95da12110b
Additional Test for HttpSessionSecurityContextRepository
...
Issue gh-9387
2021-02-11 15:58:29 -07:00
Rob Winch
3116369f02
Optimize HttpSessionSecurityContextRepository
...
Closes gh-9387
2021-02-11 15:58:28 -07:00
Josh Cummings
c4be1c6a56
Revert "Lock Dependencies"
...
This reverts commit a85caa4098
.
2021-02-11 15:49:59 -07:00
Josh Cummings
a85caa4098
Lock Dependencies
2021-02-11 15:00:38 -07:00
Josh Cummings
107f38fff9
Polish Tests
...
Issue gh-9331
2021-02-03 09:05:31 -07:00
happier233
873b9bdbca
Configure CurrentSecurityContextArgumentResolver BeanResolver
...
Closes gh-9331
2021-02-03 09:05:31 -07:00
Evgeniy Cheban
77484018bb
Reconsider AntPathRequestMatcher matching logic
...
Closes gh-9285
2021-01-19 12:02:06 -07:00
Rob Winch
0201c31deb
Fix Checkstyle for CsrfWebFilter
...
Issue gh-9337
2021-01-12 11:37:12 -06:00
Rob Winch
a1083d9a5c
Fix CsrfWebFilter error message when expected CSRF not found
...
Closes gh-9337
2021-01-12 11:18:29 -06:00
Josh Cummings
160a4a3676
Reformat MvcRequestMatcher
...
- Moved related private methods together
Issue gh-9284
2021-01-11 08:28:59 -07:00
Evgeniy Cheban
8449df9fd2
Consider Aligning MvcRequestMatcher's matching methods
...
Closes gh-9284
2021-01-09 21:42:16 +03:00
Zeeshan Adnan
848bd44837
Remove unused code
...
Issue gh-9203
2020-12-18 11:49:52 -07:00
Rob Winch
40e027c56d
Constant Time Comparison for CSRF tokens
...
Closes gh-9291
2020-12-17 15:01:43 -06:00
Josh Cummings
c066e23a86
Add @since attributes
...
Issue gh-8900
2020-12-16 15:58:53 -07:00
Evgeniy Cheban
34b4b1054f
Add AuthorizationManager
...
Closes gh-8900
2020-12-16 15:58:36 -07:00
Nick McKinney
5306d4c4d5
Minor cleanup on Ant / Regex Request Matchers
...
- Removed duplicative code for transforming String into HttpMethod
- Removed an unnecessary array initialization
2020-12-14 14:19:23 +01:00
Nick McKinney
6be25df1db
Introduced DispatcherType request matcher
...
Created a DispatcherTypeRequestMatcher and corresponding methods
for configuring an HttpSecurity object. This enables filtering of
security rules based on the dispatcher type of the incoming servlet
request.
Closes gh-9205
2020-12-14 14:19:23 +01:00
Christophe Gilles
54d3839f63
Add permissionsPolicy http header
2020-12-11 12:32:18 +01:00
Serdar Kuzucu
48ef27b80a
Make assertion messages in CookieCsrfTokenRepository clearer
...
Changes assertion message format from 'X is not null' to
'X cannot be null' since this is more meaningful when the error
occurs and the message is printed in the logs.
Closes gh-9195
2020-12-09 10:45:22 -06:00
Serdar Kuzucu
76e117a67a
Allow maximum age of csrf cookie to be configured
...
Allows maxAge of the generated cookie by CookieCsrfTokenRepository
to be configurable.
Prior to this commit, maximum age was set with a value of -1.
After this commit, it will be configured by the user with an either
positive or negative value. If the user does not provide a value,
it will be set -1.
An IllegalArgumentException will be thrown when
this value is set to zero.
Closes gh-9195
2020-12-09 10:45:22 -06:00
Josh Cummings
f614a8230c
Polish getRemoteUser
...
- Corrected instanceof check
Issue gh-3357
2020-12-03 13:08:40 -07:00
Stephen Joyner
9c373ef4f8
getRemoteUser() returns principal name
...
Closes gh-3357
2020-12-03 13:08:40 -07:00
Eleftheria Stein
7f482eda7d
Fix CookieRequestCache for URL encoded query parameters
...
Avoid populating the saved request parameters with encoded values. Since the query strings of the request and saved URL are compared and must be equal, we can just use the parameters from the incoming request.
Closes gh-9203
2020-11-26 18:16:42 +01:00
Aditya Sekhar
4cc3c25a0e
removed whitespace formatting
2020-11-13 15:01:17 -06:00
Aditya Sekhar
a26975f780
cleanup compatibility method based on spring-projects#8868
2020-11-13 15:01:17 -06:00
zhuang
ff58ac836e
Decode cookie once in AbstractRememberMeServices
...
Issue gh-9192
2020-11-09 08:14:20 -05:00
Eleftheria Stein
34a21cd80c
Fix formatting
2020-11-09 13:46:09 +01:00
Eleftheria Stein
5661e06e9c
Fix typo UserDetailService -> UserDetailsService
2020-11-09 13:13:32 +01:00
Arnaud Mergey
2b9efccc50
Implement MessageSourceAware where missing
...
Closes gh-8951
2020-11-05 10:57:33 -07:00
Joe Grandja
b95e1aa209
Revert "Lock dependencies for 5.5.0-M1"
...
This reverts commit 25a7482c8c
.
2020-11-03 19:53:28 -05:00
Rob Winch
25a7482c8c
Lock dependencies for 5.5.0-M1
2020-10-30 17:52:03 -05:00
Alexander Polozov
a362ab53bc
Change guard expressions order
...
Check of allowed user sessions count moved to head for avoid unnecessary fetching all user sessions.
2020-10-27 09:49:29 -04:00
Phillip Webb
c502312719
Replace expected @Test attributes with AssertJ
...
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb
20baa7d409
Replace ExpectedException @Rules with AssertJ
...
Replace JUnit ExpectedException @Rules with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb
910b81928f
Replace try/catch with AssertJ
...
Replace manual try/catch/fail blocks with AssertJ calls.
2020-09-22 16:13:51 -06:00
Tomoki Tsubaki
65f788532e
Fix broken Mono chain
...
This commit restore broken Mono chain in WebSessionServerCsrfTokenRepository.generateToken(ServerWebExchange).
Closes gh-9017
2020-09-16 09:53:23 -06:00
Tomoki Tsubaki
2c297fbd63
Create the CSRF token on the bounded elactic scheduler
...
The CSRF token is generated by UUID.randomUUID() which is I/O blocking operation.
This commit changes the subscriber thread to the bounded elactic scheduler.
Closes gh-9018
2020-09-16 08:48:00 -06:00
Joe Grandja
7b1f574769
Revert "Lock Dependency Versions for 5.4.0"
...
This reverts commit 3d0e459182
.
2020-09-09 18:14:12 -04:00