Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-04-17 14:30:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
11,523 Commits 62 Branches 376 Tags
Commit Graph

1083 Commits

Author SHA1 Message Date
Josh Cummings
2079309c5a
Add SecurityContextHolderStrategy XML Configuration for OAuth2 
Issue gh-11061
 2022-10-05 23:50:59 -06:00
Josh Cummings
7543effe89
Add SecurityContextHolderStrategy Java Configuration for OAuth2 
Issue gh-11061
 2022-10-05 23:50:58 -06:00
Josh Cummings
7e3841105b
Add SecurityContextHolderStrategy XML Configuration for Saml2 
Issue gh-11061
 2022-10-05 23:50:57 -06:00
Josh Cummings
19181a5afd
Add SecurityContextHolderStrategy Java Configuration for Saml2 
Issue gh-11061
 2022-10-05 23:50:56 -06:00
Josh Cummings
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings
7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests 
Issue gh-11665
 2022-10-05 22:18:41 -06:00
Steve Riesenberg
8b490de08d
Merge branch '5.8.x' 
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
 2022-10-05 14:46:15 -05:00
Steve Riesenberg
dce1c30522
Add support for BREACH 
Closes gh-4001
 2022-10-05 14:21:13 -05:00
Marcus Da Coregio
c2ed65c67a Fix failing tests 
Issue gh-9159
 2022-10-05 14:59:33 -03:00
Marcus Da Coregio
76d7a85bc0 Use modified classpath test support for tests that depend on the classpath 
Issue gh-11347
 2022-10-04 15:32:19 -03:00
Marcus Da Coregio
77dcc691b3 Add modified classpath test support 
Closes gh-11951
 2022-10-04 15:32:18 -03:00
Marcus Da Coregio
5002199be3 Revert "Disable tests that need Spring MVC mocked in classpath" 
This reverts commit c6978fba7c53c5bec765dba672b0ccb084e3048f.
 2022-10-04 15:32:18 -03:00
Marcus Da Coregio
35f7e46d05 Remove WebSecurityConfigurerAdapter 
Closes gh-10902
 2022-10-04 15:13:04 -03:00
Steve Riesenberg
5de6da890b
Merge branch '5.8.x' 
Closes gh-dry-run
 2022-10-04 11:18:00 -05:00
Marcus Da Coregio
c6978fba7c Disable tests that need Spring MVC mocked in classpath 
Issue gh-11347
 2022-10-04 08:56:06 -03:00
Steve Riesenberg
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken 
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
 2022-10-03 17:10:54 -05:00
Steve Riesenberg
c847efd3fd
Fix servlet import 
Issue gh-11347
Issue gh-9159
 2022-10-03 15:10:56 -05:00
Steve Riesenberg
7c3cc1e386
Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux
0e215a21ad
Add X-Xss-Protection headerValue to XML config 
Issue gh-9631
 2022-10-03 14:29:34 -05:00
Marcus Da Coregio
ad2abd39dc Merge branch '5.8.x' 
Closes gh-11347 in 6.0.x
Closes gh-11945
 2022-10-03 16:02:18 -03:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage 
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
 2022-10-03 15:55:20 -03:00
Rob Winch
4479cefade Default Require Explicit Session Management = true 
Closes gh-11763
 2022-09-30 21:49:05 -05:00
Rob Winch
12a0ccf6de Remove Explicit CSRF Config from DeferHttpSessionTests 
Issue gh-11764
 2022-09-30 21:49:04 -05:00
Steve Riesenberg
76fbca9f46
Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity 
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
 2022-09-30 09:38:08 -05:00
Marcus Da Coregio
3bfdf6dd0f Merge branch '5.8.x' 
Closes gh-11922
 2022-09-29 11:21:24 -03:00
Marcus Da Coregio
cf3349f31a Configure ContentNegotiationStrategy in HttpSecurityConfiguration 
Closes gh-11916
 2022-09-29 11:21:08 -03:00
Josh Cummings
506e50bfd0
Move Saml2 Authentication Filters 
Issue gh-8819
 2022-09-26 10:44:27 -06:00
Steve Riesenberg
181ee7410b
Change default authority for oauth2Login() 
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.

* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER

Documentation has been updated to include this implementation detail.

Closes gh-7856
 2022-09-26 10:06:31 -05:00
Josh Cummings
37a160245f
Adjust OAuth2 Resource Server packaging 
Closes gh-7349
 2022-09-23 16:31:21 -06:00
Steve Riesenberg
bcb21c9384
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
 2022-09-23 15:39:43 -05:00
Steve Riesenberg
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver 
Closes gh-11896
 2022-09-23 15:09:00 -05:00
Steve Riesenberg
3c66ef6305
Change default SecurityContextRepository 
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
 2022-09-22 17:31:14 -05:00
Rob Winch
0efe26c1fd Merge branch '5.8.x' 
Closes gh-11894
 2022-09-22 13:47:04 -05:00
Rob Winch
d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler 
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
 2022-09-22 11:09:44 -05:00
Josh Cummings
44b7847258
Fix Import Order 
Issue gh-8819
 2022-09-21 09:08:41 -06:00
Josh Cummings
70460ca009
Adjust OAuth2 Resource Server packaging 
Closes gh-7349
 2022-09-20 17:44:05 -06:00
Rob Winch
48e31f87e4 Remove Deprecated OpenSAML 3 Support 
Closes gh-10556
 2022-09-20 16:57:38 -06:00
Steve Riesenberg
1aee40dcca
Polish gh-11665 
* Add authentication-converter-ref to 6.0
* Add @Configuration to test configs
 2022-09-14 10:41:42 -05:00
Steve Riesenberg
2431dd1103
Merge branch '5.8.x' 2022-09-13 17:38:10 -05:00
Steve Riesenberg
355ef21117
Polish gh-11665 2022-09-13 16:45:39 -05:00
ch4mpy
1efb63387f
Add authentication converter for introspected tokens 
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.

Closes gh-11661
 2022-09-13 16:45:36 -05:00
Steve Riesenberg
088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf 
Issue gh-11764
Issue gh-4001
 2022-09-06 12:28:52 -05:00
Steve Riesenberg
ed41a60aae
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
#	config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
#	web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
 2022-09-06 11:51:55 -05:00
Steve Riesenberg
86fbb8db07 Add new interfaces for CSRF request processing 
Issue gh-4001
Issue gh-11456
 2022-09-06 11:43:33 -05:00
Rob Winch
7bf2d3dc4e Update DeferHttpSession Tests 
Closes gh-11764
 2022-08-31 14:40:06 -05:00
Rob Winch
2efc8dcd15 Default Require Explicit Save SecurityContext 
Closes gh-11762
 2022-08-29 10:16:04 -05:00
Josh Cummings
b1fd9af723
Merge remote-tracking branch 'origin/5.8.x' into main 2022-08-26 16:01:40 -06:00
Josh Cummings
0f58620643 Add AspectJ AuthorizationManager Support 
Closes gh-11326
 2022-08-26 15:59:08 -06:00
Rob Winch
f84f08c4b9 Default HttpSessionRequestCache.matchingRequestParameterName=continue 
Closes gh-11757
 2022-08-26 14:44:55 -05:00