Commit Graph

3016 Commits

Author SHA1 Message Date
Marcus Hert Da Coregio 08f11f06ab Revert unnecessary commits from main
Issue gh-15016
2024-05-08 13:49:18 -03:00
Marcus Hert Da Coregio 2fbbcc4bd0 Polish Method Authorization Denied Handling
- Renamed @AuthorizationDeniedHandler to @HandleAuthorizationDenied
- Merged the post processor interface into MethodAuthorizationDeniedHandler , it now has two methods handleDeniedInvocation and handleDeniedInvocationResult
- @HandleAuthorizationDenied now handles AuthorizationDeniedException thrown from the method

Issue gh-14601
2024-04-12 15:55:25 -03:00
Josh Cummings 933ef67637
Polish AuthorizationDeniedException Handling
Issue gh-14600
2024-04-11 14:30:00 -06:00
Josh Cummings 50b85aea0d Handle SpEL AuthorizationDeniedExceptions
Closes gh-14600
2024-04-10 15:36:23 -07:00
Marcus Hert Da Coregio 61eba00654 Move HaveIBeenPwnedRestApiPasswordChecker to spring-security-web
Prior to this commit, the implementation was placed in spring-security-core, however we do not want to introduce a dependency on spring-web and spring-webflux for that module.

Issue gh-7395
2024-04-10 14:58:01 -03:00
Marcus Hert Da Coregio 8d914ef145 Add @AuthorizationDeniedHandler for Method Authorization Denied Handling
Issue gh-14601
2024-04-08 14:42:13 -03:00
Josh Cummings c8e5fbf21b
Fix Package Tangle
Issue gh-14598
2024-04-05 16:48:52 -06:00
YunByungil e5f7453690 fix: variable naming convention
Changed the variable name from MAX_INTITEM_LENGTH to MAX_INT_ITEM_LENGTH to adhere to naming conventions
2024-04-05 15:05:32 -07:00
Josh Cummings 3f7355abc6
Synthesize all annotation attributes
Issue gh-14601
2024-04-04 13:30:29 -06:00
Josh Cummings 6f07d63938
Support SpEL Returning AuthorizationDecision
Closes gh-14598
2024-04-04 11:32:00 -06:00
Josh Cummings 0a9c482f62
Revert "Support SpEL Returning AuthorizationDecision"
This reverts commit 77f2977c55.
2024-04-04 11:31:45 -06:00
Josh Cummings 77f2977c55 Support SpEL Returning AuthorizationDecision
Closes gh-14599
2024-04-04 09:52:15 -07:00
Marcus Hert Da Coregio d85857f905 Add Authorization Denied Handlers for Method Security
Closes gh-14601
2024-04-03 09:25:12 -03:00
Marcus Hert Da Coregio 19d66c0b8a Introduce AuthorizationResult 2024-04-03 09:25:12 -03:00
Marcus Hert Da Coregio 7d66525e23 Add Compromised Password Checker
Closes gh-7395
2024-04-01 09:48:07 -03:00
Josh Cummings 148776309f
Merge branch '6.2.x' 2024-03-22 14:33:57 -06:00
Josh Cummings afcce0c277
Merge branch '6.1.x' into 6.2.x
Closes gh-14795
2024-03-22 14:33:44 -06:00
Josh Cummings 7162046144
Remove Reference to MethodInvocationResult
Closes gh-14794
2024-03-22 14:33:23 -06:00
Ali-Hassan 04799c5aac Update AuthenticationProvider JavaDoc
Authentication is an interface, not a class. So, it's not correct
to say "instance of the Authentication class".
2024-03-22 11:27:58 -06:00
Josh Cummings e1c5dc0e66 Polish JavaDoc
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings 9898e0e993 Move AuthorizationAdvisorProxyFactory
To prevent package tangles

Issue gh-14596
2024-03-22 11:00:39 -06:00
Josh Cummings 12ea8a5738 Add Supplier Support
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings 795e44d11f Add Value-Type Ignore Support
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings ce54a6db18 Add TestAuthentication convenience method
Issue gh-14597
2024-03-19 10:27:03 -06:00
Josh Cummings d169d5a835 Add AuthorizeReturnObject
Closes gh-14597
2024-03-19 10:27:03 -06:00
Marcus Hert Da Coregio a8a9341f2e Merge branch '6.2.x'
Closes gh-14667
2024-03-18 06:43:37 -03:00
Marcus Hert Da Coregio a972338e1d Merge branch '6.1.x' into 6.2.x
Closes gh-14666
2024-03-18 06:43:09 -03:00
Marcus Hert Da Coregio f84c4ea583 Merge branch '5.8.x' into 6.1.x
Closes gh-14665
2024-03-18 06:42:43 -03:00
Marcus Hert Da Coregio 2c9dc08e43 Merge branch '5.7.x' into 5.8.x
Closes gh-14664
2024-03-18 06:40:34 -03:00
Marcus Hert Da Coregio 5a7f12f1a9 Check for null Authentication
Closes gh-14715
2024-03-18 06:39:08 -03:00
Josh Cummings c611b7e33b
Add AuthorizationProxyFactory Reactive Support
Issue gh-14596
2024-03-15 11:44:30 -06:00
Josh Cummings f541bce492
Polish AuthorizationAdvisorProxyFactory
- Ensure Reasonable Defaults
- Simplify Construction

Issue gh-14596
2024-03-15 11:44:30 -06:00
Josh Cummings 52dfbfb5b3 Add Authorization Proxy Support
Closes gh-14596
2024-03-13 14:35:07 -06:00
Marcus Hert Da Coregio d17cbf4342 Merge branch '6.2.x'
Closes gh-14724
2024-03-12 10:19:05 -03:00
Marcus Hert Da Coregio 940efe76fc Merge branch '6.1.x' into 6.2.x
Closes gh-14723
2024-03-12 10:18:51 -03:00
Marcus Hert Da Coregio 8fe0303bad Merge branch '5.8.x' into 6.1.x
Closes gh-14722
2024-03-12 10:18:33 -03:00
Marcus Hert Da Coregio 8f42c86a57 Use AuthorizationInterceptorsOrder for Post Authorize Method Interceptors
Closes gh-14720
2024-03-12 10:17:45 -03:00
Josh Cummings c5a4405c54 Polish JavaDoc
Issue gh-14521
2024-02-26 10:59:54 -07:00
ruabtmh 09010f3f51 Add ContinueOnError Support For Failed Authentications
Closes gh-14521
2024-02-26 10:59:54 -07:00
Josh Cummings 4d383023cb Add meta-annotation parameter support
Closes gh-14480
2024-02-26 10:50:35 -07:00
Marcus Hert Da Coregio 21580fd27d Merge branch '6.2.x' 2024-02-16 13:31:20 -03:00
Marcus Hert Da Coregio 15306c1007 Merge branch '6.1.x' into 6.2.x 2024-02-16 13:21:15 -03:00
Rob Winch 750cb30ce4 Add AuthenticationTrustResolver.isAuthenticated 2024-02-16 13:08:29 -03:00
Marcus Hert Da Coregio 915d68e216 Remove includeExpiredSessions parameter
The reactive implementation of max sessions does not keep track of expired sessions, therefore we do not need such parameter

Issue gh-6192
2024-02-06 10:43:00 -03:00
DingHao b0da37d4fa Have Method Security Start at Target Class
Closes gh-13783
2024-02-01 09:33:25 -07:00
Sam Brannen 2b7d296994 Revise AuthorizationAnnotationUtils
This commit revises AuthorizationAnnotationUtils as follows.

- Removes code duplication by treating both Class and Method as
  AnnotatedElement.

- Avoids duplicated annotation searches by processing merged
  annotations in a single Stream instead of first using the
  MergedAnnotations API to find possible duplicates and then again
  searching for a single annotation via AnnotationUtils (which
  effectively performs the same search using the MergedAnnotations API
  internally).

- Uses `.distinct()` within the Stream to avoid the need for the
  workaround introduced in gh-13625. Note that the semantics here
  result in duplicate "equivalent" annotations being ignored. In other
  words, if @⁠PreAuthorize("hasRole('someRole')") is present multiple
  times as a meta-annotation, no exception will be thrown and the first
  such annotation found will be used.

- Improves the error message when competing annotations are found by
  including the competing annotations in the error message.

- Updates AuthorizationAnnotationUtilsTests to cover all known,
  supported use cases.

- Configures correct role in @⁠RequireUserRole.

Please note this commit uses
`.map(MergedAnnotation::withNonMergedAttributes)` to retain backward
compatibility with previous versions of Spring Security. However, that
line can be deleted if the Spring Security team decides that it wishes
to support merged annotation attributes via custom composed
annotations. If that decision is made, the
composedMergedAnnotationsAreNotSupported() test should be renamed and
updated as explained in the comment in that method.

See gh-13625
See https://github.com/spring-projects/spring-framework/issues/31803
2024-01-18 07:42:58 -07:00
Marcus Hert Da Coregio 85177c0178 Merge branch '6.2.x'
Closes gh-14408
2024-01-05 14:22:49 -03:00
Steve Riesenberg a32cd66179
Polish gh-14263 2023-12-26 11:56:42 -06:00
Federico Herrera 10e0f98d5e
Add doc and javadoc for CachingUserDetailsService
Close gh-10914
2023-12-26 10:57:58 -06:00
Taehong Kim ec02c22459 Add Request Path Extraction Support
Closes gh-13256
2023-12-19 18:15:49 -07:00