Commit Graph

2449 Commits

Author SHA1 Message Date
Josh Cummings fc8e20b89f
Merge branch '5.8.x'
Closes gh-12133
2022-11-02 15:49:18 -06:00
Josh Cummings 3192618220
Add authenticationFailureHandler
- To ServerHttpSecurity#httpBasic
- To ServerHttpSecurity#oauthResourceServer

Closes gh-12132
2022-11-02 15:35:01 -06:00
Josh Cummings 983f1d4efb
Merge branch '5.8.x'
Closes gh-12127
2022-11-01 18:08:08 -06:00
Josh Cummings 6622e0135a
Merge branch '5.7.x' into 5.8.x
Closes gh-12126
2022-11-01 18:06:41 -06:00
Josh Cummings 6efac34ca7
Merge branch '5.6.x' into 5.7.x
Closes gh-12125
2022-11-01 18:06:01 -06:00
Koos Gadellaa 5c4362bbc4
Refresh parsers when not found
Closes gh-3065
2022-11-01 18:05:15 -06:00
Rob Winch d860775b45 Document Defer load CsrfToken
Closes gh-12105
2022-10-28 15:41:25 -05:00
Josh Cummings abe68abfe4
Merge remote-tracking branch 'origin/5.8.x' 2022-10-26 17:13:02 -06:00
mmoussa_mapfreusa bd4e0fb5db
Set LogoutRequestRepository on Saml2 LogoutSuccessHandler
Closes gh-11363
2022-10-26 16:44:23 -06:00
Rob Winch 9cb668aec2 SessionManagementConfigurer properly defaults SecurityContextRepository
Previously the default was an HttpSessionSecurityContextRepository which
meant that if a stateless authentication occurred the SecurityContext would
be lost on ERROR dispatch.

This commit ensures that the RequestAttributeSecurityContextRepository is
also consulted by default.

Closes gh-12070
2022-10-20 10:57:47 -05:00
Rob Winch a4858d9eaa Add SpringTestContext.addFilter
Add SpringTestContext.addFilter which allows Spring Security's tests
to specify a Filter to be added to the SpringTestContext.

Closes gh-12071
2022-10-20 10:54:24 -05:00
Steve Riesenberg 33b492df54
Default to DelegatingSecurityContextRepository
Closes gh-12023
Closes gh-12049
2022-10-17 20:04:43 -05:00
Steve Riesenberg bd43c1f28a
Merge branch '5.8.x'
# Conflicts:
#	web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
#	web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
Steve Riesenberg c75ca10900
Add DeferredSecurityContext
Issue gh-12023
2022-10-17 19:33:58 -05:00
Steve Riesenberg 819529f5ea
Remove CsrfSpec.tokenFromMultipartDataEnabled
Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled

Closes gh-12020
2022-10-13 11:29:15 -05:00
Joe Grandja 753e113a13 RequestMatcherDelegatingAuthorizationManager defaults to deny
Closes gh-11958
2022-10-13 11:12:00 -04:00
Steve Riesenberg 2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
Closes gh-11960
2022-10-13 09:39:57 -05:00
Steve Riesenberg 2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
Issue gh-11960
2022-10-13 09:39:55 -05:00
Josh Cummings 2713075d08
Mark Observations with Firewall Failures
Closes gh-11994
2022-10-12 20:32:24 -06:00
Josh Cummings 46ab84684b
Mark Observations with CSRF Failures
Closes gh-11993
2022-10-12 20:32:23 -06:00
Josh Cummings 99a87179dd
Instrument Filter Chain
Closes gh-11911
2022-10-12 20:32:22 -06:00
Josh Cummings 8c610684f3
Instrument Authentication and Authorization
Closes gh-11989
Closes gh-11990
2022-10-12 20:32:21 -06:00
Steve Riesenberg 7c872cf7fd
Merge branch '5.8.x' 2022-10-12 15:02:40 -05:00
Steve Riesenberg 440748ec65
Add test support for Xor CSRF tokens
Issue gh-4001
2022-10-12 15:02:15 -05:00
Daniel Garnier-Moiroux 27059ced87
Default X-Xss-Protection header value to "0"
Closes gh-9631
2022-10-07 17:42:55 -05:00
Steve Riesenberg dcda899c8c
Merge branch '5.8.x' 2022-10-07 17:40:37 -05:00
Steve Riesenberg 37fa49b32d
Polish gh-11952 2022-10-07 17:40:12 -05:00
Steve Riesenberg 6753f9745e
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
Steve Riesenberg f462134e87
Add reactive support for BREACH
Closes gh-11959
2022-10-07 16:34:17 -05:00
Steve Riesenberg f4ca90e719
Add reactive interfaces for CSRF request handling
Issue gh-11959
2022-10-07 16:34:16 -05:00
Marcus Da Coregio 398f5dee7f Remove deprecated RequestMatcher methods from Java Configuration
Closes gh-11939
2022-10-07 15:26:46 -03:00
Marcus Da Coregio 9fd195d419 Default to shouldFilterAllDispatcherTypes=true in XML
Closes gh-11970
2022-10-07 11:46:20 -03:00
Marcus Da Coregio 146d3269bc Merge branch '5.8.x'
Closes gh-11971
2022-10-07 10:28:14 -03:00
Marcus Da Coregio f3321c256c Add XML support for shouldFilterAllDispatcherTypes
Closes gh-11492
2022-10-07 10:20:32 -03:00
Marcus Da Coregio f650ebe545 Merge branch '5.8.x' 2022-10-06 13:50:50 -03:00
Marcus Da Coregio 8a5aed2983 Add deprecation warning to CsrfDsl#ignoringAntMatchers
Issue gh-11347
2022-10-06 13:50:38 -03:00
Marcus Da Coregio d6302aabbc Merge branch '5.8.x' 2022-10-06 13:21:52 -03:00
Marcus Da Coregio bc4ad52feb Add deprecation warning to mvcMatchers methods
Issue gh-11347
2022-10-06 13:21:27 -03:00
Josh Cummings 12b9f2e196
use-authorization-manager defaults to true
Closes gh-11929
2022-10-06 08:12:46 -06:00
Marcus Da Coregio 52ab2303da Fix failing test
Issue gh-11061
2022-10-06 09:28:06 -03:00
Marcus Da Coregio c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present
Closes gh-11899
2022-10-06 09:12:04 -03:00
Josh Cummings 12ac7acb2c
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 23:53:40 -06:00
Josh Cummings 2079309c5a
Add SecurityContextHolderStrategy XML Configuration for OAuth2
Issue gh-11061
2022-10-05 23:50:59 -06:00
Josh Cummings 7543effe89
Add SecurityContextHolderStrategy Java Configuration for OAuth2
Issue gh-11061
2022-10-05 23:50:58 -06:00
Josh Cummings 7e3841105b
Add SecurityContextHolderStrategy XML Configuration for Saml2
Issue gh-11061
2022-10-05 23:50:57 -06:00
Josh Cummings 19181a5afd
Add SecurityContextHolderStrategy Java Configuration for Saml2
Issue gh-11061
2022-10-05 23:50:56 -06:00
Josh Cummings 0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy
Issue gh-11061
2022-10-05 23:38:14 -06:00
Josh Cummings 72a46ddd31
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings b4d13e7726
Polish use-authorization-manager
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together

Issue gh-11305
2022-10-05 22:21:09 -06:00
Josh Cummings 7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests
Issue gh-11665
2022-10-05 22:18:41 -06:00
Steve Riesenberg 8b490de08d
Merge branch '5.8.x'
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
Steve Riesenberg dce1c30522
Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Steve Riesenberg 6bbf20be93
Fix failing tests
Issue gh-11952
2022-10-05 14:19:40 -05:00
Steve Riesenberg a7000a053b
Merge branch '5.8.x' 2022-10-05 13:46:26 -05:00
Steve Riesenberg 1d706ae13d
Add csrfTokenRequestResolver to CsrfDsl
Closes gh-11952
2022-10-05 13:35:23 -05:00
Marcus Da Coregio c2ed65c67a Fix failing tests
Issue gh-9159
2022-10-05 14:59:33 -03:00
Marcus Da Coregio 22ba358e57 Merge branch '5.8.x' 2022-10-05 13:44:54 -03:00
Marcus Da Coregio bf6e85ec15 Accept String varargs in securityMatcher
Issue gh-9159
2022-10-05 13:44:08 -03:00
Marcus Da Coregio 76d7a85bc0 Use modified classpath test support for tests that depend on the classpath
Issue gh-11347
2022-10-04 15:32:19 -03:00
Marcus Da Coregio 77dcc691b3 Add modified classpath test support
Closes gh-11951
2022-10-04 15:32:18 -03:00
Marcus Da Coregio 5002199be3 Revert "Disable tests that need Spring MVC mocked in classpath"
This reverts commit c6978fba7c.
2022-10-04 15:32:18 -03:00
Marcus Da Coregio 35f7e46d05 Remove WebSecurityConfigurerAdapter
Closes gh-10902
2022-10-04 15:13:04 -03:00
Steve Riesenberg 3bc76815c2
Update csrf.request-handler-ref in 6.0
Issue gh-11918
2022-10-04 11:24:54 -05:00
Steve Riesenberg 5de6da890b
Merge branch '5.8.x'
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
Marcus Da Coregio c6978fba7c Disable tests that need Spring MVC mocked in classpath
Issue gh-11347
2022-10-04 08:56:06 -03:00
Steve Riesenberg 475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Steve Riesenberg c847efd3fd
Fix servlet import
Issue gh-11347
Issue gh-9159
2022-10-03 15:10:56 -05:00
Steve Riesenberg c98de7af2f
Add xss-protection.header-value in 6.0
Issue gh-9631
2022-10-03 14:31:04 -05:00
Steve Riesenberg 7c3cc1e386
Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux 0e215a21ad
Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio ad2abd39dc Merge branch '5.8.x'
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
Marcus Da Coregio 039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Steve Riesenberg d9a682a414
Polish gh-11896 2022-10-03 10:00:43 -05:00
Steve Riesenberg bf9339d88e
Merge branch '5.8.x' 2022-10-03 09:57:40 -05:00
Steve Riesenberg 7f9600ae08
Polish gh-11896 2022-10-03 09:57:08 -05:00
Marcus Da Coregio 5f2744db33 Merge branch '5.8.x'
Closes gh-11937
2022-10-03 11:43:22 -03:00
Marcus Da Coregio 64a19de4dc Deprecate HPKP security header
Closes gh-10144
2022-10-03 11:36:19 -03:00
Rob Winch 4479cefade Default Require Explicit Session Management = true
Closes gh-11763
2022-09-30 21:49:05 -05:00
Rob Winch 0d58c5180e Remove Explicit RequestCache Config from DeferHttpSession Tests
Issue gh-11757
2022-09-30 21:49:05 -05:00
Rob Winch 12a0ccf6de Remove Explicit CSRF Config from DeferHttpSessionTests
Issue gh-11764
2022-09-30 21:49:04 -05:00
Rob Winch 617353eaa8 Merge branch '5.8.x'
Closes gh-11928
2022-09-30 21:46:26 -05:00
Rob Winch 6d56af7b65 SessionManagementDsl.requireExplicitAuthenticationStrategy 2022-09-30 21:37:44 -05:00
Steve Riesenberg 76fbca9f46
Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux 93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Marcus Da Coregio 3bfdf6dd0f Merge branch '5.8.x'
Closes gh-11922
2022-09-29 11:21:24 -03:00
Marcus Da Coregio cf3349f31a Configure ContentNegotiationStrategy in HttpSecurityConfiguration
Closes gh-11916
2022-09-29 11:21:08 -03:00
Josh Cummings 506e50bfd0
Move Saml2 Authentication Filters
Issue gh-8819
2022-09-26 10:44:27 -06:00
Steve Riesenberg 181ee7410b
Change default authority for oauth2Login()
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.

* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER

Documentation has been updated to include this implementation detail.

Closes gh-7856
2022-09-26 10:06:31 -05:00
Josh Cummings 37a160245f
Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-23 16:31:21 -06:00
Steve Riesenberg 21c0c73878
Remove request-resolver-ref in 6.0
Issue gh-11896
2022-09-23 16:04:35 -05:00
Steve Riesenberg bcb21c9384
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
Steve Riesenberg 46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Steve Riesenberg 3c66ef6305
Change default SecurityContextRepository
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
2022-09-22 17:31:14 -05:00
Rob Winch 0efe26c1fd Merge branch '5.8.x'
Closes gh-11894
2022-09-22 13:47:04 -05:00
Rob Winch d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
2022-09-22 11:09:44 -05:00
Josh Cummings 44b7847258
Fix Import Order
Issue gh-8819
2022-09-21 09:08:41 -06:00
Josh Cummings 70460ca009
Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-20 17:44:05 -06:00
Josh Cummings 61c80bcac5
Move Saml2 Authentication Filters
Closes gh-8819
2022-09-20 17:18:05 -06:00
Rob Winch 48e31f87e4 Remove Deprecated OpenSAML 3 Support
Closes gh-10556
2022-09-20 16:57:38 -06:00
Josh Cummings 46f402243b
Merge remote-tracking branch 'origin/5.8.x' 2022-09-20 16:11:16 -06:00
Josh Cummings 3f8503f1b4
Deprecate AccessDecisionManager et al
Closes gh-11302
2022-09-20 16:09:59 -06:00
Marcus Da Coregio bd18c05a27 Use mock class instead of interface on mock's return
Issue gh-11860
2022-09-16 15:57:43 -03:00
Steve Riesenberg 1a1a8a7a46
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt
2022-09-14 14:11:10 -05:00
slam 45bbd86f7e
HttpSecurityDsl should support apply method
Closes gh-11754
2022-09-14 13:58:42 -05:00
Steve Riesenberg 1aee40dcca
Polish gh-11665
* Add authentication-converter-ref to 6.0
* Add @Configuration to test configs
2022-09-14 10:41:42 -05:00
Steve Riesenberg 2431dd1103
Merge branch '5.8.x' 2022-09-13 17:38:10 -05:00
Steve Riesenberg 355ef21117
Polish gh-11665 2022-09-13 16:45:39 -05:00
ch4mpy 1efb63387f
Add authentication converter for introspected tokens
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.

Closes gh-11661
2022-09-13 16:45:36 -05:00
Steve Riesenberg 088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
Steve Riesenberg ed41a60aae
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
#	config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
#	web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
Steve Riesenberg 86fbb8db07 Add new interfaces for CSRF request processing
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
Rob Winch 7bf2d3dc4e Update DeferHttpSession Tests
Closes gh-11764
2022-08-31 14:40:06 -05:00
ch4mpy 7d6552b3f4 gh-11772 2022-08-31 13:33:53 -05:00
Marcus Da Coregio 3de421be3a Remove setAuthenticationManager from HttpSecurityConfiguration
Closes gh-11776
2022-08-31 15:14:45 -03:00
Steve Riesenberg f1b79e08cb
Merge branch '5.8.x' 2022-08-30 13:10:51 -05:00
Steve Riesenberg 6b297cc3a3
Polish javadoc in Kotlin DSL
Issue gh-11646
2022-08-30 13:10:35 -05:00
Steve Riesenberg 3eac274317
Merge branch '5.8.x' 2022-08-30 12:59:19 -05:00
Steve Riesenberg 5bdbc3f78d
Polish javadoc in Kotlin DSL
Issue gh-11646
2022-08-30 12:53:37 -05:00
Steve Riesenberg 2e26e875c8
Remove WebSecurityConfigurerAdapter in Kotlin DSL
Issue gh-11277
Closes gh-11646
2022-08-30 12:53:18 -05:00
Steve Riesenberg 41ede20712
Add method-security.mode to spring-security-6.0.xsd 2022-08-29 16:05:20 -05:00
Rob Winch 2efc8dcd15 Default Require Explicit Save SecurityContext
Closes gh-11762
2022-08-29 10:16:04 -05:00
Josh Cummings b1fd9af723
Merge remote-tracking branch 'origin/5.8.x' into main 2022-08-26 16:01:40 -06:00
Josh Cummings 0f58620643 Add AspectJ AuthorizationManager Support
Closes gh-11326
2022-08-26 15:59:08 -06:00
Rob Winch f84f08c4b9 Default HttpSessionRequestCache.matchingRequestParameterName=continue
Closes gh-11757
2022-08-26 14:44:55 -05:00
Josh Cummings 210693eb6b
Add @Configuration
Issue gh-6613
Issue gh-9401
2022-08-25 15:30:48 -06:00
Josh Cummings 84f765a89c
Merge remote-tracking branch 'origin/5.8.x' into main 2022-08-25 14:46:48 -06:00
Josh Cummings e990174c89
Polish ReactiveMethodSecurity Support
- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @Deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well

Issue gh-9401

Polish
2022-08-25 14:36:03 -06:00
Evgeniy Cheban cbb4f40f0c ReactiveAuthorizationManager + Reactive Method Security
Closes gh-9401
2022-08-25 14:35:04 -06:00
Rob Winch 670b71363d Merge branch '5.8.x'
Closes gh-11749
2022-08-23 16:03:50 -05:00
Rob Winch 2fb625db84 Remove mockito deprecations
Issue gh-11748
2022-08-23 15:59:52 -05:00
Marcus Da Coregio a8d6c1d21f Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:58:22 -03:00
Marcus Da Coregio c7912c551b Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:51:53 -03:00
Marcus Da Coregio 0aac515737 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:35:41 -03:00
Marcus Da Coregio 3826fca567 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:33:08 -03:00
Rob Winch 888c65a936 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:38:03 -05:00
Rob Winch 81d6b6df6c Add Explicit SessionAuthenticationStrategy Option
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.

This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.

Closes gh-11455
2022-08-18 17:38:03 -05:00
Rob Winch 1de810a565 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:00:47 -05:00
Rob Winch 89f8310d6c Add Explicit SessionAuthenticationStrategy Option
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.

This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.

Closes gh-11455
2022-08-18 17:00:47 -05:00
Yuriy Savchenko 63d2f19e2a Remove default value for access parameter
Closes gh-10957
2022-08-18 15:22:08 -03:00
Marcus Da Coregio af3d70f130 Remove GlobalMethodSecurityRuntimeHints
Closes gh-11714
2022-08-17 08:07:28 -03:00
Evgeniy Cheban ba50c50b4b
Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11509
2022-08-16 15:14:08 -06:00
Evgeniy Cheban 5ecd513a57 Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11509
2022-08-16 15:12:47 -06:00
Rob Winch 5cf42b1f2e Defer CsrfFilter Session Access
Closes gh-11456
2022-08-16 13:48:20 -05:00
Rob Winch 8ad20b1768 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-16 13:47:31 -05:00
Rob Winch 5b64526ba9 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-15 17:07:02 -05:00
Rob Winch faf9fb7337 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:46 -05:00
Rob Winch 9f00045638 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:30 -05:00
Rob Winch 002a770f13 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:12 -05:00
Rob Winch ce778b0e20 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:25:15 -05:00
Rob Winch 425b3501b7 Remove `@Configuration` from `@Enable*` Annotations
This removes `@Configuration` from all `@Enable` Annotations and explicitly
adds `@Configuration` to wherever the `@Enable*` Annotations are used.

Closes gh-11653
2022-08-09 17:00:24 -05:00
Rob Winch a5069d7e35 Fix Add @Configuration to @Enable*Security Usage
Issue gh-6613
2022-08-09 17:00:16 -05:00
Igor Bolic 2e66b9f6cc Allow customization of redirect strategy
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.

Closes gh-11373
2022-08-08 15:44:01 -05:00
Igor Bolic efaee4e56b Allow customization of redirect strategy
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.

Closes gh-11373
2022-08-08 15:35:49 -05:00
Josh Cummings ed58ac7d78
Add Conditions to Generating AuthnRequest
Closes gh-11657
2022-08-03 17:49:48 -06:00
Josh Cummings 9e8a04d414
Polish Tests
Issue gh-11657
2022-08-03 17:49:46 -06:00
Josh Cummings c2d79fcbd6
Add Conditions to Generating AuthnRequest
Closes gh-11657
2022-08-03 17:34:31 -06:00
Josh Cummings aa225943d2
Polish Tests
Issue gh-11657
2022-08-03 17:34:26 -06:00
Marcus Da Coregio f8971742f2 Remove FilterSecurityInterceptor from WebSecurity
Closes gh-11325
2022-08-02 15:34:02 -03:00
Joshua Sattler 040111ae9e Remove Configuration meta-annotation from Enable* annotations
Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration.
While convenient, this is not consistent with the rest of the Spring projects and most notably
Spring Framework's @Enable annotations. Additionally, the introduction of support for
@Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to
remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow
users to opt into their preferred configuration mode.

Closes gh-6613

Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org>
2022-07-30 03:48:42 +02:00
Steve Riesenberg 99f768bab9 Polish HttpSecurity 2022-07-29 17:43:00 -05:00
Steve Riesenberg 984355e637 Remove references to WebSecurityConfigurerAdapter
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer

Closes gh-11288
2022-07-29 17:43:00 -05:00
Steve Riesenberg 09173c95d6 Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
Closes gh-11277
2022-07-29 17:43:00 -05:00
Steve Riesenberg 07ea139ebf Polish HttpSecurity 2022-07-29 17:42:39 -05:00
Steve Riesenberg 67544f36f9 Remove references to WebSecurityConfigurerAdapter
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer

Closes gh-11288
2022-07-29 17:42:39 -05:00
Steve Riesenberg 05725af4d8 Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
Closes gh-11277
2022-07-29 17:42:39 -05:00
Steve Riesenberg 15f525c614 Polish HttpSecurity 2022-07-29 17:42:20 -05:00
Steve Riesenberg 0c0c75ce22 Remove references to WebSecurityConfigurerAdapter
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer

Closes gh-11288
2022-07-29 17:42:20 -05:00
Steve Riesenberg 9861769b02 Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
Closes gh-11277
2022-07-29 17:42:20 -05:00
Marcus Da Coregio 7f2c797086 Add Deprecated annotation to WebSecurity#securityInterceptor
Closes gh-11634
2022-07-27 14:39:56 -03:00
Marcus Da Coregio e5ae35ab71 Add Deprecated annotation to WebSecurity#securityInterceptor
Closes gh-11634
2022-07-27 14:39:33 -03:00
Marcus Da Coregio a996dfc55b Add Deprecated annotation to WebSecurity#securityInterceptor
Closes gh-11634
2022-07-27 14:38:50 -03:00
Marcus Da Coregio d66ad22652 Add Deprecated annotation to WebSecurity#securityInterceptor
Closes gh-11634
2022-07-27 14:32:44 -03:00
Marcus Da Coregio 1f26f8c419 Update spring-data-jpa to 3.0.0-M5
Closes gh-11540
2022-07-15 14:37:24 -03:00
Anbu Sampath 0c14a36ad6 Update Kotlin to 1.7.10
Closes gh-11374, gh-11534
2022-07-15 14:10:52 -03:00
Josh Cummings d27322c9e0
Polish HttpSecurity Formatting
Issue gh-11360
2022-07-14 13:00:08 -06:00
Evgeniy Cheban c4b0e9bd74
Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11360
2022-07-14 13:00:07 -06:00
Josh Cummings 5dff157755
Polish HttpSecurity Formatting
Issue gh-11360
2022-07-14 12:50:40 -06:00
Evgeniy Cheban 400cd60368 Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11360
2022-07-14 12:48:39 -06:00
Joe Grandja 42683693c0 Remove deprecated CustomUserTypesOAuth2UserService
Closes gh-11511
2022-07-14 14:28:41 -04:00
Josh Cummings 35fc437559
Add AuthorizationManager for protect-pointcut
Closes gh-11323
2022-07-14 09:25:49 -06:00
Josh Cummings 9b43316f4d
Polish InterceptMethodsBeanDefinitionDecorator
Issue gh-11328
2022-07-14 09:25:16 -06:00
Joe Grandja a3326fc0ee Remove deprecated implicit authorization grant type
Closes gh-11506
2022-07-14 10:05:15 -04:00
Josh Cummings 624fdfa731
Add AuthorizationManager for protect-pointcut
Closes gh-11323
2022-07-13 17:58:16 -06:00
Josh Cummings 51475e2583
Polish InterceptMethodsBeanDefinitionDecorator
Issue gh-11328
2022-07-13 17:57:38 -06:00
Steve Riesenberg d3b8bacc3c
Polish InterceptMethodsBeanDefinitionDecorator 2022-07-13 11:38:50 -05:00
Joe Grandja d85abc7bbb Update javadoc in CommonOAuth2Provider
Closes gh-11490
2022-07-13 11:20:04 -04:00
Marcus Da Coregio 7abea4a964 Add RuntimeHints suffix for RuntimeHintsRegistrar
Closes gh-11497
2022-07-13 10:14:43 -03:00
Joe Grandja 177baba8c9 RuntimeHintsPredicates moved to predicate package 2022-07-12 16:00:50 -04:00
Marcus Da Coregio 6455e98745 FilterSecurityInterceptor applies to every request by default
Closes gh-11466
2022-07-12 10:53:03 -03:00
Josh Cummings 60652afb32
Polish InterceptMethodsBeanDefinitionDecorator
Issue gh-11328
2022-07-11 16:54:59 -06:00
Josh Cummings 7560a32460
Polish InterceptMethodsBeanDefinitionDecorator
Issue gh-11328
2022-07-11 16:39:41 -06:00
Rob Winch d2d5313bba Fix Formatting
Issue gh-11327
2022-07-08 09:21:53 -05:00
Josh Cummings c9a3d21b9b
Add Configuration Test
Issue gh-11327
2022-07-07 14:46:37 -06:00
Josh Cummings e8a7b654b4
Add Configuration Test
Issue gh-11327
2022-07-07 14:42:07 -06:00
Josh Cummings 01ffc93062
Add AuthorizationFilter to filter chain validator
Closes gh-11327
2022-07-07 14:40:53 -06:00
Josh Cummings ec8c13392c
Clarify variable names
Issue gh-11327
2022-07-07 14:26:40 -06:00
Josh Cummings d27d431bbc
Add AuthorizationFilter to filter chain validator
Closes gh-11327
2022-07-07 13:52:36 -06:00
Josh Cummings cdafa4ee21
Clarify variable names
Issue gh-11327
2022-07-07 13:38:42 -06:00
Steve Riesenberg 0c48b6bc7f
Use relative schema location for tests
Issue gh-11328
Issue gh-11353
Issue gh-11365
2022-07-07 13:03:20 -05:00
Steve Riesenberg 696da87478 Use relative schema location for tests
Issue gh-11328
Issue gh-11353
Issue gh-11365
2022-07-07 13:00:04 -05:00
Josh Cummings 148c926de0
Support AuthorizationManager for intercept-methods Element
Closes gh-11328
2022-07-06 13:01:57 -06:00
Josh Cummings 74a007dc91
Support AuthorizationManager for intercept-methods Element
Closes gh-11328
2022-07-06 12:54:05 -06:00
Igor Bolic d96b4a0463 Set the useTrailingSlashMatch to true for tests
The Spring MVC changed the default behavior for trailing slash match
with https://github.com/spring-projects/spring-framework/issues/28552.
This causes failures in Spring Security's tests.

Setting the `useTrailingSlashMatch` to `true` ensures that Spring
Security will work for users who have modified the default configuration.
Specifing the request mapper with trailing slash path ensures that the tests
are successful when default behavior is used.

Closes gh-11451
2022-07-05 11:29:36 -06:00
Josh Cummings 05b788d1ac
Use SecurityContextHolderStrategy for Concurrency Filter
Issue gh-11060
Issue gh-11061
2022-06-28 15:33:05 -06:00
Josh Cummings 03a5c3b08a
Use SecurityContextHolderStrategy for Concurrency Filter
Issue gh-11060
Issue gh-11061
2022-06-28 15:32:05 -06:00
Josh Cummings d24a89ad53
Pick up SecurityContextHolderStrategy for WebClient integration
Issue gh-11061
2022-06-28 15:07:16 -06:00
Josh Cummings e8723f1f43
Pick up SecurityContextHolderStrategy for WebClient integration
Issue gh-11061
2022-06-28 14:58:53 -06:00
Josh Cummings a218d3e140
Use SecurityContextHolderStrategy for Async Requests
Issue gh-11060
Issue gh-11061
2022-06-28 14:56:55 -06:00
Josh Cummings 27de315e5e
Use SecurityContextHolderStrategy for Async Requests
Issue gh-11060
Issue gh-11061
2022-06-28 14:46:52 -06:00
Josh Cummings 83b3bb3209
Add SecurityContextHolderStrategy to Pre-authenticated scenarios
Issue gh-11060
Issue gh-11061
2022-06-28 12:10:07 -06:00
Josh Cummings 97cb2a7d91
Polish SecurityContextHolderStrategy XML Configuration for Defaults
Issue gh-11061
2022-06-28 12:09:56 -06:00
Josh Cummings 98995f2225
Add SecurityContextHolderStrategy to Pre-authenticated scenarios
Issue gh-11060
Issue gh-11061
2022-06-28 12:04:37 -06:00
Josh Cummings b3be35da31
Polish SecurityContextHolderStrategy XML Configuration for Defaults
Issue gh-11061
2022-06-28 12:04:37 -06:00
Josh Cummings 944f565c16
Use SecurityContextHolderStrategy for Remember-me
Issue gh-11060
Isuse gh-11061
2022-06-28 11:09:38 -06:00
Josh Cummings 4a2d77d3f2
Use SecurityContextHolderStrategy for Remember-me
Issue gh-11060
Isuse gh-11061
2022-06-28 11:08:57 -06:00
Josh Cummings b316a3217b
Add SecurityContextHolderStrategy for Jaas
Issue gh-11060
Issue gh-11061
2022-06-28 09:35:54 -06:00
Josh Cummings ee66850aed
Add SecurityContextHolderStrategy for Jaas
Issue gh-11060
Issue gh-11061
2022-06-28 09:26:05 -06:00
Josh Cummings bffe08465a
Add SecurityContextHolderStrategy XML Configuration for Messaging
Issue gh-11061
2022-06-27 16:24:27 -06:00
Josh Cummings 484f35ca39
Add SecurityContextHolderStrategy Java Configuration for Messaging
Issue gh-11061
2022-06-27 16:17:29 -06:00
Josh Cummings 74167d62b1
Add SecurityContextHolderStrategy XML Configuration for Messaging
Issue gh-11061
2022-06-27 15:55:28 -06:00
Josh Cummings 9292a13146
Add SecurityContextHolderStrategy Java Configuration for Messaging
Issue gh-11061
2022-06-27 15:55:28 -06:00
Josh Cummings 5e4e7abf15
Add SecurityContextHolderStrategy XML Configuration for Method Security
Issue gh-11061
2022-06-27 13:40:55 -06:00
Josh Cummings 74d646f569
Add SecurityContextHolderStrategy Java Configuration for Method Security
Issue gh-11061
2022-06-27 13:17:46 -06:00
Josh Cummings ef29d3944e
Polish SecurityContextHolderStrategy Java Configuration for Defaults
Issue gh-11061
2022-06-27 13:17:44 -06:00
Josh Cummings c29b91cec7
Polish SecurityContextHolderStrategy XML Configuration for Defaults
Issue gh-11061
2022-06-27 13:17:43 -06:00
Josh Cummings 652c35db2f
Add SecurityContextHolderStrategy XML Configuration for OAuth2
Issue gh-11061
2022-06-27 13:05:13 -06:00
Josh Cummings 1d22316574
Add SecurityContextHolderStrategy Java Configuration for OAuth2
Issue gh-11061
2022-06-27 13:05:13 -06:00
Josh Cummings 6c16ac101a
Add SecurityContextHolderStrategy XML Configuration for Saml2
Issue gh-11061
2022-06-27 13:05:12 -06:00
Josh Cummings 97253c9293
Add SecurityContextHolderStrategy Java Configuration for Saml2
Issue gh-11061
2022-06-27 13:05:11 -06:00
Josh Cummings 9cd7c7b046
Add SecurityContextHolderStrategy XML Configuration for Method Security
Issue gh-11061
2022-06-27 13:05:07 -06:00
Josh Cummings da57bac061
Add SecurityContextHolderStrategy Java Configuration for Method Security
Issue gh-11061
2022-06-27 13:03:11 -06:00
Josh Cummings fa0086d3b0
Polish SecurityContextHolderStrategy Java Configuration for Defaults
Issue gh-11061
2022-06-27 13:01:22 -06:00
Josh Cummings 8d681b3b80
Polish SecurityContextHolderStrategy XML Configuration for Defaults
Issue gh-11061
2022-06-27 13:00:20 -06:00
Marcus Da Coregio a8c30f79e6 Add Core, MVC and MethodSecurity runtime hints
Closes gh-11431
2022-06-27 09:25:49 -03:00
Josh Cummings 150b81d008
Add SecurityContextHolderStrategy XML Configuration for Defaults
Issue gh-11061
2022-06-17 12:21:10 -06:00
Josh Cummings ce218c78f9
Add SecurityContextHolderStrategy Java Configuration for Defaults
Issue gh-11061
2022-06-17 11:58:38 -06:00
Josh Cummings 2a70707c35 Add SecurityContextHolderStrategy XML Configuration for Defaults
Issue gh-11061
2022-06-17 11:28:10 -06:00
Josh Cummings 2c09a300b6 Add SecurityContextHolderStrategy Java Configuration for Defaults
Issue gh-11061
2022-06-17 11:28:10 -06:00
Steve Riesenberg 79c2b8709b
Allow form login when single OAuth2 Provider is configured
Closes gh-6802
2022-06-15 14:05:55 -05:00
Steve Riesenberg a061191bd2 Allow form login when single OAuth2 Provider is configured
Closes gh-6802
2022-06-15 13:42:06 -05:00
Steve Riesenberg d18291676f
Update copyright year
Issue gh-11372
2022-06-15 13:14:07 -05:00
Steve Riesenberg c7df39a3e6
Fix tests using root cause for exception messages
Closes gh-11372
2022-06-14 17:12:15 -05:00
Jared Rufer 3ca4b06612
Support multiple SingleLogoutService bindings.
Closes gh-11286
2022-06-09 12:56:16 -06:00
Jared Rufer 89989722d0 Support multiple SingleLogoutService bindings.
Closes gh-11286
2022-06-09 12:50:33 -06:00
Houssem BELHADJ AHMED f4049c18b1 add SAML authentication request support to login configurer
Closes gh-8873
2022-06-06 08:05:33 -06:00
Marcus Da Coregio 4d65d96b8a Fix saml2Tests always running after a single test
This commit makes the check task depend on the saml2Tests task.
The test task was also configured to run after saml2Tests, to make sure that the
compileTestJava runs after the compileSaml2TestJava

Issue gh-10816
2022-06-03 11:22:46 -03:00
Marcus Da Coregio 3dd54bcda7 Run SAML 2.0 tests in an exclusive task
Issue gh-10816
2022-06-02 19:24:42 +02:00
Marcus Da Coregio 23903b5f18 Use Reflection to instantiate OpenSAML4 classes
Because the OpenSAML4 classes are compiled using Java 11, we have to rely on reflection to instante those classes since the config module should be compatible with Java 8

Issue gh-10816
2022-06-02 19:24:42 +02:00
Marcus Da Coregio ccb1f68bfe Fix member variable using Java 9+ feature
This causes compile errors when trying to build using JDK 8

Issue gh-10695
2022-06-02 19:24:42 +02:00
Marcus Da Coregio 4c2401a576 Revert "Make source code compatible with JDK 8"
This reverts commit 60ed3602f6.
2022-06-02 19:24:42 +02:00