Commit Graph

1949 Commits

Author SHA1 Message Date
Rob Winch 87ed31a99c Add SecurityContextHolderFilter
Closes gh-9635
2022-03-11 17:22:23 -06:00
Rob Winch dbcb5004b4 Extract createSecurityContextRepository()
Extract out method in preparation for adding SecurityContextHolderFilter
configuration.

Issue gh-9635
2022-03-11 17:21:49 -06:00
Norbert Nowak ac9c29b2a0 Add UsernamePasswordAuthenticationToken factory methods
- unauthenticated factory method
 - authenticated factory method
 - test for unauthenticated factory method
 - test for authenticated factory method
 - make existing constructor protected
 - use newly factory methods in rest of the project
 - update copyright dates

Closes gh-10790
2022-03-09 15:23:35 -07:00
Marcus Da Coregio 93d4fd3559 Add SAML 2.0 Single Logout XML Support
Closes gh-10842
2022-03-09 09:18:01 -03:00
Marcus Da Coregio 73f839312d Add SAML 2.0 Login XML Support
Closes gh-9012
2022-03-09 09:18:01 -03:00
Josh Cummings 7a02bd14c1 Replace Apache Commons Base64 Decoding
Issue gh-10923
2022-03-02 16:19:03 -07:00
m0k045e 3aa7a65cb4 OAuth2AuthorizedClientArgumentResolver resolves ReactiveOAuth2AuthorizedClientManager
Closes gh-10846
2022-02-28 15:30:19 -07:00
Eleftheria Stein e97c643870 Deprecate WebSecurityConfigurerAdapter
Closes gh-10822
2022-02-17 12:13:50 +01:00
Eleftheria Stein c2635ba6bf Apply configurers from spring.factories to HttpSecurity bean
Closes gh-10814
2022-02-09 14:40:57 +01:00
Josh Cummings cbd87fac89 Polish ignoring() log messaging
- Public API remains unchanged

Issue gh-9334
2022-02-07 14:50:28 -07:00
Manuel Jordan 01ed617d5f Print ignore message DefaultSecurityFilterChain
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.

Closes gh-9334
2022-02-07 14:50:19 -07:00
Josh Cummings d538423f98 Add Saml2AuthenticationRequestResolver
Closes gh-10355
2022-01-24 15:09:45 -07:00
Rob Winch ba922dcdf0 Exclude javax from hibernate dependency
Issue gh-10501
2022-01-19 14:35:25 -06:00
Rob Winch 27e1a2ca69 Remove javax.transaction
Issue gh-10501
2022-01-19 14:35:05 -06:00
Rob Winch 9d4ecc9c37 Additional removal of javax.inject
Issue gh-10501
2022-01-19 14:34:45 -06:00
Rob Winch 678c386834 jsr250-api -> jakarta.annotation-api
Issue gh-10501
2022-01-19 14:34:32 -06:00
Rob Winch 0e8c03401b javax.xml.bind:jaxb-api -> jakarta.xml.bind:jakarta.xml.bind-api
Issue gh-10501
2022-01-19 14:34:16 -06:00
Rob Winch 8f64bb6c8c javax.servlet:javax.servlet-api -> jakarta.servlet:jakarta.servlet-api
Issue gh-10501
2022-01-19 14:33:53 -06:00
Rob Winch f8e14683f6 Remove jcl-over-slf4j
Issue gh-10499
2022-01-19 14:33:46 -06:00
Rob Winch 3c641dee75 Remove commons-logging
Closes gh-10499
2022-01-19 14:33:44 -06:00
Eleftheria Stein a537b636c1 Add LDAP factory beans
Issue gh-10138
2022-01-18 15:11:30 +01:00
Josh Cummings 75f25bff82 Polish multiple RequestRejectedHandlers support
Issue gh-10603
2022-01-14 16:49:38 -07:00
Adam Ostrožlík 4ea57f3e3f Support multiple RequestRejectedHandler beans
Closes gh-10603
2022-01-14 16:46:15 -07:00
Marcus Da Coregio 60ed3602f6 Make source code compatible with JDK 8
Closes gh-10695
2022-01-11 09:19:41 -03:00
heowc 1ab0705b47 Fix typo 2022-01-10 16:17:42 +01:00
Marcus Da Coregio 18427b6411 Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains
Closes gh-10554
2021-12-13 08:57:30 -03:00
Josh Cummings cd8983d4e5 Polish enableSessionUrlRewriting Clarification
Closes gh-7644
2021-12-09 12:14:40 -07:00
James Howe 5598688fa6 Clarify behaviour of enableSessionUrlRewriting
See #3087
2021-12-09 12:06:30 -07:00
Marcus Da Coregio 65426a40ec Add Cross Origin Policies headers
Add DSL support for Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers

Closes gh-9385, gh-10118
2021-12-07 17:23:06 +01:00
Marcus Da Coregio ed3b0fbaad Prevent using both authorizeRequests and authorizeHttpRequests
Closes gh-10573
2021-12-06 15:47:49 -03:00
Steve Riesenberg df0f6f83af Polish gh-9597 2021-12-02 17:44:47 -06:00
Karl Tinawi 925d531cbe Set details on authentication token created by HttpServlet3RequestFactory
Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.

This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.

Closes gh-9579
2021-12-02 17:44:46 -06:00
Steve Riesenberg 074e38d565 Add missing since
Issue gh-7765
2021-12-02 12:09:57 -06:00
Steve Riesenberg 3af619d565 Add hasIpAddress to Reactive Kotlin DSL
Closes gh-10571
2021-12-02 12:01:11 -06:00
Josh Cummings a68411566e Polish Memory Leak Mitigation
Issue gh-9841
2021-11-30 15:33:47 -07:00
Hiroshi Shirosaki 2bc643d6c8 Address SecurityContextHolder memory leak
To get current context without creating a new context.
Creating a new context may cause ThreadLocal leak.

Closes gh-9841
2021-11-30 15:33:39 -07:00
Igor Pelesic a3a9de1b9b PermitAllSupport supports AuthorizeHttpRequestsConfigurer
PermitAllSupport supports either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer. If none or both are configured an error message is thrown.

Closes gh-10482
2021-11-30 15:17:22 -07:00
Guirong Hu 43317c5a61 Support IP whitelist for Spring Security Webflux
Closes gh-7765
2021-11-30 15:27:58 -06:00
« Christophe 4318a51971 Fix CsrfConfigurer default AccessDeniedHandler consistency
Fix when AccessDeniedHandler is specified per RequestMatcher on
ExceptionHandlingConfigurer.

This introduces evolutions on :
- CsrfConfigurer#getDefaultAccessDeniedHandler,
to retrieve an AccessDeniedHandler similar to the one used by
ExceptionHandlingConfigurer.
- OAuth2ResourceServerConfigurer#accessDeniedHandler, to continue to
handle CsrfException with the default AccessDeniedHandler implementation

Fixes: gh-6511
2021-11-16 14:22:35 -06:00
Stephane Nicoll 61ee4e5a76 Avoid using SpEL to change the meaning of the injection point
This commit removes the use of SpEL expression and replaces it with an
explicit call to the underlying method.
2021-11-16 13:53:00 -06:00
Onur Kagan Ozcan aa0f788f59 Add RedirectStrategy customization to ChannelSecurityConfigurer for RetryWith classes 2021-11-16 13:44:18 -06:00
Josh Cummings 7b15098570 Update Spring Security to 5.7
Closes gh-10509
2021-11-15 17:10:00 -07:00
Josh Cummings 76ebbb84f7 Separate Namespace Servlet Docs
Issue gh-10367
2021-11-05 12:45:46 -06:00
Marcus Da Coregio 2f1638ec57 Fix javadoc
Closes gh-10382
2021-10-22 11:20:37 -03:00
Emil Sierżęga cb70b6a39b Fixed invalid usage of & tag in Javadocs 2021-10-21 11:47:04 +02:00
Emil Sierżęga 04b47c5928 Fixed various broken links in Javadocs 2021-10-21 11:47:04 +02:00
Emil Sierżęga a188138715 Javadocs author tag doesn't work in methods 2021-10-21 11:47:04 +02:00
Emil Sierżęga 6b26032ce7 Fixed invalid usege of > tag in Javadocs 2021-10-21 11:47:04 +02:00
Rob Winch f836897190 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-18 21:03:35 -05:00
Philipp Neuschwander 6db58cbf8a Conditionally resolve bearer token from request parameters
Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.

This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).

Closes gh-10326
2021-10-13 17:10:50 -05:00
Gaurav Tiwari 33708e61fb Add postProcess support to Saml2LogoutConfigurer
Closes gh-10311
2021-10-13 12:05:48 -06:00
Josh Cummings fbb7691be4 Polish SecurityNamespaceHandler Tests
Issue gh-8974
2021-10-13 11:50:14 -06:00
Emil Sierżęga 8daa6ec1fd SecurityNamespaceHandler: update schema version to 5.6
Closes gh-8974
2021-10-13 11:49:57 -06:00
Eleftheria Stein ba8844a67e Deprecate Kotlin methods that don't use reified types
Closes gh-10365
2021-10-13 10:16:37 +02:00
Marcus Da Coregio 02b2fcc6f0 Restore ManagementConfigurationPlugin
Issue gh-9615
2021-10-05 11:23:29 -03:00
Marcus Da Coregio d2e5f2ae0d Update Gradle to 7.2
Closes gh-9615
2021-10-04 15:19:40 -03:00
Marcus Da Coregio 7112ee3eaa Allow SAML 2.0 loginProcessingURL without registrationId
Closes gh-10176
2021-10-04 09:54:40 -03:00
Marcus Da Coregio e36e2b2a97 Move Saml2AuthnRequestRepository to web package
Moving to solve package tangles

Issue gh-9185
2021-09-29 14:10:39 -03:00
Rob Winch 3b64cdfc03 Fix XsdDocumentedTests
Issue gh-5835
2021-09-24 10:25:26 -05:00
Josh Cummings c3ba2332da Wire BeanResolver into DefaultMethodSecurityExpressionHandler
Closes gh-10305
2021-09-22 14:14:29 -06:00
Josh Cummings 7b599d4770 Share JWKSource Instances
Closes gh-10312
2021-09-22 13:28:08 -06:00
Marcus Da Coregio 0364518b69 Update Saml2LoginConfigurer to pick up Saml2AuthenticationTokenConverter bean
Closes gh-10268
2021-09-17 08:13:19 -03:00
Eleftheria Stein 1e76b11b3c Remove duplicate entry from test LDIF file
Closes gh-10274
2021-09-16 10:26:06 +02:00
Josh Cummings 4f06fc6ed1 Add Saml2LogoutConfigurer
Closes gh-9497
2021-09-13 16:39:48 -06:00
Josh Cummings 6488295cad Add RelyingPartyRegistrationResolver
Closes gh-9486
2021-09-13 16:39:48 -06:00
Derek Van Blerkom 58d50888df Fix return type to allow further security config 2021-09-13 15:31:02 -03:00
Yanming Zhou f2b2e6002f Replace static "ROLE_" with customized role prefix
Fix gh-4134
2021-09-09 11:48:25 -06:00
Eleftheria Stein 3ab6bee856 Make method static to prevent circular dependency error
Workaround for circular dependency between ServerHttpSecurityConfiguration and WebFluxConfigurationSupport.

Closes gh-10076
2021-08-11 13:46:45 +02:00
Marcus Da Coregio 662ab10416 Fix test getting stuck
The tests are getting stuck when running a single test class and the mock is performed in a static variable inside an inner class

Issue gh-6025
2021-07-27 14:55:53 -06:00
Marcus Da Coregio 16e17d242e Add Saml2AuthenticationRequestRepository
Closes gh-9185
2021-07-27 14:55:53 -06:00
Josh Cummings 6b68a6d62b
Apply rnc2Xsd
Issue gh-8657
2021-07-27 13:22:42 -06:00
Josh Cummings 6370906ead
Add SpringOpaqueTokenIntrospector
Closes gh-9354
2021-07-26 10:50:50 -06:00
Abdul Al-Faraj d1dfb2b9ee Improve OpenSAML Version Check
Closes gh-10077
2021-07-26 10:42:40 -06:00
Nick McKinney 5c8fb254c2 Add AuthenticationDetailsSource to OAuth2 Login Kotlin DSL
Closes gh-9838
2021-07-16 15:42:00 +02:00
Nick McKinney b1612b1283 Add AuthenticationDetailsSource to Form Login Kotlin DSL
Closes gh-9837
2021-07-16 15:42:00 +02:00
Rob Winch f73f213f50 Remove DependencySetPlugin
Closes gh-10070
2021-07-12 15:31:38 -05:00
Rob Winch 342884e851 kotlin uses @ExtendWith(SpringTestContextExtension::class)
cd config/src/test/kotlin
rg 'SpringTestContext' -l | xargs sed -i '/^import org.junit.jupiter.api.Test/a import org.junit.jupiter.api.extension.ExtendWith'
rg 'SpringTestContext' -l | xargs sed -i '/^import org.springframework.security.config.test.SpringTestContext/a import org.springframework.security.config.test.SpringTestContextExtension'
rg 'SpringTestContext' -l | xargs sed -i '/^class .*/i @ExtendWith(SpringTestContextExtension::class)'
2021-07-09 15:57:21 -05:00
Rob Winch cc732bda3b Use @ExtendWith(SpringExtension::class) 2021-07-09 15:57:21 -05:00
Rob Winch 3b3ccb962d Fix @Test(expected = 2021-07-09 15:57:21 -05:00
Rob Winch 2bd55f0f62 @Test to JUnit 5 for kotlin
rg -g "*.kt" "import org.junit.Test" -l | xargs sed -i 's/import org.junit.Test/import org.junit.jupiter.api.Test/'
2021-07-09 15:57:21 -05:00
Rob Winch e251abb1ae more import cleanup 2021-07-09 14:49:47 -05:00
Rob Winch 3c4e15264c Add @ExtendWith(SpringTestContextExtension.class)
rg 'import org.springframework.security.config.test.SpringTestContext' -l -g "*.java" | xargs rg '@ExtendWith' --files-without-match | xargs sed -i '/^public class/i @ExtendWith(SpringTestContextExtension.class)'
2021-07-09 14:49:46 -05:00
Rob Winch 7dfd169ece Add import ExtendWith
rg 'import org.springframework.security.config.test.SpringTestContext' -l -g "*.java" | xargs rg '@ExtendWith' --files-without-match | xargs sed -i '/^import org.junit.jupiter.api.Test;/a import org.junit.jupiter.api.extension.ExtendWith;'
2021-07-09 14:49:45 -05:00
Rob Winch e4b09f62f0 Add SpringTestContextExtension to existing ExtendWith
rg 'import org.springframework.security.config.test.SpringTestContext' -l -g "*.java" | xargs rg '@ExtendWith' -l | xargs sed -E -i 's/@ExtendWith\((.*)\)/@ExtendWith({ \1, SpringTestContextExtension.class })/'
2021-07-09 14:49:42 -05:00
Rob Winch 5133340bf8 Add import SpringTestContextExtension
rg 'import org.springframework.security.config.test.SpringTestContext' -l -g "*.java" | xargs sed -i '/^import org.springframework.security.config.test.SpringTestContext;/a import org.springframework.security.config.test.SpringTestContextExtension;'
2021-07-09 14:47:54 -05:00
Rob Winch 60078df62a remove @Rule
rg '@Rule' -g '!buildSrc/**' -l | xargs sed -i '/@Rule/d'
rg 'import org.junit.Rule' -g '!buildSrc/**' -l | xargs sed -i '/import org.junit.Rule/d'
2021-07-09 14:46:51 -05:00
Rob Winch 671040bb27 SpringTestRule to SpringTestContext
rg 'new SpringTestRule()' -l | xargs sed -i 's/new SpringTestRule()/new SpringTestContext(this)/'
rg 'val spring = SpringTestRule()' -l | xargs sed -i 's/val spring = SpringTestRule()/val spring = SpringTestContext(this)/'
2021-07-09 14:41:51 -05:00
Rob Winch e8c44e6390 Add SpringTestContextExtension 2021-07-09 14:35:10 -05:00
Rob Winch b6ff4d3674 Fix mockito UnnecessaryStubbingException 2021-07-09 14:35:10 -05:00
Rob Winch 2a62c4d976 Fix NamespaceHttpInterceptUrlTests 2021-07-09 14:32:52 -05:00
Rob Winch 3e93b024d6 openrewrite Junit Migration 2021-07-09 14:32:52 -05:00
Eleftheria Stein 79054093c9 Add AuthenticationManager to Kotlin ServerHttpSecurityDsl
Closes gh-10053
2021-07-09 10:34:57 +02:00
Rob Winch 14240b2559 Remove Powermock
Powermock does not support JUnit5 yet, so we need to remove it
to support JUnit 5. Additionally, maintaining additional libraries
adds extra work for the team.

Mockito now supports final classes and static method mocking. This
commit replaces Powermock with mockito-inline.

Closes gh-6025
2021-07-08 12:35:32 -05:00
Eleftheria Stein 6a09ffe113 Add AuthenticationManager to Kotlin JwtDsl
Closes gh-10045
2021-07-08 13:50:09 +02:00
Eleftheria Stein 5c8e409d98 Add AuthenticationManager to Kotlin OpaqueTokenDsl
Closes gh-10044
2021-07-08 12:46:50 +02:00
Eleftheria Stein b4f76b2314 Fix typo in Saml2Dsl 2021-07-08 12:03:29 +02:00
Eleftheria Stein 585788ad0a Add AuthenticationManager to HttpSecurity
Closes gh-10040
2021-07-07 15:44:42 +02:00
Evgeniy Cheban d121ab9565 Support A Well-Known URL for Changing Passwords
Closes gh-8657
2021-07-01 16:57:53 -06:00
Josh Cummings e91cacfdaf
Polish no-parameter authorizeHttpRequests
- Cleaned up JavaDoc
- Updated implementation to align with no-parameter authorizeRequests
- Updated test names and content for clarity, specifically identified
tests that target no-parameter authorizeHttpRequests with noParameter in
the name
- Switched order of methods to match others in HttpSecurity
- Updated copyright year

Issue gh-9498
2021-06-28 15:45:24 -06:00
sdratler1 3820f0f3a3
Add no-parameter authorizeHttpRequests method
Closes gh-9498
2021-06-28 15:34:49 -06:00
/usr/local/ΕΨΗΕΛΩΝ fe99c3b83b
https://stackoverflow.com/questions/67520600/redirect-to-different-page-after-login-based-on-user-role-with-spring-security/67531436#67531436
Closes gh-7282
2021-06-28 11:48:07 +02:00
Eleftheria Stein 94a3adb928 Apply DefaultLoginPageConfigurer before logout
If they are not applied in this order, then the LogoutConfigurer cannot
set the logoutSuccessUrl, because the DefaultLoginPageGeneratingFilter
does not exist yet.
This impacts users that inject the default HttpSecurity bean.

Closes gh-9973
2021-06-24 10:26:13 +02:00
Eleftheria Stein dfd0047f0b Disable default logout page when logout disabled
Closes gh-9475
2021-06-17 16:38:23 +02:00
Thomas Vitale b44d0fb319 Load ReactiveJwtAuthenticationConverter bean in OAuth2 Resource Server config
When a bean of type ReactiveJwtAuthenticationConverter is defined,
the OAuth2 Resource Server configuration will use it automatically
when no other converter is defined through the DSL.

Closes gh-9698
2021-06-15 14:22:15 -06:00
Eleftheria Stein aeed286e8a Add AuthenticationManager to saml2Login Kotlin DSL
Closes gh-9905
2021-06-15 09:53:53 +02:00
Marcus Hert da Coregio 9d2db89838 Fix Adding Filter Relative to Custom Filter
Closes gh-9787
2021-06-14 14:37:21 -03:00
Josh Cummings 65239e93f9
Update Copyright Header
Issue gh-9845
2021-06-09 11:33:48 -06:00
Josh Cummings 5b49433ed1
Add GlobalMethodSecurityConfiguration Test
Issue gh-9845
2021-06-09 09:29:52 -06:00
Kay-Uwe Janssen 7a233c41f0 Some infrastructure beans are not marked properly
Added missing infrastructure role to methodSecurityMetadataSource bean
and move the post processing of the defaultMethodExpressionHandler to
the end of afterSingletonsInstantiated.

Closes gh-9845
2021-06-09 09:28:55 -06:00
theexiile1305 3074ad4136 Migrate Kotlin tests from java Mockito to Mockk
Closes gh-9785
2021-06-07 13:13:31 +02:00
Eleftheria Stein 204a32aba8 Replace < and > with &lt and &gt in Javadoc
Closes gh-9847
2021-06-04 12:26:07 +03:00
Rob Winch 68f91edbb8 Make XsdDocumentedTests Parsing More Lenient
Closes gh-9830
2021-05-27 18:37:14 -05:00
Rob Winch 8400b841e9 Improve XsdDocumentedTests Error Message
This makes it easier to compare the expected and actual values.

Closes gh-9829
2021-05-27 18:37:02 -05:00
Eleftheria Stein fa77f4c8ff Deprecate feature-policy where not already deprecated
Issue gh-9262
2021-05-19 10:04:09 +02:00
Eleftheria Stein be903b8e25 Cleanup unused import 2021-05-19 10:04:09 +02:00
Eleftheria Stein 1728b06b30 Ensure Kotlin 1.3 compatibility
Closes gh-9765
2021-05-19 10:04:08 +02:00
Josh Cummings 67e5c05a47 Polish AuthorizationManager Method Security
- Removed consolidated pointcut advisor in favor of each interceptor
being an advisor. This allows Spring AOP to do more of the heavy
lifting of selecting the set of interceptors that applies
- Created new method context for after interceptors instead of
modifying existing one
- Added documentation
- Added XML support
- Added AuthorizationInterceptorsOrder to simplify interceptor
ordering
- Adjusted annotation lookup to comply with JSR-250 spec
- Adjusted annotation lookup to exhaustively search for duplicate
annotations
- Separated into three @Configuration classes, one for each set of
authorization annotations

Issue gh-9289
2021-05-18 17:34:04 -06:00
Evgeniy Cheban 84e2e80915 Consider AuthorizationManager for Method Security
Closes gh-9289
2021-05-18 17:34:04 -06:00
Josh Cummings d203235567
Update to Spring Security 5.6
Closes gh-9695
2021-05-18 10:45:17 -06:00
Rob Winch 4d251157b2 opensaml4MainCompile 2021-05-17 23:21:17 -05:00
Rob Winch eda38b8f88 opensaml fixes 2021-05-17 15:51:55 -05:00
Rob Winch e5a652e749 Update to Kotlin 1.5.0
Closes gh-9763
2021-05-17 10:30:26 -05:00
Joe Grandja e51ca79954 Document Jwt Client Authentication support
Closes gh-9578
2021-05-14 22:58:44 -04:00
Joe Grandja f874a12ddb Document jwt-bearer authorization grant
Closes gh-9580
2021-05-14 14:48:37 -04:00
Josh Cummings ca2bc4feb3
Bump Schema Version
Closes gh-9694
2021-04-29 16:52:29 -06:00
Josh Cummings 4d564ffb50
Update AuthorizationManager references
Issue gh-9692
2021-04-28 11:58:30 -06:00
Josh Cummings 17cfc6ade3
Inline ResourceKeyConverterAdapter
Closes gh-9689
Closes gh-9626
2021-04-28 09:39:12 -06:00
Eleftheria Stein de0cd11a72 Fix PreAuthorize when returning Kotlin Flow
Closes gh-9676
2021-04-28 12:33:18 +02:00
Joe Grandja 53e94bca45 Add oauth2Login() tests
Issue gh-9548 gh-9660 gh-9266
2021-04-20 08:37:19 -04:00
Joe Grandja 5afeaa3ce7 WebFlux httpBasic() matches on XHR requests
Closes gh-9660
2021-04-20 08:36:42 -04:00
Rob Winch a31a855146 Fix HttpSecurity.addFilter* Ordering
Closes gh-9633
2021-04-14 17:47:31 -05:00
Denis Washington 2b4b856b32 Limit oauth2Login() links to redirect-based flows
This prevents the generated login page from showing links for
authorization grant types like "client_credentials" which are
not redirect-based, and thus not meant for interactive use in
the browser.

Closes gh-9457
2021-04-14 05:02:30 -04:00
Josh Cummings 163b5943ca
Revert AuthorizationManager Method Security 2021-04-12 15:53:22 -06:00
Josh Cummings 404a6c5674
Revert "Publish CsrfTokenRepository as shared object"
This reverts commit d19ff12813.
2021-04-12 14:43:37 -06:00
Josh Cummings 4e81bbe386
Revert "Add Saml2LogoutConfigurer"
This reverts commit 6f52baba29.
2021-04-12 14:43:19 -06:00
Josh Cummings 6f52baba29
Add Saml2LogoutConfigurer
Closes gh-9497
2021-04-10 00:25:34 -06:00
Josh Cummings d19ff12813
Publish CsrfTokenRepository as shared object
Closes gh-9595
2021-04-10 00:25:34 -06:00
Josh Cummings df8abcfae7
Use Interceptors instead of Advice
- Interceptor is a more descriptive term for what
method security is doing
- This also allows the code to follow a delegate
pattern that unifies both before-method and after-
method authorization

Issue gh-9289
2021-04-09 18:45:31 -06:00
Josh Cummings 6828987b4b
Add AfterMethodAuthorizationManager
- Removes the need to keep MethodAuthorizationContext#returnObject
in sync with other method parameters
- Restores MethodAuthorizationContext's immutability

Closes gh-9591
2021-04-09 18:43:56 -06:00
Josh Cummings 2b494ebc5f
Polish AOP Structure
- Changed from MethodMatcher to Pointcut since authorization
annotations also can be attached to classes
- Adjusted advice to extend Before or AfterAdvice
- Adjusted advice to extend PointcutAdvisor so
that it can share its Pointcut
- Adjusted advice to extend AopInfrastructureBean to
align with old advice classes

Issue gh-9289
2021-04-09 17:46:33 -06:00
Josh Cummings 62d77ec97e
Add GrantedAuthorityDefaults to Expression Handler
Issue gh-9289
2021-04-09 17:46:33 -06:00
Josh Cummings 68cf74468c
Add check for custom advice
- Because publishing an advice bean replaces Spring Security
defaults, the code should error if both a custom bean and
either secureEnabled or prePostEnabled are specified

Issue gh-9289
2021-04-09 17:46:33 -06:00
Josh Cummings 45376b359b
Adjust Packaging
Issue gh-9289
2021-04-09 17:46:32 -06:00
Evgeniy Cheban 20778f727b
Consider AuthorizationManager for Method Security
Closes gh-9289
2021-04-09 17:46:32 -06:00
Josh Cummings 7ded671858
Refactor AuthenticationDetailsSource support
- BearerTokenAuthenticationFilter exposes this directly, simplifying
configuration and removing a package tangle

Closes gh-9576
2021-04-09 12:41:16 -06:00
Eleftheria Stein e03fe7f089 Add coroutine support to pre/post authorize
Closes gh-8143
2021-04-09 19:33:06 +02:00
Rob Winch 60d3db5798 add management platform(project(":spring-security-dependencies"))
Closes gh-9540
2021-04-05 10:36:36 -05:00
Rob Winch 1a76ee7442 Update Gradle configuration names
Closes gh-9540
2021-04-05 10:36:36 -05:00
Eleftheria Stein 0f3df3e714 Consider Order on SecurityFilterChain bean definitions
Closes gh-9154
2021-03-24 11:02:29 +02:00
Eleftheria Stein f5fe64cd5b Fix typo 2021-03-24 11:00:37 +02:00