c4d23f2b49
Use MvcRequestMatcher by default if Spring MVC is present
...
Closes gh-11899
2022-10-06 09:12:04 -03:00
353ca76973
Merge remote-tracking branch 'origin/5.8.x'
2022-10-06 00:01:40 -06:00
380a6a2564
Polish SecurityContextHolderStrategy Usage
...
- Add to HttpSessionSecurityContextRepository#saveContext
Issue gh-11060
2022-10-05 23:59:14 -06:00
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 22:48:33 -06:00
f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler
...
Issue gh-11105
2022-10-05 21:47:14 -06:00
eeb28e4f91
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 21:45:26 -06:00
4ddec07d0e
Add default AuthorizationManager
...
Closes gh-11963
2022-10-05 21:37:41 -06:00
ee9449dbfe
Fix tests for deferred CSRF tokens
...
Issue gh-4001
2022-10-05 16:10:36 -05:00
521cdfd738
Use correct servlet imports
...
Issue gh-4001
2022-10-05 16:10:35 -05:00
8b490de08d
Merge branch '5.8.x'
...
# Conflicts:
# docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
dce1c30522
Add support for BREACH
...
Closes gh-4001
2022-10-05 14:21:13 -05:00
5de6da890b
Merge branch '5.8.x'
...
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
...
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler
Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
7c3cc1e386
Merge branch '5.8.x'
2022-10-03 14:29:51 -05:00
0e215a21ad
Add X-Xss-Protection headerValue to XML config
...
Issue gh-9631
2022-10-03 14:29:34 -05:00
ad2abd39dc
Merge branch '5.8.x'
...
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
039e0328e1
Simplify Java Configuration RequestMatcher Usage
...
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity
Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
5f2744db33
Merge branch '5.8.x'
...
Closes gh-11937
2022-10-03 11:43:22 -03:00
64a19de4dc
Deprecate HPKP security header
...
Closes gh-10144
2022-10-03 11:36:19 -03:00
4479cefade
Default Require Explicit Session Management = true
...
Closes gh-11763
2022-09-30 21:49:05 -05:00
76fbca9f46
Merge branch '5.8.x'
2022-09-30 09:50:02 -05:00
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
...
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".
This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.
This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.
Issue gh-9631
2022-09-30 09:38:08 -05:00
e0e6467d9b
Remove UsernamePasswordAuthenticationToken check
...
This commit reverts 21dd050d7b
2022-09-29 15:25:53 -05:00
1e0e9a2c98
Allow authenticationIsRequired to be overridden
...
Issue gh-10347
2022-09-29 15:25:53 -05:00
bcb21c9384
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
...
Closes gh-11896
2022-09-23 15:09:00 -05:00
3c66ef6305
Change default SecurityContextRepository
...
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.
Closes gh-11026
2022-09-22 17:31:14 -05:00
ccac34b07c
Merge branch '5.8.x'
2022-09-22 16:45:48 -05:00
d140d95305
Fix assertion in NullSecurityContextRepository
...
Issue gh-11060
2022-09-22 15:33:22 -05:00
5d757919a2
Add SecurityContextHolderStrategy to new repository
...
In 6.0, RequestAttributeSecurityContextRepository will be the default
implementation of SecurityContextRepository. This commit adds the
ability to configure a custom SecurityContextHolderStrategy, similar
to other components.
Issue gh-11060
Closes gh-11895
2022-09-22 15:33:21 -05:00
0efe26c1fd
Merge branch '5.8.x'
...
Closes gh-11894
2022-09-22 13:47:04 -05:00
d94677f87e
CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
...
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.
Closes gh-11892
2022-09-22 11:09:44 -05:00
2a487ae7f8
Updated hashcode and equals
...
Closes gh-4133
2022-09-20 16:36:37 -06:00
46f402243b
Merge remote-tracking branch 'origin/5.8.x'
2022-09-20 16:11:16 -06:00
3f8503f1b4
Deprecate AccessDecisionManager et al
...
Closes gh-11302
2022-09-20 16:09:59 -06:00
088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
...
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
ed41a60aae
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
# config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
# web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
86fbb8db07
Add new interfaces for CSRF request processing
...
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
8cb97a090b
Default CsrfFilter.csrfRequestAttributeName = _csrf
2022-08-31 14:26:26 -05:00
0aa5850d22
Fix formatting
...
Issue gh-11762
2022-08-29 16:26:30 -05:00
2efc8dcd15
Default Require Explicit Save SecurityContext
...
Closes gh-11762
2022-08-29 10:16:04 -05:00
f84f08c4b9
Default HttpSessionRequestCache.matchingRequestParameterName=continue
...
Closes gh-11757
2022-08-26 14:44:55 -05:00
b28efbc4b8
Merge remote-tracking branch 'origin/5.8.x' into main
2022-08-25 15:44:31 -06:00
a5351f3d89
LogoutPageGeneratingWebFilter Uses Context Path
...
Closes gh-11716
2022-08-25 15:36:04 -06:00
76c39fa490
Merge branch '5.8.x'
...
Closes gh-11750
2022-08-24 16:47:08 -05:00
4ff0724c87
slight improvement in HttpSessionRequestCache
...
Closes gh-11666
2022-08-24 16:44:23 -05:00
670b71363d
Merge branch '5.8.x'
...
Closes gh-11749
2022-08-23 16:03:50 -05:00
2fb625db84
Remove mockito deprecations
...
Issue gh-11748
2022-08-23 15:59:52 -05:00
1d555b62e3
Fix IP address parse error msg in IpAddressMatcher
...
There is no whitespace between error message and IP address value `IpAddressMatcher#parseAddress()`
If IP value is wrong, then error text looks like `Failed to parse addressi.am.ip`.
There should be some separator between those two text tokens.
Also wrapped the address value with single quotes.
Will this add any confusion for the caller?
Or colon and `"Failed to parse address: $value` looks better?
2022-08-18 10:40:38 -06:00
8ad20b1768
Add CsrfFilter.csrfRequestAttributeName
...
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.
This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.
Issue gh-11699
2022-08-16 13:47:31 -05:00
Marcus Da Coregio
Josh Cummings
Steve Riesenberg
Daniel Garnier-Moiroux
Rob Winch
Daniel Garnier-Moiroux
shazin
Bert Vanwolleghem
shinD
cyb3r4nt