Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-21 22:05:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
9,985 Commits 33 Branches 337 Tags
Commit Graph

1171 Commits

Author SHA1 Message Date
Marcus Hert da Coregio
2a7998d0fc Adjust createNewSessionIfAllowed to prevent NPE 
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
 2021-05-26 10:36:44 -06:00
César Revert
cf74ad3a52 Anonymous in ExceptionTranslationWebFilter 
The ExceptionTranslationWebFilter does not support correctly when
anonymous authentication is enabled. With this enabled provoked always
the execution of the access denied handler, and with this fix it
behaves like the ExceptionTranslationFilter (servlet), executing the
access denied handler only if the principal is not empty and neither
anonymous.

Closes gh-9130
 2021-05-26 09:17:41 -05:00
Craig Andrews
a7fbae8355 Add test for RequestedUrlRedirectInvalidSessionStrategy 2021-05-26 09:11:38 -05:00
Craig Andrews
0e6d47b082 Add guard around debug logging involving string concatenation 2021-05-26 09:11:38 -05:00
Craig Andrews
0af74ce134 Use ServletUriComponentsBuilder instead of UrlPathHelper 2021-05-26 09:11:38 -05:00
Craig Andrews
2bcd4627fa Eliminate use of Optional 2021-05-26 09:11:38 -05:00
Craig Andrews
10a264c144 Add RequestedUrlRedirectInvalidSessionStrategy implemention of InvalidSessionStrategy 
Performs a redirect to the original request URL when an invalid requested session is detected.

In effect, when a user's session times out, the user is redirected to URL they originally requested instead of some fixed URL.
 2021-05-26 09:11:38 -05:00
Josh Cummings
df6ebc7051
Rename DelegatingAuthorizationManager 
Closes gh-9692
 2021-04-28 09:53:25 -06:00
Thomas Vitale
e2993d93e1 Make Csrf cookie secure flag configurable (WebFlux) 
Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository.

Closes gh-9678
 2021-04-27 09:34:12 +02:00
Josh Cummings
cb6e4f4a11
Add NPE Guards 
- Like values, names are only validated if they are not null

Closes gh-9598
 2021-04-22 11:22:19 -06:00
Craig Andrews
7dc4de05b1 Add guard around logger.debug statement 
The log message involves string concatenation, the cost of which should only be incurred if debug logging is enabled
 2021-04-16 10:32:58 -06:00
Josh Cummings
4f7d529c5d
Polish Csrf Tests 
Issue gh-9561
 2021-04-09 22:47:31 -06:00
佚名
87ed527023
Add null check in CsrfFilter and CsrfWebFilter 
Solve the problem that CsrfFilter and CsrfWebFilter
throws NPE exception when comparing two byte array
is equal in low JDK version.

When JDK version is lower than 1.8.0_45, method
java.security.MessageDigest#isEqual does not verify
whether the two arrays are null. And the above two
class call this method without null judgment.

ZiQiang Zhao<1694392889@qq.com>
 2021-04-09 21:43:19 -06:00
Rob Winch
f3f1106624 Update io.spring.javaformat to 0.0.27 
Closes gh-9553
 2021-04-05 22:23:59 -05:00
Rob Winch
60d3db5798 add management platform(project(":spring-security-dependencies")) 
Closes gh-9540
 2021-04-05 10:36:36 -05:00
Rob Winch
1a76ee7442 Update Gradle configuration names 
Closes gh-9540
 2021-04-05 10:36:36 -05:00
Eleftheria Stein
4a492846f1 Revert "Lock dependencies for 2.5.0-M3" 
This reverts commit f05cc6269c8f4c9531d512ed7939a37d94a815e4.
 2021-03-15 23:18:45 +01:00
Eleftheria Stein
f05cc6269c Lock dependencies for 2.5.0-M3 2021-03-15 11:00:19 +01:00
Rob Winch
95da12110b
Additional Test for HttpSessionSecurityContextRepository 
Issue gh-9387
 2021-02-11 15:58:29 -07:00
Rob Winch
3116369f02
Optimize HttpSessionSecurityContextRepository 
Closes gh-9387
 2021-02-11 15:58:28 -07:00
Josh Cummings
c4be1c6a56
Revert "Lock Dependencies" 
This reverts commit a85caa4098589b0080d75e428f0d262090b6a1f1.
 2021-02-11 15:49:59 -07:00
Josh Cummings
a85caa4098
Lock Dependencies 2021-02-11 15:00:38 -07:00
Josh Cummings
107f38fff9
Polish Tests 
Issue gh-9331
 2021-02-03 09:05:31 -07:00
happier233
873b9bdbca
Configure CurrentSecurityContextArgumentResolver BeanResolver 
Closes gh-9331
 2021-02-03 09:05:31 -07:00
Evgeniy Cheban
77484018bb Reconsider AntPathRequestMatcher matching logic 
Closes gh-9285
 2021-01-19 12:02:06 -07:00
Rob Winch
0201c31deb Fix Checkstyle for CsrfWebFilter 
Issue gh-9337
 2021-01-12 11:37:12 -06:00
Rob Winch
a1083d9a5c Fix CsrfWebFilter error message when expected CSRF not found 
Closes gh-9337
 2021-01-12 11:18:29 -06:00
Josh Cummings
160a4a3676
Reformat MvcRequestMatcher 
- Moved related private methods together

Issue gh-9284
 2021-01-11 08:28:59 -07:00
Evgeniy Cheban
8449df9fd2
Consider Aligning MvcRequestMatcher's matching methods 
Closes gh-9284
 2021-01-09 21:42:16 +03:00
Zeeshan Adnan
848bd44837
Remove unused code 
Issue gh-9203
 2020-12-18 11:49:52 -07:00
Rob Winch
40e027c56d Constant Time Comparison for CSRF tokens 
Closes gh-9291
 2020-12-17 15:01:43 -06:00
Josh Cummings
c066e23a86
Add @since attributes 
Issue gh-8900
 2020-12-16 15:58:53 -07:00
Evgeniy Cheban
34b4b1054f Add AuthorizationManager 
Closes gh-8900
 2020-12-16 15:58:36 -07:00
Nick McKinney
5306d4c4d5 Minor cleanup on Ant / Regex Request Matchers 
- Removed duplicative code for transforming String into HttpMethod
 - Removed an unnecessary array initialization
 2020-12-14 14:19:23 +01:00
Nick McKinney
6be25df1db Introduced DispatcherType request matcher 
Created a DispatcherTypeRequestMatcher and corresponding methods
for configuring an HttpSecurity object. This enables filtering of
security rules based on the dispatcher type of the incoming servlet
request.

Closes gh-9205
 2020-12-14 14:19:23 +01:00
Christophe Gilles
54d3839f63 Add permissionsPolicy http header 2020-12-11 12:32:18 +01:00
Serdar Kuzucu
48ef27b80a Make assertion messages in CookieCsrfTokenRepository clearer 
Changes assertion message format from 'X is not null' to
'X cannot be null' since this is more meaningful when the error
occurs and the message is printed in the logs.

Closes gh-9195
 2020-12-09 10:45:22 -06:00
Serdar Kuzucu
76e117a67a Allow maximum age of csrf cookie to be configured 
Allows maxAge of the generated cookie by CookieCsrfTokenRepository
to be configurable.

Prior to this commit, maximum age was set with a value of -1.

After this commit, it will be configured by the user with an either
positive or negative value. If the user does not provide a value,
it will be set -1.

An IllegalArgumentException will be thrown when
this value is set to zero.

Closes gh-9195
 2020-12-09 10:45:22 -06:00
Josh Cummings
f614a8230c
Polish getRemoteUser 
- Corrected instanceof check

Issue gh-3357
 2020-12-03 13:08:40 -07:00
Stephen Joyner
9c373ef4f8
getRemoteUser() returns principal name 
Closes gh-3357
 2020-12-03 13:08:40 -07:00
Eleftheria Stein
7f482eda7d Fix CookieRequestCache for URL encoded query parameters 
Avoid populating the saved request parameters with encoded values. Since the query strings of the request and saved URL are compared and must be equal, we can just use the parameters from the incoming request.

Closes gh-9203
 2020-11-26 18:16:42 +01:00
Aditya Sekhar
4cc3c25a0e removed whitespace formatting 2020-11-13 15:01:17 -06:00
Aditya Sekhar
a26975f780 cleanup compatibility method based on spring-projects#8868 2020-11-13 15:01:17 -06:00
zhuang
ff58ac836e
Decode cookie once in AbstractRememberMeServices 
Issue gh-9192
 2020-11-09 08:14:20 -05:00
Eleftheria Stein
34a21cd80c Fix formatting 2020-11-09 13:46:09 +01:00
Eleftheria Stein
5661e06e9c Fix typo UserDetailService -> UserDetailsService 2020-11-09 13:13:32 +01:00
Arnaud Mergey
2b9efccc50 Implement MessageSourceAware where missing 
Closes gh-8951
 2020-11-05 10:57:33 -07:00
Joe Grandja
b95e1aa209 Revert "Lock dependencies for 5.5.0-M1" 
This reverts commit 25a7482c8c5fb0ee6a08878020ea46d4f90383dc.
 2020-11-03 19:53:28 -05:00
Rob Winch
25a7482c8c Lock dependencies for 5.5.0-M1 2020-10-30 17:52:03 -05:00
Alexander Polozov
a362ab53bc Change guard expressions order 
Check of allowed user sessions count moved to head for avoid unnecessary fetching all user sessions.
 2020-10-27 09:49:29 -04:00