45a963a011
Remove CsrfWebFilter.setTokenFromMultipartDataEnabled
...
Closes gh-12019
2022-10-13 11:29:16 -05:00
819529f5ea
Remove CsrfSpec.tokenFromMultipartDataEnabled
...
Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled
Closes gh-12020
2022-10-13 11:29:15 -05:00
db7732dd4a
Merge remote-tracking branch 'origin/5.8.x'
2022-10-13 10:19:54 -06:00
59c4538798
Update What's New
...
Closes gh-12021
2022-10-13 10:13:20 -06:00
753e113a13
RequestMatcherDelegatingAuthorizationManager defaults to deny
...
Closes gh-11958
2022-10-13 11:12:00 -04:00
d0653afec3
Remove Duplicate Property
2022-10-13 09:02:35 -06:00
2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
...
Closes gh-11960
2022-10-13 09:39:57 -05:00
2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
...
Issue gh-11960
2022-10-13 09:39:55 -05:00
60aa799498
Merge branch '5.8.x'
2022-10-13 09:37:58 -03:00
445833295b
Merge branch '5.7.x' into 5.8.x
2022-10-13 09:37:33 -03:00
0c239813e5
Merge branch '5.6.x' into 5.7.x
2022-10-13 09:36:09 -03:00
717320a9ba
Update org.springframework.data to 2021.2.4
...
Closes gh-12018
2022-10-13 09:30:50 -03:00
601fafd3de
Update org.springframework to 5.3.23
...
Closes gh-12017
2022-10-13 09:30:47 -03:00
0f5c23ab17
Update hibernate-entitymanager to 5.6.12.Final
...
Closes gh-12016
2022-10-13 09:30:43 -03:00
a73b8de0f4
Update org.eclipse.jetty to 9.4.49.v20220914
...
Closes gh-12015
2022-10-13 09:30:40 -03:00
2d7813be6e
Update io.rsocket to 1.1.3
...
Closes gh-12014
2022-10-13 09:30:37 -03:00
655a1e345e
Update io.projectreactor to 2020.0.24
...
Closes gh-12012
2022-10-13 09:30:31 -03:00
4fc00b74a9
Update mockk to 1.12.8
...
Closes gh-12011
2022-10-13 09:30:28 -03:00
0521bb1af5
Update jackson-bom to 2.13.4.20221012
...
Closes gh-12008
2022-10-13 09:30:17 -03:00
4992e8ce62
Update org.springframework.data to 2021.1.8
...
Closes gh-12007
2022-10-13 09:24:21 -03:00
c772daab92
Update org.springframework to 5.3.23
...
Closes gh-12006
2022-10-13 09:24:20 -03:00
45a4a89960
Update hibernate-entitymanager to 5.6.12.Final
...
Closes gh-12005
2022-10-13 09:24:20 -03:00
b43c7e927f
Update org.eclipse.jetty to 9.4.49.v20220914
...
Closes gh-12004
2022-10-13 09:24:20 -03:00
50d23622d0
Update io.rsocket to 1.1.3
...
Closes gh-12003
2022-10-13 09:24:20 -03:00
2c2603ba0f
Update io.projectreactor to 2020.0.24
...
Closes gh-12001
2022-10-13 09:24:20 -03:00
f7f53ea2b7
Update jackson-bom to 2.13.4.20221012
...
Closes gh-11997
2022-10-13 09:22:28 -03:00
db7f52db4e
Add hints to invoke SecurityContextImpl#getAuthentication
...
Closes gh-11987
2022-10-13 09:06:16 -03:00
6026f9f70f
Merge branch '5.8.x'
2022-10-13 06:31:37 -04:00
185991a606
Revert "Add default AuthorizationManager"
...
This reverts commit 4ddec07d0e
2022-10-13 06:18:00 -04:00
fe96a62dfc
Document Observability Support
...
Issue gh-10964
2022-10-12 20:32:25 -06:00
2713075d08
Mark Observations with Firewall Failures
...
Closes gh-11994
2022-10-12 20:32:24 -06:00
46ab84684b
Mark Observations with CSRF Failures
...
Closes gh-11993
2022-10-12 20:32:23 -06:00
d3d8f7d60f
Mark Observations with Security Context Events
...
Closes gh-11992
2022-10-12 20:32:23 -06:00
99a87179dd
Instrument Filter Chain
...
Closes gh-11911
2022-10-12 20:32:22 -06:00
8c610684f3
Instrument Authentication and Authorization
...
Closes gh-11989
Closes gh-11990
2022-10-12 20:32:21 -06:00
827384e386
Add Micrometer Dependency
2022-10-12 19:26:21 -06:00
7c872cf7fd
Merge branch '5.8.x'
2022-10-12 15:02:40 -05:00
440748ec65
Add test support for Xor CSRF tokens
...
Issue gh-4001
2022-10-12 15:02:15 -05:00
9b43950e13
Merge branch '5.8.x'
2022-10-12 13:14:20 -05:00
8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests
2022-10-12 12:31:56 -05:00
804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests
2022-10-12 12:30:40 -05:00
05e4a1dd20
Cache Xor CsrfToken
...
Closes gh-11988
2022-10-12 12:30:40 -05:00
bf1e622751
Update What's New in 6.0 for PasswordEncoders
...
Issue gh-11985
2022-10-12 08:27:46 -04:00
716aa6df5c
Merge branch '5.8.x'
2022-10-12 07:43:26 -04:00
ffbcaca24a
Update reference for PasswordEncoders
...
Issue gh-10506
2022-10-12 07:32:30 -04:00
ed6a7f7730
Remove deprecated constructors in PasswordEncoders
...
Closes gh-11985
2022-10-12 02:38:25 -04:00
7af111cd33
Merge branch '5.8.x'
2022-10-12 01:28:01 -04:00
c50441b59f
Update default configuration for Pbkdf2PasswordEncoder
...
The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html ), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.
Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256
New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256
The default salt length was also updated from 8 to 16.
Closes gh-10506, Closes gh-10489
2022-10-12 00:45:10 -04:00
f8419003eb
Update default configuration for SCryptPasswordEncoder
...
The recommended minimums for scrypt, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html ), are:
Use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.
Previous default configuration:
cpuCost=16384, memoryCost=8, parallelism=1
New default configuration:
cpuCost=65536, memoryCost=8, parallelism=1
The default salt length was also updated from 64 to 16.
Issue gh-10506
2022-10-12 00:14:07 -04:00
2ea62d0f8b
Update default configuration for Argon2PasswordEncoder
...
The recommended minimums for Argon2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html ), are:
Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
Previous default configuration:
memory=4, iterations=3, parallelism=1
New default configuration:
memory=16, iterations=2, parallelism=1
Issue gh-10506
2022-10-11 18:04:37 -04:00
Steve Riesenberg
Josh Cummings
Joe Grandja
Marcus Da Coregio