24bb83e2c7
Consistently handle RequestRejectedException if it is wrapped
...
Closes gh-11645
2022-08-09 08:31:45 -03:00
1c4d6ed098
Consistently handle RequestRejectedException if it is wrapped
...
Closes gh-11645
2022-08-09 08:30:15 -03:00
2e66b9f6cc
Allow customization of redirect strategy
...
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.
Closes gh-11373
2022-08-08 15:44:01 -05:00
efaee4e56b
Allow customization of redirect strategy
...
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.
Closes gh-11373
2022-08-08 15:35:49 -05:00
c23324e7a7
RequestAttributeSecurityContextRepository never null SecurityContext
...
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext
This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.
Closes gh-11606
2022-08-08 14:14:12 -05:00
269c711a64
RequestAttributeSecurityContextRepository never null SecurityContext
...
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext
This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.
Closes gh-11606
2022-08-08 13:52:56 -05:00
c9f8d2b111
RequestAttributeSecurityContextRepository never null SecurityContext
...
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext
This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.
Closes gh-11606
2022-08-08 13:52:12 -05:00
ed58ac7d78
Add Conditions to Generating AuthnRequest
...
Closes gh-11657
2022-08-03 17:49:48 -06:00
9e8a04d414
Polish Tests
...
Issue gh-11657
2022-08-03 17:49:46 -06:00
c2d79fcbd6
Add Conditions to Generating AuthnRequest
...
Closes gh-11657
2022-08-03 17:34:31 -06:00
aa225943d2
Polish Tests
...
Issue gh-11657
2022-08-03 17:34:26 -06:00
f8971742f2
Remove FilterSecurityInterceptor from WebSecurity
...
Closes gh-11325
2022-08-02 15:34:02 -03:00
508f7d7b8a
Update OpenSamlAuthenticationRequestResolverTests from Junit 4 to Junit 5
2022-08-02 08:02:22 -06:00
947445fcc5
Add ID to Saml2 Post and Redirect Requests
...
Closes gh-11468
2022-08-02 08:02:22 -06:00
040111ae9e
Remove Configuration meta-annotation from Enable* annotations
...
Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration.
While convenient, this is not consistent with the rest of the Spring projects and most notably
Spring Framework's @Enable annotations. Additionally, the introduction of support for
@Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to
remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow
users to opt into their preferred configuration mode.
Closes gh-6613
Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org>
2022-07-30 03:48:42 +02:00
99f768bab9
Polish HttpSecurity
2022-07-29 17:43:00 -05:00
984355e637
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:43:00 -05:00
09173c95d6
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:43:00 -05:00
07ea139ebf
Polish HttpSecurity
2022-07-29 17:42:39 -05:00
67544f36f9
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:42:39 -05:00
05725af4d8
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:42:39 -05:00
15f525c614
Polish HttpSecurity
2022-07-29 17:42:20 -05:00
0c0c75ce22
Remove references to WebSecurityConfigurerAdapter
...
* AbstractAuthenticationFilterConfigurer
* DefaultLoginPageConfigurer
* EnableGlobalAuthentication
* FormLoginConfigurer
* HeadersConfigurer
* HttpSecurity
* OpenIDLoginConfigurer
* RememberMeConfigurer
* WebSecurity
* WebSecurityConfiguration
* WebSecurityConfigurer
* X509Configurer
Closes gh-11288
2022-07-29 17:42:20 -05:00
9861769b02
Remove references to WebSecurityConfigurerAdapter in EnableWebSecurity
...
Closes gh-11277
2022-07-29 17:42:20 -05:00
02459919cc
Skip workflows on forks of spring-security
2022-07-28 15:13:56 -05:00
57d212ddca
Use cache and user.name system property on Windows
2022-07-28 15:13:55 -05:00
539b17f6da
Only run prerequisites job if on upstream repo
2022-07-28 15:13:54 -05:00
37e1ad27fe
Simplify dependency graph
2022-07-28 15:13:53 -05:00
043fdd6f03
Use Spring Gradle Build Action
...
Closes gh-11630
2022-07-28 15:13:52 -05:00
3234e05085
Polish gh-11367
2022-07-28 15:13:51 -05:00
f957e3c051
Set permissions for GitHub actions
...
Restrict the GitHub token permissions only to the required ones; this
way, even if the attackers will succeed in compromising your workflow,
they won’t be able to do much.
- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Closes gh-11367
2022-07-28 15:13:51 -05:00
24033be046
Skip workflows on forks of spring-security
2022-07-28 15:11:09 -05:00
47a5665767
Use cache and user.name system property on Windows
2022-07-28 15:11:08 -05:00
aad60cc6af
Only run prerequisites job if on upstream repo
2022-07-28 15:11:07 -05:00
13e94935ae
Simplify dependency graph
2022-07-28 15:11:06 -05:00
6c29007fac
Use Spring Gradle Build Action
...
Closes gh-11630
2022-07-28 15:11:05 -05:00
6ad567f0fa
Polish gh-11367
2022-07-28 15:11:05 -05:00
8c634f8a9d
Set permissions for GitHub actions
...
Restrict the GitHub token permissions only to the required ones; this
way, even if the attackers will succeed in compromising your workflow,
they won’t be able to do much.
- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Closes gh-11367
2022-07-28 15:11:04 -05:00
4fbbfd2c8b
Skip workflows on forks of spring-security
2022-07-28 15:07:02 -05:00
66da4301fc
Use cache and user.name system property on Windows
2022-07-28 15:07:02 -05:00
8929bd5abc
Only run prerequisites job if on upstream repo
2022-07-28 15:07:02 -05:00
e3d1405f67
Simplify dependency graph
2022-07-28 15:07:02 -05:00
e756a1df19
Use Spring Gradle Build Action
...
Closes gh-11630
2022-07-28 15:07:02 -05:00
81fae2db2c
Polish gh-11367
2022-07-28 15:07:01 -05:00
054a3f0bc0
Set permissions for GitHub actions
...
Restrict the GitHub token permissions only to the required ones; this
way, even if the attackers will succeed in compromising your workflow,
they won’t be able to do much.
- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
Closes gh-11367
2022-07-28 15:07:00 -05:00
9d248c7185
Skip workflows on forks of spring-security
2022-07-28 14:17:42 -05:00
865bf23ecc
Use cache and user.name system property on Windows
2022-07-28 13:00:15 -05:00
4393c2ea02
Add hash-based Content-Security-Policy for SAML pages
...
Closes gh-11631
2022-07-27 18:04:39 -06:00
409998a3fe
Add hash-based Content-Security-Policy for SAML pages
...
Closes gh-11631
2022-07-27 17:59:42 -06:00
f86d30f4a1
Only run prerequisites job if on upstream repo
2022-07-27 16:01:16 -05:00
Marcus Da Coregio
Igor Bolic
Rob Winch
Josh Cummings
Scott Shidlovsky
Joshua Sattler
Steve Riesenberg
naveen
Ulrich Grave