ccbad61ae8
Change blacklist to blocklist
...
Closes gh-8676
2020-06-10 11:49:49 -05:00
ca1252be94
Replace whitelist with allowlist
...
Issue gh-8676
2020-06-10 11:49:21 -05:00
a907026eae
Deprecate X-FRAME-OPTIONS ALLOW-FROM Directive
...
Closes gh-8677
2020-06-10 11:48:56 -05:00
da4b626bf1
OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
...
Issue gh-8609
2020-06-09 17:28:21 -04:00
0a42aa26c8
Mock request with non-standard HTTP method in test
...
Fixes gh-8594
2020-05-26 10:16:56 -04:00
f08ca4e688
Throw exception if URL does not include context path when context relative
...
Issue: gh-8399
2020-05-20 14:02:17 -04:00
dc514b369e
FilterInvocation Support Default Methods on HttpServletRequest
...
Closes gh-8566
2020-05-20 10:13:59 -05:00
bfb401eeed
Create the CSRF token on the bounded elactic scheduler
...
The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.
Fixes gh-8128
2020-05-18 11:04:54 -05:00
cd08102b93
Add debug logging
...
Goal is to provide insight to devs on:
- Authentication & Authorization success/failures
- WebSession & SecurityContext
- Request matchers, cache & authn/authz flow
Fixes gh-5758
2020-05-12 09:03:24 -05:00
4473dca022
Polish matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed
...
Issue gh-8149
2020-05-11 17:20:16 -05:00
0f92415395
Fix non-standard HTTP method for CsrfWebFilter
...
Closes gh-8149
2020-05-11 17:19:57 -05:00
6db514a4e2
Update AntPathRequestMatcher.java
...
Fixed typo in JavaDoc. Actually, In these two cases, we are calling the constructor with a `boolean caseSensitive` which is equal to true. This means case sensitive
2020-05-11 17:11:22 -04:00
0483b3e042
Polish RequestRejectedHandler
...
Issue gh-5007
2020-05-01 10:51:11 -05:00
b826c798f7
Add RequestRejectedHandler
...
Closes gh-5007
2020-05-01 10:51:01 -05:00
b7d3acc02c
Add constructors to AbstractAuthenticationProcessingFilter
...
Closes gh-8309
2020-04-09 13:53:06 -05:00
6bdd5f710f
Fix example in javadoc of FilterChainProxy
2020-04-07 21:05:12 +03:00
91728ef53b
Fix HttpServlet3RequestFactory Logout Handlers
...
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.
This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.
Closes gh-4760
2020-03-30 17:50:28 -05:00
eed71243cb
SwitchUserFilter Defaults to POST
...
Fixes gh-4183
2020-03-27 13:41:49 -06:00
935c547dde
Fix exception for empty basic auth header token
...
fixes spring-projectsgh-7976
2020-03-16 12:57:13 -04:00
47011eb9e2
Polish transfer session's max inactive interval
...
Issue: gh-2693
2020-03-12 12:11:14 -04:00
02b7d04027
Transfer session's max inactive interval
...
Fixes: gh-2693
2020-03-12 10:11:59 -04:00
b2ea0ba775
Polish SessionIdChangedEvent
...
Add AbstractSessionEvent; clean up license headers and Javadocs
Fixes: gh-5438
2020-03-06 12:04:49 -05:00
5fc6414377
SessionRegistryImpl is now aware of SessionIdChangedEvent
2020-03-06 12:04:01 -05:00
ae532c080c
Add server request cache that uses cookie
...
Fixes: gh-8033
2020-03-05 15:36:47 -05:00
38979b1b09
Add test for ServerRequestCacheWebFilter
2020-03-05 14:57:07 -05:00
2ce9eef95e
Fix typo in AntPathRequestMatcher contructor comment
2020-03-02 07:14:27 -06:00
82cd203791
Remove unnecessary mocking
...
Fixes gh-8012
2020-02-23 19:35:16 -05:00
bae50ecc05
AbstractSecurityWebApplicationInitializerTests groovy->java
...
Issue gh-4939
2020-02-10 10:38:39 -07:00
cb9fd09150
Change AuthenticationWebFilter's constructor
...
Fixes gh-7872
2020-01-31 09:31:28 -07:00
e62fb755e8
Set charset of BasicAuthenticationFilter converter
...
Allow BasicAuthenticationFilter to pick up the given credentials charset.
Fixes: gh-7835
2020-01-23 15:34:35 +01:00
1f6381d970
Set secure on cookie when logging out
...
Mark cookie secure flag to ensure cookie identity is the same
2020-01-13 11:01:33 +01:00
ffccec953f
Fix HttpHeaderWriterWebFilterTests
...
Ensure setComplete() is subscribed to
2020-01-09 14:24:35 -06:00
2015f392ef
Set secure when cancelling remember-me cookie
...
AbstractRememberMeServices is setting remember-me cookie with checking request is secure or secure usage is independently set to a fixed flag.
But when cancelling a cookie, cookie is not being marked secure or not. It produces an inconsistency when using secure flag as a part to identity of cookie.
2019-12-20 16:04:31 +01:00
a8331ba7ed
CompositeServerHttpHeadersWriter Executes Sequentially
...
Fixes gh-7731
2019-12-12 11:23:56 -06:00
64e063d948
switches web authentication principal resolver to use reactive context
...
gh #6598
Signed-off-by: David Herberth <github@dav1d.de>
2019-12-12 15:33:23 +01:00
8e53c3f269
DelegatingServerAuthenticationSuccessHandler Executes Sequentially
...
Fixes gh-7728
2019-12-12 08:32:44 -06:00
73babc3314
DelegatingServerLogoutHandler Executes Sequentially
...
Fixes gh-7723
2019-12-11 15:39:27 -06:00
4d9cee116c
Display general error message when WebFlux oauth2Login() fails
...
Issue gh-5562 gh-6484
2019-12-05 16:54:31 -05:00
796859333f
Log full failed authentication exception in BasicAuthenticationFilter
2019-11-27 14:56:24 +01:00
5f17032ffd
Restore Removed Throws Clauses
...
In a recent clean-up, certain exceptions were removed from various
throws clauses.
This PR re-introduces throws clauses that are important for one of the
following reasons:
1. It's a method on a public interface
2. It's a method clearly designed for inheritance, for example, a
method stub, an abstract method, or indicated as such in the docs.
Fixes gh-7541
2019-10-30 12:13:54 -06:00
635f7e1edd
CsrfWebFilter supports multipart/form-data
...
Fixes gh-7576
2019-10-28 14:06:10 -05:00
b9f122230b
Align javadoc of continueFilterChainOnUnsuccessfulAuthentication with actual behaviour
2019-10-23 14:50:57 -04:00
d26f40f062
DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path.
2019-10-23 09:41:00 -04:00
62c7de03c3
Add RequestMatcher to AbstractPreAuthenticatedProcessingFilter
...
Moved the existing auth check logic to the matcher.
Issue: gh-5928
2019-10-22 16:55:54 -04:00
264daec697
Test context relative URL with multiple schemes
2019-10-16 15:32:02 -04:00
b764af6b9b
CookieServerCsrfTokenRepositoryTests Leading Dot
...
ResponseCookie removed support for having a leading dot in the cookie
domain.
Fixes gh-7500
2019-09-30 08:39:45 -06:00
7949dd492a
Move DelegatingServerAuthenticationSuccessHandlerTests
...
Moved from src/test/groovy to src/test/java
Issue gh-5332
2019-09-27 16:57:43 -06:00
5f905232cb
Polish CurrentSecurityContextArgumentResolvers
...
Fixes gh-7487
2019-09-27 13:19:08 -06:00
00f8991fac
Merge Remove Redudant Throws
...
Fixes gh-7301
2019-09-19 11:04:53 -05:00
034b5e9e93
Introduce LogoutSuccessEvent
...
LogoutSuccessEvent is a simple AbstractAuthenticationEvent implementation which indicates successful logout.
By default, LogoutConfigurer will add a new LogoutHandler called LogoutSuccessEventPublishingLogoutHandler to publish this event.
This PR will also fix ConcurrentSessionFilter's composite logoutHandler, now will get LogoutHandler instances from LogoutConfigurer for consistency.
Fixes gh-2900
2019-09-18 10:57:16 -05:00
7576dc44d7
AuthenticationFilter Session Fixation Protection
...
Fixes gh-7446
2019-09-17 08:17:09 -06:00
496a2cdc60
Make AuthenticationFilter methods private
...
Fixes gh-7447
2019-09-17 08:06:21 -06:00
aa12748c9b
Add Request-level CSRF Skip
...
Fixes gh-7367
2019-09-13 19:04:05 +01:00
9f0986a093
Fix javadoc typo for invalid session strategy
2019-09-09 16:51:14 -04:00
08d50868c9
Merge pull request #7260 from fhanik/feature/saml2-sp-mvp
...
Add SAML Service Provider Support
2019-09-05 17:04:14 -07:00
e9a44bc0ce
HttpSecurity.saml2login() - MVP Core Code
...
Implements minimal SAML 2.0 login/authentication functionality with the
following feature set:
- Supports IDP initiated login at the default url of /login/saml2/sso/{registrationId}
- Supports SP initiated login at the default url of /saml2/authenticate/{registrationId}
- Supports basic java-configuration via DSL
- Provides an integration sample using Spring Boot
Not implemented with this MVP
- Single Logout
- Dynamic Service Provider Metadata
Fixes gh-6019
2019-09-05 14:40:08 -07:00
2a1f3f6aa7
Remove Package Tangle in HeaderWriterFilter
...
Fixes gh-7380
2019-09-05 16:08:45 -05:00
39e84013f7
ClearSiteDataHeaderWriter Directives
...
Fixes gh-7347
2019-09-03 15:57:10 -06:00
ad0d3e9702
Polish remember me username check
2019-09-03 11:48:46 -04:00
26ae590c68
Check that userdetails for username exists. #7251
2019-09-03 11:48:46 -04:00
f6c650db47
Replace Streams with Loops
...
First version of replacing streams
fix wwwAuthenticate and codestyle
fix errors in implementation to pass tests
Fix review notes
Remove uneccessary final to align with cb
Short circuit way to authorize
Simplify error message, make code readably
Return error while duplicate key found
Delete check for duplicate, checkstyle issues
Return duplicate error
Fixes gh-7154
2019-09-02 15:30:48 -06:00
95511331fa
fix checkstyle
2019-08-26 22:42:26 +02:00
2c2e8e5f24
Remove internal Optional usage in favor of null checks
...
Issue gh-7155
2019-08-26 09:27:40 -04:00
34dd5fea30
Remove redundant throws clauses
...
Removes exceptions that are declared in a method's signature but never thrown by the method itself or its implementations/derivatives.
2019-08-23 01:03:54 +02:00
1a233a58c7
Add OnCommittedResponseWrapper.setContentLengthLong
...
Add setContentLengthLong tracking to OnCommittedResponseWrapper in
order to detect commits on servlets that use setContentLengthLong to
announce the entity size they are about to write (as used in the
Apache Tomcat's DefaultServlet).
Fixes gh-7261
2019-08-19 21:14:41 -04:00
4bc231872f
Expire as many sessions as exceed maximum allowed
...
Fixes: gh-7166
2019-08-15 09:48:42 -05:00
9735a718cc
Remove MultiTenantAuthenticationManagerResolver
...
Fixes gh-7259
2019-08-14 11:14:47 -06:00
c1db1aad91
Cleanup Code Style Issues
...
Cleanup Code Style Issues
2019-08-12 13:06:49 -05:00
ec6ca97226
Fix tests
2019-08-11 21:09:10 +02:00
ff1070df36
remove redundant modifiers found by checkstyle
2019-08-10 00:18:56 +02:00
38de737663
Java 8: Statement lambda can be replaced with expression lambda
2019-08-09 16:59:07 -05:00
7b2a7847e5
Java 8: Single Map method can be used
2019-08-09 16:59:07 -05:00
25c06be1eb
Java 7: Identical 'catch' branches in 'try' statement
2019-08-09 16:59:07 -05:00
578d628774
'Collection.toArray()' call style
2019-08-09 16:57:31 -05:00
b388976ac8
fix checkstyle
2019-08-09 02:46:20 +02:00
35bdf1f009
Unnecessary semicolon
2019-08-09 00:43:13 +02:00
d9c1f03b84
Unnecessary interface modifier
2019-08-09 00:42:35 +02:00
40bee457f9
Unnecessary enum modifier
2019-08-09 00:42:07 +02:00
8d0ca14e55
Unnecessary conversion to String
2019-08-09 00:41:46 +02:00
fb39d9c255
Anonymous type can be replaced with lambda
2019-08-08 17:09:09 -04:00
05f42a4995
Remove unused imports
2019-08-08 14:22:31 -04:00
2056834432
Cleanup unnecessary unboxing
...
Unboxing is unnecessary under Java 5 and newer, and can be safely removed.
2019-08-06 10:17:38 -04:00
2306d987e9
Cleanup unnecessary boxing
2019-08-06 10:17:38 -04:00
2055466ad7
Add Javadoc
2019-08-05 19:43:00 -04:00
ddf68821cb
Add RequestMatcher.matcher(HttpServletRequest)
...
Step 3 - Usage of RequestVariablesExtractor or types that are assigned
to AntPathRequestMatcher should be replaced with the new method.
[closes #7148 ]
2019-08-05 19:43:00 -04:00
496579dde2
Add match result for servlet requests
...
Fixes gh-7148
2019-08-05 19:43:00 -04:00
774a2e669c
Polish setAllowedHostnames
...
Added JavaDoc to method, including @since attribute
Issue gh-4310
2019-08-03 19:19:44 -06:00
f712c5598c
Add support for allowedHostnames in StrictHttpFirewall
...
Introduce a new method `setAllowedHostnames` which perform the validation
against untrusted hostnames.
Fixes gh-4310
2019-08-03 21:16:45 -04:00
a5cfd9fdb9
Downgrade AuthenticationFilter modifier
...
Fixes gh-7177
2019-08-03 21:14:33 -04:00
776a4c3760
Use org.mockito.ArgumentMatchers in favor of org.mockito.Matchers
2019-08-03 12:28:37 -04:00
ad2f999c25
Polish BasicAuthenticationConverter
...
This reverts to the old behavior from BasicAuthenticationFilter.
Specifically, if a token has an empty password, it still parses a username
and an empty String password.
Issue gh-7025
2019-08-02 09:04:55 -05:00
d157125c8e
Polish AuthenticationFilter
...
Updated member variable references to be prefixed with "this.".
Fixed typo in authentication manager resolver error message.
Issue: gh-6506
2019-08-01 16:26:54 -06:00
50adb6abcb
Fix javadoc
2019-07-31 15:36:30 -04:00
0b4502b2c5
Remove exceptions from lambda security configuration
...
Fixes: gh-7128
2019-07-30 08:31:37 -05:00
b55322b2cb
Make basic authentication scheme case-insensitive
...
Fixes: gh-7163
2019-07-29 16:30:03 -04:00
f1187bdfc2
issue/6506: AuthenticationConverter implementation
2019-07-23 17:31:21 -05:00
ab6440db10
Throws exception when passed IP address with too long mask
...
Fixes gh-2790
2019-07-19 06:25:58 -04:00
ea54d9014d
DSL nested builder for HTTP security
...
DSL nested builder for HTTP security
Fixes gh-5557
2019-07-12 16:09:19 -05:00
3ea9d376b2
Cleanup explicit type arguments
2019-07-10 09:32:41 -05:00
c5b5cc507c
Cleanup redundant type casts
2019-07-10 09:31:09 -05:00
Rob Winch
Joe Grandja
Eleftheria Stein
Astushi Yoshikawa
cbornet
Mathieu Ouellet
Parikshit Dutta
Artyom Tarynin
Leonard Brünings
Oh Myung Woon
Mustafa Ulu
Josh Cummings
Zeeshan Adnan
Venkata Jaswanth U
AmitB
Joe Grandja
Peter Keller
Onur Kağan Özcan
David Herberth
Filip Hrisafov
Michel Palourdio
Tadaya Tsuyukubo
Filip Hanik
Scott Murphy
kostya05983
Lars Grefer
watsta
Daniel Wegener
Eddú Meléndez
Khy
sbespalov
Clement Ng