14c2d96c86
Clean up code to conform to basic checkstyle
...
Issue: gh-6078
2018-11-26 14:33:08 -06:00
d05ad19276
CookieClearingLogoutHandler enhancement
...
Enabled the ability to pass in an array of Cookies to support clearing cookies on a different path other than the default context path
Issue: gh-6078
2018-11-26 14:33:08 -06:00
8a475e39be
Write Security Headers Before Servlet Include
...
HeaderWriterFilter wraps request dispatcher so it can write security
headers before the include occurs.
Fixes: gh-5499
2018-10-31 09:27:25 -05:00
2e6ff72c31
Update SubjectDnX509PrincipalExtractor.java
...
Added missing asterisk
2018-10-17 14:56:45 -05:00
b060ec050a
Automatically add CsrfServerLogoutHandler if csrf enabled
...
The configuration DSL should automatically add CsrfServerLogoutHandler if csrf is enabled
Fixes gh-5337
2018-09-21 00:59:36 -05:00
e4597b5213
WebSessionServerRequestCache ignores favicon and html
...
Fixes: gh-5874
2018-09-19 14:28:05 -05:00
8e4d540bfb
Default Log Out Pages Use HTTPS for CSS
...
Fixes: gh-5873
2018-09-19 13:52:35 -05:00
9c749bf556
Fix SwitchUserFilter matchers
...
Fixes: gh-4249
2018-09-14 09:45:41 -05:00
8b19f7a71a
AntPathRequestMatcher supports UrlPathHelper
...
Fixes: gh-5846
2018-09-14 09:45:41 -05:00
96d85ad2b5
Polish HttpsRedirectWebFilter
...
Issue: gh-5749
2018-09-07 14:29:46 -05:00
2c982a4168
Reactive Redirect to Https
...
This introduces the capability to configure Reactive Spring Security
to upgrade requests to HTTPS
Fixes: gh-5749
2018-09-07 14:25:58 -05:00
21e62683ab
Polish Commit on Reactive Http Basic Test
2018-09-07 10:01:11 -06:00
6df4dfe47b
Reactive HttpBasic Support For Coloned Passwords
...
This makes so that reactive httpBasic supports passwords containing
one or more colons.
2018-09-07 10:01:11 -06:00
1c74706232
Delegating ServerAccessDeniedHandler by exchange
...
Fixes: gh-5747
2018-08-31 10:33:11 -05:00
cb0ba58b58
Fix WhitespaceAfterCheck Checkstyle check
2018-08-27 10:45:35 -05:00
1640a1f462
Polish ServerAuthenticationConverter
...
Fix package tangles
Issue: gh-5338
2018-08-24 09:44:27 -05:00
416a276436
Expose Default Reactive CsrfProtectionMatcher
...
Make so that users can augment the default protection logic with
their own.
Fixes: gh-5725
2018-08-22 13:02:02 -06:00
f5701b5fe0
Fix OptimizeAntPathRequestMatcher
...
Previously the logic for determining if the pathInfo should be appended
was inverted.
This correctly concatenates url + pathInfo if url is a non empty String.
Fixes: gh-5473
2018-08-21 11:52:55 -05:00
4ccd2f7ebd
Optimize AntPathRequestMatcher.getRequestPath()
2018-08-21 11:46:37 -05:00
f382b69507
Add reactive support for Referrer-Policy security header
2018-08-20 10:10:59 -05:00
10621a0f2c
Add reactive support for Content-Security-Policy security header
2018-08-20 10:03:42 -05:00
29cfc3dd1d
Add reactive support for Feature-Policy security header
...
Closes gh-5672
2018-08-20 09:02:12 -05:00
f843da1942
Add OAuth2LoginAuthenticationWebFilter
...
This is necessary so that the saving of the authorized client occurs
outside of the ReactiveAuthenticationManager. It will allow for
saving with the ServerWebExchange when ReactiveOAuth2AuthorizedClientRepository
is added.
Issue: gh-5621
2018-08-19 21:11:43 -05:00
e3eaa99ad0
Polish ServerAuthenticationConverter
...
Update changes for ServerAuthenticationConverter to be passive.
Issue: gh-5338
2018-08-18 19:55:39 -05:00
b6afe66d32
Add ServerAuthenticationConverter interface
...
- Adding an ServerAuthenticationConverter interface
- Retro-fitting ServerOAuth2LoginAuthenticationTokenConverter,
ServerBearerTokenAuthentivationConverter, ServerFormLoginAuthenticationConverter,
and ServerHttpBasicAuthenticationConverter to implement ServerAuthenticationConverter
- Deprecate existing AuthenticationWebFilter.setAuthenticationConverter
and add overloaded one which takes ServerAuthenticationConverter
Fixes gh-5338
2018-08-18 19:55:39 -05:00
c6ea447cc0
Add support for Feature-Policy security header
2018-08-16 09:31:02 -05:00
68878a1675
Replace isEqualTo(null) with isNull()
2018-08-09 18:04:48 -06:00
973af94b42
Fix typo
2018-08-07 22:52:59 -05:00
0c26d1b98a
ServerHttpBasicAuthenticationConverter Validates Scheme Name
...
Fixes: gh-5414
2018-07-31 09:10:23 -05:00
e3d4d66917
BasicAuthenticationFilter case insenstive
...
Fixes: gh-5586
2018-07-31 09:10:10 -05:00
afa2d9cbc7
Remove ExchangeFilterFunctions
...
Issue: gh-5612
2018-07-30 15:34:44 -05:00
262c1a77c6
Remove SecurityHeaders
...
We no longer need this since Spring Framework now provides
HttpHeaders.setBearerAuth
Issue: gh-5612
2018-07-30 15:34:40 -05:00
483e25f821
HttpSessionRequestCache Allow Any SavedRequest
...
Fixes: gh-5585
2018-07-26 15:14:11 -05:00
fa0565109b
Add SimpleSavedRequest
...
Fixes: gh-5581
2018-07-26 15:14:11 -05:00
f48404a6a0
Default Log In Pages Use HTTPS for CSS
...
Fixes: gh-5539
2018-07-18 20:06:17 -05:00
d468d7e6da
Cache Control disabled for 304
...
Fixes: gh-5534
2018-07-17 22:13:33 -05:00
d595098823
Rename @TransientAuthentication to @Transient
...
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.
Issue: gh-5481
2018-07-16 11:31:10 -05:00
28afb4e3d7
Access Denied Handling Defaults
...
This introduces the capability for users to wire denial handling
by request matcher, similar to how users can already do with
authentication entry points.
This is handy for when denial behavior differs based on the contents
of the request, for example, when the Authorization header indicates
an OAuth2 Bearer Token request vs Basic authentication.
Fixes: gh-5478
2018-07-16 10:40:46 -05:00
3c46727be1
Transient Authentication Tokens
...
This commit introduces support for transient authentication tokens
which indicate to the filter chain, specifically the
HttpSessionSecurityContextRepository, whether or not the token ought
to be persisted across requests.
To leverage this, simply annotate any Authentication implementation
with @TransientAuthentication, extend from an Authentication that uses
this annotation, or annotate a custom annotation.
Implementations of SecurityContextRepository may choose to not persist
tokens that are marked with @TransientAuthentication in the same way
that HttpSessionSecurityContextRepository does.
Fixes: gh-5481
2018-07-16 10:40:45 -05:00
a3210c96d9
Default Log Out Page
...
Fixes: gh-5516
2018-07-15 19:45:20 -05:00
05ed028f9d
Modernize Default Log In Page
...
Fixes: gh-5515
2018-07-15 19:43:42 -05:00
c3177a84a3
Override toString() in all RequestMatcher
...
It makes it easier to debug having custom
toString().
Fixes: gh-5446
2018-06-15 11:27:28 -05:00
48ef7c966d
DefaultLoginPageGeneratingFilter escapes OAuth2 ClientRegistrations
...
Fixes gh-5394
2018-05-29 10:14:50 -04:00
b3ca598679
Add WebClient Bearer token support
...
Fixes: gh-5389
2018-05-25 15:17:08 -05:00
6a12415d23
Add DelegatingServerLogoutHandler(List<ServerLogoutHandler> delegates)
...
Issue: gh-4839
2018-05-24 09:44:29 -05:00
8c3fdb3bcf
DelegatingServerLogoutHandler
...
Create a ServerLogoutHandler which delegates to a group of
ServerLogoutHandler implementations.
Fixes gh-4839
2018-05-24 09:39:12 -05:00
73345e7434
Add Cross Site Tracing (XST) & HTTP Method Tampering Protection
...
Fixes: gh-5377
2018-05-24 09:35:40 -05:00
f29e4cf91f
LoginPageGeneratingWebFilter conditionally renders formLogin
...
Issue: gh-4807
2018-05-14 16:38:13 -05:00
7013c6fd76
Add OAuth2LoginSpec
...
Issue: gh-4807
2018-05-11 04:19:50 -05:00
ca9cd20832
Add DelegatingServerAuthenticationSuccessHandler
...
Fixes: gh-5332
2018-05-11 04:19:50 -05:00
d874c4954e
AuthenticationWebFilter handle empty Authentication
...
Fixes: gh-5333
2018-05-11 04:19:50 -05:00
e78457d3a1
Fix checkstyle for CsrfServerLogoutHandlerTests
...
Issue: gh-4840
2018-05-11 04:16:48 -05:00
26f53a20b3
Add CsrfServerLogoutHandler
...
Create a CsrfServerLogoutHandler which invalidates the current CsrfToken
Fixes gh-4840
2018-05-11 04:16:48 -05:00
21750242cf
Add HttpStatusReturningServerLogoutSuccessHandler
...
An HttpStatusReturningServerLogoutSuccessHandler is missing on the
reactive side - essentially the reactive equivalent of
HttpStatusReturningLogoutSuccessHandler.
Fixes gh-5081
2018-05-11 04:03:21 -05:00
bc9f8ec430
Add HttpStatusServerEntryPoint
...
An HttpStatusServerEntryPoint is missing on the
reactive side - essentially the reactive equivalent of
HttpStatusEntryPoint.
Fixes gh-5082
2018-05-11 04:00:49 -05:00
902fc0f657
Fixed confused word in the class javadoc
2018-05-07 16:54:40 -05:00
b3c5bfe4db
CookieServerCsrfTokenRepository fails when cookie is null/empty
...
The CookieServerCsrfTokenRepository fails with an IllegalArgumentException
when a cookie is present but the value is null or empty.
Fixes gh-5315
2018-05-07 16:16:51 -05:00
3ba15a16bf
Polish CookieServerCsrfTokenRepository
...
- Only do work if subscribed to
- use test naming conventions
- Refactor tests to avoid extracting
- Uses String for member names which are not type safe
- Uses long argument list which makes assertions difficult to read
Issue: gh-5083
2018-05-04 16:54:48 -05:00
37b1136c0c
Remove CookieServerCsrfTokenRepository builder methods
...
This is inconsistent with the rest of the code base.
Issue: gh-5083
2018-05-04 16:54:48 -05:00
1eaecc12ec
Add CookieServerCsrfTokenRepository
...
A cookie implementation of ServerCsrfTokenRepository (like CookieCsrfTokenRepository)
is missing. In this implementation it would be nice to allow the setting of the domain as well.
Fixes: gh-5083
2018-05-04 16:54:48 -05:00
0570cebbce
Avoid unnecessary grow of ArrayList
...
Adapted ArrayList size in CacheControlHeadersWriter::createHeaders()
2018-05-04 14:23:31 -05:00
3740d33e64
The HttpHeader's ContentLength is a byte unit
2018-05-04 14:18:03 -05:00
23dd136efb
The HttpHeader's ContentLength is a byte unit
2018-05-04 14:18:03 -05:00
9bb841ac67
ExceptionTranslationFilter does not handle committed responses
...
Fixes: gh-5273
2018-04-30 16:49:51 -05:00
afdefe7b13
Fixes: gh-5190
2018-04-16 17:52:27 -05:00
8fbec3f0f1
Polish NegatedServerWebExchangeMatcher
...
Issue: gh-5170
2018-03-29 21:17:40 -05:00
d83b67e4cb
Add NegatedServerWebExchangeMatcher
...
Fixes: gh-5170
2018-03-29 21:16:11 -05:00
fb7394c1de
Polish Javadoc
...
Fixes: gh-5186
2018-03-29 15:33:57 -05:00
3c07d99b0a
Close quoted expected path in log when matching
2018-03-27 11:14:14 -05:00
d20ed9f5c9
Fix @since for StrictHttpFirewall
2018-03-27 11:01:26 -05:00
d07cfe655d
Use Supplier variants of Assert methods
2018-03-27 10:58:55 -05:00
b1d013e8f0
Fix JDK 9
...
Issue: gh-5160
2018-03-27 09:30:56 -05:00
7e6ed52603
CookieClearingLogoutHandler adds uses contextPath + "/"
...
Fixes: gh-2325
2018-03-19 16:51:22 -05:00
d21338d212
Support errorOnInvalidType for Reactive AuthenticationPrincipal
...
Fixes: gh-5096
2018-03-09 12:05:55 -06:00
a2073b2b91
Support BeanResolver for Reactive AuthenticationPrincipal
...
Fixes: gh-4326
2018-03-09 12:05:55 -06:00
949c7d68b8
Fix StrictHttpFirewall rules
...
Fixes: gh-5044
2018-03-08 21:30:23 -06:00
055a2ca917
Polish Javadoc HttpStatusServerAccessDeniedHandler
2018-03-07 12:35:25 -06:00
9f23212e43
HttpStatusServerAccessDeniedHandler use injected HttpStatus
...
Fixes: gh-5078
2018-03-07 12:35:25 -06:00
8d75554b6b
Lazily Create Throwables
...
Fixes: gh-5040
2018-02-26 16:24:40 -06:00
0fc67f765a
Polish StrictHttpFirewall Javadoc
...
Also cleanup DefaultHttpFirewall Javadoc
Issue: gh-5008
2018-02-15 17:18:28 -06:00
fcf967687b
Add FilterSecurityInterceptor once per request test
...
Issue: gh-4997
2018-02-08 17:11:37 -06:00
40a1281c66
FilterSecurityInterceptor once per request set attr
...
Only set the attribute if once per request is true
2018-02-08 17:10:45 -06:00
ce5fb51b20
Remove Mono.defer in ReactorContextWebFilter
...
Fixes: gh-5010
2018-02-08 16:19:10 -06:00
66298dcf5d
Clean ReactorContextWebFilterTests imports
...
Issue: gh-4962
2018-02-08 16:15:29 -06:00
141e3f581f
ReactorContextWebFilter preserves main Context
...
Previously ReactorContextWebFilter overrode
the main Context.
Fixes: gh-4962
2018-02-08 14:58:08 -06:00
c399987450
Polish StrictHttpFirewall Javadoc
...
Fixes: gh-5008
2018-02-08 14:08:54 -06:00
ea3dd336aa
Cache headers only if no cache headers set
...
Fixes: gh-5004
2018-02-07 14:56:34 -06:00
8b7f772761
Update to Jackson 2.9.4
...
Fixes: gh-4985
2018-02-01 13:45:06 -06:00
0eef5b4b42
Add StrictHttpFirewall
2018-01-24 11:06:08 -06:00
6a0833165a
AuthorizationWebFilter handles null Authentication
...
If the AuthorizationManager used the Authentication and the Authentication
was null the AuthorizationWebFilter would produce a NullPointerException
This commit fixes the test to ensure that Authentication is subscribed to
and ensures that the Authentication is not null
Fixes: gh-4966
2018-01-22 15:16:58 -06:00
921157cdcd
Remove explicit super() calls
2017-12-21 15:11:51 -06:00
57353d18e5
Use diamond type
2017-12-21 15:09:00 -06:00
c16456623f
Remove unused imports
2017-12-20 16:05:38 -06:00
70be0f3619
Mono<CsrfToken> saveToken->Mono<Void>
...
Issue: gh-4856
2017-11-20 16:30:29 -06:00
d55db837e1
CsrfWebFilter places Mono<CsrfToken>
...
Fixes: gh-4855
2017-11-20 16:30:29 -06:00
701933c7f7
Fix copyright start years
...
See gh-4655
See gh-4725
2017-11-17 10:14:32 -06:00
5f518d00e5
Apply Checkstyle EmptyStatementCheck module
...
This commit adds Checkstyle `EmptyStatementCheck` module and aligns code with it.
2017-11-16 20:18:21 -06:00
be397b8b33
WebSessionServerSecurityContextRepository Polish
...
- map(WebSession::getAttributes)
- use Mono.justOrEmpty
Issue: gh-4843
2017-11-16 15:54:33 -06:00
8d30d6110b
WebSessionSecurityContextRepository custom session attribute name
...
Fixes: gh-4843
2017-11-16 15:54:21 -06:00
b7529be3d0
WebSessionSecurityContextRepository changes session id
...
Fixes: gh-4842
2017-11-16 15:46:26 -06:00
John Coyne
Josh Cummings
sunflower-seed
Eric Deandrea
Rob Winch
Tim Koopman
Vedran Pavic
Christoph Dreis
Johnny Lim
Joe Grandja
Artyom Emelyanenko
Alexander Münch
XYUU
Tao Qian
Mark Hobson
json20080301
Eddú Meléndez