Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-04-19 07:20:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
8,721 Commits 49 Branches 376 Tags
Commit Graph

909 Commits

Author SHA1 Message Date
Marcus Hert da Coregio
02285708eb Adjust createNewSessionIfAllowed to prevent NPE 
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
 2021-05-26 15:13:55 -03:00
Craig Andrews
a85ce9c91f
Add guard around logger.debug statement 
The log message involves string concatenation, the cost of which
should only be incurred if debug logging is enabled

Issue gh-9648
 2021-04-16 10:54:10 -06:00
佚名
22d7043d01
Add null check in CsrfFilter and CsrfWebFilter 
Solve the problem that CsrfFilter and CsrfWebFilter
throws NPE exception when comparing two byte array
is equal in low JDK version.

When JDK version is lower than 1.8.0_45, method
java.security.MessageDigest#isEqual does not verify
whether the two arrays are null. And the above two
class call this method without null judgment.

ZiQiang Zhao<1694392889@qq.com>

Closes gh-9561
 2021-04-09 21:55:30 -06:00
Rob Winch
419839d05c Optimize HttpSessionSecurityContextRepository 
Closes gh-9387
 2021-02-11 13:00:31 -06:00
Rob Winch
38e9e8ca52 Optimize HttpSessionSecurityContextRepository 
Closes gh-9387
 2021-02-11 13:00:31 -06:00
Josh Cummings
10946e8153
Polish Tests 
Issue gh-9331
 2021-02-03 09:30:27 -07:00
happier233
3cb98ebed0
Configure CurrentSecurityContextArgumentResolver BeanResolver 
Closes gh-9331
 2021-02-03 09:24:22 -07:00
Rob Winch
e6d6b39767 Constant Time Comparison for CSRF tokens 
Closes gh-9291
 2021-01-20 16:17:25 -06:00
Rob Winch
b08075a721 Fix CsrfWebFilter error message when expected CSRF not found 
Closes gh-9337
 2021-01-12 11:30:12 -06:00
Tomoki Tsubaki
e44471331b
Create the CSRF token on the bounded elactic scheduler 
The CSRF token is generated by UUID.randomUUID() which is I/O blocking operation.
This commit changes the subscriber thread to the bounded elactic scheduler.

Closes gh-9018
 2020-09-16 09:01:45 -06:00
Rob Winch
070706d948 LoginPageGeneratingWebFilter honors context path 
Closes gh-8807
 2020-07-07 13:36:35 -05:00
Joe Grandja
38c1e3ffa8 OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException 
Issue gh-8609
 2020-06-09 15:27:32 -04:00
Eleftheria Stein
2ebbb6f80a Mock request with non-standard HTTP method in test 
Fixes gh-8594
 2020-05-26 15:38:53 -04:00
cbornet
b6efd5ba76 Create the CSRF token on the bounded elactic scheduler 
The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.

Fixes gh-8128
 2020-05-18 11:05:50 -05:00
Artyom Tarynin
9e665388d2 Update AntPathRequestMatcher.java 
Fixes gh-8512
 2020-05-13 17:07:45 -04:00
Rob Winch
06a02ed4bb Fix non-standard HTTP method for CsrfWebFilter 
Closes gh-8452
 2020-05-11 17:28:40 -05:00
Rob Winch
566c25aa10 Fix example in javadoc of FilterChainProxy 
Closes gh-8344
 2020-04-08 09:12:56 -05:00
Rob Winch
0e6e2b2a21 Fix HttpServlet3RequestFactory Logout Handlers 
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.

This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.

Closes gh-4760
 2020-03-30 20:50:12 -05:00
Josh Cummings
034c23d46c
SwitchUserFilter Defaults to POST 
Fixes gh-4183
 2020-03-27 14:25:28 -06:00
Zeeshan Adnan
dfa78804a8 Fix exception for empty basic auth header token 
fixes spring-projectsgh-7976
 2020-03-16 16:05:14 -04:00
AmitB
2ce9eef95e Fix typo in AntPathRequestMatcher contructor comment 2020-03-02 07:14:27 -06:00
Joe Grandja
82cd203791 Remove unnecessary mocking 
Fixes gh-8012
 2020-02-23 19:35:16 -05:00
Josh Cummings
bae50ecc05
AbstractSecurityWebApplicationInitializerTests groovy->java 
Issue gh-4939
 2020-02-10 10:38:39 -07:00
Josh Cummings
cb9fd09150
Change AuthenticationWebFilter's constructor 
Fixes gh-7872
 2020-01-31 09:31:28 -07:00
Peter Keller
e62fb755e8 Set charset of BasicAuthenticationFilter converter 
Allow BasicAuthenticationFilter to pick up the given credentials charset.

Fixes: gh-7835
 2020-01-23 15:34:35 +01:00
Onur Kağan Özcan
1f6381d970 Set secure on cookie when logging out 
Mark cookie secure flag to ensure cookie identity is the same
 2020-01-13 11:01:33 +01:00
Rob Winch
ffccec953f Fix HttpHeaderWriterWebFilterTests 
Ensure setComplete() is subscribed to
 2020-01-09 14:24:35 -06:00
Onur Kağan Özcan
2015f392ef Set secure when cancelling remember-me cookie 
AbstractRememberMeServices is setting remember-me cookie with checking request is secure or secure usage is independently set to a fixed flag.
But when cancelling a cookie, cookie is not being marked secure or not. It produces an inconsistency when using secure flag as a part to identity of cookie.
 2019-12-20 16:04:31 +01:00
Rob Winch
a8331ba7ed CompositeServerHttpHeadersWriter Executes Sequentially 
Fixes gh-7731
 2019-12-12 11:23:56 -06:00
David Herberth
64e063d948 switches web authentication principal resolver to use reactive context 
gh #6598

Signed-off-by: David Herberth <github@dav1d.de>
 2019-12-12 15:33:23 +01:00
Rob Winch
8e53c3f269 DelegatingServerAuthenticationSuccessHandler Executes Sequentially 
Fixes gh-7728
 2019-12-12 08:32:44 -06:00
Rob Winch
73babc3314 DelegatingServerLogoutHandler Executes Sequentially 
Fixes gh-7723
 2019-12-11 15:39:27 -06:00
Joe Grandja
4d9cee116c Display general error message when WebFlux oauth2Login() fails 
Issue gh-5562 gh-6484
 2019-12-05 16:54:31 -05:00
Filip Hrisafov
796859333f Log full failed authentication exception in BasicAuthenticationFilter 2019-11-27 14:56:24 +01:00
Josh Cummings
5f17032ffd Restore Removed Throws Clauses 
In a recent clean-up, certain exceptions were removed from various
throws clauses.

This PR re-introduces throws clauses that are important for one of the
following reasons:

1. It's a method on a public interface
2. It's a method clearly designed for inheritance, for example, a
method stub, an abstract method, or indicated as such in the docs.

Fixes gh-7541
 2019-10-30 12:13:54 -06:00
Rob Winch
635f7e1edd CsrfWebFilter supports multipart/form-data 
Fixes gh-7576
 2019-10-28 14:06:10 -05:00
Filip Hrisafov
b9f122230b Align javadoc of continueFilterChainOnUnsuccessfulAuthentication with actual behaviour 2019-10-23 14:50:57 -04:00
Michel Palourdio
d26f40f062 DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path. 2019-10-23 09:41:00 -04:00
Tadaya Tsuyukubo
62c7de03c3 Add RequestMatcher to AbstractPreAuthenticatedProcessingFilter 
Moved the existing auth check logic to the matcher.

Issue: gh-5928
 2019-10-22 16:55:54 -04:00
Eleftheria Stein
264daec697 Test context relative URL with multiple schemes 2019-10-16 15:32:02 -04:00
Josh Cummings
b764af6b9b
CookieServerCsrfTokenRepositoryTests Leading Dot 
ResponseCookie removed support for having a leading dot in the cookie
domain.

Fixes gh-7500
 2019-09-30 08:39:45 -06:00
Josh Cummings
7949dd492a
Move DelegatingServerAuthenticationSuccessHandlerTests 
Moved from src/test/groovy to src/test/java

Issue gh-5332
 2019-09-27 16:57:43 -06:00
Josh Cummings
5f905232cb
Polish CurrentSecurityContextArgumentResolvers 
Fixes gh-7487
 2019-09-27 13:19:08 -06:00
Rob Winch
00f8991fac Merge Remove Redudant Throws 
Fixes gh-7301
 2019-09-19 11:04:53 -05:00
Onur Kagan Ozcan
034b5e9e93 Introduce LogoutSuccessEvent 
LogoutSuccessEvent is a simple AbstractAuthenticationEvent implementation which indicates successful logout.

By default, LogoutConfigurer will add a new LogoutHandler called LogoutSuccessEventPublishingLogoutHandler to publish this event.

This PR will also fix ConcurrentSessionFilter's composite logoutHandler, now will get LogoutHandler instances from LogoutConfigurer for consistency.

Fixes gh-2900
 2019-09-18 10:57:16 -05:00
Josh Cummings
7576dc44d7
AuthenticationFilter Session Fixation Protection 
Fixes gh-7446
 2019-09-17 08:17:09 -06:00
Josh Cummings
496a2cdc60
Make AuthenticationFilter methods private 
Fixes gh-7447
 2019-09-17 08:06:21 -06:00
Josh Cummings
aa12748c9b Add Request-level CSRF Skip 
Fixes gh-7367
 2019-09-13 19:04:05 +01:00
Eleftheria Stein
9f0986a093 Fix javadoc typo for invalid session strategy 2019-09-09 16:51:14 -04:00
Filip Hanik
08d50868c9
Merge pull request #7260 from fhanik/feature/saml2-sp-mvp 
Add SAML Service Provider Support
 2019-09-05 17:04:14 -07:00