spring-security

mirror of https://github.com/spring-projects/spring-security.git synced 2026-04-01 15:06:52 +00:00

Author	SHA1	Message	Date
Rob Winch	5fe29f9cd0	Add AllRequiredFactorsAuthorizationManager.anyOf	2026-03-31 15:17:08 -04:00
Robert Winch	ff820a868e	Polish AllRequiredFactorsAuthorizationManager.anyOf - Add validation - Extract to static inner class - Uniqueness determined by Set rather than requiredFactor This is important for the failure with the same RequiredFactor, but a different reason - Add documentation Signed-off-by: Robert Winch <362503+rwinch@users.noreply.github.com>	2026-03-31 14:03:29 -05:00
Evgeniy Cheban	6b09352a93	Add AllRequiredFactorsAuthorizationManager.anyOf Closes gh-18960 Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>	2026-03-31 13:25:02 -05:00
Joe Grandja	12997b6ab6	Polish oauth2-client tests with missing Content-Type header	2026-03-30 13:40:32 -04:00
Rob Winch	8c4cfe83f8	Merge pull request #19006 from rwinch/main-CredentialRecordOwnerAuthorizationManager Merge Add CredentialRecordOwnerAuthorizationManager	2026-03-29 23:45:21 -04:00
Robert Winch	9d047b6edc	Merge CredentialRecordOwnerAuthorizationManager	2026-03-29 22:24:52 -05:00
Robert Winch	c08329c0c5	Merge CredentialRecordOwnerAuthorizationManager	2026-03-29 22:24:21 -05:00
dependabot[bot]	875b076c39	Bump tools.jackson:jackson-bom from 3.1.0 to 3.1.1 Bumps [tools.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 3.1.0 to 3.1.1. - [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-3.1.0...jackson-bom-3.1.1) --- updated-dependencies: - dependency-name: tools.jackson:jackson-bom dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-30 03:19:13 +00:00
dependabot[bot]	c2441e5a58	Bump com.nimbusds:oauth2-oidc-sdk from 11.35 to 11.37 Bumps [com.nimbusds:oauth2-oidc-sdk](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions) from 11.35 to 11.37. - [Changelog](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/master/CHANGELOG.txt) - [Commits](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/branches/compare/11.37..11.35) --- updated-dependencies: - dependency-name: com.nimbusds:oauth2-oidc-sdk dependency-version: '11.37' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-30 03:18:42 +00:00
Robert Winch	a856baa6a8	Add CredentialRecordOwnerAuthorizationManager Add CredentialRecordOwnerAuthorizationManager that verifies the credential being deleted is owned by the currently authenticated user. Also add an AuthorizationManager<Bytes> to WebAuthnRegistrationFilter for the delete credential operation, defaulting to deny all, and wire it up in WebAuthnConfigurer. Per the WebAuthn specification [1], credential ids contain at least 16 bytes with at least 100 bits of entropy, making them practically unguessable. The specification also advises that credential ids should be kept private, as exposing them can leak personally identifying information [2]. The CredentialRecordOwnerAuthorizationManager serves as defense in depth: even if a credential id were somehow exposed, an unauthorized user could not delete another user's credential. [1] https://www.w3.org/TR/webauthn-3/#credential-id [2] https://www.w3.org/TR/webauthn-3/#sctn-credential-id-privacy-leak	2026-03-29 21:54:27 -05:00
Josh Cummings	036326d70b	Merge branch '7.0.x'	2026-03-27 16:49:33 -06:00
Josh Cummings	611786e4b5	Merge branch '6.5.x' into 7.0.x	2026-03-27 16:49:26 -06:00
Josh Cummings	ac63cf4fa5	Polish CustomAuthorizationManager Docs Issue gh-13967 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>	2026-03-27 16:45:25 -06:00
as1605	f6bb55effb	Fix documentation for Custom Authorization Manager Closes gh-13967 Signed-off-by: as1605 <1605.aditya.singh@gmail.com>	2026-03-27 16:45:25 -06:00
Josh Cummings	c489136515	Merge branch '7.0.x'	2026-03-27 16:40:04 -06:00
Josh Cummings	6020ab8e65	Polish CustomAuthorizationManager Docs Issue gh-13967 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>	2026-03-27 16:36:00 -06:00
as1605	3076367168	Fix documentation for Custom Authorization Manager Closes gh-13967 Signed-off-by: as1605 <1605.aditya.singh@gmail.com>	2026-03-27 16:36:00 -06:00
Josh Cummings	2c32a9a969	Merge branch '7.0.x'	2026-03-27 16:10:36 -06:00
Josh Cummings	721b22d87a	Merge remote-tracking branch 'origin/6.5.x' into 7.0.x	2026-03-27 16:10:18 -06:00
Tran Ngoc Nhan	85b756cb74	Update `FilterChainProxy#getFilters(String)` javadoc Closes gh-18157 Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2026-03-27 16:09:50 -06:00
Andrey Litvitski	b92c072501	add tests Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>	2026-03-27 15:26:57 -06:00
Andrey Litvitski	6335caabae	polish Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>	2026-03-27 15:26:57 -06:00
Andrey Litvitski	c3e0b98b7e	Use idiomatic Kotlin in custom filter documentation This will make Kotlin and all users more native and readable. Closes: gh-18967 Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>	2026-03-27 15:26:57 -06:00
Ziqin Wang	acbf64a47d	Improve And/Or-RequestMatcher/ServerWebExchangeMatcher API Currently, the List-receiving constructors of AndRequestMatcher, OrRequestMatcher, AndServerWebExchangeMatcher, and OrServerWebExchangeMatcher don't support covariance, which adds obstacles to users of these APIs. For example, one cannot pass a List<PathPatternRequestMatcher> to OrRequestMatcher(List<RequestMatcher>). This commit resolves the aforementioned problem. It should not break existing code. Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>	2026-03-27 15:24:55 -06:00
Joe Kuhel	46e27aa693	Remove compiler warnings in spring-security-web - fix compiler warnings in ServerOneTimeTokenAuthenticationConverter - Replace deprecated API calls to create a OneTimeTokenAuthenticationToken.unauthenticated with OneTimeTokenAuthenticationToken(String token) call - Update HttpMessageConverterAuthenticationSuccessHandler to replace deprecated MappingJackson2HttpMessageConverter with JacksonJsonHttpMessageConverter - Replace updated OneTimeTokenAuthenticationConverter to use non-deprecated OneTimeTokenAuthenticationToken constructor - update tests to remove use of deprecated methods - refactor JdbcTokenRepositoryImpl to remove extension of deprecated JdbcDaoSupport class - enable compile-warnings-error plugin Closes gh-18441 Signed-off-by: Joe Kuhel <4983938+jkuhel@users.noreply.github.com>	2026-03-27 15:14:55 -06:00
dependabot[bot]	441e0fc976	Bump org.apereo.cas.client:cas-client-core from 4.0.4 to 4.1.0 Bumps [org.apereo.cas.client:cas-client-core](https://github.com/apereo/java-cas-client) from 4.0.4 to 4.1.0. - [Release notes](https://github.com/apereo/java-cas-client/releases) - [Commits](https://github.com/apereo/java-cas-client/compare/cas-client-4.0.4...cas-client-4.1.0) --- updated-dependencies: - dependency-name: org.apereo.cas.client:cas-client-core dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-27 19:45:26 +00:00
Josh Cummings	41efee0d35	Merge branch '7.0.x'	2026-03-27 13:27:15 -06:00
Josh Cummings	0ce76d2c5d	Merge branch '6.5.x' into 7.0.x	2026-03-27 13:27:03 -06:00
dependabot[bot]	66cf02c6b0	Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 Bumps [spring-io/spring-gradle-build-action](https://github.com/spring-io/spring-gradle-build-action) from 2.0.5 to 2.0.6. - [Release notes](https://github.com/spring-io/spring-gradle-build-action/releases) - [Commits](`efc55f07f4...c8668747d7`) --- updated-dependencies: - dependency-name: spring-io/spring-gradle-build-action dependency-version: 2.0.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-27 13:26:10 -06:00
dependabot[bot]	7441ce7f16	Bump spring-io/spring-security-release-tools/.github/workflows/perform-release.yml Bumps [spring-io/spring-security-release-tools/.github/workflows/perform-release.yml](https://github.com/spring-io/spring-security-release-tools) from 1.0.14 to 1.0.15. - [Release notes](https://github.com/spring-io/spring-security-release-tools/releases) - [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc) - [Commits](`729fed56d4...b92832ecbc`) --- updated-dependencies: - dependency-name: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml dependency-version: 1.0.15 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-27 13:25:46 -06:00
dependabot[bot]	9dbcd8cf00	Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml Bumps [spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml](https://github.com/spring-io/spring-security-release-tools) from 1.0.14 to 1.0.15. - [Release notes](https://github.com/spring-io/spring-security-release-tools/releases) - [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc) - [Commits](`729fed56d4...b92832ecbc`) --- updated-dependencies: - dependency-name: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml dependency-version: 1.0.15 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-27 13:25:35 -06:00
Josh Cummings	63e0d66811	Merge branch '7.0.x'	2026-03-27 13:23:08 -06:00
Josh Cummings	e6db4418b0	Merge branch '6.5.x' into 7.0.x	2026-03-27 13:22:44 -06:00
Josh Cummings	835d6c1fbd	Add Issuer Validation to withIssuerLocation Snippets Closes gh-19000 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>	2026-03-27 13:22:24 -06:00
Josh Cummings	95b6dc753a	Merge branch '7.0.x'	2026-03-27 12:14:47 -06:00
Josh Cummings	9fb3e14989	Merge branch '6.5.x' into 7.0.x	2026-03-27 12:14:41 -06:00
Josh Cummings	fc90a1ffeb	Merge branch '7.0.x'	2026-03-27 12:13:54 -06:00
Josh Cummings	de14d9684f	Add Reference Docs for DelegatingJwtGrantedAuthoritiesConverter Issue gh-18300 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>	2026-03-27 12:13:49 -06:00
Josh Cummings	2c90edd7b7	Merge branch '6.5.x' into 7.0.x	2026-03-27 12:12:27 -06:00
Josh Cummings	95b2cdf7f4	Clarify JavaDoc Removed note about DelegatingJwtGrantedAuthoritiesConverter from ExpressionJwtGrantedAuthoritiesConverter and further explained in DelegatingJwtGrantedAuthoritiesConverter where it comes in handy. Issue gh-18300 Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>	2026-03-27 11:48:56 -06:00
dependabot[bot]	d5d466b0eb	Bump org.jetbrains.dokka from 2.1.0 to 2.2.0 Bumps [org.jetbrains.dokka](https://github.com/Kotlin/dokka) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/Kotlin/dokka/releases) - [Commits](https://github.com/Kotlin/dokka/compare/v2.1.0...v2.2.0) --- updated-dependencies: - dependency-name: org.jetbrains.dokka dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-27 03:17:45 +00:00
dependabot[bot]	2970d2baf9	Bump org.jetbrains.dokka:dokka-gradle-plugin from 2.1.0 to 2.2.0 Bumps [org.jetbrains.dokka:dokka-gradle-plugin](https://github.com/Kotlin/dokka) from 2.1.0 to 2.2.0. - [Release notes](https://github.com/Kotlin/dokka/releases) - [Commits](https://github.com/Kotlin/dokka/compare/v2.1.0...v2.2.0) --- updated-dependencies: - dependency-name: org.jetbrains.dokka:dokka-gradle-plugin dependency-version: 2.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-27 03:17:37 +00:00
dependabot[bot]	826f5d6d72	Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 Bumps [spring-io/spring-gradle-build-action](https://github.com/spring-io/spring-gradle-build-action) from 2.0.5 to 2.0.6. - [Release notes](https://github.com/spring-io/spring-gradle-build-action/releases) - [Commits](`efc55f07f4...c8668747d7`) --- updated-dependencies: - dependency-name: spring-io/spring-gradle-build-action dependency-version: 2.0.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-27 00:46:59 +00:00
Rob Winch	f0e71a8bc4	Merge pull request #18990 from rwinch/7.0.x-gh-18970-null-oncommitted Merge Handle null value in OnCommittedResponseWrapper header methods	2026-03-26 17:33:33 -04:00
Rob Winch	4704aea72a	Merge pull request #18991 from rwinch/main-gh-18970-null-oncommitted Merge Handle null value in OnCommittedResponseWrapper header methods	2026-03-26 17:31:43 -04:00
Rob Winch	3ecf84855e	Merge pull request #18989 from rwinch/gh-18970-null-oncommitted Merge Handle null value in OnCommittedResponseWrapper header methods	2026-03-26 17:29:33 -04:00
Robert Winch	9f67afee42	Merge Handle null value in OnCommittedResponseWrapper header methods	2026-03-26 15:58:12 -05:00
Robert Winch	2848b95fe0	Merge Handle null value in OnCommittedResponseWrapper header methods	2026-03-26 15:44:49 -05:00
Robert Winch	0039bc0cf0	Handle null value in OnCommittedResponseWrapper header methods Closes gh-18970	2026-03-26 14:50:44 -05:00
dependabot[bot]	aff736903d	Bump picomatch from 2.3.1 to 2.3.2 in /javascript Bumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2) --- updated-dependencies: - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-25 21:48:06 +00:00

1 2 3 4 5 ...

20728 Commits