e774bd480b
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12261
2022-11-21 10:25:43 -03:00
f561d3784e
Improve deprecation notice in WebSecurityConfigurerAdapter
...
Closes gh-12260
2022-11-21 10:05:08 -03:00
dd9f954ace
Fix tests in CsrfConfigurerTests
...
Closes gh-12241
2022-11-18 14:58:41 -06:00
5da78f44f2
Merge branch '5.8.x'
2022-11-18 14:54:33 -06:00
ea6ce05662
Add configurer tests for CookieCsrfTokenRepository
...
Issue gh-12236
2022-11-18 13:12:59 -06:00
2ed7cff643
Check for existing token before clearing
...
Closes gh-12236
2022-11-18 13:12:59 -06:00
e08ed89403
Polish Span and Meter Names
...
Closes gh-12156
2022-11-17 15:09:52 -07:00
222f8ae1a5
Merge branch '5.8.x'
2022-11-16 16:54:32 -06:00
2301e8ca77
Fix Javadoc in EnableWebSocketSecurity
...
Add missing method name in EnableWebSocketSecurity JavaDoc code example.
2022-11-16 16:51:42 -06:00
c45cd6ec9f
Defer ObservationRegistry Resolution
...
- If Method Security asks for too early, it is no longer
eligible for post-processing. As such, this commit defers loading it until
the first authorization request.
Issue gh-11990
2022-11-09 22:07:57 -07:00
3b5d19c8a4
Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1
...
Closes gh-12146
Closes gh-12148
2022-11-08 08:34:21 -03:00
72c25332a5
Fix authenticationFailureHandler customization tests
...
Issue gh-12132
2022-11-03 10:32:38 -03:00
fc8e20b89f
Merge branch '5.8.x'
...
Closes gh-12133
2022-11-02 15:49:18 -06:00
3192618220
Add authenticationFailureHandler
...
- To ServerHttpSecurity#httpBasic
- To ServerHttpSecurity#oauthResourceServer
Closes gh-12132
2022-11-02 15:35:01 -06:00
983f1d4efb
Merge branch '5.8.x'
...
Closes gh-12127
2022-11-01 18:08:08 -06:00
6622e0135a
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12126
2022-11-01 18:06:41 -06:00
6efac34ca7
Merge branch '5.6.x' into 5.7.x
...
Closes gh-12125
2022-11-01 18:06:01 -06:00
5c4362bbc4
Refresh parsers when not found
...
Closes gh-3065
2022-11-01 18:05:15 -06:00
d860775b45
Document Defer load CsrfToken
...
Closes gh-12105
2022-10-28 15:41:25 -05:00
abe68abfe4
Merge remote-tracking branch 'origin/5.8.x'
2022-10-26 17:13:02 -06:00
bd4e0fb5db
Set LogoutRequestRepository on Saml2 LogoutSuccessHandler
...
Closes gh-11363
2022-10-26 16:44:23 -06:00
9cb668aec2
SessionManagementConfigurer properly defaults SecurityContextRepository
...
Previously the default was an HttpSessionSecurityContextRepository which
meant that if a stateless authentication occurred the SecurityContext would
be lost on ERROR dispatch.
This commit ensures that the RequestAttributeSecurityContextRepository is
also consulted by default.
Closes gh-12070
2022-10-20 10:57:47 -05:00
a4858d9eaa
Add SpringTestContext.addFilter
...
Add SpringTestContext.addFilter which allows Spring Security's tests
to specify a Filter to be added to the SpringTestContext.
Closes gh-12071
2022-10-20 10:54:24 -05:00
33b492df54
Default to DelegatingSecurityContextRepository
...
Closes gh-12023
Closes gh-12049
2022-10-17 20:04:43 -05:00
bd43c1f28a
Merge branch '5.8.x'
...
# Conflicts:
# web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
# web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
c75ca10900
Add DeferredSecurityContext
...
Issue gh-12023
2022-10-17 19:33:58 -05:00
819529f5ea
Remove CsrfSpec.tokenFromMultipartDataEnabled
...
Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled
Closes gh-12020
2022-10-13 11:29:15 -05:00
753e113a13
RequestMatcherDelegatingAuthorizationManager defaults to deny
...
Closes gh-11958
2022-10-13 11:12:00 -04:00
2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
...
Closes gh-11960
2022-10-13 09:39:57 -05:00
2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
...
Issue gh-11960
2022-10-13 09:39:55 -05:00
2713075d08
Mark Observations with Firewall Failures
...
Closes gh-11994
2022-10-12 20:32:24 -06:00
46ab84684b
Mark Observations with CSRF Failures
...
Closes gh-11993
2022-10-12 20:32:23 -06:00
99a87179dd
Instrument Filter Chain
...
Closes gh-11911
2022-10-12 20:32:22 -06:00
8c610684f3
Instrument Authentication and Authorization
...
Closes gh-11989
Closes gh-11990
2022-10-12 20:32:21 -06:00
7c872cf7fd
Merge branch '5.8.x'
2022-10-12 15:02:40 -05:00
440748ec65
Add test support for Xor CSRF tokens
...
Issue gh-4001
2022-10-12 15:02:15 -05:00
27059ced87
Default X-Xss-Protection header value to "0"
...
Closes gh-9631
2022-10-07 17:42:55 -05:00
dcda899c8c
Merge branch '5.8.x'
2022-10-07 17:40:37 -05:00
37fa49b32d
Polish gh-11952
2022-10-07 17:40:12 -05:00
6753f9745e
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
# docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
f462134e87
Add reactive support for BREACH
...
Closes gh-11959
2022-10-07 16:34:17 -05:00
f4ca90e719
Add reactive interfaces for CSRF request handling
...
Issue gh-11959
2022-10-07 16:34:16 -05:00
398f5dee7f
Remove deprecated RequestMatcher methods from Java Configuration
...
Closes gh-11939
2022-10-07 15:26:46 -03:00
9fd195d419
Default to shouldFilterAllDispatcherTypes=true in XML
...
Closes gh-11970
2022-10-07 11:46:20 -03:00
146d3269bc
Merge branch '5.8.x'
...
Closes gh-11971
2022-10-07 10:28:14 -03:00
f3321c256c
Add XML support for shouldFilterAllDispatcherTypes
...
Closes gh-11492
2022-10-07 10:20:32 -03:00
f650ebe545
Merge branch '5.8.x'
2022-10-06 13:50:50 -03:00
8a5aed2983
Add deprecation warning to CsrfDsl#ignoringAntMatchers
...
Issue gh-11347
2022-10-06 13:50:38 -03:00
d6302aabbc
Merge branch '5.8.x'
2022-10-06 13:21:52 -03:00
bc4ad52feb
Add deprecation warning to mvcMatchers methods
...
Issue gh-11347
2022-10-06 13:21:27 -03:00
12b9f2e196
use-authorization-manager defaults to true
...
Closes gh-11929
2022-10-06 08:12:46 -06:00
52ab2303da
Fix failing test
...
Issue gh-11061
2022-10-06 09:28:06 -03:00
c4d23f2b49
Use MvcRequestMatcher by default if Spring MVC is present
...
Closes gh-11899
2022-10-06 09:12:04 -03:00
12ac7acb2c
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 23:53:40 -06:00
2079309c5a
Add SecurityContextHolderStrategy XML Configuration for OAuth2
...
Issue gh-11061
2022-10-05 23:50:59 -06:00
7543effe89
Add SecurityContextHolderStrategy Java Configuration for OAuth2
...
Issue gh-11061
2022-10-05 23:50:58 -06:00
7e3841105b
Add SecurityContextHolderStrategy XML Configuration for Saml2
...
Issue gh-11061
2022-10-05 23:50:57 -06:00
19181a5afd
Add SecurityContextHolderStrategy Java Configuration for Saml2
...
Issue gh-11061
2022-10-05 23:50:56 -06:00
0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy
...
Issue gh-11061
2022-10-05 23:38:14 -06:00
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 22:48:33 -06:00
b4d13e7726
Polish use-authorization-manager
...
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together
Issue gh-11305
2022-10-05 22:21:09 -06:00
7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests
...
Issue gh-11665
2022-10-05 22:18:41 -06:00
8b490de08d
Merge branch '5.8.x'
...
# Conflicts:
# docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
dce1c30522
Add support for BREACH
...
Closes gh-4001
2022-10-05 14:21:13 -05:00
6bbf20be93
Fix failing tests
...
Issue gh-11952
2022-10-05 14:19:40 -05:00
a7000a053b
Merge branch '5.8.x'
2022-10-05 13:46:26 -05:00
1d706ae13d
Add csrfTokenRequestResolver to CsrfDsl
...
Closes gh-11952
2022-10-05 13:35:23 -05:00
c2ed65c67a
Fix failing tests
...
Issue gh-9159
2022-10-05 14:59:33 -03:00
22ba358e57
Merge branch '5.8.x'
2022-10-05 13:44:54 -03:00
bf6e85ec15
Accept String varargs in securityMatcher
...
Issue gh-9159
2022-10-05 13:44:08 -03:00
76d7a85bc0
Use modified classpath test support for tests that depend on the classpath
...
Issue gh-11347
2022-10-04 15:32:19 -03:00
77dcc691b3
Add modified classpath test support
...
Closes gh-11951
2022-10-04 15:32:18 -03:00
5002199be3
Revert "Disable tests that need Spring MVC mocked in classpath"
...
This reverts commit c6978fba7c
2022-10-04 15:32:18 -03:00
35f7e46d05
Remove WebSecurityConfigurerAdapter
...
Closes gh-10902
2022-10-04 15:13:04 -03:00
3bc76815c2
Update csrf.request-handler-ref in 6.0
...
Issue gh-11918
2022-10-04 11:24:54 -05:00
5de6da890b
Merge branch '5.8.x'
...
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
c6978fba7c
Disable tests that need Spring MVC mocked in classpath
...
Issue gh-11347
2022-10-04 08:56:06 -03:00
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
...
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler
Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
c847efd3fd
Fix servlet import
...
Issue gh-11347
Issue gh-9159
2022-10-03 15:10:56 -05:00
c98de7af2f
Add xss-protection.header-value in 6.0
...
Issue gh-9631
2022-10-03 14:31:04 -05:00
7c3cc1e386
Merge branch '5.8.x'
2022-10-03 14:29:51 -05:00
0e215a21ad
Add X-Xss-Protection headerValue to XML config
...
Issue gh-9631
2022-10-03 14:29:34 -05:00
ad2abd39dc
Merge branch '5.8.x'
...
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
039e0328e1
Simplify Java Configuration RequestMatcher Usage
...
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity
Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
d9a682a414
Polish gh-11896
2022-10-03 10:00:43 -05:00
bf9339d88e
Merge branch '5.8.x'
2022-10-03 09:57:40 -05:00
7f9600ae08
Polish gh-11896
2022-10-03 09:57:08 -05:00
5f2744db33
Merge branch '5.8.x'
...
Closes gh-11937
2022-10-03 11:43:22 -03:00
64a19de4dc
Deprecate HPKP security header
...
Closes gh-10144
2022-10-03 11:36:19 -03:00
4479cefade
Default Require Explicit Session Management = true
...
Closes gh-11763
2022-09-30 21:49:05 -05:00
0d58c5180e
Remove Explicit RequestCache Config from DeferHttpSession Tests
...
Issue gh-11757
2022-09-30 21:49:05 -05:00
12a0ccf6de
Remove Explicit CSRF Config from DeferHttpSessionTests
...
Issue gh-11764
2022-09-30 21:49:04 -05:00
617353eaa8
Merge branch '5.8.x'
...
Closes gh-11928
2022-09-30 21:46:26 -05:00
6d56af7b65
SessionManagementDsl.requireExplicitAuthenticationStrategy
2022-09-30 21:37:44 -05:00
76fbca9f46
Merge branch '5.8.x'
2022-09-30 09:50:02 -05:00
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
...
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".
This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.
This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.
Issue gh-9631
2022-09-30 09:38:08 -05:00
3bfdf6dd0f
Merge branch '5.8.x'
...
Closes gh-11922
2022-09-29 11:21:24 -03:00
cf3349f31a
Configure ContentNegotiationStrategy in HttpSecurityConfiguration
...
Closes gh-11916
2022-09-29 11:21:08 -03:00
506e50bfd0
Move Saml2 Authentication Filters
...
Issue gh-8819
2022-09-26 10:44:27 -06:00
181ee7410b
Change default authority for oauth2Login()
...
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.
* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER
Documentation has been updated to include this implementation detail.
Closes gh-7856
2022-09-26 10:06:31 -05:00
37a160245f
Adjust OAuth2 Resource Server packaging
...
Closes gh-7349
2022-09-23 16:31:21 -06:00
21c0c73878
Remove request-resolver-ref in 6.0
...
Issue gh-11896
2022-09-23 16:04:35 -05:00
bcb21c9384
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
...
Closes gh-11896
2022-09-23 15:09:00 -05:00
3c66ef6305
Change default SecurityContextRepository
...
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.
Closes gh-11026
2022-09-22 17:31:14 -05:00
0efe26c1fd
Merge branch '5.8.x'
...
Closes gh-11894
2022-09-22 13:47:04 -05:00
d94677f87e
CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
...
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.
Closes gh-11892
2022-09-22 11:09:44 -05:00
44b7847258
Fix Import Order
...
Issue gh-8819
2022-09-21 09:08:41 -06:00
70460ca009
Adjust OAuth2 Resource Server packaging
...
Closes gh-7349
2022-09-20 17:44:05 -06:00
61c80bcac5
Move Saml2 Authentication Filters
...
Closes gh-8819
2022-09-20 17:18:05 -06:00
48e31f87e4
Remove Deprecated OpenSAML 3 Support
...
Closes gh-10556
2022-09-20 16:57:38 -06:00
46f402243b
Merge remote-tracking branch 'origin/5.8.x'
2022-09-20 16:11:16 -06:00
3f8503f1b4
Deprecate AccessDecisionManager et al
...
Closes gh-11302
2022-09-20 16:09:59 -06:00
bd18c05a27
Use mock class instead of interface on mock's return
...
Issue gh-11860
2022-09-16 15:57:43 -03:00
1a1a8a7a46
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt
2022-09-14 14:11:10 -05:00
45bbd86f7e
HttpSecurityDsl should support apply method
...
Closes gh-11754
2022-09-14 13:58:42 -05:00
1aee40dcca
Polish gh-11665
...
* Add authentication-converter-ref to 6.0
* Add @Configuration to test configs
2022-09-14 10:41:42 -05:00
2431dd1103
Merge branch '5.8.x'
2022-09-13 17:38:10 -05:00
355ef21117
Polish gh-11665
2022-09-13 16:45:39 -05:00
1efb63387f
Add authentication converter for introspected tokens
...
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).
The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).
The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.
Closes gh-11661
2022-09-13 16:45:36 -05:00
088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
...
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
ed41a60aae
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
# config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
# web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
86fbb8db07
Add new interfaces for CSRF request processing
...
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
7bf2d3dc4e
Update DeferHttpSession Tests
...
Closes gh-11764
2022-08-31 14:40:06 -05:00
7d6552b3f4
gh-11772
2022-08-31 13:33:53 -05:00
3de421be3a
Remove setAuthenticationManager from HttpSecurityConfiguration
...
Closes gh-11776
2022-08-31 15:14:45 -03:00
f1b79e08cb
Merge branch '5.8.x'
2022-08-30 13:10:51 -05:00
6b297cc3a3
Polish javadoc in Kotlin DSL
...
Issue gh-11646
2022-08-30 13:10:35 -05:00
3eac274317
Merge branch '5.8.x'
2022-08-30 12:59:19 -05:00
5bdbc3f78d
Polish javadoc in Kotlin DSL
...
Issue gh-11646
2022-08-30 12:53:37 -05:00
2e26e875c8
Remove WebSecurityConfigurerAdapter in Kotlin DSL
...
Issue gh-11277
Closes gh-11646
2022-08-30 12:53:18 -05:00
41ede20712
Add method-security.mode to spring-security-6.0.xsd
2022-08-29 16:05:20 -05:00
2efc8dcd15
Default Require Explicit Save SecurityContext
...
Closes gh-11762
2022-08-29 10:16:04 -05:00
b1fd9af723
Merge remote-tracking branch 'origin/5.8.x' into main
2022-08-26 16:01:40 -06:00
0f58620643
Add AspectJ AuthorizationManager Support
...
Closes gh-11326
2022-08-26 15:59:08 -06:00
f84f08c4b9
Default HttpSessionRequestCache.matchingRequestParameterName=continue
...
Closes gh-11757
2022-08-26 14:44:55 -05:00
210693eb6b
Add @Configuration
...
Issue gh-6613
Issue gh-9401
2022-08-25 15:30:48 -06:00
84f765a89c
Merge remote-tracking branch 'origin/5.8.x' into main
2022-08-25 14:46:48 -06:00
e990174c89
Polish ReactiveMethodSecurity Support
...
- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @Deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well
Issue gh-9401
Polish
2022-08-25 14:36:03 -06:00
cbb4f40f0c
ReactiveAuthorizationManager + Reactive Method Security
...
Closes gh-9401
2022-08-25 14:35:04 -06:00
670b71363d
Merge branch '5.8.x'
...
Closes gh-11749
2022-08-23 16:03:50 -05:00
2fb625db84
Remove mockito deprecations
...
Issue gh-11748
2022-08-23 15:59:52 -05:00
a8d6c1d21f
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:58:22 -03:00
c7912c551b
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:51:53 -03:00
0aac515737
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:35:41 -03:00
3826fca567
Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
...
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService
Closes gh-11449
Closes gh-11726
2022-08-19 09:33:08 -03:00
888c65a936
Add DeferHttpSession*Tests
...
Closes gh-6125
2022-08-18 17:38:03 -05:00
81d6b6df6c
Add Explicit SessionAuthenticationStrategy Option
...
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.
This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.
Closes gh-11455
2022-08-18 17:38:03 -05:00
1de810a565
Add DeferHttpSession*Tests
...
Closes gh-6125
2022-08-18 17:00:47 -05:00
89f8310d6c
Add Explicit SessionAuthenticationStrategy Option
...
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.
This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.
Closes gh-11455
2022-08-18 17:00:47 -05:00
Marcus Da Coregio
Steve Riesenberg
Josh Cummings
Jan Marten
Koos Gadellaa
Rob Winch
mmoussa_mapfreusa
Joe Grandja
Daniel Garnier-Moiroux
Daniel Garnier-Moiroux
slam
ch4mpy
Evgeniy Cheban