Commit Graph

11288 Commits

Author SHA1 Message Date
Rob Winch c1a6cea60a Defer CsrfFilter Session Access
Closes gh-11456
2022-08-16 11:31:27 -05:00
Rob Winch 5b64526ba9 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-15 17:07:02 -05:00
Rob Winch 666f175225 LazyCsrfTokenRepository#loadToken Supports Deferring Delegation
Previously LazyCsrfTokenRepository supported lazily saving the CsrfToken
which allowed for lazily saving the CsrfToken. However, it did not
support lazily reading the CsrfToken. This meant every request required
reading the CsrfToken (often the HttpSession).

This commit allows for lazily reading the CsrfToken and thus prevents
unnecessary reads to the HttpSession.

Closes gh-11700
2022-08-15 17:07:02 -05:00
Rob Winch faf9fb7337 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:46 -05:00
Rob Winch 9f00045638 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:30 -05:00
Rob Winch 002a770f13 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:12 -05:00
Rob Winch ce778b0e20 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:25:15 -05:00
Rob Winch f33d7253b6 GitHubMilestoneApiTests due_on Uses LocalDate
`GitHubMilestoneApiTests` uses `Instant.now()` for `due_on`. Since
`Instant.now()` is UTC time based,
`isMilestoneDueTodayWhenDueTodayThenTrue` fails when the computer that runs
the test is not the same day as it is in UTC time.

To fix it, `due_on` should be set to an `Instant` based upon the timezone
of the current computer.

Closes gh-11706
2022-08-15 13:04:29 -05:00
Rob Winch d8ae2c8763 GitHubMilestoneApiTests due_on Uses LocalDate
`GitHubMilestoneApiTests` uses `Instant.now()` for `due_on`. Since
`Instant.now()` is UTC time based,
`isMilestoneDueTodayWhenDueTodayThenTrue` fails when the computer that runs
the test is not the same day as it is in UTC time.

To fix it, `due_on` should be set to an `Instant` based upon the timezone
of the current computer.

Closes gh-11706
2022-08-15 13:03:10 -05:00
Rob Winch c7b39eed58 GitHubMilestoneApiTests due_on Uses LocalDate
`GitHubMilestoneApiTests` uses `Instant.now()` for `due_on`. Since
`Instant.now()` is UTC time based,
`isMilestoneDueTodayWhenDueTodayThenTrue` fails when the computer that runs
the test is not the same day as it is in UTC time.

To fix it, `due_on` should be set to an `Instant` based upon the timezone
of the current computer.

Closes gh-11706
2022-08-15 13:02:32 -05:00
Rob Winch 4473c3f7d0 GitHubMilestoneApiTests due_on Uses LocalDate
`GitHubMilestoneApiTests` uses `Instant.now()` for `due_on`. Since
`Instant.now()` is UTC time based,
`isMilestoneDueTodayWhenDueTodayThenTrue` fails when the computer that runs
the test is not the same day as it is in UTC time.

To fix it, `due_on` should be set to an `Instant` based upon the timezone
of the current computer.

Closes gh-11706
2022-08-15 13:01:58 -05:00
github-actions[bot] 1510460a1a Next development version 2022-08-15 16:14:19 +00:00
github-actions[bot] db74e9d128 Next development version 2022-08-15 16:07:33 +00:00
github-actions[bot] c188b70c88 Next development version 2022-08-15 16:06:45 +00:00
github-actions[bot] 4559d269e0 Release 5.6.7 2022-08-15 15:25:05 +00:00
github-actions[bot] 173d74d693 Release 5.7.3 2022-08-15 15:24:54 +00:00
github-actions[bot] 063e56ce8b Release 5.8.0-M2 2022-08-15 15:24:27 +00:00
Josh Cummings 66cb3e02d0
Update org.springframework.data to 2021.2.2
Closes gh-11698
2022-08-11 14:20:52 -06:00
Josh Cummings 74675ef793
Update org.springframework to 5.3.22
Closes gh-11697
2022-08-11 14:20:48 -06:00
Josh Cummings a92ac82c4b
Update jsonassert to 1.5.1
Closes gh-11696
2022-08-11 14:20:45 -06:00
Josh Cummings db638c2a77
Update org.jetbrains.kotlinx to 1.6.4
Closes gh-11695
2022-08-11 14:20:41 -06:00
Josh Cummings f884527c1b
Update hibernate-entitymanager to 5.6.10.Final
Closes gh-11694
2022-08-11 14:20:38 -06:00
Josh Cummings dbd174418f
Update org.eclipse.jetty to 9.4.48.v20220622
Closes gh-11693
2022-08-11 14:20:35 -06:00
Josh Cummings 2eeee99d2e
Update io.projectreactor to 2020.0.22
Closes gh-11691
2022-08-11 14:20:28 -06:00
Josh Cummings e8c56420bf
Update mockk to 1.12.5
Closes gh-11690
2022-08-11 14:20:24 -06:00
Marcus Da Coregio 627809d2dc Update org.springframework.data to 2021.1.6
Closes gh-11686
2022-08-10 14:52:51 -03:00
Marcus Da Coregio 4b1d7e9479 Update org.springframework to 5.3.22
Closes gh-11685
2022-08-10 14:52:51 -03:00
Marcus Da Coregio d9980a4dfe Update jsonassert to 1.5.1
Closes gh-11684
2022-08-10 14:52:51 -03:00
Marcus Da Coregio 8eb7e589eb Update hibernate-entitymanager to 5.6.10.Final
Closes gh-11683
2022-08-10 14:52:51 -03:00
Marcus Da Coregio 0d7dce9d71 Update org.eclipse.jetty to 9.4.48.v20220622
Closes gh-11682
2022-08-10 14:52:51 -03:00
Marcus Da Coregio da09788be9 Update io.projectreactor to 2020.0.22
Closes gh-11680
2022-08-10 14:52:51 -03:00
Rob Winch 425b3501b7 Remove `@Configuration` from `@Enable*` Annotations
This removes `@Configuration` from all `@Enable` Annotations and explicitly
adds `@Configuration` to wherever the `@Enable*` Annotations are used.

Closes gh-11653
2022-08-09 17:00:24 -05:00
Rob Winch a5069d7e35 Fix Add @Configuration to @Enable*Security Usage
Issue gh-6613
2022-08-09 17:00:16 -05:00
Marcus Da Coregio ead587c597 Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:32:42 -03:00
Marcus Da Coregio 6a2ca52aae Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:32:10 -03:00
Marcus Da Coregio 24bb83e2c7 Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:31:45 -03:00
Marcus Da Coregio 1c4d6ed098 Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:30:15 -03:00
Igor Bolic 2e66b9f6cc Allow customization of redirect strategy
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.

Closes gh-11373
2022-08-08 15:44:01 -05:00
Igor Bolic efaee4e56b Allow customization of redirect strategy
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.

Closes gh-11373
2022-08-08 15:35:49 -05:00
Rob Winch c23324e7a7 RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
2022-08-08 14:14:12 -05:00
Rob Winch 269c711a64 RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
2022-08-08 13:52:56 -05:00
Rob Winch c9f8d2b111 RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
2022-08-08 13:52:12 -05:00
Josh Cummings ed58ac7d78
Add Conditions to Generating AuthnRequest
Closes gh-11657
2022-08-03 17:49:48 -06:00
Josh Cummings 9e8a04d414
Polish Tests
Issue gh-11657
2022-08-03 17:49:46 -06:00
Josh Cummings c2d79fcbd6
Add Conditions to Generating AuthnRequest
Closes gh-11657
2022-08-03 17:34:31 -06:00
Josh Cummings aa225943d2
Polish Tests
Issue gh-11657
2022-08-03 17:34:26 -06:00
Marcus Da Coregio f8971742f2 Remove FilterSecurityInterceptor from WebSecurity
Closes gh-11325
2022-08-02 15:34:02 -03:00
Scott Shidlovsky 508f7d7b8a Update OpenSamlAuthenticationRequestResolverTests from Junit 4 to Junit 5 2022-08-02 08:02:22 -06:00
Scott Shidlovsky 947445fcc5 Add ID to Saml2 Post and Redirect Requests
Closes gh-11468
2022-08-02 08:02:22 -06:00
Joshua Sattler 040111ae9e Remove Configuration meta-annotation from Enable* annotations
Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration.
While convenient, this is not consistent with the rest of the Spring projects and most notably
Spring Framework's @Enable annotations. Additionally, the introduction of support for
@Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to
remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow
users to opt into their preferred configuration mode.

Closes gh-6613

Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org>
2022-07-30 03:48:42 +02:00