Commit Graph

1324 Commits

Author SHA1 Message Date
Marcus Da Coregio 547056d5cc Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10590
2022-01-05 14:06:47 -03:00
Marcus Da Coregio ba810e468f Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains
Closes gh-10554
2022-01-05 14:01:57 -03:00
Marcus Da Coregio 40dfe8f259 Add RequestMatcherEntry 2022-01-05 14:00:47 -03:00
Marcus Da Coregio b448954f43 Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10590
2022-01-05 13:57:36 -03:00
Marcus Da Coregio 18427b6411 Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains
Closes gh-10554
2021-12-13 08:57:30 -03:00
Marcus Da Coregio 7e17a00197 Add RequestMatcherEntry 2021-12-13 08:57:30 -03:00
Marcus Da Coregio 53b8cff26f Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10590
2021-12-13 08:57:30 -03:00
Marcus Da Coregio 65426a40ec Add Cross Origin Policies headers
Add DSL support for Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers

Closes gh-9385, gh-10118
2021-12-07 17:23:06 +01:00
Steve Riesenberg 62e8799a8d Use BDD in tests 2021-12-02 17:44:47 -06:00
Steve Riesenberg df0f6f83af Polish gh-9597 2021-12-02 17:44:47 -06:00
Karl Tinawi 925d531cbe Set details on authentication token created by HttpServlet3RequestFactory
Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.

This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.

Closes gh-9579
2021-12-02 17:44:46 -06:00
Steve Riesenberg 47b8860681 Update copyright year
Issue gh-10557
2021-12-01 17:36:52 -06:00
Steve Riesenberg c7ffd2513a Update copyright year
Issue gh-10557
2021-12-01 17:36:19 -06:00
Steve Riesenberg bb2d80fea3 Update copyright year
Issue gh-10557
2021-12-01 17:35:43 -06:00
Steve Riesenberg 828cac8889 Fix case sensitive headers comparison
Closes gh-10557
2021-12-01 15:19:33 -06:00
Steve Riesenberg f49c286050 Fix case sensitive headers comparison
Closes gh-10557
2021-12-01 15:05:13 -06:00
Steve Riesenberg b3e0f167ff Fix case sensitive headers comparison
Closes gh-10557
2021-12-01 15:01:06 -06:00
Josh Cummings 1251cde04c Add Missing Since
Issue gh-10482
2021-11-30 15:17:48 -07:00
Igor Pelesic a3a9de1b9b PermitAllSupport supports AuthorizeHttpRequestsConfigurer
PermitAllSupport supports either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer. If none or both are configured an error message is thrown.

Closes gh-10482
2021-11-30 15:17:22 -07:00
Steve Riesenberg 204f0b4599 Polish gh-10007 2021-11-30 15:27:58 -06:00
Guirong Hu 43317c5a61 Support IP whitelist for Spring Security Webflux
Closes gh-7765
2021-11-30 15:27:58 -06:00
Marcus Da Coregio 2bf7a5ae80 Improve log message when no CSRF token found
Closes gh-10436
2021-11-19 08:37:25 -03:00
Rob Winch 96a6fef820 Prevent Save @Transient Authentication with existing HttpSession
Previously, @Transient Authentication would get saved if an existing
HttpSession existed but it shouldn't.

This commit always prevents @Transient Authentication from being saved.

Closes gh-9992
2021-11-16 14:44:49 -06:00
Marcus Da Coregio caad3d57e2 Improve log message when no CSRF token found
Closes gh-10436
2021-10-29 14:06:17 -03:00
Marcus Da Coregio 00f4033b9b Update DefaultWebInvocationPrivilegeEvaluator to use current ServletContext
Closes gh-10208
2021-10-22 13:22:12 -03:00
Rob Winch e4a76b0ec9 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-22 10:19:34 -05:00
Emil Sierżęga 04b47c5928 Fixed various broken links in Javadocs 2021-10-21 11:47:04 +02:00
Emil Sierżęga a188138715 Javadocs author tag doesn't work in methods 2021-10-21 11:47:04 +02:00
Rob Winch f836897190 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-18 21:03:35 -05:00
Rob Winch e1f4ec1137 Fix Jackson 2021-10-18 21:03:12 -05:00
Josh Cummings 6e86fab19d Restructure SwitchUserFilter Logs
Issue gh-6311
2021-10-18 13:02:42 -05:00
Marcus Da Coregio faec20bc69 Update DefaultWebInvocationPrivilegeEvaluator to use current ServletContext
Closes gh-10208
2021-10-14 09:27:02 -03:00
Josh Cummings 7b98c2ea95 Restructure SwitchUserFilter Logs
Issue gh-6311
2021-10-12 13:32:29 -06:00
Marcus Da Coregio 02b2fcc6f0 Restore ManagementConfigurationPlugin
Issue gh-9615
2021-10-05 11:23:29 -03:00
Marcus Da Coregio d2e5f2ae0d Update Gradle to 7.2
Closes gh-9615
2021-10-04 15:19:40 -03:00
Eleftheria Stein 7d81a52780 Allow AuthenticationPrincipal argument type to be primitive
Closes gh-10172
2021-10-04 16:22:21 +02:00
heowc 84d173c310 Fix typo 2021-09-27 10:55:18 -03:00
Bogdan Ilchyshyn a4c088a3b3 Introducing WebSessionServerLogoutHandler
Closes gh-4838
2021-08-16 13:08:35 -06:00
Hiroshi Shirosaki 6f3e346b76 Add SecurityContextHolder#addListener
Closes gh-10032
2021-08-11 17:12:13 -06:00
Josh Cummings b8d51725c7 Immutable SecurityContext
Issue gh-10032
2021-08-11 17:12:13 -06:00
Rob Winch f73f213f50 Remove DependencySetPlugin
Closes gh-10070
2021-07-12 15:31:38 -05:00
Rob Winch f800d2c993 Add hamcrest dependency 2021-07-09 15:57:21 -05:00
Rob Winch b6ff4d3674 Fix mockito UnnecessaryStubbingException 2021-07-09 14:35:10 -05:00
Rob Winch 3e93b024d6 openrewrite Junit Migration 2021-07-09 14:32:52 -05:00
Rob Winch 14240b2559 Remove Powermock
Powermock does not support JUnit5 yet, so we need to remove it
to support JUnit 5. Additionally, maintaining additional libraries
adds extra work for the team.

Mockito now supports final classes and static method mocking. This
commit replaces Powermock with mockito-inline.

Closes gh-6025
2021-07-08 12:35:32 -05:00
Evgeniy Cheban d121ab9565 Support A Well-Known URL for Changing Passwords
Closes gh-8657
2021-07-01 16:57:53 -06:00
Alexey Markevich 3219fd554d DigestAuthenticationFilter decodes nonce only once
Closes gh-8455
2021-06-18 15:25:00 -04:00
Steve Riesenberg 3bb8e1d200 Remove redundant translations in spring-security-web 2021-06-15 09:18:13 -05:00
Ruben Suarez Alvarez 7cd344acab
Add spanish translation of insufficient authentication and cookie stolen 2021-06-15 09:11:53 -05:00
Josh Cummings ca76c54471
Polish CsrfWebFilterTests
Issue gh-9113
2021-06-04 16:41:08 -06:00
Tomoki Tsubaki 0c8b6df82a
Cache Mono that generate the CSRF token
Closes gh-9113
2021-06-04 16:41:08 -06:00
AlexeyAnufriev baac9e0cf2 Properly clean cookies with context path after logout
Closes gh-8846
2021-06-04 15:42:33 +02:00
Marcus Hert da Coregio 29f4193529 Adjust createNewSessionIfAllowed to prevent NPE
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
2021-05-26 13:46:08 -03:00
Marcus Hert da Coregio 2a7998d0fc Adjust createNewSessionIfAllowed to prevent NPE
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
2021-05-26 10:36:44 -06:00
César Revert cf74ad3a52 Anonymous in ExceptionTranslationWebFilter
The ExceptionTranslationWebFilter does not support correctly when
anonymous authentication is enabled. With this enabled provoked always
the execution of the access denied handler, and with this fix it
behaves like the ExceptionTranslationFilter (servlet), executing the
access denied handler only if the principal is not empty and neither
anonymous.

Closes gh-9130
2021-05-26 09:17:41 -05:00
Craig Andrews a7fbae8355 Add test for RequestedUrlRedirectInvalidSessionStrategy 2021-05-26 09:11:38 -05:00
Craig Andrews 0e6d47b082 Add guard around debug logging involving string concatenation 2021-05-26 09:11:38 -05:00
Craig Andrews 0af74ce134 Use ServletUriComponentsBuilder instead of UrlPathHelper 2021-05-26 09:11:38 -05:00
Craig Andrews 2bcd4627fa Eliminate use of Optional 2021-05-26 09:11:38 -05:00
Craig Andrews 10a264c144 Add RequestedUrlRedirectInvalidSessionStrategy implemention of InvalidSessionStrategy
Performs a redirect to the original request URL when an invalid requested session is detected.

In effect, when a user's session times out, the user is redirected to URL they originally requested instead of some fixed URL.
2021-05-26 09:11:38 -05:00
Josh Cummings df6ebc7051
Rename DelegatingAuthorizationManager
Closes gh-9692
2021-04-28 09:53:25 -06:00
Thomas Vitale e2993d93e1 Make Csrf cookie secure flag configurable (WebFlux)
Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository.

Closes gh-9678
2021-04-27 09:34:12 +02:00
Josh Cummings cb6e4f4a11
Add NPE Guards
- Like values, names are only validated if they are not null

Closes gh-9598
2021-04-22 11:22:19 -06:00
Craig Andrews 7dc4de05b1 Add guard around logger.debug statement
The log message involves string concatenation, the cost of which should only be incurred if debug logging is enabled
2021-04-16 10:32:58 -06:00
Josh Cummings 4f7d529c5d
Polish Csrf Tests
Issue gh-9561
2021-04-09 22:47:31 -06:00
佚名 87ed527023
Add null check in CsrfFilter and CsrfWebFilter
Solve the problem that CsrfFilter and CsrfWebFilter
throws NPE exception when comparing two byte array
is equal in low JDK version.

When JDK version is lower than 1.8.0_45, method
java.security.MessageDigest#isEqual does not verify
whether the two arrays are null. And the above two
class call this method without null judgment.

ZiQiang Zhao<1694392889@qq.com>
2021-04-09 21:43:19 -06:00
Rob Winch f3f1106624 Update io.spring.javaformat to 0.0.27
Closes gh-9553
2021-04-05 22:23:59 -05:00
Rob Winch 60d3db5798 add management platform(project(":spring-security-dependencies"))
Closes gh-9540
2021-04-05 10:36:36 -05:00
Rob Winch 1a76ee7442 Update Gradle configuration names
Closes gh-9540
2021-04-05 10:36:36 -05:00
Eleftheria Stein 4a492846f1 Revert "Lock dependencies for 2.5.0-M3"
This reverts commit f05cc6269c.
2021-03-15 23:18:45 +01:00
Eleftheria Stein f05cc6269c Lock dependencies for 2.5.0-M3 2021-03-15 11:00:19 +01:00
Rob Winch 95da12110b
Additional Test for HttpSessionSecurityContextRepository
Issue gh-9387
2021-02-11 15:58:29 -07:00
Rob Winch 3116369f02
Optimize HttpSessionSecurityContextRepository
Closes gh-9387
2021-02-11 15:58:28 -07:00
Josh Cummings c4be1c6a56
Revert "Lock Dependencies"
This reverts commit a85caa4098.
2021-02-11 15:49:59 -07:00
Josh Cummings a85caa4098
Lock Dependencies 2021-02-11 15:00:38 -07:00
Josh Cummings 107f38fff9
Polish Tests
Issue gh-9331
2021-02-03 09:05:31 -07:00
happier233 873b9bdbca
Configure CurrentSecurityContextArgumentResolver BeanResolver
Closes gh-9331
2021-02-03 09:05:31 -07:00
Evgeniy Cheban 77484018bb Reconsider AntPathRequestMatcher matching logic
Closes gh-9285
2021-01-19 12:02:06 -07:00
Rob Winch 0201c31deb Fix Checkstyle for CsrfWebFilter
Issue gh-9337
2021-01-12 11:37:12 -06:00
Rob Winch a1083d9a5c Fix CsrfWebFilter error message when expected CSRF not found
Closes gh-9337
2021-01-12 11:18:29 -06:00
Josh Cummings 160a4a3676
Reformat MvcRequestMatcher
- Moved related private methods together

Issue gh-9284
2021-01-11 08:28:59 -07:00
Evgeniy Cheban 8449df9fd2
Consider Aligning MvcRequestMatcher's matching methods
Closes gh-9284
2021-01-09 21:42:16 +03:00
Zeeshan Adnan 848bd44837
Remove unused code
Issue gh-9203
2020-12-18 11:49:52 -07:00
Rob Winch 40e027c56d Constant Time Comparison for CSRF tokens
Closes gh-9291
2020-12-17 15:01:43 -06:00
Josh Cummings c066e23a86
Add @since attributes
Issue gh-8900
2020-12-16 15:58:53 -07:00
Evgeniy Cheban 34b4b1054f Add AuthorizationManager
Closes gh-8900
2020-12-16 15:58:36 -07:00
Nick McKinney 5306d4c4d5 Minor cleanup on Ant / Regex Request Matchers
- Removed duplicative code for transforming String into HttpMethod
 - Removed an unnecessary array initialization
2020-12-14 14:19:23 +01:00
Nick McKinney 6be25df1db Introduced DispatcherType request matcher
Created a DispatcherTypeRequestMatcher and corresponding methods
for configuring an HttpSecurity object. This enables filtering of
security rules based on the dispatcher type of the incoming servlet
request.

Closes gh-9205
2020-12-14 14:19:23 +01:00
Christophe Gilles 54d3839f63 Add permissionsPolicy http header 2020-12-11 12:32:18 +01:00
Serdar Kuzucu 48ef27b80a Make assertion messages in CookieCsrfTokenRepository clearer
Changes assertion message format from 'X is not null' to
'X cannot be null' since this is more meaningful when the error
occurs and the message is printed in the logs.

Closes gh-9195
2020-12-09 10:45:22 -06:00
Serdar Kuzucu 76e117a67a Allow maximum age of csrf cookie to be configured
Allows maxAge of the generated cookie by CookieCsrfTokenRepository
to be configurable.

Prior to this commit, maximum age was set with a value of -1.

After this commit, it will be configured by the user with an either
positive or negative value. If the user does not provide a value,
it will be set -1.

An IllegalArgumentException will be thrown when
this value is set to zero.

Closes gh-9195
2020-12-09 10:45:22 -06:00
Josh Cummings f614a8230c
Polish getRemoteUser
- Corrected instanceof check

Issue gh-3357
2020-12-03 13:08:40 -07:00
Stephen Joyner 9c373ef4f8
getRemoteUser() returns principal name
Closes gh-3357
2020-12-03 13:08:40 -07:00
Eleftheria Stein 7f482eda7d Fix CookieRequestCache for URL encoded query parameters
Avoid populating the saved request parameters with encoded values. Since the query strings of the request and saved URL are compared and must be equal, we can just use the parameters from the incoming request.

Closes gh-9203
2020-11-26 18:16:42 +01:00
Aditya Sekhar 4cc3c25a0e removed whitespace formatting 2020-11-13 15:01:17 -06:00
Aditya Sekhar a26975f780 cleanup compatibility method based on spring-projects#8868 2020-11-13 15:01:17 -06:00
zhuang ff58ac836e
Decode cookie once in AbstractRememberMeServices
Issue gh-9192
2020-11-09 08:14:20 -05:00
Eleftheria Stein 34a21cd80c Fix formatting 2020-11-09 13:46:09 +01:00
Eleftheria Stein 5661e06e9c Fix typo UserDetailService -> UserDetailsService 2020-11-09 13:13:32 +01:00
Arnaud Mergey 2b9efccc50 Implement MessageSourceAware where missing
Closes gh-8951
2020-11-05 10:57:33 -07:00
Joe Grandja b95e1aa209 Revert "Lock dependencies for 5.5.0-M1"
This reverts commit 25a7482c8c.
2020-11-03 19:53:28 -05:00
Rob Winch 25a7482c8c Lock dependencies for 5.5.0-M1 2020-10-30 17:52:03 -05:00
Alexander Polozov a362ab53bc Change guard expressions order
Check of allowed user sessions count moved to head for avoid unnecessary fetching all user sessions.
2020-10-27 09:49:29 -04:00
Phillip Webb c502312719 Replace expected @Test attributes with AssertJ
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb 20baa7d409 Replace ExpectedException @Rules with AssertJ
Replace JUnit ExpectedException @Rules with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb 910b81928f Replace try/catch with AssertJ
Replace manual try/catch/fail blocks with AssertJ calls.
2020-09-22 16:13:51 -06:00
Tomoki Tsubaki 65f788532e Fix broken Mono chain
This commit restore broken Mono chain in WebSessionServerCsrfTokenRepository.generateToken(ServerWebExchange).

Closes gh-9017
2020-09-16 09:53:23 -06:00
Tomoki Tsubaki 2c297fbd63 Create the CSRF token on the bounded elactic scheduler
The CSRF token is generated by UUID.randomUUID() which is I/O blocking operation.
This commit changes the subscriber thread to the bounded elactic scheduler.

Closes gh-9018
2020-09-16 08:48:00 -06:00
Joe Grandja 7b1f574769 Revert "Lock Dependency Versions for 5.4.0"
This reverts commit 3d0e459182.
2020-09-09 18:14:12 -04:00
Joe Grandja 3d0e459182 Lock Dependency Versions for 5.4.0 2020-09-09 13:45:03 -04:00
Eleftheria Stein-Kousathana 02d1516c56
Restructure BasicAuthenticationFilter Logs
Issue gh-6311
2020-09-02 07:42:03 -06:00
Josh Cummings fa7baf551d
Restructure Logs
Followed common use cases based off of HelloWorld sample:
  - Public endpoint
  - Unauthorized endpoint
  - Undefined endpoint
  - Successful form login
  - Failed form login
  - Post-login redirect

Issue gh-6311
2020-09-02 07:37:59 -06:00
Phillip Webb 319d3364aa Migrate to assertThatExceptionOfType
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb ef8f113619 Use assertThat instead of Java assert
Fix `DefaultSavedRequestMixinTests` so that `assertThat` is used rather
than Java's `assert` keyword.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb a5aa6b3d7f Remove blank lines from all tests
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 5bdd757108 Polish spring-security-web main code
Manually polish `spring-security-web` following the formatting
and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb ee661f7b71 Fix whitespace issues in format-off code
Fix a few whitespace issues in format-off code that would
otherwise fail checkstyle.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d3f039f76 Reduce method visibility when possible
Reduce method visibility for package private classes when possible.

In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ec6a4cb3f0 Use consistent equals/hashCode/toString order
Ensure that `equals` `hashCode` and `toString` methods always appear in
the same order. This aligns with the style used in Spring Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 612fb22a7f Remove unnecessary lambda blocks
Remove lambda blocks that aren't needed and replace instead with a
simple expression.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 52f20b5281 Use parenthesis with single-arg lambdas
Use regular expression search/replace to ensure all single-arg
lambdas have parenthesis. This aligns with the style used in Spring
Boot and ensure that single-arg and multi-arg lambdas are consistent.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 01d90c9881 Hide utility class constructors
Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ff94944313 Add whitespace after copyright header
Add an additional lines after the copyright header and before the
`package` declaration. This aligns with the style used by Spring
Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 31ec450d05 Remove superfluous comments
Remove a few comments that previously add noise but don't offer a great
deal of value.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d80166aaf Update exception variable names
Consistently use `ex` for caught exception and `cause` for Exception
constructor arguments.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb e9130489a6 Remove restricted static imports
Replace static imports with class referenced methods. With the exception
of a few well known static imports, checkstyle restricts the static
imports that a class can use. For example, `asList(...)` would be
replaced with `Arrays.asList(...)`.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 9a3fa6e812 Simplify boolean returns
Simplify boolean returns of the form:

	if (b) {
		return true;
	} else {
		return false;
	}

to:

	return b;

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb db55ef4b3b Migrate to BDD Mockito
Migrate Mockito imports to use the BDD variant. This aligns better with
the "given" / "when" / "then" style used in most tests since the "given"
block now uses Mockito `given(...)` calls.

The commit also updates a few tests that were accidentally using
Power Mockito when regular Mockito could be used.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb c12ced6aaa Migrate SwitchUserWebFilterTests AssertJ
Replace the JUnit Assertions used in `SwitchUserWebFilterTests` with
AssertJ. This test appears to have been missed during the original
AssertJ migration.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb f1cee9500f Ensure classes are defined in their own files
Ensure that all classes are defined in their own files. Mostly classes
have been changed to inner-types.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 4d487e8dc3 Ensure all files end with a new line
Update all files to ensure that they always end with a new-line
character.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 81fe9fc640 Make all exception classes immutable
Update all exception classes so that they are fully immutable and cannot
be changed once they have been thrown.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a0b9442265 Use consistent modifier order
Update code to use a consistent modifier order that aligns with that
used in the "Java Language specification".

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 3e700e7571 Remove (non-Javadoc) comments
Search and replace using '(?s)/\*\s*\* \(non-Javadoc\).*?\*/' to remove
all "(non-Javadoc)" comments. These comments used to be added
automatically by Eclipse, but are not really necessary.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a2f2e9ac8d Move inner-types so that they are always last
Move all inner-types so that they are consistently the last item
defined. This aligns with the style used by Spring Framework and
the consistency generally makes it easier to scan the source.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 9e08b51ed3 Apply code cleanup rules to projects
Apply automated cleanup rules to add `@Override` and `@Deprecated`
annotations and to fix class references used with static methods.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 8866fa6fb0 Always use 'this.' when accessing fields
Apply an Eclipse cleanup rules to ensure that fields are always accessed
using `this.`. This aligns with the style used by Spring Framework and
helps users quickly see the difference between a local and member
variable.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 6894ff5d12 Make classes final where possible
Update classes that have private constructors so that they are also
declared final. In a few cases, inner-classes used private constructors
but were subclassed. These have now been changed to have package-private
constructors.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb b5d499e2eb Remove empty block
Refactor a few classes so that empty blocks are not longer used. For
example, rather than:

	if(x) {
	} else {
		i++;
	}

use:

	if(!x) {
		i++;
	}

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 37fa94fafc Organize imports
Use "organize imports" from Eclipse to cleanup import statements so
that they appear in a consistent and well defined order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 5f64f53c3f Use consistent "@" tag order in Javadoc
Ensure that Javadoc "@" tags appear in a consistent and well defined
order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 71bc145ae4 Remove superfluous comments
Use '^\s+//\ \~\ .*$' and '^\s+//\ ============+$' regular expression
searches to remove superfluous comments.

Prior to this commit, many classes would have comments to indicate
blocks of code (such as constructors/methods/instance fields). These
added a lot of noise and weren't all that helpful, especially given
the outline views available in most modern IDEs.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb b7fc18262d Reformat code using spring-javaformat
Run `./gradlew format` to reformat all java files.

Issue gh-8945
2020-08-24 17:32:56 -05:00
Phillip Webb 27ac046d8a Rename *Test.java -> *Tests.java
Rename a few test classes that accidentally ended in `Test` instead of
`Tests`.

Issue gh-8945
2020-08-10 16:24:44 -05:00
Joe Grandja 1d74d556c2 Revert "Lock Dependency Versions for 5.4.0-RC1"
This reverts commit f3a1e5d40c.
2020-08-05 14:59:11 -04:00
Joe Grandja f3a1e5d40c Lock Dependency Versions for 5.4.0-RC1 2020-08-05 13:46:11 -04:00
Artur Otrzonsek b22c50c4a8 Reactive SwitchUserWebFilter for user impersonation
Closes gh-8599
2020-07-22 16:05:31 +02:00
Josh Cummings b61bf49d07
Polish gh-8824 2020-07-21 10:47:37 -06:00
Dávid Kováč 37aa5f9b7c Introduce AuthenticationConverterServerWebExchangeMatcher
AuthenticationConverterServerWebExchangeMatcher is ServerWebExchangeMatcher implementation based on AuthenticationConverter which matches if ServerWebExchange can be converted to Authentication.
It can be used as a matcher where SecurityFilterChain should be matched based on used authentication method.
BearerTokenServerWebExchangeMatcher was replaced by this matcher.

Closes gh-8824
2020-07-21 10:11:57 -06:00
Eleftheria Stein e902be7ab9 Use String to specify custom HTTP method in test
Closes gh-8592
2020-07-21 15:47:11 +02:00
Eleftheria Stein fb936e2780 Polish CookieRequestCacheTests
Issue gh-8817
Issue gh-8820
2020-07-21 15:02:21 +02:00
majian 41f26b768a Improve request matching logic when using cookie
- Repair request cache deleted by mistake
- Fix RequestCache throw exception and error redirect.

Closes gh-8820
Closes gh-8817
2020-07-21 15:02:21 +02:00
Roman Sydorov 896b324722 Updated SimpleSavedRequest#getMethod
Before:
1. SimpleSavedRequest#getMethod returned null
2. SimpleSavedRequest(SavedRequest request) constructor did not set the method field from request

After:
1. SimpleSavedRequest#getMethod returns method property value
2. SimpleSavedRequest(SavedRequest request) constructor sets the method field from request

Closes gh-8675
2020-07-08 14:47:51 -06:00
Rob Winch 09fe6071e1 LoginPageGeneratingWebFilter honors context path
Closes gh-8807
2020-07-07 13:34:55 -05:00
Eleftheria Stein 4fb5ff35db Polish CookieRequestCache
Issue gh-8034
2020-07-02 13:41:37 +02:00
Zeeshan Adnan 9708a2d63f Adds cookie based RequestCache
fixes spring-projectsgh-8034
2020-07-02 07:11:16 -04:00
Josh Cummings 146d0b6358
Revert "Lock Dependency Versions for 5.4.0-M2"
This reverts commit 68538897c8.
2020-07-01 13:11:50 -06:00
Josh Cummings 68538897c8
Lock Dependency Versions for 5.4.0-M2 2020-07-01 12:40:29 -06:00
michal e113bd3c01 issue 5414 - configurable secure flag in CookieCsrfTokenRepository
While using the request's "isSecure" flag is a reasonable default, when webapps sit behind firewalls, sometimes the firewall does the SSL, and the traffic between the firewall and the app is plain HTTP (not HTTPS). In this case the "isSecure" flag on the request is always false, but we still want th XSRF-TOKEN cookie to be secure (the firewall forwards all cookies to the app, and the browser sends the secure cookie to the firewall).

It would be nice if we could configure the desired value for the secure flag of the cookie, just like we can configure the value for the httpOnly flag of the cookie.
2020-06-25 14:42:38 -05:00
Craig Andrews c71352c548 Validate headers and parameters in StrictHttpFirewall
Adds methods to configure validation of header names and values and
parameter names and values:
 * setAllowedHeaderNames(Predicate)
 * setAllowedHeaderValues(Predicate)
 * setAllowedParameterNames(Predicate)
 * setAllowedParameterValues(Predicate)

By default, header names, header values, and parameter names that
contain ISO control characters or unassigned unicode characters are
rejected. No parameter value validation is performed by default.

Issue gh-8644
2020-06-24 14:15:46 -06:00
Eleftheria Stein 12d20f99a1 Fix incorrect Javadoc
Closes gh-8744
2020-06-22 13:14:34 +02:00
Eleftheria Stein c854f6b190 Add missing Javadoc
Closes gh-8743
2020-06-22 13:13:32 +02:00
Craig Andrews efb6953017 Reject the NULL character in paths in StrictHttpFirewall
Adds `setAllowNull`
By default, denies null in paths
2020-06-18 10:19:37 -06:00
Rob Winch ccbad61ae8 Change blacklist to blocklist
Closes gh-8676
2020-06-10 11:49:49 -05:00
Rob Winch ca1252be94 Replace whitelist with allowlist
Issue gh-8676
2020-06-10 11:49:21 -05:00
Rob Winch a907026eae Deprecate X-FRAME-OPTIONS ALLOW-FROM Directive
Closes gh-8677
2020-06-10 11:48:56 -05:00
Joe Grandja da4b626bf1 OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
Issue gh-8609
2020-06-09 17:28:21 -04:00
Eleftheria Stein 0a42aa26c8 Mock request with non-standard HTTP method in test
Fixes gh-8594
2020-05-26 10:16:56 -04:00
Astushi Yoshikawa f08ca4e688 Throw exception if URL does not include context path when context relative
Issue: gh-8399
2020-05-20 14:02:17 -04:00
Rob Winch dc514b369e FilterInvocation Support Default Methods on HttpServletRequest
Closes gh-8566
2020-05-20 10:13:59 -05:00
cbornet bfb401eeed Create the CSRF token on the bounded elactic scheduler
The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.

Fixes gh-8128
2020-05-18 11:04:54 -05:00
Mathieu Ouellet cd08102b93 Add debug logging
Goal is to provide insight to devs on:
- Authentication & Authorization success/failures
- WebSession & SecurityContext
- Request matchers, cache & authn/authz flow

Fixes gh-5758
2020-05-12 09:03:24 -05:00
Rob Winch 4473dca022 Polish matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed
Issue gh-8149
2020-05-11 17:20:16 -05:00
Parikshit Dutta 0f92415395 Fix non-standard HTTP method for CsrfWebFilter
Closes gh-8149
2020-05-11 17:19:57 -05:00
Artyom Tarynin 6db514a4e2 Update AntPathRequestMatcher.java
Fixed typo in JavaDoc. Actually, In these two cases, we are calling the constructor with a `boolean caseSensitive` which is equal to true. This means case sensitive
2020-05-11 17:11:22 -04:00
Joe Grandja 86ca6b013c Unlock dependencies
This reverts commit 206960cf44.
2020-05-06 17:27:35 -04:00
Joe Grandja 206960cf44 Lock dependencies for 5.4.0-M1 2020-05-06 17:13:04 -04:00
Rob Winch 0483b3e042 Polish RequestRejectedHandler
Issue gh-5007
2020-05-01 10:51:11 -05:00
Leonard Brünings b826c798f7 Add RequestRejectedHandler
Closes gh-5007
2020-05-01 10:51:01 -05:00
Oh Myung Woon b7d3acc02c Add constructors to AbstractAuthenticationProcessingFilter
Closes gh-8309
2020-04-09 13:53:06 -05:00
Mustafa Ulu 6bdd5f710f
Fix example in javadoc of FilterChainProxy 2020-04-07 21:05:12 +03:00
Rob Winch 91728ef53b Fix HttpServlet3RequestFactory Logout Handlers
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.

This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.

Closes gh-4760
2020-03-30 17:50:28 -05:00
Josh Cummings eed71243cb
SwitchUserFilter Defaults to POST
Fixes gh-4183
2020-03-27 13:41:49 -06:00
Zeeshan Adnan 935c547dde Fix exception for empty basic auth header token
fixes spring-projectsgh-7976
2020-03-16 12:57:13 -04:00
Eleftheria Stein 47011eb9e2 Polish transfer session's max inactive interval
Issue: gh-2693
2020-03-12 12:11:14 -04:00
Venkata Jaswanth U 02b7d04027 Transfer session's max inactive interval
Fixes: gh-2693
2020-03-12 10:11:59 -04:00
Eleftheria Stein b2ea0ba775 Polish SessionIdChangedEvent
Add AbstractSessionEvent; clean up license headers and Javadocs

Fixes: gh-5438
2020-03-06 12:04:49 -05:00
Venkata Jaswanth 5fc6414377 SessionRegistryImpl is now aware of SessionIdChangedEvent 2020-03-06 12:04:01 -05:00
Eleftheria Stein ae532c080c Add server request cache that uses cookie
Fixes: gh-8033
2020-03-05 15:36:47 -05:00
Eleftheria Stein 38979b1b09 Add test for ServerRequestCacheWebFilter 2020-03-05 14:57:07 -05:00
Josh Cummings 6eadf7b140
Unlock dependencies for 5.3.0.RELEASE
This reverts commit 147d7dadd7.
2020-03-04 12:02:48 -07:00
Josh Cummings 147d7dadd7
Lock dependencies for 5.3.0.RELEASE 2020-03-04 10:28:39 -07:00
AmitB 2ce9eef95e Fix typo in AntPathRequestMatcher contructor comment 2020-03-02 07:14:27 -06:00
Joe Grandja 82cd203791 Remove unnecessary mocking
Fixes gh-8012
2020-02-23 19:35:16 -05:00
Josh Cummings 5bdf57d1e5
Remove Groovy and Spock Dependencies
Fixes gh-4939
2020-02-10 10:38:40 -07:00
Josh Cummings bae50ecc05
AbstractSecurityWebApplicationInitializerTests groovy->java
Issue gh-4939
2020-02-10 10:38:39 -07:00
Eleftheria Stein 84b8a5abd7 Unlock dependencies for next development version
This reverts commit 064616f1ef.
2020-02-05 15:53:04 +01:00
Eleftheria Stein 064616f1ef Lock dependencies for 5.3.0.RC1 2020-02-05 10:20:05 +01:00
Josh Cummings cb9fd09150
Change AuthenticationWebFilter's constructor
Fixes gh-7872
2020-01-31 09:31:28 -07:00