Commit Graph

11783 Commits

Author SHA1 Message Date
Marcus Da Coregio f7f53ea2b7 Update jackson-bom to 2.13.4.20221012
Closes gh-11997
2022-10-13 09:22:28 -03:00
Joe Grandja 185991a606 Revert "Add default AuthorizationManager"
This reverts commit 4ddec07d0e.
2022-10-13 06:18:00 -04:00
Steve Riesenberg 440748ec65
Add test support for Xor CSRF tokens
Issue gh-4001
2022-10-12 15:02:15 -05:00
Steve Riesenberg 8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg 804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg 05e4a1dd20
Cache Xor CsrfToken
Closes gh-11988
2022-10-12 12:30:40 -05:00
Joe Grandja ffbcaca24a Update reference for PasswordEncoders
Issue gh-10506
2022-10-12 07:32:30 -04:00
Joe Grandja c50441b59f Update default configuration for Pbkdf2PasswordEncoder
The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.

Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256

New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256

The default salt length was also updated from 8 to 16.

Closes gh-10506, Closes gh-10489
2022-10-12 00:45:10 -04:00
Joe Grandja f8419003eb Update default configuration for SCryptPasswordEncoder
The recommended minimums for scrypt, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.

Previous default configuration:
cpuCost=16384, memoryCost=8, parallelism=1

New default configuration:
cpuCost=65536, memoryCost=8, parallelism=1

The default salt length was also updated from 64 to 16.

Issue gh-10506
2022-10-12 00:14:07 -04:00
Joe Grandja 2ea62d0f8b Update default configuration for Argon2PasswordEncoder
The recommended minimums for Argon2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.

Previous default configuration:
memory=4, iterations=3, parallelism=1

New default configuration:
memory=16, iterations=2, parallelism=1

Issue gh-10506
2022-10-11 18:04:37 -04:00
Josh Cummings 8d096554f8
Add AuthorizationEvent
Closes gh-11972
2022-10-10 12:28:57 -06:00
Marcus Da Coregio 6e2e76978f Merge branch '5.7.x' into 5.8.x
Closes gh-11980
2022-10-10 11:01:56 -03:00
Marcus Da Coregio b17ba7cdcc Merge branch '5.6.x' into 5.7.x
Closes gh-11979
2022-10-10 11:01:27 -03:00
Marcus Da Coregio e0f8c711d8 Add default value for cloneOutputDirectory property
Closes gh-11969
2022-10-10 11:00:47 -03:00
Marcus Da Coregio 4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher
Closes gh-11938
2022-10-10 09:24:15 -03:00
Steve Riesenberg 37fa49b32d
Polish gh-11952 2022-10-07 17:40:12 -05:00
Steve Riesenberg f462134e87
Add reactive support for BREACH
Closes gh-11959
2022-10-07 16:34:17 -05:00
Steve Riesenberg f4ca90e719
Add reactive interfaces for CSRF request handling
Issue gh-11959
2022-10-07 16:34:16 -05:00
Marcus Da Coregio f3321c256c Add XML support for shouldFilterAllDispatcherTypes
Closes gh-11492
2022-10-07 10:20:32 -03:00
Marcus Da Coregio 8a5aed2983 Add deprecation warning to CsrfDsl#ignoringAntMatchers
Issue gh-11347
2022-10-06 13:50:38 -03:00
Marcus Da Coregio bc4ad52feb Add deprecation warning to mvcMatchers methods
Issue gh-11347
2022-10-06 13:21:27 -03:00
Josh Cummings 380a6a2564
Polish SecurityContextHolderStrategy Usage
- Add to HttpSessionSecurityContextRepository#saveContext

Issue gh-11060
2022-10-05 23:59:14 -06:00
Josh Cummings 0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy
Issue gh-11061
2022-10-05 23:38:14 -06:00
Josh Cummings b4d13e7726
Polish use-authorization-manager
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together

Issue gh-11305
2022-10-05 22:21:09 -06:00
Josh Cummings 7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests
Issue gh-11665
2022-10-05 22:18:41 -06:00
Josh Cummings f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler
Issue gh-11105
2022-10-05 21:47:14 -06:00
Josh Cummings 4ddec07d0e
Add default AuthorizationManager
Closes gh-11963
2022-10-05 21:37:41 -06:00
Steve Riesenberg dce1c30522
Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Rob Winch a5cc1f0b60 Merge branch '5.7.x' into 5.8.x
Closes gh-11956
2022-10-05 13:58:44 -05:00
Rob Winch 37dd896d4b Merge branch '5.6.x' into 5.7.x
Closes gh-11955
2022-10-05 13:57:25 -05:00
Dan Allen e0843aabb1 automatically manage docs version (with collector) 2022-10-05 13:56:22 -05:00
Steve Riesenberg c1fcf275d9
Update What's New for 5.8
Issue gh-11952
2022-10-05 13:48:18 -05:00
Steve Riesenberg 1d706ae13d
Add csrfTokenRequestResolver to CsrfDsl
Closes gh-11952
2022-10-05 13:35:23 -05:00
Marcus Da Coregio bf6e85ec15 Accept String varargs in securityMatcher
Issue gh-9159
2022-10-05 13:44:08 -03:00
Marcus Da Coregio ace8caa182 Remove mvcMatchers usage from docs
Issue gh-11347
2022-10-05 13:19:37 -03:00
Steve Riesenberg 475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Daniel Garnier-Moiroux 0e215a21ad
Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio 039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Daniel Garnier-Moiroux bf59d7c374
Update What's New for 5.8 2022-10-03 10:05:25 -05:00
Steve Riesenberg 7f9600ae08
Polish gh-11896 2022-10-03 09:57:08 -05:00
Marcus Da Coregio 64a19de4dc Deprecate HPKP security header
Closes gh-10144
2022-10-03 11:36:19 -03:00
Marcus Da Coregio 7be2eb05d5 Merge branch '5.7.x' into 5.8.x 2022-10-03 10:10:06 -03:00
Marcus Da Coregio cd4ddde779 Merge branch '5.6.x' into 5.7.x 2022-10-03 10:09:42 -03:00
Daniel Garnier-Moiroux 26bb60c567 Add rncToXsd task description to CONTRIBUTING.adoc 2022-10-03 10:09:27 -03:00
Rob Winch 6d56af7b65 SessionManagementDsl.requireExplicitAuthenticationStrategy 2022-09-30 21:37:44 -05:00
Josh Cummings f054505d6d
Support Deferred Contexts
Closes gh-11817
Issue gh-10913
2022-09-30 16:49:47 -06:00
Daniel Garnier-Moiroux 93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Steve Riesenberg 7b1158ddb7
Merge branch '5.7.x' into 5.8.x 2022-09-29 14:09:10 -05:00
Steve Riesenberg 70c61dc1dd
Merge branch '5.6.x' into 5.7.x 2022-09-29 14:08:17 -05:00
Dan Allen c44230ba24
switch to offical Antora plugin for Gradle
- lock version to latest release of Antora 3.1
- rename properties on extension block
- use Node.js version provided by plugin
- remove package.json file
- assign environment variables using environments property on extension block
- use single quotes where possible in build script
- use default setting for log format
2022-09-29 14:05:09 -05:00