Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-30 22:28:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
16,604 Commits 48 Branches 362 Tags
Commit Graph

965 Commits

Author SHA1 Message Date
Marcus Da Coregio
c5e35bf32e Merge branch '5.8.x' 
Closes gh-11978
 2022-10-10 09:24:50 -03:00
Marcus Da Coregio
4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher 
Closes gh-11938
 2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux
27059ced87
Default X-Xss-Protection header value to "0" 
Closes gh-9631
 2022-10-07 17:42:55 -05:00
Steve Riesenberg
6753f9745e
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
 2022-10-07 17:29:07 -05:00
Steve Riesenberg
f462134e87
Add reactive support for BREACH 
Closes gh-11959
 2022-10-07 16:34:17 -05:00
Marcus Da Coregio
398f5dee7f Remove deprecated RequestMatcher methods from Java Configuration 
Closes gh-11939
 2022-10-07 15:26:46 -03:00
Marcus Da Coregio
9fd195d419 Default to shouldFilterAllDispatcherTypes=true in XML 
Closes gh-11970
 2022-10-07 11:46:20 -03:00
Marcus Da Coregio
146d3269bc Merge branch '5.8.x' 
Closes gh-11971
 2022-10-07 10:28:14 -03:00
Marcus Da Coregio
f3321c256c Add XML support for shouldFilterAllDispatcherTypes 
Closes gh-11492
 2022-10-07 10:20:32 -03:00
Josh Cummings
12b9f2e196
use-authorization-manager defaults to true 
Closes gh-11929
 2022-10-06 08:12:46 -06:00
Marcus Da Coregio
c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present 
Closes gh-11899
 2022-10-06 09:12:04 -03:00
Steve Riesenberg
8b490de08d
Merge branch '5.8.x' 
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
 2022-10-05 14:46:15 -05:00
Steve Riesenberg
dce1c30522
Add support for BREACH 
Closes gh-4001
 2022-10-05 14:21:13 -05:00
Steve Riesenberg
c1fcf275d9
Update What's New for 5.8 
Issue gh-11952
 2022-10-05 13:48:18 -05:00
Marcus Da Coregio
38a7bbd2eb Merge branch '5.8.x' 2022-10-05 13:20:12 -03:00
Marcus Da Coregio
ace8caa182 Remove mvcMatchers usage from docs 
Issue gh-11347
 2022-10-05 13:19:37 -03:00
Marcus Da Coregio
35f7e46d05 Remove WebSecurityConfigurerAdapter 
Closes gh-10902
 2022-10-04 15:13:04 -03:00
Steve Riesenberg
5de6da890b
Merge branch '5.8.x' 
Closes gh-dry-run
 2022-10-04 11:18:00 -05:00
Steve Riesenberg
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken 
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
 2022-10-03 17:10:54 -05:00
Steve Riesenberg
7c3cc1e386
Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux
0e215a21ad
Add X-Xss-Protection headerValue to XML config 
Issue gh-9631
 2022-10-03 14:29:34 -05:00
Marcus Da Coregio
ad2abd39dc Merge branch '5.8.x' 
Closes gh-11347 in 6.0.x
Closes gh-11945
 2022-10-03 16:02:18 -03:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage 
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
 2022-10-03 15:55:20 -03:00
Daniel Garnier-Moiroux
bf59d7c374
Update What's New for 5.8 2022-10-03 10:05:25 -05:00
Steve Riesenberg
43a1f8249c
Update What's New for 6.0 2022-09-29 15:57:48 -05:00
Steve Riesenberg
6c6aedf772
Update What's New for 6.0 2022-09-26 10:07:50 -05:00
Steve Riesenberg
181ee7410b
Change default authority for oauth2Login() 
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.

* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER

Documentation has been updated to include this implementation detail.

Closes gh-7856
 2022-09-26 10:06:31 -05:00
Steve Riesenberg
c0e784b16d
Update What's New for 6.0 2022-09-26 09:48:52 -05:00
Steve Riesenberg
bcb21c9384
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
 2022-09-23 15:39:43 -05:00
Steve Riesenberg
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver 
Closes gh-11896
 2022-09-23 15:09:00 -05:00
Rob Winch
0efe26c1fd Merge branch '5.8.x' 
Closes gh-11894
 2022-09-22 13:47:04 -05:00
Rob Winch
d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler 
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
 2022-09-22 11:09:44 -05:00
Josh Cummings
70460ca009
Adjust OAuth2 Resource Server packaging 
Closes gh-7349
 2022-09-20 17:44:05 -06:00
Josh Cummings
61c80bcac5
Move Saml2 Authentication Filters 
Closes gh-8819
 2022-09-20 17:18:05 -06:00
Rob Winch
48e31f87e4 Remove Deprecated OpenSAML 3 Support 
Closes gh-10556
 2022-09-20 16:57:38 -06:00
Marcus Da Coregio
983ca6ea27 Update What's New for 5.8 2022-09-20 08:33:38 -03:00
Marcus Da Coregio
2b4a3a85f9 Update What's New for 6.0 2022-09-20 08:33:11 -03:00
Steve Riesenberg
8f44f74d44
Update What's New for 5.8 2022-09-14 15:13:41 -05:00
Steve Riesenberg
70eea8dc67
Update What's New for 5.8 2022-09-14 14:58:48 -05:00
Steve Riesenberg
2431dd1103
Merge branch '5.8.x' 2022-09-13 17:38:10 -05:00
Steve Riesenberg
355ef21117
Polish gh-11665 2022-09-13 16:45:39 -05:00
ch4mpy
1efb63387f
Add authentication converter for introspected tokens 
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.

Closes gh-11661
 2022-09-13 16:45:36 -05:00
Rob Winch
5ae492b1c1 Add What's New @WithMockUser Supported as Merged Annotation 2022-09-08 09:49:00 -05:00
Rob Winch
d996c2a2c6 Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence) 
This method is insecure. Users should instead encrypt with their database.

Closes gh-8980
 2022-09-07 13:51:58 -05:00
Steve Riesenberg
ed41a60aae
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
#	config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
#	web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
 2022-09-06 11:51:55 -05:00
Steve Riesenberg
86fbb8db07 Add new interfaces for CSRF request processing 
Issue gh-4001
Issue gh-11456
 2022-09-06 11:43:33 -05:00
Marcus Da Coregio
e17989d92d Merge branch '5.8.x' 2022-09-01 09:39:33 -03:00
Marcus Da Coregio
ff6fd78d64 Merge branch '5.7.x' into 5.8.x 2022-09-01 09:39:10 -03:00
Marcus Da Coregio
0a08a23423 Merge branch '5.6.x' into 5.7.x 2022-09-01 09:38:33 -03:00
Underground Hill
8b74bf9742 Updated reference to architecture page 
In the context of Servlet Authentication page, "Architecture" should probably link to "Servlet Authentication Architecture" page
 2022-09-01 09:38:10 -03:00