Marcus Hert Da Coregio
00e4a8fb54
Add support for One-Time Token Login
...
Closes gh-15114
2024-09-03 10:07:56 -03:00
DingHao
fd05c5ad76
Remove Advised Methods from Authorization Proxy Objects
...
Closes gh-15561
2024-08-30 10:40:25 -07:00
Josh Cummings
626610a975
Polish Annotation API
...
Rename to a class that isn't focused on the synthesis implementation detail.
Also add Security to the front of the name to clarify that it is only intended
for security annotations, reminiscent of SecurityMetadataSource.
Refine method signatures to better articulate supported use cases.
Issue gh-15286
2024-08-30 08:51:49 -06:00
Josh Cummings
cc6de8fa5d
Hide MergedAnnotation Implementation Details
...
Issue gh-15286
2024-08-29 17:27:14 -06:00
DingHao
84fc5a70ee
Fix variable targetClassToUse not used
...
Closes gh-15567
2024-08-26 15:49:22 -07:00
Josh Cummings
1118b0ec63
Defer Sorting AuthorizationAdvisors in addAdvisor
...
Issue gh-15658
2024-08-20 17:23:10 -06:00
Josh Cummings
4da13f6091
Merge branch '6.3.x'
2024-08-20 16:47:48 -06:00
Josh Cummings
0cab7c8f15
Defer Sorting AuthorizationAdvisors
...
Invoking AnnotationAwareOrderComparator#sort while the
AuthorizationAdvisors are still being computed causes those
advisors to be eagerly instantiated, making components
like ObservationRegistry ineligible for post processing.
This commit defers the sorting of the advisors until
after they are all fully instantiated and available in
the application context.
Closes gh-15658
2024-08-20 16:47:29 -06:00
Josh Cummings
f398be793d
Simplify AuthorizationAdvisorProxyFactory Configuration
...
Closes gh-15497
2024-08-19 12:34:38 -06:00
Marcus Hert Da Coregio
912062d307
Merge branch '6.2.x' into 6.3.x
2024-08-19 09:11:10 -03:00
Daniel Garnier-Moiroux
79fb0113c8
Bump io-spring-javaformat from 0.0.42 to 0.0.43
...
Bumps `io-spring-javaformat` from 0.0.42 to 0.0.43.
Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.42 to 0.0.43
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](spring-io/spring-javaformat@v0.0.42...v0.0.43)
Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.42 to 0.0.43
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](spring-io/spring-javaformat@v0.0.42...v0.0.43)
---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
dependency-type: direct:production
update-type: version-update:semver-patch
...
---
Manual updates:
- Adhere to rule where `@Deprecated` annotations and `@deprecated` javadoc comments MUST
be used together
Signed-off-by: dependabot[bot] <support@github.com>
2024-08-19 09:11:05 -03:00
Daniel Garnier-Moiroux
2caf1fb6b4
Bump io-spring-javaformat from 0.0.42 to 0.0.43
...
Bumps `io-spring-javaformat` from 0.0.42 to 0.0.43.
Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.42 to 0.0.43
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](spring-io/spring-javaformat@v0.0.42...v0.0.43)
Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.42 to 0.0.43
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](spring-io/spring-javaformat@v0.0.42...v0.0.43)
---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
dependency-type: direct:production
update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
dependency-type: direct:production
update-type: version-update:semver-patch
...
---
Manual updates:
- Adhere to rule where `@Deprecated` annotations and `@deprecated` javadoc comments MUST
be used together
Signed-off-by: dependabot[bot] <support@github.com>
2024-08-19 09:08:24 -03:00
Rob Winch
13125d0745
Add AuthorizationDeniedException(String)
...
Closes gh-15607
2024-08-14 13:57:07 -05:00
Josh Cummings
59ec1f6480
Revert "Polish AuthorizationAdvisorProxyFactory advisor configuration"
...
This commit had some unintended consequences when the advisor
interceptor was published in a Spring Boot application. As such,
15497 will be reopened to investigate. In the meantime, this commit
reverts the previous change so as to allow the build to pass.
Issue gh-15497
2024-08-12 10:12:14 -06:00
Josh Cummings
08b8b09066
Update Copyright
...
Issue gh-15286
2024-08-10 11:48:14 -06:00
Josh Cummings
e40c98e6d7
Deprecate PrePostTemplateDefaults
...
Since there is nothing specific to configuring pre/post
annotations, there is no need for the extra class.
If a need like this does arise in the future,
either AnnotationTemplateExpressionDefaults can be
subclassed, or it can have introduced a Map field holding
custom properties.
Issue gh-15286
2024-08-10 11:46:51 -06:00
MrJovanovic13
6d657ea3da
InMemoryUserDetailsManager preserve user type
...
Closes gh-3192
2024-08-09 10:09:41 -06:00
MrJovanovic13
503d653cea
Add InMemoryUserDetailsManager tests
...
Tests added:
createUserWhenUserAlreadyExistsThenException
updateUserWhenUserDoesNotExistThenException
loadUserByUsernameWhenUserNullThenException
Issue gh-3192
2024-08-09 10:09:41 -06:00
Josh Cummings
34d964eb08
Default Handler Resolution to Reflection-Based
...
Closes gh-15496
2024-08-07 14:50:33 -06:00
Josh Cummings
de77e054fd
Default Handler Resolution to Reflection-Based
...
Closes gh-15496
2024-08-07 14:34:40 -06:00
Josh Cummings
02cca6f737
Polish AuthorizationAdvisorProxyFactory advisor configuration
...
Closes gh-15497
2024-08-07 10:09:51 -06:00
Josh Cummings
37a2812d1a
Mimic Annotation Fallback Logic
...
For backward compatibility, this commit changes the annotation traversal
logic to match what is found in PrePostAnnotationSecurityMetadataSource.
This reverts gh-13783 which is a feature that unfortunately regresses
pre-existing behavior like that found in gh-15352. As such, that
functionality has been removed.
Issue gh-15352
2024-07-31 16:17:42 -06:00
Josh Cummings
77bce14462
Polish Annotation Test
...
This new arrangement of the test better matches the class
hierarchy described by the original ticket.
Issue gh-13234
2024-07-31 16:17:42 -06:00
Josh Cummings
90335bd0a6
Polish Annotation Test
...
This test was made more effective by having it focus on the real
scenario of resolving annotations from the standpoint of a bean
2024-07-31 16:17:42 -06:00
Josh Cummings
f20ae1a71c
Revert gh-13783
...
This feature unfortunately regresses pre-existing behavior
like that found in gh-15352. As such, this functionality
has been removed.
Closes gh-15352
2024-07-31 16:16:34 -06:00
KyeongHoon Lee
4036e910c7
Add @FunctionalInterface to AuthenticationManager
2024-07-18 17:25:44 -07:00
Josh Cummings
c736e075c1
Add AnnotationSythesizer API
...
Closes gh-13234
Closes gh-13490
Closes gh-15097
2024-07-18 09:55:17 -06:00
Josh Cummings
e3438aa36a
Support AliasFor
...
Closes gh-15436
2024-07-18 09:46:39 -06:00
Josh Cummings
03bcc6776a
Correct Authorization Tests
...
Issue gh-9289
2024-07-18 09:46:38 -06:00
Josh Cummings
56c93afc66
Correct Tests About Conflicting Annotations
...
Issue gh-9289
2024-07-18 09:46:38 -06:00
Juliana Hachmann
9a714424d5
Adds missing translated messages for PT-BR
...
Partially fix #spring-projectsgh-9315
Adds the missing Brazilian Portuguese translations for the following messages in messages_pt_BR.properties:
- ExceptionTranslationFilter.insufficientAuthentication
- LdapAuthenticationProvider.badLdapConnection
- PersistentTokenBasedRememberMeServices.cookieStolen
2024-05-31 12:36:52 -06:00
Josh Cummings
aa9bf83c6d
Polish Exception Handling
...
Issue gh-15093
2024-05-31 12:34:33 -06:00
Blagoja Stamatovski
63f48167bd
Add Kotlin support to PreFilter and PostFilter annotations
...
Closes gh-15093
2024-05-31 12:32:28 -06:00
Hyeon Sung
742c95b1fc
Use instanceof Pattern Matching
2024-05-15 08:32:25 -03:00
MrJovanovic13
e932387714
fix docs error
...
Closes gh-14978
2024-05-13 09:28:27 -03:00
Marcus Hert Da Coregio
08f11f06ab
Revert unnecessary commits from main
...
Issue gh-15016
2024-05-08 13:49:18 -03:00
Marcus Hert Da Coregio
b3c7f3ff19
Rename CompromisedPasswordCheckResult to CompromisedPasswordDecision
...
Issue gh-7395
2024-04-30 08:38:03 -03:00
DingHao
2a6f0cac5a
Fix not exist class in java doc
...
Closes gh-14954
2024-04-25 11:37:23 -06:00
Marcus Hert Da Coregio
2fbbcc4bd0
Polish Method Authorization Denied Handling
...
- Renamed @AuthorizationDeniedHandler to @HandleAuthorizationDenied
- Merged the post processor interface into MethodAuthorizationDeniedHandler, it now has two methods handleDeniedInvocation and handleDeniedInvocationResult
- @HandleAuthorizationDenied now handles AuthorizationDeniedException thrown from the method
Issue gh-14601
2024-04-12 15:55:25 -03:00
Josh Cummings
933ef67637
Polish AuthorizationDeniedException Handling
...
Issue gh-14600
2024-04-11 14:30:00 -06:00
Josh Cummings
50b85aea0d
Handle SpEL AuthorizationDeniedExceptions
...
Closes gh-14600
2024-04-10 15:36:23 -07:00
Marcus Hert Da Coregio
61eba00654
Move HaveIBeenPwnedRestApiPasswordChecker to spring-security-web
...
Prior to this commit, the implementation was placed in spring-security-core, however we do not want to introduce a dependency on spring-web and spring-webflux for that module.
Issue gh-7395
2024-04-10 14:58:01 -03:00
Marcus Hert Da Coregio
8d914ef145
Add @AuthorizationDeniedHandler for Method Authorization Denied Handling
...
Issue gh-14601
2024-04-08 14:42:13 -03:00
Josh Cummings
c8e5fbf21b
Fix Package Tangle
...
Issue gh-14598
2024-04-05 16:48:52 -06:00
YunByungil
e5f7453690
fix: variable naming convention
...
Changed the variable name from MAX_INTITEM_LENGTH to MAX_INT_ITEM_LENGTH to adhere to naming conventions
2024-04-05 15:05:32 -07:00
Josh Cummings
3f7355abc6
Synthesize all annotation attributes
...
Issue gh-14601
2024-04-04 13:30:29 -06:00
Josh Cummings
6f07d63938
Support SpEL Returning AuthorizationDecision
...
Closes gh-14598
2024-04-04 11:32:00 -06:00
Josh Cummings
0a9c482f62
Revert "Support SpEL Returning AuthorizationDecision"
...
This reverts commit 77f2977c55.
2024-04-04 11:31:45 -06:00
Josh Cummings
77f2977c55
Support SpEL Returning AuthorizationDecision
...
Closes gh-14599
2024-04-04 09:52:15 -07:00
Marcus Hert Da Coregio
d85857f905
Add Authorization Denied Handlers for Method Security
...
Closes gh-14601
2024-04-03 09:25:12 -03:00
Marcus Hert Da Coregio
19d66c0b8a
Introduce AuthorizationResult
2024-04-03 09:25:12 -03:00
Marcus Hert Da Coregio
7d66525e23
Add Compromised Password Checker
...
Closes gh-7395
2024-04-01 09:48:07 -03:00
Josh Cummings
148776309f
Merge branch '6.2.x'
2024-03-22 14:33:57 -06:00
Josh Cummings
afcce0c277
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14795
2024-03-22 14:33:44 -06:00
Josh Cummings
7162046144
Remove Reference to MethodInvocationResult
...
Closes gh-14794
2024-03-22 14:33:23 -06:00
Ali-Hassan
04799c5aac
Update AuthenticationProvider JavaDoc
...
Authentication is an interface, not a class. So, it's not correct
to say "instance of the Authentication class".
2024-03-22 11:27:58 -06:00
Josh Cummings
e1c5dc0e66
Polish JavaDoc
...
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings
9898e0e993
Move AuthorizationAdvisorProxyFactory
...
To prevent package tangles
Issue gh-14596
2024-03-22 11:00:39 -06:00
Josh Cummings
12ea8a5738
Add Supplier Support
...
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings
795e44d11f
Add Value-Type Ignore Support
...
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings
ce54a6db18
Add TestAuthentication convenience method
...
Issue gh-14597
2024-03-19 10:27:03 -06:00
Josh Cummings
d169d5a835
Add AuthorizeReturnObject
...
Closes gh-14597
2024-03-19 10:27:03 -06:00
Marcus Hert Da Coregio
a8a9341f2e
Merge branch '6.2.x'
...
Closes gh-14667
2024-03-18 06:43:37 -03:00
Marcus Hert Da Coregio
a972338e1d
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14666
2024-03-18 06:43:09 -03:00
Marcus Hert Da Coregio
f84c4ea583
Merge branch '5.8.x' into 6.1.x
...
Closes gh-14665
2024-03-18 06:42:43 -03:00
Marcus Hert Da Coregio
2c9dc08e43
Merge branch '5.7.x' into 5.8.x
...
Closes gh-14664
2024-03-18 06:40:34 -03:00
Marcus Hert Da Coregio
5a7f12f1a9
Check for null Authentication
...
Closes gh-14715
2024-03-18 06:39:08 -03:00
Josh Cummings
c611b7e33b
Add AuthorizationProxyFactory Reactive Support
...
Issue gh-14596
2024-03-15 11:44:30 -06:00
Josh Cummings
f541bce492
Polish AuthorizationAdvisorProxyFactory
...
- Ensure Reasonable Defaults
- Simplify Construction
Issue gh-14596
2024-03-15 11:44:30 -06:00
Josh Cummings
52dfbfb5b3
Add Authorization Proxy Support
...
Closes gh-14596
2024-03-13 14:35:07 -06:00
Marcus Hert Da Coregio
d17cbf4342
Merge branch '6.2.x'
...
Closes gh-14724
2024-03-12 10:19:05 -03:00
Marcus Hert Da Coregio
940efe76fc
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14723
2024-03-12 10:18:51 -03:00
Marcus Hert Da Coregio
8fe0303bad
Merge branch '5.8.x' into 6.1.x
...
Closes gh-14722
2024-03-12 10:18:33 -03:00
Marcus Hert Da Coregio
8f42c86a57
Use AuthorizationInterceptorsOrder for Post Authorize Method Interceptors
...
Closes gh-14720
2024-03-12 10:17:45 -03:00
Josh Cummings
c5a4405c54
Polish JavaDoc
...
Issue gh-14521
2024-02-26 10:59:54 -07:00
ruabtmh
09010f3f51
Add ContinueOnError Support For Failed Authentications
...
Closes gh-14521
2024-02-26 10:59:54 -07:00
Josh Cummings
4d383023cb
Add meta-annotation parameter support
...
Closes gh-14480
2024-02-26 10:50:35 -07:00
Marcus Hert Da Coregio
21580fd27d
Merge branch '6.2.x'
2024-02-16 13:31:20 -03:00
Marcus Hert Da Coregio
15306c1007
Merge branch '6.1.x' into 6.2.x
2024-02-16 13:21:15 -03:00
Rob Winch
750cb30ce4
Add AuthenticationTrustResolver.isAuthenticated
2024-02-16 13:08:29 -03:00
Marcus Hert Da Coregio
915d68e216
Remove includeExpiredSessions parameter
...
The reactive implementation of max sessions does not keep track of expired sessions, therefore we do not need such parameter
Issue gh-6192
2024-02-06 10:43:00 -03:00
DingHao
b0da37d4fa
Have Method Security Start at Target Class
...
Closes gh-13783
2024-02-01 09:33:25 -07:00
Sam Brannen
2b7d296994
Revise AuthorizationAnnotationUtils
...
This commit revises AuthorizationAnnotationUtils as follows.
- Removes code duplication by treating both Class and Method as
AnnotatedElement.
- Avoids duplicated annotation searches by processing merged
annotations in a single Stream instead of first using the
MergedAnnotations API to find possible duplicates and then again
searching for a single annotation via AnnotationUtils (which
effectively performs the same search using the MergedAnnotations API
internally).
- Uses `.distinct()` within the Stream to avoid the need for the
workaround introduced in gh-13625. Note that the semantics here
result in duplicate "equivalent" annotations being ignored. In other
words, if @PreAuthorize("hasRole('someRole')") is present multiple
times as a meta-annotation, no exception will be thrown and the first
such annotation found will be used.
- Improves the error message when competing annotations are found by
including the competing annotations in the error message.
- Updates AuthorizationAnnotationUtilsTests to cover all known,
supported use cases.
- Configures correct role in @RequireUserRole.
Please note this commit uses
`.map(MergedAnnotation::withNonMergedAttributes)` to retain backward
compatibility with previous versions of Spring Security. However, that
line can be deleted if the Spring Security team decides that it wishes
to support merged annotation attributes via custom composed
annotations. If that decision is made, the
composedMergedAnnotationsAreNotSupported() test should be renamed and
updated as explained in the comment in that method.
See gh-13625
See https://github.com/spring-projects/spring-framework/issues/31803
2024-01-18 07:42:58 -07:00
Marcus Hert Da Coregio
85177c0178
Merge branch '6.2.x'
...
Closes gh-14408
2024-01-05 14:22:49 -03:00
Steve Riesenberg
a32cd66179
Polish gh-14263
2023-12-26 11:56:42 -06:00
Federico Herrera
10e0f98d5e
Add doc and javadoc for CachingUserDetailsService
...
Close gh-10914
2023-12-26 10:57:58 -06:00
Taehong Kim
ec02c22459
Add Request Path Extraction Support
...
Closes gh-13256
2023-12-19 18:15:49 -07:00
Angel Aguilera
13ad66807e
Update messages_es_ES.properties
...
Uncomment and translate message property.
2023-12-14 10:24:19 -06:00
Josh Cummings
db7c5d128b
Fix Typos
...
Closes gh-14268
2023-12-11 11:34:52 -07:00
ahmd-nabil
dfef781e33
Add default implementation in UserDetails
...
Closes gh-14275
Signed-off-by: ahmd-nabil <ahm3dnabil99@gmail.com>
2023-12-11 11:00:57 -07:00
Marcus Da Coregio
57ab15127a
Add Max Sessions on WebFlux
...
Closes gh-6192
2023-12-11 09:48:34 -03:00
Josh Cummings
4a50d5aab3
Merge branch '6.2.x'
2023-12-09 11:52:31 -07:00
Josh Cummings
6e636e6abb
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14267
2023-12-09 11:50:58 -07:00
Josh Cummings
9f90661b6f
Merge branch '5.8.x' into 6.1.x
...
Closes gh-14266
2023-12-09 11:43:04 -07:00
Josh Cummings
be11812fe4
Account for Super-super-interface Inheritance
...
Closes gh-13625
2023-12-09 11:41:02 -07:00
Josh Cummings
92be497d24
Polish RoleHierachyImpl#of
...
- Change to #fromHierarchy to match naming convention
- Keep existing test methods the same
- Deprecate setHierarchy and default constructor
- Add private Map constructor
- Adjust RoleHierarchyBuilder to use Map constructor
Issue gh-13788
2023-12-08 11:49:50 -07:00
Toshiaki Maki
c1b3351569
Add RoleHierarchyImpl#of
...
Closes gh-13788
2023-12-08 11:49:50 -07:00
Josh Cummings
bb6b55aca3
Add Not Support
...
Closes gh-14058
2023-12-07 16:24:19 -07:00
Yuriy Savchenko
e49ae096e6
Add AuthorizationManager factory methods
...
Factory methods to create AuthorizationManager with a configurable default AuthorizationDecision.
Closes gh-13085
2023-12-07 15:20:08 -07:00
Josh Cummings
ee8bc78cbc
Polish RoleHierarchyImpl#Builder
...
- Added documentation
- Removed withNoRolePrefix for now; let's see how folks
use the minimal API first
- Adjusted class hierarchy to match AuthorizeHttpRequests more
closely
- Adjusted to match Spring Security style guide
- Added needed @since attributes
Issue gh-13300
2023-12-07 15:18:13 -07:00