Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
13,794 Commits 33 Branches 333 Tags 109 MiB
Commit Graph

1585 Commits

Author SHA1 Message Date
twosom ae23e3f5f4 Use instanceof pattern matching in initAuthFilter 2023-02-15 17:18:26 -07:00
twosom 99eacf2f0b Change private static method to private methods 2023-02-15 17:18:26 -07:00
Josh Cummings 1ca4781923
Merge branch '6.0.x' 2023-02-14 08:25:29 -07:00
Josh Cummings 8ca726f4fa
Specify query string 
Issue gh-12665
 2023-02-14 08:24:07 -07:00
Josh Cummings e7d65966fd
Merge branch '5.8.x' into 6.0.x 
Closes gh-12671
 2023-02-14 08:01:31 -07:00
Josh Cummings 0d4c619648
Include continue in query string 
Closes gh-12665
 2023-02-14 08:00:19 -07:00
twosom 073dab3bf6 Refactor SavedCookie for Cookie's deprecated method 
Closes gh-12454
 2023-02-01 12:33:45 -07:00
twosom a855b33535 fix typo in RememberMeAuthenticationFilter 2023-02-01 12:33:45 -07:00
Steve Riesenberg 6abbdd3654
Merge branch '6.0.x' 2023-01-26 15:55:41 -06:00
Steve Riesenberg 1363a4eece
Merge branch '5.8.x' into 6.0.x 2023-01-26 15:44:47 -06:00
Steve Riesenberg c306df9b46
Add XorCsrfChannelInterceptor 
Issue gh-12378
 2023-01-23 16:00:35 -06:00
Josh Cummings 879770a0f6 Polish AbstractAuthenticationTargetUrlHandler 
Issue gh-12344
 2023-01-18 08:30:57 -07:00
Dayan Kodippily 6b8a778da8 Rework determineTargetUrl for Readability 
Closes gh-12344
 2023-01-18 08:30:57 -07:00
Dayan Kodippily 58e948a781 Test AbstractAuthenticationTargetUrlRequestHandler 
Issue gh-12344
 2023-01-18 08:30:57 -07:00
Steve Riesenberg 62b58d2c92
Polish gh-12530 2023-01-17 15:05:56 -06:00
Onur Kagan Ozcan c77c76e722
Relax final modifiers on AbstractRememberMeServices methods 
Closes gh-12145
 2023-01-17 15:05:09 -06:00
Josh Cummings f9d674cb10
Merge branch '6.0.x' 
Closes gh-12525
 2023-01-11 10:14:01 -07:00
Josh Cummings 4d2dab9b6b
Lookup Parent Observation 
Closes gh-12524
 2023-01-11 10:13:33 -07:00
Steve Riesenberg 5f89f39627
Merge branch '6.0.x' 
Closes gh-12515
 2023-01-10 11:34:34 -06:00
Steve Riesenberg 4e80338a9b
Polish gh-12466 2023-01-10 11:31:51 -06:00
Wellington Domiciano 2c8854bb7f
Adjusts setRequestHandler javadoc in CsrfFilter 
Adjusts setRequestHandler method javadoc in CsrfFilter class to reflect
changes in 6.0.

In 6.0, the default CsrfTokenRequestHandler changed to
XorCsrfTokenRequestAttributeHandler, however, the javadoc for the
setRequestHandler method still said it was
CsrfTokenRequestAttributeHandler.

This change adjusts the information to make it more accurate, because,
although XorCsrfTokenRequestAttributeHandler is a subclass of
CsrfTokenRequestAttributeHandler, the behavior is quite different.

Closes gh-12464
 2023-01-10 11:31:51 -06:00
Marcus Da Coregio 556891b4fa Merge branch '6.0.x' 
Closes gh-12512
 2023-01-10 09:43:05 -03:00
Marcus Da Coregio d1fc789ae2 Merge branch '5.8.x' into 6.0.x 
Closes gh-12511
 2023-01-10 09:42:48 -03:00
Marcus Da Coregio ae46032ced Merge branch '5.7.x' into 5.8.x 
Closes gh-12510
 2023-01-10 09:39:40 -03:00
Marcus Da Coregio ffdb397830 Save the SecurityContext when switching user 
Closes gh-12504
 2023-01-10 09:27:56 -03:00
Josh Cummings f3ce04e59a
Merge branch '6.0.x' 
Closes gh-12493
 2023-01-06 11:15:03 -07:00
Josh Cummings c308e4665a
Polish Event Name 
Provide a name with no spaces separate from the human-friendly
one with spaces.

Closes gh-12490
 2023-01-06 11:13:11 -07:00
Josh Cummings c0fe74869f
Merge branch '6.0.x' 
Closes gh-12484
 2023-01-04 10:54:10 -07:00
Wellington Domiciano 27b3f4d403 Adjusts setRequestHandler javadoc in CsrfWebFilter 
Adjusts setRequestHandler method javadoc in CsrfWebFilter class to reflect changes in 6.0.

In 6.0, the default ServerCsrfTokenRequestHandler changed to XorServerCsrfTokenRequestAttributeHandler, however, the javadoc for the setRequestHandler method still said it was ServerCsrfTokenRequestAttributeHandler.

This change adjusts the information to make it more accurate, because, although XorServerCsrfTokenRequestAttributeHandler is a subclass of ServerCsrfTokenRequestAttributeHandler, the behavior is quite different.

Closes gh-12465
 2023-01-04 10:53:47 -07:00
Marcus Da Coregio c2d0ea3694 Merge branch '6.0.x' 
Closes gh-12369
 2022-12-12 16:55:32 -03:00
Marcus Da Coregio 898c36287c Merge branch '5.8.x' into 6.0.x 
Closes gh-12368
 2022-12-12 16:55:14 -03:00
Marcus Da Coregio 99d6d21554 Apply SecurityContextHolderFilter to all dispatcher types 
Closes gh-11962
 2022-12-12 11:45:24 -08:00
Josh Cummings 886d1ffec2
Remove Deprecated Usage 
Issue gh-12086
 2022-12-05 11:00:57 -07:00
Josh Cummings 8ef2fc3837
Format 
Issue gh-12086
 2022-12-05 10:51:42 -07:00
Alex Montoya 8717b7544a
Perform JUnit 5 clean up tasks 
- For CookieCsrfTokenRepositoryTests and
CookieServerCsrfTokenRepositoryTests

Issue gh-12086
 2022-12-05 10:51:41 -07:00
Alex Montoya b79ba89eeb
Add setCookieCustomizer to csrf token repository 
- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and
setSecure as deprecated.

- Add the method setCookieCustomizer which allows to set properties
to the ResponseCookieBuilder without having to add new setter methods.

Closes gh-12086
 2022-12-05 10:51:40 -07:00
Josh Cummings 701f754e37
Cast FilterChainObservationContext Safely 
Closes gh-12268
 2022-11-29 16:24:56 -07:00
Steve Riesenberg fd547321e8
Default to XorCsrfTokenRequestAttributeHandler 
As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.

Issue gh-11960
Closes gh-12235
 2022-11-18 22:50:26 -06:00
Steve Riesenberg 5da78f44f2
Merge branch '5.8.x' 2022-11-18 14:54:33 -06:00
Steve Riesenberg 2ed7cff643
Check for existing token before clearing 
Closes gh-12236
 2022-11-18 13:12:59 -06:00
Josh Cummings 24860d9fb0
Observe Filter Start and Stop 
Issue gh-11911
 2022-11-17 15:11:29 -07:00
Josh Cummings e08ed89403 Polish Span and Meter Names 
Closes gh-12156
 2022-11-17 15:09:52 -07:00
Marcus Da Coregio 063f06e7bf Register FilterChainProxy for all dispatcher types 
Closes gh-12180
 2022-11-16 09:55:21 -03:00
Steve Riesenberg 1a3be83084
Merge branch '5.8.x' 
Closes gh-12185
 2022-11-09 12:28:37 -06:00
Steve Riesenberg 57b163bb78
Polish gh-12141 2022-11-09 12:19:43 -06:00
Marcus Da Coregio 2a261e0583 Add Jakarta WebSocket 2.1 test dependency to spring-security-web 
Issue gh-12148
 2022-11-08 09:54:34 -03:00
Marcus Da Coregio 3b5d19c8a4 Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1 
Closes gh-12146
Closes gh-12148
 2022-11-08 08:34:21 -03:00
Steve Riesenberg 36f668dd9c
Merge branch '5.8.x' 
Closes gh-12142
 2022-11-04 18:12:34 -05:00
Steve Riesenberg 6b0ed0205b
Re-generate tokens in CookieCsrfTokenRepository 
Fixes support for re-generating tokens within a request such as when
CsrfAuthenticationStrategy removes a null token and saves an empty
cookie value on the response.

Closes gh-12141
 2022-11-04 18:10:15 -05:00
Steve Riesenberg 801ceb0832
Merge branch '5.8.x' 2022-10-31 08:58:14 -05:00
Steve Riesenberg 66f2f1cde7
Merge branch '5.7.x' into 5.8.x 2022-10-31 08:55:03 -05:00
Steve Riesenberg 2915a70bf7
Merge branch '5.6.x' into 5.7.x 2022-10-28 13:05:48 -05:00
Steve Riesenberg 6530777742
Merge branch '5.5.x' into 5.6.x 
Closes gh-dry-run
 2022-10-28 11:31:50 -05:00
Marcus Da Coregio 1f481aafff
Fix AuthorizationFilter incorrectly extending OncePerRequestFilter 
Closes gh-12102
 2022-10-28 11:29:35 -05:00
Josh Cummings d651da5ac3
Merge remote-tracking branch 'origin/5.8.x' 
Closes gh-12077
 2022-10-24 16:54:03 -06:00
Josh Cummings dd30694979
Merge remote-tracking branch 'origin/5.7.x' into 5.8.x 
Closes gh-12076
 2022-10-24 16:46:08 -06:00
David Becker 2b426872a3
Use InetSocketAddress#getHostString 
Sometimes InetSocketAddress#getAddress#getHostAddress retuns null.
In that case, call InetSocketAddress#getHostString instead.

There is no performance loss since IpAddressMatcher#matches attemptsi
to re-parse and resolve the address anyway.

Closes gh-11888
 2022-10-24 16:32:19 -06:00
Steve Riesenberg 8554e70c09
Remove deprecated loadContext(request) 
Closes gh-12048
 2022-10-17 20:13:51 -05:00
Steve Riesenberg e238b721bb
Fix imports in DelegatingSecurityContextRepository 
Issue gh-12023
 2022-10-17 19:36:25 -05:00
Steve Riesenberg bd43c1f28a
Merge branch '5.8.x' 
# Conflicts:
#	web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
#	web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
 2022-10-17 19:35:27 -05:00
Steve Riesenberg acc35aeb18
Add DelegatingSecurityContextRepository 
Issue gh-12023
 2022-10-17 19:33:58 -05:00
Steve Riesenberg c75ca10900
Add DeferredSecurityContext 
Issue gh-12023
 2022-10-17 19:33:58 -05:00
Josh Cummings f4cc27c375
Change Default for (Server)AuthenticationEntryPointFailureHandler 
Closes gh-9429
 2022-10-13 20:03:03 -06:00
Josh Cummings 5afc7cb04f
Merge remote-tracking branch 'origin/5.8.x' 2022-10-13 19:48:05 -06:00
Josh Cummings 099aaa33ff
Remove Deprecation Markers 
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.

Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.

At that time, BearerTokenAuthenticationFilter can change to use
the handler.

Closes gh-11932
 2022-10-13 19:47:22 -06:00
Daniel Garnier-Moiroux 200b7fecd3
Add (Server)AuthenticationEntryPointFailureHandlerAdapter 
Issue gh-11932, gh-9429

(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.

BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
 2022-10-13 19:25:04 -06:00
Steve Riesenberg 9090f62d9b
Merge branch '5.8.x' 2022-10-13 16:46:53 -05:00
Evgeniy Cheban 56b9badcfe
AnonymousAuthenticationFilter should cache its Supplier<SecurityContext> 
Closes gh-11900
 2022-10-13 16:44:48 -05:00
Steve Riesenberg 45a963a011
Remove CsrfWebFilter.setTokenFromMultipartDataEnabled 
Closes gh-12019
 2022-10-13 11:29:16 -05:00
Joe Grandja 753e113a13 RequestMatcherDelegatingAuthorizationManager defaults to deny 
Closes gh-11958
 2022-10-13 11:12:00 -04:00
Steve Riesenberg 2407d07890
Default to Xor CSRF tokens in CsrfWebFilter 
Closes gh-11960
 2022-10-13 09:39:57 -05:00
Steve Riesenberg 2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter 
Issue gh-11960
 2022-10-13 09:39:55 -05:00
Joe Grandja 6026f9f70f Merge branch '5.8.x' 2022-10-13 06:31:37 -04:00
Joe Grandja 185991a606 Revert "Add default AuthorizationManager" 
This reverts commit 4ddec07d0e.
 2022-10-13 06:18:00 -04:00
Josh Cummings 2713075d08
Mark Observations with Firewall Failures 
Closes gh-11994
 2022-10-12 20:32:24 -06:00
Josh Cummings 46ab84684b
Mark Observations with CSRF Failures 
Closes gh-11993
 2022-10-12 20:32:23 -06:00
Josh Cummings 99a87179dd
Instrument Filter Chain 
Closes gh-11911
 2022-10-12 20:32:22 -06:00
Steve Riesenberg 9b43950e13
Merge branch '5.8.x' 2022-10-12 13:14:20 -05:00
Steve Riesenberg 8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg 804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg 05e4a1dd20
Cache Xor CsrfToken 
Closes gh-11988
 2022-10-12 12:30:40 -05:00
Marcus Da Coregio c5e35bf32e Merge branch '5.8.x' 
Closes gh-11978
 2022-10-10 09:24:50 -03:00
Marcus Da Coregio 4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher 
Closes gh-11938
 2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux 27059ced87
Default X-Xss-Protection header value to "0" 
Closes gh-9631
 2022-10-07 17:42:55 -05:00
Steve Riesenberg 6753f9745e
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
 2022-10-07 17:29:07 -05:00
Steve Riesenberg f462134e87
Add reactive support for BREACH 
Closes gh-11959
 2022-10-07 16:34:17 -05:00
Steve Riesenberg f4ca90e719
Add reactive interfaces for CSRF request handling 
Issue gh-11959
 2022-10-07 16:34:16 -05:00
Marcus Da Coregio c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present 
Closes gh-11899
 2022-10-06 09:12:04 -03:00
Josh Cummings 353ca76973
Merge remote-tracking branch 'origin/5.8.x' 2022-10-06 00:01:40 -06:00
Josh Cummings 380a6a2564
Polish SecurityContextHolderStrategy Usage 
- Add to HttpSessionSecurityContextRepository#saveContext

Issue gh-11060
 2022-10-05 23:59:14 -06:00
Josh Cummings 72a46ddd31
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler 
Issue gh-11105
 2022-10-05 21:47:14 -06:00
Josh Cummings eeb28e4f91
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 21:45:26 -06:00
Josh Cummings 4ddec07d0e
Add default AuthorizationManager 
Closes gh-11963
 2022-10-05 21:37:41 -06:00
Steve Riesenberg ee9449dbfe
Fix tests for deferred CSRF tokens 
Issue gh-4001
 2022-10-05 16:10:36 -05:00
Steve Riesenberg 521cdfd738
Use correct servlet imports 
Issue gh-4001
 2022-10-05 16:10:35 -05:00
Steve Riesenberg 8b490de08d
Merge branch '5.8.x' 
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
 2022-10-05 14:46:15 -05:00
Steve Riesenberg dce1c30522
Add support for BREACH 
Closes gh-4001
 2022-10-05 14:21:13 -05:00
Steve Riesenberg 5de6da890b
Merge branch '5.8.x' 
Closes gh-dry-run
 2022-10-04 11:18:00 -05:00
Steve Riesenberg 475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken 
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
 2022-10-03 17:10:54 -05:00