Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-24 16:05:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
11,888 Commits 34 Branches 337 Tags
Commit Graph

11888 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Marcus Da Coregio
c772daab92 Update org.springframework to 5.3.23 
Closes gh-12006
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio
45a4a89960 Update hibernate-entitymanager to 5.6.12.Final 
Closes gh-12005
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio
b43c7e927f Update org.eclipse.jetty to 9.4.49.v20220914 
Closes gh-12004
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio
50d23622d0 Update io.rsocket to 1.1.3 
Closes gh-12003
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio
2c2603ba0f Update io.projectreactor to 2020.0.24 
Closes gh-12001
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio
f7f53ea2b7 Update jackson-bom to 2.13.4.20221012 
Closes gh-11997
 2022-10-13 09:22:28 -03:00
Joe Grandja
185991a606 Revert "Add default AuthorizationManager" 
This reverts commit 4ddec07d0e13c2fe994a8720e22215402d49edd5.
 2022-10-13 06:18:00 -04:00
Steve Riesenberg
440748ec65
Add test support for Xor CSRF tokens 
Issue gh-4001
 2022-10-12 15:02:15 -05:00
Steve Riesenberg
8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg
804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg
05e4a1dd20
Cache Xor CsrfToken 
Closes gh-11988
 2022-10-12 12:30:40 -05:00
Joe Grandja
ffbcaca24a Update reference for PasswordEncoders 
Issue gh-10506
 2022-10-12 07:32:30 -04:00
Joe Grandja
c50441b59f Update default configuration for Pbkdf2PasswordEncoder 
The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.

Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256

New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256

The default salt length was also updated from 8 to 16.

Closes gh-10506, Closes gh-10489
 2022-10-12 00:45:10 -04:00
Joe Grandja
f8419003eb Update default configuration for SCryptPasswordEncoder 
The recommended minimums for scrypt, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.

Previous default configuration:
cpuCost=16384, memoryCost=8, parallelism=1

New default configuration:
cpuCost=65536, memoryCost=8, parallelism=1

The default salt length was also updated from 64 to 16.

Issue gh-10506
 2022-10-12 00:14:07 -04:00
Joe Grandja
2ea62d0f8b Update default configuration for Argon2PasswordEncoder 
The recommended minimums for Argon2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.

Previous default configuration:
memory=4, iterations=3, parallelism=1

New default configuration:
memory=16, iterations=2, parallelism=1

Issue gh-10506
 2022-10-11 18:04:37 -04:00
Josh Cummings
8d096554f8
Add AuthorizationEvent 
Closes gh-11972
 2022-10-10 12:28:57 -06:00
Marcus Da Coregio
6e2e76978f Merge branch '5.7.x' into 5.8.x 
Closes gh-11980
 2022-10-10 11:01:56 -03:00
Marcus Da Coregio
b17ba7cdcc Merge branch '5.6.x' into 5.7.x 
Closes gh-11979
 2022-10-10 11:01:27 -03:00
Marcus Da Coregio
e0f8c711d8 Add default value for cloneOutputDirectory property 
Closes gh-11969
 2022-10-10 11:00:47 -03:00
Marcus Da Coregio
4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher 
Closes gh-11938
 2022-10-10 09:24:15 -03:00
Steve Riesenberg
37fa49b32d
Polish gh-11952 2022-10-07 17:40:12 -05:00
Steve Riesenberg
f462134e87
Add reactive support for BREACH 
Closes gh-11959
 2022-10-07 16:34:17 -05:00
Steve Riesenberg
f4ca90e719
Add reactive interfaces for CSRF request handling 
Issue gh-11959
 2022-10-07 16:34:16 -05:00
Marcus Da Coregio
f3321c256c Add XML support for shouldFilterAllDispatcherTypes 
Closes gh-11492
 2022-10-07 10:20:32 -03:00
Marcus Da Coregio
8a5aed2983 Add deprecation warning to CsrfDsl#ignoringAntMatchers 
Issue gh-11347
 2022-10-06 13:50:38 -03:00
Marcus Da Coregio
bc4ad52feb Add deprecation warning to mvcMatchers methods 
Issue gh-11347
 2022-10-06 13:21:27 -03:00
Josh Cummings
380a6a2564
Polish SecurityContextHolderStrategy Usage 
- Add to HttpSessionSecurityContextRepository#saveContext

Issue gh-11060
 2022-10-05 23:59:14 -06:00
Josh Cummings
0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy 
Issue gh-11061
 2022-10-05 23:38:14 -06:00
Josh Cummings
b4d13e7726
Polish use-authorization-manager 
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together

Issue gh-11305
 2022-10-05 22:21:09 -06:00
Josh Cummings
7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests 
Issue gh-11665
 2022-10-05 22:18:41 -06:00
Josh Cummings
f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler 
Issue gh-11105
 2022-10-05 21:47:14 -06:00
Josh Cummings
4ddec07d0e
Add default AuthorizationManager 
Closes gh-11963
 2022-10-05 21:37:41 -06:00
Steve Riesenberg
dce1c30522
Add support for BREACH 
Closes gh-4001
 2022-10-05 14:21:13 -05:00
Rob Winch
a5cc1f0b60 Merge branch '5.7.x' into 5.8.x 
Closes gh-11956
 2022-10-05 13:58:44 -05:00
Rob Winch
37dd896d4b Merge branch '5.6.x' into 5.7.x 
Closes gh-11955
 2022-10-05 13:57:25 -05:00
Dan Allen
e0843aabb1 automatically manage docs version (with collector) 2022-10-05 13:56:22 -05:00
Steve Riesenberg
c1fcf275d9
Update What's New for 5.8 
Issue gh-11952
 2022-10-05 13:48:18 -05:00
Steve Riesenberg
1d706ae13d
Add csrfTokenRequestResolver to CsrfDsl 
Closes gh-11952
 2022-10-05 13:35:23 -05:00
Marcus Da Coregio
bf6e85ec15 Accept String varargs in securityMatcher 
Issue gh-9159
 2022-10-05 13:44:08 -03:00
Marcus Da Coregio
ace8caa182 Remove mvcMatchers usage from docs 
Issue gh-11347
 2022-10-05 13:19:37 -03:00
Steve Riesenberg
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken 
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
 2022-10-03 17:10:54 -05:00
Daniel Garnier-Moiroux
0e215a21ad
Add X-Xss-Protection headerValue to XML config 
Issue gh-9631
 2022-10-03 14:29:34 -05:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage 
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
 2022-10-03 15:55:20 -03:00
Daniel Garnier-Moiroux
bf59d7c374
Update What's New for 5.8 2022-10-03 10:05:25 -05:00
Steve Riesenberg
7f9600ae08
Polish gh-11896 2022-10-03 09:57:08 -05:00
Marcus Da Coregio
64a19de4dc Deprecate HPKP security header 
Closes gh-10144
 2022-10-03 11:36:19 -03:00
Marcus Da Coregio
7be2eb05d5 Merge branch '5.7.x' into 5.8.x 2022-10-03 10:10:06 -03:00
Marcus Da Coregio
cd4ddde779 Merge branch '5.6.x' into 5.7.x 2022-10-03 10:09:42 -03:00
Daniel Garnier-Moiroux
26bb60c567 Add rncToXsd task description to CONTRIBUTING.adoc 2022-10-03 10:09:27 -03:00
Rob Winch
6d56af7b65 SessionManagementDsl.requireExplicitAuthenticationStrategy 2022-09-30 21:37:44 -05:00