814742fef6
Rename ClientRegistration.clientAlias -> registrationId
...
Fixes gh-4575
2017-09-27 09:14:55 -04:00
38be35677d
Add userNameAttributeName to ClientRegistration
...
Fixes gh-4580
2017-09-26 21:55:19 -04:00
0e9b2807bf
Split up NimbusOAuth2UserService
...
Fixes gh-4447
2017-09-26 11:32:49 -04:00
6d26b86792
Add UserDetailsRepositoryResourceFactoryBean.fromString
...
Fixes gh-4566
2017-09-22 20:18:59 -05:00
a4c2073bcd
Add UserDetailsManagerResourceFactoryBean.fromString
...
Fixes gh-4567
2017-09-22 20:18:59 -05:00
bc99f8aff3
Add UserDetailsResourceFactoryBean.fromString
...
Fixes gh-4568
2017-09-22 20:18:59 -05:00
9e719bc313
Drop the `aopalliance:aopalliance` dependency
...
As of Spring 4.3 RC1 the `org.aopalliance` interfaces are once again bundled
with `spring-aop` [1]. Moreover, all modules with a dependency on
`aopalliance:aopalliance` directly or indirectly also depend on `spring-aop`.
This change drops the `aopalliance:aopalliance` dependency in all places it's
declared. Where applicable an explicit dependency on `spring-aop` was added in
its place. (This dependency was already present in most places; in one case the
module didn't require `aopalliance:aopalliance` in the first place.)
The documentation is updated accordingly.
[1] https://jira.spring.io/browse/SPR-13984
2017-09-22 11:11:04 -05:00
8521ca8f94
Polish gh-4560
2017-09-21 17:21:41 -04:00
baa3b6f258
Add utility for loading properties of client types
...
Fixes gh-4560
2017-09-20 22:50:19 -04:00
8a66d0c78d
Polish PermissionEvaluator Autowired into Web Security
...
Issue gh-4077
2017-09-18 16:53:19 -05:00
3bf6bf10de
Configure permissionEvaluator and roleHierarchy by default
...
Implementations of AbstractSecurityExpressionHandler (such as the very commonly used DefaultWebSecurityExpressionHandler) get PermissionEvaluator and RoleHierarchy from the application context (if the application context is provided, and exactly one of such a bean exists in it). This approach matches that used in GlobalMethodSecurityConfiguration, making everything in Spring Security work the same way (including WebSecurity).
Issue gh-4077
2017-09-18 16:35:16 -05:00
f8ee9944ff
Copyright date range
2017-09-18 11:18:46 -05:00
1f4082e754
Fix copyright lines
2017-09-18 11:11:25 -05:00
01d4387f56
Fix empty lines in copyright
2017-09-18 10:53:04 -05:00
3ecf3ea034
Fix double * in Copyright headers
2017-09-18 10:47:26 -05:00
e14af37775
Add LogoutWebFilter
...
Fixes gh-4539
2017-09-13 16:43:04 -05:00
426e24c18e
Polish
...
Formatting changes
2017-09-13 15:31:32 -05:00
65b968f04a
Move servlet-specific classes to 'web' package
...
Fixes gh-4366
2017-09-13 16:13:32 -04:00
0a36359f11
WebFlux HTTP Basic & Form Login Sessions
...
By default both HTTP Basic and form log are enabled. Now HTTP Session will
not be used for HTTP Basic, but will be for form log in.
2017-09-13 14:47:44 -05:00
3d745e63f6
HttpSecurityConfiguration applies all defaults
...
HttpSecurity headers is off by default and relies on
HttpSecurityConfiguration to enable it. This is more consistent with the
other operators
2017-09-12 22:07:12 -05:00
b5edb58050
Polish reactive config
...
Code Checkstyle fixes
2017-09-12 21:56:09 -05:00
8b32b8db74
Polish
...
HeadersBuilder build is protected
2017-09-12 21:51:26 -05:00
d93c774691
Add FormLogin Configuration
...
Fixes gh-4537
2017-09-12 20:40:56 -05:00
a0a0a32bda
Add WebTestClient HtmlUnit Support
...
Fixes gh-4534
2017-09-12 20:40:56 -05:00
8d997fd079
Remove DefaultAuthenticationSuccessHandler
...
We always need to save the user after authentication, so it should be
part of AuthenticationWebFilter
Fixes gh-4524
2017-09-12 20:40:56 -05:00
4ff0b52f74
Remove HttpClientConfig
...
Issue gh-4478
2017-09-12 21:03:40 -04:00
d9bad2bc9d
Mono.currentContext()->subscriberContext()
...
Fixing refactoring by Reactor
2017-09-01 17:20:47 -05:00
be0081290b
EnableWebFluxSecurity uses PasswordEncoder Bean
2017-08-30 10:02:00 -05:00
9f2ea90f0d
Polish HttpSecurity
...
Code Style fixes
2017-08-29 20:34:20 -05:00
51ad53f76a
Remove Optional from Reactive HttpSecurity
2017-08-29 20:30:04 -05:00
20befc3702
Support .and() in Reactive HttpBasic & HeaderBuilder
2017-08-29 20:17:56 -05:00
c4917f359a
Fix for Reactor Refactor
...
- contextStart -> subscriberContext
2017-08-29 08:24:55 -05:00
bc6be86aec
Add in-memory AccessTokenRepository
...
Fixes gh-4508
2017-08-23 17:18:35 -04:00
91b0bd4ba5
Provide oauth2login.tokenEndpoint config
...
Fixes gh-4506
2017-08-23 17:18:01 -04:00
c06975080f
Allow configuring oauth2 authentication handlers
...
Fixes gh-4472
2017-08-23 17:17:34 -04:00
93c2b2533e
Allow configuring request paths for oauth2 filters
...
Fixes gh-4473
2017-08-23 17:17:01 -04:00
416ff3c77a
Add EnableReactiveMethodSecurity
...
Issue gh-4496
2017-08-17 16:42:01 -05:00
b0b9b32c0c
Add AuthenticationReactorContextFilter
...
Fixes gh-4501
2017-08-17 16:42:01 -05:00
e16b8e7976
Fix logback-test.xml
2017-08-17 16:42:01 -05:00
f3737b61e8
Add logback-classic as test dependency
2017-08-17 15:42:39 -05:00
efc3cadd43
Fixed Circular Bean References in Java Config
...
Fixes gh-4489
2017-08-09 16:24:01 -05:00
bfaead6f68
Removal of ParsingPathMatcher
...
Changes needed for the removal of ParsingPathMatcher in Spring Framework
b1440b6816 (diff-972650c759c249004b9725f94b570db3R156)
2017-08-02 11:11:11 -05:00
c872499eee
Enable custom configuration for HTTP client
...
Fixes gh-4477
2017-07-28 16:43:44 -04:00
9b7883fe10
Add WEB_FILTER_CHAIN_FILTER_ORDER
...
Fixes gh-4475
2017-07-27 21:02:38 -05:00
96ae0fe8f8
Expose configuration for authorities mapping
...
Fixes gh-4409
2017-07-12 17:35:16 -04:00
9cfb890207
Use id_token for user authentication
...
Fixes gh-4410
2017-07-07 12:44:26 -04:00
0e100be333
Fix Groovy 2.5 Compile Errors
...
Fixes gh-4415
2017-06-22 13:31:21 -05:00
8130965259
Fixes for changes in SPR-15657
...
Fixes gh-4408
2017-06-20 16:42:24 -05:00
ca6348800e
HttpSecurity.authorizeExchange() allows Method Chaining
...
Fixes gh-4397
2017-06-15 15:50:30 -05:00
9d19b7337e
Ensure Unique Names
...
Issue: gh-4394
2017-06-15 13:00:59 -05:00
fda0220fad
Provide default reactive HttpSecurity
...
Fixes gh-4396
2017-06-15 13:00:19 -05:00
9141a8a7c0
Add Multiple Reactive HttpSecurity
...
Fixes gh-4395
2017-06-15 13:00:19 -05:00
406e1e6951
Extract out HttpSecurityConfiguration
...
Fixes gh-4394
2017-06-15 13:00:19 -05:00
335a01577a
Typo "he" -> "the"
2017-06-15 12:47:41 -05:00
30132892a0
Polish UserDetailsResourceFactoryBean Support
...
Issues: gh-4380 gh-4381 gh-4382
2017-06-13 15:15:21 -05:00
337317a060
WebFlux now uses ParsingPathMatcher
...
Fixes gh-4388
2017-06-09 22:25:45 -05:00
6428cb411e
Add UserDetailsRepositoryResourceFactoryBean
...
Add the ability to easily create a UserDetailsRepository from a Properties
in the standard Spring Security user format.
Fixes gh-4382
2017-06-09 16:07:18 -05:00
4cb77e5386
Add UserDetailsManagerResourceFactoryBean
...
Add the ability to easily create a UserDetailsManager from a Properties
in the standard Spring Security user format.
Fixes gh-4381
2017-06-09 16:07:18 -05:00
256d14ede0
Add UserDetailsResourceFactoryBean
...
Add the ability to create a Collection<UserDetails> from a Properties
Resource using the standard Spring Security user format.
Fixes gh-4380
2017-06-09 16:07:18 -05:00
d09fb5b500
Move UserDetailsRepository to core.userdetails
...
Fixes gh-4383
2017-06-09 16:07:09 -05:00
6c0ecea494
Use java.util.Function instead of Converter
...
Fixes gh-4323
2017-06-01 17:25:39 -04:00
e5eda24054
Add ServerWebExchangeMatcherEntry
2017-05-31 16:13:20 -05:00
68368c87ca
Resolve compile errors -> WebTestClient methods removed
...
Fixes gh-4355
2017-05-25 11:14:29 -04:00
bc141febdb
Demo mock support with RouterFunction
2017-05-23 16:29:30 -05:00
9e6b10ce46
Fix JavaDoc for HeadersConfigurer
...
Corrected copy-paste error.
2017-05-22 00:32:19 +02:00
247635ed92
WebFluxSecurityConfiguration defaults HTTP Basic
...
Fixes gh-4346
2017-05-19 21:50:06 -05:00
1cec497a50
Add method chaining for AuthorizeExchangeBuilder
...
Fixes gh-4345
2017-05-19 21:25:50 -05:00
0428cdd934
Add @EnableWebFluxSecurity
...
Fixes gh-4344
2017-05-19 21:11:42 -05:00
d81b436e5d
Remove pom.xml from build
...
Gradle is easy enough to import into IDEs, so pom.xml should no
longer be necessary.
This commit removes the pom.xml files from the build.
Fixes gh-4283
2017-05-11 14:32:36 -05:00
85719fcd64
Use Base64 implementation provided by Java 8
2017-05-10 00:27:36 -05:00
b4f2777755
Add WebFlux
...
Fixes gh-4128
2017-05-10 00:13:02 -05:00
829c386756
Add support for OAuth 2.0 Login
...
Fixes gh-3907
2017-04-28 10:58:59 -04:00
dd6fc48dd8
Standardize Build
...
The build now uses spring build conventions to simplify the build
Fixes gh-4284
2017-04-21 10:55:05 -05:00
5a65da400d
Use ReflectionTestUtils rather than Whitebox
...
This is better because it no longer uses Mockito's internal API
Fixes gh-4305
2017-04-21 10:54:58 -05:00
2ce174dbf0
Update poms to 5.0.0.BUILD-SNAPSHOT
2017-04-07 16:49:50 -04:00
d2524eadfc
Update poms to new to SNAPSHOT version
2017-03-02 09:20:34 -06:00
081f0c4d94
Release version 4.2.2.RELEASE
2017-03-02 07:29:42 +00:00
f3edaa673a
Fix SecurityNamespaceHandler Version Error Message
...
Fixes gh-4210
2017-03-02 00:25:51 -06:00
546d44d6e7
Fix NPE in WebSocketMessageBrokerSecurityBeanDefinitionParser
...
Fixes gh-4112
Closes gh-4194
2017-03-01 23:58:02 -06:00
2ac51c9c7f
Fix class name in comment
2017-03-01 23:31:32 -06:00
9c03571bbb
Use message in all Assert
...
This ensures compatibility with Spring 5.
Fixes gh-4193
2017-01-30 19:58:24 -06:00
7a7ce11ebb
Release version 4.2.1.RELEASE
2016-12-21 17:23:28 +00:00
fc516b55a6
Fix Build Against Spring 5.0.0.BUILD-SNAPSHOT
...
Change Bean definition to static to avoid SPR-12646
Fixes gh-4150
2016-12-08 15:54:46 -06:00
f94399cff9
Polish
2016-11-17 09:49:41 -06:00
24fcb6c45a
Release version 4.2.0.RELEASE
2016-11-09 23:42:11 +00:00
23294c4c57
Add Referrer-Policy header support
...
Fixes gh-4110
2016-11-08 13:21:35 -06:00
97b4cb0b73
Release version 4.2.0.RC1
2016-10-26 02:49:23 +00:00
df3b8bc284
Add Spring MVC test for override cache control
...
Issue gh-3975
2016-10-24 15:57:32 -05:00
f432c04111
Create UserBuilder
...
This commit creates a UserBuilder and updates samples to use it. We do not
leverate it for JdbcUserDetailsManager because it requires the schema to
be created which is difficult with a single bean definition and
unpredicatble ordering. For this, it is still advised to use
AuthenticationManagerBuilder
Fixes gh-4095
2016-10-21 16:42:03 -05:00
94e580fe64
Add Support for Custom Default Configuration in Web Security
...
Fixes gh-4102
2016-10-19 16:15:56 -05:00
af9139b613
Add intercept-url@request-matcher-ref
...
Fixes gh-4097
2016-10-18 22:27:31 -05:00
f019ea89e7
Remove unused lowercase-comparisons from XSD
...
Fixes gh-3932
2016-10-18 22:27:28 -05:00
0d700628dc
Add spring-security-4.2.xsd to spring.schemas
...
Fixes gh-4098
2016-10-18 22:27:22 -05:00
aaa9708b95
Add BeanResolver to AuthenticationPrincipalArgumentResolver
...
Previously @AuthenticationPrincipal's expression attribute didn't support
bean references because the BeanResolver was not set on the SpEL context.
This commit adds a BeanResolver and ensures that the configuration
sets a BeanResolver.
Fixes gh-3949
2016-10-18 19:45:54 -05:00
badb466cc5
AuthenticationConfiguration imports ObjectPostProcessor
...
Fixes gh-4086
2016-10-17 20:00:27 -05:00
1222fc5f10
XML ref to bean
...
Spring 5 removes ref XML attribute in favor of bean XML attribute. This
commit updates all the samples and tests to use bean instead of ref.
Issue gh-4080
2016-10-17 17:00:17 -05:00
08c1f500a7
Version bumps for Spring 5
...
Issue gh-4080
2016-10-17 17:00:17 -05:00
c1b8150439
Release version 4.2.0.M1
2016-09-23 19:39:33 +00:00
b443baef04
Polish GrantedAuthorityDefaults
...
* Move GrantedAuthorityDefaults to config module
* Move setting of default role into config module vs
ApplicationContextAware
Issue gh-3701
2016-09-22 15:13:05 -05:00
eabeaf35d6
Make single definition of `defaultRolePrefix` and `rolePrefix`
...
Previous to this commit, role prefix had to be set in every class
causing repetition. Now, bean `GrantedAuthorityDefaults` can be used to
define the role prefix in a single point.
Fixes gh-3701
2016-09-21 14:55:41 -05:00
49f7c98c3e
Fix headers@defaults-disabled=true with no children
...
Previously <headers defaults-disabled="true"/> would fail if there were
no children with an IllegalArgumentException. This allows using
defaults-disabled="true" and no children as an alias for disabled="true".
Fixes gh-3986
2016-09-19 14:53:51 -05:00
4cc899feab
Fix Typo in Javadoc
...
Issue gh-4063
2016-09-19 10:09:48 -05:00
6650429283
Polish SessionInformationExpiredStrategy
...
* Fix passivity and add tests
* Introduce SessionInformationExpiredEvent as a value object
* Rename ExpiredSessionStrategy to SessionInformationExpiredStrategy
to account for the need of SessionInformation
* Switch to Constructor Injection
* Move the changes to the xsd to 4.2 xsd instead of 4.1
Issue gh-3808
2016-09-15 14:30:52 -05:00
67c9f12964
Configuration of session management strategies
...
This commit adds the possibility to configure the AuthenticationFailureHandler
of the SessionManagementFilter.
Fixes gh-3794
2016-09-15 11:10:36 -05:00
b88418b94a
Configuration of session management strategies
...
This commit adds an ExpiredSessionStrategy for the ConcurrentSessionFilter
analogous to the InvalidSessionStrategy for the SessionManagementFilter. It also
adds a configuration option for both the InvalidSessionStrategy and
ExpiredSessionStrategy to the XML namespace and Java configuration.
Fixes gh-3794
Fixes gh-3795
2016-09-15 11:10:17 -05:00
4d02a5c0a0
Update pom.xml dependencies
2016-08-30 11:27:29 -05:00
c6366baee2
Remove MvcRequestMatcher.afterPropertiesSet()
...
The validation does not work due to restrictions within the servlet
container. Specifically we cannot access the servlets that are registered.
This commit reverts the validation logic for MvcRequestMatcher to determine
if servletPath is required.
Fixes gh-4027
2016-08-19 14:18:07 -04:00
f8bfe19a98
Fix typo in autowiring warning ( #4026 )
...
Fixes a misleading message that warns about
PermissionEvaluator when MethodSecurityExpressionHandler
should be mentioned instead.
Fixes gh-3402
2016-08-16 08:39:49 -05:00
bb997eecde
Fix defaultMethodExpressionHandler autowiring
...
Previously if a Bean for GlobalMethodSecurityConfiguration's
defaultMethodExpressionHandler was found on a Configuration that also
@Autowired a Bean that enabled method security, the Bean that was
@Autowired would not have security enabled.
This fixes the issue by delaying the lookup of Beans populated on
GlobalMethodSecurityConfiguration's defaultMethodExpressionHandler.
Fixes gh-4020
2016-08-10 23:48:07 -05:00
e080905a79
MvcRequestMatcher servletPath Polish / XML Config
...
Fixes gh-4014
2016-08-09 16:29:30 -05:00
3befb1c8a6
MvcRequestMatcher servletPath / JavaConfig
...
Issue: gh-3987
2016-08-09 16:29:30 -05:00
519c15efb3
Logout is 204 for XMLHttpRequest
...
Fixes gh-3997
2016-08-02 11:26:52 -07:00
c23c7982ca
Add ObjectPostProcessor support for SmartInitializingSingleton
2016-07-21 08:59:17 -05:00
ca170f8479
DummyRequest supports methods for MvcRequestMatcher
...
To support MvcRequestMatcher DummyRequest needs to support
getCharacterEncoding() and getAttribute(String)
2016-07-14 14:18:31 -05:00
ada146244e
Add HttpSecurity.mvcMatcher
...
Fixes gh-3970
2016-07-14 10:50:49 -04:00
945e2e2ad4
Fix NPE requestMatchers().mvcMatchers
...
Fixes gh-3969
2016-07-14 10:50:49 -04:00
80ff267749
Check RememberMe in ExceptionTranslationFilter
...
This commit adds a check for rememberme to the ExceptionTranslationFilter.
Using this when someone isn't fully authenticated he will be prompted with a
login screen and after that will be redirected to the original requested URI.
Fixes gh-2427
2016-07-13 16:58:00 -04:00
1effc1882a
Add CompositeLogoutHandler
...
Fixes gh-3895
2016-07-08 13:30:38 -05:00
885f074ddf
Fix XsdDocumentedTests
2016-07-07 15:05:04 -05:00
e297706e8b
Polish allow unlimitted sessions
...
Update the rnc file
Issue gh-3900
2016-07-07 14:31:40 -05:00
e3ff4130a5
Allow negative values to configure unlimited sessions
2016-07-07 14:29:18 -05:00
50d7d3287f
Add spring-security-4.2.xsd
2016-07-07 14:19:01 -05:00
13b0ddb7e6
Fix test assertions
2016-07-07 13:29:00 -05:00
919f000c80
Release version 4.1.1.RELEASE
2016-07-07 00:57:35 +00:00
310bb39a0d
Fix typo
2016-07-06 16:22:33 -05:00
764a4d8414
Fix Error Message typo
...
Fixes gh-3953
2016-07-06 16:19:29 -05:00
b17870ee07
LogoutConfigurer: only allow suitable http methods
2016-07-06 16:17:11 -05:00
e4c13e3c0e
Add MvcRequestMatcher
...
Fixes gh-3964
2016-07-06 15:47:23 -05:00
13bc70f693
Add CorsFilter support
2016-07-05 14:28:04 -05:00
c935d857eb
Add mvc namespace to XmlApplicationContext
2016-07-01 22:04:55 -05:00
7f3b3a8b59
Polish
...
Issue gh-180
2016-07-01 13:17:52 -05:00
bd5f71bb0d
Polish
...
Fix checkstyle for LDAP JavaConfig Authority mapping
Issue gh-2768
2016-06-21 17:08:37 -05:00
b76e3be822
LDAP Java Config supports GrantedAuthoritiesMapper
...
Fixes gh-2768
2016-06-21 16:43:13 -05:00
26ad1cb4a5
Polish RememberMe Validation
...
Issue gh-3909
2016-06-21 14:57:15 -05:00
87224f62e4
RememberMe JavaConfig Validation
...
Add validation when rememberMeServices and rememberMeCookieName are
provided
Fixes gh-3909
2016-06-21 14:57:01 -05:00
66858e22ad
Disable XMLHttpRequest for formLogin entry point
...
Previously the following:
http http://localhost:8080/user \
"X-Requested-With:XMLHttpRequest" "Accept:text/plain"
Produced a 302 instead of a 401
Fixes gh-3887
2016-06-20 15:30:00 -05:00
39ed7d0eca
Propagate rolePrefix to LdapAuthoritiesPopulator
...
Previous to this commit, custom rolePrefix was not propagated to
LdapAuthoritiesPopulator populating a wrong authority. Now, rolePrefix
is propagated and the authority is as expected.
Fixes gh-3921
2016-06-20 12:44:02 -05:00
a2ead4cf7a
Polish
...
Fixes gh-3892
2016-06-20 12:35:43 -05:00
2d6051625f
Update pom.xml
2016-06-17 14:30:11 -05:00
477573b3bc
Fix @EnableGlobalAuthentication & method seucrity on @Configuration class
...
Fixes gh-3934
2016-06-17 14:05:11 -05:00
fa1c484587
AuthenticationConfiguration.getAuthenticationManager() supports recursion
...
AuthenticationConfiguration.getAuthenticationManager() now supports
recursion. This is necessary in instances where something using
@EnableGlobalAuthentication requires an object using method level security.
Fixes gh-3935
2016-06-17 14:02:36 -05:00
9e3d2e2d99
HTTP Basic default logout ignores text/html
...
This fixes an issue where Chrome sends an accept header of application/xml
which triggers an HTTP 204 to be returned
Fixes gh-3902
2016-06-14 16:27:56 -05:00
d3b3f8e004
Fix WebSecurityConfigurerAdapter Javadoc
...
The constructor's Javadoc was incorrect. This commit
fixes it.
2016-05-23 08:12:50 -05:00
001b05569a
Release version 4.1.0.RELEASE
2016-05-05 04:25:46 +00:00
e68d8bfaea
Clarifies sessionAuthenticationStrategy setter
...
Fixes gh-234
2016-05-02 13:21:58 -05:00
491abf2600
Revert "Fix test for SessionManagementConfigurer"
...
This reverts commit 17b25d1477
2016-05-02 13:21:58 -05:00
0d2b797c2a
Revert "Fix sessionAuthenticationStrategy setter"
...
This reverts commit 8f5d46ad68
2016-05-02 13:21:58 -05:00
17b25d1477
Fix test for SessionManagementConfigurer
...
Fixes gh-234
2016-04-21 16:50:03 -04:00
8f5d46ad68
Fix sessionAuthenticationStrategy setter
...
sessionAuthenticationStrategy was setting sessionFixationAuthenticationStrategy instead
Fixes gh-234
2016-04-21 16:21:54 -04:00
24d0069668
Release version 4.1.0.RC2
2016-04-21 01:47:25 +00:00
Joe Grandja
Rob Winch
Stephan Schroevers
Craig Andrews
stonio
Thomas Darimont
Vedran Pavic
Rob Winch
Spring Buildmaster
Joris Kuipers
Kazuki Miyahara
Johnny Lim
Eddú Meléndez
Fred Cooke
Marten Deinum
novotnyr
Michael J. Simons
Jakob Englisch
Tony Dalbrekt
Sola
didiez