963 Commits

Author SHA1 Message Date
guo fei
c0e66a9ba1 1. add customization support for double forwardslash in StrickHttpFirewall
2. add getEncodedUrlBlacklist() and getDecodedUrlBlacklist() method in StrickHttpFirewall

Fixes gh-6292
2019-01-15 13:42:33 -06:00
Johnny Lim
c94f13a971 Polish tests 2019-01-08 11:16:22 -06:00
Slava Semushin
d8d9abed2a LazyCsrfTokenRepository: fix a typo in javadoc. 2019-01-07 13:35:00 -06:00
Josh Cummings
7a55af246e
Polish tests and javadoc
When using AssertJ, it's easy to commit the following error

assertThat(some boolean condition)

The above actually does nothing. It at least needs to be

assertThat(some boolean condition).isTrue()

This commit refines some assertions that were missing a verify
condition.

Also, one Javadoc was just a little bit confusing, so this
clarifies it.

Issue: gh-6259
2018-12-21 08:47:37 -07:00
Rafael Dominguez
086b105273
Remove Servlet 2.5 Support for Session Fixation
This commit removes existence validation of a method only available in Servlet 3.1.
Spring Framework baseline is Servlet 3.1 so is not longer required.

Fixes: gh-6259
2018-12-21 08:47:37 -07:00
finke-ba
b838f7c7b7 Add WebFlux support for spring security web jackson module.
Fixes: gh-6303
2018-12-19 10:11:17 -06:00
Shawn Biesan
a919b4e916 Remove servlet getHeader check and test
Fixes: gh-6265
2018-12-18 13:25:10 -07:00
finke-ba
9c7cab835f Add conditionally servlet based support for spring security web jackson module. 2018-12-18 14:21:31 -06:00
Dongmin Shin
3230cd653c Remove Servlet Spec 2.5 Support for HttpSessionSecurityContextRepository
Fixes: gh-6261
2018-12-17 12:56:33 -07:00
Dongmin Shin
733a380bc7 Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter
Fixes: gh-6260
2018-12-17 12:52:59 -07:00
Rob Winch
a90c217446 Fix LoginPageGeneratingWebFilter Markup
Fixes: gh-6295
2018-12-17 11:15:59 -06:00
Ian He
9818da79fe Fix DefaultLoginPageGeneratingFilter Markup
the `</h3>` should be `</h2>`.
2018-12-17 10:50:03 -06:00
Dongmin Shin
fc802e1a7c Remove Servlet 2.5 and 3.0 Support for Remember Me and CSRF
Fixes: gh-6263, Fixes: gh-6262
2018-12-14 06:47:21 -07:00
Dongmin Shin
0d2af416aa Add cookieDomain to CookieCsrfTokenRepository
Fixes: gh-4315
2018-12-13 15:01:24 -07:00
Ankur Pathak
2b369cfe98 Added support for Anonymous Authentication
1. Created new WebFilter AnonymousAuthenticationWebFilter to
for anonymous authentication
2. Created class AnonymousSpec, method anonymous to configure
anonymous authentication in ServerHttpSecurity
3. Added ANONYMOUS_AUTHENTICATION order after AUTHENTICATION for
anonymous authentication in SecurityWebFiltersOrder
4. Added tests for anonymous authentication in
AnonymousAuthenticationWebFilterTests and ServerHttpSecurityTests
5. Added support for Controller in WebTestClientBuilder

Fixes: gh-5934
2018-12-12 16:05:30 -06:00
lmagyar
3c35f4cfab SecurityContextCallableProcessingInterceptor thread visibility fix
Within class SecurityContextCallableProcessingInterceptor field securityContext should volatile.

Fixes gh-6143
2018-12-03 15:45:56 -06:00
Bhavik Kumar
90b9cfaf55 Use SpringUtils to check scheme
Fixes 6183
2018-11-29 20:42:39 -06:00
John Coyne
7618d236c4 CookieClearingLogoutHandler updates based on comments
Changed the implementation to use an anonymous function
Issue: gh-6078
2018-11-26 14:33:08 -06:00
John Coyne
14c2d96c86 Clean up code to conform to basic checkstyle
Issue: gh-6078
2018-11-26 14:33:08 -06:00
John Coyne
d05ad19276 CookieClearingLogoutHandler enhancement
Enabled the ability to pass in an array of Cookies to support clearing cookies on a different path other than the default context path
Issue: gh-6078
2018-11-26 14:33:08 -06:00
Josh Cummings
8a475e39be Write Security Headers Before Servlet Include
HeaderWriterFilter wraps request dispatcher so it can write security
headers before the include occurs.

Fixes: gh-5499
2018-10-31 09:27:25 -05:00
sunflower-seed
2e6ff72c31 Update SubjectDnX509PrincipalExtractor.java
Added missing asterisk
2018-10-17 14:56:45 -05:00
Eric Deandrea
b060ec050a Automatically add CsrfServerLogoutHandler if csrf enabled
The configuration DSL should automatically add CsrfServerLogoutHandler if csrf is enabled

Fixes gh-5337
2018-09-21 00:59:36 -05:00
Rob Winch
e4597b5213 WebSessionServerRequestCache ignores favicon and html
Fixes: gh-5874
2018-09-19 14:28:05 -05:00
Rob Winch
8e4d540bfb Default Log Out Pages Use HTTPS for CSS
Fixes: gh-5873
2018-09-19 13:52:35 -05:00
Rob Winch
9c749bf556 Fix SwitchUserFilter matchers
Fixes: gh-4249
2018-09-14 09:45:41 -05:00
Rob Winch
8b19f7a71a AntPathRequestMatcher supports UrlPathHelper
Fixes: gh-5846
2018-09-14 09:45:41 -05:00
Rob Winch
96d85ad2b5 Polish HttpsRedirectWebFilter
Issue: gh-5749
2018-09-07 14:29:46 -05:00
Josh Cummings
2c982a4168 Reactive Redirect to Https
This introduces the capability to configure Reactive Spring Security
to upgrade requests to HTTPS

Fixes: gh-5749
2018-09-07 14:25:58 -05:00
Josh Cummings
21e62683ab
Polish Commit on Reactive Http Basic Test 2018-09-07 10:01:11 -06:00
Tim Koopman
6df4dfe47b
Reactive HttpBasic Support For Coloned Passwords
This makes so that reactive httpBasic supports passwords containing
one or more colons.
2018-09-07 10:01:11 -06:00
Josh Cummings
1c74706232 Delegating ServerAccessDeniedHandler by exchange
Fixes: gh-5747
2018-08-31 10:33:11 -05:00
Vedran Pavic
cb0ba58b58 Fix WhitespaceAfterCheck Checkstyle check 2018-08-27 10:45:35 -05:00
Rob Winch
1640a1f462 Polish ServerAuthenticationConverter
Fix package tangles

Issue: gh-5338
2018-08-24 09:44:27 -05:00
Josh Cummings
416a276436
Expose Default Reactive CsrfProtectionMatcher
Make so that users can augment the default protection logic with
their own.

Fixes: gh-5725
2018-08-22 13:02:02 -06:00
Rob Winch
f5701b5fe0 Fix OptimizeAntPathRequestMatcher
Previously the logic for determining if the pathInfo should be appended
was inverted.

This correctly concatenates url + pathInfo if url is a non empty String.

Fixes: gh-5473
2018-08-21 11:52:55 -05:00
Christoph Dreis
4ccd2f7ebd Optimize AntPathRequestMatcher.getRequestPath() 2018-08-21 11:46:37 -05:00
Vedran Pavic
f382b69507 Add reactive support for Referrer-Policy security header 2018-08-20 10:10:59 -05:00
Vedran Pavic
10621a0f2c Add reactive support for Content-Security-Policy security header 2018-08-20 10:03:42 -05:00
Vedran Pavic
29cfc3dd1d Add reactive support for Feature-Policy security header
Closes gh-5672
2018-08-20 09:02:12 -05:00
Rob Winch
f843da1942 Add OAuth2LoginAuthenticationWebFilter
This is necessary so that the saving of the authorized client occurs
outside of the ReactiveAuthenticationManager. It will allow for
saving with the ServerWebExchange when ReactiveOAuth2AuthorizedClientRepository
is added.

Issue: gh-5621
2018-08-19 21:11:43 -05:00
Rob Winch
e3eaa99ad0 Polish ServerAuthenticationConverter
Update changes for ServerAuthenticationConverter to be passive.

Issue: gh-5338
2018-08-18 19:55:39 -05:00
Eric Deandrea
b6afe66d32 Add ServerAuthenticationConverter interface
- Adding an ServerAuthenticationConverter interface
- Retro-fitting ServerOAuth2LoginAuthenticationTokenConverter,
 ServerBearerTokenAuthentivationConverter, ServerFormLoginAuthenticationConverter,
 and ServerHttpBasicAuthenticationConverter to implement ServerAuthenticationConverter
- Deprecate existing AuthenticationWebFilter.setAuthenticationConverter
and add overloaded one which takes ServerAuthenticationConverter

Fixes gh-5338
2018-08-18 19:55:39 -05:00
Vedran Pavic
c6ea447cc0 Add support for Feature-Policy security header 2018-08-16 09:31:02 -05:00
Johnny Lim
68878a1675 Replace isEqualTo(null) with isNull() 2018-08-09 18:04:48 -06:00
Johnny Lim
973af94b42 Fix typo 2018-08-07 22:52:59 -05:00
Rob Winch
0c26d1b98a ServerHttpBasicAuthenticationConverter Validates Scheme Name
Fixes: gh-5414
2018-07-31 09:10:23 -05:00
Rob Winch
e3d4d66917 BasicAuthenticationFilter case insenstive
Fixes: gh-5586
2018-07-31 09:10:10 -05:00
Rob Winch
afa2d9cbc7 Remove ExchangeFilterFunctions
Issue: gh-5612
2018-07-30 15:34:44 -05:00
Rob Winch
262c1a77c6 Remove SecurityHeaders
We no longer need this since Spring Framework now provides
HttpHeaders.setBearerAuth

Issue: gh-5612
2018-07-30 15:34:40 -05:00