spring-security

Commit Graph

Author	SHA1	Message	Date
Marcus Da Coregio	2c2603ba0f	Update io.projectreactor to 2020.0.24 Closes gh-12001	2022-10-13 09:24:20 -03:00
Marcus Da Coregio	f7f53ea2b7	Update jackson-bom to 2.13.4.20221012 Closes gh-11997	2022-10-13 09:22:28 -03:00
Joe Grandja	185991a606	Revert "Add default AuthorizationManager" This reverts commit `4ddec07d0e`.	2022-10-13 06:18:00 -04:00
Steve Riesenberg	440748ec65	Add test support for Xor CSRF tokens Issue gh-4001	2022-10-12 15:02:15 -05:00
Steve Riesenberg	8bd25f90e4	Polish XorServerCsrfTokenRequestAttributeHandlerTests	2022-10-12 12:31:56 -05:00
Steve Riesenberg	804f20045e	Polish XorCsrfTokenRequestAttributeHandlerTests	2022-10-12 12:30:40 -05:00
Steve Riesenberg	05e4a1dd20	Cache Xor CsrfToken Closes gh-11988	2022-10-12 12:30:40 -05:00
Joe Grandja	ffbcaca24a	Update reference for PasswordEncoders Issue gh-10506	2022-10-12 07:32:30 -04:00
Joe Grandja	c50441b59f	Update default configuration for Pbkdf2PasswordEncoder The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are: If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256. Previous default configuration: algorithm=SHA1, iterations=185000, hashLength=256 New default configuration: algorithm=SHA256, iterations=310000, hashLength=256 The default salt length was also updated from 8 to 16. Closes gh-10506, Closes gh-10489	2022-10-12 00:45:10 -04:00
Joe Grandja	f8419003eb	Update default configuration for SCryptPasswordEncoder The recommended minimums for scrypt, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are: Use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1. Previous default configuration: cpuCost=16384, memoryCost=8, parallelism=1 New default configuration: cpuCost=65536, memoryCost=8, parallelism=1 The default salt length was also updated from 64 to 16. Issue gh-10506	2022-10-12 00:14:07 -04:00
Joe Grandja	2ea62d0f8b	Update default configuration for Argon2PasswordEncoder The recommended minimums for Argon2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are: Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism. Previous default configuration: memory=4, iterations=3, parallelism=1 New default configuration: memory=16, iterations=2, parallelism=1 Issue gh-10506	2022-10-11 18:04:37 -04:00
Josh Cummings	8d096554f8	Add AuthorizationEvent Closes gh-11972	2022-10-10 12:28:57 -06:00
Marcus Da Coregio	6e2e76978f	Merge branch '5.7.x' into 5.8.x Closes gh-11980	2022-10-10 11:01:56 -03:00
Marcus Da Coregio	b17ba7cdcc	Merge branch '5.6.x' into 5.7.x Closes gh-11979	2022-10-10 11:01:27 -03:00
Marcus Da Coregio	e0f8c711d8	Add default value for cloneOutputDirectory property Closes gh-11969	2022-10-10 11:00:47 -03:00
Marcus Da Coregio	4b6fed0667	Add static factory method to AntPathRequestMather and RegexRequestMatcher Closes gh-11938	2022-10-10 09:24:15 -03:00
Steve Riesenberg	37fa49b32d	Polish gh-11952	2022-10-07 17:40:12 -05:00
Steve Riesenberg	f462134e87	Add reactive support for BREACH Closes gh-11959	2022-10-07 16:34:17 -05:00
Steve Riesenberg	f4ca90e719	Add reactive interfaces for CSRF request handling Issue gh-11959	2022-10-07 16:34:16 -05:00
Marcus Da Coregio	f3321c256c	Add XML support for shouldFilterAllDispatcherTypes Closes gh-11492	2022-10-07 10:20:32 -03:00
Marcus Da Coregio	8a5aed2983	Add deprecation warning to CsrfDsl#ignoringAntMatchers Issue gh-11347	2022-10-06 13:50:38 -03:00
Marcus Da Coregio	bc4ad52feb	Add deprecation warning to mvcMatchers methods Issue gh-11347	2022-10-06 13:21:27 -03:00
Josh Cummings	380a6a2564	Polish SecurityContextHolderStrategy Usage - Add to HttpSessionSecurityContextRepository#saveContext Issue gh-11060	2022-10-05 23:59:14 -06:00
Josh Cummings	0c0e298aa7	Polish Saml2 XML Use of SecurityContextHolderStrategy Issue gh-11061	2022-10-05 23:38:14 -06:00
Josh Cummings	b4d13e7726	Polish use-authorization-manager - Use SecurityContextHolderStrategy - Allow empty role prefix - Disallow access-decision-manager-ref and authorization-manager-ref together Issue gh-11305	2022-10-05 22:21:09 -06:00
Josh Cummings	7043ef6ccb	Polish OpaqueTokenAuthenticationConverterTests Issue gh-11665	2022-10-05 22:18:41 -06:00
Josh Cummings	f16d47c7b5	Polish DefaultHttpSecurityExpressionHandler Issue gh-11105	2022-10-05 21:47:14 -06:00
Josh Cummings	4ddec07d0e	Add default AuthorizationManager Closes gh-11963	2022-10-05 21:37:41 -06:00
Steve Riesenberg	dce1c30522	Add support for BREACH Closes gh-4001	2022-10-05 14:21:13 -05:00
Rob Winch	a5cc1f0b60	Merge branch '5.7.x' into 5.8.x Closes gh-11956	2022-10-05 13:58:44 -05:00
Rob Winch	37dd896d4b	Merge branch '5.6.x' into 5.7.x Closes gh-11955	2022-10-05 13:57:25 -05:00
Dan Allen	e0843aabb1	automatically manage docs version (with collector)	2022-10-05 13:56:22 -05:00
Steve Riesenberg	c1fcf275d9	Update What's New for 5.8 Issue gh-11952	2022-10-05 13:48:18 -05:00
Steve Riesenberg	1d706ae13d	Add csrfTokenRequestResolver to CsrfDsl Closes gh-11952	2022-10-05 13:35:23 -05:00
Marcus Da Coregio	bf6e85ec15	Accept String varargs in securityMatcher Issue gh-9159	2022-10-05 13:44:08 -03:00
Marcus Da Coregio	ace8caa182	Remove mvcMatchers usage from docs Issue gh-11347	2022-10-05 13:19:37 -03:00
Steve Riesenberg	475b3bb6bb	Add deferred CsrfTokenRepository.loadDeferredToken * Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken> * Move RepositoryDeferredCsrfToken to top-level and make package-private * Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse) * Update CsrfFilter * Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler Issue gh-11892 Closes gh-11918	2022-10-03 17:10:54 -05:00
Daniel Garnier-Moiroux	0e215a21ad	Add X-Xss-Protection headerValue to XML config Issue gh-9631	2022-10-03 14:29:34 -05:00
Marcus Da Coregio	039e0328e1	Simplify Java Configuration RequestMatcher Usage If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity Closes gh-11347 Closes gh-9159	2022-10-03 15:55:20 -03:00
Daniel Garnier-Moiroux	bf59d7c374	Update What's New for 5.8	2022-10-03 10:05:25 -05:00
Steve Riesenberg	7f9600ae08	Polish gh-11896	2022-10-03 09:57:08 -05:00
Marcus Da Coregio	64a19de4dc	Deprecate HPKP security header Closes gh-10144	2022-10-03 11:36:19 -03:00
Marcus Da Coregio	7be2eb05d5	Merge branch '5.7.x' into 5.8.x	2022-10-03 10:10:06 -03:00
Marcus Da Coregio	cd4ddde779	Merge branch '5.6.x' into 5.7.x	2022-10-03 10:09:42 -03:00
Daniel Garnier-Moiroux	26bb60c567	Add rncToXsd task description to CONTRIBUTING.adoc	2022-10-03 10:09:27 -03:00
Rob Winch	6d56af7b65	SessionManagementDsl.requireExplicitAuthenticationStrategy	2022-09-30 21:37:44 -05:00
Josh Cummings	f054505d6d	Support Deferred Contexts Closes gh-11817 Issue gh-10913	2022-09-30 16:49:47 -06:00
Daniel Garnier-Moiroux	93250013e4	Make X-Xss-Protection configurable through ServerHttpSecurity OWASP recommends using "X-Xss-Protection: 0". The default is currently "X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0". This commits adds the ability to configure the xssProtection header value in ServerHttpSecurity. This commit deprecates the use of "enabled" and "block" booleans to configure XSS protection, as the state "!enabled + block" is invalid. This impacts HttpSecurity. Issue gh-9631	2022-09-30 09:38:08 -05:00
Steve Riesenberg	7b1158ddb7	Merge branch '5.7.x' into 5.8.x	2022-09-29 14:09:10 -05:00
Steve Riesenberg	70c61dc1dd	Merge branch '5.6.x' into 5.7.x	2022-09-29 14:08:17 -05:00

1 2 3 4 5 ...

11784 Commits All Branches Search

11784 Commits

All Branches