Josh Cummings
a45df2c802
Move OIDC Reactive Packaging
2019-03-19 09:00:46 -06:00
Josh Cummings
8f5493acce
Move OIDC Servlet Packaging
2019-03-19 09:00:46 -06:00
Josh Cummings
fba31dfb6a
Reactive Oidc RP-Initiated Logout
...
Issue: gh-5350
2019-03-19 09:00:46 -06:00
Josh Cummings
248a8c030b
Support for OIDC RP-Initiated Logout
...
Fixes: gh-5350
2019-03-19 09:00:46 -06:00
Josh Cummings
9478abebd2
Internalize Nimbus JwtDecoder Builder
...
Issue: gh-6010
2019-03-18 12:32:44 -06:00
Spring Operator
b93528138e
URL Cleanup
...
This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener).
# Fixed URLs
## Fixed Success
These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended.
* http://www.apache.org/licenses/ with 1 occurrences migrated to:
https://www.apache.org/licenses/ ([https](https://www.apache.org/licenses/) result 200).
* http://www.apache.org/licenses/LICENSE-2.0 with 2691 occurrences migrated to:
https://www.apache.org/licenses/LICENSE-2.0 ([https](https://www.apache.org/licenses/LICENSE-2.0) result 200).
* http://www.apache.org/licenses/LICENSE-2.0.html with 2 occurrences migrated to:
https://www.apache.org/licenses/LICENSE-2.0.html ([https](https://www.apache.org/licenses/LICENSE-2.0.html) result 200).
2019-03-14 15:46:20 -05:00
Josh Cummings
da0f969929
NamespaceExpressionHandlerTests groovy->java
...
Issue: gh-4939
2019-03-11 12:01:51 -06:00
Josh Cummings
9642d33a6b
NamespaceHttpX509Tests groovy->java
...
Fixes: gh-4939
2019-03-06 16:46:06 -07:00
Aanuoluwapo Otitoola
ad9dc49d55
OAuth2LoginSpec discovers ReactiveOAuth2AccessTokenResponseClient @Bean
...
Fixes: gh-6477
2019-03-04 15:44:42 -05:00
Rafiullah Hamedy
82d527ed42
Add Support for Clear Site Data on Logout
...
Added an implementation of HeaderWriter for the Clear-Site-Data HTTP
response header as well as an implementation of LogoutHandler
that accepts an implementation of HeaderWriter to write headers.
- Added ClearSiteDataHeaderWriter and HeaderWriterLogoutHandler
that implement HeaderWriter and LogoutHandler respectively
- Added unit tests for both implementations' behaviours
- Integration tests for HeaderWriterLogoutHandler that uses
ClearSiteDataHeaderWriter
- Updated the documentation to include link to
HeaderWriterLogoutHandler
Fixes gh-4187
2019-02-28 11:01:08 -07:00
Josh Cummings
2b960b074b
Polish Eager Header Config Tests
...
In the Java config tests, there is a simplified way to configure
Spring, and that is with SpringTestRule.
Also, test names typically follow the when-then convention.
Issue: gh-6501
2019-02-18 09:24:17 -07:00
Ankur Pathak
ac13b55ecd
HeaderWriterFilter writes headers at beginning
...
Add support for HeaderWriterFilter to write headers at the beginning of the request
Fixes: gh-6501
2019-02-18 07:43:08 -07:00
Josh Cummings
fba25614bf
Reactive Opaque Token Support
...
Fixes: gh-6513
2019-02-15 15:59:25 -06:00
Josh Cummings
ef9c3e4771
Opaque Token Support
...
Fixes: gh-5200
2019-02-07 12:40:12 -07:00
Joe Grandja
594a169798
Introduce OAuth2AuthorizationRequest.attributes
...
Fixes gh-5940
2019-02-07 11:49:17 -05:00
Josh Cummings
5c2ee09bc3
Favor RestOperations in Resource Server Configurer
...
Also polished exposure of the JWK Set Uri for the tests where
MockWebServer is preferred.
Fixes: gh-6104
2019-01-29 15:43:09 -07:00
Ankur Pathak
8e6bcc1c35
No RequestMatcher After AnyRequest
...
Don't allow any type of RequestMatchers
after any request by throwing IllegalStateException
Fixes: gh-6359
2019-01-25 11:14:33 -07:00
Nick Bromfield
b581bb7eae
Add new configuration options for OAuth2LoginSpec
...
Fixes gh-5598
2019-01-24 10:37:52 -05:00
Ankur Pathak
2e70d66063
Improve CsrfBeanDefinitionParser xml parsing
...
1. CsrfBeanDefinitionParser registers requestDataValueProcessor
if not already registered
2. Created Tests in CsrfBeanDefinitionParserTests
Fixes: gh-6423
2019-01-22 13:56:20 -06:00
Ankur Pathak
ffe602fdbe
HTML markup fixed in DefaultLoginPageGeneratingFilter
...
Ending div moved out of condition.
Fixes: gh-6417
2019-01-22 13:20:35 -06:00
Josh Cummings
ca02d8a4f8
NamespaceLogoutTests groovy->java
...
Issue: gh-4939
2019-01-18 16:56:13 -07:00
Josh Cummings
e68b6f17de
NamespaceHttpBasicTests groovy->java
...
Issue: gh-4939
2019-01-18 15:41:26 -07:00
Ankur Pathak
b7ed919cee
Add preload support to Strict-Transport-Security
...
1. Preload support in Servlet Security(XML & Java)
2. Preload support in Reactive Security
3. Test for preload support in Servlet Security
4. Test for preload support in Reactive Security
Fixes: gh-6312
2019-01-16 11:10:06 -06:00
Mohammad Sadeq Dousti
d099a62a6f
hasRole should not be called on a string with "ROLE_" prefix ( #6353 )
...
Removed "ROLE_" from UrlAuthorizationConfigurer
This fixes IllegalArgumentException: ROLE_ANONYMOUS should not start
with ROLE_ since ROLE_
2019-01-15 08:59:34 -06:00
Johnny Lim
c94f13a971
Polish tests
2019-01-08 11:16:22 -06:00
Josh Cummings
1a02cafe81
NamespaceHttpAnonymousTests groovy->java
...
Issue: gh-4939
2019-01-07 15:04:26 -07:00
Josh Cummings
9b65107922
NamespaceDebugTests groovy->java
...
Issue: gh-4939
2019-01-04 17:53:31 -07:00
Farooq Khan
5f33bbe512
Removed isServlet30 check
2019-01-04 08:27:26 -07:00
Ankur Pathak
6e1db1105b
Fixes typo in x,rnc files
...
1. Fixes typo ammount to amount in *.rnc files
2. Regenerates *.xsd files from *.rnc files
Fixes: gh-6325
2019-01-02 11:17:02 -07:00
Ankur Pathak
f289ef8689
Fixes Documentation Problem
...
Fixes documentation problem of Anonymous Authentication
in ServerHttpSecurity
Fixes: gh-6327
2019-01-02 11:13:18 -07:00
Josh Cummings
d77b12d229
authorization_uri Uses UriComponentsBuilder
...
Because of this, authorization_uri can now be a fully-qualified url.
Fixes: gh-5760
2018-12-21 13:23:47 -07:00
Joe Grandja
9c0d78da71
Extract OidcTokenValidator to an OAuth2TokenValidator
...
Fixes gh-5930
2018-12-21 11:06:40 -05:00
Josh Cummings
7a55af246e
Polish tests and javadoc
...
When using AssertJ, it's easy to commit the following error
assertThat(some boolean condition)
The above actually does nothing. It at least needs to be
assertThat(some boolean condition).isTrue()
This commit refines some assertions that were missing a verify
condition.
Also, one Javadoc was just a little bit confusing, so this
clarifies it.
Issue: gh-6259
2018-12-21 08:47:37 -07:00
Rafael Dominguez
086b105273
Remove Servlet 2.5 Support for Session Fixation
...
This commit removes existence validation of a method only available in Servlet 3.1.
Spring Framework baseline is Servlet 3.1, so it is no longer required.
Fixes: gh-6259
2018-12-21 08:47:37 -07:00
Joe Grandja
12f320851d
Set openid scope in OAuth2LoginTests
2018-12-21 09:24:55 -06:00
Joe Grandja
8f4f52edb9
Support configurable JwtDecoder for IdToken verification
...
Fixes gh-5717
2018-12-21 09:24:55 -06:00
Robbie Martinus
e60ae4984a
Add hasAnyAuthority() and hasAnyRole() in AuthorizeExchangeSpec
...
Fixes gh-6306
2018-12-19 09:55:47 -06:00
Ankur Pathak
3bcb1d9458
Allow setting authenticationEntryPoint for Http Basic
...
1. Added method authenticationEntryPoint in ServerHttpSecurity to allow
setting authenticationEntryPoint.
2. Added test in ServerHttpSecurityTests to check if
the specified realm name set by authenticationEntryPoint is
returned
Fixes: gh-6270
2018-12-17 11:24:11 -06:00
Ankur Pathak
2b369cfe98
Added support for Anonymous Authentication
...
1. Created new WebFilter AnonymousAuthenticationWebFilter
for anonymous authentication
2. Created class AnonymousSpec, method anonymous to configure
anonymous authentication in ServerHttpSecurity
3. Added ANONYMOUS_AUTHENTICATION order after AUTHENTICATION for
anonymous authentication in SecurityWebFiltersOrder
4. Added tests for anonymous authentication in
AnonymousAuthenticationWebFilterTests and ServerHttpSecurityTests
5. Added support for Controller in WebTestClientBuilder
Fixes: gh-5934
2018-12-12 16:05:30 -06:00
ir73
9a357f8cb6
Moved CachingUserDetailsService to spring-core
...
Made CachingUserDetailsService constructor public and moved to spring-core to make it easier to configure caching in UserDetailsService
Fixes gh-4139
2018-12-11 13:22:08 -06:00
Dongmin Shin
56eb658eae
RoleVoter Configuration Defaults Prefix Using GrantedAuthorityDefaults
...
Fixes: gh-4876
2018-12-07 14:17:44 -06:00
Ankur Pathak
8b3fb55aea
Added methods to add filter relatively in ServerHttpSecurity
...
Addition of two new methods addFilterBefore and addFilterAfter in
ServerHttpSecurity to allow addition of a WebFilter before and after a
specified order
Fixes: gh-6138
2018-12-04 13:29:53 -06:00
Daniel Bustamante Ospina
6bddb38cac
Update to Gradle 5.0
...
Change project's gradle version to 5.0; this requires making some minor
adjustments.
Fixes: gh-6148
2018-11-30 08:50:47 -06:00
Joe Grandja
b8f038e86a
Polish OAuth2ResourceServerConfigurer
2018-11-30 06:37:00 -05:00
Eric Deandrea
be423debfd
ServerAuthenticationConverter should be configurable
...
Fixes gh-6186
2018-11-29 14:37:22 -07:00
Josh Cummings
3a43ed8f1c
Register NullRequestCache When Disabled
...
Fixes: gh-6102
2018-11-20 07:15:09 -07:00
Josh Cummings
f30fcdda6b
RequestCacheConfigurerTests groovy->java
...
Issue: gh-4939
2018-11-16 15:40:12 -07:00
Josh Cummings
686393ed5c
ExceptionHandlingConfigurerTests groovy->java
...
Issue: gh-4939
2018-11-16 14:51:26 -07:00
Josh Cummings
1ea73e7d8e
Jwt Decoder Local Key Configuration
...
Adds support for configuring Resource Server DSL with a local public
key.
Fixes: gh-5131
2018-11-16 13:07:19 -06:00
Josh Cummings
d28e32b000
NimbusJwtDecoder Builder
...
A Builder to simplify common construction patterns for NimbusJwtDecoder
Issue: gh-6010
2018-11-14 15:53:47 -06:00
Karl Goffin
db5e54266c
#3912 lazyBean method respects @Primary annotation
2018-11-14 14:31:29 -06:00
Josh Cummings
8eedb3919e
Polish OAuth2ResourceServerSpecTests
...
Issue: gh-6052
2018-11-12 15:01:15 -07:00
Erik van Paassen
3a6582d2a6
Fix csrf:token-repository-ref XSD documentation
...
The documentation of the token-repository-ref attribute of the csrf
element in the schema has been updated to make clear the default
repository is lazy. Targets versions 4.2, 5.0 and 5.1.
Fixes gh-6037
2018-11-08 10:14:49 -06:00
Josh Cummings
9a13f9acde
Custom Bearer Token Error Handling Support
...
Users can specify a custom access denied handler and authentication
entry point for reactive resource servers.
Fixes: gh-6052
2018-11-07 16:29:56 -06:00
Josh Cummings
75e7e099ab
MiscHttpConfigTests groovy->java
...
Issue: gh-4939
2018-10-30 12:58:20 -06:00
Bob Maertz
52be2839ca
Migrated unit test from groovy to java
...
Moved AbstractConfigAttributeRequestMatcherRegistryTests.groovy to AbstractConfigAttributeRequestMatcherRegistryTests.java
gh-4939
2018-10-23 20:04:42 -05:00
Joe Grandja
8ef65ce5c5
Set AuthenticationEventPublisher on each AuthenticationManagerBuilder
...
Fixes gh-6009
2018-10-23 14:08:23 -04:00
Brian Demers
8f49ca850a
Fixing IllegalStateException message in OAuth2ResourceServerConfigurer
...
Updated message to include `http.oauth2ResourceServer()`
2018-10-17 15:14:36 -05:00
Josh Cummings
bd9e3877f9
JDK 10 Compatibility
...
Upgrading dependencies and reconfiguring PowerMock
Issue: gh-5860
2018-10-17 15:03:42 -05:00
Joe Grandja
921abefaa2
Remove address and phone scope from CommonOAuth2Provider.OKTA
...
Fixes gh-5987
2018-10-17 11:50:34 -04:00
Josh Cummings
22bd8f1c1f
Reactive Jwt Authentication Converter Support
...
Fixes: gh-5092
2018-10-15 11:55:12 -05:00
Rob Winch
93ca455405
OAuth2LoginAuthenticationFilter ignores authenticated Users
...
This ensures that OAuth2 Client support works with the same log in URL as
oauth2 login.
Fixes: gh-5915
2018-10-12 16:29:27 -05:00
Rob Winch
5d18bb68ed
Add @formatter to @EnableWebFluxSecurity Javadoc
...
Fixes: gh-5898
2018-09-21 08:11:50 -05:00
Rob Winch
45a9c0fd54
Polish Automatically Add CsrfServerLogoutHandler
...
Issue: gh-5337
2018-09-21 00:59:36 -05:00
Eric Deandrea
b060ec050a
Automatically add CsrfServerLogoutHandler if csrf enabled
...
The configuration DSL should automatically add CsrfServerLogoutHandler if csrf is enabled
Fixes gh-5337
2018-09-21 00:59:36 -05:00
Vedran Pavic
79828d4f7b
Polish WebFlux Referrer-Policy header config
2018-09-20 17:14:16 -05:00
Rob Winch
8a49c431c3
Add OAuth2ClientSpec.and
...
Fixes: gh-5888
2018-09-20 10:19:21 -05:00
Josh Cummings
73c1abbba0
EnableGlobalMethodSecurity Misconfiguration Check
...
This polishes the EnableGlobalMethodSecurity misconfiguration check to
not error if the user has specified a custom method security metadata
source.
Issue: gh-5341
2018-09-20 07:55:03 -06:00
artsiom
1e864ad764
Validate @EnableGlobalMethodSecurity usage
...
Fixes: gh-5341
2018-09-20 07:55:03 -06:00
Rob Winch
9e0c7f17b7
Default RequestCache should ignore favicon
...
Fixes: gh-5875
2018-09-19 14:29:14 -05:00
Joe Grandja
8b0a3a760c
Use providedSessionAuthenticationStrategy
...
Fixes gh-5763
2018-09-19 07:04:49 -04:00
Rob Winch
501c008526
Add WebFlux Redirect to HTTPS Reference
...
Fixes: gh-5869
2018-09-18 21:12:37 -05:00
Rob Winch
54d07b6b8b
Add WebFlux HTTP Headers Reference
...
Fixes: gh-5868
2018-09-18 17:09:41 -05:00
Rob Winch
72301e548a
Reactive OAuth2 DSL Customizations
...
Fixes: gh-5855
2018-09-17 21:21:36 -05:00
Rob Winch
385bdfc055
OAuth2AuthorizationCodeGrantWebFilter works with /{action}/
...
This ensures that the same URL can work for both log in and
authorization code which prevents having to create additional registrations
on the client and potentially on the server (GitHub only allows a single
valid redirect URL).
Fixes: gh-5856
2018-09-17 21:21:36 -05:00
Rob Winch
68bc649a45
Fix XsdDocumentedTests
...
Issue: gh-5836
2018-09-12 19:56:30 -05:00
Johnny Lim
42327a0aec
Polish OAuth2ResourceServerConfigurerTests
2018-09-10 13:24:16 -06:00
Josh Cummings
2c982a4168
Reactive Redirect to Https
...
This introduces the capability to configure Reactive Spring Security
to upgrade requests to HTTPS
Fixes: gh-5749
2018-09-07 14:25:58 -05:00
Johnny Lim
f164f2f869
Polish FilterComparator
...
Extracts STEP incrementing into a separate helper class
2018-09-07 10:30:57 -06:00
Rob Winch
438d2911fb
OAuth2AuthorizedClientResolver
...
Extract out a private API for shared code between the argument resolver
and WebClient support. This makes it easier to make changes in both
locations. Later we will extract this out so it is not a copy/paste
effort.
Issue: gh-4921
2018-09-07 08:58:00 -05:00
Rob Winch
07b6699fd9
ServerWebExchangeReactorContextWebFilter
...
Fixes: gh-5779
2018-09-07 08:49:27 -05:00
Sola
c60fcf263e
provide test for custom principal extractor config
...
Signed-off-by: Sola <dev@sola.love>
2018-09-05 15:51:14 -05:00
Sola
2980f96b55
Allow PrincipalExtractor to be customized.
...
Signed-off-by: Sola <dev@sola.love>
2018-09-05 15:51:14 -05:00
Josh Cummings
932ea245fb
AuthenticationManager for OAuth2ResourceServerSpec
...
This makes the AuthenticationManager used by the OAuth2 Resource
Server configurable, focusing at this point on the Jwt use case.
Fixes: gh-5750
2018-09-05 09:19:11 -05:00
Josh Cummings
25d1f49d84
Remove Resource Server's Session Policy Config
...
Resource Server doesn't need to set the session policy for the
application to STATELESS since it can rely on the
SessionManagementFilter ignoring tokens annotated with @Transient,
which a JwtAuthenticationToken is.
Fixes: gh-5759
2018-09-04 14:55:40 -06:00
Josh Cummings
8510e9a285
Reactive Resource Server insufficient_scope
...
This introduces an implementation of ServerAccessDeniedHandler that is
compliant with the OAuth 2.0 spec for insufficient_scope errors.
Fixes: gh-5705
2018-08-31 10:33:11 -05:00
Joe Grandja
229b69dd35
Add DefaultAuthorizationCodeTokenResponseClient
...
Fixes gh-5547
2018-08-27 12:44:19 -04:00
Vedran Pavic
cb0ba58b58
Fix WhitespaceAfterCheck Checkstyle check
2018-08-27 10:45:35 -05:00
Rob Winch
1640a1f462
Polish ServerAuthenticationConverter
...
Fix package tangles
Issue: gh-5338
2018-08-24 09:44:27 -05:00
Josh Cummings
68d836d508
Reactive Resource Server Csrf Bypass
...
This makes requests identified as bearer token requests skip the csrf
filter.
Fixes: gh-5710
2018-08-24 09:44:01 -05:00
Rob Winch
820fb7d828
Polish formatting ServerHttpSecurity JwtSpec
...
Fixes: gh-5728
2018-08-23 15:12:19 -05:00
Josh Cummings
cba2444e1a
ServerHttpSecurity ReactiveJwtDecoder discovery
...
This makes it so that WebFlux OAuth 2.0 Resource Server configuration
will pick up a ReactiveJwtDecoder exposed as a bean.
Fixes: gh-5720
2018-08-23 15:12:14 -05:00
Josh Cummings
0fdc081ab5
Add unit tests
...
Added some unit tests around some untested parts of the code that I
will be touching for this issue.
Issue: gh-5720
2018-08-23 15:11:40 -05:00
Joe Grandja
ff6e1232c8
Flatten HttpSecurity.oauth2()
...
Fixes gh-5715
2018-08-22 05:58:04 -04:00
Joe Grandja
0f89e59707
Simplified oauth2().client() DSL
...
Fixes gh-5662
2018-08-22 04:45:35 -04:00
Rob Winch
0dc80aed40
Flatten ServerHttpSecurity.oauth2()
...
Fixes: gh-5712
2018-08-21 15:48:41 -05:00
Rob Winch
53652584b2
ResourceServerSpec->OAuth2ResourceServerSpec
...
Fixes: gh-5713
2018-08-21 14:51:22 -05:00
Joe Grandja
c3e19e29b5
Remove authorizationEndpoint.baseUri in OAuth2ClientConfigurer
...
Fixes gh-5661
2018-08-21 15:33:58 -04:00
Vedran Pavic
f382b69507
Add reactive support for Referrer-Policy security header
2018-08-20 10:10:59 -05:00
Vedran Pavic
10621a0f2c
Add reactive support for Content-Security-Policy security header
2018-08-20 10:03:42 -05:00