Commit Graph

9675 Commits

Author SHA1 Message Date
Rob Winch 7e334f8abc Update jackson-bom to 2.12.5
Closes gh-10283
2021-09-17 16:40:58 -05:00
Rob Winch 963d40a7cd Update logback-classic to 1.2.6
Closes gh-10282
2021-09-17 16:40:58 -05:00
Steve Riesenberg d207d03bf7 Update What's New for 5.6 2021-09-17 14:40:57 -05:00
Marcus Hert da Coregio ab098f171d Propagate TestSecurityContextHolder to SecurityContextHolder
Create SecurityMockMvcResultHandlers to define security related MockMvc ResultHandlers
Create a method to allow copying the SecurityContext from the TestSecurityContextHolder to SecurityContextHolder

Closes gh-9565
2021-09-17 16:39:53 -03:00
Marcus Da Coregio 017c218bbd Update What's New section
Adds the SAML 2.0 Single Logout Support and the new Saml2AuthenticationRequestRepository
2021-09-17 13:57:23 -03:00
Marcus Da Coregio 0364518b69 Update Saml2LoginConfigurer to pick up Saml2AuthenticationTokenConverter bean
Closes gh-10268
2021-09-17 08:13:19 -03:00
Eleftheria Stein 1e76b11b3c Remove duplicate entry from test LDIF file
Closes gh-10274
2021-09-16 10:26:06 +02:00
Ashley Scopes 171522ebf2 Replace usages of deprecated OAuth2IntrospectionClaimNames
Replace all usages of OAuth2IntrospectionClaimNames with
the suggested OAuth2TokenIntrospectionClaimNames.

There does not appear to be any further usages of OAuth2IntrospectionClaimNames,
so it should be suitable for removal when appropriate in accordance with the
deprecation policy.
2021-09-15 15:05:08 -06:00
Ashley Scopes 7ccc915b2b Ensuring consistency in error handling of opaque providers/managers
The OpaqueTokenAuthenticationProvider now propagates the cause of
introspection exceptions in the same way that the reactive
OpaqueTokenReactiveAuthenticationManager does.

Fixed a final field warning on both OpaqueTokenAuthenticationProvider
and OpaqueTokenReactiveAuthenticationManager.
2021-09-15 15:05:08 -06:00
Ashley Scopes e9d5bbba34 Fixed final field warnings in opaque token introspectors 2021-09-15 15:05:08 -06:00
Ashley Scopes 729418ad7a Fix typo in headers asciidoc 2021-09-15 15:05:08 -06:00
Ashley Scopes 95c2403968 Fixed potential NullPointerException in opaque token introspection
It appears Nimbus does not check the presence of the Content-Type
header before parsing it in some versions, and since prior to this
commit, the code is .toString()-ing the result, a malformed response
(such as that from a misbehaving cloud gateway) that does not include
a Content-Type would currently throw a NullPointerException.

In addition to this, I have added a little more information to the
log output for this module on the standard and reactive implementations
to aid in debugging authorization/authentication issues much more
easily.
2021-09-15 15:05:08 -06:00
Ashley Scopes dd43d9198b Amended treatment of OAuth2 'iss' claim
Prior to this commit, the OAuth2 resource server code is failing any issuer
that is not a valid URL. This does not correspond to
https://datatracker.ietf.org/doc/html/rfc7662#page-7 which redirects to
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1, defining an
issuer as being a "StringOrURI", which is defined at
https://datatracker.ietf.org/doc/html/rfc7519#page-5 as being
an "arbitrary string value" that "MUST be a URI" only for
"any value containing a ':'".

The issue currently is that an issuer that is not a valid URL may be
provided, which will automatically result in the request being aborted
due to being invalid.

I have removed the check entirely, since while the claim could be invalid,
it is still a response that the OAuth2 introspection endpoint has provided.
In the liklihood that interpretations of this behaviour are different for
the OAuth2 server implementation in use, this currently stops Spring
Security from being able to be used at all without implementing a custom
introspector from scratch.

It is also worth noting that the spec does not specify whether it is
valid to normalize issuers or not if they are valid URLs. This may cause
other unintended side effects as a result of this change, so it is
safer to disable it entirely.
2021-09-15 15:05:08 -06:00
Dmitriy Bogdanov fe274e7553 Fix some list punctuation and capitalization in docs 2021-09-15 10:49:02 -06:00
Dmitriy Bogdanov 31a8f8c4df Fix the use of "s" with code blocks in docs 2021-09-15 10:49:02 -06:00
Dmitriy Bogdanov af4cc03dec Fix some typos and mistakes in docs 2021-09-15 10:49:02 -06:00
Josh Cummings 194993ad1a Add Saml2ParameterNames
Closes gh-10270
2021-09-14 17:40:12 -06:00
Anthony Lofton 8cba9fbf9d Updated test.adoc SecurityMockServerConfigurers method references
Updated all references to SecurityMockServerConfigurers to refer to
correct methods.
Added documentation for mockJwt to include the
SecurityMockServerConfigurers class.
2021-09-14 15:04:08 -03:00
Josh Cummings 4f06fc6ed1 Add Saml2LogoutConfigurer
Closes gh-9497
2021-09-13 16:39:48 -06:00
Josh Cummings c63d618b26 Add Single Logout Support
Closes gh-8731
2021-09-13 16:39:48 -06:00
Josh Cummings 6488295cad Add RelyingPartyRegistrationResolver
Closes gh-9486
2021-09-13 16:39:48 -06:00
Josh Cummings f5a525e740 Add Registration to Saml2Authentication
Closes gh-9487
2021-09-13 16:39:48 -06:00
Josh Cummings 822e59af45 useJUnitPlatform for SAML 2.0 Tests
Issue gh-9467
2021-09-13 16:39:48 -06:00
Josh Cummings 5da55448f9 Polish SecurityContextChangedEvent
- Changed methods to getOldContext and getNewContext

Closes gh-10249
2021-09-13 16:04:36 -06:00
Josh Cummings 3e87ef84ae Replace SecurityContextHolder#addListener
Closes gh-10226
2021-09-13 15:57:06 -06:00
Derek Van Blerkom 58d50888df Fix return type to allow further security config 2021-09-13 15:31:02 -03:00
heqiang 3443eac829 Fix typo in index.adoc 2021-09-13 16:32:32 +02:00
Yanming Zhou f2b2e6002f Replace static "ROLE_" with customized role prefix
Fix gh-4134
2021-09-09 11:48:25 -06:00
Eleftheria Stein df6ed74303 Compile with parameter names
Closes gh-10240
2021-09-08 10:01:47 +02:00
Marcus Da Coregio 6fae98a6f4 Update docs to point to ACL samples
Closes gh-10110
2021-09-06 11:14:57 -03:00
Josh Cummings 989c1419d5 Clarify OAuth 2.0 Resource Server Multitenancy Snippet
Closes gh-10233
2021-09-03 16:54:41 -06:00
Ayush Kohli f1691370d6 Closes gh-10222 2021-09-03 10:58:01 -06:00
Ayush Kohli 1cfe84922c Add Java examples to session management docs
Closes gh-8979
2021-08-26 10:14:48 +02:00
/usr/local/ΕΨΗΕΛΩΝ 4302a86fad
Default principalClaimName to SUB
Closes gh-10214
2021-08-20 15:02:22 -06:00
Rujun Chen 9b4ddd7e0a Make AuthorizationGrantTypeConverter support custom grant type
Closes gh-10155
2021-08-19 13:13:20 -04:00
Marcus Da Coregio d0fbe6b501 Update CI deployments to be dependent on Check Samples
Closes gh-10207
2021-08-19 10:13:38 -03:00
Marcus Da Coregio be91a78781 Update Check Samples job to run in parallel
Issue gh-9846
2021-08-17 11:15:10 -03:00
YevheniiLutsyshyn ac8e912ea1 Update a broken link to Spring Boot documentation 2021-08-17 11:33:49 +02:00
Rob Winch 87ec94a321 Next Development Version 2021-08-16 15:24:29 -05:00
Rob Winch b3cb7b388c Release 5.6.0-M2 2021-08-16 15:24:14 -05:00
Rob Winch 71f1cf1e0b Remove Remaining Sonar Reference
Issue gh-10205
2021-08-16 14:45:33 -05:00
Rob Winch 829733896c Remove unused Sonar from Build
Closes gh-10205
2021-08-16 14:42:38 -05:00
Rob Winch 1d4859a7ee Update org.slf4j to 1.7.32
Closes gh-10204
2021-08-16 14:18:54 -05:00
Rob Winch 0a40ce6181 Update htmlunit-driver to 2.52.0
Closes gh-10203
2021-08-16 14:18:54 -05:00
Rob Winch f8fad9d34d Update hibernate-entitymanager to 5.5.6
Closes gh-10202
2021-08-16 14:18:54 -05:00
Rob Winch f45f0b32b2 Update htmlunit to 2.52.0
Closes gh-10201
2021-08-16 14:18:54 -05:00
Rob Winch 0b068b9b81 Update io.projectreactor to 2020.0.10
Closes gh-10199
2021-08-16 14:18:54 -05:00
Rob Winch dd8048809b Update com.nimbusds to 9.12
Closes gh-10198
2021-08-16 14:18:54 -05:00
Rob Winch ad9da129a8 Update nebula-project-plugin to 8.1.0
Closes gh-10197
2021-08-16 14:18:54 -05:00
Rob Winch 9677ef17f3 Update logback-classic to 1.2.5
Closes gh-10196
2021-08-16 14:18:54 -05:00