Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-26 05:42:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
16,510 Commits 55 Branches 348 Tags
Commit Graph

16510 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
dependabot[bot]
86acba9d22 Bump io-spring-javaformat from 0.0.43 to 0.0.45 
Bumps `io-spring-javaformat` from 0.0.43 to 0.0.45.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-21 14:50:17 -06:00
Gurunathan
a4cd6f4278
Advise Overriding equals() and hashCode() in UserDetails Implementations 
This commit adds a documentation note explaining the importance of
overriding equals() and hashCode() in custom UserDetails implementations.

The default SessionRegistryImpl in Spring Security uses an in-memory
ConcurrentMap<Object, Set<String>>, Map<String,SessionInformation> to
associate principals with sessions. If a custom UserDetails class does
not properly override equals() and hashCode(), user sessions may not
be tracked or matched correctly.

I believe this helps developers avoid subtle session management issues
when implementing custom authentication logic.

Signed-off-by: Gurunathan <129361658+Gurunathan16@users.noreply.github.com>
 2025-05-21 12:41:44 -06:00
Rob Winch
5da31ab8a8
Use spring-io/codeql-actions 2025-05-20 15:52:36 -05:00
Mark Putsiata
cae3467a8d Improve AbstractPreAuthenticatedProcessingFilter docs 
Clarify misleading SecurityContextRepository setter documentation.
Note that AbstractPreAuthenticatedProcessingFilter saves the
SecurityContext upon successful authentication, and this behavior
can be customized via the setSecurityContextRepository setter.

Closes gh-14137

Signed-off-by: Mark Putsiata <m.putsiata@gmail.com>
 2025-05-19 09:45:53 -06:00
dependabot[bot]
a17b2a18d9
Bump org.springframework.data:spring-data-bom 
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.11 to 2024.0.12.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.11...2024.0.12)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-19 03:30:36 +00:00
dependabot[bot]
0cbc38cdd6
Bump org.springframework:spring-framework-bom from 6.1.19 to 6.1.20 
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.19 to 6.1.20.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.19...v6.1.20)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-16 03:22:19 +00:00
Josh Cummings
eb30fd7f59
Add Missing Header 
Issue gh-11161
 2025-05-15 18:16:36 -06:00
snowykte0426
260d298cc5 Add Migration Guide from Spring Security SAML Extension 
This adds a dedicated migration guide for users moving from the Spring Security SAML Extension to the built-in SAML 2.0 support.

Includes:
- Content migrated from the project wiki
- xref links for `saml2Login`, `saml2Logout`, and `saml2Metadata`
- Metadata example moved to Examples Matrix
- Cleanup and naming per review feedback

Closes gh-11161

Signed-off-by: snowykte0426 <snowykte0426@naver.com>
 2025-05-15 17:17:43 -06:00
dependabot[bot]
78a60d0d84
Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18 
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.17 to 2023.0.18.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.17...2023.0.18)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2023.0.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-14 03:23:25 +00:00
dependabot[bot]
a001f27690 Bump org-apache-maven-resolver from 1.9.22 to 1.9.23 
Bumps `org-apache-maven-resolver` from 1.9.22 to 1.9.23.

Updates `org.apache.maven.resolver:maven-resolver-connector-basic` from 1.9.22 to 1.9.23
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.22...maven-resolver-1.9.23)

Updates `org.apache.maven.resolver:maven-resolver-impl` from 1.9.22 to 1.9.23
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.22...maven-resolver-1.9.23)

Updates `org.apache.maven.resolver:maven-resolver-transport-http` from 1.9.22 to 1.9.23

---
updated-dependencies:
- dependency-name: org.apache.maven.resolver:maven-resolver-connector-basic
  dependency-version: 1.9.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-impl
  dependency-version: 1.9.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-transport-http
  dependency-version: 1.9.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-13 12:15:42 -06:00
Danilo Piazzalunga
27319e3f9b Add missing registration property in YAML listing 
Signed-off-by: Danilo Piazzalunga <danilopiazza@gmail.com>
 2025-05-13 11:17:35 -06:00
Danilo Piazzalunga
ec462e8bc5 Update assertingparty property usage in YAML snippets 
Spring Boot 2.7 renamed spring.security.saml2.relyingparty.registration.*.identityprovider.*
to spring.security.saml2.relyingparty.registration.*.assertingparty.*.

Closes gh-12810.

Signed-off-by: Danilo Piazzalunga <danilopiazza@gmail.com>
 2025-05-13 11:17:35 -06:00
dependabot[bot]
a4111a606b Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6 
Bumps [io.spring.gradle:spring-security-release-plugin](https://github.com/spring-io/spring-security-release-tools) from 1.0.5 to 1.0.6.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/v1.0.5...v1.0.6)

---
updated-dependencies:
- dependency-name: io.spring.gradle:spring-security-release-plugin
  dependency-version: 1.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-05-06 10:15:11 -06:00
Tran Ngoc Nhan
505fe3abed
Correct method name 
Closes gh-17031

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
 2025-05-06 10:17:29 -05:00
Rob Winch
9710492619
remove update-dependabot action 2025-05-05 13:34:16 -05:00
Rob Winch
9436796973
Use pull-request: write for gradlew updates 
Explicitly provide the permissions required for updating the Gradle
wrapper
 2025-05-05 11:49:08 -05:00
Josh Cummings
51239359ed
Fix ClearSiteData Code Snippet 
Closes gh-16948
 2025-05-02 15:57:31 -06:00
Josh Cummings
e48f26e51e
Propagate StrictFirewallRequest Wrapper 
Closes gh-16978
 2025-05-02 10:57:07 -06:00
Rob Winch
3b7e3a6c5c
codeql uses ubuntu-latest 2025-05-02 11:49:41 -05:00
Rob Winch
a04025c114
rm mark-duplicate-dependabot-prs.yml 2025-05-02 11:26:41 -05:00
Rob Winch
1564076276
Remove automerge forward 2025-05-02 11:23:01 -05:00
Rob Winch
ae09f36291
Add .github/workflows/codeql.yml 2025-05-02 11:15:37 -05:00
Soumik Sarker
bcef6ed74f Reformatted lines in x509 overview documentation 
Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>
 2025-05-01 12:02:45 -06:00
github-actions[bot]
c8581683da
Bump Gradle Wrapper from 8.13 to 8.14. 
Release notes of Gradle 8.14 can be found here:
https://docs.gradle.org/8.14/release-notes.html

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2025-04-29 14:48:42 -06:00
Josh Cummings
f631a0fcd5
Polish ClientRegistrationsTests 
Simplified the assertion so that it is focused on the core
behavior being verified. This will likely also make the test
more stable when updating Spring Framework versions.

Issue gh-16860
 2025-04-29 14:27:04 -06:00
Evgeniy Cheban
0e84f31a00 Add ClientRegistration's RestClient failed attempts information to exception message 
Closes gh-16860

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
 2025-04-29 13:43:20 -06:00
Yanming Zhou
9c76ab69f0 Use proper configuration key 
the getter method is `getOpaquetoken()` not `getOpaqueToken()`

See c6045c3111/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java (L51)

Signed-off-by: Yanming Zhou <zhouyanming@gmail.com>
 2025-04-29 13:37:51 -06:00
Josh Cummings
5354e4d2c5
Check for Null Issuer 
Closes gh-16989
 2025-04-28 11:18:32 -06:00
Rob Winch
db48d4ca50
rm merge-dependabot-pr.yml from Unsupported Branch 2025-04-25 13:17:14 -05:00
Josh Cummings
547d174f3e Fix Formatting 2025-04-24 10:43:03 -06:00
Roman Trapickin
d2d1275b39 Fix IllegalArgumentException message for unknown Argon2 types 
Array index 0 points to an empty string. Use index 1 instead.

Signed-off-by: Roman Trapickin <8594293+rntrp@users.noreply.github.com>
 2025-04-24 10:43:03 -06:00
dependabot[bot]
7bf776ec38 Bump org.springframework.data:spring-data-bom 
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.10 to 2024.0.11.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.10...2024.0.11)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-22 20:49:38 -07:00
Rob Winch
e47a6714a5
Update to io.spring.gradle:spring-security-release-plugin:1.0.5 
Closes gh-6.3.10
 2025-04-21 13:44:10 -05:00
github-actions[bot]
b9cae82b89 Next development version 2025-04-21 16:26:30 +00:00
github-actions[bot]
f6354250a1 Release 6.3.9 6.3.9 2025-04-21 15:58:56 +00:00
dependabot[bot]
a5d963387b Bump org.springframework:spring-framework-bom from 6.1.18 to 6.1.19 
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.18 to 6.1.19.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.18...v6.1.19)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-17 20:49:18 -07:00
dependabot[bot]
99c4f58c34 Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12 
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.11 to 3.2.12.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.11...3.2.12)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-17 20:36:42 -07:00
Joe Grandja
c1aa99fdd2 Enforce BCrypt password length for new passwords only 
Closes gh-16802
 2025-04-17 04:53:33 -04:00
dependabot[bot]
eb01394427 Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17 
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.16 to 2023.0.17.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.16...2023.0.17)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2023.0.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-15 20:50:56 -07:00
dependabot[bot]
0d3d6f75f8 Bump org-aspectj from 1.9.22.1 to 1.9.24 
Bumps `org-aspectj` from 1.9.22.1 to 1.9.24.

Updates `org.aspectj:aspectjrt` from 1.9.22.1 to 1.9.24
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

Updates `org.aspectj:aspectjweaver` from 1.9.22.1 to 1.9.24
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

---
updated-dependencies:
- dependency-name: org.aspectj:aspectjrt
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.aspectj:aspectjweaver
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-13 20:22:34 -07:00
dependabot[bot]
eb83c35ded Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4 
Bumps [io.spring.gradle:spring-security-release-plugin](https://github.com/spring-io/spring-security-release-tools) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/v1.0.3...v1.0.4)

---
updated-dependencies:
- dependency-name: io.spring.gradle:spring-security-release-plugin
  dependency-version: 1.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-09 20:33:22 -07:00
Steve Riesenberg
3c0fef59b5
Polish gh-16039 
Closes gh-16038
 2025-04-07 10:54:09 -05:00
Jonah Klöckner
da94fbe431
Evaluate URI query parameter only if enabled 
Issue gh-16038
 2025-04-07 10:54:07 -05:00
DingHao
857ef6fe08 WithHttpOnlyCookie defaults to false 
Closes gh-16820

Signed-off-by: DingHao <dh.hiekn@gmail.com>
 2025-04-01 11:59:51 -06:00
Steve Riesenberg
b7df86197c
Apply request-handler-ref to CsrfAuthenticationStrategy 
Closes gh-16801
 2025-03-28 16:25:52 -05:00
Steve Riesenberg
c84c438075
Apply request-handler-ref to CsrfAuthenticationStrategy 
Closes gh-16801
 2025-03-28 16:08:36 -05:00
DingHao
1e7db094d1 Use correct message prompt 
Signed-off-by: DingHao <dh.hiekn@gmail.com>
 2025-03-27 16:42:52 -06:00
Josh Cummings
456604ab45 Sort Default Advisors and Added Advisors 
This commit ensures that the default advisors and added advisors
are sorted in the event that this component is not being published
as a Spring bean.

Issue gh-16819
 2025-03-27 16:18:00 -06:00
Josh Cummings
15b9a50060 Add Test 
Issue gh-16819
 2025-03-27 16:18:00 -06:00
Tran Ngoc Nhan
fcc1bd598d Sort Advisors AfterSingletonsInstantiated 
In order to make so that authorization advisors are sorted
only one time and also as part of the configuration lifecycle,
AuthorizationAdvisorProxyFactory now implements
SmartInitializingBean.

Closes gh-16819

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
 2025-03-27 16:18:00 -06:00