Commit Graph

1262 Commits

Author SHA1 Message Date
Josh Cummings cb6e4f4a11
Add NPE Guards
- Like values, names are only validated if they are not null

Closes gh-9598
2021-04-22 11:22:19 -06:00
Craig Andrews 7dc4de05b1 Add guard around logger.debug statement
The log message involves string concatenation, the cost of which should only be incurred if debug logging is enabled
2021-04-16 10:32:58 -06:00
Josh Cummings 4f7d529c5d
Polish Csrf Tests
Issue gh-9561
2021-04-09 22:47:31 -06:00
佚名 87ed527023
Add null check in CsrfFilter and CsrfWebFilter
Solve the problem that CsrfFilter and CsrfWebFilter
throws NPE exception when comparing two byte array
is equal in low JDK version.

When JDK version is lower than 1.8.0_45, method
java.security.MessageDigest#isEqual does not verify
whether the two arrays are null. And the above two
class call this method without null judgment.

ZiQiang Zhao<1694392889@qq.com>
2021-04-09 21:43:19 -06:00
Rob Winch f3f1106624 Update io.spring.javaformat to 0.0.27
Closes gh-9553
2021-04-05 22:23:59 -05:00
Rob Winch 60d3db5798 add management platform(project(":spring-security-dependencies"))
Closes gh-9540
2021-04-05 10:36:36 -05:00
Rob Winch 1a76ee7442 Update Gradle configuration names
Closes gh-9540
2021-04-05 10:36:36 -05:00
Eleftheria Stein 4a492846f1 Revert "Lock dependencies for 2.5.0-M3"
This reverts commit f05cc6269c.
2021-03-15 23:18:45 +01:00
Eleftheria Stein f05cc6269c Lock dependencies for 2.5.0-M3 2021-03-15 11:00:19 +01:00
Rob Winch 95da12110b
Additional Test for HttpSessionSecurityContextRepository
Issue gh-9387
2021-02-11 15:58:29 -07:00
Rob Winch 3116369f02
Optimize HttpSessionSecurityContextRepository
Closes gh-9387
2021-02-11 15:58:28 -07:00
Josh Cummings c4be1c6a56
Revert "Lock Dependencies"
This reverts commit a85caa4098.
2021-02-11 15:49:59 -07:00
Josh Cummings a85caa4098
Lock Dependencies 2021-02-11 15:00:38 -07:00
Josh Cummings 107f38fff9
Polish Tests
Issue gh-9331
2021-02-03 09:05:31 -07:00
happier233 873b9bdbca
Configure CurrentSecurityContextArgumentResolver BeanResolver
Closes gh-9331
2021-02-03 09:05:31 -07:00
Evgeniy Cheban 77484018bb Reconsider AntPathRequestMatcher matching logic
Closes gh-9285
2021-01-19 12:02:06 -07:00
Rob Winch 0201c31deb Fix Checkstyle for CsrfWebFilter
Issue gh-9337
2021-01-12 11:37:12 -06:00
Rob Winch a1083d9a5c Fix CsrfWebFilter error message when expected CSRF not found
Closes gh-9337
2021-01-12 11:18:29 -06:00
Josh Cummings 160a4a3676
Reformat MvcRequestMatcher
- Moved related private methods together

Issue gh-9284
2021-01-11 08:28:59 -07:00
Evgeniy Cheban 8449df9fd2
Consider Aligning MvcRequestMatcher's matching methods
Closes gh-9284
2021-01-09 21:42:16 +03:00
Zeeshan Adnan 848bd44837
Remove unused code
Issue gh-9203
2020-12-18 11:49:52 -07:00
Rob Winch 40e027c56d Constant Time Comparison for CSRF tokens
Closes gh-9291
2020-12-17 15:01:43 -06:00
Josh Cummings c066e23a86
Add @since attributes
Issue gh-8900
2020-12-16 15:58:53 -07:00
Evgeniy Cheban 34b4b1054f Add AuthorizationManager
Closes gh-8900
2020-12-16 15:58:36 -07:00
Nick McKinney 5306d4c4d5 Minor cleanup on Ant / Regex Request Matchers
- Removed duplicative code for transforming String into HttpMethod
 - Removed an unnecessary array initialization
2020-12-14 14:19:23 +01:00
Nick McKinney 6be25df1db Introduced DispatcherType request matcher
Created a DispatcherTypeRequestMatcher and corresponding methods
for configuring an HttpSecurity object. This enables filtering of
security rules based on the dispatcher type of the incoming servlet
request.

Closes gh-9205
2020-12-14 14:19:23 +01:00
Christophe Gilles 54d3839f63 Add permissionsPolicy http header 2020-12-11 12:32:18 +01:00
Serdar Kuzucu 48ef27b80a Make assertion messages in CookieCsrfTokenRepository clearer
Changes assertion message format from 'X is not null' to
'X cannot be null' since this is more meaningful when the error
occurs and the message is printed in the logs.

Closes gh-9195
2020-12-09 10:45:22 -06:00
Serdar Kuzucu 76e117a67a Allow maximum age of csrf cookie to be configured
Allows maxAge of the generated cookie by CookieCsrfTokenRepository
to be configurable.

Prior to this commit, maximum age was set with a value of -1.

After this commit, it will be configured by the user with an either
positive or negative value. If the user does not provide a value,
it will be set -1.

An IllegalArgumentException will be thrown when
this value is set to zero.

Closes gh-9195
2020-12-09 10:45:22 -06:00
Josh Cummings f614a8230c
Polish getRemoteUser
- Corrected instanceof check

Issue gh-3357
2020-12-03 13:08:40 -07:00
Stephen Joyner 9c373ef4f8
getRemoteUser() returns principal name
Closes gh-3357
2020-12-03 13:08:40 -07:00
Eleftheria Stein 7f482eda7d Fix CookieRequestCache for URL encoded query parameters
Avoid populating the saved request parameters with encoded values. Since the query strings of the request and saved URL are compared and must be equal, we can just use the parameters from the incoming request.

Closes gh-9203
2020-11-26 18:16:42 +01:00
Aditya Sekhar 4cc3c25a0e removed whitespace formatting 2020-11-13 15:01:17 -06:00
Aditya Sekhar a26975f780 cleanup compatibility method based on spring-projects#8868 2020-11-13 15:01:17 -06:00
zhuang ff58ac836e
Decode cookie once in AbstractRememberMeServices
Issue gh-9192
2020-11-09 08:14:20 -05:00
Eleftheria Stein 34a21cd80c Fix formatting 2020-11-09 13:46:09 +01:00
Eleftheria Stein 5661e06e9c Fix typo UserDetailService -> UserDetailsService 2020-11-09 13:13:32 +01:00
Arnaud Mergey 2b9efccc50 Implement MessageSourceAware where missing
Closes gh-8951
2020-11-05 10:57:33 -07:00
Joe Grandja b95e1aa209 Revert "Lock dependencies for 5.5.0-M1"
This reverts commit 25a7482c8c.
2020-11-03 19:53:28 -05:00
Rob Winch 25a7482c8c Lock dependencies for 5.5.0-M1 2020-10-30 17:52:03 -05:00
Alexander Polozov a362ab53bc Change guard expressions order
Check of allowed user sessions count moved to head for avoid unnecessary fetching all user sessions.
2020-10-27 09:49:29 -04:00
Phillip Webb c502312719 Replace expected @Test attributes with AssertJ
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb 20baa7d409 Replace ExpectedException @Rules with AssertJ
Replace JUnit ExpectedException @Rules with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb 910b81928f Replace try/catch with AssertJ
Replace manual try/catch/fail blocks with AssertJ calls.
2020-09-22 16:13:51 -06:00
Tomoki Tsubaki 65f788532e Fix broken Mono chain
This commit restore broken Mono chain in WebSessionServerCsrfTokenRepository.generateToken(ServerWebExchange).

Closes gh-9017
2020-09-16 09:53:23 -06:00
Tomoki Tsubaki 2c297fbd63 Create the CSRF token on the bounded elactic scheduler
The CSRF token is generated by UUID.randomUUID() which is I/O blocking operation.
This commit changes the subscriber thread to the bounded elactic scheduler.

Closes gh-9018
2020-09-16 08:48:00 -06:00
Joe Grandja 7b1f574769 Revert "Lock Dependency Versions for 5.4.0"
This reverts commit 3d0e459182.
2020-09-09 18:14:12 -04:00
Joe Grandja 3d0e459182 Lock Dependency Versions for 5.4.0 2020-09-09 13:45:03 -04:00
Eleftheria Stein-Kousathana 02d1516c56
Restructure BasicAuthenticationFilter Logs
Issue gh-6311
2020-09-02 07:42:03 -06:00
Josh Cummings fa7baf551d
Restructure Logs
Followed common use cases based off of HelloWorld sample:
  - Public endpoint
  - Unauthorized endpoint
  - Undefined endpoint
  - Successful form login
  - Failed form login
  - Post-login redirect

Issue gh-6311
2020-09-02 07:37:59 -06:00
Phillip Webb 319d3364aa Migrate to assertThatExceptionOfType
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb ef8f113619 Use assertThat instead of Java assert
Fix `DefaultSavedRequestMixinTests` so that `assertThat` is used rather
than Java's `assert` keyword.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb a5aa6b3d7f Remove blank lines from all tests
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 5bdd757108 Polish spring-security-web main code
Manually polish `spring-security-web` following the formatting
and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb ee661f7b71 Fix whitespace issues in format-off code
Fix a few whitespace issues in format-off code that would
otherwise fail checkstyle.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d3f039f76 Reduce method visibility when possible
Reduce method visibility for package private classes when possible.

In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ec6a4cb3f0 Use consistent equals/hashCode/toString order
Ensure that `equals` `hashCode` and `toString` methods always appear in
the same order. This aligns with the style used in Spring Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 612fb22a7f Remove unnecessary lambda blocks
Remove lambda blocks that aren't needed and replace instead with a
simple expression.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 52f20b5281 Use parenthesis with single-arg lambdas
Use regular expression search/replace to ensure all single-arg
lambdas have parenthesis. This aligns with the style used in Spring
Boot and ensure that single-arg and multi-arg lambdas are consistent.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 01d90c9881 Hide utility class constructors
Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ff94944313 Add whitespace after copyright header
Add an additional lines after the copyright header and before the
`package` declaration. This aligns with the style used by Spring
Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 31ec450d05 Remove superfluous comments
Remove a few comments that previously add noise but don't offer a great
deal of value.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d80166aaf Update exception variable names
Consistently use `ex` for caught exception and `cause` for Exception
constructor arguments.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb e9130489a6 Remove restricted static imports
Replace static imports with class referenced methods. With the exception
of a few well known static imports, checkstyle restricts the static
imports that a class can use. For example, `asList(...)` would be
replaced with `Arrays.asList(...)`.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 9a3fa6e812 Simplify boolean returns
Simplify boolean returns of the form:

	if (b) {
		return true;
	} else {
		return false;
	}

to:

	return b;

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb db55ef4b3b Migrate to BDD Mockito
Migrate Mockito imports to use the BDD variant. This aligns better with
the "given" / "when" / "then" style used in most tests since the "given"
block now uses Mockito `given(...)` calls.

The commit also updates a few tests that were accidentally using
Power Mockito when regular Mockito could be used.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb c12ced6aaa Migrate SwitchUserWebFilterTests AssertJ
Replace the JUnit Assertions used in `SwitchUserWebFilterTests` with
AssertJ. This test appears to have been missed during the original
AssertJ migration.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb f1cee9500f Ensure classes are defined in their own files
Ensure that all classes are defined in their own files. Mostly classes
have been changed to inner-types.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 4d487e8dc3 Ensure all files end with a new line
Update all files to ensure that they always end with a new-line
character.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 81fe9fc640 Make all exception classes immutable
Update all exception classes so that they are fully immutable and cannot
be changed once they have been thrown.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a0b9442265 Use consistent modifier order
Update code to use a consistent modifier order that aligns with that
used in the "Java Language specification".

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 3e700e7571 Remove (non-Javadoc) comments
Search and replace using '(?s)/\*\s*\* \(non-Javadoc\).*?\*/' to remove
all "(non-Javadoc)" comments. These comments used to be added
automatically by Eclipse, but are not really necessary.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a2f2e9ac8d Move inner-types so that they are always last
Move all inner-types so that they are consistently the last item
defined. This aligns with the style used by Spring Framework and
the consistency generally makes it easier to scan the source.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 9e08b51ed3 Apply code cleanup rules to projects
Apply automated cleanup rules to add `@Override` and `@Deprecated`
annotations and to fix class references used with static methods.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 8866fa6fb0 Always use 'this.' when accessing fields
Apply an Eclipse cleanup rules to ensure that fields are always accessed
using `this.`. This aligns with the style used by Spring Framework and
helps users quickly see the difference between a local and member
variable.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 6894ff5d12 Make classes final where possible
Update classes that have private constructors so that they are also
declared final. In a few cases, inner-classes used private constructors
but were subclassed. These have now been changed to have package-private
constructors.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb b5d499e2eb Remove empty block
Refactor a few classes so that empty blocks are not longer used. For
example, rather than:

	if(x) {
	} else {
		i++;
	}

use:

	if(!x) {
		i++;
	}

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 37fa94fafc Organize imports
Use "organize imports" from Eclipse to cleanup import statements so
that they appear in a consistent and well defined order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 5f64f53c3f Use consistent "@" tag order in Javadoc
Ensure that Javadoc "@" tags appear in a consistent and well defined
order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 71bc145ae4 Remove superfluous comments
Use '^\s+//\ \~\ .*$' and '^\s+//\ ============+$' regular expression
searches to remove superfluous comments.

Prior to this commit, many classes would have comments to indicate
blocks of code (such as constructors/methods/instance fields). These
added a lot of noise and weren't all that helpful, especially given
the outline views available in most modern IDEs.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb b7fc18262d Reformat code using spring-javaformat
Run `./gradlew format` to reformat all java files.

Issue gh-8945
2020-08-24 17:32:56 -05:00
Phillip Webb 27ac046d8a Rename *Test.java -> *Tests.java
Rename a few test classes that accidentally ended in `Test` instead of
`Tests`.

Issue gh-8945
2020-08-10 16:24:44 -05:00
Joe Grandja 1d74d556c2 Revert "Lock Dependency Versions for 5.4.0-RC1"
This reverts commit f3a1e5d40c.
2020-08-05 14:59:11 -04:00
Joe Grandja f3a1e5d40c Lock Dependency Versions for 5.4.0-RC1 2020-08-05 13:46:11 -04:00
Artur Otrzonsek b22c50c4a8 Reactive SwitchUserWebFilter for user impersonation
Closes gh-8599
2020-07-22 16:05:31 +02:00
Josh Cummings b61bf49d07
Polish gh-8824 2020-07-21 10:47:37 -06:00
Dávid Kováč 37aa5f9b7c Introduce AuthenticationConverterServerWebExchangeMatcher
AuthenticationConverterServerWebExchangeMatcher is ServerWebExchangeMatcher implementation based on AuthenticationConverter which matches if ServerWebExchange can be converted to Authentication.
It can be used as a matcher where SecurityFilterChain should be matched based on used authentication method.
BearerTokenServerWebExchangeMatcher was replaced by this matcher.

Closes gh-8824
2020-07-21 10:11:57 -06:00
Eleftheria Stein e902be7ab9 Use String to specify custom HTTP method in test
Closes gh-8592
2020-07-21 15:47:11 +02:00
Eleftheria Stein fb936e2780 Polish CookieRequestCacheTests
Issue gh-8817
Issue gh-8820
2020-07-21 15:02:21 +02:00
majian 41f26b768a Improve request matching logic when using cookie
- Repair request cache deleted by mistake
- Fix RequestCache throw exception and error redirect.

Closes gh-8820
Closes gh-8817
2020-07-21 15:02:21 +02:00
Roman Sydorov 896b324722 Updated SimpleSavedRequest#getMethod
Before:
1. SimpleSavedRequest#getMethod returned null
2. SimpleSavedRequest(SavedRequest request) constructor did not set the method field from request

After:
1. SimpleSavedRequest#getMethod returns method property value
2. SimpleSavedRequest(SavedRequest request) constructor sets the method field from request

Closes gh-8675
2020-07-08 14:47:51 -06:00
Rob Winch 09fe6071e1 LoginPageGeneratingWebFilter honors context path
Closes gh-8807
2020-07-07 13:34:55 -05:00
Eleftheria Stein 4fb5ff35db Polish CookieRequestCache
Issue gh-8034
2020-07-02 13:41:37 +02:00
Zeeshan Adnan 9708a2d63f Adds cookie based RequestCache
fixes spring-projectsgh-8034
2020-07-02 07:11:16 -04:00
Josh Cummings 146d0b6358
Revert "Lock Dependency Versions for 5.4.0-M2"
This reverts commit 68538897c8.
2020-07-01 13:11:50 -06:00
Josh Cummings 68538897c8
Lock Dependency Versions for 5.4.0-M2 2020-07-01 12:40:29 -06:00
michal e113bd3c01 issue 5414 - configurable secure flag in CookieCsrfTokenRepository
While using the request's "isSecure" flag is a reasonable default, when webapps sit behind firewalls, sometimes the firewall does the SSL, and the traffic between the firewall and the app is plain HTTP (not HTTPS). In this case the "isSecure" flag on the request is always false, but we still want th XSRF-TOKEN cookie to be secure (the firewall forwards all cookies to the app, and the browser sends the secure cookie to the firewall).

It would be nice if we could configure the desired value for the secure flag of the cookie, just like we can configure the value for the httpOnly flag of the cookie.
2020-06-25 14:42:38 -05:00
Craig Andrews c71352c548 Validate headers and parameters in StrictHttpFirewall
Adds methods to configure validation of header names and values and
parameter names and values:
 * setAllowedHeaderNames(Predicate)
 * setAllowedHeaderValues(Predicate)
 * setAllowedParameterNames(Predicate)
 * setAllowedParameterValues(Predicate)

By default, header names, header values, and parameter names that
contain ISO control characters or unassigned unicode characters are
rejected. No parameter value validation is performed by default.

Issue gh-8644
2020-06-24 14:15:46 -06:00
Eleftheria Stein 12d20f99a1 Fix incorrect Javadoc
Closes gh-8744
2020-06-22 13:14:34 +02:00
Eleftheria Stein c854f6b190 Add missing Javadoc
Closes gh-8743
2020-06-22 13:13:32 +02:00
Craig Andrews efb6953017 Reject the NULL character in paths in StrictHttpFirewall
Adds `setAllowNull`
By default, denies null in paths
2020-06-18 10:19:37 -06:00
Rob Winch ccbad61ae8 Change blacklist to blocklist
Closes gh-8676
2020-06-10 11:49:49 -05:00
Rob Winch ca1252be94 Replace whitelist with allowlist
Issue gh-8676
2020-06-10 11:49:21 -05:00
Rob Winch a907026eae Deprecate X-FRAME-OPTIONS ALLOW-FROM Directive
Closes gh-8677
2020-06-10 11:48:56 -05:00
Joe Grandja da4b626bf1 OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
Issue gh-8609
2020-06-09 17:28:21 -04:00
Eleftheria Stein 0a42aa26c8 Mock request with non-standard HTTP method in test
Fixes gh-8594
2020-05-26 10:16:56 -04:00
Astushi Yoshikawa f08ca4e688 Throw exception if URL does not include context path when context relative
Issue: gh-8399
2020-05-20 14:02:17 -04:00
Rob Winch dc514b369e FilterInvocation Support Default Methods on HttpServletRequest
Closes gh-8566
2020-05-20 10:13:59 -05:00
cbornet bfb401eeed Create the CSRF token on the bounded elactic scheduler
The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.

Fixes gh-8128
2020-05-18 11:04:54 -05:00
Mathieu Ouellet cd08102b93 Add debug logging
Goal is to provide insight to devs on:
- Authentication & Authorization success/failures
- WebSession & SecurityContext
- Request matchers, cache & authn/authz flow

Fixes gh-5758
2020-05-12 09:03:24 -05:00
Rob Winch 4473dca022 Polish matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed
Issue gh-8149
2020-05-11 17:20:16 -05:00
Parikshit Dutta 0f92415395 Fix non-standard HTTP method for CsrfWebFilter
Closes gh-8149
2020-05-11 17:19:57 -05:00
Artyom Tarynin 6db514a4e2 Update AntPathRequestMatcher.java
Fixed typo in JavaDoc. Actually, In these two cases, we are calling the constructor with a `boolean caseSensitive` which is equal to true. This means case sensitive
2020-05-11 17:11:22 -04:00
Joe Grandja 86ca6b013c Unlock dependencies
This reverts commit 206960cf44.
2020-05-06 17:27:35 -04:00
Joe Grandja 206960cf44 Lock dependencies for 5.4.0-M1 2020-05-06 17:13:04 -04:00
Rob Winch 0483b3e042 Polish RequestRejectedHandler
Issue gh-5007
2020-05-01 10:51:11 -05:00
Leonard Brünings b826c798f7 Add RequestRejectedHandler
Closes gh-5007
2020-05-01 10:51:01 -05:00
Oh Myung Woon b7d3acc02c Add constructors to AbstractAuthenticationProcessingFilter
Closes gh-8309
2020-04-09 13:53:06 -05:00
Mustafa Ulu 6bdd5f710f
Fix example in javadoc of FilterChainProxy 2020-04-07 21:05:12 +03:00
Rob Winch 91728ef53b Fix HttpServlet3RequestFactory Logout Handlers
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.

This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.

Closes gh-4760
2020-03-30 17:50:28 -05:00
Josh Cummings eed71243cb
SwitchUserFilter Defaults to POST
Fixes gh-4183
2020-03-27 13:41:49 -06:00
Zeeshan Adnan 935c547dde Fix exception for empty basic auth header token
fixes spring-projectsgh-7976
2020-03-16 12:57:13 -04:00
Eleftheria Stein 47011eb9e2 Polish transfer session's max inactive interval
Issue: gh-2693
2020-03-12 12:11:14 -04:00
Venkata Jaswanth U 02b7d04027 Transfer session's max inactive interval
Fixes: gh-2693
2020-03-12 10:11:59 -04:00
Eleftheria Stein b2ea0ba775 Polish SessionIdChangedEvent
Add AbstractSessionEvent; clean up license headers and Javadocs

Fixes: gh-5438
2020-03-06 12:04:49 -05:00
Venkata Jaswanth 5fc6414377 SessionRegistryImpl is now aware of SessionIdChangedEvent 2020-03-06 12:04:01 -05:00
Eleftheria Stein ae532c080c Add server request cache that uses cookie
Fixes: gh-8033
2020-03-05 15:36:47 -05:00
Eleftheria Stein 38979b1b09 Add test for ServerRequestCacheWebFilter 2020-03-05 14:57:07 -05:00
Josh Cummings 6eadf7b140
Unlock dependencies for 5.3.0.RELEASE
This reverts commit 147d7dadd7.
2020-03-04 12:02:48 -07:00
Josh Cummings 147d7dadd7
Lock dependencies for 5.3.0.RELEASE 2020-03-04 10:28:39 -07:00
AmitB 2ce9eef95e Fix typo in AntPathRequestMatcher contructor comment 2020-03-02 07:14:27 -06:00
Joe Grandja 82cd203791 Remove unnecessary mocking
Fixes gh-8012
2020-02-23 19:35:16 -05:00
Josh Cummings 5bdf57d1e5
Remove Groovy and Spock Dependencies
Fixes gh-4939
2020-02-10 10:38:40 -07:00
Josh Cummings bae50ecc05
AbstractSecurityWebApplicationInitializerTests groovy->java
Issue gh-4939
2020-02-10 10:38:39 -07:00
Eleftheria Stein 84b8a5abd7 Unlock dependencies for next development version
This reverts commit 064616f1ef.
2020-02-05 15:53:04 +01:00
Eleftheria Stein 064616f1ef Lock dependencies for 5.3.0.RC1 2020-02-05 10:20:05 +01:00
Josh Cummings cb9fd09150
Change AuthenticationWebFilter's constructor
Fixes gh-7872
2020-01-31 09:31:28 -07:00
Peter Keller e62fb755e8 Set charset of BasicAuthenticationFilter converter
Allow BasicAuthenticationFilter to pick up the given credentials charset.

Fixes: gh-7835
2020-01-23 15:34:35 +01:00
Onur Kağan Özcan 1f6381d970 Set secure on cookie when logging out
Mark cookie secure flag to ensure cookie identity is the same
2020-01-13 11:01:33 +01:00
Rob Winch ffccec953f Fix HttpHeaderWriterWebFilterTests
Ensure setComplete() is subscribed to
2020-01-09 14:24:35 -06:00
Eleftheria Stein fcc6457bef Unlock dependencies for next development version
This reverts commit 93acf8f0f1.
2020-01-08 22:15:17 +01:00
Eleftheria Stein 93acf8f0f1 Lock dependencies for 5.3.0.M1 2020-01-08 19:41:10 +01:00
Onur Kağan Özcan 2015f392ef Set secure when cancelling remember-me cookie
AbstractRememberMeServices is setting remember-me cookie with checking request is secure or secure usage is independently set to a fixed flag.
But when cancelling a cookie, cookie is not being marked secure or not. It produces an inconsistency when using secure flag as a part to identity of cookie.
2019-12-20 16:04:31 +01:00
Rob Winch a8331ba7ed CompositeServerHttpHeadersWriter Executes Sequentially
Fixes gh-7731
2019-12-12 11:23:56 -06:00
David Herberth 64e063d948 switches web authentication principal resolver to use reactive context
gh #6598

Signed-off-by: David Herberth <github@dav1d.de>
2019-12-12 15:33:23 +01:00
Rob Winch 8e53c3f269 DelegatingServerAuthenticationSuccessHandler Executes Sequentially
Fixes gh-7728
2019-12-12 08:32:44 -06:00
Rob Winch 73babc3314 DelegatingServerLogoutHandler Executes Sequentially
Fixes gh-7723
2019-12-11 15:39:27 -06:00
Joe Grandja 4d9cee116c Display general error message when WebFlux oauth2Login() fails
Issue gh-5562 gh-6484
2019-12-05 16:54:31 -05:00
Filip Hrisafov 796859333f Log full failed authentication exception in BasicAuthenticationFilter 2019-11-27 14:56:24 +01:00
Josh Cummings 5f17032ffd Restore Removed Throws Clauses
In a recent clean-up, certain exceptions were removed from various
throws clauses.

This PR re-introduces throws clauses that are important for one of the
following reasons:

1. It's a method on a public interface
2. It's a method clearly designed for inheritance, for example, a
method stub, an abstract method, or indicated as such in the docs.

Fixes gh-7541
2019-10-30 12:13:54 -06:00
Rob Winch 635f7e1edd CsrfWebFilter supports multipart/form-data
Fixes gh-7576
2019-10-28 14:06:10 -05:00
Filip Hrisafov b9f122230b Align javadoc of continueFilterChainOnUnsuccessfulAuthentication with actual behaviour 2019-10-23 14:50:57 -04:00
Michel Palourdio d26f40f062 DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path. 2019-10-23 09:41:00 -04:00
Tadaya Tsuyukubo 62c7de03c3 Add RequestMatcher to AbstractPreAuthenticatedProcessingFilter
Moved the existing auth check logic to the matcher.

Issue: gh-5928
2019-10-22 16:55:54 -04:00
Eleftheria Stein 264daec697 Test context relative URL with multiple schemes 2019-10-16 15:32:02 -04:00
Josh Cummings b764af6b9b
CookieServerCsrfTokenRepositoryTests Leading Dot
ResponseCookie removed support for having a leading dot in the cookie
domain.

Fixes gh-7500
2019-09-30 08:39:45 -06:00
Josh Cummings 7949dd492a
Move DelegatingServerAuthenticationSuccessHandlerTests
Moved from src/test/groovy to src/test/java

Issue gh-5332
2019-09-27 16:57:43 -06:00
Josh Cummings 5f905232cb
Polish CurrentSecurityContextArgumentResolvers
Fixes gh-7487
2019-09-27 13:19:08 -06:00
Rob Winch 00f8991fac Merge Remove Redudant Throws
Fixes gh-7301
2019-09-19 11:04:53 -05:00
Onur Kagan Ozcan 034b5e9e93 Introduce LogoutSuccessEvent
LogoutSuccessEvent is a simple AbstractAuthenticationEvent implementation which indicates successful logout.

By default, LogoutConfigurer will add a new LogoutHandler called LogoutSuccessEventPublishingLogoutHandler to publish this event.

This PR will also fix ConcurrentSessionFilter's composite logoutHandler, now will get LogoutHandler instances from LogoutConfigurer for consistency.

Fixes gh-2900
2019-09-18 10:57:16 -05:00
Josh Cummings 7576dc44d7
AuthenticationFilter Session Fixation Protection
Fixes gh-7446
2019-09-17 08:17:09 -06:00
Josh Cummings 496a2cdc60
Make AuthenticationFilter methods private
Fixes gh-7447
2019-09-17 08:06:21 -06:00
Josh Cummings aa12748c9b Add Request-level CSRF Skip
Fixes gh-7367
2019-09-13 19:04:05 +01:00
Eleftheria Stein 9f0986a093 Fix javadoc typo for invalid session strategy 2019-09-09 16:51:14 -04:00
Filip Hanik 08d50868c9
Merge pull request #7260 from fhanik/feature/saml2-sp-mvp
Add SAML Service Provider Support
2019-09-05 17:04:14 -07:00
Filip Hanik e9a44bc0ce HttpSecurity.saml2login() - MVP Core Code
Implements minimal SAML 2.0 login/authentication functionality with the
following feature set:

  - Supports IDP initiated login at the default url of /login/saml2/sso/{registrationId}
  - Supports SP initiated login at the default url of /saml2/authenticate/{registrationId}
  - Supports basic java-configuration via DSL
  - Provides an integration sample using Spring Boot

Not implemented with this MVP

  - Single Logout
  - Dynamic Service Provider Metadata

Fixes gh-6019
2019-09-05 14:40:08 -07:00
Rob Winch 2a1f3f6aa7 Remove Package Tangle in HeaderWriterFilter
Fixes gh-7380
2019-09-05 16:08:45 -05:00
Josh Cummings 39e84013f7
ClearSiteDataHeaderWriter Directives
Fixes gh-7347
2019-09-03 15:57:10 -06:00
Eleftheria Stein ad0d3e9702 Polish remember me username check 2019-09-03 11:48:46 -04:00
Scott Murphy 26ae590c68 Check that userdetails for username exists. #7251 2019-09-03 11:48:46 -04:00
kostya05983 f6c650db47
Replace Streams with Loops
First version of replacing streams

fix wwwAuthenticate and codestyle

fix errors in implementation to pass tests

Fix review notes

Remove uneccessary final to align with cb

Short circuit way to authorize

Simplify error message, make code readably

Return error while duplicate key found

Delete check for duplicate, checkstyle issues

Return duplicate error

Fixes gh-7154
2019-09-02 15:30:48 -06:00
Lars Grefer 95511331fa fix checkstyle 2019-08-26 22:42:26 +02:00
watsta 2c2e8e5f24 Remove internal Optional usage in favor of null checks
Issue gh-7155
2019-08-26 09:27:40 -04:00
Lars Grefer 34dd5fea30 Remove redundant throws clauses
Removes exceptions that are declared in a method's signature but never thrown by the method itself or its implementations/derivatives.
2019-08-23 01:03:54 +02:00
Daniel Wegener 1a233a58c7 Add OnCommittedResponseWrapper.setContentLengthLong
Add setContentLengthLong tracking to OnCommittedResponseWrapper in
order to detect commits on servlets that use setContentLengthLong to
announce the entity size they are about to write (as used in the
Apache Tomcat's DefaultServlet).

Fixes gh-7261
2019-08-19 21:14:41 -04:00
Eleftheria Stein 4bc231872f Expire as many sessions as exceed maximum allowed
Fixes: gh-7166
2019-08-15 09:48:42 -05:00
Josh Cummings 9735a718cc
Remove MultiTenantAuthenticationManagerResolver
Fixes gh-7259
2019-08-14 11:14:47 -06:00
Rob Winch c1db1aad91
Cleanup Code Style Issues
Cleanup Code Style Issues
2019-08-12 13:06:49 -05:00
Lars Grefer ec6ca97226 Fix tests 2019-08-11 21:09:10 +02:00
Lars Grefer ff1070df36 remove redundant modifiers found by checkstyle 2019-08-10 00:18:56 +02:00
Lars Grefer 38de737663 Java 8: Statement lambda can be replaced with expression lambda 2019-08-09 16:59:07 -05:00
Lars Grefer 7b2a7847e5 Java 8: Single Map method can be used 2019-08-09 16:59:07 -05:00
Lars Grefer 25c06be1eb Java 7: Identical 'catch' branches in 'try' statement 2019-08-09 16:59:07 -05:00
Lars Grefer 578d628774 'Collection.toArray()' call style 2019-08-09 16:57:31 -05:00
Lars Grefer b388976ac8 fix checkstyle 2019-08-09 02:46:20 +02:00
Lars Grefer 35bdf1f009 Unnecessary semicolon 2019-08-09 00:43:13 +02:00
Lars Grefer d9c1f03b84 Unnecessary interface modifier 2019-08-09 00:42:35 +02:00
Lars Grefer 40bee457f9 Unnecessary enum modifier 2019-08-09 00:42:07 +02:00
Lars Grefer 8d0ca14e55 Unnecessary conversion to String 2019-08-09 00:41:46 +02:00
Lars Grefer fb39d9c255 Anonymous type can be replaced with lambda 2019-08-08 17:09:09 -04:00
Lars Grefer 05f42a4995 Remove unused imports 2019-08-08 14:22:31 -04:00
Lars Grefer 2056834432 Cleanup unnecessary unboxing
Unboxing is unnecessary under Java 5 and newer, and can be safely removed.
2019-08-06 10:17:38 -04:00
Lars Grefer 2306d987e9 Cleanup unnecessary boxing 2019-08-06 10:17:38 -04:00
Filip Hanik 2055466ad7 Add Javadoc 2019-08-05 19:43:00 -04:00
Filip Hanik ddf68821cb Add RequestMatcher.matcher(HttpServletRequest)
Step 3 - Usage of RequestVariablesExtractor or types that are assigned
to AntPathRequestMatcher should be replaced with the new method.

[closes #7148]
2019-08-05 19:43:00 -04:00
Eddú Meléndez 496579dde2 Add match result for servlet requests
Fixes gh-7148
2019-08-05 19:43:00 -04:00
Josh Cummings 774a2e669c
Polish setAllowedHostnames
Added JavaDoc to method, including @since attribute

Issue gh-4310
2019-08-03 19:19:44 -06:00
Eddú Meléndez f712c5598c Add support for allowedHostnames in StrictHttpFirewall
Introduce a new method `setAllowedHostnames` which perform the validation
against untrusted hostnames.

Fixes gh-4310
2019-08-03 21:16:45 -04:00
Khy a5cfd9fdb9 Downgrade AuthenticationFilter modifier
Fixes gh-7177
2019-08-03 21:14:33 -04:00