Commit Graph

1725 Commits

Author SHA1 Message Date
Steve Riesenberg c306df9b46
Add XorCsrfChannelInterceptor
Issue gh-12378
2023-01-23 16:00:35 -06:00
Josh Cummings 879770a0f6 Polish AbstractAuthenticationTargetUrlHandler
Issue gh-12344
2023-01-18 08:30:57 -07:00
Dayan Kodippily 6b8a778da8 Rework determineTargetUrl for Readability
Closes gh-12344
2023-01-18 08:30:57 -07:00
Dayan Kodippily 58e948a781 Test AbstractAuthenticationTargetUrlRequestHandler
Issue gh-12344
2023-01-18 08:30:57 -07:00
Steve Riesenberg 62b58d2c92
Polish gh-12530 2023-01-17 15:05:56 -06:00
Onur Kagan Ozcan c77c76e722
Relax final modifiers on AbstractRememberMeServices methods
Closes gh-12145
2023-01-17 15:05:09 -06:00
Josh Cummings f9d674cb10
Merge branch '6.0.x'
Closes gh-12525
2023-01-11 10:14:01 -07:00
Josh Cummings 4d2dab9b6b
Lookup Parent Observation
Closes gh-12524
2023-01-11 10:13:33 -07:00
Steve Riesenberg 5f89f39627
Merge branch '6.0.x'
Closes gh-12515
2023-01-10 11:34:34 -06:00
Steve Riesenberg 4e80338a9b
Polish gh-12466 2023-01-10 11:31:51 -06:00
Wellington Domiciano 2c8854bb7f
Adjusts setRequestHandler javadoc in CsrfFilter
Adjusts setRequestHandler method javadoc in CsrfFilter class to reflect
changes in 6.0.

In 6.0, the default CsrfTokenRequestHandler changed to
XorCsrfTokenRequestAttributeHandler, however, the javadoc for the
setRequestHandler method still said it was
CsrfTokenRequestAttributeHandler.

This change adjusts the information to make it more accurate, because,
although XorCsrfTokenRequestAttributeHandler is a subclass of
CsrfTokenRequestAttributeHandler, the behavior is quite different.

Closes gh-12464
2023-01-10 11:31:51 -06:00
Marcus Da Coregio 556891b4fa Merge branch '6.0.x'
Closes gh-12512
2023-01-10 09:43:05 -03:00
Marcus Da Coregio d1fc789ae2 Merge branch '5.8.x' into 6.0.x
Closes gh-12511
2023-01-10 09:42:48 -03:00
Marcus Da Coregio ae46032ced Merge branch '5.7.x' into 5.8.x
Closes gh-12510
2023-01-10 09:39:40 -03:00
Marcus Da Coregio ffdb397830 Save the SecurityContext when switching user
Closes gh-12504
2023-01-10 09:27:56 -03:00
Josh Cummings f3ce04e59a
Merge branch '6.0.x'
Closes gh-12493
2023-01-06 11:15:03 -07:00
Josh Cummings c308e4665a
Polish Event Name
Provide a name with no spaces separate from the human-friendly
one with spaces.

Closes gh-12490
2023-01-06 11:13:11 -07:00
Josh Cummings c0fe74869f
Merge branch '6.0.x'
Closes gh-12484
2023-01-04 10:54:10 -07:00
Wellington Domiciano 27b3f4d403 Adjusts setRequestHandler javadoc in CsrfWebFilter
Adjusts setRequestHandler method javadoc in CsrfWebFilter class to reflect changes in 6.0.

In 6.0, the default ServerCsrfTokenRequestHandler changed to XorServerCsrfTokenRequestAttributeHandler, however, the javadoc for the setRequestHandler method still said it was ServerCsrfTokenRequestAttributeHandler.

This change adjusts the information to make it more accurate, because, although XorServerCsrfTokenRequestAttributeHandler is a subclass of ServerCsrfTokenRequestAttributeHandler, the behavior is quite different.

Closes gh-12465
2023-01-04 10:53:47 -07:00
Marcus Da Coregio c2d0ea3694 Merge branch '6.0.x'
Closes gh-12369
2022-12-12 16:55:32 -03:00
Marcus Da Coregio 898c36287c Merge branch '5.8.x' into 6.0.x
Closes gh-12368
2022-12-12 16:55:14 -03:00
Marcus Da Coregio 99d6d21554 Apply SecurityContextHolderFilter to all dispatcher types
Closes gh-11962
2022-12-12 11:45:24 -08:00
Josh Cummings 886d1ffec2
Remove Deprecated Usage
Issue gh-12086
2022-12-05 11:00:57 -07:00
Josh Cummings 8ef2fc3837
Format
Issue gh-12086
2022-12-05 10:51:42 -07:00
Alex Montoya 8717b7544a
Perform JUnit 5 clean up tasks
- For CookieCsrfTokenRepositoryTests and
CookieServerCsrfTokenRepositoryTests

Issue gh-12086
2022-12-05 10:51:41 -07:00
Alex Montoya b79ba89eeb
Add setCookieCustomizer to csrf token repository
- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and
setSecure as deprecated.

- Add the method setCookieCustomizer which allows to set properties
to the ResponseCookieBuilder without having to add new setter methods.

Closes gh-12086
2022-12-05 10:51:40 -07:00
Josh Cummings 701f754e37
Cast FilterChainObservationContext Safely
Closes gh-12268
2022-11-29 16:24:56 -07:00
Steve Riesenberg fd547321e8
Default to XorCsrfTokenRequestAttributeHandler
As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.

Issue gh-11960
Closes gh-12235
2022-11-18 22:50:26 -06:00
Steve Riesenberg 5da78f44f2
Merge branch '5.8.x' 2022-11-18 14:54:33 -06:00
Steve Riesenberg 2ed7cff643
Check for existing token before clearing
Closes gh-12236
2022-11-18 13:12:59 -06:00
Josh Cummings 24860d9fb0
Observe Filter Start and Stop
Issue gh-11911
2022-11-17 15:11:29 -07:00
Josh Cummings e08ed89403 Polish Span and Meter Names
Closes gh-12156
2022-11-17 15:09:52 -07:00
Marcus Da Coregio 063f06e7bf Register FilterChainProxy for all dispatcher types
Closes gh-12180
2022-11-16 09:55:21 -03:00
Steve Riesenberg 1a3be83084
Merge branch '5.8.x'
Closes gh-12185
2022-11-09 12:28:37 -06:00
Steve Riesenberg 57b163bb78
Polish gh-12141 2022-11-09 12:19:43 -06:00
Marcus Da Coregio 2a261e0583 Add Jakarta WebSocket 2.1 test dependency to spring-security-web
Issue gh-12148
2022-11-08 09:54:34 -03:00
Marcus Da Coregio 3b5d19c8a4 Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1
Closes gh-12146
Closes gh-12148
2022-11-08 08:34:21 -03:00
Steve Riesenberg 36f668dd9c
Merge branch '5.8.x'
Closes gh-12142
2022-11-04 18:12:34 -05:00
Steve Riesenberg 6b0ed0205b
Re-generate tokens in CookieCsrfTokenRepository
Fixes support for re-generating tokens within a request such as when
CsrfAuthenticationStrategy removes a null token and saves an empty
cookie value on the response.

Closes gh-12141
2022-11-04 18:10:15 -05:00
Steve Riesenberg 801ceb0832
Merge branch '5.8.x' 2022-10-31 08:58:14 -05:00
Steve Riesenberg 66f2f1cde7
Merge branch '5.7.x' into 5.8.x 2022-10-31 08:55:03 -05:00
Steve Riesenberg 2915a70bf7
Merge branch '5.6.x' into 5.7.x 2022-10-28 13:05:48 -05:00
Steve Riesenberg 6530777742
Merge branch '5.5.x' into 5.6.x
Closes gh-dry-run
2022-10-28 11:31:50 -05:00
Marcus Da Coregio 1f481aafff
Fix AuthorizationFilter incorrectly extending OncePerRequestFilter
Closes gh-12102
2022-10-28 11:29:35 -05:00
Josh Cummings d651da5ac3
Merge remote-tracking branch 'origin/5.8.x'
Closes gh-12077
2022-10-24 16:54:03 -06:00
Josh Cummings dd30694979
Merge remote-tracking branch 'origin/5.7.x' into 5.8.x
Closes gh-12076
2022-10-24 16:46:08 -06:00
David Becker 2b426872a3
Use InetSocketAddress#getHostString
Sometimes InetSocketAddress#getAddress#getHostAddress retuns null.
In that case, call InetSocketAddress#getHostString instead.

There is no performance loss since IpAddressMatcher#matches attemptsi
to re-parse and resolve the address anyway.

Closes gh-11888
2022-10-24 16:32:19 -06:00
Steve Riesenberg 8554e70c09
Remove deprecated loadContext(request)
Closes gh-12048
2022-10-17 20:13:51 -05:00
Steve Riesenberg e238b721bb
Fix imports in DelegatingSecurityContextRepository
Issue gh-12023
2022-10-17 19:36:25 -05:00
Steve Riesenberg bd43c1f28a
Merge branch '5.8.x'
# Conflicts:
#	web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
#	web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
Steve Riesenberg acc35aeb18
Add DelegatingSecurityContextRepository
Issue gh-12023
2022-10-17 19:33:58 -05:00
Steve Riesenberg c75ca10900
Add DeferredSecurityContext
Issue gh-12023
2022-10-17 19:33:58 -05:00
Josh Cummings f4cc27c375
Change Default for (Server)AuthenticationEntryPointFailureHandler
Closes gh-9429
2022-10-13 20:03:03 -06:00
Josh Cummings 5afc7cb04f
Merge remote-tracking branch 'origin/5.8.x' 2022-10-13 19:48:05 -06:00
Josh Cummings 099aaa33ff
Remove Deprecation Markers
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.

Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.

At that time, BearerTokenAuthenticationFilter can change to use
the handler.

Closes gh-11932
2022-10-13 19:47:22 -06:00
Daniel Garnier-Moiroux 200b7fecd3
Add (Server)AuthenticationEntryPointFailureHandlerAdapter
Issue gh-11932, gh-9429

(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.

BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
2022-10-13 19:25:04 -06:00
Steve Riesenberg 9090f62d9b
Merge branch '5.8.x' 2022-10-13 16:46:53 -05:00
Evgeniy Cheban 56b9badcfe
AnonymousAuthenticationFilter should cache its Supplier<SecurityContext>
Closes gh-11900
2022-10-13 16:44:48 -05:00
Steve Riesenberg 45a963a011
Remove CsrfWebFilter.setTokenFromMultipartDataEnabled
Closes gh-12019
2022-10-13 11:29:16 -05:00
Joe Grandja 753e113a13 RequestMatcherDelegatingAuthorizationManager defaults to deny
Closes gh-11958
2022-10-13 11:12:00 -04:00
Steve Riesenberg 2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
Closes gh-11960
2022-10-13 09:39:57 -05:00
Steve Riesenberg 2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
Issue gh-11960
2022-10-13 09:39:55 -05:00
Joe Grandja 6026f9f70f Merge branch '5.8.x' 2022-10-13 06:31:37 -04:00
Joe Grandja 185991a606 Revert "Add default AuthorizationManager"
This reverts commit 4ddec07d0e.
2022-10-13 06:18:00 -04:00
Josh Cummings 2713075d08
Mark Observations with Firewall Failures
Closes gh-11994
2022-10-12 20:32:24 -06:00
Josh Cummings 46ab84684b
Mark Observations with CSRF Failures
Closes gh-11993
2022-10-12 20:32:23 -06:00
Josh Cummings 99a87179dd
Instrument Filter Chain
Closes gh-11911
2022-10-12 20:32:22 -06:00
Steve Riesenberg 9b43950e13
Merge branch '5.8.x' 2022-10-12 13:14:20 -05:00
Steve Riesenberg 8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg 804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg 05e4a1dd20
Cache Xor CsrfToken
Closes gh-11988
2022-10-12 12:30:40 -05:00
Marcus Da Coregio c5e35bf32e Merge branch '5.8.x'
Closes gh-11978
2022-10-10 09:24:50 -03:00
Marcus Da Coregio 4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher
Closes gh-11938
2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux 27059ced87
Default X-Xss-Protection header value to "0"
Closes gh-9631
2022-10-07 17:42:55 -05:00
Steve Riesenberg 6753f9745e
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
Steve Riesenberg f462134e87
Add reactive support for BREACH
Closes gh-11959
2022-10-07 16:34:17 -05:00
Steve Riesenberg f4ca90e719
Add reactive interfaces for CSRF request handling
Issue gh-11959
2022-10-07 16:34:16 -05:00
Marcus Da Coregio c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present
Closes gh-11899
2022-10-06 09:12:04 -03:00
Josh Cummings 353ca76973
Merge remote-tracking branch 'origin/5.8.x' 2022-10-06 00:01:40 -06:00
Josh Cummings 380a6a2564
Polish SecurityContextHolderStrategy Usage
- Add to HttpSessionSecurityContextRepository#saveContext

Issue gh-11060
2022-10-05 23:59:14 -06:00
Josh Cummings 72a46ddd31
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler
Issue gh-11105
2022-10-05 21:47:14 -06:00
Josh Cummings eeb28e4f91
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 21:45:26 -06:00
Josh Cummings 4ddec07d0e
Add default AuthorizationManager
Closes gh-11963
2022-10-05 21:37:41 -06:00
Steve Riesenberg ee9449dbfe
Fix tests for deferred CSRF tokens
Issue gh-4001
2022-10-05 16:10:36 -05:00
Steve Riesenberg 521cdfd738
Use correct servlet imports
Issue gh-4001
2022-10-05 16:10:35 -05:00
Steve Riesenberg 8b490de08d
Merge branch '5.8.x'
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
Steve Riesenberg dce1c30522
Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Steve Riesenberg 5de6da890b
Merge branch '5.8.x'
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
Steve Riesenberg 475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Steve Riesenberg 7c3cc1e386
Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux 0e215a21ad
Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio ad2abd39dc Merge branch '5.8.x'
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
Marcus Da Coregio 039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Marcus Da Coregio 5f2744db33 Merge branch '5.8.x'
Closes gh-11937
2022-10-03 11:43:22 -03:00
Marcus Da Coregio 64a19de4dc Deprecate HPKP security header
Closes gh-10144
2022-10-03 11:36:19 -03:00
Rob Winch 4479cefade Default Require Explicit Session Management = true
Closes gh-11763
2022-09-30 21:49:05 -05:00
Steve Riesenberg 76fbca9f46
Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux 93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Steve Riesenberg e0e6467d9b
Remove UsernamePasswordAuthenticationToken check
This commit reverts 21dd050d7b.

Closes gh-10347
2022-09-29 15:25:53 -05:00
shazin 1e0e9a2c98
Allow authenticationIsRequired to be overridden
Issue gh-10347
2022-09-29 15:25:53 -05:00
Steve Riesenberg bcb21c9384
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
Steve Riesenberg 46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Steve Riesenberg 3c66ef6305
Change default SecurityContextRepository
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
2022-09-22 17:31:14 -05:00
Steve Riesenberg ccac34b07c
Merge branch '5.8.x' 2022-09-22 16:45:48 -05:00
Steve Riesenberg d140d95305
Fix assertion in NullSecurityContextRepository
Issue gh-11060
2022-09-22 15:33:22 -05:00
Steve Riesenberg 5d757919a2
Add SecurityContextHolderStrategy to new repository
In 6.0, RequestAttributeSecurityContextRepository will be the default
implementation of SecurityContextRepository. This commit adds the
ability to configure a custom SecurityContextHolderStrategy, similar
to other components.

Issue gh-11060
Closes gh-11895
2022-09-22 15:33:21 -05:00
Rob Winch 0efe26c1fd Merge branch '5.8.x'
Closes gh-11894
2022-09-22 13:47:04 -05:00
Rob Winch d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
2022-09-22 11:09:44 -05:00
Josh Cummings 2a487ae7f8
Updated hashcode and equals
Closes gh-4133
2022-09-20 16:36:37 -06:00
Josh Cummings 46f402243b
Merge remote-tracking branch 'origin/5.8.x' 2022-09-20 16:11:16 -06:00
Josh Cummings 3f8503f1b4
Deprecate AccessDecisionManager et al
Closes gh-11302
2022-09-20 16:09:59 -06:00
Steve Riesenberg 088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
Steve Riesenberg ed41a60aae
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
#	config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
#	web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
Steve Riesenberg 86fbb8db07 Add new interfaces for CSRF request processing
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
Rob Winch 8cb97a090b Default CsrfFilter.csrfRequestAttributeName = _csrf 2022-08-31 14:26:26 -05:00
Steve Riesenberg 0aa5850d22
Fix formatting
Issue gh-11762
2022-08-29 16:26:30 -05:00
Rob Winch 2efc8dcd15 Default Require Explicit Save SecurityContext
Closes gh-11762
2022-08-29 10:16:04 -05:00
Rob Winch f84f08c4b9 Default HttpSessionRequestCache.matchingRequestParameterName=continue
Closes gh-11757
2022-08-26 14:44:55 -05:00
Josh Cummings b28efbc4b8
Merge remote-tracking branch 'origin/5.8.x' into main 2022-08-25 15:44:31 -06:00
Bert Vanwolleghem a5351f3d89
LogoutPageGeneratingWebFilter Uses Context Path
Closes gh-11716
2022-08-25 15:36:04 -06:00
Steve Riesenberg 76c39fa490
Merge branch '5.8.x'
Closes gh-11750
2022-08-24 16:47:08 -05:00
shinD 4ff0724c87
slight improvement in HttpSessionRequestCache
Closes gh-11666
2022-08-24 16:44:23 -05:00
Rob Winch 670b71363d Merge branch '5.8.x'
Closes gh-11749
2022-08-23 16:03:50 -05:00
Rob Winch 2fb625db84 Remove mockito deprecations
Issue gh-11748
2022-08-23 15:59:52 -05:00
cyb3r4nt 1d555b62e3 Fix IP address parse error msg in IpAddressMatcher
There is no whitespace between error message and IP address value  `IpAddressMatcher#parseAddress()`
If IP value is wrong, then error text looks like `Failed to parse addressi.am.ip`.
There should be some separator between those two text tokens.

Also wrapped the address value with single quotes.
Will this add any confusion for the caller?
Or colon and `"Failed to parse address: $value` looks better?
2022-08-18 10:40:38 -06:00
Rob Winch 8ad20b1768 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-16 13:47:31 -05:00
Rob Winch 2aedf5899b LazyCsrfTokenRepository#loadToken Supports Deferring Delegation
Previously LazyCsrfTokenRepository supported lazily saving the CsrfToken
which allowed for lazily saving the CsrfToken. However, it did not
support lazily reading the CsrfToken. This meant every request required
reading the CsrfToken (often the HttpSession).

This commit allows for lazily reading the CsrfToken and thus prevents
unnecessary reads to the HttpSession.

Closes gh-11700
2022-08-16 13:47:31 -05:00
Rob Winch 5b64526ba9 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-15 17:07:02 -05:00
Rob Winch 666f175225 LazyCsrfTokenRepository#loadToken Supports Deferring Delegation
Previously LazyCsrfTokenRepository supported lazily saving the CsrfToken
which allowed for lazily saving the CsrfToken. However, it did not
support lazily reading the CsrfToken. This meant every request required
reading the CsrfToken (often the HttpSession).

This commit allows for lazily reading the CsrfToken and thus prevents
unnecessary reads to the HttpSession.

Closes gh-11700
2022-08-15 17:07:02 -05:00
Marcus Da Coregio ead587c597 Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:32:42 -03:00
Marcus Da Coregio 6a2ca52aae Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:32:10 -03:00
Marcus Da Coregio 24bb83e2c7 Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:31:45 -03:00
Marcus Da Coregio 1c4d6ed098 Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:30:15 -03:00
Rob Winch c23324e7a7 RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
2022-08-08 14:14:12 -05:00
Rob Winch 269c711a64 RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
2022-08-08 13:52:56 -05:00
Rob Winch c9f8d2b111 RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
2022-08-08 13:52:12 -05:00
Marcus Da Coregio 0c549ee147 Use SHA256 by default in Remember Me
Closes gh-11520
2022-07-25 10:33:12 -03:00
Marcus Da Coregio f45c4d4b8e Add SHA256 as an algorithm option for Remember Me token hashing
Closes gh-8549
2022-07-15 10:41:03 -03:00
Marcus Da Coregio dda98f333c Polish
Make encodingAlgorithm final and add it to the constructor
Add since tags
Add more tests
2022-07-15 10:34:36 -03:00
Marcus Da Coregio e17fe8ced9 Add SHA256 as an algorithm option for Remember Me token hashing
Closes gh-8549
2022-07-15 10:34:36 -03:00
Josh Cummings 20def5e25d
Consolidate ExpressionAuthorizationDecision
Issue gh-11493
2022-07-14 09:25:17 -06:00
Josh Cummings db25a37320
Consolidate ExpressionAuthorizationDecision
Issue gh-11493
2022-07-13 17:58:16 -06:00
Marcus Da Coregio 7abea4a964 Add RuntimeHints suffix for RuntimeHintsRegistrar
Closes gh-11497
2022-07-13 10:14:43 -03:00
Joe Grandja 177baba8c9 RuntimeHintsPredicates moved to predicate package 2022-07-12 16:00:50 -04:00
Marcus Da Coregio 6455e98745 FilterSecurityInterceptor applies to every request by default
Closes gh-11466
2022-07-12 10:53:03 -03:00
Steve Riesenberg 206c6ffb54
Remove deprecation warnings with Context.putAll
Closes gh-11476
2022-07-08 16:03:45 -05:00
Rob Winch 7da34cfa2c Fix logging for AnonymousAuthenticationFilter
Currently if trace logging is enabled a StackOverflowException is thrown
when trying to resolve toString of the authentication.

java.lang.StackOverflowError: null
        at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:538) ~[na:na]
        at java.base/java.lang.StringBuilder.append(StringBuilder.java:174) ~[na:na]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$2(AnonymousAuthenticationFilter.java:125) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.core.log.LogMessage$SupplierMessage.buildString(LogMessage.java:155) ~[spring-core-5.3.12.jar:5.3.12]
        at org.springframework.core.log.LogMessage.toString(LogMessage.java:70) ~[spring-core-5.3.12.jar:5.3.12]
        at java.base/java.lang.String.valueOf(String.java:2951) ~[na:na]
        at org.apache.commons.logging.LogAdapter$Slf4jLocationAwareLog.trace(LogAdapter.java:482) ~[spring-jcl-5.3.12.jar:5.3.12]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous(AnonymousAuthenticationFilter.java:125) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$0(AnonymousAuthenticationFilter.java:105) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.core.context.ThreadLocalSecurityContextHolderStrategy.lambda$setDeferredContext$2(ThreadLocalSecurityContextHolderStrategy.java:67) ~[spring-security-core-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.core.context.ThreadLocalSecurityContextHolderStrategy.getContext(ThreadLocalSecurityContextHolderStrategy.java:43) ~[spring-security-core-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$2(AnonymousAuthenticationFilter.java:126) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.core.log.LogMessage$SupplierMessage.buildString(LogMessage.java:155) ~[spring-core-5.3.12.jar:5.3.12]
        at org.springframework.core.log.LogMessage.toString(LogMessage.java:70) ~[spring-core-5.3.12.jar:5.3.12]
        at java.base/java.lang.String.valueOf(String.java:2951) ~[na:na]
        at org.apache.commons.logging.LogAdapter$Slf4jLocationAwareLog.trace(LogAdapter.java:482) ~[spring-jcl-5.3.12.jar:5.3.12]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous(AnonymousAuthenticationFilter.java:125)

Issue gh-11457
2022-07-08 15:44:21 -05:00
Rob Winch 1c61748bb9 Fix logging for AnonymousAuthenticationFilter
Currently if trace logging is enabled a StackOverflowException is thrown
when trying to resolve toString of the authentication.

java.lang.StackOverflowError: null
        at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:538) ~[na:na]
        at java.base/java.lang.StringBuilder.append(StringBuilder.java:174) ~[na:na]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$2(AnonymousAuthenticationFilter.java:125) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.core.log.LogMessage$SupplierMessage.buildString(LogMessage.java:155) ~[spring-core-5.3.12.jar:5.3.12]
        at org.springframework.core.log.LogMessage.toString(LogMessage.java:70) ~[spring-core-5.3.12.jar:5.3.12]
        at java.base/java.lang.String.valueOf(String.java:2951) ~[na:na]
        at org.apache.commons.logging.LogAdapter$Slf4jLocationAwareLog.trace(LogAdapter.java:482) ~[spring-jcl-5.3.12.jar:5.3.12]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous(AnonymousAuthenticationFilter.java:125) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$0(AnonymousAuthenticationFilter.java:105) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.core.context.ThreadLocalSecurityContextHolderStrategy.lambda$setDeferredContext$2(ThreadLocalSecurityContextHolderStrategy.java:67) ~[spring-security-core-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.core.context.ThreadLocalSecurityContextHolderStrategy.getContext(ThreadLocalSecurityContextHolderStrategy.java:43) ~[spring-security-core-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$2(AnonymousAuthenticationFilter.java:126) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.core.log.LogMessage$SupplierMessage.buildString(LogMessage.java:155) ~[spring-core-5.3.12.jar:5.3.12]
        at org.springframework.core.log.LogMessage.toString(LogMessage.java:70) ~[spring-core-5.3.12.jar:5.3.12]
        at java.base/java.lang.String.valueOf(String.java:2951) ~[na:na]
        at org.apache.commons.logging.LogAdapter$Slf4jLocationAwareLog.trace(LogAdapter.java:482) ~[spring-jcl-5.3.12.jar:5.3.12]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous(AnonymousAuthenticationFilter.java:125)

Issue gh-11457
2022-07-08 15:39:53 -05:00
Rob Winch 0bf985ed7c AnonymousAuthenticationFilter Avoids Eager SecurityContext Access
Previously AnonymousAuthenticationFilter accessed the SecurityContext to
determine if anonymous authentication needed setup eagerly. Now this is done
lazily to avoid unnecessary access to the SecurityContext which in turn avoids
unnecessary HTTP Session access.

Closes gh-11457
2022-07-05 15:51:12 -05:00
Rob Winch 415a674edc AnonymousAuthenticationFilter Avoids Eager SecurityContext Access
Previously AnonymousAuthenticationFilter accessed the SecurityContext to
determine if anonymous authentication needed setup eagerly. Now this is done
lazily to avoid unnecessary access to the SecurityContext which in turn avoids
unnecessary HTTP Session access.

Closes gh-11457
2022-07-05 15:34:21 -05:00
Rob Winch 6510274854 Request Cache supports matchingRequestParameterName
Closes gh-7157 gh-11453
2022-07-01 16:51:49 -05:00
Rob Winch 28c0d1459c Request Cache supports matchingRequestParameterName 2022-07-01 16:35:06 -05:00
Josh Cummings d18ff25b95
Use SecurityContextHolderStrategy for NullSecurityContextRepository
Issue gh-11060
2022-06-28 15:33:06 -06:00
Josh Cummings 05b788d1ac
Use SecurityContextHolderStrategy for Concurrency Filter
Issue gh-11060
Issue gh-11061
2022-06-28 15:33:05 -06:00
Josh Cummings 5357cb8c95
Use SecurityContextHolderStrategy for NullSecurityContextRepository
Issue gh-11060
2022-06-28 15:32:20 -06:00
Josh Cummings 03a5c3b08a
Use SecurityContextHolderStrategy for Concurrency Filter
Issue gh-11060
Issue gh-11061
2022-06-28 15:32:05 -06:00
Josh Cummings a218d3e140
Use SecurityContextHolderStrategy for Async Requests
Issue gh-11060
Issue gh-11061
2022-06-28 14:56:55 -06:00
Josh Cummings 27de315e5e
Use SecurityContextHolderStrategy for Async Requests
Issue gh-11060
Issue gh-11061
2022-06-28 14:46:52 -06:00
Josh Cummings 5086409dcf
Use SecurityContextHolderStrategy for Digest
Issue gh-11060
2022-06-28 13:54:56 -06:00
Josh Cummings 135e602472
Use SecurityContextHolderStrategy for Digest
Issue gh-11060
2022-06-28 13:54:29 -06:00
Josh Cummings 44d99f41a3
Use SecurityContextHolderStrategy for Switch User
Issue gh-11060
2022-06-28 13:35:39 -06:00
Josh Cummings e1c211c11f
Use SecurityContextHolderStrategy for Switch User
Issue gh-11060
2022-06-28 13:34:04 -06:00
Josh Cummings 83b3bb3209
Add SecurityContextHolderStrategy to Pre-authenticated scenarios
Issue gh-11060
Issue gh-11061
2022-06-28 12:10:07 -06:00
Josh Cummings 98995f2225
Add SecurityContextHolderStrategy to Pre-authenticated scenarios
Issue gh-11060
Issue gh-11061
2022-06-28 12:04:37 -06:00
Josh Cummings 944f565c16
Use SecurityContextHolderStrategy for Remember-me
Issue gh-11060
Isuse gh-11061
2022-06-28 11:09:38 -06:00
Josh Cummings 4a2d77d3f2
Use SecurityContextHolderStrategy for Remember-me
Issue gh-11060
Isuse gh-11061
2022-06-28 11:08:57 -06:00
Josh Cummings b316a3217b
Add SecurityContextHolderStrategy for Jaas
Issue gh-11060
Issue gh-11061
2022-06-28 09:35:54 -06:00
Josh Cummings ee66850aed
Add SecurityContextHolderStrategy for Jaas
Issue gh-11060
Issue gh-11061
2022-06-28 09:26:05 -06:00
Josh Cummings f3d99f557b
Use SecurityContextHolderStrategy for AuthenticationFilter
Issue gh-11060
2022-06-27 16:28:37 -06:00
Josh Cummings 0fee05d023
Use SecurityContextHolderStrategy for AuthenticationFilter
Issue gh-11060
2022-06-27 16:26:42 -06:00
Josh Cummings a7b58c2299
Polish SecurityContextHolderStrategy for Defaults
gh-11060
2022-06-27 13:17:44 -06:00
Josh Cummings 772f29e063
Polish SecurityContextHolderStrategy for Defaults
gh-11060
2022-06-27 13:00:24 -06:00
Marcus Da Coregio a8c30f79e6 Add Core, MVC and MethodSecurity runtime hints
Closes gh-11431
2022-06-27 09:25:49 -03:00
Alonso Araya Calvo 7841827169
Adds the ability to set the CSRF Token cookie max age value
Closes gh-11432
2022-06-24 16:42:32 -06:00
Alonso Araya Calvo 1ac1271972 Adds the ability to set the CSRF Token cookie max age value
Closes gh-11432
2022-06-24 16:42:05 -06:00
Rob Winch d32f74d19d SecurityContextHolder Deferred SecurityContext
Closes gh-10913
2022-06-17 17:03:19 -05:00
Rob Winch b6d43e58c0 SecurityContextHolder Deferred SecurityContext
Closes gh-10913
2022-06-17 16:59:09 -05:00
Rob Winch d4a03dc2b1 Cache SecurityContextRepository.loadContext(HttpServletRequest) Result
Closes gh-11390
2022-06-17 15:28:57 -05:00
Rob Winch 29db051f7a Cache SecurityContextRepository.loadContext(HttpServletRequest) Result
Closes gh-11390
2022-06-17 14:52:35 -05:00
Rob Winch 591d1edc7d Cache SecurityContextRepository.loadContext(HttpServletRequest) Result
Closes gh-11390
2022-06-17 14:52:01 -05:00
Josh Cummings a31a99b591
Add SecurityContextHolderStrategy to Default Components
Issue gh-11060
2022-06-17 11:58:36 -06:00
Josh Cummings 31e25b115e Add SecurityContextHolderStrategy to Default Components
Issue gh-11060
2022-06-17 11:28:10 -06:00
j3graham 29ba67b6d7 Remove dependency on commons-codec by using java.util.Base64
Closes gh-11318
2022-06-09 06:50:01 -06:00
j3graham f3c96fa9cd Remove dependency on commons-codec by using java.util.Base64
Closes gh-11318
2022-06-09 06:49:39 -06:00
Zhivko Delchev e97c5a533b Reverse content type check
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
Closes gh-11205
2022-06-06 15:47:35 -05:00
Zhivko Delchev d882bfcf2b Reverse content type check
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
Closes gh-11205
2022-06-06 15:47:14 -05:00
Zhivko Delchev cf69cdf008 Reverse content type check
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
Closes gh-11205
2022-06-06 15:46:28 -05:00
Zhivko Delchev 1483a57018 Reverse content type check
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
2022-06-06 15:45:55 -05:00
Josh Cummings 57fe5b8b5c
Fix Import Order Checkstyle Error
Issue gh-9667
2022-05-23 15:55:21 -06:00
Evgeniy Cheban 5540bbcf0b
createEvaluationContext should defer lookup of Authentication
- Added createEvaluationContext method that accepts Supplier<Authentication>
- Refactored classes that use EvaluationContext to use lazy initialization of Authentication

Closes gh-9667
2022-05-18 17:36:17 -06:00
Evgeniy Cheban 362f15534e createEvaluationContext should defer lookup of Authentication
- Added createEvaluationContext method that accepts Supplier<Authentication>
- Refactored classes that use EvaluationContext to use lazy initialization of Authentication

Closes gh-9667
2022-05-18 17:34:14 -06:00
Rob Winch 5b0dab5d3e StrictHttpFirewall allows CJKV characters
Closes gh-11264
2022-05-18 09:54:16 -05:00
Rob Winch 7d97839235 StrictHttpFirewall allows CJKV characters
Closes gh-11264
2022-05-18 09:53:29 -05:00
Rob Winch 66d1cd592a StrictHttpFirewall allows CJKV characters
Closes gh-11264
2022-05-18 09:04:46 -05:00
Rob Winch 077c9e0b3e StrictHttpFirewall allows CJKV characters
Closes gh-11264
2022-05-18 08:56:57 -05:00
Rob Winch e2eed33eca Add StrictHttpFirewall.allow* new lines and separators
Issue gh-11264
2022-05-17 22:24:31 -05:00
Rob Winch 5bf478e72e Fix Formatting
Issue gh-11264
2022-05-17 16:16:02 -05:00
Rob Winch e0a6a9efa9 StrictHttpFirewall allows CJKV characters
Issue gh-11264
2022-05-17 15:53:18 -05:00
Rob Winch 472c25b5e8 AntRegexRequestMatcher Optimization
Closes gh-11234
2022-05-16 11:32:01 -05:00
Rob Winch 0df5ece758 Extract rejectNonPrintableAsciiCharactersInFieldName
Closes gh-11234
2022-05-16 11:32:01 -05:00
Rob Winch 538252cf07 AntRegexRequestMatcher Optimization
Closes gh-11234
2022-05-16 10:22:30 -05:00
Rob Winch 04ca7ef91b Extract rejectNonPrintableAsciiCharactersInFieldName
Closes gh-11234
2022-05-16 10:22:30 -05:00
Rob Winch c6461d61ba AntRegexRequestMatcher Optimization
Closes gh-11234
2022-05-16 10:18:12 -05:00
Rob Winch 4405cf18f3 Extract rejectNonPrintableAsciiCharactersInFieldName
Closes gh-11234
2022-05-16 10:18:11 -05:00
Rob Winch 70863952ae AntRegexRequestMatcher Optimization
Closes gh-11234
2022-05-16 10:17:44 -05:00
Rob Winch af95be34c6 Extract rejectNonPrintableAsciiCharactersInFieldName
Closes gh-11234
2022-05-16 10:17:44 -05:00
Rob Winch ee28896f42 AntRegexRequestMatcher Optimization
Closes gh-11234
2022-05-16 10:17:26 -05:00
Rob Winch 6b823fb27e Extract rejectNonPrintableAsciiCharactersInFieldName
Closes gh-11234
2022-05-16 10:17:26 -05:00
Josh Cummings 0814136ee8
Polish WebExpressionAuthorizationManager
- Add support for request variables
- Added additional tests

Issue gh-11105
2022-05-13 14:14:42 -06:00
Evgeniy Cheban c4766e64fe
Add AuthorizationManager that uses ExpressionHandler
Closes gh-11105
2022-05-13 14:05:34 -06:00
Josh Cummings ffaf5b4e61
Polish WebExpressionAuthorizationManager
- Add support for request variables
- Added additional tests

Issue gh-11105
2022-05-13 13:53:38 -06:00
Evgeniy Cheban 07b0be3f42 Add AuthorizationManager that uses ExpressionHandler
Closes gh-11105
2022-05-13 13:52:49 -06:00
Rob Winch f34ea188e2 RequestRejectedException is 400 by Default
Closes gh-7568
2022-05-12 10:32:27 -05:00
Marcus Da Coregio 000b87f9aa Revert "Use Spring Framework version 6.0.0-M3"
This reverts commit b803e845e7.
2022-05-11 08:36:14 -03:00
Marcus Da Coregio 806e05855c Replace removed context-related operators
Closes gh-11194
2022-05-10 14:58:02 -03:00
Marcus Da Coregio b803e845e7 Use Spring Framework version 6.0.0-M3
Closes gh-11193
2022-05-10 14:49:02 -03:00
Marcus Da Coregio ce86f4e4b5 Polish ServerWebExchangeDelegatingServerHttpHeadersWriter
Issue gh-11073
2022-05-06 09:51:28 -03:00
David Herberth 57cededd49 Add DelegatingServerHttpHeadersWriter
Servlet Spring Security has DelegatingRequestMatcherHeaderWriter
the reactive world of Spring Security was missing a class to
conditionally write headers.

Closes gh-11073
2022-05-06 09:51:28 -03:00
Marcus Da Coregio 195d767d98 Polish ServerWebExchangeDelegatingServerHttpHeadersWriter
Issue gh-11073
2022-05-06 09:43:34 -03:00
David Herberth 0e2fc51bad Add DelegatingServerHttpHeadersWriter
Servlet Spring Security has DelegatingRequestMatcherHeaderWriter
the reactive world of Spring Security was missing a class to
conditionally write headers.

Closes gh-11073
2022-05-06 09:43:34 -03:00
Rob Winch 67830f4111 Fix WebSessionReactiveSecurityRepository Supports Cache
Fix the checkstyle for this feature

Closes gh-8422
2022-05-03 21:10:07 -05:00
Rob Winch 768267c131 Fix WebSessionReactiveSecurityRepository Supports Cache
Fix the checkstyle for this feature

Closes gh-8422
2022-05-03 21:09:41 -05:00
Rob Winch 3c259b4be5 Fix WebSessionReactiveSecurityRepository Supports Cache
Fix the checkstyle for this feature

Closes gh-8422
2022-05-03 21:08:51 -05:00
Rob Winch dbe7e37f2b WebSessionReactiveSecurityRepository Supports Cache 2022-05-03 16:40:51 -05:00
Rob Winch c6eaa05fc5 WebSessionReactiveSecurityRepository Supports Cache 2022-05-03 16:40:38 -05:00
Rob Winch 1ef738ba34 WebSessionReactiveSecurityRepository Supports Cache 2022-05-03 16:15:22 -05:00
Rob Winch 9a9a43a0c0 ForceEagerSessionCreationFilter
Closes gh-11109
2022-04-15 14:18:25 -05:00
Rob Winch aaf78330b1 ForceEagerSessionCreationFilter
Closes gh-11109
2022-04-15 14:16:35 -05:00
Marcus Da Coregio 5367524030 Change the default of shouldFilterAllDispatchTypes to true
Closes gh-11107
2022-04-14 16:30:42 -03:00
Marcus Da Coregio 84b5c76a7b Add Option to Filter All Dispatcher Types
Closes gh-11092
2022-04-14 16:10:36 -03:00
Marcus Da Coregio 7fea639a43 Add Option to Filter All Dispatcher Types
Closes gh-11092
2022-04-14 15:58:00 -03:00
Rob Winch 3a9b080bbe Deprecate loadContext(RequestResponseHolder)
Fix gh-11032
2022-04-12 16:36:08 -05:00
Rob Winch 0c2b9758fc Deprecate loadContext(RequestResponseHolder)
Fix gh-11032
2022-04-12 16:35:38 -05:00
Marcus Da Coregio 50f8df6f07 Use HttpStatusCode
Closes gh-11091
2022-04-11 09:19:56 -03:00
Marcus Da Coregio bc50146f60 Fix tests in AntPathRequestMatcherTests
Closes gh-11090
2022-04-11 09:19:56 -03:00
Rob Winch 39b0620a84 Add DisableUrlRewritingFilter
Closes gh-11084
2022-04-08 16:13:44 -05:00
Rob Winch 7be32872e9 Add DisableUrlRewritingFilter
Closes gh-11084
2022-04-08 16:13:24 -05:00
Eleftheria Stein c4e88415a5 Remove MessageSourceAware from ExceptionTranslationWebFilter
Closes gh-11057
2022-04-05 16:13:41 +02:00
Eleftheria Stein ae8e77f9ff Remove blocking call from ExceptionTranslationWebFilter
This also means that the exception message is no longer retrieved from a MessageSource. This is consistent with the other WebFilters.

Closes gh-10864
2022-04-05 14:05:56 +02:00
Eleftheria Stein 725a57fccc Remove blocking call from ExceptionTranslationWebFilter
This also means that the exception message is no longer retrieved from a MessageSource. This is consistent with the other WebFilters.

Closes gh-10864
2022-04-05 13:12:17 +02:00
Josh Cummings 1edfa07d27
Use RequestMatcherEntry
Closes gh-11046
2022-03-30 14:40:06 -06:00
Josh Cummings c175118f62
Use RequestMatcherEntry
Closes gh-11046
2022-03-30 14:31:11 -06:00
Josh Cummings bdd5f86526
Polish Authorization Event Support
- Added spring-security-config support
- Renamed classes
- Changed contracts to include the authenticated user and secured
object
- Added method security support

Issue gh-9288
2022-03-29 16:37:21 -06:00
Parikshit Dutta 990831db85
Add authorization events
Closes gh-9288
2022-03-29 16:22:43 -06:00
Josh Cummings 061f69eb70
Polish Authorization Event Support
- Added spring-security-config support
- Renamed classes
- Changed contracts to include the authenticated user and secured
object
- Added method security support

Issue gh-9288
2022-03-29 16:03:19 -06:00
Parikshit Dutta bd9434882f
Add authorization events
Closes gh-9288
2022-03-29 15:44:21 -06:00
Marcus Da Coregio 9792e2a0fa Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10908
2022-03-28 10:21:15 -03:00
Marcus Da Coregio c67632225d Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10908
2022-03-28 10:13:40 -03:00
Marcus Da Coregio 8c34af711e Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10908
2022-03-28 10:01:51 -03:00