Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
10,005 Commits 30 Branches 330 Tags 114 MiB
Commit Graph

1166 Commits

Author SHA1 Message Date
Zhivko Delchev e97c5a533b Reverse content type check 
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
Closes gh-11205
 2022-06-06 15:47:35 -05:00
Rob Winch 077c9e0b3e StrictHttpFirewall allows CJKV characters 
Closes gh-11264
 2022-05-18 08:56:57 -05:00
Rob Winch 70863952ae AntRegexRequestMatcher Optimization 
Closes gh-11234
 2022-05-16 10:17:44 -05:00
Rob Winch af95be34c6 Extract rejectNonPrintableAsciiCharactersInFieldName 
Closes gh-11234
 2022-05-16 10:17:44 -05:00
Marcus Da Coregio c67632225d Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator 
Closes gh-10908
 2022-03-28 10:13:40 -03:00
Marcus Da Coregio 70b67cd2f1 AuthorizationManagerWebInvocationPrivilegeEvaluator grant access when AuthorizationManager abstains 
Closes gh-10950
 2022-03-09 15:22:21 -03:00
Josh Cummings f0c548cee7 Invert Log Messages 
Closes gh-10909
 2022-02-28 13:17:01 -07:00
Josh Cummings f53c65b3a0 Polish ignoring() log messaging 
- Public API remains unchanged

Issue gh-9334
 2022-02-07 15:07:29 -07:00
Manuel Jordan 0be772ff5b Print ignore message DefaultSecurityFilterChain 
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.

Closes gh-9334
 2022-02-07 15:07:29 -07:00
Marcus Da Coregio a041e7c943 RequestMatcherDelegatingWebInvocationPrivilegeEvaluator doesn't provided access to the ServletContext 
Closes gh-10779
 2022-01-31 09:50:17 -03:00
Rob Winch 04f3bbcefa javax.xml.bind:jaxb-api -> jakarta.xml.bind:jakarta.xml.bind-api 
Issue gh-10501
 2022-01-19 15:32:12 -06:00
Rob Winch c67ee6f2a8 javax.servlet:javax.servlet-api -> jakarta.servlet:jakarta.servlet-api 
Issue gh-10501
 2022-01-19 15:32:12 -06:00
Josh Cummings 6c5ac0d8ec Use noNullElements 
Collection#contains(null) does not work for all collection types

Closes gh-10703
 2022-01-14 15:09:21 -07:00
Marcus Da Coregio e7e3f06044 Fix @since tag 
Issue gh-10590, gh-10554
 2022-01-06 13:22:13 -03:00
Marcus Da Coregio 994e93741b Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains 
Closes gh-10554
 2022-01-05 14:06:47 -03:00
Marcus Da Coregio 04e1a11e35 Add RequestMatcherEntry 2022-01-05 14:06:47 -03:00
Marcus Da Coregio 547056d5cc Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator 
Closes gh-10590
 2022-01-05 14:06:47 -03:00
Steve Riesenberg c7ffd2513a Update copyright year 
Issue gh-10557
 2021-12-01 17:36:19 -06:00
Steve Riesenberg b3e0f167ff Fix case sensitive headers comparison 
Closes gh-10557
 2021-12-01 15:01:06 -06:00
Marcus Da Coregio caad3d57e2 Improve log message when no CSRF token found 
Closes gh-10436
 2021-10-29 14:06:17 -03:00
Emil Sierżęga 04b47c5928 Fixed various broken links in Javadocs 2021-10-21 11:47:04 +02:00
Emil Sierżęga a188138715 Javadocs author tag doesn't work in methods 2021-10-21 11:47:04 +02:00
Rob Winch f836897190 Checkstyle Fixes 
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
 2021-10-18 21:03:35 -05:00
Rob Winch e1f4ec1137 Fix Jackson 2021-10-18 21:03:12 -05:00
Marcus Da Coregio faec20bc69 Update DefaultWebInvocationPrivilegeEvaluator to use current ServletContext 
Closes gh-10208
 2021-10-14 09:27:02 -03:00
Josh Cummings 7b98c2ea95 Restructure SwitchUserFilter Logs 
Issue gh-6311
 2021-10-12 13:32:29 -06:00
Marcus Da Coregio 02b2fcc6f0 Restore ManagementConfigurationPlugin 
Issue gh-9615
 2021-10-05 11:23:29 -03:00
Marcus Da Coregio d2e5f2ae0d Update Gradle to 7.2 
Closes gh-9615
 2021-10-04 15:19:40 -03:00
Eleftheria Stein 7d81a52780 Allow AuthenticationPrincipal argument type to be primitive 
Closes gh-10172
 2021-10-04 16:22:21 +02:00
heowc 84d173c310 Fix typo 2021-09-27 10:55:18 -03:00
Bogdan Ilchyshyn a4c088a3b3 Introducing WebSessionServerLogoutHandler 
Closes gh-4838
 2021-08-16 13:08:35 -06:00
Hiroshi Shirosaki 6f3e346b76 Add SecurityContextHolder#addListener 
Closes gh-10032
 2021-08-11 17:12:13 -06:00
Josh Cummings b8d51725c7 Immutable SecurityContext 
Issue gh-10032
 2021-08-11 17:12:13 -06:00
Rob Winch f73f213f50 Remove DependencySetPlugin 
Closes gh-10070
 2021-07-12 15:31:38 -05:00
Rob Winch f800d2c993 Add hamcrest dependency 2021-07-09 15:57:21 -05:00
Rob Winch b6ff4d3674 Fix mockito UnnecessaryStubbingException 2021-07-09 14:35:10 -05:00
Rob Winch 3e93b024d6 openrewrite Junit Migration 2021-07-09 14:32:52 -05:00
Rob Winch 14240b2559 Remove Powermock 
Powermock does not support JUnit5 yet, so we need to remove it
to support JUnit 5. Additionally, maintaining additional libraries
adds extra work for the team.

Mockito now supports final classes and static method mocking. This
commit replaces Powermock with mockito-inline.

Closes gh-6025
 2021-07-08 12:35:32 -05:00
Evgeniy Cheban d121ab9565 Support A Well-Known URL for Changing Passwords 
Closes gh-8657
 2021-07-01 16:57:53 -06:00
Alexey Markevich 3219fd554d DigestAuthenticationFilter decodes nonce only once 
Closes gh-8455
 2021-06-18 15:25:00 -04:00
Steve Riesenberg 3bb8e1d200 Remove redundant translations in spring-security-web 2021-06-15 09:18:13 -05:00
Ruben Suarez Alvarez 7cd344acab
Add spanish translation of insufficient authentication and cookie stolen 2021-06-15 09:11:53 -05:00
Josh Cummings ca76c54471
Polish CsrfWebFilterTests 
Issue gh-9113
 2021-06-04 16:41:08 -06:00
Tomoki Tsubaki 0c8b6df82a
Cache Mono that generate the CSRF token 
Closes gh-9113
 2021-06-04 16:41:08 -06:00
AlexeyAnufriev baac9e0cf2 Properly clean cookies with context path after logout 
Closes gh-8846
 2021-06-04 15:42:33 +02:00
Marcus Hert da Coregio 2a7998d0fc Adjust createNewSessionIfAllowed to prevent NPE 
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
 2021-05-26 10:36:44 -06:00
César Revert cf74ad3a52 Anonymous in ExceptionTranslationWebFilter 
The ExceptionTranslationWebFilter does not support correctly when
anonymous authentication is enabled. With this enabled provoked always
the execution of the access denied handler, and with this fix it
behaves like the ExceptionTranslationFilter (servlet), executing the
access denied handler only if the principal is not empty and neither
anonymous.

Closes gh-9130
 2021-05-26 09:17:41 -05:00
Craig Andrews a7fbae8355 Add test for RequestedUrlRedirectInvalidSessionStrategy 2021-05-26 09:11:38 -05:00
Craig Andrews 0e6d47b082 Add guard around debug logging involving string concatenation 2021-05-26 09:11:38 -05:00
Craig Andrews 0af74ce134 Use ServletUriComponentsBuilder instead of UrlPathHelper 2021-05-26 09:11:38 -05:00