commit c4d23f2b49
Author: Marcus Da Coregio
Date:   2022-10-06 09:12:04 -03:00

    Use MvcRequestMatcher by default if Spring MVC is present

    Closes gh-11899

commit 353ca76973
Author: Josh Cummings
Date:   2022-10-06 00:01:40 -06:00

    Merge remote-tracking branch 'origin/5.8.x'

commit 380a6a2564
Author: Josh Cummings
Date:   2022-10-05 23:59:14 -06:00

    Polish SecurityContextHolderStrategy Usage

    - Add to HttpSessionSecurityContextRepository#saveContext

    Issue gh-11060

commit 72a46ddd31
Author: Josh Cummings
Date:   2022-10-05 22:48:33 -06:00

    Merge remote-tracking branch 'origin/5.8.x'

commit f16d47c7b5
Author: Josh Cummings
Date:   2022-10-05 21:47:14 -06:00

    Polish DefaultHttpSecurityExpressionHandler

    Issue gh-11105

commit eeb28e4f91
Author: Josh Cummings
Date:   2022-10-05 21:45:26 -06:00

    Merge remote-tracking branch 'origin/5.8.x'

commit 4ddec07d0e
Author: Josh Cummings
Date:   2022-10-05 21:37:41 -06:00

    Add default AuthorizationManager

    Closes gh-11963

commit ee9449dbfe
Author: Steve Riesenberg
Date:   2022-10-05 16:10:36 -05:00

    Fix tests for deferred CSRF tokens

    Issue gh-4001

commit 521cdfd738
Author: Steve Riesenberg
Date:   2022-10-05 16:10:35 -05:00

    Use correct servlet imports

    Issue gh-4001

commit 8b490de08d
Author: Steve Riesenberg
Date:   2022-10-05 14:46:15 -05:00

    Merge branch '5.8.x'

    # Conflicts:
    #	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc

commit dce1c30522
Author: Steve Riesenberg
Date:   2022-10-05 14:21:13 -05:00

    Add support for BREACH

    Closes gh-4001

commit 5de6da890b
Author: Steve Riesenberg
Date:   2022-10-04 11:18:00 -05:00

    Merge branch '5.8.x'

    Closes gh-dry-run

commit 475b3bb6bb
Author: Steve Riesenberg
Date:   2022-10-03 17:10:54 -05:00

    Add deferred CsrfTokenRepository.loadDeferredToken

    * Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
    * Move RepositoryDeferredCsrfToken to top-level and make package-private
    * Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
    * Update CsrfFilter
    * Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

    Issue gh-11892
    Closes gh-11918

commit 7c3cc1e386
Author: Steve Riesenberg
Date:   2022-10-03 14:29:51 -05:00

    Merge branch '5.8.x'

commit 0e215a21ad
Author: Daniel Garnier-Moiroux
Date:   2022-10-03 14:29:34 -05:00

    Add X-Xss-Protection headerValue to XML config

    Issue gh-9631

commit ad2abd39dc
Author: Marcus Da Coregio
Date:   2022-10-03 16:02:18 -03:00

    Merge branch '5.8.x'

    Closes gh-11347 in 6.0.x
    Closes gh-11945

commit 039e0328e1
Author: Marcus Da Coregio
Date:   2022-10-03 15:55:20 -03:00

    Simplify Java Configuration RequestMatcher Usage

    If Spring MVC is present in the classpath, use MvcRequestMatcher by default.
    This commit also adds a new securityMatcher method in HttpSecurity.

    Closes gh-11347
    Closes gh-9159

commit 5f2744db33
Author: Marcus Da Coregio
Date:   2022-10-03 11:43:22 -03:00

    Merge branch '5.8.x'

    Closes gh-11937

commit 64a19de4dc
Author: Marcus Da Coregio
Date:   2022-10-03 11:36:19 -03:00

    Deprecate HPKP security header

    Closes gh-10144

commit 4479cefade
Author: Rob Winch
Date:   2022-09-30 21:49:05 -05:00

    Default Require Explicit Session Management = true

    Closes gh-11763

commit 76fbca9f46
Author: Steve Riesenberg
Date:   2022-09-30 09:50:02 -05:00

    Merge branch '5.8.x'

commit 93250013e4
Author: Daniel Garnier-Moiroux
Date:   2022-09-30 09:38:08 -05:00

    Make X-Xss-Protection configurable through ServerHttpSecurity

    OWASP recommends using "X-Xss-Protection: 0". The default is currently
    "X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".
    This commit adds the ability to configure the xssProtection header
    value in ServerHttpSecurity.

    This commit deprecates the use of "enabled" and "block" booleans to
    configure XSS protection, as the state "!enabled + block" is invalid.
    This impacts HttpSecurity.

    Issue gh-9631

commit e0e6467d9b
Author: Steve Riesenberg
Date:   2022-09-29 15:25:53 -05:00

    Remove UsernamePasswordAuthenticationToken check

    This commit reverts 21dd050d7b69bf3a8efdb46100893d151fe8b15e.

    Closes gh-10347

commit 1e0e9a2c98
Author: shazin
Date:   2022-09-29 15:25:53 -05:00

    Allow authenticationIsRequired to be overridden

    Issue gh-10347

commit bcb21c9384
Author: Steve Riesenberg
Date:   2022-09-23 15:39:43 -05:00

    Merge branch '5.8.x'

    # Conflicts:
    #	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java

commit 46696a9226
Author: Steve Riesenberg
Date:   2022-09-23 15:09:00 -05:00

    CsrfTokenRequestHandler extends CsrfTokenRequestResolver

    Closes gh-11896

commit 3c66ef6305
Author: Steve Riesenberg
Date:   2022-09-22 17:31:14 -05:00

    Change default SecurityContextRepository

    Save SecurityContext in request attributes for stateless session
    management using RequestAttributeSecurityContextRepository.

    Closes gh-11026

commit ccac34b07c
Author: Steve Riesenberg
Date:   2022-09-22 16:45:48 -05:00

    Merge branch '5.8.x'

commit d140d95305
Author: Steve Riesenberg
Date:   2022-09-22 15:33:22 -05:00

    Fix assertion in NullSecurityContextRepository

    Issue gh-11060

commit 5d757919a2
Author: Steve Riesenberg
Date:   2022-09-22 15:33:21 -05:00

    Add SecurityContextHolderStrategy to new repository

    In 6.0, RequestAttributeSecurityContextRepository will be the default
    implementation of SecurityContextRepository. This commit adds the
    ability to configure a custom SecurityContextHolderStrategy, similar
    to other components.

    Issue gh-11060
    Closes gh-11895

commit 0efe26c1fd
Author: Rob Winch
Date:   2022-09-22 13:47:04 -05:00

    Merge branch '5.8.x'

    Closes gh-11894

commit d94677f87e
Author: Rob Winch
Date:   2022-09-22 11:09:44 -05:00

    CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler

    This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
    moves usage from CsrfFilter into CsrfTokenRequestHandler.

    Closes gh-11892

commit 2a487ae7f8
Author: Josh Cummings
Date:   2022-09-20 16:36:37 -06:00

    Updated hashcode and equals

    Closes gh-4133

commit 46f402243b
Author: Josh Cummings
Date:   2022-09-20 16:11:16 -06:00

    Merge remote-tracking branch 'origin/5.8.x'

commit 3f8503f1b4
Author: Josh Cummings
Date:   2022-09-20 16:09:59 -06:00

    Deprecate AccessDecisionManager et al

    Closes gh-11302

commit 088ebe2e00
Author: Steve Riesenberg
Date:   2022-09-06 12:28:52 -05:00

    Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf

    Issue gh-11764
    Issue gh-4001

commit ed41a60aae
Author: Steve Riesenberg
Date:   2022-09-06 11:51:55 -05:00

    Merge branch '5.8.x'

    # Conflicts:
    #	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
    #	config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
    #	web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java

commit 86fbb8db07
Author: Steve Riesenberg
Date:   2022-09-06 11:43:33 -05:00

    Add new interfaces for CSRF request processing

    Issue gh-4001
    Issue gh-11456

commit 8cb97a090b
Author: Rob Winch
Date:   2022-08-31 14:26:26 -05:00

    Default CsrfFilter.csrfRequestAttributeName = _csrf

commit 0aa5850d22
Author: Steve Riesenberg
Date:   2022-08-29 16:26:30 -05:00

    Fix formatting

    Issue gh-11762

commit 2efc8dcd15
Author: Rob Winch
Date:   2022-08-29 10:16:04 -05:00

    Default Require Explicit Save SecurityContext

    Closes gh-11762

commit f84f08c4b9
Author: Rob Winch
Date:   2022-08-26 14:44:55 -05:00

    Default HttpSessionRequestCache.matchingRequestParameterName=continue

    Closes gh-11757

commit b28efbc4b8
Author: Josh Cummings
Date:   2022-08-25 15:44:31 -06:00

    Merge remote-tracking branch 'origin/5.8.x' into main

commit a5351f3d89
Author: Bert Vanwolleghem
Date:   2022-08-25 15:36:04 -06:00

    LogoutPageGeneratingWebFilter Uses Context Path

    Closes gh-11716

commit 76c39fa490
Author: Steve Riesenberg
Date:   2022-08-24 16:47:08 -05:00

    Merge branch '5.8.x'

    Closes gh-11750

commit 4ff0724c87
Author: shinD
Date:   2022-08-24 16:44:23 -05:00

    slight improvement in HttpSessionRequestCache

    Closes gh-11666

commit 670b71363d
Author: Rob Winch
Date:   2022-08-23 16:03:50 -05:00

    Merge branch '5.8.x'

    Closes gh-11749

commit 2fb625db84
Author: Rob Winch
Date:   2022-08-23 15:59:52 -05:00

    Remove mockito deprecations

    Issue gh-11748

commit 1d555b62e3
Author: cyb3r4nt
Date:   2022-08-18 10:40:38 -06:00

    Fix IP address parse error msg in IpAddressMatcher

    There is no whitespace between the error message and the IP address value
    in `IpAddressMatcher#parseAddress()`.
    If the IP value is wrong, then the error text looks like `Failed to parse addressi.am.ip`.
    There should be some separator between those two text tokens.
    Also wrapped the address value with single quotes.
    Will this add any confusion for the caller?
    Or does a colon, `"Failed to parse address: $value"`, look better?

commit 8ad20b1768
Author: Rob Winch
Date:   2022-08-16 13:47:31 -05:00

    Add CsrfFilter.csrfRequestAttributeName

    Previously the CsrfToken was set on the request attribute with the name
    equal to CsrfToken.getParameterName(). This didn't really make a lot of
    sense because the CsrfToken.getParameterName() is intended to be used as
    the HTTP parameter that the CSRF token was provided in. What's more, it
    meant that the CsrfToken needed to be read for every request to place it
    as an HttpServletRequestAttribute. This causes unnecessary HttpSession
    access, which can decrease performance for applications.

    This commit allows setting CsrfFilter.csrfRequestAttributeName to
    remove the dual purposing of CsrfToken.parameterName and to allow deferral
    of reading the CsrfToken to prevent unnecessary HttpSession access.

    Issue gh-11699