Adding/removing sessions from principals wasn't atomic. If one thread
removed the last session from a principal while another thread added a
new one, the addition could be lost.
Fixes gh-3189
ClientRegistration.Builder defaulted to validating as an
authorization_code registration, though a custom grant type could be in
use. The actual grant_type is now verified for every case.
- Fixed validation in ClientRegistration.Builder
- New test that fails unless the issue is fixed.
Also made OAuth2AuthorizationGrantRequestEntityUtils public to help
implementing custom token response clients.
Fixes gh-7040
These four items, not three items, constitute the auth process:
. A user is prompted to log in with a username and password.
. The system (successfully) verifies that the password is correct for the username.
. The context information for that user is obtained (their list of roles and so on).
. A security context is established for the user
Prior to this change, "HttpBasicSpec#authenticationManager" and
"FormLoginSpec#authenticationManager" were always overridden by
"ServerHttpSecurity#authenticationManager".
This commit makes sure override only happens when custom authentication
manager was not specified.
Fixes: gh-5660
Previously ServerBearerTokenAuthenticationConverter would throw an
IllegalArgumentException when the access token in a URI was empty String.
It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String
access token in the headers.
This changes ServerBearerTokenAuthenticationConverter to consistently
throw a OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED
Fixes gh-7011
Issue #5856
Commit 385bdfc055854581e9e9f671d11f86a978c27c42
NOTE: This commit 'partially' reverts #5856. Only the ServerWebExchangeMatcher for OAuth2LoginSpec is reverted.
Fixes gh-6890
The 5.1.x code will only update patch versions of Spring Framework, so we
should lock down the Snapshot tests to use the latest 5.1.x changes
Fixes: gh-6880
