Joe Grandja
9527a4b281
Merge branch '7.0.x'
2026-04-02 10:58:06 -04:00
Robert Winch
64d8e6cc9b
Merge Add XML Based shouldWriteHeadersEagerly tests
2026-04-01 11:41:58 -05:00
Robert Winch
679a47a51d
Add XML Based shouldWriteHeadersEagerly tests
2026-04-01 11:37:39 -05:00
Josh Cummings
16b5df40de
Exclude Anonymous Classes in Serializable Scan
Issue gh-17729
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-31 16:17:12 -06:00
Josh Cummings
8472599067
Add Missing 7.1 Serialization Artifacts
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-31 16:16:27 -06:00
Josh Cummings
cb129d6b2d
Merge branch '7.0.x'
2026-03-31 15:56:49 -06:00
Josh Cummings
d4678c8e04
Add Missing Serialization Support
Closes gh-19013
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-31 15:55:09 -06:00
Josh Cummings
43b132bec6
Merge branch '6.5.x' into 7.0.x
2026-03-31 15:27:58 -06:00
Josh Cummings
08fca57d12
Add Missing Serialization Support
Closed gh-19012
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-31 13:58:35 -06:00
Josh Cummings
acabacb971
Update Test to find SuppressWarnings
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-31 13:47:52 -06:00
johnycho
1a130fca3c
Improve serialVersionUID check in tests
Signed-off-by: johnycho <shunnn215@gmail.com>
2026-03-31 13:47:50 -06:00
Josh Cummings
067f79dde5
Merge branch 'fix-17729' into 7.0.x
2026-03-30 17:19:31 -06:00
Josh Cummings
0b680be97b
Update Test to find SuppressWarnings
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-30 17:14:03 -06:00
johnycho
7c28b15471
Improve serialVersionUID check in tests
Signed-off-by: johnycho <shunnn215@gmail.com>
2026-03-30 14:26:12 -06:00
Robert Winch
9d047b6edc
Merge CredentialRecordOwnerAuthorizationManager
2026-03-29 22:24:52 -05:00
Robert Winch
c08329c0c5
Merge CredentialRecordOwnerAuthorizationManager
2026-03-29 22:24:21 -05:00
Robert Winch
a856baa6a8
Add CredentialRecordOwnerAuthorizationManager
Add CredentialRecordOwnerAuthorizationManager that verifies the
credential being deleted is owned by the currently authenticated user.
Also add an AuthorizationManager<Bytes> to WebAuthnRegistrationFilter
for the delete credential operation, defaulting to deny all, and wire it
up in WebAuthnConfigurer.
Per the WebAuthn specification [1], credential ids contain at least 16
bytes with at least 100 bits of entropy, making them practically
unguessable. The specification also advises that credential ids should
be kept private, as exposing them can leak personally identifying
information [2]. The CredentialRecordOwnerAuthorizationManager serves as
defense in depth: even if a credential id were somehow exposed, an
unauthorized user could not delete another user's credential.
[1] https://www.w3.org/TR/webauthn-3/#credential-id
[2] https://www.w3.org/TR/webauthn-3/#sctn-credential-id-privacy-leak
2026-03-29 21:54:27 -05:00
Robert Winch
4199240662
Add Support for PreFlightRequestFilter
Closes gh-18926
2026-03-25 16:04:42 -04:00
Andrey Litvitski
2fda37de53
Fix equals nullability annotations for jspecify compliance
In this commit, we added `@Nullable` to equals methods of classes that
support `jspecify` for consistency with other Spring projects and to
avoid bugs that caused other Spring projects to do this natively.
Closes: gh-18929, gh-18927
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2026-03-23 09:25:57 -06:00
Joe Grandja
baad23caab
Enable null-safety in spring-security-oauth2-client
Closes gh-17819
2026-03-18 05:04:30 -04:00
Robert Winch
ea2f2302da
Add MultiFactorCondition.WEBAUTHN_REGISTERED
Closes gh-18923
2026-03-17 17:20:58 -05:00
Robert Winch
bd7171140e
Support Customizer<AdditionalRequiredFactorsBuilder<Object>>>
Closes gh-18922
2026-03-17 17:20:58 -05:00
Robert Winch
c71b178f63
Remove Unnecessary ObjectProvider<RoleHierarchy> roleHierarchy parameter
Closes gh-18921
2026-03-17 17:20:58 -05:00
Joe Grandja
22a98583f1
Enable null-safety in spring-security-oauth2-jose
Closes gh-17821
2026-03-13 11:58:29 -04:00
Josh Cummings
5687867a09
Fix Checkstyle
Issue gh-18874
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-11 14:46:24 -06:00
Joe Grandja
36450d6c26
Fix checkstyle error
Issue gh-18874
2026-03-11 12:25:13 -04:00
Josh Cummings
a980368f26
Move Integration Test from Spring LDAP
Closes gh-18874
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-10 15:44:07 -06:00
Joe Grandja
703ffaf143
Merge branch '7.0.x'
2026-03-10 15:59:29 -04:00
Joe Grandja
1906075b0c
OAuth2DeviceVerificationEndpointFilter is applied after AuthorizationFilter
Closes gh-18873
2026-03-10 15:32:24 -04:00
Andrey Litvitski
d1ce69ca99
Specify charset in WWW-Authenticate for Basic Auth
In this commit, we add support for the charset from RFC-7617, which
definitely solves the problem when the client does not know what charset
we are parsing with.
Closes: gh-18755
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2026-03-10 07:57:43 -06:00
Joe Grandja
c7235ec0a3
Allow custom token settings for OAuth 2.0 dynamic client registration
Closes gh-18870
2026-03-10 07:48:37 -04:00
Josh Cummings
17d2131fe9
Merge remote-tracking branch 'origin/7.0.x'
2026-03-09 17:13:45 -06:00
Ronny Perinke
e8e0da1ec6
Add Null Guard for Setting ReactiveUserDetailsPasswordService
This use case specifically arises when using `ReactiveUserDetailsService`
without `ReactiveUserDetailsPasswordService`.
Closes gh-17986
Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com>
2026-03-09 17:12:59 -06:00
wonderfulrosemari
07297e7a80
Add MessageExpressionAuthorizationManager
Closes gh-12650
Signed-off-by: wonderfulrosemari <whwlsgur1419@naver.com>
2026-03-03 18:56:47 -07:00
023-dev
b9f974b18f
Remove compiler warnings for spring-security-config
Signed-off-by: 023-dev <0_2_3@naver.com>
2026-02-27 21:53:55 -06:00
Josh Cummings
eb25bbaa24
Merge branch '7.0.x'
2026-02-26 15:09:03 -07:00
Menashe Eliezer
ee97c83042
Update request-matcher schema and XML tests to use path
Closes gh-18641
Signed-off-by: Menashe Eliezer <menashe.eliezer@gmail.com>
2026-02-26 14:42:09 -07:00
Rob Winch
a4cadb5cc5
Merge Make PublicKeyCredentialCreationOptions Serializable
Make PublicKeyCredentialCreationOptions Serializable
2026-02-23 16:01:34 -06:00
Robert Winch
701736da5d
Fix checkstyle
Issue gh-18354
Signed-off-by: Robert Winch <362503+rwinch@users.noreply.github.com>
2026-02-23 15:43:55 -06:00
Mohammad Amin Pahlevani
9e5a425859
Make PublicKeyCredentialCreationOptions Serializable
Closes gh-16431
Signed-off-by: Mohammad Amin Pahlevani <pahlevani@live.com>
2026-02-23 15:43:40 -06:00
Robert Winch
53300be8d7
Fix checkstyle
Issue gh-18530
2026-02-23 15:16:02 -06:00
CHANHAN
d5ba9dcada
Add tests for intercept-url access attribute validation
Fixes gh-18503
Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
2026-02-23 15:16:02 -06:00
CHANHAN
fa87c78edb
fix missing access attribute validation in FilterInvocationSecurityMetadataSourceParser
Fixes gh-18503
Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
2026-02-23 15:16:02 -06:00
CHANHAN
f1e367f93d
fix missing access attribute validation in AuthorizationFilterParser
Fixes gh-18503
Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
2026-02-23 15:16:02 -06:00
Robert Winch
f8ac095d48
Add nullability contract to PasswordEncoder#encode implementations
Signed-off-by: Stefano Cordio <stefano.cordio@gmail.com>AbstractValidatingPasswordEncoder.java
2026-02-19 14:36:48 -06:00
Minu Kim
18068c9099
fix compile warning in spring-security-test
Signed-off-by: Minu Kim <kmw106933@naver.com>
2026-02-19 14:26:20 -06:00
DingHao
199473fcb3
Ability to configure authenticationDetailsSource in AnonymousConfigurer
Closes gh-17831
Signed-off-by: DingHao <dh.hiekn@gmail.com>
2026-02-05 17:19:03 -07:00
Joe Grandja
0eba9de7d4
Merge branch '7.0.x'
2026-02-05 04:55:34 -05:00
Joe Grandja
d3c42a7a4f
Polish OAuth2ConfigurerUtils
2026-02-05 04:52:02 -05:00
Joe Grandja
e61c03f7c3
Fix to allow multiple PasswordEncoder beans
Closes gh-18645
2026-02-05 04:51:51 -05:00