This commit reverts f6414e9a52 and
partial revert of e1b095df32.
NOTE: InMemoryReactiveClientRegistrationRepository should not expose a
Map constructor as it would allow the caller to pass in a 'distributed' (remote) Map,
which would result in a blocking I/O operation.
ClientRegistration.Builder defaulted to validating as an
authorization_code registration, though a custom grant type could be in
use. The actual grant_type is now verified for every case.
- Fixed validation in ClientRegistration.Builder
- New test that fails unless the issue is fixed.
Also made OAuth2AuthorizationGrantRequestEntityUtils public to help
implementing custom token response clients.
Fixes gh-7040
Make BearerTokenAuthenticationFilter expose an AuthenticationFailureHandler which, by default, invokes the AuthenticationEntryPoint set in the filter.
Fixes gh-7009
These four items, not three items, constitute the auth process:
. A user is prompted to log in with a username and password.
. The system (successfully) verifies that the password is correct for the username.
. The context information for that user is obtained (their list of roles and so on).
. A security context is established for the user
Prior to this change, "HttpBasicSpec#authenticationManager" and
"FormLoginSpec#authenticationManager" were always overridden by
"ServerHttpSecurity#authenticationManager".
This commit makes sure override only happens when custom authentication
manager was not specified.
Fixes: gh-5660
A class with a number of handy request-based implementations of
AuthenticationManagerResolver targeted at common multi-tenancy
scenarios.
Fixes: gh-6976
If the salt length is 28 characters and the
version is 2{a,x,y}, an IndexOutOfBoundsException
is thrown. This commit adds an extra check that
the salt length should be at least 29 characters long
if the version is not equal to "2".
Fixes: gh-6907
Previously ServerBearerTokenAuthenticationConverter would throw an
IllegalArgumentException when the access token in a URI was empty String.
It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String
access token in the headers.
This changes ServerBearerTokenAuthenticationConverter to consistently
throw a OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED
Fixes gh-7011
Eleftheria Stein
Lars Grefer
Joe Grandja
Vedran Pavic
Bruno Studer
Édouard Hue
Rob Winch
Clement Ng
Josh Cummings
Thomas Vitale
Behrang
Tadaya Tsuyukubo
Léon van der Kaap