Other configurers can now offer their preference on session creation
policy without trumping what a user provided via the
sessionCreationPolicy method.
This is valuable for configurer's like Resource Server that would like
to have session management be stateless, but not at the expense of the
user's direct configuration.
Fixes: gh-5518
This commit introduces support for transient authentication tokens
which indicate to the filter chain, specifically the
HttpSessionSecurityContextRepository, whether or not the token ought
to be persisted across requests.
To leverage this, simply annotate any Authentication implementation
with @TransientAuthentication, extend from an Authentication that uses
this annotation, or annotate a custom annotation.
Implementations of SecurityContextRepository may choose to not persist
tokens that are marked with @TransientAuthentication in the same way
that HttpSessionSecurityContextRepository does.
Fixes: gh-5481
Java Config http.oauth2Login().loginProcessingUrl("url"); throws NPE.
Override loginProcessingUrl method and cached config url.
Then when the config is initialized,
it calls the super method to complete the configuration.
Fixes gh-5488
HstsSpec methods maxAge and includeSubdomains use to return void
which broke using it as a fluent API.
The methods now return HstsSpec which fixes this issue.
Fixes: gh-5483
Also, slightly modified the approach when asserting headers. In the
previous incarnation, the tests would assert an exact match against
the list of headers, which is more brittle than confirming that the
expected headers are there and the unexpected ones are not.
Now, should Spring Security add other headers that are outside the
purview of the secure headers configuration, the assertions won't
break.
Issue: gh-4939
This reverts commit 9fe0f50e3ced98357bfaceee88c4539f03d11e45.
The original commit was accidentally pushed prior to PR. We attempted
to revert the commit hoping the PR would open again. This did not work.
We are going to do a Polish commit instead.
Issue: gh-5355
