This commit removes all and() methods that have been
deprecated in the HttpSecurity DSL with the exception
of featurePolicy, which will be removed when that
feature is removed. Note that since featurePolicy
does not have a lambda equivalent, the and support
needs to remain for the moment.
Issue gh-13067
Replaces repeated if-else string comparisons with a Set.contains() check
for known WebSocket handshake handler class names in MessageSecurityPostProcessor.
Improves readability and maintainability without changing behavior.
Signed-off-by: Wonpyo Hong <evga7@naver.com>
This commit separates the authentication principal, the assertion details,
and the relying party tenant into separate components. This allows the
principal to be completely decoupled from how Spring Security triggers and
processes SLO.
Specifically, it adds Saml2AssertionAuthentication, a new authentication
implementation that allows an Object principal and a Saml2ResponseAssertionAccessor
credential. It also moves the relying party registration id from
Saml2AuthenticatedPrincipal to Saml2AssertionAuthentication.
As such, Saml2AuthenticatedPrincipal is now deprecated in favor of
placing its assertion components in Saml2ResponseAssertionAccessor and
the relying party registration id in Saml2AssertionAuthentication.
Closes gh-10820
- Moved to BearerTokenAuthenticationFilter constructor to align with
AuthenticationFilter
- Undeprecated BearerTokenResolver to reduce number of migration scenarios
- Updated to 7.0 schema
- Added migration docs
Issue gh-14750
In tests, we want to both test that functionality works and also
demonstrate common or expected usage, where possible. It is likely
incorrect to use @Order(0) for a target visitor as this states that
it should take precedence over all Spring Security visitors defined
at a lower precedence.
Also, it appears this may have been added this way because of a mock
visitor that appears to be unused by any tests. Further, when an
application has multiple visitors, they should use the TargetVisitor.of
method to publish one bean with the order determined by the order
of the method parameters instead of having two separate beans.
This commit removes the @Order(0) annotation and also the mock
visitor, deferring to the natural ordering afforded by the
framework.
Issue gh-15994
NimbusJwtDecoder and NimbusReactiveJwtDecoder now use
Spring Security's JwtTypeValidator by default instead
of Nimbus's type validator.
Closes gh-17181
Now that NimbusReactiveOpaqueTokenIntrospector is
deprecated, this commit changes the Spring
Security default to now use SpringReactiveOpaqueTokenIntrospector.
Issue gh-15988
Signed-off-by: Yanming Zhou <zhouyanming@gmail.com>
