Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,949 Commits 29 Branches 320 Tags 104 MiB
Commit Graph

1163 Commits

Author SHA1 Message Date
heowc 1ab0705b47 Fix typo 2022-01-10 16:17:42 +01:00
Marcus Da Coregio f04cd641b0 Fix @since tag 
Issue gh-10590, gh-10554
 2022-01-06 13:18:25 -03:00
Marcus Da Coregio 18427b6411 Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains 
Closes gh-10554
 2021-12-13 08:57:30 -03:00
Marcus Da Coregio 7e17a00197 Add RequestMatcherEntry 2021-12-13 08:57:30 -03:00
Marcus Da Coregio 53b8cff26f Introduce AuthorizationManagerWebInvocationPrivilegeEvaluator 
Closes gh-10590
 2021-12-13 08:57:30 -03:00
Marcus Da Coregio 65426a40ec Add Cross Origin Policies headers 
Add DSL support for Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers

Closes gh-9385, gh-10118
 2021-12-07 17:23:06 +01:00
Steve Riesenberg 62e8799a8d Use BDD in tests 2021-12-02 17:44:47 -06:00
Steve Riesenberg df0f6f83af Polish gh-9597 2021-12-02 17:44:47 -06:00
Karl Tinawi 925d531cbe Set details on authentication token created by HttpServlet3RequestFactory 
Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.

This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.

Closes gh-9579
 2021-12-02 17:44:46 -06:00
Steve Riesenberg bb2d80fea3 Update copyright year 
Issue gh-10557
 2021-12-01 17:35:43 -06:00
Steve Riesenberg f49c286050 Fix case sensitive headers comparison 
Closes gh-10557
 2021-12-01 15:05:13 -06:00
Josh Cummings 1251cde04c Add Missing Since 
Issue gh-10482
 2021-11-30 15:17:48 -07:00
Igor Pelesic a3a9de1b9b PermitAllSupport supports AuthorizeHttpRequestsConfigurer 
PermitAllSupport supports either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer. If none or both are configured an error message is thrown.

Closes gh-10482
 2021-11-30 15:17:22 -07:00
Steve Riesenberg 204f0b4599 Polish gh-10007 2021-11-30 15:27:58 -06:00
Guirong Hu 43317c5a61 Support IP whitelist for Spring Security Webflux 
Closes gh-7765
 2021-11-30 15:27:58 -06:00
Rob Winch 96a6fef820 Prevent Save @Transient Authentication with existing HttpSession 
Previously, @Transient Authentication would get saved if an existing
HttpSession existed but it shouldn't.

This commit always prevents @Transient Authentication from being saved.

Closes gh-9992
 2021-11-16 14:44:49 -06:00
Marcus Da Coregio caad3d57e2 Improve log message when no CSRF token found 
Closes gh-10436
 2021-10-29 14:06:17 -03:00
Emil Sierżęga 04b47c5928 Fixed various broken links in Javadocs 2021-10-21 11:47:04 +02:00
Emil Sierżęga a188138715 Javadocs author tag doesn't work in methods 2021-10-21 11:47:04 +02:00
Rob Winch f836897190 Checkstyle Fixes 
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
 2021-10-18 21:03:35 -05:00
Rob Winch e1f4ec1137 Fix Jackson 2021-10-18 21:03:12 -05:00
Marcus Da Coregio faec20bc69 Update DefaultWebInvocationPrivilegeEvaluator to use current ServletContext 
Closes gh-10208
 2021-10-14 09:27:02 -03:00
Josh Cummings 7b98c2ea95 Restructure SwitchUserFilter Logs 
Issue gh-6311
 2021-10-12 13:32:29 -06:00
Marcus Da Coregio 02b2fcc6f0 Restore ManagementConfigurationPlugin 
Issue gh-9615
 2021-10-05 11:23:29 -03:00
Marcus Da Coregio d2e5f2ae0d Update Gradle to 7.2 
Closes gh-9615
 2021-10-04 15:19:40 -03:00
Eleftheria Stein 7d81a52780 Allow AuthenticationPrincipal argument type to be primitive 
Closes gh-10172
 2021-10-04 16:22:21 +02:00
heowc 84d173c310 Fix typo 2021-09-27 10:55:18 -03:00
Bogdan Ilchyshyn a4c088a3b3 Introducing WebSessionServerLogoutHandler 
Closes gh-4838
 2021-08-16 13:08:35 -06:00
Hiroshi Shirosaki 6f3e346b76 Add SecurityContextHolder#addListener 
Closes gh-10032
 2021-08-11 17:12:13 -06:00
Josh Cummings b8d51725c7 Immutable SecurityContext 
Issue gh-10032
 2021-08-11 17:12:13 -06:00
Rob Winch f73f213f50 Remove DependencySetPlugin 
Closes gh-10070
 2021-07-12 15:31:38 -05:00
Rob Winch f800d2c993 Add hamcrest dependency 2021-07-09 15:57:21 -05:00
Rob Winch b6ff4d3674 Fix mockito UnnecessaryStubbingException 2021-07-09 14:35:10 -05:00
Rob Winch 3e93b024d6 openrewrite Junit Migration 2021-07-09 14:32:52 -05:00
Rob Winch 14240b2559 Remove Powermock 
Powermock does not support JUnit5 yet, so we need to remove it
to support JUnit 5. Additionally, maintaining additional libraries
adds extra work for the team.

Mockito now supports final classes and static method mocking. This
commit replaces Powermock with mockito-inline.

Closes gh-6025
 2021-07-08 12:35:32 -05:00
Evgeniy Cheban d121ab9565 Support A Well-Known URL for Changing Passwords 
Closes gh-8657
 2021-07-01 16:57:53 -06:00
Alexey Markevich 3219fd554d DigestAuthenticationFilter decodes nonce only once 
Closes gh-8455
 2021-06-18 15:25:00 -04:00
Steve Riesenberg 3bb8e1d200 Remove redundant translations in spring-security-web 2021-06-15 09:18:13 -05:00
Ruben Suarez Alvarez 7cd344acab
Add spanish translation of insufficient authentication and cookie stolen 2021-06-15 09:11:53 -05:00
Josh Cummings ca76c54471
Polish CsrfWebFilterTests 
Issue gh-9113
 2021-06-04 16:41:08 -06:00
Tomoki Tsubaki 0c8b6df82a
Cache Mono that generate the CSRF token 
Closes gh-9113
 2021-06-04 16:41:08 -06:00
AlexeyAnufriev baac9e0cf2 Properly clean cookies with context path after logout 
Closes gh-8846
 2021-06-04 15:42:33 +02:00
Marcus Hert da Coregio 2a7998d0fc Adjust createNewSessionIfAllowed to prevent NPE 
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
 2021-05-26 10:36:44 -06:00
César Revert cf74ad3a52 Anonymous in ExceptionTranslationWebFilter 
The ExceptionTranslationWebFilter does not support correctly when
anonymous authentication is enabled. With this enabled provoked always
the execution of the access denied handler, and with this fix it
behaves like the ExceptionTranslationFilter (servlet), executing the
access denied handler only if the principal is not empty and neither
anonymous.

Closes gh-9130
 2021-05-26 09:17:41 -05:00
Craig Andrews a7fbae8355 Add test for RequestedUrlRedirectInvalidSessionStrategy 2021-05-26 09:11:38 -05:00
Craig Andrews 0e6d47b082 Add guard around debug logging involving string concatenation 2021-05-26 09:11:38 -05:00
Craig Andrews 0af74ce134 Use ServletUriComponentsBuilder instead of UrlPathHelper 2021-05-26 09:11:38 -05:00
Craig Andrews 2bcd4627fa Eliminate use of Optional 2021-05-26 09:11:38 -05:00
Craig Andrews 10a264c144 Add RequestedUrlRedirectInvalidSessionStrategy implemention of InvalidSessionStrategy 
Performs a redirect to the original request URL when an invalid requested session is detected.

In effect, when a user's session times out, the user is redirected to URL they originally requested instead of some fixed URL.
 2021-05-26 09:11:38 -05:00
Josh Cummings df6ebc7051
Rename DelegatingAuthorizationManager 
Closes gh-9692
 2021-04-28 09:53:25 -06:00