Commit Graph

1742 Commits

Author SHA1 Message Date
Marcus Da Coregio 07b6c451fd Merge branch '6.1.x'
Closes gh-13884
2023-09-29 11:47:38 -03:00
Marcus Da Coregio 8adfc9b463 Merge branch '6.0.x' into 6.1.x
Closes gh-13883
2023-09-29 11:46:48 -03:00
Marcus Da Coregio 92c82191c9 Merge branch '5.8.x' into 6.0.x
Closes gh-13882
2023-09-29 11:46:00 -03:00
Marcus Da Coregio 64e2a2ff8b Apply updated Code Style
Closes gh-13881
2023-09-29 11:44:32 -03:00
Steve Riesenberg ff374935fb
Verify ReactorContext when using Virtual Threads
Closes gh-12791
2023-09-25 12:01:31 -05:00
Steve Riesenberg ecf8467cac
Fix tests on JDK 21
Issue gh-12790
Issue gh-13811
2023-09-19 10:39:04 -05:00
Steve Riesenberg d48b8697bd
Fix mockito usage
Issue gh-13810
2023-09-19 10:39:04 -05:00
Steve Riesenberg d6ff58bb7f
Update Mockito to 5.5.0
Closes gh-13810
2023-09-19 10:39:03 -05:00
Marcus Da Coregio a052e2effb Merge branch '6.1.x'
Closes gh-13821
2023-09-14 21:26:05 +01:00
Marcus Da Coregio 7fcf44f8d9 Merge branch '6.0.x' into 6.1.x
Closes gh-13820
2023-09-14 21:25:48 +01:00
Marcus Da Coregio 18e88366d2 Resolve The matchingRequestParameterName From The Query String
Prior to this commit, the ServletRequest#getParameter method was used in order to verify if the matchingRequestParameterName was present in the request. That method has some side effects like interfering in the execution of the ServletRequest#getInputStream and ServletRequest#getReader method when the request is an HTTP POST (if those methods are invoked after getParameter, or vice-versa, the content won't be available). This commit makes that we only use the query string to check for the parameter, avoiding draining the request's input stream.

Closes gh-13731
2023-09-14 21:25:25 +01:00
Josh Cummings 2a1cf98b80 Update Copyright and Formatting
Issue gh-13615
2023-09-12 16:20:28 -06:00
Bjorn Harvold 5e715c5297 Improve StrictHttpFirewall Error Messaging
Better error strings for invalid header and parameter values.

Closes gh-13615
2023-09-12 16:20:28 -06:00
Tim te Beek 9df9cb5aed refactor: AssertJ best practices
Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/bGVuS?organizationId=RGVmYXVsdA%3D%3D

Co-authored-by: Moderne <team@moderne.io>
2023-09-12 16:18:14 -06:00
Marcus Da Coregio 36a488a360 Merge branch '6.1.x'
Closes gh-13797
2023-09-12 16:22:31 +01:00
Marcus Da Coregio b80a1de9fa Merge branch '6.0.x' into 6.1.x
Closes gh-13796
2023-09-12 16:22:04 +01:00
Marcus Da Coregio db37bdfe94 Merge branch '5.8.x' into 6.0.x
Closes gh-13795
2023-09-12 16:21:48 +01:00
Marcus Da Coregio ce012a4661 CookieRequestCache Should Preserve Request Locale
Closes gh-13792
2023-09-12 16:21:27 +01:00
Marcus Da Coregio d23b231ac3 Merge branch '6.1.x'
Closes gh-13760
2023-08-31 10:16:30 -03:00
Marcus Da Coregio b64d5395c5 Merge branch '6.0.x' into 6.1.x
Closes gh-13759
2023-08-31 10:16:07 -03:00
Marcus Da Coregio 629540f9d8 Merge branch '5.8.x' into 6.0.x
Closes gh-13758
2023-08-31 10:12:59 -03:00
Marcus Da Coregio 96d1763fc4 WWW-Authenticate header should not be added twice
Closes gh-13737
2023-08-31 10:07:10 -03:00
Josh Cummings 0d70a7f508
Merge branch '6.1.x'
Closes gh-13748
2023-08-28 17:04:25 -06:00
Josh Cummings a4d8c62ad7
withHttpOnlyCookie defaults to false
Closes gh-13659
2023-08-28 16:58:28 -06:00
Steve Riesenberg 985e569685
Polish gh-13608 2023-08-10 17:30:54 -05:00
Olivier Vanekem 6353d90047
Add integrity attribute for signin.css
Closes gh-13486
2023-08-10 17:30:52 -05:00
Josh Cummings 82c0ddc56d Polish
- Add Reactive equivalent
- Update copyright

Issue gh-13310
2023-08-07 17:57:02 -06:00
Kevin2Jordan e21da061d3 Suppress ArrayIndexOutOfBoundsException in XorCsrfTokenRequestAttributeHandler
Closes gh-13310
2023-08-07 17:57:02 -06:00
Josh Cummings 75e0068925
Merge branch '6.1.x' 2023-08-07 16:03:55 -06:00
Seongguk Jeong bcd4dcc15c Refactor equals method
Using the accessor method for fields instead of directly access
2023-08-07 16:00:18 -06:00
Seongguk Jeong ea19f82b8a Using pattern matching for instanceof 2023-08-07 16:00:18 -06:00
Josh Cummings beab899c3d
Fix Import Order 2023-08-07 15:56:38 -06:00
1993heqiang 94c80bc2c6 Remove redundant code. 2023-08-07 15:01:52 -06:00
Jonas Bamberger 0d4e3f939a Clean up SavedRequestAwareWrapper and related test 2023-08-07 14:56:39 -06:00
Jonas Bamberger 07f737b989 Return content-type from saved request 2023-08-07 14:56:39 -06:00
Marcus Da Coregio 8f5793afb1 Merge branch '6.1.x' 2023-07-17 09:17:10 -03:00
Marcus Da Coregio aaa31312bd Merge branch '6.0.x' into 6.1.x 2023-07-17 09:16:45 -03:00
Marcus Da Coregio cbef118026 Merge branch '5.8.x' into 6.0.x 2023-07-17 09:16:20 -03:00
Marcus Da Coregio a939f17890 Merge branch '5.7.x' into 5.8.x 2023-07-17 09:15:56 -03:00
Marcus Da Coregio fe9bc26bdc Merge branch '5.6.x' into 5.7.x 2023-07-17 09:13:28 -03:00
Marcus Da Coregio 7813a9ba26 Use default PathPatternParser instance 2023-07-17 09:12:28 -03:00
Josh Cummings b0022a0ae8
Update Mockito Usage
Issue gh-13542
2023-07-14 18:44:34 -06:00
Josh Cummings 6c3636d780
Update Removed Usages
Issue gh-13544
2023-07-14 18:38:58 -06:00
Josh Cummings 1637b5c071
Merge branch '6.1.x'
Closes gh-13483
2023-07-10 16:18:02 -06:00
Josh Cummings c58e0dd113
Merge branch '6.0.x' into 6.1.x
Closes gh-13482
2023-07-10 16:17:13 -06:00
Josh Cummings 83c0f4231e
Merge branch '5.8.x' into 6.0.x
Closes gh-13481
2023-07-10 16:13:04 -06:00
Josh Cummings 40d61743b9
Replace Existing Continue Parameter
Closes gh-13438
2023-07-10 16:12:05 -06:00
Marcus Da Coregio 72698680e2 Merge branch '6.1.x'
Closes gh-13466
2023-07-07 14:36:08 -03:00
Marcus Da Coregio 230977d7ef Merge branch '6.0.x' into 6.1.x
Closes gh-13465
2023-07-07 14:35:52 -03:00
Marcus Da Coregio 863aa5f65f Fix Documented Default Value for AuthorizationFilter properties
Closes gh-13456
2023-07-07 14:35:11 -03:00
Marcus Da Coregio 2dee6218b5 Create NoOpAccessDeniedHandler
Closes gh-13109
2023-06-27 14:44:40 -03:00
Marcus Da Coregio e35faa84f7 Create NoOpAuthenticationEntryPoint
Closes gh-13107
2023-06-27 14:44:40 -03:00
Claudio Nave 52e12ad64b Replace deprecated methods 2023-06-22 13:19:55 -06:00
Evgeniy Cheban 0cefb27928 Simplify RequestMatcherDelegatingAuthorizationManager.Builder matcher registration
Closes gh-11624
2023-06-22 16:07:30 -03:00
Cedomir Igaly dd469ac2a0 Assert is missing object. It was useless before Spring Framework 6.1, and will not compile on 6.1 2023-06-22 12:11:40 -06:00
Krzysztof Krason 9b603b99ab Using modern Java features 2023-06-22 11:24:25 -06:00
Kandaguru17 7e01ebdd92 Remove LazyCsrfTokenRepository usage
Closes gh-13194
2023-06-22 11:23:35 -06:00
Josh Cummings aeeed6c368
Merge branch '6.0.x'
Closes gh-13279
2023-06-05 12:49:09 -06:00
Josh Cummings 45683349a4
Merge branch '5.8.x' into 6.0.x
Closes gh-13278
2023-06-05 12:48:43 -06:00
Josh Cummings 9ac286e8ea
Merge branch '5.7.x' into 5.8.x
Closes gh-13231
2023-06-05 12:47:23 -06:00
Christoph Zuleger 06e58e4c34 Update JavaDoc of BasicAuthenticationFilter
Remove deprecated hint to use Digest Auth in favor of Basic Auth.
2023-06-05 12:46:30 -06:00
Marcus Da Coregio bb7c7d3554 Merge branch '6.0.x' 2023-05-24 15:00:44 -03:00
Marcus Da Coregio ce5aa9e694 Merge branch '5.8.x' into 6.0.x 2023-05-24 15:00:17 -03:00
Marcus Da Coregio f8e39336cb Merge branch '5.7.x' into 5.8.x 2023-05-24 14:59:27 -03:00
Marcus Da Coregio a53cbb838b Polish
Issue gh-13155
2023-05-24 14:59:16 -03:00
joerg-richter-5234 8287289bcb Fix XContentTypeOptionsServerHttpHeadersWriter
set constant value to X-Content-Type-Options

Closes gh-13155
2023-05-24 14:59:14 -03:00
Josh Cummings 17a58194c1
Merge branch '6.0.x' 2023-05-18 09:33:12 -06:00
Josh Cummings 4c5bf3bdf5 Polish
Use StringUtils#hasText

PR gh-13179
2023-05-18 09:17:02 -06:00
Dennis Frommknecht af233a2a00 Use consistent list of micrometer tags in web observation handler
The tag `spring.security.reached.filter.name` is only set if a
filter-name is available, otherwise the tag is omitted entirely. This
leads to issues with metric-exporters that don't support dynamic tags,
but rather expect tag-names of a metric to be always the same. The most
prominent example is the Prometheus-exporter.

Instead of omitting the tag if no filer-name is set, a none-value is
applied instead, making the tag-list consistent in all cases

Closes gh-13179
2023-05-18 09:17:02 -06:00
Josh Cummings a4e13c520b
Merge branch '6.0.x'
Closes gh-13150
2023-05-10 16:15:13 -06:00
Josh Cummings e033e347b4
Remove Redundant Close
Closes gh-12787
2023-05-10 16:12:34 -06:00
Josh Cummings cdcc2d31d1
Merge branch '6.0.x'
Closes gh-13145
2023-05-08 14:19:15 -06:00
Josh Cummings 5d903b5b71
Enforce start happens-before stop
Closes gh-13133
2023-05-08 14:07:05 -06:00
Steve Riesenberg 07b884a2cb
Add Set-Cookie header value for XSRF-TOKEN
This commit fixes an issue where using HttpServletResponse#setHeader
causes previous header values to be overwritten.

Closes gh-13075
2023-04-25 15:15:02 -05:00
Marcus Da Coregio 04b3d07319 Merge branch '6.0.x' 2023-04-17 07:30:54 -03:00
Marcus Da Coregio a484044591 Merge branch '5.8.x' into 6.0.x 2023-04-17 07:29:42 -03:00
Marcus Da Coregio 6cf8c53aaa Merge branch '5.7.x' into 5.8.x 2023-04-17 07:16:47 -03:00
Marcus Da Coregio 2d52fb8e4b Clear Repository on Logout 2023-04-17 06:47:57 -03:00
Marcus Da Coregio 01d1e20dc3 Deprecate shouldFilterAllDispatcherTypes
Closes gh-12138
2023-04-13 15:05:10 -03:00
Josh Cummings 02345b97ff Polish Observation Event Names
Issue gh-12811
2023-04-11 19:10:27 -06:00
bvn13 59ba7f5388 Shorten Observation Event Names
Closes gh-12811
2023-04-11 19:10:27 -06:00
Josh Cummings b3c83440bd
Merge branch '6.0.x'
Closes gh-13001
2023-04-11 17:09:21 -06:00
Josh Cummings 4813ec1e09
Merge branch '5.8.x' into 6.0.x
Closes gh-13000
2023-04-11 17:08:54 -06:00
Josh Cummings dad1fba1bf
Merge branch '5.7.x' into 5.8.x
Closes gh-12999
2023-04-11 17:02:16 -06:00
Christian Marck 442faccb5f
Avoid NPE in FilterInvocation
Handle unknown headers in dummy request wrapper.

Closes gh-12998
2023-04-11 17:01:59 -06:00
Josh Cummings d3c22a0de3
Merge branch '6.0.x'
Closes gh-12934
2023-03-27 16:31:29 -06:00
Josh Cummings 6db2b0dcd0
Align Filter Chain Observability Lineage
Closes gh-12849
2023-03-27 16:30:32 -06:00
Christian Schuster 6791f3208e Add factory class for RequestMatcher composition
Closes gh-12751
2023-03-27 16:26:23 -06:00
Marcus Da Coregio ff06108572 Merge branch '6.0.x'
Closes gh-12920
2023-03-22 08:55:38 -03:00
Marcus Da Coregio 177514b6c5 Merge branch '5.8.x' into 6.0.x
Closes gh-12919
2023-03-22 08:54:57 -03:00
Marcus Da Coregio 8d664bc4c2 DelegatingSecurityContextRepository should call loadContext
Closes gh-12314
2023-03-22 08:53:19 -03:00
Josh Cummings 5e8c68187b
Merge branch '6.0.x' 2023-03-20 16:29:08 -06:00
Josh Cummings 3fbb64db96
Fix javax package 2023-03-20 16:28:52 -06:00
Josh Cummings 229325a0bb
Merge branch '5.8.x' into 6.0.x 2023-03-20 16:22:23 -06:00
Josh Cummings a74008cc79
Merge branch '5.7.x' into 5.8.x 2023-03-20 16:20:46 -06:00
twosom 3d7e22a4e9 Add test to SimpleUrlAuthenticationSuccessHandlerTests 2023-03-20 16:20:30 -06:00
Josh Cummings 391f00af1d
Merge branch '6.0.x'
Closes gh-12910
2023-03-20 16:10:57 -06:00
Josh Cummings 6935045172
Merge branch '5.8.x' into 6.0.x
Closes gh-12909
2023-03-20 16:10:35 -06:00
twosom abd51f7b63
Polished DefaultLoginPageGeneratingFilterTests Validation
Closes gh-12694
2023-03-20 15:31:59 -06:00
Josh Cummings 9bba1a1c6b Propagate Variables in And and OrRequestMatcher
Closes gh-12847
2023-03-17 18:00:02 -06:00
Marcus Da Coregio dd9ab953e3 Merge branch '6.0.x'
Closes gh-12837
2023-03-07 13:29:07 -03:00
Marcus Da Coregio cdc0fa0e5b Merge branch '5.8.x' into 6.0.x
Closes gh-12836
2023-03-07 13:28:31 -03:00
Marcus Da Coregio 2e92dad761 Merge branch '5.7.x' into 5.8.x
Closes gh-12835
2023-03-07 13:27:57 -03:00
Marcus Da Coregio 84cca81edf Use HttpSessionSecurityContextRepository by default in SwitchUserFilter
Closes gh-12834
2023-03-07 13:27:18 -03:00
Josh Cummings 69606fd5a2
Merge branch '6.0.x'
Closes gh-12831
2023-03-06 12:47:55 -07:00
Josh Cummings c06e604278
Address Observability Thread Safety
Closes gh-12829
2023-03-06 12:46:23 -07:00
twosom 28d353d731 Extract errorMessage from generateLoginPageHtml 2023-02-15 17:18:26 -07:00
twosom ae23e3f5f4 Use instanceof pattern matching in initAuthFilter 2023-02-15 17:18:26 -07:00
twosom 99eacf2f0b Change private static method to private methods 2023-02-15 17:18:26 -07:00
Josh Cummings 1ca4781923
Merge branch '6.0.x' 2023-02-14 08:25:29 -07:00
Josh Cummings 8ca726f4fa
Specify query string
Issue gh-12665
2023-02-14 08:24:07 -07:00
Josh Cummings e7d65966fd
Merge branch '5.8.x' into 6.0.x
Closes gh-12671
2023-02-14 08:01:31 -07:00
Josh Cummings 0d4c619648
Include continue in query string
Closes gh-12665
2023-02-14 08:00:19 -07:00
twosom 073dab3bf6 Refactor SavedCookie for Cookie's deprecated method
Closes gh-12454
2023-02-01 12:33:45 -07:00
twosom a855b33535 fix typo in RememberMeAuthenticationFilter 2023-02-01 12:33:45 -07:00
Steve Riesenberg 6abbdd3654
Merge branch '6.0.x' 2023-01-26 15:55:41 -06:00
Steve Riesenberg 1363a4eece
Merge branch '5.8.x' into 6.0.x 2023-01-26 15:44:47 -06:00
Steve Riesenberg c306df9b46
Add XorCsrfChannelInterceptor
Issue gh-12378
2023-01-23 16:00:35 -06:00
Josh Cummings 879770a0f6 Polish AbstractAuthenticationTargetUrlHandler
Issue gh-12344
2023-01-18 08:30:57 -07:00
Dayan Kodippily 6b8a778da8 Rework determineTargetUrl for Readability
Closes gh-12344
2023-01-18 08:30:57 -07:00
Dayan Kodippily 58e948a781 Test AbstractAuthenticationTargetUrlRequestHandler
Issue gh-12344
2023-01-18 08:30:57 -07:00
Steve Riesenberg 62b58d2c92
Polish gh-12530 2023-01-17 15:05:56 -06:00
Onur Kagan Ozcan c77c76e722
Relax final modifiers on AbstractRememberMeServices methods
Closes gh-12145
2023-01-17 15:05:09 -06:00
Josh Cummings f9d674cb10
Merge branch '6.0.x'
Closes gh-12525
2023-01-11 10:14:01 -07:00
Josh Cummings 4d2dab9b6b
Lookup Parent Observation
Closes gh-12524
2023-01-11 10:13:33 -07:00
Steve Riesenberg 5f89f39627
Merge branch '6.0.x'
Closes gh-12515
2023-01-10 11:34:34 -06:00
Steve Riesenberg 4e80338a9b
Polish gh-12466 2023-01-10 11:31:51 -06:00
Wellington Domiciano 2c8854bb7f
Adjusts setRequestHandler javadoc in CsrfFilter
Adjusts setRequestHandler method javadoc in CsrfFilter class to reflect
changes in 6.0.

In 6.0, the default CsrfTokenRequestHandler changed to
XorCsrfTokenRequestAttributeHandler, however, the javadoc for the
setRequestHandler method still said it was
CsrfTokenRequestAttributeHandler.

This change adjusts the information to make it more accurate, because,
although XorCsrfTokenRequestAttributeHandler is a subclass of
CsrfTokenRequestAttributeHandler, the behavior is quite different.

Closes gh-12464
2023-01-10 11:31:51 -06:00
Marcus Da Coregio 556891b4fa Merge branch '6.0.x'
Closes gh-12512
2023-01-10 09:43:05 -03:00
Marcus Da Coregio d1fc789ae2 Merge branch '5.8.x' into 6.0.x
Closes gh-12511
2023-01-10 09:42:48 -03:00
Marcus Da Coregio ae46032ced Merge branch '5.7.x' into 5.8.x
Closes gh-12510
2023-01-10 09:39:40 -03:00
Marcus Da Coregio ffdb397830 Save the SecurityContext when switching user
Closes gh-12504
2023-01-10 09:27:56 -03:00
Josh Cummings f3ce04e59a
Merge branch '6.0.x'
Closes gh-12493
2023-01-06 11:15:03 -07:00
Josh Cummings c308e4665a
Polish Event Name
Provide a name with no spaces separate from the human-friendly
one with spaces.

Closes gh-12490
2023-01-06 11:13:11 -07:00
Josh Cummings c0fe74869f
Merge branch '6.0.x'
Closes gh-12484
2023-01-04 10:54:10 -07:00
Wellington Domiciano 27b3f4d403 Adjusts setRequestHandler javadoc in CsrfWebFilter
Adjusts setRequestHandler method javadoc in CsrfWebFilter class to reflect changes in 6.0.

In 6.0, the default ServerCsrfTokenRequestHandler changed to XorServerCsrfTokenRequestAttributeHandler, however, the javadoc for the setRequestHandler method still said it was ServerCsrfTokenRequestAttributeHandler.

This change adjusts the information to make it more accurate, because, although XorServerCsrfTokenRequestAttributeHandler is a subclass of ServerCsrfTokenRequestAttributeHandler, the behavior is quite different.

Closes gh-12465
2023-01-04 10:53:47 -07:00
Marcus Da Coregio c2d0ea3694 Merge branch '6.0.x'
Closes gh-12369
2022-12-12 16:55:32 -03:00
Marcus Da Coregio 898c36287c Merge branch '5.8.x' into 6.0.x
Closes gh-12368
2022-12-12 16:55:14 -03:00
Marcus Da Coregio 99d6d21554 Apply SecurityContextHolderFilter to all dispatcher types
Closes gh-11962
2022-12-12 11:45:24 -08:00
Josh Cummings 886d1ffec2
Remove Deprecated Usage
Issue gh-12086
2022-12-05 11:00:57 -07:00
Josh Cummings 8ef2fc3837
Format
Issue gh-12086
2022-12-05 10:51:42 -07:00
Alex Montoya 8717b7544a
Perform JUnit 5 clean up tasks
- For CookieCsrfTokenRepositoryTests and
CookieServerCsrfTokenRepositoryTests

Issue gh-12086
2022-12-05 10:51:41 -07:00
Alex Montoya b79ba89eeb
Add setCookieCustomizer to csrf token repository
- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and
setSecure as deprecated.

- Add the method setCookieCustomizer which allows to set properties
to the ResponseCookieBuilder without having to add new setter methods.

Closes gh-12086
2022-12-05 10:51:40 -07:00
Josh Cummings 701f754e37
Cast FilterChainObservationContext Safely
Closes gh-12268
2022-11-29 16:24:56 -07:00
Steve Riesenberg fd547321e8
Default to XorCsrfTokenRequestAttributeHandler
As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.

Issue gh-11960
Closes gh-12235
2022-11-18 22:50:26 -06:00
Steve Riesenberg 5da78f44f2
Merge branch '5.8.x' 2022-11-18 14:54:33 -06:00
Steve Riesenberg 2ed7cff643
Check for existing token before clearing
Closes gh-12236
2022-11-18 13:12:59 -06:00
Josh Cummings 24860d9fb0
Observe Filter Start and Stop
Issue gh-11911
2022-11-17 15:11:29 -07:00
Josh Cummings e08ed89403 Polish Span and Meter Names
Closes gh-12156
2022-11-17 15:09:52 -07:00
Marcus Da Coregio 063f06e7bf Register FilterChainProxy for all dispatcher types
Closes gh-12180
2022-11-16 09:55:21 -03:00