1353 Commits

Author SHA1 Message Date
Steve Riesenberg
dce1c30522
Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Steve Riesenberg
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Daniel Garnier-Moiroux
0e215a21ad
Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Marcus Da Coregio
64a19de4dc Deprecate HPKP security header
Closes gh-10144
2022-10-03 11:36:19 -03:00
Daniel Garnier-Moiroux
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Steve Riesenberg
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Steve Riesenberg
d140d95305
Fix assertion in NullSecurityContextRepository
Issue gh-11060
2022-09-22 15:33:22 -05:00
Steve Riesenberg
5d757919a2
Add SecurityContextHolderStrategy to new repository
In 6.0, RequestAttributeSecurityContextRepository will be the default
implementation of SecurityContextRepository. This commit adds the
ability to configure a custom SecurityContextHolderStrategy, similar
to other components.

Issue gh-11060
Closes gh-11895
2022-09-22 15:33:21 -05:00
Rob Winch
d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
2022-09-22 11:09:44 -05:00
Josh Cummings
3f8503f1b4
Deprecate AccessDecisionManager et al
Closes gh-11302
2022-09-20 16:09:59 -06:00
Steve Riesenberg
86fbb8db07 Add new interfaces for CSRF request processing
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
Bert Vanwolleghem
a5351f3d89
LogoutPageGeneratingWebFilter Uses Context Path
Closes gh-11716
2022-08-25 15:36:04 -06:00
shinD
4ff0724c87
slight improvement in HttpSessionRequestCache
Closes gh-11666
2022-08-24 16:44:23 -05:00
Rob Winch
2fb625db84 Remove mockito deprecations
Issue gh-11748
2022-08-23 15:59:52 -05:00
Rob Winch
5b64526ba9 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-15 17:07:02 -05:00
Rob Winch
666f175225 LazyCsrfTokenRepository#loadToken Supports Deferring Delegation
Previously LazyCsrfTokenRepository supported lazily saving the CsrfToken
which allowed for lazily saving the CsrfToken. However, it did not
support lazily reading the CsrfToken. This meant every request required
reading the CsrfToken (often the HttpSession).

This commit allows for lazily reading the CsrfToken and thus prevents
unnecessary reads to the HttpSession.

Closes gh-11700
2022-08-15 17:07:02 -05:00
Marcus Da Coregio
ead587c597 Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:32:42 -03:00
Marcus Da Coregio
6a2ca52aae Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:32:10 -03:00
Marcus Da Coregio
1c4d6ed098 Consistently handle RequestRejectedException if it is wrapped
Closes gh-11645
2022-08-09 08:30:15 -03:00
Rob Winch
269c711a64 RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
2022-08-08 13:52:56 -05:00
Rob Winch
c9f8d2b111 RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
2022-08-08 13:52:12 -05:00
Marcus Da Coregio
f45c4d4b8e Add SHA256 as an algorithm option for Remember Me token hashing
Closes gh-8549
2022-07-15 10:41:03 -03:00
Josh Cummings
db25a37320
Consolidate ExpressionAuthorizationDecision
Issue gh-11493
2022-07-13 17:58:16 -06:00
Rob Winch
1c61748bb9 Fix logging for AnonymousAuthenticationFilter
Currently if trace logging is enabled a StackOverflowException is thrown
when trying to resolve toString of the authentication.

java.lang.StackOverflowError: null
        at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:538) ~[na:na]
        at java.base/java.lang.StringBuilder.append(StringBuilder.java:174) ~[na:na]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$2(AnonymousAuthenticationFilter.java:125) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.core.log.LogMessage$SupplierMessage.buildString(LogMessage.java:155) ~[spring-core-5.3.12.jar:5.3.12]
        at org.springframework.core.log.LogMessage.toString(LogMessage.java:70) ~[spring-core-5.3.12.jar:5.3.12]
        at java.base/java.lang.String.valueOf(String.java:2951) ~[na:na]
        at org.apache.commons.logging.LogAdapter$Slf4jLocationAwareLog.trace(LogAdapter.java:482) ~[spring-jcl-5.3.12.jar:5.3.12]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous(AnonymousAuthenticationFilter.java:125) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$0(AnonymousAuthenticationFilter.java:105) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.core.context.ThreadLocalSecurityContextHolderStrategy.lambda$setDeferredContext$2(ThreadLocalSecurityContextHolderStrategy.java:67) ~[spring-security-core-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.core.context.ThreadLocalSecurityContextHolderStrategy.getContext(ThreadLocalSecurityContextHolderStrategy.java:43) ~[spring-security-core-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$2(AnonymousAuthenticationFilter.java:126) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
        at org.springframework.core.log.LogMessage$SupplierMessage.buildString(LogMessage.java:155) ~[spring-core-5.3.12.jar:5.3.12]
        at org.springframework.core.log.LogMessage.toString(LogMessage.java:70) ~[spring-core-5.3.12.jar:5.3.12]
        at java.base/java.lang.String.valueOf(String.java:2951) ~[na:na]
        at org.apache.commons.logging.LogAdapter$Slf4jLocationAwareLog.trace(LogAdapter.java:482) ~[spring-jcl-5.3.12.jar:5.3.12]
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous(AnonymousAuthenticationFilter.java:125)

Issue gh-11457
2022-07-08 15:39:53 -05:00
Rob Winch
415a674edc AnonymousAuthenticationFilter Avoids Eager SecurityContext Access
Previously AnonymousAuthenticationFilter accessed the SecurityContext to
determine if anonymous authentication needed setup eagerly. Now this is done
lazily to avoid unnecessary access to the SecurityContext which in turn avoids
unnecessary HTTP Session access.

Closes gh-11457
2022-07-05 15:34:21 -05:00
Rob Winch
28c0d1459c Request Cache supports matchingRequestParameterName 2022-07-01 16:35:06 -05:00
Josh Cummings
5357cb8c95
Use SecurityContextHolderStrategy for NullSecurityContextRepository
Issue gh-11060
2022-06-28 15:32:20 -06:00
Josh Cummings
03a5c3b08a
Use SecurityContextHolderStrategy for Concurrency Filter
Issue gh-11060
Issue gh-11061
2022-06-28 15:32:05 -06:00
Josh Cummings
27de315e5e
Use SecurityContextHolderStrategy for Async Requests
Issue gh-11060
Issue gh-11061
2022-06-28 14:46:52 -06:00
Josh Cummings
135e602472
Use SecurityContextHolderStrategy for Digest
Issue gh-11060
2022-06-28 13:54:29 -06:00
Josh Cummings
e1c211c11f
Use SecurityContextHolderStrategy for Switch User
Issue gh-11060
2022-06-28 13:34:04 -06:00
Josh Cummings
98995f2225
Add SecurityContextHolderStrategy to Pre-authenticated scenarios
Issue gh-11060
Issue gh-11061
2022-06-28 12:04:37 -06:00
Josh Cummings
4a2d77d3f2
Use SecurityContextHolderStrategy for Remember-me
Issue gh-11060
Isuse gh-11061
2022-06-28 11:08:57 -06:00
Josh Cummings
ee66850aed
Add SecurityContextHolderStrategy for Jaas
Issue gh-11060
Issue gh-11061
2022-06-28 09:26:05 -06:00
Josh Cummings
0fee05d023
Use SecurityContextHolderStrategy for AuthenticationFilter
Issue gh-11060
2022-06-27 16:26:42 -06:00
Josh Cummings
772f29e063
Polish SecurityContextHolderStrategy for Defaults
gh-11060
2022-06-27 13:00:24 -06:00
Alonso Araya Calvo
1ac1271972 Adds the ability to set the CSRF Token cookie max age value
Closes gh-11432
2022-06-24 16:42:05 -06:00
Rob Winch
d32f74d19d SecurityContextHolder Deferred SecurityContext
Closes gh-10913
2022-06-17 17:03:19 -05:00
Rob Winch
29db051f7a Cache SecurityContextRepository.loadContext(HttpServletRequest) Result
Closes gh-11390
2022-06-17 14:52:35 -05:00
Rob Winch
591d1edc7d Cache SecurityContextRepository.loadContext(HttpServletRequest) Result
Closes gh-11390
2022-06-17 14:52:01 -05:00
Josh Cummings
31e25b115e Add SecurityContextHolderStrategy to Default Components
Issue gh-11060
2022-06-17 11:28:10 -06:00
j3graham
29ba67b6d7 Remove dependency on commons-codec by using java.util.Base64
Closes gh-11318
2022-06-09 06:50:01 -06:00
Zhivko Delchev
e97c5a533b Reverse content type check
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
Closes gh-11205
2022-06-06 15:47:35 -05:00
Zhivko Delchev
d882bfcf2b Reverse content type check
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
Closes gh-11205
2022-06-06 15:47:14 -05:00
Zhivko Delchev
cf69cdf008 Reverse content type check
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.

closes gh-11204
Closes gh-11205
2022-06-06 15:46:28 -05:00
Evgeniy Cheban
362f15534e createEvaluationContext should defer lookup of Authentication
- Added createEvaluationContext method that accepts Supplier<Authentication>
- Refactored classes that use EvaluationContext to use lazy initialization of Authentication

Closes gh-9667
2022-05-18 17:34:14 -06:00
Rob Winch
7d97839235 StrictHttpFirewall allows CJKV characters
Closes gh-11264
2022-05-18 09:53:29 -05:00
Rob Winch
66d1cd592a StrictHttpFirewall allows CJKV characters
Closes gh-11264
2022-05-18 09:04:46 -05:00
Rob Winch
077c9e0b3e StrictHttpFirewall allows CJKV characters
Closes gh-11264
2022-05-18 08:56:57 -05:00