Marcus Da Coregio
ad2abd39dc
Merge branch '5.8.x'
...
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
Marcus Da Coregio
039e0328e1
Simplify Java Configuration RequestMatcher Usage
...
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity
Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Steve Riesenberg
d9a682a414
Polish gh-11896
2022-10-03 10:00:43 -05:00
Steve Riesenberg
bf9339d88e
Merge branch '5.8.x'
2022-10-03 09:57:40 -05:00
Steve Riesenberg
7f9600ae08
Polish gh-11896
2022-10-03 09:57:08 -05:00
Marcus Da Coregio
5f2744db33
Merge branch '5.8.x'
...
Closes gh-11937
2022-10-03 11:43:22 -03:00
Marcus Da Coregio
64a19de4dc
Deprecate HPKP security header
...
Closes gh-10144
2022-10-03 11:36:19 -03:00
Rob Winch
4479cefade
Default Require Explicit Session Management = true
...
Closes gh-11763
2022-09-30 21:49:05 -05:00
Rob Winch
0d58c5180e
Remove Explicit RequestCache Config from DeferHttpSession Tests
...
Issue gh-11757
2022-09-30 21:49:05 -05:00
Rob Winch
12a0ccf6de
Remove Explicit CSRF Config from DeferHttpSessionTests
...
Issue gh-11764
2022-09-30 21:49:04 -05:00
Rob Winch
617353eaa8
Merge branch '5.8.x'
...
Closes gh-11928
2022-09-30 21:46:26 -05:00
Rob Winch
6d56af7b65
SessionManagementDsl.requireExplicitAuthenticationStrategy
2022-09-30 21:37:44 -05:00
Steve Riesenberg
76fbca9f46
Merge branch '5.8.x'
2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
...
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".
This commit adds the ability to configure the xssProtection header
value in ServerHttpSecurity.
This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.
Issue gh-9631
2022-09-30 09:38:08 -05:00
Marcus Da Coregio
3bfdf6dd0f
Merge branch '5.8.x'
...
Closes gh-11922
2022-09-29 11:21:24 -03:00
Marcus Da Coregio
cf3349f31a
Configure ContentNegotiationStrategy in HttpSecurityConfiguration
...
Closes gh-11916
2022-09-29 11:21:08 -03:00
Josh Cummings
506e50bfd0
Move Saml2 Authentication Filters
...
Issue gh-8819
2022-09-26 10:44:27 -06:00
Steve Riesenberg
181ee7410b
Change default authority for oauth2Login()
...
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.
* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER
Documentation has been updated to include this implementation detail.
Closes gh-7856
2022-09-26 10:06:31 -05:00
Josh Cummings
37a160245f
Adjust OAuth2 Resource Server packaging
...
Closes gh-7349
2022-09-23 16:31:21 -06:00
Steve Riesenberg
21c0c73878
Remove request-resolver-ref in 6.0
...
Issue gh-11896
2022-09-23 16:04:35 -05:00
Steve Riesenberg
bcb21c9384
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
Steve Riesenberg
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
...
Closes gh-11896
2022-09-23 15:09:00 -05:00
Steve Riesenberg
3c66ef6305
Change default SecurityContextRepository
...
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.
Closes gh-11026
2022-09-22 17:31:14 -05:00
Rob Winch
0efe26c1fd
Merge branch '5.8.x'
...
Closes gh-11894
2022-09-22 13:47:04 -05:00
Rob Winch
d94677f87e
CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
...
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.
Closes gh-11892
2022-09-22 11:09:44 -05:00
Josh Cummings
44b7847258
Fix Import Order
...
Issue gh-8819
2022-09-21 09:08:41 -06:00
Josh Cummings
70460ca009
Adjust OAuth2 Resource Server packaging
...
Closes gh-7349
2022-09-20 17:44:05 -06:00
Josh Cummings
61c80bcac5
Move Saml2 Authentication Filters
...
Closes gh-8819
2022-09-20 17:18:05 -06:00
Rob Winch
48e31f87e4
Remove Deprecated OpenSAML 3 Support
...
Closes gh-10556
2022-09-20 16:57:38 -06:00
Josh Cummings
46f402243b
Merge remote-tracking branch 'origin/5.8.x'
2022-09-20 16:11:16 -06:00
Josh Cummings
3f8503f1b4
Deprecate AccessDecisionManager et al
...
Closes gh-11302
2022-09-20 16:09:59 -06:00
Marcus Da Coregio
bd18c05a27
Use mock class instead of interface on mock's return
...
Issue gh-11860
2022-09-16 15:57:43 -03:00
Steve Riesenberg
1a1a8a7a46
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/annotation/web/HttpSecurityDslTests.kt
2022-09-14 14:11:10 -05:00
slam
45bbd86f7e
HttpSecurityDsl should support apply method
...
Closes gh-11754
2022-09-14 13:58:42 -05:00
Steve Riesenberg
1aee40dcca
Polish gh-11665
...
* Add authentication-converter-ref to 6.0
* Add @Configuration to test configs
2022-09-14 10:41:42 -05:00
Steve Riesenberg
2431dd1103
Merge branch '5.8.x'
2022-09-13 17:38:10 -05:00
Steve Riesenberg
355ef21117
Polish gh-11665
2022-09-13 16:45:39 -05:00
ch4mpy
1efb63387f
Add authentication converter for introspected tokens
...
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).
The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting a successful token introspection result
into an Authentication instance (which is currently done by private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).
The default (Reactive)OpaqueTokenAuthenticationConverter behaves the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.
Closes gh-11661
2022-09-13 16:45:36 -05:00
Steve Riesenberg
088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
...
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
Steve Riesenberg
ed41a60aae
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
# config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
# web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
Steve Riesenberg
86fbb8db07
Add new interfaces for CSRF request processing
...
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
Rob Winch
7bf2d3dc4e
Update DeferHttpSession Tests
...
Closes gh-11764
2022-08-31 14:40:06 -05:00
ch4mpy
7d6552b3f4
gh-11772
2022-08-31 13:33:53 -05:00
Marcus Da Coregio
3de421be3a
Remove setAuthenticationManager from HttpSecurityConfiguration
...
Closes gh-11776
2022-08-31 15:14:45 -03:00
Steve Riesenberg
f1b79e08cb
Merge branch '5.8.x'
2022-08-30 13:10:51 -05:00
Steve Riesenberg
6b297cc3a3
Polish javadoc in Kotlin DSL
...
Issue gh-11646
2022-08-30 13:10:35 -05:00
Steve Riesenberg
3eac274317
Merge branch '5.8.x'
2022-08-30 12:59:19 -05:00
Steve Riesenberg
5bdbc3f78d
Polish javadoc in Kotlin DSL
...
Issue gh-11646
2022-08-30 12:53:37 -05:00
Steve Riesenberg
2e26e875c8
Remove WebSecurityConfigurerAdapter in Kotlin DSL
...
Issue gh-11277
Closes gh-11646
2022-08-30 12:53:18 -05:00
Steve Riesenberg
41ede20712
Add method-security.mode to spring-security-6.0.xsd
2022-08-29 16:05:20 -05:00