Commit Graph

1287 Commits

Author SHA1 Message Date
Josh Cummings 25d1f49d84
Remove Resource Server's Session Policy Config
Resource Server doesn't need to set the session policy for the
application to STATELESS since it can rely on the
SessionManagementFilter ignoring token's annotated with @Transient,
which a JwtAuthenticationToken is.

Fixes: gh-5759
2018-09-04 14:55:40 -06:00
Josh Cummings 8510e9a285 Reactive Resource Server insufficient_scope
This introduces an implementation of ServerAccessDeniedHandler that is
compliant with the OAuth 2.0 spec for insufficent_scope errors.

Fixes: gh-5705
2018-08-31 10:33:11 -05:00
Joe Grandja 229b69dd35 Add DefaultAuthorizationCodeTokenResponseClient
Fixes gh-5547
2018-08-27 12:44:19 -04:00
Vedran Pavic cb0ba58b58 Fix WhitespaceAfterCheck Checkstyle check 2018-08-27 10:45:35 -05:00
Rob Winch 1640a1f462 Polish ServerAuthenticationConverter
Fix package tangles

Issue: gh-5338
2018-08-24 09:44:27 -05:00
Josh Cummings 68d836d508 Reactive Resource Server Csrf Bypass
This makes requests identified as bearer token requests skip the csrf
filter.

Fixes: gh-5710
2018-08-24 09:44:01 -05:00
Rob Winch 820fb7d828 Polish formatting ServerHttpSecurity JwtSpec
Fixes: gh-5728
2018-08-23 15:12:19 -05:00
Josh Cummings cba2444e1a ServerHttpSecurity ReactiveJwtDecoder discovery
This makes so that WebFlux OAuth 2.0 Resource Server configuration
will pick up a ReactiveJwtDecoder exposed as a bean.

Fixes: gh-5720
2018-08-23 15:12:14 -05:00
Josh Cummings 0fdc081ab5 Add unit tests
Added some unit tests around some untested parts of the code that I
will be touching for this issue.

Issue: gh-5720
2018-08-23 15:11:40 -05:00
Joe Grandja ff6e1232c8 Flatten HttpSecurity.oauth2()
Fixes gh-5715
2018-08-22 05:58:04 -04:00
Joe Grandja 0f89e59707 Simplified oauth2().client() DSL
Fixes gh-5662
2018-08-22 04:45:35 -04:00
Rob Winch 0dc80aed40 Flatten ServerHttpSecurity.oauth2()
Fixes: gh-5712
2018-08-21 15:48:41 -05:00
Rob Winch 53652584b2 ResourceServerSpec->OAuth2ResourceServerSpec
Fixes: gh-5713
2018-08-21 14:51:22 -05:00
Joe Grandja c3e19e29b5 Remove authorizationEndpoint.baseUri in OAuth2ClientConfigurer
Fixes gh-5661
2018-08-21 15:33:58 -04:00
Vedran Pavic f382b69507 Add reactive support for Referrer-Policy security header 2018-08-20 10:10:59 -05:00
Vedran Pavic 10621a0f2c Add reactive support for Content-Security-Policy security header 2018-08-20 10:03:42 -05:00
Vedran Pavic 29cfc3dd1d Add reactive support for Feature-Policy security header
Closes gh-5672
2018-08-20 09:02:12 -05:00
Rob Winch b9ab4929b7 Add OAuth2AuthorizationCodeGrantWebFilter
Issue: gh-5620
2018-08-19 21:12:41 -05:00
Rob Winch d0ebe47cd5 OAuth2LoginReactiveAuthenticationManager uses OAuth2AuthorizationCodeReactiveAuthenticationManager
Issue: gh-5620
2018-08-19 21:12:32 -05:00
Rob Winch f843da1942 Add OAuth2LoginAuthenticationWebFilter
This is necessary so that the saving of the authorized client occurs
outside of the ReactiveAuthenticationManager. It will allow for
saving with the ServerWebExchange when ReactiveOAuth2AuthorizedClientRepository
is added.

Issue: gh-5621
2018-08-19 21:11:43 -05:00
Rob Winch dd7925cb63 OAuth2AuthorizedClientArgumentResolver Uses ServerOAuth2AuthorizedClientRepository
Issue: gh-5621
2018-08-19 21:11:24 -05:00
Rob Winch b02ce59188 TestClientRegistrations
Fixes: gh-5651
2018-08-19 21:08:02 -05:00
Rob Winch 5ddb25fff8 Consistent .server package for ServerWebExchange OAuth2
Fixes: gh-5663
2018-08-19 21:05:55 -05:00
Rob Winch e3eaa99ad0 Polish ServerAuthenticationConverter
Update changes for ServerAuthenticationConverter to be passive.

Issue: gh-5338
2018-08-18 19:55:39 -05:00
Rob Winch 46f71cc232 Update to assertj 3.11.0
Fixes: gh-5686
2018-08-17 21:10:47 -05:00
Rob Winch 2c27e18eb3 GlobalMethodSecurityConfiguration uses BeanFactoryAware
This works around an issue found when updating to
Spring 5.1.0.RC2

Issue: gh-5679
2018-08-17 21:09:37 -05:00
Rob Winch ff8163f4c7 Run rnc generation after Feature-Policy Support
After the Feature-Policy support changes the format of the xsd did not
align with the generator which meant running the build caused changes
for the commit.

This commit ran the xsd generation so that the formatting would be
consistent with the generator.

Issue: gh-5670
2018-08-17 11:20:26 -05:00
Josh Cummings d610f31425 Jwt -> Authentication Conversion
Exposes ability to specify a strategy for converting Jwt into an
Authentication, specifically in JwtAuthenticationProvider.

Fixes: gh-5629
2018-08-17 11:04:27 -05:00
Rob Winch 938dbbf424 Add OAuth2AuthorizationRequestResolver.resolve(HttpServletRequest,String)
Previously there was a tangle between
DefaultOAuth2AuthorizationRequestResolver and
OAuth2AuthorizationRequestRedirectFilter with
AUTHORIZATION_REQUIRED_EXCEPTION_ATTR_NAME

This commit adds a new method that can be used for resolving the
OAuth2AuthorizationRequest when the client registration id is known.

Issue: gh-4911
2018-08-16 20:41:13 -05:00
Josh Cummings 7c524aa0c8 Jwt Claim Validation
This introduces OAuth2TokenValidator which allows the customization of
validation steps that need to be performing when decoding a string
token to a Jwt.

At this point, two validators, JwtTimestampValidator and
JwtIssuerValidator, are available for use.

Fixes: gh-5133
2018-08-16 13:19:26 -05:00
Vedran Pavic c6ea447cc0 Add support for Feature-Policy security header 2018-08-16 09:31:02 -05:00
Josh Cummings a4bd0d3923
OIDC Provider Configuration - ClientRegistrations
OIDC Provider Configuration is now being used to create more than just
ClientRegistration instances. Also, the endpoint is being addressed in
more contexts than just the client.

To that end, this refactors OidcConfigurationProvider in the config
project to ClientRegistrations in the oauth2-client project.

Fixes: gh-5647
2018-08-14 13:26:46 -06:00
Josh Cummings 950a314c9f
RememberMeConfigTests groovy->java
Issue: gh-4939
2018-08-10 11:17:54 -06:00
Johnny Lim 68878a1675 Replace isEqualTo(null) with isNull() 2018-08-09 18:04:48 -06:00
Rob Winch 4de3d0b860 Create AuthorizationEndpointConfig.configure
Issue: gh-5654
2018-08-08 16:02:40 -05:00
Rob Winch 52622bc6dd Move OAuth2ClientConfigurer.configure to AuthorizationCodeGrantConfigurer
Issue: gh-5654
2018-08-08 16:02:34 -05:00
Joe Grandja 952743269d Add support for client_credentials grant
Fixes gh-4982
2018-08-08 08:06:47 -05:00
Daniel Meier 14a7387190 Made JwtConfigurer fluent
Adjusted return type of #decoder(JwtDecoder) and #jwkSetUri(String)
to return the JwtDecoder itself. Added new method #and() that returns
the enclosing OAuth2ResourceServerConfigurer.

Fixes gh-5595
2018-08-08 08:28:26 -04:00
Rob Winch 6a2dd78f88 Regenerate spring-security-5.1.xsd
Commit 884fdbf9 performed some manual edits of this file which
means running the rncToXsd task causes this file to change. This
commit regenerates the file properly.

Fixes: gh-5640
2018-08-03 10:57:54 -05:00
Rob Winch 4e8f2a3ee4 Add @Configuration to ServerHttpSecurityConfiguration
Fixes: gh-5635
2018-08-03 09:37:03 -05:00
Rob Winch cecbc2175b Add CORS WebFlux Support
Fixes: gh-4832
2018-07-31 11:37:50 -05:00
Rob Winch afa2d9cbc7 Remove ExchangeFilterFunctions
Issue: gh-5612
2018-07-30 15:34:44 -05:00
Rob Winch 6d0369647b Add OAuth2LoginSpec.and()
Fixes: gh-5609
2018-07-30 12:07:51 -05:00
Rob Winch e215d2733f Add OAuth2Spec
Issue: gh-5605
2018-07-30 11:39:45 -05:00
Rob Winch f3c9cce56d Rename to WebClientAuthorizationCodeTokenResponseClient
Rename NimbusReactiveAUthorizationCodeTokenResponseClient to
WebClientReactiveAuthorizationCodeTokenResponseClient

Fixes: gh-5529
2018-07-26 15:14:11 -05:00
Rob Winch 1c8a931e33 Rename to OidcAuthorizationCodeReactiveAuthenticationManager
Renamed OidcReactiveAuthenticationManager to
OidcAuthorizationCodeReactiveAuthenticationManager since it only handles
authorization code flow.

Fixes: gh-5530
2018-07-26 15:14:11 -05:00
Rob Winch 7b2b1a877d Default RequestCache as @Bean
Fixes: gh-5583
2018-07-26 15:14:11 -05:00
Rob Winch 8ce244f5d2 Simplify Configuring RequestCache
Now the RequestCache is configured on any default success handler.

Fixes: gh-5582
2018-07-26 15:14:11 -05:00
Rob Winch 6012bfdc6e Rename FormLoginConfigurerTests to FormLoginConfigurerSpec
Rename so can add new Java based tests for gh-5582

Issue: gh-5582
2018-07-26 15:14:11 -05:00
Josh Cummings fc5083ae0c Bearer Token Exception Handling Configuration
This exposes #authenticationEntryPoint(), #accessDeniedHandler, on
the Resource Server DSL.

With these, a user can customize the error responses when a bearer
token request fails.

Fixes: gh-5497
2018-07-24 12:49:26 -06:00
Josh Cummings 6a45ecd4bb Bearer Token Resolver Configuration
This introduces #bearerTokenResolver(BearerTokenResolver) to the
Resource Server DSL, allowing users to configure the resolver to allow
the access token as part of the request body or a query parameter. It
also allows the user to replace the resolver with a completely custom
one.

This also introduces the same ability by exposing a bean of type
BearerTokenResolver

Fixes: gh-5496
2018-07-24 13:12:16 -04:00
Josh Cummings 195a6943e2
OpenIDConfigTests groovy->java
For the remember me test, there is some hand configuration that was
carried over from the groovy test as there isn't a way via the xml
config to achieve the same result.

For the attribute exchange test, in order to reduce the amount of
endpoint configuration, the test uses a bit of reflection to disable
the OpenID association step. This is because the xml config does not
support wiring a custom ConsumerManager, like the java configurer
does.

Issue: gh-4939
2018-07-23 12:43:23 -06:00
Joe Grandja 6c7d49759e Auto-redirect to provider login when one client configured
Fixes gh-5347
2018-07-23 10:24:20 -04:00
Josh Cummings 4fc1e63369 User-Specified JwtDecoder
This exposes JwtConfigurer#decoder as well as makes the configurer
look in the application context for a bean of type JwtDecoder.

Fixes: gh-5519
2018-07-20 11:33:14 -05:00
Joe Grandja a4fdc28b27 Use context.getBean() for ClientRegistrationRepository
Fixes gh-5538
2018-07-20 09:47:35 -04:00
Joe Grandja 9a144d742e Use OAuth2AuthorizedClientRepository in filters and resolver
Fixes gh-5544
2018-07-19 22:57:10 -04:00
Josh Cummings 39e336136f
MultiHttpBlockConfigTests groovy->java
Note that originally there were five tests in the groovy test, however
the last one, multipleAuthenticationManagersWorks, turned out to be a
duplicate after creating the test
requestWhenUsingMutuallyExclusiveHttpElementsThenIsRoutedAccordingly

As such, the new file contains just four tests.

Issue: gh-4939
2018-07-19 14:44:54 -06:00
Eric Hudon 79bbd6a39c Fix a missing "throws Exception" for configure(AuthenticationManagerBuilder auth)
The actual method signature look this this:
```java
protected void configure(AuthenticationManagerBuilder auth) throws Exception
```
 This PR aims at aligning the javadoc for this annotation with the actual method signature.
2018-07-19 09:30:51 -06:00
Rob Winch f48404a6a0 Default Log In Pages Use HTTPS for CSS
Fixes: gh-5539
2018-07-18 20:06:17 -05:00
Jonathan Chen fbf870a82e Include email in user information attributes from Facebook
Fixes gh-5532
2018-07-18 17:09:33 -04:00
mhyeon.lee 18db425861 Polish Javadoc to remove warning 2018-07-18 09:24:59 -06:00
Josh Cummings f0f678d61e
SessionManagementConfigTests groovy->java
Issue: gh-4939
2018-07-17 10:47:44 -06:00
Josh Cummings 884fdbf9b3 Add Bearer Token filter to Security Filters
This introduces BearerTokenAuthenticationFilter to SecurityFilters so
that it can be used in the various addFilter methods and with the
`custom-filter` xml tag.

Fixes: gh-5479
2018-07-17 10:56:49 -05:00
Joe Grandja 2cd548221d Allow configuring a custom OAuth2AuthorizationRequestResolver
Fixes gh-5521
2018-07-16 20:47:39 -04:00
Josh Cummings a9bc384b48
Reliable Error State Tests
Some of Resource Server Configurer's tests were relying on specific
error messaging from Nimbus and from the JDK, which makes them
brittle.

These tests now simply confirm that resource server responses
contain the correct error state without relying on specific wording
outside of our control.
2018-07-16 14:19:23 -06:00
Rob Winch d595098823 Rename @TransientAuthentication to @Transient
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.

Issue: gh-5481
2018-07-16 11:31:10 -05:00
Josh Cummings 40ccdb93f7 Resource Server Jwt Support
Introducing initial support for Jwt-Encoded Bearer Token authorization
with remote JWK set signature verification.

High-level features include:

- Accepting bearer tokens as headers and form or query parameters
- Verifying signatures from a remote Jwk set

And:

- A DSL for easy configuration
- A sample to demonstrate usage

Fixes: gh-5128
Fixes: gh-5125
Fixes: gh-5121
Fixes: gh-5130
Fixes: gh-5226
Fixes: gh-5237
2018-07-16 10:40:46 -05:00
Josh Cummings 28afb4e3d7 Access Denied Handling Defaults
This introduces the capability for users to wire denial handling
by request matcher, similar to how users can already do with
authentication entry points.

This is handy for when denial behavior differs based on the contents
of the request, for example, when the Authorization header indicates
an OAuth2 Bearer Token request vs Basic authentication.

Fixes: gh-5478
2018-07-16 10:40:46 -05:00
Josh Cummings b7ccb63dfd Disable CSRF by Request Matcher
This introduces an evolution on CsrfConfigurer#ignoreAntMatchers,
allowing users to specify a RequestMatcher in the circumstance where
more than just the path needs to be analyzed to determine whether
CsrfFilter should require a token for the request.

Simply put, a user can now selectively disable csrf by request matcher
in addition to the way it can already be done with ant matchers.

Fixes: gh-5477
2018-07-16 10:40:45 -05:00
Josh Cummings ed20edd177 Improved Session Creation Policy Configuration
Other configurers can now offer their preference on session creation
policy without trumping what a user provided via the
sessionCreationPolicy method.

This is valuable for configurer's like Resource Server that would like
to have session management be stateless, but not at the expense of the
user's direct configuration.

Fixes: gh-5518
2018-07-16 10:40:45 -05:00
Josh Cummings 3c46727be1 Transient Authentication Tokens
This commit introduces support for transient authentication tokens
which indicate to the filter chain, specifically the
HttpSessionSecurityContextRepository, whether or not the token ought
to be persisted across requests.

To leverage this, simply annotate any Authentication implementation
with @TransientAuthentication, extend from an Authentication that uses
this annotation, or annotate a custom annotation.

Implementations of SecurityContextRepository may choose to not persist
tokens that are marked with @TransientAuthentication in the same way
that HttpSessionSecurityContextRepository does.

Fixes: gh-5481
2018-07-16 10:40:45 -05:00
Joe Grandja 371221d729 Support anonymous Principal for OAuth2AuthorizedClient
Fixes gh-5064
2018-07-16 10:15:41 -05:00
Joe Grandja 779597af2a Add support for custom authorization request parameters
Fixes gh-4911
2018-07-16 09:39:06 -05:00
Rob Winch a3210c96d9 Default Log Out Page
Fixes: gh-5516
2018-07-15 19:45:20 -05:00
Rob Winch 05ed028f9d Modernize Default Log In Page
Fixes: gh-5515
2018-07-15 19:43:42 -05:00
Rob Winch a66b945ab7 Configuration for ReactiveUserDetailsPasswordService
Issue: gh-2778
2018-07-15 15:08:06 -05:00
Rob Winch 3ca5810bc8 Configuration Support for UserDetailsPasswordManager
Issue: gh-2778
2018-07-15 14:56:45 -05:00
Rob Winch 02b857d82a Add PasswordEncoder.upgradeEncoding
Issue: gh-2778
2018-07-14 22:52:15 -05:00
mhyeon.lee 2af69f08a9 Fix oauth2login loginProcessingUrl NPE for java config
Java Config http.oauth2Login().loginProcessingUrl("url"); throws NPE.
Override loginProcessingUrl method and cached config url.
Then when the config is initialized,
it calls the super method to complete the configuration.

Fixes gh-5488
2018-07-13 09:34:17 -04:00
Johnny Lim 522bfe9e05 Polish Javadoc in ServerHttpSecurity 2018-07-11 08:01:49 -05:00
Mahan Hashemizadeh 555512e1f0 HstsSpec methods return this
HstsSpec methods maxAge and includeSubdomains use to return void
which broke using it as a fluent API.

The methods now return HstsSpec which fixes this issue.

Fixes: gh-5483
2018-07-05 13:58:45 -05:00
Josh Cummings 1d0bb08398
InterceptUrlConfigTests groovy->java
Issue: gh-4939
2018-07-02 10:39:24 -06:00
Joe Grandja ec970c9b8e Improve message for NoUniqueBeanDefinitionException in OAuth2ClientConfigurerUtils 2018-06-25 15:20:02 -04:00
Joe Grandja b3a38fb0f6 OAuth2ClientWebMvcSecurityConfiguration handles multiple OAuth2AuthorizedClientService @Bean
Fixes gh-5321
2018-06-25 15:20:02 -04:00
Josh Cummings b437ce03b0
HttpHeadersConfigTests groovy->java
Also, slightly modified the approach when asserting headers. In the
previous incarnation, the tests would assert an exact match against
the list of headers, which is more brittle than confirming that the
expected headers are there and the unexpected ones are not.

Now, should Spring Security add other headers that are outside the
purview of the secure headers configuration, the assertions won't
break.

Issue: gh-4939
2018-06-20 07:53:22 -06:00
Joe Grandja 6081451fa3 Polish OAuth2Configurer 2018-06-19 06:10:30 -04:00
Rob Winch 3573167d77 ServerHttpSecurity oauth leverages OidcReactiveAuthenticationManager
Issue: gh-5330
2018-06-18 16:08:07 -05:00
Joe Grandja 4fc6d96073 Rename @OAuth2Client to @RegisteredOAuth2AuthorizedClient
Fixes gh-5360
2018-06-08 17:33:21 -04:00
Joe Grandja 81a73e1f55 Fix package tangle in OAuth2Configurer
Fixes gh-5342
2018-06-08 11:09:16 -04:00
Rob Winch dd1b1b9cc3 Use Spring Framework 5.1.0 SNAPSHOT
Fixes: gh-5408
2018-06-05 12:28:51 -05:00
Josh Cummings 3332ccbe50
SecurityContextHolderAwareRequestConfig groovy->java
Issue: gh-4939
2018-05-30 17:37:45 -06:00
Rob Winch 73345e7434 Add Cross Site Tracing (XST) & HTTP Method Tampering Protection
Fixes: gh-5377
2018-05-24 09:35:40 -05:00
Kazuki Shimizu 2c92496911 Polishing the OidcConfigurationProvider
See gh-5355
2018-05-21 12:20:58 -05:00
Rob Winch 9d55a64465 OidcConfigurationProvider validate returned issuer
Validate the issuer that was returned matches the issuer that was
was requested.

Issue: gh-5355
2018-05-18 13:15:27 -05:00
Rob Winch db889973a8 OidcConfigurationProvider improve invalid issuer error
Issue: gh-5355
2018-05-18 11:21:45 -05:00
Rob Winch 18c8af8f0d Add OidcConfigurationProvider ClientAuthenticationMethod.POST support
Issue: gh-5355
2018-05-18 10:35:53 -05:00
Rob Winch 7853c759d9 OidcConfigurationProvider uses OidcScopes.OPENID
Issue: gh-5355
2018-05-18 10:03:36 -05:00
Rob Winch cbf9a7b7a2 Polish OidcConfigurationProvider Javadoc
Issue: gh-5355
2018-05-18 10:02:07 -05:00
Rob Winch 9862c7bbef Move OidcConfigurationProvider to .oidc package
Issue: gh-5355
2018-05-18 09:57:12 -05:00
Rob Winch 0eedfc717a Revert "Revert "Add ClientRegistration from OpenID Connect Discovery""
This reverts commit 9fe0f50e3c.

The original commit was accidentally pushed prior to PR. We attempted
to revert the commit hoping the PR would open again. This did not work.
We are going to do a Polish commit instead.

Issue: gh-5355
2018-05-18 09:40:43 -05:00
Rob Winch 9fe0f50e3c Revert "Add ClientRegistration from OpenID Connect Discovery"
This reverts commit 0598d47732.
2018-05-18 09:20:51 -05:00
Rob Winch 0598d47732 Add ClientRegistration from OpenID Connect Discovery
Fixes: gh-4413
2018-05-16 12:30:04 -05:00
Josh Cummings 658acf0332
PlaceHolderAndELConfigTests groovy->java
Issue: gh-4939
2018-05-15 08:47:33 -06:00
Josh Cummings 428b0e45aa
HttpCorsConfigTests groovy->java
Issue: gh-4939
2018-05-15 08:47:33 -06:00
Josh Cummings 306e9ed91c
HttpConfigTests groovy->java
Issue: gh-4939
2018-05-15 08:47:33 -06:00
Rob Winch 32e368d9b7 Single ClientRegistration redirects by default
Fixes: gh-5339
2018-05-14 16:38:13 -05:00
Rob Winch f29e4cf91f LoginPageGeneratingWebFilter conditionally renders formLogin
Issue: gh-4807
2018-05-14 16:38:13 -05:00
Rob Winch 7013c6fd76 Add OAuth2LoginSpec
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Johnny Lim b91ebf7090 Fix @since for MockEventListener 2018-05-07 16:53:26 -05:00
Denys Ivano fed15f2b01 Add accessDeniedHandler method to ExceptionHandlingSpec
This allows to configure accessDeniedHandler in ExceptionTranslationWebFilter through ServerHttpSecurity.

Issue: gh-5257
2018-05-07 16:22:29 -05:00
Johnny Lim 2a0f529ee4 Use spring-projects for organization in GitHub URLs 2018-05-04 21:01:39 -05:00
Josh Cummings 2273839aad
FormLoginConfigTests groovy->java
Issue: gh-4939
2018-05-01 08:11:04 -06:00
Rob Winch 9bb841ac67 ExceptionTranslationFilter does not handle committed responses
Fixes: gh-5273
2018-04-30 16:49:51 -05:00
Rob Winch eb067bc3a1 DefaultWebSecurityExpressionHandler uses PermissionEvaluator Bean
The default instance of DefaultWebSecurityExpressionHandler uses the
PermissionEvaluator Bean by default.

Fixes: gh-5272
2018-04-30 12:15:50 -05:00
Josh Cummings 359a73eff2
Merge pull request #5260 from jzheaux/gh-4939-FormLoginBeanDefinitionParserTests
FormLoginBeanDefinitionParserTests groovy->java
2018-04-27 12:03:55 -06:00
Josh Cummings 3c1231efd3
CsrfConfigTests groovy->java
Issue: gh-4939
2018-04-25 11:41:32 -06:00
Josh Cummings 65326b1178
FormLoginBeanDefinitionParserTests groovy->java
Issue: gh-4939
2018-04-25 11:12:07 -06:00
Josh Cummings 9c0f2cc281
AccessDeniedConfigTests groovy->java
Issue: gh-4939
2018-04-24 08:11:47 -06:00
Joe Grandja 526e0fdd4f Add OAuth2 Client HandlerMethodArgumentResolver
Fixes gh-4651
2018-04-02 12:13:52 -04:00
Joe Grandja 982fc360b2 Add support for authorization_code grant
Fixes gh-4928
2018-04-02 12:13:06 -04:00
Rob Winch 234c20eb30 Polish XsdDocumentedTests
- NicerNoce->XmlNode
- NicerXmlSupport->XmlSupport
- NicerXmlParser->XmlParser

Issue: gh-4939
2018-03-29 16:36:41 -05:00
Josh Cummings 0c0abea3ad XsdDocumentedTests groovy->java
Groovy has more extensive support for Xml parsing via XmlSlurper.
To replace it, this conversion also introduces a SAX wrapper,
NicerXmlParser, and a companion Node wrapper, NicerNode, that
allowed for less modification of the converted tests.

Issue: gh-4939
2018-03-29 16:36:41 -05:00
Rob Winch fb7394c1de Polish Javadoc
Fixes: gh-5186
2018-03-29 15:33:57 -05:00
Rob Winch 6e1e977778 Polish HeadersSpec
Fixes: gh-5187
2018-03-29 15:33:57 -05:00
Rob Winch 7a204a5f58 Fixes for SPR-16624
Fixes: gh-5164
2018-03-27 22:35:08 -05:00
Josh Cummings ec46b7dbe1 WebSocketMessageBrokerConfigTests groovy->java
Of note is that this commit unrolls three Spock @Unroll-parameterized
tests into a separate test for each parameter.

Issue: gh-4939
2018-03-27 12:38:06 -05:00
Christoph Dreis d07cfe655d Use Supplier variants of Assert methods 2018-03-27 10:58:55 -05:00
Rob Winch b1d013e8f0 Fix JDK 9
Issue: gh-5160
2018-03-27 09:30:56 -05:00
Rob Winch 018ab7d92c Fix Javadoc Typo uses->use
Issue: gh-5113
2018-03-19 15:36:31 -05:00
Rob Winch 01152ede41 Clarify HttpSecurity.registerFilterAt
Fixes: gh-5113
2018-03-19 14:41:03 -05:00
Rob Winch e86becc151 Relax assertions in HeaderSpecTests
Fixes: gh-5116
2018-03-15 08:30:37 -05:00
Rob Winch 4f709d47b9 Fix @since on GlobalAuthenticationConfigurerAdapter
Fixes: gh-5106
2018-03-13 14:23:36 -05:00
Rob Winch 452d855396 Fix appendix tests 2018-03-09 16:34:49 -06:00
Rob Winch a2073b2b91 Support BeanResolver for Reactive AuthenticationPrincipal
Fixes: gh-4326
2018-03-09 12:05:55 -06:00
Josh Cummings 3121f9c000 NamespaceGlobalMethodSecurity groovy->java
Note that the `WhenUsingAspectJ` tests are still simply verifying structure instead of behavior. This is because the project appearsto be misconfigured in some way such that AspectJ advice isn't getting woven in at runtime. The original Groovy tests also only verified structure and they may be that way for a similar reason.

Either way, I will open up a ticket so we can review why that is the case and if there is a good fix.

Issue: gh-4939
2018-03-08 16:53:54 -06:00
Josh Cummings c91ca0584c Sec2758Tests groovy->java
Note that the old groovy test used a configuration of

```
http
    .authorizeRequests()
        .anyRequest().hasAnyAuthority("USER")
```

However, as I read the issue, gh-2984, the problem this issue
identifies is the non-passive change of defaulting to prefix
ROLE_ with all role-based configuration methods. So, the test now
does the following:

```
http
    .authorizeRequests()
        .anyRequest().access("hasAnyRole('USER')")
```

which demonstrates, given the configuration in this test, that
ROLE_ is correctly not prefixed in this expression, even though
it is a role-based configuration.

Issue: gh-4939
2018-03-08 16:52:20 -06:00
Joe Grandja a5bd76b6ed Revert authorization_code grant support
This reverts commit eae7afd9aa.
2018-03-06 16:16:45 -05:00
Joe Grandja c922fe3be1 WebSecurityConfigurationTests groovy->java
Issue: gh-4939
2018-03-06 09:24:52 -05:00
Joe Grandja b1f3d495d9 Sec2515Tests groovy->java
Issue: gh-4939
2018-03-05 15:16:52 -05:00
Joe Grandja 0aa87e8501 EnableWebSecurityTests groovy->java
Issue: gh-4939
2018-03-05 10:23:48 -05:00
Joe Grandja 5af1d1d936 Polish HttpConfigurationTests 2018-03-05 08:36:15 -05:00
Joe Grandja 2a678ebc6e Polish WebSecurityConfigurerAdapterTests 2018-03-05 06:20:27 -05:00
Joe Grandja eae7afd9aa Add support for authorization_code grant
Fixes gh-4928
2018-03-02 14:30:49 -05:00
Josh Cummings 1ed51033cc Migrate config-debug groovy->java
All tests in `org.springframework.security.config.debug` are migrated.

Note that `SecurityDebugBeanFactoryPostProceessorTest` preserves the original structure-verifying strategy used in the Groovy test. Verifying debug behavior turns out to be fairly tricky since being behaviorally invisible is in its nature.

Issue: gh-4939
2018-03-02 08:55:07 -06:00
Josh Cummings 1b69c62d20 PortMapperConfigurerTests groovy->java
Issue: gh-4939
2018-02-27 11:44:21 -05:00
Josh Cummings e08d4cc90c AnonymousConfigurerTests groovy->java
This test now checks key and principal both, which differs from the original Groovy test

In order to keep from needing to execute logic internal to `AnonymousAuthenticationToken`, this test changed from the original Groovy test. In the Groovy test, `key` is tested; however in this new test, `principal` is tested instead.

A concern was raised that if `AnonymousAuthenticationProvider` were invoked in this test, then testing only `principal` would not confirm that `key` was correctly propagated to `AnonymousAuthenticationProvider`. So, the test now configures both `key` and `principal`. The former to confirm correct wiring of `AnonymousAuthenticationProvider` and the latter to confirm correct wiring of `AnonymousAuthenticationFilter`.

Issue: gh-4939
2018-02-27 11:30:02 -05:00
Josh Cummings bb59733736 Sec2377Tests groovy->java
Issue: gh-4939
2018-02-22 10:48:18 -05:00
Joe Grandja dc9248e73c NamespaceHttpTests groovy->java
Issue: gh-4939
2018-02-22 10:29:48 -05:00
Joe Grandja fded710e04 HttpConfigurationTests groovy->java
Issue: gh-4939
2018-02-16 14:16:51 -05:00
Rob Winch 210a510bba Use HttpFirewall Bean
Fixes: gh-5022
2018-02-15 17:18:28 -06:00