Eleftheria Stein
ae532c080c
Add server request cache that uses cookie
...
Fixes: gh-8033
2020-03-05 15:36:47 -05:00
Eleftheria Stein
38979b1b09
Add test for ServerRequestCacheWebFilter
2020-03-05 14:57:07 -05:00
Josh Cummings
6eadf7b140
Unlock dependencies for 5.3.0.RELEASE
...
This reverts commit 147d7dadd7.
2020-03-04 12:02:48 -07:00
Josh Cummings
147d7dadd7
Lock dependencies for 5.3.0.RELEASE
2020-03-04 10:28:39 -07:00
AmitB
2ce9eef95e
Fix typo in AntPathRequestMatcher constructor comment
2020-03-02 07:14:27 -06:00
Joe Grandja
82cd203791
Remove unnecessary mocking
...
Fixes gh-8012
2020-02-23 19:35:16 -05:00
Josh Cummings
5bdf57d1e5
Remove Groovy and Spock Dependencies
...
Fixes gh-4939
2020-02-10 10:38:40 -07:00
Josh Cummings
bae50ecc05
AbstractSecurityWebApplicationInitializerTests groovy->java
...
Issue gh-4939
2020-02-10 10:38:39 -07:00
Eleftheria Stein
84b8a5abd7
Unlock dependencies for next development version
...
This reverts commit 064616f1ef.
2020-02-05 15:53:04 +01:00
Eleftheria Stein
064616f1ef
Lock dependencies for 5.3.0.RC1
2020-02-05 10:20:05 +01:00
Josh Cummings
cb9fd09150
Change AuthenticationWebFilter's constructor
...
Fixes gh-7872
2020-01-31 09:31:28 -07:00
Peter Keller
e62fb755e8
Set charset of BasicAuthenticationFilter converter
...
Allow BasicAuthenticationFilter to pick up the given credentials charset.
Fixes: gh-7835
2020-01-23 15:34:35 +01:00
Onur Kağan Özcan
1f6381d970
Set secure on cookie when logging out
...
Mark cookie secure flag to ensure cookie identity is the same
2020-01-13 11:01:33 +01:00
Rob Winch
ffccec953f
Fix HttpHeaderWriterWebFilterTests
...
Ensure setComplete() is subscribed to
2020-01-09 14:24:35 -06:00
Eleftheria Stein
fcc6457bef
Unlock dependencies for next development version
...
This reverts commit 93acf8f0f1.
2020-01-08 22:15:17 +01:00
Eleftheria Stein
93acf8f0f1
Lock dependencies for 5.3.0.M1
2020-01-08 19:41:10 +01:00
Onur Kağan Özcan
2015f392ef
Set secure when cancelling remember-me cookie
...
AbstractRememberMeServices sets the remember-me cookie by checking whether the request is secure, or secure usage is independently set to a fixed flag.
But when cancelling a cookie, the cookie is not being marked secure or not. This produces an inconsistency when using the secure flag as a part of the identity of the cookie.
2019-12-20 16:04:31 +01:00
Rob Winch
a8331ba7ed
CompositeServerHttpHeadersWriter Executes Sequentially
...
Fixes gh-7731
2019-12-12 11:23:56 -06:00
David Herberth
64e063d948
switches web authentication principal resolver to use reactive context
...
gh #6598
Signed-off-by: David Herberth <github@dav1d.de>
2019-12-12 15:33:23 +01:00
Rob Winch
8e53c3f269
DelegatingServerAuthenticationSuccessHandler Executes Sequentially
...
Fixes gh-7728
2019-12-12 08:32:44 -06:00
Rob Winch
73babc3314
DelegatingServerLogoutHandler Executes Sequentially
...
Fixes gh-7723
2019-12-11 15:39:27 -06:00
Joe Grandja
4d9cee116c
Display general error message when WebFlux oauth2Login() fails
...
Issue gh-5562 gh-6484
2019-12-05 16:54:31 -05:00
Filip Hrisafov
796859333f
Log full failed authentication exception in BasicAuthenticationFilter
2019-11-27 14:56:24 +01:00
Josh Cummings
5f17032ffd
Restore Removed Throws Clauses
...
In a recent clean-up, certain exceptions were removed from various
throws clauses.
This PR re-introduces throws clauses that are important for one of the
following reasons:
1. It's a method on a public interface
2. It's a method clearly designed for inheritance, for example, a
method stub, an abstract method, or indicated as such in the docs.
Fixes gh-7541
2019-10-30 12:13:54 -06:00
Rob Winch
635f7e1edd
CsrfWebFilter supports multipart/form-data
...
Fixes gh-7576
2019-10-28 14:06:10 -05:00
Filip Hrisafov
b9f122230b
Align javadoc of continueFilterChainOnUnsuccessfulAuthentication with actual behaviour
2019-10-23 14:50:57 -04:00
Michel Palourdio
d26f40f062
DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path.
2019-10-23 09:41:00 -04:00
Tadaya Tsuyukubo
62c7de03c3
Add RequestMatcher to AbstractPreAuthenticatedProcessingFilter
...
Moved the existing auth check logic to the matcher.
Issue: gh-5928
2019-10-22 16:55:54 -04:00
Eleftheria Stein
264daec697
Test context relative URL with multiple schemes
2019-10-16 15:32:02 -04:00
Josh Cummings
b764af6b9b
CookieServerCsrfTokenRepositoryTests Leading Dot
...
ResponseCookie removed support for having a leading dot in the cookie
domain.
Fixes gh-7500
2019-09-30 08:39:45 -06:00
Josh Cummings
7949dd492a
Move DelegatingServerAuthenticationSuccessHandlerTests
...
Moved from src/test/groovy to src/test/java
Issue gh-5332
2019-09-27 16:57:43 -06:00
Josh Cummings
5f905232cb
Polish CurrentSecurityContextArgumentResolvers
...
Fixes gh-7487
2019-09-27 13:19:08 -06:00
Rob Winch
00f8991fac
Merge Remove Redundant Throws
...
Fixes gh-7301
2019-09-19 11:04:53 -05:00
Onur Kagan Ozcan
034b5e9e93
Introduce LogoutSuccessEvent
...
LogoutSuccessEvent is a simple AbstractAuthenticationEvent implementation which indicates successful logout.
By default, LogoutConfigurer will add a new LogoutHandler called LogoutSuccessEventPublishingLogoutHandler to publish this event.
This PR will also fix ConcurrentSessionFilter's composite logoutHandler, which will now get LogoutHandler instances from LogoutConfigurer for consistency.
Fixes gh-2900
2019-09-18 10:57:16 -05:00
Josh Cummings
7576dc44d7
AuthenticationFilter Session Fixation Protection
...
Fixes gh-7446
2019-09-17 08:17:09 -06:00
Josh Cummings
496a2cdc60
Make AuthenticationFilter methods private
...
Fixes gh-7447
2019-09-17 08:06:21 -06:00
Josh Cummings
aa12748c9b
Add Request-level CSRF Skip
...
Fixes gh-7367
2019-09-13 19:04:05 +01:00
Eleftheria Stein
9f0986a093
Fix javadoc typo for invalid session strategy
2019-09-09 16:51:14 -04:00
Filip Hanik
08d50868c9
Merge pull request #7260 from fhanik/feature/saml2-sp-mvp
...
Add SAML Service Provider Support
2019-09-05 17:04:14 -07:00
Filip Hanik
e9a44bc0ce
HttpSecurity.saml2login() - MVP Core Code
...
Implements minimal SAML 2.0 login/authentication functionality with the
following feature set:
- Supports IDP initiated login at the default url of /login/saml2/sso/{registrationId}
- Supports SP initiated login at the default url of /saml2/authenticate/{registrationId}
- Supports basic java-configuration via DSL
- Provides an integration sample using Spring Boot
Not implemented with this MVP
- Single Logout
- Dynamic Service Provider Metadata
Fixes gh-6019
2019-09-05 14:40:08 -07:00
Rob Winch
2a1f3f6aa7
Remove Package Tangle in HeaderWriterFilter
...
Fixes gh-7380
2019-09-05 16:08:45 -05:00
Josh Cummings
39e84013f7
ClearSiteDataHeaderWriter Directives
...
Fixes gh-7347
2019-09-03 15:57:10 -06:00
Eleftheria Stein
ad0d3e9702
Polish remember me username check
2019-09-03 11:48:46 -04:00
Scott Murphy
26ae590c68
Check that userdetails for username exists. #7251
2019-09-03 11:48:46 -04:00
kostya05983
f6c650db47
Replace Streams with Loops
...
First version of replacing streams
fix wwwAuthenticate and codestyle
fix errors in implementation to pass tests
Fix review notes
Remove unnecessary final to align with cb
Short circuit way to authorize
Simplify error message, make code readable
Return error while duplicate key found
Delete check for duplicate, checkstyle issues
Return duplicate error
Fixes gh-7154
2019-09-02 15:30:48 -06:00
Lars Grefer
95511331fa
fix checkstyle
2019-08-26 22:42:26 +02:00
watsta
2c2e8e5f24
Remove internal Optional usage in favor of null checks
...
Issue gh-7155
2019-08-26 09:27:40 -04:00
Lars Grefer
34dd5fea30
Remove redundant throws clauses
...
Removes exceptions that are declared in a method's signature but never thrown by the method itself or its implementations/derivatives.
2019-08-23 01:03:54 +02:00
Daniel Wegener
1a233a58c7
Add OnCommittedResponseWrapper.setContentLengthLong
...
Add setContentLengthLong tracking to OnCommittedResponseWrapper in
order to detect commits on servlets that use setContentLengthLong to
announce the entity size they are about to write (as used in the
Apache Tomcat's DefaultServlet).
Fixes gh-7261
2019-08-19 21:14:41 -04:00
Eleftheria Stein
4bc231872f
Expire as many sessions as exceed maximum allowed
...
Fixes: gh-7166
2019-08-15 09:48:42 -05:00
Josh Cummings
9735a718cc
Remove MultiTenantAuthenticationManagerResolver
...
Fixes gh-7259
2019-08-14 11:14:47 -06:00
Rob Winch
c1db1aad91
Cleanup Code Style Issues
...
Cleanup Code Style Issues
2019-08-12 13:06:49 -05:00
Lars Grefer
ec6ca97226
Fix tests
2019-08-11 21:09:10 +02:00
Lars Grefer
ff1070df36
remove redundant modifiers found by checkstyle
2019-08-10 00:18:56 +02:00
Lars Grefer
38de737663
Java 8: Statement lambda can be replaced with expression lambda
2019-08-09 16:59:07 -05:00
Lars Grefer
7b2a7847e5
Java 8: Single Map method can be used
2019-08-09 16:59:07 -05:00
Lars Grefer
25c06be1eb
Java 7: Identical 'catch' branches in 'try' statement
2019-08-09 16:59:07 -05:00
Lars Grefer
578d628774
'Collection.toArray()' call style
2019-08-09 16:57:31 -05:00
Lars Grefer
b388976ac8
fix checkstyle
2019-08-09 02:46:20 +02:00
Lars Grefer
35bdf1f009
Unnecessary semicolon
2019-08-09 00:43:13 +02:00
Lars Grefer
d9c1f03b84
Unnecessary interface modifier
2019-08-09 00:42:35 +02:00
Lars Grefer
40bee457f9
Unnecessary enum modifier
2019-08-09 00:42:07 +02:00
Lars Grefer
8d0ca14e55
Unnecessary conversion to String
2019-08-09 00:41:46 +02:00
Lars Grefer
fb39d9c255
Anonymous type can be replaced with lambda
2019-08-08 17:09:09 -04:00
Lars Grefer
05f42a4995
Remove unused imports
2019-08-08 14:22:31 -04:00
Lars Grefer
2056834432
Cleanup unnecessary unboxing
...
Unboxing is unnecessary under Java 5 and newer, and can be safely removed.
2019-08-06 10:17:38 -04:00
Lars Grefer
2306d987e9
Cleanup unnecessary boxing
2019-08-06 10:17:38 -04:00
Filip Hanik
2055466ad7
Add Javadoc
2019-08-05 19:43:00 -04:00
Filip Hanik
ddf68821cb
Add RequestMatcher.matcher(HttpServletRequest)
...
Step 3 - Usage of RequestVariablesExtractor or types that are assigned
to AntPathRequestMatcher should be replaced with the new method.
[closes #7148]
2019-08-05 19:43:00 -04:00
Eddú Meléndez
496579dde2
Add match result for servlet requests
...
Fixes gh-7148
2019-08-05 19:43:00 -04:00
Josh Cummings
774a2e669c
Polish setAllowedHostnames
...
Added JavaDoc to method, including @since attribute
Issue gh-4310
2019-08-03 19:19:44 -06:00
Eddú Meléndez
f712c5598c
Add support for allowedHostnames in StrictHttpFirewall
...
Introduce a new method `setAllowedHostnames` which performs the validation
against untrusted hostnames.
Fixes gh-4310
2019-08-03 21:16:45 -04:00
Khy
a5cfd9fdb9
Downgrade AuthenticationFilter modifier
...
Fixes gh-7177
2019-08-03 21:14:33 -04:00
Lars Grefer
776a4c3760
Use org.mockito.ArgumentMatchers in favor of org.mockito.Matchers
2019-08-03 12:28:37 -04:00
Rob Winch
ad2f999c25
Polish BasicAuthenticationConverter
...
This reverts to the old behavior from BasicAuthenticationFilter.
Specifically, if a token has an empty password, it still parses a username
and an empty String password.
Issue gh-7025
2019-08-02 09:04:55 -05:00
Josh Cummings
d157125c8e
Polish AuthenticationFilter
...
Updated member variable references to be prefixed with "this.".
Fixed typo in authentication manager resolver error message.
Issue: gh-6506
2019-08-01 16:26:54 -06:00
Eddú Meléndez
50adb6abcb
Fix javadoc
2019-07-31 15:36:30 -04:00
Eleftheria Stein
0b4502b2c5
Remove exceptions from lambda security configuration
...
Fixes: gh-7128
2019-07-30 08:31:37 -05:00
Eleftheria Stein
b55322b2cb
Make basic authentication scheme case-insensitive
...
Fixes: gh-7163
2019-07-29 16:30:03 -04:00
sbespalov
f1187bdfc2
issue/6506: AuthenticationConverter implementation
2019-07-23 17:31:21 -05:00
Clement Ng
ab6440db10
Throws exception when passed IP address with too long mask
...
Fixes gh-2790
2019-07-19 06:25:58 -04:00
Rob Winch
ea54d9014d
DSL nested builder for HTTP security
...
DSL nested builder for HTTP security
Fixes gh-5557
2019-07-12 16:09:19 -05:00
Lars Grefer
3ea9d376b2
Cleanup explicit type arguments
2019-07-10 09:32:41 -05:00
Lars Grefer
c5b5cc507c
Cleanup redundant type casts
2019-07-10 09:31:09 -05:00
Eleftheria Stein
758397f102
Allow configuration of headers through nested builder
...
Issue: gh-5557
2019-07-09 15:35:37 -04:00
Lars Grefer
43737a56bd
Use foreach where possible
2019-07-09 06:11:45 -06:00
Bruno Studer
8016a193b9
Optimize IpAddressMatcher
...
Get rid of byte array allocation in matcher and small optimizations
2019-07-03 23:27:12 -06:00
Lars Grefer
4b0fb19fff
Use MessageDigest.isEqual() where possible
...
fixes #7058
2019-07-03 05:40:20 -06:00
Lars Grefer
400e0c83b0
Add missing nullability annotation
2019-06-27 14:54:14 -05:00
Josh Cummings
f5da63118e
Add MultiTenantAuthenticationManagerResolver
...
A class with a number of handy request-based implementations of
AuthenticationManagerResolver targeted at common multi-tenancy
scenarios.
Fixes: gh-6976
2019-06-25 17:21:38 -06:00
Bagyoni Attila
878d262a26
Reimplement some hashCodes according to the currently recommended pattern.
...
These hashCode implementations seemed suspicious (field hashCodes XORed together with 31).
Included caseSensitive in AntPathRequestMatcher.hashCode() to be consistent with equals().
2019-06-18 12:44:57 -06:00
Rafiullah Hamedy
f6ed1db702
Introduced ReactiveAuthenticationManagerResolver
...
Suitable for multi-tenant reactive applications needing to branch
authentication strategies based on request details.
2019-06-13 08:52:19 -06:00
Clement Ng
e66369f6c6
Added null checks and tests to constructors
...
RequestKey, JaasGrantedAuthority, and SwitchUserGrantedAuthority
assume certain final members are non-null.
Issue: gh-6892
2019-05-29 16:10:36 -06:00
httpain
98a8467e4c
Fix javadoc typo
2019-04-30 10:42:25 -06:00
Alexey Nesterov
9a67441507
Add x509 support for Reactive Security
...
[gh #5038]
2019-04-26 12:15:18 -05:00
MD Sayem Ahmed
2c136f7b6c
Add Reactive Clear-Site-Data Support
...
1. A new implementation of ServerHttpHeadersWriter has been created to
add Clear-Site-Data header support.
2. A new implementation of ServerLogoutHandler has been created which
can be configured to write response headers during logout.
3. Added unit tests for both implementations.
Fixes gh-6743
2019-04-19 17:46:37 -06:00
Josh Cummings
20a7bc4785
Improved DigestAuthenticationFilter Test Coverage
...
Issue: gh-5462
2019-04-13 20:27:08 -06:00
Thomas Vitale
d88c2c19f0
Throw exception that was created but not thrown
...
Fixes gh-5462
2019-04-13 20:27:07 -06:00
Dan Zheng
22c8f63390
review phase2
2019-04-13 19:22:44 -06:00
Dan Zheng
570eb01733
review phase1
2019-04-13 19:22:44 -06:00