1100 Commits

Author SHA1 Message Date
Steve Riesenberg
bd43c1f28a
Merge branch '5.8.x'
# Conflicts:
#	web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
#	web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
Steve Riesenberg
c75ca10900
Add DeferredSecurityContext
Issue gh-12023
2022-10-17 19:33:58 -05:00
Joe Grandja
753e113a13
RequestMatcherDelegatingAuthorizationManager defaults to deny
Closes gh-11958
2022-10-13 11:12:00 -04:00
Steve Riesenberg
2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
Issue gh-11960
2022-10-13 09:39:55 -05:00
Josh Cummings
99a87179dd
Instrument Filter Chain
Closes gh-11911
2022-10-12 20:32:22 -06:00
Steve Riesenberg
7c872cf7fd
Merge branch '5.8.x'
2022-10-12 15:02:40 -05:00
Steve Riesenberg
440748ec65
Add test support for Xor CSRF tokens
Issue gh-4001
2022-10-12 15:02:15 -05:00
Daniel Garnier-Moiroux
27059ced87
Default X-Xss-Protection header value to "0"
Closes gh-9631
2022-10-07 17:42:55 -05:00
Steve Riesenberg
6753f9745e
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
Steve Riesenberg
f462134e87
Add reactive support for BREACH
Closes gh-11959
2022-10-07 16:34:17 -05:00
Steve Riesenberg
f4ca90e719
Add reactive interfaces for CSRF request handling
Issue gh-11959
2022-10-07 16:34:16 -05:00
Marcus Da Coregio
398f5dee7f
Remove deprecated RequestMatcher methods from Java Configuration
Closes gh-11939
2022-10-07 15:26:46 -03:00
Marcus Da Coregio
9fd195d419
Default to shouldFilterAllDispatcherTypes=true in XML
Closes gh-11970
2022-10-07 11:46:20 -03:00
Marcus Da Coregio
146d3269bc
Merge branch '5.8.x'
Closes gh-11971
2022-10-07 10:28:14 -03:00
Marcus Da Coregio
f3321c256c
Add XML support for shouldFilterAllDispatcherTypes
Closes gh-11492
2022-10-07 10:20:32 -03:00
Josh Cummings
12b9f2e196
use-authorization-manager defaults to true
Closes gh-11929
2022-10-06 08:12:46 -06:00
Marcus Da Coregio
c4d23f2b49
Use MvcRequestMatcher by default if Spring MVC is present
Closes gh-11899
2022-10-06 09:12:04 -03:00
Josh Cummings
2079309c5a
Add SecurityContextHolderStrategy XML Configuration for OAuth2
Issue gh-11061
2022-10-05 23:50:59 -06:00
Josh Cummings
7543effe89
Add SecurityContextHolderStrategy Java Configuration for OAuth2
Issue gh-11061
2022-10-05 23:50:58 -06:00
Josh Cummings
7e3841105b
Add SecurityContextHolderStrategy XML Configuration for Saml2
Issue gh-11061
2022-10-05 23:50:57 -06:00
Josh Cummings
19181a5afd
Add SecurityContextHolderStrategy Java Configuration for Saml2
Issue gh-11061
2022-10-05 23:50:56 -06:00
Josh Cummings
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 22:48:33 -06:00
Josh Cummings
7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests
Issue gh-11665
2022-10-05 22:18:41 -06:00
Steve Riesenberg
8b490de08d
Merge branch '5.8.x'
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
Steve Riesenberg
dce1c30522
Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Marcus Da Coregio
c2ed65c67a
Fix failing tests
Issue gh-9159
2022-10-05 14:59:33 -03:00
Marcus Da Coregio
76d7a85bc0
Use modified classpath test support for tests that depend on the classpath
Issue gh-11347
2022-10-04 15:32:19 -03:00
Marcus Da Coregio
77dcc691b3
Add modified classpath test support
Closes gh-11951
2022-10-04 15:32:18 -03:00
Marcus Da Coregio
5002199be3
Revert "Disable tests that need Spring MVC mocked in classpath"
This reverts commit c6978fba7c53c5bec765dba672b0ccb084e3048f.
2022-10-04 15:32:18 -03:00
Marcus Da Coregio
35f7e46d05
Remove WebSecurityConfigurerAdapter
Closes gh-10902
2022-10-04 15:13:04 -03:00
Steve Riesenberg
5de6da890b
Merge branch '5.8.x'
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
Marcus Da Coregio
c6978fba7c
Disable tests that need Spring MVC mocked in classpath
Issue gh-11347
2022-10-04 08:56:06 -03:00
Steve Riesenberg
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Steve Riesenberg
c847efd3fd
Fix servlet import
Issue gh-11347
Issue gh-9159
2022-10-03 15:10:56 -05:00
Steve Riesenberg
7c3cc1e386
Merge branch '5.8.x'
2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux
0e215a21ad
Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio
ad2abd39dc
Merge branch '5.8.x'
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
Marcus Da Coregio
039e0328e1
Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Rob Winch
4479cefade
Default Require Explicit Session Management = true
Closes gh-11763
2022-09-30 21:49:05 -05:00
Rob Winch
12a0ccf6de
Remove Explicit CSRF Config from DeferHttpSessionTests
Issue gh-11764
2022-09-30 21:49:04 -05:00
Steve Riesenberg
76fbca9f46
Merge branch '5.8.x'
2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commit adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Marcus Da Coregio
3bfdf6dd0f
Merge branch '5.8.x'
Closes gh-11922
2022-09-29 11:21:24 -03:00
Marcus Da Coregio
cf3349f31a
Configure ContentNegotiationStrategy in HttpSecurityConfiguration
Closes gh-11916
2022-09-29 11:21:08 -03:00
Josh Cummings
506e50bfd0
Move Saml2 Authentication Filters
Issue gh-8819
2022-09-26 10:44:27 -06:00
Steve Riesenberg
181ee7410b
Change default authority for oauth2Login()
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.

* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER

Documentation has been updated to include this implementation detail.

Closes gh-7856
2022-09-26 10:06:31 -05:00
Josh Cummings
37a160245f
Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-23 16:31:21 -06:00
Steve Riesenberg
bcb21c9384
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
Steve Riesenberg
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Steve Riesenberg
3c66ef6305
Change default SecurityContextRepository
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
2022-09-22 17:31:14 -05:00