Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
7,103 Commits 29 Branches 320 Tags 104 MiB
Commit Graph

813 Commits

Author SHA1 Message Date
Rob Winch 483e25f821 HttpSessionRequestCache Allow Any SavedRequest 
Fixes: gh-5585
 2018-07-26 15:14:11 -05:00
Rob Winch fa0565109b Add SimpleSavedRequest 
Fixes: gh-5581
 2018-07-26 15:14:11 -05:00
Rob Winch f48404a6a0 Default Log In Pages Use HTTPS for CSS 
Fixes: gh-5539
 2018-07-18 20:06:17 -05:00
Rob Winch d468d7e6da Cache Control disabled for 304 
Fixes: gh-5534
 2018-07-17 22:13:33 -05:00
Rob Winch d595098823 Rename @TransientAuthentication to @Transient 
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.

Issue: gh-5481
 2018-07-16 11:31:10 -05:00
Josh Cummings 28afb4e3d7 Access Denied Handling Defaults 
This introduces the capability for users to wire denial handling
by request matcher, similar to how users can already do with
authentication entry points.

This is handy for when denial behavior differs based on the contents
of the request, for example, when the Authorization header indicates
an OAuth2 Bearer Token request vs Basic authentication.

Fixes: gh-5478
 2018-07-16 10:40:46 -05:00
Josh Cummings 3c46727be1 Transient Authentication Tokens 
This commit introduces support for transient authentication tokens
which indicate to the filter chain, specifically the
HttpSessionSecurityContextRepository, whether or not the token ought
to be persisted across requests.

To leverage this, simply annotate any Authentication implementation
with @TransientAuthentication, extend from an Authentication that uses
this annotation, or annotate a custom annotation.

Implementations of SecurityContextRepository may choose to not persist
tokens that are marked with @TransientAuthentication in the same way
that HttpSessionSecurityContextRepository does.

Fixes: gh-5481
 2018-07-16 10:40:45 -05:00
Rob Winch a3210c96d9 Default Log Out Page 
Fixes: gh-5516
 2018-07-15 19:45:20 -05:00
Rob Winch 05ed028f9d Modernize Default Log In Page 
Fixes: gh-5515
 2018-07-15 19:43:42 -05:00
Rob Winch c3177a84a3 Override toString() in all RequestMatcher 
It makes it easier to debug having custom
toString().

Fixes: gh-5446
 2018-06-15 11:27:28 -05:00
Joe Grandja 48ef7c966d DefaultLoginPageGeneratingFilter escapes OAuth2 ClientRegistrations 
Fixes gh-5394
 2018-05-29 10:14:50 -04:00
Rob Winch b3ca598679 Add WebClient Bearer token support 
Fixes: gh-5389
 2018-05-25 15:17:08 -05:00
Rob Winch 6a12415d23 Add DelegatingServerLogoutHandler(List<ServerLogoutHandler> delegates) 
Issue: gh-4839
 2018-05-24 09:44:29 -05:00
Eric Deandrea 8c3fdb3bcf DelegatingServerLogoutHandler 
Create a ServerLogoutHandler which delegates to a group of
ServerLogoutHandler implementations.

Fixes gh-4839
 2018-05-24 09:39:12 -05:00
Rob Winch 73345e7434 Add Cross Site Tracing (XST) & HTTP Method Tampering Protection 
Fixes: gh-5377
 2018-05-24 09:35:40 -05:00
Rob Winch f29e4cf91f LoginPageGeneratingWebFilter conditionally renders formLogin 
Issue: gh-4807
 2018-05-14 16:38:13 -05:00
Rob Winch 7013c6fd76 Add OAuth2LoginSpec 
Issue: gh-4807
 2018-05-11 04:19:50 -05:00
Rob Winch ca9cd20832 Add DelegatingServerAuthenticationSuccessHandler 
Fixes: gh-5332
 2018-05-11 04:19:50 -05:00
Rob Winch d874c4954e AuthenticationWebFilter handle empty Authentication 
Fixes: gh-5333
 2018-05-11 04:19:50 -05:00
Rob Winch e78457d3a1 Fix checkstyle for CsrfServerLogoutHandlerTests 
Issue: gh-4840
 2018-05-11 04:16:48 -05:00
Eric Deandrea 26f53a20b3 Add CsrfServerLogoutHandler 
Create a CsrfServerLogoutHandler which invalidates the current CsrfToken

Fixes gh-4840
 2018-05-11 04:16:48 -05:00
Eric Deandrea 21750242cf Add HttpStatusReturningServerLogoutSuccessHandler 
An HttpStatusReturningServerLogoutSuccessHandler is missing on the
reactive side - essentially the reactive equivalent of
HttpStatusReturningLogoutSuccessHandler.

Fixes gh-5081
 2018-05-11 04:03:21 -05:00
Eric Deandrea bc9f8ec430 Add HttpStatusServerEntryPoint 
An HttpStatusServerEntryPoint is missing on the
reactive side - essentially the reactive equivalent of
HttpStatusEntryPoint.

Fixes gh-5082
 2018-05-11 04:00:49 -05:00
Artyom Emelyanenko 902fc0f657 Fixed confused word in the class javadoc 2018-05-07 16:54:40 -05:00
Eric Deandrea b3c5bfe4db CookieServerCsrfTokenRepository fails when cookie is null/empty 
The CookieServerCsrfTokenRepository fails with an IllegalArgumentException
 when a cookie is present but the value is null or empty.

Fixes gh-5315
 2018-05-07 16:16:51 -05:00
Rob Winch 3ba15a16bf Polish CookieServerCsrfTokenRepository 
- Only do work if subscribed to
- use test naming conventions
- Refactor tests to avoid extracting
  - Uses String for member names which are not type safe
  - Uses long argument list which makes assertions difficult to read

Issue: gh-5083
 2018-05-04 16:54:48 -05:00
Rob Winch 37b1136c0c Remove CookieServerCsrfTokenRepository builder methods 
This is inconsistent with the rest of the code base.

Issue: gh-5083
 2018-05-04 16:54:48 -05:00
Eric Deandrea 1eaecc12ec Add CookieServerCsrfTokenRepository 
A cookie implementation of ServerCsrfTokenRepository (like CookieCsrfTokenRepository)
is missing. In this implementation it would be nice to allow the setting of the domain as well.

Fixes: gh-5083
 2018-05-04 16:54:48 -05:00
Alexander Münch 0570cebbce Avoid unnecessary grow of ArrayList 
Adapted ArrayList size in CacheControlHeadersWriter::createHeaders()
 2018-05-04 14:23:31 -05:00
XYUU 3740d33e64 The HttpHeader's ContentLength is a byte unit 2018-05-04 14:18:03 -05:00
XYUU 23dd136efb The HttpHeader's ContentLength is a byte unit 2018-05-04 14:18:03 -05:00
Rob Winch 9bb841ac67 ExceptionTranslationFilter does not handle committed responses 
Fixes: gh-5273
 2018-04-30 16:49:51 -05:00
Rob Winch afdefe7b13 Fixes: gh-5190 2018-04-16 17:52:27 -05:00
Rob Winch 8fbec3f0f1 Polish NegatedServerWebExchangeMatcher 
Issue: gh-5170
 2018-03-29 21:17:40 -05:00
Tao Qian d83b67e4cb Add NegatedServerWebExchangeMatcher 
Fixes: gh-5170
 2018-03-29 21:16:11 -05:00
Rob Winch fb7394c1de Polish Javadoc 
Fixes: gh-5186
 2018-03-29 15:33:57 -05:00
Mark Hobson 3c07d99b0a Close quoted expected path in log when matching 2018-03-27 11:14:14 -05:00
Johnny Lim d20ed9f5c9 Fix @since for StrictHttpFirewall 2018-03-27 11:01:26 -05:00
Christoph Dreis d07cfe655d Use Supplier variants of Assert methods 2018-03-27 10:58:55 -05:00
Rob Winch b1d013e8f0 Fix JDK 9 
Issue: gh-5160
 2018-03-27 09:30:56 -05:00
Rob Winch 7e6ed52603 CookieClearingLogoutHandler adds uses contextPath + "/" 
Fixes: gh-2325
 2018-03-19 16:51:22 -05:00
Rob Winch d21338d212 Support errorOnInvalidType for Reactive AuthenticationPrincipal 
Fixes: gh-5096
 2018-03-09 12:05:55 -06:00
Rob Winch a2073b2b91 Support BeanResolver for Reactive AuthenticationPrincipal 
Fixes: gh-4326
 2018-03-09 12:05:55 -06:00
Rob Winch 949c7d68b8 Fix StrictHttpFirewall rules 
Fixes: gh-5044
 2018-03-08 21:30:23 -06:00
Rob Winch 055a2ca917 Polish Javadoc HttpStatusServerAccessDeniedHandler 2018-03-07 12:35:25 -06:00
Rob Winch 9f23212e43 HttpStatusServerAccessDeniedHandler use injected HttpStatus 
Fixes: gh-5078
 2018-03-07 12:35:25 -06:00
Rob Winch 8d75554b6b Lazily Create Throwables 
Fixes: gh-5040
 2018-02-26 16:24:40 -06:00
Rob Winch 0fc67f765a Polish StrictHttpFirewall Javadoc 
Also cleanup DefaultHttpFirewall Javadoc

Issue: gh-5008
 2018-02-15 17:18:28 -06:00
Rob Winch fcf967687b Add FilterSecurityInterceptor once per request test 
Issue: gh-4997
 2018-02-08 17:11:37 -06:00
json20080301 40a1281c66 FilterSecurityInterceptor once per request set attr 
Only set the attribute if once per request is true
 2018-02-08 17:10:45 -06:00