Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,658 Commits 29 Branches 320 Tags 104 MiB
Commit Graph

12658 Commits

Author SHA1 Message Date
Steve Riesenberg 8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg 804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg 05e4a1dd20
Cache Xor CsrfToken 
Closes gh-11988
 2022-10-12 12:30:40 -05:00
Joe Grandja bf1e622751 Update What's New in 6.0 for PasswordEncoders 
Issue gh-11985
 2022-10-12 08:27:46 -04:00
Joe Grandja 716aa6df5c Merge branch '5.8.x' 2022-10-12 07:43:26 -04:00
Joe Grandja ffbcaca24a Update reference for PasswordEncoders 
Issue gh-10506
 2022-10-12 07:32:30 -04:00
Joe Grandja ed6a7f7730 Remove deprecated constructors in PasswordEncoders 
Closes gh-11985
 2022-10-12 02:38:25 -04:00
Joe Grandja 7af111cd33 Merge branch '5.8.x' 2022-10-12 01:28:01 -04:00
Joe Grandja c50441b59f Update default configuration for Pbkdf2PasswordEncoder 
The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.

Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256

New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256

The default salt length was also updated from 8 to 16.

Closes gh-10506, Closes gh-10489
 2022-10-12 00:45:10 -04:00
Joe Grandja f8419003eb Update default configuration for SCryptPasswordEncoder 
The recommended minimums for scrypt, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.

Previous default configuration:
cpuCost=16384, memoryCost=8, parallelism=1

New default configuration:
cpuCost=65536, memoryCost=8, parallelism=1

The default salt length was also updated from 64 to 16.

Issue gh-10506
 2022-10-12 00:14:07 -04:00
Joe Grandja 2ea62d0f8b Update default configuration for Argon2PasswordEncoder 
The recommended minimums for Argon2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.

Previous default configuration:
memory=4, iterations=3, parallelism=1

New default configuration:
memory=16, iterations=2, parallelism=1

Issue gh-10506
 2022-10-11 18:04:37 -04:00
Josh Cummings a453a71bed
Merge remote-tracking branch 'origin/5.8.x' 2022-10-10 12:37:15 -06:00
Josh Cummings 8d096554f8
Add AuthorizationEvent 
Closes gh-11972
 2022-10-10 12:28:57 -06:00
Marcus Da Coregio f9f41047cf Merge branch '5.8.x' 
Closes gh-11981
 2022-10-10 11:02:22 -03:00
Marcus Da Coregio 6e2e76978f Merge branch '5.7.x' into 5.8.x 
Closes gh-11980
 2022-10-10 11:01:56 -03:00
Marcus Da Coregio b17ba7cdcc Merge branch '5.6.x' into 5.7.x 
Closes gh-11979
 2022-10-10 11:01:27 -03:00
Marcus Da Coregio e0f8c711d8 Add default value for cloneOutputDirectory property 
Closes gh-11969
 2022-10-10 11:00:47 -03:00
Marcus Da Coregio c5e35bf32e Merge branch '5.8.x' 
Closes gh-11978
 2022-10-10 09:24:50 -03:00
Marcus Da Coregio 4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher 
Closes gh-11938
 2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux 27059ced87
Default X-Xss-Protection header value to "0" 
Closes gh-9631
 2022-10-07 17:42:55 -05:00
Steve Riesenberg dcda899c8c
Merge branch '5.8.x' 2022-10-07 17:40:37 -05:00
Steve Riesenberg 37fa49b32d
Polish gh-11952 2022-10-07 17:40:12 -05:00
Steve Riesenberg 6753f9745e
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
 2022-10-07 17:29:07 -05:00
Steve Riesenberg f462134e87
Add reactive support for BREACH 
Closes gh-11959
 2022-10-07 16:34:17 -05:00
Steve Riesenberg f4ca90e719
Add reactive interfaces for CSRF request handling 
Issue gh-11959
 2022-10-07 16:34:16 -05:00
Marcus Da Coregio 398f5dee7f Remove deprecated RequestMatcher methods from Java Configuration 
Closes gh-11939
 2022-10-07 15:26:46 -03:00
Marcus Da Coregio 9fd195d419 Default to shouldFilterAllDispatcherTypes=true in XML 
Closes gh-11970
 2022-10-07 11:46:20 -03:00
Marcus Da Coregio 146d3269bc Merge branch '5.8.x' 
Closes gh-11971
 2022-10-07 10:28:14 -03:00
Marcus Da Coregio f3321c256c Add XML support for shouldFilterAllDispatcherTypes 
Closes gh-11492
 2022-10-07 10:20:32 -03:00
Rob Winch 06c879b61a
Add Reference to Security Reporting 2022-10-06 21:33:21 -05:00
Josh Cummings 3de55dbc8b
Update to Reactor Snapshots 2022-10-06 11:07:50 -06:00
Marcus Da Coregio f650ebe545 Merge branch '5.8.x' 2022-10-06 13:50:50 -03:00
Marcus Da Coregio 8a5aed2983 Add deprecation warning to CsrfDsl#ignoringAntMatchers 
Issue gh-11347
 2022-10-06 13:50:38 -03:00
Marcus Da Coregio d6302aabbc Merge branch '5.8.x' 2022-10-06 13:21:52 -03:00
Marcus Da Coregio bc4ad52feb Add deprecation warning to mvcMatchers methods 
Issue gh-11347
 2022-10-06 13:21:27 -03:00
Josh Cummings 12b9f2e196
use-authorization-manager defaults to true 
Closes gh-11929
 2022-10-06 08:12:46 -06:00
Marcus Da Coregio 1aa3f1414e Start building against Spring Framework SNAPSHOTs 2022-10-06 09:28:28 -03:00
Marcus Da Coregio 52ab2303da Fix failing test 
Issue gh-11061
 2022-10-06 09:28:06 -03:00
Marcus Da Coregio c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present 
Closes gh-11899
 2022-10-06 09:12:04 -03:00
Josh Cummings 353ca76973
Merge remote-tracking branch 'origin/5.8.x' 2022-10-06 00:01:40 -06:00
Josh Cummings 380a6a2564
Polish SecurityContextHolderStrategy Usage 
- Add to HttpSessionSecurityContextRepository#saveContext

Issue gh-11060
 2022-10-05 23:59:14 -06:00
Josh Cummings 12ac7acb2c
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 23:53:40 -06:00
Josh Cummings 2079309c5a
Add SecurityContextHolderStrategy XML Configuration for OAuth2 
Issue gh-11061
 2022-10-05 23:50:59 -06:00
Josh Cummings 7543effe89
Add SecurityContextHolderStrategy Java Configuration for OAuth2 
Issue gh-11061
 2022-10-05 23:50:58 -06:00
Josh Cummings 7e3841105b
Add SecurityContextHolderStrategy XML Configuration for Saml2 
Issue gh-11061
 2022-10-05 23:50:57 -06:00
Josh Cummings 19181a5afd
Add SecurityContextHolderStrategy Java Configuration for Saml2 
Issue gh-11061
 2022-10-05 23:50:56 -06:00
Josh Cummings e90a11b1c0
Add SecurityContextHolderStrategy to Saml2 
Issue gh-11060
 2022-10-05 23:50:55 -06:00
Josh Cummings 14584b0562
Add SecurityContextHolderStrategy to OAuth2 
Issue gh-11060
 2022-10-05 23:50:54 -06:00
Josh Cummings 0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy 
Issue gh-11061
 2022-10-05 23:38:14 -06:00
Josh Cummings 72a46ddd31
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00