Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-03-26 03:51:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
20,592 Commits 50 Branches 376 Tags
Commit Graph

3269 Commits

Author SHA1 Message Date
Robert Winch
c71b178f63
Remove Unnecessary ObjectProvider<RoleHierarchy> roleHierarchy parameter 
Closes gh-18921
 2026-03-17 17:20:58 -05:00
Joe Grandja
22a98583f1 Enable null-safety in spring-security-oauth2-jose 
Closes gh-17821
 2026-03-13 11:58:29 -04:00
Josh Cummings
5687867a09
Fix Checkstyle 
Issue gh-18874

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-11 14:46:24 -06:00
Joe Grandja
36450d6c26 Fix checkstyle error 
Issue gh-18874
 2026-03-11 12:25:13 -04:00
Josh Cummings
a980368f26 Move Integration Test from Spring LDAP 
Closes gh-18874

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-10 15:44:07 -06:00
Joe Grandja
703ffaf143 Merge branch '7.0.x' 2026-03-10 15:59:29 -04:00
Joe Grandja
1906075b0c OAuth2DeviceVerificationEndpointFilter is applied after AuthorizationFilter 
Closes gh-18873
 2026-03-10 15:32:24 -04:00
Andrey Litvitski
d1ce69ca99 Specify charset in WWW-Authenticate for Basic Auth 
In this commit, we add support for the charset from RFC-7617, which
definitely solves the problem when the client does not know what charset
we are parsing with.

Closes: gh-18755

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
 2026-03-10 07:57:43 -06:00
Joe Grandja
c7235ec0a3 Allow custom token settings for OAuth 2.0 dynamic client registration 
Closes gh-18870
 2026-03-10 07:48:37 -04:00
Josh Cummings
17d2131fe9 Merge remote-tracking branch 'origin/7.0.x' 2026-03-09 17:13:45 -06:00
Ronny Perinke
e8e0da1ec6 Add Null Guard for Setting ReactiveUserDetailsPasswordService 
This use case specifically arises when using `ReactiveUserDetailsService`
without `ReactiveUserDetailsPasswordService`.

Closes gh-17986

Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com>
 2026-03-09 17:12:59 -06:00
wonderfulrosemari
07297e7a80 Add MessageExpressionAuthorizationManager 
Closes gh-12650

Signed-off-by: wonderfulrosemari <whwlsgur1419@naver.com>
 2026-03-03 18:56:47 -07:00
023-dev
b9f974b18f Remove compiler warnings for spring-security-config 
Signed-off-by: 023-dev <0_2_3@naver.com>
 2026-02-27 21:53:55 -06:00
Josh Cummings
eb25bbaa24
Merge branch '7.0.x' 2026-02-26 15:09:03 -07:00
Menashe Eliezer
ee97c83042 Update request-matcher schema and XML tests to use path 
Closes gh-18641

Signed-off-by: Menashe Eliezer <menashe.eliezer@gmail.com>
 2026-02-26 14:42:09 -07:00
Rob Winch
a4cadb5cc5
Merge Make PublicKeyCredentialCreationOptions Serializable 
Make PublicKeyCredentialCreationOptions Serializable
 2026-02-23 16:01:34 -06:00
Robert Winch
701736da5d
Fix checkstyle 
Issue gh-18354

Signed-off-by: Robert Winch <362503+rwinch@users.noreply.github.com>
 2026-02-23 15:43:55 -06:00
Mohammad Amin Pahlevani
9e5a425859
Make PublicKeyCredentialCreationOptions Serializable 
Closes gh-16431

Signed-off-by: Mohammad Amin Pahlevani <pahlevani@live.com>
 2026-02-23 15:43:40 -06:00
Robert Winch
53300be8d7
Fix checkstyle 
Issue gh-18530
 2026-02-23 15:16:02 -06:00
CHANHAN
d5ba9dcada
Add tests for intercept-url access attribute validation 
Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
 2026-02-23 15:16:02 -06:00
CHANHAN
fa87c78edb
fix missing access attribute validation in FilterInvocationSecurityMetadataSourceParser 
Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
 2026-02-23 15:16:02 -06:00
CHANHAN
f1e367f93d
fix missing access attribute validation in AuthorizationFilterParser 
Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
 2026-02-23 15:16:02 -06:00
Robert Winch
f8ac095d48 Add nullability contract to PasswordEncoder#encode implementations 
Signed-off-by: Stefano Cordio <stefano.cordio@gmail.com>AbstractValidatingPasswordEncoder.java
 2026-02-19 14:36:48 -06:00
Minu Kim
18068c9099 fix compile warning in spring-security-test 
Signed-off-by: Minu Kim <kmw106933@naver.com>
 2026-02-19 14:26:20 -06:00
DingHao
199473fcb3 Ability to configure authenticationDetailsSource in AnonymousConfigurer 
Closes gh-17831

Signed-off-by: DingHao <dh.hiekn@gmail.com>
 2026-02-05 17:19:03 -07:00
Joe Grandja
0eba9de7d4 Merge branch '7.0.x' 2026-02-05 04:55:34 -05:00
Joe Grandja
d3c42a7a4f Polish OAuth2ConfigurerUtils 2026-02-05 04:52:02 -05:00
Joe Grandja
e61c03f7c3 Fix to allow multiple PasswordEncoder beans 
Closes gh-18645
 2026-02-05 04:51:51 -05:00
Josh Cummings
70fc8fef3a Add Sample SAML Response in Test 
Issue gh-17823

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-02-03 08:54:14 -07:00
Josh Cummings
c5632ccd83
Add security-nullability to ldap 
Closes gh-17818

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-01-28 15:30:54 -07:00
Michael Lück
7513c859bd Fix javadoc warnings and apply plugin javadoc-warnings-error 
Closes to gh-18448

Signed-off-by: Michael Lück <michael@lueckonline.net>
 2026-01-23 14:13:54 -06:00
Robert Winch
d7fbf3673a
Fix consistency with Nullability Usage 
Issue gh-18564
 2026-01-23 10:42:53 -06:00
dev.paramjot
af73f85f66 Fix formatting in HttpSecurity.java documentation 
Signed-off-by: dev.paramjot <50148441+ParamjotSingh5@users.noreply.github.com>
 2026-01-21 16:43:03 -06:00
Robert Winch
048b6bdd88
Update to JDK 25 (release = 17) 
This commit updates the build to use JDK 25 while remaining compatable with JDK 17.

Note that we must update our JAAS related tests to use release=25 due to the disabling of
the Security Manager. See
https://docs.oracle.com/en/java/javase/25/security/security-manager-is-permanently-disabled.html

Closes gh-18512
 2026-01-16 11:25:59 -06:00
Robert Winch
63c99b9438
Revert "Update to 7.1.0-SNAPSHOT" 
This reverts commit b77ea8d3a3009940229239b4b442fe902acf4fba.
 2026-01-12 14:31:57 -06:00
Pavel Vassiliev
641d8a362b Fix Gradle 9.0 deprecations 
This commit addresses several build warnings and errors to prepare for
Gradle 9.0 and resolve static analysis issues.
Closes: gh-18472
Signed-off-by: Pavel Vassiliev <paulvas@gmail.com>

Signed-off-by: Pavel Vassiliev <paulvas@gmail.com>
 2026-01-12 13:43:16 -06:00
Robert Winch
b77ea8d3a3 Update to 7.1.0-SNAPSHOT 2026-01-12 13:37:32 -06:00
Tran Ngoc Nhan
d20c88ecef Format code 
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
 2026-01-08 13:35:43 -06:00
Tran Ngoc Nhan
79815e044e Fix typos 
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
 2026-01-08 13:35:43 -06:00
Josh Cummings
0155d4a345 Restore Check for DispatcherServlet on Classpath 
Closes gh-18315
 2025-12-15 12:18:22 -07:00
dependabot[bot]
e033086ab0 Bump org.springframework:spring-framework-bom from 7.0.1 to 7.0.2 
Includes fixes for Breaking Changes in Spring Framework 7.0.2:

- spring-projects/spring-framework#35916
- spring-projects/spring-framework#35947

Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 7.0.1 to 7.0.2.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v7.0.1...v7.0.2)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 7.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-12-15 11:25:19 -06:00
Josh Cummings
dbf93acb05 Check for spring-security-web on Classpath 
This commit refines the check for adding AuthorizationWebProxyConfiguration
to the application context. The web-based authorization proxy support is intended
for applying Spring Security Method Security primitives to Spring Web components;
as such, this implies a dependency on Spring Security Web.

Closes gh-18307
 2025-12-15 09:18:47 -07:00
Joe Grandja
c53e66a217 OAuth2AuthorizationEndpointFilter is applied after AuthorizationFilter 
Closes gh-18251
 2025-12-02 08:49:49 -05:00
Daniel Garnier-Moiroux
7cb57ab940 Improve webauthn webdriver tests 
Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
 2025-11-14 15:21:20 -06:00
Rob Winch
6471a32d66
Merge branch '6.5.x' 
Closes gh-18132
 2025-11-04 11:37:11 -06:00
Rob Winch
c1e9e10bf0
Merge branch '6.4.x' into 6.5.x 
Closes gh-18131
 2025-11-04 11:28:40 -06:00
Daniel Garnier-Moiroux
fed6df5167 Default WebAuthnConfigurer#rpName to rpId 
In WebAuthn L3 spec, PublicKeyCredentialEntity.name is deprecated:

> This member is deprecated because many clients do not display it,
> but it remains a required dictionary member for backwards compatibility.
> Relying Parties MAY, as a safe default, set this equal to the RP ID.

Source: https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialentity

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
 2025-11-04 11:16:22 -06:00
Rob Winch
0928a60cd2
Post Process WebAuthnAuthenticationFilter 
This commit ensures that WebAuthnAuthenticationFilter is
post processed by BeanPostProcessors and
ObjectPostProcessor.

Closes gh-18128
 2025-11-04 10:54:45 -06:00
Rob Winch
884cf0d62e
EnableGlobalMultiFactorAuthentication->EnableMultiFactorAuthentication 
Closes gh-18127
 2025-11-03 22:42:28 -06:00
Rob Winch
aaf738f7ac
MFA is now Opt In 
This commit ensures that MFA is only performed when users opt in. By
doing so, we allow users to decide if they will opt into the semantics
of merging two Authentication instances.

Closes gh-18126
 2025-11-03 22:42:27 -06:00