064616f1ef
Lock dependencies for 5.3.0.RC1
2020-02-05 10:20:05 +01:00
1d7208f8ef
Add RSocket Authentication Extension Support
...
Fixes gh-7935
2020-02-04 23:36:47 -06:00
209c81d65d
Add BadOpaqueTokenException
...
Updated NimbusOpaqueTokenIntrospector and
NimbusReactiveOpaqueTokenIntrospector to throw.
Updated OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager to catch.
Fixes gh-7902
2020-02-04 17:33:08 -07:00
0c3754c811
Add BadJwtException
...
Updated NimbusJwtDecoder and NimbusReactiveJwtDecoder to throw.
Updated JwtAuthenticationProvider and JwtReactiveAuthenticationManager
to catch.
Fixes gh-7885
2020-02-04 17:33:08 -07:00
3e07b35611
Polish Bearer Token Error Handling
...
Issue gh-7822
Issue gh-7823
2020-02-03 17:54:39 -07:00
ee6df1701b
Polish SessionManagementConfigurer
2020-01-31 11:24:36 -07:00
cb9fd09150
Change AuthenticationWebFilter's constructor
...
Fixes gh-7872
2020-01-31 09:31:28 -07:00
a512789a93
Fix requiresAuthenticationMatcher not being used
...
The custom server requiresAuthenticationMatcher was not always picked up
Fixes: gh-7863
2020-01-27 16:12:27 +01:00
29377545d9
Fix authenticationFailureHandler not being used
...
The custom server authenticationFailureHandler was not always picked up
Fixes: gh-7782
2020-01-27 13:10:03 +01:00
bdc60a9128
Don't cache requests with `Accept: text/event-stream` by default.
...
The eventstream requests is typically not directly invoked by the browser.
And even more unfortunately the Browser-Api doesn't allow the set additional headers as `XMLHttpRequest`..
2020-01-17 10:42:16 -08:00
f1f158b37e
AuthenticationEventPublisher DSL Lookup
...
Fixes gh-4400
2020-01-14 12:07:46 -07:00
5579846263
AuthenticationEventPublisher Bean Lookup
...
Issue gh-7793
Fixes gh-7515
2020-01-14 12:07:46 -07:00
fc9b97c94a
Typo in doc
2020-01-14 08:32:26 -07:00
f0856c83a9
Migrate LDAP integration tests groovy->java
...
This commit also removes BaseSpringSpec
Issue: gh-4939
2020-01-13 14:18:25 +01:00
a35ce77451
Add missing PowerMockIgnore annotation
...
WebSecurityConfigurerAdapterPowermockTests needs to exclude
javax.xml.transform.* from Powermock configuration.
2020-01-09 15:48:08 -07:00
ba21c156dd
Polish WebSecurityConfigurerAdapter tests
...
Moved Powermock-dependent test over to
WebSecurityConfigurerAdapterPowermockTests.
2020-01-09 13:51:19 -07:00
fcc6457bef
Unlock dependencies for next development version
...
This reverts commit 93acf8f0f1
2020-01-08 22:15:17 +01:00
93acf8f0f1
Lock dependencies for 5.3.0.M1
2020-01-08 19:41:10 +01:00
de87675f6d
Add JwtIssuerAuthenticationManagerResolver
...
Fixes gh-7724
2020-01-07 23:30:42 -07:00
2df1099da5
Idiomatic Kotlin DSL for configuring HTTP security
...
Issue: gh-5558
2020-01-07 12:08:43 -05:00
65981444f1
Use Version Ranges
...
Fixes gh-7788
2020-01-06 14:46:48 -06:00
06d7443946
Use Gradle platform and constraints
...
This was largely generated from the following script
wget bd9f8eb541/src/main/groovy/io/spring/gradle/convention/DependencySetPlugin.groovy
2020-01-06 14:46:36 -06:00
924b9e95a1
Polish MethodSecurityEvaluationContext
...
Issue: gh-6224
2020-01-03 20:08:52 -05:00
8b8267e1fe
Fix typo in LDAP Javadoc
2020-01-02 10:58:44 -05:00
b4619f31ee
Fix return type
...
AbstractConfiguredSecurityBuilder.objectPostProcessor() should cast to
B, the type of SecurityBuilder, instead of O, the type of object being
built.
Without this change, calls like
http.objectPostProcessor(...).getFilters() will fail with a
ClassCastException.
2019-12-30 12:01:56 -07:00
2c7f2c2117
Fix Javadoc error in oauth2ResourceServer
...
Fixes: gh-7670
2019-12-27 14:24:46 +01:00
af415948b1
Allow configuration of AuthenticationManagerResolver in saml2Login()
...
Fixes gh-7654
https://github.com/spring-projects/spring-security/issues/7654
2019-12-17 13:34:27 -08:00
9aa333ca4d
Use the custom ServerRequestCache that the user configures
...
on for the default authentication entry point and authentication
success handler
Fixes gh-7721
https://github.com/spring-projects/spring-security/issues/7721
Set RequestCache on the Oauth2LoginSpec default authentication success handler
import static ReflectionTestUtils.getField
Feedback incorporated per
https://github.com/spring-projects/spring-security/pull/7734#pullrequestreview-332150359
2019-12-17 13:33:56 -08:00
02f161aba7
Use OidcIdToken.Builder
...
Issue gh-7592
2019-12-12 07:37:15 -07:00
c40a17b4d1
WebFlux oauth2Login() redirects on failed authentication
...
Fixes gh-5562 gh-6484
2019-12-05 16:50:43 -05:00
d8d59e97ac
Correctly configure authorization requests repository for OAuth2 login
...
To use custom ServerAuthorizationRequestRepository both OAuth2AuthorizationRequestRedirectWebFilter and
OAuth2LoginAuthenticationWebFilter should use the same repo provided in the configuration. Currently the former filter is
correctly configured, but the latter always uses default, WebSession based repository. So authorization code created
before redirect to authorization endpoint will never be found to complete OAuth2 login when custom
ServerAuthorizationRequestRepository is used.
This change also makes OAuth2Client and OAuth2Login authentication converters consistent.
Fixes gh-7675
2019-11-29 12:05:15 -05:00
b7cb93f671
Fix WebFlux logout disabling
...
Fixes: gh-7682
2019-11-28 14:40:25 +01:00
c38e57fa42
Fix class and variable names
2019-11-28 09:23:38 +01:00
8ebc7ca0ea
Fix InitializeAuthenticationProviderBeanManagerConfigurer Javadoc
2019-11-28 09:23:38 +01:00
8a95e5798d
Update @MessageMapping to match input/output cardinality
2019-11-22 15:07:38 -06:00
cd0bec48de
Fix typo in log message.
2019-11-21 15:55:27 -07:00
0d35194b47
Add sessionFixation Javadoc
2019-11-15 12:17:05 +01:00
ca8877c8c5
Updates javadoc for InitializeUserDetailsBeanManagerConfigurer
2019-11-13 10:34:10 +01:00
1188a3bb5f
Polish RememberMeConfigurer
...
Issue: gh-4140
2019-11-07 15:26:59 +01:00
b13f750646
Retrieve remember-me key from service as fallback
...
Fixes: gh-4140
2019-11-07 13:55:39 +01:00
9f6a36444a
Add missing schemas
2019-11-06 08:24:20 -06:00
925bf48ec0
Polish OAuth2ResourceServerConfigurerTests
...
To confirm that resource server only produces SCOPE_<scope>
authorities by default.
Issue gh-7596
2019-11-04 11:39:54 -07:00
0cafcf37e2
Make the loginProcessingUrl configurable for saml2Login()
...
Fixes gh-7565
https://github.com/spring-projects/spring-security/issues/7565
2019-10-31 08:20:12 -07:00
5f17032ffd
Restore Removed Throws Clauses
...
In a recent clean-up, certain exceptions were removed from various
throws clauses.
This PR re-introduces throws clauses that are important for one of the
following reasons:
1. It's a method on a public interface
2. It's a method clearly designed for inheritance, for example, a
method stub, an abstract method, or indicated as such in the docs.
Fixes gh-7541
2019-10-30 12:13:54 -06:00
635f7e1edd
CsrfWebFilter supports multipart/form-data
...
Fixes gh-7576
2019-10-28 14:06:10 -05:00
0ac5f5456f
Fix typo 'is' -> 'if' in javadoc
2019-10-25 13:27:11 -06:00
de7cbc82b5
Clarify in Javadoc that expressionHandler should not be null
...
Fixes: gh-2665
2019-10-23 15:10:39 -04:00
3051a79188
Merge Add hasAnyAuthority method in AuthorizePayloadsSpec.Access
2019-09-30 14:33:41 -05:00
a911f3d52f
Merge Add hasAnyRole method in AuthorizePayloadsSpec.Access
2019-09-30 14:14:59 -05:00
3854afad61
Merge Add denyAll method in AuthorizePayloadsSpec.Access
2019-09-30 14:05:42 -05:00
758af54796
ObjectPostProcessor Tests groovy->java
...
Issue gh-4939
2019-09-27 16:36:33 -06:00
a08be5bf6f
UrlAuthorizationsTests groovy->java
...
Issue gh-4939
2019-09-27 16:23:33 -06:00
870d83eb3e
PermitAllSupportTests groovy->java
...
Issue gh-4939
2019-09-27 16:23:33 -06:00
350bce761f
Add hasAuthority method to RSocketSecurity
...
Fixes gh-7435
2019-09-27 16:48:25 -05:00
5f905232cb
Polish CurrentSecurityContextArgumentResolvers
...
Fixes gh-7487
2019-09-27 13:19:08 -06:00
5ef6e7ed6f
Add author for SecurityReactorContextConfiguration
...
Issue gh-7422
2019-09-27 15:17:20 -04:00
0fea57d6a1
Optimize SecurityReactorContextConfiguration
...
Issue gh-7422
2019-09-27 14:46:39 -04:00
33ba292fed
Resource Server w/ SecurityReactorContextSubscriber
...
Fixes gh-7423
2019-09-27 11:01:04 -06:00
5a67971375
WebFluxSecurityConfiguration configures oauth2Client() by default
...
Fixes gh-7470
2019-09-27 10:04:19 -04:00
08d2c93713
Polish gh-7466
2019-09-26 22:11:53 -04:00
9bae0a4dbd
Allow to customize OAuth2AuthorizationRequestRedirectWebFilter in OAuth2LoginSpec
...
Fixes gh-7466
2019-09-26 17:19:32 -04:00
2a5bd6e719
Align Servlet ExchangeFilterFunction CoreSubscriber
...
Fixes gh-7422
2019-09-26 16:17:17 -04:00
d3b7a47ef8
Polish gh-4442
2019-09-25 21:37:31 -04:00
da9f027fa4
Add nonce to OIDC Authentication Request
...
Fixes gh-4442
2019-09-25 14:57:54 -04:00
ceab56f764
Fix AuthorizationPayloadInterceptor order using PayloadInterceptorOrder.AUTHORIZATION
...
Fixes gh-7434
2019-09-24 15:39:25 -05:00
9f18c2e21a
OAuth2AuthorizationCodeGrantWebFilter matches on registered redirect-uri
...
Fixes gh-7036
2019-09-24 11:07:36 -04:00
98e75eb51a
Fix Javadoc for anonymous
2019-09-23 11:06:28 -04:00
00f8991fac
Merge Remove Redudant Throws
...
Fixes gh-7301
2019-09-19 11:04:53 -05:00
3a66191756
Add hasAnyAuthority method in AuthorizePayloadsSpec.Access
...
See Fixes gh-7437
Co-authored-by: Eddú Meléndez <eddu.melendez@gmail.com>
2019-09-18 21:17:09 -05:00
034b5e9e93
Introduce LogoutSuccessEvent
...
LogoutSuccessEvent is a simple AbstractAuthenticationEvent implementation which indicates successful logout.
By default, LogoutConfigurer will add a new LogoutHandler called LogoutSuccessEventPublishingLogoutHandler to publish this event.
This PR will also fix ConcurrentSessionFilter's composite logoutHandler, now will get LogoutHandler instances from LogoutConfigurer for consistency.
Fixes gh-2900
2019-09-18 10:57:16 -05:00
9926ad68b8
add hasAnyRole method in AuthorizePayloadsSpec.Access
2019-09-18 07:59:20 -05:00
daf6b53e3a
Add denyAll method in AuthorizePayloadsSpec.Access
...
See gh-7437
Co-authored-by: Eddú Meléndez <eddu.melendez@gmail.com>
2019-09-17 20:17:10 -05:00
05caf3d8fb
Use Jwt.Builder
...
Fixes gh-7443
2019-09-16 14:00:25 -06:00
1176d0cfdb
Polish DefaultFilters,Issue55Tests
...
Formatted HttpSecurity and WebSecurity configuration stacks
Removed unnecessary code
Issue gh-4939
2019-09-16 13:56:17 -06:00
950e6422a1
Migrate DefaultFilters,Issue55Tests groovy->java
...
Issue gh-4939
2019-09-16 13:37:22 -06:00
101e0a21a8
Bearer WebClient Filter Authentication Propagation
...
Fixes: gh-7418
2019-09-11 16:27:21 +01:00
96d44cd4b7
Add Default RSocketSecurity
...
Fixes gh-7361
2019-09-09 16:10:55 -05:00
5d0815bc76
Allow RSocketMessageHandlerITests to timeout
...
Fixes gh-7415
2019-09-09 16:10:50 -05:00
6296e6e896
RSocketSecurity delegates to correct matcher
...
Fixes gh-7414
2019-09-09 16:09:23 -05:00
1b699a49fb
Polish RSocket packaging
...
Fixes gh-7413
2019-09-09 16:07:14 -05:00
aa533c2565
Add missing javadoc to session fixation
2019-09-06 16:33:51 -04:00
316380e622
Allow Custom PayloadInterceptor to be Added
...
Fixes gh-7362
2019-09-06 14:52:47 -05:00
a60446836b
OAuth2AuthorizeRequest supports attributes
...
Fixes gh-7341
2019-09-05 21:04:25 -04:00
08d50868c9
Merge pull request #7260 from fhanik/feature/saml2-sp-mvp
...
Add SAML Service Provider Support
2019-09-05 17:04:14 -07:00
e9a44bc0ce
HttpSecurity.saml2login() - MVP Core Code
...
Implements minimal SAML 2.0 login/authentication functionality with the
following feature set:
- Supports IDP initiated login at the default url of /login/saml2/sso/{registrationId}
- Supports SP initiated login at the default url of /saml2/authenticate/{registrationId}
- Supports basic java-configuration via DSL
- Provides an integration sample using Spring Boot
Not implemented with this MVP
- Single Logout
- Dynamic Service Provider Metadata
Fixes gh-6019
2019-09-05 14:40:08 -07:00
9639962e27
Fix RSocket Package Tangle
...
Issue gh-7360
2019-09-05 16:27:57 -05:00
7ad641d106
RSocket Tests use Available Port
...
Issue gh-7360
2019-09-05 09:16:07 -05:00
26a65249f9
Remove invalid characters
2019-09-05 04:32:34 -06:00
5a4eded696
Add RSocket Support
...
Fixes gh-7360
2019-09-04 19:24:01 -05:00
dcd997ea43
Add support for Resource Owner Password Credentials grant
...
Fixes gh-6003
2019-09-04 14:07:45 -04:00
de672e3ae9
Polish oauth2ResourceServer() Error Messaging
...
Fixes: gh-6876
2019-09-04 11:49:22 -06:00
1fc5b27fa2
Update LogoutConfigurerClearSiteData Tests
...
Issue gh-7347
2019-09-04 03:30:37 -06:00
068f4f0147
Polish Opaque Token
...
Use OAuth2AuthenticatedPrincipal
Use BearerTokenAuthentication
Update names to reflect more generic approach.
Fixes gh-7344
Fixes gh-7345
2019-09-03 15:58:05 -06:00
8773c7994f
Allow to set default securityContextRepository for each authentication mechanisms
...
Fixes gh-7249
2019-09-03 07:46:59 -06:00
f6c650db47
Replace Streams with Loops
...
First version of replacing streams
fix wwwAuthenticate and codestyle
fix errors in implementation to pass tests
Fix review notes
Remove uneccessary final to align with cb
Short circuit way to authorize
Simplify error message, make code readably
Return error while duplicate key found
Delete check for duplicate, checkstyle issues
Return duplicate error
Fixes gh-7154
2019-09-02 15:30:48 -06:00
d6d0d89ff8
NamespaceRememberMeTests groovy->java
...
Issue gh-4939
2019-09-02 13:08:21 -06:00
bf5b693549
NamespaceHttpOpenIDLoginTests groovy->java
...
Issue gh-4939
2019-08-30 15:54:43 -06:00
95511331fa
fix checkstyle
2019-08-26 22:42:26 +02:00
2c2e8e5f24
Remove internal Optional usage in favor of null checks
...
Issue gh-7155
2019-08-26 09:27:40 -04:00
34dd5fea30
Remove redundant throws clauses
...
Removes exceptions that are declared in a method's signature but never thrown by the method itself or its implementations/derivatives.
2019-08-23 01:03:54 +02:00
Eleftheria Stein
Rob Winch
Josh Cummings
James
Johannes Edmeier
Vincent Ricard
BELHAKEL Ammar
Filip Hanik
Joe Grandja
Alexey Nesterov
Ruslan Stelmachenko
Pim Moerenhout
Paul Pazderski
Adrian Pena
邓超
Yanming Zhou
Vitalii Mahas
Luis Felipe Vega Calle
Roman Chigvintsev
Mark Heckler
Jesús Ascama
Ebert Toribio
Onur Kagan Ozcan
Manuel Tejeda
kostya05983
Eddú Meléndez
Lars Grefer
watsta