Commit Graph

2501 Commits

Author SHA1 Message Date
Josh Cummings 90b37d6d07
Merge branch '5.8.x' into 6.0.x 2023-05-24 14:38:23 -06:00
Josh Cummings 73cb9862ad
Update Symlink for 5.8
Issue gh-13131
2023-05-24 14:37:18 -06:00
Josh Cummings be409ada10
Merge branch '6.0.x'
Closes gh-13209
2023-05-22 15:43:43 -06:00
Josh Cummings 7c54c0e4fa
Merge branch '5.8.x' into 6.0.x
Closes gh-13208
2023-05-22 15:43:27 -06:00
Josh Cummings 62ede47d86
Merge branch '5.7.x' into 5.8.x
Closes gh-13207
2023-05-22 15:42:36 -06:00
Josh Cummings 1eefd433b6
Add spring-security.xsd symlink
Closes gh-13131
2023-05-22 15:42:02 -06:00
Josh Cummings 31f1604f66
Merge branch '6.0.x'
Closes gh-13199
2023-05-19 16:44:18 -06:00
Josh Cummings 7efa275abc
Merge branch '5.8.x' into 6.0.x
Closes gh-13198
2023-05-19 16:43:57 -06:00
Josh Cummings 35ad1f857e
Only Register as Advisor in Proxy Mode
Closes gh-13160
2023-05-19 16:33:46 -06:00
Josh Cummings 49366907e2
Merge branch '6.0.x'
Closes gh-13183
2023-05-15 17:31:48 -06:00
Josh Cummings b438bc5384
Merge branch '5.8.x' into 6.0.x
Closes gh-13182
2023-05-15 17:30:14 -06:00
lukasz.migdalek f4915890cc
Use Spec Order for Verifying Signatures
Closes gh-12346
2023-05-15 17:24:22 -06:00
Josh Cummings 5814f614c7
Merge branch '6.0.x'
Closes gh-13128
2023-05-02 16:56:37 -06:00
Josh Cummings 46ad9c122e
Merge branch '5.8.x' into 6.0.x
Closes gh-13127
2023-05-02 16:56:06 -06:00
Josh Cummings e9a02bc6e9
RememberMeConfigurer Picks Up SecurityContextRepository
Closes gh-13104
2023-05-02 16:46:35 -06:00
Marcus Da Coregio 45efd48b93 Merge branch '6.0.x'
Closes gh-13122
2023-05-02 10:13:24 -03:00
Marcus Da Coregio 69338ecdfa Only Observe AuthenticationManager if it is not null
Closes gh-13084
2023-05-02 10:12:46 -03:00
SeasonPan a44e91d044 fix javadoc typo 2023-04-24 16:41:17 -06:00
Josh Cummings f261242db1
Merge branch '5.7.x' into 5.8.x 2023-04-24 16:33:29 -06:00
Ruslan Stelmachenko caa4093619 Fix javadoc for migration from WebSecurityConfigurerAdapter 2023-04-24 16:32:16 -06:00
Josh Cummings dd14bbb365
Merge branch '6.0.x' 2023-04-18 12:42:55 -06:00
Josh Cummings 1e25756ee6
Fix Import Order 2023-04-18 12:42:25 -06:00
Josh Cummings 68b198f091
Merge branch '6.0.x' 2023-04-18 12:20:44 -06:00
Josh Cummings 64542b4059
Polish X509 SecurityContextRepository
Like Basic and Bearer authentication, X509 is
stateless by default. As such, it is better to not
pick up the global SecurityContextRepository bean.

The better fix is to change the default from
HttpSessionSecurityContextRepository to
RequestAttributeSecurityContextRepository.

Issue gh-13008
2023-04-18 12:18:20 -06:00
Josh Cummings c79f04cd11
Merge branch '6.0.x'
Closes gh-13063
2023-04-17 17:07:32 -06:00
Josh Cummings c3479ddb45
Pick Up SecurityContextRepository
Closes gh-13008
2023-04-17 17:06:06 -06:00
Marcus Da Coregio 04b3d07319 Merge branch '6.0.x' 2023-04-17 07:30:54 -03:00
Marcus Da Coregio a484044591 Merge branch '5.8.x' into 6.0.x 2023-04-17 07:29:42 -03:00
Marcus Da Coregio 6cf8c53aaa Merge branch '5.7.x' into 5.8.x 2023-04-17 07:16:47 -03:00
Marcus Da Coregio 2d52fb8e4b Clear Repository on Logout 2023-04-17 06:47:57 -03:00
Marcus Da Coregio 82a149207d Deprecate .and() and non lambda DSL methods
Closes gh-12629
2023-04-14 15:50:58 -03:00
Marcus Da Coregio 1a4a2a9055 Merge branch '5.8.x' into 6.0.x 2023-04-14 13:32:10 -03:00
Marcus Da Coregio 54117d7d27 Fix test suffix to align with checkstyle 2023-04-14 13:29:15 -03:00
Marcus Da Coregio 01d1e20dc3 Deprecate shouldFilterAllDispatcherTypes
Closes gh-12138
2023-04-13 15:05:10 -03:00
Marcus Da Coregio 57e134cc5f Merge branch '6.0.x' 2023-03-22 10:12:28 -03:00
Marcus Da Coregio 67645b32f4 Merge branch '5.8.x' into 6.0.x 2023-03-22 10:12:11 -03:00
Marcus Da Coregio fd65dc6756 Merge branch '5.7.x' into 5.8.x 2023-03-22 10:08:17 -03:00
Martin Tarjányi 5eefe9dcff Fix typo in SessionManagementConfigurer javadoc 2023-03-22 10:07:44 -03:00
Josh Cummings ca9139b68f
Merge branch '6.0.x' 2023-03-20 17:02:15 -06:00
twosom cbb4e40166 fix typo in RequestCacheResultMatcher 2023-03-20 17:02:00 -06:00
Josh Cummings a4bc0a6f3c Polish
- Add POST /login assertion
- Rearrange test and config class

Issue gh-12552
2023-03-20 14:31:13 -06:00
Clayton Walker e2332d9620 Add disable to FormLoginDsl
Closes gh-12552
2023-03-20 14:31:13 -06:00
Josh Cummings a7562ad950
Update io.spring.javaformat to 0.0.38
Closes gh-12891
2023-03-20 10:44:35 -06:00
Josh Cummings 3ad6c6ce06 Use EntityId-lookup Components
Closes gh-12880
2023-03-17 18:00:02 -06:00
Josh Cummings 46452c0cae Add saml2Metadata
Closes gh-11828
2023-03-17 18:00:02 -06:00
hdeadman e0284a4503 Fix CAS packages for 4.0.1 and Jasig references
Issue gh-11674
2023-03-01 17:21:24 -03:00
hdeadman b4d3ac6665 Revert "Remove CAS module"
This reverts commit caf4c471
2023-03-01 17:21:23 -03:00
Josh Cummings f5a4b520d1
Merge branch '6.0.x'
Closes gh-12781
2023-02-24 11:04:03 -07:00
Josh Cummings bbd31f0e33
Defer ObservationRegistry Lookup
Closes gh-12780
2023-02-24 11:03:32 -07:00
Marcus Da Coregio 963a18a27f Merge branch '6.0.x'
Closes gh-12778
2023-02-23 15:17:47 -03:00
Marcus Da Coregio 7d22e02593 Merge branch '5.8.x' into 6.0.x
Closes gh-12777
2023-02-23 15:17:25 -03:00
Marcus Da Coregio 97ba596ca3 Merge branch '5.7.x' into 5.8.x
Closes gh-12776
2023-02-23 15:17:04 -03:00
Marcus Da Coregio 1c3ce1e401 Fix entity-id ignored in RelyingPartyRegistration XML config
Closes gh-11898
2023-02-23 15:16:40 -03:00
Josh Cummings afb5a4ae2c
Merge branch '6.0.x'
Closes gh-12688
2023-02-16 14:56:55 -07:00
Josh Cummings cedb9fd199
Merge branch '5.8.x' into 6.0.x
Closes gh-12687
2023-02-16 14:56:32 -07:00
Josh Cummings 0baf650f38
Merge branch '5.7.x' into 5.8.x
Closes gh-12686
2023-02-16 14:55:22 -07:00
Leonid Rozenblyum 000b4bc495 Fix NPE in HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter
Before the fix, these methods would throw a NPE in case when the filter class passed as the second parameter, is not registered yet.

In particular, this exception can occur when mixing standard and custom DSL to register filters.

The fix doesn't change the situation that standard DSL for registration of filters cannot refer to filters that are registered via custom DSL even though those calls were done earlier.

It just provides more user-friendly error handling for this and most likely other scenarios of calls of HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter.

The error handling is implemented similarly to HttpSecurity#addFilter.

Closes gh-12637
2023-02-16 14:54:44 -07:00
twosom cef13a6a16 Fix Javadoc Type Parameter 2023-02-15 15:31:09 -07:00
twosom c79dac49ca Fix Typo 2023-02-15 15:31:09 -07:00
Josh Cummings d91837eadc
Merge branch '6.0.x'
Closes gh-12641
2023-02-07 12:46:42 -07:00
Tobias Meurer 7dd5cc6082 Pick Up Custom SecurityContextRespository
Closes gh-12579
2023-02-07 12:46:12 -07:00
twosom c66370c092 Update javadoc in EnableWebSecurity 2023-02-07 12:45:23 -07:00
Marcus Da Coregio eb35d3055f Merge branch '6.0.x'
Closes gh-12640
2023-02-07 09:25:33 -03:00
Marcus Da Coregio 52ed165476 Move classpath checks to class member variable
Closes gh-11437
2023-02-07 09:25:06 -03:00
Marcus Da Coregio da28a426f2 Merge branch '6.0.x'
Closes gh-12625
2023-02-03 14:35:08 -03:00
Marcus Da Coregio 3572111cf5 Add JwtDecoder hint for oauth2Login
Closes gh-12615
2023-02-03 14:34:32 -03:00
Evgeniy Cheban 59829321a8
Allow configuring SecurityContextRepository for BasicAuthenticationFilter
Closes gh-12031
2023-02-03 10:09:16 -06:00
Steve Riesenberg 6abbdd3654
Merge branch '6.0.x' 2023-01-26 15:55:41 -06:00
Steve Riesenberg 13487be268
Default to XorCsrfChannelInterceptor in 6.0.x
Closes gh-12378
2023-01-26 15:45:04 -06:00
Steve Riesenberg 1363a4eece
Merge branch '5.8.x' into 6.0.x 2023-01-26 15:44:47 -06:00
Josh Cummings 1243d1327e
Merge branch '6.0.x'
Closes gh-12593
2023-01-26 14:09:19 -07:00
Josh Cummings c3563df25a
Include HttpStatusRequestRequestedHandler
Closes gh-12548
2023-01-26 14:07:22 -07:00
Josh Cummings 66711f2365
Add RequestRejectedHandler Test
Issue gh-12548
2023-01-26 13:07:16 -07:00
Steve Riesenberg c306df9b46
Add XorCsrfChannelInterceptor
Issue gh-12378
2023-01-23 16:00:35 -06:00
Evgeniy Cheban d84b8d2d12 AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context
Closes gh-12473
2023-01-10 10:54:37 -07:00
Josh Cummings e61b17fe13
Merge branch '6.0.x'
Closes gh-12514
2023-01-10 10:21:38 -07:00
Josh Cummings 5b6b3d585f
Change EnableReactiveMethodSecurity Defaults
Closes gh-12506
2023-01-10 08:30:52 -07:00
Joe Grandja e139f1c2ba Polish gh-12438 2022-12-22 11:16:19 -05:00
Spas Poptchev 919280b3e4 Allow ServerOAuth2AuthorizationRequestResolver to be set on oauth2 client configuration
Closes gh-12430
2022-12-22 10:12:18 -05:00
Marcus Da Coregio ca333203aa Merge branch '6.0.x'
Closes gh-12372
2022-12-14 10:30:55 -03:00
Marcus Da Coregio 7080ea652f Add hints for ProxyFactoryBean AuthenticationManager
Closes gh-12367
2022-12-14 10:16:04 -03:00
Marcus Da Coregio 03438ffc03 Merge branch '6.0.x' 2022-12-05 14:57:43 -08:00
Marcus Da Coregio f1698ec188 Fix removed code by merge 2022-12-05 14:57:28 -08:00
Marcus Da Coregio 0fdcde2d6f Merge branch '6.0.x' 2022-12-05 14:42:42 -08:00
Marcus Da Coregio 2fdf762726 Merge branch '5.8.x' into 6.0.x 2022-12-05 14:41:59 -08:00
Marcus Da Coregio 7aaa25b88e Merge branch '5.7.x' into 5.8.x 2022-12-05 14:40:54 -08:00
Marcus Da Coregio fc25b87967 Merge branch '5.6.x' into 5.7.x 2022-12-05 14:40:38 -08:00
Mitja Kotnik f39f215140 Replace javadoc with SecurityFilterChain bean definition 2022-12-05 14:40:05 -08:00
Guillaume Husta a5464ed819 Fix typo in DefaultLoginPageConfigurer Javadoc
'isLogoutRequest' seems to have nothing to do here.
2022-12-05 14:31:15 -08:00
Marcus Da Coregio e6173f9e5b Prepare for Spring Security 6.1 2022-11-28 15:47:10 -03:00
Marcus Da Coregio e774bd480b Merge branch '5.7.x' into 5.8.x
Closes gh-12261
2022-11-21 10:25:43 -03:00
Marcus Da Coregio f561d3784e Improve deprecation notice in WebSecurityConfigurerAdapter
Closes gh-12260
2022-11-21 10:05:08 -03:00
Steve Riesenberg dd9f954ace
Fix tests in CsrfConfigurerTests
Closes gh-12241
2022-11-18 14:58:41 -06:00
Steve Riesenberg 5da78f44f2
Merge branch '5.8.x' 2022-11-18 14:54:33 -06:00
Steve Riesenberg ea6ce05662
Add configurer tests for CookieCsrfTokenRepository
Issue gh-12236
2022-11-18 13:12:59 -06:00
Steve Riesenberg 2ed7cff643
Check for existing token before clearing
Closes gh-12236
2022-11-18 13:12:59 -06:00
Josh Cummings e08ed89403 Polish Span and Meter Names
Closes gh-12156
2022-11-17 15:09:52 -07:00
Steve Riesenberg 222f8ae1a5
Merge branch '5.8.x' 2022-11-16 16:54:32 -06:00
Jan Marten 2301e8ca77
Fix Javadoc in EnableWebSocketSecurity
Add missing method name in EnableWebSocketSecurity JavaDoc code example.
2022-11-16 16:51:42 -06:00
Josh Cummings c45cd6ec9f
Defer ObservationRegistry Resolution
- If Method Security asks for  too early, it is no longer
eligible for post-processing. As such, this commit defers loading it until
the first authorization request.

Issue gh-11990
2022-11-09 22:07:57 -07:00
Marcus Da Coregio 3b5d19c8a4 Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1
Closes gh-12146
Closes gh-12148
2022-11-08 08:34:21 -03:00
Marcus Da Coregio 72c25332a5 Fix authenticationFailureHandler customization tests
Issue gh-12132
2022-11-03 10:32:38 -03:00
Josh Cummings fc8e20b89f
Merge branch '5.8.x'
Closes gh-12133
2022-11-02 15:49:18 -06:00
Josh Cummings 3192618220
Add authenticationFailureHandler
- To ServerHttpSecurity#httpBasic
- To ServerHttpSecurity#oauthResourceServer

Closes gh-12132
2022-11-02 15:35:01 -06:00
Josh Cummings 983f1d4efb
Merge branch '5.8.x'
Closes gh-12127
2022-11-01 18:08:08 -06:00
Josh Cummings 6622e0135a
Merge branch '5.7.x' into 5.8.x
Closes gh-12126
2022-11-01 18:06:41 -06:00
Josh Cummings 6efac34ca7
Merge branch '5.6.x' into 5.7.x
Closes gh-12125
2022-11-01 18:06:01 -06:00
Koos Gadellaa 5c4362bbc4
Refresh parsers when not found
Closes gh-3065
2022-11-01 18:05:15 -06:00
Rob Winch d860775b45 Document Defer load CsrfToken
Closes gh-12105
2022-10-28 15:41:25 -05:00
Josh Cummings abe68abfe4
Merge remote-tracking branch 'origin/5.8.x' 2022-10-26 17:13:02 -06:00
mmoussa_mapfreusa bd4e0fb5db
Set LogoutRequestRepository on Saml2 LogoutSuccessHandler
Closes gh-11363
2022-10-26 16:44:23 -06:00
Rob Winch 9cb668aec2 SessionManagementConfigurer properly defaults SecurityContextRepository
Previously the default was an HttpSessionSecurityContextRepository which
meant that if a stateless authentication occurred the SecurityContext would
be lost on ERROR dispatch.

This commit ensures that the RequestAttributeSecurityContextRepository is
also consulted by default.

Closes gh-12070
2022-10-20 10:57:47 -05:00
Rob Winch a4858d9eaa Add SpringTestContext.addFilter
Add SpringTestContext.addFilter which allows Spring Security's tests
to specify a Filter to be added to the SpringTestContext.

Closes gh-12071
2022-10-20 10:54:24 -05:00
Steve Riesenberg 33b492df54
Default to DelegatingSecurityContextRepository
Closes gh-12023
Closes gh-12049
2022-10-17 20:04:43 -05:00
Steve Riesenberg bd43c1f28a
Merge branch '5.8.x'
# Conflicts:
#	web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
#	web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
Steve Riesenberg c75ca10900
Add DeferredSecurityContext
Issue gh-12023
2022-10-17 19:33:58 -05:00
Steve Riesenberg 819529f5ea
Remove CsrfSpec.tokenFromMultipartDataEnabled
Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled

Closes gh-12020
2022-10-13 11:29:15 -05:00
Joe Grandja 753e113a13 RequestMatcherDelegatingAuthorizationManager defaults to deny
Closes gh-11958
2022-10-13 11:12:00 -04:00
Steve Riesenberg 2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
Closes gh-11960
2022-10-13 09:39:57 -05:00
Steve Riesenberg 2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
Issue gh-11960
2022-10-13 09:39:55 -05:00
Josh Cummings 2713075d08
Mark Observations with Firewall Failures
Closes gh-11994
2022-10-12 20:32:24 -06:00
Josh Cummings 46ab84684b
Mark Observations with CSRF Failures
Closes gh-11993
2022-10-12 20:32:23 -06:00
Josh Cummings 99a87179dd
Instrument Filter Chain
Closes gh-11911
2022-10-12 20:32:22 -06:00
Josh Cummings 8c610684f3
Instrument Authentication and Authorization
Closes gh-11989
Closes gh-11990
2022-10-12 20:32:21 -06:00
Steve Riesenberg 7c872cf7fd
Merge branch '5.8.x' 2022-10-12 15:02:40 -05:00
Steve Riesenberg 440748ec65
Add test support for Xor CSRF tokens
Issue gh-4001
2022-10-12 15:02:15 -05:00
Daniel Garnier-Moiroux 27059ced87
Default X-Xss-Protection header value to "0"
Closes gh-9631
2022-10-07 17:42:55 -05:00
Steve Riesenberg dcda899c8c
Merge branch '5.8.x' 2022-10-07 17:40:37 -05:00
Steve Riesenberg 37fa49b32d
Polish gh-11952 2022-10-07 17:40:12 -05:00
Steve Riesenberg 6753f9745e
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
Steve Riesenberg f462134e87
Add reactive support for BREACH
Closes gh-11959
2022-10-07 16:34:17 -05:00
Steve Riesenberg f4ca90e719
Add reactive interfaces for CSRF request handling
Issue gh-11959
2022-10-07 16:34:16 -05:00
Marcus Da Coregio 398f5dee7f Remove deprecated RequestMatcher methods from Java Configuration
Closes gh-11939
2022-10-07 15:26:46 -03:00
Marcus Da Coregio 9fd195d419 Default to shouldFilterAllDispatcherTypes=true in XML
Closes gh-11970
2022-10-07 11:46:20 -03:00
Marcus Da Coregio 146d3269bc Merge branch '5.8.x'
Closes gh-11971
2022-10-07 10:28:14 -03:00
Marcus Da Coregio f3321c256c Add XML support for shouldFilterAllDispatcherTypes
Closes gh-11492
2022-10-07 10:20:32 -03:00
Marcus Da Coregio f650ebe545 Merge branch '5.8.x' 2022-10-06 13:50:50 -03:00
Marcus Da Coregio 8a5aed2983 Add deprecation warning to CsrfDsl#ignoringAntMatchers
Issue gh-11347
2022-10-06 13:50:38 -03:00
Marcus Da Coregio d6302aabbc Merge branch '5.8.x' 2022-10-06 13:21:52 -03:00
Marcus Da Coregio bc4ad52feb Add deprecation warning to mvcMatchers methods
Issue gh-11347
2022-10-06 13:21:27 -03:00
Josh Cummings 12b9f2e196
use-authorization-manager defaults to true
Closes gh-11929
2022-10-06 08:12:46 -06:00
Marcus Da Coregio 52ab2303da Fix failing test
Issue gh-11061
2022-10-06 09:28:06 -03:00
Marcus Da Coregio c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present
Closes gh-11899
2022-10-06 09:12:04 -03:00
Josh Cummings 12ac7acb2c
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 23:53:40 -06:00
Josh Cummings 2079309c5a
Add SecurityContextHolderStrategy XML Configuration for OAuth2
Issue gh-11061
2022-10-05 23:50:59 -06:00
Josh Cummings 7543effe89
Add SecurityContextHolderStrategy Java Configuration for OAuth2
Issue gh-11061
2022-10-05 23:50:58 -06:00
Josh Cummings 7e3841105b
Add SecurityContextHolderStrategy XML Configuration for Saml2
Issue gh-11061
2022-10-05 23:50:57 -06:00
Josh Cummings 19181a5afd
Add SecurityContextHolderStrategy Java Configuration for Saml2
Issue gh-11061
2022-10-05 23:50:56 -06:00
Josh Cummings 0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy
Issue gh-11061
2022-10-05 23:38:14 -06:00
Josh Cummings 72a46ddd31
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings b4d13e7726
Polish use-authorization-manager
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together

Issue gh-11305
2022-10-05 22:21:09 -06:00
Josh Cummings 7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests
Issue gh-11665
2022-10-05 22:18:41 -06:00
Steve Riesenberg 8b490de08d
Merge branch '5.8.x'
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
Steve Riesenberg dce1c30522
Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Steve Riesenberg 6bbf20be93
Fix failing tests
Issue gh-11952
2022-10-05 14:19:40 -05:00
Steve Riesenberg a7000a053b
Merge branch '5.8.x' 2022-10-05 13:46:26 -05:00
Steve Riesenberg 1d706ae13d
Add csrfTokenRequestResolver to CsrfDsl
Closes gh-11952
2022-10-05 13:35:23 -05:00
Marcus Da Coregio c2ed65c67a Fix failing tests
Issue gh-9159
2022-10-05 14:59:33 -03:00
Marcus Da Coregio 22ba358e57 Merge branch '5.8.x' 2022-10-05 13:44:54 -03:00
Marcus Da Coregio bf6e85ec15 Accept String varargs in securityMatcher
Issue gh-9159
2022-10-05 13:44:08 -03:00
Marcus Da Coregio 76d7a85bc0 Use modified classpath test support for tests that depend on the classpath
Issue gh-11347
2022-10-04 15:32:19 -03:00
Marcus Da Coregio 77dcc691b3 Add modified classpath test support
Closes gh-11951
2022-10-04 15:32:18 -03:00
Marcus Da Coregio 5002199be3 Revert "Disable tests that need Spring MVC mocked in classpath"
This reverts commit c6978fba7c.
2022-10-04 15:32:18 -03:00
Marcus Da Coregio 35f7e46d05 Remove WebSecurityConfigurerAdapter
Closes gh-10902
2022-10-04 15:13:04 -03:00
Steve Riesenberg 3bc76815c2
Update csrf.request-handler-ref in 6.0
Issue gh-11918
2022-10-04 11:24:54 -05:00
Steve Riesenberg 5de6da890b
Merge branch '5.8.x'
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
Marcus Da Coregio c6978fba7c Disable tests that need Spring MVC mocked in classpath
Issue gh-11347
2022-10-04 08:56:06 -03:00
Steve Riesenberg 475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Steve Riesenberg c847efd3fd
Fix servlet import
Issue gh-11347
Issue gh-9159
2022-10-03 15:10:56 -05:00
Steve Riesenberg c98de7af2f
Add xss-protection.header-value in 6.0
Issue gh-9631
2022-10-03 14:31:04 -05:00
Steve Riesenberg 7c3cc1e386
Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux 0e215a21ad
Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio ad2abd39dc Merge branch '5.8.x'
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
Marcus Da Coregio 039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Steve Riesenberg d9a682a414
Polish gh-11896 2022-10-03 10:00:43 -05:00
Steve Riesenberg bf9339d88e
Merge branch '5.8.x' 2022-10-03 09:57:40 -05:00
Steve Riesenberg 7f9600ae08
Polish gh-11896 2022-10-03 09:57:08 -05:00
Marcus Da Coregio 5f2744db33 Merge branch '5.8.x'
Closes gh-11937
2022-10-03 11:43:22 -03:00
Marcus Da Coregio 64a19de4dc Deprecate HPKP security header
Closes gh-10144
2022-10-03 11:36:19 -03:00
Rob Winch 4479cefade Default Require Explicit Session Management = true
Closes gh-11763
2022-09-30 21:49:05 -05:00
Rob Winch 0d58c5180e Remove Explicit RequestCache Config from DeferHttpSession Tests
Issue gh-11757
2022-09-30 21:49:05 -05:00
Rob Winch 12a0ccf6de Remove Explicit CSRF Config from DeferHttpSessionTests
Issue gh-11764
2022-09-30 21:49:04 -05:00
Rob Winch 617353eaa8 Merge branch '5.8.x'
Closes gh-11928
2022-09-30 21:46:26 -05:00
Rob Winch 6d56af7b65 SessionManagementDsl.requireExplicitAuthenticationStrategy 2022-09-30 21:37:44 -05:00
Steve Riesenberg 76fbca9f46
Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux 93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Marcus Da Coregio 3bfdf6dd0f Merge branch '5.8.x'
Closes gh-11922
2022-09-29 11:21:24 -03:00
Marcus Da Coregio cf3349f31a Configure ContentNegotiationStrategy in HttpSecurityConfiguration
Closes gh-11916
2022-09-29 11:21:08 -03:00
Josh Cummings 506e50bfd0
Move Saml2 Authentication Filters
Issue gh-8819
2022-09-26 10:44:27 -06:00
Steve Riesenberg 181ee7410b
Change default authority for oauth2Login()
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.

* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER

Documentation has been updated to include this implementation detail.

Closes gh-7856
2022-09-26 10:06:31 -05:00
Josh Cummings 37a160245f
Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-23 16:31:21 -06:00
Steve Riesenberg 21c0c73878
Remove request-resolver-ref in 6.0
Issue gh-11896
2022-09-23 16:04:35 -05:00
Steve Riesenberg bcb21c9384
Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
Steve Riesenberg 46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Steve Riesenberg 3c66ef6305
Change default SecurityContextRepository
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
2022-09-22 17:31:14 -05:00
Rob Winch 0efe26c1fd Merge branch '5.8.x'
Closes gh-11894
2022-09-22 13:47:04 -05:00
Rob Winch d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
2022-09-22 11:09:44 -05:00
Josh Cummings 44b7847258
Fix Import Order
Issue gh-8819
2022-09-21 09:08:41 -06:00
Josh Cummings 70460ca009
Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-20 17:44:05 -06:00
Josh Cummings 61c80bcac5
Move Saml2 Authentication Filters
Closes gh-8819
2022-09-20 17:18:05 -06:00