spring-security

mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 17:22:13 +00:00

Author	SHA1	Message	Date
Josh Cummings	d29ab8bcae	Merge branch '5.7.x' into 5.8.x	2022-11-01 13:43:40 -06:00
Josh Cummings	c94e33b6c8	Merge branch '5.6.x' into 5.7.x	2022-11-01 13:42:35 -06:00
Ger Roza	8315545144	Update RP-Initiated Logout target URLs. The URLs we're using are not actually pointing to the OIDC RP-Initiated Logout Specs. Fixes: gh-12081	2022-11-01 12:35:39 -06:00
Josh Cummings	c5badbc631	Add AccessDecisionManager Preparation Steps Issue gh-11337	2022-10-31 15:25:05 -06:00
Rob Winch	3da0d1bf27	Merge branch '5.8.x'	2022-10-27 15:39:03 -05:00
Rob Winch	aac1261f0c	Document Migration to SecurityContextHolderFilter Closes gh-12098	2022-10-27 15:12:45 -05:00
Rob Winch	d40ed58118	Merge branch '5.8.x' Closes gh-12091 Closes gh-12092	2022-10-26 14:56:02 -05:00
Rob Winch	c17e258a6f	Document Saved Requests Closes gh-12088	2022-10-26 14:22:30 -05:00
Josh Cummings	7adc000c6b	Merge remote-tracking branch 'origin/5.8.x'	2022-10-25 14:42:32 -06:00
Josh Cummings	04fa5af794	Add Missing Doc Header The EnableMethodSecurity section	2022-10-25 14:41:11 -06:00
Josh Cummings	fe96a62dfc	Document Observability Support Issue gh-10964	2022-10-12 20:32:25 -06:00
Marcus Da Coregio	c5e35bf32e	Merge branch '5.8.x' Closes gh-11978	2022-10-10 09:24:50 -03:00
Marcus Da Coregio	4b6fed0667	Add static factory method to AntPathRequestMather and RegexRequestMatcher Closes gh-11938	2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux	27059ced87	Default X-Xss-Protection header value to "0" Closes gh-9631	2022-10-07 17:42:55 -05:00
Marcus Da Coregio	398f5dee7f	Remove deprecated RequestMatcher methods from Java Configuration Closes gh-11939	2022-10-07 15:26:46 -03:00
Marcus Da Coregio	9fd195d419	Default to shouldFilterAllDispatcherTypes=true in XML Closes gh-11970	2022-10-07 11:46:20 -03:00
Marcus Da Coregio	146d3269bc	Merge branch '5.8.x' Closes gh-11971	2022-10-07 10:28:14 -03:00
Marcus Da Coregio	f3321c256c	Add XML support for shouldFilterAllDispatcherTypes Closes gh-11492	2022-10-07 10:20:32 -03:00
Josh Cummings	12b9f2e196	use-authorization-manager defaults to true Closes gh-11929	2022-10-06 08:12:46 -06:00
Marcus Da Coregio	c4d23f2b49	Use MvcRequestMatcher by default if Spring MVC is present Closes gh-11899	2022-10-06 09:12:04 -03:00
Steve Riesenberg	8b490de08d	Merge branch '5.8.x' # Conflicts: # docs/modules/ROOT/pages/servlet/exploits/csrf.adoc	2022-10-05 14:46:15 -05:00
Steve Riesenberg	dce1c30522	Add support for BREACH Closes gh-4001	2022-10-05 14:21:13 -05:00
Marcus Da Coregio	38a7bbd2eb	Merge branch '5.8.x'	2022-10-05 13:20:12 -03:00
Marcus Da Coregio	ace8caa182	Remove mvcMatchers usage from docs Issue gh-11347	2022-10-05 13:19:37 -03:00
Steve Riesenberg	5de6da890b	Merge branch '5.8.x' Closes gh-dry-run	2022-10-04 11:18:00 -05:00
Steve Riesenberg	475b3bb6bb	Add deferred CsrfTokenRepository.loadDeferredToken * Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken> * Move RepositoryDeferredCsrfToken to top-level and make package-private * Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse) * Update CsrfFilter * Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler Issue gh-11892 Closes gh-11918	2022-10-03 17:10:54 -05:00
Steve Riesenberg	7c3cc1e386	Merge branch '5.8.x'	2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux	0e215a21ad	Add X-Xss-Protection headerValue to XML config Issue gh-9631	2022-10-03 14:29:34 -05:00
Marcus Da Coregio	ad2abd39dc	Merge branch '5.8.x' Closes gh-11347 in 6.0.x Closes gh-11945	2022-10-03 16:02:18 -03:00
Marcus Da Coregio	039e0328e1	Simplify Java Configuration RequestMatcher Usage If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity Closes gh-11347 Closes gh-9159	2022-10-03 15:55:20 -03:00
Steve Riesenberg	181ee7410b	Change default authority for oauth2Login() Previously, the default authority was ROLE_USER when using oauth2Login() for both OAuth2 and OIDC providers. * Default authority for OAuth2UserAuthority is now OAUTH2_USER * Default authority for OidcUserAuthority is now OIDC_USER Documentation has been updated to include this implementation detail. Closes gh-7856	2022-09-26 10:06:31 -05:00
Steve Riesenberg	bcb21c9384	Merge branch '5.8.x' # Conflicts: # config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java	2022-09-23 15:39:43 -05:00
Steve Riesenberg	46696a9226	CsrfTokenRequestHandler extends CsrfTokenRequestResolver Closes gh-11896	2022-09-23 15:09:00 -05:00
Rob Winch	0efe26c1fd	Merge branch '5.8.x' Closes gh-11894	2022-09-22 13:47:04 -05:00
Rob Winch	d94677f87e	CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and moves usage from CsrfFilter into CsrfTokenRequestHandler. Closes gh-11892	2022-09-22 11:09:44 -05:00
Rob Winch	48e31f87e4	Remove Deprecated OpenSAML 3 Support Closes gh-10556	2022-09-20 16:57:38 -06:00
Steve Riesenberg	2431dd1103	Merge branch '5.8.x'	2022-09-13 17:38:10 -05:00
Steve Riesenberg	355ef21117	Polish gh-11665	2022-09-13 16:45:39 -05:00
ch4mpy	1efb63387f	Add authentication converter for introspected tokens Adds configurable authentication converter for resource-servers with token introspection (something very similar to what JwtAuthenticationConverter does for resource-servers with JWT decoder). The new (Reactive)OpaqueTokenAuthenticationConverter is given responsibility for converting successful token introspection result into an Authentication instance (which is currently done by a private methods of OpaqueTokenAuthenticationProvider and OpaqueTokenReactiveAuthenticationManager). The default (Reactive)OpaqueTokenAuthenticationConverter, behave the same as current private convert(OAuth2AuthenticatedPrincipal principal, String token) methods: map authorities from scope attribute and build a BearerTokenAuthentication. Closes gh-11661	2022-09-13 16:45:36 -05:00
Steve Riesenberg	ed41a60aae	Merge branch '5.8.x' # Conflicts: # config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java # config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml # web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java	2022-09-06 11:51:55 -05:00
Steve Riesenberg	86fbb8db07	Add new interfaces for CSRF request processing Issue gh-4001 Issue gh-11456	2022-09-06 11:43:33 -05:00
Marcus Da Coregio	e17989d92d	Merge branch '5.8.x'	2022-09-01 09:39:33 -03:00
Marcus Da Coregio	ff6fd78d64	Merge branch '5.7.x' into 5.8.x	2022-09-01 09:39:10 -03:00
Marcus Da Coregio	0a08a23423	Merge branch '5.6.x' into 5.7.x	2022-09-01 09:38:33 -03:00
Underground Hill	8b74bf9742	Updated reference to architecture page In the context of Servlet Authentication page, "Architecture" should probably link to "Servlet Authentication Architecture" page	2022-09-01 09:38:10 -03:00
Steve Riesenberg	8474acebf2	Merge branch '5.8.x'	2022-08-29 15:12:48 -05:00
he1ex-tG	568277f8bc	Mistake in Kotlin code representation is fixed	2022-08-29 15:11:10 -05:00
Josh Cummings	b1fd9af723	Merge remote-tracking branch 'origin/5.8.x' into main	2022-08-26 16:01:40 -06:00
Josh Cummings	0f58620643	Add AspectJ AuthorizationManager Support Closes gh-11326	2022-08-26 15:59:08 -06:00
Rob Winch	81d6b6df6c	Add Explicit SessionAuthenticationStrategy Option SessionAuthenticationFilter requires accessing the HttpSession to do its job. Previously, there was no way to just disable the SessionAuthenticationFilter despite the fact that SessionAuthenticationStrategy is invoked by the authentication filters directly. This commit adds an option to disable SessionManagmentFilter in favor of requiring explicit SessionAuthenticationStrategy invocation already performed by the authentication filters. Closes gh-11455	2022-08-18 17:38:03 -05:00

... 2 3 4 5 6 ...

381 Commits