Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.
This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.
Closes gh-9579
PermitAllSupport supports either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer. If none or both are configured an error message is thrown.
Closes gh-10482
Fix when AccessDeniedHandler is specified per RequestMatcher on
ExceptionHandlingConfigurer.
This introduces evolutions on :
- CsrfConfigurer#getDefaultAccessDeniedHandler,
to retrieve an AccessDeniedHandler similar to the one used by
ExceptionHandlingConfigurer.
- OAuth2ResourceServerConfigurer#accessDeniedHandler, to continue to
handle CsrfException with the default AccessDeniedHandler implementation
Fixes: gh-6511
Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.
This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).
Closes gh-10326
Powermock does not support JUnit5 yet, so we need to remove it
to support JUnit 5. Additionally, maintaining additional libraries
adds extra work for the team.
Mockito now supports final classes and static method mocking. This
commit replaces Powermock with mockito-inline.
Closes gh-6025
- Cleaned up JavaDoc
- Updated implementation to align with no-parameter authorizeRequests
- Updated test names and content for clarity, specifically identified
tests that target no-parameter authorizeHttpRequests with noParameter in
the name
- Switched order of methods to match others in HttpSecurity
- Updated copyright year
Issue gh-9498
If they are not applied in this order, then the LogoutConfigurer cannot
set the logoutSuccessUrl, because the DefaultLoginPageGeneratingFilter
does not exist yet.
This impacts users that inject the default HttpSecurity bean.
Closes gh-9973
When a bean of type ReactiveJwtAuthenticationConverter is defined,
the OAuth2 Resource Server configuration will use it automatically
when no other converter is defined through the DSL.
Closes gh-9698
- Removed consolidated pointcut advisor in favor of each interceptor
being an advisor. This allows Spring AOP to do more of the heavy
lifting of selecting the set of interceptors that applies
- Created new method context for after interceptors instead of
modifying existing one
- Added documentation
- Added XML support
- Added AuthorizationInterceptorsOrder to simplify interceptor
ordering
- Adjusted annotation lookup to comply with JSR-250 spec
- Adjusted annotation lookup to exhaustively search for duplicate
annotations
- Separated into three @Configuration classes, one for each set of
authorization annotations
Issue gh-9289
