Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
11,648 Commits 32 Branches 333 Tags 111 MiB
Commit Graph

1426 Commits

Author SHA1 Message Date
Steve Riesenberg e238b721bb
Fix imports in DelegatingSecurityContextRepository 
Issue gh-12023
 2022-10-17 19:36:25 -05:00
Steve Riesenberg bd43c1f28a
Merge branch '5.8.x' 
# Conflicts:
#	web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
#	web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
 2022-10-17 19:35:27 -05:00
Steve Riesenberg acc35aeb18
Add DelegatingSecurityContextRepository 
Issue gh-12023
 2022-10-17 19:33:58 -05:00
Steve Riesenberg c75ca10900
Add DeferredSecurityContext 
Issue gh-12023
 2022-10-17 19:33:58 -05:00
Josh Cummings f4cc27c375
Change Default for (Server)AuthenticationEntryPointFailureHandler 
Closes gh-9429
 2022-10-13 20:03:03 -06:00
Josh Cummings 5afc7cb04f
Merge remote-tracking branch 'origin/5.8.x' 2022-10-13 19:48:05 -06:00
Josh Cummings 099aaa33ff
Remove Deprecation Markers 
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.

Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.

At that time, BearerTokenAuthenticationFilter can change to use
the handler.

Closes gh-11932
 2022-10-13 19:47:22 -06:00
Daniel Garnier-Moiroux 200b7fecd3
Add (Server)AuthenticationEntryPointFailureHandlerAdapter 
Issue gh-11932, gh-9429

(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.

BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
 2022-10-13 19:25:04 -06:00
Steve Riesenberg 9090f62d9b
Merge branch '5.8.x' 2022-10-13 16:46:53 -05:00
Evgeniy Cheban 56b9badcfe
AnonymousAuthenticationFilter should cache its Supplier<SecurityContext> 
Closes gh-11900
 2022-10-13 16:44:48 -05:00
Steve Riesenberg 45a963a011
Remove CsrfWebFilter.setTokenFromMultipartDataEnabled 
Closes gh-12019
 2022-10-13 11:29:16 -05:00
Joe Grandja 753e113a13 RequestMatcherDelegatingAuthorizationManager defaults to deny 
Closes gh-11958
 2022-10-13 11:12:00 -04:00
Steve Riesenberg 2407d07890
Default to Xor CSRF tokens in CsrfWebFilter 
Closes gh-11960
 2022-10-13 09:39:57 -05:00
Steve Riesenberg 2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter 
Issue gh-11960
 2022-10-13 09:39:55 -05:00
Joe Grandja 6026f9f70f Merge branch '5.8.x' 2022-10-13 06:31:37 -04:00
Joe Grandja 185991a606 Revert "Add default AuthorizationManager" 
This reverts commit 4ddec07d0e.
 2022-10-13 06:18:00 -04:00
Josh Cummings 2713075d08
Mark Observations with Firewall Failures 
Closes gh-11994
 2022-10-12 20:32:24 -06:00
Josh Cummings 46ab84684b
Mark Observations with CSRF Failures 
Closes gh-11993
 2022-10-12 20:32:23 -06:00
Josh Cummings 99a87179dd
Instrument Filter Chain 
Closes gh-11911
 2022-10-12 20:32:22 -06:00
Steve Riesenberg 9b43950e13
Merge branch '5.8.x' 2022-10-12 13:14:20 -05:00
Steve Riesenberg 8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg 804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg 05e4a1dd20
Cache Xor CsrfToken 
Closes gh-11988
 2022-10-12 12:30:40 -05:00
Marcus Da Coregio c5e35bf32e Merge branch '5.8.x' 
Closes gh-11978
 2022-10-10 09:24:50 -03:00
Marcus Da Coregio 4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher 
Closes gh-11938
 2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux 27059ced87
Default X-Xss-Protection header value to "0" 
Closes gh-9631
 2022-10-07 17:42:55 -05:00
Steve Riesenberg 6753f9745e
Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
 2022-10-07 17:29:07 -05:00
Steve Riesenberg f462134e87
Add reactive support for BREACH 
Closes gh-11959
 2022-10-07 16:34:17 -05:00
Steve Riesenberg f4ca90e719
Add reactive interfaces for CSRF request handling 
Issue gh-11959
 2022-10-07 16:34:16 -05:00
Marcus Da Coregio c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present 
Closes gh-11899
 2022-10-06 09:12:04 -03:00
Josh Cummings 353ca76973
Merge remote-tracking branch 'origin/5.8.x' 2022-10-06 00:01:40 -06:00
Josh Cummings 380a6a2564
Polish SecurityContextHolderStrategy Usage 
- Add to HttpSessionSecurityContextRepository#saveContext

Issue gh-11060
 2022-10-05 23:59:14 -06:00
Josh Cummings 72a46ddd31
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler 
Issue gh-11105
 2022-10-05 21:47:14 -06:00
Josh Cummings eeb28e4f91
Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 21:45:26 -06:00
Josh Cummings 4ddec07d0e
Add default AuthorizationManager 
Closes gh-11963
 2022-10-05 21:37:41 -06:00
Steve Riesenberg ee9449dbfe
Fix tests for deferred CSRF tokens 
Issue gh-4001
 2022-10-05 16:10:36 -05:00
Steve Riesenberg 521cdfd738
Use correct servlet imports 
Issue gh-4001
 2022-10-05 16:10:35 -05:00
Steve Riesenberg 8b490de08d
Merge branch '5.8.x' 
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
 2022-10-05 14:46:15 -05:00
Steve Riesenberg dce1c30522
Add support for BREACH 
Closes gh-4001
 2022-10-05 14:21:13 -05:00
Steve Riesenberg 5de6da890b
Merge branch '5.8.x' 
Closes gh-dry-run
 2022-10-04 11:18:00 -05:00
Steve Riesenberg 475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken 
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
 2022-10-03 17:10:54 -05:00
Steve Riesenberg 7c3cc1e386
Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux 0e215a21ad
Add X-Xss-Protection headerValue to XML config 
Issue gh-9631
 2022-10-03 14:29:34 -05:00
Marcus Da Coregio ad2abd39dc Merge branch '5.8.x' 
Closes gh-11347 in 6.0.x
Closes gh-11945
 2022-10-03 16:02:18 -03:00
Marcus Da Coregio 039e0328e1 Simplify Java Configuration RequestMatcher Usage 
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
 2022-10-03 15:55:20 -03:00
Marcus Da Coregio 5f2744db33 Merge branch '5.8.x' 
Closes gh-11937
 2022-10-03 11:43:22 -03:00
Marcus Da Coregio 64a19de4dc Deprecate HPKP security header 
Closes gh-10144
 2022-10-03 11:36:19 -03:00
Rob Winch 4479cefade Default Require Explicit Session Management = true 
Closes gh-11763
 2022-09-30 21:49:05 -05:00
Steve Riesenberg 76fbca9f46
Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00