Commit Graph

717 Commits

Author SHA1 Message Date
Frank Pavageau 35706ad60a Deserialize the principal in a neutral way
When the principal of the Authentication is an object, it is not necessarily
an User: it could be another implementation of UserDetails, or even a
completely unrelated type. Since the type of the object is serialized as a
property and used by the deserialization anyway, there's no point in
enforcing a stricter type.
2017-10-30 00:53:31 -05:00
Frank Pavageau 6fd9ff254b Map values directly from the JSON nodes
Not only is it more efficient without converting to an intermediate String,
using JsonNode.toString() may not even produce valid JSON according to its
Javadoc (ObjectMapper.writeValueAsString() should be used).
2017-10-30 00:53:31 -05:00
SignleMR a1fdb7dcb3 Update AbstractRememberMeServices.java
this file`s file encode is unkown,maybe is "Eddu Melendez"
2017-10-30 00:50:23 -05:00
Jeremy Waters 832f5c39c1 SEC-3190: Add support for colons in remember-me token values
We have an issue where token strings that contain a colon break
the existing decoding strategy, which tokenizes on colons.  so this 
change urlencodes the individual tokens when creating the cookie 
string; and urldecodes them decoding the cookie and extracting the 
tokens.  This also eliminates the need for existing code to deal with
openid tokens which contain urls, and thus colons.
2017-10-30 00:33:14 -05:00
Rob Winch 93ac706d86 Polish XFrameOptionsHeaderWriter
Issue: gh-4559
2017-10-29 23:32:53 -05:00
Nathan Wong 02a78b17b9 Add check to see if return value is DENY
Originally, if the return from getAllowFromValue(request) is "DENY",
then the X-Frame-Options header's value will proceed to be written as
"ALLOW FROM DENY" - an invalid value.

This commit adds a condition in the if clause that checks whether
allowFromValue is "DENY". This way, the X-Frame-Options header will be
written as "ALLOW FROM origin" or "DENY".
2017-10-29 23:32:53 -05:00
Antoine bed4ec7d18 Fix leading space characters reported by checkstyle 2017-10-29 22:22:34 -05:00
Antoine 0771778b81 Polish more AssertJ assertions 2017-10-29 22:22:34 -05:00
Antoine e0aca04a28 Polish AssertJ assertions
Polish AssertJ assertions
2017-10-29 22:22:34 -05:00
Rob Winch 5a5ec58ca4 Add LogoutPageGeneratingWebFilter
Fixes gh-4735
2017-10-29 00:12:23 -05:00
Rob Winch 0734d70d02 Logout requires POST
Issue: gh-4734
2017-10-29 00:11:59 -05:00
Rob Winch 8da2c7f657 Add WebFlux CSRF Protection
Fixes gh-4734
2017-10-28 22:59:24 -05:00
Rob Winch 192776858d HttpStatusServerAccessDeniedHandler write error message 2017-10-28 22:59:24 -05:00
Rob Winch e63c53e267 Add AuthorizationWebFilterTests 2017-10-28 22:58:55 -05:00
Rob Winch 2060125ebd ServerWebExchangeAttributeServerSecurityContextRepository->NoOpNoOpServerSecurityContextRepository
Issue: gh-4719
2017-10-27 18:17:52 -05:00
Rob Winch 4777a869bc Logout at the end of logout method
Issue: gh-4719
2017-10-27 18:17:40 -05:00
Rob Winch 5bcf3c559b Remove wrappedExchange from AuthenticationWebFilter
Issue: gh-4719
2017-10-27 18:17:29 -05:00
Rob Winch 437ba56415 ReactorContextWebFilter & SecurityContextServerWebExchangeWebFilter
Issue: gh-4719
2017-10-27 18:17:10 -05:00
Rob Winch c63b258b16 AuthorizeWebFilter uses ReactiveSecurityContextHolder
Issue gh-4719
2017-10-27 18:16:59 -05:00
Rob Winch 747473257f Use ReactorSecurityContextHolder
Issue gh-4713
2017-10-26 20:11:42 -05:00
Rob Winch 44b41e78cd Flux member variables in favor of Collections
Fix gh-4694
2017-10-25 07:41:37 -05:00
Rob Winch fcc1152f78 WebFilterChainProxy not matched continues WebFilterChain
Fixes gh-4668
2017-10-24 16:22:07 -05:00
Rob Winch b81c1ce2c0 Move spring-security-webflux into spring-security-web
Fixes gh-4662
2017-10-18 16:20:09 -05:00
Rob Winch a74f7c6faa Fix CSRF / DefaultLoginPageGeneratingFilter package tangle
Issue: gh-4636
2017-10-16 16:36:49 -05:00
Andreas Gebhardt 0c830f9ba8 fix JavaDoc typo on `BasicAuthenticationEntryPoint` 2017-10-12 07:42:58 -05:00
Rob Winch 23f56f568c Update MockitJunitRunner import
Issue: gh-4608
2017-10-09 16:13:33 -05:00
Rob Winch 445834784a Update to Mockito 2.10.0
Issue: gh-4608
2017-10-09 16:13:11 -05:00
Rob Winch f3828924ff Fix equals and hashCode alignment
Fixes gh-4588
2017-09-28 17:25:00 -05:00
Rob Winch 646b3e48b3 Avoid Exception Message in HTTP Response
Fixes gh-4587
2017-09-28 17:24:49 -05:00
Stephan Schroevers 9e719bc313 Drop the `aopalliance:aopalliance` dependency
As of Spring 4.3 RC1 the `org.aopalliance` interfaces are once again bundled
with `spring-aop` [1]. Moreover, all modules with a dependency on
`aopalliance:aopalliance` directly or indirectly also depend on `spring-aop`.

This change drops the `aopalliance:aopalliance` dependency in all places it's
declared. Where applicable an explicit dependency on `spring-aop` was added in
its place. (This dependency was already present in most places; in one case the
module didn't require `aopalliance:aopalliance` in the first place.)

The documentation is updated accordingly.

[1] https://jira.spring.io/browse/SPR-13984
2017-09-22 11:11:04 -05:00
Vedran Pavic 95de158909 Add `ForwardLogoutSuccessHandler` 2017-09-06 15:15:02 -05:00
Joe Grandja 4951550d7d Add context path to authorization request URI
Fixes gh-4510
2017-08-26 18:55:23 -04:00
Rob Winch e16b8e7976 Fix logback-test.xml 2017-08-17 16:42:01 -05:00
Kyle Anderson d8a678df6f Removed Unicode Character from Parameter Name 2017-06-29 16:03:29 -05:00
Takuma Setoguchi f2c04dd9b1 fix typo 2017-06-20 08:17:15 -05:00
Rob Winch d81b436e5d Remove pom.xml from build
Gradle is easy enough to import into IDEs, so pom.xml should no
longer be necessary.

This commit removes the pom.xml files from the build.

Fixes gh-4283
2017-05-11 14:32:36 -05:00
Vedran Pavic 85719fcd64 Use Base64 implementation provided by Java 8 2017-05-10 00:27:36 -05:00
Joe Grandja 829c386756 Add support for OAuth 2.0 Login
Fixes gh-3907
2017-04-28 10:58:59 -04:00
Rob Winch dd6fc48dd8 Standardize Build
The build now uses spring build conventions to simplify the build

Fixes gh-4284
2017-04-21 10:55:05 -05:00
Rob Winch 5a65da400d Use ReflectionTestUtils rather than Whitebox
This is better because it no longer uses Mockito's internal API

Fixes gh-4305
2017-04-21 10:54:58 -05:00
Rob Winch 9d9aadb80f Fix DefaultSavedRequestMixinTests with Spring 5
Previously DefaultSavedRequestMixinTests
serializeDefaultRequestBuildWithConstructorTest broke in Spring 5
because Spring 5's MockHttpServletRequest.setCookie now automatically adds
the Cookie header.

This commit ensures that the Cookie header is not added by overriding the
class we are writing.

Fixes gh-4272
2017-04-12 15:51:26 -05:00
Joe Grandja 2ce174dbf0 Update poms to 5.0.0.BUILD-SNAPSHOT 2017-04-07 16:49:50 -04:00
Joe Grandja 2b81983f7c Update to Java 8 compatibility
* Spring IO Athens-BUILD-SNAPSHOT -> Cairo-BUILD-SNAPSHOT
* CGLib 3.1 -> 3.2.5 latest release Issue related to ASM https://github.com/cglib/cglib/issues/20
* AssertJ 2.2.0 -> 3.6.2 latest release
* PowerMock 1.6.2 -> 1.6.5 latest release is 1.6.6 but has regression Issue https://github.com/powermock/powermock/issues/717
* Update maven-compiler-plugin source/target to 1.8
2017-04-07 16:49:38 -04:00
borlafu 8a458eb9e1 Avoid multiple X-Frame-Options headers
XFrameOptionsHeaderWriter should not *add*, but *set* the
X-Frame-Options header. According to
https://tools.ietf.org/html/rfc7034#section-2.1, having
multiple values for the header is disallowed:

"There are three different values for the header field.
These values are mutually exclusive; that is, the header
field MUST be set to exactly one of the three values."

With this change, only the latest XFrameOptionsHeaderWriter
will remain.
2017-03-08 15:49:18 -06:00
Rob Winch d2524eadfc Update poms to new to SNAPSHOT version 2017-03-02 09:20:34 -06:00
Spring Buildmaster 081f0c4d94 Release version 4.2.2.RELEASE 2017-03-02 07:29:42 +00:00
Rob Winch 247f54dc41 Fix SwitchUserFilter.setSwitchFailureUrl assertion
Fixes gh-4198
2017-03-02 00:47:09 -06:00
Rob Winch 017e9834bd Fix NPE in UrlUtils with null url
Fixes gh-4233
2017-03-02 00:46:01 -06:00
Rob Winch 168f4b8f70 Prevent Duplicate Cache Headers
Fixes gh-4199
2017-03-01 16:14:12 -06:00
Rob Winch 9c03571bbb Use message in all Assert
This ensures compatibility with Spring 5.

Fixes gh-4193
2017-01-30 19:58:24 -06:00