Commit Graph

11280 Commits

Author SHA1 Message Date
Rob Winch e8a388d5b7 Merge branch '5.8.x'
Closes gh-11747
2022-08-23 13:43:43 -05:00
Rob Winch e3c447d761 Merge branch '5.7.x' into 5.8.x
Closes gh-11746
2022-08-23 13:42:37 -05:00
Rob Winch 93d8983f8a Merge branch '5.8.x' 2022-08-23 13:42:21 -05:00
Rob Winch d37c413460 Merge branch '5.7.x' into 5.8.x 2022-08-23 13:39:25 -05:00
Rob Winch f774c4de39 Merge branch '5.6.x' into 5.7.x
Closes gh-11738
2022-08-23 13:30:59 -05:00
Rob Winch fc10d5fc29 repository=spring-projects/spring-security
Previously the repository used spring-project (missing the s)
2022-08-23 13:30:20 -05:00
Rob Winch df785408f1 Merge branch '5.6.x' into 5.7.x 2022-08-23 13:23:15 -05:00
Marcus Da Coregio 38c05ad31c Add native hints for basic @PostAuthorize usage
Closes gh-11737
2022-08-23 15:17:14 -03:00
Marcus Da Coregio bd5a05dcdd Polish CoreSecurityRuntimeHints 2022-08-23 15:06:07 -03:00
Rob Winch c79ebf4edf Setup Forward Merge 2022-08-22 16:19:44 -05:00
Marcus Da Coregio a8d6c1d21f Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:58:22 -03:00
Marcus Da Coregio c7912c551b Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:51:53 -03:00
Marcus Da Coregio 0aac515737 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:35:41 -03:00
Marcus Da Coregio 3826fca567 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:33:08 -03:00
Rob Winch 888c65a936 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:38:03 -05:00
Rob Winch 81d6b6df6c Add Explicit SessionAuthenticationStrategy Option
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.

This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.

Closes gh-11455
2022-08-18 17:38:03 -05:00
Rob Winch 1de810a565 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:00:47 -05:00
Rob Winch 89f8310d6c Add Explicit SessionAuthenticationStrategy Option
SessionAuthenticationFilter requires accessing the HttpSession to do its
job. Previously, there was no way to just disable the
SessionAuthenticationFilter despite the fact that
SessionAuthenticationStrategy is invoked by the authentication filters
directly.

This commit adds an option to disable SessionManagmentFilter in favor of
requiring explicit SessionAuthenticationStrategy invocation already
performed by the authentication filters.

Closes gh-11455
2022-08-18 17:00:47 -05:00
Steve Riesenberg 7c7f9380c7
Refresh remote JWK when unknown KID error occurs
Closes gh-11621
2022-08-18 16:54:45 -05:00
tinolazreg 888715bbb2
Add tests for unknown KID error
Issue gh-11621
2022-08-18 16:54:45 -05:00
Steve Riesenberg 53a3ff8932
Refresh remote JWK when unknown KID error occurs
Closes gh-11621
2022-08-18 16:53:45 -05:00
tinolazreg 77d11a3f9f
Add tests for unknown KID error
Issue gh-11621
2022-08-18 16:53:44 -05:00
Steve Riesenberg 51dc672625
Refresh remote JWK when unknown KID error occurs
Closes gh-11621
2022-08-18 16:48:42 -05:00
tinolazreg d1c742d7aa
Add tests for unknown KID error
Issue gh-11621
2022-08-18 16:48:41 -05:00
Steve Riesenberg 9c02e835e8 Refresh remote JWK when unknown KID error occurs
Closes gh-11621
2022-08-18 16:42:57 -05:00
tinolazreg 3e73fa6954 Add tests for unknown KID error
Issue gh-11621
2022-08-18 16:42:57 -05:00
Yuriy Savchenko 63d2f19e2a Remove default value for access parameter
Closes gh-10957
2022-08-18 15:22:08 -03:00
cyb3r4nt 1d555b62e3 Fix IP address parse error msg in IpAddressMatcher
There is no whitespace between error message and IP address value  `IpAddressMatcher#parseAddress()`
If IP value is wrong, then error text looks like `Failed to parse addressi.am.ip`.
There should be some separator between those two text tokens.

Also wrapped the address value with single quotes.
Will this add any confusion for the caller?
Or colon and `"Failed to parse address: $value` looks better?
2022-08-18 10:40:38 -06:00
Marcus Da Coregio 2564f061e7 Start building against Spring LDAP 3.0.0-M4 snapshots
Issue gh-11718
2022-08-17 10:33:27 -03:00
Marcus Da Coregio af3d70f130 Remove GlobalMethodSecurityRuntimeHints
Closes gh-11714
2022-08-17 08:07:28 -03:00
Evgeniy Cheban ba50c50b4b
Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11509
2022-08-16 15:14:08 -06:00
Evgeniy Cheban 5ecd513a57 Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11509
2022-08-16 15:12:47 -06:00
Marcus Da Coregio 00302c80ad
Move SAML Post inline javascript to script tag
To avoid relying on HTML event handlers and adding unsafe-* rules to CSP, the javascript is moved to a <script> tag. This also allows a better browser compatibility

Closes gh-11676
2022-08-16 15:11:01 -06:00
Marcus Da Coregio 7359bd5949 Move SAML Post inline javascript to script tag
To avoid relying on HTML event handlers and adding unsafe-* rules to CSP, the javascript is moved to a <script> tag. This also allows a better browser compatibility

Closes gh-11676
2022-08-16 15:06:10 -06:00
jujunChen 13feb87171
Modify words
- <dependencyManagement> to dependencyManagement
- pom.xml to build.gradle
2022-08-16 14:51:36 -06:00
jujunChen d93bde7465
Modify words
- <dependencyManagement> to dependencyManagement
- pom.xml to build.gradle
2022-08-16 14:51:06 -06:00
jujunChen e3d85881e9
Modify words
- <dependencyManagement> to dependencyManagement
- pom.xml to build.gradle
2022-08-16 14:48:14 -06:00
jujunChen 9f6d9c2b84 Modify words
- <dependencyManagement> to dependencyManagement
- pom.xml to build.gradle
2022-08-16 14:44:34 -06:00
Rob Winch 5cf42b1f2e Defer CsrfFilter Session Access
Closes gh-11456
2022-08-16 13:48:20 -05:00
Rob Winch 8ad20b1768 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-16 13:47:31 -05:00
Rob Winch 2aedf5899b LazyCsrfTokenRepository#loadToken Supports Deferring Delegation
Previously LazyCsrfTokenRepository supported lazily saving the CsrfToken
which allowed for lazily saving the CsrfToken. However, it did not
support lazily reading the CsrfToken. This meant every request required
reading the CsrfToken (often the HttpSession).

This commit allows for lazily reading the CsrfToken and thus prevents
unnecessary reads to the HttpSession.

Closes gh-11700
2022-08-16 13:47:31 -05:00
Steve Riesenberg a73e32e43e
Add automated release info to release doc
Closes gh-11715
2022-08-16 11:46:04 -05:00
Rob Winch c1a6cea60a Defer CsrfFilter Session Access
Closes gh-11456
2022-08-16 11:31:27 -05:00
Rob Winch 5b64526ba9 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-15 17:07:02 -05:00
Rob Winch 666f175225 LazyCsrfTokenRepository#loadToken Supports Deferring Delegation
Previously LazyCsrfTokenRepository supported lazily saving the CsrfToken
which allowed for lazily saving the CsrfToken. However, it did not
support lazily reading the CsrfToken. This meant every request required
reading the CsrfToken (often the HttpSession).

This commit allows for lazily reading the CsrfToken and thus prevents
unnecessary reads to the HttpSession.

Closes gh-11700
2022-08-15 17:07:02 -05:00
Rob Winch faf9fb7337 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:46 -05:00
Rob Winch 9f00045638 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:30 -05:00
Rob Winch 002a770f13 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:26:12 -05:00
Rob Winch ce778b0e20 NamespaceLdapAuthenticationProviderTests use Dynamic Port
Closes gh-11710
2022-08-15 15:25:15 -05:00
Rob Winch f33d7253b6 GitHubMilestoneApiTests due_on Uses LocalDate
`GitHubMilestoneApiTests` uses `Instant.now()` for `due_on`. Since
`Instant.now()` is UTC time based,
`isMilestoneDueTodayWhenDueTodayThenTrue` fails when the computer that runs
the test is not the same day as it is in UTC time.

To fix it, `due_on` should be set to an `Instant` based upon the timezone
of the current computer.

Closes gh-11706
2022-08-15 13:04:29 -05:00