There is no whitespace between error message and IP address value `IpAddressMatcher#parseAddress()`
If IP value is wrong, then error text looks like `Failed to parse addressi.am.ip`.
There should be some separator between those two text tokens.
Also wrapped the address value with single quotes.
Will this add any confusion for the caller?
Or colon and `"Failed to parse address: $value` looks better?
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.
This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.
Issue gh-11699
Previously LazyCsrfTokenRepository supported lazily saving the CsrfToken
which allowed for lazily saving the CsrfToken. However, it did not
support lazily reading the CsrfToken. This meant every request required
reading the CsrfToken (often the HttpSession).
This commit allows for lazily reading the CsrfToken and thus prevents
unnecessary reads to the HttpSession.
Closes gh-11700
Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext
This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.
Closes gh-11606
Currently if trace logging is enabled a StackOverflowException is thrown
when trying to resolve toString of the authentication.
java.lang.StackOverflowError: null
at java.base/java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:538) ~[na:na]
at java.base/java.lang.StringBuilder.append(StringBuilder.java:174) ~[na:na]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$2(AnonymousAuthenticationFilter.java:125) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
at org.springframework.core.log.LogMessage$SupplierMessage.buildString(LogMessage.java:155) ~[spring-core-5.3.12.jar:5.3.12]
at org.springframework.core.log.LogMessage.toString(LogMessage.java:70) ~[spring-core-5.3.12.jar:5.3.12]
at java.base/java.lang.String.valueOf(String.java:2951) ~[na:na]
at org.apache.commons.logging.LogAdapter$Slf4jLocationAwareLog.trace(LogAdapter.java:482) ~[spring-jcl-5.3.12.jar:5.3.12]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous(AnonymousAuthenticationFilter.java:125) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$0(AnonymousAuthenticationFilter.java:105) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
at org.springframework.security.core.context.ThreadLocalSecurityContextHolderStrategy.lambda$setDeferredContext$2(ThreadLocalSecurityContextHolderStrategy.java:67) ~[spring-security-core-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
at org.springframework.security.core.context.ThreadLocalSecurityContextHolderStrategy.getContext(ThreadLocalSecurityContextHolderStrategy.java:43) ~[spring-security-core-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.lambda$defaultWithAnonymous$2(AnonymousAuthenticationFilter.java:126) ~[spring-security-web-5.8.0-SNAPSHOT.jar:5.8.0-SNAPSHOT]
at org.springframework.core.log.LogMessage$SupplierMessage.buildString(LogMessage.java:155) ~[spring-core-5.3.12.jar:5.3.12]
at org.springframework.core.log.LogMessage.toString(LogMessage.java:70) ~[spring-core-5.3.12.jar:5.3.12]
at java.base/java.lang.String.valueOf(String.java:2951) ~[na:na]
at org.apache.commons.logging.LogAdapter$Slf4jLocationAwareLog.trace(LogAdapter.java:482) ~[spring-jcl-5.3.12.jar:5.3.12]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.defaultWithAnonymous(AnonymousAuthenticationFilter.java:125)
Issue gh-11457
Previously AnonymousAuthenticationFilter accessed the SecurityContext to
determine if anonymous authentication needed setup eagerly. Now this is done
lazily to avoid unnecessary access to the SecurityContext which in turn avoids
unnecessary HTTP Session access.
Closes gh-11457
When MultipartFormData is enabled currently the CsrfWebFilter compares
the content-type header against MULTIPART_FORM_DATA MediaType which
leads to NullPointerExecption when there is no content-type header.
This commit reverse the check to compare the MULTIPART_FORM_DATA
MediaType against the content-type which contains null check and avoids
the exception.
closes gh-11204
- Added createEvaluationContext method that accepts Supplier<Authentication>
- Refactored classes that use EvaluationContext to use lazy initialization of Authentication
Closes gh-9667
Servlet Spring Security has DelegatingRequestMatcherHeaderWriter
the reactive world of Spring Security was missing a class to
conditionally write headers.
Closes gh-11073
cyb3r4nt
Rob Winch
Marcus Da Coregio
Josh Cummings
Joe Grandja
Steve Riesenberg
Alonso Araya Calvo
j3graham
Zhivko Delchev
Evgeniy Cheban
David Herberth