Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-01-18 20:37:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
19,700 Commits 46 Branches 369 Tags
Commit Graph

19700 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Joe Grandja
51fe7ff737 Return device_code grant metadata when enabled 
Issue gh-17998
 2025-10-04 05:38:11 -04:00
Rob Winch
9595d37c14
Integration Test for DefaultLoginPageGeneratingFilterTests 
Add a minimal test to ensure that
DelegatingMissingAuthorityAccessDeniedHandler and
DefaultLoginPageGeneratingFilterTests work together properly.

Issue gh-18002
 2025-10-03 15:20:03 -05:00
Rob Winch
2473378fcd
Use RequiredFactorErrors 
Closes gh-18002
 2025-10-03 15:20:03 -05:00
Rob Winch
d1ff983c11
Add AllFactorsAuthorizationManager 
Closes gh-17997
 2025-10-03 15:20:03 -05:00
Rob Winch
3f74991ce9
Authentication adds FactorGrantedAuthority 
Closes gh-18001
 2025-10-03 15:20:03 -05:00
Rob Winch
ce36fc1e76
Add FactorGrantedAuthority 
Closes gh-17996
 2025-10-03 15:20:00 -05:00
Joe Grandja
477a456d6c Disable device_code grant by default 
Closes gh-17998
 2025-10-03 14:10:13 -04:00
Joe Grandja
4dfef1483d Polish gh-17507 2025-10-03 13:09:09 -04:00
Rohan Naik
8c65dc93f2 Enable PKCE by default 
Closes gh-17507

Signed-off-by: Rohan Naik <rohan.nn1203@gmail.com>
 2025-10-03 13:08:04 -04:00
dependabot[bot]
0f40f694b8
Bump io.spring.nullability:io.spring.nullability.gradle.plugin 
Bumps [io.spring.nullability:io.spring.nullability.gradle.plugin](https://github.com/spring-gradle-plugins/nullability-plugin) from 0.0.4 to 0.0.5.
- [Release notes](https://github.com/spring-gradle-plugins/nullability-plugin/releases)
- [Commits](https://github.com/spring-gradle-plugins/nullability-plugin/compare/v0.0.4...v0.0.5)

---
updated-dependencies:
- dependency-name: io.spring.nullability:io.spring.nullability.gradle.plugin
  dependency-version: 0.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-03 03:08:45 +00:00
Joe Grandja
54aae36f98 Add support for OAuth 2.0 Protected Resource Metadata 
Closes gh-17244
 2025-10-02 14:50:17 -04:00
dependabot[bot]
564726adea
Bump com.webauthn4j:webauthn4j-core 
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.6.RELEASE to 0.29.7.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.6.RELEASE...0.29.7.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.7.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:19:11 +00:00
dependabot[bot]
c1375b857a
Bump io.mockk:mockk from 1.14.5 to 1.14.6 
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.5 to 1.14.6.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.5...1.14.6)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:17:57 +00:00
dependabot[bot]
c5a335ac91
Bump io.mockk:mockk from 1.14.5 to 1.14.6 
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.5 to 1.14.6.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.5...1.14.6)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:08:25 +00:00
Rob Winch
64c9e3e210
Prevent Dupliate GrantedAuthority#getAuthority() 
If the GrantedAuthority is not equal, but contains a duplicate
GrantedAuthority#getAuthority() then at the time of authentication,
the Filter or WebFilter will duplicate the GrantedAuthority which leads
to a memory leak. This is important to avoid for when we add support for
a GrantedAuthority that might have an issuedAt attribute. If it is too
old, then we'd want only the new GrantedAuthority to be added and the old
instance to be removed. However, the two GrantedAuthority instances
will not be equal because the issuedAt will not be equal.

Closes gh-17981
 2025-10-01 15:37:23 -05:00
Rob Winch
c9010345b9
Add TestingAuthenticationToken(principal,credential,grantedAuthorities...) 
Closes gh-17980
 2025-10-01 13:05:56 -05:00
Joe Grandja
681e166be8 Remove default HttpSecurity.securityMatcher() for authorization server 
Closes gh-17965
 2025-10-01 11:45:21 -04:00
dependabot[bot]
dc5962af16
Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.18 to 1.5.19.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.18...v_1.5.19)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-01 03:20:55 +00:00
dependabot[bot]
70da545463
Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.18 to 1.5.19.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.18...v_1.5.19)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-01 03:20:01 +00:00
Rob Winch
7f10897de3
SecurityMockMvcResultMatchers.withAuthorities(String...) 
Closes gh-17974
 2025-09-30 10:39:14 -05:00
Rob Winch
0e99324c43
Merge branch '6.5.x' 2025-09-29 13:44:37 -05:00
Rob Winch
cf9568fe09
Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 2025-09-29 13:43:45 -05:00
dependabot[bot]
7409133cc0
Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 
Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.5 to 5.5.1.
- [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.5.1/RELEASE_NOTES.txt)
- [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.5...rel/v5.5.1)

---
updated-dependencies:
- dependency-name: org.apache.httpcomponents.client5:httpclient5
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-29 03:26:33 +00:00
Joe Grandja
f3761aff99 Add support for OAuth 2.0 Dynamic Client Registration Protocol 
Closes gh-17964
 2025-09-25 16:33:16 -04:00
Rob Winch
667cd4aa7c
Remove unnecessary throws Exception from spring-security-config 
Closes gh-17957
 2025-09-25 11:50:13 -05:00
Rob Winch
be20201bf7
FACTOR uses defaultEntryPoint when possible 
Previously they used addEntryPointFor(entryPoint, AnyRequestMatcher.INSTANCE) to
work around gh-17955. They now can use defaultEntryPoint which is more concise.

Issue gh-gh-17955
 2025-09-25 11:18:20 -05:00
Rob Winch
029e31ebe8
DelegatingAuthenticationEntryPoint.Builder allows just defaultEntryPoint 
Previously build threw an Exception when entryPoints was empty and
defaultEntryPoint was specified.

This commit changes build to return the defaultEntryPoint instead.

Closes gh-17955
 2025-09-25 09:45:52 -05:00
Josh Cummings
ad6fe4fdc3
Polish MFA Samples 
This commit removes unneeded AuthorizationManagerFactory
implementations, simplifies the custom AuthorizationManagerFactory
example, and updates usage of hasAllAuthorities.

Issue gh-17934
 2025-09-24 17:54:59 -06:00
Rob Winch
f652920bb3
Add @EnableGlobalMultiFactorAuthentication 
Closes gh-17954
 2025-09-24 14:47:26 -05:00
Rob Winch
e33e4d80a9
Fix Antora Warnings in servlet/authentication/adaptive.adoc 
Issue gh-2603
 2025-09-24 13:05:50 -05:00
Rob Winch
b2d76dfe66
Add GrantedAuthorities.FACTOR_*_AUTHORITY 
Closes gh-17952
 2025-09-24 09:53:56 -05:00
Josh Cummings
28aad8855c
Merge branch 'mfa' 
Closes gh-2603
 2025-09-23 18:23:11 -06:00
Josh Cummings
bbba2930e9
Add Initial Documentation 
Issue gh-17934
 2025-09-23 18:16:36 -06:00
Josh Cummings
d757e6e44e
Response to Additional Feedback 
- Moved request attribute to WebAttributes
- Renamed ExceptionHandlingConfigurer methods
- Removed varargs from DelegatingMissingAuthorityAccessDeniedHandler

Issue gh-17901
Issue gh-17934
 2025-09-23 18:16:22 -06:00
Josh Cummings
50ebd467c3
Polish Default Login Page 
Issue gh-17901
 2025-09-23 17:59:23 -06:00
Josh Cummings
42376e2eee
Prepopulate Username When Known 
Closes gh-17935
 2025-09-23 17:59:22 -06:00
Josh Cummings
e813aad82b
Support Showing One Part of Login Page 
Closes gh-17901
 2025-09-23 17:59:21 -06:00
Josh Cummings
9f317757c3
Make Public Missing Authority AccessDeniedHandler 
Issue gh-17934
 2025-09-23 17:59:19 -06:00
Josh Cummings
df7a7cdc99
Update Test for Method Security 
Issue gh-17936
 2025-09-23 17:16:33 -06:00
Josh Cummings
e66c498d80
Redirect to Appropriate Entry Point Based on Missing Authorities 
Issue gh-17934
 2025-09-23 17:16:32 -06:00
Josh Cummings
fe17f2904d
Initial Exception Handling 
This commit hardcodes factors as a proof of concept for
multi-factor authentication

Issue gh-17934
 2025-09-23 17:16:30 -06:00
Rob Winch
549569ea55
Add DefaultAuthorizationManagerFactory.additionalAuthorization 2025-09-23 16:52:10 -05:00
Rob Winch
1608465a38
DefaultAuthorizationManagerFactory additionalAuthorization 
This commit adds AuthorizationManager<T> additionalAuthorization to
DefaultAuthorizationManagerFactory which can be used for multi factor
authorization.

There is a builder that allows for creating an instance that requires
static additional authorities, but for more advanced cases users can
inject an additionalAuthorization that looks up if the user has settings
that enable additional required authorities.

The builder can later be updated to support checking that a particular
authority was granted within a specified amount of time.

Issue gh-17900
 2025-09-23 15:25:26 -05:00
Rob Winch
459b872a20
Cleanup Kotlin AuthorizationManagerFactory Generics 
This cleans up the generic types within the Kotlin DSL that reference
AuthorizationManagerFactory

Issue gh-17860
 2025-09-23 10:32:02 -05:00
dependabot[bot]
02bc3adfb8
Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 
Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.5 to 3.27.6.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.5...assertj-build-3.27.6)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-23 03:17:16 +00:00
dependabot[bot]
f8ab033c7b
Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 
Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.5 to 3.27.6.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.5...assertj-build-3.27.6)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-23 03:07:48 +00:00
Josh Cummings
628f3da30b
Revert "Add AuthorityUtils Methods" 
This reverts commit 50bdaeb1001b04b269dfe5968b3c2ef3856053fd that
was accidentally committed
 2025-09-22 12:26:07 -06:00
Josh Cummings
5ca5aca48e
Add Null Guard 
Issue gh-17933
 2025-09-22 12:23:29 -06:00
Josh Cummings
c61f53ad64
Copy Query to Parameters 
Issue gh-17450
 2025-09-22 12:17:24 -06:00
Josh Cummings
50bdaeb100
Add AuthorityUtils Methods 
This commit adds a couple of utility methods for working with authorities
by type. Now that there are infrastructural authorities that Spring Secuirty
works with directly, it's helpful to be able to filter them out of the
authority list.
 2025-09-22 11:42:14 -06:00