Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
11,815 Commits 30 Branches 330 Tags 114 MiB
Commit Graph

11815 Commits

Author SHA1 Message Date
Josh Cummings d5354db6f4
Next Development Version 2022-10-17 14:59:47 -06:00
Josh Cummings 6b25307339
Merge remote-tracking branch 'origin/5.6.x' into 5.7.x 2022-10-17 14:57:39 -06:00
Josh Cummings 730359f144
Next Development Version 2022-10-17 14:56:34 -06:00
Josh Cummings 89c815032c
Fix Index Out of Bounds 2022-10-17 14:52:03 -06:00
Josh Cummings 154f6d7316
Merge remote-tracking branch 'origin/5.6.x' into 5.7.x 2022-10-17 14:30:39 -06:00
Josh Cummings ff055cf07a
Remote antoraUpdateVersion task from CI 2022-10-17 14:24:13 -06:00
github-actions[bot] b08a06aa76 Release 5.6.8 2022-10-17 18:55:50 +00:00
github-actions[bot] 53cdec799b Release 5.7.4 2022-10-17 18:55:41 +00:00
Marcus Da Coregio 7994222436 Merge branch '5.7.x' into 5.8.x 2022-10-17 15:51:39 -03:00
Marcus Da Coregio 31fd098b8e Merge branch '5.6.x' into 5.7.x 2022-10-17 15:51:19 -03:00
Marcus Da Coregio 465d80c162 Remove antoreUpdateVersion task from release automation 2022-10-17 15:50:44 -03:00
Josh Cummings 099aaa33ff
Remove Deprecation Markers 
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.

Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.

At that time, BearerTokenAuthenticationFilter can change to use
the handler.

Closes gh-11932
 2022-10-13 19:47:22 -06:00
Daniel Garnier-Moiroux 200b7fecd3
Add (Server)AuthenticationEntryPointFailureHandlerAdapter 
Issue gh-11932, gh-9429

(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.

BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
 2022-10-13 19:25:04 -06:00
Evgeniy Cheban 56b9badcfe
AnonymousAuthenticationFilter should cache its Supplier<SecurityContext> 
Closes gh-11900
 2022-10-13 16:44:48 -05:00
Steve Riesenberg 5a55987d6e
Add links to reference in What's New for 5.8 
Issue gh-4001
Issue gh-11959
 2022-10-13 12:52:01 -05:00
Josh Cummings 59c4538798
Update What's New 
Closes gh-12021
 2022-10-13 10:13:20 -06:00
Marcus Da Coregio 445833295b Merge branch '5.7.x' into 5.8.x 2022-10-13 09:37:33 -03:00
Marcus Da Coregio 0c239813e5 Merge branch '5.6.x' into 5.7.x 2022-10-13 09:36:09 -03:00
Marcus Da Coregio 717320a9ba Update org.springframework.data to 2021.2.4 
Closes gh-12018
 2022-10-13 09:30:50 -03:00
Marcus Da Coregio 601fafd3de Update org.springframework to 5.3.23 
Closes gh-12017
 2022-10-13 09:30:47 -03:00
Marcus Da Coregio 0f5c23ab17 Update hibernate-entitymanager to 5.6.12.Final 
Closes gh-12016
 2022-10-13 09:30:43 -03:00
Marcus Da Coregio a73b8de0f4 Update org.eclipse.jetty to 9.4.49.v20220914 
Closes gh-12015
 2022-10-13 09:30:40 -03:00
Marcus Da Coregio 2d7813be6e Update io.rsocket to 1.1.3 
Closes gh-12014
 2022-10-13 09:30:37 -03:00
Marcus Da Coregio 655a1e345e Update io.projectreactor to 2020.0.24 
Closes gh-12012
 2022-10-13 09:30:31 -03:00
Marcus Da Coregio 4fc00b74a9 Update mockk to 1.12.8 
Closes gh-12011
 2022-10-13 09:30:28 -03:00
Marcus Da Coregio 0521bb1af5 Update jackson-bom to 2.13.4.20221012 
Closes gh-12008
 2022-10-13 09:30:17 -03:00
Marcus Da Coregio 4992e8ce62 Update org.springframework.data to 2021.1.8 
Closes gh-12007
 2022-10-13 09:24:21 -03:00
Marcus Da Coregio c772daab92 Update org.springframework to 5.3.23 
Closes gh-12006
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio 45a4a89960 Update hibernate-entitymanager to 5.6.12.Final 
Closes gh-12005
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio b43c7e927f Update org.eclipse.jetty to 9.4.49.v20220914 
Closes gh-12004
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio 50d23622d0 Update io.rsocket to 1.1.3 
Closes gh-12003
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio 2c2603ba0f Update io.projectreactor to 2020.0.24 
Closes gh-12001
 2022-10-13 09:24:20 -03:00
Marcus Da Coregio f7f53ea2b7 Update jackson-bom to 2.13.4.20221012 
Closes gh-11997
 2022-10-13 09:22:28 -03:00
Joe Grandja 185991a606 Revert "Add default AuthorizationManager" 
This reverts commit 4ddec07d0e.
 2022-10-13 06:18:00 -04:00
Steve Riesenberg 440748ec65
Add test support for Xor CSRF tokens 
Issue gh-4001
 2022-10-12 15:02:15 -05:00
Steve Riesenberg 8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg 804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg 05e4a1dd20
Cache Xor CsrfToken 
Closes gh-11988
 2022-10-12 12:30:40 -05:00
Joe Grandja ffbcaca24a Update reference for PasswordEncoders 
Issue gh-10506
 2022-10-12 07:32:30 -04:00
Joe Grandja c50441b59f Update default configuration for Pbkdf2PasswordEncoder 
The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.

Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256

New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256

The default salt length was also updated from 8 to 16.

Closes gh-10506, Closes gh-10489
 2022-10-12 00:45:10 -04:00
Joe Grandja f8419003eb Update default configuration for SCryptPasswordEncoder 
The recommended minimums for scrypt, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.

Previous default configuration:
cpuCost=16384, memoryCost=8, parallelism=1

New default configuration:
cpuCost=65536, memoryCost=8, parallelism=1

The default salt length was also updated from 64 to 16.

Issue gh-10506
 2022-10-12 00:14:07 -04:00
Joe Grandja 2ea62d0f8b Update default configuration for Argon2PasswordEncoder 
The recommended minimums for Argon2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.

Previous default configuration:
memory=4, iterations=3, parallelism=1

New default configuration:
memory=16, iterations=2, parallelism=1

Issue gh-10506
 2022-10-11 18:04:37 -04:00
Josh Cummings 8d096554f8
Add AuthorizationEvent 
Closes gh-11972
 2022-10-10 12:28:57 -06:00
Marcus Da Coregio 6e2e76978f Merge branch '5.7.x' into 5.8.x 
Closes gh-11980
 2022-10-10 11:01:56 -03:00
Marcus Da Coregio b17ba7cdcc Merge branch '5.6.x' into 5.7.x 
Closes gh-11979
 2022-10-10 11:01:27 -03:00
Marcus Da Coregio e0f8c711d8 Add default value for cloneOutputDirectory property 
Closes gh-11969
 2022-10-10 11:00:47 -03:00
Marcus Da Coregio 4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher 
Closes gh-11938
 2022-10-10 09:24:15 -03:00
Steve Riesenberg 37fa49b32d
Polish gh-11952 2022-10-07 17:40:12 -05:00
Steve Riesenberg f462134e87
Add reactive support for BREACH 
Closes gh-11959
 2022-10-07 16:34:17 -05:00
Steve Riesenberg f4ca90e719
Add reactive interfaces for CSRF request handling 
Issue gh-11959
 2022-10-07 16:34:16 -05:00