4c2401a576
Revert "Make source code compatible with JDK 8"
...
This reverts commit 60ed3602f6
2022-06-02 19:24:42 +02:00
38d481eba6
Make Internal Class Package-Private
...
Issue gh-11305
2022-05-31 16:04:26 -06:00
d994ddc9b8
Polish InterceptUrlConfigTests
...
Issue gh-11305
2022-05-31 16:04:02 -06:00
9dbd1f3e25
Use AuthorizationManager in <http>
...
Closes gh-11305
2022-05-31 15:10:00 -06:00
7c0ba58019
Fix rnc typo
...
Issue gh-11076
2022-05-27 16:59:23 -06:00
8a03d1fcec
Add AuthorizationManager to Messaging
...
Closes gh-11076
2022-05-27 12:20:48 -06:00
16664dcdbd
Use Base64 encoder with no CRLF in output for SAML 2.0 messages
...
Closes gh-11262
2022-05-25 11:43:50 -06:00
b51c71c3b3
Use original query string to verify signature
...
Closes gh-11235
2022-05-23 13:56:28 -06:00
5adb6e25a3
Correctly encode query parameters
...
Issue gh-11235
2022-05-20 17:46:40 -06:00
ffaf5b4e61
Polish WebExpressionAuthorizationManager
...
- Add support for request variables
- Added additional tests
Issue gh-11105
2022-05-13 13:53:38 -06:00
07b0be3f42
Add AuthorizationManager that uses ExpressionHandler
...
Closes gh-11105
2022-05-13 13:52:49 -06:00
18c220c870
Update copyright headers
...
Issue gh-10956
2022-05-06 14:26:29 -03:00
18345feeed
Fix mvcMatchers overriding previous paths
...
Closes gh-10956
2022-05-06 14:26:29 -03:00
6420cf28a9
Multiple <authentication-manager> Do Not Duplicate Alias
...
Previously, two authentication managers with different ids would duplicate
the alias to the global authentication manager. This would cause failures
for when allowBeanDefinitionOverriding = false.
This commit ensures that if the global authentication manager alias is
already set, then it is not set again. This means the first
<authentication-manager> will be used as the global AuthenticationManager.
Closes gh-8767
2022-05-03 14:52:22 -05:00
0e9228d10a
Prepare for Spring Security 5.8
2022-05-02 16:34:23 -06:00
5ac5edc2e6
Detect UserDetailsService bean in X509 configuration
...
Closes gh-11174
2022-04-28 14:47:18 +02:00
d40c15e09e
Update remember me Javadocs
...
Describe the new behaviour for retrieving the UserDetailsService
Issue gh-11170
2022-04-28 14:13:52 +02:00
e94adedb94
Add shouldFilterAllDispatcherTypes to Kotlin DSL
...
Closes gh-11153
2022-04-28 08:19:20 -03:00
8e34cedcfe
Detect UserDetailsService bean in remember me
...
Closes gh-11170
2022-04-28 12:43:13 +02:00
a3e7e54b70
Security Context Dsl
...
Closes gh-11039
2022-04-26 17:34:44 +02:00
23594b3d01
Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator
...
Issue gh-10908
2022-04-25 09:42:00 -03:00
aaf78330b1
ForceEagerSessionCreationFilter
...
Closes gh-11109
2022-04-15 14:16:35 -05:00
7fea639a43
Add Option to Filter All Dispatcher Types
...
Closes gh-11092
2022-04-14 15:58:00 -03:00
147ab42440
Revert "Pick up AuthorizationManager Bean"
...
This reverts commit 32b83aae63
2022-04-12 09:32:09 -06:00
39b0620a84
Add DisableUrlRewritingFilter
...
Closes gh-11084
2022-04-08 16:13:44 -05:00
32b83aae63
Pick up AuthorizationManager Bean
...
Closes gh-11067
Closes gh-11068
2022-04-08 10:08:33 -06:00
b39f213e64
Revert "Add AuthorizationManager to Messaging"
...
This reverts commit 77a6e014a9
2022-04-07 17:39:34 -06:00
77a6e014a9
Add AuthorizationManager to Messaging
...
Closes gh-11076
2022-04-07 17:39:10 -06:00
66213e5b2e
Add Default Test to HttpBasicConfigurerTests
...
Issue gh-10973
2022-04-05 17:11:39 -06:00
47c8676be7
Polish Saml2LoginConfigurerTests
...
Issue gh-10973
2022-04-05 17:11:38 -06:00
c175118f62
Use RequestMatcherEntry
...
Closes gh-11046
2022-03-30 14:31:11 -06:00
061f69eb70
Polish Authorization Event Support
...
- Added spring-security-config support
- Renamed classes
- Changed contracts to include the authenticated user and secured
object
- Added method security support
Issue gh-9288
2022-03-29 16:03:19 -06:00
a43677d36a
Simplify PrePostMethodSecurityConfiguration
...
Issue gh-9288
2022-03-29 15:44:16 -06:00
67fd46bfa6
Add SecurityContextRepository.loadContext(HttpServletRequest)
...
This allows loading the SecurityContext lazily, without the need for the
response, and does not attempt to automatically save the request when
the response is comitted.
Closes gh-11028
2022-03-25 14:21:52 -05:00
446ab5047c
Add authorizeHttpRequests to Kotlin DSL
...
Closes gh-10481
2022-03-22 09:39:06 -06:00
3016ed0067
Fix typos in Kotlin DSL docs
...
Issue gh-10481
2022-03-22 08:27:29 -06:00
87ed31a99c
Add SecurityContextHolderFilter
...
Closes gh-9635
2022-03-11 17:22:23 -06:00
dbcb5004b4
Extract createSecurityContextRepository()
...
Extract out method in preparation for adding SecurityContextHolderFilter
configuration.
Issue gh-9635
2022-03-11 17:21:49 -06:00
ac9c29b2a0
Add UsernamePasswordAuthenticationToken factory methods
...
- unauthenticated factory method
- authenticated factory method
- test for unauthenticated factory method
- test for authenticated factory method
- make existing constructor protected
- use newly factory methods in rest of the project
- update copyright dates
Closes gh-10790
2022-03-09 15:23:35 -07:00
93d4fd3559
Add SAML 2.0 Single Logout XML Support
...
Closes gh-10842
2022-03-09 09:18:01 -03:00
73f839312d
Add SAML 2.0 Login XML Support
...
Closes gh-9012
2022-03-09 09:18:01 -03:00
7a02bd14c1
Replace Apache Commons Base64 Decoding
...
Issue gh-10923
2022-03-02 16:19:03 -07:00
3aa7a65cb4
OAuth2AuthorizedClientArgumentResolver resolves ReactiveOAuth2AuthorizedClientManager
...
Closes gh-10846
2022-02-28 15:30:19 -07:00
e97c643870
Deprecate WebSecurityConfigurerAdapter
...
Closes gh-10822
2022-02-17 12:13:50 +01:00
c2635ba6bf
Apply configurers from spring.factories to HttpSecurity bean
...
Closes gh-10814
2022-02-09 14:40:57 +01:00
cbd87fac89
Polish ignoring() log messaging
...
- Public API remains unchanged
Issue gh-9334
2022-02-07 14:50:28 -07:00
01ed617d5f
Print ignore message DefaultSecurityFilterChain
...
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.
Closes gh-9334
2022-02-07 14:50:19 -07:00
d538423f98
Add Saml2AuthenticationRequestResolver
...
Closes gh-10355
2022-01-24 15:09:45 -07:00
ba922dcdf0
Exclude javax from hibernate dependency
...
Issue gh-10501
2022-01-19 14:35:25 -06:00
27e1a2ca69
Remove javax.transaction
...
Issue gh-10501
2022-01-19 14:35:05 -06:00
9d4ecc9c37
Additional removal of javax.inject
...
Issue gh-10501
2022-01-19 14:34:45 -06:00
678c386834
jsr250-api -> jakarta.annotation-api
...
Issue gh-10501
2022-01-19 14:34:32 -06:00
0e8c03401b
javax.xml.bind:jaxb-api -> jakarta.xml.bind:jakarta.xml.bind-api
...
Issue gh-10501
2022-01-19 14:34:16 -06:00
8f64bb6c8c
javax.servlet:javax.servlet-api -> jakarta.servlet:jakarta.servlet-api
...
Issue gh-10501
2022-01-19 14:33:53 -06:00
f8e14683f6
Remove jcl-over-slf4j
...
Issue gh-10499
2022-01-19 14:33:46 -06:00
3c641dee75
Remove commons-logging
...
Closes gh-10499
2022-01-19 14:33:44 -06:00
a537b636c1
Add LDAP factory beans
...
Issue gh-10138
2022-01-18 15:11:30 +01:00
75f25bff82
Polish multiple RequestRejectedHandlers support
...
Issue gh-10603
2022-01-14 16:49:38 -07:00
4ea57f3e3f
Support multiple RequestRejectedHandler beans
...
Closes gh-10603
2022-01-14 16:46:15 -07:00
60ed3602f6
Make source code compatible with JDK 8
...
Closes gh-10695
2022-01-11 09:19:41 -03:00
1ab0705b47
Fix typo
2022-01-10 16:17:42 +01:00
18427b6411
Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains
...
Closes gh-10554
2021-12-13 08:57:30 -03:00
cd8983d4e5
Polish enableSessionUrlRewriting Clarification
...
Closes gh-7644
2021-12-09 12:14:40 -07:00
5598688fa6
Clarify behaviour of enableSessionUrlRewriting
...
See #3087
2021-12-09 12:06:30 -07:00
65426a40ec
Add Cross Origin Policies headers
...
Add DSL support for Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy and Cross-Origin-Resource-Policy headers
Closes gh-9385, gh-10118
2021-12-07 17:23:06 +01:00
ed3b0fbaad
Prevent using both authorizeRequests and authorizeHttpRequests
...
Closes gh-10573
2021-12-06 15:47:49 -03:00
df0f6f83af
Polish gh-9597
2021-12-02 17:44:47 -06:00
925d531cbe
Set details on authentication token created by HttpServlet3RequestFactory
...
Currently the login mechanism when triggered by executing HttpServlet3RequestFactory#login does not set any details on the underlying authentication token that is authenticated.
This change adds an AuthenticationDetailsSource on the HttpServlet3RequestFactory, which defaults to a WebAuthenticationDetailsSource.
Closes gh-9579
2021-12-02 17:44:46 -06:00
074e38d565
Add missing since
...
Issue gh-7765
2021-12-02 12:09:57 -06:00
3af619d565
Add hasIpAddress to Reactive Kotlin DSL
...
Closes gh-10571
2021-12-02 12:01:11 -06:00
a68411566e
Polish Memory Leak Mitigation
...
Issue gh-9841
2021-11-30 15:33:47 -07:00
2bc643d6c8
Address SecurityContextHolder memory leak
...
To get current context without creating a new context.
Creating a new context may cause ThreadLocal leak.
Closes gh-9841
2021-11-30 15:33:39 -07:00
a3a9de1b9b
PermitAllSupport supports AuthorizeHttpRequestsConfigurer
...
PermitAllSupport supports either an ExpressionUrlAuthorizationConfigurer or an AuthorizeHttpRequestsConfigurer. If none or both are configured an error message is thrown.
Closes gh-10482
2021-11-30 15:17:22 -07:00
43317c5a61
Support IP whitelist for Spring Security Webflux
...
Closes gh-7765
2021-11-30 15:27:58 -06:00
4318a51971
Fix CsrfConfigurer default AccessDeniedHandler consistency
...
Fix when AccessDeniedHandler is specified per RequestMatcher on
ExceptionHandlingConfigurer.
This introduces evolutions on :
- CsrfConfigurer#getDefaultAccessDeniedHandler,
to retrieve an AccessDeniedHandler similar to the one used by
ExceptionHandlingConfigurer.
- OAuth2ResourceServerConfigurer#accessDeniedHandler, to continue to
handle CsrfException with the default AccessDeniedHandler implementation
Fixes: gh-6511
2021-11-16 14:22:35 -06:00
61ee4e5a76
Avoid using SpEL to change the meaning of the injection point
...
This commit removes the use of SpEL expression and replaces it with an
explicit call to the underlying method.
2021-11-16 13:53:00 -06:00
aa0f788f59
Add RedirectStrategy customization to ChannelSecurityConfigurer for RetryWith classes
2021-11-16 13:44:18 -06:00
7b15098570
Update Spring Security to 5.7
...
Closes gh-10509
2021-11-15 17:10:00 -07:00
76ebbb84f7
Separate Namespace Servlet Docs
...
Issue gh-10367
2021-11-05 12:45:46 -06:00
2f1638ec57
Fix javadoc
...
Closes gh-10382
2021-10-22 11:20:37 -03:00
cb70b6a39b
Fixed invalid usage of & tag in Javadocs
2021-10-21 11:47:04 +02:00
04b47c5928
Fixed various broken links in Javadocs
2021-10-21 11:47:04 +02:00
a188138715
Javadocs author tag doesn't work in methods
2021-10-21 11:47:04 +02:00
6b26032ce7
Fixed invalid usege of > tag in Javadocs
2021-10-21 11:47:04 +02:00
f836897190
Checkstyle Fixes
...
- Javadoc tag ordering
- Private constructors before inner classes
Issue gh-10394
2021-10-18 21:03:35 -05:00
6db58cbf8a
Conditionally resolve bearer token from request parameters
...
Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.
This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).
Closes gh-10326
2021-10-13 17:10:50 -05:00
33708e61fb
Add postProcess support to Saml2LogoutConfigurer
...
Closes gh-10311
2021-10-13 12:05:48 -06:00
fbb7691be4
Polish SecurityNamespaceHandler Tests
...
Issue gh-8974
2021-10-13 11:50:14 -06:00
8daa6ec1fd
SecurityNamespaceHandler: update schema version to 5.6
...
Closes gh-8974
2021-10-13 11:49:57 -06:00
ba8844a67e
Deprecate Kotlin methods that don't use reified types
...
Closes gh-10365
2021-10-13 10:16:37 +02:00
02b2fcc6f0
Restore ManagementConfigurationPlugin
...
Issue gh-9615
2021-10-05 11:23:29 -03:00
d2e5f2ae0d
Update Gradle to 7.2
...
Closes gh-9615
2021-10-04 15:19:40 -03:00
7112ee3eaa
Allow SAML 2.0 loginProcessingURL without registrationId
...
Closes gh-10176
2021-10-04 09:54:40 -03:00
e36e2b2a97
Move Saml2AuthnRequestRepository to web package
...
Moving to solve package tangles
Issue gh-9185
2021-09-29 14:10:39 -03:00
3b64cdfc03
Fix XsdDocumentedTests
...
Issue gh-5835
2021-09-24 10:25:26 -05:00
c3ba2332da
Wire BeanResolver into DefaultMethodSecurityExpressionHandler
...
Closes gh-10305
2021-09-22 14:14:29 -06:00
7b599d4770
Share JWKSource Instances
...
Closes gh-10312
2021-09-22 13:28:08 -06:00
0364518b69
Update Saml2LoginConfigurer to pick up Saml2AuthenticationTokenConverter bean
...
Closes gh-10268
2021-09-17 08:13:19 -03:00
1e76b11b3c
Remove duplicate entry from test LDIF file
...
Closes gh-10274
2021-09-16 10:26:06 +02:00
4f06fc6ed1
Add Saml2LogoutConfigurer
...
Closes gh-9497
2021-09-13 16:39:48 -06:00
Marcus Da Coregio
Josh Cummings
Juny Tse
Evgeniy Cheban
Rob Winch
Eleftheria Stein
nor-ek
Yuriy Savchenko
m0k045e
Manuel Jordan
Adam Ostrožlík
heowc
James Howe
Steve Riesenberg
Karl Tinawi
Hiroshi Shirosaki
Igor Pelesic
Guirong Hu
« Christophe
Stephane Nicoll
Onur Kagan Ozcan
Emil Sierżęga
Philipp Neuschwander
Gaurav Tiwari
Emil Sierżęga