Commit Graph

7177 Commits

Author SHA1 Message Date
Rob Winch fa0565109b Add SimpleSavedRequest
Fixes: gh-5581
2018-07-26 15:14:11 -05:00
Joe Grandja 2c1c2c78c3 Add HttpServletResponse param to removeAuthorizationRequest
Fixes gh-5313
2018-07-26 14:15:56 -04:00
Johnny Lim 887db71333 Fix typo (#5580) 2018-07-26 10:04:21 -04:00
Joe Grandja 3d4e5836f2 Update to selenium-support:3.13.0
Fixes gh-5578
2018-07-24 20:35:14 -04:00
Joe Grandja 82c9931377 Update to selenium-java:3.13.0
Fixes gh-5577
2018-07-24 20:35:14 -04:00
Joe Grandja c3acdb36a6 Update to hibernate-validator:6.0.11.Final
Fixes gh-5576
2018-07-24 20:35:13 -04:00
Joe Grandja 21302b7e39 Update to hibernate-entitymanager:5.3.3.Final
Fixes gh-5575
2018-07-24 20:35:13 -04:00
Joe Grandja c502f668da Update to bcpkix-jdk15on:1.60
Fixes gh-5574
2018-07-24 20:35:13 -04:00
Joe Grandja 1468fee3d5 Update to org.apache.httpcomponents:httpclient:4.5.6
Fixes gh-5573
2018-07-24 20:35:13 -04:00
Joe Grandja c111f5902f Update to ehcache:2.10.5
Fixes gh-5572
2018-07-24 20:35:13 -04:00
Joe Grandja 67ee011866 Update to javax.servlet.jsp.jstl-api:1.2.2
Fixes gh-5571
2018-07-24 20:35:12 -04:00
Joe Grandja 45a2607cd0 Update to oauth2-oidc-sdk:5.64.2
Fixes gh-5569
2018-07-24 16:23:22 -04:00
Joe Grandja aad66fb094 Update to nimbus-jose-jwt:5.14
Fixes gh-5568
2018-07-24 16:21:12 -04:00
Joe Grandja 0d9f4b3a0a Update to cglib-nodep:3.2.7
Fixes gh-5567
2018-07-24 16:16:52 -04:00
Josh Cummings fc5083ae0c Bearer Token Exception Handling Configuration
This exposes #authenticationEntryPoint(), #accessDeniedHandler, on
the Resource Server DSL.

With these, a user can customize the error responses when a bearer
token request fails.

Fixes: gh-5497
2018-07-24 12:49:26 -06:00
Josh Cummings 6a45ecd4bb Bearer Token Resolver Configuration
This introduces #bearerTokenResolver(BearerTokenResolver) to the
Resource Server DSL, allowing users to configure the resolver to allow
the access token as part of the request body or a query parameter. It
also allows the user to replace the resolver with a completely custom
one.

This also introduces the same ability by exposing a bean of type
BearerTokenResolver

Fixes: gh-5496
2018-07-24 13:12:16 -04:00
mhyeon.lee ba29b363fc Fix OAuth2AuthorizationRequestRedirectWebFilter baseurl exclude querystring
To create redirect_uri in OAuth2AuthorizationRequestRedirectWebFilter,
queryParam is included in the current request-based baseUrl.
So when binding to the redirectUriTemplate,
the wrong type of redirect_uri may be created.

Fixed: gh-5520
2018-07-23 15:42:15 -04:00
Josh Cummings 195a6943e2
OpenIDConfigTests groovy->java
For the remember me test, there is some hand configuration that was
carried over from the groovy test as there isn't a way via the xml
config to achieve the same result.

For the attribute exchange test, in order to reduce the amount of
endpoint configuration, the test uses a bit of reflection to disable
the OpenID association step. This is because the xml config does not
support wiring a custom ConsumerManager, like the java configurer
does.

Issue: gh-4939
2018-07-23 12:43:23 -06:00
Joe Grandja 36cbdfe013 Fix NPE when null Authentication in authorization_code grant
Fixes gh-5560
2018-07-23 12:28:48 -04:00
Joe Grandja 6c7d49759e Auto-redirect to provider login when one client configured
Fixes gh-5347
2018-07-23 10:24:20 -04:00
Rob Winch 88975dad41 ServletOAuth2AuthorizedClientExchangeFilterFunction handles null authorized client
Issue: gh-5545
2018-07-22 12:01:42 -07:00
Rob Winch 67dd3f16e9 Add static methods for ServletOAuth2AuthorizedClientExchangeFilterFunction
This will allow us to break up
ServletOAuth2AuthorizedClientExchangeFilterFunction into multiple
components if we decide to later.

Issue: gh-5545
2018-07-20 11:48:20 -05:00
Rob Winch 9ababf4168 Rename to ServerOAuth2AuthorizedClientExchangeFilterFunction
Rename OAuth2AuthorizedClientExchangeFilterFunction to
ServerOAuth2AuthorizedClientExchangeFilterFunction->

Issue: gh-5386
2018-07-20 11:48:19 -05:00
Rob Winch 1b79bbed7f Add ServletOAuth2AuthorizedClientExchangeFilterFunction
Fixes: gh-5545
2018-07-20 11:48:19 -05:00
Josh Cummings 4fc1e63369 User-Specified JwtDecoder
This exposes JwtConfigurer#decoder as well as makes the configurer
look in the application context for a bean of type JwtDecoder.

Fixes: gh-5519
2018-07-20 11:33:14 -05:00
mhyeon.lee 3c461b704c Add AuthenticationMethod type
This section defines three methods of sending bearer access tokens
in resource requests to resource servers.
Clients MUST NOT use more than
one method to transmit the token in each request.

RFC6750 Section 2 Authenticated Requests
https://tools.ietf.org/html/rfc6750#section-2

Add AuthenticationMethod in ClientRegistration UserInfoEndpoint.

Add AuthenticationMethod for OAuth2UserService to get User.

To support the use of the POST method.
https://tools.ietf.org/html/rfc6750#section-2.2

gh-5500
2018-07-20 11:32:51 -04:00
Joe Grandja a4fdc28b27 Use context.getBean() for ClientRegistrationRepository
Fixes gh-5538
2018-07-20 09:47:35 -04:00
Joe Grandja 9a144d742e Use OAuth2AuthorizedClientRepository in filters and resolver
Fixes gh-5544
2018-07-19 22:57:10 -04:00
Josh Cummings 39e336136f
MultiHttpBlockConfigTests groovy->java
Note that originally there were five tests in the groovy test, however
the last one, multipleAuthenticationManagersWorks, turned out to be a
duplicate after creating the test
requestWhenUsingMutuallyExclusiveHttpElementsThenIsRoutedAccordingly

As such, the new file contains just four tests.

Issue: gh-4939
2018-07-19 14:44:54 -06:00
Henry Lin 7e52fe67f4 Fixed document error 2018-07-19 09:35:16 -06:00
Eric Hudon 79bbd6a39c Fix a missing "throws Exception" for configure(AuthenticationManagerBuilder auth)
The actual method signature look this this:
```java
protected void configure(AuthenticationManagerBuilder auth) throws Exception
```
 This PR aims at aligning the javadoc for this annotation with the actual method signature.
2018-07-19 09:30:51 -06:00
Rob Winch f48404a6a0 Default Log In Pages Use HTTPS for CSS
Fixes: gh-5539
2018-07-18 20:06:17 -05:00
Jonathan Chen fbf870a82e Include email in user information attributes from Facebook
Fixes gh-5532
2018-07-18 17:09:33 -04:00
mhyeon.lee 3f8e69211f Fix OAuth2 ClientRegistration scope can be null
Allows scope of OAuth2 ClientRegistration to be null.

- The scope setting in the RFC document is defined as Optional.
https://tools.ietf.org/html/rfc6749#section-4.1.1

    > scope:  OPTIONAL.
    > The scope of the access request as described by Section 3.3.

- When the client omits the scope parameter,
validation is determined by the authorization server.
https://tools.ietf.org/html/rfc6749#section-3.3

    > If the client omits the scope parameter when requesting
   authorization, the authorization server MUST either process the
   request using a pre-defined default value or fail the request
   indicating an invalid scope.  The authorization server SHOULD
   document its scope requirements and default value (if defined).

Fixes gh-5494
2018-07-18 16:17:14 -04:00
mhyeon.lee 18db425861 Polish Javadoc to remove warning 2018-07-18 09:24:59 -06:00
Rob Winch d468d7e6da Cache Control disabled for 304
Fixes: gh-5534
2018-07-17 22:13:33 -05:00
Josh Cummings f0f678d61e
SessionManagementConfigTests groovy->java
Issue: gh-4939
2018-07-17 10:47:44 -06:00
mhyeon.lee 191a4760f9 Fix DefaultOAuth2AuthorizationRequestResolver baseUrl excludes queryParams
To create redirect_uri in DefaultOAuth2AuthorizationRequestResolver,
queryParam is included in the current request-based baseUrl.
So when binding to the redirectUriTemplate,
the wrong type of redirect_uri may be created.

Fixes gh-5520
2018-07-17 12:00:01 -04:00
Josh Cummings 884fdbf9b3 Add Bearer Token filter to Security Filters
This introduces BearerTokenAuthenticationFilter to SecurityFilters so
that it can be used in the various addFilter methods and with the
`custom-filter` xml tag.

Fixes: gh-5479
2018-07-17 10:56:49 -05:00
Rob Winch 981d35a92c Add ClientRegistration.Builder.registrationId
Fixes: gh-5527
2018-07-17 01:27:39 -05:00
Joe Grandja 2cd548221d Allow configuring a custom OAuth2AuthorizationRequestResolver
Fixes gh-5521
2018-07-16 20:47:39 -04:00
Josh Cummings becff23df1
Reliable Error State Tests - Nimbus
A test against the Nimbus library was relying on specific messaging
from Nimbus as well as the JDK, making it brittle.

Now, it simply relies on the messaging that we control.

Issue: gh-4887
2018-07-16 14:46:42 -06:00
Josh Cummings a9bc384b48
Reliable Error State Tests
Some of Resource Server Configurer's tests were relying on specific
error messaging from Nimbus and from the JDK, which makes them
brittle.

These tests now simply confirm that resource server responses
contain the correct error state without relying on specific wording
outside of our control.
2018-07-16 14:19:23 -06:00
Rob Winch d595098823 Rename @TransientAuthentication to @Transient
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.

Issue: gh-5481
2018-07-16 11:31:10 -05:00
Rob Winch ed3ed5e64c Rename @TransientAuthentication to @Transient
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.

Issue: gh-5481
2018-07-16 11:17:08 -05:00
Josh Cummings 40ccdb93f7 Resource Server Jwt Support
Introducing initial support for Jwt-Encoded Bearer Token authorization
with remote JWK set signature verification.

High-level features include:

- Accepting bearer tokens as headers and form or query parameters
- Verifying signatures from a remote Jwk set

And:

- A DSL for easy configuration
- A sample to demonstrate usage

Fixes: gh-5128
Fixes: gh-5125
Fixes: gh-5121
Fixes: gh-5130
Fixes: gh-5226
Fixes: gh-5237
2018-07-16 10:40:46 -05:00
Josh Cummings 6e67c0dcea Remap Nimbus JSON Parsing Errors
When Nimbus fails to parse either a JWK response or a JWT response,
the error message contains information that either should or cannot be
included in a Bearer Token response.

For example, if the response from a JWK endpoint is invalid JSON, then
Nimbus will send the entire response from the authentication server in
the resulting exception message.

This commit captures these exceptions and removes the parsing detail,
replacing it with more generic information about the nature of the
error.

Fixes: gh-5517
2018-07-16 10:40:46 -05:00
Josh Cummings 28afb4e3d7 Access Denied Handling Defaults
This introduces the capability for users to wire denial handling
by request matcher, similar to how users can already do with
authentication entry points.

This is handy for when denial behavior differs based on the contents
of the request, for example, when the Authorization header indicates
an OAuth2 Bearer Token request vs Basic authentication.

Fixes: gh-5478
2018-07-16 10:40:46 -05:00
Josh Cummings b7ccb63dfd Disable CSRF by Request Matcher
This introduces an evolution on CsrfConfigurer#ignoreAntMatchers,
allowing users to specify a RequestMatcher in the circumstance where
more than just the path needs to be analyzed to determine whether
CsrfFilter should require a token for the request.

Simply put, a user can now selectively disable csrf by request matcher
in addition to the way it can already be done with ant matchers.

Fixes: gh-5477
2018-07-16 10:40:45 -05:00
Josh Cummings ed20edd177 Improved Session Creation Policy Configuration
Other configurers can now offer their preference on session creation
policy without trumping what a user provided via the
sessionCreationPolicy method.

This is valuable for configurer's like Resource Server that would like
to have session management be stateless, but not at the expense of the
user's direct configuration.

Fixes: gh-5518
2018-07-16 10:40:45 -05:00