Previously the SecurityExpressionHandler for message based configuration
did not have a beanResolver set.
This commit post processes the default message SecurityExpressionHandler
to ensure the beanResolver is set.
Fixes gh-3797
Previously it required quite a bit of extra work to use RoleHiearchy
within Java Based Spring Security configuration.
Now if a single RoleHiearchy Bean is defined it will automatically
be picked up and used by method security.
Fixes gh-3394
Perviously there were issues with case insenstive patterns and URI
variables that contained upper case characters. For example, the pattern
"/user/{userId}" could not resolve the variable #userId Instead it was
forced to lowercase and #userid was used.
Now if the pattern is case insensitive then so is the variable. This means
that #userId will work as will #userid.
Fixes gh-3786
When <authentication-manager> specifies an id, the <password-encoder> is
not used because the parser changes the bean id without aliasing it to
BeanIds.AUTHENTICATION_MANAGER which is used by
AuthenticationManagerBeanDefinitionParser to look up the
AuthenticationManager bean.
This commit updates AuthenticationManagerBeanDefinitionParser to ensure
there is an alias to BeanIds.AUTHENTICATION_MANAGER when the id is
specified.
Fixes gh-3296
Previously the error message when multiple WebSecurityConfigurer with the
same Order did not include both WebSecurityConfigurer classes that were
involved in the duplicate Order. This made resolving errors difficult.
This commit ensures both WebSecurityConfigurers are include in the error
message.
Fixes gh-3380
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites
to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
(For example, sometimes attackers can compromise certificate authorities,
and then can mis-issue certificates for a web origin.)
The HTTPS web server serves a list of public key hashes, and on subsequent connections
clients expect that server to use 1 or more of those public keys in its certificate chain.
This commit will add this new functionality.
Fixes gh-3706
* Prevent a null LogoutHandler from being set when RememberMeServices
does not implement LogoutHandler
* Fix test which invoked Mock from outside spock which failed
* Add explicit test for adding null LogoutHandler to
RememberMeConfigurer
Previously, antMatchers(POST).authenticated() was not allowed. Instead
users had to use antMatchers(POST, "/**").authenticated().
Now we default the patterns to be "/**" if it is null or empty.
If a custom SecurityConfiguererAdapter applies another
SecurityConfigurerAdapter it caused an error securityBuilder cannot be null.
This commit fixes this.
ConditionalOnMissingBean can only work in a Spring Boot environment. This
means this approach is flawed.
Instead users that wish to override requestDataValueProcessor can use
@Primary.
Exposing a UserDetailsService as a bean is now all that is necessary
for Java based configuration. Additionally, an optional PasswordEncoder
bean can be used to configure password encoding.
Rob Winch
Johnny Lim
Matthias Merdes
Rob Winch
Leon Radley
Jeffrey Walraven
Nicolai Ehemann
Joe Grandja
Quinten De Swaef
Spring Buildmaster
Eddú Meléndez
Shazin Sadakath
Billy Korando
Wallace Wadge
Tim Ysewyn
Nikos Kastamoulas
William Gorder
Kazuki Shimizu
zhanhb