Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-23 06:58:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
12,069 Commits 33 Branches 337 Tags
Commit Graph

2029 Commits

Author SHA1 Message Date
Josh Cummings
f261242db1
Merge branch '5.7.x' into 5.8.x 2023-04-24 16:33:29 -06:00
Ruslan Stelmachenko
caa4093619 Fix javadoc for migration from WebSecurityConfigurerAdapter 2023-04-24 16:32:16 -06:00
Marcus Da Coregio
6cf8c53aaa Merge branch '5.7.x' into 5.8.x 2023-04-17 07:16:47 -03:00
Marcus Da Coregio
2d52fb8e4b Clear Repository on Logout 2023-04-17 06:47:57 -03:00
Marcus Da Coregio
54117d7d27 Fix test suffix to align with checkstyle 2023-04-14 13:29:15 -03:00
Marcus Da Coregio
fd65dc6756 Merge branch '5.7.x' into 5.8.x 2023-03-22 10:08:17 -03:00
Martin Tarjányi
5eefe9dcff Fix typo in SessionManagementConfigurer javadoc 2023-03-22 10:07:44 -03:00
Marcus Da Coregio
97ba596ca3 Merge branch '5.7.x' into 5.8.x 
Closes gh-12776
 2023-02-23 15:17:04 -03:00
Marcus Da Coregio
1c3ce1e401 Fix entity-id ignored in RelyingPartyRegistration XML config 
Closes gh-11898
 2023-02-23 15:16:40 -03:00
Josh Cummings
0baf650f38
Merge branch '5.7.x' into 5.8.x 
Closes gh-12686
 2023-02-16 14:55:22 -07:00
Leonid Rozenblyum
000b4bc495 Fix NPE in HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter 
Before the fix, these methods would throw a NPE in case when the filter class passed as the second parameter, is not registered yet.

In particular, this exception can occur when mixing standard and custom DSL to register filters.

The fix doesn't change the situation that standard DSL for registration of filters cannot refer to filters that are registered via custom DSL even though those calls were done earlier.

It just provides more user-friendly error handling for this and most likely other scenarios of calls of HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter.

The error handling is implemented similarly to HttpSecurity#addFilter.

Closes gh-12637
 2023-02-16 14:54:44 -07:00
Steve Riesenberg
c306df9b46
Add XorCsrfChannelInterceptor 
Issue gh-12378
 2023-01-23 16:00:35 -06:00
Marcus Da Coregio
7aaa25b88e Merge branch '5.7.x' into 5.8.x 2022-12-05 14:40:54 -08:00
Marcus Da Coregio
fc25b87967 Merge branch '5.6.x' into 5.7.x 2022-12-05 14:40:38 -08:00
Mitja Kotnik
f39f215140 Replace javadoc with SecurityFilterChain bean definition 2022-12-05 14:40:05 -08:00
Guillaume Husta
a5464ed819 Fix typo in DefaultLoginPageConfigurer Javadoc 
'isLogoutRequest' seems to have nothing to do here.
 2022-12-05 14:31:15 -08:00
Marcus Da Coregio
e774bd480b Merge branch '5.7.x' into 5.8.x 
Closes gh-12261
 2022-11-21 10:25:43 -03:00
Marcus Da Coregio
f561d3784e Improve deprecation notice in WebSecurityConfigurerAdapter 
Closes gh-12260
 2022-11-21 10:05:08 -03:00
Steve Riesenberg
ea6ce05662
Add configurer tests for CookieCsrfTokenRepository 
Issue gh-12236
 2022-11-18 13:12:59 -06:00
Steve Riesenberg
2ed7cff643
Check for existing token before clearing 
Closes gh-12236
 2022-11-18 13:12:59 -06:00
Jan Marten
2301e8ca77
Fix Javadoc in EnableWebSocketSecurity 
Add missing method name in EnableWebSocketSecurity JavaDoc code example.
 2022-11-16 16:51:42 -06:00
Josh Cummings
3192618220
Add authenticationFailureHandler 
- To ServerHttpSecurity#httpBasic
- To ServerHttpSecurity#oauthResourceServer

Closes gh-12132
 2022-11-02 15:35:01 -06:00
Josh Cummings
6622e0135a
Merge branch '5.7.x' into 5.8.x 
Closes gh-12126
 2022-11-01 18:06:41 -06:00
Josh Cummings
6efac34ca7
Merge branch '5.6.x' into 5.7.x 
Closes gh-12125
 2022-11-01 18:06:01 -06:00
Koos Gadellaa
5c4362bbc4
Refresh parsers when not found 
Closes gh-3065
 2022-11-01 18:05:15 -06:00
Rob Winch
d860775b45 Document Defer load CsrfToken 
Closes gh-12105
 2022-10-28 15:41:25 -05:00
mmoussa_mapfreusa
bd4e0fb5db
Set LogoutRequestRepository on Saml2 LogoutSuccessHandler 
Closes gh-11363
 2022-10-26 16:44:23 -06:00
Steve Riesenberg
c75ca10900
Add DeferredSecurityContext 
Issue gh-12023
 2022-10-17 19:33:58 -05:00
Steve Riesenberg
440748ec65
Add test support for Xor CSRF tokens 
Issue gh-4001
 2022-10-12 15:02:15 -05:00
Steve Riesenberg
37fa49b32d
Polish gh-11952 2022-10-07 17:40:12 -05:00
Steve Riesenberg
f462134e87
Add reactive support for BREACH 
Closes gh-11959
 2022-10-07 16:34:17 -05:00
Steve Riesenberg
f4ca90e719
Add reactive interfaces for CSRF request handling 
Issue gh-11959
 2022-10-07 16:34:16 -05:00
Marcus Da Coregio
f3321c256c Add XML support for shouldFilterAllDispatcherTypes 
Closes gh-11492
 2022-10-07 10:20:32 -03:00
Marcus Da Coregio
8a5aed2983 Add deprecation warning to CsrfDsl#ignoringAntMatchers 
Issue gh-11347
 2022-10-06 13:50:38 -03:00
Marcus Da Coregio
bc4ad52feb Add deprecation warning to mvcMatchers methods 
Issue gh-11347
 2022-10-06 13:21:27 -03:00
Josh Cummings
0c0e298aa7
Polish Saml2 XML Use of SecurityContextHolderStrategy 
Issue gh-11061
 2022-10-05 23:38:14 -06:00
Josh Cummings
b4d13e7726
Polish use-authorization-manager 
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together

Issue gh-11305
 2022-10-05 22:21:09 -06:00
Josh Cummings
7043ef6ccb
Polish OpaqueTokenAuthenticationConverterTests 
Issue gh-11665
 2022-10-05 22:18:41 -06:00
Steve Riesenberg
dce1c30522
Add support for BREACH 
Closes gh-4001
 2022-10-05 14:21:13 -05:00
Steve Riesenberg
1d706ae13d
Add csrfTokenRequestResolver to CsrfDsl 
Closes gh-11952
 2022-10-05 13:35:23 -05:00
Marcus Da Coregio
bf6e85ec15 Accept String varargs in securityMatcher 
Issue gh-9159
 2022-10-05 13:44:08 -03:00
Steve Riesenberg
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken 
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
 2022-10-03 17:10:54 -05:00
Daniel Garnier-Moiroux
0e215a21ad
Add X-Xss-Protection headerValue to XML config 
Issue gh-9631
 2022-10-03 14:29:34 -05:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage 
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
 2022-10-03 15:55:20 -03:00
Steve Riesenberg
7f9600ae08
Polish gh-11896 2022-10-03 09:57:08 -05:00
Marcus Da Coregio
64a19de4dc Deprecate HPKP security header 
Closes gh-10144
 2022-10-03 11:36:19 -03:00
Rob Winch
6d56af7b65 SessionManagementDsl.requireExplicitAuthenticationStrategy 2022-09-30 21:37:44 -05:00
Daniel Garnier-Moiroux
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity 
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
 2022-09-30 09:38:08 -05:00
Marcus Da Coregio
cf3349f31a Configure ContentNegotiationStrategy in HttpSecurityConfiguration 
Closes gh-11916
 2022-09-29 11:21:08 -03:00
Josh Cummings
506e50bfd0
Move Saml2 Authentication Filters 
Issue gh-8819
 2022-09-26 10:44:27 -06:00