Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
9,753 Commits 32 Branches 333 Tags 109 MiB
Commit Graph

1795 Commits

Author SHA1 Message Date
Eleftheria Stein aeed286e8a Add AuthenticationManager to saml2Login Kotlin DSL 
Closes gh-9905
 2021-06-15 09:53:53 +02:00
Marcus Hert da Coregio 9d2db89838 Fix Adding Filter Relative to Custom Filter 
Closes gh-9787
 2021-06-14 14:37:21 -03:00
Josh Cummings 65239e93f9
Update Copyright Header 
Issue gh-9845
 2021-06-09 11:33:48 -06:00
Josh Cummings 5b49433ed1
Add GlobalMethodSecurityConfiguration Test 
Issue gh-9845
 2021-06-09 09:29:52 -06:00
Kay-Uwe Janssen 7a233c41f0 Some infrastructure beans are not marked properly 
Added missing infrastructure role to methodSecurityMetadataSource bean
and move the post processing of the defaultMethodExpressionHandler to
the end of afterSingletonsInstantiated.

Closes gh-9845
 2021-06-09 09:28:55 -06:00
theexiile1305 3074ad4136 Migrate Kotlin tests from java Mockito to Mockk 
Closes gh-9785
 2021-06-07 13:13:31 +02:00
Eleftheria Stein 204a32aba8 Replace < and > with &lt and &gt in Javadoc 
Closes gh-9847
 2021-06-04 12:26:07 +03:00
Rob Winch 68f91edbb8 Make XsdDocumentedTests Parsing More Lenient 
Closes gh-9830
 2021-05-27 18:37:14 -05:00
Rob Winch 8400b841e9 Improve XsdDocumentedTests Error Message 
This makes it easier to compare the expected and actual values.

Closes gh-9829
 2021-05-27 18:37:02 -05:00
Eleftheria Stein fa77f4c8ff Deprecate feature-policy where not already deprecated 
Issue gh-9262
 2021-05-19 10:04:09 +02:00
Eleftheria Stein be903b8e25 Cleanup unused import 2021-05-19 10:04:09 +02:00
Eleftheria Stein 1728b06b30 Ensure Kotlin 1.3 compatibility 
Closes gh-9765
 2021-05-19 10:04:08 +02:00
Josh Cummings 67e5c05a47 Polish AuthorizationManager Method Security 
- Removed consolidated pointcut advisor in favor of each interceptor
being an advisor. This allows Spring AOP to do more of the heavy
lifting of selecting the set of interceptors that applies
- Created new method context for after interceptors instead of
modifying existing one
- Added documentation
- Added XML support
- Added AuthorizationInterceptorsOrder to simplify interceptor
ordering
- Adjusted annotation lookup to comply with JSR-250 spec
- Adjusted annotation lookup to exhaustively search for duplicate
annotations
- Separated into three @Configuration classes, one for each set of
authorization annotations

Issue gh-9289
 2021-05-18 17:34:04 -06:00
Evgeniy Cheban 84e2e80915 Consider AuthorizationManager for Method Security 
Closes gh-9289
 2021-05-18 17:34:04 -06:00
Josh Cummings d203235567
Update to Spring Security 5.6 
Closes gh-9695
 2021-05-18 10:45:17 -06:00
Rob Winch 4d251157b2 opensaml4MainCompile 2021-05-17 23:21:17 -05:00
Rob Winch eda38b8f88 opensaml fixes 2021-05-17 15:51:55 -05:00
Rob Winch e5a652e749 Update to Kotlin 1.5.0 
Closes gh-9763
 2021-05-17 10:30:26 -05:00
Joe Grandja e51ca79954 Document Jwt Client Authentication support 
Closes gh-9578
 2021-05-14 22:58:44 -04:00
Joe Grandja f874a12ddb Document jwt-bearer authorization grant 
Closes gh-9580
 2021-05-14 14:48:37 -04:00
Josh Cummings ca2bc4feb3
Bump Schema Version 
Closes gh-9694
 2021-04-29 16:52:29 -06:00
Josh Cummings 4d564ffb50
Update AuthorizationManager references 
Issue gh-9692
 2021-04-28 11:58:30 -06:00
Josh Cummings 17cfc6ade3
Inline ResourceKeyConverterAdapter 
Closes gh-9689
Closes gh-9626
 2021-04-28 09:39:12 -06:00
Eleftheria Stein de0cd11a72 Fix PreAuthorize when returning Kotlin Flow 
Closes gh-9676
 2021-04-28 12:33:18 +02:00
Joe Grandja 53e94bca45 Add oauth2Login() tests 
Issue gh-9548 gh-9660 gh-9266
 2021-04-20 08:37:19 -04:00
Joe Grandja 5afeaa3ce7 WebFlux httpBasic() matches on XHR requests 
Closes gh-9660
 2021-04-20 08:36:42 -04:00
Rob Winch a31a855146 Fix HttpSecurity.addFilter* Ordering 
Closes gh-9633
 2021-04-14 17:47:31 -05:00
Denis Washington 2b4b856b32 Limit oauth2Login() links to redirect-based flows 
This prevents the generated login page from showing links for
authorization grant types like "client_credentials" which are
not redirect-based, and thus not meant for interactive use in
the browser.

Closes gh-9457
 2021-04-14 05:02:30 -04:00
Josh Cummings 163b5943ca
Revert AuthorizationManager Method Security 2021-04-12 15:53:22 -06:00
Josh Cummings 404a6c5674
Revert "Publish CsrfTokenRepository as shared object" 
This reverts commit d19ff12813.
 2021-04-12 14:43:37 -06:00
Josh Cummings 4e81bbe386
Revert "Add Saml2LogoutConfigurer" 
This reverts commit 6f52baba29.
 2021-04-12 14:43:19 -06:00
Josh Cummings 6f52baba29
Add Saml2LogoutConfigurer 
Closes gh-9497
 2021-04-10 00:25:34 -06:00
Josh Cummings d19ff12813
Publish CsrfTokenRepository as shared object 
Closes gh-9595
 2021-04-10 00:25:34 -06:00
Josh Cummings df8abcfae7
Use Interceptors instead of Advice 
- Interceptor is a more descriptive term for what
method security is doing
- This also allows the code to follow a delegate
pattern that unifies both before-method and after-
method authorization

Issue gh-9289
 2021-04-09 18:45:31 -06:00
Josh Cummings 6828987b4b
Add AfterMethodAuthorizationManager 
- Removes the need to keep MethodAuthorizationContext#returnObject
in sync with other method parameters
- Restores MethodAuthorizationContext's immutability

Closes gh-9591
 2021-04-09 18:43:56 -06:00
Josh Cummings 2b494ebc5f
Polish AOP Structure 
- Changed from MethodMatcher to Pointcut since authorization
annotations also can be attached to classes
- Adjusted advice to extend Before or AfterAdvice
- Adjusted advice to extend PointcutAdvisor so
that it can share its Pointcut
- Adjusted advice to extend AopInfrastructureBean to
align with old advice classes

Issue gh-9289
 2021-04-09 17:46:33 -06:00
Josh Cummings 62d77ec97e
Add GrantedAuthorityDefaults to Expression Handler 
Issue gh-9289
 2021-04-09 17:46:33 -06:00
Josh Cummings 68cf74468c
Add check for custom advice 
- Because publishing an advice bean replaces Spring Security
defaults, the code should error if both a custom bean and
either secureEnabled or prePostEnabled are specified

Issue gh-9289
 2021-04-09 17:46:33 -06:00
Josh Cummings 45376b359b
Adjust Packaging 
Issue gh-9289
 2021-04-09 17:46:32 -06:00
Evgeniy Cheban 20778f727b
Consider AuthorizationManager for Method Security 
Closes gh-9289
 2021-04-09 17:46:32 -06:00
Josh Cummings 7ded671858
Refactor AuthenticationDetailsSource support 
- BearerTokenAuthenticationFilter exposes this directly, simplifying
configuration and removing a package tangle

Closes gh-9576
 2021-04-09 12:41:16 -06:00
Eleftheria Stein e03fe7f089 Add coroutine support to pre/post authorize 
Closes gh-8143
 2021-04-09 19:33:06 +02:00
Rob Winch 60d3db5798 add management platform(project(":spring-security-dependencies")) 
Closes gh-9540
 2021-04-05 10:36:36 -05:00
Rob Winch 1a76ee7442 Update Gradle configuration names 
Closes gh-9540
 2021-04-05 10:36:36 -05:00
Eleftheria Stein 0f3df3e714 Consider Order on SecurityFilterChain bean definitions 
Closes gh-9154
 2021-03-24 11:02:29 +02:00
Eleftheria Stein f5fe64cd5b Fix typo 2021-03-24 11:00:37 +02:00
Josh Cummings d0d0a8d958 Add OpenSAML 4 Support 
Closes gh-9095
 2021-03-23 19:07:23 -06:00
Eleftheria Stein 4a492846f1 Revert "Lock dependencies for 2.5.0-M3" 
This reverts commit f05cc6269c.
 2021-03-15 23:18:45 +01:00
Eleftheria Stein f05cc6269c Lock dependencies for 2.5.0-M3 2021-03-15 11:00:19 +01:00
Josh Cummings b774e91734
Polish BearerTokenAuthenticationConverter 
Issue gh-8840
 2021-03-12 15:05:06 -07:00
Jeongjin Kim 31f310fd22
Add BearerTokenAuthenticationConverter 
BearerTokenAuthenticationConverter is introduced to solve the
problem of not being able to change AuthenticationDetailsSource.
BearerTokenAuthenticationFilter delegates to
BearerTokenAuthenticationConverter the task of creating
BearerTokenAuthenticationToken and setting AuthenticationDetailsSource.
BearerTokenAuthenticationConverter is customizable and the customized
converter can be used in BearerTokenAuthenticationFilter.

Closes gh-8840
 2021-03-12 15:05:06 -07:00
Eleftheria Stein 92b3a7b01b Clarify in .csrf() enables CSRF protection 
Closes gh-9489
 2021-03-05 16:11:12 +01:00
wonwoo cf2bb62442 Fix typo in doc 2021-03-05 14:09:30 +01:00
Han YanJing f3fa8e8800
Polish 
Issue gh-9310
 2021-03-02 12:04:22 -07:00
Han YanJing 6e41246a2b
Throw Saml2AuthenticationException 
Closes gh-9310
 2021-03-02 12:04:22 -07:00
Ivan Pavlov 857830f695 Add RememberMeDsl 
Issue: gh-9319
 2021-02-22 09:15:40 +01:00
Josh Cummings f129410ff9
Add Java 8 Polyfill for Apache DS tests 
Closes gh-9416
 2021-02-17 11:53:51 -07:00
Josh Cummings c4be1c6a56
Revert "Lock Dependencies" 
This reverts commit a85caa4098.
 2021-02-11 15:49:59 -07:00
Josh Cummings a85caa4098
Lock Dependencies 2021-02-11 15:00:38 -07:00
Josh Cummings ccb3b02888
Bearer Token Server-side Errors Return 500 
Closes gh-9395
 2021-02-10 12:35:34 -07:00
Josh Cummings ca5e303308
Fix Test Configuration 
- Typo in PlaceholderConfig was causing Windows builds to
resolve the CLASSPATH environment variable

Closes gh-9421
 2021-02-10 11:31:30 -07:00
Josh Cummings 3e1616c311
Remove BearerTokenAuthenticationWebFilter 
Closes gh-9377
 2021-01-26 10:23:17 -07:00
Josh Cummings 76229cfab7
Migrate SAML 2.0 Tests and Docs to PCFOne 
Issue gh-9362
 2021-01-22 15:14:03 -07:00
Ihor Ilkevych 43a071a89e Add WebFlux oauth2Login with formLogin test 
Closes gh-9326
 2021-01-20 15:04:06 -05:00
Josh Cummings 65d3b0d71c
Add ResourceKeyConverterAdapter 
Simplifies publishing RsaKeyConverters with
@ConfigurationPropertiesBinding

Issue gh-9316
 2021-01-15 22:15:56 -07:00
Ivan Pavlov f4d78d00ef Extend CorsDsl with CorsConfigurationSource property 
Issue: gh-9314
 2021-01-13 10:22:07 +01:00
Evgeniy Cheban 8449df9fd2
Consider Aligning MvcRequestMatcher's matching methods 
Closes gh-9284
 2021-01-09 21:42:16 +03:00
Eleftheria Stein 8cefc8a792 Fix bug with multiple AuthenticationManager beans 
Closes gh-9256
 2021-01-06 16:26:26 +01:00
Josh Cummings 337d24e6db
Update Copyright Messages 
Issue gh-9202
 2021-01-05 15:30:51 -07:00
Mazen Aissa c907838440
Make max-session configurable 
Closes gh-9202
 2021-01-05 15:30:51 -07:00
Josh Cummings c066e23a86
Add @since attributes 
Issue gh-8900
 2020-12-16 15:58:53 -07:00
Evgeniy Cheban 34b4b1054f Add AuthorizationManager 
Closes gh-8900
 2020-12-16 15:58:36 -07:00
Nick McKinney 5306d4c4d5 Minor cleanup on Ant / Regex Request Matchers 
- Removed duplicative code for transforming String into HttpMethod
 - Removed an unnecessary array initialization
 2020-12-14 14:19:23 +01:00
Nick McKinney 6be25df1db Introduced DispatcherType request matcher 
Created a DispatcherTypeRequestMatcher and corresponding methods
for configuring an HttpSecurity object. This enables filtering of
security rules based on the dispatcher type of the incoming servlet
request.

Closes gh-9205
 2020-12-14 14:19:23 +01:00
Christophe Gilles 54d3839f63 Add permissionsPolicy http header 2020-12-11 12:32:18 +01:00
Eleftheria Stein d3ef340b26 Fix typos 2020-12-03 11:05:22 +01:00
Joe Grandja 58e3235093 Deprecate ClientAuthenticationMethod BASIC and POST 
Closes gh-9220
 2020-11-25 15:13:28 -05:00
Josh Cummings 4602e9a661
Use HttpBasicConfigurer's Conneg Strategy 
Closes gh-9100
 2020-11-12 16:26:10 -07:00
Eleftheria Stein 5661e06e9c Fix typo UserDetailService -> UserDetailsService 2020-11-09 13:13:32 +01:00
Joe Grandja b95e1aa209 Revert "Lock dependencies for 5.5.0-M1" 
This reverts commit 25a7482c8c.
 2020-11-03 19:53:28 -05:00
Eleftheria Stein 5c8972b7d5 Add test for ordered WebSecurityCustomizers 
Issue gh-9154
 2020-11-02 14:19:14 +01:00
Rob Winch 25a7482c8c Lock dependencies for 5.5.0-M1 2020-10-30 17:52:03 -05:00
Eleftheria Stein aac6d2f56b Kotlin MockMvc result matchers use parentheses 
Closes gh-9155
 2020-10-27 10:57:49 +01:00
Josh Cummings b1a3aef4f8
Update Test Controllers 
Closes gh-9121
 2020-10-12 17:41:16 -06:00
Josh Cummings 366146ff80
Polish JWT Signature Algorithm Discovery 
- Moved support to JwtDecoders and ReactiveJwtDecoders since there is
already the expectation that those classes make an outbound connection
to complete configuration. Since there's no outbound connection when
configuring a NimbusJwtDecoder or NimbusReactiveJwtDecoder, it would be
more intrusive to change that.

Closes gh-7160
 2020-10-09 14:17:30 -06:00
Nick Hitchan 290786438c
Add Support for JWK Signature Algorithm Discovery 
Issue gh-7160
 2020-10-09 13:09:38 -06:00
Josh Cummings ce68431037
Bump Schema, Serialization, and Taglib to 5.5 2020-10-07 17:17:58 -06:00
Artem Grankin dc5f2444ae Replace expired msdn link with latest web archive copy 
Initial link expired in March, 2016. Latest copy found in web archive is from February, 2016
 2020-09-28 17:04:59 -06:00
Geonu Jeon fd615535b3 fix comment of authenticationFailureHandler 2020-09-24 05:18:22 -04:00
Phillip Webb c502312719 Replace expected @Test attributes with AssertJ 
Replace JUnit expected @Test attributes with AssertJ calls.
 2020-09-22 16:13:51 -06:00
Phillip Webb 20baa7d409 Replace ExpectedException @Rules with AssertJ 
Replace JUnit ExpectedException @Rules with AssertJ calls.
 2020-09-22 16:13:51 -06:00
Phillip Webb 910b81928f Replace try/catch with AssertJ 
Replace manual try/catch/fail blocks with AssertJ calls.
 2020-09-22 16:13:51 -06:00
Josh Cummings b667cbbb86
Align Raw Types 
Closes gh-9026
 2020-09-18 16:21:53 -06:00
Joe Grandja 7b1f574769 Revert "Lock Dependency Versions for 5.4.0" 
This reverts commit 3d0e459182.
 2020-09-09 18:14:12 -04:00
Joe Grandja 3d0e459182 Lock Dependency Versions for 5.4.0 2020-09-09 13:45:03 -04:00
Eleftheria Stein 4e2a050c14 Customizer for WebSecurity 
Closes gh-8978
 2020-09-09 09:34:52 -04:00
Josh Cummings fa7baf551d
Restructure Logs 
Followed common use cases based off of HelloWorld sample:
  - Public endpoint
  - Unauthorized endpoint
  - Undefined endpoint
  - Successful form login
  - Failed form login
  - Post-login redirect

Issue gh-6311
 2020-09-02 07:37:59 -06:00
Evgeniy Cheban 17f1540280 Resolve oauth2 client placeholders 
Closes gh-8453
 2020-09-01 08:26:44 -04:00
Eleftheria Stein 902fca65a4 Add authenticationManagerResolver to Kotlin DSL 
Closes gh-8981
 2020-08-28 11:48:55 +02:00
Rob Winch 2abf59b695 Merge Formatting Changes 
Issue gh-8945
 2020-08-24 17:33:23 -05:00