556891b4fa
Merge branch '6.0.x'
...
Closes gh-12512
2023-01-10 09:43:05 -03:00
d1fc789ae2
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12511
2023-01-10 09:42:48 -03:00
ae46032ced
Merge branch '5.7.x' into 5.8.x
...
Closes gh-12510
2023-01-10 09:39:40 -03:00
ffdb397830
Save the SecurityContext when switching user
...
Closes gh-12504
2023-01-10 09:27:56 -03:00
f3ce04e59a
Merge branch '6.0.x'
...
Closes gh-12493
2023-01-06 11:15:03 -07:00
c308e4665a
Polish Event Name
...
Provide a name with no spaces separate from the human-friendly
one with spaces.
Closes gh-12490
2023-01-06 11:13:11 -07:00
c0fe74869f
Merge branch '6.0.x'
...
Closes gh-12484
2023-01-04 10:54:10 -07:00
27b3f4d403
Adjusts setRequestHandler javadoc in CsrfWebFilter
...
Adjusts setRequestHandler method javadoc in CsrfWebFilter class to reflect changes in 6.0.
In 6.0, the default ServerCsrfTokenRequestHandler changed to XorServerCsrfTokenRequestAttributeHandler, however, the javadoc for the setRequestHandler method still said it was ServerCsrfTokenRequestAttributeHandler.
This change adjusts the information to make it more accurate, because, although XorServerCsrfTokenRequestAttributeHandler is a subclass of ServerCsrfTokenRequestAttributeHandler, the behavior is quite different.
Closes gh-12465
2023-01-04 10:53:47 -07:00
c2d0ea3694
Merge branch '6.0.x'
...
Closes gh-12369
2022-12-12 16:55:32 -03:00
898c36287c
Merge branch '5.8.x' into 6.0.x
...
Closes gh-12368
2022-12-12 16:55:14 -03:00
99d6d21554
Apply SecurityContextHolderFilter to all dispatcher types
...
Closes gh-11962
2022-12-12 11:45:24 -08:00
886d1ffec2
Remove Deprecated Usage
...
Issue gh-12086
2022-12-05 11:00:57 -07:00
8ef2fc3837
Format
...
Issue gh-12086
2022-12-05 10:51:42 -07:00
8717b7544a
Perform JUnit 5 clean up tasks
...
- For CookieCsrfTokenRepositoryTests and
CookieServerCsrfTokenRepositoryTests
Issue gh-12086
2022-12-05 10:51:41 -07:00
b79ba89eeb
Add setCookieCustomizer to csrf token repository
...
- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and
setSecure as deprecated.
- Add the method setCookieCustomizer which allows to set properties
to the ResponseCookieBuilder without having to add new setter methods.
Closes gh-12086
2022-12-05 10:51:40 -07:00
701f754e37
Cast FilterChainObservationContext Safely
...
Closes gh-12268
2022-11-29 16:24:56 -07:00
fd547321e8
Default to XorCsrfTokenRequestAttributeHandler
...
As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.
Issue gh-11960
Closes gh-12235
2022-11-18 22:50:26 -06:00
5da78f44f2
Merge branch '5.8.x'
2022-11-18 14:54:33 -06:00
2ed7cff643
Check for existing token before clearing
...
Closes gh-12236
2022-11-18 13:12:59 -06:00
24860d9fb0
Observe Filter Start and Stop
...
Issue gh-11911
2022-11-17 15:11:29 -07:00
e08ed89403
Polish Span and Meter Names
...
Closes gh-12156
2022-11-17 15:09:52 -07:00
063f06e7bf
Register FilterChainProxy for all dispatcher types
...
Closes gh-12180
2022-11-16 09:55:21 -03:00
1a3be83084
Merge branch '5.8.x'
...
Closes gh-12185
2022-11-09 12:28:37 -06:00
57b163bb78
Polish gh-12141
2022-11-09 12:19:43 -06:00
2a261e0583
Add Jakarta WebSocket 2.1 test dependency to spring-security-web
...
Issue gh-12148
2022-11-08 09:54:34 -03:00
3b5d19c8a4
Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1
...
Closes gh-12146
Closes gh-12148
2022-11-08 08:34:21 -03:00
36f668dd9c
Merge branch '5.8.x'
...
Closes gh-12142
2022-11-04 18:12:34 -05:00
6b0ed0205b
Re-generate tokens in CookieCsrfTokenRepository
...
Fixes support for re-generating tokens within a request such as when
CsrfAuthenticationStrategy removes a null token and saves an empty
cookie value on the response.
Closes gh-12141
2022-11-04 18:10:15 -05:00
801ceb0832
Merge branch '5.8.x'
2022-10-31 08:58:14 -05:00
66f2f1cde7
Merge branch '5.7.x' into 5.8.x
2022-10-31 08:55:03 -05:00
2915a70bf7
Merge branch '5.6.x' into 5.7.x
2022-10-28 13:05:48 -05:00
6530777742
Merge branch '5.5.x' into 5.6.x
...
Closes gh-dry-run
2022-10-28 11:31:50 -05:00
1f481aafff
Fix AuthorizationFilter incorrectly extending OncePerRequestFilter
...
Closes gh-12102
2022-10-28 11:29:35 -05:00
d651da5ac3
Merge remote-tracking branch 'origin/5.8.x'
...
Closes gh-12077
2022-10-24 16:54:03 -06:00
dd30694979
Merge remote-tracking branch 'origin/5.7.x' into 5.8.x
...
Closes gh-12076
2022-10-24 16:46:08 -06:00
2b426872a3
Use InetSocketAddress#getHostString
...
Sometimes InetSocketAddress#getAddress#getHostAddress retuns null.
In that case, call InetSocketAddress#getHostString instead.
There is no performance loss since IpAddressMatcher#matches attemptsi
to re-parse and resolve the address anyway.
Closes gh-11888
2022-10-24 16:32:19 -06:00
8554e70c09
Remove deprecated loadContext(request)
...
Closes gh-12048
2022-10-17 20:13:51 -05:00
e238b721bb
Fix imports in DelegatingSecurityContextRepository
...
Issue gh-12023
2022-10-17 19:36:25 -05:00
bd43c1f28a
Merge branch '5.8.x'
...
# Conflicts:
# web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
# web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
2022-10-17 19:35:27 -05:00
acc35aeb18
Add DelegatingSecurityContextRepository
...
Issue gh-12023
2022-10-17 19:33:58 -05:00
c75ca10900
Add DeferredSecurityContext
...
Issue gh-12023
2022-10-17 19:33:58 -05:00
f4cc27c375
Change Default for (Server)AuthenticationEntryPointFailureHandler
...
Closes gh-9429
2022-10-13 20:03:03 -06:00
5afc7cb04f
Merge remote-tracking branch 'origin/5.8.x'
2022-10-13 19:48:05 -06:00
099aaa33ff
Remove Deprecation Markers
...
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.
Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.
At that time, BearerTokenAuthenticationFilter can change to use
the handler.
Closes gh-11932
2022-10-13 19:47:22 -06:00
200b7fecd3
Add (Server)AuthenticationEntryPointFailureHandlerAdapter
...
Issue gh-11932, gh-9429
(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.
BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
2022-10-13 19:25:04 -06:00
9090f62d9b
Merge branch '5.8.x'
2022-10-13 16:46:53 -05:00
56b9badcfe
AnonymousAuthenticationFilter should cache its Supplier<SecurityContext>
...
Closes gh-11900
2022-10-13 16:44:48 -05:00
45a963a011
Remove CsrfWebFilter.setTokenFromMultipartDataEnabled
...
Closes gh-12019
2022-10-13 11:29:16 -05:00
753e113a13
RequestMatcherDelegatingAuthorizationManager defaults to deny
...
Closes gh-11958
2022-10-13 11:12:00 -04:00
2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
...
Closes gh-11960
2022-10-13 09:39:57 -05:00
2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
...
Issue gh-11960
2022-10-13 09:39:55 -05:00
6026f9f70f
Merge branch '5.8.x'
2022-10-13 06:31:37 -04:00
185991a606
Revert "Add default AuthorizationManager"
...
This reverts commit 4ddec07d0e
2022-10-13 06:18:00 -04:00
2713075d08
Mark Observations with Firewall Failures
...
Closes gh-11994
2022-10-12 20:32:24 -06:00
46ab84684b
Mark Observations with CSRF Failures
...
Closes gh-11993
2022-10-12 20:32:23 -06:00
99a87179dd
Instrument Filter Chain
...
Closes gh-11911
2022-10-12 20:32:22 -06:00
9b43950e13
Merge branch '5.8.x'
2022-10-12 13:14:20 -05:00
8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests
2022-10-12 12:31:56 -05:00
804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests
2022-10-12 12:30:40 -05:00
05e4a1dd20
Cache Xor CsrfToken
...
Closes gh-11988
2022-10-12 12:30:40 -05:00
c5e35bf32e
Merge branch '5.8.x'
...
Closes gh-11978
2022-10-10 09:24:50 -03:00
4b6fed0667
Add static factory method to AntPathRequestMather and RegexRequestMatcher
...
Closes gh-11938
2022-10-10 09:24:15 -03:00
27059ced87
Default X-Xss-Protection header value to "0"
...
Closes gh-9631
2022-10-07 17:42:55 -05:00
6753f9745e
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
# docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
f462134e87
Add reactive support for BREACH
...
Closes gh-11959
2022-10-07 16:34:17 -05:00
f4ca90e719
Add reactive interfaces for CSRF request handling
...
Issue gh-11959
2022-10-07 16:34:16 -05:00
c4d23f2b49
Use MvcRequestMatcher by default if Spring MVC is present
...
Closes gh-11899
2022-10-06 09:12:04 -03:00
353ca76973
Merge remote-tracking branch 'origin/5.8.x'
2022-10-06 00:01:40 -06:00
380a6a2564
Polish SecurityContextHolderStrategy Usage
...
- Add to HttpSessionSecurityContextRepository#saveContext
Issue gh-11060
2022-10-05 23:59:14 -06:00
72a46ddd31
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 22:48:33 -06:00
f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler
...
Issue gh-11105
2022-10-05 21:47:14 -06:00
eeb28e4f91
Merge remote-tracking branch 'origin/5.8.x'
2022-10-05 21:45:26 -06:00
4ddec07d0e
Add default AuthorizationManager
...
Closes gh-11963
2022-10-05 21:37:41 -06:00
ee9449dbfe
Fix tests for deferred CSRF tokens
...
Issue gh-4001
2022-10-05 16:10:36 -05:00
521cdfd738
Use correct servlet imports
...
Issue gh-4001
2022-10-05 16:10:35 -05:00
8b490de08d
Merge branch '5.8.x'
...
# Conflicts:
# docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
dce1c30522
Add support for BREACH
...
Closes gh-4001
2022-10-05 14:21:13 -05:00
5de6da890b
Merge branch '5.8.x'
...
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
...
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler
Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
7c3cc1e386
Merge branch '5.8.x'
2022-10-03 14:29:51 -05:00
0e215a21ad
Add X-Xss-Protection headerValue to XML config
...
Issue gh-9631
2022-10-03 14:29:34 -05:00
ad2abd39dc
Merge branch '5.8.x'
...
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
039e0328e1
Simplify Java Configuration RequestMatcher Usage
...
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity
Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
5f2744db33
Merge branch '5.8.x'
...
Closes gh-11937
2022-10-03 11:43:22 -03:00
64a19de4dc
Deprecate HPKP security header
...
Closes gh-10144
2022-10-03 11:36:19 -03:00
4479cefade
Default Require Explicit Session Management = true
...
Closes gh-11763
2022-09-30 21:49:05 -05:00
76fbca9f46
Merge branch '5.8.x'
2022-09-30 09:50:02 -05:00
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
...
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".
This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.
This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.
Issue gh-9631
2022-09-30 09:38:08 -05:00
e0e6467d9b
Remove UsernamePasswordAuthenticationToken check
...
This commit reverts 21dd050d7b
2022-09-29 15:25:53 -05:00
1e0e9a2c98
Allow authenticationIsRequired to be overridden
...
Issue gh-10347
2022-09-29 15:25:53 -05:00
bcb21c9384
Merge branch '5.8.x'
...
# Conflicts:
# config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
...
Closes gh-11896
2022-09-23 15:09:00 -05:00
3c66ef6305
Change default SecurityContextRepository
...
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.
Closes gh-11026
2022-09-22 17:31:14 -05:00
ccac34b07c
Merge branch '5.8.x'
2022-09-22 16:45:48 -05:00
d140d95305
Fix assertion in NullSecurityContextRepository
...
Issue gh-11060
2022-09-22 15:33:22 -05:00
5d757919a2
Add SecurityContextHolderStrategy to new repository
...
In 6.0, RequestAttributeSecurityContextRepository will be the default
implementation of SecurityContextRepository. This commit adds the
ability to configure a custom SecurityContextHolderStrategy, similar
to other components.
Issue gh-11060
Closes gh-11895
2022-09-22 15:33:21 -05:00
0efe26c1fd
Merge branch '5.8.x'
...
Closes gh-11894
2022-09-22 13:47:04 -05:00
d94677f87e
CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
...
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.
Closes gh-11892
2022-09-22 11:09:44 -05:00
2a487ae7f8
Updated hashcode and equals
...
Closes gh-4133
2022-09-20 16:36:37 -06:00
46f402243b
Merge remote-tracking branch 'origin/5.8.x'
2022-09-20 16:11:16 -06:00
Marcus Da Coregio
Josh Cummings
Wellington Domiciano
Alex Montoya
Steve Riesenberg
David Becker
Daniel Garnier-Moiroux
Evgeniy Cheban
Joe Grandja
Rob Winch
Daniel Garnier-Moiroux
shazin