Eleftheria Stein
fb936e2780
Polish CookieRequestCacheTests
...
Issue gh-8817
Issue gh-8820
2020-07-21 15:02:21 +02:00
majian
41f26b768a
Improve request matching logic when using cookie
...
- Repair request cache deleted by mistake
- Fix RequestCache throw exception and error redirect.
Closes gh-8820
Closes gh-8817
2020-07-21 15:02:21 +02:00
Roman Sydorov
896b324722
Updated SimpleSavedRequest#getMethod
...
Before:
1. SimpleSavedRequest#getMethod returned null
2. SimpleSavedRequest(SavedRequest request) constructor did not set the method field from request
After:
1. SimpleSavedRequest#getMethod returns method property value
2. SimpleSavedRequest(SavedRequest request) constructor sets the method field from request
Closes gh-8675
2020-07-08 14:47:51 -06:00
Rob Winch
09fe6071e1
LoginPageGeneratingWebFilter honors context path
...
Closes gh-8807
2020-07-07 13:34:55 -05:00
Eleftheria Stein
4fb5ff35db
Polish CookieRequestCache
...
Issue gh-8034
2020-07-02 13:41:37 +02:00
Zeeshan Adnan
9708a2d63f
Adds cookie based RequestCache
...
fixes spring-projectsgh-8034
2020-07-02 07:11:16 -04:00
Josh Cummings
146d0b6358
Revert "Lock Dependency Versions for 5.4.0-M2"
...
This reverts commit 68538897c83a7ce8db0ec7275dbd10b1a548498f.
2020-07-01 13:11:50 -06:00
Josh Cummings
68538897c8
Lock Dependency Versions for 5.4.0-M2
2020-07-01 12:40:29 -06:00
michal
e113bd3c01
issue 5414 - configurable secure flag in CookieCsrfTokenRepository
...
While using the request's "isSecure" flag is a reasonable default, when webapps sit behind firewalls, sometimes the firewall does the SSL, and the traffic between the firewall and the app is plain HTTP (not HTTPS). In this case the "isSecure" flag on the request is always false, but we still want the XSRF-TOKEN cookie to be secure (the firewall forwards all cookies to the app, and the browser sends the secure cookie to the firewall).
It would be nice if we could configure the desired value for the secure flag of the cookie, just like we can configure the value for the httpOnly flag of the cookie.
2020-06-25 14:42:38 -05:00
Craig Andrews
c71352c548
Validate headers and parameters in StrictHttpFirewall
...
Adds methods to configure validation of header names and values and
parameter names and values:
* setAllowedHeaderNames(Predicate)
* setAllowedHeaderValues(Predicate)
* setAllowedParameterNames(Predicate)
* setAllowedParameterValues(Predicate)
By default, header names, header values, and parameter names that
contain ISO control characters or unassigned Unicode characters are
rejected. No parameter value validation is performed by default.
Issue gh-8644
2020-06-24 14:15:46 -06:00
Eleftheria Stein
12d20f99a1
Fix incorrect Javadoc
...
Closes gh-8744
2020-06-22 13:14:34 +02:00
Eleftheria Stein
c854f6b190
Add missing Javadoc
...
Closes gh-8743
2020-06-22 13:13:32 +02:00
Craig Andrews
efb6953017
Reject the NULL character in paths in StrictHttpFirewall
...
Adds `setAllowNull`
By default, denies null in paths
2020-06-18 10:19:37 -06:00
Rob Winch
ccbad61ae8
Change blacklist to blocklist
...
Closes gh-8676
2020-06-10 11:49:49 -05:00
Rob Winch
ca1252be94
Replace whitelist with allowlist
...
Issue gh-8676
2020-06-10 11:49:21 -05:00
Rob Winch
a907026eae
Deprecate X-FRAME-OPTIONS ALLOW-FROM Directive
...
Closes gh-8677
2020-06-10 11:48:56 -05:00
Joe Grandja
da4b626bf1
OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
...
Issue gh-8609
2020-06-09 17:28:21 -04:00
Eleftheria Stein
0a42aa26c8
Mock request with non-standard HTTP method in test
...
Fixes gh-8594
2020-05-26 10:16:56 -04:00
Astushi Yoshikawa
f08ca4e688
Throw exception if URL does not include context path when context relative
...
Issue: gh-8399
2020-05-20 14:02:17 -04:00
Rob Winch
dc514b369e
FilterInvocation Support Default Methods on HttpServletRequest
...
Closes gh-8566
2020-05-20 10:13:59 -05:00
cbornet
bfb401eeed
Create the CSRF token on the bounded elastic scheduler
...
The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.
Fixes gh-8128
2020-05-18 11:04:54 -05:00
Mathieu Ouellet
cd08102b93
Add debug logging
...
Goal is to provide insight to devs on:
- Authentication & Authorization success/failures
- WebSession & SecurityContext
- Request matchers, cache & authn/authz flow
Fixes gh-5758
2020-05-12 09:03:24 -05:00
Rob Winch
4473dca022
Polish matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed
...
Issue gh-8149
2020-05-11 17:20:16 -05:00
Parikshit Dutta
0f92415395
Fix non-standard HTTP method for CsrfWebFilter
...
Closes gh-8149
2020-05-11 17:19:57 -05:00
Artyom Tarynin
6db514a4e2
Update AntPathRequestMatcher.java
...
Fixed typo in JavaDoc. Actually, in these two cases, we are calling the constructor with a `boolean caseSensitive` which is equal to true. This means case sensitive.
2020-05-11 17:11:22 -04:00
Joe Grandja
86ca6b013c
Unlock dependencies
...
This reverts commit 206960cf448b38e643045468b2291e66bfbbd4a9.
2020-05-06 17:27:35 -04:00
Joe Grandja
206960cf44
Lock dependencies for 5.4.0-M1
2020-05-06 17:13:04 -04:00
Rob Winch
0483b3e042
Polish RequestRejectedHandler
...
Issue gh-5007
2020-05-01 10:51:11 -05:00
Leonard Brünings
b826c798f7
Add RequestRejectedHandler
...
Closes gh-5007
2020-05-01 10:51:01 -05:00
Oh Myung Woon
b7d3acc02c
Add constructors to AbstractAuthenticationProcessingFilter
...
Closes gh-8309
2020-04-09 13:53:06 -05:00
Mustafa Ulu
6bdd5f710f
Fix example in javadoc of FilterChainProxy
2020-04-07 21:05:12 +03:00
Rob Winch
91728ef53b
Fix HttpServlet3RequestFactory Logout Handlers
...
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.
This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.
Closes gh-4760
2020-03-30 17:50:28 -05:00
Josh Cummings
eed71243cb
SwitchUserFilter Defaults to POST
...
Fixes gh-4183
2020-03-27 13:41:49 -06:00
Zeeshan Adnan
935c547dde
Fix exception for empty basic auth header token
...
fixes spring-projectsgh-7976
2020-03-16 12:57:13 -04:00
Eleftheria Stein
47011eb9e2
Polish transfer session's max inactive interval
...
Issue: gh-2693
2020-03-12 12:11:14 -04:00
Venkata Jaswanth U
02b7d04027
Transfer session's max inactive interval
...
Fixes: gh-2693
2020-03-12 10:11:59 -04:00
Eleftheria Stein
b2ea0ba775
Polish SessionIdChangedEvent
...
Add AbstractSessionEvent; clean up license headers and Javadocs
Fixes: gh-5438
2020-03-06 12:04:49 -05:00
Venkata Jaswanth
5fc6414377
SessionRegistryImpl is now aware of SessionIdChangedEvent
2020-03-06 12:04:01 -05:00
Eleftheria Stein
ae532c080c
Add server request cache that uses cookie
...
Fixes: gh-8033
2020-03-05 15:36:47 -05:00
Eleftheria Stein
38979b1b09
Add test for ServerRequestCacheWebFilter
2020-03-05 14:57:07 -05:00
Josh Cummings
6eadf7b140
Unlock dependencies for 5.3.0.RELEASE
...
This reverts commit 147d7dadd7e449e1e8347f9a0b3959c7abf095dc.
2020-03-04 12:02:48 -07:00
Josh Cummings
147d7dadd7
Lock dependencies for 5.3.0.RELEASE
2020-03-04 10:28:39 -07:00
AmitB
2ce9eef95e
Fix typo in AntPathRequestMatcher constructor comment
2020-03-02 07:14:27 -06:00
Joe Grandja
82cd203791
Remove unnecessary mocking
...
Fixes gh-8012
2020-02-23 19:35:16 -05:00
Josh Cummings
5bdf57d1e5
Remove Groovy and Spock Dependencies
...
Fixes gh-4939
2020-02-10 10:38:40 -07:00
Josh Cummings
bae50ecc05
AbstractSecurityWebApplicationInitializerTests groovy->java
...
Issue gh-4939
2020-02-10 10:38:39 -07:00
Eleftheria Stein
84b8a5abd7
Unlock dependencies for next development version
...
This reverts commit 064616f1ef077cf23028d64b61b1452be0ec9eb1.
2020-02-05 15:53:04 +01:00
Eleftheria Stein
064616f1ef
Lock dependencies for 5.3.0.RC1
2020-02-05 10:20:05 +01:00
Josh Cummings
cb9fd09150
Change AuthenticationWebFilter's constructor
...
Fixes gh-7872
2020-01-31 09:31:28 -07:00
Peter Keller
e62fb755e8
Set charset of BasicAuthenticationFilter converter
...
Allow BasicAuthenticationFilter to pick up the given credentials charset.
Fixes: gh-7835
2020-01-23 15:34:35 +01:00