Commit Graph

3105 Commits

Author SHA1 Message Date
Josh Cummings 77f2977c55 Support SpEL Returning AuthorizationDecision
Closes gh-14599
2024-04-04 09:52:15 -07:00
Marcus Hert Da Coregio d85857f905 Add Authorization Denied Handlers for Method Security
Closes gh-14601
2024-04-03 09:25:12 -03:00
Marcus Hert Da Coregio 19d66c0b8a Introduce AuthorizationResult 2024-04-03 09:25:12 -03:00
Marcus Hert Da Coregio 7d66525e23 Add Compromised Password Checker
Closes gh-7395
2024-04-01 09:48:07 -03:00
Josh Cummings 148776309f Merge branch '6.2.x' 2024-03-22 14:33:57 -06:00
Josh Cummings afcce0c277 Merge branch '6.1.x' into 6.2.x
Closes gh-14795
2024-03-22 14:33:44 -06:00
Josh Cummings 7162046144 Remove Reference to MethodInvocationResult
Closes gh-14794
2024-03-22 14:33:23 -06:00
Ali-Hassan 04799c5aac Update AuthenticationProvider JavaDoc
Authentication is an interface, not a class. So, it's not correct
to say "instance of the Authentication class".
2024-03-22 11:27:58 -06:00
Josh Cummings e1c5dc0e66 Polish JavaDoc
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings 9898e0e993 Move AuthorizationAdvisorProxyFactory
To prevent package tangles

Issue gh-14596
2024-03-22 11:00:39 -06:00
Josh Cummings 12ea8a5738 Add Supplier Support
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings 795e44d11f Add Value-Type Ignore Support
Issue gh-14597
2024-03-22 11:00:39 -06:00
Josh Cummings ce54a6db18 Add TestAuthentication convenience method
Issue gh-14597
2024-03-19 10:27:03 -06:00
Josh Cummings d169d5a835 Add AuthorizeReturnObject
Closes gh-14597
2024-03-19 10:27:03 -06:00
Marcus Hert Da Coregio a8a9341f2e Merge branch '6.2.x'
Closes gh-14667
2024-03-18 06:43:37 -03:00
Marcus Hert Da Coregio a972338e1d Merge branch '6.1.x' into 6.2.x
Closes gh-14666
2024-03-18 06:43:09 -03:00
Marcus Hert Da Coregio f84c4ea583 Merge branch '5.8.x' into 6.1.x
Closes gh-14665
2024-03-18 06:42:43 -03:00
Marcus Hert Da Coregio 2c9dc08e43 Merge branch '5.7.x' into 5.8.x
Closes gh-14664
2024-03-18 06:40:34 -03:00
Marcus Hert Da Coregio 5a7f12f1a9 Check for null Authentication
Closes gh-14715
2024-03-18 06:39:08 -03:00
Josh Cummings c611b7e33b Add AuthorizationProxyFactory Reactive Support
Issue gh-14596
2024-03-15 11:44:30 -06:00
Josh Cummings f541bce492 Polish AuthorizationAdvisorProxyFactory
- Ensure Reasonable Defaults
- Simplify Construction

Issue gh-14596
2024-03-15 11:44:30 -06:00
Josh Cummings 52dfbfb5b3 Add Authorization Proxy Support
Closes gh-14596
2024-03-13 14:35:07 -06:00
Marcus Hert Da Coregio d17cbf4342 Merge branch '6.2.x'
Closes gh-14724
2024-03-12 10:19:05 -03:00
Marcus Hert Da Coregio 940efe76fc Merge branch '6.1.x' into 6.2.x
Closes gh-14723
2024-03-12 10:18:51 -03:00
Marcus Hert Da Coregio 8fe0303bad Merge branch '5.8.x' into 6.1.x
Closes gh-14722
2024-03-12 10:18:33 -03:00
Marcus Hert Da Coregio 8f42c86a57 Use AuthorizationInterceptorsOrder for Post Authorize Method Interceptors
Closes gh-14720
2024-03-12 10:17:45 -03:00
Josh Cummings c5a4405c54 Polish JavaDoc
Issue gh-14521
2024-02-26 10:59:54 -07:00
ruabtmh 09010f3f51 Add ContinueOnError Support For Failed Authentications
Closes gh-14521
2024-02-26 10:59:54 -07:00
Josh Cummings 4d383023cb Add meta-annotation parameter support
Closes gh-14480
2024-02-26 10:50:35 -07:00
Marcus Hert Da Coregio 21580fd27d Merge branch '6.2.x' 2024-02-16 13:31:20 -03:00
Marcus Hert Da Coregio 15306c1007 Merge branch '6.1.x' into 6.2.x 2024-02-16 13:21:15 -03:00
Rob Winch 750cb30ce4 Add AuthenticationTrustResolver.isAuthenticated 2024-02-16 13:08:29 -03:00
Marcus Hert Da Coregio 915d68e216 Remove includeExpiredSessions parameter
The reactive implementation of max sessions does not keep track of expired sessions; therefore, we do not need such a parameter

Issue gh-6192
2024-02-06 10:43:00 -03:00
DingHao b0da37d4fa Have Method Security Start at Target Class
Closes gh-13783
2024-02-01 09:33:25 -07:00
Sam Brannen 2b7d296994 Revise AuthorizationAnnotationUtils
This commit revises AuthorizationAnnotationUtils as follows.

- Removes code duplication by treating both Class and Method as
  AnnotatedElement.

- Avoids duplicated annotation searches by processing merged
  annotations in a single Stream instead of first using the
  MergedAnnotations API to find possible duplicates and then again
  searching for a single annotation via AnnotationUtils (which
  effectively performs the same search using the MergedAnnotations API
  internally).

- Uses `.distinct()` within the Stream to avoid the need for the
  workaround introduced in gh-13625. Note that the semantics here
  result in duplicate "equivalent" annotations being ignored. In other
  words, if @PreAuthorize("hasRole('someRole')") is present multiple
  times as a meta-annotation, no exception will be thrown and the first
  such annotation found will be used.

- Improves the error message when competing annotations are found by
  including the competing annotations in the error message.

- Updates AuthorizationAnnotationUtilsTests to cover all known,
  supported use cases.

- Configures correct role in @RequireUserRole.

Please note this commit uses
`.map(MergedAnnotation::withNonMergedAttributes)` to retain backward
compatibility with previous versions of Spring Security. However, that
line can be deleted if the Spring Security team decides that it wishes
to support merged annotation attributes via custom composed
annotations. If that decision is made, the
composedMergedAnnotationsAreNotSupported() test should be renamed and
updated as explained in the comment in that method.

See gh-13625
See https://github.com/spring-projects/spring-framework/issues/31803
2024-01-18 07:42:58 -07:00
Marcus Hert Da Coregio 85177c0178 Merge branch '6.2.x'
Closes gh-14408
2024-01-05 14:22:49 -03:00
Steve Riesenberg a32cd66179 Polish gh-14263 2023-12-26 11:56:42 -06:00
Federico Herrera 10e0f98d5e Add doc and javadoc for CachingUserDetailsService
Closes gh-10914
2023-12-26 10:57:58 -06:00
Taehong Kim ec02c22459 Add Request Path Extraction Support
Closes gh-13256
2023-12-19 18:15:49 -07:00
Angel Aguilera 13ad66807e Update messages_es_ES.properties
Uncomment and translate message property.
2023-12-14 10:24:19 -06:00
Josh Cummings db7c5d128b Fix Typos
Closes gh-14268
2023-12-11 11:34:52 -07:00
ahmd-nabil dfef781e33 Add default implementation in UserDetails
Closes gh-14275

Signed-off-by: ahmd-nabil <ahm3dnabil99@gmail.com>
2023-12-11 11:00:57 -07:00
Marcus Da Coregio 57ab15127a Add Max Sessions on WebFlux
Closes gh-6192
2023-12-11 09:48:34 -03:00
Josh Cummings 4a50d5aab3 Merge branch '6.2.x' 2023-12-09 11:52:31 -07:00
Josh Cummings 6e636e6abb Merge branch '6.1.x' into 6.2.x
Closes gh-14267
2023-12-09 11:50:58 -07:00
Josh Cummings 9f90661b6f Merge branch '5.8.x' into 6.1.x
Closes gh-14266
2023-12-09 11:43:04 -07:00
Josh Cummings be11812fe4 Account for Super-super-interface Inheritance
Closes gh-13625
2023-12-09 11:41:02 -07:00
Josh Cummings 92be497d24 Polish RoleHierarchyImpl#of
- Change to #fromHierarchy to match naming convention
- Keep existing test methods the same
- Deprecate setHierarchy and default constructor
- Add private Map constructor
- Adjust RoleHierarchyBuilder to use Map constructor

Issue gh-13788
2023-12-08 11:49:50 -07:00
Toshiaki Maki c1b3351569 Add RoleHierarchyImpl#of
Closes gh-13788
2023-12-08 11:49:50 -07:00
Josh Cummings bb6b55aca3 Add Not Support
Closes gh-14058
2023-12-07 16:24:19 -07:00
Yuriy Savchenko e49ae096e6 Add AuthorizationManager factory methods
Factory methods to create AuthorizationManager with a configurable default AuthorizationDecision.

Closes gh-13085
2023-12-07 15:20:08 -07:00
Josh Cummings ee8bc78cbc Polish RoleHierarchyImpl#Builder
- Added documentation
- Removed withNoRolePrefix for now; let's see how folks
use the minimal API first
- Adjusted class hierarchy to match AuthorizeHttpRequests more
closely
- Adjusted to match Spring Security style guide
- Added needed @since attributes

Issue gh-13300
2023-12-07 15:18:13 -07:00
Federico Herrera 7d366242ce Add RoleHierarchyImpl.Builder
Closes gh-13300
2023-12-07 15:18:13 -07:00
Angel Aguilera 1ce1ff92de Update messages_ca.properties
Add translation for new message properties
2023-12-07 15:28:06 -06:00
Josh Cummings d50698a269 Prepare for Spring Security 6.3
Closes gh-14210
2023-12-05 15:49:42 -07:00
YangSiJun528 3f6b6aa523 Update Javadoc for getAuthorizationDecision method
Added missing description for `@return` tag.
2023-11-21 10:07:42 -03:00
Marcus Hert Da Coregio e3ab1c94d7 Use assertj assertions 2023-11-17 09:04:50 -03:00
Marcus Hert Da Coregio a7da9491d9 Use assertj assertions 2023-11-17 09:03:36 -03:00
Josh Cummings 97516727a4 Add Coroutine Support
Closes gh-12080
2023-11-15 11:48:37 -07:00
Josh Cummings 24abf45128 Merge remote-tracking branch 'origin/6.1.x' 2023-11-07 13:13:29 -07:00
Josh Cummings f295e9d28f Merge branch '6.0.x' into 6.1.x
Closes gh-14111
2023-11-07 13:09:20 -07:00
Josh Cummings bb354f1895 Merge branch '5.8.x' into 6.0.x
Closes gh-14110
2023-11-07 13:07:25 -07:00
Josh Cummings 11a21896dd Defer SecurityContextHolderStrategy Lookup
Due to how early method interceptors are loaded during startup
it's reasonable to consider scenarios where applications are
changing the global security context holder strategy during
startup.

Closes gh-12877
2023-11-07 12:36:16 -07:00
Marcus Hert Da Coregio 6e0fb2fc96 Merge branch '6.1.x' 2023-11-06 15:03:06 -03:00
Marcus Hert Da Coregio 99c84aa935 Merge branch '6.0.x' into 6.1.x 2023-11-06 15:02:09 -03:00
Marcus Hert Da Coregio 3893136084 Remove Gradle deprecations
Stop using JavaPluginConvention type and replace outputFile with destinationFile

Issue gh-13864
2023-11-06 15:01:38 -03:00
Steve Riesenberg d0a5ada2da Fix formatting 2023-10-31 15:38:44 -05:00
Steve Riesenberg 447f40949c Revert unnecessary merges on 6.1.x
This commit removes unnecessary main-branch merges starting from
9f8db22b77 and adds the following
needed commit(s) that were made afterward:

- 4d6ff49b9d
- ed6ff670d1
- c823b00794
- 44fad21363
2023-10-31 15:22:15 -05:00
Steve Riesenberg 9db33f33c7 Revert unnecessary merges on 6.0.x
This commit removes unnecessary main-branch merges starting from
8750608b5b and adds the following
needed commit(s) that were made afterward:

- 5dce82c48b
2023-10-31 15:11:45 -05:00
Martin Lukas 1589d19c8b Fix typos in spring-security core module 2023-10-31 09:48:43 -03:00
valery1707 cc86afe658 Use same case for all fields in toString 2023-10-16 14:42:53 -06:00
Marcus Da Coregio 07b6c451fd Merge branch '6.1.x'
Closes gh-13884
2023-09-29 11:47:38 -03:00
Marcus Da Coregio 8adfc9b463 Merge branch '6.0.x' into 6.1.x
Closes gh-13883
2023-09-29 11:46:48 -03:00
Marcus Da Coregio 92c82191c9 Merge branch '5.8.x' into 6.0.x
Closes gh-13882
2023-09-29 11:46:00 -03:00
Marcus Da Coregio 64e2a2ff8b Apply updated Code Style
Closes gh-13881
2023-09-29 11:44:32 -03:00
Steve Riesenberg 7f61d40415 Fix code style 2023-09-27 10:51:08 -05:00
Marcus Da Coregio 33fb37e134 Fix Tests on JDK 21
Issue gh-13811
2023-09-27 11:59:09 -03:00
Steve Riesenberg ff374935fb Verify ReactorContext when using Virtual Threads
Closes gh-12791
2023-09-25 12:01:31 -05:00
Steve Riesenberg 247ce5dcab Add integration tests for virtual threads
Closes gh-12790
2023-09-19 10:39:05 -05:00
Steve Riesenberg ecf8467cac Fix tests on JDK 21
Issue gh-12790
Issue gh-13811
2023-09-19 10:39:04 -05:00
Steve Riesenberg d6ff58bb7f Update Mockito to 5.5.0
Closes gh-13810
2023-09-19 10:39:03 -05:00
Tim te Beek 9df9cb5aed refactor: AssertJ best practices
Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/bGVuS?organizationId=RGVmYXVsdA%3D%3D

Co-authored-by: Moderne <team@moderne.io>
2023-09-12 16:18:14 -06:00
Steve Riesenberg 92256f0522 Support nested suspend calls for Kotlin coroutines
Closes gh-13764
2023-09-05 00:23:30 -05:00
Josh Cummings 75e0068925 Merge branch '6.1.x' 2023-08-07 16:03:55 -06:00
Seongguk Jeong bcd4dcc15c Refactor equals method
Use the accessor method for fields instead of accessing them directly
2023-08-07 16:00:18 -06:00
Seongguk Jeong 8df8d4022e Fix documentation typo
changed "user name" to "username"
2023-08-07 16:00:18 -06:00
Seongguk Jeong de1357cbd1 Refactor equals method
To use the accessor method for username instead of directly accessing the attribute.
2023-08-07 16:00:18 -06:00
Seongguk Jeong ea19f82b8a Using pattern matching for instanceof 2023-08-07 16:00:18 -06:00
maimate-dev 7b2cb59dab Localize AccessDeniedException message
Closes gh-13419
2023-07-27 16:50:41 -05:00
Josh Cummings cf79af2386 Update Kotlin Test Usage
Issue gh-13539
2023-07-14 18:38:58 -06:00
Josh Cummings a08036aee5 Change from AwaitKt to MonoKt
Issue gh-13539
2023-07-14 18:38:58 -06:00
Josh Cummings 6c3636d780 Update Removed Usages
Issue gh-13544
2023-07-14 18:38:58 -06:00
Josh Cummings a99dff7de3 Remove Reference to LocalVariableTableParameterNameDiscoverer
Issue gh-2572
2023-07-14 18:38:58 -06:00
Josh Cummings b62dd851a2 Merge branch '6.1.x'
Closes gh-13489
2023-07-11 17:03:53 -06:00
Josh Cummings 0579be0d25 Merge branch '6.0.x' into 6.1.x
Closes gh-13488
2023-07-11 17:02:59 -06:00
Josh Cummings 6393702e70 Fix allOf/anyOf Abstain Logic
Closes gh-13487
2023-07-11 17:02:07 -06:00
Claudio Nave 52e12ad64b Replace deprecated methods 2023-06-22 13:19:55 -06:00
Evgeniy Cheban 0cefb27928 Simplify RequestMatcherDelegatingAuthorizationManager.Builder matcher registration
Closes gh-11624
2023-06-22 16:07:30 -03:00
Josh Cummings 339185998a Update JavaDoc
Issue gh-12782
2023-06-22 11:26:45 -06:00
kandaguru17 fa2bc745f7 Use AuthoritiesAuthorizationManager in Jsr250AuthorizationManager
Closes gh-12782
2023-06-22 11:25:54 -06:00
Krzysztof Krason 9b603b99ab Using modern Java features 2023-06-22 11:24:25 -06:00
Josh Cummings 97cff7c715 Polish TestingAuthenticationToken
Restore List constructor to retain binary compatibility.
2023-06-22 11:22:15 -06:00
Laurent Martelli f25d76c48f TestingAuthenticationToken takes broader collection type
So that callers do not have to cast.

Closes gh-12953
2023-06-22 11:22:15 -06:00
Josh Cummings fb910e2997 Prepare for Spring Security 6.2
Closes gh-14316
2023-06-22 11:03:28 -06:00
Steve Riesenberg 1f04baa4a3 Polish gh-13290
Issue gh-12533
2023-06-13 14:17:40 -05:00
Dmitry Korotych 4def405067 Allow authorities to be overridden in UserBuilder
Issue gh-12533
2023-06-13 14:12:47 -05:00
Josh Cummings 613165b86c Merge branch '6.0.x' 2023-05-11 11:46:10 -06:00
Josh Cummings c6c091b12e Merge branch '5.8.x' into 6.0.x 2023-05-11 11:43:37 -06:00
Josh Cummings 05ef215b88 Align Formatting
Issue gh-13132
2023-05-11 11:42:51 -06:00
Florian Cramer 9669747245 Ignore synthetic methods when checking for duplicate annotations
Closes gh-13132
2023-05-11 11:42:51 -06:00
SeasonPan a44e91d044 fix javadoc typo 2023-04-24 16:41:17 -06:00
Josh Cummings 9244989b2e Fix allOf/anyOf Abstain Logic
Closes gh-13069
2023-04-24 15:36:17 -06:00
Josh Cummings 072feb2fb8 Merge branch '6.0.x' 2023-04-24 12:52:36 -06:00
Josh Cummings 599ed3e96b Polish Format
Issue gh-13079
2023-04-24 12:52:26 -06:00
Josh Cummings 57294be795 Merge branch '6.0.x'
Closes gh-13083
2023-04-24 12:49:56 -06:00
Josh Cummings 73a543d318 Handle Empty Role
Closes gh-13079
2023-04-24 12:49:30 -06:00
Marcus Da Coregio 1a4a2a9055 Merge branch '5.8.x' into 6.0.x 2023-04-14 13:32:10 -03:00
Marcus Da Coregio 54117d7d27 Fix test suffix to align with checkstyle 2023-04-14 13:29:15 -03:00
Rob Winch 20b0156d5a Merge branch '6.0.x'
Closes gh-12984
2023-04-10 11:26:01 -05:00
Rob Winch 9c3f91a2d3 Merge branch '5.8.x' into 6.0.x
Closes gh-12983
2023-04-10 11:25:32 -05:00
Rob Winch 16dcfd1cfe Merge branch '5.7.x' into 5.8.x
Closes gh-12982
2023-04-10 11:25:01 -05:00
Yuanhang Guo c69df9fba0 Fix javadoc typo in ReactiveAuthorizationManager
Closes gh-12978
2023-04-10 11:24:49 -05:00
Josh Cummings 25ff3d69bd Polish WebFlux Observation contextualName
Issue gh-12156
2023-04-04 13:15:44 -06:00
Marcus Da Coregio 5e2dd0351d Merge branch '6.0.x'
Closes gh-12964
2023-04-04 10:21:52 -03:00
Petr Svoboda 44c4a4ae86 Add new DaoAuthenticationProvider constructor
Add a new constructor to the DaoAuthenticationProvider, which allows
providing a custom PasswordEncoder to prevent instantiation of the
default delegating PasswordEncoder in the default constructor.

This provides a way to instantiate the DaoAuthenticationProvider on JDKs
where the default delegating PasswordEncoder cannot be instantiated due
to limited JCE providers for compliance reasons (e.g., FIPS).

Closes gh-12874
2023-04-04 10:21:22 -03:00
Josh Cummings 607e40d366 Polish ObservationConvention Configuration
Change to setObservationConvention so that it reads more clearly
when used, for example `authenticationManager.setObservationConvention`
is clearer than `authenticationManager.setConvention`.

Change unit test names to follow team conventions.

Issue gh-12534
2023-03-28 15:01:26 -06:00
Josh Cummings f1b14de3ba Format ObservationConvention Configuration
Issue gh-12534
2023-03-28 15:01:26 -06:00
Braunson 8d933fcb03 Support Customizing Observation Conventions
Closes gh-12534
2023-03-28 15:01:26 -06:00
Josh Cummings a7562ad950 Update io.spring.javaformat to 0.0.38
Closes gh-12891
2023-03-20 10:44:35 -06:00
Josh Cummings f588f9fa9a Merge branch '6.0.x' 2023-03-03 15:02:51 -07:00
Josh Cummings acf48721cd Merge branch '5.8.x' into 6.0.x 2023-03-03 15:02:34 -07:00
Josh Cummings ebabcaa51a Merge branch '5.7.x' into 5.8.x 2023-03-03 15:02:07 -07:00
bist 094bf1b527 Validate hasRole Input
There is no check for the role prefix in AuthorizeHttpRequestsConfigurer#XXXrole
methods. This PR adds a check for the same. Now the configuration
will fail if the role(s) start with the prefix for the hasRole and hasAnyRole methods.

Closes #12581
2023-03-03 15:00:34 -07:00
Pascal Verdage 659b65a666 Fix javadoc typo 2023-02-15 15:20:48 -07:00
Marcus Da Coregio eb35d3055f Merge branch '6.0.x'
Closes gh-12640
2023-02-07 09:25:33 -03:00
Marcus Da Coregio 52ed165476 Move classpath checks to class member variable
Closes gh-11437
2023-02-07 09:25:06 -03:00
stillya 3229bfa40f Add empty authorities by default
Closes gh-12533
2023-01-30 15:37:10 -06:00
Josh Cummings f9d674cb10 Merge branch '6.0.x'
Closes gh-12525
2023-01-11 10:14:01 -07:00
Josh Cummings 4d2dab9b6b Lookup Parent Observation
Closes gh-12524
2023-01-11 10:13:33 -07:00
Evgeniy Cheban 782b792e7b SecuredAuthorizationManager should allow customizing underlying authorization manager
Closes gh-12233
2023-01-10 17:48:48 -07:00
Evgeniy Cheban 3369cf5fe9 Consider replacing SecurityExpressionRoot.AuthenticationSupplier with SingletonSupplier
Closes gh-12487
2023-01-06 11:21:33 -07:00
Evgeniy Cheban 1bbbd046c3 Polish gh-12231
- Update copyright header
- Use Set.of instead of HashSet in AuthorityAuthorizationManager
- Align roleHierarchy test name with other tests in AuthoritiesAuthorizationManagerTests
2023-01-05 10:50:52 -07:00
Evgeniy Cheban e0d676c03f SecuredAuthorizationManager should cache annotation's value
Closes gh-12232
2023-01-05 10:50:52 -07:00
Marcus Da Coregio 25133a97f9 Merge branch '6.0.x'
Closes gh-12436
2022-12-19 10:45:49 -03:00
Marcus Da Coregio f1824f8a5d Merge branch '5.8.x' into 6.0.x
Closes gh-12435
2022-12-19 10:45:25 -03:00
Guillaume Husta 36d83f863a Fix Javadoc since tag for class ExpressionAuthorizationDecision
Closes gh-12411
2022-12-19 10:44:36 -03:00
Evgeniy Cheban 855282ac3b Add Authority String AuthorizationManager
Closes gh-12231
2022-12-02 14:12:02 -07:00
Josh Cummings 6cbbf06456 Merge branch '6.0.x' 2022-11-30 14:20:01 -07:00
Josh Cummings a76b1f7a51 Merge branch '5.8.x' into 6.0.x 2022-11-30 14:19:38 -07:00
Josh Cummings 68a344d238 Merge branch '5.7.x' into 5.8.x 2022-11-30 14:18:59 -07:00