Spring Security
Ashley Scopes dd43d9198b Amended treatment of OAuth2 'iss' claim
Prior to this commit, the OAuth2 resource server code is failing any issuer
that is not a valid URL. This does not correspond to
https://datatracker.ietf.org/doc/html/rfc7662#page-7 which redirects to
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1, defining an
issuer as being a "StringOrURI", which is defined at
https://datatracker.ietf.org/doc/html/rfc7519#page-5 as being
an "arbitrary string value" that "MUST be a URI" only for
"any value containing a ':'".

The issue currently is that an issuer that is not a valid URL may be
provided, which will automatically result in the request being aborted
due to being invalid.

I have removed the check entirely, since while the claim could be invalid,
it is still a response that the OAuth2 introspection endpoint has provided.
In the likelihood that interpretations of this behaviour are different for
the OAuth2 server implementation in use, this currently stops Spring
Security from being able to be used at all without implementing a custom
introspector from scratch.

It is also worth noting that the spec does not specify whether it is
valid to normalize issuers or not if they are valid URLs. This may cause
other unintended side effects as a result of this change, so it is
safer to disable it entirely.
2021-09-15 15:05:08 -06:00
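As an added illustration (not Spring Security's own code) of the StringOrURI rule the commit message cites: a small Java check that accepts any non-empty string as `iss`, requires a value containing `:` to parse as a URI, and compares the claim to the configured issuer by exact string match rather than normalizing it. The class name and the expected-issuer value are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Spring Security's own code: validates an introspection
// response's "iss" claim against RFC 7519's StringOrURI definition and
// compares it to the configured issuer without any URL normalization.
public final class IssuerClaimCheck {
    private final String expectedIssuer; // assumed to come from resource-server config

    public IssuerClaimCheck(String expectedIssuer) {
        this.expectedIssuer = expectedIssuer;
    }

    // RFC 7519 StringOrURI: any string is allowed, but a value containing ':'
    // MUST be a URI. java.net.URI stands in for the RFC 3986 grammar here;
    // a parsed value must at least carry a scheme.
    static boolean isStringOrUri(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        if (value.indexOf(':') < 0) {
            return true; // e.g. "my-authorization-server" is a valid issuer
        }
        try {
            return new URI(value).getScheme() != null;
        } catch (URISyntaxException ex) {
            return false;
        }
    }

    // Returns null when the claim is accepted, otherwise the rejection reason.
    // "iss" is OPTIONAL in both RFC 7662 and RFC 7519, so an absent claim is
    // accepted here; a deployment that requires it can tighten this.
    public String check(Object issClaim) {
        if (issClaim == null) {
            return null;
        }
        if (!(issClaim instanceof String) || !isStringOrUri((String) issClaim)) {
            return "iss is not a valid StringOrURI: " + issClaim;
        }
        // Exact match only: the spec does not say issuers may be normalized, so
        // "https://as.example/" and "https://as.example" are different issuers.
        return issClaim.equals(this.expectedIssuer) ? null : "iss does not match the configured issuer";
    }

    public static void main(String[] args) {
        IssuerClaimCheck check = new IssuerClaimCheck("https://as.example/oauth2"); // constructed value
        for (String iss : new String[] {"https://as.example/oauth2", "https://as.example/oauth2/", "urn:example:as", "not a uri:x"}) {
            System.out.println(iss + " -> " + check.check(iss));
        }
    }
}
```

The trailing-slash case shows why the commit message flags normalization: with exact matching, an introspection response whose issuer differs only in a trailing slash is rejected, so the configured value must match what the authorization server actually returns.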
.github Update CI deployments to be dependent on Check Samples 2021-08-19 10:13:38 -03:00
.idea Fix checkstyle rules could not be parsed 2020-11-23 14:33:18 -05:00
acl Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
aspects Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
bom fix bom 2021-05-17 22:29:45 -05:00
buildSrc Update io.projectreactor to 2020.0.10 2021-08-16 14:18:54 -05:00
cas Immutable SecurityContext 2021-08-11 17:12:13 -06:00
config Add Saml2LogoutConfigurer 2021-09-13 16:39:48 -06:00
core Polish SecurityContextChangedEvent 2021-09-13 16:04:36 -06:00
crypto Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
data Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
dependencies Update org.slf4j to 1.7.32 2021-08-16 14:18:54 -05:00
docs Fix some list punctuation and capitalization in docs 2021-09-15 10:49:02 -06:00
etc Add Saml2ParameterNames 2021-09-14 17:40:12 -06:00
gradle/wrapper Update to Gradle 6.9 2021-05-14 13:39:18 -05:00
itest Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
ldap Disable ApacheDSContainerTests on Windows 2021-07-15 20:28:57 -05:00
messaging Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
oauth2 Amended treatment of OAuth2 'iss' claim 2021-09-15 15:05:08 -06:00
openid Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
remoting Immutable SecurityContext 2021-08-11 17:12:13 -06:00
rsocket Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
saml2/saml2-service-provider Add Saml2ParameterNames 2021-09-14 17:40:12 -06:00
scripts Fix Release Notes Template 2021-05-14 11:01:27 -05:00
taglibs Remove DependencySetPlugin 2021-07-12 15:31:38 -05:00
test Move and rename OAuth2IntrospectionClaimAccessor/Names 2021-08-12 16:51:33 -06:00
web Introducing WebSessionServerLogoutHandler 2021-08-16 13:08:35 -06:00
.editorconfig Use UTF-8 for Java sources and XML 2019-08-14 08:47:00 -05:00
.gitattributes Ensure line endings for .bat are not modified 2021-07-05 14:11:49 -03:00
.gitignore Ignore Lock Files 2020-02-07 13:59:05 -06:00
CONTRIBUTING.adoc master->main 2021-04-26 16:55:43 -05:00
LICENSE.txt Add LICENSE.txt 2020-04-15 16:44:13 -05:00
README.adoc Fix README local Maven install command 2021-07-07 12:01:57 +02:00
RELEASE.adoc Fix release instructions for generating changelog 2021-07-19 13:35:03 +02:00
build.gradle Compile with parameter names 2021-09-08 10:01:47 +02:00
class_mapping_from_2.0.x.txt SEC-1148: Simple classname mapping from 2.0 to 3.0 2009-12-02 22:44:30 +00:00
gradle.properties Next Development Version 2021-08-16 15:24:29 -05:00
gradlew Update to Gradle 6.6.1 2020-10-12 17:41:16 -06:00
gradlew.bat Update to Gradle 6.6.1 2020-10-12 17:41:16 -06:00
notice.txt URL Cleanup 2019-03-19 23:53:23 -05:00
settings.gradle Update to com.gradle.enterprise 3.6.1 2021-05-17 10:37:09 -05:00

README.adoc

image::https://badges.gitter.im/Join%20Chat.svg[Gitter,link=https://gitter.im/spring-projects/spring-security?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge]

image:https://github.com/spring-projects/spring-security/workflows/CI/badge.svg?branch=main["Build Status", link="https://github.com/spring-projects/spring-security/actions?query=workflow%3ACI"]

image:https://img.shields.io/badge/Revved%20up%20by-Gradle%20Enterprise-06A0CE?logo=Gradle&labelColor=02303A["Revved up by Gradle Enterprise", link="https://ge.spring.io/scans?search.rootProjectNames=spring-security"]

= Spring Security

Spring Security provides security services for the https://docs.spring.io[Spring IO Platform]. Spring Security 5.0 requires Spring 5.0 as
a minimum and also requires Java 8.

For a detailed list of features and access to the latest release, please visit https://spring.io/projects[Spring projects].

== Code of Conduct
Please see our https://github.com/spring-projects/.github/blob/main/CODE_OF_CONDUCT.md[code of conduct]

== Downloading Artifacts
See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#getting[Getting Spring Security] for how to obtain Spring Security.

== Documentation
Be sure to read the https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference].
Extensive JavaDoc for the Spring Security code is also available in the https://docs.spring.io/spring-security/site/docs/current/api/[Spring Security API Documentation].

== Quick Start
See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-hello[Hello Spring Security] to get started with a "Hello, World" application.

== Building from Source
Spring Security uses a https://gradle.org[Gradle]-based build system.
In the instructions below, https://vimeo.com/34436402[`./gradlew`] is invoked from the root of the source tree and serves as
a cross-platform, self-contained bootstrap mechanism for the build.

=== Prerequisites
https://help.github.com/set-up-git-redirect[Git] and the https://www.oracle.com/technetwork/java/javase/downloads[JDK11 build].

Be sure that your `JAVA_HOME` environment variable points to the `jdk-11` folder extracted from the JDK download.

=== Check out sources
[indent=0]
----
git clone git@github.com:spring-projects/spring-security.git
----

=== Install all spring-\* jars into your local Maven cache
[indent=0]
----
./gradlew publishToMavenLocal
----

=== Compile and test; build all jars, distribution zips, and docs
[indent=0]
----
./gradlew build
----

Discover more commands with `./gradlew tasks`.
See also the https://github.com/spring-projects/spring-framework/wiki/Gradle-build-and-release-FAQ[Gradle build and release FAQ].

== Getting Support
Check out the https://stackoverflow.com/questions/tagged/spring-security[Spring Security tags on Stack Overflow].
https://spring.io/services[Commercial support] is available too.

== Contributing
https://help.github.com/articles/creating-a-pull-request[Pull requests] are welcome; see the https://github.com/spring-projects/spring-security/blob/main/CONTRIBUTING.adoc[contributor guidelines] for details.

== License
Spring Security is Open Source software released under the
https://www.apache.org/licenses/LICENSE-2.0.html[Apache 2.0 license].