Commit Graph

933 Commits

Author SHA1 Message Date
Josh Cummings
0f58620643 Add AspectJ AuthorizationManager Support
Closes gh-11326
2022-08-26 15:59:08 -06:00
Josh Cummings
e990174c89 Polish ReactiveMethodSecurity Support
- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @Deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well

Issue gh-9401

Polish
2022-08-25 14:36:03 -06:00
Evgeniy Cheban
cbb4f40f0c ReactiveAuthorizationManager + Reactive Method Security
Closes gh-9401
2022-08-25 14:35:04 -06:00
Rob Winch
2fb625db84 Remove mockito deprecations
Issue gh-11748
2022-08-23 15:59:52 -05:00
Marcus Da Coregio
3826fca567 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:33:08 -03:00
Rob Winch
1de810a565 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:00:47 -05:00
Evgeniy Cheban
ba50c50b4b Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11509
2022-08-16 15:14:08 -06:00
Rob Winch
5b64526ba9 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-15 17:07:02 -05:00
Igor Bolic
efaee4e56b Allow customization of redirect strategy
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.

Closes gh-11373
2022-08-08 15:35:49 -05:00
Josh Cummings
c2d79fcbd6 Add Conditions to Generating AuthnRequest
Closes gh-11657
2022-08-03 17:34:31 -06:00
Josh Cummings
aa225943d2 Polish Tests
Issue gh-11657
2022-08-03 17:34:26 -06:00
Josh Cummings
5dff157755 Polish HttpSecurity Formatting
Issue gh-11360
2022-07-14 12:50:40 -06:00
Evgeniy Cheban
400cd60368 Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11360
2022-07-14 12:48:39 -06:00
Josh Cummings
624fdfa731 Add AuthorizationManager for protect-pointcut
Closes gh-11323
2022-07-13 17:58:16 -06:00
Josh Cummings
c9a3d21b9b Add Configuration Test
Issue gh-11327
2022-07-07 14:46:37 -06:00
Josh Cummings
d27d431bbc Add AuthorizationFilter to filter chain validator
Closes gh-11327
2022-07-07 13:52:36 -06:00
Josh Cummings
cdafa4ee21 Clarify variable names
Issue gh-11327
2022-07-07 13:38:42 -06:00
Josh Cummings
74a007dc91 Support AuthorizationManager for intercept-methods Element
Closes gh-11328
2022-07-06 12:54:05 -06:00
Josh Cummings
e8723f1f43 Pick up SecurityContextHolderStrategy for WebClient integration
Issue gh-11061
2022-06-28 14:58:53 -06:00
Josh Cummings
27de315e5e Use SecurityContextHolderStrategy for Async Requests
Issue gh-11060
Issue gh-11061
2022-06-28 14:46:52 -06:00
Josh Cummings
98995f2225 Add SecurityContextHolderStrategy to Pre-authenticated scenarios
Issue gh-11060
Issue gh-11061
2022-06-28 12:04:37 -06:00
Josh Cummings
4a2d77d3f2 Use SecurityContextHolderStrategy for Remember-me
Issue gh-11060
Isuse gh-11061
2022-06-28 11:08:57 -06:00
Josh Cummings
74167d62b1 Add SecurityContextHolderStrategy XML Configuration for Messaging
Issue gh-11061
2022-06-27 15:55:28 -06:00
Josh Cummings
9292a13146 Add SecurityContextHolderStrategy Java Configuration for Messaging
Issue gh-11061
2022-06-27 15:55:28 -06:00
Josh Cummings
652c35db2f Add SecurityContextHolderStrategy XML Configuration for OAuth2
Issue gh-11061
2022-06-27 13:05:13 -06:00
Josh Cummings
1d22316574 Add SecurityContextHolderStrategy Java Configuration for OAuth2
Issue gh-11061
2022-06-27 13:05:13 -06:00
Josh Cummings
6c16ac101a Add SecurityContextHolderStrategy XML Configuration for Saml2
Issue gh-11061
2022-06-27 13:05:12 -06:00
Josh Cummings
97253c9293 Add SecurityContextHolderStrategy Java Configuration for Saml2
Issue gh-11061
2022-06-27 13:05:11 -06:00
Josh Cummings
9cd7c7b046 Add SecurityContextHolderStrategy XML Configuration for Method Security
Issue gh-11061
2022-06-27 13:05:07 -06:00
Josh Cummings
da57bac061 Add SecurityContextHolderStrategy Java Configuration for Method Security
Issue gh-11061
2022-06-27 13:03:11 -06:00
Josh Cummings
fa0086d3b0 Polish SecurityContextHolderStrategy Java Configuration for Defaults
Issue gh-11061
2022-06-27 13:01:22 -06:00
Josh Cummings
2a70707c35 Add SecurityContextHolderStrategy XML Configuration for Defaults
Issue gh-11061
2022-06-17 11:28:10 -06:00
Josh Cummings
2c09a300b6 Add SecurityContextHolderStrategy Java Configuration for Defaults
Issue gh-11061
2022-06-17 11:28:10 -06:00
Steve Riesenberg
79c2b8709b Allow form login when single OAuth2 Provider is configured
Closes gh-6802
2022-06-15 14:05:55 -05:00
Marcus Da Coregio
4c2401a576 Revert "Make source code compatible with JDK 8"
This reverts commit 60ed3602f6.
2022-06-02 19:24:42 +02:00
Josh Cummings
d994ddc9b8 Polish InterceptUrlConfigTests
Issue gh-11305
2022-05-31 16:04:02 -06:00
Josh Cummings
9dbd1f3e25 Use AuthorizationManager in <http>
Closes gh-11305
2022-05-31 15:10:00 -06:00
Josh Cummings
8a03d1fcec Add AuthorizationManager to Messaging
Closes gh-11076
2022-05-27 12:20:48 -06:00
Juny Tse
16664dcdbd Use Base64 encoder with no CRLF in output for SAML 2.0 messages
Closes gh-11262
2022-05-25 11:43:50 -06:00
Josh Cummings
b51c71c3b3 Use original query string to verify signature
Closes gh-11235
2022-05-23 13:56:28 -06:00
Josh Cummings
5adb6e25a3 Correctly encode query parameters
Issue gh-11235
2022-05-20 17:46:40 -06:00
Josh Cummings
ffaf5b4e61 Polish WebExpressionAuthorizationManager
- Add support for request variables
- Added additional tests

Issue gh-11105
2022-05-13 13:53:38 -06:00
Evgeniy Cheban
07b0be3f42 Add AuthorizationManager that uses ExpressionHandler
Closes gh-11105
2022-05-13 13:52:49 -06:00
Marcus Da Coregio
18c220c870 Update copyright headers
Issue gh-10956
2022-05-06 14:26:29 -03:00
Marcus Da Coregio
18345feeed Fix mvcMatchers overriding previous paths
Closes gh-10956
2022-05-06 14:26:29 -03:00
Rob Winch
6420cf28a9 Multiple <authentication-manager> Do Not Duplicate Alias
Previously, two authentication managers with different ids would duplicate
the alias to the global authentication manager. This would cause failures
for when allowBeanDefinitionOverriding = false.

This commit ensures that if the global authentication manager alias is
already set, then it is not set again. This means the first
<authentication-manager> will be used as the global AuthenticationManager.

Closes gh-8767
2022-05-03 14:52:22 -05:00
Josh Cummings
0e9228d10a Prepare for Spring Security 5.8 2022-05-02 16:34:23 -06:00
Eleftheria Stein
5ac5edc2e6 Detect UserDetailsService bean in X509 configuration
Closes gh-11174
2022-04-28 14:47:18 +02:00
Eleftheria Stein
8e34cedcfe Detect UserDetailsService bean in remember me
Closes gh-11170
2022-04-28 12:43:13 +02:00
Rob Winch
aaf78330b1 ForceEagerSessionCreationFilter
Closes gh-11109
2022-04-15 14:16:35 -05:00