Commit Graph

543 Commits

Author SHA1 Message Date
Marcus Hert da Coregio
02285708eb Adjust createNewSessionIfAllowed to prevent NPE
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
2021-05-26 15:13:55 -03:00
佚名
22d7043d01 Add null check in CsrfFilter and CsrfWebFilter
Solve the problem that CsrfFilter and CsrfWebFilter
throws NPE exception when comparing two byte array
is equal in low JDK version.

When JDK version is lower than 1.8.0_45, method
java.security.MessageDigest#isEqual does not verify
whether the two arrays are null. And the above two
class call this method without null judgment.

ZiQiang Zhao<1694392889@qq.com>

Closes gh-9561
2021-04-09 21:55:30 -06:00
Rob Winch
419839d05c Optimize HttpSessionSecurityContextRepository
Closes gh-9387
2021-02-11 13:00:31 -06:00
Josh Cummings
10946e8153 Polish Tests
Issue gh-9331
2021-02-03 09:30:27 -07:00
happier233
3cb98ebed0 Configure CurrentSecurityContextArgumentResolver BeanResolver
Closes gh-9331
2021-02-03 09:24:22 -07:00
Rob Winch
b08075a721 Fix CsrfWebFilter error message when expected CSRF not found
Closes gh-9337
2021-01-12 11:30:12 -06:00
Rob Winch
070706d948 LoginPageGeneratingWebFilter honors context path
Closes gh-8807
2020-07-07 13:36:35 -05:00
Eleftheria Stein
2ebbb6f80a Mock request with non-standard HTTP method in test
Fixes gh-8594
2020-05-26 15:38:53 -04:00
Rob Winch
06a02ed4bb Fix non-standard HTTP method for CsrfWebFilter
Closes gh-8452
2020-05-11 17:28:40 -05:00
Josh Cummings
034c23d46c SwitchUserFilter Defaults to POST
Fixes gh-4183
2020-03-27 14:25:28 -06:00
Zeeshan Adnan
dfa78804a8 Fix exception for empty basic auth header token
fixes spring-projectsgh-7976
2020-03-16 16:05:14 -04:00
Joe Grandja
82cd203791 Remove unnecessary mocking
Fixes gh-8012
2020-02-23 19:35:16 -05:00
Josh Cummings
bae50ecc05 AbstractSecurityWebApplicationInitializerTests groovy->java
Issue gh-4939
2020-02-10 10:38:39 -07:00
Josh Cummings
cb9fd09150 Change AuthenticationWebFilter's constructor
Fixes gh-7872
2020-01-31 09:31:28 -07:00
Peter Keller
e62fb755e8 Set charset of BasicAuthenticationFilter converter
Allow BasicAuthenticationFilter to pick up the given credentials charset.

Fixes: gh-7835
2020-01-23 15:34:35 +01:00
Onur Kağan Özcan
1f6381d970 Set secure on cookie when logging out
Mark cookie secure flag to ensure cookie identity is the same
2020-01-13 11:01:33 +01:00
Rob Winch
ffccec953f Fix HttpHeaderWriterWebFilterTests
Ensure setComplete() is subscribed to
2020-01-09 14:24:35 -06:00
Onur Kağan Özcan
2015f392ef Set secure when cancelling remember-me cookie
AbstractRememberMeServices is setting remember-me cookie with checking request is secure or secure usage is independently set to a fixed flag.
But when cancelling a cookie, cookie is not being marked secure or not. It produces an inconsistency when using secure flag as a part to identity of cookie.
2019-12-20 16:04:31 +01:00
Rob Winch
a8331ba7ed CompositeServerHttpHeadersWriter Executes Sequentially
Fixes gh-7731
2019-12-12 11:23:56 -06:00
David Herberth
64e063d948 switches web authentication principal resolver to use reactive context
gh #6598

Signed-off-by: David Herberth <github@dav1d.de>
2019-12-12 15:33:23 +01:00
Rob Winch
8e53c3f269 DelegatingServerAuthenticationSuccessHandler Executes Sequentially
Fixes gh-7728
2019-12-12 08:32:44 -06:00
Rob Winch
73babc3314 DelegatingServerLogoutHandler Executes Sequentially
Fixes gh-7723
2019-12-11 15:39:27 -06:00
Rob Winch
635f7e1edd CsrfWebFilter supports multipart/form-data
Fixes gh-7576
2019-10-28 14:06:10 -05:00
Michel Palourdio
d26f40f062 DefaultRedirectStrategy should redirect to root if the context-relative URL does not contain the context-path. 2019-10-23 09:41:00 -04:00
Tadaya Tsuyukubo
62c7de03c3 Add RequestMatcher to AbstractPreAuthenticatedProcessingFilter
Moved the existing auth check logic to the matcher.

Issue: gh-5928
2019-10-22 16:55:54 -04:00
Eleftheria Stein
264daec697 Test context relative URL with multiple schemes 2019-10-16 15:32:02 -04:00
Josh Cummings
b764af6b9b CookieServerCsrfTokenRepositoryTests Leading Dot
ResponseCookie removed support for having a leading dot in the cookie
domain.

Fixes gh-7500
2019-09-30 08:39:45 -06:00
Josh Cummings
7949dd492a Move DelegatingServerAuthenticationSuccessHandlerTests
Moved from src/test/groovy to src/test/java

Issue gh-5332
2019-09-27 16:57:43 -06:00
Josh Cummings
5f905232cb Polish CurrentSecurityContextArgumentResolvers
Fixes gh-7487
2019-09-27 13:19:08 -06:00
Rob Winch
00f8991fac Merge Remove Redudant Throws
Fixes gh-7301
2019-09-19 11:04:53 -05:00
Onur Kagan Ozcan
034b5e9e93 Introduce LogoutSuccessEvent
LogoutSuccessEvent is a simple AbstractAuthenticationEvent implementation which indicates successful logout.

By default, LogoutConfigurer will add a new LogoutHandler called LogoutSuccessEventPublishingLogoutHandler to publish this event.

This PR will also fix ConcurrentSessionFilter's composite logoutHandler, now will get LogoutHandler instances from LogoutConfigurer for consistency.

Fixes gh-2900
2019-09-18 10:57:16 -05:00
Josh Cummings
7576dc44d7 AuthenticationFilter Session Fixation Protection
Fixes gh-7446
2019-09-17 08:17:09 -06:00
Josh Cummings
aa12748c9b Add Request-level CSRF Skip
Fixes gh-7367
2019-09-13 19:04:05 +01:00
Filip Hanik
e9a44bc0ce HttpSecurity.saml2login() - MVP Core Code
Implements minimal SAML 2.0 login/authentication functionality with the
following feature set:

  - Supports IDP initiated login at the default url of /login/saml2/sso/{registrationId}
  - Supports SP initiated login at the default url of /saml2/authenticate/{registrationId}
  - Supports basic java-configuration via DSL
  - Provides an integration sample using Spring Boot

Not implemented with this MVP

  - Single Logout
  - Dynamic Service Provider Metadata

Fixes gh-6019
2019-09-05 14:40:08 -07:00
Josh Cummings
39e84013f7 ClearSiteDataHeaderWriter Directives
Fixes gh-7347
2019-09-03 15:57:10 -06:00
Eleftheria Stein
ad0d3e9702 Polish remember me username check 2019-09-03 11:48:46 -04:00
Lars Grefer
95511331fa fix checkstyle 2019-08-26 22:42:26 +02:00
Lars Grefer
34dd5fea30 Remove redundant throws clauses
Removes exceptions that are declared in a method's signature but never thrown by the method itself or its implementations/derivatives.
2019-08-23 01:03:54 +02:00
Daniel Wegener
1a233a58c7 Add OnCommittedResponseWrapper.setContentLengthLong
Add setContentLengthLong tracking to OnCommittedResponseWrapper in
order to detect commits on servlets that use setContentLengthLong to
announce the entity size they are about to write (as used in the
Apache Tomcat's DefaultServlet).

Fixes gh-7261
2019-08-19 21:14:41 -04:00
Eleftheria Stein
4bc231872f Expire as many sessions as exceed maximum allowed
Fixes: gh-7166
2019-08-15 09:48:42 -05:00
Josh Cummings
9735a718cc Remove MultiTenantAuthenticationManagerResolver
Fixes gh-7259
2019-08-14 11:14:47 -06:00
Lars Grefer
ec6ca97226 Fix tests 2019-08-11 21:09:10 +02:00
Lars Grefer
ff1070df36 remove redundant modifiers found by checkstyle 2019-08-10 00:18:56 +02:00
Lars Grefer
fb39d9c255 Anonymous type can be replaced with lambda 2019-08-08 17:09:09 -04:00
Lars Grefer
05f42a4995 Remove unused imports 2019-08-08 14:22:31 -04:00
Lars Grefer
2306d987e9 Cleanup unnecessary boxing 2019-08-06 10:17:38 -04:00
Eddú Meléndez
496579dde2 Add match result for servlet requests
Fixes gh-7148
2019-08-05 19:43:00 -04:00
Eddú Meléndez
f712c5598c Add support for allowedHostnames in StrictHttpFirewall
Introduce a new method `setAllowedHostnames` which perform the validation
against untrusted hostnames.

Fixes gh-4310
2019-08-03 21:16:45 -04:00
Lars Grefer
776a4c3760 Use org.mockito.ArgumentMatchers in favor of org.mockito.Matchers 2019-08-03 12:28:37 -04:00
Rob Winch
ad2f999c25 Polish BasicAuthenticationConverter
This reverts to the old behavior from BasicAuthenticationFilter.
Specifically, if a token has an empty password, it still parses a username
and an empty String password.

Issue gh-7025
2019-08-02 09:04:55 -05:00