Commit Graph

1048 Commits

Author SHA1 Message Date
Josh Cummings
44b7847258 Fix Import Order
Issue gh-8819
2022-09-21 09:08:41 -06:00
Josh Cummings
70460ca009 Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-20 17:44:05 -06:00
Rob Winch
48e31f87e4 Remove Deprecated OpenSAML 3 Support
Closes gh-10556
2022-09-20 16:57:38 -06:00
Steve Riesenberg
1aee40dcca Polish gh-11665
* Add authentication-converter-ref to 6.0
* Add @Configuration to test configs
2022-09-14 10:41:42 -05:00
Steve Riesenberg
2431dd1103 Merge branch '5.8.x' 2022-09-13 17:38:10 -05:00
Steve Riesenberg
355ef21117 Polish gh-11665 2022-09-13 16:45:39 -05:00
ch4mpy
1efb63387f Add authentication converter for introspected tokens
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.

Closes gh-11661
2022-09-13 16:45:36 -05:00
Steve Riesenberg
088ebe2e00 Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
Steve Riesenberg
ed41a60aae Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
#	config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
#	web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
Steve Riesenberg
86fbb8db07 Add new interfaces for CSRF request processing
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
Rob Winch
7bf2d3dc4e Update DeferHttpSession Tests
Closes gh-11764
2022-08-31 14:40:06 -05:00
Rob Winch
2efc8dcd15 Default Require Explicit Save SecurityContext
Closes gh-11762
2022-08-29 10:16:04 -05:00
Josh Cummings
b1fd9af723 Merge remote-tracking branch 'origin/5.8.x' into main 2022-08-26 16:01:40 -06:00
Josh Cummings
0f58620643 Add AspectJ AuthorizationManager Support
Closes gh-11326
2022-08-26 15:59:08 -06:00
Rob Winch
f84f08c4b9 Default HttpSessionRequestCache.matchingRequestParameterName=continue
Closes gh-11757
2022-08-26 14:44:55 -05:00
Josh Cummings
210693eb6b Add @Configuration
Issue gh-6613
Issue gh-9401
2022-08-25 15:30:48 -06:00
Josh Cummings
84f765a89c Merge remote-tracking branch 'origin/5.8.x' into main 2022-08-25 14:46:48 -06:00
Josh Cummings
e990174c89 Polish ReactiveMethodSecurity Support
- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @Deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well

Issue gh-9401

Polish
2022-08-25 14:36:03 -06:00
Evgeniy Cheban
cbb4f40f0c ReactiveAuthorizationManager + Reactive Method Security
Closes gh-9401
2022-08-25 14:35:04 -06:00
Rob Winch
670b71363d Merge branch '5.8.x'
Closes gh-11749
2022-08-23 16:03:50 -05:00
Rob Winch
2fb625db84 Remove mockito deprecations
Issue gh-11748
2022-08-23 15:59:52 -05:00
Marcus Da Coregio
0aac515737 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:35:41 -03:00
Marcus Da Coregio
3826fca567 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:33:08 -03:00
Rob Winch
888c65a936 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:38:03 -05:00
Rob Winch
1de810a565 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:00:47 -05:00
Marcus Da Coregio
af3d70f130 Remove GlobalMethodSecurityRuntimeHints
Closes gh-11714
2022-08-17 08:07:28 -03:00
Evgeniy Cheban
ba50c50b4b Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11509
2022-08-16 15:14:08 -06:00
Evgeniy Cheban
5ecd513a57 Add remaining methods from ExpressionUrlAuthorizationConfigurer to MessageMatcherDelegatingAuthorizationManager
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11509
2022-08-16 15:12:47 -06:00
Rob Winch
8ad20b1768 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-16 13:47:31 -05:00
Rob Winch
5b64526ba9 Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name
equal to CsrfToken.getParameterName(). This didn't really make a lot of
sense because the CsrfToken.getParameterName() is intended to be used as
the HTTP parameter that the CSRF token was provided. What's more is it
meant that the CsrfToken needed to be read for every request to place it
as an HttpServletRequestAttribute. This causes unnecessary HttpSession
access which can decrease performance for applications.

This commit allows setting CsrfFilter.csrfReqeustAttributeName to
remove the dual purposing of CsrfToken.parameterName and to allow deferal
of reading the CsrfToken to prevent unnecessary HttpSession access.

Issue gh-11699
2022-08-15 17:07:02 -05:00
Rob Winch
425b3501b7 Remove @Configuration from @Enable* Annotations
This removes `@Configuration` from all `@Enable` Annotations and explicitly
adds `@Configuration` to wherever the `@Enable*` Annotations are used.

Closes gh-11653
2022-08-09 17:00:24 -05:00
Rob Winch
a5069d7e35 Fix Add @Configuration to @Enable*Security Usage
Issue gh-6613
2022-08-09 17:00:16 -05:00
Igor Bolic
2e66b9f6cc Allow customization of redirect strategy
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.

Closes gh-11373
2022-08-08 15:44:01 -05:00
Igor Bolic
efaee4e56b Allow customization of redirect strategy
The default redirect strategy will provide authorization redirect
URI within HTTP 302 response Location header.
Allowing the configuration of custom redirect strategy will provide
an option for the clients to obtain the authorization URI from e.g.
HTTP response body as JSON payload, without a need to handle
automatic redirection initiated by the HTTP Location header.

Closes gh-11373
2022-08-08 15:35:49 -05:00
Josh Cummings
ed58ac7d78 Add Conditions to Generating AuthnRequest
Closes gh-11657
2022-08-03 17:49:48 -06:00
Josh Cummings
9e8a04d414 Polish Tests
Issue gh-11657
2022-08-03 17:49:46 -06:00
Josh Cummings
c2d79fcbd6 Add Conditions to Generating AuthnRequest
Closes gh-11657
2022-08-03 17:34:31 -06:00
Josh Cummings
aa225943d2 Polish Tests
Issue gh-11657
2022-08-03 17:34:26 -06:00
Joshua Sattler
040111ae9e Remove Configuration meta-annotation from Enable* annotations
Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration.
While convenient, this is not consistent with the rest of the Spring projects and most notably
Spring Framework's @Enable annotations. Additionally, the introduction of support for
@Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to
remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow
users to opt into their preferred configuration mode.

Closes gh-6613

Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org>
2022-07-30 03:48:42 +02:00
Josh Cummings
d27322c9e0 Polish HttpSecurity Formatting
Issue gh-11360
2022-07-14 13:00:08 -06:00
Evgeniy Cheban
c4b0e9bd74 Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11360
2022-07-14 13:00:07 -06:00
Josh Cummings
5dff157755 Polish HttpSecurity Formatting
Issue gh-11360
2022-07-14 12:50:40 -06:00
Evgeniy Cheban
400cd60368 Add remaining methods from ExpressionUrlAuthorizationConfigurer to AuthorizeHttpRequestsConfigurer
- Added fullyAuthenticated
- Added rememberMe
- Added anonymous

Closes gh-11360
2022-07-14 12:48:39 -06:00
Josh Cummings
35fc437559 Add AuthorizationManager for protect-pointcut
Closes gh-11323
2022-07-14 09:25:49 -06:00
Josh Cummings
624fdfa731 Add AuthorizationManager for protect-pointcut
Closes gh-11323
2022-07-13 17:58:16 -06:00
Marcus Da Coregio
7abea4a964 Add RuntimeHints suffix for RuntimeHintsRegistrar
Closes gh-11497
2022-07-13 10:14:43 -03:00
Joe Grandja
177baba8c9 RuntimeHintsPredicates moved to predicate package 2022-07-12 16:00:50 -04:00
Marcus Da Coregio
6455e98745 FilterSecurityInterceptor applies to every request by default
Closes gh-11466
2022-07-12 10:53:03 -03:00
Rob Winch
d2d5313bba Fix Formatting
Issue gh-11327
2022-07-08 09:21:53 -05:00
Josh Cummings
c9a3d21b9b Add Configuration Test
Issue gh-11327
2022-07-07 14:46:37 -06:00