Commit Graph

804 Commits

Author SHA1 Message Date
Joe Grandja
5afeaa3ce7 WebFlux httpBasic() matches on XHR requests
Closes gh-9660
2021-04-20 08:36:42 -04:00
Rob Winch
a31a855146 Fix HttpSecurity.addFilter* Ordering
Closes gh-9633
2021-04-14 17:47:31 -05:00
Denis Washington
2b4b856b32 Limit oauth2Login() links to redirect-based flows
This prevents the generated login page from showing links for
authorization grant types like "client_credentials" which are
not redirect-based, and thus not meant for interactive use in
the browser.

Closes gh-9457
2021-04-14 05:02:30 -04:00
Josh Cummings
163b5943ca Revert AuthorizationManager Method Security 2021-04-12 15:53:22 -06:00
Josh Cummings
4e81bbe386 Revert "Add Saml2LogoutConfigurer"
This reverts commit 6f52baba29.
2021-04-12 14:43:19 -06:00
Josh Cummings
6f52baba29 Add Saml2LogoutConfigurer
Closes gh-9497
2021-04-10 00:25:34 -06:00
Josh Cummings
df8abcfae7 Use Interceptors instead of Advice
- Interceptor is a more descriptive term for what
method security is doing
- This also allows the code to follow a delegate
pattern that unifies both before-method and after-
method authorization

Issue gh-9289
2021-04-09 18:45:31 -06:00
Josh Cummings
2b494ebc5f Polish AOP Structure
- Changed from MethodMatcher to Pointcut since authorization
annotations also can be attached to classes
- Adjusted advice to extend Before or AfterAdvice
- Adjusted advice to extend PointcutAdvisor so
that it can share its Pointcut
- Adjusted advice to extend AopInfrastructureBean to
align with old advice classes

Issue gh-9289
2021-04-09 17:46:33 -06:00
Josh Cummings
68cf74468c Add check for custom advice
- Because publishing an advice bean replaces Spring Security
defaults, the code should error if both a custom bean and
either secureEnabled or prePostEnabled are specified

Issue gh-9289
2021-04-09 17:46:33 -06:00
Josh Cummings
45376b359b Adjust Packaging
Issue gh-9289
2021-04-09 17:46:32 -06:00
Evgeniy Cheban
20778f727b Consider AuthorizationManager for Method Security
Closes gh-9289
2021-04-09 17:46:32 -06:00
Josh Cummings
7ded671858 Refactor AuthenticationDetailsSource support
- BearerTokenAuthenticationFilter exposes this directly, simplifying
configuration and removing a package tangle

Closes gh-9576
2021-04-09 12:41:16 -06:00
Eleftheria Stein
e03fe7f089 Add coroutine support to pre/post authorize
Closes gh-8143
2021-04-09 19:33:06 +02:00
Eleftheria Stein
0f3df3e714 Consider Order on SecurityFilterChain bean definitions
Closes gh-9154
2021-03-24 11:02:29 +02:00
Josh Cummings
d0d0a8d958 Add OpenSAML 4 Support
Closes gh-9095
2021-03-23 19:07:23 -06:00
Josh Cummings
b774e91734 Polish BearerTokenAuthenticationConverter
Issue gh-8840
2021-03-12 15:05:06 -07:00
Jeongjin Kim
31f310fd22 Add BearerTokenAuthenticationConverter
BearerTokenAuthenticationConverter is introduced to solve the
problem of not being able to change AuthenticationDetailsSource.
BearerTokenAuthenticationFilter delegates to
BearerTokenAuthenticationConverter the task of creating
BearerTokenAuthenticationToken and setting AuthenticationDetailsSource.
BearerTokenAuthenticationConverter is customizable and the customized
converter can be used in BearerTokenAuthenticationFilter.

Closes gh-8840
2021-03-12 15:05:06 -07:00
Han YanJing
f3fa8e8800 Polish
Issue gh-9310
2021-03-02 12:04:22 -07:00
Han YanJing
6e41246a2b Throw Saml2AuthenticationException
Closes gh-9310
2021-03-02 12:04:22 -07:00
Josh Cummings
ccb3b02888 Bearer Token Server-side Errors Return 500
Closes gh-9395
2021-02-10 12:35:34 -07:00
Josh Cummings
ca5e303308 Fix Test Configuration
- Typo in PlaceholderConfig was causing Windows builds to
resolve the CLASSPATH environment variable

Closes gh-9421
2021-02-10 11:31:30 -07:00
Ihor Ilkevych
43a071a89e Add WebFlux oauth2Login with formLogin test
Closes gh-9326
2021-01-20 15:04:06 -05:00
Evgeniy Cheban
8449df9fd2 Consider Aligning MvcRequestMatcher's matching methods
Closes gh-9284
2021-01-09 21:42:16 +03:00
Eleftheria Stein
8cefc8a792 Fix bug with multiple AuthenticationManager beans
Closes gh-9256
2021-01-06 16:26:26 +01:00
Josh Cummings
337d24e6db Update Copyright Messages
Issue gh-9202
2021-01-05 15:30:51 -07:00
Mazen Aissa
c907838440 Make max-session configurable
Closes gh-9202
2021-01-05 15:30:51 -07:00
Evgeniy Cheban
34b4b1054f Add AuthorizationManager
Closes gh-8900
2020-12-16 15:58:36 -07:00
Nick McKinney
6be25df1db Introduced DispatcherType request matcher
Created a DispatcherTypeRequestMatcher and corresponding methods
for configuring an HttpSecurity object. This enables filtering of
security rules based on the dispatcher type of the incoming servlet
request.

Closes gh-9205
2020-12-14 14:19:23 +01:00
Christophe Gilles
54d3839f63 Add permissionsPolicy http header 2020-12-11 12:32:18 +01:00
Joe Grandja
58e3235093 Deprecate ClientAuthenticationMethod BASIC and POST
Closes gh-9220
2020-11-25 15:13:28 -05:00
Josh Cummings
4602e9a661 Use HttpBasicConfigurer's Conneg Strategy
Closes gh-9100
2020-11-12 16:26:10 -07:00
Eleftheria Stein
5c8972b7d5 Add test for ordered WebSecurityCustomizers
Issue gh-9154
2020-11-02 14:19:14 +01:00
Josh Cummings
b1a3aef4f8 Update Test Controllers
Closes gh-9121
2020-10-12 17:41:16 -06:00
Josh Cummings
366146ff80 Polish JWT Signature Algorithm Discovery
- Moved support to JwtDecoders and ReactiveJwtDecoders since there is
already the expectation that those classes make an outbound connection
to complete configuration. Since there's no outbound connection when
configuring a NimbusJwtDecoder or NimbusReactiveJwtDecoder, it would be
more intrusive to change that.

Closes gh-7160
2020-10-09 14:17:30 -06:00
Nick Hitchan
290786438c Add Support for JWK Signature Algorithm Discovery
Issue gh-7160
2020-10-09 13:09:38 -06:00
Josh Cummings
ce68431037 Bump Schema, Serialization, and Taglib to 5.5 2020-10-07 17:17:58 -06:00
Phillip Webb
c502312719 Replace expected @Test attributes with AssertJ
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb
20baa7d409 Replace ExpectedException @Rules with AssertJ
Replace JUnit ExpectedException @Rules with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb
910b81928f Replace try/catch with AssertJ
Replace manual try/catch/fail blocks with AssertJ calls.
2020-09-22 16:13:51 -06:00
Eleftheria Stein
4e2a050c14 Customizer for WebSecurity
Closes gh-8978
2020-09-09 09:34:52 -04:00
Evgeniy Cheban
17f1540280 Resolve oauth2 client placeholders
Closes gh-8453
2020-09-01 08:26:44 -04:00
Rob Winch
2abf59b695 Merge Formatting Changes
Issue gh-8945
2020-08-24 17:33:23 -05:00
Rob Winch
254f2e2aec Polish config format
Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
319d3364aa Migrate to assertThatExceptionOfType
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
2f8e835b11 Use assertThatObject to save casting
Update tests that use `assertThat((Object) ...)` to use the convenience
`assertThatObject(...)` method instead.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
0a3eeb9c80 Remove incorrect AssertJ imports
Fix a few tests that were accidentally importing incorrect AssertJ
classes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
a5aa6b3d7f Remove blank lines from all tests
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
ee661f7b71 Fix whitespace issues in format-off code
Fix a few whitespace issues in format-off code that would
otherwise fail checkstyle.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb
834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb
8d3f039f76 Reduce method visibility when possible
Reduce method visibility for package private classes when possible.

In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.

Issue gh-8945
2020-08-24 17:33:08 -05:00