Commit Graph

1073 Commits

Author SHA1 Message Date
Marcus Da Coregio
77dcc691b3 Add modified classpath test support
Closes gh-11951
2022-10-04 15:32:18 -03:00
Marcus Da Coregio
5002199be3 Revert "Disable tests that need Spring MVC mocked in classpath"
This reverts commit c6978fba7c.
2022-10-04 15:32:18 -03:00
Marcus Da Coregio
35f7e46d05 Remove WebSecurityConfigurerAdapter
Closes gh-10902
2022-10-04 15:13:04 -03:00
Steve Riesenberg
5de6da890b Merge branch '5.8.x'
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
Marcus Da Coregio
c6978fba7c Disable tests that need Spring MVC mocked in classpath
Issue gh-11347
2022-10-04 08:56:06 -03:00
Steve Riesenberg
475b3bb6bb Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Steve Riesenberg
c847efd3fd Fix servlet import
Issue gh-11347
Issue gh-9159
2022-10-03 15:10:56 -05:00
Steve Riesenberg
7c3cc1e386 Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux
0e215a21ad Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio
ad2abd39dc Merge branch '5.8.x'
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Rob Winch
4479cefade Default Require Explicit Session Management = true
Closes gh-11763
2022-09-30 21:49:05 -05:00
Rob Winch
12a0ccf6de Remove Explicit CSRF Config from DeferHttpSessionTests
Issue gh-11764
2022-09-30 21:49:04 -05:00
Steve Riesenberg
76fbca9f46 Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux
93250013e4 Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Marcus Da Coregio
3bfdf6dd0f Merge branch '5.8.x'
Closes gh-11922
2022-09-29 11:21:24 -03:00
Marcus Da Coregio
cf3349f31a Configure ContentNegotiationStrategy in HttpSecurityConfiguration
Closes gh-11916
2022-09-29 11:21:08 -03:00
Josh Cummings
506e50bfd0 Move Saml2 Authentication Filters
Issue gh-8819
2022-09-26 10:44:27 -06:00
Steve Riesenberg
181ee7410b Change default authority for oauth2Login()
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.

* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER

Documentation has been updated to include this implementation detail.

Closes gh-7856
2022-09-26 10:06:31 -05:00
Josh Cummings
37a160245f Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-23 16:31:21 -06:00
Steve Riesenberg
bcb21c9384 Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
Steve Riesenberg
46696a9226 CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Steve Riesenberg
3c66ef6305 Change default SecurityContextRepository
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
2022-09-22 17:31:14 -05:00
Rob Winch
0efe26c1fd Merge branch '5.8.x'
Closes gh-11894
2022-09-22 13:47:04 -05:00
Rob Winch
d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
2022-09-22 11:09:44 -05:00
Josh Cummings
44b7847258 Fix Import Order
Issue gh-8819
2022-09-21 09:08:41 -06:00
Josh Cummings
70460ca009 Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-20 17:44:05 -06:00
Rob Winch
48e31f87e4 Remove Deprecated OpenSAML 3 Support
Closes gh-10556
2022-09-20 16:57:38 -06:00
Steve Riesenberg
1aee40dcca Polish gh-11665
* Add authentication-converter-ref to 6.0
* Add @Configuration to test configs
2022-09-14 10:41:42 -05:00
Steve Riesenberg
2431dd1103 Merge branch '5.8.x' 2022-09-13 17:38:10 -05:00
Steve Riesenberg
355ef21117 Polish gh-11665 2022-09-13 16:45:39 -05:00
ch4mpy
1efb63387f Add authentication converter for introspected tokens
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.

Closes gh-11661
2022-09-13 16:45:36 -05:00
Steve Riesenberg
088ebe2e00 Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
Issue gh-11764
Issue gh-4001
2022-09-06 12:28:52 -05:00
Steve Riesenberg
ed41a60aae Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
#	config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
#	web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
2022-09-06 11:51:55 -05:00
Steve Riesenberg
86fbb8db07 Add new interfaces for CSRF request processing
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
Rob Winch
7bf2d3dc4e Update DeferHttpSession Tests
Closes gh-11764
2022-08-31 14:40:06 -05:00
Rob Winch
2efc8dcd15 Default Require Explicit Save SecurityContext
Closes gh-11762
2022-08-29 10:16:04 -05:00
Josh Cummings
b1fd9af723 Merge remote-tracking branch 'origin/5.8.x' into main 2022-08-26 16:01:40 -06:00
Josh Cummings
0f58620643 Add AspectJ AuthorizationManager Support
Closes gh-11326
2022-08-26 15:59:08 -06:00
Rob Winch
f84f08c4b9 Default HttpSessionRequestCache.matchingRequestParameterName=continue
Closes gh-11757
2022-08-26 14:44:55 -05:00
Josh Cummings
210693eb6b Add @Configuration
Issue gh-6613
Issue gh-9401
2022-08-25 15:30:48 -06:00
Josh Cummings
84f765a89c Merge remote-tracking branch 'origin/5.8.x' into main 2022-08-25 14:46:48 -06:00
Josh Cummings
e990174c89 Polish ReactiveMethodSecurity Support
- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @Deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well

Issue gh-9401

Polish
2022-08-25 14:36:03 -06:00
Evgeniy Cheban
cbb4f40f0c ReactiveAuthorizationManager + Reactive Method Security
Closes gh-9401
2022-08-25 14:35:04 -06:00
Rob Winch
670b71363d Merge branch '5.8.x'
Closes gh-11749
2022-08-23 16:03:50 -05:00
Rob Winch
2fb625db84 Remove mockito deprecations
Issue gh-11748
2022-08-23 15:59:52 -05:00
Marcus Da Coregio
0aac515737 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:35:41 -03:00
Marcus Da Coregio
3826fca567 Consistently set AuthenticationEventPublisher in AuthenticationManagerBuilder
Prior to this, the HttpSecurity bean was not consistent with WebSecurityConfigurerAdapter's HttpSecurity because it did not setup a default AuthenticationEventPublisher. This also fixes a problem where the AuthenticationEventPublisher bean would only be considered if there was a UserDetailsService

Closes gh-11449
Closes gh-11726
2022-08-19 09:33:08 -03:00
Rob Winch
888c65a936 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:38:03 -05:00
Rob Winch
1de810a565 Add DeferHttpSession*Tests
Closes gh-6125
2022-08-18 17:00:47 -05:00