Commit Graph

1725 Commits

Author SHA1 Message Date
Steve Riesenberg
acc35aeb18 Add DelegatingSecurityContextRepository
Issue gh-12023
2022-10-17 19:33:58 -05:00
Steve Riesenberg
c75ca10900 Add DeferredSecurityContext
Issue gh-12023
2022-10-17 19:33:58 -05:00
Josh Cummings
f4cc27c375 Change Default for (Server)AuthenticationEntryPointFailureHandler
Closes gh-9429
2022-10-13 20:03:03 -06:00
Josh Cummings
5afc7cb04f Merge remote-tracking branch 'origin/5.8.x' 2022-10-13 19:48:05 -06:00
Josh Cummings
099aaa33ff Remove Deprecation Markers
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.

Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.

At that time, BearerTokenAuthenticationFilter can change to use
the handler.

Closes gh-11932
2022-10-13 19:47:22 -06:00
Daniel Garnier-Moiroux
200b7fecd3 Add (Server)AuthenticationEntryPointFailureHandlerAdapter
Issue gh-11932, gh-9429

(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.

BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
2022-10-13 19:25:04 -06:00
Steve Riesenberg
9090f62d9b Merge branch '5.8.x' 2022-10-13 16:46:53 -05:00
Evgeniy Cheban
56b9badcfe AnonymousAuthenticationFilter should cache its Supplier<SecurityContext>
Closes gh-11900
2022-10-13 16:44:48 -05:00
Steve Riesenberg
45a963a011 Remove CsrfWebFilter.setTokenFromMultipartDataEnabled
Closes gh-12019
2022-10-13 11:29:16 -05:00
Joe Grandja
753e113a13 RequestMatcherDelegatingAuthorizationManager defaults to deny
Closes gh-11958
2022-10-13 11:12:00 -04:00
Steve Riesenberg
2407d07890 Default to Xor CSRF tokens in CsrfWebFilter
Closes gh-11960
2022-10-13 09:39:57 -05:00
Steve Riesenberg
2a2051cd7b Default to Xor CSRF tokens in CsrfFilter
Issue gh-11960
2022-10-13 09:39:55 -05:00
Joe Grandja
6026f9f70f Merge branch '5.8.x' 2022-10-13 06:31:37 -04:00
Joe Grandja
185991a606 Revert "Add default AuthorizationManager"
This reverts commit 4ddec07d0e.
2022-10-13 06:18:00 -04:00
Josh Cummings
2713075d08 Mark Observations with Firewall Failures
Closes gh-11994
2022-10-12 20:32:24 -06:00
Josh Cummings
46ab84684b Mark Observations with CSRF Failures
Closes gh-11993
2022-10-12 20:32:23 -06:00
Josh Cummings
99a87179dd Instrument Filter Chain
Closes gh-11911
2022-10-12 20:32:22 -06:00
Steve Riesenberg
9b43950e13 Merge branch '5.8.x' 2022-10-12 13:14:20 -05:00
Steve Riesenberg
8bd25f90e4 Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg
804f20045e Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg
05e4a1dd20 Cache Xor CsrfToken
Closes gh-11988
2022-10-12 12:30:40 -05:00
Marcus Da Coregio
c5e35bf32e Merge branch '5.8.x'
Closes gh-11978
2022-10-10 09:24:50 -03:00
Marcus Da Coregio
4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher
Closes gh-11938
2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux
27059ced87 Default X-Xss-Protection header value to "0"
Closes gh-9631
2022-10-07 17:42:55 -05:00
Steve Riesenberg
6753f9745e Merge branch '5.8.x'
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
2022-10-07 17:29:07 -05:00
Steve Riesenberg
f462134e87 Add reactive support for BREACH
Closes gh-11959
2022-10-07 16:34:17 -05:00
Steve Riesenberg
f4ca90e719 Add reactive interfaces for CSRF request handling
Issue gh-11959
2022-10-07 16:34:16 -05:00
Marcus Da Coregio
c4d23f2b49 Use MvcRequestMatcher by default if Spring MVC is present
Closes gh-11899
2022-10-06 09:12:04 -03:00
Josh Cummings
353ca76973 Merge remote-tracking branch 'origin/5.8.x' 2022-10-06 00:01:40 -06:00
Josh Cummings
380a6a2564 Polish SecurityContextHolderStrategy Usage
- Add to HttpSessionSecurityContextRepository#saveContext

Issue gh-11060
2022-10-05 23:59:14 -06:00
Josh Cummings
72a46ddd31 Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings
f16d47c7b5 Polish DefaultHttpSecurityExpressionHandler
Issue gh-11105
2022-10-05 21:47:14 -06:00
Josh Cummings
eeb28e4f91 Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 21:45:26 -06:00
Josh Cummings
4ddec07d0e Add default AuthorizationManager
Closes gh-11963
2022-10-05 21:37:41 -06:00
Steve Riesenberg
ee9449dbfe Fix tests for deferred CSRF tokens
Issue gh-4001
2022-10-05 16:10:36 -05:00
Steve Riesenberg
521cdfd738 Use correct servlet imports
Issue gh-4001
2022-10-05 16:10:35 -05:00
Steve Riesenberg
8b490de08d Merge branch '5.8.x'
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
Steve Riesenberg
dce1c30522 Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Steve Riesenberg
5de6da890b Merge branch '5.8.x'
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
Steve Riesenberg
475b3bb6bb Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Steve Riesenberg
7c3cc1e386 Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux
0e215a21ad Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio
ad2abd39dc Merge branch '5.8.x'
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Marcus Da Coregio
5f2744db33 Merge branch '5.8.x'
Closes gh-11937
2022-10-03 11:43:22 -03:00
Marcus Da Coregio
64a19de4dc Deprecate HPKP security header
Closes gh-10144
2022-10-03 11:36:19 -03:00
Rob Winch
4479cefade Default Require Explicit Session Management = true
Closes gh-11763
2022-09-30 21:49:05 -05:00
Steve Riesenberg
76fbca9f46 Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux
93250013e4 Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Steve Riesenberg
e0e6467d9b Remove UsernamePasswordAuthenticationToken check
This commit reverts 21dd050d7b.

Closes gh-10347
2022-09-29 15:25:53 -05:00