Rob Winch
9e82fc0b83
serverAuthenticationEntryPoint->authenticationEntryPoint
...
Issue: gh-4822
2017-11-14 16:42:20 -06:00
Rob Winch
520e0a5a68
serverAuthenticationSuccessHandler->authenticationSuccessHandler
...
Issue: gh-4822
2017-11-14 16:42:14 -06:00
Rob Winch
5c83f92ddc
serverAuthenticationFailureHandler->authenticationFailureHandler
...
Issue: gh-4822
2017-11-14 16:42:10 -06:00
Rob Winch
692233e431
ServerSecurityContextRepository members to securityContextRepository
...
Issue: gh-4822
2017-11-14 16:42:06 -06:00
Johnny Lim
d900f2a623
Remove unused imports
...
This commit also adds UnusedImportsCheck Checkstyle module.
2017-11-14 14:41:08 -06:00
Rob Winch
1b70efce2b
Add ServerRequestCache
...
Fixes: gh-4789
2017-11-13 15:49:34 -06:00
Rob Winch
8f6491b281
Add RedirectServerAuthenticationFailureHandler
...
Fixes gh-4816
2017-11-13 15:49:20 -06:00
Rob Winch
060d8689fe
Make RedirectServer*Tests less specific
...
Issue: gh-4816
2017-11-13 15:49:06 -06:00
Rob Winch
676020321e
Add reactive CsrfRequestDataValueProcessor
...
Fixes gh-4762
2017-11-07 22:25:36 -06:00
Rob Winch
7622826b69
WebSessionServerCsrfTokenRepository saves on getToken
...
Fixes gh-4801
2017-11-07 22:25:23 -06:00
Rob Winch
776364d403
ServerCsrfTokenRepository.saveToken return Mono<CsrfToken>
...
Fixes gh-4800
2017-11-07 22:24:53 -06:00
Jeremy Waters
832f5c39c1
SEC-3190: Add support for colons in remember-me token values
...
We have an issue where token strings that contain a colon break
the existing decoding strategy, which tokenizes on colons. so this
change urlencodes the individual tokens when creating the cookie
string; and urldecodes them decoding the cookie and extracting the
tokens. This also eliminates the need for existing code to deal with
openid tokens which contain urls, and thus colons.
2017-10-30 00:33:14 -05:00
Rob Winch
93ac706d86
Polish XFrameOptionsHeaderWriter
...
Issue: gh-4559
2017-10-29 23:32:53 -05:00
Antoine
bed4ec7d18
Fix leading space characters reported by checkstyle
2017-10-29 22:22:34 -05:00
Antoine
0771778b81
Polish more AssertJ assertions
2017-10-29 22:22:34 -05:00
Antoine
e0aca04a28
Polish AssertJ assertions
...
Polish AssertJ assertions
2017-10-29 22:22:34 -05:00
Rob Winch
8da2c7f657
Add WebFlux CSRF Protection
...
Fixes gh-4734
2017-10-28 22:59:24 -05:00
Rob Winch
e63c53e267
Add AuthorizationWebFilterTests
2017-10-28 22:58:55 -05:00
Rob Winch
2060125ebd
ServerWebExchangeAttributeServerSecurityContextRepository->NoOpNoOpServerSecurityContextRepository
...
Issue: gh-4719
2017-10-27 18:17:52 -05:00
Rob Winch
437ba56415
ReactorContextWebFilter & SecurityContextServerWebExchangeWebFilter
...
Issue: gh-4719
2017-10-27 18:17:10 -05:00
Rob Winch
747473257f
Use ReactorSecurityContextHolder
...
Issue gh-4713
2017-10-26 20:11:42 -05:00
Rob Winch
44b41e78cd
Flux member variables in favor of Collections
...
Fix gh-4694
2017-10-25 07:41:37 -05:00
Rob Winch
fcc1152f78
WebFilterChainProxy not matched continues WebFilterChain
...
Fixes gh-4668
2017-10-24 16:22:07 -05:00
Rob Winch
b81c1ce2c0
Move spring-security-webflux into spring-security-web
...
Fixes gh-4662
2017-10-18 16:20:09 -05:00
Rob Winch
23f56f568c
Update MockitJunitRunner import
...
Issue: gh-4608
2017-10-09 16:13:33 -05:00
Rob Winch
445834784a
Update to Mockito 2.10.0
...
Issue: gh-4608
2017-10-09 16:13:11 -05:00
Rob Winch
646b3e48b3
Avoid Exception Message in HTTP Response
...
Fixes gh-4587
2017-09-28 17:24:49 -05:00
Vedran Pavic
95de158909
Add ForwardLogoutSuccessHandler
2017-09-06 15:15:02 -05:00
Rob Winch
5a65da400d
Use ReflectionTestUtils rather than Whitebox
...
This is better because it no longer uses Mockito's internal API
Fixes gh-4305
2017-04-21 10:54:58 -05:00
Rob Winch
9d9aadb80f
Fix DefaultSavedRequestMixinTests with Spring 5
...
Previously DefaultSavedRequestMixinTests
serializeDefaultRequestBuildWithConstructorTest broke in Spring 5
because Spring 5's MockHttpServletRequest.setCookie now automatically adds
the Cookie header.
This commit ensures that the Cookie header is not added by overriding the
class we are writing.
Fixes gh-4272
2017-04-12 15:51:26 -05:00
Joe Grandja
2b81983f7c
Update to Java 8 compatibility
...
* Spring IO Athens-BUILD-SNAPSHOT -> Cairo-BUILD-SNAPSHOT
* CGLib 3.1 -> 3.2.5 latest release Issue related to ASM https://github.com/cglib/cglib/issues/20
* AssertJ 2.2.0 -> 3.6.2 latest release
* PowerMock 1.6.2 -> 1.6.5 latest release is 1.6.6 but has regression Issue https://github.com/powermock/powermock/issues/717
* Update maven-compiler-plugin source/target to 1.8
2017-04-07 16:49:38 -04:00
borlafu
8a458eb9e1
Avoid multiple X-Frame-Options headers
...
XFrameOptionsHeaderWriter should not *add*, but *set* the
X-Frame-Options header. According to
https://tools.ietf.org/html/rfc7034#section-2.1 , having
multiple values for the header is disallowed:
"There are three different values for the header field.
These values are mutually exclusive; that is, the header
field MUST be set to exactly one of the three values."
With this change, only the latest XFrameOptionsHeaderWriter
will remain.
2017-03-08 15:49:18 -06:00
Rob Winch
247f54dc41
Fix SwitchUserFilter.setSwitchFailureUrl assertion
...
Fixes gh-4198
2017-03-02 00:47:09 -06:00
Rob Winch
017e9834bd
Fix NPE in UrlUtils with null url
...
Fixes gh-4233
2017-03-02 00:46:01 -06:00
Rob Winch
168f4b8f70
Prevent Duplicate Cache Headers
...
Fixes gh-4199
2017-03-01 16:14:12 -06:00
Eddú Meléndez
028854b936
Add HttpSessionRequestCache sessionAttrName property
...
This commit allows to customize the session attribute name. Default is
SPRING_SECURITY_SAVED_REQUEST.
Fixes gh-4130
2016-12-21 10:22:09 -06:00
Rob Winch
d39f3385b6
Polish DefaultHttpFirewallTests
...
Issue gh-4169
2016-12-21 09:29:23 -06:00
Rob Winch
666e356ebc
Block URL Encoded "/" in DefaultHttpFirewall
...
Fixes gh-4169
2016-12-21 09:04:00 -06:00
Rob Winch
697daeab7c
Add Jackson2 Support for PreAuthenticatedAuthenticationToken
...
Fixes gh-4120
2016-11-09 16:55:10 -06:00
Rob Winch
f0a9421aa4
SecurityJacksonModules->SecurityJackson2Modules
...
Fixes gh-4121
2016-11-09 16:42:41 -06:00
Eddú Meléndez
23294c4c57
Add Referrer-Policy header support
...
Fixes gh-4110
2016-11-08 13:21:35 -06:00
Rob Winch
57d7ad05f9
Revert "Cache Control only written if not set"
...
This reverts commit 242b831f20 .
Spring MVC fixed the issue we were working around and the changes
in Spring Security were unreliable.
Fixes gh-3975
2016-10-24 15:57:26 -05:00
Rob Winch
2c99cd3bbf
Remove MatcherAssertionErrors
...
Spring 5 removes MatcherAssertionErrors. We should not have been using
this class anyways.
This commit updates to using assertj in favor of MatcherAssertionErrors.
Issue gh-4080
2016-10-17 17:00:17 -05:00
Rob Winch
6fb564a629
Polish HTTP Response Splitting
...
Issue gh-3910
2016-09-23 12:49:01 -05:00
Rob Winch
9ae163e92d
Rename to RequestAttributeAuthenticationFilter
...
Rename EnvironmentVariableAuthenticationFilter to
RequestAttributeAuthenticationFilterTests
Polish gh-3978
2016-09-22 16:44:10 -05:00
Milan Ševčík
a8120e74a7
Added authentication filter reading environment variables.
...
This style is used in many SSO implementations, such as Stanford WebAuth
and Shibboleth.
2016-09-22 16:30:54 -05:00
Rob Winch
b443baef04
Polish GrantedAuthorityDefaults
...
* Move GrantedAuthorityDefaults to config module
* Move setting of default role into config module vs
ApplicationContextAware
Issue gh-3701
2016-09-22 15:13:05 -05:00
Eddú Meléndez
eabeaf35d6
Make single definition of defaultRolePrefix and rolePrefix
...
Previous to this commit, role prefix had to be set in every class
causing repetition. Now, bean `GrantedAuthorityDefaults` can be used to
define the role prefix in a single point.
Fixes gh-3701
2016-09-21 14:55:41 -05:00
Rob Winch
2e6656e9d3
Polish HTTP Response Splitting
...
* Use new test method name convention of
methodNameWhen<Condition>Then<Expectation>
* Check null Cookie
* Check Cookie.getName() for crlf since we do not want to rely on the
implementation. For example Cookie could be overriden by extending it.
* Use Crlf as convention instead of CLRF as style guide
* Create new FirewalledResponse before each test to ensure isolation
* Use Mock for HttpServletResponse delegate to keep test in isolation (i.e.
we do not want our tests to fail if MockHttpServletRequest changes an
Exception error message)
Issue gh-3910
2016-09-21 10:42:24 -05:00
Gabriel Lavoie
4a1f00b90f
Add additional HTTP Response splitting prevention
...
- Adding multiple test.
- HTTP response splitting should be validated too on cookie attributes and
header name.
Issue gh-3910
2016-09-21 10:42:18 -05:00