Commit Graph

984 Commits

Author SHA1 Message Date
Marcus Hert Da Coregio
a7da9491d9 Use assertj assertions 2023-11-17 09:03:36 -03:00
Josh Cummings
ffd12ee3b9 Refine requestMatcher Validation Rules
Closes gh-14078
2023-10-31 17:08:24 -06:00
Marcus Da Coregio
64e2a2ff8b Apply updated Code Style
Closes gh-13881
2023-09-29 11:44:32 -03:00
Josh Cummings
28f98b3351 Improve Error Message
Closes gh-13667
2023-08-20 22:53:57 -06:00
Josh Cummings
ed96e2cddf Ignore Unmappable Servlets
Closes gh-13666
2023-08-20 22:53:55 -06:00
Josh Cummings
c4f061c63d Do Not Re-register Method Security Advisors
Closes gh-13572
2023-07-24 11:24:03 -06:00
Josh Cummings
bb46a54270 Add DispatcherServlet to Tests
Issue gh-13551
2023-07-17 10:58:30 -06:00
Josh Cummings
df239b6448 Improve RequestMatcher Validation
Closes gh-13551
2023-07-17 08:41:30 -06:00
Marcus Da Coregio
b47420f8a2 Merge branch '5.7.x' into 5.8.x
Closes gh-13280
2023-06-05 16:02:30 -03:00
Marcus Da Coregio
7250abc185 Does not apply a Configurer when disabled from another DSL
Closes gh-13203
2023-06-05 16:01:20 -03:00
Josh Cummings
73cb9862ad Update Symlink for 5.8
Issue gh-13131
2023-05-24 14:37:18 -06:00
Josh Cummings
1eefd433b6 Add spring-security.xsd symlink
Closes gh-13131
2023-05-22 15:42:02 -06:00
lukasz.migdalek
f4915890cc Use Spec Order for Verifying Signatures
Closes gh-12346
2023-05-15 17:24:22 -06:00
Josh Cummings
e9a02bc6e9 RememberMeConfigurer Picks Up SecurityContextRepository
Closes gh-13104
2023-05-02 16:46:35 -06:00
Marcus Da Coregio
6cf8c53aaa Merge branch '5.7.x' into 5.8.x 2023-04-17 07:16:47 -03:00
Marcus Da Coregio
2d52fb8e4b Clear Repository on Logout 2023-04-17 06:47:57 -03:00
Marcus Da Coregio
54117d7d27 Fix test suffix to align with checkstyle 2023-04-14 13:29:15 -03:00
Marcus Da Coregio
97ba596ca3 Merge branch '5.7.x' into 5.8.x
Closes gh-12776
2023-02-23 15:17:04 -03:00
Marcus Da Coregio
1c3ce1e401 Fix entity-id ignored in RelyingPartyRegistration XML config
Closes gh-11898
2023-02-23 15:16:40 -03:00
Josh Cummings
0baf650f38 Merge branch '5.7.x' into 5.8.x
Closes gh-12686
2023-02-16 14:55:22 -07:00
Leonid Rozenblyum
000b4bc495 Fix NPE in HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter
Before the fix, these methods would throw a NPE in case when the filter class passed as the second parameter, is not registered yet.

In particular, this exception can occur when mixing standard and custom DSL to register filters.

The fix doesn't change the situation that standard DSL for registration of filters cannot refer to filters that are registered via custom DSL even though those calls were done earlier.

It just provides more user-friendly error handling for this and most likely other scenarios of calls of HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter.

The error handling is implemented similarly to HttpSecurity#addFilter.

Closes gh-12637
2023-02-16 14:54:44 -07:00
Steve Riesenberg
c306df9b46 Add XorCsrfChannelInterceptor
Issue gh-12378
2023-01-23 16:00:35 -06:00
Steve Riesenberg
ea6ce05662 Add configurer tests for CookieCsrfTokenRepository
Issue gh-12236
2022-11-18 13:12:59 -06:00
Steve Riesenberg
2ed7cff643 Check for existing token before clearing
Closes gh-12236
2022-11-18 13:12:59 -06:00
Josh Cummings
3192618220 Add authenticationFailureHandler
- To ServerHttpSecurity#httpBasic
- To ServerHttpSecurity#oauthResourceServer

Closes gh-12132
2022-11-02 15:35:01 -06:00
Rob Winch
d860775b45 Document Defer load CsrfToken
Closes gh-12105
2022-10-28 15:41:25 -05:00
mmoussa_mapfreusa
bd4e0fb5db Set LogoutRequestRepository on Saml2 LogoutSuccessHandler
Closes gh-11363
2022-10-26 16:44:23 -06:00
Steve Riesenberg
c75ca10900 Add DeferredSecurityContext
Issue gh-12023
2022-10-17 19:33:58 -05:00
Steve Riesenberg
440748ec65 Add test support for Xor CSRF tokens
Issue gh-4001
2022-10-12 15:02:15 -05:00
Steve Riesenberg
f462134e87 Add reactive support for BREACH
Closes gh-11959
2022-10-07 16:34:17 -05:00
Steve Riesenberg
f4ca90e719 Add reactive interfaces for CSRF request handling
Issue gh-11959
2022-10-07 16:34:16 -05:00
Marcus Da Coregio
f3321c256c Add XML support for shouldFilterAllDispatcherTypes
Closes gh-11492
2022-10-07 10:20:32 -03:00
Josh Cummings
7043ef6ccb Polish OpaqueTokenAuthenticationConverterTests
Issue gh-11665
2022-10-05 22:18:41 -06:00
Steve Riesenberg
dce1c30522 Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Steve Riesenberg
475b3bb6bb Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Daniel Garnier-Moiroux
0e215a21ad Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Daniel Garnier-Moiroux
93250013e4 Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Marcus Da Coregio
cf3349f31a Configure ContentNegotiationStrategy in HttpSecurityConfiguration
Closes gh-11916
2022-09-29 11:21:08 -03:00
Josh Cummings
506e50bfd0 Move Saml2 Authentication Filters
Issue gh-8819
2022-09-26 10:44:27 -06:00
Josh Cummings
37a160245f Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-23 16:31:21 -06:00
Steve Riesenberg
46696a9226 CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Rob Winch
d94677f87e CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
2022-09-22 11:09:44 -05:00
Steve Riesenberg
355ef21117 Polish gh-11665 2022-09-13 16:45:39 -05:00
ch4mpy
1efb63387f Add authentication converter for introspected tokens
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.

Closes gh-11661
2022-09-13 16:45:36 -05:00
Steve Riesenberg
86fbb8db07 Add new interfaces for CSRF request processing
Issue gh-4001
Issue gh-11456
2022-09-06 11:43:33 -05:00
Josh Cummings
0f58620643 Add AspectJ AuthorizationManager Support
Closes gh-11326
2022-08-26 15:59:08 -06:00
Josh Cummings
e990174c89 Polish ReactiveMethodSecurity Support
- Changed annotation property to useAuthorizationManager
to match related XML support
- Moved support found in bean post-processors back into
interceptors directly. This reduces the number of components to
maintain and simplifies ongoing support
- Added @Deprecated annotation to indicate that applications
should use AuthorizationManagerBeforeReactiveMethodInterceptor and
AuthorizationManagerAfterReactiveMethodInterceptor instead. While
true that the new support does not support coroutines, the existing
coroutine support is problematic since it cannot be reliably paired
with other method interceptors
- Moved expression handler configuration to the constructors
- Constrain all method security interceptors to require publisher types
- Use ReactiveAdapter to check for single-value types as well

Issue gh-9401

Polish
2022-08-25 14:36:03 -06:00
Evgeniy Cheban
cbb4f40f0c ReactiveAuthorizationManager + Reactive Method Security
Closes gh-9401
2022-08-25 14:35:04 -06:00
Rob Winch
2fb625db84 Remove mockito deprecations
Issue gh-11748
2022-08-23 15:59:52 -05:00