Commit Graph

727 Commits

Author SHA1 Message Date
Josh Cummings
af5c55c380 Polish AuthnRequest Customization Support
Having the application generate the AuthnRequest fresh allows Spring
Security to back away more gracefully. Using a Consumer implies that
the application will need to undo any values that Spring Security set
that the application doesn't want.

Also, if this does become a configuration burden, it can be simplified
in a separate ticket by exposing the default Converter.

Issue gh-8776
2020-08-19 14:27:31 -06:00
Rob Winch
74b42ba956 Move RSocket integration tests to integration tests
Closes gh-8944
2020-08-05 13:23:20 -05:00
Eleftheria Stein
aeafe04260 Remove need for WebSecurityConfigurerAdapter
Closes gh-8804
2020-08-05 10:10:12 -04:00
Josh Cummings
5061ae9e79 Add Saml2AuthenticationTokenConverter
Closes gh-8768
2020-08-04 18:41:43 -06:00
Josh Cummings
a10c2c6cf8 Polish DefaultSaml2AuthenticationRequestContextResolver
Issue gh-8360
Issue gh-8887
2020-08-04 17:29:13 -06:00
Joe Grandja
0ed919f072 Deprecate ClientRegistration.redirectUriTemplate
Closes gh-8906
2020-08-04 11:03:29 -04:00
Josh Cummings
2c960d2ad1 Add AuthnRequestConsumerResolver
Closes gh-8141
2020-07-16 14:53:22 -06:00
Joe Grandja
0b5a14a900 Register OAuth2AuthorizedClientArgumentResolver as custom resolver for XML config
Issue gh-8669
2020-07-01 11:07:33 -04:00
Joe Grandja
edf06a3461 OAuth2AuthorizedClientArgumentResolver uses OAuth2AuthorizedClientManager @Bean
Closes gh-8700
2020-06-30 11:25:39 -04:00
Joe Grandja
951e64185b Register OAuth2AuthorizedClientArgumentResolver for XML Config
Closes gh-8669
2020-06-25 16:10:29 -04:00
Evgeniy Cheban
4e7be2078f DefaultWebSecurityExpressionHandler uses RoleHierarchy bean
Fixes gh-7059
2020-06-10 16:43:01 -04:00
Rob Winch
a907026eae Deprecate X-FRAME-OPTIONS ALLOW-FROM Directive
Closes gh-8677
2020-06-10 11:48:56 -05:00
Joe Grandja
da4b626bf1 OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
Issue gh-8609
2020-06-09 17:28:21 -04:00
Parikshit Dutta
28d2cfa14a Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter
Fixes gh-8536
2020-06-02 21:54:09 -04:00
Rob Winch
748538d19f Delay AuthenticationPrincipalArgumentResolver Creation
Use ObjectProvider<AuthenticationPrincipalArgumentResolver> to delay its
lookup.

Closes gh-8613
2020-05-29 16:49:01 -05:00
Craig Andrews
dbdeec4216 Check for an existing SessionRegistry bean
If a SessionRegistry is necessary, check for one in the ApplicationContext before creating one.
2020-05-22 20:33:32 -05:00
Josh Cummings
51a0cffd36 Post-process AuthenticationRequestFilter
Fixes gh-8552
2020-05-18 21:08:23 -06:00
Josh Cummings
9241cd2892 Move TestRelyingPartyRegistrations
Fixes gh-8551
2020-05-18 16:38:40 -06:00
Parikshit Dutta
1e211b6558 Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter
Fixes gh-8120
2020-05-15 15:13:15 -04:00
Joe Grandja
c1abc9b134 Polish gh-8501 2020-05-15 13:26:09 -04:00
Thomas Vitale
78fa859798 Add issuerUri to ClientRegistration.providerDetails
- Add "issuerUri" attribute to ClientRegistration.providerDetails for OpenID Connect Discovery 1.0 or OAuth 2.0 Authorization Server Metadata.
- Validate OidcIdToken "iss" claim against the OpenID Provider "issuerUri" value.
- Update documentation for client registration: it includes issuer-uri property now.

Fixes gh-8326
2020-05-14 17:13:07 -04:00
Eleftheria Stein
1aadbb2f4d Remove "/path/**/other" patterns in tests
Fixes gh-8513
2020-05-11 17:00:25 -04:00
Rob Winch
d91b153cad Explicitly set useSuffixPatternMatch for Tests
Spring MVC changed their default behavior in
https://github.com/spring-projects/spring-framework/issues/23915 This
causes failures in some of Spring Security's tests.

This explicitly sets useSuffixPatternMatch=true to ensure that Spring
Security still works if users have modified their defaults.

Closes gh-8493
2020-05-08 16:43:56 -05:00
Rob Winch
4a9fa0337a Allow Configure RequestRjectedHandler in XML
Issue gh-5007
2020-05-01 10:51:11 -05:00
Evgeniy Cheban
a70d55552b Resource Server Finds JwtAuthenticationConverter Beans
Fixes gh-8185
2020-04-13 22:47:20 -06:00
Rob Winch
9a42a028e7 Logout defaults to use Global SecurityContextServerLogoutHandler
Closes gh-8375
2020-04-13 16:36:12 -05:00
Rob Winch
91728ef53b Fix HttpServlet3RequestFactory Logout Handlers
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.

This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.

Closes gh-4760
2020-03-30 17:50:28 -05:00
Rob Winch
b055f8bb25 SpringTestContext returns ConfigurableWebApplicationContext
Closes gh-8233
2020-03-30 17:46:25 -05:00
Joe Grandja
e27e548215 oauth2Login WebFlux does not auto-redirect for XHR request
Fixes gh-8118
2020-03-26 04:36:23 -04:00
Eleftheria Stein
97085ef310 Fix rsocket test
Request route that exists; add additional error message verification

Fixes gh-8154
2020-03-19 17:27:14 -04:00
Josh Cummings
f438bdfbcf Add spring-security-5.4.xsd
Issue gh-8138
2020-03-18 09:45:10 -06:00
Josh Cummings
c729fee7bc Malformed Bearer Token Returns 401 for WebFlux
Fixes gh-7668
2020-03-03 15:42:02 -07:00
Josh Cummings
e97396b9c7 Add Resource Server XML Support
Fixes gh-5185
2020-03-02 11:51:40 -07:00
Josh Cummings
19584884b3 Register Authentication Provider in Init Phase
Fixes gh-8031
2020-02-28 15:32:27 -07:00
Filip Hanik
3257349045 Support POST binding for AuthNRequest
Has been tested with

- Keycloak
- SSOCircle
- Okta
- SimpleSAMLPhp

This PR extends (builds on previous commits and adds user configuration
options)
https://github.com/spring-projects/spring-security/pull/7758
2020-02-28 09:15:26 -08:00
Ankur Pathak
480c5bc87e Custom ServerHttpHeadersWriter to HeaderSpec
Add the ability to have a custom ServerHttpHeadersWriter to HeaderSpec
Fixes gh-7636
2020-02-27 07:55:30 -06:00
Joe Grandja
8a4ff4452b Add XML namespace support for oauth2-client
Fixes gh-5184
2020-02-20 20:05:48 -05:00
Joe Grandja
ff8002eb2e Polish gh-4557 2020-02-12 15:47:57 -05:00
Ruby Hartono
71a5c9521c Add XML namespace support for oauth2-login
Fixes gh-4557
2020-02-12 15:26:17 -05:00
Joe Grandja
40c0a452d7 Define oauth2-login xsd elements
Issue gh-4557
2020-02-12 15:26:17 -05:00
Josh Cummings
5bdf57d1e5 Remove Groovy and Spock Dependencies
Fixes gh-4939
2020-02-10 10:38:40 -07:00
Stephane Maldini
851be025e9 Don't force downcasting of RequestAttributes to ServletRequestAttributes
Fixes gh-7952
2020-02-07 20:44:19 -05:00
Rob Winch
1d7208f8ef Add RSocket Authentication Extension Support
Fixes gh-7935
2020-02-04 23:36:47 -06:00
Josh Cummings
209c81d65d Add BadOpaqueTokenException
Updated NimbusOpaqueTokenIntrospector and
NimbusReactiveOpaqueTokenIntrospector to throw.
Updated OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager to catch.

Fixes gh-7902
2020-02-04 17:33:08 -07:00
Josh Cummings
0c3754c811 Add BadJwtException
Updated NimbusJwtDecoder and NimbusReactiveJwtDecoder to throw.
Updated JwtAuthenticationProvider and JwtReactiveAuthenticationManager
to catch.

Fixes gh-7885
2020-02-04 17:33:08 -07:00
Josh Cummings
3e07b35611 Polish Bearer Token Error Handling
Issue gh-7822
Issue gh-7823
2020-02-03 17:54:39 -07:00
Josh Cummings
cb9fd09150 Change AuthenticationWebFilter's constructor
Fixes gh-7872
2020-01-31 09:31:28 -07:00
Eleftheria Stein
a512789a93 Fix requiresAuthenticationMatcher not being used
The custom server requiresAuthenticationMatcher was not always picked up

Fixes: gh-7863
2020-01-27 16:12:27 +01:00
Eleftheria Stein
29377545d9 Fix authenticationFailureHandler not being used
The custom server authenticationFailureHandler was not always picked up

Fixes: gh-7782
2020-01-27 13:10:03 +01:00
Johannes Edmeier
bdc60a9128 Don't cache requests with Accept: text/event-stream by default.
The eventstream requests is typically not directly invoked by the browser.
And even more unfortunately the Browser-Api doesn't allow the set additional headers as `XMLHttpRequest`..
2020-01-17 10:42:16 -08:00