Commit Graph

994 Commits

Author SHA1 Message Date
Josh Cummings
dab48d25b0 Improve Error Message When Registration Missing
Closes gh-15363
2024-07-18 15:50:41 -06:00
Josh Cummings
6aabd768a8 Pick MvcRequestMatcher for MockMvc requests
Closes gh-13849
2024-06-06 13:17:43 -06:00
Josh Cummings
cdd626644e Use Request-Level Servlet Context
Spring Security cannot use the ServletContext attached
to the ApplicationContext since there may be child
ApplicationContext's with their own ServletContext.

Because of that, it is necessary to always use the
ServletContext attached to the request.

Closes gh-14418
2024-06-03 17:41:51 -06:00
Josh Cummings
5a798e93f1 Polish MVC Tests
Issue gh-14418
2024-06-03 17:41:51 -06:00
sheheryarumair
0e211382ee Remove useBase64 parameter 2024-04-26 17:05:49 -06:00
Steve Riesenberg
39dbd24dcb Polish gh-14742 2024-04-04 14:51:19 -05:00
sheheryarumair
33ebd5405a Removed dataSource null validation
Fixed data source validation
2024-04-04 14:21:18 -05:00
Josh Cummings
eaaa813ede Fix header value typo
Closes gh-11948
2023-12-18 10:42:50 -07:00
Josh Cummings
a98baa7522 Polish ServletRegistration API Deferral
Tomcat uses different ServletContext instances from startup- and request-time.
This commit ensures that if the programmatic API isn't available at startup-time,
then use the ServletContext attached to the HttpServletRequest at runtime.

Issue gh-13794
2023-12-01 12:57:45 -07:00
Josh Cummings
4ca54683ae Defer requestMatchers Validation to Runtime
Closes gh-13794
2023-11-17 11:23:21 -07:00
Marcus Hert Da Coregio
a7da9491d9 Use assertj assertions 2023-11-17 09:03:36 -03:00
Josh Cummings
ffd12ee3b9 Refine requestMatcher Validation Rules
Closes gh-14078
2023-10-31 17:08:24 -06:00
Marcus Da Coregio
64e2a2ff8b Apply updated Code Style
Closes gh-13881
2023-09-29 11:44:32 -03:00
Josh Cummings
28f98b3351 Improve Error Message
Closes gh-13667
2023-08-20 22:53:57 -06:00
Josh Cummings
ed96e2cddf Ignore Unmappable Servlets
Closes gh-13666
2023-08-20 22:53:55 -06:00
Josh Cummings
c4f061c63d Do Not Re-register Method Security Advisors
Closes gh-13572
2023-07-24 11:24:03 -06:00
Josh Cummings
bb46a54270 Add DispatcherServlet to Tests
Issue gh-13551
2023-07-17 10:58:30 -06:00
Josh Cummings
df239b6448 Improve RequestMatcher Validation
Closes gh-13551
2023-07-17 08:41:30 -06:00
Marcus Da Coregio
b47420f8a2 Merge branch '5.7.x' into 5.8.x
Closes gh-13280
2023-06-05 16:02:30 -03:00
Marcus Da Coregio
7250abc185 Does not apply a Configurer when disabled from another DSL
Closes gh-13203
2023-06-05 16:01:20 -03:00
Josh Cummings
73cb9862ad Update Symlink for 5.8
Issue gh-13131
2023-05-24 14:37:18 -06:00
Josh Cummings
1eefd433b6 Add spring-security.xsd symlink
Closes gh-13131
2023-05-22 15:42:02 -06:00
lukasz.migdalek
f4915890cc Use Spec Order for Verifying Signatures
Closes gh-12346
2023-05-15 17:24:22 -06:00
Josh Cummings
e9a02bc6e9 RememberMeConfigurer Picks Up SecurityContextRepository
Closes gh-13104
2023-05-02 16:46:35 -06:00
Marcus Da Coregio
6cf8c53aaa Merge branch '5.7.x' into 5.8.x 2023-04-17 07:16:47 -03:00
Marcus Da Coregio
2d52fb8e4b Clear Repository on Logout 2023-04-17 06:47:57 -03:00
Marcus Da Coregio
54117d7d27 Fix test suffix to align with checkstyle 2023-04-14 13:29:15 -03:00
Marcus Da Coregio
97ba596ca3 Merge branch '5.7.x' into 5.8.x
Closes gh-12776
2023-02-23 15:17:04 -03:00
Marcus Da Coregio
1c3ce1e401 Fix entity-id ignored in RelyingPartyRegistration XML config
Closes gh-11898
2023-02-23 15:16:40 -03:00
Josh Cummings
0baf650f38 Merge branch '5.7.x' into 5.8.x
Closes gh-12686
2023-02-16 14:55:22 -07:00
Leonid Rozenblyum
000b4bc495 Fix NPE in HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter
Before the fix, these methods would throw a NPE in case when the filter class passed as the second parameter, is not registered yet.

In particular, this exception can occur when mixing standard and custom DSL to register filters.

The fix doesn't change the situation that standard DSL for registration of filters cannot refer to filters that are registered via custom DSL even though those calls were done earlier.

It just provides more user-friendly error handling for this and most likely other scenarios of calls of HttpSecurity#addFilterBefore, HttpSecurity#addFilterAfter.

The error handling is implemented similarly to HttpSecurity#addFilter.

Closes gh-12637
2023-02-16 14:54:44 -07:00
Steve Riesenberg
c306df9b46 Add XorCsrfChannelInterceptor
Issue gh-12378
2023-01-23 16:00:35 -06:00
Steve Riesenberg
ea6ce05662 Add configurer tests for CookieCsrfTokenRepository
Issue gh-12236
2022-11-18 13:12:59 -06:00
Steve Riesenberg
2ed7cff643 Check for existing token before clearing
Closes gh-12236
2022-11-18 13:12:59 -06:00
Josh Cummings
3192618220 Add authenticationFailureHandler
- To ServerHttpSecurity#httpBasic
- To ServerHttpSecurity#oauthResourceServer

Closes gh-12132
2022-11-02 15:35:01 -06:00
Rob Winch
d860775b45 Document Defer load CsrfToken
Closes gh-12105
2022-10-28 15:41:25 -05:00
mmoussa_mapfreusa
bd4e0fb5db Set LogoutRequestRepository on Saml2 LogoutSuccessHandler
Closes gh-11363
2022-10-26 16:44:23 -06:00
Steve Riesenberg
c75ca10900 Add DeferredSecurityContext
Issue gh-12023
2022-10-17 19:33:58 -05:00
Steve Riesenberg
440748ec65 Add test support for Xor CSRF tokens
Issue gh-4001
2022-10-12 15:02:15 -05:00
Steve Riesenberg
f462134e87 Add reactive support for BREACH
Closes gh-11959
2022-10-07 16:34:17 -05:00
Steve Riesenberg
f4ca90e719 Add reactive interfaces for CSRF request handling
Issue gh-11959
2022-10-07 16:34:16 -05:00
Marcus Da Coregio
f3321c256c Add XML support for shouldFilterAllDispatcherTypes
Closes gh-11492
2022-10-07 10:20:32 -03:00
Josh Cummings
7043ef6ccb Polish OpaqueTokenAuthenticationConverterTests
Issue gh-11665
2022-10-05 22:18:41 -06:00
Steve Riesenberg
dce1c30522 Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Steve Riesenberg
475b3bb6bb Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Daniel Garnier-Moiroux
0e215a21ad Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio
039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Daniel Garnier-Moiroux
93250013e4 Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commits adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Marcus Da Coregio
cf3349f31a Configure ContentNegotiationStrategy in HttpSecurityConfiguration
Closes gh-11916
2022-09-29 11:21:08 -03:00
Josh Cummings
506e50bfd0 Move Saml2 Authentication Filters
Issue gh-8819
2022-09-26 10:44:27 -06:00