Commit Graph

1363 Commits

Author SHA1 Message Date
Rob Winch
e1ad989d38 Merge branch '6.2.x' into 6.3.x
Closes gh-16062
2024-11-11 14:58:39 -06:00
Rob Winch
81e74e65d4 Support ServerExchangeRejectedHandler @Bean
Closes gh-16061
2024-11-11 14:58:00 -06:00
Cedric Montfort
d9d77bed82 Allow logout+jwt JWT type for reactive
The OIDC back-channel spec recommends using a logout token typ `logout+jwt`
(see [here](https://openid.net/specs/openid-connect-backchannel-1_0-final.html#LogoutToken).

Support of this type was recently added [on the servlet side]([on the Servlet side](9101bf1f7d)), so back
porting the same on the reactive side to close the gap.

Closes gh-15702
2024-10-28 14:21:48 -07:00
Rob Winch
1ba6301afa Support ServerWebExchangeFirewall @Bean
Closes gh-15987
2024-10-25 12:13:41 -05:00
Rob Winch
adc66e134b Merge branch '6.2.x' into 6.3.x
Support ServerWebExchangeFirewall @Bean

Closes gh-15991
2024-10-25 11:56:53 -05:00
Rob Winch
3ba1263d64 Support ServerWebExchangeFirewall @Bean
Closes gh-15987
2024-10-24 16:47:36 -05:00
Josh Cummings
c104f44546 Merge branch '6.2.x' into 6.3.x 2024-10-23 15:23:15 -07:00
Scott Murphy Heiberg
18dba34bde Make RequestMatcherDelegatingAuthorizationManager Post-Processable
Closes gh-15948
2024-10-23 15:15:10 -07:00
Josh Cummings
746464e035 Merge branch '6.2.x' into 6.3.x 2024-09-30 17:21:13 -06:00
Josh Cummings
c1857c0308 Fix Formatting
Issue gh-15771
2024-09-30 16:19:26 -07:00
chao.wang
690e012fb1 Improve OidcBackChannelLogoutTokenValidator error when provider issuer is missing
Closes gh-15771
2024-09-30 16:19:26 -07:00
DingHao
5c20505b0e Support Class Attributes in Annotation Template Processing
Closes gh-15721
2024-09-04 13:41:46 -07:00
Josh Cummings
279cb89eac Merge branch '6.2.x' into 6.3.x 2024-08-26 16:32:58 -06:00
Hero Wanders
f372f5cf52 Replace OidcSessionStrategy References with OidcSessionRegistry 2024-08-26 15:32:35 -07:00
Josh Cummings
4c0d969f1f Merge branch '6.2.x' into 6.3.x
Closes gh-15676
2024-08-22 12:37:45 -06:00
Josh Cummings
3ee5a96e53 Merge branch '5.8.x' into 6.2.x
Closes gh-15675
2024-08-22 12:24:56 -06:00
Josh Cummings
5c604b95fb Correct PostFilterAuthorizationMethodInterceptor Target Type
Previously, `postFilterAuthorizationMethodInterceptor` mistakenly
was published as an `Advisor`. Because `MethodSecurityAdvisorRegistrar`
re-publishes each pre/post annotation interceptor also as an `Advisor`,
this resulted in a duplicate advisor for `@PostFilter`.

Closes gh-15651
2024-08-22 12:10:25 -06:00
Josh Cummings
ae8e4d148e Produce Exactly One AuthorizationAdvisor Per Annotation
Closes gh-15592
2024-08-19 12:30:03 -06:00
Daniel Garnier-Moiroux
109da2719f Use explicit types everywhere instead of var 2024-08-08 15:29:41 -05:00
Josh Cummings
f20ae1a71c Revert gh-13783
This feature unfortunately regresses pre-existing behavior
like that found in gh-15352. As such, this functionality
has been removed.

Closes gh-15352
2024-07-31 16:16:34 -06:00
Marcus Hert Da Coregio
c1b3b329af Merge branch '6.2.x' into 6.3.x 2024-07-29 14:56:09 -03:00
baezzys
3d4bcf1b44 fix: Restrict automatic CORS configuration to UrlBasedCorsConfigurationSource
- Update CORS configuration logic to automatically enable .cors() only if a UrlBasedCorsConfigurationSource bean is present.
- Modify applyCorsIfAvailable method to check for UrlBasedCorsConfigurationSource instances.
2024-07-29 14:55:55 -03:00
Josh Cummings
ba714d78ab Merge branch '6.2.x' into 6.3.x
Closes gh-15440
2024-07-18 15:51:10 -06:00
Josh Cummings
3daeeb8789 Merge branch '5.8.x' into 6.2.x
Closes gh-15439
2024-07-18 15:50:58 -06:00
Josh Cummings
dab48d25b0 Improve Error Message When Registration Missing
Closes gh-15363
2024-07-18 15:50:41 -06:00
Josh Cummings
8ee497f4c5 Merge branch '6.2.x' into 6.3.x
Closes gh-15410
2024-07-12 11:04:08 -06:00
Josh Cummings
7422a1134a Allow logout+jwt JWT type
Closes gh-15003
2024-07-12 10:03:40 -07:00
Josh Cummings
22c7b8760a Merge branch '6.2.x' into 6.3.x
Closes gh-15211
2024-06-06 13:36:20 -06:00
Josh Cummings
f231ea277d Merge branch '5.8.x' into 6.2.x
Closes gh-15210
2024-06-06 13:35:56 -06:00
Josh Cummings
6aabd768a8 Pick MvcRequestMatcher for MockMvc requests
Closes gh-13849
2024-06-06 13:17:43 -06:00
Josh Cummings
0aed8df549 Merge branch '6.2.x' into 6.3.x
Closes gh-15197
2024-06-03 17:42:58 -06:00
Josh Cummings
d6228e0882 Merge branch '5.8.x' into 6.2.x
Closes gh-15196
2024-06-03 17:42:25 -06:00
Josh Cummings
cdd626644e Use Request-Level Servlet Context
Spring Security cannot use the ServletContext attached
to the ApplicationContext since there may be child
ApplicationContext's with their own ServletContext.

Because of that, it is necessary to always use the
ServletContext attached to the request.

Closes gh-14418
2024-06-03 17:41:51 -06:00
Josh Cummings
5a798e93f1 Polish MVC Tests
Issue gh-14418
2024-06-03 17:41:51 -06:00
Marcus Hert Da Coregio
ddcaeb5c20 Serialize objects from 6.3.x
Issue gh-3737
2024-05-24 09:47:29 -03:00
Marcus Hert Da Coregio
08f11f06ab Revert unnecessary commits from main
Issue gh-15016
2024-05-08 13:49:18 -03:00
Marcus Hert Da Coregio
b3c7f3ff19 Rename CompromisedPasswordCheckResult to CompromisedPasswordDecision
Issue gh-7395
2024-04-30 08:38:03 -03:00
Josh Cummings
29d3b438b9 Merge branch '6.1.x' into 6.2.x 2024-04-26 17:09:17 -06:00
Josh Cummings
1ecb036fba Merge branch '5.8.x' into 6.1.x 2024-04-26 17:09:05 -06:00
sheheryarumair
0e211382ee Remove useBase64 parameter 2024-04-26 17:05:49 -06:00
Josh Cummings
664dfd9b45 Defer Anonymous Filter Construction
By delaying when the AnonymousAuthenticationFilter is constructed,
it's now possible to call the principal and filter methods inside
of a custom DSL implementation.

This does not extend to setting the key or the authentication provider
though, as these must be set during the init phase.

Closes gh-14941
2024-04-25 14:03:10 -06:00
Josh Cummings
a4dbf458ab Add relying-party-registrations#id
Closes gh-14487
2024-04-18 12:56:56 -06:00
Marcus Hert Da Coregio
2fbbcc4bd0 Polish Method Authorization Denied Handling
- Renamed @AuthorizationDeniedHandler to @HandleAuthorizationDenied
- Merged the post processor interface into MethodAuthorizationDeniedHandler , it now has two methods handleDeniedInvocation and handleDeniedInvocationResult
- @HandleAuthorizationDenied now handles AuthorizationDeniedException thrown from the method

Issue gh-14601
2024-04-12 15:55:25 -03:00
Marcus Hert Da Coregio
61eba00654 Move HaveIBeenPwnedRestApiPasswordChecker to spring-security-web
Prior to this commit, the implementation was placed in spring-security-core, however we do not want to introduce a dependency on spring-web and spring-webflux for that module.

Issue gh-7395
2024-04-10 14:58:01 -03:00
Marcus Hert Da Coregio
8d914ef145 Add @AuthorizationDeniedHandler for Method Authorization Denied Handling
Issue gh-14601
2024-04-08 14:42:13 -03:00
Marcus Hert Da Coregio
d6ae058ee1 Merge branch '6.2.x'
Closes gh-14866
2024-04-08 11:16:30 -03:00
Marcus Hert Da Coregio
697d0c9af4 Merge branch '6.1.x' into 6.2.x
Closes gh-14865
2024-04-08 11:16:15 -03:00
Marcus Hert Da Coregio
472c9f8275 Avoid initializing raw bean during runtime in native-images
Closes gh-14825
2024-04-08 11:11:23 -03:00
Steve Riesenberg
61e93ee68b Merge branch '6.2.x' 2024-04-04 14:56:32 -05:00
Steve Riesenberg
16e2bdc9bc Merge branch '6.1.x' into 6.2.x 2024-04-04 14:55:45 -05:00