Rob Winch
e1ad989d38
Merge branch '6.2.x' into 6.3.x
...
Closes gh-16062
2024-11-11 14:58:39 -06:00
Rob Winch
81e74e65d4
Support ServerExchangeRejectedHandler @Bean
...
Closes gh-16061
2024-11-11 14:58:00 -06:00
Cedric Montfort
d9d77bed82
Allow logout+jwt JWT type for reactive
...
The OIDC back-channel spec recommends using a logout token typ `logout+jwt`
(see [here](https://openid.net/specs/openid-connect-backchannel-1_0-final.html#LogoutToken ).
Support of this type was recently added [on the servlet side]([on the Servlet side](9101bf1f7d )), so back
porting the same on the reactive side to close the gap.
Closes gh-15702
2024-10-28 14:21:48 -07:00
Rob Winch
1ba6301afa
Support ServerWebExchangeFirewall @Bean
...
Closes gh-15987
2024-10-25 12:13:41 -05:00
Rob Winch
adc66e134b
Merge branch '6.2.x' into 6.3.x
...
Support ServerWebExchangeFirewall @Bean
Closes gh-15991
2024-10-25 11:56:53 -05:00
Rob Winch
3ba1263d64
Support ServerWebExchangeFirewall @Bean
...
Closes gh-15987
2024-10-24 16:47:36 -05:00
Josh Cummings
c104f44546
Merge branch '6.2.x' into 6.3.x
2024-10-23 15:23:15 -07:00
Scott Murphy Heiberg
18dba34bde
Make RequestMatcherDelegatingAuthorizationManager Post-Processable
...
Closes gh-15948
2024-10-23 15:15:10 -07:00
Josh Cummings
746464e035
Merge branch '6.2.x' into 6.3.x
2024-09-30 17:21:13 -06:00
Josh Cummings
c1857c0308
Fix Formatting
...
Issue gh-15771
2024-09-30 16:19:26 -07:00
chao.wang
690e012fb1
Improve OidcBackChannelLogoutTokenValidator error when provider issuer is missing
...
Closes gh-15771
2024-09-30 16:19:26 -07:00
DingHao
5c20505b0e
Support Class Attributes in Annotation Template Processing
...
Closes gh-15721
2024-09-04 13:41:46 -07:00
Josh Cummings
279cb89eac
Merge branch '6.2.x' into 6.3.x
2024-08-26 16:32:58 -06:00
Hero Wanders
f372f5cf52
Replace OidcSessionStrategy References with OidcSessionRegistry
2024-08-26 15:32:35 -07:00
Josh Cummings
4c0d969f1f
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15676
2024-08-22 12:37:45 -06:00
Josh Cummings
3ee5a96e53
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15675
2024-08-22 12:24:56 -06:00
Josh Cummings
5c604b95fb
Correct PostFilterAuthorizationMethodInterceptor Target Type
...
Previously, `postFilterAuthorizationMethodInterceptor` mistakenly
was published as an `Advisor`. Because `MethodSecurityAdvisorRegistrar`
re-publishes each pre/post annotation interceptor also as an `Advisor`,
this resulted in a duplicate advisor for `@PostFilter`.
Closes gh-15651
2024-08-22 12:10:25 -06:00
Josh Cummings
ae8e4d148e
Produce Exactly One AuthorizationAdvisor Per Annotation
...
Closes gh-15592
2024-08-19 12:30:03 -06:00
Daniel Garnier-Moiroux
109da2719f
Use explicit types everywhere instead of var
2024-08-08 15:29:41 -05:00
Josh Cummings
f20ae1a71c
Revert gh-13783
...
This feature unfortunately regresses pre-existing behavior
like that found in gh-15352. As such, this functionality
has been removed.
Closes gh-15352
2024-07-31 16:16:34 -06:00
Marcus Hert Da Coregio
c1b3b329af
Merge branch '6.2.x' into 6.3.x
2024-07-29 14:56:09 -03:00
baezzys
3d4bcf1b44
fix: Restrict automatic CORS configuration to UrlBasedCorsConfigurationSource
...
- Update CORS configuration logic to automatically enable .cors() only if a UrlBasedCorsConfigurationSource bean is present.
- Modify applyCorsIfAvailable method to check for UrlBasedCorsConfigurationSource instances.
2024-07-29 14:55:55 -03:00
Josh Cummings
ba714d78ab
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15440
2024-07-18 15:51:10 -06:00
Josh Cummings
3daeeb8789
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15439
2024-07-18 15:50:58 -06:00
Josh Cummings
dab48d25b0
Improve Error Message When Registration Missing
...
Closes gh-15363
2024-07-18 15:50:41 -06:00
Josh Cummings
8ee497f4c5
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15410
2024-07-12 11:04:08 -06:00
Josh Cummings
7422a1134a
Allow logout+jwt JWT type
...
Closes gh-15003
2024-07-12 10:03:40 -07:00
Josh Cummings
22c7b8760a
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15211
2024-06-06 13:36:20 -06:00
Josh Cummings
f231ea277d
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15210
2024-06-06 13:35:56 -06:00
Josh Cummings
6aabd768a8
Pick MvcRequestMatcher for MockMvc requests
...
Closes gh-13849
2024-06-06 13:17:43 -06:00
Josh Cummings
0aed8df549
Merge branch '6.2.x' into 6.3.x
...
Closes gh-15197
2024-06-03 17:42:58 -06:00
Josh Cummings
d6228e0882
Merge branch '5.8.x' into 6.2.x
...
Closes gh-15196
2024-06-03 17:42:25 -06:00
Josh Cummings
cdd626644e
Use Request-Level Servlet Context
...
Spring Security cannot use the ServletContext attached
to the ApplicationContext since there may be child
ApplicationContext's with their own ServletContext.
Because of that, it is necessary to always use the
ServletContext attached to the request.
Closes gh-14418
2024-06-03 17:41:51 -06:00
Josh Cummings
5a798e93f1
Polish MVC Tests
...
Issue gh-14418
2024-06-03 17:41:51 -06:00
Marcus Hert Da Coregio
ddcaeb5c20
Serialize objects from 6.3.x
...
Issue gh-3737
2024-05-24 09:47:29 -03:00
Marcus Hert Da Coregio
08f11f06ab
Revert unnecessary commits from main
...
Issue gh-15016
2024-05-08 13:49:18 -03:00
Marcus Hert Da Coregio
b3c7f3ff19
Rename CompromisedPasswordCheckResult to CompromisedPasswordDecision
...
Issue gh-7395
2024-04-30 08:38:03 -03:00
Josh Cummings
29d3b438b9
Merge branch '6.1.x' into 6.2.x
2024-04-26 17:09:17 -06:00
Josh Cummings
1ecb036fba
Merge branch '5.8.x' into 6.1.x
2024-04-26 17:09:05 -06:00
sheheryarumair
0e211382ee
Remove useBase64 parameter
2024-04-26 17:05:49 -06:00
Josh Cummings
664dfd9b45
Defer Anonymous Filter Construction
...
By delaying when the AnonymousAuthenticationFilter is constructed,
it's now possible to call the principal and filter methods inside
of a custom DSL implementation.
This does not extend to setting the key or the authentication provider
though, as these must be set during the init phase.
Closes gh-14941
2024-04-25 14:03:10 -06:00
Josh Cummings
a4dbf458ab
Add relying-party-registrations#id
...
Closes gh-14487
2024-04-18 12:56:56 -06:00
Marcus Hert Da Coregio
2fbbcc4bd0
Polish Method Authorization Denied Handling
...
- Renamed @AuthorizationDeniedHandler to @HandleAuthorizationDenied
- Merged the post processor interface into MethodAuthorizationDeniedHandler , it now has two methods handleDeniedInvocation and handleDeniedInvocationResult
- @HandleAuthorizationDenied now handles AuthorizationDeniedException thrown from the method
Issue gh-14601
2024-04-12 15:55:25 -03:00
Marcus Hert Da Coregio
61eba00654
Move HaveIBeenPwnedRestApiPasswordChecker to spring-security-web
...
Prior to this commit, the implementation was placed in spring-security-core, however we do not want to introduce a dependency on spring-web and spring-webflux for that module.
Issue gh-7395
2024-04-10 14:58:01 -03:00
Marcus Hert Da Coregio
8d914ef145
Add @AuthorizationDeniedHandler for Method Authorization Denied Handling
...
Issue gh-14601
2024-04-08 14:42:13 -03:00
Marcus Hert Da Coregio
d6ae058ee1
Merge branch '6.2.x'
...
Closes gh-14866
2024-04-08 11:16:30 -03:00
Marcus Hert Da Coregio
697d0c9af4
Merge branch '6.1.x' into 6.2.x
...
Closes gh-14865
2024-04-08 11:16:15 -03:00
Marcus Hert Da Coregio
472c9f8275
Avoid initializing raw bean during runtime in native-images
...
Closes gh-14825
2024-04-08 11:11:23 -03:00
Steve Riesenberg
61e93ee68b
Merge branch '6.2.x'
2024-04-04 14:56:32 -05:00
Steve Riesenberg
16e2bdc9bc
Merge branch '6.1.x' into 6.2.x
2024-04-04 14:55:45 -05:00