Commit Graph

1106 Commits

Author SHA1 Message Date
Marcus Da Coregio
e05c9f4bba Improve log message when no CSRF token found
Closes gh-10436
2021-11-19 08:43:48 -03:00
Marcus Da Coregio
89db1c37a3 Update DefaultWebInvocationPrivilegeEvaluator to use current ServletContext
Closes gh-10208
2021-10-22 14:49:13 -03:00
Steve Riesenberg
0704c709dc Revert "Lock Dependencies for Release"
This reverts commit 03c2c49d66.
2021-10-18 17:38:07 -05:00
Steve Riesenberg
03c2c49d66 Lock Dependencies for Release 2021-10-18 17:34:42 -05:00
Steve Riesenberg
c83bd075a2 Revert "Lock Dependencies for Release"
This reverts commit bedb569f0d.
2021-10-18 16:49:15 -05:00
Steve Riesenberg
bedb569f0d Lock Dependencies for Release 2021-10-18 15:38:17 -05:00
Josh Cummings
ba468c7e6e Restructure SwitchUserFilter Logs
Issue gh-6311
2021-10-18 15:38:16 -05:00
Joe Grandja
ec6b2203ca Revert "Lock Dependencies for Release"
This reverts commit 067bdd0dd9.
2021-08-16 11:55:39 -04:00
Joe Grandja
067bdd0dd9 Lock Dependencies for Release 2021-08-16 11:12:40 -04:00
Steve Riesenberg
c17767883f Revert "Lock Dependencies for Release"
This reverts commit d71be4ca28.
2021-06-21 12:57:05 -05:00
Josh Cummings
d71be4ca28 Lock Dependencies for Release 2021-06-21 10:33:10 -06:00
Marcus Hert da Coregio
4d18d06d9c Adjust createNewSessionIfAllowed to prevent NPE
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
2021-05-26 13:51:52 -03:00
Josh Cummings
2c625f30e0 Add NPE Guards
- Like values, names are only validated if they are not null

Closes gh-9598
2021-04-22 11:28:25 -06:00
Craig Andrews
b97e93a486 Add guard around logger.debug statement
The log message involves string concatenation, the cost of which
should only be incurred if debug logging is enabled

Issue gh-9648
2021-04-16 10:37:48 -06:00
Joe Grandja
8850ccb1c6 Revert "Lock Dependencies"
This reverts commit 924ceac681.
2021-04-12 13:47:04 -04:00
Joe Grandja
924ceac681 Lock Dependencies 2021-04-12 13:36:39 -04:00
佚名
9570d0cada Add null check in CsrfFilter and CsrfWebFilter
Solve the problem that CsrfFilter and CsrfWebFilter
throws NPE exception when comparing two byte array
is equal in low JDK version.

When JDK version is lower than 1.8.0_45, method
java.security.MessageDigest#isEqual does not verify
whether the two arrays are null. And the above two
class call this method without null judgment.

ZiQiang Zhao<1694392889@qq.com>

Closes gh-9561
2021-04-09 21:47:11 -06:00
Josh Cummings
71e0967b53 Revert "Lock Dependencies for Release"
This reverts commit 8c04074264.
2021-02-17 15:59:48 -07:00
Josh Cummings
8c04074264 Lock Dependencies for Release 2021-02-17 14:59:17 -07:00
Josh Cummings
cf032d86d6 Revert "Lock Dependencies"
This reverts commit 9535a41d5a.
2021-02-11 18:38:07 -07:00
Josh Cummings
9535a41d5a Lock Dependencies 2021-02-11 17:43:39 -07:00
Rob Winch
4b6b417d5a Additional Test for HttpSessionSecurityContextRepository
Issue gh-9387
2021-02-11 17:39:49 -07:00
Rob Winch
c72a6fac04 Optimize HttpSessionSecurityContextRepository
Closes gh-9387
2021-02-11 17:39:48 -07:00
Josh Cummings
f449da8b78 Revert "Lock Dependencies"
This reverts commit d17ebf53f9.
2021-02-11 17:28:01 -07:00
Josh Cummings
d17ebf53f9 Lock Dependencies 2021-02-11 16:56:28 -07:00
Josh Cummings
da7141eb5b Polish Tests
Issue gh-9331
2021-02-03 09:13:38 -07:00
happier233
e30d78086a Configure CurrentSecurityContextArgumentResolver BeanResolver
Closes gh-9331
2021-02-03 09:13:28 -07:00
Rob Winch
acb5ae607b Constant Time Comparison for CSRF tokens
Closes gh-9291
2021-01-20 16:09:21 -06:00
Rob Winch
77a1befcc2 Fix Checkstyle for CsrfWebFilter
Issue gh-9337
2021-01-12 11:38:01 -06:00
Rob Winch
61b75bb2d6 Fix CsrfWebFilter error message when expected CSRF not found
Closes gh-9337
2021-01-12 11:19:11 -06:00
Josh Cummings
1af21a9d02 Revert "Lock Dependencies for 5.4.2"
This reverts commit 046bc9789f.
2020-12-02 22:21:02 -07:00
Josh Cummings
046bc9789f Lock Dependencies for 5.4.2 2020-12-02 17:36:26 -07:00
Eleftheria Stein
1d96579265 Fix CookieRequestCache for URL encoded query parameters
Avoid populating the saved request parameters with encoded values. Since the query strings of the request and saved URL are compared and must be equal, we can just use the parameters from the incoming request.

Closes gh-9203
2020-11-26 18:35:59 +01:00
Josh Cummings
84737e7b23 Revert "Lock Dependencies for 5.4.1"
This reverts commit 48ac47418d.
2020-10-07 16:38:48 -06:00
Josh Cummings
48ac47418d Lock Dependencies for 5.4.1 2020-10-07 16:01:34 -06:00
Phillip Webb
c502312719 Replace expected @Test attributes with AssertJ
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb
20baa7d409 Replace ExpectedException @Rules with AssertJ
Replace JUnit ExpectedException @Rules with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb
910b81928f Replace try/catch with AssertJ
Replace manual try/catch/fail blocks with AssertJ calls.
2020-09-22 16:13:51 -06:00
Tomoki Tsubaki
65f788532e Fix broken Mono chain
This commit restore broken Mono chain in WebSessionServerCsrfTokenRepository.generateToken(ServerWebExchange).

Closes gh-9017
2020-09-16 09:53:23 -06:00
Tomoki Tsubaki
2c297fbd63 Create the CSRF token on the bounded elactic scheduler
The CSRF token is generated by UUID.randomUUID() which is I/O blocking operation.
This commit changes the subscriber thread to the bounded elactic scheduler.

Closes gh-9018
2020-09-16 08:48:00 -06:00
Joe Grandja
7b1f574769 Revert "Lock Dependency Versions for 5.4.0"
This reverts commit 3d0e459182.
2020-09-09 18:14:12 -04:00
Joe Grandja
3d0e459182 Lock Dependency Versions for 5.4.0 2020-09-09 13:45:03 -04:00
Eleftheria Stein-Kousathana
02d1516c56 Restructure BasicAuthenticationFilter Logs
Issue gh-6311
2020-09-02 07:42:03 -06:00
Josh Cummings
fa7baf551d Restructure Logs
Followed common use cases based off of HelloWorld sample:
  - Public endpoint
  - Unauthorized endpoint
  - Undefined endpoint
  - Successful form login
  - Failed form login
  - Post-login redirect

Issue gh-6311
2020-09-02 07:37:59 -06:00
Phillip Webb
319d3364aa Migrate to assertThatExceptionOfType
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
ef8f113619 Use assertThat instead of Java assert
Fix `DefaultSavedRequestMixinTests` so that `assertThat` is used rather
than Java's `assert` keyword.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
a5aa6b3d7f Remove blank lines from all tests
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
5bdd757108 Polish spring-security-web main code
Manually polish `spring-security-web` following the formatting
and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb
ee661f7b71 Fix whitespace issues in format-off code
Fix a few whitespace issues in format-off code that would
otherwise fail checkstyle.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb
834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00