Commit Graph

1605 Commits

Author SHA1 Message Date
Marcus Da Coregio
7983c695e2 Fix mvcMatchers overriding previous paths
Closes gh-10956
2022-05-12 10:22:54 -03:00
Marcus Da Coregio
15b3744dcf Fix setServletContext not being called for AuthorizationManagerWebInvocationPrivilegeEvaluator
Issue gh-10908
2022-05-12 10:12:31 -03:00
Josh Cummings
040a28a8c9 Replace Apache Commons Base64 Decoding
Issue gh-10923
2022-03-02 17:00:23 -07:00
Josh Cummings
a09f6e15ad Polish ignoring() log messaging
- Public API remains unchanged

Issue gh-9334
2022-02-07 15:22:49 -07:00
Manuel Jordan
7e0302be5c Print ignore message DefaultSecurityFilterChain
When either `web.ignoring().mvcMatchers(...)` or
`web.ignoring().antMatchers(...)` methods are used, for all their
variations, the DefaultSecurityFilterChain class now indicates
correctly through its ouput what paths are ignored according the
`ignoring()` settings.

Closes gh-9334
2022-02-07 15:22:49 -07:00
Marcus Da Coregio
a763382c3e Make source code compatible with JDK 8
Closes gh-10695
2022-01-12 17:26:25 -03:00
Marcus Da Coregio
ba810e468f Configure WebInvocationPrivilegeEvaluator bean for multiple filter chains
Closes gh-10554
2022-01-05 14:01:57 -03:00
Rob Winch
e4a76b0ec9 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-22 10:19:34 -05:00
Josh Cummings
97dfabe92e Polish SecurityNamespaceHandler Tests
Issue gh-8974
2021-10-13 11:37:06 -06:00
Emil Sierżęga
944463e19a SecurityNamespaceHandler: update schema version to 5.5
Closes gh-8974
2021-10-13 11:35:25 -06:00
Marcus Da Coregio
816e847af2 Allow SAML 2.0 loginProcessingURL without registrationId
Closes gh-10176
2021-10-05 12:54:39 -03:00
Derek Van Blerkom
c55f1f8bea Fix return type to allow further security config
Issue gh-10245
2021-09-13 15:41:04 -03:00
Abdul Al-Faraj
ba16d91971 Improve OpenSAML Version Check
Closes gh-10077
2021-07-26 10:51:31 -06:00
/usr/local/ΕΨΗΕΛΩΝ
61284ce22d Improve AuthenticationManagerBeanDefinitionParser XML parsing
Closes gh-7282
2021-06-28 11:55:05 +02:00
Eleftheria Stein
fdd017d935 Apply DefaultLoginPageConfigurer before logout
If they are not applied in this order, then the LogoutConfigurer cannot
set the logoutSuccessUrl, because the DefaultLoginPageGeneratingFilter
does not exist yet.
This impacts users that inject the default HttpSecurity bean.

Closes gh-9973
2021-06-24 10:28:19 +02:00
Eleftheria Stein
cb4bb463da Disable default logout page when logout disabled
Closes gh-9475
2021-06-17 17:09:34 +02:00
Marcus Hert da Coregio
53870ab3de Fix Adding Filter Relative to Custom Filter
Closes gh-9787
2021-06-14 15:51:27 -03:00
Joe Grandja
e51ca79954 Document Jwt Client Authentication support
Closes gh-9578
2021-05-14 22:58:44 -04:00
Joe Grandja
f874a12ddb Document jwt-bearer authorization grant
Closes gh-9580
2021-05-14 14:48:37 -04:00
Josh Cummings
ca2bc4feb3 Bump Schema Version
Closes gh-9694
2021-04-29 16:52:29 -06:00
Josh Cummings
4d564ffb50 Update AuthorizationManager references
Issue gh-9692
2021-04-28 11:58:30 -06:00
Josh Cummings
17cfc6ade3 Inline ResourceKeyConverterAdapter
Closes gh-9689
Closes gh-9626
2021-04-28 09:39:12 -06:00
Eleftheria Stein
de0cd11a72 Fix PreAuthorize when returning Kotlin Flow
Closes gh-9676
2021-04-28 12:33:18 +02:00
Joe Grandja
53e94bca45 Add oauth2Login() tests
Issue gh-9548 gh-9660 gh-9266
2021-04-20 08:37:19 -04:00
Joe Grandja
5afeaa3ce7 WebFlux httpBasic() matches on XHR requests
Closes gh-9660
2021-04-20 08:36:42 -04:00
Rob Winch
a31a855146 Fix HttpSecurity.addFilter* Ordering
Closes gh-9633
2021-04-14 17:47:31 -05:00
Denis Washington
2b4b856b32 Limit oauth2Login() links to redirect-based flows
This prevents the generated login page from showing links for
authorization grant types like "client_credentials" which are
not redirect-based, and thus not meant for interactive use in
the browser.

Closes gh-9457
2021-04-14 05:02:30 -04:00
Josh Cummings
163b5943ca Revert AuthorizationManager Method Security 2021-04-12 15:53:22 -06:00
Josh Cummings
404a6c5674 Revert "Publish CsrfTokenRepository as shared object"
This reverts commit d19ff12813.
2021-04-12 14:43:37 -06:00
Josh Cummings
4e81bbe386 Revert "Add Saml2LogoutConfigurer"
This reverts commit 6f52baba29.
2021-04-12 14:43:19 -06:00
Josh Cummings
6f52baba29 Add Saml2LogoutConfigurer
Closes gh-9497
2021-04-10 00:25:34 -06:00
Josh Cummings
d19ff12813 Publish CsrfTokenRepository as shared object
Closes gh-9595
2021-04-10 00:25:34 -06:00
Josh Cummings
df8abcfae7 Use Interceptors instead of Advice
- Interceptor is a more descriptive term for what
method security is doing
- This also allows the code to follow a delegate
pattern that unifies both before-method and after-
method authorization

Issue gh-9289
2021-04-09 18:45:31 -06:00
Josh Cummings
6828987b4b Add AfterMethodAuthorizationManager
- Removes the need to keep MethodAuthorizationContext#returnObject
in sync with other method parameters
- Restores MethodAuthorizationContext's immutability

Closes gh-9591
2021-04-09 18:43:56 -06:00
Josh Cummings
2b494ebc5f Polish AOP Structure
- Changed from MethodMatcher to Pointcut since authorization
annotations also can be attached to classes
- Adjusted advice to extend Before or AfterAdvice
- Adjusted advice to extend PointcutAdvisor so
that it can share its Pointcut
- Adjusted advice to extend AopInfrastructureBean to
align with old advice classes

Issue gh-9289
2021-04-09 17:46:33 -06:00
Josh Cummings
62d77ec97e Add GrantedAuthorityDefaults to Expression Handler
Issue gh-9289
2021-04-09 17:46:33 -06:00
Josh Cummings
68cf74468c Add check for custom advice
- Because publishing an advice bean replaces Spring Security
defaults, the code should error if both a custom bean and
either secureEnabled or prePostEnabled are specified

Issue gh-9289
2021-04-09 17:46:33 -06:00
Josh Cummings
45376b359b Adjust Packaging
Issue gh-9289
2021-04-09 17:46:32 -06:00
Evgeniy Cheban
20778f727b Consider AuthorizationManager for Method Security
Closes gh-9289
2021-04-09 17:46:32 -06:00
Josh Cummings
7ded671858 Refactor AuthenticationDetailsSource support
- BearerTokenAuthenticationFilter exposes this directly, simplifying
configuration and removing a package tangle

Closes gh-9576
2021-04-09 12:41:16 -06:00
Eleftheria Stein
e03fe7f089 Add coroutine support to pre/post authorize
Closes gh-8143
2021-04-09 19:33:06 +02:00
Eleftheria Stein
0f3df3e714 Consider Order on SecurityFilterChain bean definitions
Closes gh-9154
2021-03-24 11:02:29 +02:00
Eleftheria Stein
f5fe64cd5b Fix typo 2021-03-24 11:00:37 +02:00
Josh Cummings
d0d0a8d958 Add OpenSAML 4 Support
Closes gh-9095
2021-03-23 19:07:23 -06:00
Josh Cummings
b774e91734 Polish BearerTokenAuthenticationConverter
Issue gh-8840
2021-03-12 15:05:06 -07:00
Jeongjin Kim
31f310fd22 Add BearerTokenAuthenticationConverter
BearerTokenAuthenticationConverter is introduced to solve the
problem of not being able to change AuthenticationDetailsSource.
BearerTokenAuthenticationFilter delegates to
BearerTokenAuthenticationConverter the task of creating
BearerTokenAuthenticationToken and setting AuthenticationDetailsSource.
BearerTokenAuthenticationConverter is customizable and the customized
converter can be used in BearerTokenAuthenticationFilter.

Closes gh-8840
2021-03-12 15:05:06 -07:00
Eleftheria Stein
92b3a7b01b Clarify in .csrf() enables CSRF protection
Closes gh-9489
2021-03-05 16:11:12 +01:00
wonwoo
cf2bb62442 Fix typo in doc 2021-03-05 14:09:30 +01:00
Han YanJing
f3fa8e8800 Polish
Issue gh-9310
2021-03-02 12:04:22 -07:00
Han YanJing
6e41246a2b Throw Saml2AuthenticationException
Closes gh-9310
2021-03-02 12:04:22 -07:00