5c6696ceab
Merge branch '7.0.x'
2026-04-18 04:34:41 -04:00
19b3cae62e
Add authentication validator for dynamic client registration
...
Signed-off-by: Kelvin Mbogo <addcontent08@gmail.com >
2026-04-17 17:22:40 -04:00
46df1e1772
Merge branch '7.0.x' into 7.1.x
2026-04-15 17:12:15 -06:00
53bcf0d16b
Fix Servlet Path Application
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-04-15 17:12:08 -06:00
a3cfa8e13e
Merge branch '7.0.x' into 7.1.x
2026-04-15 16:55:42 -06:00
438c783c7d
securityMatchers uses PathPatternRequestMatcher.Builder Bean
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-04-15 16:54:51 -06:00
f8359ef619
Polish gh-17202
2026-04-10 07:40:34 -04:00
fc6a4c8220
Add Support DPoP Customization
...
Closes gh-16940
Signed-off-by: Max Batischev <mblancer@mail.ru >
2026-04-10 07:09:24 -04:00
036ccff1f5
Move Focus to OTT Button When Username is Read-Only
...
Closes gh-18817
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-04-07 18:32:15 -06:00
245733a631
fix: restore native form submission for OTT login
...
Signed-off-by: Anantha Krishnan <ananthakrishnanj2001@gmail.com >
2026-04-07 18:32:15 -06:00
0c6b73d123
WebAuthn Publishes Authentication Events
...
Closes gh-18113
Signed-off-by: suuuuuuminnnnnn <sumin45402214@gmail.com >
2026-04-07 16:21:15 -06:00
3008848158
Merge branch '7.0.x'
2026-04-07 15:47:01 -04:00
41524880c6
Fix auth_time claim should represent authentication time
...
Closes gh-18282
2026-04-07 15:44:57 -04:00
9527a4b281
Merge branch '7.0.x'
2026-04-02 10:58:06 -04:00
64d8e6cc9b
Merge Add XML Based shouldWriteHeadersEagerly tests
2026-04-01 11:41:58 -05:00
679a47a51d
Add XML Based shouldWriteHeadersEagerly tests
2026-04-01 11:37:39 -05:00
16b5df40de
Exclude Anonymous Classes in Serializable Scan
...
Issue gh-17729
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-31 16:17:12 -06:00
8472599067
Add Missing 7.1 Serialization Artifacts
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-31 16:16:27 -06:00
cb129d6b2d
Merge branch '7.0.x'
2026-03-31 15:56:49 -06:00
d4678c8e04
Add Missing Serialization Support
...
Closes gh-19013
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-31 15:55:09 -06:00
43b132bec6
Merge branch '6.5.x' into 7.0.x
2026-03-31 15:27:58 -06:00
08fca57d12
Add Missing Serialization Support
...
Closed gh-19012
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-31 13:58:35 -06:00
acabacb971
Update Test to find SuppressWarnings
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-31 13:47:52 -06:00
1a130fca3c
Improve serialVersionUID check in tests
...
Signed-off-by: johnycho <shunnn215@gmail.com >
2026-03-31 13:47:50 -06:00
067f79dde5
Merge branch 'fix-17729' into 7.0.x
2026-03-30 17:19:31 -06:00
0b680be97b
Update Test to find SuppressWarnings
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-30 17:14:03 -06:00
7c28b15471
Improve serialVersionUID check in tests
...
Signed-off-by: johnycho <shunnn215@gmail.com >
2026-03-30 14:26:12 -06:00
9d047b6edc
Merge CredentialRecordOwnerAuthorizationManager
2026-03-29 22:24:52 -05:00
c08329c0c5
Merge CredentialRecordOwnerAuthorizationManager
2026-03-29 22:24:21 -05:00
a856baa6a8
Add CredentialRecordOwnerAuthorizationManager
...
Add CredentialRecordOwnerAuthorizationManager that verifies the
credential being deleted is owned by the currently authenticated user.
Also add an AuthorizationManager<Bytes> to WebAuthnRegistrationFilter
for the delete credential operation, defaulting to deny all, and wire it
up in WebAuthnConfigurer.
Per the WebAuthn specification [1], credential ids contain at least 16
bytes with at least 100 bits of entropy, making them practically
unguessable. The specification also advises that credential ids should
be kept private, as exposing them can leak personally identifying
information [2]. The CredentialRecordOwnerAuthorizationManager serves as
defense in depth: even if a credential id were somehow exposed, an
unauthorized user could not delete another user's credential.
[1] https://www.w3.org/TR/webauthn-3/#credential-id
[2] https://www.w3.org/TR/webauthn-3/#sctn-credential-id-privacy-leak
2026-03-29 21:54:27 -05:00
4199240662
Add Support for PreFlightRequestFilter
...
Closes gh-18926
2026-03-25 16:04:42 -04:00
2fda37de53
Fix equals nullability annotations for jspecify compliance
...
In this commit, we added `@Nullable` to equals methods of classes that
support `jspecify` for consistency with other Spring projects and to
avoid bugs that caused other Spring projects to do this natively.
Closes: gh-18929, gh-18927
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com >
2026-03-23 09:25:57 -06:00
baad23caab
Enable null-safety in spring-security-oauth2-client
...
Closes gh-17819
2026-03-18 05:04:30 -04:00
ea2f2302da
Add MultiFactorCondition.WEBAUTHN_REGISTERED
...
Closes gh-18923
2026-03-17 17:20:58 -05:00
bd7171140e
Support Customizer<AdditionalRequiredFactorsBuilder<Object>>>
...
Closes gh-18922
2026-03-17 17:20:58 -05:00
c71b178f63
Remove Unnecessary ObjectProvider<RoleHierarchy> roleHierarchy parameter
...
Closes gh-18921
2026-03-17 17:20:58 -05:00
22a98583f1
Enable null-safety in spring-security-oauth2-jose
...
Closes gh-17821
2026-03-13 11:58:29 -04:00
5687867a09
Fix Checkstyle
...
Issue gh-18874
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-11 14:46:24 -06:00
36450d6c26
Fix checkstyle error
...
Issue gh-18874
2026-03-11 12:25:13 -04:00
a980368f26
Move Integration Test from Spring LDAP
...
Closes gh-18874
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-10 15:44:07 -06:00
703ffaf143
Merge branch '7.0.x'
2026-03-10 15:59:29 -04:00
1906075b0c
OAuth2DeviceVerificationEndpointFilter is applied after AuthorizationFilter
...
Closes gh-18873
2026-03-10 15:32:24 -04:00
d1ce69ca99
Specify charset in WWW-Authenticate for Basic Auth
...
In this commit, we add support for the charset from RFC-7617, which
definitely solves the problem when the client does not know what charset
we are parsing with.
Closes: gh-18755
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com >
2026-03-10 07:57:43 -06:00
c7235ec0a3
Allow custom token settings for OAuth 2.0 dynamic client registration
...
Closes gh-18870
2026-03-10 07:48:37 -04:00
17d2131fe9
Merge remote-tracking branch 'origin/7.0.x'
2026-03-09 17:13:45 -06:00
e8e0da1ec6
Add Null Guard for Setting ReactiveUserDetailsPasswordService
...
This use case specifically arises when using `ReactiveUserDetailsService`
without `ReactiveUserDetailsPasswordService`.
Closes gh-17986
Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com >
2026-03-09 17:12:59 -06:00
07297e7a80
Add MessageExpressionAuthorizationManager
...
Closes gh-12650
Signed-off-by: wonderfulrosemari <whwlsgur1419@naver.com >
2026-03-03 18:56:47 -07:00
b9f974b18f
Remove compiler warnings for spring-security-config
...
Signed-off-by: 023-dev <0_2_3@naver.com >
2026-02-27 21:53:55 -06:00
eb25bbaa24
Merge branch '7.0.x'
2026-02-26 15:09:03 -07:00
ee97c83042
Update request-matcher schema and XML tests to use path
...
Closes gh-18641
Signed-off-by: Menashe Eliezer <menashe.eliezer@gmail.com >
2026-02-26 14:42:09 -07:00
Joe Grandja