Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
20,747 Commits 54 Branches 379 Tags
2ada3f00fa8c5927b8dc750efc6966f23607137d
Commit Graph

20747 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Joe Grandja 2ada3f00fa Polish gh-18888 2026-04-02 06:29:02 -04:00
Evgeniy Cheban 8f2a5a7b6e Add PrincipalResolver to ExchangeFilterFunctions 
Closes gh-16284

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
 2026-04-02 06:28:42 -04:00
Joe Grandja aa35db5aad Fix merge conflict 2026-04-02 05:45:17 -04:00
Josh Cummings 5b8d81828a Add serialVersionUID 
This commit gives a serialVersionUID to the private adapter class for the Jwt
authentication principal. It also adds a SuppressWarnings annotation so that
it doesn't get picked up by config's serialization tests. This is needed since
the test cannot construct a serialization sample for a private class

Issue gh-6237

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-31 16:19:41 -06:00
Josh Cummings 16b5df40de Exclude Anonymous Classes in Serializable Scan 
Issue gh-17729

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-31 16:17:12 -06:00
Josh Cummings 8472599067 Add Missing 7.1 Serialization Artifacts 
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-31 16:16:27 -06:00
Josh Cummings cb129d6b2d Merge branch '7.0.x' 2026-03-31 15:56:49 -06:00
Josh Cummings d4678c8e04 Add Missing Serialization Support 
Closes gh-19013

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-31 15:55:09 -06:00
Josh Cummings 43b132bec6 Merge branch '6.5.x' into 7.0.x 2026-03-31 15:27:58 -06:00
Josh Cummings 08fca57d12 Add Missing Serialization Support 
Closed gh-19012

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-31 13:58:35 -06:00
Josh Cummings acabacb971 Update Test to find SuppressWarnings 
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-31 13:47:52 -06:00
johnycho 1a130fca3c Improve serialVersionUID check in tests 
Signed-off-by: johnycho <shunnn215@gmail.com>
 2026-03-31 13:47:50 -06:00
Rob Winch 5fe29f9cd0 Add AllRequiredFactorsAuthorizationManager.anyOf 2026-03-31 15:17:08 -04:00
Robert Winch ff820a868e Polish AllRequiredFactorsAuthorizationManager.anyOf 
- Add validation
- Extract to static inner class
- Uniqueness determined by Set rather than requiredFactor
  This is important for the failure with the same RequiredFactor, but a
  different reason
- Add documentation

Signed-off-by: Robert Winch <362503+rwinch@users.noreply.github.com>
 2026-03-31 14:03:29 -05:00
Evgeniy Cheban 6b09352a93 Add AllRequiredFactorsAuthorizationManager.anyOf 
Closes gh-18960

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
 2026-03-31 13:25:02 -05:00
Josh Cummings 067f79dde5 Merge branch 'fix-17729' into 7.0.x 2026-03-30 17:19:31 -06:00
Josh Cummings 45758a5cec Merge branch '6.5.x' into 7.0.x 2026-03-30 17:14:28 -06:00
Josh Cummings 52d98ab7af Add Needed SuppressWarnings Annotations 
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-30 17:14:17 -06:00
Josh Cummings 0b680be97b Update Test to find SuppressWarnings 
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-30 17:14:03 -06:00
johnycho 7c28b15471 Improve serialVersionUID check in tests 
Signed-off-by: johnycho <shunnn215@gmail.com>
 2026-03-30 14:26:12 -06:00
Joe Grandja 12997b6ab6 Polish oauth2-client tests with missing Content-Type header 2026-03-30 13:40:32 -04:00
Rob Winch abf3c866fb Merge pull request #19005 from rwinch/7.0.x-CredentialRecordOwnerAuthorizationManager 
Merge Add CredentialRecordOwnerAuthorizationManager
 2026-03-29 23:46:35 -04:00
Rob Winch 5a4ada04ac Merge pull request #19004 from rwinch/CredentialRecordOwnerAuthorizationManager 
Add CredentialRecordOwnerAuthorizationManager
 2026-03-29 23:46:03 -04:00
Rob Winch 8c4cfe83f8 Merge pull request #19006 from rwinch/main-CredentialRecordOwnerAuthorizationManager 
Merge Add CredentialRecordOwnerAuthorizationManager
 2026-03-29 23:45:21 -04:00
Robert Winch 9d047b6edc Merge CredentialRecordOwnerAuthorizationManager 2026-03-29 22:24:52 -05:00
Robert Winch c08329c0c5 Merge CredentialRecordOwnerAuthorizationManager 2026-03-29 22:24:21 -05:00
dependabot[bot] 875b076c39 Bump tools.jackson:jackson-bom from 3.1.0 to 3.1.1 
Bumps [tools.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 3.1.0 to 3.1.1.
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-3.1.0...jackson-bom-3.1.1)

---
updated-dependencies:
- dependency-name: tools.jackson:jackson-bom
  dependency-version: 3.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-30 03:19:13 +00:00
dependabot[bot] c2441e5a58 Bump com.nimbusds:oauth2-oidc-sdk from 11.35 to 11.37 
Bumps [com.nimbusds:oauth2-oidc-sdk](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions) from 11.35 to 11.37.
- [Changelog](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/master/CHANGELOG.txt)
- [Commits](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/branches/compare/11.37..11.35)

---
updated-dependencies:
- dependency-name: com.nimbusds:oauth2-oidc-sdk
  dependency-version: '11.37'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-30 03:18:42 +00:00
Robert Winch a856baa6a8 Add CredentialRecordOwnerAuthorizationManager 
Add CredentialRecordOwnerAuthorizationManager that verifies the
credential being deleted is owned by the currently authenticated user.
Also add an AuthorizationManager<Bytes> to WebAuthnRegistrationFilter
for the delete credential operation, defaulting to deny all, and wire it
up in WebAuthnConfigurer.

Per the WebAuthn specification [1], credential ids contain at least 16
bytes with at least 100 bits of entropy, making them practically
unguessable. The specification also advises that credential ids should
be kept private, as exposing them can leak personally identifying
information [2]. The CredentialRecordOwnerAuthorizationManager serves as
defense in depth: even if a credential id were somehow exposed, an
unauthorized user could not delete another user's credential.

[1] https://www.w3.org/TR/webauthn-3/#credential-id
[2] https://www.w3.org/TR/webauthn-3/#sctn-credential-id-privacy-leak
 2026-03-29 21:54:27 -05:00
Josh Cummings 036326d70b Merge branch '7.0.x' 2026-03-27 16:49:33 -06:00
Josh Cummings 611786e4b5 Merge branch '6.5.x' into 7.0.x 2026-03-27 16:49:26 -06:00
Josh Cummings ac63cf4fa5 Polish CustomAuthorizationManager Docs 
Issue gh-13967

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-27 16:45:25 -06:00
as1605 f6bb55effb Fix documentation for Custom Authorization Manager 
Closes gh-13967

Signed-off-by: as1605 <1605.aditya.singh@gmail.com>
 2026-03-27 16:45:25 -06:00
Josh Cummings c489136515 Merge branch '7.0.x' 2026-03-27 16:40:04 -06:00
Josh Cummings 6020ab8e65 Polish CustomAuthorizationManager Docs 
Issue gh-13967

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
 2026-03-27 16:36:00 -06:00
as1605 3076367168 Fix documentation for Custom Authorization Manager 
Closes gh-13967

Signed-off-by: as1605 <1605.aditya.singh@gmail.com>
 2026-03-27 16:36:00 -06:00
Josh Cummings 2c32a9a969 Merge branch '7.0.x' 2026-03-27 16:10:36 -06:00
Josh Cummings 721b22d87a Merge remote-tracking branch 'origin/6.5.x' into 7.0.x 2026-03-27 16:10:18 -06:00
Tran Ngoc Nhan 85b756cb74 Update FilterChainProxy#getFilters(String) javadoc 
Closes gh-18157

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
 2026-03-27 16:09:50 -06:00
Andrey Litvitski b92c072501 add tests 
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
 2026-03-27 15:26:57 -06:00
Andrey Litvitski 6335caabae polish 
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
 2026-03-27 15:26:57 -06:00
Andrey Litvitski c3e0b98b7e Use idiomatic Kotlin in custom filter documentation 
This will make Kotlin and all users more native and readable.

Closes: gh-18967

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
 2026-03-27 15:26:57 -06:00
Ziqin Wang acbf64a47d Improve And/Or-RequestMatcher/ServerWebExchangeMatcher API 
Currently, the List-receiving constructors of AndRequestMatcher,
OrRequestMatcher, AndServerWebExchangeMatcher, and OrServerWebExchangeMatcher
don't support covariance, which adds obstacles to users of these
APIs.  For example, one cannot pass a List<PathPatternRequestMatcher>
to OrRequestMatcher(List<RequestMatcher>).

This commit resolves the aforementioned problem.  It should not
break existing code.

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
 2026-03-27 15:24:55 -06:00
Joe Kuhel 46e27aa693 Remove compiler warnings in spring-security-web 
- fix compiler warnings in ServerOneTimeTokenAuthenticationConverter
- Replace deprecated API calls to create a OneTimeTokenAuthenticationToken.unauthenticated with OneTimeTokenAuthenticationToken(String token) call
- Update HttpMessageConverterAuthenticationSuccessHandler to replace deprecated MappingJackson2HttpMessageConverter with JacksonJsonHttpMessageConverter
- Replace updated OneTimeTokenAuthenticationConverter to use non-deprecated OneTimeTokenAuthenticationToken constructor
- update tests to remove use of deprecated methods
- refactor JdbcTokenRepositoryImpl to remove extension of deprecated JdbcDaoSupport class
- enable compile-warnings-error plugin

Closes gh-18441

Signed-off-by: Joe Kuhel <4983938+jkuhel@users.noreply.github.com>
 2026-03-27 15:14:55 -06:00
dependabot[bot] 441e0fc976 Bump org.apereo.cas.client:cas-client-core from 4.0.4 to 4.1.0 
Bumps [org.apereo.cas.client:cas-client-core](https://github.com/apereo/java-cas-client) from 4.0.4 to 4.1.0.
- [Release notes](https://github.com/apereo/java-cas-client/releases)
- [Commits](https://github.com/apereo/java-cas-client/compare/cas-client-4.0.4...cas-client-4.1.0)

---
updated-dependencies:
- dependency-name: org.apereo.cas.client:cas-client-core
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-27 19:45:26 +00:00
Josh Cummings 41efee0d35 Merge branch '7.0.x' 2026-03-27 13:27:15 -06:00
Josh Cummings 0ce76d2c5d Merge branch '6.5.x' into 7.0.x 2026-03-27 13:27:03 -06:00
dependabot[bot] 66cf02c6b0 Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6 
Bumps [spring-io/spring-gradle-build-action](https://github.com/spring-io/spring-gradle-build-action) from 2.0.5 to 2.0.6.
- [Release notes](https://github.com/spring-io/spring-gradle-build-action/releases)
- [Commits](https://github.com/spring-io/spring-gradle-build-action/compare/efc55f07f4dfa22f2afd97f9ea1be4212eeed737...c8668747d7c264864c8c7f7026d0d277d14a78dc)

---
updated-dependencies:
- dependency-name: spring-io/spring-gradle-build-action
  dependency-version: 2.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-27 13:26:10 -06:00
dependabot[bot] 7441ce7f16 Bump spring-io/spring-security-release-tools/.github/workflows/perform-release.yml 
Bumps [spring-io/spring-security-release-tools/.github/workflows/perform-release.yml](https://github.com/spring-io/spring-security-release-tools) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095)

---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml
  dependency-version: 1.0.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-27 13:25:46 -06:00
dependabot[bot] 9dbcd8cf00 Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml 
Bumps [spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml](https://github.com/spring-io/spring-security-release-tools) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095)

---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml
  dependency-version: 1.0.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2026-03-27 13:25:35 -06:00