mirror of synced 2026-05-22 21:33:16 +00:00
Commit Graph

3266 Commits

Author SHA1 Message Date
Joe Grandja 36450d6c26 Fix checkstyle error
Issue gh-18874
2026-03-11 12:25:13 -04:00
Josh Cummings a980368f26 Move Integration Test from Spring LDAP
Closes gh-18874

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-03-10 15:44:07 -06:00
Joe Grandja 703ffaf143 Merge branch '7.0.x' 2026-03-10 15:59:29 -04:00
Joe Grandja 1906075b0c OAuth2DeviceVerificationEndpointFilter is applied after AuthorizationFilter
Closes gh-18873
2026-03-10 15:32:24 -04:00
Andrey Litvitski d1ce69ca99 Specify charset in WWW-Authenticate for Basic Auth
In this commit, we add support for the charset from RFC-7617, which
definitely solves the problem when the client does not know what charset
we are parsing with.

Closes: gh-18755

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2026-03-10 07:57:43 -06:00
Joe Grandja c7235ec0a3 Allow custom token settings for OAuth 2.0 dynamic client registration
Closes gh-18870
2026-03-10 07:48:37 -04:00
Josh Cummings 17d2131fe9 Merge remote-tracking branch 'origin/7.0.x' 2026-03-09 17:13:45 -06:00
Ronny Perinke e8e0da1ec6 Add Null Guard for Setting ReactiveUserDetailsPasswordService
This use case specifically arises when using `ReactiveUserDetailsService`
without `ReactiveUserDetailsPasswordService`.

Closes gh-17986

Signed-off-by: Ronny Perinke <23166289+sephiroth-j@users.noreply.github.com>
2026-03-09 17:12:59 -06:00
wonderfulrosemari 07297e7a80 Add MessageExpressionAuthorizationManager
Closes gh-12650

Signed-off-by: wonderfulrosemari <whwlsgur1419@naver.com>
2026-03-03 18:56:47 -07:00
023-dev b9f974b18f Remove compiler warnings for spring-security-config
Signed-off-by: 023-dev <0_2_3@naver.com>
2026-02-27 21:53:55 -06:00
Josh Cummings eb25bbaa24 Merge branch '7.0.x' 2026-02-26 15:09:03 -07:00
Menashe Eliezer ee97c83042 Update request-matcher schema and XML tests to use path
Closes gh-18641

Signed-off-by: Menashe Eliezer <menashe.eliezer@gmail.com>
2026-02-26 14:42:09 -07:00
Rob Winch a4cadb5cc5 Merge Make PublicKeyCredentialCreationOptions Serializable
Make PublicKeyCredentialCreationOptions Serializable
2026-02-23 16:01:34 -06:00
Robert Winch 701736da5d Fix checkstyle
Issue gh-18354

Signed-off-by: Robert Winch <362503+rwinch@users.noreply.github.com>
2026-02-23 15:43:55 -06:00
Mohammad Amin Pahlevani 9e5a425859 Make PublicKeyCredentialCreationOptions Serializable
Closes gh-16431

Signed-off-by: Mohammad Amin Pahlevani <pahlevani@live.com>
2026-02-23 15:43:40 -06:00
Robert Winch 53300be8d7 Fix checkstyle
Issue gh-18530
2026-02-23 15:16:02 -06:00
CHANHAN d5ba9dcada Add tests for intercept-url access attribute validation
Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
2026-02-23 15:16:02 -06:00
CHANHAN fa87c78edb fix missing access attribute validation in FilterInvocationSecurityMetadataSourceParser
Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
2026-02-23 15:16:02 -06:00
CHANHAN f1e367f93d fix missing access attribute validation in AuthorizationFilterParser
Fixes gh-18503

Signed-off-by: CHANHAN <130114269+chanani@users.noreply.github.com>
2026-02-23 15:16:02 -06:00
Robert Winch f8ac095d48 Add nullability contract to PasswordEncoder#encode implementations
Signed-off-by: Stefano Cordio <stefano.cordio@gmail.com>AbstractValidatingPasswordEncoder.java
2026-02-19 14:36:48 -06:00
Minu Kim 18068c9099 fix compile warning in spring-security-test
Signed-off-by: Minu Kim <kmw106933@naver.com>
2026-02-19 14:26:20 -06:00
DingHao 199473fcb3 Ability to configure authenticationDetailsSource in AnonymousConfigurer
Closes gh-17831

Signed-off-by: DingHao <dh.hiekn@gmail.com>
2026-02-05 17:19:03 -07:00
Joe Grandja 0eba9de7d4 Merge branch '7.0.x' 2026-02-05 04:55:34 -05:00
Joe Grandja d3c42a7a4f Polish OAuth2ConfigurerUtils 2026-02-05 04:52:02 -05:00
Joe Grandja e61c03f7c3 Fix to allow multiple PasswordEncoder beans
Closes gh-18645
2026-02-05 04:51:51 -05:00
Josh Cummings 70fc8fef3a Add Sample SAML Response in Test
Issue gh-17823

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-03 08:54:14 -07:00
Josh Cummings c5632ccd83 Add security-nullability to ldap
Closes gh-17818

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-01-28 15:30:54 -07:00
Michael Lück 7513c859bd Fix javadoc warnings and apply plugin javadoc-warnings-error
Closes to gh-18448

Signed-off-by: Michael Lück <michael@lueckonline.net>
2026-01-23 14:13:54 -06:00
Robert Winch d7fbf3673a Fix consistency with Nullability Usage
Issue gh-18564
2026-01-23 10:42:53 -06:00
dev.paramjot af73f85f66 Fix formatting in HttpSecurity.java documentation
Signed-off-by: dev.paramjot <50148441+ParamjotSingh5@users.noreply.github.com>
2026-01-21 16:43:03 -06:00
Robert Winch 048b6bdd88 Update to JDK 25 (release = 17)
This commit updates the build to use JDK 25 while remaining compatible with JDK 17.

Note that we must update our JAAS related tests to use release=25 due to the disabling of
the Security Manager. See
https://docs.oracle.com/en/java/javase/25/security/security-manager-is-permanently-disabled.html

Closes gh-18512
2026-01-16 11:25:59 -06:00
Robert Winch 63c99b9438 Revert "Update to 7.1.0-SNAPSHOT"
This reverts commit b77ea8d3a3.
2026-01-12 14:31:57 -06:00
Pavel Vassiliev 641d8a362b Fix Gradle 9.0 deprecations
This commit addresses several build warnings and errors to prepare for
Gradle 9.0 and resolve static analysis issues.
Closes: gh-18472
Signed-off-by: Pavel Vassiliev <paulvas@gmail.com>

Signed-off-by: Pavel Vassiliev <paulvas@gmail.com>
2026-01-12 13:43:16 -06:00
Robert Winch b77ea8d3a3 Update to 7.1.0-SNAPSHOT 2026-01-12 13:37:32 -06:00
Tran Ngoc Nhan d20c88ecef Format code
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-01-08 13:35:43 -06:00
Tran Ngoc Nhan 79815e044e Fix typos
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-01-08 13:35:43 -06:00
Josh Cummings 0155d4a345 Restore Check for DispatcherServlet on Classpath
Closes gh-18315
2025-12-15 12:18:22 -07:00
dependabot[bot] e033086ab0 Bump org.springframework:spring-framework-bom from 7.0.1 to 7.0.2
Includes fixes for Breaking Changes in Spring Framework 7.0.2:

- spring-projects/spring-framework#35916
- spring-projects/spring-framework#35947

Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 7.0.1 to 7.0.2.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v7.0.1...v7.0.2)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 7.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-15 11:25:19 -06:00
Josh Cummings dbf93acb05 Check for spring-security-web on Classpath
This commit refines the check for adding AuthorizationWebProxyConfiguration
to the application context. The web-based authorization proxy support is intended
for applying Spring Security Method Security primitives to Spring Web components;
as such, this implies a dependency on Spring Security Web.

Closes gh-18307
2025-12-15 09:18:47 -07:00
Joe Grandja c53e66a217 OAuth2AuthorizationEndpointFilter is applied after AuthorizationFilter
Closes gh-18251
2025-12-02 08:49:49 -05:00
Daniel Garnier-Moiroux 7cb57ab940 Improve webauthn webdriver tests
Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
2025-11-14 15:21:20 -06:00
Rob Winch 6471a32d66 Merge branch '6.5.x'
Closes gh-18132
2025-11-04 11:37:11 -06:00
Rob Winch c1e9e10bf0 Merge branch '6.4.x' into 6.5.x
Closes gh-18131
2025-11-04 11:28:40 -06:00
Daniel Garnier-Moiroux fed6df5167 Default WebAuthnConfigurer#rpName to rpId
In WebAuthn L3 spec, PublicKeyCredentialEntity.name is deprecated:

> This member is deprecated because many clients do not display it,
> but it remains a required dictionary member for backwards compatibility.
> Relying Parties MAY, as a safe default, set this equal to the RP ID.

Source: https://www.w3.org/TR/webauthn-3/#dictdef-publickeycredentialentity

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
2025-11-04 11:16:22 -06:00
Rob Winch 0928a60cd2 Post Process WebAuthnAuthenticationFilter
This commit ensures that WebAuthnAuthenticationFilter is
post processed by BeanPostProcessors and
ObjectPostProcessor.

Closes gh-18128
2025-11-04 10:54:45 -06:00
Rob Winch 884cf0d62e EnableGlobalMultiFactorAuthentication->EnableMultiFactorAuthentication
Closes gh-18127
2025-11-03 22:42:28 -06:00
Rob Winch aaf738f7ac MFA is now Opt In
This commit ensures that MFA is only performed when users opt in. By
doing so, we allow users to decide if they will opt into the semantics
of merging two Authentication instances.

Closes gh-18126
2025-11-03 22:42:27 -06:00
Simon Von 0927bed66a 📔 Documentation
1. Correct the org.springframework.security.config.annotation.web.LogoutDsl's property description

Signed-off-by: Simon Von <g1672943850@gmail.com>
2025-10-20 15:17:32 -06:00
Josh Cummings 9c7b34a48b Favor Relative Redirects by Default
Closes gh-16300
2025-10-20 10:25:17 -06:00
Joe Grandja fc8b6b5863 Return PAR endpoint metadata only when enabled
Issue https://github.com/spring-projects/spring-authorization-server/issues/2219
2025-10-20 06:06:24 -04:00