Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
19,626 Commits 54 Branches 379 Tags
488e55032ebd8fe7f1031aa92ab2926a5f8fb81a
Commit Graph

19626 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rob Winch 488e55032e AllFactorsAuthorizationManager->AllRequiredFactorsAuthorizationManager 
This allows the authorization logic to be relaxed so that if RequiredFactor
only has an authority specified, then the GrantedAuthority can be of any
type.

Closes gh-18031
 2025-10-10 16:24:47 -05:00
Rob Winch d18431a78d Move FACTOR_ constants to FactorGrantedAuthority 
Previously GrantedAuthorities had an implicit package tangle because it
was located in ~.core and FactorGrantedAuthority is in ~.core.authority
and FactorGrantedAuthority's authority property was implicitly expected
to be constants found in `GrantedAuthorities`.

This commit moves the constants to the FactorGrantedAuthority which
resolves this tangle. It wasn't initially done because
FactorGrantedAuthority did not exist at that time.

Closes gh-18030
 2025-10-10 16:24:46 -05:00
Rob Winch e290c98e97 Document Multi-Factor Simple to Complex 
This reworks the Multi-Factor documentation to start with the
simplest scenario and work to progressively more complex requirements.

Closes gh-18029
 2025-10-10 16:23:38 -05:00
Rob Winch 473baad6bd Add RequiredAuthoritiesRepository 
Closes gh-18028
 2025-10-10 15:42:17 -05:00
Joe Grandja 586081c125 Revert "Temporarily fix integration tests" 
This reverts commit 35f41f87d1.

Issue gh-17880
 2025-10-10 13:33:42 -04:00
Rob Winch 864a9b2fb3 Fix ProviderManager.copyDetails Changes Authentication Type 
Closes gh-18027
 2025-10-10 11:03:49 -05:00
Joe Grandja 1213dbe76f Fix checkstyle 2025-10-09 13:51:50 -04:00
Joe Grandja 3656e7ad8c Add tests to OAuth2AuthorizationServerJackson2ModuleTests 2025-10-09 13:23:38 -04:00
Joe Grandja 1cca9c5822 Enable PKCE by default in authorization server 
Closes gh-18020
 2025-10-09 09:51:17 -04:00
Joe Grandja 469ed09645 Allow setting Clock in OAuth2TokenGenerator implementations 
Closes gh-18017
 2025-10-07 16:34:43 -04:00
Joe Grandja 1d7f4c3b11 Polish javadoc for ClientSettings.requireAuthorizationConsent 
Issue gh-18016
 2025-10-07 11:29:10 -04:00
Joe Grandja baa3b287d6 Add Predicate for authorizationConsentRequired for device code grant 
Introduces customizable Predicate to determine if user consent is
required in device authorization flows. Previously, device consent
handling used fixed logic. Now applications can define custom logic
for skipping or displaying consent pages.

Adds OAuth2DeviceVerificationAuthenticationContext and updates
OAuth2DeviceVerificationAuthenticationProvider with
setAuthorizationConsentRequired method.

Fixes gh-18016

Signed-off-by: Dinesh Gupta <dineshgupta630@outlook.com>
 2025-10-07 11:13:30 -04:00
dependabot[bot] d5c5bb234c Bump antora from 3.2.0-alpha.9 to 3.2.0-alpha.10 in /docs 
Bumps [antora](https://gitlab.com/antora/antora) from 3.2.0-alpha.9 to 3.2.0-alpha.10.
- [Changelog](https://gitlab.com/antora/antora/blob/main/CHANGELOG.adoc)
- [Commits](https://gitlab.com/antora/antora/compare/v3.2.0-alpha.9...v3.2.0-alpha.10)

---
updated-dependencies:
- dependency-name: antora
  dependency-version: 3.2.0-alpha.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 14:01:08 -05:00
Rob Winch 83da86a358 DefaultLoginPageGeneratingFilter uses List 
This fixes an ordering problem with query parameters of the tests.

Issue gh-18002
 2025-10-06 09:34:06 -05:00
dependabot[bot] 71e6d81910 Bump com.webauthn4j:webauthn4j-core 
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.6.RELEASE to 0.29.7.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.6.RELEASE...0.29.7.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.7.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 09:29:57 -05:00
dependabot[bot] 16475d3453 Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.18 to 1.5.19.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.18...v_1.5.19)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 09:15:25 -05:00
Rob Winch 3f84e96711 Bump io.mockk:mockk from 1.14.5 to 1.14.6 2025-10-06 09:13:16 -05:00
Rob Winch 1c870f25e9 Bump io.spring.nullability:io.spring.nullability.gradle.plugin from 0.0.4 to 0.0.5 2025-10-06 09:13:12 -05:00
Rob Winch 79e2d4b688 Merge branch '6.5.x' 2025-10-06 09:12:06 -05:00
Rob Winch 9f8ebdcf4d Merge branch '6.4.x' into 6.5.x 2025-10-06 09:11:56 -05:00
Rob Winch 8ce38af608 Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 2025-10-06 09:11:20 -05:00
Rob Winch 607b1dfffe Bump io.mockk:mockk from 1.14.5 to 1.14.6 2025-10-06 09:11:17 -05:00
Rob Winch 904f5157fa Bump com.webauthn4j:webauthn4j-core from 0.29.6.RELEASE to 0.29.7.RELEASE 2025-10-06 09:11:15 -05:00
Rob Winch f57c9ffcbb Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 2025-10-06 09:10:34 -05:00
dependabot[bot] b7f40a4e08 Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final 
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.29.Final to 6.6.31.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.31/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.29...6.6.31)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.31.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 03:21:28 +00:00
dependabot[bot] dd7f809564 Bump org.hibernate.orm:hibernate-core from 6.6.29.Final to 6.6.31.Final 
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.29.Final to 6.6.31.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.31/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.29...6.6.31)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.31.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-06 03:13:36 +00:00
Joe Grandja 51fe7ff737 Return device_code grant metadata when enabled 
Issue gh-17998
 2025-10-04 05:38:11 -04:00
Rob Winch 9595d37c14 Integration Test for DefaultLoginPageGeneratingFilterTests 
Add a minimal test to ensure that
DelegatingMissingAuthorityAccessDeniedHandler and
DefaultLoginPageGeneratingFilterTests work together properly.

Issue gh-18002
 2025-10-03 15:20:03 -05:00
Rob Winch 2473378fcd Use RequiredFactorErrors 
Closes gh-18002
 2025-10-03 15:20:03 -05:00
Rob Winch d1ff983c11 Add AllFactorsAuthorizationManager 
Closes gh-17997
 2025-10-03 15:20:03 -05:00
Rob Winch 3f74991ce9 Authentication adds FactorGrantedAuthority 
Closes gh-18001
 2025-10-03 15:20:03 -05:00
Rob Winch ce36fc1e76 Add FactorGrantedAuthority 
Closes gh-17996
 2025-10-03 15:20:00 -05:00
Joe Grandja 477a456d6c Disable device_code grant by default 
Closes gh-17998
 2025-10-03 14:10:13 -04:00
Joe Grandja 4dfef1483d Polish gh-17507 2025-10-03 13:09:09 -04:00
Rohan Naik 8c65dc93f2 Enable PKCE by default 
Closes gh-17507

Signed-off-by: Rohan Naik <rohan.nn1203@gmail.com>
 2025-10-03 13:08:04 -04:00
dependabot[bot] 0f40f694b8 Bump io.spring.nullability:io.spring.nullability.gradle.plugin 
Bumps [io.spring.nullability:io.spring.nullability.gradle.plugin](https://github.com/spring-gradle-plugins/nullability-plugin) from 0.0.4 to 0.0.5.
- [Release notes](https://github.com/spring-gradle-plugins/nullability-plugin/releases)
- [Commits](https://github.com/spring-gradle-plugins/nullability-plugin/compare/v0.0.4...v0.0.5)

---
updated-dependencies:
- dependency-name: io.spring.nullability:io.spring.nullability.gradle.plugin
  dependency-version: 0.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-03 03:08:45 +00:00
Joe Grandja 54aae36f98 Add support for OAuth 2.0 Protected Resource Metadata 
Closes gh-17244
 2025-10-02 14:50:17 -04:00
dependabot[bot] 564726adea Bump com.webauthn4j:webauthn4j-core 
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.6.RELEASE to 0.29.7.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.6.RELEASE...0.29.7.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.7.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:19:11 +00:00
dependabot[bot] c1375b857a Bump io.mockk:mockk from 1.14.5 to 1.14.6 
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.5 to 1.14.6.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.5...1.14.6)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:17:57 +00:00
dependabot[bot] c5a335ac91 Bump io.mockk:mockk from 1.14.5 to 1.14.6 
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.5 to 1.14.6.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.5...1.14.6)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-02 03:08:25 +00:00
Rob Winch 64c9e3e210 Prevent Dupliate GrantedAuthority#getAuthority() 
If the GrantedAuthority is not equal, but contains a duplicate
GrantedAuthority#getAuthority() then at the time of authentication,
the Filter or WebFilter will duplicate the GrantedAuthority which leads
to a memory leak. This is important to avoid for when we add support for
a GrantedAuthority that might have an issuedAt attribute. If it is too
old, then we'd want only the new GrantedAuthority to be added and the old
instance to be removed. However, the two GrantedAuthority instances
will not be equal because the issuedAt will not be equal.

Closes gh-17981
 2025-10-01 15:37:23 -05:00
Rob Winch c9010345b9 Add TestingAuthenticationToken(principal,credential,grantedAuthorities...) 
Closes gh-17980
 2025-10-01 13:05:56 -05:00
Joe Grandja 681e166be8 Remove default HttpSecurity.securityMatcher() for authorization server 
Closes gh-17965
 2025-10-01 11:45:21 -04:00
dependabot[bot] dc5962af16 Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.18 to 1.5.19.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.18...v_1.5.19)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-01 03:20:55 +00:00
dependabot[bot] 70da545463 Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.19 
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.18 to 1.5.19.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.18...v_1.5.19)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-10-01 03:20:01 +00:00
Rob Winch 7f10897de3 SecurityMockMvcResultMatchers.withAuthorities(String...) 
Closes gh-17974
 2025-09-30 10:39:14 -05:00
Rob Winch 0e99324c43 Merge branch '6.5.x' 2025-09-29 13:44:37 -05:00
Rob Winch cf9568fe09 Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 2025-09-29 13:43:45 -05:00
dependabot[bot] 7409133cc0 Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 
Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.5 to 5.5.1.
- [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.5.1/RELEASE_NOTES.txt)
- [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.5...rel/v5.5.1)

---
updated-dependencies:
- dependency-name: org.apache.httpcomponents.client5:httpclient5
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-29 03:26:33 +00:00
Joe Grandja f3761aff99 Add support for OAuth 2.0 Dynamic Client Registration Protocol 
Closes gh-17964
 2025-09-25 16:33:16 -04:00