Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
19,594 Commits 54 Branches 379 Tags
51fe7ff73775b073ba92b90ea9b8bd0fab7aa884
Commit Graph

19594 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Joe Grandja 51fe7ff737 Return device_code grant metadata when enabled 
Issue gh-17998
 2025-10-04 05:38:11 -04:00
Rob Winch 9595d37c14 Integration Test for DefaultLoginPageGeneratingFilterTests 
Add a minimal test to ensure that
DelegatingMissingAuthorityAccessDeniedHandler and
DefaultLoginPageGeneratingFilterTests work together properly.

Issue gh-18002
 2025-10-03 15:20:03 -05:00
Rob Winch 2473378fcd Use RequiredFactorErrors 
Closes gh-18002
 2025-10-03 15:20:03 -05:00
Rob Winch d1ff983c11 Add AllFactorsAuthorizationManager 
Closes gh-17997
 2025-10-03 15:20:03 -05:00
Rob Winch 3f74991ce9 Authentication adds FactorGrantedAuthority 
Closes gh-18001
 2025-10-03 15:20:03 -05:00
Rob Winch ce36fc1e76 Add FactorGrantedAuthority 
Closes gh-17996
 2025-10-03 15:20:00 -05:00
Joe Grandja 477a456d6c Disable device_code grant by default 
Closes gh-17998
 2025-10-03 14:10:13 -04:00
Joe Grandja 4dfef1483d Polish gh-17507 2025-10-03 13:09:09 -04:00
Rohan Naik 8c65dc93f2 Enable PKCE by default 
Closes gh-17507

Signed-off-by: Rohan Naik <rohan.nn1203@gmail.com>
 2025-10-03 13:08:04 -04:00
Joe Grandja 54aae36f98 Add support for OAuth 2.0 Protected Resource Metadata 
Closes gh-17244
 2025-10-02 14:50:17 -04:00
Rob Winch 64c9e3e210 Prevent Dupliate GrantedAuthority#getAuthority() 
If the GrantedAuthority is not equal, but contains a duplicate
GrantedAuthority#getAuthority() then at the time of authentication,
the Filter or WebFilter will duplicate the GrantedAuthority which leads
to a memory leak. This is important to avoid for when we add support for
a GrantedAuthority that might have an issuedAt attribute. If it is too
old, then we'd want only the new GrantedAuthority to be added and the old
instance to be removed. However, the two GrantedAuthority instances
will not be equal because the issuedAt will not be equal.

Closes gh-17981
 2025-10-01 15:37:23 -05:00
Rob Winch c9010345b9 Add TestingAuthenticationToken(principal,credential,grantedAuthorities...) 
Closes gh-17980
 2025-10-01 13:05:56 -05:00
Joe Grandja 681e166be8 Remove default HttpSecurity.securityMatcher() for authorization server 
Closes gh-17965
 2025-10-01 11:45:21 -04:00
Rob Winch 7f10897de3 SecurityMockMvcResultMatchers.withAuthorities(String...) 
Closes gh-17974
 2025-09-30 10:39:14 -05:00
Rob Winch 0e99324c43 Merge branch '6.5.x' 2025-09-29 13:44:37 -05:00
Rob Winch cf9568fe09 Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 2025-09-29 13:43:45 -05:00
dependabot[bot] 7409133cc0 Bump org.apache.httpcomponents.client5:httpclient5 from 5.5 to 5.5.1 
Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.5 to 5.5.1.
- [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.5.1/RELEASE_NOTES.txt)
- [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.5...rel/v5.5.1)

---
updated-dependencies:
- dependency-name: org.apache.httpcomponents.client5:httpclient5
  dependency-version: 5.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-29 03:26:33 +00:00
Joe Grandja f3761aff99 Add support for OAuth 2.0 Dynamic Client Registration Protocol 
Closes gh-17964
 2025-09-25 16:33:16 -04:00
Rob Winch 667cd4aa7c Remove unnecessary throws Exception from spring-security-config 
Closes gh-17957
 2025-09-25 11:50:13 -05:00
Rob Winch be20201bf7 FACTOR uses defaultEntryPoint when possible 
Previously they used addEntryPointFor(entryPoint, AnyRequestMatcher.INSTANCE) to
work around gh-17955. They now can use defaultEntryPoint which is more concise.

Issue gh-gh-17955
 2025-09-25 11:18:20 -05:00
Rob Winch 029e31ebe8 DelegatingAuthenticationEntryPoint.Builder allows just defaultEntryPoint 
Previously build threw an Exception when entryPoints was empty and
defaultEntryPoint was specified.

This commit changes build to return the defaultEntryPoint instead.

Closes gh-17955
 2025-09-25 09:45:52 -05:00
Josh Cummings ad6fe4fdc3 Polish MFA Samples 
This commit removes unneeded AuthorizationManagerFactory
implementations, simplifies the custom AuthorizationManagerFactory
example, and updates usage of hasAllAuthorities.

Issue gh-17934
 2025-09-24 17:54:59 -06:00
Rob Winch f652920bb3 Add @EnableGlobalMultiFactorAuthentication 
Closes gh-17954
 2025-09-24 14:47:26 -05:00
Rob Winch e33e4d80a9 Fix Antora Warnings in servlet/authentication/adaptive.adoc 
Issue gh-2603
 2025-09-24 13:05:50 -05:00
Rob Winch b2d76dfe66 Add GrantedAuthorities.FACTOR_*_AUTHORITY 
Closes gh-17952
 2025-09-24 09:53:56 -05:00
Josh Cummings 28aad8855c Merge branch 'mfa' 
Closes gh-2603
 2025-09-23 18:23:11 -06:00
Josh Cummings bbba2930e9 Add Initial Documentation 
Issue gh-17934
 2025-09-23 18:16:36 -06:00
Josh Cummings d757e6e44e Response to Additional Feedback 
- Moved request attribute to WebAttributes
- Renamed ExceptionHandlingConfigurer methods
- Removed varargs from DelegatingMissingAuthorityAccessDeniedHandler

Issue gh-17901
Issue gh-17934
 2025-09-23 18:16:22 -06:00
Josh Cummings 50ebd467c3 Polish Default Login Page 
Issue gh-17901
 2025-09-23 17:59:23 -06:00
Josh Cummings 42376e2eee Prepopulate Username When Known 
Closes gh-17935
 2025-09-23 17:59:22 -06:00
Josh Cummings e813aad82b Support Showing One Part of Login Page 
Closes gh-17901
 2025-09-23 17:59:21 -06:00
Josh Cummings 9f317757c3 Make Public Missing Authority AccessDeniedHandler 
Issue gh-17934
 2025-09-23 17:59:19 -06:00
Josh Cummings df7a7cdc99 Update Test for Method Security 
Issue gh-17936
 2025-09-23 17:16:33 -06:00
Josh Cummings e66c498d80 Redirect to Appropriate Entry Point Based on Missing Authorities 
Issue gh-17934
 2025-09-23 17:16:32 -06:00
Josh Cummings fe17f2904d Initial Exception Handling 
This commit hardcodes factors as a proof of concept for
multi-factor authentication

Issue gh-17934
 2025-09-23 17:16:30 -06:00
Rob Winch 549569ea55 Add DefaultAuthorizationManagerFactory.additionalAuthorization 2025-09-23 16:52:10 -05:00
Rob Winch 1608465a38 DefaultAuthorizationManagerFactory additionalAuthorization 
This commit adds AuthorizationManager<T> additionalAuthorization to
DefaultAuthorizationManagerFactory which can be used for multi factor
authorization.

There is a builder that allows for creating an instance that requires
static additional authorities, but for more advanced cases users can
inject an additionalAuthorization that looks up if the user has settings
that enable additional required authorities.

The builder can later be updated to support checking that a particular
authority was granted within a specified amount of time.

Issue gh-17900
 2025-09-23 15:25:26 -05:00
Rob Winch 459b872a20 Cleanup Kotlin AuthorizationManagerFactory Generics 
This cleans up the generic types within the Kotlin DSL that reference
AuthorizationManagerFactory

Issue gh-17860
 2025-09-23 10:32:02 -05:00
dependabot[bot] 02bc3adfb8 Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 
Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.5 to 3.27.6.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.5...assertj-build-3.27.6)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-23 03:17:16 +00:00
dependabot[bot] f8ab033c7b Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 
Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.5 to 3.27.6.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.5...assertj-build-3.27.6)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-23 03:07:48 +00:00
Josh Cummings 628f3da30b Revert "Add AuthorityUtils Methods" 
This reverts commit 50bdaeb100 that
was accidentally committed
 2025-09-22 12:26:07 -06:00
Josh Cummings 5ca5aca48e Add Null Guard 
Issue gh-17933
 2025-09-22 12:23:29 -06:00
Josh Cummings c61f53ad64 Copy Query to Parameters 
Issue gh-17450
 2025-09-22 12:17:24 -06:00
Josh Cummings 50bdaeb100 Add AuthorityUtils Methods 
This commit adds a couple of utility methods for working with authorities
by type. Now that there are infrastructural authorities that Spring Secuirty
works with directly, it's helpful to be able to filter them out of the
authority list.
 2025-09-22 11:42:14 -06:00
Rob Winch b31fdcd89f Merge branch '6.5.x' 2025-09-22 11:57:34 -05:00
Rob Winch 1878a1e03b Merge branch '6.4.x' into 6.5.x 2025-09-22 11:57:26 -05:00
Rob Winch f0f57ad560 Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 2025-09-22 11:57:04 -05:00
Rob Winch 93ded52236 Bump org.gretty:gretty from 4.1.7 to 4.1.10 2025-09-22 11:57:02 -05:00
Rob Winch 329af112ed Bump com.webauthn4j:webauthn4j-core from 0.29.5.RELEASE to 0.29.6.RELEASE 2025-09-22 11:55:59 -05:00
Rob Winch 3f1a60b0b8 Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 2025-09-22 11:55:56 -05:00