mirror of synced 2026-05-22 21:33:16 +00:00
Commit Graph

2175 Commits

Author SHA1 Message Date
Josh Cummings 7543effe89 Add SecurityContextHolderStrategy Java Configuration for OAuth2
Issue gh-11061
2022-10-05 23:50:58 -06:00
Josh Cummings 7e3841105b Add SecurityContextHolderStrategy XML Configuration for Saml2
Issue gh-11061
2022-10-05 23:50:57 -06:00
Josh Cummings 19181a5afd Add SecurityContextHolderStrategy Java Configuration for Saml2
Issue gh-11061
2022-10-05 23:50:56 -06:00
Josh Cummings 72a46ddd31 Merge remote-tracking branch 'origin/5.8.x' 2022-10-05 22:48:33 -06:00
Josh Cummings b4d13e7726 Polish use-authorization-manager
- Use SecurityContextHolderStrategy
- Allow empty role prefix
- Disallow access-decision-manager-ref and authorization-manager-ref
together

Issue gh-11305
2022-10-05 22:21:09 -06:00
Josh Cummings 7043ef6ccb Polish OpaqueTokenAuthenticationConverterTests
Issue gh-11665
2022-10-05 22:18:41 -06:00
Steve Riesenberg 8b490de08d Merge branch '5.8.x'
# Conflicts:
#	docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
2022-10-05 14:46:15 -05:00
Steve Riesenberg dce1c30522 Add support for BREACH
Closes gh-4001
2022-10-05 14:21:13 -05:00
Steve Riesenberg 6bbf20be93 Fix failing tests
Issue gh-11952
2022-10-05 14:19:40 -05:00
Steve Riesenberg a7000a053b Merge branch '5.8.x' 2022-10-05 13:46:26 -05:00
Steve Riesenberg 1d706ae13d Add csrfTokenRequestResolver to CsrfDsl
Closes gh-11952
2022-10-05 13:35:23 -05:00
Marcus Da Coregio c2ed65c67a Fix failing tests
Issue gh-9159
2022-10-05 14:59:33 -03:00
Marcus Da Coregio 22ba358e57 Merge branch '5.8.x' 2022-10-05 13:44:54 -03:00
Marcus Da Coregio bf6e85ec15 Accept String varargs in securityMatcher
Issue gh-9159
2022-10-05 13:44:08 -03:00
Marcus Da Coregio 76d7a85bc0 Use modified classpath test support for tests that depend on the classpath
Issue gh-11347
2022-10-04 15:32:19 -03:00
Marcus Da Coregio 77dcc691b3 Add modified classpath test support
Closes gh-11951
2022-10-04 15:32:18 -03:00
Marcus Da Coregio 5002199be3 Revert "Disable tests that need Spring MVC mocked in classpath"
This reverts commit c6978fba7c.
2022-10-04 15:32:18 -03:00
Marcus Da Coregio 35f7e46d05 Remove WebSecurityConfigurerAdapter
Closes gh-10902
2022-10-04 15:13:04 -03:00
Steve Riesenberg 3bc76815c2 Update csrf.request-handler-ref in 6.0
Issue gh-11918
2022-10-04 11:24:54 -05:00
Steve Riesenberg 5de6da890b Merge branch '5.8.x'
Closes gh-dry-run
2022-10-04 11:18:00 -05:00
Marcus Da Coregio c6978fba7c Disable tests that need Spring MVC mocked in classpath
Issue gh-11347
2022-10-04 08:56:06 -03:00
Steve Riesenberg 475b3bb6bb Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler

Issue gh-11892
Closes gh-11918
2022-10-03 17:10:54 -05:00
Steve Riesenberg c847efd3fd Fix servlet import
Issue gh-11347
Issue gh-9159
2022-10-03 15:10:56 -05:00
Steve Riesenberg c98de7af2f Add xss-protection.header-value in 6.0
Issue gh-9631
2022-10-03 14:31:04 -05:00
Steve Riesenberg 7c3cc1e386 Merge branch '5.8.x' 2022-10-03 14:29:51 -05:00
Daniel Garnier-Moiroux 0e215a21ad Add X-Xss-Protection headerValue to XML config
Issue gh-9631
2022-10-03 14:29:34 -05:00
Marcus Da Coregio ad2abd39dc Merge branch '5.8.x'
Closes gh-11347 in 6.0.x
Closes gh-11945
2022-10-03 16:02:18 -03:00
Marcus Da Coregio 039e0328e1 Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity

Closes gh-11347
Closes gh-9159
2022-10-03 15:55:20 -03:00
Steve Riesenberg d9a682a414 Polish gh-11896 2022-10-03 10:00:43 -05:00
Steve Riesenberg bf9339d88e Merge branch '5.8.x' 2022-10-03 09:57:40 -05:00
Steve Riesenberg 7f9600ae08 Polish gh-11896 2022-10-03 09:57:08 -05:00
Marcus Da Coregio 5f2744db33 Merge branch '5.8.x'
Closes gh-11937
2022-10-03 11:43:22 -03:00
Marcus Da Coregio 64a19de4dc Deprecate HPKP security header
Closes gh-10144
2022-10-03 11:36:19 -03:00
Rob Winch 4479cefade Default Require Explicit Session Management = true
Closes gh-11763
2022-09-30 21:49:05 -05:00
Rob Winch 0d58c5180e Remove Explicit RequestCache Config from DeferHttpSession Tests
Issue gh-11757
2022-09-30 21:49:05 -05:00
Rob Winch 12a0ccf6de Remove Explicit CSRF Config from DeferHttpSessionTests
Issue gh-11764
2022-09-30 21:49:04 -05:00
Rob Winch 617353eaa8 Merge branch '5.8.x'
Closes gh-11928
2022-09-30 21:46:26 -05:00
Rob Winch 6d56af7b65 SessionManagementDsl.requireExplicitAuthenticationStrategy 2022-09-30 21:37:44 -05:00
Steve Riesenberg 76fbca9f46 Merge branch '5.8.x' 2022-09-30 09:50:02 -05:00
Daniel Garnier-Moiroux 93250013e4 Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commit adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue gh-9631
2022-09-30 09:38:08 -05:00
Marcus Da Coregio 3bfdf6dd0f Merge branch '5.8.x'
Closes gh-11922
2022-09-29 11:21:24 -03:00
Marcus Da Coregio cf3349f31a Configure ContentNegotiationStrategy in HttpSecurityConfiguration
Closes gh-11916
2022-09-29 11:21:08 -03:00
Josh Cummings 506e50bfd0 Move Saml2 Authentication Filters
Issue gh-8819
2022-09-26 10:44:27 -06:00
Steve Riesenberg 181ee7410b Change default authority for oauth2Login()
Previously, the default authority was ROLE_USER when using
oauth2Login() for both OAuth2 and OIDC providers.

* Default authority for OAuth2UserAuthority is now OAUTH2_USER
* Default authority for OidcUserAuthority is now OIDC_USER

Documentation has been updated to include this implementation detail.

Closes gh-7856
2022-09-26 10:06:31 -05:00
Josh Cummings 37a160245f Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-23 16:31:21 -06:00
Steve Riesenberg 21c0c73878 Remove request-resolver-ref in 6.0
Issue gh-11896
2022-09-23 16:04:35 -05:00
Steve Riesenberg bcb21c9384 Merge branch '5.8.x'
# Conflicts:
#	config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
2022-09-23 15:39:43 -05:00
Steve Riesenberg 46696a9226 CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
2022-09-23 15:09:00 -05:00
Steve Riesenberg 3c66ef6305 Change default SecurityContextRepository
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
2022-09-22 17:31:14 -05:00
Rob Winch 0efe26c1fd Merge branch '5.8.x'
Closes gh-11894
2022-09-22 13:47:04 -05:00