c08329c0c5
Merge CredentialRecordOwnerAuthorizationManager
2026-03-29 22:24:21 -05:00
a856baa6a8
Add CredentialRecordOwnerAuthorizationManager
...
Add CredentialRecordOwnerAuthorizationManager that verifies the
credential being deleted is owned by the currently authenticated user.
Also add an AuthorizationManager<Bytes> to WebAuthnRegistrationFilter
for the delete credential operation, defaulting to deny all, and wire it
up in WebAuthnConfigurer.
Per the WebAuthn specification [1], credential ids contain at least 16
bytes with at least 100 bits of entropy, making them practically
unguessable. The specification also advises that credential ids should
be kept private, as exposing them can leak personally identifying
information [2]. The CredentialRecordOwnerAuthorizationManager serves as
defense in depth: even if a credential id were somehow exposed, an
unauthorized user could not delete another user's credential.
[1] https://www.w3.org/TR/webauthn-3/#credential-id
[2] https://www.w3.org/TR/webauthn-3/#sctn-credential-id-privacy-leak
2026-03-29 21:54:27 -05:00
611786e4b5
Merge branch '6.5.x' into 7.0.x
2026-03-27 16:49:26 -06:00
ac63cf4fa5
Polish CustomAuthorizationManager Docs
...
Issue gh-13967
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-27 16:45:25 -06:00
f6bb55effb
Fix documentation for Custom Authorization Manager
...
Closes gh-13967
Signed-off-by: as1605 <1605.aditya.singh@gmail.com >
2026-03-27 16:45:25 -06:00
6020ab8e65
Polish CustomAuthorizationManager Docs
...
Issue gh-13967
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-27 16:36:00 -06:00
3076367168
Fix documentation for Custom Authorization Manager
...
Closes gh-13967
Signed-off-by: as1605 <1605.aditya.singh@gmail.com >
2026-03-27 16:36:00 -06:00
721b22d87a
Merge remote-tracking branch 'origin/6.5.x' into 7.0.x
2026-03-27 16:10:18 -06:00
85b756cb74
Update FilterChainProxy#getFilters(String) javadoc
...
Closes gh-18157
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com >
2026-03-27 16:09:50 -06:00
0ce76d2c5d
Merge branch '6.5.x' into 7.0.x
2026-03-27 13:27:03 -06:00
66cf02c6b0
Bump spring-io/spring-gradle-build-action from 2.0.5 to 2.0.6
...
Bumps [spring-io/spring-gradle-build-action](https://github.com/spring-io/spring-gradle-build-action ) from 2.0.5 to 2.0.6.
- [Release notes](https://github.com/spring-io/spring-gradle-build-action/releases )
- [Commits](https://github.com/spring-io/spring-gradle-build-action/compare/efc55f07f4dfa22f2afd97f9ea1be4212eeed737...c8668747d7c264864c8c7f7026d0d277d14a78dc )
---
updated-dependencies:
- dependency-name: spring-io/spring-gradle-build-action
dependency-version: 2.0.6
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-27 13:26:10 -06:00
7441ce7f16
Bump spring-io/spring-security-release-tools/.github/workflows/perform-release.yml
...
Bumps [spring-io/spring-security-release-tools/.github/workflows/perform-release.yml](https://github.com/spring-io/spring-security-release-tools ) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases )
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc )
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095 )
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-27 13:25:46 -06:00
9dbcd8cf00
Bump spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml
...
Bumps [spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml](https://github.com/spring-io/spring-security-release-tools ) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases )
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc )
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095 )
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-27 13:25:35 -06:00
e6db4418b0
Merge branch '6.5.x' into 7.0.x
2026-03-27 13:22:44 -06:00
835d6c1fbd
Add Issuer Validation to withIssuerLocation Snippets
...
Closes gh-19000
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-27 13:22:24 -06:00
9fb3e14989
Merge branch '6.5.x' into 7.0.x
2026-03-27 12:14:41 -06:00
2c90edd7b7
Merge branch '6.5.x' into 7.0.x
2026-03-27 12:12:27 -06:00
95b2cdf7f4
Clarify JavaDoc
...
Removed note about DelegatingJwtGrantedAuthoritiesConverter from
ExpressionJwtGrantedAuthoritiesConverter and further explained in
DelegatingJwtGrantedAuthoritiesConverter where it comes in handy.
Issue gh-18300
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-27 11:48:56 -06:00
f0e71a8bc4
Merge pull request #18990 from rwinch/7.0.x-gh-18970-null-oncommitted
...
Merge Handle null value in OnCommittedResponseWrapper header methods
2026-03-26 17:33:33 -04:00
3ecf84855e
Merge pull request #18989 from rwinch/gh-18970-null-oncommitted
...
Merge Handle null value in OnCommittedResponseWrapper header methods
2026-03-26 17:29:33 -04:00
2848b95fe0
Merge Handle null value in OnCommittedResponseWrapper header methods
2026-03-26 15:44:49 -05:00
0039bc0cf0
Handle null value in OnCommittedResponseWrapper header methods
...
Closes gh-18970
2026-03-26 14:50:44 -05:00
671a53e850
Merge branch '6.5.x' into 7.0.x
2026-03-25 15:19:59 -06:00
057e5181ea
Adjust Formatting
...
Issue gh-18805
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-25 15:19:29 -06:00
178ca56aaf
Fallback defaultTargetUrl if refererHeader is empty
...
Closes gh-18805
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com >
2026-03-25 15:19:29 -06:00
164fbaf007
Merge branch '6.5.x' into 7.0.x
2026-03-25 15:11:52 -06:00
61ccf14953
Bump org.hibernate.orm:hibernate-core from 6.6.44.Final to 6.6.45.Final
...
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm ) from 6.6.44.Final to 6.6.45.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases )
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.45/changelog.txt )
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.44...6.6.45 )
---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
dependency-version: 6.6.45.Final
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-25 15:11:27 -06:00
65cf2586c5
Merge branch '6.5.x' into 7.0.x
...
Closes gh-18978
2026-03-25 12:40:43 -04:00
6e683f2286
Fix ID Token auth_time validation
...
Closes gh-18839
2026-03-25 11:33:55 -04:00
bae4cdd765
Adjust for Nullability
...
Issue gh-18973
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-24 13:39:27 -06:00
a7c3e842d6
Merge branch '6.5.x' into 7.0.x
2026-03-23 18:12:36 -06:00
b6e24db68c
Return Mono.empty on Empty POST
...
Closes gh-18973
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-23 18:12:21 -06:00
7dea8b8ca2
Merge branch '6.5.x' into 7.0.x
2026-03-23 17:53:14 -06:00
aeb5fc1fb0
Fix HttpSessionRequestCache#getMatchingRequest query string parsing
...
- URL parsing changed in framework 6.2, and fails when path contains a % sign.
- The HttpSessionRequestCache only needs to inspect the query string, not the full URL.
Fixes gh-16656
Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf >
2026-03-23 17:52:17 -06:00
4542f58be7
Merge branch '6.5.x' into 7.0.x
2026-03-20 21:27:04 -06:00
62f33d3fcf
Add equals and hashCode to HttpMethodRequestMatcher
...
Closes gh-18911
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com >
2026-03-20 21:22:20 -06:00
956561e143
Merge branch '6.5.x' into 7.0.x
2026-03-20 15:28:36 -06:00
9fed1ac8c3
New line per sentence
...
Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com >
2026-03-20 15:28:21 -06:00
9dbe3bdcc0
Polish Session Management Persistence Docs
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-20 15:28:21 -06:00
d547ae0181
Fix defaults description in Session Management doc
...
Corrected that starting from Spring Security 6
security context is not automatically saved by default.
Signed-off-by: sankranti <sankranty@gmail.com >
2026-03-20 15:28:21 -06:00
b8b1278e1f
Bump @springio/antora-extensions from 1.14.7 to 1.14.9 in /docs
...
Bumps [@springio/antora-extensions](https://github.com/spring-io/antora-extensions ) from 1.14.7 to 1.14.9.
- [Changelog](https://github.com/spring-io/antora-extensions/blob/main/CHANGELOG.adoc )
- [Commits](https://github.com/spring-io/antora-extensions/compare/v1.14.7...v1.14.9 )
---
updated-dependencies:
- dependency-name: "@springio/antora-extensions"
dependency-version: 1.14.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-20 15:22:06 -06:00
381047e386
Bump spring-io/spring-security-release-tools from 1.0.14 to 1.0.15
...
Bumps [spring-io/spring-security-release-tools](https://github.com/spring-io/spring-security-release-tools ) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases )
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc )
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095 )
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-20 15:21:53 -06:00
fbbbd46bee
Update asciidoctor-extensions to 1.0.0-alpha.18
...
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com >
2026-03-20 21:21:22 +00:00
8abffbd0df
Merge branch '6.5.x' into 7.0.x
2026-03-20 15:00:02 -06:00
376b40a735
Bump io.spring.gradle:spring-security-release-plugin
...
Bumps [io.spring.gradle:spring-security-release-plugin](https://github.com/spring-io/spring-security-release-tools ) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases )
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc )
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/v1.0.14...v1.0.15 )
---
updated-dependencies:
- dependency-name: io.spring.gradle:spring-security-release-plugin
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-20 14:58:20 -06:00
89fa1cbdd2
Bump spring-io/spring-security-release-tools/.github/workflows/build.yml
...
Bumps [spring-io/spring-security-release-tools/.github/workflows/build.yml](https://github.com/spring-io/spring-security-release-tools ) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases )
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc )
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095 )
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/build.yml
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-20 14:57:09 -06:00
0d75e6d10c
Bump @springio/asciidoctor-extensions in /docs
...
Bumps [@springio/asciidoctor-extensions](https://github.com/spring-io/asciidoctor-extensions ) from 1.0.0-alpha.17 to 1.0.0-alpha.18.
- [Changelog](https://github.com/spring-io/asciidoctor-extensions/blob/main/CHANGELOG.adoc )
- [Commits](https://github.com/spring-io/asciidoctor-extensions/compare/v1.0.0-alpha.17...v1.0.0-alpha.18 )
---
updated-dependencies:
- dependency-name: "@springio/asciidoctor-extensions"
dependency-version: 1.0.0-alpha.18
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-20 14:56:46 -06:00
01758c4c59
Bump spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml
...
Bumps [spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml](https://github.com/spring-io/spring-security-release-tools ) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases )
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc )
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095 )
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-20 14:56:10 -06:00
f37833a59c
Bump spring-io/spring-security-release-tools/.github/workflows/test.yml
...
Bumps [spring-io/spring-security-release-tools/.github/workflows/test.yml](https://github.com/spring-io/spring-security-release-tools ) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases )
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc )
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095 )
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/test.yml
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-20 14:55:52 -06:00
52e6c4c4be
Bump spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml
...
Bumps [spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml](https://github.com/spring-io/spring-security-release-tools ) from 1.0.14 to 1.0.15.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases )
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc )
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/729fed56d42122f88583aff1be35c0800b7d77e9...b92832ecbc7cbe969201e6beafbde0ee400cf095 )
---
updated-dependencies:
- dependency-name: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml
dependency-version: 1.0.15
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-03-20 14:55:38 -06:00
Robert Winch