Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 21:33:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
12,956 Commits 54 Branches 379 Tags
edd1915d1bd06d7d05f9f9c7da43c23ec72008e5
Commit Graph

1382 Commits

Author SHA1 Message Date
Marcus Da Coregio 898c36287c Merge branch '5.8.x' into 6.0.x 
Closes gh-12368
 2022-12-12 16:55:14 -03:00
Marcus Da Coregio 99d6d21554 Apply SecurityContextHolderFilter to all dispatcher types 
Closes gh-11962
 2022-12-12 11:45:24 -08:00
Josh Cummings 701f754e37 Cast FilterChainObservationContext Safely 
Closes gh-12268
 2022-11-29 16:24:56 -07:00
Steve Riesenberg fd547321e8 Default to XorCsrfTokenRequestAttributeHandler 
As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.

Issue gh-11960
Closes gh-12235
 2022-11-18 22:50:26 -06:00
Steve Riesenberg 5da78f44f2 Merge branch '5.8.x' 2022-11-18 14:54:33 -06:00
Steve Riesenberg 2ed7cff643 Check for existing token before clearing 
Closes gh-12236
 2022-11-18 13:12:59 -06:00
Josh Cummings 24860d9fb0 Observe Filter Start and Stop 
Issue gh-11911
 2022-11-17 15:11:29 -07:00
Josh Cummings e08ed89403 Polish Span and Meter Names 
Closes gh-12156
 2022-11-17 15:09:52 -07:00
Marcus Da Coregio 063f06e7bf Register FilterChainProxy for all dispatcher types 
Closes gh-12180
 2022-11-16 09:55:21 -03:00
Steve Riesenberg 1a3be83084 Merge branch '5.8.x' 
Closes gh-12185
 2022-11-09 12:28:37 -06:00
Steve Riesenberg 57b163bb78 Polish gh-12141 2022-11-09 12:19:43 -06:00
Marcus Da Coregio 3b5d19c8a4 Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1 
Closes gh-12146
Closes gh-12148
 2022-11-08 08:34:21 -03:00
Steve Riesenberg 36f668dd9c Merge branch '5.8.x' 
Closes gh-12142
 2022-11-04 18:12:34 -05:00
Steve Riesenberg 6b0ed0205b Re-generate tokens in CookieCsrfTokenRepository 
Fixes support for re-generating tokens within a request such as when
CsrfAuthenticationStrategy removes a null token and saves an empty
cookie value on the response.

Closes gh-12141
 2022-11-04 18:10:15 -05:00
Steve Riesenberg 801ceb0832 Merge branch '5.8.x' 2022-10-31 08:58:14 -05:00
Steve Riesenberg 66f2f1cde7 Merge branch '5.7.x' into 5.8.x 2022-10-31 08:55:03 -05:00
Steve Riesenberg 2915a70bf7 Merge branch '5.6.x' into 5.7.x 2022-10-28 13:05:48 -05:00
Steve Riesenberg 6530777742 Merge branch '5.5.x' into 5.6.x 
Closes gh-dry-run
 2022-10-28 11:31:50 -05:00
Marcus Da Coregio 1f481aafff Fix AuthorizationFilter incorrectly extending OncePerRequestFilter 
Closes gh-12102
 2022-10-28 11:29:35 -05:00
Josh Cummings d651da5ac3 Merge remote-tracking branch 'origin/5.8.x' 
Closes gh-12077
 2022-10-24 16:54:03 -06:00
Josh Cummings dd30694979 Merge remote-tracking branch 'origin/5.7.x' into 5.8.x 
Closes gh-12076
 2022-10-24 16:46:08 -06:00
David Becker 2b426872a3 Use InetSocketAddress#getHostString 
Sometimes InetSocketAddress#getAddress#getHostAddress retuns null.
In that case, call InetSocketAddress#getHostString instead.

There is no performance loss since IpAddressMatcher#matches attemptsi
to re-parse and resolve the address anyway.

Closes gh-11888
 2022-10-24 16:32:19 -06:00
Steve Riesenberg 8554e70c09 Remove deprecated loadContext(request) 
Closes gh-12048
 2022-10-17 20:13:51 -05:00
Steve Riesenberg e238b721bb Fix imports in DelegatingSecurityContextRepository 
Issue gh-12023
 2022-10-17 19:36:25 -05:00
Steve Riesenberg bd43c1f28a Merge branch '5.8.x' 
# Conflicts:
#	web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
#	web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java
 2022-10-17 19:35:27 -05:00
Steve Riesenberg acc35aeb18 Add DelegatingSecurityContextRepository 
Issue gh-12023
 2022-10-17 19:33:58 -05:00
Steve Riesenberg c75ca10900 Add DeferredSecurityContext 
Issue gh-12023
 2022-10-17 19:33:58 -05:00
Josh Cummings f4cc27c375 Change Default for (Server)AuthenticationEntryPointFailureHandler 
Closes gh-9429
 2022-10-13 20:03:03 -06:00
Josh Cummings 5afc7cb04f Merge remote-tracking branch 'origin/5.8.x' 2022-10-13 19:48:05 -06:00
Josh Cummings 099aaa33ff Remove Deprecation Markers 
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.

Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.

At that time, BearerTokenAuthenticationFilter can change to use
the handler.

Closes gh-11932
 2022-10-13 19:47:22 -06:00
Daniel Garnier-Moiroux 200b7fecd3 Add (Server)AuthenticationEntryPointFailureHandlerAdapter 
Issue gh-11932, gh-9429

(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.

BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
 2022-10-13 19:25:04 -06:00
Steve Riesenberg 9090f62d9b Merge branch '5.8.x' 2022-10-13 16:46:53 -05:00
Evgeniy Cheban 56b9badcfe AnonymousAuthenticationFilter should cache its Supplier<SecurityContext> 
Closes gh-11900
 2022-10-13 16:44:48 -05:00
Steve Riesenberg 45a963a011 Remove CsrfWebFilter.setTokenFromMultipartDataEnabled 
Closes gh-12019
 2022-10-13 11:29:16 -05:00
Joe Grandja 753e113a13 RequestMatcherDelegatingAuthorizationManager defaults to deny 
Closes gh-11958
 2022-10-13 11:12:00 -04:00
Steve Riesenberg 2407d07890 Default to Xor CSRF tokens in CsrfWebFilter 
Closes gh-11960
 2022-10-13 09:39:57 -05:00
Steve Riesenberg 2a2051cd7b Default to Xor CSRF tokens in CsrfFilter 
Issue gh-11960
 2022-10-13 09:39:55 -05:00
Joe Grandja 6026f9f70f Merge branch '5.8.x' 2022-10-13 06:31:37 -04:00
Joe Grandja 185991a606 Revert "Add default AuthorizationManager" 
This reverts commit 4ddec07d0e.
 2022-10-13 06:18:00 -04:00
Josh Cummings 2713075d08 Mark Observations with Firewall Failures 
Closes gh-11994
 2022-10-12 20:32:24 -06:00
Josh Cummings 46ab84684b Mark Observations with CSRF Failures 
Closes gh-11993
 2022-10-12 20:32:23 -06:00
Josh Cummings 99a87179dd Instrument Filter Chain 
Closes gh-11911
 2022-10-12 20:32:22 -06:00
Steve Riesenberg 9b43950e13 Merge branch '5.8.x' 2022-10-12 13:14:20 -05:00
Steve Riesenberg 8bd25f90e4 Polish XorServerCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:31:56 -05:00
Steve Riesenberg 804f20045e Polish XorCsrfTokenRequestAttributeHandlerTests 2022-10-12 12:30:40 -05:00
Steve Riesenberg 05e4a1dd20 Cache Xor CsrfToken 
Closes gh-11988
 2022-10-12 12:30:40 -05:00
Marcus Da Coregio c5e35bf32e Merge branch '5.8.x' 
Closes gh-11978
 2022-10-10 09:24:50 -03:00
Marcus Da Coregio 4b6fed0667 Add static factory method to AntPathRequestMather and RegexRequestMatcher 
Closes gh-11938
 2022-10-10 09:24:15 -03:00
Daniel Garnier-Moiroux 27059ced87 Default X-Xss-Protection header value to "0" 
Closes gh-9631
 2022-10-07 17:42:55 -05:00
Steve Riesenberg 6753f9745e Merge branch '5.8.x' 
# Conflicts:
#	config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
#	docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
 2022-10-07 17:29:07 -05:00