1
0
mirror of synced 2026-07-15 23:55:09 +00:00

Compare commits

..

24 Commits

Author SHA1 Message Date
Marcus Da Coregio 5bc0537f1b Release 5.5.4 2021-12-20 10:18:36 -03:00
Marcus Da Coregio 355bf8ddee Update spring-ldap-core to 2.3.5.RELEASE
Closes gh-10641
2021-12-20 10:02:03 -03:00
Marcus Da Coregio 05585a5f13 Update org.springframework.data to 2021.0.7
Closes gh-10640
2021-12-20 10:02:00 -03:00
Marcus Da Coregio 00d350608a Update org.springframework to 5.3.14
Closes gh-10639
2021-12-20 10:01:58 -03:00
Marcus Da Coregio 906c520fa0 Update org.jetbrains.kotlin to 1.5.32
Closes gh-10638
2021-12-20 10:01:55 -03:00
Marcus Da Coregio ca19601f8b Update cas-client-core to 3.6.4
Closes gh-10637
2021-12-20 10:01:52 -03:00
Marcus Da Coregio bdd4d05ce2 Update hsqldb to 2.6.1
Closes gh-10636
2021-12-20 10:01:50 -03:00
Marcus Da Coregio 0eec932917 Update hibernate-entitymanager to 5.4.33
Closes gh-10635
2021-12-20 10:01:47 -03:00
Marcus Da Coregio af5c1761e8 Update io.projectreactor to 2020.0.14
Closes gh-10633
2021-12-20 10:01:42 -03:00
Marcus Da Coregio 491989c692 Update jackson-bom to 2.12.6
Closes gh-10630
2021-12-20 10:01:34 -03:00
Marcus Da Coregio 731069a69a Update logback-classic to 1.2.9
Closes gh-10629
2021-12-20 10:01:31 -03:00
Steve Riesenberg 47b8860681 Update copyright year
Issue gh-10557
2021-12-01 17:36:52 -06:00
Steve Riesenberg 828cac8889 Fix case sensitive headers comparison
Closes gh-10557
2021-12-01 15:19:33 -06:00
Jonas Erbe aefd2d497c Fix JwtClaimValidator wrong error code
Previously JwtClaimValidator returned the invalid_request error on claim validation failure.
But validators have to return invalid_token errors on failure according to:
https://datatracker.ietf.org/doc/html/rfc6750#section-3.1.
Also see gh-10337

Closes gh-10337
2021-11-29 12:22:30 -07:00
Henning Poettker 775bf91c77 Fix return type for NoOpPasswordEncoder bean in documentation 2021-11-23 14:14:41 -03:00
Marcus Da Coregio 2bf7a5ae80 Improve log message when no CSRF token found
Closes gh-10436
2021-11-19 08:37:25 -03:00
Josh Cummings c495ff8759 Fix AuthnRequestConverter Sample Typos
Closes gh-10364
2021-11-18 13:37:45 -07:00
Josh Cummings b7a12e1b80 Fix setJWTClaimSetJWSKeySelector Typo
Closes gh-10504
2021-11-16 15:34:40 -07:00
Josh Cummings 670d10dadd Fix jwtDecoder Documentation Usage
Closes gh-10505
2021-11-16 15:21:05 -07:00
Josh Cummings 72db6a20c9 Don't Cache ReactiveJwtDecoders Errors
Closes gh-10444
2021-11-10 17:44:15 -07:00
Marcus Da Coregio 00f4033b9b Update DefaultWebInvocationPrivilegeEvaluator to use current ServletContext
Closes gh-10208
2021-10-22 13:22:12 -03:00
Steve Riesenberg ddb59d439f Update io.spring.javaformat to 0.0.29
Closes gh-10411
2021-10-22 10:19:35 -05:00
Rob Winch e4a76b0ec9 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-22 10:19:34 -05:00
Steve Riesenberg 78e8507af7 Next Development Version 2021-10-18 14:51:43 -05:00
72 changed files with 288 additions and 115 deletions
+1 -1
View File
@@ -72,7 +72,7 @@ dependencies {
implementation localGroovy()
implementation 'io.github.gradle-nexus:publish-plugin:1.1.0'
implementation 'io.projectreactor:reactor-core:3.4.11'
implementation 'io.projectreactor:reactor-core:3.4.13'
implementation 'gradle.plugin.org.gretty:gretty:3.0.1'
implementation 'com.apollographql.apollo:apollo-runtime:2.4.5'
implementation 'com.github.ben-manes:gradle-versions-plugin:0.38.0'
@@ -40,9 +40,9 @@ import org.jasig.cas.client.authentication.AttributePrincipal;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see CasJackson2Module
* @see org.springframework.security.jackson2.SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
@@ -37,9 +37,9 @@ import org.jasig.cas.client.proxy.ProxyRetriever;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see CasJackson2Module
* @see org.springframework.security.jackson2.SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
@@ -47,9 +47,9 @@ import org.springframework.security.core.userdetails.UserDetails;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see CasJackson2Module
* @see org.springframework.security.jackson2.SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
@@ -19,8 +19,8 @@ package org.springframework.security.config;
/**
* Callback interface that accepts a single input argument and returns no result.
*
* @author Eleftheria Stein
* @param <T> the type of the input to the operation
* @author Eleftheria Stein
* @since 5.2
*/
@FunctionalInterface
@@ -27,8 +27,8 @@ import org.springframework.security.config.annotation.authentication.builders.Au
* {@link AuthenticationConfiguration} to configure the global
* {@link AuthenticationManagerBuilder}.
*
* @since 5.0
* @author Rob Winch
* @since 5.0
*/
@Order(100)
public abstract class GlobalAuthenticationConfigurerAdapter
@@ -30,10 +30,10 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
* class is not intended to be imported manually rather it is imported automatically when
* using {@link EnableWebSecurity} or {@link EnableGlobalMethodSecurity}.
*
* @see EnableWebSecurity
* @see EnableGlobalMethodSecurity
* @author Rob Winch
* @since 3.2
* @see EnableWebSecurity
* @see EnableGlobalMethodSecurity
*/
@Configuration(proxyBeanMethods = false)
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
@@ -60,11 +60,11 @@ import org.springframework.util.Assert;
* {@link WebSecurityConfigurer} and exposing it as a {@link Configuration}. This
* configuration is imported when using {@link EnableWebSecurity}.
*
* @see EnableWebSecurity
* @see WebSecurity
* @author Rob Winch
* @author Keesun Baik
* @since 3.2
* @see EnableWebSecurity
* @see WebSecurity
*/
@Configuration(proxyBeanMethods = false)
public class WebSecurityConfiguration implements ImportAware, BeanClassLoaderAware {
@@ -87,8 +87,8 @@ import org.springframework.web.accept.HeaderContentNegotiationStrategy;
* org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer = sample.MyClassThatExtendsAbstractHttpConfigurer, sample.OtherThatExtendsAbstractHttpConfigurer
* </pre>
*
* @see EnableWebSecurity
* @author Rob Winch
* @see EnableWebSecurity
*/
@Order(100)
public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigurer<WebSecurity> {
@@ -490,8 +490,8 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
* @return the {@link FeaturePolicyConfig} for additional configuration
* @throws IllegalArgumentException if policyDirectives is {@code null} or empty
* @since 5.1
* @see FeaturePolicyHeaderWriter
* @deprecated Use {@link #permissionsPolicy(Customizer)} instead.
* @seeObjectPostProcessorConfiguration FeaturePolicyHeaderWriter
*/
@Deprecated
public FeaturePolicyConfig featurePolicy(String policyDirectives) {
@@ -49,15 +49,15 @@ import org.springframework.util.Assert;
* <li>{@link ClientRegistrationRepository}</li>
* </ul>
*
* @author Joe Grandja
* @since 5.0
* @see OAuth2AuthorizationRequestRedirectFilter
* @see ClientRegistrationRepository
* @deprecated It is not recommended to use the implicit flow due to the inherent risks of
* returning access tokens in an HTTP redirect without any confirmation that it has been
* received by the client. See reference
* <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0 Implicit
* Grant</a>.
* @author Joe Grandja
* @since 5.0
* @see OAuth2AuthorizationRequestRedirectFilter
* @see ClientRegistrationRepository
*/
@Deprecated
public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>>
@@ -683,10 +683,10 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
/**
* Sets a custom {@link OAuth2User} type and associates it to the provided client
* {@link ClientRegistration#getRegistrationId() registration identifier}.
* @deprecated See {@link CustomUserTypesOAuth2UserService} for alternative usage.
* @param customUserType a custom {@link OAuth2User} type
* @param clientRegistrationId the client registration identifier
* @return the {@link UserInfoEndpointConfig} for further configuration
* @deprecated See {@link CustomUserTypesOAuth2UserService} for alternative usage.
*/
@Deprecated
public UserInfoEndpointConfig customUserType(Class<? extends OAuth2User> customUserType,
@@ -37,9 +37,9 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor;
* {@link AuthenticationPrincipalArgumentResolver} as a
* {@link HandlerMethodArgumentResolver}.
*
* @deprecated This is applied internally using SpringWebMvcImportSelector
* @author Rob Winch
* @since 3.2
* @deprecated This is applied internally using SpringWebMvcImportSelector
*/
@Deprecated
@Configuration(proxyBeanMethods = false)
@@ -79,8 +79,8 @@ import org.springframework.web.socket.sockjs.transport.TransportHandlingSockJsSe
* }
* </pre>
*
* @since 4.0
* @author Rob Winch
* @since 4.0
*/
@Order(Ordered.HIGHEST_PRECEDENCE + 100)
@Import(ObjectPostProcessorConfiguration.class)
@@ -40,9 +40,9 @@ import org.springframework.security.core.GrantedAuthority;
* <i>Note: This class will save full class name into a property called @class</i>
*
* @author Jitendra Singh
* @since 4.2
* @see CoreJackson2Module
* @see SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
@@ -36,8 +36,8 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
* called @class</i> <i>The cause and stackTrace are ignored in the serialization.</i>
*
* @author Yannick Lombardi
* @see CoreJackson2Module
* @since 5.0
* @see CoreJackson2Module
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonIgnoreProperties(ignoreUnknown = true, value = { "cause", "stackTrace" })
@@ -44,8 +44,8 @@ import org.springframework.security.core.userdetails.User;
* of all security modules.</b>
*
* @author Jitendra Singh.
* @see SecurityJackson2Modules
* @since 4.2
* @see SecurityJackson2Modules
*/
@SuppressWarnings("serial")
public class CoreJackson2Module extends SimpleModule {
@@ -47,9 +47,9 @@ import org.springframework.security.core.GrantedAuthority;
* called @class</i>
*
* @author Jitendra Singh
* @since 4.2
* @see CoreJackson2Module
* @see SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
@@ -32,9 +32,9 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see CoreJackson2Module
* @see SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE,
@@ -32,10 +32,10 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
* </pre>
*
* @author Rob Winch
* @since 5.0.2
* @see UnmodifiableListDeserializer
* @see CoreJackson2Module
* @see SecurityJackson2Modules
* @since 5.0.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonDeserialize(using = UnmodifiableListDeserializer.class)
@@ -32,10 +32,10 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see UnmodifiableSetDeserializer
* @see CoreJackson2Module
* @see SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonDeserialize(using = UnmodifiableSetDeserializer.class)
@@ -37,10 +37,10 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see UserDeserializer
* @see CoreJackson2Module
* @see SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonDeserialize(using = UserDeserializer.class)
@@ -39,9 +39,9 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see CoreJackson2Module
* @see SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
+8 -8
View File
@@ -8,14 +8,14 @@ javaPlatform {
dependencies {
api platform("org.springframework:spring-framework-bom:$springFrameworkVersion")
api platform("io.projectreactor:reactor-bom:2020.0.12")
api platform("io.projectreactor:reactor-bom:2020.0.14")
api platform("io.rsocket:rsocket-bom:1.1.1")
api platform("org.springframework.data:spring-data-bom:2021.0.6")
api platform("org.springframework.data:spring-data-bom:2021.0.7")
api platform("org.jetbrains.kotlin:kotlin-bom:$kotlinVersion")
api platform("org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.5.2")
api platform("com.fasterxml.jackson:jackson-bom:2.12.5")
api platform("com.fasterxml.jackson:jackson-bom:2.12.6")
constraints {
api "ch.qos.logback:logback-classic:1.2.6"
api "ch.qos.logback:logback-classic:1.2.9"
api "com.google.inject:guice:3.0"
api "com.nimbusds:nimbus-jose-jwt:9.10.1"
api "com.nimbusds:oauth2-oidc-sdk:9.9.1"
@@ -52,9 +52,9 @@ dependencies {
api "org.eclipse.jetty:jetty-server:9.4.44.v20210927"
api "org.eclipse.jetty:jetty-servlet:9.4.44.v20210927"
api "org.eclipse.persistence:javax.persistence:2.2.1"
api "org.hibernate:hibernate-entitymanager:5.4.32.Final"
api "org.hsqldb:hsqldb:2.6.0"
api "org.jasig.cas.client:cas-client-core:3.6.2"
api "org.hibernate:hibernate-entitymanager:5.4.33"
api "org.hsqldb:hsqldb:2.6.1"
api "org.jasig.cas.client:cas-client-core:3.6.4"
api "org.mockito:mockito-core:3.9.0"
api "org.openid4java:openid4java-nodeps:0.9.6"
api "org.opensaml:opensaml-core:$openSamlVersion"
@@ -74,7 +74,7 @@ dependencies {
api "org.slf4j:jcl-over-slf4j:1.7.32"
api "org.slf4j:log4j-over-slf4j:1.7.32"
api "org.slf4j:slf4j-api:1.7.32"
api "org.springframework.ldap:spring-ldap-core:2.3.4.RELEASE"
api "org.springframework.ldap:spring-ldap-core:2.3.5.RELEASE"
api "org.synchronoss.cloud:nio-multipart-parser:1.1.0"
}
}
@@ -463,7 +463,7 @@ You should instead migrate to using `DelegatingPasswordEncoder` to support secur
[source,java,role="primary"]
----
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
public static PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
----
@@ -2641,7 +2641,7 @@ Next, we can construct a `JWTProcessor`:
JWTProcessor jwtProcessor(JWTClaimSetJWSKeySelector keySelector) {
ConfigurableJWTProcessor<SecurityContext> jwtProcessor =
new DefaultJWTProcessor();
jwtProcessor.setJWTClaimSetJWSKeySelector(keySelector);
jwtProcessor.setJWTClaimsSetAwareJWSKeySelector(keySelector);
return jwtProcessor;
}
----
@@ -2734,9 +2734,9 @@ Now that we have a tenant-aware processor and a tenant-aware validator, we can p
----
@Bean
JwtDecoder jwtDecoder(JWTProcessor jwtProcessor, OAuth2TokenValidator<Jwt> jwtValidator) {
NimbusJwtDecoder decoder = new NimbusJwtDecoder(processor);
NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);
OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>
(JwtValidators.createDefault(), this.jwtValidator);
(JwtValidators.createDefault(), jwtValidator);
decoder.setJwtValidator(validator);
return decoder;
}
@@ -739,7 +739,7 @@ But, if you do need something from the request, then you can use create a custom
----
@Component
public class AuthnRequestConverter implements
Converter<MySaml2AuthenticationRequestContext, AuthnRequest> {
Converter<Saml2AuthenticationRequestContext, AuthnRequest> {
private final AuthnRequestBuilder authnRequestBuilder;
private final IssuerBuilder issuerBuilder;
+4 -4
View File
@@ -1,10 +1,10 @@
aspectjVersion=1.9.7
springJavaformatVersion=0.0.28
springJavaformatVersion=0.0.29
springBootVersion=2.4.2
springFrameworkVersion=5.3.11
springFrameworkVersion=5.3.14
openSamlVersion=3.4.6
version=5.5.3
kotlinVersion=1.5.31
version=5.5.4
kotlinVersion=1.5.32
samplesBranch=5.5.x
org.gradle.jvmargs=-Xmx3g -XX:MaxPermSize=2048m -XX:+HeapDumpOnOutOfMemoryError
org.gradle.parallel=true
@@ -29,9 +29,9 @@ import org.springframework.util.Assert;
/**
* Simple expression configuration attribute for use in {@link Message} authorizations.
*
* @since 4.0
* @author Rob Winch
* @author Daniel Bustamante Ospina
* @since 4.0
*/
@SuppressWarnings("serial")
class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationContextPostProcessor<Message<?>> {
@@ -58,7 +58,6 @@ import org.springframework.util.CollectionUtils;
*
* @author Joe Grandja
* @since 5.0
* @deprecated Use {@link DefaultAuthorizationCodeTokenResponseClient}
* @see OAuth2AccessTokenResponseClient
* @see OAuth2AuthorizationCodeGrantRequest
* @see OAuth2AccessTokenResponse
@@ -71,6 +70,7 @@ import org.springframework.util.CollectionUtils;
* @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-4.1.4">Section 4.1.4 Access Token Response
* (Authorization Code Grant)</a>
* @deprecated Use {@link DefaultAuthorizationCodeTokenResponseClient}
*/
@Deprecated
public class NimbusAuthorizationCodeTokenResponseClient
@@ -112,8 +112,8 @@ public final class ClientRegistration implements Serializable {
/**
* Returns the uri (or uri template) for the redirection endpoint.
* @deprecated Use {@link #getRedirectUri()} instead
* @return the uri (or uri template) for the redirection endpoint
* @deprecated Use {@link #getRedirectUri()} instead
*/
@Deprecated
public String getRedirectUriTemplate() {
@@ -445,10 +445,10 @@ public final class ClientRegistration implements Serializable {
/**
* Sets the uri (or uri template) for the redirection endpoint.
* @deprecated Use {@link #redirectUri(String)} instead
* @param redirectUriTemplate the uri (or uri template) for the redirection
* endpoint
* @return the {@link Builder}
* @deprecated Use {@link #redirectUri(String)} instead
*/
@Deprecated
public Builder redirectUriTemplate(String redirectUriTemplate) {
@@ -42,18 +42,18 @@ import org.springframework.web.client.RestTemplate;
* {@link OAuth2User} type(s) keyed by {@code String}, which represents the
* {@link ClientRegistration#getRegistrationId() Registration Id} of the Client.
*
* @deprecated It is recommended to use a delegation-based strategy of an
* {@link OAuth2UserService} to support custom {@link OAuth2User} types, as it provides
* much greater flexibility compared to this implementation. See the
* <a target="_blank" href=
* "https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-advanced-map-authorities-oauth2userservice">reference
* manual</a> for details on how to implement.
* @author Joe Grandja
* @since 5.0
* @see OAuth2UserService
* @see OAuth2UserRequest
* @see OAuth2User
* @see ClientRegistration
* @deprecated It is recommended to use a delegation-based strategy of an
* {@link OAuth2UserService} to support custom {@link OAuth2User} types, as it provides
* much greater flexibility compared to this implementation. See the
* <a target="_blank" href=
* "https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2login-advanced-map-authorities-oauth2userservice">reference
* manual</a> for details on how to implement.
*/
@Deprecated
public class CustomUserTypesOAuth2UserService implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {
@@ -27,13 +27,13 @@ import org.springframework.security.oauth2.core.user.OAuth2User;
* {@link OAuth2UserRequest#getClientRegistration() Client} and returning an
* {@link AuthenticatedPrincipal} in the form of an {@link OAuth2User}.
*
* @param <R> The type of OAuth 2.0 User Request
* @param <U> The type of OAuth 2.0 User
* @author Joe Grandja
* @since 5.0
* @see OAuth2UserRequest
* @see OAuth2User
* @see AuthenticatedPrincipal
* @param <R> The type of OAuth 2.0 User Request
* @param <U> The type of OAuth 2.0 User
*/
@FunctionalInterface
public interface OAuth2UserService<R extends OAuth2UserRequest, U extends OAuth2User> {
@@ -29,13 +29,13 @@ import org.springframework.security.oauth2.core.user.OAuth2User;
* {@link OAuth2UserRequest#getClientRegistration() Client} and returning an
* {@link AuthenticatedPrincipal} in the form of an {@link OAuth2User}.
*
* @param <R> The type of OAuth 2.0 User Request
* @param <U> The type of OAuth 2.0 User
* @author Rob Winch
* @since 5.1
* @see OAuth2UserRequest
* @see OAuth2User
* @see AuthenticatedPrincipal
* @param <R> The type of OAuth 2.0 User Request
* @param <U> The type of OAuth 2.0 User
*/
@FunctionalInterface
public interface ReactiveOAuth2UserService<R extends OAuth2UserRequest, U extends OAuth2User> {
@@ -59,12 +59,12 @@ public interface AuthorizationRequestRepository<T extends OAuth2AuthorizationReq
/**
* Removes and returns the {@link OAuth2AuthorizationRequest} associated to the
* provided {@code HttpServletRequest} or if not available returns {@code null}.
* @deprecated Use
* {@link #removeAuthorizationRequest(HttpServletRequest, HttpServletResponse)}
* instead
* @param request the {@code HttpServletRequest}
* @return the removed {@link OAuth2AuthorizationRequest} or {@code null} if not
* available
* @deprecated Use
* {@link #removeAuthorizationRequest(HttpServletRequest, HttpServletResponse)}
* instead
*/
@Deprecated
T removeAuthorizationRequest(HttpServletRequest request);
@@ -156,6 +156,9 @@ public final class OAuth2AuthorizedClientArgumentResolver implements HandlerMeth
/**
* Sets the client used when requesting an access token credential at the Token
* Endpoint for the {@code client_credentials} grant.
* @param clientCredentialsTokenResponseClient the client used when requesting an
* access token credential at the Token Endpoint for the {@code client_credentials}
* grant
* @deprecated Use
* {@link #OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager)}
* instead. Create an instance of
@@ -165,9 +168,6 @@ public final class OAuth2AuthorizedClientArgumentResolver implements HandlerMeth
* to
* {@link DefaultOAuth2AuthorizedClientManager#setAuthorizedClientProvider(OAuth2AuthorizedClientProvider)
* DefaultOAuth2AuthorizedClientManager}.
* @param clientCredentialsTokenResponseClient the client used when requesting an
* access token credential at the Token Endpoint for the {@code client_credentials}
* grant
*/
@Deprecated
public void setClientCredentialsTokenResponseClient(
@@ -355,6 +355,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
/**
* Sets the {@link ReactiveOAuth2AccessTokenResponseClient} used for getting an
* {@link OAuth2AuthorizedClient} for the client_credentials grant.
* @param clientCredentialsTokenResponseClient the client to use
* @deprecated Use
* {@link #ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager)}
* instead. Create an instance of
@@ -364,7 +365,6 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
* supply it to
* {@link DefaultReactiveOAuth2AuthorizedClientManager#setAuthorizedClientProvider(ReactiveOAuth2AuthorizedClientProvider)
* DefaultReactiveOAuth2AuthorizedClientManager}.
* @param clientCredentialsTokenResponseClient the client to use
*/
@Deprecated
public void setClientCredentialsTokenResponseClient(
@@ -407,13 +407,13 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
/**
* An access token will be considered expired by comparing its expiration to now +
* this skewed Duration. The default is 1 minute.
* @param accessTokenExpiresSkew the Duration to use.
* @deprecated The {@code accessTokenExpiresSkew} should be configured with the
* specific {@link ReactiveOAuth2AuthorizedClientProvider} implementation, e.g.
* {@link ClientCredentialsReactiveOAuth2AuthorizedClientProvider#setClockSkew(Duration)
* ClientCredentialsReactiveOAuth2AuthorizedClientProvider} or
* {@link RefreshTokenReactiveOAuth2AuthorizedClientProvider#setClockSkew(Duration)
* RefreshTokenReactiveOAuth2AuthorizedClientProvider}.
* @param accessTokenExpiresSkew the Duration to use.
*/
@Deprecated
public void setAccessTokenExpiresSkew(Duration accessTokenExpiresSkew) {
@@ -239,6 +239,7 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
/**
* Sets the {@link OAuth2AccessTokenResponseClient} used for getting an
* {@link OAuth2AuthorizedClient} for the client_credentials grant.
* @param clientCredentialsTokenResponseClient the client to use
* @deprecated Use
* {@link #ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)}
* instead. Create an instance of
@@ -248,7 +249,6 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
* to
* {@link DefaultOAuth2AuthorizedClientManager#setAuthorizedClientProvider(OAuth2AuthorizedClientProvider)
* DefaultOAuth2AuthorizedClientManager}.
* @param clientCredentialsTokenResponseClient the client to use
*/
@Deprecated
public void setClientCredentialsTokenResponseClient(
@@ -397,13 +397,13 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
/**
* An access token will be considered expired by comparing its expiration to now +
* this skewed Duration. The default is 1 minute.
* @param accessTokenExpiresSkew the Duration to use.
* @deprecated The {@code accessTokenExpiresSkew} should be configured with the
* specific {@link OAuth2AuthorizedClientProvider} implementation, e.g.
* {@link ClientCredentialsOAuth2AuthorizedClientProvider#setClockSkew(Duration)
* ClientCredentialsOAuth2AuthorizedClientProvider} or
* {@link RefreshTokenOAuth2AuthorizedClientProvider#setClockSkew(Duration)
* RefreshTokenOAuth2AuthorizedClientProvider}.
* @param accessTokenExpiresSkew the Duration to use.
*/
@Deprecated
public void setAccessTokenExpiresSkew(Duration accessTokenExpiresSkew) {
@@ -35,10 +35,10 @@ import org.springframework.web.server.ServerWebExchange;
* {@link ServerWebExchange} is null and that the {@link Authentication} is either null or
* anonymous to prevent using it incorrectly.
*
* @deprecated Use {@link AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager}
* instead
* @author Rob Winch
* @since 5.1
* @deprecated Use {@link AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager}
* instead
*/
@Deprecated
public class UnAuthenticatedServerOAuth2AuthorizedClientRepository implements ServerOAuth2AuthorizedClientRepository {
@@ -42,11 +42,10 @@ public interface ClaimAccessor {
/**
* Returns the claim value as a {@code T} type. The claim value is expected to be of
* type {@code T}.
*
* @since 5.2
* @param claim the name of the claim
* @param <T> the type of the claim value
* @return the claim value
* @since 5.2
*/
@SuppressWarnings("unchecked")
default <T> T getClaim(String claim) {
@@ -34,6 +34,7 @@ import org.springframework.util.StringUtils;
* @author Joe Grandja
* @author Nikita Konev
* @since 5.3
* @deprecated Use {@link DefaultMapOAuth2AccessTokenResponseConverter} instead
*/
public final class MapOAuth2AccessTokenResponseConverter
implements Converter<Map<String, String>, OAuth2AccessTokenResponse> {
@@ -32,6 +32,7 @@ import org.springframework.util.StringUtils;
* @author Joe Grandja
* @author Nikita Konev
* @since 5.3
* @deprecated Use {@link DefaultOAuth2AccessTokenResponseMapConverter} instead
*/
public final class OAuth2AccessTokenResponseMapConverter
implements Converter<OAuth2AccessTokenResponse, Map<String, String>> {
@@ -110,6 +110,7 @@ public class OAuth2AccessTokenResponseHttpMessageConverter
* parameters to an {@link OAuth2AccessTokenResponse}.
* @param tokenResponseConverter the {@link Converter} used for converting to an
* {@link OAuth2AccessTokenResponse}
* @deprecated Use {@link #setAccessTokenResponseConverter(Converter)} instead
*/
public final void setTokenResponseConverter(
Converter<Map<String, String>, OAuth2AccessTokenResponse> tokenResponseConverter) {
@@ -123,6 +124,8 @@ public class OAuth2AccessTokenResponseHttpMessageConverter
* Access Token Response parameters.
* @param tokenResponseParametersConverter the {@link Converter} used for converting
* to a {@code Map} representation of the Access Token Response parameters
* @deprecated Use {@link #setAccessTokenResponseParametersConverter(Converter)}
* instead
*/
public final void setTokenResponseParametersConverter(
Converter<OAuth2AccessTokenResponse, Map<String, String>> tokenResponseParametersConverter) {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -54,7 +54,7 @@ public final class JwtClaimValidator<T> implements OAuth2TokenValidator<Jwt> {
Assert.notNull(test, "test can not be null");
this.claim = claim;
this.test = test;
this.error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST, "The " + this.claim + " claim is not valid",
this.error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN, "The " + this.claim + " claim is not valid",
"https://tools.ietf.org/html/rfc6750#section-3.1");
}
@@ -20,11 +20,11 @@ package org.springframework.security.oauth2.jwt;
* A factory for {@link JwtDecoder}(s). This factory should be supplied with a type that
* provides contextual information used to create a specific {@code JwtDecoder}.
*
* @param <C> The type that provides contextual information used to create a specific
* {@code JwtDecoder}.
* @author Joe Grandja
* @since 5.2
* @see JwtDecoder
* @param <C> The type that provides contextual information used to create a specific
* {@code JwtDecoder}.
*/
@FunctionalInterface
public interface JwtDecoderFactory<C> {
@@ -35,7 +35,6 @@ import org.springframework.web.client.RestOperations;
* <p>
* <b>NOTE:</b> This implementation uses the Nimbus JOSE + JWT SDK internally.
*
* @deprecated Use {@link NimbusJwtDecoder} or {@link JwtDecoders} instead
* @author Joe Grandja
* @author Josh Cummings
* @since 5.0
@@ -49,6 +48,7 @@ import org.springframework.web.client.RestOperations;
* (JWK)</a>
* @see <a target="_blank" href="https://connect2id.com/products/nimbus-jose-jwt">Nimbus
* JOSE + JWT SDK</a>
* @deprecated Use {@link NimbusJwtDecoder} or {@link JwtDecoders} instead
*/
@Deprecated
public final class NimbusJwtDecoderJwkSupport implements JwtDecoder {
@@ -21,11 +21,11 @@ package org.springframework.security.oauth2.jwt;
* type that provides contextual information used to create a specific
* {@code ReactiveJwtDecoder}.
*
* @param <C> The type that provides contextual information used to create a specific
* {@code ReactiveJwtDecoder}.
* @author Joe Grandja
* @since 5.2
* @see ReactiveJwtDecoder
* @param <C> The type that provides contextual information used to create a specific
* {@code ReactiveJwtDecoder}.
*/
@FunctionalInterface
public interface ReactiveJwtDecoderFactory<C> {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,10 +16,14 @@
package org.springframework.security.oauth2.jwt;
import java.util.Collection;
import java.util.Objects;
import java.util.function.Predicate;
import org.junit.Test;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import static org.assertj.core.api.Assertions.assertThat;
@@ -45,7 +49,9 @@ public class JwtClaimValidatorTests {
@Test
public void validateWhenClaimFailsTheTestThenReturnsFailure() {
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.ISS, "http://abc").build();
Collection<OAuth2Error> details = this.validator.validate(jwt).getErrors();
assertThat(this.validator.validate(jwt).getErrors().isEmpty()).isFalse();
assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
}
@Test
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ import java.time.ZoneId;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.junit.Test;
@@ -64,6 +65,7 @@ public class JwtTimestampValidatorTests {
.collect(Collectors.toList());
// @formatter:on
assertThat(messages).contains("Jwt expired at " + oneHourAgo);
assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
}
@Test
@@ -78,6 +80,7 @@ public class JwtTimestampValidatorTests {
.collect(Collectors.toList());
// @formatter:on
assertThat(messages).contains("Jwt used before " + oneHourFromNow);
assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
}
@Test
@@ -16,6 +16,7 @@
package org.springframework.security.oauth2.server.resource.authentication;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
@@ -186,7 +187,7 @@ public final class JwtIssuerReactiveAuthenticationManagerResolver
return this.authenticationManagers.computeIfAbsent(issuer,
(k) -> Mono.<ReactiveAuthenticationManager>fromCallable(() -> new JwtReactiveAuthenticationManager(ReactiveJwtDecoders.fromIssuerLocation(k)))
.subscribeOn(Schedulers.boundedElastic())
.cache()
.cache((manager) -> Duration.ofMillis(Long.MAX_VALUE), (ex) -> Duration.ZERO, () -> Duration.ZERO)
);
// @formatter:on
}
@@ -33,6 +33,7 @@ import org.springframework.security.oauth2.core.ClaimAccessor;
* @see OAuth2IntrospectionAuthenticatedPrincipal
* @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc7662#section-2.2">Introspection Response</a>
* @deprecated Use {@link OAuth2TokenIntrospectionClaimAccessor} instead
*/
public interface OAuth2IntrospectionClaimAccessor extends ClaimAccessor {
@@ -23,6 +23,7 @@ package org.springframework.security.oauth2.server.resource.introspection;
*
* @author Josh Cummings
* @since 5.2
* @deprecated Use {@link OAuth2TokenIntrospectionClaimNames} instead
*/
public interface OAuth2IntrospectionClaimNames {
@@ -96,6 +96,44 @@ public class JwtIssuerAuthenticationManagerResolverTests {
}
}
@Test
public void resolveWhednUsingTrustedIssuerThenReturnsAuthenticationManager() throws Exception {
try (MockWebServer server = new MockWebServer()) {
server.start();
String issuer = server.url("").toString();
// @formatter:off
server.enqueue(new MockResponse().setResponseCode(500)
.setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer))
);
server.enqueue(new MockResponse().setResponseCode(200)
.setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer))
);
server.enqueue(new MockResponse().setResponseCode(200)
.setHeader("Content-Type", "application/json")
.setBody(JWK_SET)
);
server.enqueue(new MockResponse().setResponseCode(200)
.setHeader("Content-Type", "application/json")
.setBody(JWK_SET)
);
// @formatter:on
JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256),
new Payload(new JSONObject(Collections.singletonMap(JwtClaimNames.ISS, issuer))));
jws.sign(new RSASSASigner(TestKeys.DEFAULT_PRIVATE_KEY));
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerAuthenticationManagerResolver(
issuer);
Authentication token = withBearerToken(jws.serialize());
AuthenticationManager authenticationManager = authenticationManagerResolver.resolve(null);
assertThat(authenticationManager).isNotNull();
assertThatExceptionOfType(IllegalArgumentException.class)
.isThrownBy(() -> authenticationManager.authenticate(token));
Authentication authentication = authenticationManager.authenticate(token);
assertThat(authentication.isAuthenticated()).isTrue();
}
}
@Test
public void resolveWhenUsingSameIssuerThenReturnsSameAuthenticationManager() throws Exception {
try (MockWebServer server = new MockWebServer()) {
@@ -95,6 +95,36 @@ public class JwtIssuerReactiveAuthenticationManagerResolverTests {
}
}
// gh-10444
@Test
public void resolveWhednUsingTrustedIssuerThenReturnsAuthenticationManager() throws Exception {
try (MockWebServer server = new MockWebServer()) {
String issuer = server.url("").toString();
// @formatter:off
server.enqueue(new MockResponse().setResponseCode(500).setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer)));
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(String.format(DEFAULT_RESPONSE_TEMPLATE, issuer, issuer)));
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(JWK_SET));
server.enqueue(new MockResponse().setResponseCode(200).setHeader("Content-Type", "application/json")
.setBody(JWK_SET));
// @formatter:on
JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256),
new Payload(new JSONObject(Collections.singletonMap(JwtClaimNames.ISS, issuer))));
jws.sign(new RSASSASigner(TestKeys.DEFAULT_PRIVATE_KEY));
JwtIssuerReactiveAuthenticationManagerResolver authenticationManagerResolver = new JwtIssuerReactiveAuthenticationManagerResolver(
issuer);
ReactiveAuthenticationManager authenticationManager = authenticationManagerResolver.resolve(null).block();
assertThat(authenticationManager).isNotNull();
Authentication token = withBearerToken(jws.serialize());
assertThatExceptionOfType(IllegalArgumentException.class)
.isThrownBy(() -> authenticationManager.authenticate(token).block());
Authentication authentication = authenticationManager.authenticate(token).block();
assertThat(authentication.isAuthenticated()).isTrue();
}
}
@Test
public void resolveWhenUsingSameIssuerThenReturnsSameAuthenticationManager() throws Exception {
try (MockWebServer server = new MockWebServer()) {
@@ -43,12 +43,12 @@ import org.openid4java.message.ax.FetchResponse;
import org.springframework.util.StringUtils;
/**
* @author Ray Krueger
* @author Luke Taylor
* @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
* <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to
* migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is
* supported by <code>spring-security-oauth2</code>.
* @author Ray Krueger
* @author Luke Taylor
*/
@Deprecated
@SuppressWarnings("unchecked")
@@ -126,6 +126,10 @@ final class OpenSamlSigningUtils {
return credentials;
}
private OpenSamlSigningUtils() {
}
static class QueryParametersPartial {
final RelyingPartyRegistration registration;
@@ -166,8 +170,4 @@ final class OpenSamlSigningUtils {
}
private OpenSamlSigningUtils() {
}
}
@@ -85,6 +85,10 @@ final class OpenSamlVerificationUtils {
DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
}
private OpenSamlVerificationUtils() {
}
static class VerifierPartial {
private final String id;
@@ -210,8 +214,4 @@ final class OpenSamlVerificationUtils {
}
private OpenSamlVerificationUtils() {
}
}
@@ -1,5 +1,5 @@
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
@@ -78,10 +79,19 @@ public class FilterInvocation {
}
public FilterInvocation(String contextPath, String servletPath, String method) {
this(contextPath, servletPath, null, null, method);
this(contextPath, servletPath, method, null);
}
public FilterInvocation(String contextPath, String servletPath, String method, ServletContext servletContext) {
this(contextPath, servletPath, null, null, method, servletContext);
}
public FilterInvocation(String contextPath, String servletPath, String pathInfo, String query, String method) {
this(contextPath, servletPath, pathInfo, query, method, null);
}
public FilterInvocation(String contextPath, String servletPath, String pathInfo, String query, String method,
ServletContext servletContext) {
DummyRequest request = new DummyRequest();
contextPath = (contextPath != null) ? contextPath : "/cp";
request.setContextPath(contextPath);
@@ -90,6 +100,7 @@ public class FilterInvocation {
request.setPathInfo(pathInfo);
request.setQueryString(query);
request.setMethod(method);
request.setServletContext(servletContext);
this.request = request;
}
@@ -160,6 +171,8 @@ public class FilterInvocation {
private String method;
private ServletContext servletContext;
private final HttpHeaders headers = new HttpHeaders();
private final Map<String, String[]> parameters = new LinkedHashMap<>();
@@ -290,6 +303,15 @@ public class FilterInvocation {
this.parameters.put(name, values);
}
@Override
public ServletContext getServletContext() {
return this.servletContext;
}
void setServletContext(ServletContext servletContext) {
this.servletContext = servletContext;
}
}
static final class UnsupportedOperationExceptionInvocationHandler implements InvocationHandler {
@@ -1,5 +1,5 @@
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,6 +18,8 @@ package org.springframework.security.web.access;
import java.util.Collection;
import javax.servlet.ServletContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -28,6 +30,7 @@ import org.springframework.security.access.intercept.AbstractSecurityInterceptor
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.Assert;
import org.springframework.web.context.ServletContextAware;
/**
* Allows users to determine whether they have privileges for a given web URI.
@@ -36,12 +39,14 @@ import org.springframework.util.Assert;
* @author Luke Taylor
* @since 3.0
*/
public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {
public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator, ServletContextAware {
protected static final Log logger = LogFactory.getLog(DefaultWebInvocationPrivilegeEvaluator.class);
private final AbstractSecurityInterceptor securityInterceptor;
private ServletContext servletContext;
public DefaultWebInvocationPrivilegeEvaluator(AbstractSecurityInterceptor securityInterceptor) {
Assert.notNull(securityInterceptor, "SecurityInterceptor cannot be null");
Assert.isTrue(FilterInvocation.class.equals(securityInterceptor.getSecureObjectClass()),
@@ -82,7 +87,7 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
@Override
public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
Assert.notNull(uri, "uri parameter is required");
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
Collection<ConfigAttribute> attributes = this.securityInterceptor.obtainSecurityMetadataSource()
.getAttributes(filterInvocation);
if (attributes == null) {
@@ -101,4 +106,9 @@ public class DefaultWebInvocationPrivilegeEvaluator implements WebInvocationPriv
}
}
@Override
public void setServletContext(ServletContext servletContext) {
this.servletContext = servletContext;
}
}
@@ -78,11 +78,11 @@ import org.springframework.web.method.support.ModelAndViewContainer;
* }
* </pre>
*
* @author Rob Winch
* @since 3.2
* @deprecated Use
* {@link org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver}
* instead.
* @author Rob Winch
* @since 3.2
*/
@Deprecated
public final class AuthenticationPrincipalArgumentResolver implements HandlerMethodArgumentResolver {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2013 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -26,7 +26,7 @@ package org.springframework.security.web.csrf;
public class MissingCsrfTokenException extends CsrfException {
public MissingCsrfTokenException(String actualToken) {
super("Could not verify the provided CSRF token because your session was not found.");
super("Could not verify the provided CSRF token because no token was found to compare.");
}
}
@@ -29,9 +29,9 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see WebServletJackson2Module
* @see org.springframework.security.jackson2.SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonDeserialize(using = CookieDeserializer.class)
@@ -31,9 +31,9 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see WebJackson2Module
* @see org.springframework.security.jackson2.SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
@JsonIgnoreProperties(ignoreUnknown = true)
@@ -34,9 +34,9 @@ import org.springframework.security.web.savedrequest.DefaultSavedRequest;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see WebServletJackson2Module
* @see org.springframework.security.jackson2.SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonDeserialize(builder = DefaultSavedRequest.Builder.class)
@@ -42,9 +42,9 @@ import org.springframework.security.jackson2.SimpleGrantedAuthorityMixin;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see Webackson2Module
* @see SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
@@ -33,9 +33,9 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
* </pre>
*
* @author Jitendra Singh.
* @since 4.2
* @see WebServletJackson2Module
* @see org.springframework.security.jackson2.SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE)
@@ -32,9 +32,9 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
* </pre>
*
* @author Jitendra Singh
* @since 4.2
* @see WebServletJackson2Module
* @see org.springframework.security.jackson2.SecurityJackson2Modules
* @since 4.2
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonIgnoreProperties(ignoreUnknown = true)
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,7 +17,6 @@
package org.springframework.security.web.server.header;
import java.util.Arrays;
import java.util.Collections;
import reactor.core.publisher.Mono;
@@ -41,8 +40,16 @@ public class StaticServerHttpHeadersWriter implements ServerHttpHeadersWriter {
@Override
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
HttpHeaders headers = exchange.getResponse().getHeaders();
boolean containsOneHeaderToAdd = Collections.disjoint(headers.keySet(), this.headersToAdd.keySet());
if (containsOneHeaderToAdd) {
// Note: We need to ensure that the following algorithm compares headers
// case insensitively, which should be true of headers.containsKey().
boolean containsNoHeadersToAdd = true;
for (String headerName : this.headersToAdd.keySet()) {
if (headers.containsKey(headerName)) {
containsNoHeadersToAdd = false;
break;
}
}
if (containsNoHeadersToAdd) {
this.headersToAdd.forEach(headers::put);
}
return Mono.empty();
@@ -32,8 +32,8 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
* </pre>
*
* @author Boris Finkelshteyn
* @see WebServerJackson2Module
* @since 5.1
* @see WebServerJackson2Module
*/
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
@JsonIgnoreProperties(ignoreUnknown = true)
@@ -1,5 +1,5 @@
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.web.FilterInvocation.DummyRequest;
import org.springframework.security.web.util.UrlUtils;
@@ -131,4 +132,14 @@ public class FilterInvocationTests {
UrlUtils.buildRequestUrl(request);
}
@Test
public void constructorWhenServletContextProvidedThenSetServletContextInRequest() {
String contextPath = "";
String servletPath = "/path";
String method = "";
MockServletContext mockServletContext = new MockServletContext();
FilterInvocation filterInvocation = new FilterInvocation(contextPath, servletPath, method, mockServletContext);
assertThat(filterInvocation.getRequest().getServletContext()).isSameAs(mockServletContext);
}
}
@@ -18,8 +18,10 @@ package org.springframework.security.web.access;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentCaptor;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.intercept.RunAsManager;
@@ -27,6 +29,7 @@ import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
@@ -34,9 +37,11 @@ import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyList;
import static org.mockito.ArgumentMatchers.anyObject;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
import static org.mockito.BDDMockito.willThrow;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
/**
* Tests
@@ -106,4 +111,17 @@ public class DefaultWebInvocationPrivilegeEvaluatorTests {
assertThat(wipe.isAllowed("/foo/index.jsp", token)).isFalse();
}
@Test
public void isAllowedWhenServletContextIsSetThenPassedFilterInvocationHasServletContext() {
Authentication token = new TestingAuthenticationToken("test", "Password", "MOCK_INDEX");
MockServletContext servletContext = new MockServletContext();
ArgumentCaptor<FilterInvocation> filterInvocationArgumentCaptor = ArgumentCaptor
.forClass(FilterInvocation.class);
DefaultWebInvocationPrivilegeEvaluator wipe = new DefaultWebInvocationPrivilegeEvaluator(this.interceptor);
wipe.setServletContext(servletContext);
wipe.isAllowed("/foo/index.jsp", token);
verify(this.adm).decide(eq(token), filterInvocationArgumentCaptor.capture(), any());
assertThat(filterInvocationArgumentCaptor.getValue().getRequest().getServletContext()).isNotNull();
}
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2017 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,11 +16,14 @@
package org.springframework.security.web.server.header;
import java.util.Locale;
import org.junit.Test;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.server.ServerWebExchange;
import static org.assertj.core.api.Assertions.assertThat;
@@ -56,6 +59,24 @@ public class StaticServerHttpHeadersWriterTests {
.containsOnly(headerValue);
}
// gh-10557
@Test
public void writeHeadersWhenHeaderWrittenWithDifferentCaseThenDoesNotWriteHeaders() {
String headerName = HttpHeaders.CACHE_CONTROL.toLowerCase(Locale.ROOT);
String headerValue = "max-age=120";
this.headers.set(headerName, headerValue);
// Note: This test inverts which collection uses case sensitive headers,
// due to the fact that gh-10557 reports NettyHeadersAdapter as the
// response headers implementation, which is not accessible here.
HttpHeaders caseSensitiveHeaders = new HttpHeaders(new LinkedMultiValueMap<>());
caseSensitiveHeaders.set(HttpHeaders.CACHE_CONTROL, CacheControlServerHttpHeadersWriter.CACHE_CONTRTOL_VALUE);
caseSensitiveHeaders.set(HttpHeaders.PRAGMA, CacheControlServerHttpHeadersWriter.PRAGMA_VALUE);
caseSensitiveHeaders.set(HttpHeaders.EXPIRES, CacheControlServerHttpHeadersWriter.EXPIRES_VALUE);
this.writer = new StaticServerHttpHeadersWriter(caseSensitiveHeaders);
this.writer.writeHttpHeaders(this.exchange);
assertThat(this.headers.get(headerName)).containsOnly(headerValue);
}
@Test
public void writeHeadersWhenMultiHeaderThenWritesAllHeaders() {
this.writer = StaticServerHttpHeadersWriter.builder()