1
0
mirror of synced 2026-07-09 04:40:13 +00:00

Compare commits

...

177 Commits

Author SHA1 Message Date
Michał Sobkiewicz c963f4250e Update Angular documentation links in csrf.adoc
Replaced `angular.io` links with their corresponding `angular.dev` URLs.
This change ensures that users referencing CSRF documentation are
directed to the most current Angular resources.

Signed-off-by: Michał Sobkiewicz <perceptron8@users.noreply.github.com>
2025-07-31 10:21:06 -06:00
dependabot[bot] 97597389cc Bump org.gretty:gretty from 4.1.6 to 4.1.7
Bumps [org.gretty:gretty](https://github.com/gretty-gradle-plugin/gretty) from 4.1.6 to 4.1.7.
- [Release notes](https://github.com/gretty-gradle-plugin/gretty/releases)
- [Changelog](https://github.com/gretty-gradle-plugin/gretty/blob/master/changes.md)
- [Commits](https://github.com/gretty-gradle-plugin/gretty/compare/v4.1.6...v4.1.7)

---
updated-dependencies:
- dependency-name: org.gretty:gretty
  dependency-version: 4.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-31 09:29:13 -06:00
dependabot[bot] 6dba7b5051 Bump io.spring.gradle:spring-security-release-plugin
Bumps [io.spring.gradle:spring-security-release-plugin](https://github.com/spring-io/spring-security-release-tools) from 1.0.6 to 1.0.10.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/v1.0.6...v1.0.10)

---
updated-dependencies:
- dependency-name: io.spring.gradle:spring-security-release-plugin
  dependency-version: 1.0.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-31 09:28:43 -06:00
dependabot[bot] de14fb8f77 Bump @springio/antora-extensions from 1.14.6 to 1.14.7 in /docs
Bumps [@springio/antora-extensions](https://github.com/spring-io/antora-extensions) from 1.14.6 to 1.14.7.
- [Changelog](https://github.com/spring-io/antora-extensions/blob/main/CHANGELOG.adoc)
- [Commits](https://github.com/spring-io/antora-extensions/compare/v1.14.6...v1.14.7)

---
updated-dependencies:
- dependency-name: "@springio/antora-extensions"
  dependency-version: 1.14.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-30 11:50:19 -06:00
dependabot[bot] 0ba2b3e0eb Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
Bumps org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-30 11:47:23 -06:00
Bernie Schelberg edcb3b024e Update Shibboleth repository URL
Signed-off-by: Bernie Schelberg <bernard.schelberg@invicara.com>
2025-07-29 09:26:42 -06:00
Rob Winch 82fa658c9b Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-21 07:52:56 -05:00
dependabot[bot] c27f7206d9 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
Bumps org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:23:35 +00:00
Rob Winch cb515e5c57 Merge branch 'npm_and_yarn/docs/6.3.x/springio/antora-extensions-1.14.6' into 6.3.x 2025-07-18 09:14:23 -05:00
Rob Winch 59365e9ac5 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-18 09:05:22 -05:00
dependabot[bot] 854703cb47 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:15:01 +00:00
Rob Winch 3395e061f0 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-17 12:58:50 -05:00
dependabot[bot] e2f96480a4 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-16 04:00:56 +00:00
dependabot[bot] 759736672d Bump @springio/antora-extensions from 1.14.4 to 1.14.6 in /docs
Bumps [@springio/antora-extensions](https://github.com/spring-io/antora-extensions) from 1.14.4 to 1.14.6.
- [Changelog](https://github.com/spring-io/antora-extensions/blob/main/CHANGELOG.adoc)
- [Commits](https://github.com/spring-io/antora-extensions/compare/v1.14.4...v1.14.6)

---
updated-dependencies:
- dependency-name: "@springio/antora-extensions"
  dependency-version: 1.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-14 01:05:46 +00:00
Josh Cummings 4f5b17334e Pick Up csrfChannelInterceptor in XML
Closes gh-17493
2025-07-07 12:53:27 -06:00
dependabot[bot] 192bafe9a5 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:38:21 -06:00
dependabot[bot] b144c37cad Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:17:18 -06:00
dependabot[bot] 22992afbe8 Bump org-apache-maven-resolver from 1.9.23 to 1.9.24
Bumps `org-apache-maven-resolver` from 1.9.23 to 1.9.24.

Updates `org.apache.maven.resolver:maven-resolver-connector-basic` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-impl` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-transport-http` from 1.9.23 to 1.9.24

---
updated-dependencies:
- dependency-name: org.apache.maven.resolver:maven-resolver-connector-basic
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-impl
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-transport-http
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:17:06 -06:00
dependabot[bot] 39b53ee0be Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:16:33 -06:00
dependabot[bot] 23fa7c3047 Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:16:20 -06:00
Rob Winch 3306e7dfba Bump org-apache-maven-resolver from 1.9.23 to 1.9.24 2025-07-02 10:42:47 -05:00
Rob Winch 41782d225c Bump io-spring-javaformat from 0.0.46 to 0.0.47 2025-07-02 10:42:45 -05:00
Rob Winch debaaf1b1e Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-07-02 10:42:43 -05:00
Rob Winch e6fc3af8ee Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-07-02 10:42:39 -05:00
Rob Winch 7cf632b96d Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-07-02 10:42:34 -05:00
dependabot[bot] 96972eb599 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-02 03:39:23 +00:00
dependabot[bot] 7c80af6a56 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-02 03:39:15 +00:00
dependabot[bot] ba6e5b1c6d Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-02 03:39:09 +00:00
dependabot[bot] fb4a3cf7b5 Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-02 03:38:56 +00:00
dependabot[bot] 5b456f1542 Bump org-apache-maven-resolver from 1.9.23 to 1.9.24
Bumps `org-apache-maven-resolver` from 1.9.23 to 1.9.24.

Updates `org.apache.maven.resolver:maven-resolver-connector-basic` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-impl` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-transport-http` from 1.9.23 to 1.9.24

---
updated-dependencies:
- dependency-name: org.apache.maven.resolver:maven-resolver-connector-basic
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-impl
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-transport-http
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-02 03:38:48 +00:00
Rob Winch cba7abc304 Bump io-spring-javaformat from 0.0.46 to 0.0.47 2025-07-01 16:31:57 -05:00
Rob Winch 3edace26a7 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-07-01 16:31:55 -05:00
Rob Winch 28bcb58d95 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-07-01 16:31:52 -05:00
Rob Winch fc00770e97 Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-07-01 16:31:50 -05:00
dependabot[bot] 33351102c7 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-01 07:29:51 +00:00
dependabot[bot] e8566fb722 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-01 07:06:52 +00:00
dependabot[bot] 700b4a17f8 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-01 07:03:44 +00:00
dependabot[bot] 1b472ddeb1 Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-01 06:57:36 +00:00
Rob Winch 7ed91e2143 Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-06-30 13:52:59 -05:00
Rob Winch fb116c469a Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-06-30 13:52:57 -05:00
Rob Winch 55298fbb58 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-30 13:52:55 -05:00
Rob Winch 7408599278 Bump io-spring-javaformat from 0.0.46 to 0.0.47 2025-06-30 13:52:50 -05:00
dependabot[bot] 325e36b3e2 Bump io-spring-javaformat from 0.0.46 to 0.0.47
---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-30 03:54:56 +00:00
dependabot[bot] c7a54d456f Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-30 03:51:29 +00:00
dependabot[bot] 3c3ee78538 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-30 03:51:10 +00:00
dependabot[bot] f2a88f99a6 Bump org.springframework.data:spring-data-bom
---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-30 03:51:02 +00:00
Rob Winch fe8e0f0ccd Bump io-spring-javaformat from 0.0.46 to 0.0.47 2025-06-27 08:58:27 -05:00
Rob Winch 84f5e6bd75 Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-06-27 08:58:25 -05:00
Rob Winch 6f80951acf Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-06-27 08:58:23 -05:00
Rob Winch d5e887a584 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-27 08:58:18 -05:00
dependabot[bot] 784583c216 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-26 03:37:00 +00:00
dependabot[bot] c2bea7ef9a Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-26 03:36:50 +00:00
dependabot[bot] d06f73cde9 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-26 03:36:36 +00:00
dependabot[bot] bfecd2583d Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-26 03:36:19 +00:00
Rob Winch ce94683d82 Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-06-25 10:04:53 -05:00
Rob Winch c22cdd2242 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-06-25 10:04:51 -05:00
Rob Winch 8b97e5455f Bump io-spring-javaformat from 0.0.46 to 0.0.47 2025-06-25 10:04:48 -05:00
Rob Winch c3896b29c8 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-25 10:04:45 -05:00
dependabot[bot] 7844b4db5c Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-24 04:40:37 +00:00
dependabot[bot] bca18d78af Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-24 04:07:24 +00:00
dependabot[bot] 5a861d69fd Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-24 03:57:19 +00:00
dependabot[bot] ed8dafc035 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-24 03:51:31 +00:00
Rob Winch 74a3cb4d88 Merge branch '6.2.x' into 6.3.x 2025-06-23 10:24:31 -05:00
Rob Winch 502616645e Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-23 10:20:27 -05:00
Rob Winch 76f162a6b9 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-06-23 10:20:25 -05:00
Rob Winch b04a475380 Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-06-23 10:20:22 -05:00
Rob Winch 95f03a4d97 Bump io-spring-javaformat from 0.0.46 to 0.0.47 2025-06-23 10:20:17 -05:00
dependabot[bot] 78d894a4ad Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-23 04:11:38 +00:00
dependabot[bot] 275893f1d1 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-18 03:54:59 +00:00
dependabot[bot] 7300be3161 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-18 03:54:49 +00:00
dependabot[bot] 22614d4521 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-18 03:54:17 +00:00
Rob Winch 987760c8b8 Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-06-17 08:42:32 -05:00
Rob Winch b6f9e99763 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-17 08:42:30 -05:00
Rob Winch d9577f5bb3 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-06-17 08:42:27 -05:00
dependabot[bot] 9f1ba97bb0 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-17 03:43:53 +00:00
dependabot[bot] f0c34eb39d Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-17 03:40:53 +00:00
dependabot[bot] d871f7f295 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-17 03:33:42 +00:00
github-actions[bot] 449c7a8419 Next development version 2025-06-16 15:34:45 +00:00
github-actions[bot] ae1537b409 Release 6.3.10 2025-06-16 15:08:20 +00:00
Rob Winch 49cddee343 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-06-16 08:55:32 -05:00
Rob Winch 1c56c0c0c8 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-16 08:55:30 -05:00
Rob Winch d79cf75dfb Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-06-16 08:55:28 -05:00
dependabot[bot] e34c5e73e1 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 04:01:56 +00:00
dependabot[bot] 46254e01fb Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 03:36:23 +00:00
dependabot[bot] effe682fc4 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 03:35:50 +00:00
dependabot[bot] 7f36155b47 Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.18 to 2023.0.19.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.18...2023.0.19)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2023.0.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-11 03:59:26 +00:00
Rob Winch 888d87619d Explicit Permissions for codeql.yml 2025-06-10 10:48:37 -05:00
Rob Winch e8028e15c0 Merge branch 'gradle/6.3.x/org.apache.maven-maven-resolver-provider-3.9.10' into 6.3.x 2025-06-09 17:08:30 -05:00
Rob Winch 482eb0e2cd Bump io-spring-javaformat from 0.0.45 to 0.0.46 2025-06-09 16:22:15 -05:00
Andrey Litvitski b0f8aa5ea0 Fix to allow multiple AuthenticationFilter instances to process each request
Closes gh-17173

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2025-06-06 06:37:03 -04:00
dependabot[bot] f75ac6c837 Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10
Bumps org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-06 03:37:31 +00:00
dependabot[bot] 5e56fc13be Bump io-spring-javaformat from 0.0.45 to 0.0.46
Bumps `io-spring-javaformat` from 0.0.45 to 0.0.46.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.45 to 0.0.46
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.45...v0.0.46)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.45 to 0.0.46
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.45...v0.0.46)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-03 03:29:44 +00:00
Joaquin Santana c0568ea9b0 Log Request Mismatch Only When Mismatches
Signed-off-by: Joaquin Santana <joaquinjsb@outlook.com>
2025-05-23 11:34:48 -06:00
Andrey Litvitski 4048b2bd7d Use HttpStatus in BackChannel Logout Filters
Closes gh-17125

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2025-05-21 16:45:46 -06:00
dependabot[bot] 86acba9d22 Bump io-spring-javaformat from 0.0.43 to 0.0.45
Bumps `io-spring-javaformat` from 0.0.43 to 0.0.45.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-21 14:50:17 -06:00
Gurunathan a4cd6f4278 Advise Overriding equals() and hashCode() in UserDetails Implementations
This commit adds a documentation note explaining the importance of
overriding equals() and hashCode() in custom UserDetails implementations.

The default SessionRegistryImpl in Spring Security uses an in-memory
ConcurrentMap<Object, Set<String>>, Map<String,SessionInformation> to
associate principals with sessions. If a custom UserDetails class does
not properly override equals() and hashCode(), user sessions may not
be tracked or matched correctly.

I believe this helps developers avoid subtle session management issues
when implementing custom authentication logic.

Signed-off-by: Gurunathan <129361658+Gurunathan16@users.noreply.github.com>
2025-05-21 12:41:44 -06:00
Rob Winch 5da31ab8a8 Use spring-io/codeql-actions 2025-05-20 15:52:36 -05:00
Mark Putsiata cae3467a8d Improve AbstractPreAuthenticatedProcessingFilter docs
Clarify misleading SecurityContextRepository setter documentation.
Note that AbstractPreAuthenticatedProcessingFilter saves the
SecurityContext upon successful authentication, and this behavior
can be customized via the setSecurityContextRepository setter.

Closes gh-14137

Signed-off-by: Mark Putsiata <m.putsiata@gmail.com>
2025-05-19 09:45:53 -06:00
dependabot[bot] a17b2a18d9 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.11 to 2024.0.12.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.11...2024.0.12)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-19 03:30:36 +00:00
dependabot[bot] 0cbc38cdd6 Bump org.springframework:spring-framework-bom from 6.1.19 to 6.1.20
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.19 to 6.1.20.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.19...v6.1.20)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-16 03:22:19 +00:00
Josh Cummings eb30fd7f59 Add Missing Header
Issue gh-11161
2025-05-15 18:16:36 -06:00
snowykte0426 260d298cc5 Add Migration Guide from Spring Security SAML Extension
This adds a dedicated migration guide for users moving from the Spring Security SAML Extension to the built-in SAML 2.0 support.

Includes:
- Content migrated from the project wiki
- xref links for `saml2Login`, `saml2Logout`, and `saml2Metadata`
- Metadata example moved to Examples Matrix
- Cleanup and naming per review feedback

Closes gh-11161

Signed-off-by: snowykte0426 <snowykte0426@naver.com>
2025-05-15 17:17:43 -06:00
dependabot[bot] 78a60d0d84 Bump io.projectreactor:reactor-bom from 2023.0.17 to 2023.0.18
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.17 to 2023.0.18.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.17...2023.0.18)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2023.0.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-14 03:23:25 +00:00
dependabot[bot] a001f27690 Bump org-apache-maven-resolver from 1.9.22 to 1.9.23
Bumps `org-apache-maven-resolver` from 1.9.22 to 1.9.23.

Updates `org.apache.maven.resolver:maven-resolver-connector-basic` from 1.9.22 to 1.9.23
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.22...maven-resolver-1.9.23)

Updates `org.apache.maven.resolver:maven-resolver-impl` from 1.9.22 to 1.9.23
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.22...maven-resolver-1.9.23)

Updates `org.apache.maven.resolver:maven-resolver-transport-http` from 1.9.22 to 1.9.23

---
updated-dependencies:
- dependency-name: org.apache.maven.resolver:maven-resolver-connector-basic
  dependency-version: 1.9.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-impl
  dependency-version: 1.9.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-transport-http
  dependency-version: 1.9.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-13 12:15:42 -06:00
Danilo Piazzalunga 27319e3f9b Add missing registration property in YAML listing
Signed-off-by: Danilo Piazzalunga <danilopiazza@gmail.com>
2025-05-13 11:17:35 -06:00
Danilo Piazzalunga ec462e8bc5 Update assertingparty property usage in YAML snippets
Spring Boot 2.7 renamed spring.security.saml2.relyingparty.registration.*.identityprovider.*
to spring.security.saml2.relyingparty.registration.*.assertingparty.*.

Closes gh-12810.

Signed-off-by: Danilo Piazzalunga <danilopiazza@gmail.com>
2025-05-13 11:17:35 -06:00
dependabot[bot] a4111a606b Bump io.spring.gradle:spring-security-release-plugin from 1.0.5 to 1.0.6
Bumps [io.spring.gradle:spring-security-release-plugin](https://github.com/spring-io/spring-security-release-tools) from 1.0.5 to 1.0.6.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/v1.0.5...v1.0.6)

---
updated-dependencies:
- dependency-name: io.spring.gradle:spring-security-release-plugin
  dependency-version: 1.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-06 10:15:11 -06:00
Tran Ngoc Nhan 505fe3abed Correct method name
Closes gh-17031

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2025-05-06 10:17:29 -05:00
Rob Winch 9710492619 remove update-dependabot action 2025-05-05 13:34:16 -05:00
Rob Winch 9436796973 Use pull-request: write for gradlew updates
Explicitly provide the permissions required for updating the Gradle
wrapper
2025-05-05 11:49:08 -05:00
Josh Cummings 51239359ed Fix ClearSiteData Code Snippet
Closes gh-16948
2025-05-02 15:57:31 -06:00
Rob Winch 1a6915d3c0 rm .github/workflows for unsupported branch 2025-05-02 12:35:31 -05:00
Josh Cummings e48f26e51e Propagate StrictFirewallRequest Wrapper
Closes gh-16978
2025-05-02 10:57:07 -06:00
Rob Winch 3b7e3a6c5c codeql uses ubuntu-latest 2025-05-02 11:49:41 -05:00
Rob Winch a04025c114 rm mark-duplicate-dependabot-prs.yml 2025-05-02 11:26:41 -05:00
Rob Winch 1564076276 Remove automerge forward 2025-05-02 11:23:01 -05:00
Rob Winch ae09f36291 Add .github/workflows/codeql.yml 2025-05-02 11:15:37 -05:00
Soumik Sarker bcef6ed74f Reformatted lines in x509 overview documentation
Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>
2025-05-01 12:02:45 -06:00
github-actions[bot] c8581683da Bump Gradle Wrapper from 8.13 to 8.14.
Release notes of Gradle 8.14 can be found here:
https://docs.gradle.org/8.14/release-notes.html

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-04-29 14:48:42 -06:00
Josh Cummings f631a0fcd5 Polish ClientRegistrationsTests
Simplified the assertion so that it is focused on the core
behavior being verified. This will likely also make the test
more stable when updating Spring Framework versions.

Issue gh-16860
2025-04-29 14:27:04 -06:00
Evgeniy Cheban 0e84f31a00 Add ClientRegistration's RestClient failed attempts information to exception message
Closes gh-16860

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
2025-04-29 13:43:20 -06:00
Yanming Zhou 9c76ab69f0 Use proper configuration key
the getter method is `getOpaquetoken()` not `getOpaqueToken()`

See https://github.com/spring-projects/spring-boot/blob/c6045c3111c43bd7b0f99e6c2858bfb2999e358f/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java#L51

Signed-off-by: Yanming Zhou <zhouyanming@gmail.com>
2025-04-29 13:37:51 -06:00
Josh Cummings 5354e4d2c5 Check for Null Issuer
Closes gh-16989
2025-04-28 11:18:32 -06:00
Rob Winch db48d4ca50 rm merge-dependabot-pr.yml from Unsupported Branch 2025-04-25 13:17:14 -05:00
Rob Winch 8325728035 rm merge-dependabot-pr.yml from Unsupported Branch 2025-04-25 13:16:44 -05:00
Josh Cummings 547d174f3e Fix Formatting 2025-04-24 10:43:03 -06:00
Roman Trapickin d2d1275b39 Fix IllegalArgumentException message for unknown Argon2 types
Array index 0 points to an empty string. Use index 1 instead.

Signed-off-by: Roman Trapickin <8594293+rntrp@users.noreply.github.com>
2025-04-24 10:43:03 -06:00
dependabot[bot] 7bf776ec38 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.10 to 2024.0.11.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.10...2024.0.11)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-22 20:49:38 -07:00
Rob Winch e47a6714a5 Update to io.spring.gradle:spring-security-release-plugin:1.0.5
Closes gh-6.3.10
2025-04-21 13:44:10 -05:00
github-actions[bot] b9cae82b89 Next development version 2025-04-21 16:26:30 +00:00
github-actions[bot] f6354250a1 Release 6.3.9 2025-04-21 15:58:56 +00:00
dependabot[bot] a5d963387b Bump org.springframework:spring-framework-bom from 6.1.18 to 6.1.19
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.18 to 6.1.19.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.18...v6.1.19)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-17 20:49:18 -07:00
dependabot[bot] 99c4f58c34 Bump org.springframework.ldap:spring-ldap-core from 3.2.11 to 3.2.12
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.11 to 3.2.12.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.11...3.2.12)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-17 20:36:42 -07:00
Joe Grandja c1aa99fdd2 Enforce BCrypt password length for new passwords only
Closes gh-16802
2025-04-17 04:53:33 -04:00
dependabot[bot] eb01394427 Bump io.projectreactor:reactor-bom from 2023.0.16 to 2023.0.17
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.16 to 2023.0.17.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.16...2023.0.17)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2023.0.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-15 20:50:56 -07:00
dependabot[bot] 0d3d6f75f8 Bump org-aspectj from 1.9.22.1 to 1.9.24
Bumps `org-aspectj` from 1.9.22.1 to 1.9.24.

Updates `org.aspectj:aspectjrt` from 1.9.22.1 to 1.9.24
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

Updates `org.aspectj:aspectjweaver` from 1.9.22.1 to 1.9.24
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

---
updated-dependencies:
- dependency-name: org.aspectj:aspectjrt
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.aspectj:aspectjweaver
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-13 20:22:34 -07:00
dependabot[bot] eb83c35ded Bump io.spring.gradle:spring-security-release-plugin from 1.0.3 to 1.0.4
Bumps [io.spring.gradle:spring-security-release-plugin](https://github.com/spring-io/spring-security-release-tools) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/v1.0.3...v1.0.4)

---
updated-dependencies:
- dependency-name: io.spring.gradle:spring-security-release-plugin
  dependency-version: 1.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-09 20:33:22 -07:00
Steve Riesenberg 3c0fef59b5 Polish gh-16039
Closes gh-16038
2025-04-07 10:54:09 -05:00
Jonah Klöckner da94fbe431 Evaluate URI query parameter only if enabled
Issue gh-16038
2025-04-07 10:54:07 -05:00
DingHao 857ef6fe08 WithHttpOnlyCookie defaults to false
Closes gh-16820

Signed-off-by: DingHao <dh.hiekn@gmail.com>
2025-04-01 11:59:51 -06:00
Steve Riesenberg b7df86197c Apply request-handler-ref to CsrfAuthenticationStrategy
Closes gh-16801
2025-03-28 16:25:52 -05:00
Steve Riesenberg c84c438075 Apply request-handler-ref to CsrfAuthenticationStrategy
Closes gh-16801
2025-03-28 16:08:36 -05:00
DingHao 1e7db094d1 Use correct message prompt
Signed-off-by: DingHao <dh.hiekn@gmail.com>
2025-03-27 16:42:52 -06:00
Josh Cummings 456604ab45 Sort Default Advisors and Added Advisors
This commit ensures that the default advisors and added advisors
are sorted in the event that this component is not being published
as a Spring bean.

Issue gh-16819
2025-03-27 16:18:00 -06:00
Josh Cummings 15b9a50060 Add Test
Issue gh-16819
2025-03-27 16:18:00 -06:00
Tran Ngoc Nhan fcc1bd598d Sort Advisors AfterSingletonsInstantiated
In order to make so that authorization advisors are sorted
only one time and also as part of the configuration lifecycle,
AuthorizationAdvisorProxyFactory now implements
SmartInitializingBean.

Closes gh-16819

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2025-03-27 16:18:00 -06:00
github-actions[bot] af2668f7cb Bump Gradle Wrapper from 8.10.2 to 8.13.
Release notes of Gradle 8.13 can be found here:
https://docs.gradle.org/8.13/release-notes.html

Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-03-25 15:11:10 -06:00
dependabot[bot] 883765b2de Bump @springio/asciidoctor-extensions in /docs
Bumps [@springio/asciidoctor-extensions](https://github.com/spring-io/asciidoctor-extensions) from 1.0.0-alpha.16 to 1.0.0-alpha.17.
- [Changelog](https://github.com/spring-io/asciidoctor-extensions/blob/main/CHANGELOG.adoc)
- [Commits](https://github.com/spring-io/asciidoctor-extensions/compare/v1.0.0-alpha.16...v1.0.0-alpha.17)

---
updated-dependencies:
- dependency-name: "@springio/asciidoctor-extensions"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-23 18:40:37 -07:00
Rob Winch 58e7ba4a4b https docs download 2025-03-21 15:59:39 -05:00
Bragolgirith 72554f7f36 Update authorize-http-requests.adoc
Fix patterns in the Security Matchers documentation

Signed-off-by: Bragolgirith <6455473+Bragolgirith@users.noreply.github.com>
2025-03-21 14:46:53 -06:00
Rob Winch 65e83f8e7a Add link to docs zip
Closes gh-16798
2025-03-21 15:10:52 -05:00
Tran Ngoc Nhan ab6e9d2d1f Clarify WebInvocationPrivilegeEvaluator JavaDoc
Closes gh-16529

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2025-03-20 14:38:10 -05:00
Tran Ngoc Nhan a53ca7c3d0 Update ServerOAuth2AuthorizedClientExchangeFilterFunction javadoc
Closes gh-16555

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2025-03-20 14:38:09 -05:00
Tran Ngoc Nhan af40d7e35a Fix typo
Closes gh-16776

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2025-03-20 14:38:09 -05:00
Tran Ngoc Nhan daf8cfe8d2 Fix Spring Framework reference link
Closes gh-16699

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2025-03-20 14:38:08 -05:00
Tran Ngoc Nhan 75b537f99a Fix WebFlux authentication reference link
Closes gh-16702

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2025-03-20 14:38:07 -05:00
Josh Cummings d1b7f8a119 Update Gradle Wrapper Upgrade
Issue gh-16221
2025-03-20 13:23:49 -06:00
dependabot[bot] 5353d499b4 Bump ch.qos.logback:logback-classic from 1.5.17 to 1.5.18
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.17 to 1.5.18.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.17...v_1.5.18)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-18 20:41:11 -07:00
dependabot[bot] 1d75b907f9 Bump org-eclipse-jetty from 11.0.24 to 11.0.25
Bumps `org-eclipse-jetty` from 11.0.24 to 11.0.25.

Updates `org.eclipse.jetty:jetty-server` from 11.0.24 to 11.0.25

Updates `org.eclipse.jetty:jetty-servlet` from 11.0.24 to 11.0.25

---
updated-dependencies:
- dependency-name: org.eclipse.jetty:jetty-server
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.eclipse.jetty:jetty-servlet
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-17 20:56:08 -07:00
github-actions[bot] 7dbd69fee1 Next development version 2025-03-17 21:31:02 +00:00
github-actions[bot] 147081f771 Release 6.3.8 2025-03-17 20:59:34 +00:00
dependabot[bot] 709d9bc039 Bump org.springframework:spring-framework-bom from 6.1.17 to 6.1.18
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.17 to 6.1.18.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.17...v6.1.18)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-17 13:01:51 -07:00
dependabot[bot] d9bb16e913 Bump io.projectreactor:reactor-bom from 2023.0.15 to 2023.0.16
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.15 to 2023.0.16.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.15...2023.0.16)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-17 12:49:50 -07:00
dependabot[bot] 11114919ec Bump org.springframework.data:spring-data-bom from 2024.0.9 to 2024.0.10
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.9 to 2024.0.10.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.9...2024.0.10)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-17 12:49:20 -07:00
Rob Winch adb303e152 Add testRuntimeOnly junit-platform-launcher
Closes gh-16755
2025-03-17 14:16:44 -05:00
Joe Grandja 46f0dc6dfc Enforce BCrypt password length 2025-03-17 13:23:27 -04:00
Josh Cummings 36ea1b11a7 Fix Compilation Error
Issue gh-16697
2025-03-17 09:43:21 -06:00
Josh Cummings e793a962c5 Remove s101 From Builds
Issue gh-16752
2025-03-17 09:42:49 -06:00
Josh Cummings 46cd94b5f4 SpEL Propagates Authorization Exceptions
Closes gh-16697
2025-03-04 09:51:55 -07:00
dependabot[bot] acd2de4553 Bump io.mockk:mockk from 1.13.16 to 1.13.17
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.13.16 to 1.13.17.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/commits)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-27 19:37:43 -08:00
dependabot[bot] 31f593cca2 Bump org.jfrog.buildinfo:build-info-extractor-gradle
Bumps [org.jfrog.buildinfo:build-info-extractor-gradle](https://github.com/jfrog/build-info) from 4.33.23 to 4.33.24.
- [Release notes](https://github.com/jfrog/build-info/releases)
- [Changelog](https://github.com/jfrog/build-info/blob/master/RELEASE.md)
- [Commits](https://github.com/jfrog/build-info/compare/build-info-gradle-extractor-4.33.23...build-info-gradle-extractor-4.33.24)

---
updated-dependencies:
- dependency-name: org.jfrog.buildinfo:build-info-extractor-gradle
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-26 19:34:57 -08:00
dependabot[bot] 64bdcecdcd Bump org.slf4j:slf4j-api from 2.0.16 to 2.0.17
Bumps org.slf4j:slf4j-api from 2.0.16 to 2.0.17.

---
updated-dependencies:
- dependency-name: org.slf4j:slf4j-api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-25 19:57:42 -08:00
dependabot[bot] bc0fd60e1a Bump ch.qos.logback:logback-classic from 1.5.16 to 1.5.17
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.16 to 1.5.17.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.16...v_1.5.17)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-25 19:55:25 -08:00
Tran Ngoc Nhan a0cfb2777c Fix typo
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2025-02-24 12:49:18 -07:00
dependabot[bot] e8206b42d2 Bump @springio/antora-extensions from 1.14.2 to 1.14.4 in /docs
Bumps [@springio/antora-extensions](https://github.com/spring-io/antora-extensions) from 1.14.2 to 1.14.4.
- [Changelog](https://github.com/spring-io/antora-extensions/blob/main/CHANGELOG.adoc)
- [Commits](https://github.com/spring-io/antora-extensions/compare/v1.14.2...v1.14.4)

---
updated-dependencies:
- dependency-name: "@springio/antora-extensions"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-23 17:49:04 -08:00
github-actions[bot] 0737957f94 Next development version 2025-02-18 17:17:05 +00:00
github-actions[bot] 77892d571f Release 6.3.7 2025-02-18 16:52:08 +00:00
99 changed files with 743 additions and 491 deletions
-41
View File
@@ -1,41 +0,0 @@
version: 2
registries:
spring-milestones:
type: maven-repository
url: https://repo.spring.io/milestone
updates:
- package-ecosystem: "gradle"
target-branch: "main"
directory: "/"
schedule:
interval: "daily"
time: "03:00"
timezone: "Etc/UTC"
labels: [ "type: dependency-upgrade" ]
registries:
- "spring-milestones"
ignore:
- dependency-name: "com.nimbusds:nimbus-jose-jwt" # nimbus-jose-jwt gets updated when oauth2-oidc-sdk is updated to ensure consistency
- dependency-name: "org.python:jython" # jython updates break integration tests
- dependency-name: "org.apache.directory.server:*" # ApacheDS version > 1.5.5 contains break changes
- dependency-name: "org.junit:junit-bom"
update-types: [ "version-update:semver-major" ]
- dependency-name: "org.mockito:mockito-bom"
update-types: [ "version-update:semver-major" ]
- dependency-name: "*"
update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
# GitHub Actions
- package-ecosystem: github-actions
target-branch: "main"
directory: "/"
schedule:
interval: weekly
ignore:
- dependency-name: "sjohnr/*"
- dependency-name: "spring-io/*"
- dependency-name: "spring-security-release-tools/*"
+17
View File
@@ -0,0 +1,17 @@
name: "CodeQL Advanced"
on:
push:
pull_request:
workflow_dispatch:
schedule:
# https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#schedule
- cron: '0 5 * * *'
permissions: read-all
jobs:
codeql-analysis-call:
permissions:
actions: read
contents: read
security-events: write
uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@1
@@ -64,39 +64,23 @@ jobs:
./gradlew publishMavenJavaPublicationToLocalRepository
./gradlew cloneRepository -PrepositoryName="spring-projects/spring-security-samples" -Pref="$samples_branch" -PcloneOutputDirectory="$SAMPLES_DIR"
./gradlew --project-dir "$SAMPLES_DIR" --init-script spring-security-ci.gradle -PlocalRepositoryPath="$LOCAL_REPOSITORY_PATH" -PspringSecurityVersion="$version" :runAllTests
check-tangles:
name: Check for Package Tangles
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'spring-projects' }}
steps:
- uses: actions/checkout@v4
- name: Set up gradle
uses: spring-io/spring-gradle-build-action@v2
with:
java-version: 17
distribution: temurin
- name: Check for package tangles
env:
STRUCTURE101_LICENSEID: ${{ secrets.STRUCTURE101_LICENSEID }}
run: |
./gradlew assemble && ./gradlew s101 -Ps101.licenseId="$STRUCTURE101_LICENSEID" --stacktrace
deploy-artifacts:
name: Deploy Artifacts
needs: [ build, test, check-samples, check-tangles ]
needs: [ build, test, check-samples ]
uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
with:
should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
secrets: inherit
deploy-docs:
name: Deploy Docs
needs: [ build, test, check-samples, check-tangles ]
needs: [ build, test, check-samples ]
uses: spring-io/spring-security-release-tools/.github/workflows/deploy-docs.yml@v1
with:
should-deploy-docs: ${{ needs.build.outputs.should-deploy-artifacts }}
secrets: inherit
deploy-schema:
name: Deploy Schema
needs: [ build, test, check-samples, check-tangles ]
needs: [ build, test, check-samples ]
uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
with:
should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
@@ -1,57 +0,0 @@
name: Auto Merge Forward Dependabot Commits
on:
workflow_dispatch:
permissions:
contents: read
concurrency:
group: dependabot-auto-merge-forward
jobs:
get-supported-branches:
uses: spring-io/spring-security-release-tools/.github/workflows/retrieve-spring-supported-versions.yml@actions-v1
with:
project: spring-security
type: oss
repository_name: spring-projects/spring-security
auto-merge-forward-dependabot:
name: Auto Merge Forward Dependabot Commits
runs-on: ubuntu-latest
needs: [get-supported-branches]
permissions:
contents: write
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
- name: Setup GitHub User
id: setup-gh-user
run: |
git config user.name 'github-actions[bot]'
git config user.email 'github-actions[bot]@users.noreply.github.com'
- name: Run Auto Merge Forward
id: run-auto-merge-forward
uses: spring-io/spring-security-release-tools/.github/actions/auto-merge-forward@actions-v1
with:
branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main
from-author: dependabot[bot]
notify_result:
name: Check for failures
needs: [ auto-merge-forward-dependabot ]
if: failure()
runs-on: ubuntu-latest
permissions:
actions: read
steps:
- name: Send Slack message
uses: Gamesight/slack-workflow-status@v1.3.0
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
channel: '#spring-security-ci'
name: 'CI Notifier'
@@ -4,7 +4,8 @@ on:
schedule:
- cron: '0 2 * * *' # 2am UTC
workflow_dispatch:
permissions:
pull-requests: write
jobs:
upgrade_wrapper:
name: Execution
@@ -1,45 +0,0 @@
name: Mark Duplicate Dependabot PRs
on:
pull_request:
types: [closed]
jobs:
check_duplicate_prs:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true && github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Extract Dependency Name from PR Title
id: extract
run: |
PR_TITLE="${{ github.event.pull_request.title }}"
DEPENDENCY_NAME=$(echo "$PR_TITLE" | awk -F ' from ' '{print $1}')
echo "dependency_name=$DEPENDENCY_NAME" >> $GITHUB_OUTPUT
- name: Find PRs
id: find_duplicates
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
PRS=$(gh pr list --search 'milestone:${{ github.event.pull_request.milestone.title }} is:merged in:title "${{ steps.extract.outputs.dependency_name }}"' --json number --jq 'map(.number) | join(",")')
echo "prs=$PRS" >> $GITHUB_OUTPUT
- name: Label Duplicate PRs
if: steps.find_duplicates.outputs.prs != ''
env:
PRS: ${{ steps.find_duplicates.outputs.prs }}
CURRENT_PR_NUMBER: ${{ github.event.pull_request.number }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
shell: bash
run: |
for i in ${PRS//,/ }
do
if [ ! $i -eq "$CURRENT_PR_NUMBER" ]; then
echo "Marking PR $i as duplicate"
gh pr edit "$i" --add-label "status: duplicate"
gh pr comment "$i" --body "Duplicate of #$CURRENT_PR_NUMBER"
fi
done
-63
View File
@@ -1,63 +0,0 @@
name: Merge Dependabot PR
on: pull_request_target
run-name: Merge Dependabot PR ${{ github.ref_name }}
permissions: write-all
jobs:
merge-dependabot-pr:
name: Merge Dependabot PR
runs-on: ubuntu-latest
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'spring-projects/spring-security' }}
steps:
- uses: actions/checkout@v4
with:
show-progress: false
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 17
- name: Set Milestone to Dependabot Pull Request
id: set-milestone
run: |
if test -f pom.xml
then
CURRENT_VERSION=$(mvn help:evaluate -Dexpression="project.version" -q -DforceStdout)
else
CURRENT_VERSION=$(cat gradle.properties | sed -n '/^version=/ { s/^version=//;p }')
fi
export CANDIDATE_VERSION=${CURRENT_VERSION/-SNAPSHOT}
MILESTONE=$(gh api repos/$GITHUB_REPOSITORY/milestones --jq 'map(select(.due_on != null and (.title | startswith(env.CANDIDATE_VERSION)))) | .[0] | .title')
if [ -z $MILESTONE ]
then
gh run cancel ${{ github.run_id }}
echo "::warning title=Cannot merge::No scheduled milestone for $CURRENT_VERSION version"
else
gh pr edit ${{ github.event.pull_request.number }} --milestone $MILESTONE
echo mergeEnabled=true >> $GITHUB_OUTPUT
fi
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Merge Dependabot pull request
if: steps.set-milestone.outputs.mergeEnabled
run: gh pr merge ${{ github.event.pull_request.number }} --auto --rebase
env:
GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
send-notification:
name: Send Notification
needs: [ merge-dependabot-pr ]
if: ${{ failure() || cancelled() }}
runs-on: ubuntu-latest
steps:
- name: Send Notification
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
with:
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
@@ -1,22 +0,0 @@
name: Trigger Dependabot Auto Merge Forward
on:
push:
branches:
- '*.x'
permissions: read-all
jobs:
trigger-worflow:
name: Trigger Workflow
runs-on: ubuntu-latest
if: ${{ github.event.commits[0].author.username == 'dependabot[bot]' && github.repository == 'spring-projects/spring-security' }}
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v4
- id: trigger
env:
GH_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
run: gh workflow run dependabot-auto-merge-forward.yml -r main
-36
View File
@@ -1,36 +0,0 @@
name: Update dependabot.yml
on:
workflow_dispatch:
permissions:
contents: read
jobs:
get-supported-branches:
uses: spring-io/spring-security-release-tools/.github/workflows/retrieve-spring-supported-versions.yml@actions-v1
with:
project: spring-security
type: oss
repository_name: spring-projects/spring-security
main:
runs-on: ubuntu-latest
needs: [get-supported-branches]
if: ${{ (github.repository == 'spring-projects/spring-security') && (github.ref == 'refs/heads/main') }}
permissions:
contents: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 1
- uses: spring-io/spring-security-release-tools/.github/actions/generate-dependabot-yml@actions-v1
name: Update dependabot.yml
with:
gradle-branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main
github-actions-branches: ${{ needs.get-supported-branches.outputs.supported_versions }},main,docs-build
gh-token: ${{ secrets.GITHUB_TOKEN }}
- uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: Update dependabot.yml
+1
View File
@@ -20,4 +20,5 @@ dependencies {
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.hsqldb:hsqldb'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
+2
View File
@@ -27,6 +27,8 @@ dependencies {
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testAspect sourceSets.main.output
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
compileAspectj.ajcOptions.outxmlfile = "META-INF/aop.xml"
+1 -7
View File
@@ -20,7 +20,6 @@ plugins {
apply plugin: 'io.spring.nohttp'
apply plugin: 'locks'
apply plugin: 's101'
apply plugin: 'io.spring.convention.root'
apply plugin: 'org.jetbrains.kotlin.jvm'
apply plugin: 'org.springframework.security.versions.verify-dependencies-versions'
@@ -117,16 +116,11 @@ tasks.register('cloneRepository', IncludeRepoTask) {
outputDirectory = project.hasProperty("cloneOutputDirectory") ? project.file("$cloneOutputDirectory") : defaultDirectory
}
s101 {
repository = 'https://structure101.com/binaries/latest'
configurationDirectory = project.file("etc/s101")
}
wrapperUpgrade {
gradle {
'spring-security' {
repo = 'spring-projects/spring-security'
baseBranch = '6.1.x' // runs only on 6.1.x and the update is merged forward to main
baseBranch = '6.3.x' // runs only on 6.3.x and the update is merged forward to main
}
}
}
+2
View File
@@ -95,6 +95,8 @@ dependencies {
testImplementation 'org.mockito:mockito-core'
testImplementation 'org.mockito:mockito-junit-jupiter'
testImplementation libs.com.squareup.okhttp3.mockwebserver
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -6,5 +6,7 @@ dependencies {
implementation 'org.springframework:spring-core'
testImplementation "org.junit.jupiter:junit-jupiter-api"
testImplementation "org.junit.jupiter:junit-jupiter-engine"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -5,4 +5,6 @@ dependencies {
optional 'ch.qos.logback:logback-classic'
testImplementation "org.junit.jupiter:junit-jupiter-api"
testImplementation "org.junit.jupiter:junit-jupiter-engine"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
+2
View File
@@ -22,4 +22,6 @@ dependencies {
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testImplementation 'org.skyscreamer:jsonassert'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
+1
View File
@@ -115,6 +115,7 @@ dependencies {
testImplementation libs.org.instancio.instancio.junit
testRuntimeOnly 'org.hsqldb:hsqldb'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
def rncToXsd = tasks.named('rncToXsd', RncToXsd)
@@ -183,6 +183,9 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
BeanDefinitionBuilder csrfAuthenticationStrategy = BeanDefinitionBuilder
.rootBeanDefinition(CsrfAuthenticationStrategy.class);
csrfAuthenticationStrategy.addConstructorArgReference(this.csrfRepositoryRef);
if (StringUtils.hasText(this.requestHandlerRef)) {
csrfAuthenticationStrategy.addPropertyReference("requestHandler", this.requestHandlerRef);
}
return csrfAuthenticationStrategy.getBeanDefinition();
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,12 +18,12 @@ package org.springframework.security.config.web.server;
import java.util.Collections;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import reactor.core.publisher.Mono;
import org.springframework.core.ResolvableType;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.codec.EncoderHttpMessageWriter;
import org.springframework.http.codec.HttpMessageWriter;
@@ -48,6 +48,7 @@ import org.springframework.web.server.WebFilterChain;
* A filter for the Client-side OIDC Back-Channel Logout endpoint
*
* @author Josh Cummings
* @author Andrey Litvitski
* @since 6.2
* @see <a target="_blank" href=
* "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
@@ -107,7 +108,7 @@ class OidcBackChannelLogoutWebFilter implements WebFilter {
private Mono<Void> handleAuthenticationFailure(ServerWebExchange exchange, Exception ex) {
this.logger.debug("Failed to process OIDC Back-Channel Logout", ex);
exchange.getResponse().setRawStatusCode(HttpServletResponse.SC_BAD_REQUEST);
exchange.getResponse().setRawStatusCode(HttpStatus.BAD_REQUEST.value());
return this.errorHttpMessageConverter.write(Mono.just(oauth2Error(ex)), ResolvableType.forClass(Object.class),
ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, exchange.getRequest(),
exchange.getResponse(), Collections.emptyMap());
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,13 +22,13 @@ import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import reactor.core.publisher.Mono;
import org.springframework.core.ResolvableType;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.http.codec.EncoderHttpMessageWriter;
@@ -54,6 +54,7 @@ import org.springframework.web.util.UriComponentsBuilder;
* Back-Channel Logout Token and invalidates each one.
*
* @author Josh Cummings
* @author Andrey Litvitski
* @since 6.2
* @see <a target="_blank" href=
* "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
@@ -154,7 +155,7 @@ final class OidcBackChannelServerLogoutHandler implements ServerLogoutHandler {
}
private Mono<Void> handleLogoutFailure(ServerWebExchange exchange, OAuth2Error error) {
exchange.getResponse().setRawStatusCode(HttpServletResponse.SC_BAD_REQUEST);
exchange.getResponse().setRawStatusCode(HttpStatus.BAD_REQUEST.value());
return this.errorHttpMessageConverter.write(Mono.just(error), ResolvableType.forClass(Object.class),
ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, exchange.getRequest(),
exchange.getResponse(), Collections.emptyMap());
@@ -301,6 +301,8 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel";
private static final String CSRF_CHANNEL_INTERCEPTOR_BEAN_ID = "csrfChannelInterceptor";
private static final String INTERCEPTORS_PROP = "interceptors";
private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
@@ -356,7 +358,12 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
ManagedList<Object> interceptors = new ManagedList();
interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
if (!this.sameOriginDisabled) {
interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
if (!registry.containsBeanDefinition(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID)) {
interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
}
else {
interceptors.add(new RuntimeBeanReference(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID));
}
}
interceptors.add(registry.getBeanDefinition(this.inboundSecurityInterceptorId));
BeanDefinition inboundChannel = registry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID);
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -47,6 +47,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Role;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.core.annotation.AnnotationConfigurationException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
@@ -1007,6 +1008,21 @@ public class PrePostMethodSecurityConfigurationTests {
assertThat(service.getIdPath("uid")).isEqualTo("uid");
}
// gh-16819
@Test
void autowireWhenDefaultsThenAdvisorAnnotationsAreSorted() {
this.spring.register(MethodSecurityServiceConfig.class).autowire();
AuthorizationAdvisorProxyFactory proxyFactory = this.spring.getContext()
.getBean(AuthorizationAdvisorProxyFactory.class);
AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
AuthorizationAdvisor previous = null;
for (AuthorizationAdvisor advisor : proxyFactory) {
boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
assertThat(ordered).isTrue();
previous = advisor;
}
}
private static Consumer<ConfigurableWebApplicationContext> disallowBeanOverriding() {
return (context) -> ((AnnotationConfigWebApplicationContext) context).setAllowBeanDefinitionOverriding(false);
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -1560,12 +1560,15 @@ public class OAuth2ResourceServerConfigurerTests {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
DefaultBearerTokenResolver defaultBearerTokenResolver = new DefaultBearerTokenResolver();
defaultBearerTokenResolver.setAllowUriQueryParameter(true);
http
.authorizeRequests()
.requestMatchers("/requires-read-scope").access("hasAuthority('SCOPE_message:read')")
.anyRequest().authenticated()
.and()
.oauth2ResourceServer()
.bearerTokenResolver(defaultBearerTokenResolver)
.jwt()
.jwkSetUri(this.jwkSetUri);
return http.build();
@@ -336,6 +336,43 @@ public class CsrfConfigTests {
// @formatter:on
}
@Test
public void postWhenUsingCsrfAndXorCsrfTokenRequestAttributeHandlerThenCsrfAuthenticationStrategyUses()
throws Exception {
this.spring.configLocations(this.xml("WithXorCsrfTokenRequestAttributeHandler"), this.xml("shared-controllers"))
.autowire();
// @formatter:off
MvcResult mvcResult1 = this.mvc.perform(get("/csrf"))
.andExpect(status().isOk())
.andReturn();
// @formatter:on
MockHttpServletRequest request1 = mvcResult1.getRequest();
MockHttpSession session = (MockHttpSession) request1.getSession();
CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request1);
// @formatter:off
MockHttpServletRequestBuilder login = post("/login")
.param("username", "user")
.param("password", "password")
.session(session)
.with(csrf());
this.mvc.perform(login)
.andExpect(status().is3xxRedirection())
.andExpect(redirectedUrl("/"));
// @formatter:on
assertThat(repository.loadToken(request1)).isNull();
// @formatter:off
MvcResult mvcResult2 = this.mvc.perform(get("/csrf").session(session))
.andExpect(status().isOk())
.andReturn();
// @formatter:on
MockHttpServletRequest request2 = mvcResult2.getRequest();
CsrfToken csrfToken = repository.loadToken(request2);
CsrfToken csrfTokenAttribute = (CsrfToken) request2.getAttribute(CsrfToken.class.getName());
assertThat(csrfTokenAttribute).isNotNull();
assertThat(csrfTokenAttribute.getToken()).isNotBlank();
assertThat(csrfTokenAttribute.getToken()).isNotEqualTo(csrfToken.getToken());
}
@Test
public void postWhenHasCsrfTokenButSessionExpiresThenRequestIsCancelledAfterSuccessfulAuthentication()
throws Exception {
@@ -44,6 +44,7 @@ import org.springframework.messaging.handler.invocation.HandlerMethodArgumentRes
import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.ExecutorSubscribableChannel;
import org.springframework.messaging.support.GenericMessage;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.expression.SecurityExpressionOperations;
@@ -496,6 +497,16 @@ public class WebSocketMessageBrokerConfigTests {
verify(authorizationManager).check(any(), any());
}
@Test
public void configureWhenCsrfChannelInterceptorBeanThenUses() {
this.spring.configLocations(xml("CustomCsrfInterceptor")).autowire();
ExecutorSubscribableChannel channel = this.spring.getContext()
.getBean("clientInboundChannel", ExecutorSubscribableChannel.class);
ChannelInterceptor interceptor = this.spring.getContext()
.getBean("csrfChannelInterceptor", ChannelInterceptor.class);
assertThat(channel.getInterceptors()).contains(interceptor);
}
private String xml(String configName) {
return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
}
@@ -25,10 +25,15 @@
<c:property-placeholder local-override="true"/>
<b:bean id="bearerTokenResolver"
class="org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver">
<b:property name="allowUriQueryParameter" value="true"/>
</b:bean>
<http>
<intercept-url pattern="/**" access="authenticated"/>
<intercept-url pattern="/requires-read-scope" access="hasAuthority('SCOPE_message:read')"/>
<oauth2-resource-server>
<oauth2-resource-server bearer-token-resolver-ref="bearerTokenResolver">
<jwt jwk-set-uri="${jwk-set-uri:https://idp.example.org}"/>
</oauth2-resource-server>
</http>
@@ -0,0 +1,34 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ https://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
<b:import resource="classpath:org/springframework/security/config/websocket/controllers.xml"/>
<b:import resource="classpath:org/springframework/security/config/websocket/websocket.xml"/>
<b:bean id="csrfChannelInterceptor" class="org.mockito.Mockito" factory-method="mock">
<b:constructor-arg value="org.springframework.messaging.support.ChannelInterceptor" type="java.lang.Class"/>
</b:bean>
<websocket-message-broker use-authorization-manager="false">
<intercept-message pattern="/**" access="denyNile()"/>
</websocket-message-broker>
</b:beans>
+1
View File
@@ -33,6 +33,7 @@ dependencies {
testImplementation 'org.springframework:spring-test'
testRuntimeOnly 'org.hsqldb:hsqldb'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
task springVersion(type: org.gradle.api.tasks.WriteProperties) {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -42,6 +42,7 @@ import reactor.core.publisher.Mono;
import org.springframework.aop.Advisor;
import org.springframework.aop.framework.ProxyFactory;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.lang.NonNull;
import org.springframework.security.authorization.AuthorizationProxyFactory;
@@ -75,7 +76,7 @@ import org.springframework.util.ClassUtils;
* @since 6.3
*/
public final class AuthorizationAdvisorProxyFactory
implements AuthorizationProxyFactory, Iterable<AuthorizationAdvisor> {
implements AuthorizationProxyFactory, Iterable<AuthorizationAdvisor>, SmartInitializingSingleton {
private static final boolean isReactivePresent = ClassUtils.isPresent("reactor.core.publisher.Mono", null);
@@ -108,7 +109,9 @@ public final class AuthorizationAdvisorProxyFactory
advisors.add(AuthorizationManagerAfterMethodInterceptor.postAuthorize());
advisors.add(new PreFilterAuthorizationMethodInterceptor());
advisors.add(new PostFilterAuthorizationMethodInterceptor());
return new AuthorizationAdvisorProxyFactory(advisors);
AuthorizationAdvisorProxyFactory factory = new AuthorizationAdvisorProxyFactory(advisors);
AnnotationAwareOrderComparator.sort(factory.advisors);
return factory;
}
/**
@@ -123,7 +126,14 @@ public final class AuthorizationAdvisorProxyFactory
advisors.add(AuthorizationManagerAfterReactiveMethodInterceptor.postAuthorize());
advisors.add(new PreFilterAuthorizationReactiveMethodInterceptor());
advisors.add(new PostFilterAuthorizationReactiveMethodInterceptor());
return new AuthorizationAdvisorProxyFactory(advisors);
AuthorizationAdvisorProxyFactory factory = new AuthorizationAdvisorProxyFactory(advisors);
AnnotationAwareOrderComparator.sort(factory.advisors);
return factory;
}
@Override
public void afterSingletonsInstantiated() {
AnnotationAwareOrderComparator.sort(this.advisors);
}
/**
@@ -146,7 +156,6 @@ public final class AuthorizationAdvisorProxyFactory
*/
@Override
public Object proxy(Object target) {
AnnotationAwareOrderComparator.sort(this.advisors);
if (target == null) {
return null;
}
@@ -155,9 +164,9 @@ public final class AuthorizationAdvisorProxyFactory
return proxied;
}
ProxyFactory factory = new ProxyFactory(target);
for (Advisor advisor : this.advisors) {
factory.addAdvisors(advisor);
}
List<Advisor> advisors = new ArrayList<>(this.advisors);
AnnotationAwareOrderComparator.sort(advisors);
factory.addAdvisors(advisors);
factory.setProxyTargetClass(!Modifier.isFinal(target.getClass().getModifiers()));
return factory.getProxy();
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -48,7 +48,7 @@ public final class AuthorizeReturnObjectMethodInterceptor implements Authorizati
private int order = AuthorizationInterceptorsOrder.SECURE_RESULT.getOrder();
public AuthorizeReturnObjectMethodInterceptor(AuthorizationProxyFactory authorizationProxyFactory) {
Assert.notNull(authorizationProxyFactory, "authorizationManager cannot be null");
Assert.notNull(authorizationProxyFactory, "authorizationProxyFactory cannot be null");
this.authorizationProxyFactory = authorizationProxyFactory;
}
@@ -19,6 +19,7 @@ package org.springframework.security.authorization.method;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.security.authorization.AuthorizationDeniedException;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.ExpressionAuthorizationDecision;
@@ -43,9 +44,24 @@ final class ExpressionUtils {
"SpEL expression must return either a Boolean or an AuthorizationDecision");
}
catch (EvaluationException ex) {
AuthorizationDeniedException denied = findAuthorizationException(ex);
if (denied != null) {
throw denied;
}
throw new IllegalArgumentException("Failed to evaluate expression '" + expr.getExpressionString() + "'",
ex);
}
}
static AuthorizationDeniedException findAuthorizationException(EvaluationException ex) {
Throwable cause = ex.getCause();
while (cause != null) {
if (cause instanceof AuthorizationDeniedException denied) {
return denied;
}
cause = cause.getCause();
}
return null;
}
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@ import org.jetbrains.annotations.NotNull;
import org.junit.jupiter.api.Test;
import org.springframework.aop.Pointcut;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestAuthentication;
@@ -336,6 +337,32 @@ public class AuthorizationAdvisorProxyFactoryTests {
assertThat(factory.proxy(35)).isEqualTo(35);
}
// gh-16819
@Test
void advisorsWhenWithDefaultsThenAreSorted() {
AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
AuthorizationAdvisor previous = null;
for (AuthorizationAdvisor advisor : proxyFactory) {
boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
assertThat(ordered).isTrue();
previous = advisor;
}
}
// gh-16819
@Test
void advisorsWhenWithReactiveDefaultsThenAreSorted() {
AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withReactiveDefaults();
AnnotationAwareOrderComparator comparator = AnnotationAwareOrderComparator.INSTANCE;
AuthorizationAdvisor previous = null;
for (AuthorizationAdvisor advisor : proxyFactory) {
boolean ordered = previous == null || comparator.compare(previous, advisor) < 0;
assertThat(ordered).isTrue();
previous = advisor;
}
}
private Authentication authenticated(String user, String... authorities) {
return TestAuthentication.authenticated(TestAuthentication.withUsername(user).authorities(authorities).build());
}
@@ -22,9 +22,11 @@ import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationDeniedException;
import org.springframework.security.authorization.ExpressionAuthorizationDecision;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
public class ExpressionUtilsTests {
@@ -48,10 +50,23 @@ public class ExpressionUtilsTests {
assertThat(ExpressionUtils.evaluate(expression, context)).isInstanceOf(ExpressionAuthorizationDecision.class);
}
@Test
public void evaluateWhenExpressionThrowsAuthorizationDeniedExceptionThenPropagates() {
SpelExpressionParser parser = new SpelExpressionParser();
Expression expression = parser.parseExpression("#root.throwException()");
StandardEvaluationContext context = new StandardEvaluationContext(this);
assertThatExceptionOfType(AuthorizationDeniedException.class)
.isThrownBy(() -> ExpressionUtils.evaluate(expression, context));
}
public AuthorizationDecision returnDecision() {
return new AuthorizationDecisionDetails(false, this.details);
}
public Object throwException() {
throw new AuthorizationDeniedException("denied", new AuthorizationDecision(false));
}
public boolean returnResult() {
return false;
}
+2
View File
@@ -13,4 +13,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -111,7 +111,7 @@ final class Argon2EncodingUtils {
case "argon2d" -> new Argon2Parameters.Builder(Argon2Parameters.ARGON2_d);
case "argon2i" -> new Argon2Parameters.Builder(Argon2Parameters.ARGON2_i);
case "argon2id" -> new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id);
default -> throw new IllegalArgumentException("Invalid algorithm type: " + parts[0]);
default -> throw new IllegalArgumentException("Invalid algorithm type: " + parts[1]);
};
if (parts[currentPart].startsWith("v=")) {
paramsBuilder.withVersion(Integer.parseInt(parts[currentPart].substring(2)));
@@ -611,6 +611,10 @@ public class BCrypt {
int rounds, off;
StringBuilder rs = new StringBuilder();
// Enforce max length for new passwords only
if (!for_check && passwordb.length > 72) {
throw new IllegalArgumentException("password cannot be more than 72 bytes");
}
if (salt == null) {
throw new IllegalArgumentException("salt cannot be null");
}
@@ -94,8 +94,10 @@ public class Argon2EncodingUtilsTests {
@Test
public void decodeWhenNonexistingAlgorithmThenThrowException() {
assertThatIllegalArgumentException().isThrownBy(() -> Argon2EncodingUtils
.decode("$argon2x$v=19$m=1024,t=3,p=2$Y1JkRmJDdzIzZ3oyTWx4aw$cGE5Cbd/cx7micVhXVBdH5qTr66JI1iUyuNNVAnErXs"));
assertThatIllegalArgumentException()
.isThrownBy(() -> Argon2EncodingUtils.decode(
"$argon2x$v=19$m=1024,t=3,p=2$Y1JkRmJDdzIzZ3oyTWx4aw$cGE5Cbd/cx7micVhXVBdH5qTr66JI1iUyuNNVAnErXs"))
.withMessageContaining("argon2x");
}
@Test
@@ -222,4 +222,35 @@ public class BCryptPasswordEncoderTests {
assertThat(encoder.matches("wrong", "$2a$00$9N8N35BVs5TLqGL3pspAte5OWWA2a2aZIs.EGp7At7txYakFERMue")).isFalse();
}
@Test
public void encodeWhenPasswordOverMaxLengthThenThrowIllegalArgumentException() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String password72chars = "123456789012345678901234567890123456789012345678901234567890123456789012";
encoder.encode(password72chars);
String password73chars = password72chars + "3";
assertThatIllegalArgumentException().isThrownBy(() -> encoder.encode(password73chars));
}
@Test
public void matchesWhenPasswordOverMaxLengthThenAllowToMatch() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String password71chars = "12345678901234567890123456789012345678901234567890123456789012345678901";
String encodedPassword71chars = "$2a$10$jx3x2FaF.iX5QZ9i3O424Os2Ou5P5JrnedmWYHuDyX8JKA4Unp4xq";
assertThat(encoder.matches(password71chars, encodedPassword71chars)).isTrue();
String password72chars = password71chars + "2";
String encodedPassword72chars = "$2a$10$oXYO6/UvbsH5rQEraBkl6uheccBqdB3n.RaWbrimog9hS2GX4lo/O";
assertThat(encoder.matches(password72chars, encodedPassword72chars)).isTrue();
// Max length is 72 bytes, however, we need to ensure backwards compatibility
// for previously encoded passwords that are greater than 72 bytes and allow the
// match to be performed.
String password73chars = password72chars + "3";
String encodedPassword73chars = "$2a$10$1l9.kvQTsqNLiCYFqmKtQOHkp.BrgIrwsnTzWo9jdbQRbuBYQ/AVK";
assertThat(encoder.matches(password73chars, encodedPassword73chars)).isTrue();
}
}
+2
View File
@@ -15,4 +15,6 @@ dependencies {
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
+2 -1
View File
@@ -82,6 +82,7 @@
**** xref:servlet/saml2/login/authentication.adoc[SAML2 Authentication Responses]
*** xref:servlet/saml2/logout.adoc[SAML2 Logout]
*** xref:servlet/saml2/metadata.adoc[SAML2 Metadata]
*** xref:servlet/saml2/saml-extension-migration.adoc[Migrating from Spring Security SAML Extension]
** xref:servlet/exploits/index.adoc[Protection Against Exploits]
*** xref:servlet/exploits/csrf.adoc[]
*** xref:servlet/exploits/headers.adoc[]
@@ -128,7 +129,7 @@
*** xref:servlet/appendix/faq.adoc[FAQ]
* xref:reactive/index.adoc[Reactive Applications]
** xref:reactive/getting-started.adoc[Getting Started]
** Authentication
** xref:reactive/authentication/index.adoc[Authentication]
*** xref:reactive/authentication/x509.adoc[X.509 Authentication]
*** xref:reactive/authentication/logout.adoc[Logout]
*** Session Management
@@ -8,4 +8,4 @@ Once authentication is performed we know the identity and can perform authorizat
Spring Security provides built-in support for authenticating users.
This section is dedicated to generic authentication support that applies in both Servlet and WebFlux environments.
Refer to the sections on authentication for xref:servlet/authentication/index.adoc#servlet-authentication[Servlet] and xref:servlet/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
Refer to the sections on authentication for xref:servlet/authentication/index.adoc[Servlet] and xref:reactive/authentication/index.adoc[WebFlux] for details on what is supported for each stack.
+5
View File
@@ -1,5 +1,10 @@
= Spring Security
[NOTE]
====
Spring Security's documentation can be https://docs.spring.io/spring-security/reference/spring-security-docs.zip[downloaded] as a zip file.
====
Spring Security is a framework that provides xref:features/authentication/index.adoc[authentication], xref:features/authorization/index.adoc[authorization], and xref:features/exploits/index.adoc[protection against common attacks].
With first class support for securing both xref:servlet/index.adoc[imperative] and xref:reactive/index.adoc[reactive] applications, it is the de-facto standard for securing Spring-based applications.
@@ -0,0 +1,3 @@
[[webflux-authentication]]
= Authentication
:page-section-summary-toc: 1
@@ -29,7 +29,7 @@ spring:
security:
oauth2:
resourceserver:
opaque-token:
opaquetoken:
introspection-uri: https://idp.example.com/introspect
client-id: client
client-secret: secret
@@ -616,7 +616,7 @@ spring:
security:
oauth2:
resourceserver:
opaque-token:
opaquetoken:
introspection-uri: https://idp.example.org/introspection
client-id: client
client-secret: secret
@@ -649,7 +649,7 @@ class MyAuthoritiesPopulator : LdapAuthoritiesPopulator {
You would then add a bean of this type to your application context and inject it into the `LdapAuthenticationProvider`. This is covered in the section on configuring LDAP by using explicit Spring beans in the LDAP chapter of the reference manual.
Note that you cannot use the namespace for configuration in this case.
You should also consult the security-api-url[Javadoc] for the relevant classes and interfaces.
You should also consult the {security-api-url}[Javadoc] for the relevant classes and interfaces.
[[appendix-faq-namespace-post-processor]]
@@ -34,7 +34,7 @@ The attributes on the `<http>` element control some of the properties on the cor
Use AuthorizationManager API instead of SecurityMetadataSource (defaults to true)
[[nsa-http-authorization-manager-ref]]
* **access-decision-manager-ref**
* **use-authorization-manager**
Use this AuthorizationManager instead of deriving one from <intercept-url> elements
[[nsa-http-access-decision-manager-ref]]
@@ -259,7 +259,7 @@ Java::
+
[source,java,role="primary"]
----
HeaderWriterLogoutHandler clearSiteData = new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter());
HeaderWriterLogoutHandler clearSiteData = new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(Directives.ALL));
http
.logout((logout) -> logout.addLogoutHandler(clearSiteData))
----
@@ -268,7 +268,7 @@ Kotlin::
+
[source,kotlin,role="secondary"]
----
val clearSiteData = HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter())
val clearSiteData = HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter(Directives.ALL))
http {
logout {
addLogoutHandler(clearSiteData)
@@ -402,7 +402,7 @@ SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
@PostMapping("/my/logout")
public String performLogout(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
// .. perform logout
this.logoutHandler.doLogout(request, response, authentication);
this.logoutHandler.logout(request, response, authentication);
return "redirect:/home";
}
----
@@ -416,7 +416,7 @@ val logoutHandler = SecurityContextLogoutHandler()
@PostMapping("/my/logout")
fun performLogout(val authentication: Authentication, val request: HttpServletRequest, val response: HttpServletResponse): String {
// .. perform logout
this.logoutHandler.doLogout(request, response, authentication)
this.logoutHandler.logout(request, response, authentication)
return "redirect:/home"
}
----
@@ -534,6 +534,13 @@ public class MaximumSessionsPreventLoginTests {
If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
You can try it using the {gh-samples-url}/servlet/spring-boot/java/session-management/maximum-sessions-prevent-login[Maximum Sessions Prevent Login sample].
[NOTE]
=====
If you are using a custom implementation of `UserDetails`, ensure you override the **equals()** and **hashCode()** methods.
The default `SessionRegistry` implementation in Spring Security relies on an in-memory Map that uses these methods to correctly identify and manage user sessions.
Failing to override them may lead to issues where session tracking and user comparison behave unexpectedly.
=====
== Detecting Timeouts
Sessions expire on their own, and there is nothing that needs to be done to ensure that a security context gets removed.
@@ -8,14 +8,12 @@ The browser automatically checks that the certificate presented by a server has
You can also use SSL with "`mutual authentication`". The server then requests a valid certificate from the client as part of the SSL handshake.
The server authenticates the client by checking that its certificate is signed by an acceptable authority.
If a valid certificate has been provided, it can be obtained through the servlet API in an application.
The Spring Security X.509 module extracts the certificate by using a filter.
It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure.
You can also use SSL with "`mutual authentication`". The server then requests a valid certificate from the client as part of the SSL handshake.
The server authenticates the client by checking that its certificate is signed by an acceptable authority.
For example, if you use Tomcat, you should read the https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html[Tomcat SSL instructions].
You should get this working before trying it out with Spring Security.
The Spring Security X.509 module extracts the certificate by using a filter.
It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure.
== Adding X.509 Authentication to Your Web Application
Enabling X.509 client authentication is very straightforward.
@@ -1035,8 +1035,8 @@ public class SecurityConfig {
http
.securityMatcher("/api/**") <1>
.authorizeHttpRequests(authorize -> authorize
.requestMatchers("/user/**").hasRole("USER") <2>
.requestMatchers("/admin/**").hasRole("ADMIN") <3>
.requestMatchers("/api/user/**").hasRole("USER") <2>
.requestMatchers("/api/admin/**").hasRole("ADMIN") <3>
.anyRequest().authenticated() <4>
)
.formLogin(withDefaults());
@@ -1058,8 +1058,8 @@ open class SecurityConfig {
http {
securityMatcher("/api/**") <1>
authorizeHttpRequests {
authorize("/user/**", hasRole("USER")) <2>
authorize("/admin/**", hasRole("ADMIN")) <3>
authorize("/api/user/**", hasRole("USER")) <2>
authorize("/api/admin/**", hasRole("ADMIN")) <3>
authorize(anyRequest, authenticated) <4>
}
}
@@ -1071,8 +1071,8 @@ open class SecurityConfig {
======
<1> Configure `HttpSecurity` to only be applied to URLs that start with `/api/`
<2> Allow access to URLs that start with `/user/` to users with the `USER` role
<3> Allow access to URLs that start with `/admin/` to users with the `ADMIN` role
<2> Allow access to URLs that start with `/api/user/` to users with the `USER` role
<3> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role
<4> Any other request that doesn't match the rules above, will require authentication
The `securityMatcher(s)` and `requestMatcher(s)` methods will decide which `RequestMatcher` implementation fits best for your application: If {spring-framework-reference-url}web.html#spring-web[Spring MVC] is in the classpath, then {security-api-url}org/springframework/security/web/servlet/util/matcher/MvcRequestMatcher.html[`MvcRequestMatcher`] will be used, otherwise, {security-api-url}org/springframework/security/web/servlet/util/matcher/AntPathRequestMatcher.html[`AntPathRequestMatcher`] will be used.
@@ -1098,8 +1098,8 @@ public class SecurityConfig {
http
.securityMatcher(antMatcher("/api/**")) <2>
.authorizeHttpRequests(authorize -> authorize
.requestMatchers(antMatcher("/user/**")).hasRole("USER") <3>
.requestMatchers(regexMatcher("/admin/.*")).hasRole("ADMIN") <4>
.requestMatchers(antMatcher("/api/user/**")).hasRole("USER") <3>
.requestMatchers(regexMatcher("/api/admin/.*")).hasRole("ADMIN") <4>
.requestMatchers(new MyCustomRequestMatcher()).hasRole("SUPERVISOR") <5>
.anyRequest().authenticated()
)
@@ -1133,8 +1133,8 @@ open class SecurityConfig {
http {
securityMatcher(antMatcher("/api/**")) <2>
authorizeHttpRequests {
authorize(antMatcher("/user/**"), hasRole("USER")) <3>
authorize(regexMatcher("/admin/**"), hasRole("ADMIN")) <4>
authorize(antMatcher("/api/user/**"), hasRole("USER")) <3>
authorize(regexMatcher("/api/admin/**"), hasRole("ADMIN")) <4>
authorize(MyCustomRequestMatcher(), hasRole("SUPERVISOR")) <5>
authorize(anyRequest, authenticated)
}
@@ -1148,8 +1148,8 @@ open class SecurityConfig {
<1> Import the static factory methods from `AntPathRequestMatcher` and `RegexRequestMatcher` to create `RequestMatcher` instances.
<2> Configure `HttpSecurity` to only be applied to URLs that start with `/api/`, using `AntPathRequestMatcher`
<3> Allow access to URLs that start with `/user/` to users with the `USER` role, using `AntPathRequestMatcher`
<4> Allow access to URLs that start with `/admin/` to users with the `ADMIN` role, using `RegexRequestMatcher`
<3> Allow access to URLs that start with `/api/user/` to users with the `USER` role, using `AntPathRequestMatcher`
<4> Allow access to URLs that start with `/api/admin/` to users with the `ADMIN` role, using `RegexRequestMatcher`
<5> Allow access to URLs that match the `MyCustomRequestMatcher` to users with the `SUPERVISOR` role, using a custom `RequestMatcher`
== Further Reading
@@ -206,7 +206,7 @@ These defaults come from Angular and its predecessor https://docs.angularjs.org/
[TIP]
====
See the https://angular.io/guide/http-security-xsrf-protection[Cross-Site Request Forgery (XSRF) protection] guide and the https://angular.io/api/common/http/HttpClientXsrfModule[HttpClientXsrfModule] for more recent information on this topic.
See the https://angular.dev/best-practices/security#httpclient-xsrf-csrf-security[HttpClient XSRF/CSRF security] and the https://angular.dev/api/common/http/withXsrfConfiguration[withXsrfConfiguration] for more recent information on this topic.
====
You can configure the `CookieCsrfTokenRepository` using the following configuration:
@@ -28,7 +28,7 @@ spring:
security:
oauth2:
resourceserver:
opaque-token:
opaquetoken:
introspection-uri: https://idp.example.com/introspect
client-id: client
client-secret: secret
@@ -782,7 +782,7 @@ spring:
security:
oauth2:
resourceserver:
opaque-token:
opaquetoken:
introspection-uri: https://idp.example.org/introspection
client-id: client
client-secret: secret
@@ -66,10 +66,11 @@ spring:
security:
saml2:
relyingparty:
okta:
identityprovider:
entity-id: ...
singlesignon.sign-request: false
registration:
okta:
assertingparty:
entity-id: ...
singlesignon.sign-request: false
----
Java::
@@ -78,7 +78,11 @@ Maven::
<!-- ... -->
<repository>
<id>shibboleth-releases</id>
<url>https://build.shibboleth.net/nexus/content/repositories/releases/</url>
<name>Shibboleth Releases Repository</name>
<url>https://build.shibboleth.net/maven/releases/</url>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
<dependency>
@@ -125,7 +129,7 @@ spring:
relyingparty:
registration:
adfs:
identityprovider:
assertingparty:
entity-id: https://idp.example.com/issuer
verification.credentials:
- certificate-location: "classpath:idp.crt"
@@ -835,16 +839,17 @@ spring:
security:
saml2:
relyingparty:
okta:
signing.credentials: &relying-party-credentials
- private-key-location: classpath:rp.key
certificate-location: classpath:rp.crt
identityprovider:
entity-id: ...
azure:
signing.credentials: *relying-party-credentials
identityprovider:
entity-id: ...
registration:
okta:
signing.credentials: &relying-party-credentials
- private-key-location: classpath:rp.key
certificate-location: classpath:rp.crt
assertingparty:
entity-id: ...
azure:
signing.credentials: *relying-party-credentials
assertingparty:
entity-id: ...
----
Second, in a database, you need not replicate the model of `RelyingPartyRegistration`.
@@ -0,0 +1,67 @@
= SAML 2.0 Extension Migration
This document contains guidance for moving SAML 2.0 Service Providers from Spring Security SAML Extensions 1.x to Spring Security Since Spring Security doesnt provide Identity Provider support, migrating a Spring Security SAML Extensions Identity Provider is out of scope for this document.
Because the two approaches are as different as they are, this document will tend to cover patterns more than precise search-and-replace steps.
[[saml2-login-logout]]
== Login & Logout
=== Changes In Approach
https://github.com/spring-projects/spring-security[Spring Security] takes a slightly different approach from https://github.com/spring-projects/spring-security-saml[Spring Security SAML Extensions] in a few notable ways.
==== Simplified Enablement
Spring Security SAML Extensions support for Service Providers is provided by a series of filters enabled by adding each filter manually in the correct order to various Spring Security filter chains.
Spring Securitys SAML 2.0 Service Provider support is enabled via the Spring Security DSL methods:
xref:servlet/saml2/login/index.adoc[`saml2Login`],
xref:servlet/saml2/logout.adoc[`saml2Logout`], and
xref:servlet/saml2/metadata.adoc[`saml2Metadata`]. It selects the correct filters to add and puts them in the appropriate places in the filter chain.
==== Stronger Encapsulation
Like Spring Security SAML Extensions, Spring Security bases its SAML support on OpenSAML. The Extensions project exposes OpenSAML over public interfaces, blurring the lines between the two projects, effectively requiring OpenSAML, and making upgrades to later versions of OpenSAML more complicated.
Spring Security provides stronger encapsulation. No public interfaces expose OpenSAML components and any class that exposes OpenSAML in its public API is named with an `OpenSaml` prefix for additional clarity.
==== Out-of-the-box Multitenancy
Spring Security SAML Extensions offered some lightweight support for declaring more than one Identity Provider and accessing it at login time using the `idp` request parameter. This was limiting as far as changing things at runtime was concerned and also doesnt allow for a many-to-many relationship between relying and asserting parties.
Spring Security builds SAML 2.0 multitenancy into its default URLs and basic components in the form of a `RelyingPartyRegistration`. This component acts as a link between a Relying Partys metadata and an Asserting Partys metadata, and all pairs are available for lookup in a `RelyingPartyRegistrationRepository`. Each URL represents a unique registration pair to be retrieved.
Whether its AuthnRequests, Responses, LogoutRequests, LogoutResponses, or EntityDescriptors, each filter is based off of `RelyingPartyRegistrationRepository` and so is fundamentally multi-tenant.
=== Examples Matrix
Both Spring Security and Spring Security SAML Extensions have examples for how to configure the Service Provider:
[options="header"]
|===
| Use case | Spring Security | Spring Security SAML Extension
| Login & Logout | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/login[Sample] |
https://github.com/jzheaux/spring-security-saml-migrate/tree/main/login-logout[Sample]
| Login using SAML Extension URLs | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/custom-urls[Sample] | -
| Metadata support | https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/saml2/refreshable-metadata[Sample] | -
|===
You can also see a showcase example in https://github.com/spring-projects/spring-security-saml/tree/main/sample[Spring Security SAML Extension]'s GitHub project.
[NOTE]
====
Spring Security does not support HTTP-Redirect binding for SAML 2.0 Responses.
According to the SAML specification, the HTTP-Redirect binding is not permitted for SAML Responses due to URL length and signature limitations. Attempting to use this binding may result in unexpected errors.
Use HTTP-POST binding instead when configuring your identity provider.
====
[[saml2-unported]]
== Unported Features
There are some features that are not yet ported over and there are as yet no plans to do so:
* HTTP-Redirect binding for SAML 2.0 Responses
* Artifact binding support
@@ -2,4 +2,4 @@
= Spring MVC Test Integration
:page-section-summary-toc: 1
Spring Security provides comprehensive integration with https://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html#spring-mvc-test-framework[Spring MVC Test]
Spring Security provides comprehensive integration with {spring-framework-reference-url}testing/mockmvc.html[Spring MVC Test]
+2 -2
View File
@@ -4,7 +4,7 @@
"@antora/atlas-extension": "1.0.0-alpha.2",
"@antora/collector-extension": "1.0.1",
"@asciidoctor/tabs": "1.0.0-beta.6",
"@springio/antora-extensions": "1.14.2",
"@springio/asciidoctor-extensions": "1.0.0-alpha.16"
"@springio/antora-extensions": "1.14.7",
"@springio/asciidoctor-extensions": "1.0.0-alpha.17"
}
}
+1 -1
View File
@@ -1,5 +1,5 @@
springBootVersion=3.1.1
version=6.3.7-SNAPSHOT
version=6.3.11-SNAPSHOT
samplesBranch=6.3.x
org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
org.gradle.parallel=true
+15 -15
View File
@@ -1,22 +1,22 @@
[versions]
com-squareup-okhttp3 = "3.14.9"
io-rsocket = "1.1.5"
io-spring-javaformat = "0.0.43"
io-spring-javaformat = "0.0.47"
io-spring-nohttp = "0.0.11"
jakarta-websocket = "2.1.1"
org-apache-directory-server = "1.5.5"
org-apache-maven-resolver = "1.9.22"
org-aspectj = "1.9.22.1"
org-apache-maven-resolver = "1.9.24"
org-aspectj = "1.9.24"
org-bouncycastle = "1.78.1"
org-eclipse-jetty = "11.0.24"
org-eclipse-jetty = "11.0.25"
org-jetbrains-kotlin = "1.9.25"
org-jetbrains-kotlinx = "1.8.1"
org-mockito = "5.11.0"
org-opensaml = "4.3.2"
org-springframework = "6.1.17"
org-springframework = "6.1.21"
[libraries]
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.16"
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.18"
com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.17.3"
com-google-inject-guice = "com.google.inject:guice:3.0"
com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0"
@@ -27,14 +27,14 @@ com-squareup-okhttp3-okhttp = { module = "com.squareup.okhttp3:okhttp", version.
com-unboundid-unboundid-ldapsdk = "com.unboundid:unboundid-ldapsdk:6.0.11"
commons-collections = "commons-collections:commons-collections:3.2.2"
io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.12.13"
io-mockk = "io.mockk:mockk:1.13.16"
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.15"
io-mockk = "io.mockk:mockk:1.13.17"
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.19"
io-rsocket-rsocket-bom = { module = "io.rsocket:rsocket-bom", version.ref = "io-rsocket" }
io-spring-javaformat-spring-javaformat-checkstyle = { module = "io.spring.javaformat:spring-javaformat-checkstyle", version.ref = "io-spring-javaformat" }
io-spring-javaformat-spring-javaformat-gradle-plugin = { module = "io.spring.javaformat:spring-javaformat-gradle-plugin", version.ref = "io-spring-javaformat" }
io-spring-nohttp-nohttp-checkstyle = { module = "io.spring.nohttp:nohttp-checkstyle", version.ref = "io-spring-nohttp" }
io-spring-nohttp-nohttp-gradle = { module = "io.spring.nohttp:nohttp-gradle", version.ref = "io-spring-nohttp" }
io-spring-security-release-plugin = "io.spring.gradle:spring-security-release-plugin:1.0.3"
io-spring-security-release-plugin = "io.spring.gradle:spring-security-release-plugin:1.0.10"
jakarta-annotation-jakarta-annotation-api = "jakarta.annotation:jakarta.annotation-api:2.1.1"
jakarta-inject-jakarta-inject-api = "jakarta.inject:jakarta.inject-api:2.0.1"
jakarta-persistence-jakarta-persistence-api = "jakarta.persistence:jakarta.persistence-api:3.1.0"
@@ -53,7 +53,7 @@ org-apache-directory-server-apacheds-protocol-shared = { module = "org.apache.di
org-apache-directory-server-apacheds-server-jndi = { module = "org.apache.directory.server:apacheds-server-jndi", version.ref = "org-apache-directory-server" }
org-apache-directory-shared-shared-ldap = "org.apache.directory.shared:shared-ldap:0.9.15"
org-apache-httpcomponents-httpclient = "org.apache.httpcomponents:httpclient:4.5.14"
org-apache-maven-maven-resolver-provider = "org.apache.maven:maven-resolver-provider:3.9.9"
org-apache-maven-maven-resolver-provider = "org.apache.maven:maven-resolver-provider:3.9.11"
org-apache-maven-resolver-maven-resolver-connector-basic = { module = "org.apache.maven.resolver:maven-resolver-connector-basic", version.ref = "org-apache-maven-resolver" }
org-apache-maven-resolver-maven-resolver-impl = { module = "org.apache.maven.resolver:maven-resolver-impl", version.ref = "org-apache-maven-resolver" }
org-apache-maven-resolver-maven-resolver-transport-http = { module = "org.apache.maven.resolver:maven-resolver-transport-http", version.ref = "org-apache-maven-resolver" }
@@ -83,9 +83,9 @@ org-seleniumhq-selenium-selenium-java = "org.seleniumhq.selenium:selenium-java:3
org-seleniumhq-selenium-selenium-support = "org.seleniumhq.selenium:selenium-support:3.141.59"
org-skyscreamer-jsonassert = "org.skyscreamer:jsonassert:1.5.3"
org-slf4j-log4j-over-slf4j = "org.slf4j:log4j-over-slf4j:1.7.36"
org-slf4j-slf4j-api = "org.slf4j:slf4j-api:2.0.16"
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.0.9"
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.11"
org-slf4j-slf4j-api = "org.slf4j:slf4j-api:2.0.17"
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.0.13"
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.13"
org-springframework-spring-framework-bom = { module = "org.springframework:spring-framework-bom", version.ref = "org-springframework" }
org-synchronoss-cloud-nio-multipart-parser = "org.synchronoss.cloud:nio-multipart-parser:1.1.0"
@@ -95,11 +95,11 @@ net-sourceforge-saxon-saxon = "net.sourceforge.saxon:saxon:9.1.0.8"
org-yaml-snakeyaml = "org.yaml:snakeyaml:1.33"
org-apache-commons-commons-io = "org.apache.commons:commons-io:1.3.2"
io-github-gradle-nexus-publish-plugin = "io.github.gradle-nexus:publish-plugin:1.3.0"
org-gretty-gretty = "org.gretty:gretty:4.1.6"
org-gretty-gretty = "org.gretty:gretty:4.1.7"
com-github-ben-manes-gradle-versions-plugin = "com.github.ben-manes:gradle-versions-plugin:0.51.0"
com-github-spullara-mustache-java-compiler = "com.github.spullara.mustache.java:compiler:0.9.14"
org-hidetake-gradle-ssh-plugin = "org.hidetake:gradle-ssh-plugin:2.10.1"
org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-info-extractor-gradle:4.33.23"
org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-info-extractor-gradle:4.33.24"
org-sonarsource-scanner-gradle-sonarqube-gradle-plugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.8.0.1969"
org-instancio-instancio-junit = "org.instancio:instancio-junit:3.7.1"
Binary file not shown.
+2 -2
View File
@@ -1,7 +1,7 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionSha256Sum=8d97a97984f6cbd2b85fe4c60a743440a347544bf18818048e611f5288d46c94
distributionUrl=https\://services.gradle.org/distributions/gradle-8.12.1-bin.zip
distributionSha256Sum=61ad310d3c7d3e5da131b76bbf22b5a4c0786e9d892dae8c1658d4b484de3caa
distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-bin.zip
networkTimeout=10000
validateDistributionUrl=true
zipStoreBase=GRADLE_USER_HOME
Vendored
+4 -5
View File
@@ -86,8 +86,7 @@ done
# shellcheck disable=SC2034
APP_BASE_NAME=${0##*/}
# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
' "$PWD" ) || exit
APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD=maximum
@@ -115,7 +114,7 @@ case "$( uname )" in #(
NONSTOP* ) nonstop=true ;;
esac
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
CLASSPATH="\\\"\\\""
# Determine the Java command to use to start the JVM.
@@ -206,7 +205,7 @@ fi
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
# Collect all arguments for the java command:
# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
# * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
# and any embedded shellness will be escaped.
# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
# treated as '${Hostname}' itself on the command line.
@@ -214,7 +213,7 @@ DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
set -- \
"-Dorg.gradle.appname=$APP_BASE_NAME" \
-classpath "$CLASSPATH" \
org.gradle.wrapper.GradleWrapperMain \
-jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \
"$@"
# Stop when "xargs" is not available.
Vendored
+2 -2
View File
@@ -70,11 +70,11 @@ goto fail
:execute
@rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
set CLASSPATH=
@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %*
:end
@rem End local scope for the variables with windows NT shell
@@ -22,6 +22,7 @@ dependencies {
testRuntimeOnly project(':spring-security-config')
testRuntimeOnly 'org.aspectj:aspectjweaver'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
System.setProperty('python.cachedir.skip', 'true')
@@ -25,4 +25,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -25,4 +25,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -18,4 +18,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -17,4 +17,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -18,4 +18,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -25,6 +25,7 @@ dependencies {
testRuntimeOnly project(':spring-security-config')
testRuntimeOnly project(':spring-security-ldap')
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
integrationTest {
+2
View File
@@ -35,6 +35,8 @@ dependencies {
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testImplementation 'org.skyscreamer:jsonassert'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
integrationTest {
@@ -27,4 +27,5 @@ dependencies {
testImplementation "ch.qos.logback:logback-classic"
testRuntimeOnly 'org.hsqldb:hsqldb'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -33,6 +33,7 @@ dependencies {
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.hsqldb:hsqldb'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
provided 'jakarta.servlet:jakarta.servlet-api'
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
package org.springframework.security.oauth2.client.registration;
import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
@@ -49,6 +50,7 @@ import org.springframework.web.util.UriComponentsBuilder;
* @author Rob Winch
* @author Josh Cummings
* @author Rafiullah Hamedy
* @author Evgeniy Cheban
* @since 5.1
*/
public final class ClientRegistrations {
@@ -211,6 +213,7 @@ public final class ClientRegistrations {
private static ClientRegistration.Builder getBuilder(String issuer,
Supplier<ClientRegistration.Builder>... suppliers) {
String errorMessage = "Unable to resolve Configuration with the provided Issuer of \"" + issuer + "\"";
List<String> errors = new ArrayList<>();
for (Supplier<ClientRegistration.Builder> supplier : suppliers) {
try {
return supplier.get();
@@ -219,6 +222,7 @@ public final class ClientRegistrations {
if (!ex.getStatusCode().is4xxClientError()) {
throw ex;
}
errors.add(ex.getMessage());
// else try another endpoint
}
catch (IllegalArgumentException | IllegalStateException ex) {
@@ -228,6 +232,9 @@ public final class ClientRegistrations {
throw new IllegalArgumentException(errorMessage, ex);
}
}
if (!errors.isEmpty()) {
throw new IllegalArgumentException(errorMessage + ", errors: " + errors);
}
throw new IllegalArgumentException(errorMessage);
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -245,7 +245,7 @@ public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements
* be used to create an Authentication for saving.</li>
* </ul>
* @param authorizedClient the {@link OAuth2AuthorizedClient} to use.
* @return the {@link Consumer} to populate the
* @return the {@link Consumer} to populate the attributes
*/
public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) {
return (attributes) -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, authorizedClient);
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -36,12 +36,14 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
/**
* @author Rob Winch
* @author Rafiullah Hamedy
* @author Evgeniy Cheban
* @since 5.1
*/
public class ClientRegistrationsTests {
@@ -455,6 +457,27 @@ public class ClientRegistrationsTests {
// @formatter:on
}
@Test
public void issuerWhenAllEndpointsFailedThenExceptionIncludesFailureInformation() {
this.issuer = createIssuerFromServer("issuer1");
this.server.setDispatcher(new Dispatcher() {
@Override
public MockResponse dispatch(RecordedRequest request) {
int responseCode = switch (request.getPath()) {
case "/issuer1/.well-known/openid-configuration" -> 405;
case "/.well-known/openid-configuration/issuer1" -> 400;
default -> 404;
};
return new MockResponse().setResponseCode(responseCode);
}
});
assertThatExceptionOfType(IllegalArgumentException.class)
.isThrownBy(() -> ClientRegistrations.fromIssuerLocation(this.issuer).build())
.withMessageContaining("405")
.withMessageContaining("400")
.withMessageContaining("404");
}
private ClientRegistration.Builder registration(String path) throws Exception {
this.issuer = createIssuerFromServer(path);
this.response.put("issuer", this.issuer);
@@ -17,4 +17,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -23,4 +23,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -26,4 +26,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -52,26 +52,77 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
@Override
public String resolve(final HttpServletRequest request) {
final String authorizationHeaderToken = resolveFromAuthorizationHeader(request);
final String parameterToken = isParameterTokenSupportedForRequest(request)
? resolveFromRequestParameters(request) : null;
if (authorizationHeaderToken != null) {
if (parameterToken != null) {
// @formatter:off
return resolveToken(
resolveFromAuthorizationHeader(request),
resolveAccessTokenFromQueryString(request),
resolveAccessTokenFromBody(request)
);
// @formatter:on
}
private static String resolveToken(String... accessTokens) {
if (accessTokens == null || accessTokens.length == 0) {
return null;
}
String accessToken = null;
for (String token : accessTokens) {
if (accessToken == null) {
accessToken = token;
}
else if (token != null) {
BearerTokenError error = BearerTokenErrors
.invalidRequest("Found multiple bearer tokens in the request");
throw new OAuth2AuthenticationException(error);
}
return authorizationHeaderToken;
}
if (parameterToken != null && isParameterTokenEnabledForRequest(request)) {
if (!StringUtils.hasText(parameterToken)) {
BearerTokenError error = BearerTokenErrors
.invalidRequest("The requested token parameter is an empty string");
throw new OAuth2AuthenticationException(error);
}
return parameterToken;
if (accessToken != null && accessToken.isBlank()) {
BearerTokenError error = BearerTokenErrors
.invalidRequest("The requested token parameter is an empty string");
throw new OAuth2AuthenticationException(error);
}
return null;
return accessToken;
}
private String resolveFromAuthorizationHeader(HttpServletRequest request) {
String authorization = request.getHeader(this.bearerTokenHeaderName);
if (!StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
return null;
}
Matcher matcher = authorizationPattern.matcher(authorization);
if (!matcher.matches()) {
BearerTokenError error = BearerTokenErrors.invalidToken("Bearer token is malformed");
throw new OAuth2AuthenticationException(error);
}
return matcher.group("token");
}
private String resolveAccessTokenFromQueryString(HttpServletRequest request) {
if (!this.allowUriQueryParameter || !HttpMethod.GET.name().equals(request.getMethod())) {
return null;
}
return resolveToken(request.getParameterValues(ACCESS_TOKEN_PARAMETER_NAME));
}
private String resolveAccessTokenFromBody(HttpServletRequest request) {
if (!this.allowFormEncodedBodyParameter
|| !MediaType.APPLICATION_FORM_URLENCODED_VALUE.equals(request.getContentType())
|| HttpMethod.GET.name().equals(request.getMethod())) {
return null;
}
String queryString = request.getQueryString();
if (queryString != null && queryString.contains(ACCESS_TOKEN_PARAMETER_NAME)) {
return null;
}
return resolveToken(request.getParameterValues(ACCESS_TOKEN_PARAMETER_NAME));
}
/**
@@ -109,50 +160,4 @@ public final class DefaultBearerTokenResolver implements BearerTokenResolver {
this.bearerTokenHeaderName = bearerTokenHeaderName;
}
private String resolveFromAuthorizationHeader(HttpServletRequest request) {
String authorization = request.getHeader(this.bearerTokenHeaderName);
if (!StringUtils.startsWithIgnoreCase(authorization, "bearer")) {
return null;
}
Matcher matcher = authorizationPattern.matcher(authorization);
if (!matcher.matches()) {
BearerTokenError error = BearerTokenErrors.invalidToken("Bearer token is malformed");
throw new OAuth2AuthenticationException(error);
}
return matcher.group("token");
}
private static String resolveFromRequestParameters(HttpServletRequest request) {
String[] values = request.getParameterValues(ACCESS_TOKEN_PARAMETER_NAME);
if (values == null || values.length == 0) {
return null;
}
if (values.length == 1) {
return values[0];
}
BearerTokenError error = BearerTokenErrors.invalidRequest("Found multiple bearer tokens in the request");
throw new OAuth2AuthenticationException(error);
}
private boolean isParameterTokenSupportedForRequest(final HttpServletRequest request) {
return isFormEncodedRequest(request) || isGetRequest(request);
}
private static boolean isGetRequest(HttpServletRequest request) {
return HttpMethod.GET.name().equals(request.getMethod());
}
private static boolean isFormEncodedRequest(HttpServletRequest request) {
return MediaType.APPLICATION_FORM_URLENCODED_VALUE.equals(request.getContentType());
}
private static boolean hasAccessTokenInQueryString(HttpServletRequest request) {
return (request.getQueryString() != null) && request.getQueryString().contains(ACCESS_TOKEN_PARAMETER_NAME);
}
private boolean isParameterTokenEnabledForRequest(HttpServletRequest request) {
return ((this.allowFormEncodedBodyParameter && isFormEncodedRequest(request) && !isGetRequest(request)
&& !hasAccessTokenInQueryString(request)) || (this.allowUriQueryParameter && isGetRequest(request)));
}
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -77,18 +77,18 @@ public class ServerBearerTokenAuthenticationConverter implements ServerAuthentic
}
return authorizationHeaderToken;
}
if (parameterToken != null && isParameterTokenSupportedForRequest(request)) {
if (!StringUtils.hasText(parameterToken)) {
BearerTokenError error = BearerTokenErrors
.invalidRequest("The requested token parameter is an empty string");
throw new OAuth2AuthenticationException(error);
}
return parameterToken;
if (parameterToken != null && !StringUtils.hasText(parameterToken)) {
BearerTokenError error = BearerTokenErrors
.invalidRequest("The requested token parameter is an empty string");
throw new OAuth2AuthenticationException(error);
}
return null;
return parameterToken;
}
private static String resolveAccessTokenFromRequest(ServerHttpRequest request) {
private String resolveAccessTokenFromRequest(ServerHttpRequest request) {
if (!isParameterTokenSupportedForRequest(request)) {
return null;
}
List<String> parameterTokens = request.getQueryParams().get("access_token");
if (CollectionUtils.isEmpty(parameterTokens)) {
return null;
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -110,6 +110,7 @@ public class DefaultBearerTokenResolverTests {
@Test
public void resolveWhenValidHeaderIsPresentTogetherWithFormParameterThenAuthenticationExceptionIsThrown() {
this.resolver.setAllowFormEncodedBodyParameter(true);
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization", "Bearer " + TEST_TOKEN);
request.setMethod("POST");
@@ -121,6 +122,7 @@ public class DefaultBearerTokenResolverTests {
@Test
public void resolveWhenValidHeaderIsPresentTogetherWithQueryParameterThenAuthenticationExceptionIsThrown() {
this.resolver.setAllowUriQueryParameter(true);
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization", "Bearer " + TEST_TOKEN);
request.setMethod("GET");
@@ -133,6 +135,7 @@ public class DefaultBearerTokenResolverTests {
// gh-10326
@Test
public void resolveWhenRequestContainsTwoAccessTokenQueryParametersThenAuthenticationExceptionIsThrown() {
this.resolver.setAllowUriQueryParameter(true);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("GET");
request.addParameter("access_token", "token1", "token2");
@@ -143,6 +146,7 @@ public class DefaultBearerTokenResolverTests {
// gh-10326
@Test
public void resolveWhenRequestContainsTwoAccessTokenFormParametersThenAuthenticationExceptionIsThrown() {
this.resolver.setAllowFormEncodedBodyParameter(true);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("POST");
request.setContentType("application/x-www-form-urlencoded");
@@ -233,6 +237,19 @@ public class DefaultBearerTokenResolverTests {
assertThat(this.resolver.resolve(request)).isNull();
}
@Test
public void resolveWhenPostAndQueryParameterIsSupportedAndFormParameterIsPresentThenTokenIsNotResolved() {
this.resolver.setAllowUriQueryParameter(true);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("POST");
request.setContentType("application/x-www-form-urlencoded");
request.setQueryString("access_token=" + TEST_TOKEN);
request.addParameter("access_token", TEST_TOKEN);
assertThat(this.resolver.resolve(request)).isNull();
}
@Test
public void resolveWhenFormParameterIsPresentAndNotSupportedThenTokenIsNotResolved() {
MockHttpServletRequest request = new MockHttpServletRequest();
@@ -261,6 +278,25 @@ public class DefaultBearerTokenResolverTests {
assertThat(this.resolver.resolve(request)).isNull();
}
// gh-16038
@Test
public void resolveWhenRequestContainsTwoAccessTokenFormParametersAndSupportIsDisabledThenTokenIsNotResolved() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("POST");
request.setContentType("application/x-www-form-urlencoded");
request.addParameter("access_token", "token1", "token2");
assertThat(this.resolver.resolve(request)).isNull();
}
// gh-16038
@Test
public void resolveWhenRequestContainsTwoAccessTokenQueryParametersAndSupportIsDisabledThenTokenIsNotResolved() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setMethod("GET");
request.addParameter("access_token", "token1", "token2");
assertThat(this.resolver.resolve(request)).isNull();
}
@Test
public void resolveWhenQueryParameterIsPresentAndEmptyStringThenTokenIsNotResolved() {
this.resolver.setAllowUriQueryParameter(true);
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -157,6 +157,7 @@ public class ServerBearerTokenAuthenticationConverterTests {
@Test
public void resolveWhenValidHeaderIsPresentTogetherWithQueryParameterThenAuthenticationExceptionIsThrown() {
// @formatter:off
this.converter.setAllowUriQueryParameter(true);
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/")
.queryParam("access_token", TEST_TOKEN)
.header(HttpHeaders.AUTHORIZATION, "Bearer " + TEST_TOKEN);
@@ -205,6 +206,7 @@ public class ServerBearerTokenAuthenticationConverterTests {
@Test
void resolveWhenQueryParameterHasMultipleAccessTokensThenOAuth2AuthenticationException() {
this.converter.setAllowUriQueryParameter(true);
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/")
.queryParam("access_token", TEST_TOKEN, TEST_TOKEN);
assertThatExceptionOfType(OAuth2AuthenticationException.class).isThrownBy(() -> convertToToken(request))
@@ -217,6 +219,14 @@ public class ServerBearerTokenAuthenticationConverterTests {
}
// gh-16038
@Test
void resolveWhenRequestContainsTwoAccessTokenQueryParametersAndSupportIsDisabledThenTokenIsNotResolved() {
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/")
.queryParam("access_token", TEST_TOKEN, TEST_TOKEN);
assertThat(convertToToken(request)).isNull();
}
private BearerTokenAuthenticationToken convertToToken(MockServerHttpRequest.BaseBuilder<?> request) {
return convertToToken(request.build());
}
+2
View File
@@ -14,4 +14,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -24,4 +24,6 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -391,7 +391,7 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
String inResponseTo = response.getInResponseTo();
result = result.concat(validateInResponseTo(token.getAuthenticationRequest(), inResponseTo));
String issuer = response.getIssuer().getValue();
String issuer = issuer(response);
String destination = response.getDestination();
String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
if (StringUtils.hasText(destination) && !destination.equals(location)) {
@@ -414,6 +414,13 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
};
}
private static String issuer(Response response) {
if (response.getIssuer() == null) {
return null;
}
return response.getIssuer().getValue();
}
private static List<String> getStatusCodes(Response response) {
if (response.getStatus() == null) {
return List.of(StatusCode.SUCCESS);
@@ -576,7 +583,7 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv
}
private void process(Saml2AuthenticationToken token, Response response) {
String issuer = response.getIssuer().getValue();
String issuer = issuer(response);
this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
boolean responseSigned = response.isSigned();
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -861,6 +861,15 @@ public class OpenSaml4AuthenticationProviderTests {
provider.authenticate(token);
}
// gh-16989
@Test
public void authenticateWhenNullIssuerThenNoNullPointer() {
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
Response response = TestOpenSamlObjects.signedResponseWithOneAssertion((r) -> r.setIssuer(null));
Saml2AuthenticationToken token = token(response, verifying(registration()));
assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token));
}
private <T extends XMLObject> T build(QName qName) {
return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(qName).buildObject(qName);
}
+2
View File
@@ -24,6 +24,8 @@ dependencies {
testImplementation "org.mockito:mockito-core"
testImplementation "org.mockito:mockito-junit-jupiter"
testImplementation "org.springframework:spring-test"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
configure(project.tasks.withType(Test)) {
+2
View File
@@ -32,4 +32,6 @@ dependencies {
testImplementation 'org.skyscreamer:jsonassert'
testImplementation 'org.springframework:spring-webmvc'
testImplementation 'org.springframework:spring-tx'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
+1
View File
@@ -39,4 +39,5 @@ dependencies {
testImplementation 'com.squareup.okhttp3:mockwebserver'
testRuntimeOnly 'org.hsqldb:hsqldb'
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
@@ -29,6 +29,9 @@ public interface WebInvocationPrivilegeEvaluator {
/**
* Determines whether the user represented by the supplied <tt>Authentication</tt>
* object is allowed to invoke the supplied URI.
* <p>
* Note this will only match authorization rules that don't require a certain
* {@code HttpMethod}.
* @param uri the URI excluding the context path (a default context path setting will
* be used)
*/
@@ -36,13 +39,18 @@ public interface WebInvocationPrivilegeEvaluator {
/**
* Determines whether the user represented by the supplied <tt>Authentication</tt>
* object is allowed to invoke the supplied URI, with the given .
* object is allowed to invoke the supplied URI, with the given parameters.
* <p>
* Note the default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
* Note:
* <ul>
* <li>The default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
* disregards the <code>contextPath</code> when evaluating which secure object
* metadata applies to a given request URI, so generally the <code>contextPath</code>
* is unimportant unless you are using a custom
* <code>FilterInvocationSecurityMetadataSource</code>.
* <code>FilterInvocationSecurityMetadataSource</code>.</li>
* <li>this will only match authorization rules that don't require a certain
* {@code HttpMethod}.</li>
* </ul>
* @param uri the URI excluding the context path
* @param contextPath the context path (may be null).
* @param method the HTTP method (or null, for any method)
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -64,6 +64,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
* </ul>
*
* @author Sergey Bespalov
* @author Andrey Litvitski
* @since 5.2.0
*/
public class AuthenticationFilter extends OncePerRequestFilter {
@@ -193,6 +194,15 @@ public class AuthenticationFilter extends OncePerRequestFilter {
}
}
@Override
protected String getAlreadyFilteredAttributeName() {
String name = getFilterName();
if (name == null) {
name = getClass().getName().concat("-" + System.identityHashCode(this));
}
return name + ALREADY_FILTERED_SUFFIX;
}
private void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failed) throws IOException, ServletException {
this.securityContextHolderStrategy.clearContext();
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -79,6 +79,10 @@ import org.springframework.web.filter.GenericFilterBean;
* raised by the <tt>AuthenticationManager</tt> will the be re-thrown. Note that this will
* not affect cases where the principal returned by {@link #getPreAuthenticatedPrincipal}
* is null, when the chain will still proceed as normal.
* <p>
* The filter saves the {@link SecurityContext} using the configured
* {@link SecurityContextRepository}, which can be set via
* {@link #setSecurityContextRepository}.
*
* @author Luke Taylor
* @author Ruud Senden
@@ -253,8 +257,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
/**
* Sets the {@link SecurityContextRepository} to save the {@link SecurityContext} on
* authentication success. The default action is not to save the
* {@link SecurityContext}.
* authentication success. The default action is to save the {@link SecurityContext}
* in {@link HttpSession} using {@link HttpSessionSecurityContextRepository}.
* @param securityContextRepository the {@link SecurityContextRepository} to use.
* Cannot be null.
*/
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -75,6 +75,7 @@ public final class ClearSiteDataHeaderWriter implements HeaderWriter {
if (!response.containsHeader(CLEAR_SITE_DATA_HEADER)) {
response.setHeader(CLEAR_SITE_DATA_HEADER, this.headerValue);
}
return;
}
this.logger.debug(
LogMessage.format("Not injecting Clear-Site-Data header since it did not match the requestMatcher %s",
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -84,7 +84,7 @@ public final class CookieServerCsrfTokenRepository implements ServerCsrfTokenRep
*/
public static CookieServerCsrfTokenRepository withHttpOnlyFalse() {
CookieServerCsrfTokenRepository result = new CookieServerCsrfTokenRepository();
result.setCookieCustomizer((cookie) -> cookie.httpOnly(false));
result.cookieHttpOnly = false;
return result;
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -802,42 +802,42 @@ public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewal
@Override
public Builder method(HttpMethod httpMethod) {
return this.delegate.method(httpMethod);
return new StrictFirewallBuilder(this.delegate.method(httpMethod));
}
@Override
public Builder uri(URI uri) {
return this.delegate.uri(uri);
return new StrictFirewallBuilder(this.delegate.uri(uri));
}
@Override
public Builder path(String path) {
return this.delegate.path(path);
return new StrictFirewallBuilder(this.delegate.path(path));
}
@Override
public Builder contextPath(String contextPath) {
return this.delegate.contextPath(contextPath);
return new StrictFirewallBuilder(this.delegate.contextPath(contextPath));
}
@Override
public Builder header(String headerName, String... headerValues) {
return this.delegate.header(headerName, headerValues);
return new StrictFirewallBuilder(this.delegate.header(headerName, headerValues));
}
@Override
public Builder headers(Consumer<HttpHeaders> headersConsumer) {
return this.delegate.headers(headersConsumer);
return new StrictFirewallBuilder(this.delegate.headers(headersConsumer));
}
@Override
public Builder sslInfo(SslInfo sslInfo) {
return this.delegate.sslInfo(sslInfo);
return new StrictFirewallBuilder(this.delegate.sslInfo(sslInfo));
}
@Override
public Builder remoteAddress(InetSocketAddress remoteAddress) {
return this.delegate.remoteAddress(remoteAddress);
return new StrictFirewallBuilder(this.delegate.remoteAddress(remoteAddress));
}
@Override
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
package org.springframework.security.web.authentication;
import jakarta.servlet.FilterChain;
import jakarta.servlet.Servlet;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
@@ -57,6 +58,7 @@ import static org.mockito.Mockito.verifyNoMoreInteractions;
/**
* @author Sergey Bespalov
* @author Andrey Litvitski
* @since 5.2.0
*/
@ExtendWith(MockitoExtension.class)
@@ -318,4 +320,18 @@ public class AuthenticationFilterTests {
assertThat(securityContextArg.getValue().getAuthentication()).isEqualTo(authentication);
}
@Test
public void filterWhenMultipleInChainThenAllFiltered() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
MockHttpServletResponse response = new MockHttpServletResponse();
AuthenticationFilter filter1 = new AuthenticationFilter(this.authenticationManager,
this.authenticationConverter);
AuthenticationConverter converter2 = mock(AuthenticationConverter.class);
AuthenticationFilter filter2 = new AuthenticationFilter(this.authenticationManager, converter2);
FilterChain chain = new MockFilterChain(mock(Servlet.class), filter1, filter2);
chain.doFilter(request, response);
verify(this.authenticationConverter).convert(any());
verify(converter2).convert(any());
}
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -290,6 +290,21 @@ class CookieServerCsrfTokenRepositoryTests {
loadAndAssertExpectedValues();
}
// gh-16820
@Test
void withHttpOnlyFalseWhenCookieCustomizerThenStillDefaultsToFalse() {
CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
repository.setCookieCustomizer((customizer) -> customizer.maxAge(1000));
MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/dummy");
MockServerWebExchange exchange = MockServerWebExchange.from(request);
CsrfToken csrfToken = repository.generateToken(exchange).block();
repository.saveToken(exchange, csrfToken).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst("XSRF-TOKEN");
assertThat(cookie).isNotNull();
assertThat(cookie.getMaxAge().getSeconds()).isEqualTo(1000);
assertThat(cookie.isHttpOnly()).isEqualTo(Boolean.FALSE);
}
private void setExpectedHeaderName(String expectedHeaderName) {
this.csrfTokenRepository.setHeaderName(expectedHeaderName);
this.expectedHeaderName = expectedHeaderName;
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -534,4 +534,17 @@ class StrictServerWebExchangeFirewallTests {
.isThrownBy(() -> headers.get(invalidHeaderName));
}
// gh-16978
@Test
void getMutatedFirewalledExchangeHeadersGetHeaderWhenNotAllowedHeaderNameThenException() {
String invalidHeaderName = "bad name";
this.firewall.setAllowedHeaderNames((name) -> !name.equals(invalidHeaderName));
ServerWebExchange exchange = getFirewalledExchange();
var mutatedRequest = exchange.getRequest().mutate().method(HttpMethod.POST).build();
var mutatedExchange = exchange.mutate().request(mutatedRequest).build();
HttpHeaders headers = mutatedExchange.getRequest().getHeaders();
assertThatExceptionOfType(ServerExchangeRejectedException.class)
.isThrownBy(() -> headers.get(invalidHeaderName));
}
}