1
0
mirror of synced 2026-07-11 13:50:35 +00:00

Compare commits

..

99 Commits

Author SHA1 Message Date
github-actions[bot] ebdd6c22a8 Release 6.5.1 2025-06-16 15:07:59 +00:00
Rob Winch f7cff8deb5 Merge branch '6.4.x' into 6.5.x 2025-06-16 09:46:00 -05:00
Rob Winch b8c19f9df5 Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final 2025-06-16 09:45:36 -05:00
Rob Winch f2dbe28b81 Merge branch '6.4.x' into 6.5.x 2025-06-16 09:06:07 -05:00
Rob Winch 17fe96e4a7 Merge branch '6.3.x' into 6.4.x 2025-06-16 09:05:57 -05:00
Rob Winch 1828d56bf1 Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 2025-06-16 08:56:25 -05:00
Rob Winch 71851de649 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-16 08:56:23 -05:00
Rob Winch 60a930a49a Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final 2025-06-16 08:56:21 -05:00
Rob Winch 2b51705413 Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 2025-06-16 08:56:19 -05:00
Rob Winch 0a15dcaadf Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8 2025-06-16 08:56:08 -05:00
Rob Winch 1fcba70c61 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-16 08:56:06 -05:00
Rob Winch 03a11d6ffd Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7 2025-06-16 08:56:04 -05:00
Rob Winch 49cddee343 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21 2025-06-16 08:55:32 -05:00
Rob Winch 1c56c0c0c8 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13 2025-06-16 08:55:30 -05:00
Rob Winch d79cf75dfb Bump org.springframework.data:spring-data-bom from 2024.0.12 to 2024.0.13 2025-06-16 08:55:28 -05:00
dependabot[bot] 3e6eda579f Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.1.6 to 2024.1.7.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.1.6...2024.1.7)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 04:10:04 +00:00
dependabot[bot] 07bb38e5e5 Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.17.Final to 6.6.18.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.18/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.17...6.6.18)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.18.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 04:09:40 +00:00
dependabot[bot] e34c5e73e1 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 04:01:56 +00:00
dependabot[bot] 29866df7cf Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.1.6 to 2024.1.7.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.1.6...2024.1.7)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 03:52:20 +00:00
dependabot[bot] aca7c4f5c4 Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.18.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.17.Final to 6.6.18.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.18/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.17...6.6.18)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.18.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-16 03:52:13 +00:00
dependabot[bot] 46254e01fb Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 03:36:23 +00:00
dependabot[bot] effe682fc4 Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 03:35:50 +00:00
dependabot[bot] 1b2ac8567e Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 03:31:36 +00:00
dependabot[bot] 34ec5fd7a4 Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.7 to 6.2.8.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.7...v6.2.8)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 03:31:29 +00:00
dependabot[bot] 9f487ad0bc Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 03:11:55 +00:00
dependabot[bot] c1492f0e4e Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.7 to 6.2.8.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.7...v6.2.8)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 03:11:19 +00:00
Rob Winch 2be756e9dd Merge branch '6.4.x' into 6.5.x 2025-06-12 12:26:33 -05:00
Rob Winch df90cd5e23 Merge branch '6.3.x' into 6.4.x 2025-06-12 12:26:21 -05:00
Rob Winch 540ceef866 Merge branch 'gradle/6.5.x/com.fasterxml.jackson-jackson-bom-2.18.4.1' into 6.5.x 2025-06-12 12:26:07 -05:00
Rob Winch d32b6629b7 Merge branch 'gradle/6.4.x/io.projectreactor-reactor-bom-2023.0.19' into 6.4.x 2025-06-12 12:24:21 -05:00
dependabot[bot] 9be7b37472 Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1
Bumps [com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 2.18.4 to 2.18.4.1.
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-2.18.4...jackson-bom-2.18.4.1)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.18.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-11 04:06:48 +00:00
dependabot[bot] 195fb7253c Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.18 to 2023.0.19.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.18...2023.0.19)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2023.0.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-11 04:06:24 +00:00
dependabot[bot] 7f36155b47 Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.18 to 2023.0.19.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.18...2023.0.19)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2023.0.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-11 03:59:26 +00:00
dependabot[bot] 53ce08d79d Bump io.projectreactor:reactor-bom from 2023.0.18 to 2023.0.19
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2023.0.18 to 2023.0.19.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2023.0.18...2023.0.19)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2023.0.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-11 03:36:18 +00:00
dependabot[bot] cc40879f05 Bump com.fasterxml.jackson:jackson-bom from 2.18.4 to 2.18.4.1
Bumps [com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 2.18.4 to 2.18.4.1.
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-2.18.4...jackson-bom-2.18.4.1)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.18.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-11 03:35:43 +00:00
Rob Winch b4418014aa Merge branch '6.4.x' into 6.5.x 2025-06-10 10:49:05 -05:00
Rob Winch 29ec4c8736 Merge branch '6.3.x' into 6.4.x 2025-06-10 10:48:44 -05:00
Rob Winch 888d87619d Explicit Permissions for codeql.yml 2025-06-10 10:48:37 -05:00
Rob Winch 0299ba6027 Merge branch '6.4.x' into 6.5.x 2025-06-10 09:55:50 -05:00
dependabot[bot] d7bada7fec Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8
Bumps [io.micrometer:micrometer-observation](https://github.com/micrometer-metrics/micrometer) from 1.14.7 to 1.14.8.
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](https://github.com/micrometer-metrics/micrometer/compare/v1.14.7...v1.14.8)

---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-10 03:35:38 +00:00
dependabot[bot] eaba293cc5 Bump io.micrometer:micrometer-observation from 1.14.7 to 1.14.8
Bumps [io.micrometer:micrometer-observation](https://github.com/micrometer-metrics/micrometer) from 1.14.7 to 1.14.8.
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](https://github.com/micrometer-metrics/micrometer/compare/v1.14.7...v1.14.8)

---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-10 03:25:56 +00:00
Rob Winch c9a67818d7 Merge branch '6.4.x' into 6.5.x 2025-06-09 17:11:04 -05:00
Rob Winch af15d735eb Merge branch '6.3.x' into 6.4.x 2025-06-09 17:10:55 -05:00
Rob Winch d7452138ac Merge branch 'gradle/6.5.x/org.apache.maven-maven-resolver-provider-3.9.10' into 6.5.x 2025-06-09 17:10:46 -05:00
Rob Winch e00d06e97f Merge branch 'gradle/6.4.x/org.apache.maven-maven-resolver-provider-3.9.10' into 6.4.x 2025-06-09 17:09:09 -05:00
Rob Winch e8028e15c0 Merge branch 'gradle/6.3.x/org.apache.maven-maven-resolver-provider-3.9.10' into 6.3.x 2025-06-09 17:08:30 -05:00
Rob Winch 1bd59c7fec Merge branch '6.4.x' into 6.5.x 2025-06-09 17:05:55 -05:00
Rob Winch 12d479baab Merge branch '6.3.x' into 6.4.x 2025-06-09 17:05:46 -05:00
Rob Winch 362cc62611 Merge branch 'gradle/6.4.x/io.spring.develocity.conventions-0.0.23' into 6.4.x 2025-06-09 17:02:55 -05:00
Rob Winch c5b41f50f5 Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23 2025-06-09 16:52:54 -05:00
Rob Winch f0ba7500ff Bump io-spring-javaformat from 0.0.45 to 0.0.46 2025-06-09 16:25:30 -05:00
Rob Winch fd2e3f43f6 Bump io-spring-javaformat from 0.0.45 to 0.0.46 2025-06-09 16:23:10 -05:00
Rob Winch 482eb0e2cd Bump io-spring-javaformat from 0.0.45 to 0.0.46 2025-06-09 16:22:15 -05:00
Rob Winch aec876403f Bump com.webauthn4j:webauthn4j-core from 0.29.2.RELEASE to 0.29.3.RELEASE 2025-06-09 16:20:04 -05:00
Rob Winch 648882adc7 Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final 2025-06-09 16:19:18 -05:00
Rob Winch 0411986013 Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final 2025-06-09 16:16:56 -05:00
Joe Grandja d622183e62 Merge branch '6.4.x' into 6.5.x
Closes gh-17216
2025-06-06 07:06:12 -04:00
Joe Grandja a377175455 Merge branch '6.3.x' into 6.4.x
Closes gh-17215
2025-06-06 06:50:45 -04:00
Andrey Litvitski b0f8aa5ea0 Fix to allow multiple AuthenticationFilter instances to process each request
Closes gh-17173

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2025-06-06 06:37:03 -04:00
dependabot[bot] 893d539c18 Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10
Bumps org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-06 03:55:31 +00:00
dependabot[bot] 47b6e31606 Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10
Bumps org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-06 03:40:05 +00:00
dependabot[bot] f75ac6c837 Bump org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10
Bumps org.apache.maven:maven-resolver-provider from 3.9.9 to 3.9.10.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-06 03:37:31 +00:00
Joe Grandja dab989d7c3 Fix NPE with DPoP tokenAuthenticationManager
Closes gh-17172
2025-06-05 16:06:55 -04:00
damable-nuvolex 3b12e758d3 Fix inconsistent constructor declaration
Closes gh-16325

Signed-off-by: damable-nuvolex <damable@nuvolex.com>
2025-06-05 12:36:27 -06:00
damable-nuvolex a0c5504eca Fix inconsistent constructor declaration
Closes gh-16325

Signed-off-by: damable-nuvolex <damable@nuvolex.com>
2025-06-05 12:34:35 -06:00
Evgeniy Cheban 33ae1711a7 Set Precedence Order for Spring MVC TargetVisitor
Closes gh-17185

Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
2025-06-04 12:47:36 -06:00
dependabot[bot] 7341e629cb Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23
Bumps [io.spring.develocity.conventions](https://github.com/spring-io/develocity-conventions) from 0.0.22 to 0.0.23.
- [Release notes](https://github.com/spring-io/develocity-conventions/releases)
- [Commits](https://github.com/spring-io/develocity-conventions/compare/v0.0.22...v0.0.23)

---
updated-dependencies:
- dependency-name: io.spring.develocity.conventions
  dependency-version: 0.0.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-04 03:49:51 +00:00
dependabot[bot] 1b081b0628 Bump io.spring.develocity.conventions from 0.0.22 to 0.0.23
Bumps [io.spring.develocity.conventions](https://github.com/spring-io/develocity-conventions) from 0.0.22 to 0.0.23.
- [Release notes](https://github.com/spring-io/develocity-conventions/releases)
- [Commits](https://github.com/spring-io/develocity-conventions/compare/v0.0.22...v0.0.23)

---
updated-dependencies:
- dependency-name: io.spring.develocity.conventions
  dependency-version: 0.0.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-04 03:44:50 +00:00
dependabot[bot] 9872997cad Bump io-spring-javaformat from 0.0.45 to 0.0.46
Bumps `io-spring-javaformat` from 0.0.45 to 0.0.46.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.45 to 0.0.46
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.45...v0.0.46)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.45 to 0.0.46
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.45...v0.0.46)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-03 04:05:48 +00:00
dependabot[bot] b85814efcf Bump io-spring-javaformat from 0.0.45 to 0.0.46
Bumps `io-spring-javaformat` from 0.0.45 to 0.0.46.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.45 to 0.0.46
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.45...v0.0.46)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.45 to 0.0.46
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.45...v0.0.46)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-03 03:43:40 +00:00
dependabot[bot] 5e56fc13be Bump io-spring-javaformat from 0.0.45 to 0.0.46
Bumps `io-spring-javaformat` from 0.0.45 to 0.0.46.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.45 to 0.0.46
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.45...v0.0.46)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.45 to 0.0.46
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.45...v0.0.46)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.46
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-03 03:29:44 +00:00
dependabot[bot] 72771c28c3 Bump com.webauthn4j:webauthn4j-core
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.2.RELEASE to 0.29.3.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.2.RELEASE...0.29.3.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.3.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-02 03:27:50 +00:00
dependabot[bot] fed198f3f0 Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.15.Final to 6.6.17.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.17/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.15...6.6.17)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.17.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-29 03:56:04 +00:00
dependabot[bot] 9a3d076bfd Bump org.hibernate.orm:hibernate-core from 6.6.15.Final to 6.6.17.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.15.Final to 6.6.17.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.17/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.15...6.6.17)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.17.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-29 03:39:38 +00:00
Josh Cummings 8aaa9c28fa Merge branch '6.4.x' into 6.5.x 2025-05-23 11:36:01 -06:00
Josh Cummings 2989d12743 Merge branch '6.3.x' into 6.4.x 2025-05-23 11:35:25 -06:00
Joaquin Santana c0568ea9b0 Log Request Mismatch Only When Mismatches
Signed-off-by: Joaquin Santana <joaquinjsb@outlook.com>
2025-05-23 11:34:48 -06:00
Rob Winch 6eee256e12 Demonstrate include-code usage
Closes gh-17161
2025-05-22 14:59:35 -05:00
Rob Winch 0fecaf4924 Add include-code extension setup for docs
Closes gh-17160
2025-05-22 14:59:35 -05:00
Josh Cummings d2d2b97b7d Remove Conflict Markers 2025-05-22 12:31:40 -06:00
Josh Cummings 4bf03bde5b Merge branch '6.4.x' into 6.5.x 2025-05-21 16:47:25 -06:00
Josh Cummings 3186e8df84 Merge remote-tracking branch 'origin/6.3.x' into 6.4.x 2025-05-21 16:46:54 -06:00
Andrey Litvitski 4048b2bd7d Use HttpStatus in BackChannel Logout Filters
Closes gh-17125

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2025-05-21 16:45:46 -06:00
dependabot[bot] b5126f54bc Bump io-spring-javaformat from 0.0.43 to 0.0.45
Bumps `io-spring-javaformat` from 0.0.43 to 0.0.45.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-21 14:53:31 -06:00
Josh Cummings f169d31691 Merge branch '6.4.x' into 6.5.x 2025-05-21 14:52:36 -06:00
dependabot[bot] e77388ca16 Bump io-spring-javaformat from 0.0.43 to 0.0.45
Bumps `io-spring-javaformat` from 0.0.43 to 0.0.45.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-21 14:52:21 -06:00
Josh Cummings d98e9c0ed9 Merge branch '6.4.x' into 6.5.x 2025-05-21 14:51:33 -06:00
Josh Cummings 22b8294f7f Merge branch '6.3.x' into 6.4.x 2025-05-21 14:51:24 -06:00
dependabot[bot] 86acba9d22 Bump io-spring-javaformat from 0.0.43 to 0.0.45
Bumps `io-spring-javaformat` from 0.0.43 to 0.0.45.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.43 to 0.0.45
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.43...v0.0.45)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.45
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-21 14:50:17 -06:00
Josh Cummings 7d49c41e03 Merge branch '6.4.x' into 6.5.x 2025-05-21 14:44:03 -06:00
Josh Cummings fbfb28456a Merge branch '6.3.x' into 6.4.x 2025-05-21 14:43:44 -06:00
Gurunathan a4cd6f4278 Advise Overriding equals() and hashCode() in UserDetails Implementations
This commit adds a documentation note explaining the importance of
overriding equals() and hashCode() in custom UserDetails implementations.

The default SessionRegistryImpl in Spring Security uses an in-memory
ConcurrentMap<Object, Set<String>>, Map<String,SessionInformation> to
associate principals with sessions. If a custom UserDetails class does
not properly override equals() and hashCode(), user sessions may not
be tracked or matched correctly.

I believe this helps developers avoid subtle session management issues
when implementing custom authentication logic.

Signed-off-by: Gurunathan <129361658+Gurunathan16@users.noreply.github.com>
2025-05-21 12:41:44 -06:00
Rob Winch 043acdae68 Merge branch '6.4.x' into 6.5.x 2025-05-20 16:03:39 -05:00
Rob Winch 6433f7ecc0 Merge branch '6.4.x' into 6.5.x 2025-05-20 15:59:40 -05:00
Rob Winch 233a6651cc Merge branch '6.3.x' into 6.4.x 2025-05-20 15:53:04 -05:00
Rob Winch 5da31ab8a8 Use spring-io/codeql-actions 2025-05-20 15:52:36 -05:00
github-actions[bot] b2576583e2 Next development version 2025-05-19 16:33:39 +00:00
github-actions[bot] 4a2953fa5b Next development version 2025-05-19 16:33:25 +00:00
github-actions[bot] 3fbcd5f62a Release 6.4.6 2025-05-19 15:53:05 +00:00
21 changed files with 218 additions and 120 deletions
+8 -71
View File
@@ -1,80 +1,17 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL Advanced"
on:
push: # run if we update the workflow
push:
pull_request:
workflow_dispatch:
schedule:
- cron: '39 13 * * 4'
# https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#schedule
- cron: '0 5 * * *'
permissions: read-all
jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners (GitHub.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ubuntu-latest
codeql-analysis-call:
permissions:
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read
# only required for workflows in private repositories
actions: read
contents: read
strategy:
fail-fast: false
matrix:
include:
- language: actions
build-mode: none
# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
# Use `c-cpp` to analyze code written in C, C++ or both
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Add any setup steps before running the `github/codeql-action/init` action.
# This includes steps like installing compilers or runtimes (`actions/setup-node`
# or others). This is typically only required for manual builds.
# - name: Setup runtime (example)
# uses: actions/setup-example@v1
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
queries: security-extended,security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
security-events: write
uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@1
@@ -22,6 +22,7 @@ import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Role;
import org.springframework.core.Ordered;
import org.springframework.http.HttpEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
@@ -37,7 +38,9 @@ class AuthorizationProxyWebConfiguration {
return new WebTargetVisitor();
}
static class WebTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor {
static class WebTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
private static final int DEFAULT_ORDER = 100;
@Override
public Object visit(AuthorizationAdvisorProxyFactory proxyFactory, Object target) {
@@ -60,6 +63,11 @@ class AuthorizationProxyWebConfiguration {
return null;
}
@Override
public int getOrder() {
return DEFAULT_ORDER;
}
}
}
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -83,10 +83,11 @@ final class ReactiveAuthorizationManagerMethodSecurityConfiguration
private final AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeMethodInterceptor;
@Autowired(required = false)
ReactiveAuthorizationManagerMethodSecurityConfiguration(MethodSecurityExpressionHandler expressionHandler,
ReactiveAuthorizationManagerMethodSecurityConfiguration(
ObjectProvider<MethodSecurityExpressionHandler> expressionHandlers,
ObjectProvider<ObjectPostProcessor<ReactiveAuthorizationManager<MethodInvocation>>> preAuthorizePostProcessor,
ObjectProvider<ObjectPostProcessor<ReactiveAuthorizationManager<MethodInvocationResult>>> postAuthorizePostProcessor) {
MethodSecurityExpressionHandler expressionHandler = expressionHandlers.getIfUnique();
if (expressionHandler != null) {
this.preFilterMethodInterceptor = new PreFilterAuthorizationReactiveMethodInterceptor(expressionHandler);
this.preAuthorizeAuthorizationManager = new PreAuthorizeReactiveAuthorizationManager(expressionHandler);
@@ -29,6 +29,7 @@ import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.Authentication;
@@ -51,6 +52,9 @@ import org.springframework.security.web.context.RequestAttributeSecurityContextR
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
/**
* An {@link AbstractHttpConfigurer} for OAuth 2.0 Demonstrating Proof of Possession
@@ -76,7 +80,7 @@ final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
@Override
public void configure(B http) {
AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
http.authenticationProvider(new DPoPAuthenticationProvider(authenticationManager));
http.authenticationProvider(new DPoPAuthenticationProvider(getTokenAuthenticationManager(http)));
AuthenticationFilter authenticationFilter = new AuthenticationFilter(authenticationManager,
getAuthenticationConverter());
authenticationFilter.setRequestMatcher(getRequestMatcher());
@@ -87,6 +91,23 @@ final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
http.addFilter(authenticationFilter);
}
private AuthenticationManager getTokenAuthenticationManager(B http) {
OAuth2ResourceServerConfigurer<B> resourceServerConfigurer = http
.getConfigurer(OAuth2ResourceServerConfigurer.class);
final AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver = resourceServerConfigurer
.getAuthenticationManagerResolver();
if (authenticationManagerResolver == null) {
return resourceServerConfigurer.getAuthenticationManager(http);
}
return (authentication) -> {
RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes) requestAttributes;
AuthenticationManager authenticationManager = authenticationManagerResolver
.resolve(servletRequestAttributes.getRequest());
return authenticationManager.authenticate(authentication);
};
}
private RequestMatcher getRequestMatcher() {
if (this.requestMatcher == null) {
this.requestMatcher = new DPoPRequestMatcher();
@@ -363,6 +363,10 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
return http.getSharedObject(AuthenticationManager.class);
}
AuthenticationManagerResolver<HttpServletRequest> getAuthenticationManagerResolver() {
return this.authenticationManagerResolver;
}
BearerTokenResolver getBearerTokenResolver() {
if (this.bearerTokenResolver == null) {
if (this.context.getBeanNamesForType(BearerTokenResolver.class).length > 0) {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -18,12 +18,12 @@ package org.springframework.security.config.web.server;
import java.util.Collections;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import reactor.core.publisher.Mono;
import org.springframework.core.ResolvableType;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.codec.EncoderHttpMessageWriter;
import org.springframework.http.codec.HttpMessageWriter;
@@ -47,6 +47,7 @@ import org.springframework.web.server.WebFilterChain;
* A filter for the Client-side OIDC Back-Channel Logout endpoint
*
* @author Josh Cummings
* @author Andrey Litvitski
* @since 6.2
* @see <a target="_blank" href=
* "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
@@ -108,7 +109,7 @@ class OidcBackChannelLogoutWebFilter implements WebFilter {
private Mono<Void> handleAuthenticationFailure(ServerWebExchange exchange, Exception ex) {
this.logger.debug("Failed to process OIDC Back-Channel Logout", ex);
exchange.getResponse().setRawStatusCode(HttpServletResponse.SC_BAD_REQUEST);
exchange.getResponse().setRawStatusCode(HttpStatus.BAD_REQUEST.value());
return this.errorHttpMessageConverter.write(Mono.just(oauth2Error(ex)), ResolvableType.forClass(Object.class),
ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, exchange.getRequest(),
exchange.getResponse(), Collections.emptyMap());
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,13 +22,13 @@ import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import reactor.core.publisher.Mono;
import org.springframework.core.ResolvableType;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.http.codec.EncoderHttpMessageWriter;
@@ -54,7 +54,8 @@ import org.springframework.web.util.UriComponentsBuilder;
* Back-Channel Logout Token and invalidates each one.
*
* @author Josh Cummings
* @since 6.4
* @author Andrey Litvitski
* @since 6.2
* @see <a target="_blank" href=
* "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
* Spec</a>
@@ -170,7 +171,7 @@ public final class OidcBackChannelServerLogoutHandler implements ServerLogoutHan
}
private Mono<Void> handleLogoutFailure(ServerWebExchange exchange, OAuth2Error error) {
exchange.getResponse().setRawStatusCode(HttpServletResponse.SC_BAD_REQUEST);
exchange.getResponse().setRawStatusCode(HttpStatus.BAD_REQUEST.value());
return this.errorHttpMessageConverter.write(Mono.just(error), ResolvableType.forClass(Object.class),
ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, exchange.getRequest(),
exchange.getResponse(), Collections.emptyMap());
@@ -88,6 +88,7 @@ import org.springframework.security.config.annotation.method.configuration.Enabl
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
@@ -2532,7 +2533,9 @@ public class OAuth2ResourceServerConfigurerTests {
// @formatter:off
http
.oauth2ResourceServer()
.authenticationManagerResolver(authenticationManagerResolver);
.authenticationManagerResolver(authenticationManagerResolver)
.and()
.anonymous(AbstractHttpConfigurer::disable);
return http.build();
// @formatter:on
}
+2
View File
@@ -16,3 +16,5 @@ asciidoc:
gh-old-samples-url: 'https://github.com/spring-projects/spring-security/tree/5.4.x/samples'
gh-samples-url: "https://github.com/spring-projects/spring-security-samples/tree/{gh-tag}"
gh-url: "https://github.com/spring-projects/spring-security/tree/{gh-tag}"
include-java: 'example$docs-src/test/java/org/springframework/security/docs'
include-kotlin: 'example$docs-src/test/kotlin/org/springframework/security/kt/docs'
+1
View File
@@ -0,0 +1 @@
../../../src
@@ -29,30 +29,7 @@ In this case, the `Filter` typically writes the `HttpServletResponse`.
The power of the `Filter` comes from the `FilterChain` that is passed into it.
.`FilterChain` Usage Example
[tabs]
======
Java::
+
[source,java,role="primary"]
----
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
// do something before the rest of the application
chain.doFilter(request, response); // invoke the rest of the application
// do something after the rest of the application
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
fun doFilter(request: ServletRequest, response: ServletResponse, chain: FilterChain) {
// do something before the rest of the application
chain.doFilter(request, response) // invoke the rest of the application
// do something after the rest of the application
}
----
======
include-code::./FilterChainUsage[tag=dofilter,indent=0]
Since a `Filter` impacts only downstream `Filter` instances and the `Servlet`, the order in which each `Filter` is invoked is extremely important.
@@ -589,6 +589,13 @@ public class MaximumSessionsPreventLoginTests {
If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
You can try it using the {gh-samples-url}/servlet/spring-boot/java/session-management/maximum-sessions-prevent-login[Maximum Sessions Prevent Login sample].
[NOTE]
=====
If you are using a custom implementation of `UserDetails`, ensure you override the **equals()** and **hashCode()** methods.
The default `SessionRegistry` implementation in Spring Security relies on an in-memory Map that uses these methods to correctly identify and manage user sessions.
Failing to override them may lead to issues where session tracking and user comparison behave unexpectedly.
=====
== Detecting Timeouts
Sessions expire on their own, and there is nothing that needs to be done to ensure that a security context gets removed.
+29
View File
@@ -1,7 +1,10 @@
import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
plugins {
id 'org.antora' version '1.0.0'
id 'io.spring.antora.generate-antora-yml' version '0.0.1'
id 'io.spring.convention.repository'
id 'kotlin'
}
apply plugin: 'io.spring.convention.docs'
@@ -33,10 +36,23 @@ tasks.register("generateAntoraResources") {
dependencies {
testImplementation platform(project(':spring-security-dependencies'))
testImplementation project(':spring-security-config')
testImplementation project(path : ':spring-security-config', configuration : 'tests')
testImplementation project(':spring-security-test')
testImplementation 'com.unboundid:unboundid-ldapsdk'
testImplementation libs.webauthn4j.core
testImplementation 'org.jetbrains.kotlin:kotlin-reflect'
testImplementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
testImplementation 'org.apache.directory.server:apacheds-core'
testImplementation 'org.springframework:spring-core'
testImplementation 'org.springframework:spring-test'
testImplementation 'org.springframework:spring-webmvc'
testImplementation 'jakarta.servlet:jakarta.servlet-api'
testImplementation "org.junit.jupiter:junit-jupiter-api"
testImplementation "org.junit.jupiter:junit-jupiter-params"
testImplementation "org.junit.jupiter:junit-jupiter-engine"
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
}
def generateAttributes() {
@@ -78,3 +94,16 @@ def resolvedVersions(Configuration configuration) {
.resolvedArtifacts
.collectEntries { [(it.name + '-version'): it.moduleVersion.id.version] }
}
test {
useJUnitPlatform()
}
tasks.withType(KotlinCompile).configureEach {
kotlinOptions {
languageVersion = "1.7"
apiVersion = "1.7"
freeCompilerArgs = ["-Xjsr305=strict", "-Xsuppress-version-warnings"]
jvmTarget = "17"
}
}
@@ -0,0 +1,42 @@
/*
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.docs.servlet.servletfiltersreview;
import java.io.IOException;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
/**
* Demos FilterChain Usage.
* @author Rob Winch
*/
public class FilterChainUsage implements Filter {
// tag::dofilter[]
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// do something before the rest of the application
chain.doFilter(request, response); // invoke the rest of the application
// do something after the rest of the application
}
// end::dofilter[]
}
@@ -0,0 +1,37 @@
/*
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.kt.docs.servlet.servletfiltersreview
import jakarta.servlet.*
import java.io.IOException
/**
* Demos FilterChain Usage.
* @author Rob Winch
*/
class FilterChainUsage : Filter {
// tag::dofilter[]
@Throws(IOException::class, ServletException::class)
override fun doFilter(request: ServletRequest?, response: ServletResponse?, chain: FilterChain) {
// do something before the rest of the application
chain.doFilter(request, response) // invoke the rest of the application
// do something after the rest of the application
}
// end::dofilter[]
}
+1 -1
View File
@@ -14,7 +14,7 @@
# limitations under the License.
#
springBootVersion=3.3.3
version=6.5.0
version=6.5.1
samplesBranch=main
org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
org.gradle.parallel=true
+7 -7
View File
@@ -1,7 +1,7 @@
[versions]
com-squareup-okhttp3 = "3.14.9"
io-rsocket = "1.1.5"
io-spring-javaformat = "0.0.43"
io-spring-javaformat = "0.0.46"
io-spring-nohttp = "0.0.11"
jakarta-websocket = "2.2.0"
org-apache-directory-server = "1.5.5"
@@ -18,7 +18,7 @@ org-springframework = "6.2.7"
[libraries]
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.18"
com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.18.4"
com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.18.4.1"
com-google-inject-guice = "com.google.inject:guice:3.0"
com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0"
com-nimbusds-nimbus-jose-jwt = "com.nimbusds:nimbus-jose-jwt:9.37.3"
@@ -29,9 +29,9 @@ com-unboundid-unboundid-ldapsdk = "com.unboundid:unboundid-ldapsdk:6.0.11"
com-unboundid-unboundid-ldapsdk7 = "com.unboundid:unboundid-ldapsdk:7.0.1"
commons-collections = "commons-collections:commons-collections:3.2.2"
io-micrometer-context-propagation = "io.micrometer:context-propagation:1.1.3"
io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.14.7"
io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.14.8"
io-mockk = "io.mockk:mockk:1.14.2"
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.18"
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.19"
io-rsocket-rsocket-bom = { module = "io.rsocket:rsocket-bom", version.ref = "io-rsocket" }
io-spring-javaformat-spring-javaformat-checkstyle = { module = "io.spring.javaformat:spring-javaformat-checkstyle", version.ref = "io-spring-javaformat" }
io-spring-javaformat-spring-javaformat-gradle-plugin = { module = "io.spring.javaformat:spring-javaformat-gradle-plugin", version.ref = "io-spring-javaformat" }
@@ -57,7 +57,7 @@ org-apache-directory-server-apacheds-protocol-shared = { module = "org.apache.di
org-apache-directory-server-apacheds-server-jndi = { module = "org.apache.directory.server:apacheds-server-jndi", version.ref = "org-apache-directory-server" }
org-apache-directory-shared-shared-ldap = "org.apache.directory.shared:shared-ldap:0.9.15"
org-apache-httpcomponents-httpclient = "org.apache.httpcomponents:httpclient:4.5.14"
org-apache-maven-maven-resolver-provider = "org.apache.maven:maven-resolver-provider:3.9.9"
org-apache-maven-maven-resolver-provider = "org.apache.maven:maven-resolver-provider:3.9.10"
org-apache-maven-resolver-maven-resolver-connector-basic = { module = "org.apache.maven.resolver:maven-resolver-connector-basic", version.ref = "org-apache-maven-resolver" }
org-apache-maven-resolver-maven-resolver-impl = { module = "org.apache.maven.resolver:maven-resolver-impl", version.ref = "org-apache-maven-resolver" }
org-apache-maven-resolver-maven-resolver-transport-http = { module = "org.apache.maven.resolver:maven-resolver-transport-http", version.ref = "org-apache-maven-resolver" }
@@ -71,7 +71,7 @@ org-bouncycastle-bcprov-jdk15on = { module = "org.bouncycastle:bcprov-jdk18on",
org-eclipse-jetty-jetty-server = { module = "org.eclipse.jetty:jetty-server", version.ref = "org-eclipse-jetty" }
org-eclipse-jetty-jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet", version.ref = "org-eclipse-jetty" }
org-hamcrest = "org.hamcrest:hamcrest:2.2"
org-hibernate-orm-hibernate-core = "org.hibernate.orm:hibernate-core:6.6.15.Final"
org-hibernate-orm-hibernate-core = "org.hibernate.orm:hibernate-core:6.6.17.Final"
org-hsqldb = "org.hsqldb:hsqldb:2.7.4"
org-jetbrains-kotlin-kotlin-bom = { module = "org.jetbrains.kotlin:kotlin-bom", version.ref = "org-jetbrains-kotlin" }
org-jetbrains-kotlin-kotlin-gradle-plugin = "org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.25"
@@ -108,7 +108,7 @@ org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-inf
org-sonarsource-scanner-gradle-sonarqube-gradle-plugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.8.0.1969"
org-instancio-instancio-junit = "org.instancio:instancio-junit:3.7.1"
webauthn4j-core = 'com.webauthn4j:webauthn4j-core:0.29.2.RELEASE'
webauthn4j-core = 'com.webauthn4j:webauthn4j-core:0.29.3.RELEASE'
[plugins]
+1 -1
View File
@@ -5,7 +5,7 @@ pluginManagement {
}
plugins {
id "io.spring.develocity.conventions" version "0.0.22"
id "io.spring.develocity.conventions" version "0.0.23"
}
dependencyResolutionManagement {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -64,6 +64,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
* </ul>
*
* @author Sergey Bespalov
* @author Andrey Litvitski
* @since 5.2.0
*/
public class AuthenticationFilter extends OncePerRequestFilter {
@@ -193,6 +194,15 @@ public class AuthenticationFilter extends OncePerRequestFilter {
}
}
@Override
protected String getAlreadyFilteredAttributeName() {
String name = getFilterName();
if (name == null) {
name = getClass().getName().concat("-" + System.identityHashCode(this));
}
return name + ALREADY_FILTERED_SUFFIX;
}
private void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failed) throws IOException, ServletException {
this.securityContextHolderStrategy.clearContext();
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -75,6 +75,7 @@ public final class ClearSiteDataHeaderWriter implements HeaderWriter {
if (!response.containsHeader(CLEAR_SITE_DATA_HEADER)) {
response.setHeader(CLEAR_SITE_DATA_HEADER, this.headerValue);
}
return;
}
this.logger.debug(
LogMessage.format("Not injecting Clear-Site-Data header since it did not match the requestMatcher %s",
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
package org.springframework.security.web.authentication;
import jakarta.servlet.FilterChain;
import jakarta.servlet.Servlet;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
@@ -57,6 +58,7 @@ import static org.mockito.Mockito.verifyNoMoreInteractions;
/**
* @author Sergey Bespalov
* @author Andrey Litvitski
* @since 5.2.0
*/
@ExtendWith(MockitoExtension.class)
@@ -318,4 +320,18 @@ public class AuthenticationFilterTests {
assertThat(securityContextArg.getValue().getAuthentication()).isEqualTo(authentication);
}
@Test
public void filterWhenMultipleInChainThenAllFiltered() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
MockHttpServletResponse response = new MockHttpServletResponse();
AuthenticationFilter filter1 = new AuthenticationFilter(this.authenticationManager,
this.authenticationConverter);
AuthenticationConverter converter2 = mock(AuthenticationConverter.class);
AuthenticationFilter filter2 = new AuthenticationFilter(this.authenticationManager, converter2);
FilterChain chain = new MockFilterChain(mock(Servlet.class), filter1, filter2);
chain.doFilter(request, response);
verify(this.authenticationConverter).convert(any());
verify(converter2).convert(any());
}
}