1
0
mirror of synced 2026-07-08 20:30:04 +00:00

Compare commits

...

172 Commits

Author SHA1 Message Date
github-actions[bot] ffe73b4920 Release 7.0.3 2026-02-13 15:26:51 +00:00
Joe Grandja f0ffda89e0 Update to spring-data-bom 2025.1.3
Closes gh-18735
2026-02-13 08:18:47 -05:00
dependabot[bot] 746c6e124e Bump org.springframework:spring-framework-bom from 7.0.3 to 7.0.4
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 7.0.3 to 7.0.4.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v7.0.3...v7.0.4)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 7.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-13 06:48:23 -05:00
dependabot[bot] 123a2d79cf Bump io.projectreactor:reactor-bom from 2025.0.2 to 2025.0.3
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2025.0.2 to 2025.0.3.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2025.0.2...2025.0.3)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2025.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-13 06:40:14 -05:00
dependabot[bot] 0c3e483432 Bump org.springframework.ldap:spring-ldap-core from 4.0.1 to 4.0.2
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 4.0.1 to 4.0.2.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/4.0.1...4.0.2)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 4.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-13 06:31:35 -05:00
Josh Cummings b804da974d Update Test to Align with webauthn4j
The latest webauthn4j exposes Jackson 3 instead of Jackson 2,
as such this test now uses Jackson 3 where needed.

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-12 16:45:13 -07:00
dependabot[bot] b9bb5e0b52 Bump com.webauthn4j:webauthn4j-core
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.7.RELEASE to 0.31.0.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.7.RELEASE...0.31.0.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.31.0.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-12 16:45:13 -07:00
Josh Cummings 4fd8e1d596 Remove Trailing Bytes from AttestationStatement
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-12 16:45:13 -07:00
Josh Cummings c59fb0cd35 Add Jackson 2 Databind as Optional Dependency
Since spring-security-webauthn has Jackson 2 Mixins, it would
be clearer to set Jackson 2 explicitly as an optional dependency

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-12 16:45:13 -07:00
dependabot[bot] 50aba3aaf3 Bump io.spring.gradle:spring-security-release-plugin
Bumps [io.spring.gradle:spring-security-release-plugin](https://github.com/spring-io/spring-security-release-tools) from 1.0.13 to 1.0.14.
- [Release notes](https://github.com/spring-io/spring-security-release-tools/releases)
- [Changelog](https://github.com/spring-io/spring-security-release-tools/blob/main/RELEASE.adoc)
- [Commits](https://github.com/spring-io/spring-security-release-tools/compare/v1.0.13...v1.0.14)

---
updated-dependencies:
- dependency-name: io.spring.gradle:spring-security-release-plugin
  dependency-version: 1.0.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-12 10:35:14 -07:00
Josh Cummings 6cbbf6c561 Merge branch '6.5.x' into 7.0.x 2026-02-12 10:27:46 -07:00
Josh Cummings 10cb6f7003 Update spring-security-release-tools 1.0.14 2026-02-12 10:25:47 -07:00
Josh Cummings 252c69460e Merge remote-tracking branch 'origin/6.5.x' into 7.0.x 2026-02-10 13:41:29 -07:00
dependabot[bot] 3131642aae Bump io.micrometer:context-propagation from 1.1.3 to 1.1.4
Bumps [io.micrometer:context-propagation](https://github.com/micrometer-metrics/context-propagation) from 1.1.3 to 1.1.4.
- [Release notes](https://github.com/micrometer-metrics/context-propagation/releases)
- [Commits](https://github.com/micrometer-metrics/context-propagation/compare/v1.1.3...v1.1.4)

---
updated-dependencies:
- dependency-name: io.micrometer:context-propagation
  dependency-version: 1.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 13:41:09 -07:00
dependabot[bot] 552d8d1d29 Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.28 to 1.5.29.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.28...v_1.5.29)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.29
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 13:39:59 -07:00
dependabot[bot] f240f29433 Bump gradle-wrapper from 8.14 to 8.14.4
Bumps gradle-wrapper from 8.14 to 8.14.4.

---
updated-dependencies:
- dependency-name: gradle-wrapper
  dependency-version: 8.14.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 13:39:38 -07:00
dependabot[bot] 06caf327c1 Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5
Bumps [jakarta.xml.bind:jakarta.xml.bind-api](https://github.com/jakartaee/jaxb-api) from 4.0.4 to 4.0.5.
- [Release notes](https://github.com/jakartaee/jaxb-api/releases)
- [Commits](https://github.com/jakartaee/jaxb-api/compare/4.0.4...4.0.5)

---
updated-dependencies:
- dependency-name: jakarta.xml.bind:jakarta.xml.bind-api
  dependency-version: 4.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 10:47:51 -07:00
dependabot[bot] 4cc6687916 Bump io.micrometer:context-propagation from 1.1.3 to 1.1.4
Bumps [io.micrometer:context-propagation](https://github.com/micrometer-metrics/context-propagation) from 1.1.3 to 1.1.4.
- [Release notes](https://github.com/micrometer-metrics/context-propagation/releases)
- [Commits](https://github.com/micrometer-metrics/context-propagation/compare/v1.1.3...v1.1.4)

---
updated-dependencies:
- dependency-name: io.micrometer:context-propagation
  dependency-version: 1.1.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 10:47:18 -07:00
dependabot[bot] 108dc5996b Bump gradle-wrapper from 8.14 to 8.14.4
Bumps gradle-wrapper from 8.14 to 8.14.4.

---
updated-dependencies:
- dependency-name: gradle-wrapper
  dependency-version: 8.14.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 10:40:49 -07:00
dependabot[bot] 8c3453dfd2 Bump ch.qos.logback:logback-classic from 1.5.28 to 1.5.29
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.28 to 1.5.29.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.28...v_1.5.29)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.29
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-10 10:40:25 -07:00
Robert Winch ce963c744c Merge Remove unnecessary Gradle wrapper from buildSrc
Closes gh-18693
2026-02-06 13:08:41 -06:00
Robert Winch 1efacf1ad8 Remove unnecessary Gradle wrapper from buildSrc
buildSrc does not need its own Gradle wrapper and should use
the parent project's wrapper. Having a separate wrapper causes
Dependabot to detect and attempt to update it independently,
creating confusion and unnecessary PRs.

Closes gh-18692
2026-02-06 13:06:17 -06:00
Robert Winch 71a10cef0b Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22 2026-02-06 12:14:22 -06:00
Robert Winch 784e6efcf5 Bump io.mockk:mockk from 1.14.7 to 1.14.9 2026-02-06 12:14:19 -06:00
Robert Winch 1caefd748b Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 2026-02-06 12:14:15 -06:00
Robert Winch b427587d27 Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 2026-02-06 12:14:12 -06:00
Robert Winch 832635c9e8 Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.28 2026-02-06 12:14:09 -06:00
Robert Winch e45258a8bc Merge branch '6.5.x' into 7.0.x 2026-02-06 12:13:35 -06:00
dependabot[bot] fa7c6ea583 Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22
Bumps [spring-io/spring-doc-actions](https://github.com/spring-io/spring-doc-actions) from 0.0.20 to 0.0.22.
- [Commits](https://github.com/spring-io/spring-doc-actions/compare/e28269199d1d27975cf7f65e16d6095c555b3cd0...415e2b11a766ba64799fffb5c97a4f7e17f677cf)

---
updated-dependencies:
- dependency-name: spring-io/spring-doc-actions
  dependency-version: 0.0.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 12:12:57 -06:00
dependabot[bot] 3841e0f6b3 Bump jakarta.xml.bind:jakarta.xml.bind-api from 4.0.4 to 4.0.5
Bumps [jakarta.xml.bind:jakarta.xml.bind-api](https://github.com/jakartaee/jaxb-api) from 4.0.4 to 4.0.5.
- [Release notes](https://github.com/jakartaee/jaxb-api/releases)
- [Commits](https://github.com/jakartaee/jaxb-api/compare/4.0.4...4.0.5)

---
updated-dependencies:
- dependency-name: jakarta.xml.bind:jakarta.xml.bind-api
  dependency-version: 4.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 12:12:56 -06:00
Robert Winch 50fad46df6 Bump @antora/atlas-extension in /docs
---
updated-dependencies:
- dependency-name: "@antora/atlas-extension"
  dependency-version: 1.0.0-alpha.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 12:12:48 -06:00
dependabot[bot] e28eea208b Bump @springio/antora-extensions from 1.14.4 to 1.14.7 in /docs
Bumps [@springio/antora-extensions](https://github.com/spring-io/antora-extensions) from 1.14.4 to 1.14.7.
- [Changelog](https://github.com/spring-io/antora-extensions/blob/main/CHANGELOG.adoc)
- [Commits](https://github.com/spring-io/antora-extensions/compare/v1.14.4...v1.14.7)

---
updated-dependencies:
- dependency-name: "@springio/antora-extensions"
  dependency-version: 1.14.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 12:11:58 -06:00
dependabot[bot] f646392542 Bump @antora/collector-extension from 1.0.1 to 1.0.2 in /docs
---
updated-dependencies:
- dependency-name: "@antora/collector-extension"
  dependency-version: 1.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 12:11:57 -06:00
dependabot[bot] ffeda7a1b3 Bump ch.qos.logback:logback-classic from 1.5.27 to 1.5.28
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.27 to 1.5.28.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.27...v_1.5.28)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 12:11:57 -06:00
dependabot[bot] c85e7a0828 Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.28
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.24 to 1.5.28.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.24...v_1.5.28)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 17:54:04 +00:00
dependabot[bot] 14cf90a7b9 Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25
Bumps [io.spring.develocity.conventions](https://github.com/spring-io/develocity-conventions) from 0.0.24 to 0.0.25.
- [Release notes](https://github.com/spring-io/develocity-conventions/releases)
- [Commits](https://github.com/spring-io/develocity-conventions/compare/v0.0.24...v0.0.25)

---
updated-dependencies:
- dependency-name: io.spring.develocity.conventions
  dependency-version: 0.0.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 17:53:25 +00:00
dependabot[bot] 729e58b9de Bump org.assertj:assertj-core from 3.27.6 to 3.27.7
Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.6 to 3.27.7.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.6...assertj-build-3.27.7)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 17:53:06 +00:00
dependabot[bot] 5c678bd78a Bump io.mockk:mockk from 1.14.7 to 1.14.9
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.7 to 1.14.9.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.7...1.14.9)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 17:52:45 +00:00
dependabot[bot] 52ca16fa4b Bump antora from 3.2.0-alpha.8 to 3.2.0-alpha.11 in /docs
Bumps [antora](https://gitlab.com/antora/antora) from 3.2.0-alpha.8 to 3.2.0-alpha.11.
- [Changelog](https://gitlab.com/antora/antora/blob/main/CHANGELOG.adoc)
- [Commits](https://gitlab.com/antora/antora/compare/v3.2.0-alpha.8...v3.2.0-alpha.11)

---
updated-dependencies:
- dependency-name: antora
  dependency-version: 3.2.0-alpha.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 17:52:25 +00:00
Robert Winch 31993e72ea Update to Spring Framework 7.0.3 2026-02-06 09:24:43 -06:00
Robert Winch 0bd3aa9a02 Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2 2026-02-06 09:02:42 -06:00
Robert Winch dc7edcaf95 Bump org.springframework:spring-framework-bom from 7.0.3-SNAPSHOT to 7.0.4-SNAPSHOT 2026-02-06 09:02:35 -06:00
Robert Winch 310abcf23b Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2 2026-02-06 09:02:29 -06:00
Robert Winch 5807da104b Bump tools.jackson:jackson-bom from 3.0.3 to 3.0.4 2026-02-06 09:02:23 -06:00
Robert Winch 24e5f2f910 Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2 2026-02-06 09:02:15 -06:00
dependabot[bot] 4f8fcea4de Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2025.1.1 to 2025.1.2.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2025.1.1...2025.1.2)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2025.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 09:00:01 -06:00
dependabot[bot] 659aedbe96 Bump org.springframework:spring-framework-bom
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 7.0.3-SNAPSHOT to 7.0.4-SNAPSHOT.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/commits)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 7.0.4-SNAPSHOT
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 09:00:01 -06:00
dependabot[bot] d589707385 Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2025.0.1 to 2025.0.2.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2025.0.1...2025.0.2)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2025.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 09:00:01 -06:00
dependabot[bot] 4734af6856 Bump tools.jackson:jackson-bom from 3.0.3 to 3.0.4
Bumps [tools.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 3.0.3 to 3.0.4.
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-3.0.3...jackson-bom-3.0.4)

---
updated-dependencies:
- dependency-name: tools.jackson:jackson-bom
  dependency-version: 3.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 09:00:01 -06:00
dependabot[bot] ac09b73725 Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2
Bumps [com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 2.20.1 to 2.20.2.
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-2.20.1...jackson-bom-2.20.2)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.20.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-06 09:00:01 -06:00
Vincent Stradiot 075c48c0d8 Fix typo in documentation
Signed-off-by: Vincent Stradiot <vincentstradiot@hotmail.com>
2026-02-05 17:22:43 -07:00
Josh Cummings 31090f7a18 Merge branch '6.5.x' into 7.0.x 2026-02-05 16:58:16 -07:00
Josh Cummings 447e76bd06 Update to actions/checkout 6.0.2 2026-02-05 16:57:30 -07:00
dependabot[bot] dfde3295cd Bump com.fasterxml.jackson:jackson-bom from 2.20.1 to 2.20.2
Bumps [com.fasterxml.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 2.20.1 to 2.20.2.
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-2.20.1...jackson-bom-2.20.2)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson:jackson-bom
  dependency-version: 2.20.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-05 23:47:35 +00:00
dependabot[bot] 32b60e0f26 Bump tools.jackson:jackson-bom from 3.0.3 to 3.0.4
Bumps [tools.jackson:jackson-bom](https://github.com/FasterXML/jackson-bom) from 3.0.3 to 3.0.4.
- [Commits](https://github.com/FasterXML/jackson-bom/compare/jackson-bom-3.0.3...jackson-bom-3.0.4)

---
updated-dependencies:
- dependency-name: tools.jackson:jackson-bom
  dependency-version: 3.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-05 23:47:12 +00:00
dependabot[bot] 4b65d1c763 Bump io.projectreactor:reactor-bom from 2025.0.1 to 2025.0.2
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2025.0.1 to 2025.0.2.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2025.0.1...2025.0.2)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2025.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-05 23:47:05 +00:00
dependabot[bot] ce5e28e3f1 Bump org.springframework:spring-framework-bom
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 7.0.3-SNAPSHOT to 7.0.4-SNAPSHOT.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/commits)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 7.0.4-SNAPSHOT
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-05 23:46:50 +00:00
dependabot[bot] 355f6ccc64 Bump org.springframework.data:spring-data-bom from 2025.1.1 to 2025.1.2
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2025.1.1 to 2025.1.2.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2025.1.1...2025.1.2)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2025.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-05 23:46:41 +00:00
dependabot[bot] 20663e2849 Bump spring-io/spring-doc-actions from 0.0.20 to 0.0.22
Bumps [spring-io/spring-doc-actions](https://github.com/spring-io/spring-doc-actions) from 0.0.20 to 0.0.22.
- [Commits](https://github.com/spring-io/spring-doc-actions/compare/e28269199d1d27975cf7f65e16d6095c555b3cd0...415e2b11a766ba64799fffb5c97a4f7e17f677cf)

---
updated-dependencies:
- dependency-name: spring-io/spring-doc-actions
  dependency-version: 0.0.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-05 23:46:14 +00:00
Josh Cummings 41e7af70b5 Merge branch '6.5.x' into 7.0.x 2026-02-05 13:46:21 -07:00
Josh Cummings 46a9514420 Update to setup-gradle 5.0.1
note that gradle/gradle-build-action is superceded by
setup-gradle.

Issue gh-18648

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-05 13:44:02 -07:00
Josh Cummings 8432df498e Update upload-artifact to 6.0.0
Issue gh-18648

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-05 13:44:00 -07:00
Josh Cummings 63162eb5f1 Update to setup-java 5.2.0
Issue gh-18648

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-05 13:43:56 -07:00
Josh Cummings 5c3b8c513b Update spring-gradle-build-action to 2.0.5
Issue gh-18648
2026-02-05 13:43:11 -07:00
Josh Cummings d276c943fc Update actions/checkout to 6.0.2
Issue gh-18648

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-05 13:43:06 -07:00
Josh Cummings 18d9dd77ec Use SHA Hashes for spring-security-release-tools Workflows
Issue gh-18648

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
2026-02-05 13:42:22 -07:00
Joe Grandja d3c42a7a4f Polish OAuth2ConfigurerUtils 2026-02-05 04:52:02 -05:00
Joe Grandja e61c03f7c3 Fix to allow multiple PasswordEncoder beans
Closes gh-18645
2026-02-05 04:51:51 -05:00
Elayne Bloom 2c97b3376b Document Client PKCE settings
Updated the documentation to reflect recent changes to enable PKCE by default for `authorization_code` flows in the documentation for the client.

Closes gh-18304

Signed-off-by: Elayne Bloom <5840349+bloomsei@users.noreply.github.com>
2026-02-02 16:30:27 -05:00
Robert Winch 9273f411c1 Merge branch '6.5.x' into 7.0.x 2026-02-02 11:12:53 -06:00
Robert Winch d6e3ec78cd Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27 2026-02-02 11:12:18 -06:00
dependabot[bot] 48c1023fd6 Bump org.hibernate.orm:hibernate-core from 6.6.41.Final to 6.6.42.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.41.Final to 6.6.42.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.42/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.41...6.6.42)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.42.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-02 03:11:29 +00:00
dependabot[bot] 04dbdc8588 Bump ch.qos.logback:logback-classic from 1.5.26 to 1.5.27
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.26 to 1.5.27.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.26...v_1.5.27)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-02 03:11:13 +00:00
Robert Winch 6ca04d9b77 Merge branch '6.5.x' into 7.0.x 2026-01-27 11:16:43 -06:00
Robert Winch 3960bf950d Bump org.assertj:assertj-core from 3.27.6 to 3.27.7 2026-01-27 10:00:00 -06:00
Robert Winch bc6ac7c8c6 Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26 2026-01-27 09:59:50 -06:00
Robert Winch 74b93a19f6 Externalize java-toolchain configuration
We should not use subprojects to perform configuration becaause it
does not allow for lazy loading and it can cause ordering problems.
In this case, the toolchain was not being used but instead it was
using the JAVA_HOME.

By splitting the configuration into a plugin and applying it to each
project it fixes the toolchain configuration
2026-01-26 22:06:36 -06:00
Robert Winch 6dd6e8ebb1 Merge branch '6.5.x' into 7.0.x
Closes gh-18235
2026-01-26 12:06:19 -06:00
Garvit Joshi edd82ba82c gh-18234: Create SHA-1 MessageDigest for every new check request
Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
2026-01-26 11:06:25 -06:00
dependabot[bot] cf656ce6e1 Bump ch.qos.logback:logback-classic from 1.5.25 to 1.5.26
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.25 to 1.5.26.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.25...v_1.5.26)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.26
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-26 03:11:50 +00:00
dependabot[bot] f75e9c7138 Bump org.assertj:assertj-core from 3.27.6 to 3.27.7
Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.6 to 3.27.7.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.6...assertj-build-3.27.7)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-26 03:11:34 +00:00
Daniel Garnier-Moiroux 7cfcfaefae BearerTokenAuthenticationEntryPoint uses context path
Closes gh-18528

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
2026-01-23 06:27:26 -05:00
Robert Winch f7f5165321 Merge branch '6.5.x' into 7.0.x 2026-01-21 15:33:03 -06:00
Robert Winch 27f91e03f9 Bump org.hibernate.orm:hibernate-core from 6.6.40.Final to 6.6.41.Final 2026-01-21 15:32:25 -06:00
Robert Winch b7230c367e Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25 2026-01-21 15:32:20 -06:00
Robert Winch cd72cb1f2e Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25 2026-01-21 15:32:16 -06:00
Robert Winch a865671526 Merge branch '6.4.x' into 6.5.x 2026-01-21 15:31:53 -06:00
Robert Winch 4f52b71be8 Bump org.hibernate.orm:hibernate-core from 6.6.40.Final to 6.6.41.Final 2026-01-21 15:31:04 -06:00
Robert Winch 398430f672 Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25 2026-01-21 15:30:50 -06:00
dependabot[bot] 03b3b852f5 Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25
Bumps [io.spring.develocity.conventions](https://github.com/spring-io/develocity-conventions) from 0.0.24 to 0.0.25.
- [Release notes](https://github.com/spring-io/develocity-conventions/releases)
- [Commits](https://github.com/spring-io/develocity-conventions/compare/v0.0.24...v0.0.25)

---
updated-dependencies:
- dependency-name: io.spring.develocity.conventions
  dependency-version: 0.0.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-21 03:08:52 +00:00
dependabot[bot] e54bb9f3f5 Bump io.spring.develocity.conventions from 0.0.24 to 0.0.25
Bumps [io.spring.develocity.conventions](https://github.com/spring-io/develocity-conventions) from 0.0.24 to 0.0.25.
- [Release notes](https://github.com/spring-io/develocity-conventions/releases)
- [Commits](https://github.com/spring-io/develocity-conventions/compare/v0.0.24...v0.0.25)

---
updated-dependencies:
- dependency-name: io.spring.develocity.conventions
  dependency-version: 0.0.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-21 03:06:52 +00:00
dependabot[bot] 30be114a5e Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.24 to 1.5.25.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.24...v_1.5.25)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-19 03:22:36 +00:00
dependabot[bot] 75121bf455 Bump org.hibernate.orm:hibernate-core from 6.6.40.Final to 6.6.41.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.40.Final to 6.6.41.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.41/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.40...6.6.41)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.41.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-19 03:22:23 +00:00
dependabot[bot] aa21e62fb8 Bump ch.qos.logback:logback-classic from 1.5.24 to 1.5.25
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.24 to 1.5.25.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.24...v_1.5.25)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-19 03:21:35 +00:00
dependabot[bot] b58187082a Bump org.hibernate.orm:hibernate-core from 6.6.40.Final to 6.6.41.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.40.Final to 6.6.41.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.41/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.40...6.6.41)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.41.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-19 03:21:26 +00:00
Robert Winch bd3441caac Merge branch '6.5.x' into 7.0.x 2026-01-16 15:18:39 -06:00
Robert Winch 8879aa83a3 Bump io.projectreactor:reactor-bom from 2024.0.13 to 2024.0.14 2026-01-16 15:17:34 -06:00
Josh Cummings 1f39a3dd3e Merge branch '6.5.x' into 7.0.x 2026-01-15 12:41:22 -07:00
Josh Cummings 84b124d29d Merge branch '6.4.x' into 6.5.x 2026-01-15 12:41:16 -07:00
songhee fee6a9bb0e docs: add CurrentSecurityContext section and link references
Signed-off-by: songhee <songhee9327@gmail.com>
2026-01-15 12:31:58 -07:00
Josh Cummings d2ed8321b4 Merge branch '6.5.x' into 7.0.x 2026-01-14 14:46:36 -07:00
Guillaume Husta dd1f097131 Add @FunctionalInterface to RequestMatcher
Add `@FunctionalInterface` to `RequestMatcher`.

According to the documentation, it is a FunctionalInterface.

See: https://docs.spring.io/spring-security/reference/6.5/servlet/authorization/authorize-http-requests.html#match-by-custom

Signed-off-by: Guillaume Husta <guillaume.husta@gmail.com>
2026-01-14 14:45:22 -07:00
Josh Cummings 7690c284c0 Merge branch '6.5.x' into 7.0.x 2026-01-14 14:35:59 -07:00
Guillaume Husta 508b3f26e3 docs: Typo in page Preparing for 7.0 / Web (version 6.5)
In section 'Include the Servlet Path Prefix in Authorization Rules', `PathPatternRequestParser` should be replaced by `PathPatternRequestMatcher`.

Signed-off-by: Guillaume Husta <guillaume.husta@gmail.com>
2026-01-14 14:35:26 -07:00
dependabot[bot] f2e674ff77 Bump io.projectreactor:reactor-bom from 2024.0.13 to 2024.0.14
Bumps [io.projectreactor:reactor-bom](https://github.com/reactor/reactor) from 2024.0.13 to 2024.0.14.
- [Release notes](https://github.com/reactor/reactor/releases)
- [Commits](https://github.com/reactor/reactor/compare/2024.0.13...2024.0.14)

---
updated-dependencies:
- dependency-name: io.projectreactor:reactor-bom
  dependency-version: 2024.0.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-14 03:08:22 +00:00
Robert Winch 7fcbf642b8 Use project.artifactory(Username|Password) 2026-01-12 16:05:38 -06:00
Robert Winch a32d9f04e3 Revert "Use project.artifactory(Username|Password)"
This reverts commit 9c449000dc.
2026-01-12 16:04:56 -06:00
Robert Winch 9c449000dc Use project.artifactory(Username|Password) 2026-01-12 15:48:47 -06:00
Robert Winch 63c99b9438 Revert "Update to 7.1.0-SNAPSHOT"
This reverts commit b77ea8d3a3.
2026-01-12 14:31:57 -06:00
Pavel Vassiliev 641d8a362b Fix Gradle 9.0 deprecations
This commit addresses several build warnings and errors to prepare for
Gradle 9.0 and resolve static analysis issues.
Closes: gh-18472
Signed-off-by: Pavel Vassiliev <paulvas@gmail.com>

Signed-off-by: Pavel Vassiliev <paulvas@gmail.com>
2026-01-12 13:43:16 -06:00
Andrey Litvitski 13f6286e04 Use DefaultParameterNameDiscoverer#getSharedInstance
Closes: gh-18330

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2026-01-12 13:37:32 -06:00
Robert Winch b77ea8d3a3 Update to 7.1.0-SNAPSHOT 2026-01-12 13:37:32 -06:00
Fr05ty-hub e9a92a8e9a Replacing use of deprecated 'check' in authorization documentation
check() was deprecated in Spring Security 7, but is referenced in documentation

Signed-off-by: Fr05ty-hub <frostylucas@gmail.com>
2026-01-09 15:27:00 -06:00
Fr05ty-hub ed774d3595 Replacing use of deprecated 'check' in authorization documentation
check() was deprecated in Spring Security 7, but was referenced in documentation

Signed-off-by: Fr05ty-hub <frostylucas@gmail.com>
2026-01-09 15:27:00 -06:00
Robert Winch eb5cc89c69 Merge branch '6.5.x' into 7.0.x 2026-01-09 15:24:51 -06:00
Robert Winch d6f8a2e928 Merge branch '6.5.x' into 7.0.x 2026-01-09 15:23:06 -06:00
Robert Winch 6a47b5d573 Merge branch '6.4.x' into 6.5.x 2026-01-09 15:22:39 -06:00
github-actions[bot] e588a3528f Update Antora Spring UI to v0.4.25 2026-01-09 15:22:22 -06:00
github-actions[bot] 7ea5be4b98 Update Antora Spring UI to v0.4.25 2026-01-09 15:21:48 -06:00
Robert Winch 2344fe5ebb Use proper xref syntax
Incldue the required resource id and required # of the fragment.

See

- https://docs.antora.org/antora/latest/page/xref/#xref-macro
- https://docs.antora.org/antora/latest/page/resource-id-coordinates/#id-resource
2026-01-09 09:21:02 -06:00
Tran Ngoc Nhan ba18f681e5 Use xref anchor id
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-01-09 09:21:02 -06:00
Tran Ngoc Nhan 3d9bc6a5cf Update mfa.adoc
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-01-09 09:21:02 -06:00
Martin Boulais 1d8ea63a9e Fix typo in HTTP Basic Auth Provider documentation
The documentation states that setting the header `X-Requested-By` will remove the `WWW-Authenticate` header from the response.
However, after testing this and reading the library code it looks like the header to set is `X-Requested-With` (X-Requested-By is mentioned nowhere except in this documentation file), so I propose this simple PR to fix this.

Signed-off-by: Martin Boulais <31805063+martinboulais@users.noreply.github.com>
2026-01-08 13:59:34 -06:00
Tran Ngoc Nhan d20c88ecef Format code
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-01-08 13:35:43 -06:00
Tran Ngoc Nhan 79815e044e Fix typos
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
2026-01-08 13:35:43 -06:00
Rob Winch 04bba36ee5 Update supported branches in workflow file
Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com>
2026-01-08 13:05:45 -06:00
Robert Winch 5bb99b654f Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.5.2 2026-01-08 13:02:42 -06:00
Robert Winch 37c15f3b81 Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 2026-01-08 13:02:37 -06:00
Robert Winch 0b4dcc4328 Bump org.junit:junit-bom from 6.0.1 to 6.0.2 2026-01-08 13:02:32 -06:00
Robert Winch c09549970f Merge branch '6.5.x' 2026-01-08 13:01:08 -06:00
Robert Winch e7ba153d5d Bump org.hibernate.orm:hibernate-core from 6.6.39.Final to 6.6.40.Final 2026-01-08 13:00:49 -06:00
Robert Winch 05518f3402 Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 2026-01-08 13:00:44 -06:00
Robert Winch ffa2c195d8 Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24 2026-01-08 13:00:40 -06:00
Robert Winch 8901fe3d04 Merge branch '6.5.x' 2026-01-08 12:59:07 -06:00
Robert Winch e1256d1d2f Merge branch '6.4.x' into 6.5.x 2026-01-08 12:58:55 -06:00
Robert Winch 334df75c39 Bump org.hibernate.orm:hibernate-core from 6.6.39.Final to 6.6.40.Final 2026-01-08 12:58:34 -06:00
Robert Winch 11b601159d Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12 2026-01-08 12:58:25 -06:00
dependabot[bot] c77f42e80f Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.22 to 1.5.24.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.22...v_1.5.24)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-07 03:27:07 +00:00
dependabot[bot] 8521b7d5a6 Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.22 to 1.5.24.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.22...v_1.5.24)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-07 03:21:38 +00:00
dependabot[bot] 7af927ead4 Bump org.junit:junit-bom from 6.0.1 to 6.0.2
Bumps [org.junit:junit-bom](https://github.com/junit-team/junit-framework) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/junit-team/junit-framework/releases)
- [Commits](https://github.com/junit-team/junit-framework/compare/r6.0.1...r6.0.2)

---
updated-dependencies:
- dependency-name: org.junit:junit-bom
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-07 03:14:49 +00:00
dependabot[bot] 1529a2f5e3 Bump ch.qos.logback:logback-classic from 1.5.22 to 1.5.24
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.22 to 1.5.24.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.22...v_1.5.24)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-07 03:14:00 +00:00
Been24 beb3c78333 Replace method call with 'Builder.configureMessageConverters()'
Deprecated
since 7.0 in favor of configureMessageConverters(Consumer)

Closes gh-18378

Signed-off-by: Been24 <894661859qq@gmail.com>
2026-01-05 15:48:59 -05:00
dependabot[bot] f17a07e4c1 Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12
Bumps org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-22 03:12:20 +00:00
dependabot[bot] 687eb4faf6 Bump org.hibernate.orm:hibernate-core from 6.6.39.Final to 6.6.40.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.39.Final to 6.6.40.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.40/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.39...6.6.40)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.40.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-22 03:12:09 +00:00
dependabot[bot] 00fbe052f4 Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12
Bumps org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-22 03:10:38 +00:00
dependabot[bot] 5023cc7e4c Bump org.hibernate.orm:hibernate-core from 6.6.39.Final to 6.6.40.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.39.Final to 6.6.40.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.40/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.39...6.6.40)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.40.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-22 03:10:27 +00:00
dependabot[bot] f4bfa609ae Bump org.apache.httpcomponents.client5:httpclient5 from 5.5.1 to 5.5.2
Bumps [org.apache.httpcomponents.client5:httpclient5](https://github.com/apache/httpcomponents-client) from 5.5.1 to 5.5.2.
- [Changelog](https://github.com/apache/httpcomponents-client/blob/rel/v5.5.2/RELEASE_NOTES.txt)
- [Commits](https://github.com/apache/httpcomponents-client/compare/rel/v5.5.1...rel/v5.5.2)

---
updated-dependencies:
- dependency-name: org.apache.httpcomponents.client5:httpclient5
  dependency-version: 5.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-22 03:06:05 +00:00
dependabot[bot] 6d6552a602 Bump org-aspectj from 1.9.25 to 1.9.25.1
Bumps `org-aspectj` from 1.9.25 to 1.9.25.1.

Updates `org.aspectj:aspectjrt` from 1.9.25 to 1.9.25.1
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

Updates `org.aspectj:aspectjweaver` from 1.9.25 to 1.9.25.1
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

---
updated-dependencies:
- dependency-name: org.aspectj:aspectjrt
  dependency-version: 1.9.25.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.aspectj:aspectjweaver
  dependency-version: 1.9.25.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-19 17:13:40 -06:00
dependabot[bot] a259e49380 Bump org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12
Bumps org.apache.maven:maven-resolver-provider from 3.9.11 to 3.9.12.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-19 17:00:24 -06:00
dependabot[bot] d5b135ad0f Bump org.springframework.ldap:spring-ldap-core from 4.0.0 to 4.0.1
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/4.0.0...4.0.1)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-19 16:58:30 -06:00
dependabot[bot] 5ca0d8027d Bump org-apache-maven-resolver from 1.9.24 to 1.9.25
Bumps `org-apache-maven-resolver` from 1.9.24 to 1.9.25.

Updates `org.apache.maven.resolver:maven-resolver-connector-basic` from 1.9.24 to 1.9.25
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.24...maven-resolver-1.9.25)

Updates `org.apache.maven.resolver:maven-resolver-impl` from 1.9.24 to 1.9.25
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.24...maven-resolver-1.9.25)

Updates `org.apache.maven.resolver:maven-resolver-transport-http` from 1.9.24 to 1.9.25

---
updated-dependencies:
- dependency-name: org.apache.maven.resolver:maven-resolver-connector-basic
  dependency-version: 1.9.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-impl
  dependency-version: 1.9.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-transport-http
  dependency-version: 1.9.25
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-19 16:57:59 -06:00
github-actions[bot] ac9c0a4313 Update Antora Spring UI to v0.4.25 2025-12-19 16:57:20 -06:00
Robert Winch 8a3e6a8fda Merge branch '6.5.x' 2025-12-19 16:53:27 -06:00
Robert Winch 811be0a927 Bump org.springframework.data:spring-data-bom from 2024.1.12 to 2024.1.13 2025-12-19 16:52:57 -06:00
Robert Winch 40e11752e0 Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22 2025-12-19 16:51:50 -06:00
Robert Winch bc8d630bbc Bump org.springframework.ldap:spring-ldap-core from 3.2.15 to 3.2.16 2025-12-19 16:51:46 -06:00
Robert Winch 861c60a28f Bump org.springframework:spring-framework-bom from 6.2.14 to 6.2.15 2025-12-19 16:51:39 -06:00
Robert Winch 3cd8dc5c44 Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14 2025-12-19 16:47:42 -06:00
Robert Winch 97342f83fd Bump org.springframework.ldap:spring-ldap-core from 3.2.15 to 3.2.16 2025-12-19 16:47:19 -06:00
Robert Winch dfe062b390 Bump org.hibernate.orm:hibernate-core from 6.6.38.Final to 6.6.39.Final 2025-12-19 16:45:18 -06:00
Robert Winch 703a81390e Bump org.springframework.data:spring-data-bom from 2024.1.12 to 2024.1.13 2025-12-19 16:45:10 -06:00
dependabot[bot] 0514ee4cc5 Bump org-aspectj from 1.9.25 to 1.9.25.1
Bumps `org-aspectj` from 1.9.25 to 1.9.25.1.

Updates `org.aspectj:aspectjrt` from 1.9.25 to 1.9.25.1
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

Updates `org.aspectj:aspectjweaver` from 1.9.25 to 1.9.25.1
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

---
updated-dependencies:
- dependency-name: org.aspectj:aspectjrt
  dependency-version: 1.9.25.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.aspectj:aspectjweaver
  dependency-version: 1.9.25.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 03:15:05 +00:00
dependabot[bot] 18c4c4c528 Bump org-aspectj from 1.9.25 to 1.9.25.1
Bumps `org-aspectj` from 1.9.25 to 1.9.25.1.

Updates `org.aspectj:aspectjrt` from 1.9.25 to 1.9.25.1
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

Updates `org.aspectj:aspectjweaver` from 1.9.25 to 1.9.25.1
- [Release notes](https://github.com/eclipse/org.aspectj/releases)
- [Commits](https://github.com/eclipse/org.aspectj/commits)

---
updated-dependencies:
- dependency-name: org.aspectj:aspectjrt
  dependency-version: 1.9.25.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.aspectj:aspectjweaver
  dependency-version: 1.9.25.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-17 03:12:14 +00:00
dependabot[bot] 9fd6d54268 Bump org.springframework:spring-framework-bom from 6.2.14 to 6.2.15
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.14 to 6.2.15.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.14...v6.2.15)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-16 03:16:05 +00:00
dependabot[bot] 3f04f42abb Bump org.springframework.ldap:spring-ldap-core from 3.2.15 to 3.2.16
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.15 to 3.2.16.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.15...3.2.16)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-16 03:15:51 +00:00
dependabot[bot] f585461427 Bump ch.qos.logback:logback-classic from 1.5.21 to 1.5.22
Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.5.21 to 1.5.22.
- [Release notes](https://github.com/qos-ch/logback/releases)
- [Commits](https://github.com/qos-ch/logback/compare/v_1.5.21...v_1.5.22)

---
updated-dependencies:
- dependency-name: ch.qos.logback:logback-classic
  dependency-version: 1.5.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-16 03:15:45 +00:00
dependabot[bot] a155c035e1 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.1.12 to 2024.1.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.1.12...2024.1.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-16 03:15:13 +00:00
dependabot[bot] 6d722edab1 Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.1.12 to 2024.1.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.1.12...2024.1.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-16 03:13:17 +00:00
dependabot[bot] e712531555 Bump org.hibernate.orm:hibernate-core from 6.6.38.Final to 6.6.39.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.38.Final to 6.6.39.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.39/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.38...6.6.39)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.39.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-16 03:13:08 +00:00
dependabot[bot] 100c07de98 Bump org.springframework.ldap:spring-ldap-core from 3.2.15 to 3.2.16
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.15 to 3.2.16.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.15...3.2.16)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-16 03:12:14 +00:00
github-actions[bot] 9095a1bffd Next development version 2025-12-15 20:58:49 +00:00
dependabot[bot] 279afe3e28 Bump io.micrometer:micrometer-observation from 1.14.13 to 1.14.14
Bumps [io.micrometer:micrometer-observation](https://github.com/micrometer-metrics/micrometer) from 1.14.13 to 1.14.14.
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](https://github.com/micrometer-metrics/micrometer/compare/v1.14.13...v1.14.14)

---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-15 15:54:23 +00:00
101 changed files with 354 additions and 599 deletions
@@ -17,7 +17,7 @@ permissions:
jobs:
build:
name: Build
uses: spring-io/spring-security-release-tools/.github/workflows/build.yml@v1
uses: spring-io/spring-security-release-tools/.github/workflows/build.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
strategy:
matrix:
os: [ ubuntu-latest, windows-latest ]
@@ -30,7 +30,7 @@ jobs:
deploy-artifacts:
name: Deploy Artifacts
needs: [ build]
uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
with:
should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
default-publish-milestones-central: true
@@ -38,14 +38,14 @@ jobs:
deploy-schema:
name: Deploy Schema
needs: [ build ]
uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
with:
should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
secrets: inherit
perform-release:
name: Perform Release
needs: [ deploy-artifacts, deploy-schema ]
uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@v1
uses: spring-io/spring-security-release-tools/.github/workflows/perform-release.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
with:
should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}
project-version: ${{ needs.deploy-artifacts.outputs.project-version }}
@@ -61,6 +61,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Send Notification
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
with:
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
+1 -1
View File
@@ -17,7 +17,7 @@ jobs:
if: github.repository_owner == 'spring-projects'
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: docs-build
fetch-depth: 1
@@ -19,14 +19,14 @@ jobs:
git config --global user.name 'github-actions[bot]'
git config --global user.email 'github-actions[bot]@users.noreply.github.com'
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up JDK 17
uses: actions/setup-java@v4
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
java-version: '17'
distribution: 'temurin'
- name: Set up Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/setup-gradle@f29f5a9d7b09a7c6b29859002d29d24e1674c884 # v5.0.1
- name: Upgrade Wrappers
run: ./gradlew clean upgradeGradleWrapperAll --continue -Porg.gradle.java.installations.auto-download=false
env:
@@ -30,6 +30,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Send Notification
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
with:
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
+6 -6
View File
@@ -11,9 +11,9 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.repository == 'spring-projects/spring-security' }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up gradle
uses: spring-io/spring-gradle-build-action@v2
uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
with:
java-version: '17'
distribution: 'temurin'
@@ -24,9 +24,9 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.repository == 'spring-projects/spring-security' }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up gradle
uses: spring-io/spring-gradle-build-action@v2
uses: spring-io/spring-gradle-build-action@efc55f07f4dfa22f2afd97f9ea1be4212eeed737 # v2.0.5
with:
java-version: '17'
distribution: 'temurin'
@@ -34,7 +34,7 @@ jobs:
run: ./gradlew -PbuildSrc.skipTests=true :spring-security-docs:antora
- name: Upload Docs
id: upload
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: docs
path: docs/build/site
@@ -46,6 +46,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Send Notification
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
with:
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
+1 -1
View File
@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1
- name: Dispatch
@@ -16,9 +16,9 @@ jobs:
name: Update on Supported Branches
strategy:
matrix:
branch: [ '5.8.x', '6.2.x', '6.3.x', 'main' ]
branch: [ '6.4.x', '6.5.x', 'main' ]
steps:
- uses: spring-io/spring-doc-actions/update-antora-spring-ui@e28269199d1d27975cf7f65e16d6095c555b3cd0
- uses: spring-io/spring-doc-actions/update-antora-spring-ui@415e2b11a766ba64799fffb5c97a4f7e17f677cf
name: Update
with:
docs-branch: ${{ matrix.branch }}
@@ -28,7 +28,7 @@ jobs:
runs-on: ubuntu-latest
name: Update on docs-build
steps:
- uses: spring-io/spring-doc-actions/update-antora-spring-ui@e28269199d1d27975cf7f65e16d6095c555b3cd0
- uses: spring-io/spring-doc-actions/update-antora-spring-ui@415e2b11a766ba64799fffb5c97a4f7e17f677cf
name: Update
with:
docs-branch: 'docs-build'
@@ -9,7 +9,7 @@ permissions:
jobs:
update-scheduled-release-version:
name: Update Scheduled Release Version
uses: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml@v1
uses: spring-io/spring-security-release-tools/.github/workflows/update-scheduled-release-version.yml@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
secrets: inherit
send-notification:
name: Send Notification
@@ -18,6 +18,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Send Notification
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
uses: spring-io/spring-security-release-tools/.github/actions/send-notification@729fed56d42122f88583aff1be35c0800b7d77e9 # v1.0.14
with:
webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}
@@ -39,7 +39,7 @@ interface EvaluationContextPostProcessor<I> {
* that was passed in.
* @param context the original {@link EvaluationContext}
* @param invocation the security invocation object (i.e. Message)
* @return the upated context.
* @return the updated context.
*/
EvaluationContext postProcess(EvaluationContext context, I invocation);
@@ -20,7 +20,7 @@ import org.springframework.security.acls.model.Acl;
/**
* Strategy used by {@link AclImpl} to determine whether a principal is permitted to call
* adminstrative methods on the <code>AclImpl</code>.
* administrative methods on the <code>AclImpl</code>.
*
* @author Ben Alex
*/
@@ -42,7 +42,7 @@ public class GrantedAuthoritySid implements Sid {
public GrantedAuthoritySid(GrantedAuthority grantedAuthority) {
Assert.notNull(grantedAuthority, "GrantedAuthority required");
Assert.notNull(grantedAuthority.getAuthority(),
"This Sid is only compatible with GrantedAuthoritys that provide a non-null getAuthority()");
"This Sid is only compatible with GrantedAuthority that provide a non-null getAuthority()");
this.grantedAuthority = grantedAuthority.getAuthority();
}
@@ -160,7 +160,7 @@ public class JdbcAclService implements AclService {
this.findChildrenSql = DEFAULT_SELECT_ACL_WITH_PARENT_SQL_WITH_CLASS_ID_TYPE;
}
else {
log.debug("Find children statement has already been overridden, so not overridding the default");
log.debug("Find children statement has already been overridden, so not overriding the default");
}
}
}
@@ -50,7 +50,7 @@ import org.springframework.util.Assert;
* The default settings are for HSQLDB. If you are using a different database you will
* probably need to set the {@link #setSidIdentityQuery(String) sidIdentityQuery} and
* {@link #setClassIdentityQuery(String) classIdentityQuery} properties appropriately. The
* other queries, SQL inserts and updates can also be customized to accomodate schema
* other queries, SQL inserts and updates can also be customized to accommodate schema
* variations, but must produce results consistent with those expected by the defaults.
* <p>
* See the appendix of the Spring Security reference manual for more information on the
@@ -471,7 +471,7 @@ public class JdbcMutableAclService extends JdbcAclService implements MutableAclS
this.insertClass = DEFAULT_INSERT_INTO_ACL_CLASS_WITH_ID;
}
else {
log.debug("Insert class statement has already been overridden, so not overridding the default");
log.debug("Insert class statement has already been overridden, so not overriding the default");
}
}
}
+4 -4
View File
@@ -2,12 +2,12 @@ apply plugin: 'io.spring.convention.spring-module'
apply plugin: 'io.freefair.aspectj'
compileAspectj {
sourceCompatibility "17"
targetCompatibility "17"
sourceCompatibility = "17"
targetCompatibility = "17"
}
compileTestAspectj {
sourceCompatibility "17"
targetCompatibility "17"
sourceCompatibility = "17"
targetCompatibility = "17"
}
dependencies {
+9 -36
View File
@@ -10,7 +10,7 @@ buildscript {
classpath libs.com.netflix.nebula.nebula.project.plugin
}
repositories {
maven { url 'https://plugins.gradle.org/m2/' }
maven { url='https://plugins.gradle.org/m2/' }
}
}
@@ -35,7 +35,7 @@ ext.milestoneBuild = !(snapshotBuild || releaseBuild)
repositories {
mavenCentral()
maven { url "https://repo.spring.io/milestone" }
maven { url = "https://repo.spring.io/milestone" }
}
springRelease {
@@ -46,46 +46,19 @@ springRelease {
replaceSnapshotVersionInReferenceDocUrl = true
}
def toolchainVersion() {
if (project.hasProperty('testToolchain')) {
return project.property('testToolchain').toString().toInteger()
}
return 17
}
subprojects {
java {
toolchain {
languageVersion = JavaLanguageVersion.of(toolchainVersion())
}
}
kotlin {
jvmToolchain {
languageVersion = JavaLanguageVersion.of(17)
}
}
tasks.withType(JavaCompile).configureEach {
options.encoding = "UTF-8"
options.compilerArgs.add("-parameters")
options.release.set(17)
}
}
allprojects {
if (!['spring-security-bom', 'spring-security-docs'].contains(project.name)) {
apply plugin: 'io.spring.javaformat'
apply plugin: 'checkstyle'
pluginManager.withPlugin("io.spring.convention.checkstyle", { plugin ->
configure(plugin) {
dependencies {
checkstyle libs.io.spring.javaformat.spring.javaformat.checkstyle
}
checkstyle {
toolVersion = '8.34'
}
pluginManager.withPlugin("io.spring.convention.checkstyle") {
dependencies {
checkstyle libs.io.spring.javaformat.spring.javaformat.checkstyle
}
})
checkstyle {
toolVersion = '8.34'
}
}
if (project.name.contains('sample')) {
tasks.whenTaskAdded { task ->
+1 -1
View File
@@ -12,7 +12,7 @@ java {
repositories {
gradlePluginPortal()
mavenCentral()
maven { url 'https://repo.spring.io/snapshot' }
maven { url = 'https://repo.spring.io/snapshot' }
}
sourceSets {
Binary file not shown.
-5
View File
@@ -1,5 +0,0 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.5.1-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
-240
View File
@@ -1,240 +0,0 @@
#!/bin/sh
#
# Copyright © 2015-2021 the original authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
##############################################################################
#
# Gradle start up script for POSIX generated by Gradle.
#
# Important for running:
#
# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
# noncompliant, but you have some other compliant shell such as ksh or
# bash, then to run this script, type that shell name before the whole
# command line, like:
#
# ksh Gradle
#
# Busybox and similar reduced shells will NOT work, because this script
# requires all of these POSIX shell features:
# * functions;
# * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
# «${var#prefix}», «${var%suffix}», and «$( cmd )»;
# * compound commands having a testable exit status, especially «case»;
# * various built-in commands including «command», «set», and «ulimit».
#
# Important for patching:
#
# (2) This script targets any POSIX shell, so it avoids extensions provided
# by Bash, Ksh, etc; in particular arrays are avoided.
#
# The "traditional" practice of packing multiple parameters into a
# space-separated string is a well documented source of bugs and security
# problems, so this is (mostly) avoided, by progressively accumulating
# options in "$@", and eventually passing that to Java.
#
# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
# see the in-line comments for details.
#
# There are tweaks for specific operating systems such as AIX, CygWin,
# Darwin, MinGW, and NonStop.
#
# (3) This script is generated from the Groovy template
# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
# within the Gradle project.
#
# You can find Gradle at https://github.com/gradle/gradle/.
#
##############################################################################
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
app_path=$0
# Need this for daisy-chained symlinks.
while
APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
[ -h "$app_path" ]
do
ls=$( ls -ld "$app_path" )
link=${ls#*' -> '}
case $link in #(
/*) app_path=$link ;; #(
*) app_path=$APP_HOME$link ;;
esac
done
APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
APP_NAME="Gradle"
APP_BASE_NAME=${0##*/}
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD=maximum
warn () {
echo "$*"
} >&2
die () {
echo
echo "$*"
echo
exit 1
} >&2
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
case "$( uname )" in #(
CYGWIN* ) cygwin=true ;; #(
Darwin* ) darwin=true ;; #(
MSYS* | MINGW* ) msys=true ;; #(
NONSTOP* ) nonstop=true ;;
esac
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD=$JAVA_HOME/jre/sh/java
else
JAVACMD=$JAVA_HOME/bin/java
fi
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
else
JAVACMD=java
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
# Increase the maximum file descriptors if we can.
if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
case $MAX_FD in #(
max*)
MAX_FD=$( ulimit -H -n ) ||
warn "Could not query maximum file descriptor limit"
esac
case $MAX_FD in #(
'' | soft) :;; #(
*)
ulimit -n "$MAX_FD" ||
warn "Could not set maximum file descriptor limit to $MAX_FD"
esac
fi
# Collect all arguments for the java command, stacking in reverse order:
# * args from the command line
# * the main class name
# * -classpath
# * -D...appname settings
# * --module-path (only if needed)
# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
# For Cygwin or MSYS, switch paths to Windows format before running java
if "$cygwin" || "$msys" ; then
APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
JAVACMD=$( cygpath --unix "$JAVACMD" )
# Now convert the arguments - kludge to limit ourselves to /bin/sh
for arg do
if
case $arg in #(
-*) false ;; # don't mess with options #(
/?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
[ -e "$t" ] ;; #(
*) false ;;
esac
then
arg=$( cygpath --path --ignore --mixed "$arg" )
fi
# Roll the args list around exactly as many times as the number of
# args, so each arg winds up back in the position where it started, but
# possibly modified.
#
# NB: a `for` loop captures its iteration list before it begins, so
# changing the positional parameters here affects neither the number of
# iterations, nor the values presented in `arg`.
shift # remove old arg
set -- "$@" "$arg" # push replacement arg
done
fi
# Collect all arguments for the java command;
# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
# shell script including quotes and variable substitutions, so put them in
# double quotes to make sure that they get re-expanded; and
# * put everything else in single quotes, so that it's not re-expanded.
set -- \
"-Dorg.gradle.appname=$APP_BASE_NAME" \
-classpath "$CLASSPATH" \
org.gradle.wrapper.GradleWrapperMain \
"$@"
# Stop when "xargs" is not available.
if ! command -v xargs >/dev/null 2>&1
then
die "xargs is not available"
fi
# Use "xargs" to parse quoted args.
#
# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
#
# In Bash we could simply go:
#
# readarray ARGS < <( xargs -n1 <<<"$var" ) &&
# set -- "${ARGS[@]}" "$@"
#
# but POSIX shell has neither arrays nor command substitution, so instead we
# post-process each arg (as a line of input to sed) to backslash-escape any
# character that might be a shell metacharacter, then use eval to reverse
# that process (while maintaining the separation between arguments), and wrap
# the whole thing up as a single "set" statement.
#
# This will of course break if any of these variables contains a newline or
# an unmatched quote.
#
eval "set -- $(
printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
xargs -n1 |
sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
tr '\n' ' '
)" '"$@"'
exec "$JAVACMD" "$@"
-91
View File
@@ -1,91 +0,0 @@
@rem
@rem Copyright 2004-present the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@if "%DEBUG%"=="" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal
set DIRNAME=%~dp0
if "%DIRNAME%"=="" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if %ERRORLEVEL% equ 0 goto execute
echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto execute
echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:execute
@rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
:end
@rem End local scope for the variables with windows NT shell
if %ERRORLEVEL% equ 0 goto mainEnd
:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
set EXIT_CODE=%ERRORLEVEL%
if %EXIT_CODE% equ 0 set EXIT_CODE=1
if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
exit /b %EXIT_CODE%
:mainEnd
if "%OS%"=="Windows_NT" endlocal
:omega
@@ -81,8 +81,8 @@ class ArtifactoryPlugin implements Plugin<Project> {
repository {
repoKey = isSnapshot ? snapshotRepository : isMilestone ? milestoneRepository : releaseRepository
if(project.hasProperty('artifactoryUsername')) {
username = artifactoryUsername
password = artifactoryPassword
username = project.artifactoryUsername
password = project.artifactoryPassword
}
}
}
@@ -31,12 +31,12 @@ public class DocsPlugin implements Plugin<Project> {
into 'api'
}
into 'docs'
duplicatesStrategy 'exclude'
duplicatesStrategy = 'exclude'
}
Task docs = project.tasks.create("docs") {
group = 'Documentation'
description 'An aggregator task to generate all the documentation'
description = 'An aggregator task to generate all the documentation'
dependsOn docsZip
}
project.tasks.assemble.dependsOn docs
@@ -90,7 +90,7 @@ public class IntegrationTestPlugin implements Plugin<Project> {
project.plugins.withType(IdeaPlugin) {
project.idea {
module {
testSourceDirs += project.file('src/integration-test/java')
testSources.from(project.file('src/integration-test/java'))
scopes.TEST.plus += [ project.configurations.integrationTestCompileClasspath ]
}
}
@@ -105,7 +105,7 @@ public class IntegrationTestPlugin implements Plugin<Project> {
project.plugins.withType(IdeaPlugin) {
project.idea {
module {
testSourceDirs += project.file('src/integration-test/groovy')
testSources.from(project.file('src/integration-test/groovy'))
}
}
}
@@ -26,7 +26,7 @@ import org.gradle.api.Action;
import org.gradle.api.JavaVersion
import org.gradle.api.Plugin;
import org.gradle.api.Project;
import org.gradle.api.plugins.JavaPluginConvention;
import org.gradle.api.plugins.JavaPluginExtension;
import org.gradle.api.tasks.SourceSet;
import org.gradle.api.tasks.javadoc.Javadoc;
import org.slf4j.Logger;
@@ -71,7 +71,7 @@ public class JavadocApiPlugin implements Plugin<Project> {
}
api.setMaxMemory("1024m");
api.setDestinationDir(new File(project.getBuildDir(), "api"));
api.setDestinationDir(project.layout.getBuildDirectory().dir("api").get().getAsFile());
project.getPluginManager().apply("io.spring.convention.javadoc-options");
}
@@ -99,7 +99,7 @@ public class JavadocApiPlugin implements Plugin<Project> {
public void execute(SpringModulePlugin plugin) {
logger.info("Added sources for {}", project);
JavaPluginConvention java = project.getConvention().getPlugin(JavaPluginConvention.class);
JavaPluginExtension java = project.getExtensions().getByType(JavaPluginExtension.class);
SourceSet mainSourceSet = java.getSourceSets().getByName("main");
api.setSource(api.getSource().plus(mainSourceSet.getAllJava()));
@@ -40,7 +40,7 @@ public class SchemaZipPlugin implements Plugin<Project> {
throw new IllegalStateException("Could not find schema file for resource name " + schemaResourceName + " in src/main/resources")
}
schemaZip.into (shortName) {
duplicatesStrategy 'exclude'
duplicatesStrategy = 'exclude'
from xsdFile.path
}
versionlessXsd.getInputFiles().from(xsdFile.path)
@@ -35,6 +35,7 @@ class SpringModulePlugin extends AbstractSpringJavaPlugin {
pluginManager.apply(SpringMavenPlugin.class);
pluginManager.apply(CheckClasspathForProhibitedDependenciesPlugin.class);
pluginManager.apply("io.spring.convention.jacoco");
pluginManager.apply("java-toolchain");
def deployArtifacts = project.task("deployArtifacts")
deployArtifacts.group = 'Deploy tasks'
@@ -0,0 +1,36 @@
import org.jetbrains.kotlin.gradle.dsl.JvmTarget
import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
def toolchainVersion() {
if (project.hasProperty('testToolchain')) {
return project.property('testToolchain').toString().toInteger()
}
return 17
}
java {
toolchain {
languageVersion = JavaLanguageVersion.of(toolchainVersion())
}
}
tasks.withType(JavaCompile).configureEach {
options.encoding = "UTF-8"
options.compilerArgs.add("-parameters")
options.release = 17
}
pluginManager.withPlugin("org.jetbrains.kotlin.jvm") {
kotlin {
jvmToolchain {
languageVersion = JavaLanguageVersion.of(toolchainVersion())
}
}
tasks.withType(KotlinCompile).configureEach {
compilerOptions {
javaParameters = true
jvmTarget.set(JvmTarget.JVM_17)
}
}
}
@@ -326,7 +326,7 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
/**
* Use this {@code RequestMatcher} to match proxy receptor requests. Without setting
* this matcher, {@link CasAuthenticationFilter} will not capture any proxy receptor
* requets.
* requests.
* @param proxyReceptorMatcher the {@link RequestMatcher} to use
* @since 6.5
*/
@@ -383,8 +383,8 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
}
/**
* Indicates if the request is elgible to process a service ticket. This method exists
* for readability.
* Indicates if the request is eligible to process a service ticket. This method
* exists for readability.
* @param request
* @param response
* @return
@@ -396,7 +396,7 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
}
/**
* Indicates if the request is elgible to process a proxy ticket.
* Indicates if the request is eligible to process a proxy ticket.
* @param request
* @return
*/
@@ -419,7 +419,7 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
}
/**
* Indicates if the request is elgible to be processed as the proxy receptor.
* Indicates if the request is eligible to be processed as the proxy receptor.
* @param request
* @return
*/
+2 -2
View File
@@ -144,14 +144,14 @@ tasks.named('processResources', ProcessResources).configure {
into 'org/springframework/security/config/'
}
from(rncToXsd) {
duplicatesStrategy DuplicatesStrategy.EXCLUDE
duplicatesStrategy = DuplicatesStrategy.EXCLUDE
into 'org/springframework/security/config/'
}
}
tasks.named('sourcesJar', Jar).configure {
from(rncToXsd) {
duplicatesStrategy DuplicatesStrategy.EXCLUDE
duplicatesStrategy = DuplicatesStrategy.EXCLUDE
into 'org/springframework/security/config/'
}
}
@@ -177,7 +177,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
}
/**
* Gets a shared Object. Note that object heirarchies are not considered.
* Gets a shared Object. Note that object hierarchies are not considered.
* @param sharedType the type of the shared Object
* @return the shared Object or null if it is not found
*/
@@ -360,7 +360,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
/**
* Subclasses must implement this method to build the object that is being returned.
* @return the Object to be buit or null if the implementation allows it
* @return the Object to be built or null if the implementation allows it
*/
protected abstract O performBuild();
@@ -414,13 +414,13 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
private enum BuildState {
/**
* This is the state before the {@link Builder#build()} is invoked
* This is the state before the {@link SecurityBuilder#build()} is invoked
*/
UNBUILT(0),
/**
* The state from when {@link Builder#build()} is first invoked until all the
* {@link SecurityConfigurer#init(SecurityBuilder)} methods have been invoked.
* The state from when {@link SecurityBuilder#build()} is first invoked until all
* the {@link SecurityConfigurer#init(SecurityBuilder)} methods have been invoked.
*/
INITIALIZING(1),
@@ -82,7 +82,7 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>>
<C> void setSharedObject(Class<C> sharedType, C object);
/**
* Gets a shared Object. Note that object heirarchies are not considered.
* Gets a shared Object. Note that object hierarchies are not considered.
* @param sharedType the type of the shared Object
* @return the shared Object or null if it is not found
*/
@@ -133,7 +133,7 @@ final class FilterOrderRegistration {
/**
* Register a {@link Filter} with its specific position. If the {@link Filter} was
* already registered before, the position previously defined is not going to be
* overriden
* overridden
* @param filter the {@link Filter} to register
* @param position the position to associate with the {@link Filter}
*/
@@ -305,7 +305,7 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
}
/**
* Gets the logoutSuccesUrl or null if a
* Gets the logoutSuccessUrl or null if a
* {@link #logoutSuccessHandler(LogoutSuccessHandler)} was configured.
* @return the logoutSuccessUrl
*/
@@ -146,7 +146,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
/**
* This should not use RequestAttributeSecurityContextRepository since that is
* stateless and sesison management is about state management.
* stateless and session management is about state management.
*/
private SecurityContextRepository sessionManagementSecurityContextRepository = new HttpSessionSecurityContextRepository();
@@ -16,14 +16,9 @@
package org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization;
import java.util.Map;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
import org.springframework.context.ApplicationContext;
import org.springframework.core.ResolvableType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -45,7 +40,6 @@ import org.springframework.security.oauth2.server.authorization.token.OAuth2Toke
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/**
* Utility methods for the OAuth 2.0 Configurers.
@@ -207,41 +201,16 @@ final class OAuth2ConfigurerUtils {
}
static <T> T getBean(HttpSecurity httpSecurity, Class<T> type) {
return httpSecurity.getSharedObject(ApplicationContext.class).getBean(type);
}
@SuppressWarnings("unchecked")
static <T> T getBean(HttpSecurity httpSecurity, ResolvableType type) {
ApplicationContext context = httpSecurity.getSharedObject(ApplicationContext.class);
String[] names = context.getBeanNamesForType(type);
if (names.length == 1) {
return (T) context.getBean(names[0]);
}
if (names.length > 1) {
throw new NoUniqueBeanDefinitionException(type, names);
}
throw new NoSuchBeanDefinitionException(type);
return httpSecurity.getSharedObject(ApplicationContext.class).getBeanProvider(type).getObject();
}
static <T> T getOptionalBean(HttpSecurity httpSecurity, Class<T> type) {
Map<String, T> beansMap = BeanFactoryUtils
.beansOfTypeIncludingAncestors(httpSecurity.getSharedObject(ApplicationContext.class), type);
if (beansMap.size() > 1) {
throw new NoUniqueBeanDefinitionException(type, beansMap.size(),
"Expected single matching bean of type '" + type.getName() + "' but found " + beansMap.size() + ": "
+ StringUtils.collectionToCommaDelimitedString(beansMap.keySet()));
}
return (!beansMap.isEmpty() ? beansMap.values().iterator().next() : null);
return httpSecurity.getSharedObject(ApplicationContext.class).getBeanProvider(type).getIfUnique();
}
@SuppressWarnings("unchecked")
static <T> T getOptionalBean(HttpSecurity httpSecurity, ResolvableType type) {
ApplicationContext context = httpSecurity.getSharedObject(ApplicationContext.class);
String[] names = context.getBeanNamesForType(type);
if (names.length > 1) {
throw new NoUniqueBeanDefinitionException(type, names);
}
return (names.length == 1) ? (T) context.getBean(names[0]) : null;
return (T) httpSecurity.getSharedObject(ApplicationContext.class).getBeanProvider(type).getIfUnique();
}
}
@@ -95,7 +95,7 @@ public class Saml2MetadataConfigurer<H extends HttpSecurityBuilder<H>>
* If there is no {@code registrationId} and your
* {@link RelyingPartyRegistrationRepository} is {code Iterable}, the metadata
* endpoint will try and show all relying parties' metadata in a single
* {@code <md:EntitiesDecriptor} element.
* {@code <md:EntitiesDescriptor} element.
*
* <p>
* If you need a more sophisticated lookup strategy than these, use
@@ -167,7 +167,7 @@ class ServerHttpSecurityConfiguration {
}
/**
* Applies all {@code Custmizer<ServerHttpSecurity>} Beans to
* Applies all {@code Customizer<ServerHttpSecurity>} Beans to
* {@link ServerHttpSecurity}.
* @param context the {@link ApplicationContext}
* @param http the {@link ServerHttpSecurity}
@@ -538,7 +538,7 @@ final class AuthenticationConfigBuilder {
}
injectAuthenticationDetailsSource(x509Elt, filterBuilder);
filter = (RootBeanDefinition) filterBuilder.getBeanDefinition();
createPrauthEntryPoint(x509Elt);
createPreauthEntryPoint(x509Elt);
createX509Provider();
}
this.x509Filter = filter;
@@ -562,7 +562,7 @@ final class AuthenticationConfigBuilder {
this.x509ProviderRef = new RuntimeBeanReference(this.pc.getReaderContext().registerWithGeneratedName(provider));
}
private void createPrauthEntryPoint(Element source) {
private void createPreauthEntryPoint(Element source) {
if (this.preAuthEntryPoint == null) {
this.preAuthEntryPoint = new RootBeanDefinition(Http403ForbiddenEntryPoint.class);
this.preAuthEntryPoint.setSource(this.pc.extractSource(source));
@@ -595,7 +595,7 @@ final class AuthenticationConfigBuilder {
adsBldr.addPropertyValue("mappableRolesRetriever", mappableRolesRetriever);
filterBuilder.addPropertyValue("authenticationDetailsSource", adsBldr.getBeanDefinition());
filter = (RootBeanDefinition) filterBuilder.getBeanDefinition();
createPrauthEntryPoint(jeeElt);
createPreauthEntryPoint(jeeElt);
createJeeProvider();
}
this.jeeFilter = filter;
@@ -165,20 +165,20 @@ public class LdapServerBeanDefinitionParser implements BeanDefinitionParser {
}
private RootBeanDefinition getRootBeanDefinition(String mode) {
if (isUnboundidEnabled(mode)) {
if (isUnboundIdEnabled(mode)) {
return new RootBeanDefinition(UNBOUNDID_CONTAINER_CLASSNAME, null, null);
}
throw new IllegalStateException("Embedded LDAP server is not provided");
}
private String resolveBeanId(String mode) {
if (isUnboundidEnabled(mode)) {
if (isUnboundIdEnabled(mode)) {
return BeanIds.EMBEDDED_UNBOUNDID;
}
return null;
}
private boolean isUnboundidEnabled(String mode) {
private boolean isUnboundIdEnabled(String mode) {
return "unboundid".equals(mode) || unboundIdPresent;
}
@@ -1340,7 +1340,7 @@ public class AuthorizeHttpRequestsConfigurerTests {
static class ServletPathConfig {
@Bean
PathPatternRequestMatcherBuilderFactoryBean requesMatcherBuilder() {
PathPatternRequestMatcherBuilderFactoryBean requestMatcherBuilder() {
PathPatternRequestMatcherBuilderFactoryBean bean = new PathPatternRequestMatcherBuilderFactoryBean();
bean.setBasePath("/spring");
return bean;
@@ -45,6 +45,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.Primary;
import org.springframework.http.HttpHeaders;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.jdbc.core.JdbcTemplate;
@@ -158,6 +159,8 @@ public class OAuth2ClientCredentialsGrantTests {
private static AuthenticationFailureHandler authenticationFailureHandler;
private static PasswordEncoder passwordEncoder;
public final SpringTestContext spring = new SpringTestContext(this);
@Autowired
@@ -183,6 +186,9 @@ public class OAuth2ClientCredentialsGrantTests {
authenticationProvidersConsumer = mock(Consumer.class);
authenticationSuccessHandler = mock(AuthenticationSuccessHandler.class);
authenticationFailureHandler = mock(AuthenticationFailureHandler.class);
passwordEncoder = mock(PasswordEncoder.class);
given(passwordEncoder.matches(any(), any())).willReturn(true);
given(passwordEncoder.upgradeEncoding(any())).willReturn(false);
db = new EmbeddedDatabaseBuilder().generateUniqueName(true)
.setType(EmbeddedDatabaseType.HSQL)
.setScriptEncoding("UTF-8")
@@ -496,6 +502,26 @@ public class OAuth2ClientCredentialsGrantTests {
.andExpect(jsonPath("$.token_type").value(OAuth2AccessToken.TokenType.DPOP.getValue()));
}
@Test
public void requestWhenTokenRequestWithMultiplePasswordEncodersThenPrimaryPasswordEncoderUsed() throws Exception {
this.spring.register(AuthorizationServerConfigurationWithMultiplePasswordEncoders.class).autowire();
RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
this.registeredClientRepository.save(registeredClient);
this.mvc
.perform(post(DEFAULT_TOKEN_ENDPOINT_URI)
.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.param(OAuth2ParameterNames.SCOPE, "scope1 scope2")
.header(HttpHeaders.AUTHORIZATION,
"Basic " + encodeBasicAuth(registeredClient.getClientId(), registeredClient.getClientSecret())))
.andExpect(status().isOk())
.andExpect(jsonPath("$.access_token").isNotEmpty())
.andExpect(jsonPath("$.scope").value("scope1 scope2"));
verify(passwordEncoder).matches(any(), any());
}
private static String generateDPoPProof(String tokenEndpointUri) {
// @formatter:off
Map<String, Object> publicJwk = TestJwks.DEFAULT_EC_JWK
@@ -658,4 +684,16 @@ public class OAuth2ClientCredentialsGrantTests {
}
@EnableWebSecurity
@Configuration(proxyBeanMethods = false)
static class AuthorizationServerConfigurationWithMultiplePasswordEncoders extends AuthorizationServerConfiguration {
@Primary
@Bean
PasswordEncoder primaryPasswordEncoder() {
return passwordEncoder;
}
}
}
@@ -100,7 +100,7 @@ public interface SecurityExpressionOperations {
boolean isAnonymous();
/**
* Determines ifthe {@link #getAuthentication()} is authenticated
* Determines if the {@link #getAuthentication()} is authenticated
* @return true if the {@link #getAuthentication()} is authenticated, else false
*/
boolean isAuthenticated();
@@ -75,7 +75,7 @@ public class DefaultSecurityParameterNameDiscoverer extends PrioritizedParameter
annotationClassesToUse.add(DATA_PARAM_CLASSNAME);
}
addDiscoverer(new AnnotationParameterNameDiscoverer(annotationClassesToUse));
addDiscoverer(new DefaultParameterNameDiscoverer());
addDiscoverer(DefaultParameterNameDiscoverer.getSharedInstance());
}
}
+1 -1
View File
@@ -31,7 +31,7 @@ urls:
redirect_facility: httpd
ui:
bundle:
url: https://github.com/spring-io/antora-ui-spring/releases/download/v0.4.18/ui-bundle.zip
url: https://github.com/spring-io/antora-ui-spring/releases/download/v0.4.25/ui-bundle.zip
snapshot: true
runtime:
log:
@@ -77,7 +77,7 @@ Public Clients are supported using https://tools.ietf.org/html/rfc7636[Proof Key
If the client is running in an untrusted environment (eg. native application or web browser-based application) and therefore incapable of maintaining the confidentiality of it's credentials, PKCE will automatically be used when the following conditions are true:
. `client-secret` is omitted (or empty)
. `client-authentication-method` is set to "none" (`ClientAuthenticationMethod.NONE`)
. `client-authentication-method` is set to `none` (`ClientAuthenticationMethod.NONE`)
or
@@ -85,7 +85,7 @@ or
[TIP]
====
If the OAuth 2.0 Provider supports PKCE for https://tools.ietf.org/html/rfc6749#section-2.1[Confidential Clients], you may (optionally) configure it using `DefaultServerOAuth2AuthorizationRequestResolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce())`.
If the OAuth 2.0 Provider doesn't support PKCE for https://tools.ietf.org/html/rfc6749#section-2.1[Confidential Clients], you need to disable it by setting `ClientRegistration.clientSettings.requireProofKey` to `false`.
====
[[oauth2-client-authorization-code-redirect-uri]]
@@ -68,7 +68,7 @@ The name may be used in certain scenarios, such as when displaying the name of t
<15> `(userInfoEndpoint)authenticationMethod`: The authentication method used when sending the access token to the UserInfo Endpoint.
The supported values are *header*, *form* and *query*.
<16> `userNameAttributeName`: The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user.
<17> [[oauth2Client-client-registration-requireProofKey]]`requireProofKey`: If `true` or if `authorizationGrantType` is `none`, then PKCE will be enabled by default.
<17> [[oauth2Client-client-registration-requireProofKey]]`requireProofKey`: If `true` or if `clientAuthenticationMethod` is `none`, then PKCE will be enabled. Defaults to `true` for `authorization_code` grant type and `false` for other grant types.
A `ClientRegistration` can be initially configured using discovery of an OpenID Connect Provider's https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Configuration endpoint] or an Authorization Server's https://tools.ietf.org/html/rfc8414#section-3[Metadata endpoint].
@@ -414,7 +414,7 @@ If you build your project with Maven, adding the appropriate Spring Security mod
Any that are marked as "`optional`" in the Spring Security `pom.xml` files have to be added to your own `pom.xml` file if you need them.
[[appendix-faq-unboundid-deps]]
=== What dependences are needed to run an embedded UnboundID LDAP server?
=== What dependencies are needed to run an embedded UnboundID LDAP server?
You need to add the following dependency to your project:
@@ -137,7 +137,8 @@ fun method(authentication: Authentication?): String {
will always return "not anonymous", even for anonymous requests.
The reason is that Spring MVC resolves the parameter using `HttpServletRequest#getPrincipal`, which is `null` when the request is anonymous.
If you'd like to obtain the `Authentication` in anonymous requests, use `@CurrentSecurityContext` instead:
If you'd like to obtain the `Authentication` in anonymous requests, use
xref:servlet/integrations/mvc.adoc#mvc-current-security-context[`@CurrentSecurityContext`] instead:
.Use CurrentSecurityContext for Anonymous requests
[tabs]
@@ -97,7 +97,11 @@ val authorities = authentication.authorities
----
======
// FIXME: Add links to and relevant description of HttpServletRequest.getRemoteUser() and @CurrentSecurityContext @AuthenticationPrincipal
In Spring MVC, you can resolve the current principal with
xref:servlet/integrations/mvc.adoc#mvc-authentication-principal[`@AuthenticationPrincipal`]
and the full `SecurityContext` with
xref:servlet/integrations/mvc.adoc#mvc-current-security-context[`@CurrentSecurityContext`].
For Servlet API access, use `HttpServletRequest#getRemoteUser`.
By default, `SecurityContextHolder` uses a `ThreadLocal` to store these details, which means that the `SecurityContext` is always available to methods in the same thread, even if the `SecurityContext` is not explicitly passed around as an argument to those methods.
Using a `ThreadLocal` in this way is quite safe if you take care to clear the thread after the present principal's request is processed.
@@ -12,7 +12,7 @@ OWASP places factors into the following categories:
== `FactorGrantedAuthority`
At the time of authentication, Spring Security's authentication mechanisms add a javadoc:org.springframework.security.core.authority.FactorGrantedAuthority[].
For example, when a user authenticates using a password a `FactorGrantedAuthority` with the `authority` of `FactorGrantedAuthority.PASSWORD_AUTHORITY` is automatically added to the `Authentiation`.
For example, when a user authenticates using a password a `FactorGrantedAuthority` with the `authority` of `FactorGrantedAuthority.PASSWORD_AUTHORITY` is automatically added to the `Authentication`.
In order to require MFA with Spring Security you must:
- Specify an authorization rule that requires multiple factors
@@ -51,7 +51,7 @@ include-code::./UseAuthorizationManagerFactoryConfiguration[tag=authorizationMan
[[selective-mfa]]
== Selectively Requiring MFA
We have demonstrated how to configure an entire application to require MFA by using xref:./mfa.adoc#emfa[`@EnableMultiFactorAuthentication`]s `authorities` property.
We have demonstrated how to configure an entire application to require MFA by using xref:./mfa.adoc#emfa[``@EnableMultiFactorAuthentication``s] `authorities` property.
However, there are times that an application only wants parts of the application to require MFA.
Consider the following requirements:
@@ -118,7 +118,7 @@ To enable the MFA rules globally, we can publish an `AuthorizationManagerFactory
include-code::./AdminMfaAuthorizationManagerConfiguration[tag=authorizationManagerFactory,indent=0]
<1> Inject the custom `AuthorizationManager` as the javadoc:org.springframework.security.authorization.DefaultAuthorizationManagerFactory#setAdditionalAuthorization(org.springframework.security.authorization.AuthorizationManager)[DefaultAuthorization.additionalAuthorization].
This instructs `DefaultAuthorizationManagerFactory` that any authorization rule should apply our custom `AuthorizationManager` along with any authorization requirements defined by the application (e.g. `hasRole("ADMIN")).
This instructs `DefaultAuthorizationManagerFactory` that any authorization rule should apply our custom `AuthorizationManager` along with any authorization requirements defined by the application (e.g. `hasRole("ADMIN")`).
<2> Publish `DefaultAuthorizationManagerFactory` as a Bean, so it is used globally
This should feel very similar to our previous example in xref:./mfa.adoc#authorization-manager-factory[].
@@ -153,10 +153,11 @@ Next we can define an `AuthorizationManagerFactory` that uses the `RequiredAutho
include-code::./RequiredAuthoritiesAuthorizationManagerConfiguration[tag=authorizationManagerFactory,indent=0]
<1> Inject the `RequiredAuthoritiesAuthorizationManager` as the javadoc:org.springframework.security.authorization.DefaultAuthorizationManagerFactory#setAdditionalAuthorization(org.springframework.security.authorization.AuthorizationManager)[DefaultAuthorization.additionalAuthorization].
This instructs `DefaultAuthorizationManagerFactory` that any authorization rule should apply `RequiredAuthoritiesAuthorizationManager` along with any authorization requirements defined by the application (e.g. `hasRole("ADMIN")).
This instructs `DefaultAuthorizationManagerFactory` that any authorization rule should apply `RequiredAuthoritiesAuthorizationManager` along with any authorization requirements defined by the application (e.g. `hasRole("ADMIN")`).
<2> Publish `DefaultAuthorizationManagerFactory` as a Bean, so it is used globally
We can now define our authorization rules which are combined with `RequiredAuthoritiesAuthorizationManager`.
include-code::./RequiredAuthoritiesAuthorizationManagerConfiguration[tag=httpSecurity,indent=0]
<1> URLs that begin with `/admin/**` require `ROLE_ADMIN`.
If the username is `admin`, then `FACTOR_OTT` and `FACTOR_PASSWORD` are also required.
@@ -167,7 +168,7 @@ Our example uses an in memory mapping of usernames to the additional required au
For more dynamic use cases that can be determined by the username, a custom implementation of javadoc:org.springframework.security.authorization.RequiredAuthoritiesRepository[] can be created.
Possible examples would be looking up if a user has enabled MFA in an explicit setting, determining if a user has registered a passkey, etc.
For cases that need to determine MFA based upon the `Authentication`, a custom `AuthorizationManger` can be used as demonstrated in xref:./mfa.adoc#programmatic-mfa[]
For cases that need to determine MFA based upon the `Authentication`, a custom `AuthorizationManger` can be used as demonstrated in xref:./mfa.adoc#programmatic-mfa[].
[[hasallauthorities]]
@@ -196,7 +197,7 @@ Can you imagine what it would be like to declare hundreds of rules like this?
What's more that it becomes difficult to express more complicated authorization rules.
For example, how would you require two factors and either `ROLE_ADMIN` or `ROLE_USER`?
The answer to these questions, as we have already seen, is to use xref:./mfa.adoc#egmfa[]
The answer to these questions, as we have already seen, is to use xref:./mfa.adoc#emfa[]
[[re-authentication]]
== Re-authentication
@@ -211,7 +212,7 @@ By default, this application has two authentication mechanisms that it allows, m
If there is a set of endpoints that require a specific factor, we can specify that in `authorizeHttpRequests` as follows:
include-code::./RequireOttConfiguration[tag=httpSecurity,indent=0]
<1> - States that all `/profile/**` endpoints require one-time-token login to be authorized
<1> States that all `/profile/**` endpoints require one-time-token login to be authorized
Given the above configuration, users can log in with any mechanism that you support.
And, if they want to visit the profile page, then Spring Security will redirect them to the One-Time-Token Login page to obtain it.
@@ -24,7 +24,7 @@ The `RequestCache` is typically a `NullRequestCache` that does not save the requ
[NOTE]
====
The default HTTP Basic Auth Provider will suppress both Response body and `WWW-Authenticate` header in the 401 response when the request was made with a `X-Requested-By: XMLHttpRequest` header.
The default HTTP Basic Auth Provider will suppress both Response body and `WWW-Authenticate` header in the 401 response when the request was made with a `X-Requested-With: XMLHttpRequest` header.
This allows frontends to implement their own authentication code, instead of triggering the browser login dialog.
To override, implement your own javadoc:org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint[].
====
@@ -107,7 +107,7 @@ default void verify(Supplier<Authentication> authentication, Object secureObject
}
----
The ``AuthorizationManager``'s `check` method is passed all the relevant information it needs in order to make an authorization decision.
The ``AuthorizationManager``'s `authorize` method is passed all the relevant information it needs in order to make an authorization decision.
In particular, passing the secure `Object` enables those arguments contained in the actual secure object invocation to be inspected.
For example, let's assume the secure object was a `MethodInvocation`.
It would be easy to query the `MethodInvocation` for any `Customer` argument, and then implement some sort of security logic in the `AuthorizationManager` to ensure the principal is permitted to operate on that customer.
@@ -118,7 +118,7 @@ A given invocation to `MyCustomerService#readCustomer` may look something like t
image::{figures}/methodsecurity.png[]
1. Spring AOP invokes its proxy method for `readCustomer`. Among the proxy's other advisors, it invokes an javadoc:org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor[] that matches <<annotation-method-pointcuts,the `@PreAuthorize` pointcut>>
2. The interceptor invokes javadoc:org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager[`PreAuthorizeAuthorizationManager#check`]
2. The interceptor invokes javadoc:org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager[`PreAuthorizeAuthorizationManager#authorize`]
3. The authorization manager uses a `MethodSecurityExpressionHandler` to parse the annotation's <<authorization-expressions,SpEL expression>> and constructs a corresponding `EvaluationContext` from a `MethodSecurityExpressionRoot` containing xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[a `Supplier<Authentication>`] and `MethodInvocation`.
4. The interceptor uses this context to evaluate the expression; specifically, it reads xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[the `Authentication`] from the `Supplier` and checks whether it has `permission:read` in its collection of xref:servlet/authorization/architecture.adoc#authz-authorities[authorities]
5. If the evaluation passes, then Spring AOP proceeds to invoke the method.
@@ -399,7 +399,7 @@ Second, each xref:#httpsecuritydsl-bean[HttpSecurityDsl.() -> Unit Beans] is app
This means that if there are multiple `HttpSecurity.() -> Unit` Beans, the https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/core/annotation/Order.html[@Order] annotation can be added to the Bean definitions to control the ordering.
Next, every xref:#top-level-dsl-bean[Top Level Security Dsl Beans] type is looked up and each is is applied using `ObjectProvider#orderedStream()`.
If there is are differt types of top level security Beans (.e.g. `HeadersDsl.() -> Unit` and `HttpsRedirectDsl.() -> Unit`), then the order that each Dsl type is invoked is undefined.
If there is are different types of top level security Beans (.e.g. `HeadersDsl.() -> Unit` and `HttpsRedirectDsl.() -> Unit`), then the order that each Dsl type is invoked is undefined.
However, the order that each instance of of the same top level security Bean type is defined by `ObjectProvider#orderedStream()` and can be controlled using `@Order` on the Bean the definitions.
Finally, the `HttpSecurityDsl` Bean is injected as a Bean.
@@ -448,6 +448,72 @@ open fun findMessagesForUser(@CurrentUser("user_id") userId: String?): ModelAndV
----
======
[[mvc-current-security-context]]
== @CurrentSecurityContext
Spring Security provides `CurrentSecurityContextArgumentResolver`, which can automatically resolve the current `SecurityContext` for Spring MVC arguments.
By using `@EnableWebSecurity`, you automatically have this added to your Spring MVC configuration.
If you use XML-based configuration, you must add this yourself:
[source,xml]
----
<mvc:annotation-driven>
<mvc:argument-resolvers>
<bean class="org.springframework.security.web.method.annotation.CurrentSecurityContextArgumentResolver" />
</mvc:argument-resolvers>
</mvc:annotation-driven>
----
Once `CurrentSecurityContextArgumentResolver` is configured, you can access the `SecurityContext` directly:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@GetMapping("/me")
public String me(@CurrentSecurityContext SecurityContext context) {
return context.getAuthentication().getName();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@GetMapping("/me")
fun me(@CurrentSecurityContext context: SecurityContext): String {
return context.authentication.name
}
----
======
You can also use a SpEL expression that is rooted at the `SecurityContext`:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@GetMapping("/me")
public String me(@CurrentSecurityContext(expression = "authentication") Authentication authentication) {
return authentication.getName();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@GetMapping("/me")
fun me(@CurrentSecurityContext(expression = "authentication") authentication: Authentication): String {
return authentication.name
}
----
======
[[mvc-async]]
== Spring MVC Async Integration
@@ -77,7 +77,7 @@ spring:
Public Clients are supported by using https://tools.ietf.org/html/rfc7636[Proof Key for Code Exchange] (PKCE).
If the client is running in an untrusted environment (such as a native application or web browser-based application) and is therefore incapable of maintaining the confidentiality of its credentials, PKCE is automatically used when the following conditions are true:
. `client-secret` is omitted (or empty) and
. `client-secret` is omitted (or empty)
. `client-authentication-method` is set to `none` (`ClientAuthenticationMethod.NONE`)
or
@@ -87,7 +87,7 @@ or
[TIP]
====
If the OAuth 2.0 Provider supports PKCE for https://tools.ietf.org/html/rfc6749#section-2.1[Confidential Clients], you may (optionally) configure it using `DefaultOAuth2AuthorizationRequestResolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce())`.
If the OAuth 2.0 Provider doesn't support PKCE for https://tools.ietf.org/html/rfc6749#section-2.1[Confidential Clients], you need to disable it by setting `ClientRegistration.clientSettings.requireProofKey` to `false`.
====
[[oauth2-client-authorization-code-redirect-uri]]
@@ -69,7 +69,7 @@ This information is available only if the Spring Boot property `spring.security.
<15> `(userInfoEndpoint)authenticationMethod`: The authentication method used when sending the access token to the UserInfo Endpoint.
The supported values are *header*, *form*, and *query*.
<16> `userNameAttributeName`: The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user.
<17> [[oauth2Client-client-registration-requireProofKey]]`requireProofKey`: If `true` or if `clientAuthenticationMethod` is `none`, then PKCE will be enabled.
<17> [[oauth2Client-client-registration-requireProofKey]]`requireProofKey`: If `true` or if `clientAuthenticationMethod` is `none`, then PKCE will be enabled. Defaults to `true` for `authorization_code` grant type and `false` for other grant types.
You can initially configure a `ClientRegistration` by using discovery of an OpenID Connect Provider's https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Configuration endpoint] or an Authorization Server's https://tools.ietf.org/html/rfc8414#section-3[Metadata endpoint].
+1
View File
@@ -3,6 +3,7 @@ plugins {
id 'io.spring.antora.generate-antora-yml' version '0.0.1'
id 'io.spring.convention.repository'
id 'security-kotlin'
id 'java-toolchain'
}
apply plugin: 'io.spring.convention.docs'
@@ -34,7 +34,9 @@ class AdminMfaAuthorizationManagerConfiguration {
// @formatter:off
http
.authorizeHttpRequests((authorize) -> authorize
// <1>
.requestMatchers("/admin/**").hasRole("ADMIN")
// <2>
.anyRequest().authenticated()
)
.formLogin(Customizer.withDefaults())
@@ -28,8 +28,8 @@ class RequiredAuthoritiesAuthorizationManagerConfiguration {
// @formatter:off
http
.authorizeHttpRequests((authorize) -> authorize
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
.requestMatchers("/admin/**").hasRole("ADMIN") // <1>
.anyRequest().authenticated() // <2>
)
.formLogin(Customizer.withDefaults())
.oneTimeTokenLogin(Customizer.withDefaults());
@@ -27,8 +27,8 @@ internal class RequiredAuthoritiesAuthorizationManagerConfiguration {
// @formatter:off
http {
authorizeHttpRequests {
authorize("/admin/**", hasRole("ADMIN"))
authorize(anyRequest, authenticated)
authorize("/admin/**", hasRole("ADMIN")) // <1>
authorize(anyRequest, authenticated) // <2>
}
formLogin { }
oneTimeTokenLogin { }
+1 -1
View File
@@ -14,7 +14,7 @@
# limitations under the License.
#
springBootVersion=4.0.0-SNAPSHOT
version=7.0.2
version=7.0.3
samplesBranch=main
org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
org.gradle.parallel=true
+20 -20
View File
@@ -4,20 +4,20 @@ io-rsocket = "1.1.5"
io-spring-javaformat = "0.0.47"
io-spring-nohttp = "0.0.11"
jakarta-websocket = "2.2.0"
org-apache-maven-resolver = "1.9.24"
org-aspectj = "1.9.25"
org-apache-maven-resolver = "1.9.25"
org-aspectj = "1.9.25.1"
org-bouncycastle = "1.80"
org-eclipse-jetty = "11.0.26"
org-jetbrains-kotlin = "2.2.21"
org-jetbrains-kotlinx = "1.10.2"
org-mockito = "5.17.0"
org-opensaml5 = "5.1.6"
org-springframework = "7.0.2"
org-springframework = "7.0.4"
com-password4j = "1.8.4"
[libraries]
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.22"
com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.20.1"
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.29"
com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.20.2"
com-google-inject-guice = "com.google.inject:guice:3.0"
com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0"
com-nimbusds-nimbus-jose-jwt = "com.nimbusds:nimbus-jose-jwt:10.4"
@@ -27,16 +27,16 @@ com-squareup-okhttp3-okhttp = { module = "com.squareup.okhttp3:okhttp", version.
com-unboundid-unboundid-ldapsdk = "com.unboundid:unboundid-ldapsdk:7.0.4"
com-jayway-jsonpath-json-path = "com.jayway.jsonpath:json-path:2.9.0"
commons-collections = "commons-collections:commons-collections:3.2.2"
io-micrometer-context-propagation = "io.micrometer:context-propagation:1.1.3"
io-micrometer-context-propagation = "io.micrometer:context-propagation:1.1.4"
io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.14.14"
io-mockk = "io.mockk:mockk:1.14.7"
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2025.0.1"
io-mockk = "io.mockk:mockk:1.14.9"
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2025.0.3"
io-rsocket-rsocket-bom = { module = "io.rsocket:rsocket-bom", version.ref = "io-rsocket" }
io-spring-javaformat-spring-javaformat-checkstyle = { module = "io.spring.javaformat:spring-javaformat-checkstyle", version.ref = "io-spring-javaformat" }
io-spring-javaformat-spring-javaformat-gradle-plugin = { module = "io.spring.javaformat:spring-javaformat-gradle-plugin", version.ref = "io-spring-javaformat" }
io-spring-nohttp-nohttp-checkstyle = { module = "io.spring.nohttp:nohttp-checkstyle", version.ref = "io-spring-nohttp" }
io-spring-nohttp-nohttp-gradle = { module = "io.spring.nohttp:nohttp-gradle", version.ref = "io-spring-nohttp" }
io-spring-security-release-plugin = "io.spring.gradle:spring-security-release-plugin:1.0.13"
io-spring-security-release-plugin = "io.spring.gradle:spring-security-release-plugin:1.0.14"
jakarta-annotation-jakarta-annotation-api = "jakarta.annotation:jakarta.annotation-api:3.0.0"
jakarta-inject-jakarta-inject-api = "jakarta.inject:jakarta.inject-api:2.0.1"
jakarta-persistence-jakarta-persistence-api = "jakarta.persistence:jakarta.persistence-api:3.2.0"
@@ -45,13 +45,13 @@ jakarta-servlet-jsp-jakarta-servlet-jsp-api = "jakarta.servlet.jsp:jakarta.servl
jakarta-servlet-jsp-jstl-jakarta-servlet-jsp-jstl-api = "jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.2"
jakarta-websocket-jakarta-websocket-api = { module = "jakarta.websocket:jakarta.websocket-api", version.ref = "jakarta-websocket" }
jakarta-websocket-jakarta-websocket-client-api = { module = "jakarta.websocket:jakarta.websocket-client-api", version.ref = "jakarta-websocket" }
jakarta-xml-bind-jakarta-xml-bind-api = "jakarta.xml.bind:jakarta.xml.bind-api:4.0.4"
jakarta-xml-bind-jakarta-xml-bind-api = "jakarta.xml.bind:jakarta.xml.bind-api:4.0.5"
ldapsdk = "ldapsdk:ldapsdk:4.1"
net-sourceforge-htmlunit = "net.sourceforge.htmlunit:htmlunit:2.70.0"
org-htmlunit-htmlunit = "org.htmlunit:htmlunit:4.11.1"
org-apache-httpcomponents-httpclient = "org.apache.httpcomponents.client5:httpclient5:5.5.1"
org-apache-httpcomponents-httpclient = "org.apache.httpcomponents.client5:httpclient5:5.5.2"
org-apache-kerby-simplekdc='org.apache.kerby:kerb-simplekdc:2.1.1'
org-apache-maven-maven-resolver-provider = "org.apache.maven:maven-resolver-provider:3.9.11"
org-apache-maven-maven-resolver-provider = "org.apache.maven:maven-resolver-provider:3.9.12"
org-apache-maven-resolver-maven-resolver-connector-basic = { module = "org.apache.maven.resolver:maven-resolver-connector-basic", version.ref = "org-apache-maven-resolver" }
org-apache-maven-resolver-maven-resolver-impl = { module = "org.apache.maven.resolver:maven-resolver-impl", version.ref = "org-apache-maven-resolver" }
org-apache-maven-resolver-maven-resolver-transport-http = { module = "org.apache.maven.resolver:maven-resolver-transport-http", version.ref = "org-apache-maven-resolver" }
@@ -59,7 +59,7 @@ org-apereo-cas-client-cas-client-core = "org.apereo.cas.client:cas-client-core:4
io-freefair-gradle-aspectj-plugin = "io.freefair.gradle:aspectj-plugin:8.13.1"
org-aspectj-aspectjrt = { module = "org.aspectj:aspectjrt", version.ref = "org-aspectj" }
org-aspectj-aspectjweaver = { module = "org.aspectj:aspectjweaver", version.ref = "org-aspectj" }
org-assertj-assertj-core = "org.assertj:assertj-core:3.27.6"
org-assertj-assertj-core = "org.assertj:assertj-core:3.27.7"
org-bouncycastle-bcpkix-jdk15on = { module = "org.bouncycastle:bcpkix-jdk18on", version.ref = "org-bouncycastle" }
org-bouncycastle-bcprov-jdk15on = { module = "org.bouncycastle:bcprov-jdk18on", version.ref = "org-bouncycastle" }
org-eclipse-jetty-jetty-server = { module = "org.eclipse.jetty:jetty-server", version.ref = "org-eclipse-jetty" }
@@ -70,7 +70,7 @@ org-hsqldb = "org.hsqldb:hsqldb:2.7.4"
org-jetbrains-kotlin-kotlin-bom = { module = "org.jetbrains.kotlin:kotlin-bom", version.ref = "org-jetbrains-kotlin" }
org-jetbrains-kotlin-kotlin-gradle-plugin = "org.jetbrains.kotlin:kotlin-gradle-plugin:2.2.21"
org-jetbrains-kotlinx-kotlinx-coroutines-bom = { module = "org.jetbrains.kotlinx:kotlinx-coroutines-bom", version.ref = "org-jetbrains-kotlinx" }
org-junit-junit-bom = "org.junit:junit-bom:6.0.1"
org-junit-junit-bom = "org.junit:junit-bom:6.0.2"
org-mockito-mockito-bom = { module = "org.mockito:mockito-bom", version.ref = "org-mockito" }
org-opensaml-opensaml5-saml-api = { module = "org.opensaml:opensaml-saml-api", version.ref = "org-opensaml5" }
org-opensaml-opensaml5-saml-impl = { module = "org.opensaml:opensaml-saml-impl", version.ref = "org-opensaml5" }
@@ -81,28 +81,28 @@ org-seleniumhq-selenium-selenium-support = "org.seleniumhq.selenium:selenium-sup
org-skyscreamer-jsonassert = "org.skyscreamer:jsonassert:1.5.3"
org-slf4j-log4j-over-slf4j = "org.slf4j:log4j-over-slf4j:1.7.36"
org-slf4j-slf4j-api = "org.slf4j:slf4j-api:2.0.17"
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2025.1.1"
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:4.0.0"
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2025.1.3"
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:4.0.2"
org-springframework-spring-framework-bom = { module = "org.springframework:spring-framework-bom", version.ref = "org-springframework" }
org-synchronoss-cloud-nio-multipart-parser = "org.synchronoss.cloud:nio-multipart-parser:1.1.0"
tools-jackson-jackson-bom = "tools.jackson:jackson-bom:3.0.3"
tools-jackson-jackson-bom = "tools.jackson:jackson-bom:3.0.4"
com-google-code-gson-gson = "com.google.code.gson:gson:2.13.2"
com-thaiopensource-trag = "com.thaiopensource:trang:20091111"
net-sourceforge-saxon-saxon = "net.sourceforge.saxon:saxon:9.1.0.8"
org-yaml-snakeyaml = "org.yaml:snakeyaml:1.33"
org-apache-commons-commons-io = "org.apache.commons:commons-io:1.3.2"
io-github-gradle-nexus-publish-plugin = "io.github.gradle-nexus:publish-plugin:1.3.0"
io-github-gradle-nexus-publish-plugin = "io.github.gradle-nexus:publish-plugin:2.0.0"
org-gretty-gretty = "org.gretty:gretty:4.1.10"
com-github-ben-manes-gradle-versions-plugin = "com.github.ben-manes:gradle-versions-plugin:0.52.0"
com-github-spullara-mustache-java-compiler = "com.github.spullara.mustache.java:compiler:0.9.14"
org-hidetake-gradle-ssh-plugin = "org.hidetake:gradle-ssh-plugin:2.10.1"
org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-info-extractor-gradle:4.34.2"
org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-info-extractor-gradle:6.0.4"
org-sonarsource-scanner-gradle-sonarqube-gradle-plugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.8.0.1969"
org-instancio-instancio-junit = "org.instancio:instancio-junit:3.7.1"
spring-nullability = 'io.spring.nullability:io.spring.nullability.gradle.plugin:0.0.6'
webauthn4j-core = 'com.webauthn4j:webauthn4j-core:0.29.7.RELEASE'
webauthn4j-core = 'com.webauthn4j:webauthn4j-core:0.31.0.RELEASE'
com-password4j-password4j = { module = "com.password4j:password4j", version.ref = "com-password4j" }
[plugins]
+2 -2
View File
@@ -1,7 +1,7 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionSha256Sum=61ad310d3c7d3e5da131b76bbf22b5a4c0786e9d892dae8c1658d4b484de3caa
distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-bin.zip
distributionSha256Sum=f1771298a70f6db5a29daf62378c4e18a17fc33c9ba6b14362e0cdf40610380d
distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.4-bin.zip
networkTimeout=10000
validateDistributionUrl=true
zipStoreBase=GRADLE_USER_HOME
Vendored
+1 -1
View File
@@ -1,5 +1,5 @@
@rem
@rem Copyright 2004-present the original author or authors.
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@@ -1,4 +1,5 @@
apply plugin: 'io.spring.convention.spring-test'
apply plugin: 'java-toolchain'
dependencies {
implementation platform(project(":spring-security-dependencies"))
@@ -39,7 +39,7 @@ import org.springframework.util.Assert;
* It needs a <code>KerberosTicketValidator</code>, which contains the code to validate
* the ticket, as this code is different between SUN and IBM JRE.<br>
* It also needs an <code>UserDetailsService</code> to load the user properties and the
* <code>GrantedAuthorities</code>, as we only get back the username from Kerbeos
* <code>GrantedAuthorities</code>, as we only get back the username from Kerberos
* </p>
*
* You can see an example configuration in
@@ -31,7 +31,7 @@ public interface KerberosTicketValidator {
/**
* Validates a Kerberos/SPNEGO ticket.
* @param token Kerbeos/SPNEGO ticket
* @param token Kerberos/SPNEGO ticket
* @return authenticated kerberos principal
* @throws BadCredentialsException if the ticket is not valid
*/
@@ -76,7 +76,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
* &lt;/sec:authentication-manager&gt;
*
* &lt;bean id=&quot;kerberosServiceAuthenticationProvider&quot;
* class=&quot;org.springframework.security.kerberos.authenitcation.KerberosServiceAuthenticationProvider&quot;&gt;
* class=&quot;org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider&quot;&gt;
* &lt;property name=&quot;ticketValidator&quot;&gt;
* &lt;bean class=&quot;org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator&quot;&gt;
* &lt;property name=&quot;servicePrincipal&quot; value=&quot;HTTP/web.springsource.com&quot; /&gt;
@@ -103,7 +103,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
* <a href="https://bugs.sun.com/view_bug.do?bug_id=6851973">bug</a>.
* </p>
* <p>
* A workaround unti this is fixed in the JVM is to change
* A workaround until this is fixed in the JVM is to change
* </p>
* HKEY_LOCAL_MACHINE\System \CurrentControlSet\Control\LSA\SuppressExtendedProtection to
* 0x02
@@ -134,9 +134,9 @@ public final class PathPatternMessageMatcher implements MessageMatcher<Object> {
* The following are valid patterns and their meaning
* <ul>
* <li>{@code /path} - match exactly and only `/path`</li>
* <li>{@code /path/**} - match `/path` and any of its descendents</li>
* <li>{@code /path/**} - match `/path` and any of its descendants</li>
* <li>{@code /path/{value}/**} - match `/path/subdirectory` and any of its
* descendents, capturing the value of the subdirectory in
* descendants, capturing the value of the subdirectory in
* {@link MessageAuthorizationContext#getVariables()}</li>
* </ul>
*
@@ -169,9 +169,9 @@ public final class PathPatternMessageMatcher implements MessageMatcher<Object> {
* The following are valid patterns and their meaning
* <ul>
* <li>{@code /path} - match exactly and only `/path`</li>
* <li>{@code /path/**} - match `/path` and any of its descendents</li>
* <li>{@code /path/**} - match `/path` and any of its descendants</li>
* <li>{@code /path/{value}/**} - match `/path/subdirectory` and any of its
* descendents, capturing the value of the subdirectory in
* descendants, capturing the value of the subdirectory in
* {@link MessageAuthorizationContext#getVariables()}</li>
* </ul>
*
@@ -40,10 +40,8 @@ import org.springframework.cglib.proxy.Callback;
import org.springframework.cglib.proxy.Enhancer;
import org.springframework.cglib.proxy.Factory;
import org.springframework.cglib.proxy.MethodProxy;
import org.springframework.core.DefaultParameterNameDiscoverer;
import org.springframework.core.MethodIntrospector;
import org.springframework.core.MethodParameter;
import org.springframework.core.ParameterNameDiscoverer;
import org.springframework.core.ResolvableType;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.core.annotation.AnnotationUtils;
@@ -132,8 +130,6 @@ public final class ResolvableMethod {
private static final SpringObjenesis objenesis = new SpringObjenesis();
private static final ParameterNameDiscoverer nameDiscoverer = new DefaultParameterNameDiscoverer();
// Matches ValueConstants.DEFAULT_NONE (spring-web and spring-messaging)
private static final String DEFAULT_VALUE_NONE = "\n\t\t\n\t\t\n\uE000\uE001\uE002\n\t\t\t\t\n";
@@ -634,7 +630,6 @@ public final class ResolvableMethod {
List<MethodParameter> matches = new ArrayList<>();
for (int i = 0; i < ResolvableMethod.this.method.getParameterCount(); i++) {
MethodParameter param = new SynthesizingMethodParameter(ResolvableMethod.this.method, i);
param.initParameterNameDiscovery(nameDiscoverer);
if (this.filters.stream().allMatch((p) -> p.test(param))) {
matches.add(param);
}
@@ -63,10 +63,9 @@ public abstract class AbstractRestClientOAuth2AccessTokenResponseClient<T extend
// @formatter:off
private RestClient restClient = RestClient.builder()
.messageConverters((messageConverters) -> {
messageConverters.clear();
messageConverters.add(new FormHttpMessageConverter());
messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
.configureMessageConverters((messageConverters) -> {
messageConverters.addCustomConverter(new FormHttpMessageConverter());
messageConverters.addCustomConverter(new OAuth2AccessTokenResponseHttpMessageConverter());
})
.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
.build();
@@ -98,9 +98,11 @@ public final class BearerTokenAuthenticationEntryPoint implements Authentication
}
private static String getResourceMetadataParameter(HttpServletRequest request) {
String path = request.getContextPath()
+ OAuth2ProtectedResourceMetadataFilter.DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI;
// @formatter:off
return UriComponentsBuilder.fromUriString(UrlUtils.buildFullRequestUrl(request))
.replacePath(OAuth2ProtectedResourceMetadataFilter.DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI)
.replacePath(path)
.replaceQuery(null)
.fragment(null)
.build()
@@ -65,6 +65,18 @@ public class BearerTokenAuthenticationEntryPointTests {
"Bearer realm=\"test\", resource_metadata=\"http://localhost/.well-known/oauth-protected-resource\"");
}
@Test
public void commenceWhenNoBearerTokenErrorAndContextPathSetThenStatus401AndAuthHeaderWithContextPath() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setContextPath("/ctx");
MockHttpServletResponse response = new MockHttpServletResponse();
this.authenticationEntryPoint.commence(request, response, new BadCredentialsException("test"));
assertThat(response.getStatus()).isEqualTo(401);
assertThat(response.getHeader("WWW-Authenticate"))
.isEqualTo("Bearer resource_metadata=\"http://localhost/ctx/.well-known/oauth-protected-resource\"");
}
@Test
public void commenceWhenInvalidRequestErrorThenStatus400AndHeaderWithError() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
@@ -48,7 +48,7 @@ public final class Saml2X509Credential implements Serializable {
/**
* Creates a {@link Saml2X509Credential} using the provided parameters
* @param certificate the credential's public certificiate
* @param certificate the credential's public certificate
* @param types the credential's intended usages, must be one of
* {@link Saml2X509CredentialType#VERIFICATION} or
* {@link Saml2X509CredentialType#ENCRYPTION} or both.
+2 -2
View File
@@ -5,13 +5,13 @@ pluginManagement {
}
plugins {
id "io.spring.develocity.conventions" version "0.0.24"
id "io.spring.develocity.conventions" version "0.0.25"
}
dependencyResolutionManagement {
repositories {
mavenCentral()
maven { url "https://repo.spring.io/snapshot" }
maven { url = "https://repo.spring.io/snapshot" }
}
}
@@ -148,7 +148,7 @@ public final class SecurityMockMvcRequestPostProcessors {
/**
* Populates the provided X509Certificate instances on the request.
* @param certificates the X509Certificate instances to pouplate
* @param certificates the X509Certificate instances to populate
* @return the
* {@link org.springframework.test.web.servlet.request.RequestPostProcessor} to use.
*/
@@ -157,7 +157,7 @@ public final class SecurityMockMvcRequestPostProcessors {
}
/**
* Finds an X509Cetificate using a resoureName and populates it on the request.
* Finds an X509Certificate using a resourceName and populates it on the request.
* @param resourceName the name of the X509Certificate resource
* @return the
* {@link org.springframework.test.web.servlet.request.RequestPostProcessor} to use.
+1 -2
View File
@@ -1,9 +1,8 @@
plugins {
id 'io.spring.convention.spring-module'
id 'security-nullability'
}
apply plugin: 'io.spring.convention.spring-module'
configurations {
javascript {
canBeConsumed = false
@@ -38,7 +38,7 @@ interface EvaluationContextPostProcessor<I> {
* that was passed in.
* @param context the original {@link EvaluationContext}
* @param invocation the security invocation object (i.e. FilterInvocation)
* @return the upated context.
* @return the updated context.
*/
EvaluationContext postProcess(EvaluationContext context, I invocation);
@@ -52,20 +52,14 @@ public final class HaveIBeenPwnedRestApiPasswordChecker implements CompromisedPa
private final Log logger = LogFactory.getLog(getClass());
private final MessageDigest sha1Digest;
private RestClient restClient = RestClient.builder().baseUrl(API_URL).build();
public HaveIBeenPwnedRestApiPasswordChecker() {
this.sha1Digest = getSha1Digest();
}
@Override
public CompromisedPasswordDecision check(@Nullable String password) {
if (password == null) {
return new CompromisedPasswordDecision(false);
}
byte[] hash = this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8));
byte[] hash = getSha1Digest().digest(password.getBytes(StandardCharsets.UTF_8));
String encoded = new String(Hex.encode(hash)).toUpperCase(Locale.ROOT);
String prefix = encoded.substring(0, PREFIX_LENGTH);
String suffix = encoded.substring(PREFIX_LENGTH);
@@ -55,12 +55,6 @@ public class HaveIBeenPwnedRestApiReactivePasswordChecker implements ReactiveCom
private WebClient webClient = WebClient.builder().baseUrl(API_URL).build();
private final MessageDigest sha1Digest;
public HaveIBeenPwnedRestApiReactivePasswordChecker() {
this.sha1Digest = getSha1Digest();
}
@Override
public Mono<CompromisedPasswordDecision> check(@Nullable String password) {
return getHash(password).map((hash) -> new String(Hex.encode(hash)))
@@ -98,7 +92,7 @@ public class HaveIBeenPwnedRestApiReactivePasswordChecker implements ReactiveCom
private Mono<byte[]> getHash(@Nullable String rawPassword) {
return Mono.justOrEmpty(rawPassword)
.map((password) -> this.sha1Digest.digest(password.getBytes(StandardCharsets.UTF_8)))
.map((password) -> getSha1Digest().digest(password.getBytes(StandardCharsets.UTF_8)))
.subscribeOn(Schedulers.boundedElastic())
.publishOn(Schedulers.parallel());
}
@@ -133,8 +133,8 @@ final class DefaultWASUsernameAndGroupsExtractor implements WASUsernameAndGroups
return new ArrayList<>(groups);
}
catch (Exception ex) {
logger.error("Exception occured while looking up groups for user", ex);
throw new RuntimeException("Exception occured while looking up groups for user", ex);
logger.error("Exception occurred while looking up groups for user", ex);
throw new RuntimeException("Exception occurred while looking up groups for user", ex);
}
finally {
closeContext(context);
@@ -148,7 +148,7 @@ final class DefaultWASUsernameAndGroupsExtractor implements WASUsernameAndGroups
}
}
catch (NamingException ex) {
logger.debug("Exception occured while closing context", ex);
logger.debug("Exception occurred while closing context", ex);
}
}
@@ -164,7 +164,7 @@ public class RememberMeAuthenticationFilter extends GenericFilterBean implements
* Called if the {@code AuthenticationManager} rejects the authentication object
* returned from the {@code RememberMeServices} {@code autoLogin} method. This method
* will not be called when no remember-me token is present in the request and
* {@code autoLogin} reurns null.
* {@code autoLogin} returns {@code null}.
*/
protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failed) {
@@ -184,7 +184,7 @@ public class RememberMeAuthenticationFilter extends GenericFilterBean implements
* successfully authenticated. By default, the filter will just allow the current
* request to proceed, but if an {@code AuthenticationSuccessHandler} is set, it will
* be invoked and the {@code doFilter()} method will return immediately, thus allowing
* the application to redirect the user to a specific URL, regardless of whatthe
* the application to redirect the user to a specific URL, regardless of what the
* original request was for.
* @param successHandler the strategy to invoke immediately before returning from
* {@code doFilter()}.
@@ -100,7 +100,7 @@ public final class HttpSessionCsrfTokenRepository implements CsrfTokenRepository
* @param sessionAttributeName the new attribute name to use
*/
public void setSessionAttributeName(String sessionAttributeName) {
Assert.hasLength(sessionAttributeName, "sessionAttributename cannot be null or empty");
Assert.hasLength(sessionAttributeName, "sessionAttributeName cannot be null or empty");
this.sessionAttributeName = sessionAttributeName;
}
@@ -799,17 +799,17 @@ public class StrictHttpFirewall implements HttpFirewall {
@Override
public Enumeration<String> getParameterNames() {
Enumeration<String> paramaterNames = super.getParameterNames();
Enumeration<String> parameterNames = super.getParameterNames();
return new Enumeration<>() {
@Override
public boolean hasMoreElements() {
return paramaterNames.hasMoreElements();
return parameterNames.hasMoreElements();
}
@Override
public String nextElement() {
String name = paramaterNames.nextElement();
String name = parameterNames.nextElement();
validateAllowedParameterName(name);
return name;
}
@@ -25,7 +25,7 @@ import org.springframework.util.Assert;
/**
* Provides support for
* <a href="https://w3c.github.io/webappsec-permissions-policy//">Permisisons Policy</a>.
* <a href="https://w3c.github.io/webappsec-permissions-policy//">Permissions Policy</a>.
* <p>
* Permissions Policy allows web developers to selectively enable, disable, and modify the
* behavior of certain APIs and web features in the browser.
@@ -23,7 +23,7 @@ import org.springframework.util.Assert;
/**
* Implementation which uses a regular expression to validate the supplied origin. If the
* value of the HTTP parameter matches the pattern, then the result will be ALLOW-FROM
* &lt;paramter-value&gt;.
* &lt;parameter-value&gt;.
*
* @author Marten Deinum
* @since 3.2
@@ -141,7 +141,7 @@ public final class FastHttpDateFormat {
* Parses date with given formatters.
* @param value The string to parse
* @param formats Array of formats to use
* @return Parsed date (or <code>null</code> if no formatter mached)
* @return Parsed date (or <code>null</code> if no formatter matched)
*/
private static @Nullable Long internalParseDate(String value, DateFormat[] formats) {
Date date = null;
@@ -268,9 +268,9 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
* The following are valid patterns and their meaning
* <ul>
* <li>{@code /path} - match exactly and only `/path`</li>
* <li>{@code /path/**} - match `/path` and any of its descendents</li>
* <li>{@code /path/**} - match `/path` and any of its descendants</li>
* <li>{@code /path/{value}/**} - match `/path/subdirectory` and any of its
* descendents, capturing the value of the subdirectory in
* descendants, capturing the value of the subdirectory in
* {@link RequestAuthorizationContext#getVariables()}</li>
* </ul>
*
@@ -303,9 +303,9 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
* The following are valid patterns and their meaning
* <ul>
* <li>{@code /path} - match exactly and only `/path`</li>
* <li>{@code /path/**} - match `/path` and any of its descendents</li>
* <li>{@code /path/**} - match `/path` and any of its descendants</li>
* <li>{@code /path/{value}/**} - match `/path/subdirectory` and any of its
* descendents, capturing the value of the subdirectory in
* descendants, capturing the value of the subdirectory in
* {@link RequestAuthorizationContext#getVariables()}</li>
* </ul>
*
@@ -73,7 +73,7 @@ public class ThrowableAnalyzer {
/**
* Map of registered cause extractors. key: Class&lt;Throwable&gt;; value:
* ThrowableCauseExctractor
* ThrowableCauseExtractor
*/
private final Map<Class<? extends Throwable>, ThrowableCauseExtractor> extractorMap;
@@ -87,8 +87,8 @@ public final class UrlUtils {
* (SEC-1255). This method is typically used to return a URL for matching against
* secured paths, hence the decoded form is used in preference to the requestURI for
* building the returned value. But this method may also be called using dummy request
* objects which just have the requestURI and contextPatth set, for example, so it
* will fall back to using those.
* objects which just have the requestURI and contextPath set, for example, so it will
* fall back to using those.
* @return the decoded URL, excluding any server name, context path or servlet path
*
*/
@@ -28,6 +28,7 @@ import jakarta.servlet.http.HttpServletRequest;
* @author Eddú Meléndez
* @since 3.0.2
*/
@FunctionalInterface
public interface RequestMatcher {
/**
@@ -40,10 +40,8 @@ import org.springframework.cglib.proxy.Callback;
import org.springframework.cglib.proxy.Enhancer;
import org.springframework.cglib.proxy.Factory;
import org.springframework.cglib.proxy.MethodProxy;
import org.springframework.core.DefaultParameterNameDiscoverer;
import org.springframework.core.MethodIntrospector;
import org.springframework.core.MethodParameter;
import org.springframework.core.ParameterNameDiscoverer;
import org.springframework.core.ResolvableType;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.core.annotation.AnnotationUtils;
@@ -131,8 +129,6 @@ public final class ResolvableMethod {
private static final SpringObjenesis objenesis = new SpringObjenesis();
private static final ParameterNameDiscoverer nameDiscoverer = new DefaultParameterNameDiscoverer();
private final Method method;
private ResolvableMethod(Method method) {
@@ -620,7 +616,6 @@ public final class ResolvableMethod {
List<MethodParameter> matches = new ArrayList<>();
for (int i = 0; i < ResolvableMethod.this.method.getParameterCount(); i++) {
MethodParameter param = new SynthesizingMethodParameter(ResolvableMethod.this.method, i);
param.initParameterNameDiscovery(nameDiscoverer);
if (this.filters.stream().allMatch((p) -> p.test(param))) {
matches.add(param);
}
@@ -38,7 +38,7 @@ public class HttpSessionEventPublisherTests {
* It's not that complicated so we'll just run it straight through here.
*/
@Test
public void publishedEventIsReceivedbyListener() {
public void publishedEventIsReceivedByListener() {
HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
StaticWebApplicationContext context = new StaticWebApplicationContext();
MockServletContext servletContext = new MockServletContext();
@@ -66,7 +66,7 @@ public class HttpSessionEventPublisherTests {
}
@Test
public void publishedEventIsReceivedbyListenerChildContext() {
public void publishedEventIsReceivedByListenerChildContext() {
HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
StaticWebApplicationContext context = new StaticWebApplicationContext();
MockServletContext servletContext = new MockServletContext();
+2
View File
@@ -16,10 +16,12 @@ dependencies {
optional 'org.springframework:spring-jdbc'
optional 'org.springframework:spring-tx'
optional 'tools.jackson.core:jackson-databind'
optional 'com.fasterxml.jackson.core:jackson-databind'
provided 'jakarta.servlet:jakarta.servlet-api'
testImplementation project(path: ':spring-security-core', configuration: 'tests')
testImplementation 'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor'
testImplementation 'io.projectreactor:reactor-test'
testImplementation 'jakarta.xml.bind:jakarta.xml.bind-api'
testImplementation 'jakarta.websocket:jakarta.websocket-api'
@@ -71,7 +71,7 @@ public interface CredentialRecord {
/**
* The <a href=
* "https://www.w3.org/TR/webauthn-3/#abstract-opdef-credential-record-transports">transpots</a>
* "https://www.w3.org/TR/webauthn-3/#abstract-opdef-credential-record-transports">transports</a>
* is the value returned from {@code response.getTransports()}.
* @return
*/
@@ -203,7 +203,7 @@ public final class PublicKeyCredential<R extends AuthenticatorResponse> implemen
/**
* Sets the {@link #getAuthenticatorAttachment()} property.
* @param authenticatorAttachment the authenticator attachement
* @param authenticatorAttachment the authenticator attachment
* @return the PublicKeyCredentialBuilder
*/
public PublicKeyCredentialBuilder authenticatorAttachment(AuthenticatorAttachment authenticatorAttachment) {
@@ -105,7 +105,7 @@ public final class PublicKeyCredentialCreationOptions {
/**
* The <a href=
* "https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialcreationoptions-pubkeycredparams">publicKeyCredParams</a>
* params lisst the key types and signature algorithms the Relying Party Supports,
* params list the key types and signature algorithms the Relying Party Supports,
* ordered from most preferred to least preferred.
* @return the public key credential parameters
*/
@@ -19,7 +19,7 @@ package org.springframework.security.web.webauthn.api;
/**
* The <a href=
* "https://www.w3.org/TR/webauthn-3/#enumdef-residentkeyrequirement">ResidentKeyRequirement</a>
* describes the Relying Partys requirements for client-side discoverable credentials.
* describes the Relying Party requirements for client-side discoverable credentials.
*
* @author Rob Winch
* @since 6.4
@@ -21,7 +21,7 @@ public final class TestAuthenticatorAttestationResponses {
public static AuthenticatorAttestationResponse.AuthenticatorAttestationResponseBuilder createAuthenticatorAttestationResponse() {
return AuthenticatorAttestationResponse.builder()
.attestationObject(Bytes.fromBase64(
"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUy9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNhdAAAAALraVWanqkAfvZZFYZpVEg0AEDWRLOHq0Wxw4cOkCemynKqlAQIDJiABIVgg4Hkrn2kbGmpZTdoDZUNrppo93OqgQV7ONzVvo5GLCFciWCCrf6yIQggq2BfZntawxRsBBbWG_FWkYAoU8yPipS-5hg-p1VREax-qKTGn1Bp92fRMjRMunH7XwSlf9mMWJdY3VvAkicTChlxVd256yk4jEiXiJ5BuwugdpT7fBOYtymjpQECAyYgASFYIJK-2epPEw0ujHN-gvVp2Hp3ef8CzU3zqwO5ylx8L2OsIlggK5x5OlTGEPxLS-85TAABum4aqVK4CSWJ7LYDdkjuBLk"))
"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUy9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNhdAAAAALraVWanqkAfvZZFYZpVEg0AEDWRLOHq0Wxw4cOkCemynKqlAQIDJiABIVgg4Hkrn2kbGmpZTdoDZUNrppo93OqgQV7ONzVvo5GLCFciWCCrf6yIQggq2BfZntawxRsBBbWG_FWkYAoU8yPipS-5hg=="))
.clientDataJSON(Bytes.fromBase64(
"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoicTdsQ2RkM1NWUXhkQy12OHBuUkFHRW4xQjJNLXQ3WkVDV1B3Q0FtaFd2YyIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyIsImNyb3NzT3JpZ2luIjpmYWxzZX0"))
.transports(AuthenticatorTransport.HYBRID, AuthenticatorTransport.INTERNAL);

Some files were not shown because too many files have changed in this diff Show More