1
0
mirror of synced 2026-07-18 09:05:14 +00:00

Compare commits

...

114 Commits

Author SHA1 Message Date
github-actions[bot] 3512fc76f3 Release 6.5.2 2025-07-21 18:34:18 +00:00
Rob Winch 90584ef8ce Merge branch '6.4.x' into 6.5.x 2025-07-21 09:42:59 -05:00
Rob Winch 7b606362f8 Fix samples branch 2025-07-21 09:42:51 -05:00
Rob Winch e38c059e7c Fix samples branch 2025-07-21 09:42:08 -05:00
Rob Winch 80ccb9b3cf Merge branch '6.4.x' into 6.5.x
Closes gh-17580
2025-07-21 09:29:20 -05:00
Rob Winch 829af961f0 Use Meaningful Configurer Names in Test
This just renames the Configurer names used in
AbstractConfiguredSecurityBuilderTests to be more meaningful.

Issue gh-17020 gh-17011

Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com>
2025-07-21 09:27:36 -05:00
Rob Winch fca704e61f Fix getConfigurersInInitializing Semantics
A getter should not mutate state. This removes getConfigurersInInitializing
in favor of inline code since this is just used once.

Issue gh-17020 gh-17011

Signed-off-by: Rob Winch <362503+rwinch@users.noreply.github.com>
2025-07-21 09:27:36 -05:00
Rob Winch ea9dd2728e Support add nested security configurers during builder initialization
Closes gh-17011

Signed-off-by: DingHao <dh.hiekn@gmail.com>
2025-07-21 09:27:27 -05:00
Rob Winch 409f845db2 Merge branch '6.4.x' into 6.5.x 2025-07-21 08:20:35 -05:00
Rob Winch 258aa66f0d Merge branch '6.3.x' into 6.4.x 2025-07-21 08:20:16 -05:00
Rob Winch fbaa15bae1 Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 2025-07-21 08:18:52 -05:00
Rob Winch e21a80a96d Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 2025-07-21 08:18:49 -05:00
Rob Winch 236ef46cf8 Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 2025-07-21 08:18:47 -05:00
Rob Winch a0b0d02965 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final 2025-07-21 08:18:45 -05:00
Rob Winch 97e5b103e8 Bump io.mockk:mockk from 1.14.4 to 1.14.5 2025-07-21 08:18:42 -05:00
Rob Winch d5d31a0892 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-21 08:11:46 -05:00
Rob Winch 1b3f8435ce Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final 2025-07-21 08:11:44 -05:00
Rob Winch 22fbbb9365 Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 2025-07-21 08:11:41 -05:00
Rob Winch f1622351e5 Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8 2025-07-21 08:11:39 -05:00
Rob Winch e5c45c9dda Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 2025-07-21 08:11:37 -05:00
Rob Winch 82fa658c9b Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-21 07:52:56 -05:00
dependabot[bot] 51a703a291 Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.8 to 6.2.9.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.8...v6.2.9)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:43:53 +00:00
dependabot[bot] ae689cd220 Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.1.7 to 2024.1.8.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.1.7...2024.1.8)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:41:51 +00:00
dependabot[bot] 2a3d1340d1 Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9
Bumps [io.micrometer:micrometer-observation](https://github.com/micrometer-metrics/micrometer) from 1.14.8 to 1.14.9.
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](https://github.com/micrometer-metrics/micrometer/compare/v1.14.8...v1.14.9)

---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:40:58 +00:00
dependabot[bot] 9f40a72f19 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.20.Final to 6.6.22.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.22/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.20...6.6.22)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.22.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:36:16 +00:00
dependabot[bot] 470384597c Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
Bumps org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:36:08 +00:00
dependabot[bot] c27f7206d9 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
Bumps org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:23:35 +00:00
dependabot[bot] a5129a136d Bump io.mockk:mockk from 1.14.4 to 1.14.5
---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:20:57 +00:00
dependabot[bot] 150615eba5 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.22.Final
---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.22.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:18:57 +00:00
dependabot[bot] fb07dc9d3a Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9
---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:18:31 +00:00
dependabot[bot] 32f909ff64 Bump org.springframework.data:spring-data-bom from 2024.1.7 to 2024.1.8
---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:15:46 +00:00
dependabot[bot] 2aebb9ce9e Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9
---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-21 04:13:19 +00:00
Rob Winch 3db0b0ed95 Merge branch '6.4.x' into 6.5.x 2025-07-18 09:14:48 -05:00
Rob Winch 2cb200079c Merge branch '6.3.x' into 6.4.x 2025-07-18 09:14:35 -05:00
Rob Winch cb515e5c57 Merge branch 'npm_and_yarn/docs/6.3.x/springio/antora-extensions-1.14.6' into 6.3.x 2025-07-18 09:14:23 -05:00
Rob Winch 02dbb288d3 Merge branch '6.4.x' into 6.5.x 2025-07-18 09:12:01 -05:00
Rob Winch b56533c13c Merge branch '6.3.x' into 6.4.x 2025-07-18 09:11:45 -05:00
Rob Winch a3df90405f Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final 2025-07-18 09:10:38 -05:00
Rob Winch dd8763a572 Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 2025-07-18 09:10:36 -05:00
Rob Winch cf9375f441 Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 2025-07-18 09:10:34 -05:00
Rob Winch bf5496310e Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-18 09:10:32 -05:00
Rob Winch f2452c3732 Bump io.mockk:mockk from 1.14.4 to 1.14.5 2025-07-18 09:10:30 -05:00
Rob Winch b63a337015 Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 2025-07-18 09:09:33 -05:00
Rob Winch 880ba0e1aa Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9 2025-07-18 09:09:31 -05:00
Rob Winch 9262a8ecc8 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final 2025-07-18 09:09:29 -05:00
Rob Winch 4084b70335 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-18 09:09:28 -05:00
Rob Winch 59365e9ac5 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-18 09:05:22 -05:00
Joe Grandja ecec7cb98f Merge branch '6.4.x' into 6.5.x
Closes gh-17557
2025-07-18 08:40:31 -04:00
Marcus Hert da Coregio 2a38de48b8 Fix securityContextRepository() initialization in oauth2Login() DSL
Closes gh-17502

Signed-off-by: Marcus Hert da Coregio <marcusdacoregio@gmail.com>
2025-07-18 07:48:05 -04:00
dependabot[bot] 382f2788d3 Bump io.mockk:mockk from 1.14.4 to 1.14.5
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.4 to 1.14.5.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.4...1.14.5)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:44:04 +00:00
dependabot[bot] 385d10ebf1 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
Bumps org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:43:59 +00:00
dependabot[bot] 5f243de06b Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9
Bumps [io.micrometer:micrometer-observation](https://github.com/micrometer-metrics/micrometer) from 1.14.8 to 1.14.9.
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](https://github.com/micrometer-metrics/micrometer/compare/v1.14.8...v1.14.9)

---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:43:48 +00:00
dependabot[bot] 6716a0c4fe Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.8 to 6.2.9.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.8...v6.2.9)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:43:25 +00:00
dependabot[bot] c1173dbab1 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.20.Final to 6.6.21.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.21/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.20...6.6.21)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.21.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:43:04 +00:00
dependabot[bot] 284a32c698 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:34:19 +00:00
dependabot[bot] 3d028b1c22 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final
---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.21.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:34:02 +00:00
dependabot[bot] 126166da1e Bump org.springframework:spring-framework-bom from 6.2.8 to 6.2.9
---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:33:55 +00:00
dependabot[bot] f4387f299a Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9
---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:33:52 +00:00
dependabot[bot] 854703cb47 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-18 03:15:01 +00:00
Josh Cummings 72eb3065de Remove AuthorizationWebProxyConfiguration From Reactive
Closes gh-17545
2025-07-17 17:42:45 -06:00
Rob Winch d2fcba82f7 Merge branch '6.4.x' into 6.5.x 2025-07-17 13:03:06 -05:00
Rob Winch b81d894cc8 Merge branch '6.3.x' into 6.4.x 2025-07-17 13:02:57 -05:00
Rob Winch ca108fe5dc Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 2025-07-17 13:00:47 -05:00
Rob Winch 5ddbe18cb0 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final 2025-07-17 13:00:44 -05:00
Rob Winch ea8aad7865 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-17 13:00:41 -05:00
Rob Winch 8e563d6324 Bump io.mockk:mockk from 1.14.4 to 1.14.5 2025-07-17 13:00:39 -05:00
Rob Winch b2f4bf9b74 Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9 2025-07-17 12:59:55 -05:00
Rob Winch ac7f6260b1 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final 2025-07-17 12:59:52 -05:00
Rob Winch ebca0df783 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-17 12:59:50 -05:00
Rob Winch 3395e061f0 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11 2025-07-17 12:58:50 -05:00
dependabot[bot] bc746e260f Bump io.mockk:mockk from 1.14.4 to 1.14.5
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.4 to 1.14.5.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.4...1.14.5)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-17 04:01:29 +00:00
dependabot[bot] e2f96480a4 Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-16 04:00:56 +00:00
dependabot[bot] ba17c3182b Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
Bumps org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11.

---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-16 03:51:21 +00:00
dependabot[bot] 92116773ea Bump org.apache.maven:maven-resolver-provider from 3.9.10 to 3.9.11
---
updated-dependencies:
- dependency-name: org.apache.maven:maven-resolver-provider
  dependency-version: 3.9.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-16 03:41:55 +00:00
dependabot[bot] 9377a9aad4 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.20.Final to 6.6.21.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.21/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.20...6.6.21)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.21.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-14 04:25:28 +00:00
dependabot[bot] 1e03085a12 Bump org.hibernate.orm:hibernate-core from 6.6.20.Final to 6.6.21.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.20.Final to 6.6.21.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.21/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.20...6.6.21)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.21.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-14 04:21:28 +00:00
dependabot[bot] 5d765f92b6 Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9
Bumps [io.micrometer:micrometer-observation](https://github.com/micrometer-metrics/micrometer) from 1.14.8 to 1.14.9.
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](https://github.com/micrometer-metrics/micrometer/compare/v1.14.8...v1.14.9)

---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-14 04:20:00 +00:00
dependabot[bot] c92187a9a7 Bump io.micrometer:micrometer-observation from 1.14.8 to 1.14.9
Bumps [io.micrometer:micrometer-observation](https://github.com/micrometer-metrics/micrometer) from 1.14.8 to 1.14.9.
- [Release notes](https://github.com/micrometer-metrics/micrometer/releases)
- [Commits](https://github.com/micrometer-metrics/micrometer/compare/v1.14.8...v1.14.9)

---
updated-dependencies:
- dependency-name: io.micrometer:micrometer-observation
  dependency-version: 1.14.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-14 04:18:51 +00:00
dependabot[bot] 759736672d Bump @springio/antora-extensions from 1.14.4 to 1.14.6 in /docs
Bumps [@springio/antora-extensions](https://github.com/spring-io/antora-extensions) from 1.14.4 to 1.14.6.
- [Changelog](https://github.com/spring-io/antora-extensions/blob/main/CHANGELOG.adoc)
- [Commits](https://github.com/spring-io/antora-extensions/compare/v1.14.4...v1.14.6)

---
updated-dependencies:
- dependency-name: "@springio/antora-extensions"
  dependency-version: 1.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-14 01:05:46 +00:00
Josh Cummings 7960d2803d Add Migration Steps for PathMatcher Usage
Issue gh-17509
2025-07-10 14:53:39 -06:00
Josh Cummings 4b15b2b94e Add Migration Steps for Messaging
Closes gh-17509
2025-07-10 13:19:42 -06:00
Josh Cummings bc0d706275 Use PathPatternMessageMatcher.Builder in XML Config
Closes gh-17508
2025-07-10 13:16:14 -06:00
Josh Cummings 9209a33678 Remove References to Deprecated OpenSaml Components
Issue gh-11658
2025-07-09 14:10:33 -06:00
Rob Winch 7a7d2cacd2 Merge branch '6.4.x' into 6.5.x 2025-07-07 14:31:17 -05:00
dependabot[bot] fa2e4c67a0 Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.7 to 6.2.8.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.7...v6.2.8)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-07 14:31:11 -05:00
dependabot[bot] 45ce51fe8d Bump com.webauthn4j:webauthn4j-core
Bumps [com.webauthn4j:webauthn4j-core](https://github.com/webauthn4j/webauthn4j) from 0.29.3.RELEASE to 0.29.4.RELEASE.
- [Release notes](https://github.com/webauthn4j/webauthn4j/releases)
- [Changelog](https://github.com/webauthn4j/webauthn4j/blob/master/github-release-notes-generator.yml)
- [Commits](https://github.com/webauthn4j/webauthn4j/compare/0.29.3.RELEASE...0.29.4.RELEASE)

---
updated-dependencies:
- dependency-name: com.webauthn4j:webauthn4j-core
  dependency-version: 0.29.4.RELEASE
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-07 14:31:11 -05:00
dependabot[bot] 2d3a1dc210 Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.20.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.17.Final to 6.6.20.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.20/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.17...6.6.20)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.20.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-07 14:31:10 -05:00
dependabot[bot] 64bc37b5d6 Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7
---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-07 14:30:49 -05:00
dependabot[bot] afc25b1ea3 Bump org.hibernate.orm:hibernate-core from 6.6.19.Final to 6.6.20.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.19.Final to 6.6.20.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.20/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.19...6.6.20)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.20.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-07 14:30:49 -05:00
Josh Cummings bc20bd6340 Merge branch '6.4.x' into 6.5.x
Closes gh-17495
2025-07-07 12:53:59 -06:00
Josh Cummings 8461feb028 Merge branch '6.3.x' into 6.4.x
Closes gh-17494
2025-07-07 12:53:47 -06:00
Josh Cummings 4f5b17334e Pick Up csrfChannelInterceptor in XML
Closes gh-17493
2025-07-07 12:53:27 -06:00
Josh Cummings ea3ba62022 Correct Servlet Path JavaDoc
Initially PathPatternRequestMatcher was designed to match relative
to the servlet path. However, this was changed to be relative to
the context path. This commit updates the documentation and removes
references to the servlet path other than in the context of setting
a basePath to remove boilerplate.

Issue gh-16430
2025-07-07 11:34:29 -06:00
Josh Cummings 8fb8e26c01 Merge branch '6.4.x' into 6.5.x 2025-07-03 14:40:04 -06:00
Josh Cummings 3f4ef169f6 Merge branch '6.3.x' into 6.4.x 2025-07-03 14:38:39 -06:00
dependabot[bot] 192bafe9a5 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:38:21 -06:00
Josh Cummings b5ddf9ccd1 Merge branch '6.4.x' into 6.5.x 2025-07-03 14:19:31 -06:00
Josh Cummings 43042b6724 Merge branch '6.3.x' into 6.4.x 2025-07-03 14:19:20 -06:00
dependabot[bot] b144c37cad Bump org.springframework:spring-framework-bom from 6.1.20 to 6.1.21
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.1.20 to 6.1.21.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.1.20...v6.1.21)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:17:18 -06:00
dependabot[bot] 22992afbe8 Bump org-apache-maven-resolver from 1.9.23 to 1.9.24
Bumps `org-apache-maven-resolver` from 1.9.23 to 1.9.24.

Updates `org.apache.maven.resolver:maven-resolver-connector-basic` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-impl` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-transport-http` from 1.9.23 to 1.9.24

---
updated-dependencies:
- dependency-name: org.apache.maven.resolver:maven-resolver-connector-basic
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-impl
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-transport-http
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:17:06 -06:00
dependabot[bot] 39b53ee0be Bump org.springframework.data:spring-data-bom
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.0.12 to 2024.0.13.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.0.12...2024.0.13)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.0.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:16:33 -06:00
dependabot[bot] 23fa7c3047 Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 14:16:20 -06:00
Josh Cummings 3bef5f9f40 Merge branch '6.4.x' into 6.5.x 2025-07-03 13:43:10 -06:00
dependabot[bot] 43e2e53b90 Bump org.springframework:spring-framework-bom from 6.2.7 to 6.2.8
Bumps [org.springframework:spring-framework-bom](https://github.com/spring-projects/spring-framework) from 6.2.7 to 6.2.8.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v6.2.7...v6.2.8)

---
updated-dependencies:
- dependency-name: org.springframework:spring-framework-bom
  dependency-version: 6.2.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 13:42:46 -06:00
dependabot[bot] 3fec6959b1 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 13:41:32 -06:00
dependabot[bot] a8f8fcb046 Bump org-apache-maven-resolver from 1.9.23 to 1.9.24
Bumps `org-apache-maven-resolver` from 1.9.23 to 1.9.24.

Updates `org.apache.maven.resolver:maven-resolver-connector-basic` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-impl` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-transport-http` from 1.9.23 to 1.9.24

---
updated-dependencies:
- dependency-name: org.apache.maven.resolver:maven-resolver-connector-basic
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-impl
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-transport-http
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 13:41:22 -06:00
dependabot[bot] 16956fe01c Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 13:41:08 -06:00
dependabot[bot] a66efc26f5 Bump org.hibernate.orm:hibernate-core from 6.6.17.Final to 6.6.19.Final
Bumps [org.hibernate.orm:hibernate-core](https://github.com/hibernate/hibernate-orm) from 6.6.17.Final to 6.6.19.Final.
- [Release notes](https://github.com/hibernate/hibernate-orm/releases)
- [Changelog](https://github.com/hibernate/hibernate-orm/blob/6.6.19/changelog.txt)
- [Commits](https://github.com/hibernate/hibernate-orm/compare/6.6.17...6.6.19)

---
updated-dependencies:
- dependency-name: org.hibernate.orm:hibernate-core
  dependency-version: 6.6.19.Final
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 13:40:58 -06:00
dependabot[bot] 86562760d9 Bump org.springframework.data:spring-data-bom from 2024.1.6 to 2024.1.7
Bumps [org.springframework.data:spring-data-bom](https://github.com/spring-projects/spring-data-bom) from 2024.1.6 to 2024.1.7.
- [Release notes](https://github.com/spring-projects/spring-data-bom/releases)
- [Commits](https://github.com/spring-projects/spring-data-bom/compare/2024.1.6...2024.1.7)

---
updated-dependencies:
- dependency-name: org.springframework.data:spring-data-bom
  dependency-version: 2024.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 13:20:01 -06:00
dependabot[bot] eba43dc03f Bump io.mockk:mockk from 1.14.2 to 1.14.4
Bumps [io.mockk:mockk](https://github.com/mockk/mockk) from 1.14.2 to 1.14.4.
- [Release notes](https://github.com/mockk/mockk/releases)
- [Commits](https://github.com/mockk/mockk/compare/1.14.2...1.14.4)

---
updated-dependencies:
- dependency-name: io.mockk:mockk
  dependency-version: 1.14.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 12:51:14 -06:00
dependabot[bot] 0b872588d3 Bump org.springframework.ldap:spring-ldap-core from 3.2.12 to 3.2.13
Bumps [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 3.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 12:51:04 -06:00
dependabot[bot] cfaac1963c Bump org-apache-maven-resolver from 1.9.23 to 1.9.24
Bumps `org-apache-maven-resolver` from 1.9.23 to 1.9.24.

Updates `org.apache.maven.resolver:maven-resolver-connector-basic` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-impl` from 1.9.23 to 1.9.24
- [Release notes](https://github.com/apache/maven-resolver/releases)
- [Commits](https://github.com/apache/maven-resolver/compare/maven-resolver-1.9.23...maven-resolver-1.9.24)

Updates `org.apache.maven.resolver:maven-resolver-transport-http` from 1.9.23 to 1.9.24

---
updated-dependencies:
- dependency-name: org.apache.maven.resolver:maven-resolver-connector-basic
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-impl
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.maven.resolver:maven-resolver-transport-http
  dependency-version: 1.9.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 12:50:51 -06:00
dependabot[bot] 8b5a43033f Bump io-spring-javaformat from 0.0.46 to 0.0.47
Bumps `io-spring-javaformat` from 0.0.46 to 0.0.47.

Updates `io.spring.javaformat:spring-javaformat-checkstyle` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

Updates `io.spring.javaformat:spring-javaformat-gradle-plugin` from 0.0.46 to 0.0.47
- [Release notes](https://github.com/spring-io/spring-javaformat/releases)
- [Commits](https://github.com/spring-io/spring-javaformat/compare/v0.0.46...v0.0.47)

---
updated-dependencies:
- dependency-name: io.spring.javaformat:spring-javaformat-checkstyle
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: io.spring.javaformat:spring-javaformat-gradle-plugin
  dependency-version: 0.0.47
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-03 12:50:45 -06:00
Andrey Litvitski 25d51a0d99 Include HTTP Method in equals and hashCode
Closes gh-17180

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
2025-07-02 13:18:36 -06:00
21 changed files with 459 additions and 125 deletions
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -50,6 +50,7 @@ import org.springframework.web.filter.DelegatingFilterProxy;
* @param <O> The object that this builder returns
* @param <B> The type of this builder (that is returned by the base class)
* @author Rob Winch
* @author DingHao
* @see WebSecurity
*/
public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>
@@ -59,7 +60,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<>();
private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<>();
private List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<>();
private final Map<Class<?>, Object> sharedObjects = new HashMap<>();
@@ -386,8 +387,12 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
for (SecurityConfigurer<O, B> configurer : configurers) {
configurer.init((B) this);
}
for (SecurityConfigurer<O, B> configurer : this.configurersAddedInInitializing) {
configurer.init((B) this);
while (!this.configurersAddedInInitializing.isEmpty()) {
List<SecurityConfigurer<O, B>> toInit = this.configurersAddedInInitializing;
this.configurersAddedInInitializing = new ArrayList<>();
for (SecurityConfigurer<O, B> configurer : toInit) {
configurer.init((B) this);
}
}
}
@@ -38,9 +38,6 @@ class ReactiveMethodSecuritySelector implements ImportSelector {
private static final boolean isDataPresent = ClassUtils
.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
private static final boolean isWebPresent = ClassUtils.isPresent("org.springframework.web.server.ServerWebExchange",
null);
private static final boolean isObservabilityPresent = ClassUtils
.isPresent("io.micrometer.observation.ObservationRegistry", null);
@@ -64,9 +61,6 @@ class ReactiveMethodSecuritySelector implements ImportSelector {
if (isDataPresent) {
imports.add(AuthorizationProxyDataConfiguration.class.getName());
}
if (isWebPresent) {
imports.add(AuthorizationProxyWebConfiguration.class.getName());
}
if (isObservabilityPresent) {
imports.add(ReactiveMethodObservationConfiguration.class.getName());
}
@@ -181,6 +181,8 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
private OAuth2AuthorizedClientRepository authorizedClientRepository;
private SecurityContextRepository securityContextRepository;
/**
* Sets the repository of client registrations.
* @param clientRegistrationRepository the repository of client registrations
@@ -234,6 +236,17 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
return this;
}
/**
* Sets the {@link SecurityContextRepository} to use.
* @param securityContextRepository the {@link SecurityContextRepository} to use
* @return the {@link OAuth2LoginConfigurer} for further configuration
*/
@Override
public OAuth2LoginConfigurer<B> securityContextRepository(SecurityContextRepository securityContextRepository) {
this.securityContextRepository = securityContextRepository;
return this;
}
/**
* Sets the registry for managing the OIDC client-provider session link
* @param oidcSessionRegistry the {@link OidcSessionRegistry} to use
@@ -354,6 +367,9 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
RequestMatcher processUri = RequestMatcherFactory.matcher(this.loginProcessingUrl);
authenticationFilter.setRequiresAuthenticationRequestMatcher(processUri);
authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
if (this.securityContextRepository != null) {
authenticationFilter.setSecurityContextRepository(this.securityContextRepository);
}
this.setAuthenticationFilter(authenticationFilter);
super.loginProcessingUrl(this.loginProcessingUrl);
if (this.loginPage != null) {
@@ -0,0 +1,78 @@
/*
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.http;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.security.messaging.util.matcher.MessageMatcher;
import org.springframework.security.messaging.util.matcher.PathPatternMessageMatcher;
import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;
@Deprecated
public final class MessageMatcherFactoryBean implements FactoryBean<MessageMatcher<?>>, ApplicationContextAware {
private PathPatternMessageMatcher.Builder builder;
private final SimpMessageType method;
private final String path;
private PathMatcher pathMatcher = new AntPathMatcher();
public MessageMatcherFactoryBean(String path) {
this(path, null);
}
public MessageMatcherFactoryBean(String path, SimpMessageType method) {
this.method = method;
this.path = path;
}
@Override
public MessageMatcher<?> getObject() throws Exception {
if (this.builder != null) {
return this.builder.matcher(this.method, this.path);
}
if (this.method == SimpMessageType.SUBSCRIBE) {
return SimpDestinationMessageMatcher.createSubscribeMatcher(this.path, this.pathMatcher);
}
if (this.method == SimpMessageType.MESSAGE) {
return SimpDestinationMessageMatcher.createMessageMatcher(this.path, this.pathMatcher);
}
return new SimpDestinationMessageMatcher(this.path, this.pathMatcher);
}
@Override
public Class<?> getObjectType() {
return null;
}
public void setPathMatcher(PathMatcher pathMatcher) {
this.pathMatcher = pathMatcher;
}
@Override
public void setApplicationContext(ApplicationContext context) throws BeansException {
this.builder = context.getBeanProvider(PathPatternMessageMatcher.Builder.class).getIfUnique();
}
}
@@ -19,6 +19,7 @@ package org.springframework.security.config.web.messaging;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
import org.springframework.security.messaging.util.matcher.PathPatternMessageMatcher;
import org.springframework.web.util.pattern.PathPatternParser;
/**
* Use this factory bean to configure the {@link PathPatternMessageMatcher.Builder} bean
@@ -31,9 +32,30 @@ import org.springframework.security.messaging.util.matcher.PathPatternMessageMat
public final class PathPatternMessageMatcherBuilderFactoryBean
implements FactoryBean<PathPatternMessageMatcher.Builder> {
private PathPatternParser parser;
/**
* Create {@link PathPatternMessageMatcher}s using
* {@link PathPatternParser#defaultInstance}
*/
public PathPatternMessageMatcherBuilderFactoryBean() {
}
/**
* Create {@link PathPatternMessageMatcher}s using the given {@link PathPatternParser}
* @param parser the {@link PathPatternParser} to use
*/
public PathPatternMessageMatcherBuilderFactoryBean(PathPatternParser parser) {
this.parser = parser;
}
@Override
public PathPatternMessageMatcher.Builder getObject() throws Exception {
return PathPatternMessageMatcher.withDefaults();
if (this.parser == null) {
return PathPatternMessageMatcher.withDefaults();
}
return PathPatternMessageMatcher.withPathPatternParser(this.parser);
}
@Override
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -50,6 +50,7 @@ import org.springframework.security.access.vote.ConsensusBased;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Elements;
import org.springframework.security.config.http.MessageMatcherFactoryBean;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -63,7 +64,6 @@ import org.springframework.security.messaging.access.intercept.MessageMatcherDel
import org.springframework.security.messaging.context.AuthenticationPrincipalArgumentResolver;
import org.springframework.security.messaging.context.SecurityContextChannelInterceptor;
import org.springframework.security.messaging.util.matcher.MessageMatcher;
import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
import org.springframework.security.messaging.util.matcher.SimpMessageTypeMatcher;
import org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor;
import org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor;
@@ -270,25 +270,18 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
matcher.addConstructorArgValue(messageType);
return matcher.getBeanDefinition();
}
String factoryName = null;
if (hasPattern && hasMessageType) {
BeanDefinitionBuilder matcher = BeanDefinitionBuilder.rootBeanDefinition(MessageMatcherFactoryBean.class);
matcher.addConstructorArgValue(matcherPattern);
if (hasMessageType) {
SimpMessageType type = SimpMessageType.valueOf(messageType);
if (SimpMessageType.MESSAGE == type) {
factoryName = "createMessageMatcher";
}
else if (SimpMessageType.SUBSCRIBE == type) {
factoryName = "createSubscribeMatcher";
}
else {
matcher.addConstructorArgValue(type);
if (SimpMessageType.SUBSCRIBE != type && SimpMessageType.MESSAGE != type) {
parserContext.getReaderContext()
.error("Cannot use intercept-websocket@message-type=" + messageType
+ " with a pattern because the type does not have a destination.", interceptMessage);
}
}
BeanDefinitionBuilder matcher = BeanDefinitionBuilder.rootBeanDefinition(SimpDestinationMessageMatcher.class);
matcher.setFactoryMethod(factoryName);
matcher.addConstructorArgValue(matcherPattern);
matcher.addConstructorArgValue(new RuntimeBeanReference("springSecurityMessagePathMatcher"));
matcher.addPropertyValue("pathMatcher", new RuntimeBeanReference("springSecurityMessagePathMatcher"));
return matcher.getBeanDefinition();
}
@@ -301,6 +294,8 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel";
private static final String CSRF_CHANNEL_INTERCEPTOR_BEAN_ID = "csrfChannelInterceptor";
private static final String INTERCEPTORS_PROP = "interceptors";
private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
@@ -364,7 +359,12 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
ManagedList<Object> interceptors = new ManagedList();
interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
if (!this.sameOriginDisabled) {
interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
if (!registry.containsBeanDefinition(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID)) {
interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
}
else {
interceptors.add(new RuntimeBeanReference(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID));
}
}
interceptors.add(registry.getBeanDefinition(this.inboundSecurityInterceptorId));
BeanDefinition inboundChannel = registry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID);
@@ -40,8 +40,6 @@ import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProce
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Role;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.annotation.Secured;
@@ -67,7 +65,6 @@ import org.springframework.security.test.context.annotation.SecurityTestExecutio
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Component;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.web.servlet.ModelAndView;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -364,48 +361,6 @@ public class PrePostReactiveMethodSecurityConfigurationTests {
assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> flight.getAltitude().block());
}
@Test
@WithMockUser(authorities = "airplane:read")
public void findByIdWhenAuthorizedResponseEntityThenAuthorizes() {
this.spring.register(AuthorizeResultConfig.class).autowire();
FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class);
Flight flight = flights.webFindById("1").block().getBody();
assertThatNoException().isThrownBy(() -> flight.getAltitude().block());
assertThatNoException().isThrownBy(() -> flight.getSeats().block());
}
@Test
@WithMockUser(authorities = "seating:read")
public void findByIdWhenUnauthorizedResponseEntityThenDenies() {
this.spring.register(AuthorizeResultConfig.class).autowire();
FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class);
Flight flight = flights.webFindById("1").block().getBody();
assertThatNoException().isThrownBy(() -> flight.getSeats().block());
assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> flight.getAltitude().block());
}
@Test
@WithMockUser(authorities = "airplane:read")
public void findByIdWhenAuthorizedModelAndViewThenAuthorizes() {
this.spring.register(AuthorizeResultConfig.class).autowire();
FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class);
Flight flight = (Flight) flights.webViewFindById("1").block().getModel().get("flight");
assertThatNoException().isThrownBy(() -> flight.getAltitude().block());
assertThatNoException().isThrownBy(() -> flight.getSeats().block());
assertThat(flights.webViewFindById("5").block().getModel().get("flight")).isNull();
}
@Test
@WithMockUser(authorities = "seating:read")
public void findByIdWhenUnauthorizedModelAndViewThenDenies() {
this.spring.register(AuthorizeResultConfig.class).autowire();
FlightRepository flights = this.spring.getContext().getBean(FlightRepository.class);
Flight flight = (Flight) flights.webViewFindById("1").block().getModel().get("flight");
assertThatNoException().isThrownBy(() -> flight.getSeats().block());
assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> flight.getAltitude().block());
assertThat(flights.webViewFindById("5").block().getModel().get("flight")).isNull();
}
@Test
@WithMockUser(authorities = "seating:read")
public void findAllWhenUnauthorizedResultThenDenies() {
@@ -769,22 +724,6 @@ public class PrePostReactiveMethodSecurityConfigurationTests {
return Mono.empty();
}
Mono<ResponseEntity<Flight>> webFindById(String id) {
Flight flight = this.flights.get(id);
if (flight == null) {
return Mono.just(ResponseEntity.notFound().build());
}
return Mono.just(ResponseEntity.ok(flight));
}
Mono<ModelAndView> webViewFindById(String id) {
Flight flight = this.flights.get(id);
if (flight == null) {
return Mono.just(new ModelAndView("error", HttpStatusCode.valueOf(404)));
}
return Mono.just(new ModelAndView("flights", Map.of("flight", flight)));
}
}
@AuthorizeReturnObject
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -163,6 +163,36 @@ public class AbstractConfiguredSecurityBuilderTests {
assertThat(this.builder.getConfigurers(TestSecurityConfigurer.class)).hasSize(1);
}
@Test
public void withWhenConfigurerAddInitializing() throws Exception {
this.builder.with(new AppliesNestedConfigurer(), Customizer.withDefaults());
assertThat(this.builder.build()).isEqualTo("success");
}
private static class AppliesNestedConfigurer
extends SecurityConfigurerAdapter<Object, TestConfiguredSecurityBuilder> {
@Override
public void init(TestConfiguredSecurityBuilder builder) throws Exception {
builder.with(new NestedConfigurer(), Customizer.withDefaults());
}
}
private static class NestedConfigurer extends SecurityConfigurerAdapter<Object, TestConfiguredSecurityBuilder> {
@Override
public void init(TestConfiguredSecurityBuilder http) throws Exception {
http.with(new DoubleNestedConfigurer(), Customizer.withDefaults());
}
}
private static class DoubleNestedConfigurer
extends SecurityConfigurerAdapter<Object, TestConfiguredSecurityBuilder> {
}
private static class ApplyAndRemoveSecurityConfigurer
extends SecurityConfigurerAdapter<Object, TestConfiguredSecurityBuilder> {
@@ -105,6 +105,7 @@ import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
@@ -114,6 +115,7 @@ import org.springframework.web.context.support.AnnotationConfigWebApplicationCon
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatNoException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.BDDMockito.given;
@@ -729,6 +731,12 @@ public class OAuth2LoginConfigurerTests {
verify(this.context.getBean(SpyObjectPostProcessor.class).spy).authenticate(any());
}
// gh-16623
@Test
public void oauth2LoginWithCustomSecurityContextRepository() {
assertThatNoException().isThrownBy(() -> loadConfig(OAuth2LoginConfigSecurityContextRepository.class));
}
private void loadConfig(Class<?>... configs) {
AnnotationConfigWebApplicationContext applicationContext = new AnnotationConfigWebApplicationContext();
applicationContext.register(configs);
@@ -977,6 +985,24 @@ public class OAuth2LoginConfigurerTests {
}
@Configuration
@EnableWebSecurity
static class OAuth2LoginConfigSecurityContextRepository extends CommonSecurityFilterChainConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.oauth2Login((login) -> login
.clientRegistrationRepository(
new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION))
.securityContextRepository(new NullSecurityContextRepository()));
// @formatter:on
return super.configureFilterChain(http);
}
}
@Configuration
@EnableWebSecurity
static class OAuth2LoginConfigCustomAuthorizationRequestResolver extends CommonSecurityFilterChainConfig {
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2024 the original author or authors.
* Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -48,6 +48,7 @@ import org.springframework.messaging.handler.invocation.HandlerMethodArgumentRes
import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.ExecutorSubscribableChannel;
import org.springframework.messaging.support.GenericMessage;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.expression.SecurityExpressionOperations;
@@ -333,6 +334,32 @@ public class WebSocketMessageBrokerConfigTests {
.withCauseInstanceOf(AccessDeniedException.class);
}
@Test
public void sendWhenPathPatternFactoryBeanThenConstructsPatternsWithPathPattern() {
this.spring.configLocations(xml("SubscribeInterceptTypePathPattern")).autowire();
Message<?> message = message("/permitAll", SimpMessageType.SUBSCRIBE);
send(message);
message = message("/permitAll", SimpMessageType.UNSUBSCRIBE);
assertThatExceptionOfType(Exception.class).isThrownBy(send(message))
.withCauseInstanceOf(AccessDeniedException.class);
message = message("/anyOther", SimpMessageType.SUBSCRIBE);
assertThatExceptionOfType(Exception.class).isThrownBy(send(message))
.withCauseInstanceOf(AccessDeniedException.class);
}
@Test
public void sendWhenCaseInsensitivePathPatternParserThenMatchesMixedCase() {
this.spring.configLocations(xml("SubscribeInterceptTypePathPatternParser")).autowire();
Message<?> message = message("/peRmItAll", SimpMessageType.SUBSCRIBE);
send(message);
message = message("/peRmKtAll", SimpMessageType.UNSUBSCRIBE);
assertThatExceptionOfType(Exception.class).isThrownBy(send(message))
.withCauseInstanceOf(AccessDeniedException.class);
message = message("/aNyOtHer", SimpMessageType.SUBSCRIBE);
assertThatExceptionOfType(Exception.class).isThrownBy(send(message))
.withCauseInstanceOf(AccessDeniedException.class);
}
@Test
public void configureWhenUsingConnectMessageTypeThenAutowireFails() {
assertThatExceptionOfType(BeanDefinitionParsingException.class)
@@ -521,6 +548,16 @@ public class WebSocketMessageBrokerConfigTests {
verify(authorizationManager).check(any(), any());
}
@Test
public void configureWhenCsrfChannelInterceptorBeanThenUses() {
this.spring.configLocations(xml("CustomCsrfInterceptor")).autowire();
ExecutorSubscribableChannel channel = this.spring.getContext()
.getBean("clientInboundChannel", ExecutorSubscribableChannel.class);
ChannelInterceptor interceptor = this.spring.getContext()
.getBean("csrfChannelInterceptor", ChannelInterceptor.class);
assertThat(channel.getInterceptors()).contains(interceptor);
}
private String xml(String configName) {
return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
}
@@ -0,0 +1,34 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ https://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
<b:import resource="classpath:org/springframework/security/config/websocket/controllers.xml"/>
<b:import resource="classpath:org/springframework/security/config/websocket/websocket.xml"/>
<b:bean id="csrfChannelInterceptor" class="org.mockito.Mockito" factory-method="mock">
<b:constructor-arg value="org.springframework.messaging.support.ChannelInterceptor" type="java.lang.Class"/>
</b:bean>
<websocket-message-broker use-authorization-manager="false">
<intercept-message pattern="/**" access="denyNile()"/>
</websocket-message-broker>
</b:beans>
@@ -0,0 +1,32 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ https://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
<b:import resource="classpath:org/springframework/security/config/websocket/controllers.xml"/>
<b:import resource="classpath:org/springframework/security/config/websocket/websocket.xml"/>
<websocket-message-broker>
<intercept-message pattern="/permitAll" type="SUBSCRIBE" access="permitAll"/>
<intercept-message pattern="/**" access="denyAll"/>
</websocket-message-broker>
<b:bean class="org.springframework.security.config.web.messaging.PathPatternMessageMatcherBuilderFactoryBean"/>
</b:beans>
@@ -0,0 +1,38 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ https://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
<b:import resource="classpath:org/springframework/security/config/websocket/controllers.xml"/>
<b:import resource="classpath:org/springframework/security/config/websocket/websocket.xml"/>
<websocket-message-broker>
<intercept-message pattern="/permitAll" type="SUBSCRIBE" access="permitAll"/>
<intercept-message pattern="/**" access="denyAll"/>
</websocket-message-broker>
<b:bean name="pathPatternParser" class="org.springframework.web.util.pattern.PathPatternParser">
<b:property name="caseSensitive" value="false"/>
</b:bean>
<b:bean class="org.springframework.security.config.web.messaging.PathPatternMessageMatcherBuilderFactoryBean">
<b:constructor-arg ref="pathPatternParser"/>
</b:bean>
</b:beans>
@@ -0,0 +1,86 @@
== Messaging Migrations
[[use-path-pattern]]
== Use PathPatternMessageMatcher by Default
In Spring Security 7, `SimpDestMessageMatcher` is no longer supported and will use `PathPatternMessageMatcher` by default.
To check how prepared you are for this change, you can publish this bean:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
PathPatternMessageMatcherBuilderFactoryBean messageMatcherBuilder() {
return new PathPatternMessageMatcherBuilderFactoryBean();
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun messageMatcherBuilder(): PathPatternMessageMatcherBuilderFactoryBean {
return PathPatternMessageMatcherBuilderFactoryBean()
}
----
Xml::
+
[source,xml,role="secondary"]
----
<b:bean class="org.springframework.security.config.web.messaging.PathPatternMessageMatcherBuilderFactoryBean"/>
----
======
This will tell the Spring Security DSL to use `PathPatternMessageMatcher` for all message matchers that it constructs.
Use of `PathMatcher` is no longer supported in 7.
If you are using `PathMatcher` to change the path separator or to change case sensitivity for message matching, you can configure the `PathPatternParser` to do this instead like so:
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
PathPatternMessageMatcherBuilderFactoryBean messageMatcherBuilder() {
PathPatternParser pathPatternParser = new PathPatternParser();
pathPatternParser.setCaseSensitive(false);
// use . as path separator
pathPatternParser.setPathOptions(PathContainer.Options.MESSAGE_ROUTE);
return new PathPatternMessageMatcherBuilderFactoryBean(pathPatternParser);
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun messageMatcherBuilder(): PathPatternMessageMatcherBuilderFactoryBean {
val pathPatternParser = PathPatternParser()
pathPatternParser.setCaseSensitive(false)
// use . as path separator
pathPatternParser.setPathOptions(PathContainer.Options.MESSAGE_ROUTE)
return PathPatternMessageMatcherBuilderFactoryBean(pathPatternParser)
}
----
Xml::
+
[source,xml,role="secondary"]
----
<b:bean class="org.springframework.web.util.pattern.PathPatternParser">
<b:property name="caseSensitive" value="false"/>
<!-- use . as path separator -->
<b:property name="pathOptions" value="#{T(org.springframework.http.server.PathContainer.Options).MESSAGE_ROUTE"/>
</b:bean>
<b:bean class="org.springframework.security.config.web.messaging.PathPatternMessageMatcherBuilderFactoryBean"/>
----
======
@@ -542,7 +542,7 @@ For example, you can throw a custom exception with any additional information av
----
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
provider.setResponseValidator((responseToken) -> {
Saml2ResponseValidatorResult result = OpenSamlAuthenticationProvider
Saml2ResponseValidatorResult result = OpenSaml4AuthenticationProvider
.createDefaultResponseValidator()
.convert(responseToken)
.concat(myCustomValidator.convert(responseToken));
@@ -49,7 +49,7 @@ This filter calls its configured `AuthenticationConverter` to create a `Saml2Aut
This converter additionally resolves the <<servlet-saml2login-relyingpartyregistration, `RelyingPartyRegistration`>> and supplies it to `Saml2AuthenticationToken`.
image:{icondir}/number_2.png[] Next, the filter passes the token to its configured xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`AuthenticationManager`].
By default, it uses the <<servlet-saml2login-architecture,`OpenSamlAuthenticationProvider`>>.
By default, it uses the <<servlet-saml2login-architecture,`OpenSaml4AuthenticationProvider`>>.
image:{icondir}/number_3.png[] If authentication fails, then _Failure_.
@@ -184,9 +184,9 @@ To achieve this, any interfaces or classes where Spring Security uses OpenSAML i
This makes it possible for you to switch out OpenSAML for some other library or an unsupported version of OpenSAML.
As a natural outcome of these two goals, Spring Security's SAML API is quite small relative to other modules.
Instead, such classes as `OpenSamlAuthenticationRequestFactory` and `OpenSamlAuthenticationProvider` expose `Converter` implementations that customize various steps in the authentication process.
Instead, such classes as `OpenSamlXAuthenticationRequestFactory` and `OpenSamlXAuthenticationProvider` expose `Converter` implementations that customize various steps in the authentication process.
For example, once your application receives a `SAMLResponse` and delegates to `Saml2WebSsoAuthenticationFilter`, the filter delegates to `OpenSamlAuthenticationProvider`:
For example, once your application receives a `SAMLResponse` and delegates to `Saml2WebSsoAuthenticationFilter`, the filter delegates to `OpenSamlXAuthenticationProvider`:
.Authenticating an OpenSAML `Response`
image:{figures}/opensamlauthenticationprovider.png[]
@@ -510,7 +510,7 @@ Java::
----
@Component
public class MyOpenSamlLogoutRequestValidator implements Saml2LogoutRequestValidator {
private final Saml2LogoutRequestValidator delegate = new OpenSamlLogoutRequestValidator();
private final Saml2LogoutRequestValidator delegate = new OpenSaml5LogoutRequestValidator();
@Override
public Saml2LogoutRequestValidator logout(Saml2LogoutRequestValidatorParameters parameters) {
@@ -529,7 +529,7 @@ Kotlin::
----
@Component
open class MyOpenSamlLogoutRequestValidator: Saml2LogoutRequestValidator {
private val delegate = OpenSamlLogoutRequestValidator()
private val delegate = OpenSaml5LogoutRequestValidator()
@Override
fun logout(parameters: Saml2LogoutRequestValidatorParameters): Saml2LogoutRequestValidator {
@@ -586,7 +586,7 @@ Java::
----
@Component
public class MyOpenSamlLogoutResponseValidator implements Saml2LogoutResponseValidator {
private final Saml2LogoutResponseValidator delegate = new OpenSamlLogoutResponseValidator();
private final Saml2LogoutResponseValidator delegate = new OpenSaml5LogoutResponseValidator();
@Override
public Saml2LogoutValidatorResult logout(Saml2LogoutResponseValidatorParameters parameters) {
@@ -58,7 +58,7 @@ public class RefreshableRelyingPartyRegistrationRepository
implements IterableRelyingPartyRegistrationRepository {
private final AssertingPartyMetadataRepository metadata =
OpenSamlAssertingPartyMetadataRepository
OpenSaml5AssertingPartyMetadataRepository
.fromTrustedMetadataLocation("https://idp.example.org/metadata").build();
@Override
@@ -93,7 +93,7 @@ Kotlin::
class RefreshableRelyingPartyRegistrationRepository : IterableRelyingPartyRegistrationRepository {
private val metadata: AssertingPartyMetadataRepository =
OpenSamlAssertingPartyMetadataRepository.fromTrustedMetadataLocation(
OpenSaml5AssertingPartyMetadataRepository.fromTrustedMetadataLocation(
"https://idp.example.org/metadata").build()
fun findByRegistrationId(registrationId:String?): RelyingPartyRegistration {
@@ -132,7 +132,7 @@ Java::
+
[source,java,role="primary"]
----
OpenSamlAssertingPartyMetadataRepository.withMetadataLocation("https://idp.example.org/metadata")
OpenSaml5AssertingPartyMetadataRepository.withMetadataLocation("https://idp.example.org/metadata")
.verificationCredentials((c) -> c.add(myVerificationCredential))
.build();
----
@@ -141,7 +141,7 @@ Kotlin::
+
[source,kotlin,role="secondary"]
----
OpenSamlAssertingPartyMetadataRepository.withMetadataLocation("https://idp.example.org/metadata")
OpenSaml5AssertingPartyMetadataRepository.withMetadataLocation("https://idp.example.org/metadata")
.verificationCredentials({ c : Collection<Saml2X509Credential> ->
c.add(myVerificationCredential) })
.build()
+2 -2
View File
@@ -14,8 +14,8 @@
# limitations under the License.
#
springBootVersion=3.3.3
version=6.5.2-SNAPSHOT
samplesBranch=main
version=6.5.2
samplesBranch=6.5.x
org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
org.gradle.parallel=true
org.gradle.caching=true
+8 -8
View File
@@ -1,11 +1,11 @@
[versions]
com-squareup-okhttp3 = "3.14.9"
io-rsocket = "1.1.5"
io-spring-javaformat = "0.0.46"
io-spring-javaformat = "0.0.47"
io-spring-nohttp = "0.0.11"
jakarta-websocket = "2.2.0"
org-apache-directory-server = "1.5.5"
org-apache-maven-resolver = "1.9.23"
org-apache-maven-resolver = "1.9.24"
org-aspectj = "1.9.24"
org-bouncycastle = "1.80"
org-eclipse-jetty = "11.0.25"
@@ -14,7 +14,7 @@ org-jetbrains-kotlinx = "1.10.2"
org-mockito = "5.17.0"
org-opensaml = "4.3.2"
org-opensaml5 = "5.1.2"
org-springframework = "6.2.7"
org-springframework = "6.2.8"
[libraries]
ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.18"
@@ -30,7 +30,7 @@ com-unboundid-unboundid-ldapsdk7 = "com.unboundid:unboundid-ldapsdk:7.0.1"
commons-collections = "commons-collections:commons-collections:3.2.2"
io-micrometer-context-propagation = "io.micrometer:context-propagation:1.1.3"
io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.14.8"
io-mockk = "io.mockk:mockk:1.14.2"
io-mockk = "io.mockk:mockk:1.14.4"
io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2023.0.19"
io-rsocket-rsocket-bom = { module = "io.rsocket:rsocket-bom", version.ref = "io-rsocket" }
io-spring-javaformat-spring-javaformat-checkstyle = { module = "io.spring.javaformat:spring-javaformat-checkstyle", version.ref = "io-spring-javaformat" }
@@ -71,7 +71,7 @@ org-bouncycastle-bcprov-jdk15on = { module = "org.bouncycastle:bcprov-jdk18on",
org-eclipse-jetty-jetty-server = { module = "org.eclipse.jetty:jetty-server", version.ref = "org-eclipse-jetty" }
org-eclipse-jetty-jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet", version.ref = "org-eclipse-jetty" }
org-hamcrest = "org.hamcrest:hamcrest:2.2"
org-hibernate-orm-hibernate-core = "org.hibernate.orm:hibernate-core:6.6.17.Final"
org-hibernate-orm-hibernate-core = "org.hibernate.orm:hibernate-core:6.6.20.Final"
org-hsqldb = "org.hsqldb:hsqldb:2.7.4"
org-jetbrains-kotlin-kotlin-bom = { module = "org.jetbrains.kotlin:kotlin-bom", version.ref = "org-jetbrains-kotlin" }
org-jetbrains-kotlin-kotlin-gradle-plugin = "org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.25"
@@ -89,8 +89,8 @@ org-seleniumhq-selenium-selenium-support = "org.seleniumhq.selenium:selenium-sup
org-skyscreamer-jsonassert = "org.skyscreamer:jsonassert:1.5.3"
org-slf4j-log4j-over-slf4j = "org.slf4j:log4j-over-slf4j:1.7.36"
org-slf4j-slf4j-api = "org.slf4j:slf4j-api:2.0.17"
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.1.6"
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.12"
org-springframework-data-spring-data-bom = "org.springframework.data:spring-data-bom:2024.1.7"
org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.13"
org-springframework-spring-framework-bom = { module = "org.springframework:spring-framework-bom", version.ref = "org-springframework" }
org-synchronoss-cloud-nio-multipart-parser = "org.synchronoss.cloud:nio-multipart-parser:1.1.0"
@@ -108,7 +108,7 @@ org-jfrog-buildinfo-build-info-extractor-gradle = "org.jfrog.buildinfo:build-inf
org-sonarsource-scanner-gradle-sonarqube-gradle-plugin = "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.8.0.1969"
org-instancio-instancio-junit = "org.instancio:instancio-junit:3.7.1"
webauthn4j-core = 'com.webauthn4j:webauthn4j-core:0.29.3.RELEASE'
webauthn4j-core = 'com.webauthn4j:webauthn4j-core:0.29.4.RELEASE'
[plugins]
@@ -38,8 +38,8 @@ import org.springframework.web.util.pattern.PathPatternParser;
* (that is, it should exclude any context path).
*
* <p>
* You can provide the servlet path in {@link PathPatternRequestMatcher#servletPath} and
* reuse for multiple matchers.
* You can provide the servlet path in {@link PathPatternRequestMatcher.Builder#basePath}
* and reuse for multiple matchers.
*
* <p>
* Note that the {@link org.springframework.web.servlet.HandlerMapping} that contains the
@@ -55,14 +55,12 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
private final PathPattern pattern;
private RequestMatcher servletPath = AnyRequestMatcher.INSTANCE;
private RequestMatcher method = AnyRequestMatcher.INSTANCE;
/**
* Creates a {@link PathPatternRequestMatcher} that uses the provided {@code pattern}.
* <p>
* The {@code pattern} should be relative to the servlet path
* The {@code pattern} should be relative to the context path
* </p>
* @param pattern the pattern used to match
*/
@@ -102,9 +100,6 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
*/
@Override
public MatchResult matcher(HttpServletRequest request) {
if (!this.servletPath.matches(request)) {
return MatchResult.notMatch();
}
if (!this.method.matches(request)) {
return MatchResult.notMatch();
}
@@ -138,7 +133,7 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
if (!(o instanceof PathPatternRequestMatcher that)) {
return false;
}
return Objects.equals(this.pattern, that.pattern);
return Objects.equals(this.pattern, that.pattern) && Objects.equals(this.method, that.method);
}
/**
@@ -146,7 +141,7 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
*/
@Override
public int hashCode() {
return Objects.hash(this.pattern);
return Objects.hash(this.pattern, this.method);
}
/**
@@ -232,8 +227,9 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
* also be followed by {@code /**} to signify all URIs under a given path.
*
* <p>
* These must be specified relative to any servlet path prefix (meaning you should
* exclude the context path and any servlet path prefix in stating your pattern).
* These must be specified relative to any context path prefix. A
* {@link #basePath} may be specified to reuse a common prefix, for example a
* servlet path.
*
* <p>
* The following are valid patterns and their meaning
@@ -266,8 +262,9 @@ public final class PathPatternRequestMatcher implements RequestMatcher {
* also be followed by {@code /**} to signify all URIs under a given path.
*
* <p>
* These must be specified relative to any servlet path prefix (meaning you should
* exclude the context path and any servlet path prefix in stating your pattern).
* These must be specified relative to any context path prefix. A
* {@link #basePath} may be specified to reuse a common prefix, for example a
* servlet path.
*
* <p>
* The following are valid patterns and their meaning