While using the request's "isSecure" flag is a reasonable default, when webapps sit behind firewalls, sometimes the firewall does the SSL, and the traffic between the firewall and the app is plain HTTP (not HTTPS). In this case the "isSecure" flag on the request is always false, but we still want th XSRF-TOKEN cookie to be secure (the firewall forwards all cookies to the app, and the browser sends the secure cookie to the firewall).
It would be nice if we could configure the desired value for the secure flag of the cookie, just like we can configure the value for the httpOnly flag of the cookie.
Adds methods to configure validation of header names and values and
parameter names and values:
* setAllowedHeaderNames(Predicate)
* setAllowedHeaderValues(Predicate)
* setAllowedParameterNames(Predicate)
* setAllowedParameterValues(Predicate)
By default, header names, header values, and parameter names that
contain ISO control characters or unassigned unicode characters are
rejected. No parameter value validation is performed by default.
Issue gh-8644
The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.
Fixes gh-8128
The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.
Fixes gh-8128
The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.
Fixes gh-8128
Fixed typo in JavaDoc. Actually, In these two cases, we are calling the constructor with a `boolean caseSensitive` which is equal to true. This means case sensitive
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.
This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.
Closes gh-4760
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.
This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.
Closes gh-4760
Previously there was a problem with Servlet API logout integration
when Servlet API was configured before log out.
This ensures that logout handlers is a reference to the logout handlers
vs copying the logout handlers. This ensures that the ordering does not
matter.
Closes gh-4760
Rob Winch
Eleftheria Stein
Zeeshan Adnan
Josh Cummings
michal
Craig Andrews
Joe Grandja
Astushi Yoshikawa
cbornet
Artyom Tarynin
Mathieu Ouellet
Parikshit Dutta
Joe Grandja
Leonard Brünings
Oh Myung Woon
Mustafa Ulu