- Remove the dependency on Bootstrap CSS. Results in faster load times, no failures
in air-gapped or offline scenarios, and no dependency on an external CDN that may
go away some day.
Introduced public static final Predicates for allowed header names,
header values, parameter names, and parameter values for building
expressions.
Closes gh-13639
Prior to this commit, the implementation was placed in spring-security-core; however, we do not want to introduce a dependency on spring-web and spring-webflux for that module.
Issue gh-7395
Delete WebSessionStoreReactiveSessionRegistry.java and give the responsibility to remove the sessions from the WebSessionStore to the handler
Issue gh-6192
This commit changes the PreventLoginServerMaximumSessionsExceededHandler to invalidate the WebSession in addition to throwing the error. This is needed because otherwise the session would still be saved with the security context. It also changes the SessionRegistryWebSession to first perform the operation on the delegate and then invoke the needed method on the ReactiveSessionRegistry.
Issue gh-6192
This commit removes unnecessary main-branch merges starting from
8750608b5b and adds the following
needed commit(s) that were made afterward:
- 5dce82c48b
Depending on when a request is cancelled, the before and after observation
starts and stops may be called out of order due to the order in
which their doOnCancel handlers are invoked.
To address this, the before filter-wrapper now always closes both the
before observation and the after observation. Since the before
filter-wrapper wraps the entire request, this ensures that either that was
started is stopped, and either that has not been started yet cannot
inadvertently be started by any unexpected ordering of events that
follows.
Closes gh-14031
Prior to this commit, the ServletRequest#getParameter method was used in order to verify if the matchingRequestParameterName was present in the request. That method has some side effects, like interfering with the execution of the ServletRequest#getInputStream and ServletRequest#getReader methods when the request is an HTTP POST (if those methods are invoked after getParameter, or vice versa, the content won't be available). With this commit, we only use the query string to check for the parameter, avoiding draining the request's input stream.
Closes gh-13731
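
The check described in the commit message above can be illustrated with a name-only lookup over the raw query string. This is an added example, not Spring Security's code: the class `QueryStringParameterCheck`, the method `hasParameter` and the sample parameter name `continue` are assumptions made for illustration. It matches the decoded parameter name exactly, so a value or a longer name that merely contains the string does not count, and it never reads the request body.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class QueryStringParameterCheck {

    // Hypothetical helper: true when the raw query string carries a parameter
    // whose decoded name equals `name`. Only the query string is inspected,
    // so the request's input stream and reader are left untouched.
    static boolean hasParameter(String rawQuery, String name) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return false;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            // A parameter may appear with or without "=value".
            String rawName = (eq >= 0) ? pair.substring(0, eq) : pair;
            String decoded;
            try {
                decoded = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException ex) {
                continue; // malformed percent-escape: this pair cannot match
            }
            if (decoded.equals(name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String name = "continue"; // constructed sample parameter name
        // Constructed sample query strings, as a servlet container would
        // return them from getQueryString() (raw, not yet decoded).
        String[] samples = {
            "continue",          // bare name, no value
            "page=2&continue=",  // empty value, second position
            "%63ontinue=1",      // percent-encoded first letter of the name
            "xcontinue=1",       // longer name that only contains the string
            "next=continue",     // string appears as a value, not a name
            "%zz=1",             // malformed escape in the name
            null                 // request without a query string
        };
        for (String query : samples) {
            System.out.println(query + " -> " + hasParameter(query, name));
        }
    }
}
```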