Josh Cummings
f4cc27c375
Change Default for (Server)AuthenticationEntryPointFailureHandler
Closes gh-9429
3 years ago
Josh Cummings
099aaa33ff
Remove Deprecation Markers
Since Spring Security still needs these methods and classes, we
should wait on deprecating them if we can.
Instead, this commit changes the original classes to have a
boolean property that is currently false, but will switch to true
in 6.0.
At that time, BearerTokenAuthenticationFilter can change to use
the handler.
Closes gh-11932
3 years ago
Daniel Garnier-Moiroux
200b7fecd3
Add (Server)AuthenticationEntryPointFailureHandlerAdapter
Issue gh-11932, gh-9429
(Server)AuthenticationEntryPointFailureHandler should produce HTTP 500
when an AuthenticationServiceException is thrown, instead of HTTP 401.
This commit deprecates the current behavior and introduces an opt-in
(Server)AuthenticationEntryPointFailureHandlerAdapter with the expected
behavior.
BearerTokenAuthenticationFilter uses the new adapter, but with a closure
to keep the current behavior re: entrypoint.
3 years ago
Evgeniy Cheban
56b9badcfe
AnonymousAuthenticationFilter should cache its Supplier<SecurityContext>
Closes gh-11900
3 years ago
Steve Riesenberg
45a963a011
Remove CsrfWebFilter.setTokenFromMultipartDataEnabled
Closes gh-12019
3 years ago
Joe Grandja
753e113a13
RequestMatcherDelegatingAuthorizationManager defaults to deny
Closes gh-11958
3 years ago
Steve Riesenberg
2407d07890
Default to Xor CSRF tokens in CsrfWebFilter
Closes gh-11960
3 years ago
Steve Riesenberg
2a2051cd7b
Default to Xor CSRF tokens in CsrfFilter
Issue gh-11960
3 years ago
Joe Grandja
185991a606
Revert "Add default AuthorizationManager"
This reverts commit 4ddec07d0e.
3 years ago
Josh Cummings
2713075d08
Mark Observations with Firewall Failures
Closes gh-11994
3 years ago
Josh Cummings
46ab84684b
Mark Observations with CSRF Failures
Closes gh-11993
3 years ago
Josh Cummings
99a87179dd
Instrument Filter Chain
Closes gh-11911
3 years ago
Steve Riesenberg
8bd25f90e4
Polish XorServerCsrfTokenRequestAttributeHandlerTests
3 years ago
Steve Riesenberg
804f20045e
Polish XorCsrfTokenRequestAttributeHandlerTests
3 years ago
Steve Riesenberg
05e4a1dd20
Cache Xor CsrfToken
Closes gh-11988
3 years ago
Marcus Da Coregio
4b6fed0667
Add static factory method to AntPathRequestMatcher and RegexRequestMatcher
Closes gh-11938
3 years ago
Daniel Garnier-Moiroux
27059ced87
Default X-Xss-Protection header value to "0"
Closes gh-9631
3 years ago
Steve Riesenberg
f462134e87
Add reactive support for BREACH
Closes gh-11959
3 years ago
Steve Riesenberg
f4ca90e719
Add reactive interfaces for CSRF request handling
Issue gh-11959
3 years ago
Marcus Da Coregio
c4d23f2b49
Use MvcRequestMatcher by default if Spring MVC is present
Closes gh-11899
3 years ago
Josh Cummings
380a6a2564
Polish SecurityContextHolderStrategy Usage
- Add to HttpSessionSecurityContextRepository#saveContext
Issue gh-11060
3 years ago
Josh Cummings
f16d47c7b5
Polish DefaultHttpSecurityExpressionHandler
Issue gh-11105
3 years ago
Josh Cummings
4ddec07d0e
Add default AuthorizationManager
Closes gh-11963
3 years ago
Steve Riesenberg
ee9449dbfe
Fix tests for deferred CSRF tokens
Issue gh-4001
3 years ago
Steve Riesenberg
521cdfd738
Use correct servlet imports
Issue gh-4001
3 years ago
Steve Riesenberg
dce1c30522
Add support for BREACH
Closes gh-4001
3 years ago
Steve Riesenberg
475b3bb6bb
Add deferred CsrfTokenRepository.loadDeferredToken
* Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken>
* Move RepositoryDeferredCsrfToken to top-level and make package-private
* Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse)
* Update CsrfFilter
* Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler
Issue gh-11892
Closes gh-11918
3 years ago
Daniel Garnier-Moiroux
0e215a21ad
Add X-Xss-Protection headerValue to XML config
Issue gh-9631
3 years ago
Marcus Da Coregio
039e0328e1
Simplify Java Configuration RequestMatcher Usage
If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity.
Closes gh-11347
Closes gh-9159
3 years ago
Marcus Da Coregio
64a19de4dc
Deprecate HPKP security header
Closes gh-10144
3 years ago
Rob Winch
4479cefade
Default Require Explicit Session Management = true
Closes gh-11763
3 years ago
Daniel Garnier-Moiroux
93250013e4
Make X-Xss-Protection configurable through ServerHttpSecurity
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".
This commit adds the ability to configure the xssProtection header
value in ServerHttpSecurity.
This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.
Issue gh-9631
3 years ago
Steve Riesenberg
e0e6467d9b
Remove UsernamePasswordAuthenticationToken check
This commit reverts 21dd050d7b.
Closes gh-10347
3 years ago
shazin
1e0e9a2c98
Allow authenticationIsRequired to be overridden
Issue gh-10347
3 years ago
Steve Riesenberg
46696a9226
CsrfTokenRequestHandler extends CsrfTokenRequestResolver
Closes gh-11896
3 years ago
Steve Riesenberg
3c66ef6305
Change default SecurityContextRepository
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.
Closes gh-11026
3 years ago
Steve Riesenberg
d140d95305
Fix assertion in NullSecurityContextRepository
Issue gh-11060
3 years ago
Steve Riesenberg
5d757919a2
Add SecurityContextHolderStrategy to new repository
In 6.0, RequestAttributeSecurityContextRepository will be the default
implementation of SecurityContextRepository. This commit adds the
ability to configure a custom SecurityContextHolderStrategy, similar
to other components.
Issue gh-11060
Closes gh-11895
3 years ago
Rob Winch
d94677f87e
CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler
This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.
Closes gh-11892
3 years ago
Josh Cummings
2a487ae7f8
Updated hashcode and equals
Closes gh-4133
3 years ago
Josh Cummings
3f8503f1b4
Deprecate AccessDecisionManager et al
Closes gh-11302
3 years ago
Steve Riesenberg
088ebe2e00
Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
Issue gh-11764
Issue gh-4001
3 years ago
Steve Riesenberg
86fbb8db07
Add new interfaces for CSRF request processing
Issue gh-4001
Issue gh-11456
3 years ago
Rob Winch
8cb97a090b
Default CsrfFilter.csrfRequestAttributeName = _csrf
3 years ago
Steve Riesenberg
0aa5850d22
Fix formatting
Issue gh-11762
3 years ago
Rob Winch
2efc8dcd15
Default Require Explicit Save SecurityContext
Closes gh-11762
3 years ago
Rob Winch
f84f08c4b9
Default HttpSessionRequestCache.matchingRequestParameterName=continue
Closes gh-11757
3 years ago
Bert Vanwolleghem
a5351f3d89
LogoutPageGeneratingWebFilter Uses Context Path
Closes gh-11716
3 years ago
shinD
4ff0724c87
Slight improvement in HttpSessionRequestCache
Closes gh-11666
3 years ago
Rob Winch
2fb625db84
Remove mockito deprecations
Issue gh-11748
3 years ago