spring-security

Commit Graph

Author	SHA1	Message	Date
Josh Cummings	24860d9fb0	Observe Filter Start and Stop Issue gh-11911	3 years ago
Josh Cummings	e08ed89403	Polish Span and Meter Names Closes gh-12156	3 years ago
Marcus Da Coregio	063f06e7bf	Register FilterChainProxy for all dispatcher types Closes gh-12180	3 years ago
Steve Riesenberg	57b163bb78	Polish gh-12141	3 years ago
Marcus Da Coregio	2a261e0583	Add Jakarta WebSocket 2.1 test dependency to spring-security-web Issue gh-12148	3 years ago
Marcus Da Coregio	3b5d19c8a4	Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1 Closes gh-12146 Closes gh-12148	3 years ago
Steve Riesenberg	6b0ed0205b	Re-generate tokens in CookieCsrfTokenRepository Fixes support for re-generating tokens within a request such as when CsrfAuthenticationStrategy removes a null token and saves an empty cookie value on the response. Closes gh-12141	3 years ago
Marcus Da Coregio	1f481aafff	Fix AuthorizationFilter incorrectly extending OncePerRequestFilter Closes gh-12102	3 years ago
David Becker	2b426872a3	Use InetSocketAddress#getHostString Sometimes InetSocketAddress#getAddress#getHostAddress retuns null. In that case, call InetSocketAddress#getHostString instead. There is no performance loss since IpAddressMatcher#matches attemptsi to re-parse and resolve the address anyway. Closes gh-11888	3 years ago
Steve Riesenberg	8554e70c09	Remove deprecated loadContext(request) Closes gh-12048	3 years ago
Steve Riesenberg	e238b721bb	Fix imports in DelegatingSecurityContextRepository Issue gh-12023	3 years ago
Steve Riesenberg	acc35aeb18	Add DelegatingSecurityContextRepository Issue gh-12023	3 years ago
Steve Riesenberg	c75ca10900	Add DeferredSecurityContext Issue gh-12023	3 years ago
Josh Cummings	f4cc27c375	Change Default for (Server)AuthenticationEntryPointFailureHandler Closes gh-9429	3 years ago
Josh Cummings	099aaa33ff	Remove Deprecation Markers Since Spring Security still needs these methods and classes, we should wait on deprecating them if we can. Instead, this commit changes the original classes to have a boolean property that is currently false, but will switch to true in 6.0. At that time, BearerTokenAuthenticationFilter can change to use the handler. Closes gh-11932	3 years ago
Daniel Garnier-Moiroux	200b7fecd3	Add (Server)AuthenticationEntryPointFailureHandlerAdapter Issue gh-11932, gh-9429 (Server)AuthenticationEntryPointFailureHandler should produce HTTP 500 instead when an AuthenticationServiceException is thrown, instead of HTTP 401. This commit deprecates the current behavior and introduces an opt-in (Server)AuthenticationEntryPointFailureHandlerAdapter with the expected behavior. BearerTokenAuthenticationFilter uses the new adapter, but with a closure to keep the current behavior re: entrypoint.	3 years ago
Evgeniy Cheban	56b9badcfe	AnonymousAuthenticationFilter should cache its Supplier<SecurityContext> Closes gh-11900	3 years ago
Steve Riesenberg	45a963a011	Remove CsrfWebFilter.setTokenFromMultipartDataEnabled Closes gh-12019	3 years ago
Joe Grandja	753e113a13	RequestMatcherDelegatingAuthorizationManager defaults to deny Closes gh-11958	3 years ago
Steve Riesenberg	2407d07890	Default to Xor CSRF tokens in CsrfWebFilter Closes gh-11960	3 years ago
Steve Riesenberg	2a2051cd7b	Default to Xor CSRF tokens in CsrfFilter Issue gh-11960	3 years ago
Joe Grandja	185991a606	Revert "Add default AuthorizationManager" This reverts commit `4ddec07d0e`.	3 years ago
Josh Cummings	2713075d08	Mark Observations with Firewall Failures Closes gh-11994	3 years ago
Josh Cummings	46ab84684b	Mark Observations with CSRF Failures Closes gh-11993	3 years ago
Josh Cummings	99a87179dd	Instrument Filter Chain Closes gh-11911	3 years ago
Steve Riesenberg	8bd25f90e4	Polish XorServerCsrfTokenRequestAttributeHandlerTests	3 years ago
Steve Riesenberg	804f20045e	Polish XorCsrfTokenRequestAttributeHandlerTests	3 years ago
Steve Riesenberg	05e4a1dd20	Cache Xor CsrfToken Closes gh-11988	3 years ago
Marcus Da Coregio	4b6fed0667	Add static factory method to AntPathRequestMather and RegexRequestMatcher Closes gh-11938	3 years ago
Daniel Garnier-Moiroux	27059ced87	Default X-Xss-Protection header value to "0" Closes gh-9631	3 years ago
Steve Riesenberg	f462134e87	Add reactive support for BREACH Closes gh-11959	3 years ago
Steve Riesenberg	f4ca90e719	Add reactive interfaces for CSRF request handling Issue gh-11959	3 years ago
Marcus Da Coregio	c4d23f2b49	Use MvcRequestMatcher by default if Spring MVC is present Closes gh-11899	3 years ago
Josh Cummings	380a6a2564	Polish SecurityContextHolderStrategy Usage - Add to HttpSessionSecurityContextRepository#saveContext Issue gh-11060	3 years ago
Josh Cummings	f16d47c7b5	Polish DefaultHttpSecurityExpressionHandler Issue gh-11105	3 years ago
Josh Cummings	4ddec07d0e	Add default AuthorizationManager Closes gh-11963	3 years ago
Steve Riesenberg	ee9449dbfe	Fix tests for deferred CSRF tokens Issue gh-4001	3 years ago
Steve Riesenberg	521cdfd738	Use correct servlet imports Issue gh-4001	3 years ago
Steve Riesenberg	dce1c30522	Add support for BREACH Closes gh-4001	3 years ago
Steve Riesenberg	475b3bb6bb	Add deferred CsrfTokenRepository.loadDeferredToken * Move DeferredCsrfToken to top-level and implement Supplier<CsrfToken> * Move RepositoryDeferredCsrfToken to top-level and make package-private * Add CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse) * Update CsrfFilter * Rename CsrfTokenRepositoryRequestHandler to CsrfTokenRequestAttributeHandler Issue gh-11892 Closes gh-11918	3 years ago
Daniel Garnier-Moiroux	0e215a21ad	Add X-Xss-Protection headerValue to XML config Issue gh-9631	3 years ago
Marcus Da Coregio	039e0328e1	Simplify Java Configuration RequestMatcher Usage If Spring MVC is present in the classpath, use MvcRequestMatcher by default. This commit also adds a new securityMatcher method in HttpSecurity Closes gh-11347 Closes gh-9159	3 years ago
Marcus Da Coregio	64a19de4dc	Deprecate HPKP security header Closes gh-10144	3 years ago
Rob Winch	4479cefade	Default Require Explicit Session Management = true Closes gh-11763	3 years ago
Daniel Garnier-Moiroux	93250013e4	Make X-Xss-Protection configurable through ServerHttpSecurity OWASP recommends using "X-Xss-Protection: 0". The default is currently "X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0". This commits adds the ability to configure the xssProtection header value in ServerHttpSecurity. This commit deprecates the use of "enabled" and "block" booleans to configure XSS protection, as the state "!enabled + block" is invalid. This impacts HttpSecurity. Issue gh-9631	3 years ago
Steve Riesenberg	e0e6467d9b	Remove UsernamePasswordAuthenticationToken check This commit reverts `21dd050d7b`. Closes gh-10347	3 years ago
shazin	1e0e9a2c98	Allow authenticationIsRequired to be overridden Issue gh-10347	3 years ago
Steve Riesenberg	46696a9226	CsrfTokenRequestHandler extends CsrfTokenRequestResolver Closes gh-11896	3 years ago
Steve Riesenberg	3c66ef6305	Change default SecurityContextRepository Save SecurityContext in request attributes for stateless session management using RequestAttributeSecurityContextRepository. Closes gh-11026	3 years ago
Steve Riesenberg	d140d95305	Fix assertion in NullSecurityContextRepository Issue gh-11060	3 years ago

1 2 3 4 5 ...

1495 Commits (9fc699b0a8fc3b64ee330e2d441fa6a1f148def7)