Commit Graph

30 Commits (57eee66b8e4c972b4b1c8acc29ca345010e9e1b6)

Author SHA1 Message Date
Phillip Webb 00dc942e94 Migrate to Spring Security lambda config
Closes gh-35011
2 years ago
Phillip Webb c4de86c244 Merge branch '2.7.x' into 3.0.x 2 years ago
Phillip Webb df5898a146 Reformat code following spring-javaformat upgrade 2 years ago
Madhura Bhave 8cb615e9b6 Remove workarounds for SecurityContextRepository 2 years ago
Madhura Bhave f4cf722c27 Align default security filter dispatcher types with Spring Security
Fixes gh-33090
2 years ago
Madhura Bhave ce3c933f77 Adapt to Spring Security changes
Closes gh-32604
2 years ago
Madhura Bhave cedd553b83 Remove error page security filter
Spring Security now re-applies the authorization rules
to the error page by default. Additionally, it configures
RequestAttributeSecurityContextRepository as the default for
stateless applications allowing those applications to have access
to the original authentication during an error dispatch.

Closes gh-31703
2 years ago
Brian Clozel 5fb2a50ad0 Adapt build dependencies to httpclient5
As htttpclient 4.x is not supported anymore by `RestTemplate`, this
commit changes such dependencies to httpclient5 instead. In some cases,
the httpclient 4.x was transitively brought by a non-Spring dependency.

See gh-32461
2 years ago
Vedran Pavic 230f2cda84 Migrate to AuthorizationFilter in Spring Security auto-config
This commit updates Servlet based Spring Security auto-configuration
to use AuthorizationFilter, which is intended to supersede
FilterSecurityInterceptor.

See gh-31255
2 years ago
Andy Wilkinson 4bd3534b7d Adapt to change in Security's filtering behavior
Spring Security now filters every dispatch by default and not only
once-per-request. Security configuration has been updated in a number of
places to restore the old behavior as needed for the tests to pass.
gh-31703 has been opened to review this and to investigate if we can
now remove the error page security filter and rely on the filtering of
every dispatch instead.

In addition to switching to once-per-request filtering where needed,
this commit also restructures the configuration of the error page
security filter. The restructuring was necessary to ensure that the
privilege evaluator bean has been defined before the conditions on the
error page security filter are evaluated. Without the change, the filter
was no longer being configured as the privilege evaluator hadn't been
defined before the on bean condition was evaluated. We may want to back
port this change as the ordering doesn't appear to have been defined
before and we were just getting lucky.

See gh-31622
See spring-projects/spring-security#11466
2 years ago
Andy Wilkinson 48f8021d88 Migrate @Local*Port annotations to spring-boot-test
Closes gh-29589
3 years ago
Madhura Bhave 3460c24a16 Ignore context path when calling privilege evaluator
Previously, the error page security filter passed the request's URI
to the privilege evaluator. This was incorrect in applications with
a custom context path as the privilege evaluator must be passed a
path that does not include the context path and the request URI
includes the context path.

This commit updates the filter to use UrlPathHelper's
pathWithinApplication instead. The path within the application does
not include the context path. In addition, pathWithinAppliation
also correctly handles applications configured with a servlet
mapping other than the default of /.

Closes gh-29299

Co-Authored-By: Andy Wilkinson <wilkinsona@vmware.com>
3 years ago
Madhura Bhave d9d161cd6b Allow previously authorized users to access the error page
Prior to this commit, the `ErrorPageSecurityFilter` verified if
access to the error page was allowed by invoking the
`WebInvocationPrivilegeEvaluator` with the Authentication from the
`SecurityContextHolder`.
This meant that access to the error page was denied for a `null` Authentication
 or `AnonymousAuthenticationToken` in cases where the error page required
authenticated access. This prevented authorized users from accessing the
error page in case the Authentication wasn't retrievable for the error dispatch,
which is the case for `@Transient` authentication or stateless session policy.

This commit updates the `ErrorPageSecurityFilter` to check access to the error page
only if the error is an authn or authz error in cases where an authentication object
is not found in the SecurityContextHolder. This makes the error response consistent
when bad credentials or no credentials are used while also allowing access to previously
authorized users.

Fixes gh-28953
3 years ago
Scott Frederick 4eed637481 Merge branch '2.5.x'
Closes gh-28789
3 years ago
Scott Frederick 12244a8edd Remove use of Thymeleaf from smoke tests
Closes gh-28788
3 years ago
Madhura Bhave dd1d1482dc Deny unauthorized access to the error page
Fixes gh-26356

Co-authored-by Andy Wilkinson <wilkinsona@vmware.com>
3 years ago
Andy Wilkinson 2cec3971d7 Prohibit unwanted dependencies in all modules not just starters
Closes gh-28658
3 years ago
Andy Wilkinson 788a42d694 Merge branch '2.3.x' into 2.4.x
See gh-25076
4 years ago
Andy Wilkinson 67479b6380 Add junit-platform-launcher dependency by convention
Closes gh-25074
4 years ago
Phillip Webb 257608a3a3 Merge branch '2.3.x' into 2.4.x
Closes gh-25076
4 years ago
Phillip Webb 939b5dfc26 Add junit-platform-launcher dependency
Update `build.gradle` files to ensure that `junit-platform-launcher` is
a `testRuntimeOnly` dependency. This ensures that tests can be run from
Eclipse.

Closes gh-25074
4 years ago
Madhura Bhave 0818f27f44 Configure WebSecurity using WebSecurityCustomizer
Replace `WebSecurityConfigurer` and `WebSecurityConfigurerAdapter`
configurations with `WebSecurityCustomizer` or `SecurityFilterChain`
beans.

Closes gh-23421
4 years ago
Phillip Webb e0013454b5 Use parentheses when declaring dependencies
Update all dependencies declarations to use the form `scope(reference)`
rather than `scope reference`.

Prior to this commit we declared dependencies without parentheses unless
we were forced to add them due to an `exclude`.
5 years ago
Phillip Webb 0209cd3e4c Polish quote form used in Gradle scripts
Replace Gradle single quote strings with the double quote form
whenever possible. The change helps to being consistency to the
dependencies section where mostly single quotes were used, but
occasionally double quotes were required due to `${}` references.
5 years ago
Andy Wilkinson abbad9973a Polish smoke tests' Gradle configuration 5 years ago
Andy Wilkinson ce99db1902 Port the build to Gradle
Closes gh-19609
Closes gh-19608
5 years ago
Stephane Nicoll 4d21efcc0a Remove outdated comment in smoke tests
Closes gh-17741
5 years ago
Phillip Webb 6675f49334 Switch to multi-line security configuration
Now that we have lambda style security configuration we can further
improve readability by switching to one statement per line.

See gh-17525
5 years ago
Madhura Bhave 39a7b9da38 Switch to lambda style security configuration
Closes gh-17525
5 years ago
Madhura Bhave d9466f5659 Move smoke tests under spring-boot-test
See gh-17393
5 years ago