Spring Security

Overview

Spring Security provides security services for the Spring IO Platform. Spring Security 5.0 requires Spring 5.0 as a minimum and also requires Java 8.

For a detailed list of features and access to the latest release, please visit Spring projects.

Code of Conduct

Please see our code of conduct

Downloading Artifacts

See Getting Spring Security for how to obtain Spring Security.

Documentation

Be sure to read the Spring Security Reference. Extensive JavaDoc for the Spring Security code is also available in the Spring Security API Documentation.

Quick Start

We recommend you visit Spring Security Reference and read the "Getting Started" page.

Building from Source

Spring Security uses a Gradle-based build system. In the instructions below, ./gradlew is invoked from the root of the source tree and serves as a cross-platform, self-contained bootstrap mechanism for the build.

Prerequisites

Git and a JDK 11 build.

Be sure that your JAVA_HOME environment variable points to the jdk-11 folder extracted from the JDK download.

Check out sources

git clone git@github.com:spring-projects/spring-security.git

Install all spring-* jars into your local Maven cache

./gradlew install

Compile and test; build all jars, distribution zips, and docs

./gradlew build

Discover more commands with ./gradlew tasks. See also the Gradle build and release FAQ.

Getting Support

Contributing

Pull requests are welcome; see the contributor guidelines for details.

License

Spring Security is Open Source software released under the Apache 2.0 license.

Issues
  • SEC-8: Windows NT Domain AuthenticationProvider

    Ben Alex (https://jira.spring.io/secure/ViewProfile.jspa?name=balex) (Migrated from SEC-8: https://jira.spring.io/browse/SEC-8?redirect=false) said:

    http://opensource.cenqua.com/shaj/ provides a mechanism to authenticate against Windows NT Domains.

    See also http://forum.springframework.org/viewtopic.php?p=22163

    See also http://forum.springframework.org/viewtopic.php?t=4670 which discusses NTLM authentication and refers to some code that has already been written for this purpose.

    in: core type: enhancement type: jira 
    opened by spring-projects-issues 73
  • Support OAuth 2.0 Authorization Server

    opened by jgrandja 47
  • Add support for OAuth 2.0 Client authentication methods

    Currently, Spring Security only supports basic and post authentication methods between client and authorization server. Would it be possible to add support for other OpenID authentication methods in a future version of Spring Security, in particular client_secret_jwt and private_key_jwt (see https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)?

    Related #8175

    in: oauth2 status: duplicate 
    opened by beuvenar 38
  • SEC-977: Add support for CAS gateway feature

    The opportunity and the implementation details of this new feature were discussed in Jira SEC-977.

    The new filter TriggerCasGatewayAuthenticationFilter has been added to call the CasAuthenticationEntryPoint when we want to try a silent CAS authentication (typically on a public page). The trigger criteria are expressed with a requestMatcher instance. The method unsuccessfulAuthentication has been overridden in CasAuthenticationFilter in order to redirect to the saved url if there was no SSO session (no service ticket sent from CAS). To avoid an infinite loop, we use the DefaultGatewayResolverImpl from the Jasig CAS Client.

    I have signed and agree to the terms of the SpringSource Individual Contributor License Agreement.

    opened by miremond 34
  • BadCredentialsException is not serializable when using LDAP Authentication

    Summary

    When using Spring Security (using LDAP) and Spring Session (jdbc) in combination, I'm running into a serialization error only when authentication fails. When the user logs in with correct credentials, everything works as expected and the session is duplicated across all nodes. But when the user enters invalid credentials, the server throws an exception that I'm not sure how to catch (or mitigate).

    Actual Behavior

    The user logs in incorrectly and this error is thrown:

    Failed to convert from type [java.lang.Object] to type [byte[]] for value 'org.springframework.security.authentication.BadCredentialsException: Bad credentials'; nested exception is org.springframework.core.serializer.support.SerializationFailedException: Failed to serialize object using DefaultSerializer; nested exception is java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx

    Expected Behavior

    The LdapCtx object should be serialized or ignored

    Configuration

    <dependency>
        <groupId>org.springframework.session</groupId>
        <artifactId>spring-session-jdbc</artifactId>
    </dependency>


    spring.session.store-type=jdbc

    Version

    Spring Boot Starter version 1.5.10.RELEASE

    I have been redirected here from the spring session repo https://github.com/spring-projects/spring-session/issues/685

    in: ldap type: bug 
    opened by iKrushYou 34
  • adding query parameter to authorization_uri creates malformed url

    Summary

    When creating the authorization uri to login with google, there is the option to add a query parameter in order to get back the refresh token. However, when the authorization_uri is set to:

    https://accounts.google.com/o/oauth2/v2/auth?access_type=offline

    The uri that I get redirected to is:

    https://accounts.google.com/o/oauth2/v2/auth?access_type=offline?response_type=code&client_id=[my client id]&scope=[scopes]&state=[state]&redirect_uri=[redirect uri]

    Note the ?access_type=offline?response_type... This url is malformed and Google complains that response_type and basic query params are not passed in.

    Actual Behavior

    1. User goes to /login
    2. User sees an error from Google due to malformed URL

    Expected Behavior

    1. User goes to /login
    2. User sees the Google login page and the following URL in the address bar: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&response_type=code&client_id=[my client id]&scope=[scopes]&state=[state]&redirect_uri=[redirect uri]
       The access_type query parameter is after the ? and the following query parameters should have an & between them. The order of the query params does not matter.

    Configuration

    My application.yaml

    spring:
      security:
        oauth2:
          client:
            registration:
              google:
                client-id: xxxxx
                client-secret: yyyyy
                scope: profile,email,https://www.googleapis.com/auth/analytics
            provider:
              google:
                authorization-uri: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline
    

    My WebSecurityConfigurationAdapter

    @Configuration
    public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/login").permitAll()
                    .anyRequest().authenticated()
                    .and()
                    .oauth2Login()
                        //.loginPage("/login")
                            .defaultSuccessUrl("/dashboard")
                            .failureUrl("/loginFailure")
                        .authorizationEndpoint()
                            .authorizationRequestRepository(authorizationRequestRepository())
                        .and()
                            .tokenEndpoint().accessTokenResponseClient(accessTokenResponseClient());
        }
    
        @Bean
        public AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository() {
            HttpSessionOAuth2AuthorizationRequestRepository request = new HttpSessionOAuth2AuthorizationRequestRepository();
            return request;
        }
    
        @Bean
        public OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
            return new NimbusAuthorizationCodeTokenResponseClient();
        }
    }
    

    My pom.xml (only including security and oauth2 dependencies)

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
        <version>2.1.0.M2</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
        <version>5.1.0.RC1</version>
    </dependency>
    
    in: oauth2 type: bug 
    opened by mlevkovsky 33
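The failure described in this issue, as an added example that is not code from the issue or from Spring Security: the authorization-request parameters are appended to a configured endpoint that already carries access_type=offline, first the naive way that yields a second ?, then merged into the existing query component as RFC 6749 section 3.1 requires, with a small check that flags a malformed result. The client id, state and redirect URI are constructed placeholders.

```python
"""Building an OAuth 2.0 authorization request URI on top of a configured
authorization endpoint that may already carry its own query string."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values modelled on the issue: a provider URI that already
# carries access_type=offline, plus the parameters an authorization request
# must add (client id, state and redirect URI are placeholders).
AUTHORIZATION_URI = "https://accounts.google.com/o/oauth2/v2/auth?access_type=offline"
REQUEST_PARAMS = {
    "response_type": "code",
    "client_id": "example-client-id",
    "scope": "profile email https://www.googleapis.com/auth/analytics",
    "state": "example-state",
    "redirect_uri": "https://app.example.org/login/oauth2/code/google",
}

REQUIRED = ("response_type", "client_id")


def build_naive(base_uri: str, params: dict) -> str:
    """The failing construction from the issue: a second '?' is appended blindly."""
    return base_uri + "?" + urlencode(params)


def build_authorization_uri(base_uri: str, params: dict) -> str:
    """Merge params into any query string the endpoint URI already has.

    RFC 6749 section 3.1: an existing query component MUST be retained when
    adding parameters, and the endpoint URI MUST NOT contain a fragment.
    Explicit request parameters take precedence over same-named configured ones.
    """
    parts = urlsplit(base_uri)
    if parts.fragment:
        raise ValueError("authorization endpoint URI must not carry a fragment")
    merged = dict(parse_qsl(parts.query, keep_blank_values=True))
    merged.update(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(merged), ""))


def query_params(uri: str) -> dict:
    """Decode the query component the way the authorization server sees it."""
    return dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))


def validate_authorization_uri(uri: str) -> list:
    """Return a list of problems; an empty list means the request URI is well formed."""
    parts = urlsplit(uri)
    problems = []
    if "?" in parts.query:
        problems.append("query component contains a second '?'")
    if parts.fragment:
        problems.append("fragment present")
    params = query_params(uri)
    for name in REQUIRED:
        if name not in params:
            problems.append(f"missing required parameter {name}")
    return problems


if __name__ == "__main__":
    bad = build_naive(AUTHORIZATION_URI, REQUEST_PARAMS)
    good = build_authorization_uri(AUTHORIZATION_URI, REQUEST_PARAMS)
    print("naive :", validate_authorization_uri(bad))
    print("merged:", validate_authorization_uri(good), good)
```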
  • Migrate Groovy to Java

    Summary

    The tests that are written in Groovy are very convenient and easy to read, but place an unnecessary burden on contributors unfamiliar with Groovy. We should migrate the Groovy tests to Java.

    For the samples using Geb, take a look at https://github.com/spring-projects/spring-security/tree/b9152701a65df5b3fa78fe4bd2a946018f9ca352/samples/javaconfig/webflux-form/src/integration-test/java/sample

    The following commits in Spring Session might be useful as well

    https://github.com/spring-projects/spring-session/commit/1a318b89d907d01d80c9ba1b7c6ac99ca3cc3753

    and

    https://github.com/spring-projects/spring-session/commit/8e7c736a0aef27eda21371eaf7a237498098dcad

    I'd encourage anyone taking on this task to break it up into multiple PRs that migrate smaller portions at a time (i.e. a sample or a package) and include

    Migrate <what is migrated> groovy->java
    
    (optional additional details)
    
    Issue: gh-4939
    

    I'd also encourage contributors to comment on this issue to state which piece they are going to start working on migrating. This will allow multiple people to help tackle this large issue and avoid duplicating efforts.

    in: build type: enhancement 
    opened by rwinch 31
  • SEC-2078: Pre-authentication fails when using check for principal change and using non String principals

    Henrik Baastrup (Migrated from SEC-2078) said:

    The problem occurs when using pre-authentication with "check for principal change" set and the class that extends org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter uses non-String principals, e.g. java.security.Principal. The problem is that the authentication manager will always authenticate even if the principal has not changed; this can cause problems with the authentication provider, and performance problems in the code.

    The error is in line 145 in the AbstractPreAuthenticatedProcessingFilter class, the code:

    if (currentUser.getName().equals(principal)) {
        return false;
    }

    should be changed to something like:

    if (principal instanceof Principal) {
        return !currentUser.getName().equals(((Principal) principal).getName());
    } else {
        return !currentUser.getName().equals(principal.toString());
    }

    The original code will only function when the passed principal parameter is of type String. The suggested code will function for all types of objects that either implement the java.security.Principal interface or override the toString method.

    in: web type: bug type: jira 
    opened by spring-projects-issues 31
  • Ease controllers unit tests in OAuth2 secured apps

    Summary

    I faced a few difficulties unit testing my controllers in a RESTful app secured with OAuth2 (JWT) and wrote a lib that quite improved my developer experience. I just wanted to share this work; maybe you will pick up some ideas / code?

    What I did can be reduced to a few steps:

    1. create two annotations to decorate test cases with desired OAuth2 authentication: @WithMockOauth2Client and @WithMockOauth2User (the latter relies on the first for client configuration and on @WithMockUser for username and password configuration)
    2. mock ResourceServerTokenServices to intercept specific Authorization headers and populate OAuth2 security context according to authentication described with preceding annotations
    3. wrap MockMvc to add a specific Authorization header to the request when any of the two annotations described at step 1. was used
    4. this isn't security related (any kind of REST controller unit test could benefit from it) but it is still in the same lib I wrote and maybe worth being contributed to the framework too (mvc-test?). Wrap MockMvc to:
       4.1. add Content-type header for each POST, PUT and PATCH request
       4.2. add Accept header for each GET, POST and OPTION request
       4.3. provide fine-grained MockHttpServletRequestBuilder factories (pre-configured for a get request, a post request with a body, etc.)
       4.4. provide shortcuts to create, configure, build and perform mocked MVC requests in one call
       4.5. auto-serialize request payloads according to Content-type using registered message converters (see SerializationHelper)

    Actual Behavior

    Considering community threads (StackOverflow being one example), unit testing controllers in an app secured with OAuth2 is commonly considered a painful task.

    Expected Behavior

    • Annotations to configure any kind of OAuth2 authentication (client connecting on behalf of an end-user or not)
    • Security context being populated as described with such annotations
    • less boilerplate code when using MockMvc

    Sample

    Overall result in some controller unit tests:

    @WebMvcTest(UserController.class)
    @Import({ResourceServerConfig.class})
    @EnableSpringDataWebSupport
    public class UserControllerTest extends OAuth2ControllerTest {
    
        @MockBean
        UserRepository userRepo;
    
        @Test
        @WithMockOAuth2User(
                client = @WithMockOAuth2Client(clientId = "webClient"), // of no use here, added for the show-case
                user = @WithMockUser(username = "admin", authorities = {"READ_USERS"}))
        public void whenAuthenticatedWithReadUserPrivilegeThenListUsersReturnsUsersPage() throws Exception {
            final List<User> users = Arrays.asList(admin, user);
            when(userRepo.findAll(any(Pageable.class))).thenAnswer(invocation ->
                    new PageImpl<>(users, (Pageable) invocation.getArguments()[0], users.size()));
    
            api.get("/users/")
                    .andExpect(status().isOk())
                    .andExpect(jsonPath("$._embedded.elements", hasSize(users.size())))
                    .andDo(document("users-collection",
                            ignorePage(responseFields(), "elements"),
                            links()));
        }
    }
    

    In this sample:

    • api is a MockMvc wrapper instance
    • Authorization and Accept headers are transparently added
    • MockHttpServletRequestBuilder is created, configured, built and performed in one call
    • you can browse my source for additional samples involving further request builder configuration (cookies or additional headers)

    P.S.

    This is my first request to Spring framework, please point me to the right instructions if I do it the wrong way

    in: test type: enhancement 
    opened by ch4mpy 31
  • Exposing Beans for defaultMethodExpressionHandler can prevent Method Security

    Updated Summary

    If a @Configuration provides a @Bean that is used to default GlobalMethodSecurityConfiguration's defaultMethodExpressionHandler, it will prevent any @Bean that is @Autowired into the same @Configuration from having method security enabled. For example:

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class SecurityConfig {
        // any one of the following @Bean will prevent DenyAllService from being
        // secured since DenyAllService is also Autowired into this same Configuration
        @Bean
        PermissionEvaluator permissionEvaluator() {
            return mock(PermissionEvaluator.class);
        }
    
        @Bean
        RoleHierarchy RoleHierarchy() {
            return mock(RoleHierarchy.class);
        }
    
        @Bean
        AuthenticationTrustResolver trustResolver() {
            return mock(AuthenticationTrustResolver.class);
        }
    
        @Autowired
        DenyAllService denyAll;
    }
    
    @Configuration
    public class ServiceConfig {
        @Bean
        DenyAllService denyAllService() {
            return new DenyAllService();
        }
    }
    
    @PreAuthorize("denyAll")
    public class DenyAllService {
        void denyAll() {
        }
    }
    

    Summary

    spring-data-rest @PreAuthorize annotated methods on a @RepositoryRestResource annotated PagingAndSortingRepository interface fail to be evaluated on invocation if the resulting repository bean instance is @Autowired into a @Configuration annotated class.

    Actual Behavior

    See this project for a runnable example: https://github.com/bitsofinfo/spring-boot-pre-authorize-issue-01

    Expected Behavior

    @PreAuthorize expressions should be evaluated on requests that hit the repository

    Configuration

    See this project for a runnable example: https://github.com/bitsofinfo/spring-boot-pre-authorize-issue-01

    Version

    All latest spring-boot components

    See this project for a runnable example: https://github.com/bitsofinfo/spring-boot-pre-authorize-issue-01

    Sample

    https://github.com/bitsofinfo/spring-boot-pre-authorize-issue-01

    in: config type: bug 
    opened by bitsofinfo 30
  • Add ServerHttpSecurity.preFlight()

    Similar to ServerHttpSecurity.cors() but only handles pre flight requests with the proposed PreFlightWebFilter

    See spring-projects/spring-framework#26885

    opened by rwinch 0
  • Prevent CI from running on forks

    The project's GitHub Actions CI build has a hard dependency on some secrets (e.g. GRADLE_ENTERPRISE_CACHE_USERNAME), which causes the build to fail on the forks, causing unnecessary noise.

    I've been greeted by one such build failure after syncing my fork today: https://github.com/vpavic/spring-security/runs/2476329503?check_suite_focus=true

    in: build type: enhancement 
    opened by vpavic 2
  • Load ReactiveJwtAuthenticationConverter bean in OAuth2 Resource Server config

    When a bean of type ReactiveJwtAuthenticationConverter is defined, the OAuth2 Resource Server configuration will use it automatically when no other converter is defined through the DSL.

    Closes gh-9698

    in: oauth2 type: enhancement 
    opened by ThomasVitale 2
  • When ReactiveJwtAuthenticationConverter bean defined, use it in OAuth2 Resource Server config automatically

    Expected Behavior

    When I define a bean of type ReactiveJwtAuthenticationConverter, I would expect it to be considered in the OAuth2 Resource Server configuration automatically like it happens with its imperative counterpart (JwtAuthenticationConverter).

    Current Behavior

    When I define a bean of type ReactiveJwtAuthenticationConverter, it's not considered in the OAuth2 Resource Server configuration. Instead, it requires explicit definition through the DSL as follows.

    .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt ->
            jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))
    

    Context

    It would be nice to align the behaviour between reactive and non-reactive applications since it could generate some confusion.

    Proposed solution: https://github.com/spring-projects/spring-security/pull/9699

    status: waiting-for-triage type: enhancement 
    opened by ThomasVitale 0
  • SAML2 AuthnResponse custom type values are not mapped to Saml2AuthenticatedPrincipal

    My current authentication is working and I get values in my DefaultSaml2AuthenticationProvider, but somehow I can't find these values:

            <saml2:AttributeValue xmlns:example="http://www.example.de/schema/something/saml/extensions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="example:CustomType">
              <example:name>Springy</example:name>
            </saml2:AttributeValue>
    
    status: waiting-for-feedback type: bug 
    opened by leneinz 1
  • Update to Spring Security 5.6

    Create new schema files.

    Update SpringSecurityCoreVersion, taglib version, and base version.

    in: core type: enhancement 
    opened by jzheaux 0
  • WebSessionServerRequestCache only supports saving GET requests

    Expected Behavior

    WebSessionServerRequestCache or another ServerRequestCache implementation should support saving POST requests for replaying after authentication is successful.

    Current Behavior

    WebSessionServerRequestCache only supports saving GET requests. It can be extended to support matching other requests with setSaveRequestMatcher() but it will only be able to save/replay the original GET url.

    Context

    We have internally implemented SAML in Spring Security by creating our own AuthenticationWebFilter that is configured to create and validate SAML requests and responses. Our SAML supports configuration as both an IDP and SP. The SAML core is implemented around the org.opensaml XML and security APIs. This is as requested in issue https://github.com/spring-projects/spring-security/issues/7954

    Background reading on SAML: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

    See section: SP-Initiated SSO: Redirect/POST Bindings

    When our server is configured as an IDP, a POST request may come to our server with a request for SAML verification. Our IDP endpoint looks like this:

    @RestController
    @RequestMapping("/saml/idp")
    public class SamlIdpController {
        @PostMapping(value = "/ls", produces = MediaType.TEXT_HTML_VALUE)
        public Mono<String> loginService(Principal principal, ServerWebExchange exchange) {
            return exchange.getFormData().flatMap(formData -> {
                String samlRequest = formData.getFirst("SAMLRequest");
                String relayState = formData.getFirst("RelayState");
                if (samlRequest != null) {
                    return processLoginRequest("POST", principal, samlRequest, relayState);
                }
                logger.info("Authentication did not succeed for SAMLRequest: {} from {}", samlRequest, getRemoteHostAddress(exchange.getRequest()));
                return Mono.empty();
            });
        }
    }
    

    Before the POST can be processed, the authentication is handled with AuthenticationWebFilter. If the user is not authenticated they will be redirected for authentication, i.e. LoginForm/BasicAuth. Then they "should" be redirected back to the SAML IDP endpoint.

    This doesn't happen because the WebSessionServerRequestCache wired into AuthenticationWebFilter doesn't support replaying the SAML POST request.

    Workaround

    I have implemented a PostSavingWebSessionRequestCache. It does something like the below, and with another hack it works:

    public class PostSavingWebSessionRequestCache implements ServerRequestCache {
    
        @Override
        public Mono<Void> saveRequest(ServerWebExchange exchange) {
            String requestPath = pathInApplication(exchange.getRequest());
            if (exchange.getRequest().getMethod() == POST) {
                return this.postMatcher.matches(exchange).filter(ServerWebExchangeMatcher.MatchResult::isMatch)
                        .flatMap((m) -> exchange.getSession()).map(WebSession::getAttributes).doOnNext((attrs) -> {
                            attrs.put(SAVED_PATH_ATTR, requestPath);
                            attrs.put(SAVED_REQUEST_ATTR, serializePost(exchange));
                            logger.info("POST Request added to WebSession: {}", requestPath);
                        }).then();
            } else {
                return this.getMatcher.matches(exchange).filter(ServerWebExchangeMatcher.MatchResult::isMatch)
                        .flatMap((m) -> exchange.getSession()).map(WebSession::getAttributes).doOnNext((attrs) -> {
                            attrs.put(SAVED_PATH_ATTR, requestPath);
                            logger.info("{} Request added to WebSession: {}", exchange.getRequest().getMethod(),
                                    requestPath);
                        }).then();
            }
        }
    
        @Override
        public Mono<ServerHttpRequest> removeMatchingRequest(ServerWebExchange exchange) {
            return exchange.getSession().map(WebSession::getAttributes).flatMap((attributes) -> {
                String requestPath = pathInApplication(exchange.getRequest());
                boolean removed = attributes.remove(SAVED_PATH_ATTR, requestPath);
                if (!removed) {
                    return Mono.empty();
                }
                logger.debug(LogMessage.format("Request removed from WebSession: '%s'", requestPath));
                // A saved POST is stored separately; if absent, the original request was a GET
                ServerHttpRequest request = (ServerHttpRequest) attributes.remove(SAVED_REQUEST_ATTR);
                if (request == null) {
                    logger.info("{} Request continuing: {}", exchange.getRequest().getMethod(), requestPath);
                    return Mono.just(exchange.getRequest());
                }
                logger.info("POST Request replaying from cache: {}", requestPath);
                return Mono.just(request);
            });
        }
    }
    

    It would be nice if something like this existed out of the box in spring security.

    Possible Concerns

    • There may not be many use cases other than mine, but I did see other discussions here: https://stackoverflow.com/questions/21958224/how-to-enable-spring-security-post-redirect-after-log-in-with-csrf
    • There may be a security issue with saving post details; also note SAML posts need to bypass CSRF.
    • It is hard to serialize/save the formData in the reactive request. I end up actually converting the POST to a GET to get it to work.

    status: waiting-for-triage type: enhancement 
    opened by stffrdhrn 0
  • Access Token Response expires_in should be a JSON number

    The expires_in parameter in an OAuth 2.0 Access Token response should be a JSON number.

    As per spec, in section 5.1 Successful Response:

    expires_in RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

    Sample response:

    {
        "access_token":"2YotnFZFEjr1zCsicMWpAA",
        "token_type":"example",
        "expires_in":3600,
        "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
        "example_parameter":"example_value"
    }
    

    OAuth2AccessTokenResponseHttpMessageConverter should support Converters that operate on Map<String, Object>, NOT the current Map<String, String>.

    in: oauth2 type: bug 
    opened by jgrandja 0
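An added example (not the issue's or Spring Security's code) of parsing the access token response while keeping expires_in as the JSON number the spec defines, rather than forcing every parameter through a string map; the sample bodies are constructed from the issue's sample response plus a non-compliant variant that quotes expires_in, and the additional parameters keep their JSON types.

```python
"""Parsing an OAuth 2.0 access token response (RFC 6749 section 5.1)
without assuming that every parameter is a string."""
import json
import time

# Constructed sample bodies: the spec-shaped response quoted in the issue and a
# variant from a non-compliant server that sends expires_in as a string.
SPEC_RESPONSE = (
    b'{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"example","expires_in":3600,'
    b'"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA","example_parameter":"example_value"}'
)
STRING_EXPIRES_RESPONSE = (
    b'{"access_token":"constructed-token","token_type":"Bearer","expires_in":"3600",'
    b'"scope":"read write"}'
)

STANDARD_PARAMETERS = ("access_token", "token_type", "expires_in", "refresh_token", "scope")


class TokenResponseError(ValueError):
    """Raised when the response does not satisfy RFC 6749 section 5.1."""


def _expires_in_seconds(value) -> int:
    """Accept a JSON number; tolerate a digit-only string; reject everything else.

    bool is a subclass of int in Python, so it is excluded explicitly.
    """
    if isinstance(value, bool):
        raise TokenResponseError("expires_in must be a number")
    if isinstance(value, (int, float)):
        seconds = value
    elif isinstance(value, str) and value.strip().isdigit():
        seconds = int(value)  # lenient path for servers that quote the number
    else:
        raise TokenResponseError("expires_in must be a number")
    if seconds <= 0:
        raise TokenResponseError("expires_in must be positive")
    return int(seconds)


def parse_token_response(body: bytes, now: float = None) -> dict:
    """Validate the required parameters and compute an absolute expiry time."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise TokenResponseError("token response must be a JSON object")
    for required in ("access_token", "token_type"):
        if not isinstance(data.get(required), str) or not data[required]:
            raise TokenResponseError(f"missing or non-string {required}")
    now = time.time() if now is None else now
    result = {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "refresh_token": data.get("refresh_token"),
        # scope is a space-delimited string per the spec; absent means "as requested"
        "scope": set(data["scope"].split()) if isinstance(data.get("scope"), str) else set(),
        "expires_at": None,
        # Extension parameters keep their JSON types (number, bool, object, ...)
        "additional": {k: v for k, v in data.items() if k not in STANDARD_PARAMETERS},
    }
    if "expires_in" in data:
        result["expires_at"] = now + _expires_in_seconds(data["expires_in"])
    return result


if __name__ == "__main__":
    print(parse_token_response(SPEC_RESPONSE))
    print(parse_token_response(STRING_EXPIRES_RESPONSE))
```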
  • When using custom MVC servlet path and jar packaging, form login page loading leads to infinite redirects

    I'm working with an old project that uses a custom MVC servlet path, was packaged as a war, and deployed in Tomcat. I wanted to migrate to jar packaging, but when trying to log in using form login I'm presented with an infinite redirect.

    Sample code, with spring boot 2.4.5 and just spring-web and spring-security dependencies:

    @RestController
    @SpringBootApplication
    public class FormloginApplication extends SpringBootServletInitializer {
    
    	public static void main(String[] args) {
    		SpringApplication.run(FormloginApplication.class, args);
    	}
    
    	@Override
    	protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
    		return application.sources(FormloginApplication.class);
    	}
    
    	@Bean
    	public SecurityFilterChain formLoginFilterChain(HttpSecurity http) throws Exception {
    		return http
    				.authorizeRequests(authorize -> authorize.anyRequest().authenticated())
    				.formLogin().and()
    				.build();
    	}
    
    	@GetMapping("/hello")
    	public String hello(@AuthenticationPrincipal User user) {
    		return "Hello " + user.getUsername() + "!";
    	}
    
    }
    
    server:
      servlet:
        context-path: /formlogin
    
    spring:
      mvc:
        servlet:
          path: /api
    

    When packaging as formlogin.war, everything works fine. Accessing localhost:8080/formlogin/api/hello, I am redirected to http://localhost:8080/formlogin/login, the login page loads, I log in with the generated credentials, and I am greeted with "Hello user!".

    When packaging as a jar or using the spring-boot:run maven goal, I still get redirected to http://localhost:8080/formlogin/login, but the login page doesn't load; instead it tries to redirect me again to http://localhost:8080/formlogin/login. After a few rounds, the browser gives up and displays the error "this page doesn't work".

    Removing the spring.mvc.servlet.path configuration makes it work again, but it's not a viable solution for me.

    Sample repo: https://github.com/gbaso/spring-security-9684

    status: waiting-for-triage type: bug 
    opened by gbaso 0
  • #9511: Fix for OidcClientInitiatedLogoutSuccessHandler. Now encodes a…

    …lready encoded queryparameters in postLogoutRedirectUrl correctly

    in: oauth2 type: bug 
    opened by hosea 3
Releases (5.5.0-RC2)
  • 5.5.0-RC1 (Apr 12, 2021)

    New Features

    • Add Sections to What's New #9596
    • Add AfterMethodAuthorizationManager #9591
    • Add Kotlin DSL section to What's New #9589
    • Add Configuration section to What's New #9588
    • Add coroutine support to pre/post authorize #9586
    • Make OAuth2AuthorizationResponseType constructor public #9584
    • Deprecate OAuth2AuthorizationResponseType.TOKEN #9582
    • Support Create/Delete Release on spring.io #9577
    • Update to commons-codec 1.15 #9575
    • Fix deprecation warnings in DocsPlugin #9547
    • Fix deprecation warnings for SchemaZipPlugin #9546
    • Use Checkstyle.configDirectory #9545
    • Re-enable Gradle dependency cache #9544
    • Use Gradle Constraints + platform instead of DependencyManagementPlugin #9541
    • Use new api/implementation configurations #9540
    • Extract Build Conventions to buildSrc #9539
    • Update javadoc for AesBytesEncryptor constructors #9536
    • Add jwt-bearer authorization grant #9535
    • Change build to use GPG_PRIVATE_KEY_NO_HEADER #9531
    • Update ComparableVersion to version from Maven 3.6.3 #9521
    • Add Jwt Client Authentication support #9520
    • Add javadoc at constructors. #9518
    • Add Saml2MessageBinding#from #9515
    • Test method in PasswordOAuth2AuthorizedClientProviderTests has incorrect setup of token expiry #9506
    • Upgrade to Gradle 6.8.2 #9458
    • Update Spring Security build to require JDK 11 #9419
    • Add JavaDoc to AesBytesEncryptor #9361
    • Add OpenSAML 4 support #9267
    • Add OpenSaml 4 support #9095
    • Support JWT for Client Authentication #8175
    • Make EnableReactiveMethodSecurity compatible with Kotlin Coroutines #8143
    • Support JWT as an Authorization Grant for client #6053

    :beetle: Bug Fixes

    • Fix package tangle in Resource Server #9576
    • Add package-list #9562
    • Add null check in CsrfFilter and CsrfWebFilter #9561
    • Fix javadoc in crypto/encrypt/Encryptors.java #9537
    • Fix Javadoc errors in spring-security-saml2-service-provider #9530
    • @Order annotations cannot be used with @Bean methods #9154

    :hammer: Dependency Upgrades

    • Update htmlunit-driver to 2.49.1 #9624
    • Update htmlunit to 2.49.1 #9623
    • Update io.spring.nohttp to 0.0.6.RELEASE #9622
    • Update reactor-netty to 1.0.6 #9621
    • Update io.projectreactor to 2020.0.6 #9620
    • Update com.nimbusds to 9.3.3 #9619
    • Update jackson-datatype-jsr310 to 2.12.3 #9618
    • Update jackson-databind to 2.12.3 #9617
    • Update jackson-bom to 2.12.3 #9616
    • Update spring-data-bom to 2020.0.7 #9574
    • Update mockito-core to 3.9.0 #9573
    • Update hsqldb to 2.6.0 #9572
    • Update blockhound to 1.0.6.RELEASE #9571
    • Update aspectj-plugin to 5.3.3.3 #9570
    • Update com.nimbusds to 9.3.1 #9569
    • Update org.jetbrains.kotlin to 1.4.32 #9555
    • Update nohttp-checkstyle to 0.0.5.RELEASE #9554
    • Update io.spring.javaformat to 0.0.27 #9553
    • Update spring-doc-resources to 0.2.5 #9552
    • Update r2dbc-spi-test to 0.8.4.RELEASE #9551
    • Update aspectj-plugin to 5.3.0 #9550

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.3.9.RELEASE(Apr 12, 2021)

  • 5.4.6(Apr 12, 2021)

  • 5.2.10.RELEASE(Apr 12, 2021)

    :beetle: Bug Fixes

    • Add null check in CsrfFilter and CsrfWebFilter #9594

    :hammer: Dependency Upgrades

    • Update to nohttp 0.0.6.RELEASE #9609
    • Update to GAE 1.9.88 #9608
    • Update to OpenSAML 3.4.6 #9607
    • Update to hibernate-entitymanager 5.4.30.Final #9606
    • Update to Groovy 2.4.21 #9605
    • Update to embedded Apache Tomcat 9.0.45 #9604
    • Update blockhound to 1.0.6.RELEASE #9603
    • Update to RSocket 1.0.4 #9602
    • Update to Spring Data Moore-SR13 #9601
    • Update to Spring Framework 5.2.13.RELEASE #9600
    • Update to Reactor Dysprosium-SR18 #9599
  • 5.5.0-M3(Mar 15, 2021)

    :star: New Features

    • Clarify in Javadoc that .csrf() enables CSRF protection #9489
    • Throw Saml2AuthenticationException in Saml2AuthenticationTokenConverter on deflation or decoding error #9468
    • Allow ACL to be owned by GrantedAuthoritySid #9454
    • Add setMetadataFilename method to Saml2MetadataFilter #9393
    • Improve HttpSessionSecurityContextRepository performance #9387
    • Kotlin DSL extension for HttpSecurity#rememberMe #9319
    • Add BearerTokenAuthenticationConverter #8975

    :beetle: Bug Fixes

    • Fix typo in ServerHttpSecurityDsl Javadoc #9485
    • Fix missing return in example #9482

    :hammer: Dependency Upgrades

    • Update to GAE 1.9.87 #9503
    • Update to Kotlin 1.4.31 #9502

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.4.5(Feb 17, 2021)

  • 5.5.0-M2(Feb 11, 2021)

    :star: New Features

    • Constrain Nimbus dependencies to compatible majors #9400
    • Misleading manifestation of error condition #9395
    • Remove private BearerTokenAuthenticationWebFilter #9377
    • Migrate SAML 2.0 Samples to Use PCFOne #9362
    • Add manual trigger to CI workflow #9360
    • Use Nimbus's SingleKeyJWSKeySelector #9348
    • Extend CorsDsl with CorsConfigurationSource property #9333
    • Make max-sessions configurable #9328
    • Add Revved up by Gradle Enterprise badge to README #9327
    • WebFlux oauth2Login with formLogin test #9326
    • No converter found for RSAPublicKey #9316
    • Extend CorsDsl with CorsConfigurationSource property #9314
    • Removes unused code #9294
    • Use constant time comparisons for CSRF tokens #9291
    • Introduced DispatcherType request matcher #9278
    • Add permissionsPolicy http header #9265
    • Add permissionsPolicy header in HeadersConfigurers #9262
    • Deprecate ClientAuthenticationMethod BASIC and POST #9220
    • Fix javadoc in Pbkdf2PasswordEncoder #9219
    • Added ClaimAccessor#hasClaim #9218
    • Improve handling of non-String principal claim values #9215
    • Improve handling of non-String principal claim values #9212
    • getRemoteUser() returns principal name #9211
    • Match requests based on servlet dispatcher type #9205
    • Return type of oauth2.core.ClaimAccessor#containsClaim(String) could be a primitive boolean #9201
    • Allow maximum age of csrf cookie to be configured #9196
    • SecurityWebApplicationContextUtils cleanup gh-8868 #9194
    • Decode cookie once in AbstractRememberMeServices #9192
    • Add convenience constructor in OAuth2AuthenticationException #9190
    • JwtIssuerAuthenticationManagerResolver should not resolve the bearer token #9186
    • Make salt length configurable in Pbkdf2PasswordEncoder #9147
    • Resource Server should identify unauthorized REST requests like HTTP Basic does #9100
    • Add AuthorizationManager #8996
    • OpenSamlAuthenticationProvider should validate Response Status #8955
    • Build Github Actions CI pipeline #8698

    :beetle: Bug Fixes

    • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9421
    • Update saml2-login.adoc #9408
    • Allow null or empty authorities for DefaultOAuth2User #9380
    • Wrong example name in Spring Security documentation #9379
    • Remove notEmpty check for authorities in DefaultOAuth2User #9366
    • CsrfWebFilter creates CsrfException with incorrect message when no token is found #9337
    • Make user info response status check error only #9336
    • Fix bug with multiple AuthenticationManager beans #9329
    • Fixed NullPointerException with WWW-Authenticate #9303
    • Exception when declaring multiple AuthenticationManager beans #9256
    • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject #9222
    • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9210
    • CookieRequestCache handles URL encoded query parameters incorrectly #9203
    • Fix typo in JdbcDaoImpl Javadoc #9197
    • WithSecurityContextTestExecutionListener should respect NestedTestConfiguration #9193
    • Customizing the metadata endpoint does not work #9133

    :hammer: Dependency Upgrades

    • Update to GAE 1.9.86 #9445
    • Update to Kotlin 1.4.30 #9444
    • Update to Spring Boot 2.4.2 #9443
    • Update Gradle Enterprise Gradle Plugin #9335

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.4.4(Feb 11, 2021)

    This release fixes a problem with the release of 5.4.3

    :star: New Features

    • Migrate SAML 2.0 Samples to Use PCFOne #9369
    • Resolve artifacts from Maven Central first #9367
    • Use constant time comparisons for CSRF tokens #9357
    • Improve HttpSessionSecurityContextSessionRepository Performance #9388

    :beetle: Bug Fixes

    • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9426
    • Fix custom marshaller example #9409
    • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9403
    • CurrentSecurityContextArgumentResolver should configure BeanResolver #9402
    • Consider downgrading to Nimbus 8 #9399
    • Remove notEmpty check for authorities in DefaultOAuth2User #9396
    • Wrong example name in Spring Security documentation #9383
    • Make user info response status check error only #9376
    • Malformed WWW-Authenticate Causes NPE #9364
    • CsrfWebFilter creates CsrfException with incorrect message when no token is found #9338
    • Exception when declaring multiple AuthenticationManager beans #9332
    • webflux-x509 sample cert needs renewal #9322
    • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9258

    :hammer: Dependency Upgrades

    • Update to GAE 1.9.86 #9448
    • Update to Spring Boot 2.4.2 #9447
    • Update to Kotlin 1.4.30 #9446
  • 5.4.3(Feb 11, 2021)

    :star: New Features

    • Migrate SAML 2.0 Samples to Use PCFOne #9369
    • Resolve artifacts from Maven Central first #9367
    • Use constant time comparisons for CSRF tokens #9357
    • Improve HttpSessionSecurityContextSessionRepository Performance #9388

    :beetle: Bug Fixes

    • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9426
    • Fix custom marshaller example #9409
    • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9403
    • CurrentSecurityContextArgumentResolver should configure BeanResolver #9402
    • Consider downgrading to Nimbus 8 #9399
    • Remove notEmpty check for authorities in DefaultOAuth2User #9396
    • Wrong example name in Spring Security documentation #9383
    • Make user info response status check error only #9376
    • Malformed WWW-Authenticate Causes NPE #9364
    • CsrfWebFilter creates CsrfException with incorrect message when no token is found #9338
    • Exception when declaring multiple AuthenticationManager beans #9332
    • webflux-x509 sample cert needs renewal #9322
    • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9258

    :hammer: Dependency Upgrades

    • Update to GAE 1.9.86 #9448
    • Update to Spring Boot 2.4.2 #9447
    • Update to Kotlin 1.4.30 #9446
  • 5.2.9.RELEASE(Feb 11, 2021)

    :star: New Features

    • Improve HttpSessionSecurityContextSessionRepository Performance #9390
    • Migrate SAML 2.0 Samples to Use PCFOne #9371
    • Use constant time comparisons for CSRF tokens #9359

    :beetle: Bug Fixes

    • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9428
    • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9406
    • Remove notEmpty check for authorities in DefaultOAuth2User #9398
    • CsrfWebFilter creates CsrfException with incorrect message when no token is found #9340
    • webflux-x509 sample cert needs renewal #9321
    • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9260

    :hammer: Dependency Upgrades

    • Update to GAE 1.9.86 #9442
    • Update to Tomcat 9.0.43 #9441
    • Update to Jetty 9.4.36.v20210114 #9440
    • Update to hibernate-validator 6.1.7.Final #9439
    • Update to hibernate-entitymanager 5.4.28.Final #9438
    • Update to thymeleaf-spring5 3.0.12 #9437
    • Update to Spring Data Moore-SR12 #9436
    • Update to Reactor Dysprosium-SR16 #9435
    • Update to Spring Framework 5.2.12.RELEASE #9434
    • Update to Spring Boot 2.2.13.RELEASE #9433
  • 5.3.8.RELEASE(Apr 9, 2021)

    This release fixes a problem with the release of 5.3.7.

    :star: New Features

    • Improve HttpSessionSecurityContextSessionRepository Performance #9391
    • Improve HttpSessionSecurityContextSessionRepository Performance #9389
    • Migrate SAML 2.0 Samples to Use PCFOne #9370
    • Resolve artifacts from Maven Central first #9368
    • Use constant time comparisons for CSRF tokens #9358

    :beetle: Bug Fixes

    • Fix the 5.3.7.RELEASE
    • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9427
    • CurrentSecurityContextArgumentResolver should configure BeanResolver #9405
    • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9404
    • Remove notEmpty check for authorities in DefaultOAuth2User #9397
    • Wrong example name in Spring Security documentation #9384
    • CsrfWebFilter creates CsrfException with incorrect message when no token is found #9339
    • webflux-x509 sample cert needs renewal #9323
    • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9259
  • 5.3.7.RELEASE(Feb 11, 2021)

    :star: New Features

    • Improve HttpSessionSecurityContextSessionRepository Performance #9391
    • Improve HttpSessionSecurityContextSessionRepository Performance #9389
    • Migrate SAML 2.0 Samples to Use PCFOne #9370
    • Resolve artifacts from Maven Central first #9368
    • Use constant time comparisons for CSRF tokens #9358

    :beetle: Bug Fixes

    • OAuth2ResourceServerSpecTests and OAuth2WebClientControllerTests fail #9427
    • CurrentSecurityContextArgumentResolver should configure BeanResolver #9405
    • Fix beanResolver missing in CurrentSecurityContextArgumentResolver. #9404
    • Remove notEmpty check for authorities in DefaultOAuth2User #9397
    • Wrong example name in Spring Security documentation #9384
    • CsrfWebFilter creates CsrfException with incorrect message when no token is found #9339
    • webflux-x509 sample cert needs renewal #9323
    • OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray #9259
  • 4.2.20.RELEASE(Dec 9, 2020)

  • 5.4.2(Dec 3, 2020)

    :star: New Features

    • Update snapshot build dependencies #9254
    • Update to Gradle 6.6.1 #9232

    :beetle: Bug Fixes

    • Tests should not combine Authentication and @AuthenticationPrincipal #9255
    • Remove empty Appendix Section from docs #9253
    • CookieRequestCache handles URL encoded query parameters incorrectly #9252
    • Improve Metadata URL Documentation #9251

    :hammer: Dependency Upgrades

    • Update to Google App Engine 1.9.83 #9250
    • Update to Kotlin 1.4.20 #9249
    • Update to Spring Boot 2.4.0 #9248
    • 5.4.x Snapshot Build Should Point to Other Maintenance Branches #9162
  • 5.3.6.RELEASE(Dec 2, 2020)

    :beetle: Bug Fixes

    • Remove empty Appendix Section from docs #9161
    • Tests should not combine Authentication and @AuthenticationPrincipal #9125

    :hammer: Dependency Upgrades

    • Update to Google App Engine 1.9.83 #9247
    • Update to Spring Boot 2.2.11 #9246
  • 5.2.8.RELEASE(Dec 2, 2020)

    :beetle: Bug Fixes

    • Remove empty Appendix Section from docs #9172
    • Tests should not combine Authentication and @AuthenticationPrincipal #9126

    :hammer: Dependency Upgrades

    • Update to Spring LDAP Core 2.3.3 #9245
    • Update to Powermock 2.0.9 #9244
    • Update to HSQLDB 2.5.1 #9243
    • Update to Hibernate EntityManager 5.4.25 #9242
    • Update to Jetty 9.4.35 #9241
    • Update to HttpComponents HttpClient 4.5.13 #9240
    • Update to RSocket 1.0.3 #9239
    • Update to Reactor Dysprosium-SR14 #9238
    • Update to Google App Engine 1.9.83 #9237
    • Update to Jackson Databind 2.10.5.1 #9236
    • Update to Spring Data Moore-SR11 #9235
    • Update to Spring 5.2.11 #9234
    • Update to Spring Boot 2.2.11 #9233
  • 5.5.0-M1(Nov 3, 2020)

    :star: New Features

    • Add unsupported_token_type in OAuth2ErrorCodes #9184
    • Add token and token_type_hint to OAuth2ParameterNames #9183
    • Introduce JwaAlgorithm #9182
    • WithSecurityContextTestExecutionListener Should Support Nested Classes #9179
    • Add WebFlux Documentation for Multiple Filter Chains #9178
    • SAML 2.0 Asserting Party Metadata resolution should read SigningMethod elements #9177
    • Enable customization of BearerTokenResolver by adding a setter for JwtClaimIssuerConverter on JwtIssuerAuthenticationManagerResolver #9168
    • Reactive doc points to unit tests #9157
    • Invoke Kotlin MockMvc result matchers with parentheses #9155
    • Change guard expressions order #9153
    • It is not necessary to fetch all user sessions if unlimited sessions are set in the ConcurrentSessionControlAuthenticationStrategy. #9152
    • Add refresh token expiration support #9146
    • JwtIssuerValidator handles issuer (iss) claim values as Strings and URLs #9137
    • OpenSamlAuthenticationProvider should decrypt attributes #9131
    • Update snapshot build dependencies #9124
    • spring-security-test should include jackson-datatype-jsr310 as a test dependency #9123
    • Update to Gradle 6.6.1 #9122
    • Use LobHandler in JdbcOAuth2AuthorizedClientService #9070
    • Changed metadata converter to accept files as well #9056
    • Add HSM Support for Decrypting Assertions #9055
    • File-based Configuration for Asserting Party Metadata #9028
    • Prevent PR builds from running on forks #8993
    • Provide an R2dbc implementation of ReactiveOAuth2AuthorizedClientService #8765
    • Add support for dynamic JWS signature algorithm with JWKs (2) - Issue 7160 #8752
    • Support customization of BearerTokenResolver in JwtIssuerAuthenticationManagerResolver #8535
    • Provide reactive JDBC implementation of ReactiveOAuth2AuthorizedClientService #7890
    • JwtDecoders and ReactiveJwtDecoders should determine algorithm from JWK Set Endpoint #7160
    • OAuth2Token interface for AbstractOAuth2Token #5502

    :beetle: Bug Fixes

    • [docs] Add white space before strong notation. #9145
    • Bug with JwtValidators.createDefaultWithIssuer(String)? #9136
    • Tests should not combine Authentication and @AuthenticationPrincipal #9121
    • Closes gh-8196 appendix indentation #9118
    • Fixes in documentation #9099

    :hammer: Dependency Upgrades

    • Set rsocketVersion to 1.1.0 #9167
    • Set reactorVersion to 2020.0.+ #9166
    • Set springVersion to 5.3.+ #9165

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 4.2.19.RELEASE(Oct 8, 2020)

  • 5.3.5.RELEASE(Oct 7, 2020)

    :beetle: Bug Fixes

    • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9057
    • CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9024

    :hammer: Dependency Upgrades

    • Update to AspectJ 1.9.6 #9106
    • Update to Google App Engine 1.9.82 #9105
    • Update to Spring Boot 2.2.10.RELEASE #9104
  • 5.4.1(Oct 7, 2020)

    :star: New Features

    • Replace expired msdn link with latest web archive copy #9050
    • Add documentation for StrictHttpFirewall enhancements #9038
    • Replace Tomcat6 URL for SSL Guide to Tomcat 10 #9034
    • Use AssertJ for exception testing #9013

    :beetle: Bug Fixes

    • Add try-with-resources to close stream #9053
    • RelyingPartyRegistrations Fails to Read Keycloak Metadata #9051
    • fix miswritten comment of FormLoginDsl.kt #9042
    • Adapt to WebClient's new exception wrapping #9031
    • StandardInterceptUrlRegistry should not refer to ExpressionUrlAuthorizationConfigurer #9026
    • Fix broken Mono chain #9022
    • Use Schedulers.boundedElastic for UUID.randomUUID #9021
    • CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9018
    • WebSessionServerCsrfTokenRepository#generateToken() doesn't use Schedulers.boundedElastic() #9017
    • NullPointerException SessionRegistryImpl.onApplicationEvent(SessionRegistryImpl.java:111) #9011
    • Quick javadoc fix for DelegatingPasswordEncoder #8890

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.1.13.RELEASE(Oct 7, 2020)

    :beetle: Bug Fixes

    • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9059

    :hammer: Dependency Upgrades

    • Update to Spring Boot 2.1.17.RELEASE #9078
    • Update to Hibernate Validator 6.0.21 #9077
    • Update to org.aspectj 1.9.6 #9076
    • Update to GAE 1.9.82 #9075
    • Update to Jackson Databind 2.9.10.6 #9074
    • Update to Spring Data Lovelace-SR20 #9073
    • Update to Spring Framework 5.1.18 #9072
    • Update to Reactor Californium-SR21 #9071
  • 5.0.19.RELEASE(Oct 7, 2020)

    :beetle: Bug Fixes

    • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9060

    :hammer: Dependency Upgrades

    • Update to Hibernate Validator 6.0.21 #9069
    • Update to org.aspectj 1.9.6 #9067
    • Update to GAE 1.9.82 #9066
    • Update to Jackson Databind 2.9.10.6 #9065
    • Update to Spring Framework 5.0.19 #9064
  • 5.2.7.RELEASE(Oct 7, 2020)

    :beetle: Bug Fixes

    • SpringSecurityCoreVersion.java getSpringVersion() method does not close stream. #9058
    • CookieServerCsrfTokenRepository#createNewToken should use Schedulers.boundedElastic #9025

    :hammer: Dependency Upgrades

    • Update to Spring Data Moore-SR10 #9088
    • Update to Hibernate Entity manager 5.4.22 #9087
    • Update to Hibernate Validator 6.1.6 #9086
    • Upgrade to embedded Apache Tomcat 9.0.38 #9085
    • Update to RSocket 1.0.2 #9084
    • Update to Spring Framework 5.2.9 #9083
    • Update to Reactor Dysprosium-SR12 #9082
    • Update to Spring Boot 2.2.10 #9081
    • Update to GAE 1.9.82 #9080
    • Update to org.aspectj 1.9.6 #9079
  • 5.4.0(Sep 9, 2020)

    :star: New Features

    • Add What's New in 5.4 #9002
    • Add What's New in 5.4 Section to Docs #9001
    • Add Resource Server Servlet Logging #9000
    • Simplify saml2Login Samples #8990
    • Remove Framework Tests from saml2Login Sample #8989
    • Add authenticationManagerResolver to resource server Kotlin DSL #8981
    • Generalize SAML 2.0 Assertion Validation Support #8970
    • Update abstract-authentication-processing-filter.adoc #8965
    • Add spring-javaformat checkstyle and formatting #8946
    • Add hasAnyRole and hasAnyAuthority to authorizeRequests in Kotlin DSL #8926
    • Add hasAnyAuthority(String...) and hasAnyRole(String...) to authorizeRequests in Kotlin DSL #8892
    • Resolve oauth2 client-id, client-secret placeholders #8880
    • Restructure SAML 2.0 documentation #8763
    • security:client-registrations doesn't take propertyconfigurer properties #8453

    :beetle: Bug Fixes

    • Clickjacking demo in docs: YouTube link in X-Frame-Options section leads to private video #8986
    • NoClassDefFoundError: AuthMetadataFlyweight at o.s.s.r.m.SimpleAuthenticationEncoder #8948
    • SAML attributes not parsed correctly with prefixed XML elements #8864
    • Don't use oidc scopes_supported for scope as default in ClientRegistrations #8790
    • scopes_supported metadata should not be used as default in ClientRegistrations #8514

    :hammer: Dependency Upgrades

    • Set springDataVersion to Neumann-SR+ #9007
    • Set rsocketVersion to 1.0.+ #9006

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.4.0-RC1(Aug 5, 2020)

    :star: New Features

    • Deprecate CustomUserTypesOAuth2UserService #8908
    • Deprecate ClientRegistration.redirectUriTemplate #8906
    • Allow for custom ClientRegistration.clientAuthenticationMethod #8903
    • Deprecate ImplicitGrantConfigurer #8902
    • Remove use of Mono.deferWithContext() #8901
    • Consider adding RelyingPartyRegistrationResolver #8887
    • Add HttpMessageConverter that constructs a RelyingPartyRegistration #8877
    • RelyingPartyRegistration should default the ACS Location #8876
    • Update SimpleSaml2AuthenticatedPrincipal class name #8861
    • Introduce AuthenticationConverterServerWebExchangeMatcher #8854
    • Make class SimpleSaml2AuthenticatedPrincipal public #8852
    • Support custom filter in Server Kotlin DSL #8850
    • Saml2AuthenticationToken should take a RelyingPartyRegistration #8845
    • Wording changes #8832
    • -gh 8784 Document improvement for WebSecurityConfigure #8825
    • Consider making BearerTokenServerWebExchangeMatcher public and more generic #8824
    • Add custom HeaderWriter in Kotlin DSL #8823
    • Add Static Factories to Saml2X509Credential #8822
    • Allow disabling headers in Kotlin DSL #8816
    • Remove need for WebSecurityConfigurerAdapter #8805
    • Configure HTTP Security without extending WebSecurityConfigurerAdapter #8804
    • Fix #8693 Support SAML 2.0 SP Metadata Endpoints #8795
    • Add Static Factories to Saml2X509Credential #8789
    • RelyingPartyRegistration Credentials Should Be Split by Party #8788
    • Support custom filter in Server Kotlin DSL #8783
    • mongolian translation for messages.properties #8780
    • Mongolian translation required for messages.properties #8778
    • RelyingPartyRegistration should use metadata spec language #8777
    • ACS Binding should be in RelyingPartyRegistration #8776
    • Remove OpenSamlImplementation #8775
    • OpenSamlAuthenticationRequestFactory should use OpenSAML directly #8774
    • OpenSamlAuthenticationProvider should use OpenSAML directly #8773
    • OpenSAML should get initialized as part of container lifecycle #8772
    • SAML Assertion validation fails when OneTimeUse condition is sent from the IdP #8769
    • Improve error message when invalid content-type for UserInfo response #8764
    • Simplify retrieving Introspection-specific attributes #8740
    • Reactive SwitchUserWebFilter for user impersonation #8687
    • Change getMethod() to return configured value in SimpleSavedRequest #8675
    • gh-8589 Additional Jwt validation debug messages #8665
    • Adds cookie based RequestCache #8653
    • Missing Reactive SwitchUserWebFilter for user impersonation #8599
    • Use String to specify custom HTTP method in mock request #8592
    • Add logging #8589
    • Support for dynamic configuration using IDP metadata URL for SAML SSO integration #8484
    • SAML Authentication Provider assertions #8471
    • Throw exception when specified ldif file does not exist #8434
    • SAML: Add RequestedAuthnContext to AuthnRequest in OpenSamlAuthenticationRequestFactory #8141
    • Add request cache that uses cookie #8034
    • No log message or exception if expected ldif file does not exist #7791

    :beetle: Bug Fixes

    • Move RSocket Integration Tests to integration tests #8944
    • Fix snapshot build failure related to reactor-netty #8909
    • Resolve Bearer token after subscribing to publisher #8894
    • ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8865
    • Update README.adoc #8851
    • Saml2Error should be in a core package #8835
    • Fix #8797: Add OAuth2AuthenticationException to allowlist #8827
    • CookieRequestCache "REDIRECT_URI" removed by any request #8820
    • use CookieRequestCache something went wrong #8817
    • LoginPageGeneratingWebFilter should honor context path #8807
    • Fix ProviderManager Javadoc typo #8800
    • OAuth2AuthenticationException should be in allowlist #8797
    • tutorial uses hasRole but should use hasAuthority #8796
    • Saml2WebSsoAuthenticationFilter does not follow standard patterns for request matching. #8768
    • Bearer Token Padding #8511
    • Resolved bearer token has no padding indicators #8502

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 4.2.18.RELEASE(Aug 5, 2020)

    :star: New Features

    • Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8859
    • Use Github Actions PR pipeline and remove Travis for 4.2.x #8720
    • Use Github Actions PR pipeline in 4.2.x #8715

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.3.4.RELEASE(Aug 5, 2020)

    :star: New Features

    • Add logging #8888
    • Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8855
    • formLogin() does not work with REST Docs #8748
    • Use Github Actions PR pipeline and remove Travis for 5.3.x #8724

    :beetle: Bug Fixes

    • ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8896
    • OAuth2AuthenticationException should be in allowlist #8863
    • Resolved bearer token has no padding indicators #8837
    • Fix ProviderManager Javadoc typo #8811
    • LoginPageGeneratingWebFilter should honor context path #8808
    • OAuth2 Resource Server docs not in sync - authorityPrefix can't be set to "" #8803
    • RoleHierarchy is not used by AbstractAuthorizeTag #8678
    • OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8672
    • ReactorContext not available in PayloadSocketAcceptor delegate.accept #8655

    :hammer: Dependency Upgrades

    • Update to spring-build-conventions:0.0.34.RELEASE #8925
    • Update to nohttp 0.0.5.RELEASE #8924
    • Update to GAE 1.9.81 #8923
    • Update to Spring Boot 2.2.9.RELEASE #8922
    • Update to spring-build-conventions:0.0.33.RELEASE #8760

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.1.12.RELEASE(Aug 5, 2020)

    :star: New Features

    • Add logging #8891
    • Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8857
    • Use Github Actions PR pipeline and remove Travis for 5.1.x #8722
    • Use Github Actions PR pipeline in 5.1.x #8717

    :beetle: Bug Fixes

    • ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8898
    • Resolved bearer token has no padding indicators #8839
    • Fix ProviderManager Javadoc typo #8813
    • LoginPageGeneratingWebFilter should honor context path #8810
    • RoleHierarchy is not used by AbstractAuthorizeTag #8681
    • OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8674

    :hammer: Dependency Upgrades

    • Update to Spring Ldap 2.3.3 #8943
    • Update to Hibernate Validator 6.0.20 #8942
    • Update to Hibernate Entitymanager 5.3.17 #8941
    • Update to Groovy 2.4.20 #8940
    • Update to Spring Boot 2.1.16.RELEASE #8939
    • Update to Google App Engine 1.9.81 #8938
    • Update to Jackson Databind 2.9.10.5 #8937
    • Update to Project Reactor Californium-SR20 #8936
    • Update to Spring Framework 5.1.17 #8935
    • Update to Spring Data Lovelace-SR19 #8934

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.2.6.RELEASE(Aug 5, 2020)

    :star: New Features

    • Add logging #8889
    • Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8856
    • Use Github Actions PR pipeline and remove Travis for 5.2.x #8723

    :beetle: Bug Fixes

    • ServerBearerTokenAuthenticationConverter throws exceptions instead of signalling error #8897
    • Resolved bearer token has no padding indicators #8838
    • Fix ProviderManager Javadoc typo #8812
    • LoginPageGeneratingWebFilter should honor context path #8809
    • RoleHierarchy is not used by AbstractAuthorizeTag #8679
    • OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException #8673
    • ReactorContext not available in PayloadSocketAcceptor delegate.accept #8656

    :hammer: Dependency Upgrades

    • Update to nohttp 0.0.5.RELEASE #8927
    • Update to Spring Boot 2.2.9.RELEASE #8921
    • Update to Reactor Dysprosium-SR10 #8920
    • Update to Spring Framework 5.2.8.RELEASE #8919
    • Update to Spring Data Moore-SR9 #8918
    • Update to PowerMock Mockito2 2.0.7 #8917
    • Update blockhound to 1.0.4.RELEASE #8916
    • Update to groovy 2.4.20 #8915
    • Update to embedded Tomcat websocket 8.5.57 #8914
    • Upgrade to embedded Apache Tomcat 9.0.37 #8913
    • Update to jaxb-impl 2.3.3 #8912
    • Update to GAE 1.9.81 #8911
    • Update to Jackson 2.10.5 #8910
    • Update to spring-build-conventions:0.0.33.RELEASE #8761
    • Update to RSocket 1.0.1 #8664

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!

  • 5.0.18.RELEASE (Aug 5, 2020)

    :star: New Features

    • Document improvement for configure(WebSecurity web) and configure(HttpSecurity http) #8858
    • Use Github Actions PR pipeline and remove Travis for 5.0.x #8721
    • Use Github Actions PR pipeline in 5.0.x #8716

    :beetle: Bug Fixes

    • Fix ProviderManager Javadoc typo #8814
    • RoleHierarchy is not used by AbstractAuthorizeTag #8683

    :hammer: Dependency Upgrades

    • Update to Spring Ldap 2.3.3 #8933
    • Update to Hibernate Validator 6.0.20 #8932
    • Update to Groovy 2.4.20 #8931
    • Update to Google App Engine 1.9.81 #8930
    • Update to Jackson Databind 2.9.10.5 #8929
    • Update to Spring Framework 5.0.18 #8928

    :heart: Contributors

    We'd like to thank all the contributors who worked on this release!
