spring-security
Spring Security
**Describe the bug** The `BasicAuthenticationFilter` skips re-authentication if the username changes in the basic authentication header and the `Authentication` object is not an instance of `UsernamePasswordAuthenticationToken`. The `BasicAuthenticationFilter` contains an...
Artifacts (e.g. [org.springframework.security:spring-security-core:5.6.2](https://search.maven.org/artifact/org.springframework.security/spring-security-core/5.6.2/jar)) are currently published with historical metadata. For example: https://github.com/spring-projects/spring-security/blob/ce720ad38e99e3b27a318dba8f8f16befa4da176/buildSrc/src/main/java/org/springframework/gradle/maven/MavenPublishingConventionsPlugin.java#L44 https://github.com/spring-projects/spring-security/blob/ce720ad38e99e3b27a318dba8f8f16befa4da176/buildSrc/src/main/java/org/springframework/gradle/maven/MavenPublishingConventionsPlugin.java#L57-L59
In order to account for blockers to the release process such as checking dependency update exclusions, updating dependencies (until updates are automated), CVEs and any other pre-release tasks that should...
After learning about the new authorization configuration support in `HttpSecurity::authorizeHttpRequests` and seeing [the docs](https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html) stating that `AuthorizationFilter` is intended to supersede the `FilterSecurityInterceptor`, I've opened the PR against Spring Boot...
To compose two authorization managers, some boilerplate is necessary. For example, to achieve a logical "or" between two authorization managers, they can be composed like so: ```java (authentication, object) ->...
It would be easier to use `RequestMatcherDelegatingAuthorizationManager.Builder` if it used builder methods similar to `MessageMatcherDelegatingAuthorizationManager.Builder`. Specifically, it would be nice to be able to do things like the following: ```java...
gh-11602
/cc @rwinch - [x] https://github.com/spring-projects/spring-security/issues/11466 - [x] https://github.com/spring-projects/spring-security/issues/11467 - [ ] https://github.com/spring-projects/spring-security/issues/11623
The Kotlin `AuthorizeRequestsDsl` has multiple signatures for the `authorize` method including the following two: ```kotlin authorize(pattern: String, access: String = "authenticated") ``` and ```kotlin authorize(pattern: String, servletPath: String, access: String...
When going GA, the release automation should create the appropriate `for: backport-to-x.y.z` label.