joshlong/the-spring-rest-stack 350

the deck to my talk on building more powerful REST APIs

bclozel/spring-flights 55

Demo application showcasing RSocket support in Spring

joshlong/bookmarks 40

code to accompany a talk on Microservices

jzheaux/spring-security-oauth2-resource-server 19

Spring Security OAuth2 Resource Server

rwinch/asciidoctor-gradle-examples 9

A collection of example projects that demonstrates how to use the Asciidoctor Gradle plugin http://asciidoctor.org/docs/asciidoctor-gradle-plugin

pivotalsoftware/github-cla-integration 5

A self-hostable application to enable GitHub pull request integration with a repository of CLA signers

rstoyanchev/context-holder 5

Test project for experimenting with request context feature for WebFlux

push event spring-projects/spring-security

Spencer Gilson

commit sha 30736184ca88302055e02b368e96b9e0c796e612

Fixing typo in README Closes gh-8581

push time in 5 minutes

issue closed spring-projects/spring-security

Typo in title of SAML2 Sample Readme

The title of the file samples/boot/saml2login/README.adoc is currently "OAuth 2.0 Login Sample". It should be "SAML 2.0 Login Sample".

closed time in 11 minutes

sgilson

issue comment spring-projects/spring-security

Typo in title of SAML2 Sample Readme

Closing in favour of gh-8581

sgilson

comment created time in 11 minutes

push event spring-projects/spring-security

Spencer Gilson

commit sha 551f9114a93a9236c8047453518e8ac66fc425bb

Fixing typo in README @pivotal-issuemaster This is an Obvious Fix

push time in 12 minutes

PR merged spring-projects/spring-security

Fixing typo in SAML 2.0 Sample README in: docs type: bug

@pivotal-issuemaster This is an Obvious Fix

+1 -1

0 comment

1 changed file

sgilson

pr closed time in 12 minutes

issue comment spring-projects/spring-security

Reactive equivalents for security expression handling and url-based access control

@RobMaskell I think that is the problem. We don't know the expressions ahead of time and they would need to be evaluated eagerly.

I think from the security side, the first thing we would need to do is support a SpEL implementation of ReactiveAuthorizationManager. This could probably help on the method security side as well.

This would at least empower Thymeleaf to be able to enhance things on their side to support authorization. Perhaps @danielfernandez has some ideas as to how that would be done.

danielfernandez

comment created time in 16 minutes

issue comment spring-projects/spring-security

Provide Cookie implementation of AuthorizationRequestRepository

We would not want to perform Java serialization/deserialization as that can lead to a lot of different types of attacks. The cookie would need to be written as a String that did not allow attackers to control the Java objects that were being created.

jgrandja

comment created time in 22 minutes

push event spring-projects/spring-security

Eleftheria Stein

commit sha bc272ddf73d536cfc8c8e0f88d47092260b1c812

Resolve package tangles in Kotlin server package

Eleftheria Stein

commit sha 67d2efde1cb6ab72bbfd692f01cd4c5ed0ede57d

Resolve package tangles with security marker annotation

push time in 29 minutes

PR merged spring-projects/spring-security

Resolve package tangles in: config type: task

The Kotlin server package was added in 5.4.0-M1. These changes break passivity with 5.4.0-M1, but not with any GA releases.

The changes to the servlet package do not break passivity.

+164 -92

0 comment

42 changed files

eleftherias

pr closed time in 30 minutes

pull request comment spring-io/nohttp

Remove use of Spring Boot from CLI

Thanks for the Pull Request! This is now merged into master :smile:

wilkinsona

comment created time in 16 hours

push event spring-io/nohttp

Andy Wilkinson

commit sha 94f39cca0d131d069cc059ba945436aed2995622

Remove use of Spring Boot from CLI Closes gh-35

push time in 16 hours

PR merged spring-io/nohttp

Remove use of Spring Boot from CLI enhancement

Closes gh-35

+18 -20

0 comment

3 changed files

wilkinsona

pr closed time in 16 hours

issue closed spring-io/nohttp

Remove Spring Boot dependency so that Spring Boot can use nohttp without creating a cycle

Via https://github.com/spring-gradle-plugins/dependency-management-plugin/issues/277, I've just learned that the nohttp project depends on Spring Boot. Spring Boot uses nohttp in its own build, creating a circular dependency between the two projects. Can we please update NoHttp to break this cycle by removing the dependency on Spring Boot? I'd be happy to contribute something.

closed time in 16 hours

wilkinsona

issue comment spring-io/nohttp

Remove Spring Boot dependency so that Spring Boot can use nohttp without creating a cycle

Closing in favor of the pull request gh-36

wilkinsona

comment created time in 16 hours

pull request comment spring-projects/spring-security

Configuration defaults to SessionRegistry bean

Thanks for the Pull Request! This is now merged into master :smile:

candrews

comment created time in 4 days

push event spring-projects/spring-security

Craig Andrews

commit sha dbdeec4216ae09f8014e31c6bbf3cf4c3149e0eb

Check for an existing SessionRegistry bean If a SessionRegistry is necessary, check for one in the ApplicationContext before creating one.

Craig Andrews

commit sha f1db7167cbff8cab5baa7a2c2d5a38d746c9f676

Polish Use `getBeanOrNull` in `registerDelegateApplicationListener` to simplify implementation. This change does not alter behavior.

push time in 4 days

PR merged spring-projects/spring-security

Configuration defaults to SessionRegistry bean in: config type: enhancement

If a SessionRegistry is necessary, check for one in the ApplicationContext before creating one.

See https://github.com/spring-projects/spring-session/issues/1629

+91 -7

1 comment

2 changed files

candrews

pr closed time in 4 days

issue comment spring-projects/spring-security

BindAuthenticator's attribute-related functionality should be better documented (designed?)

Thanks for the excellent and well thought out feedback. Could you create multiple tickets for each item? This will allow things to move more quickly. For example, I think the documentation updates will be pretty easy to get in. We can then try to figure out if any behavior changes need to be made and what they are.

m-aigner

comment created time in 4 days

push event rwinch/spring-framework

Juergen Hoeller

commit sha dd0d0d51f667adb35a2df09a667b765090358f92

Introduce resolvable timeout attribute on @Transactional and <tx:method> Placeholders get resolved in timeoutString, qualifier and labels now. Closes gh-25052

Juergen Hoeller

commit sha f09093132ea7759a2923a6040e97c5154455739d

Use proxyBeanMethods=false on remaining internal configuration classes Closes gh-24511

Sam Brannen

commit sha a16d178d72a46498157f5e6eda3957a9a5ef038c

Polish Javadoc for NameMatchTransactionAttributeSource

Rossen Stoyanchev

commit sha b31f2bdad2d538c2573e1583a6a48edcd4d147e9

@ExceptionHandler resolves nested exceptions See gh-23380

Rossen Stoyanchev

commit sha e881d4b1441b4ade35806b6f06d5b7ebe1828e92

Allow use of JsonInclude.Value Closes gh-24824

Rossen Stoyanchev

commit sha e88eb0ecf77b4973d4923367d5a939457cf578ac

Option for advanced ObjectMapper customization Closes gh-23017

Rossen Stoyanchev

commit sha 875e7f8630bfa3410bb10849a4d3e298ece32d74

Match multiple values in HeaderAssertions Closes gh-23878

Juergen Hoeller

commit sha a3c5625d4e1e2b5ca720b8e74797ee8bd30f54e4

Internal cache of pre-filtered BeanPostProcessors (for faster iteration) Also includes bulk addition in PostProcessorRegistrationDelegate. Closes gh-24681 Closes gh-24756

Juergen Hoeller

commit sha 5de6ae6fca3246dd7a76f789727eb3070d2df01e

Ignore resolved bean from non-active scope in getIfAvailable/getIfUnique Closes gh-24822

Brian Clozel

commit sha 67547e61c6803f15246dfa6c3d1e2f045015b9bd

Add JMH benchmark infrastructure Prior to this commit, the Spring Framework test suite would rely only on "Performance" tests associated with a specific CI build. As outlined in gh-24830, the way they're built and executed is not working well anymore. This commit introduces a new JMH benchmark infrastructure in the build. The goal here is not to run those benchmarks as part of a CI build, but rather provide a proper infrastructure for writing and locally running micro-benchmarks when working on specific optimizations. This commit adds and configures a Gradle JMH plugin to allow for JMH benchmark classes in Spring Framework modules (in `src/jmh/java` of each `spring-*` module). It's also relaxing the checkstyle rules for JMH classes, especially around Javadoc rules: this code is not meant to have Javadocs. Finally, this commit links to a new Wiki page on the project GitHub repository documenting the infrastructure and helping contributors to run and design benchmarks. See gh-24830

Brian Clozel

commit sha 612a63c0f190b849dd1e31b958914cabf6d947ce

Optimize MediaType parsing Prior to this commit, `MediaType.parseMediaType` would already rely on the internal LRU cache in `MimeTypeUtils` for better performance. With that optimization, the parsing of raw media types is skipped for cached elements. But still, `MediaType.parseMediaType` would first get a cached `MimeType` instance from that cache and then instantiate a `new MediaType(type, subtype, parameters)`. This constructor not only replays the `MimeType` checks on type/subtype tokens and parameters, but it also performs `MediaType`-specific checks on parameters. Such checks are not required, as we're using an existing `MimeType` instance in the first place. This commit adds a new protected copy constructor (skipping checks) in `MimeType` and uses it in `MediaType.parseMediaType` as a result. This yields interesting performance improvements, with +400% throughput and -40% allocation/call in benchmarks. This commit also introduces a new JMH benchmark for future optimization work. Closes gh-24769

Brian Clozel

commit sha 60fac678844a5626f4f5c7150a648b981c4ce427

Polish

Juergen Hoeller

commit sha 3c1ee64b7f05cd359d8ce8e398a75dce4c033ce9

Explicit nullability declarations for all AOP Alliance methods Includes consistent declarations in AOP Alliance related Spring AOP code. Closes gh-24117

Juergen Hoeller

commit sha 99bd1a153363471bcaddeb086ca5cc528a3d555c

Defensive null check against name parameter in AutowireMode#from See gh-24285

Juergen Hoeller

commit sha 8212aaf3bbc5b81daa06aea9627a6f0fa6ef7312

ResolvableType ignores TypeNotPresentException from generic signature Closes gh-25064

Juergen Hoeller

commit sha fe33822fa79414d50424c0a7d166fcb7230a15bd

Polishing

Juergen Hoeller

commit sha e660386670b956afc8492f43052ce6910d44b791

Upgrade to Checkstyle 8.32, Tomcat 9.0.35, Netty 4.1.50, Jackson 2.10.4, Hibernate ORM 5.4.15, Hibernate Validator 6.1.5

Juergen Hoeller

commit sha 26c205589bbf8c1f6ec554574e066c896226866c

Merge branch '5.2.x' # Conflicts: # build.gradle # spring-beans/src/main/java/org/springframework/beans/factory/support/AbstractBeanFactory.java # spring-context/src/main/java/org/springframework/validation/beanvalidation/MethodValidationInterceptor.java

Juergen Hoeller

commit sha 23498294de45546611eb26616631fa5eb104dca1

Upgrade to Undertow 2.1 and Jackson 2.11

Sam Brannen

commit sha fe3b36af68d9659c7fddeb358061d33d554d849d

Polishing

push time in 5 days

pull request comment spring-projects/spring-framework

Use io.spring.javadoc-aggregate

There seem to have been some changes that broke the build. I have rebased and updated the pull request and it now appears to execute, but with classpath warnings due to missing optional dependencies. I created https://github.com/spring-gradle-plugins/javadoc-plugin/issues/13

At the moment we are waiting on figuring out how to best address that issue.

rwinch

comment created time in 5 days

issue comment spring-gradle-plugins/javadoc-plugin

Support OptionalDependenciesPlugin

The latest efforts are being pushed to https://github.com/rwinch/javadoc-plugin/tree/gh-13-optional

rwinch

comment created time in 5 days

push event rwinch/spring-framework

maxxedev

commit sha 9b827283f1502c7bf7d517597cad47ce26944625

Use more lambda expressions in data-access code examples Closes gh-24398

Sam Brannen

commit sha 7dea2686b81509f7d42901da5f0d68ae2e69bee9

Polish contribution See gh-24398

Sam Brannen

commit sha 5e1e689739a9d99edcca0166267c5cae3a14507c

Polishing

Andrew Woodbury

commit sha 2fb13d410d3938a8c4e875247e5e50eee1406f4b

Include response body in UnknownHttpStatusCodeException Spring Framework 5.2.2 introduced a regression in DefaultResponseErrorHandler.handleError(ClientHttpResponse) Specifically, for use cases where the InputStream had already been consumed by the first invocation of getResponseBody(), the second invocation of getResponseBody() resulted in the response body being absent in the created UnknownHttpStatusCodeException. This commit fixes this by invoking getResponseBody() only once in DefaultResponseErrorHandler.handleError(ClientHttpReponse) in order to reuse the retrieved response body for creating the exception message and as a separate argument to the UnknownHttpStatusCodeException constructor. Closes gh-24595

Sam Brannen

commit sha 17140c8d4b6f9bdd50b96c67fbcbd31dda74d113

Polish contribution See gh-24595

Sam Brannen

commit sha 14f5032e972b1031a18b010e69644bf035fa9956

Update Kotlin example See gh-gh-24398

Juergen Hoeller

commit sha d4b2860cc917451e87a6fc77a86beb4950b87bc4

Upgrade to Groovy 2.5.10 (and Netty 4.1.48) Closes gh-24719

Sam Brannen

commit sha edb5e73d48a4f8bce8b675b9c94fd73f8cadae2c

Update Kotlin example based on feedback from @lnhrdt See gh-24398

Yoo In Keun

commit sha eaabe21c7bab76b30286abddef82299c81008597

Delete empty .gitignore file Closes gh-24717

Sam Brannen

commit sha 4bd0ad5d2e99f30d9843ff7144eded2bc3bf632f

Delete obsolete log4j config

Sam Brannen

commit sha 678b6edad24f3c45d16e6d18f5b423a86ae007c2

Delete unused method in ConfigurationClassParser

Sam Brannen

commit sha e6814f6609db0ea59e4a6c7db82126d46a3b4a25

Clean up warnings in Jsr354NumberFormatAnnotationFormatterFactory

Sam Brannen

commit sha 7b94112ec66aa0e896a0a8573a2539900e94d054

Update documentation for custom-java-home.gradle See gh-24719

Rossen Stoyanchev

commit sha e7329271fad7125995e37ab878d68d0be55cc47d

Switch to Reactor Dysprosium snapshots See gh-24725

Juergen Hoeller

commit sha c2149e38fc62ed890a08d1998d23890ff076a4a7

Upgrade to Kotlin Coroutines 1.3.5 (and Checkstyle 8.30)

Rossen Stoyanchev

commit sha 5b27df772aa8328ecc6db7a7f89aab98e3bd80e4

Suppress deprecation warning See gh-24725

Rossen Stoyanchev

commit sha b121c0e2eac898d9762523af01895ca18219126d

Avoid ClassCastException in TomcatHttpHandlerAdapter Closes gh-24707

Rossen Stoyanchev

commit sha a7fe6b8f5c74dd6ea0e531b3ba1e90a455ee15dd

Avoid NPE in ResponseCookie on null domain See gh-24663

Rossen Stoyanchev

commit sha 0d42a1bd7fdd44b000873edd6cbbb35697fddc4a

Add retry for flaky test (suspected Tomcat issue)

Rossen Stoyanchev

commit sha 7efb62091d1670e6937493e11328ef33003e802b

MessagingRSocket correctly handles unconsumed input Closes gh-24741

push time in 5 days

push event rwinch/javadoc-plugin

Rob Winch

commit sha 449837a27c4842e5638d793e701f7cc50d1401ff

Add (failing) Test for OptionalDependenciesPlugin

push time in 5 days

started fangfufu/Linux-Fake-Background-Webcam

started time in 5 days

issue comment spring-projects/spring-security

SEC-2083: Create a MethodSecurityExpressionHandler that can handle fixed-sized collections

It works fine with collections that allow for changing the size. For example, LinkedList and ArrayList work just fine. There are tests to back this up.

spring-issuemaster

comment created time in 5 days

create branch rwinch/jwt-spring-boot-starter

branch : fixes

created branch time in 5 days

issue comment spring-projects/spring-security

Typo in title of SAML2 Sample Readme

Thanks for the fast response. Please feel free to resubmit and indicate it as an obvious fix using

@pivotal-issuemaster This is an Obvious Fix

That will make the bot happy.

sgilson

comment created time in 6 days

pull request comment spring-projects/spring-security

Replacing md5 with sha256 token based remember me services

Thanks for the PR. We need to remain passive, so we would want to allow configuring the algorithm vs changing it. We could consider changing it by default in Spring Security 6 though.

An alternative would be to do something like we did with passwords and have a prefix that specifies the algorithm that is being used. If no algorithm is specified it would default to MD5.

islamazhar

comment created time in 6 days

issue comment spring-projects/spring-security

ApacheDSContainer should allow a zero port

Marking as duplicate of the PR

jzheaux

comment created time in 6 days

PR closed spring-projects/spring-security

Allow port=0 for ApacheDSContainer in: ldap type: enhancement

Fixes gh-8144

+115 -55

4 comments

4 changed files

evgeniycheban

pr closed time in 6 days

pull request comment spring-projects/spring-security

Allow port=0 for ApacheDSContainer

Thanks for the Pull Request and your patience as we worked on finding the best solution! This is now merged into master via 0fa339f75b274d480f25b466d842d72eaeebe34d :smile:

evgeniycheban

comment created time in 6 days

push event spring-projects/spring-security

Evgeniy Cheban

commit sha 0fa339f75b274d480f25b466d842d72eaeebe34d

Allow port=0 for ApacheDSContainer Fixes gh-8144

push time in 6 days

issue closed spring-projects/spring-security

ApacheDSContainer should allow a zero port

ApacheDS's TcpTransport allows for a zero port, selecting any available port at startup. It does not correctly propagate that port up through the object graph, though.

For example, giving a TcpTransport a port of zero:

server = new LdapServer();
TcpTransport transport = new TcpTransport(port);
server.setTransports(transport);
server.start();

will result in a server that is listening on a random port, but server.getPort() still returns 0.

Because ApacheDS has not had a GA release in many years, it's unlikely that this enhancement will get applied to the ApacheDS project.

Still, it would be nice if ApacheDSContainer could accept 0 as a port value. One immediate benefit from this is reducing the likelihood of a port collision when multiple LDAP servers are started up simultaneously.

For this to happen, the following test would need to pass:

ApacheDSContainer container = new ApacheDSContainer("dc=springframework,dc=org",
		"classpath:test-server.ldif");
container.setPort(0);
container.afterPropertiesSet();
assertNotEquals(container.getPort(), 0);
assertNotEquals(container.server.getPort(), 0);
assertNotEquals(container.server.getPortSSL(), 0);

It may be possible to post-process the server instance in ApacheDSContainer#afterPropertiesSet into a state where the selected port is correctly returned.

Note that UnboundIdContainerTests has a test that would likely be good to port over into ApacheDSContainerTests for testing this feature.

closed time in 6 days

jzheaux

issue closed spring-projects/spring-security

Login success handler should be called in proper context

Login success handler should be called in proper context

Describe the bug

If it is called login success handler it is not ensured RequestContextHolder so exception could be called if there is any bean that it is using it.

java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request, or processing a request outside of the originally receiving thread? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request.
	at org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes(RequestContextHolder.java:131)
	...
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:326)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:240)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
	at org.springfaramework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1594)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	...

To Reproduce

org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer.successHandler(org.springframework.security.web.authentication.AuthenticationSuccessHandler) that set/use lambda that calls other bean or just org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes().

Expected behavior

To enclosed any call of onAuthenticationSuccess() to be properly set org.springframework.web.context.request.RequestContextHolder.

Sample

closed time in 6 days

netbeansuser2019

issue comment spring-projects/spring-security

Login success handler should be called in proper context

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.

netbeansuser2019

comment created time in 6 days

issue comment spring-cloud/spring-cloud-gateway

Have the ability to hide @RequestMapping endpoints that are meant to be used by forward scheme

How are you generating the token? Are you generating it using client credentials? If so, you could use ServerOAuth2AuthorizedClientExchangeFilterFunction. This obtains a token for the authorization server (if not found in storage), stores it for later, and then includes it in the request.

aosorio1

comment created time in 6 days

issue comment spring-projects/spring-security

Typo in title of SAML2 Sample Readme

Thanks for the report. I saw you sent a pull request at https://github.com/spring-projects/spring-security/pull/8561 but you deleted the branch. Any particular reason you did that? Would you be interested in submitting a pull request?

sgilson

comment created time in 6 days

issue comment spring-cloud/spring-cloud-gateway

Have the ability to hide @RequestMapping endpoints that are meant to be used by forward scheme

Oops...my mistake. You can use ServerBearerExchangeFilterFunction to extract the token from the current AbstractOAuth2Token and then include it in the request from a WebClient instance. Does that help?

aosorio1

comment created time in 6 days

issue comment spring-cloud/spring-cloud-gateway

Have the ability to hide @RequestMapping endpoints that are meant to be used by forward scheme

We do not have any concept of forwarding within Spring Security. To do this, you would need support within Spring WebFlux itself. I believe the currently recommended approach is to use ServerHttpRequest.mutate() and then pass the mutated request through the chain. However, I'm not sure how that works from within a controller.

cc @rstoyanchev

aosorio1

comment created time in 6 days

push event spring-projects/spring-security

justmehyp

commit sha ba81f6a06a144d4f60ec1cf42519af84a5f3f689

Remove unused field 'digester' in Md4PasswordEncoder `private Digester digester;` defined in Md4PasswordEncoder is never used. So remove it. Closes gh-8553

push time in 6 days

push event spring-projects/spring-security

justmehyp

commit sha f05d70a4a5de50334edf5ae4689f24633bef7ca2

Remove unused field 'digester' in Md4PasswordEncoder `private Digester digester;` defined in Md4PasswordEncoder is never used. So remove it. Closes gh-8553

push time in 6 days

push event spring-projects/spring-security

justmehyp

commit sha 774ea6980b130ea428ce47b969df087f0d92e4aa

Remove unused field 'digester' in Md4PasswordEncoder `private Digester digester;` defined in Md4PasswordEncoder is never used. So remove it. Closes gh-8553

push time in 6 days

push event spring-projects/spring-security

justmehyp

commit sha 5bcfaaf94df0df460e0785b0e7c55f41a4a0429e

Remove unused field 'digester' in Md4PasswordEncoder `private Digester digester;` defined in Md4PasswordEncoder is never used. So remove it. Closes gh-8553

push time in 6 days

issue closed spring-projects/spring-security

Unused field in Md4PasswordEncoder

It seems that the following line in Md4PasswordEncoder is redundant:

https://github.com/spring-projects/spring-security/blob/1e211b6558f558a465d3653c38cd5d46694226be/crypto/src/main/java/org/springframework/security/crypto/password/Md4PasswordEncoder.java#L86

closed time in 6 days

justmehyp

issue comment spring-projects/spring-security

Unused field in Md4PasswordEncoder

Thanks for the PR! I'm closing this as a duplicate of the PR

justmehyp

comment created time in 6 days

push event spring-projects/spring-security

justmehyp

commit sha 06254a4fd45bfc94439afdc4396c857ff8d23b8c

Remove unused field 'digester' in Md4PasswordEncoder `private Digester digester;` defined in Md4PasswordEncoder is never used. So remove it.

push time in 6 days

PR merged spring-projects/spring-security

Remove unused field 'digester' in Md4PasswordEncoder in: crypto type: bug

private Digester digester; defined in Md4PasswordEncoder is never used. So remove it.

+0 -2

0 comment

1 changed file

justmehyp

pr closed time in 6 days

pull request comment spring-projects/spring-security

Security issue: mentioning the default strength of `BCryptPasswordEncoder`

Thanks for the Pull Request! This is now merged into master :smile:

islamazhar

comment created time in 6 days

push event spring-projects/spring-security

Mazharul Islam

commit sha e1f01c6d7722d9c20ea2baa3013496939c74c30c

mentioning the default strength of BCryptPasswordEncoder Fixes gh-8542

push time in 6 days

push event spring-projects/spring-security

Mazharul Islam

commit sha bf9e8295d6c606cad384483e281cb96d867a6a18

mentioning the default strength of BCryptPasswordEncoder

push time in 6 days

PR merged spring-projects/spring-security

Security issue: mentioning the default strength of `BCryptPasswordEncoder` in: docs type: enhancement

Hi,

As mentioned in the Spring security doc on BCryptPasswordEncoder

The strength of BCryptPasswordEncoder should be tuned to take about 1 second to verify a password on your system.

However, the default implementation of BCryptPasswordEncoder uses a default strength of 10. On my system (Intel Core i5 CPU-1.60Hz 8 GM RAM), I found that the default implementation takes around 220~250 ms to verify a password which is clearly way less than 1 second lower limit.

I think it should be worth mentioning the default strength of BCryptPasswordEncoder since all of the Spring projects I have worked with developers tend not to change the default strength which according to the Spring security doc is not secure.

This can make the developers using the default strength of BCryptPasswordEncoder more conscious about setting a correct secure strength.

+2 -0

1 comment

1 changed file

islamazhar

pr closed time in 6 days
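
The tuning step the pull request above refers to can be measured directly. The following is an added example, not code from the pull request or from Spring Security: it times `matches` at each strength starting from the default of 10 and reports the lowest strength whose verification reaches the 1 second target quoted from the documentation. It assumes `spring-security-crypto` is on the classpath; the class name, method names, sample password and the upper bound of 20 are hypothetical choices made for the example.

```java
import java.util.Arrays;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example (hypothetical class): calibrates the BCrypt strength on the
// machine that will actually verify passwords.
public class BCryptStrengthCalibrator {

    // Strength used by the no-argument constructor, as stated in the PR text.
    static final int DEFAULT_STRENGTH = 10;
    // Assumption: stop searching here; each +1 doubles the work (2^strength rounds).
    static final int MAX_STRENGTH = 20;
    // Constructed sample input, not a real credential.
    static final String SAMPLE_PASSWORD = "constructed-sample-password";

    // Median wall-clock time in milliseconds of matches() at the given strength.
    static long medianVerifyMillis(int strength, int samples) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
        String hash = encoder.encode(SAMPLE_PASSWORD);
        long[] timings = new long[samples];
        for (int i = 0; i < samples; i++) {
            long start = System.nanoTime();
            boolean ok = encoder.matches(SAMPLE_PASSWORD, hash);
            timings[i] = (System.nanoTime() - start) / 1_000_000;
            if (!ok) {
                throw new IllegalStateException("hash did not verify at strength " + strength);
            }
        }
        Arrays.sort(timings);
        return timings[samples / 2];
    }

    // Lowest strength whose median verification time reaches targetMillis,
    // or MAX_STRENGTH if the target is not reached within the search range.
    static int calibrate(long targetMillis) {
        for (int strength = DEFAULT_STRENGTH; strength <= MAX_STRENGTH; strength++) {
            long millis = medianVerifyMillis(strength, 3);
            System.out.printf("strength %d: %d ms per verification%n", strength, millis);
            if (millis >= targetMillis) {
                return strength;
            }
        }
        return MAX_STRENGTH;
    }

    public static void main(String[] args) {
        int strength = calibrate(1000);
        System.out.println("use: new BCryptPasswordEncoder(" + strength + ")");
    }
}
```

Hashes created at the old strength still verify after the change, because the cost is stored inside each BCrypt hash; only newly encoded passwords get the higher cost.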

push event spring-projects/spring-security

Thomas Turrell-Croft

commit sha c1f737c842338d4c83223caa47a7e10606fef541

Polish JDBC Authentication Doc

* Correct documented default schema to match default schema exposed as classpath resource
* Fix Java example of adding users to JdbcUserDetailsManager

Fixes gh-8550

push time in 6 days

push event spring-projects/spring-security

Thomas Turrell-Croft

commit sha 014df98ebb9a77fb51eedc20e469be19a401d161

Polish

* Correct documented default schema to match default schema exposed as classpath resource
* Fix Java example of adding users to JdbcUserDetailsManager

push time in 6 days

pull request comment spring-projects/spring-security

Polish JDBC Authentication documentation

Thanks for the Pull Request! This is now merged into master :smile:

thomasturrell

comment created time in 6 days

PR merged spring-projects/spring-security

Polish JDBC Authentication documentation in: docs type: bug
  • Correct documented default schema to match default schema exposed as classpath resource. A varchar of size 50 is not large enough for the encoded password.
  • Fix Java example of adding users to JdbcUserDetailsManager.
+3 -2

2 comments

1 changed file

thomasturrell

pr closed time in 6 days

issue closed spring-projects/spring-security

spring-security-custom-authenticationprovider-is-called-twice-and-fails

I have a similar problem to the one mentioned in this SO thread - here.

I have tried both of the recommended solutions in the above SO thread, but the problem still persists. When CustomAuthProvider fails with a Bad credentials exception, the ProviderManager class is basically doing exception handling and it resends the call again to CustomAuthProvider for authentication. And this process keeps going on like an infinite loop.

WebSecurityConfig

http.authorizeRequests().and().authenticationProvider(this.customAuthProvider());

CustomAuthProvider:

        if (!password.equals(userDetails.getPassword())) {
            throw new BadCredentialsException("Wrong password.");
        }

ProviderManager:

      while(var8.hasNext()) {
            AuthenticationProvider provider = (AuthenticationProvider)var8.next();
            if (provider.supports(toTest)) {
                if (debug) {
                    logger.debug("Authentication attempt using " + provider.getClass().getName());
                }

                try {
                    result = provider.authenticate(authentication);
                    if (result != null) {
                        this.copyDetails(authentication, result);
                        break;
                    }
                } catch (InternalAuthenticationServiceException | AccountStatusException var13) {
                    this.prepareException(var13, authentication);
                    throw var13;
                } catch (AuthenticationException var14) {
                    lastException = var14;
                }
            }
        }

        if (result == null && this.parent != null) {
            try {
                result = parentResult = this.parent.authenticate(authentication);
            } catch (ProviderNotFoundException var11) {
            } catch (AuthenticationException var12) {
                parentException = var12;
                lastException = var12;
            }
        }

Steps To Reproduce:

  1. Perform Basic Authentication
  2. Provide the wrong password
  3. CustomAuthProvider will throw BadCredentialsException
  4. ProviderManager will catch the exception - lastException = var14;
  5. And then infinite loop of calls between CustomAuthProvider and ProviderManager starts with the same exception BadCredentialsException more than twice.

Can you please let me know how to avoid this infinite loop of exception chain? Why doesn't ProviderManager let the exception go to the parent caller so the end user knows what the problem is by looking at the exception? That it's a Bad Credentials exception due to a wrong password.

Any help would be appreciated!

closed time in 6 days

d3minem

issue comment spring-projects/spring-security

spring-security-custom-authenticationprovider-is-called-twice-and-fails

Thanks for the response. I'm going to close this. If you end up getting a complete/minimal sample to reproduce, please feel free to create a new ticket with the sample.

d3minem

comment created time in 6 days

issue comment spring-projects/spring-security

Support Mono<Boolean> for Method Security

You are right this is the same issue. I had totally forgotten about it. Would you be interested in submitting a PR for the issue?

rwinch

comment created time in 6 days

issue comment spring-projects/spring-security

Replacing MD5 hashing for remember me token

Thanks for creating this issue.

In modern applications, I'd recommend using Spring Session's Remember Me support which allows you to easily offload the session into a data store without the need for cryptography.

I do agree that MD5 is not a good choice. Would you like to provide a pull request that provides the option to use SHA-256?

islamazhar

comment created time in 6 days

pull request comment spring-projects/spring-security

Check for an existing SessionRegistry bean

Thanks for the Pull Request. Could you please add a test that verifies this works when there is one SessionRegistry bean (should use that bean) and more than one SessionRegistry bean (should not break with NoUniqueBeanDefinitionException).

candrews

comment created time in 6 days

pull request comment spring-projects/spring-boot

Auto-configure Spring Security SessionRegistry

I want to emphasize my comments on the linked issue above. In particular, I'm not sure that this is a good candidate for Spring Boot's auto configuration because it is not clear that someone adding Spring Session + Spring Security wants to create a SessionRegistry. For this to be useful, the user also needs to opt into concurrency control. There really isn't a good way to determine if this is active. I suppose one option might be to make the bean lazy since Spring Security will request the bean only if needed, but I'm not sure if there is precedent for lazy beans with Spring Boot.

candrews

comment created time in 6 days

issue closed spring-projects/spring-security-saml

Can't find replacement for SAMLCredential & SAMLUserdetailsservice in version 2

We are trying to upgrade opensaml to version 3, as a part of which we also need to upgrade spring security saml to 2.0.0.M31, as the earlier versions work with opensaml 2.6.4. We can't find a replacement for the below classes in the code; these classes were removed during a cleanup, but we can't find any details other than this. Any help is appreciated.

closed time in 6 days

ash213

issue comment spring-projects/spring-security-saml

Can't find replacement for SAMLCredential & SAMLUserdetailsservice in version 2

Please use Spring Security's SAML support instead since the 2.x branch never made it to GA (it went into Spring Security proper instead). Please see https://docs.spring.io/spring-security/site/docs/5.3.x/reference/html5/#servlet-saml2

ash213

comment created time in 6 days

issue comment spring-projects/spring-security

ACL : AclImpl.hashCode leads to StackOverflowError

Thanks for the ping @udayrajluhar. This is now merged into master and backported through 5.0.x. See the list of issues above for details.

gpoissonnier

comment created time in 6 days

push event spring-projects/spring-security

Maksim Vinogradov

commit sha a39efaf883d7a8c0f65d2fef2a6b82337e7d1493

Prevent StackOverflowError for AccessControlEntryImpl.hashCode Getting StackOverflowError when invoke AclImpl.hashCode because of cross-references between AclImpl and AccessControlEntryImpl Remove from AccessControlEntryImpl.hashCode method invocation of acl.hashCode fixes gh-5401

push time in 6 days

push event spring-projects/spring-security

Maksim Vinogradov

commit sha 8bb4e72aff20008f7bcf99266fecc7f01826e518

Prevent StackOverflowError for AccessControlEntryImpl.hashCode Getting StackOverflowError when invoke AclImpl.hashCode because of cross-references between AclImpl and AccessControlEntryImpl Remove from AccessControlEntryImpl.hashCode method invocation of acl.hashCode fixes gh-5401

push time in 6 days

push event spring-projects/spring-security

Maksim Vinogradov

commit sha 279ddbe2239fe60694cb2a9465df544feabc906c

Prevent StackOverflowError for AccessControlEntryImpl.hashCode Getting StackOverflowError when invoke AclImpl.hashCode because of cross-references between AclImpl and AccessControlEntryImpl Remove from AccessControlEntryImpl.hashCode method invocation of acl.hashCode fixes gh-5401

push time in 6 days

push event spring-projects/spring-security

Maksim Vinogradov

commit sha 892f2f8843b176a57b95ba6e34c96132f9e9b02a

Prevent StackOverflowError for AccessControlEntryImpl.hashCode Getting StackOverflowError when invoke AclImpl.hashCode because of cross-references between AclImpl and AccessControlEntryImpl Remove from AccessControlEntryImpl.hashCode method invocation of acl.hashCode fixes gh-5401

push time in 6 days

PR closed spring-projects/spring-security

Prevent StackOverflowError for AccessControlEntryImpl.hashCode in: acl status: duplicate type: bug

Getting StackOverflowError when invoke AclImpl.hashCode because of cross-references between AclImpl and AccessControlEntryImpl

Remove from AccessControlEntryImpl.hashCode method invocation of acl.hashCode

fixes gh-5401

+23 -5

1 comment

2 changed files

Maxvgrad

pr closed time in 6 days

pull request comment spring-projects/spring-security

Prevent StackOverflowError for AccessControlEntryImpl.hashCode

Thanks for the Pull Request! This is now merged into master via 4f58576952f6c89c6c9b7c9fd1c2c3c79e0d1669 :smile:

Maxvgrad

comment created time in 6 days

push event spring-projects/spring-security

Maksim Vinogradov

commit sha 4f58576952f6c89c6c9b7c9fd1c2c3c79e0d1669

Prevent StackOverflowError for AccessControlEntryImpl.hashCode Getting StackOverflowError when invoke AclImpl.hashCode because of cross-references between AclImpl and AccessControlEntryImpl Remove from AccessControlEntryImpl.hashCode method invocation of acl.hashCode fixes gh-5401

push time in 6 days

issue closed spring-projects/spring-security

ACL : AclImpl.hashCode leads to StackOverflowError

Summary

When calling method AclImpl.hashCode, a java.lang.StackOverflowError is thrown

Actual Behavior

A cross-reference exists between AccessControlEntryImpl.hashCode and AclImpl.hashCode. This cross-reference leads to an infinite recursive loop and then to a stack overflow.

AclImpl.hashCode uses the hash code of field "aces". The "aces" field type is List<AccessControlEntry>. And AccessControlEntryImpl.hashCode uses the hash code of field "acl". The "acl" field type is Acl. The cross-reference is between these 2 fields: AclImpl.aces and AccessControlEntryImpl.acl. The "acl" field always references its Acl object (see AclImpl.insertAce).

Expected Behavior

No cross-reference on AclImpl.hashCode call.

Configuration

<!-- Please provide any configuration you have. -->

Version

spring-security-acl:5.0.1

Sample

java.lang.StackOverflowError: null
	at java.util.AbstractList.hashCode(AbstractList.java:541) ~[na:1.8.0_111]
	at org.springframework.security.acls.domain.AclImpl.hashCode(AclImpl.java:351) ~[spring-security-acl-5.0.1.RELEASE.jar:5.0.1.RELEASE]
	at org.springframework.security.acls.domain.AccessControlEntryImpl.hashCode(AccessControlEntryImpl.java:134) ~[spring-security-acl-5.0.1.RELEASE.jar:5.0.1.RELEASE]
	at java.util.AbstractList.hashCode(AbstractList.java:541) ~[na:1.8.0_111]
	at org.springframework.security.acls.domain.AclImpl.hashCode(AclImpl.java:351) ~[spring-security-acl-5.0.1.RELEASE.jar:5.0.1.RELEASE]
	at org.springframework.security.acls.domain.AccessControlEntryImpl.hashCode(AccessControlEntryImpl.java:134) ~[spring-security-acl-5.0.1.RELEASE.jar:5.0.1.RELEASE]
	at java.util.AbstractList.hashCode(AbstractList.java:541) ~[na:1.8.0_111]
	at org.springframework.security.acls.domain.AclImpl.hashCode(AclImpl.java:351) ~[spring-security-acl-5.0.1.RELEASE.jar:5.0.1.RELEASE]
	at org.springframework.security.acls.domain.AccessControlEntryImpl.hashCode(AccessControlEntryImpl.java:134) ~[spring-security-acl-5.0.1.RELEASE.jar:5.0.1.RELEASE]
	at java.util.AbstractList.hashCode(AbstractList.java:541) ~[na:1.8.0_111]
	at org.springframework.security.acls.domain.AclImpl.hashCode(AclImpl.java:351) ~[spring-security-acl-5.0.1.RELEASE.jar:5.0.1.RELEASE]
	at org.springframework.security.acls.domain.AccessControlEntryImpl.hashCode(AccessControlEntryImpl.java:134) ~[spring-security-acl-5.0.1.RELEASE.jar:5.0.1.RELEASE]
	at java.util.AbstractList.hashCode(AbstractList.java:541) ~[na:1.8.0_111]

...

closed time in 6 days

gpoissonnier
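
The recursion reported in the issue above can be reproduced with two small classes. The following is an added example, not Spring Security's code: `Acl` and `Ace` are simplified, hypothetical stand-ins for AclImpl and AccessControlEntryImpl, and the `hashParent` flag switches between the behaviour the issue describes and the change named in the fixing commit (no call to acl.hashCode from the entry's hashCode).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

// Added example (hypothetical classes): parent and child each hashing the other.
public class AclHashCodeCycle {

    // Stand-in for AclImpl: owns the list of entries.
    static final class Acl {
        final long id;
        final List<Ace> aces = new ArrayList<>();

        Acl(long id) {
            this.id = id;
        }

        // Like the insertAce the issue mentions: every entry points back at this ACL.
        void insertAce(String sid, int permission, boolean hashParent) {
            aces.add(new Ace(this, sid, permission, hashParent));
        }

        @Override
        public int hashCode() {
            // List.hashCode() calls hashCode() on every entry in the list.
            return 31 * Long.hashCode(id) + aces.hashCode();
        }
    }

    // Stand-in for AccessControlEntryImpl: holds a back-reference to its ACL.
    static final class Ace {
        final Acl acl;
        final String sid;
        final int permission;
        final boolean hashParent; // true = behaviour described in the issue

        Ace(Acl acl, String sid, int permission, boolean hashParent) {
            this.acl = acl;
            this.sid = sid;
            this.permission = permission;
            this.hashParent = hashParent;
        }

        @Override
        public int hashCode() {
            int result = Objects.hash(sid, permission);
            if (hashParent) {
                // Re-enters Acl.hashCode(), which hashes the list, which calls
                // this method again: unbounded recursion.
                result = 31 * result + acl.hashCode();
            }
            return result;
        }
    }

    // Returns true if hashing an ACL with one entry exhausts the stack.
    static boolean overflows(boolean hashParent) {
        Acl acl = new Acl(1L);
        acl.insertAce("ROLE_USER", 1, hashParent);
        try {
            acl.hashCode();
            return false;
        } catch (StackOverflowError e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("entry hashes its parent ACL: overflow=" + overflows(true));
        System.out.println("entry skips its parent ACL:  overflow=" + overflows(false));
    }
}
```

The same pattern applies to equals and toString on any pair of objects with a back-reference: only one side of the relationship should walk to the other.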

issue comment spring-gradle-plugins/dependency-management-plugin

Cannot Resolve dependent bom that matches project group/name

This doesn't quite make sense to me. This would mean that slf4j couldn't have any configurations that include slf4j. This seems pretty limiting to me.

rwinch

comment created time in 7 days

issue comment spring-io/nohttp

Remove Spring Boot dependency so that Spring Boot can use nohttp without creating a cycle

Thanks for the PR. I'd be happy to accept a pull request

wilkinsona

comment created time in 7 days

issue opened rsocket/rsocket-java

Deadlock on Connection with Errors

When creating a connection with errors, deadlock often occurs. For example, if Spring Security's authorization fails at connection time this causes deadlock.

I have put together a minimal sample (only RSocket dependencies) that reproduces the issue here.

created time in 7 days

create branch rwinch/rsocket-hangs

branch : master

created branch time in 7 days

created repository rwinch/rsocket-hangs

created time in 7 days

push event spring-projects/spring-security

Rob Winch

commit sha dc514b369e94d17edcaec51ce496f5fc35fc21fc

FilterInvocation Support Default Methods on HttpServletRequest Closes gh-8566

push time in 7 days

issue closed spring-projects/spring-security

FilterInvocation Support Default Methods on HttpServletRequest

FilterInvocation creates a dummy HttpServletRequest to allow creating dummy HttpServletRequest instances. The DummyRequest should support invoking default methods to support https://github.com/spring-projects/spring-framework/issues/25100

Without these changes we will see stack traces that look similar to:

java.lang.UnsupportedOperationException: public default javax.servlet.http.HttpServletMapping javax.servlet.http.HttpServletRequest.getHttpServletMapping() is not supported

	at org.springframework.security.web.UnsupportedOperationExceptionInvocationHandler.invoke(FilterInvocation.java:244)
	at com.sun.proxy.$Proxy36.getHttpServletMapping(Unknown Source)
	at javax.servlet.http.HttpServletRequestWrapper.getHttpServletMapping(HttpServletRequestWrapper.java:123)
	at javax.servlet.http.HttpServletRequestWrapper.getHttpServletMapping(HttpServletRequestWrapper.java:123)
	at org.springframework.web.util.UrlPathHelper.skipServletPathDetermination(UrlPathHelper.java:209)
	at org.springframework.web.util.UrlPathHelper.getLookupPathForRequest(UrlPathHelper.java:194)
	at org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher$DefaultMatcher.matches(MvcRequestMatcher.java:158)
	at org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.matches(MvcRequestMatcher.java:73)
	at org.springframework.security.web.DefaultSecurityFilterChain.matches(DefaultSecurityFilterChain.java:57)
	at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:234)
	at org.springframework.security.web.FilterChainProxy.getFilters(FilterChainProxy.java:249)
	at org.springframework.security.config.annotation.web.configurers.HttpSecurityRequestMatchersTests.mvcMatcherGetFiltersNoUnsupportedMethodExceptionFromDummyRequest(HttpSecurityRequestMatchersTests.java:105)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
	at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
	at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:230)
	at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:58)

closed time in 7 days

rwinch

issue opened spring-projects/spring-security

FilterInvocation Support Default Methods on HttpServletRequest

FilterInvocation creates a dummy HttpServletRequest to allow creating dummy HttpServletRequest instances. The DummyRequest should support invoking default methods to support https://github.com/spring-projects/spring-framework/issues/25100

created time in 7 days

pull request comment spring-projects/spring-security

Fix Kotlin Sample Documentation

Thanks for the Pull Request! This is now merged into master :smile:

AndreasVolkmann

comment created time in 7 days

issue closed spring-projects/spring-security

Fix Kotlin Sample Documentation

Backport of gh-8540

closed time in 7 days

spring-issuemaster

issue comment spring-projects/spring-security

Fix Kotlin Sample Documentation

Fixed via 5eeeac8e513f3152aee139db5ebf637d1df83f10

spring-issuemaster

comment created time in 7 days

push event spring-projects/spring-security

Andreas Volkmann

commit sha 5eeeac8e513f3152aee139db5ebf637d1df83f10

Update index.adoc

push time in 7 days

push event spring-projects/spring-security

Andreas Volkmann

commit sha 16b0a268d973f471650106891dccc5edf4828c0f

Update index.adoc

push time in 7 days

PR merged spring-projects/spring-security

Update index.adoc in: docs type: bug

Fix typo in docs.

Also, the url here is broken https://docs.spring.io/spring-security/site/docs/5.3.0.RELEASE/reference/html5/#whats-new-documentation But not sure how to fix it.

+1 -1

0 comment

1 changed file

AndreasVolkmann

pr closed time in 7 days

PR opened Haybu/demo-spring-security-siteminder-preauth

Some Polish

See each commit for details

+168 -187

0 comment

12 changed files

pr created time in 8 days

create branch rwinch/demo-spring-security-siteminder-preauth

branch : polish

created branch time in 8 days

pull request comment spring-projects/spring-security

Object ID Identicy conversion to long fails on old schema

Thanks for the Pull Request! You are really on a roll

This is now merged into master via 4ab9da1c534a77ccb2bfe3b129f1ff63e0c28196 :smile: and backported

dadikovi

comment created time in 8 days

PR closed spring-projects/spring-security

Object ID Identicy conversion to long fails on old schema in: acl type: bug

This change fixed a bug which tried to convert non-string object as string

Fixes gh-7621

+12 -1

2 comments

2 changed files

dadikovi

pr closed time in 8 days

push event spring-projects/spring-security

Dávid Kovács

commit sha eaaee899fcd367d42128c8cb1b3a4129e8b8ac74

Object ID Identicy conversion to long fails on old schema This change fixed a bug which tried to convert non-string object as string Fixes gh-7621

push time in 8 days

push event spring-projects/spring-security

Dávid Kovács

commit sha 8399375a8631c806b5ef8ccd795ed6b07e61b80f

Object ID Identicy conversion to long fails on old schema This change fixed a bug which tried to convert non-string object as string Fixes gh-7621

push time in 8 days

push event spring-projects/spring-security

Dávid Kovács

commit sha 4ab9da1c534a77ccb2bfe3b129f1ff63e0c28196

Object ID Identicy conversion to long fails on old schema This change fixed a bug which tried to convert non-string object as string Fixes gh-7621

push time in 8 days

issue closed spring-projects/spring-security

Object ID Identicy conversion to long fails on old schema

Summary

In case of an old ACL schema where the object_id_identity is of type bigint instead of the current varchar(36), the conversion of the identity to a known type fails.

Actual Behavior

Conversion of ACL object ID identity fails.

Expected Behavior

Conversion of the ACL object ID identity should succeed to a known type, or long if no class_id_type is provided.

Configuration

<!-- Please provide any configuration you have. -->

Version

5.2.x

closed time in 8 days

nucatus

create branch rwinch/spring-session-bom

branch : dependency-management-plugin-gh-277

created branch time in 8 days
