Merge branch 'main' into spring-projectsgh-15818

Author: jonah1und1

.github/workflows/pr-build-workflow.yml

@@ -2,9 +2,6 @@ name: PR Build
 
 on: pull_request
 
-env:
-  DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
-
 permissions:
   contents: read
 
@@ -21,7 +18,7 @@ jobs:
           java-version: '17'
           distribution: 'temurin'
       - name: Build with Gradle
-        run: ./gradlew clean build -PskipCheckExpectedBranchVersion --continue
+        run: ./gradlew clean build -PskipCheckExpectedBranchVersion --continue --scan
   generate-docs:
     name: Generate Docs
     runs-on: ubuntu-latest

acl/src/main/java/org/springframework/security/acls/domain/AclImpl.java

@@ -202,7 +202,7 @@ public boolean isGranted(List<Permission> permission, List<Sid> sids, boolean ad
 	public boolean isSidLoaded(List<Sid> sids) {
 		// If loadedSides is null, this indicates all SIDs were loaded
 		// Also return true if the caller didn't specify a SID to find
-		if ((this.loadedSids == null) || (sids == null) || (sids.size() == 0)) {
+		if ((this.loadedSids == null) || (sids == null) || sids.isEmpty()) {
 			return true;
 		}
 

acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -140,7 +140,7 @@ public Permission buildFromName(String name) {
 
 	@Override
 	public List<Permission> buildFromNames(List<String> names) {
-		if ((names == null) || (names.size() == 0)) {
+		if ((names == null) || names.isEmpty()) {
 			return Collections.emptyList();
 		}
 		List<Permission> permissions = new ArrayList<>(names.size());

build.gradle

@@ -106,7 +106,7 @@ develocity {
 }
 
 nohttp {
-	source.exclude "buildSrc/build/**"
+	source.exclude "buildSrc/build/**", "javascript/.gradle/**", "javascript/package-lock.json", "javascript/node_modules/**", "javascript/build/**", "javascript/dist/**"
 	source.builtBy(project(':spring-security-config').tasks.withType(RncToXsd))
 }
 

buildSrc/src/main/java/org/springframework/gradle/maven/PublishAllJavaComponentsPlugin.java

@@ -7,8 +7,6 @@
 import org.gradle.api.plugins.JavaPlatformPlugin;
 import org.gradle.api.plugins.JavaPlugin;
 import org.gradle.api.publish.PublishingExtension;
-import org.gradle.api.publish.VariantVersionMappingStrategy;
-import org.gradle.api.publish.VersionMappingStrategy;
 import org.gradle.api.publish.maven.MavenPublication;
 import org.gradle.api.publish.maven.plugins.MavenPublishPlugin;
 

buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,7 +23,6 @@
 import org.gradle.api.artifacts.MinimalExternalModuleDependency;
 import org.gradle.api.artifacts.VersionCatalog;
 import org.gradle.api.artifacts.VersionCatalogsExtension;
-import org.gradle.api.file.RegularFile;
 import org.gradle.api.file.RegularFileProperty;
 import org.gradle.api.plugins.JavaBasePlugin;
 import org.gradle.api.provider.Property;
@@ -36,7 +35,6 @@
 import org.gradle.api.tasks.TaskProvider;
 import org.gradle.api.tasks.VerificationException;
 
-import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.util.Optional;

cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java

@@ -115,15 +115,8 @@ public boolean equals(final Object obj) {
 		if (!super.equals(obj)) {
 			return false;
 		}
-		if (obj instanceof CasAuthenticationToken) {
-			CasAuthenticationToken test = (CasAuthenticationToken) obj;
-			if (!this.assertion.equals(test.getAssertion())) {
-				return false;
-			}
-			if (this.getKeyHash() != test.getKeyHash()) {
-				return false;
-			}
-			return true;
+		if (obj instanceof CasAuthenticationToken test) {
+			return this.assertion.equals(test.getAssertion()) && this.getKeyHash() == test.getKeyHash();
 		}
 		return false;
 	}

config/spring-security-config.gradle

@@ -43,6 +43,7 @@ dependencies {
 	optional 'org.jetbrains.kotlin:kotlin-reflect'
 	optional 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
 	optional 'jakarta.annotation:jakarta.annotation-api'
+	optional libs.webauthn4j.core
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/InitializeAuthenticationProviderBeanManagerConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -95,7 +95,7 @@ private <T> List<BeanWithName<T>> getBeansWithName(Class<T> type) {
 				.getBeanNamesForType(type);
 			for (String beanName : beanNames) {
 				T bean = InitializeAuthenticationProviderBeanManagerConfigurer.this.context.getBean(beanName, type);
-				beanWithNames.add(new BeanWithName<T>(bean, beanName));
+				beanWithNames.add(new BeanWithName<>(bean, beanName));
 			}
 			return beanWithNames;
 		}

config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/InitializeUserDetailsBeanManagerConfigurer.java

@@ -134,7 +134,7 @@ private <T> List<BeanWithName<T>> getBeansWithName(Class<T> type) {
 			String[] beanNames = InitializeUserDetailsBeanManagerConfigurer.this.context.getBeanNamesForType(type);
 			for (String beanName : beanNames) {
 				T bean = InitializeUserDetailsBeanManagerConfigurer.this.context.getBean(beanName, type);
-				beanWithNames.add(new BeanWithName<T>(bean, beanName));
+				beanWithNames.add(new BeanWithName<>(bean, beanName));
 			}
 			return beanWithNames;
 		}

config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java

@@ -97,7 +97,7 @@ public class GlobalMethodSecurityConfiguration implements ImportAware, SmartInit
 
 	private static final Log logger = LogFactory.getLog(GlobalMethodSecurityConfiguration.class);
 
-	private ObjectPostProcessor<Object> objectPostProcessor = new ObjectPostProcessor<Object>() {
+	private ObjectPostProcessor<Object> objectPostProcessor = new ObjectPostProcessor<>() {
 
 		@Override
 		public <T> T postProcess(T object) {

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -67,6 +67,7 @@
 import org.springframework.security.config.annotation.web.configurers.SecurityContextConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ServletApiConfigurer;
 import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
+import org.springframework.security.config.annotation.web.configurers.WebAuthnConfigurer;
 import org.springframework.security.config.annotation.web.configurers.X509Configurer;
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer;
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
@@ -3003,8 +3004,8 @@ public HttpSecurity oauth2ResourceServer(
 	 * 	}
 	 *
 	 * 	@Bean
-	 * 	public GeneratedOneTimeTokenHandler generatedOneTimeTokenHandler() {
-	 * 		return new MyMagicLinkGeneratedOneTimeTokenHandler();
+	 * 	public OneTimeTokenGenerationSuccessHandler oneTimeTokenGenerationSuccessHandler() {
+	 * 		return new MyMagicLinkOneTimeTokenGenerationSuccessHandler();
 	 * 	}
 	 *
 	 * }
@@ -3674,6 +3675,31 @@ public HttpSecurity securityMatcher(String... patterns) {
 		return this;
 	}
 
+	/**
+	 * Specifies webAuthn/passkeys based authentication.
+	 *
+	 * <pre>
+	 * 	&#064;Bean
+	 * 	SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+	 * 		http
+	 * 			// ...
+	 * 			.webAuthn((webAuthn) -&gt; webAuthn
+	 * 				.rpName("Spring Security Relying Party")
+	 * 				.rpId("example.com")
+	 * 				.allowedOrigins("https://example.com")
+	 * 			);
+	 * 		return http.build();
+	 * 	}
+	 * </pre>
+	 * @param webAuthn the customizer to apply
+	 * @return the {@link HttpSecurity} for further customizations
+	 * @throws Exception
+	 */
+	public HttpSecurity webAuthn(Customizer<WebAuthnConfigurer<HttpSecurity>> webAuthn) throws Exception {
+		webAuthn.customize(getOrApply(new WebAuthnConfigurer<>()));
+		return HttpSecurity.this;
+	}
+
 	private List<RequestMatcher> createAntMatchers(String... patterns) {
 		List<RequestMatcher> matchers = new ArrayList<>(patterns.length);
 		for (String pattern : patterns) {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -170,7 +170,8 @@ private AuthorizationManager<HttpServletRequest> createAuthorizationManager() {
 							+ ". Try completing it with something like requestUrls().<something>.hasRole('USER')");
 			Assert.state(this.mappingCount > 0,
 					"At least one mapping is required (for example, authorizeHttpRequests().anyRequest().authenticated())");
-			RequestMatcherDelegatingAuthorizationManager manager = postProcess(this.managerBuilder.build());
+			AuthorizationManager<HttpServletRequest> manager = postProcess(
+					(AuthorizationManager<HttpServletRequest>) this.managerBuilder.build());
 			return AuthorizeHttpRequestsConfigurer.this.postProcessor.postProcess(manager);
 		}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -179,8 +179,7 @@ private void registerDefaults(B http) {
 		allMatcher.setUseEquals(true);
 		RequestMatcher notHtmlMatcher = new NegatedRequestMatcher(
 				new MediaTypeRequestMatcher(contentNegotiationStrategy, MediaType.TEXT_HTML));
-		RequestMatcher restNotHtmlMatcher = new AndRequestMatcher(
-				Arrays.<RequestMatcher>asList(notHtmlMatcher, restMatcher));
+		RequestMatcher restNotHtmlMatcher = new AndRequestMatcher(Arrays.asList(notHtmlMatcher, restMatcher));
 		RequestMatcher preferredMatcher = new OrRequestMatcher(
 				Arrays.asList(X_REQUESTED_WITH, restNotHtmlMatcher, allMatcher));
 		registerDefaultEntryPoint(http, preferredMatcher);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java

@@ -33,6 +33,7 @@
 import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.util.Assert;
@@ -296,6 +297,13 @@ public void configure(H http) {
 			rememberMeFilter.setSecurityContextRepository(securityContextRepository);
 		}
 		rememberMeFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
+
+		SessionAuthenticationStrategy sessionAuthenticationStrategy = http
+			.getSharedObject(SessionAuthenticationStrategy.class);
+		if (sessionAuthenticationStrategy != null) {
+			rememberMeFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy);
+		}
+
 		rememberMeFilter = postProcess(rememberMeFilter);
 		http.addFilter(rememberMeFilter);
 	}