Merge branch 'spring-projects:main' into gh-16825

Author: mapsu

.github/dco.yml

@@ -0,0 +1,2 @@
+require:
+  members: false

.github/dependabot.yml

@@ -4,6 +4,32 @@ registries:
     type: maven-repository
     url: https://repo.spring.io/milestone
 updates:
+  - package-ecosystem: gradle
+    target-branch: 6.4.x
+    directory: /
+    schedule:
+      interval: daily
+      time: '03:00'
+      timezone: Etc/UTC
+    labels:
+      - 'type: dependency-upgrade'
+    registries:
+      - spring-milestones
+    ignore:
+      - dependency-name: com.nimbusds:nimbus-jose-jwt
+      - dependency-name: org.python:jython
+      - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
+      - dependency-name: org.junit:junit-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: org.mockito:mockito-bom
+        update-types:
+          - version-update:semver-major
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-major
+          - version-update:semver-minor
   - package-ecosystem: gradle
     target-branch: 6.3.x
     directory: /
@@ -19,6 +45,7 @@ updates:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
       - dependency-name: org.python:jython
       - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
       - dependency-name: org.junit:junit-bom
         update-types:
           - version-update:semver-major
@@ -44,6 +71,7 @@ updates:
       - dependency-name: com.nimbusds:nimbus-jose-jwt
       - dependency-name: org.python:jython
       - dependency-name: org.apache.directory.server:*
+      - dependency-name: org.apache.directory.shared:*
       - dependency-name: org.junit:junit-bom
         update-types:
           - version-update:semver-major
@@ -58,6 +86,16 @@ updates:
         update-types:
           - version-update:semver-major
 
+  - package-ecosystem: github-actions
+    target-branch: 6.4.x
+    directory: /
+    schedule:
+      interval: weekly
+    labels:
+      - 'type: task'
+      - 'in: build'
+    ignore:
+      - dependency-name: sjohnr/*
   - package-ecosystem: github-actions
     target-branch: 6.3.x
     directory: /
@@ -66,6 +104,8 @@ updates:
     labels:
       - 'type: task'
       - 'in: build'
+    ignore:
+      - dependency-name: sjohnr/*
   - package-ecosystem: github-actions
     target-branch: main
     directory: /

.github/workflows/gradle-wrapper-upgrade-execution.yml

@@ -25,7 +25,7 @@ jobs:
           java-version: '17'
           distribution: 'temurin'
       - name: Set up Gradle
-        uses: gradle/gradle-build-action@v3
+        uses: gradle/gradle-build-action@v2
       - name: Upgrade Wrappers
         run: ./gradlew clean upgradeGradleWrapperAll --continue -Porg.gradle.java.installations.auto-download=false
         env:

.github/workflows/release-scheduler.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         # List of active maintenance branches.
-        branch: [ main, 6.3.x, 6.2.x, 5.8.x ]
+        branch: [ main, 6.4.x, 6.3.x ]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

CONTRIBUTING.adoc

@@ -79,7 +79,7 @@ See https://github.com/spring-projects/spring-security/tree/main#building-from-s
 
 The wiki pages https://github.com/spring-projects/spring-framework/wiki/Code-Style[Code Style] and https://github.com/spring-projects/spring-framework/wiki/IntelliJ-IDEA-Editor-Settings[IntelliJ IDEA Editor Settings] define the source file coding standards we use along with some IDEA editor settings we customize.
 
-To format the code as well as check the style, run `./gradlew format check`.
+To format the code as well as check the style, run `./gradlew format && ./gradlew check`.
 
 [[submit-a-pull-request]]
 === Submit a Pull Request
@@ -89,41 +89,30 @@ We are excited for your pull request! :heart:
 Please do your best to follow these steps.
 Don't worry if you don't get them all correct the first time, we will help you.
 
-[[sign-cla]]
-1. If you have not previously done so, please sign the https://cla.spring.io/sign/spring[Contributor License Agreement].
-You will be reminded automatically when you submit the PR.
-[[create-an-issue]]
-1. Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
+1. [[sign-cla]] All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin.
+For additional details, please refer to the blog post https://spring.io/blog/2025/01/06/hello-dco-goodbye-cla-simplifying-contributions-to-spring[Hello DCO, Goodbye CLA: Simplifying Contributions to Spring].
+2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
 For typos and straightforward bug fixes, starting with a pull request is encouraged.
 Please include a description for context and motivation.
 Note that the team may close your pull request if it's not a fit for the project.
-[[choose-a-branch]]
-1. Always check out the branch indicated in the milestone and submit pull requests against it (for example, for milestone `5.8.3` use the `5.8.x` branch).
+3. [[choose-a-branch]] Always check out the branch indicated in the milestone and submit pull requests against it (for example, for milestone `5.8.3` use the `5.8.x` branch).
 If there is no milestone, choose `main`.
 Once merged, the fix will be forwarded-ported to applicable branches including `main`.
-[[create-a-local-branch]]
-1. Create a local branch
+4. [[create-a-local-branch]] Create a local branch
 If this is for an issue, consider a branch name with the issue number, like `gh-22276`.
-[[write-tests]]
-1. Add documentation and JUnit Tests for your changes.
-[[update-copyright]]
-1. In all files you edited, if the copyright header is of the form 2002-20xx, update the final copyright year to the current year.
-[[add-since]]
-1. If on `main`, add `@since` JavaDoc attributes to new public APIs that your PR adds
-[[change-rnc]]
-1. If you are updating the XSD, please instead update the RNC file and then run `./gradlew :spring-security-config:rncToXsd`.
-[[format-code]]
-1. For each commit, build the code using `./gradlew format check`.
+5. [[write-tests]] Add documentation and JUnit Tests for your changes.
+6. [[update-copyright]] In all files you edited, if the copyright header is of the form 2002-20xx, update the final copyright year to the current year.
+7. [[add-since]] If on `main`, add `@since` JavaDoc attributes to new public APIs that your PR adds
+8. [[change-rnc]] If you are updating the XSD, please instead update the RNC file and then run `./gradlew :spring-security-config:rncToXsd`.
+9. [[format-code]] For each commit, build the code using `./gradlew format && ./gradlew check`.
 This command ensures the code meets most of <<code-style,the style guide>>; a notable exception is import order.
-[[commit-atomically]]
-1. Choose the granularity of your commits consciously and squash commits that represent
+10. [[commit-atomically]] Choose the granularity of your commits consciously and squash commits that represent
 multiple edits or corrections of the same logical change.
 See https://git-scm.com/book/en/Git-Tools-Rewriting-History[Rewriting History section of Pro Git] for an overview of streamlining the commit history.
-[[format-commit-messages]]
-1. Format commit messages using 55 characters for the subject line, 72 characters per line
+11. [[format-commit-messages]] Format commit messages using 55 characters for the subject line, 72 characters per line
 for the description, followed by the issue fixed, for example, `Closes gh-22276`.
 See the https://git-scm.com/book/en/Distributed-Git-Contributing-to-a-Project#Commit-Guidelines[Commit Guidelines section of Pro Git] for best practices around commit messages, and use `git log` to see some examples.
-Present tense is preferred.
+Favor imperative tense over present tense (use "Fix" instead of "Fixes"); avoid past tense (use "Fix" instead of "Fixed").
 +
 [indent=0]
 ----

acl/src/main/java/org/springframework/security/acls/AclEntryVoter.java

@@ -96,7 +96,11 @@
  * All comparisons and prefixes are case sensitive.
  *
  * @author Ben Alex
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PreAuthorize("hasPermission(#id, ObjectsReturnType.class, read)")}
  */
+@Deprecated
 public class AclEntryVoter extends AbstractAclVoter {
 
 	private static final Log logger = LogFactory.getLog(AclEntryVoter.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/AbstractAclProvider.java

@@ -20,6 +20,7 @@
 
 import org.springframework.security.access.AfterInvocationProvider;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.domain.ObjectIdentityRetrievalStrategyImpl;
 import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
 import org.springframework.security.acls.model.Acl;
@@ -39,7 +40,11 @@
  * services.
  *
  * @author Ben Alex
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostAuthorize("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public abstract class AbstractAclProvider implements AfterInvocationProvider {
 
 	protected final AclService aclService;

acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationCollectionFilteringProvider.java

@@ -26,6 +26,7 @@
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.AuthorizationServiceException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.model.AclService;
 import org.springframework.security.acls.model.Permission;
 import org.springframework.security.core.Authentication;
@@ -62,7 +63,11 @@
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostFilter("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public class AclEntryAfterInvocationCollectionFilteringProvider extends AbstractAclProvider {
 
 	protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationCollectionFilteringProvider.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/AclEntryAfterInvocationProvider.java

@@ -27,6 +27,7 @@
 import org.springframework.context.support.MessageSourceAccessor;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.acls.AclPermissionEvaluator;
 import org.springframework.security.acls.model.AclService;
 import org.springframework.security.acls.model.Permission;
 import org.springframework.security.core.Authentication;
@@ -59,7 +60,12 @@
  * granted and <code>null</code> will be returned.
  * <p>
  * All comparisons and prefixes are case sensitive.
+ *
+ * @deprecated please use {@link AclPermissionEvaluator} instead. Spring Method Security
+ * annotations may also prove useful, for example
+ * {@code @PostAuthorize("hasPermission(filterObject, read)")}
  */
+@Deprecated
 public class AclEntryAfterInvocationProvider extends AbstractAclProvider implements MessageSourceAware {
 
 	protected static final Log logger = LogFactory.getLog(AclEntryAfterInvocationProvider.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/ArrayFilterer.java

@@ -32,7 +32,9 @@
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please see {@code PostFilter}
  */
+@Deprecated
 class ArrayFilterer<T> implements Filterer<T> {
 
 	protected static final Log logger = LogFactory.getLog(ArrayFilterer.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/CollectionFilterer.java

@@ -31,7 +31,9 @@
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please see {@code PostFilter}
  */
+@Deprecated
 class CollectionFilterer<T> implements Filterer<T> {
 
 	protected static final Log logger = LogFactory.getLog(CollectionFilterer.class);

acl/src/main/java/org/springframework/security/acls/afterinvocation/Filterer.java

@@ -23,7 +23,9 @@
  *
  * @author Ben Alex
  * @author Paulo Neves
+ * @deprecated please use {@code PreFilter} and {@code @PostFilter} instead
  */
+@Deprecated
 interface Filterer<T> extends Iterable<T> {
 
 	/**

cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

@@ -51,6 +51,7 @@
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.savedrequest.SavedRequest;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -215,6 +216,8 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 
 	public CasAuthenticationFilter() {
 		super("/login/cas");
+		RequestMatcher processUri = PathPatternRequestMatcher.withDefaults().matcher("/login/cas");
+		setRequiresAuthenticationRequestMatcher(processUri);
 		setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
 		setSecurityContextRepository(this.securityContextRepository);
 	}
@@ -319,6 +322,18 @@ public final void setAuthenticationFailureHandler(AuthenticationFailureHandler f
 		super.setAuthenticationFailureHandler(new CasAuthenticationFailureHandler(failureHandler));
 	}
 
+	/**
+	 * Use this {@code RequestMatcher} to match proxy receptor requests. Without setting
+	 * this matcher, {@link CasAuthenticationFilter} will not capture any proxy receptor
+	 * requets.
+	 * @param proxyReceptorMatcher the {@link RequestMatcher} to use
+	 * @since 6.5
+	 */
+	public final void setProxyReceptorMatcher(RequestMatcher proxyReceptorMatcher) {
+		Assert.notNull(proxyReceptorMatcher, "proxyReceptorMatcher cannot be null");
+		this.proxyReceptorMatcher = proxyReceptorMatcher;
+	}
+
 	public final void setProxyReceptorUrl(final String proxyReceptorUrl) {
 		this.proxyReceptorMatcher = new AntPathRequestMatcher("/**" + proxyReceptorUrl);
 	}

cas/src/test/java/org/springframework/security/cas/web/CasAuthenticationFilterTests.java

@@ -43,6 +43,7 @@
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -78,7 +79,7 @@ public void testGettersSetters() {
 
 	@Test
 	public void testNormalOperation() throws Exception {
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login/cas");
 		request.setServletPath("/login/cas");
 		request.addParameter("ticket", "ST-0-ER94xMJmn6pha35CQRoZ");
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
@@ -103,7 +104,7 @@ public void testRequiresAuthenticationFilterProcessUrl() {
 		String url = "/login/cas";
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setFilterProcessesUrl(url);
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", url);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		request.setServletPath(url);
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
@@ -132,10 +133,11 @@ public void testRequiresAuthenticationAuthAll() {
 		CasAuthenticationFilter filter = new CasAuthenticationFilter();
 		filter.setFilterProcessesUrl(url);
 		filter.setServiceProperties(properties);
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", url);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		request.setServletPath(url);
 		assertThat(filter.requiresAuthentication(request, response)).isTrue();
+		request = new MockHttpServletRequest("POST", "/other");
 		request.setServletPath("/other");
 		assertThat(filter.requiresAuthentication(request, response)).isFalse();
 		request.setParameter(properties.getArtifactParameter(), "value");
@@ -170,7 +172,7 @@ public void testDoFilterAuthenticateAll() throws Exception {
 		given(manager.authenticate(any(Authentication.class))).willReturn(authentication);
 		ServiceProperties serviceProperties = new ServiceProperties();
 		serviceProperties.setAuthenticateAllArtifacts(true);
-		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", "/authenticate");
 		request.setParameter("ticket", "ST-1-123");
 		request.setServletPath("/authenticate");
 		MockHttpServletResponse response = new MockHttpServletResponse();
@@ -266,4 +268,20 @@ void successfulAuthenticationWhenSecurityContextHolderStrategySetThenUses() thro
 		verify(securityContextRepository).setContext(any(SecurityContext.class));
 	}
 
+	@Test
+	public void requiresAuthenticationWhenProxyRequestMatcherThenMatches() {
+		CasAuthenticationFilter filter = new CasAuthenticationFilter();
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/pgtCallback");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setServletPath("/pgtCallback");
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+		filter.setProxyReceptorMatcher(PathPatternRequestMatcher.withDefaults().matcher(request.getServletPath()));
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+		filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
+		assertThat(filter.requiresAuthentication(request, response)).isTrue();
+		request.setRequestURI("/other");
+		request.setServletPath("/other");
+		assertThat(filter.requiresAuthentication(request, response)).isFalse();
+	}
+
 }

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -96,7 +96,7 @@ public BeanDefinition parse(Element element, ParserContext pc) {
 			pc.getReaderContext()
 				.fatal("You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or "
 						+ "spring-security-3.1.xsd schema or spring-security-3.2.xsd schema or spring-security-4.0.xsd schema "
-						+ "with Spring Security 6.4. Please update your schema declarations to the 6.4 schema.",
+						+ "with Spring Security 6.5. Please update your schema declarations to the 6.5 schema.",
 						element);
 		}
 		String name = pc.getDelegate().getLocalName(element);
@@ -221,7 +221,7 @@ private boolean namespaceMatchesVersion(Element element) {
 
 	private boolean matchesVersionInternal(Element element) {
 		String schemaLocation = element.getAttributeNS("http://www.w3.org/2001/XMLSchema-instance", "schemaLocation");
-		return schemaLocation.matches("(?m).*spring-security-6\\.4.*.xsd.*")
+		return schemaLocation.matches("(?m).*spring-security-6\\.5.*.xsd.*")
 				|| schemaLocation.matches("(?m).*spring-security.xsd.*")
 				|| !schemaLocation.matches("(?m).*spring-security.*");
 	}