All Classes and Interfaces
Class
Description
Abstract processor of browser-based HTTP-based authentication requests.
Base class containing the logic used by strategies which handle redirection to a URL
and are passed an
Authentication
object as part of the contract.Base class for processing filters that handle pre-authenticated authentication
requests, where it is assumed that the principal has already been authenticated by an
external system.
Base class for RememberMeServices implementations.
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
Registers the
DelegatingFilterProxy
to use the springSecurityFilterChain before
any other registered Filter
.A base class for performing session fixation protection.
Used by
ExceptionTranslationFilter
to handle an
AccessDeniedException
.Base implementation of
AccessDeniedHandler
.Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
RequestMatcher
that will return true if all of the passed in
RequestMatcher
instances match.Matches if all the provided
ServerWebExchangeMatcher
matchDetects if there is no
Authentication
object in the
SecurityContextHolder
, and populates it with one if needed.Detects if there is no
Authentication
object in the
ReactiveSecurityContextHolder
, and populates it with one if needed.Matcher which compares a pre-defined ant-style pattern against the URL (
servletPath + pathInfo
) of an HttpServletRequest
.Matches any supplied request.
A strategy used for converting from a
HttpServletRequest
to an
Authentication
of particular type.Used by
ExceptionTranslationFilter
to commence an authentication scheme.Adapts a
AuthenticationEntryPoint
into a AuthenticationFailureHandler
Strategy used to handle a failed authentication attempt.
A
Filter
that performs authentication of a particular request.Deprecated.
Use
AuthenticationPrincipal
instead.Deprecated.
Use
AuthenticationPrincipalArgumentResolver
instead.Allows resolving the
Authentication.getPrincipal()
using the
AuthenticationPrincipal
annotation.Resolves the Authentication
Strategy used to handle a successful user authentication.
Application event which indicates that a user context switch.
A
WebFilter
that performs authentication of a particular request.An authorization filter that restricts access to the URL using
AuthorizationManager
.An implementation of
WebInvocationPrivilegeEvaluator
which delegates the checks
to an instance of AuthorizationManager
Converts from a HttpServletRequest to
UsernamePasswordAuthenticationToken
that
can be authenticated.Used by the
ExceptionTranslationFilter
to commence authentication via the
BasicAuthenticationFilter
.Processes a HTTP request's BASIC authorization headers, putting the result into the
SecurityContextHolder
.Inserts headers to prevent caching if no cache control headers have been specified.
Writes cache control related headers.
Uses
HttpServletRequest.changeSessionId()
to protect against session fixation
attacks.Decides whether a web channel provides sufficient security.
Implementation of
ChannelDecisionManager
.May be used by a
ChannelProcessor
to launch a web channel.Ensures a web request is delivered over the required channel.
Decides whether a web channel meets a specific security condition.
Provides support for Clear
Site Data.
Represents the directive values expected by the
ClearSiteDataHeaderWriter
.
Writes the
Clear-Site-Data
response header when the request is secure.
Represents the directive values expected by the
ClearSiteDataServerHttpHeadersWriter
A
HeaderWriter
that delegates to several other HeaderWriter
s.Performs a logout through all the
LogoutHandler
implementations.A
RequestRejectedHandler
that delegates to several other
RequestRejectedHandler
s.Combines multiple
ServerHttpHeadersWriter
instances into a single instance.A
SessionAuthenticationStrategy
that accepts multiple
SessionAuthenticationStrategy
implementations to delegate to.Strategy which handles concurrent session-control.
Filter required by concurrent session handling package.
Provides support for Content Security Policy
(CSP) Level 2.
Writes the
Contet-Security-Policy
response header with configured policy
directives.Adds X-Content-Type-Options: nosniff
A logout handler which clears either - A defined list of cookie names, using the
context path as the cookie path OR - A given list of Cookies
A
CsrfTokenRepository
that persists the CSRF token in a cookie named
"XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of
AngularJS.An Implementation of
RequestCache
which saves the original request URI in a
cookie.A
ServerCsrfTokenRepository
that persists the CSRF token in a cookie named
"XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of
AngularJS.An implementation of
ServerRequestCache
that saves the requested URI in a
cookie.Inserts Cross-Origin-Embedder-Policy header.
Inserts Cross-Origin-Embedder-Policy headers.
Inserts the Cross-Origin-Opener-Policy header
Inserts Cross-Origin-Opener-Policy header.
Inserts Cross-Origin-Resource-Policy header
Inserts Cross-Origin-Resource-Policy headers.
CsrfAuthenticationStrategy
is in charge of removing the CsrfToken
upon
authenticating.Thrown when an invalid or missing
CsrfToken
is found in the HttpServletRequestThrown when an invalid or missing
CsrfToken
is found in the HttpServletRequest
Applies
CSRF
protection using a synchronizer token pattern.
CsrfLogoutHandler
is in charge of removing the CsrfToken
upon logout.Integration with Spring Web MVC that automatically adds the
CsrfToken
into
forms with hidden inputs when using Spring tag libraries.CsrfServerLogoutHandler
is in charge of removing the CsrfToken
upon
logout.Provides the information about an expected CSRF token.
Allows resolving the current
CsrfToken
.An API to allow changing the method in which the expected
CsrfToken
is
associated to the HttpServletRequest
.An implementation of the
CsrfTokenRequestHandler
interface that is capable of
making the CsrfToken
available as a request attribute and resolving the token
value as either a header or parameter value of the request.A callback interface that is used to make the
CsrfToken
created by the
CsrfTokenRepository
available as a request attribute.Implementations of this interface are capable of resolving the token value of a
CsrfToken
from the provided HttpServletRequest
.
Applies
CSRF
protection using a synchronizer token pattern.
Allows resolving the
SecurityContext
using the CurrentSecurityContext
annotation.Resolves the
SecurityContext
Spring Security debugging filter.
A CSRF token that is used to protect against CSRF attacks.
A CSRF token that is used to protect against CSRF attacks.
Default implementation of FilterInvocationDefinitionSource.
User's should consider using
StrictHttpFirewall
because rather than trying to
sanitize a malicious URL it rejects the malicious URL providing better security
guarantees.A
SecurityExpressionHandler
that uses a RequestAuthorizationContext
to
create a WebSecurityExpressionRoot
.For internal use with namespace configuration in the case where a user doesn't
configure a login page.
Generates a default log out page.
Simple implementation of RedirectStrategy which is the default used throughout
the framework.
Default implementation of
RequestRejectedHandler
that simply rethrows the
exception.Represents central information from a
HttpServletRequest
.Standard implementation of
SecurityFilterChain
.The default
ServerRedirectStrategy
to use.Deprecated.
An interface that allows delayed access to a
CsrfToken
that may be generated.An
AccessDeniedHandler
that delegates to other AccessDeniedHandler
instances based upon the type of AccessDeniedException
passed into
DelegatingAccessDeniedHandler.handle(HttpServletRequest, HttpServletResponse, AccessDeniedException)
.An
AuthenticationEntryPoint
which selects a concrete
AuthenticationEntryPoint
based on a RequestMatcher
evaluation.An
AuthenticationFailureHandler
that delegates to other
AuthenticationFailureHandler
instances based upon the type of
AuthenticationException
passed into
DelegatingAuthenticationFailureHandler.onAuthenticationFailure(HttpServletRequest, HttpServletResponse, AuthenticationException)
.Delegates to logout handlers based on matched request matchers
Delegates to the provided
HeaderWriter
when
RequestMatcher.matches(HttpServletRequest)
returns true.A
ServerAuthenticationEntryPoint
which delegates to multiple
ServerAuthenticationEntryPoint
based on a ServerWebExchangeMatcher
Delegates to a collection of
ServerAuthenticationSuccessHandler
implementations.Delegates to a collection of
ServerLogoutHandler
implementations.Used by the
SecurityEnforcementFilter
to commence authentication via the
DigestAuthenticationFilter
.Processes a HTTP request's Digest authorization headers, putting the result into the
SecurityContextHolder
.Disables encoding URLs using the
HttpServletResponse
to prevent including the
session id in URLs which is not considered URL because the session id can be leaked in
things like HTTP access logs.Checks the
DispatcherType
to decide whether to match a given request.A RequestMatcher implementation which uses a SpEL expression
Adapter that wraps an
Enumeration
around a Java 2 collection
Iterator
.Uses the internal map of exceptions types to URLs to determine the destination on
authentication failure.
Handles any
AccessDeniedException
and AuthenticationException
thrown within the filter chain.Web filter that redirects requests that match
ServerWebExchangeMatcher
to the
specified URL.Expression-based
FilterInvocationSecurityMetadataSource
.Utility class to generate HTTP dates.
Provides support for Feature
Policy.
Writes the
Feature-Policy
response header with configured policy directives.Delegates
Filter
requests to a list of Spring-managed filter beans.A strategy for decorating the provided filter chain with one that accounts for the
SecurityFilterChain
for a given request.A
FilterChainProxy.FilterChainDecorator
that uses the FilterChainProxy.VirtualFilterChain
Holds objects associated with a HTTP filter.
Marker interface for
SecurityMetadataSource
implementations that are
designed to perform lookups keyed on FilterInvocation
s.Deprecated.
Use
AuthorizationFilter
insteadRequest wrapper which is returned by the
HttpFirewall
interface.Eagerly creates
HttpSession
if it does not already exist.
Forward Authentication Failure Handler
Forward Authentication Success Handler
LogoutSuccessHandler
implementation that will perform a request dispatcher
"forward" to the specified target URL.Represents a Header to be added to the
HttpServletResponse
Contract for writing headers to a
HttpServletResponse
Filter implementation to add headers to the current response.
A
ServerLogoutHandler
implementation which writes HTTP headers during logout.Deprecated.
see Certificate
and Public Key Pinning for more context
Provides support for HTTP Strict
Transport Security (HSTS).
In the pre-authenticated authentication case (unlike CAS, for example) the user will
already have been identified through some external mechanism and a secure context
established by the time the security-enforcement filter is invoked.
Prompts a user for HTTP Basic authentication.
Interface which can be used to reject potentially dangerous requests and/or wrap them
to control their behaviour.
Invokes a
ServerHttpHeadersWriter
on
ReactiveHttpOutputMessage.beforeCommit(java.util.function.Supplier)
.Published by the
HttpSessionEventPublisher
when an HttpSession
is
created by the containerPublished by the
HttpSessionEventPublisher
when a HttpSession is removed from
the containerDeclared in web.xml as
Published by the
HttpSessionEventPublisher
when an HttpSession
ID is
changed.RequestCache
which stores the SavedRequest
in the HttpSession.A
SecurityContextRepository
implementation which stores the security context in
the HttpSession
between requests.Redirects any non-HTTPS request to its HTTPS equivalent.
An
AuthenticationEntryPoint
that sends a generic HttpStatus
as a
response.A simple implementation of
RequestRejectedHandler
that sends an error with
configurable status code.Implementation of the
LogoutSuccessHandler
.Implementation of the
ServerLogoutSuccessHandler
.Sets the provided HTTP Status when access is denied.
A
ServerAuthenticationEntryPoint
that sends a generic HttpStatus
as a
response.Simple PersistentTokenRepository implementation backed by a Map.
Ensures channel security is inactive by review of
HttpServletRequest.isSecure()
responses.Exception thrown by a RememberMeServices implementation to indicate that a submitted
cookie is of an invalid format or has expired.
Thrown when an expected
CsrfToken
exists, but it does not match the value
present on the HttpServletRequest
An adapter of
InvalidSessionStrategy
to AccessDeniedHandler
Determines the behaviour of the
SessionManagementFilter
when an invalid session
Id is submitted and detected in the SessionManagementFilter
.Matches a request based on IP Address or subnet mask matching against the remote
address.
A
ReactiveAuthorizationManager
, that determines if the current request contains
the specified address or range of addressesMatches a request based on IP Address or subnet mask matching against the remote
address.
Implementation of AuthenticationDetailsSource which converts the user's J2EE roles (as
obtained by calling
HttpServletRequest.isUserInRole(String)
) into
GrantedAuthority
s and stores these in the authentication details object.This AbstractPreAuthenticatedProcessingFilter implementation is based on the J2EE
container-based authentication mechanism.
A
Filter
which attempts to obtain a JAAS Subject
and continue
the FilterChain
running as that Subject
.JDBC based persistent login token repository implementation.
Deprecated.
Generates a default log in page used for authenticating users.
Used by the
ExceptionTranslationFilter
to commence a form login authentication
via the UsernamePasswordAuthenticationFilter
.Logs a principal out.
Indicates a class that is able to participate in logout handling.
Generates a default log out page.
A logout handler which publishes
LogoutSuccessEvent
Strategy that is called after a successful logout by the
LogoutFilter
, to
handle redirection or forwarding to the appropriate destination.If the request matches, logs an authenticated user out by delegating to a
ServerLogoutHandler
.A
SecurityWebFilterChain
that leverages a ServerWebExchangeMatcher
to
determine which WebFilter
to execute.Allows matching
HttpServletRequest
based upon the MediaType
's resolved
from a ContentNegotiationStrategy
.Matches based upon the accept headers.
Thrown when no expected
CsrfToken
is found but is required.A
RequestMatcher
that uses Spring MVC's HandlerMappingIntrospector
to
match the path and extract variables.A builder for
MvcRequestMatcher
A
RequestMatcher
that will negate the RequestMatcher
passed in.Negates the provided matcher.
Thrown if an authentication request is rejected because the digest nonce has expired.
An implementation of
ServerRequestCache
that does nothing.A do nothing implementation of
ServerSecurityContextRepository
.Implementation of
NullRememberMeServices
that does nothing.Null implementation of RequestCache.
A
FilterChainProxy.FilterChainDecorator
that
wraps the chain in before and after observationsA
WebFilterChainProxy.WebFilterChainDecorator
that wraps the chain in before and after observationsBase class for response wrappers which encapsulate the logic for handling an event when
the
HttpServletResponse
is committed.RequestMatcher
that will return true if any of the passed in
RequestMatcher
instances match.Matches if any of the provided
ServerWebExchangeMatcher
matchMatches if the
PathPattern
matches the path within the application.Provides support for
Permisisons Policy.
Writes the
Permissions-Policy
response header with configured policy
directives.RememberMeServices
implementation based on Barry Jaspan's
Improved
Persistent Login Cookie Best Practice.The abstraction used by
PersistentTokenBasedRememberMeServices
to store the
persistent login tokens for a user.PortMapper
implementations provide callers with information about which
HTTP ports are associated with which HTTPS ports on the system, and vice versa.Concrete implementation of
PortMapper
that obtains HTTP:HTTPS pairs from the
application context.A
PortResolver
determines the port a web request was received on.Concrete implementation of
PortResolver
that obtains the port from
ServletRequest.getServerPort().
Processes a pre-authenticated authentication request.
Authentication
implementation for
pre-authenticated authentication.
This AuthenticationUserDetailsService implementation creates a UserDetails object based
solely on the information contained in the given PreAuthenticatedAuthenticationToken.
This WebAuthenticationDetails implementation allows for storing a list of
pre-authenticated Granted Authorities.
Reactive version of
PreAuthenticatedAuthenticationProvider
This manager receives a PreAuthenticatedAuthenticationToken
, checks that
associated account is not disabled, expired, or blocked, and returns new authenticated
PreAuthenticatedAuthenticationToken
.Uses a
ServerSecurityContextRepository
to provide the SecurityContext
to initialize the ReactiveSecurityContextHolder
.Performs a redirect to a specified location.
Performs a redirect to a specified location.
Performs a redirect on authentication success.
Performs a redirect on log out success.
Encapsulates the redirection logic for all classes in the framework which perform
redirects.
Internal class for building redirect URLs.
Provides support for Referrer
Policy.
Writes the
Referrer-Policy
response header.Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
Uses a regular expression to decide whether a supplied the URL of a supplied
HttpServletRequest
.Strategy used to register a user with the
SessionRegistry
after successful
Authentication
.This exception is thrown when an
Authentication
exception occurs while using
the remember-me authentication.Detects if there is no
Authentication
object in the SecurityContext
,
and populates the context with a remember-me authentication token if a
RememberMeServices
implementation so requests.Implement by a class that is capable of providing a remember-me service.
A simple pre-authenticated filter which obtains the username from request attributes,
for use with SSO systems such as
Stanford
WebAuth or Shibboleth.
Stores the
SecurityContext
on a
ServletRequest.setAttribute(String, Object)
so that it can be
restored when different dispatch types occur.An
HttpServletRequest
authorization context.Implements "saved request" logic, allowing a single request to be retrieved and
restarted after redirecting to an authentication mechanism.
Responsible for reconstituting the saved request if one is cached and it matches the
current request.
Performs a redirect to the original request URL when an invalid requested session is
detected by the
SessionManagementFilter
.A simple pre-authenticated filter which obtains the username from a request header, for
use with systems such as CA Siteminder.
A
RequestMatcher
that can be used to match request that contain a header with
an expected header name and an expected value.Simple strategy to match an HttpServletRequest.
The result of matching against an HttpServletRequest Contains the status, true or
false, of the match and if present, any variables extracted from the match
An
AccessDeniedHandler
that delegates to other AccessDeniedHandler
instances based upon the type of HttpServletRequest
passed into
RequestMatcherDelegatingAccessDeniedHandler.handle(HttpServletRequest, HttpServletResponse, AccessDeniedException)
.An
AuthenticationManagerResolver
that returns a AuthenticationManager
instances based upon the type of HttpServletRequest
passed into
RequestMatcherDelegatingAuthenticationManagerResolver.resolve(HttpServletRequest)
.A builder for
RequestMatcherDelegatingAuthenticationManagerResolver
.An
AuthorizationManager
which delegates to a specific
AuthorizationManager
based on a RequestMatcher
evaluation.A builder for
RequestMatcherDelegatingAuthorizationManager
.A
WebInvocationPrivilegeEvaluator
which delegates to a list of
WebInvocationPrivilegeEvaluator
based on a
RequestMatcher
evaluationPropertyEditor which creates ELRequestMatcher instances from Strings
This allows to use a String in a BeanDefinition instead of an (inner) bean if a
RequestMatcher is required, e.g.
A rich object for associating a
RequestMatcher
to another object.Filter that redirects requests that match
RequestMatcher
to the specified URL.Used by
FilterChainProxy
to handle an
RequestRejectedException
.Deprecated.
Commences an insecure channel by retrying the original request using HTTP.
Commences a secure channel by retrying the original request using HTTPS.
Deprecated.
Stores off the values of a cookie in a serializable holder
Encapsulates the functionality required of a cached request for both an authentication
mechanism (typically form-based login) to redirect to the original URL and for a
RequestCache to build a wrapped request, reproducing the original request
data.
An authentication success strategy which can make use of the
DefaultSavedRequest
which may
have been stored in the session by the ExceptionTranslationFilter
.Ensures channel security is active by review of
HttpServletRequest.isSecure()
responses.
Allows for integration with Spring MVC's
Callable
support.A
Filter
which populates the ServletRequest
with a request
wrapper which implements the servlet API security methods.A Spring Security-aware
HttpServletRequestWrapper
, which uses the
SecurityContext
-defined Authentication
object to implement
the servlet API security methods:
SecurityContextHolderAwareRequestWrapper.getUserPrincipal()
SecurityContextHolderAwareRequestWrapper.isUserInRole(String)
HttpServletRequestWrapper.getRemoteUser()
.
A
Filter
that uses the SecurityContextRepository
to
obtain the SecurityContext
and set it on the SecurityContextHolder
.Performs a logout by modifying the
SecurityContextHolder
.Deprecated.
Strategy used for persisting a
SecurityContext
between requests.A
ServerLogoutHandler
which removes the SecurityContext using the provided
ServerSecurityContextRepository
Overrides the
ServerWebExchange.getPrincipal()
with the provided
SecurityContextOverride the
ServerWebExchange.getPrincipal()
to be looked up using
ReactiveSecurityContextHolder
.Defines a filter chain which is capable of being matched against an
HttpServletRequest
.Utilities for interacting with
HttpHeaders
Spring Security extension to Spring's
WebApplicationContextUtils
.Defines a filter chain which is capable of being matched against a
ServerWebExchange
in order to decide whether it applies to that request.A strategy used for converting from a
ServerWebExchange
to an
Authentication
used for authenticating with a provided
ReactiveAuthenticationManager
.Used to request authentication
Adapts a
ServerAuthenticationEntryPoint
into a
ServerAuthenticationFailureHandler
Handles authentication failure
Handles authentication success
An API to allow changing the method in which the expected
CsrfToken
is
associated to the ServerWebExchange
.An implementation of the
ServerCsrfTokenRequestHandler
interface that is
capable of making the CsrfToken
available as an exchange attribute and
resolving the token value as either a form data value or header of the request.A callback interface that is used to make the
CsrfToken
created by the
ServerCsrfTokenRepository
available as an exchange attribute.Implementations of this interface are capable of resolving the token value of a
CsrfToken
from the provided ServerWebExchange
.Converts a ServerWebExchange into a UsernamePasswordAuthenticationToken from the form
data HTTP parameters.
Deprecated.
use
ServerFormLoginAuthenticationConverter
instead.Converts from a
ServerWebExchange
to an Authentication
that can be
authenticated.Deprecated.
Use
ServerHttpBasicAuthenticationConverter
instead.Interface for writing headers just before the response is committed.
Handles log out
Strategy for when log out was successfully performed (typically after
ServerLogoutHandler
is invoked).A strategy for performing redirects.
Saves a
ServerHttpRequest
so it can be "replayed" later.A
WebFilter
that replays any matching request in ServerRequestCache
Strategy used for persisting a
SecurityContext
between requests.A
ReactiveAuthenticationManagerResolver
that returns a
ReactiveAuthenticationManager
instances based upon the type of
ServerWebExchange
passed into ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.resolve(ServerWebExchange)
.A builder for
RequestMatcherDelegatingAuthenticationManagerResolver
.A
ServerAccessDeniedHandler
which delegates to multiple
ServerAccessDeniedHandler
s based on a ServerWebExchangeMatcher
Delegates to a provided
ServerHttpHeadersWriter
if
ServerWebExchangeMatcher.matches(ServerWebExchange)
returns a match.An interface for determining if a
ServerWebExchangeMatcher
matches.The result of matching
A rich object for associating a
ServerWebExchangeMatcher
to another object.Provides factory methods for creating common
ServerWebExchangeMatcher
Converts from a
SslInfo
provided by a request to an
PreAuthenticatedAuthenticationToken
that can be authenticated.Thrown by an SessionAuthenticationStrategy to indicate that an authentication
object is not valid for the current session, typically because the same user has
exceeded the number of sessions they are allowed to have concurrently.
Allows pluggable support for HttpSession-related behaviour when an authentication
occurs.
Indicates a session ID was changed for the purposes of session fixation protection.
Uses
HttpServletRequest.invalidate()
to protect against session fixation
attacks.An event for when a
SessionInformation
is expired.Determines the behaviour of the
ConcurrentSessionFilter
when an expired session
is detected in the ConcurrentSessionFilter
.Detects that a user has been authenticated since the start of the request and, if they
have, calls the configured
SessionAuthenticationStrategy
to perform any
session-related activity such as activating session-fixation protection mechanisms or
checking for multiple concurrent logins.Performs a redirect to a fixed URL when an invalid requested session is detected by the
SessionManagementFilter
.Performs a redirect to a fixed URL when an expired session is detected by the
ConcurrentSessionFilter
.A Bean implementation of SavedRequest
AuthenticationFailureHandler which performs a redirect to the value of the
defaultFailureUrl
property when the
onAuthenticationFailure method is called.AuthenticationSuccessHandler which can be configured with a default URL which
users should be sent to upon successful authentication.
Handles the navigation on logout by delegating to the
AbstractAuthenticationTargetUrlRequestHandler
base class logic.Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
HeaderWriter
implementation which writes the same Header
instance.Allows specifying
HttpHeaders
that should be written to the response.
A strict implementation of
HttpFirewall
that rejects any suspicious requests
with a RequestRejectedException
.Writes the Strict-Transport-Security if the request is secure.
Obtains the principal from a certificate using a regular expression match against the
Subject (as returned by a call to
X509Certificate.getSubjectDN()
).Allows subclasses to modify the
GrantedAuthority
list that will be assigned to
the principal when they assume the identity of a different principal.Switch User processing filter responsible for user context switching.
Custom
GrantedAuthority
used by
SwitchUserFilter
Switch User processing filter responsible for user context switching.
Internal utility for escaping characters in HTML strings.
Handler for analyzing
Throwable
instances.Interface for handlers extracting the cause out of a specific
Throwable
type.Identifies previously remembered users by a Base-64 encoded cookie.
Provides static methods for composing URLs.
Processes an authentication form submission.
Provides integration between the
SecurityContext
and Spring Web's
WebAsyncManager
by using the
SecurityContextCallableProcessingInterceptor.beforeConcurrentHandling(org.springframework.web.context.request.NativeWebRequest, Callable)
to populate the SecurityContext
on the Callable
.Well-known keys which are used to store Spring Security information in request or
session scope.
A holder of selected HTTP details related to a web authentication request.
Implementation of
AuthenticationDetailsSource
which builds the details object
from an HttpServletRequest object, creating a WebAuthenticationDetails
.An expression-based
AuthorizationManager
that determines the access by
evaluating the provided expression.Deprecated.
Use
WebExpressionAuthorizationManager
insteadUsed to delegate to a List of
SecurityWebFilterChain
instances.A
WebFilterChainProxy.WebFilterChainDecorator
that uses the DefaultWebFilterChain
A strategy for decorating the provided filter chain with one that accounts for the
SecurityFilterChain
for a given request.Success handler that continues the filter chain after authentication success.
A composite of the
ServerWebExchange
and the WebFilterChain
.Allows users to determine whether they have privileges for a given web URI.
Jackson module for spring-security-web.
Jackson module for spring-security-web-flux.
Jackson module for spring-security-web related to servlet.
A
ServerLogoutHandler
which invalidates the active WebSession
.Stores the
SecurityContext
in the
WebSession
.This AbstractPreAuthenticatedProcessingFilter implementation is based on WebSphere
authentication.
This AuthenticationDetailsSource implementation will set the pre-authenticated granted
authorities based on the WebSphere groups for the current WebSphere user, mapped using
the configured Attributes2GrantedAuthoritiesMapper.
This MappableAttributesRetriever implementation reads the list of defined J2EE
roles from a web.xml file and returns these from {
WebXmlMappableAttributesRetriever.getMappableAttributes()
.Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
Obtains the principal from an X509Certificate for use within the framework.
A
StaticHeadersWriter
that inserts headers to prevent content sniffing.Adds X-Content-Type-Options: nosniff
HeaderWriter
implementation for the X-Frame-Options headers.The possible values for the X-Frame-Options header.
ServerHttpHeadersWriter
implementation for the X-Frame-Options headers.The X-Frame-Options values.
An implementation of the
CsrfTokenRequestHandler
interface that is capable of
masking the value of the CsrfToken
on each request and resolving the raw token
value from the masked value as either a header or parameter value of the request.An implementation of the
ServerCsrfTokenRequestAttributeHandler
and
ServerCsrfTokenRequestResolver
interfaces that is capable of masking the value
of the CsrfToken
on each request and resolving the raw token value from the
masked value as either a form data value or header of the request.Renders the X-XSS-Protection header.
The value of the x-xss-protection header.
Add the x-xss-protection header.
The value of the x-xss-protection header.