All Classes and Interfaces
Class
Description
Abstract processor of browser-based HTTP-based authentication requests.
Base class containing the logic used by strategies which handle redirection to a URL
and are passed an
Authentication object as part of the contract.Base class for processing filters that handle pre-authenticated authentication
requests, where it is assumed that the principal has already been authenticated by an
external system.
Base class for RememberMeServices implementations.
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
Registers the
DelegatingFilterProxy to use the springSecurityFilterChain before
any other registered Filter.A base class for performing session fixation protection.
Used by
ExceptionTranslationFilter to handle an
AccessDeniedException.Base implementation of
AccessDeniedHandler.Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
RequestMatcher that will return true if all of the passed in
RequestMatcher instances match.Matches if all the provided
ServerWebExchangeMatcher matchDetects if there is no
Authentication object in the
SecurityContextHolder, and populates it with one if needed.Detects if there is no
Authentication object in the
ReactiveSecurityContextHolder, and populates it with one if needed.Matcher which compares a pre-defined ant-style pattern against the URL (
servletPath + pathInfo) of an HttpServletRequest.Matches any supplied request.
A strategy used for converting from a
HttpServletRequest to an
Authentication of particular type.Used by
ExceptionTranslationFilter to commence an authentication scheme.Adapts a
AuthenticationEntryPoint into a AuthenticationFailureHandlerStrategy used to handle a failed authentication attempt.
A
Filter that performs authentication of a particular request.Deprecated.
Use
AuthenticationPrincipal instead.Deprecated.
Use
AuthenticationPrincipalArgumentResolver
instead.Allows resolving the
Authentication.getPrincipal() using the
AuthenticationPrincipal annotation.Resolves the Authentication
Strategy used to handle a successful user authentication.
Application event which indicates that a user context switch.
A
WebFilter that performs authentication of a particular request.An authorization filter that restricts access to the URL using
AuthorizationManager.An implementation of
WebInvocationPrivilegeEvaluator which delegates the checks
to an instance of AuthorizationManagerUsed to transform the
HttpServletRequest prior to passing it into the
AuthorizationManager.Converts from a HttpServletRequest to
UsernamePasswordAuthenticationToken that
can be authenticated.Used by the
ExceptionTranslationFilter to commence authentication via the
BasicAuthenticationFilter.Processes a HTTP request's BASIC authorization headers, putting the result into the
SecurityContextHolder.Inserts headers to prevent caching if no cache control headers have been specified.
Writes cache control related headers.
Uses
HttpServletRequest.changeSessionId() to protect against session fixation
attacks.Decides whether a web channel provides sufficient security.
Implementation of
ChannelDecisionManager.May be used by a
ChannelProcessor to launch a web channel.Ensures a web request is delivered over the required channel.
Decides whether a web channel meets a specific security condition.
Provides support for Clear
Site Data.
Represents the directive values expected by the
ClearSiteDataHeaderWriter.
Writes the
Clear-Site-Data response header when the request is secure.
Represents the directive values expected by the
ClearSiteDataServerHttpHeadersWriterA
HeaderWriter that delegates to several other HeaderWriters.Performs a logout through all the
LogoutHandler implementations.A
RequestRejectedHandler that delegates to several other
RequestRejectedHandlers.Combines multiple
ServerHttpHeadersWriter instances into a single instance.A
SessionAuthenticationStrategy that accepts multiple
SessionAuthenticationStrategy implementations to delegate to.Strategy which handles concurrent session-control.
Filter required by concurrent session handling package.
Provides support for Content Security Policy
(CSP) Level 2.
Writes the
Contet-Security-Policy response header with configured policy
directives.Adds X-Content-Type-Options: nosniff
A logout handler which clears either - A defined list of cookie names, using the
context path as the cookie path OR - A given list of Cookies
A
CsrfTokenRepository that persists the CSRF token in a cookie named
"XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of
AngularJS.An Implementation of
RequestCache which saves the original request URI in a
cookie.A
ServerCsrfTokenRepository that persists the CSRF token in a cookie named
"XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of
AngularJS.An implementation of
ServerRequestCache that saves the requested URI in a
cookie.Inserts Cross-Origin-Embedder-Policy header.
Inserts Cross-Origin-Embedder-Policy headers.
Inserts the Cross-Origin-Opener-Policy header
Inserts Cross-Origin-Opener-Policy header.
Inserts Cross-Origin-Resource-Policy header
Inserts Cross-Origin-Resource-Policy headers.
CsrfAuthenticationStrategy is in charge of removing the CsrfToken upon
authenticating.Thrown when an invalid or missing
CsrfToken is found in the HttpServletRequestThrown when an invalid or missing
CsrfToken is found in the HttpServletRequest
Applies
CSRF
protection using a synchronizer token pattern.
CsrfLogoutHandler is in charge of removing the CsrfToken upon logout.Integration with Spring Web MVC that automatically adds the
CsrfToken into
forms with hidden inputs when using Spring tag libraries.CsrfServerLogoutHandler is in charge of removing the CsrfToken upon
logout.Provides the information about an expected CSRF token.
Allows resolving the current
CsrfToken.An API to allow changing the method in which the expected
CsrfToken is
associated to the HttpServletRequest.An implementation of the
CsrfTokenRequestHandler interface that is capable of
making the CsrfToken available as a request attribute and resolving the token
value as either a header or parameter value of the request.A callback interface that is used to make the
CsrfToken created by the
CsrfTokenRepository available as a request attribute.Implementations of this interface are capable of resolving the token value of a
CsrfToken from the provided HttpServletRequest.
Applies
CSRF
protection using a synchronizer token pattern.
Allows resolving the
SecurityContext using the CurrentSecurityContext
annotation.Resolves the
SecurityContextSpring Security debugging filter.
A CSRF token that is used to protect against CSRF attacks.
A CSRF token that is used to protect against CSRF attacks.
Default implementation of FilterInvocationDefinitionSource.
User's should consider using
StrictHttpFirewall because rather than trying to
sanitize a malicious URL it rejects the malicious URL providing better security
guarantees.A
SecurityExpressionHandler that uses a RequestAuthorizationContext to
create a WebSecurityExpressionRoot.For internal use with namespace configuration in the case where a user doesn't
configure a login page.
Generates a default log out page.
Simple implementation of RedirectStrategy which is the default used throughout
the framework.
Default implementation of
RequestRejectedHandler that simply rethrows the
exception.Represents central information from a
HttpServletRequest.Standard implementation of
SecurityFilterChain.The default
ServerRedirectStrategy to use.Deprecated.
An interface that allows delayed access to a
CsrfToken that may be generated.An
AccessDeniedHandler that delegates to other AccessDeniedHandler
instances based upon the type of AccessDeniedException passed into
DelegatingAccessDeniedHandler.handle(HttpServletRequest, HttpServletResponse, AccessDeniedException).An
AuthenticationEntryPoint which selects a concrete
AuthenticationEntryPoint based on a RequestMatcher evaluation.An
AuthenticationFailureHandler that delegates to other
AuthenticationFailureHandler instances based upon the type of
AuthenticationException passed into
DelegatingAuthenticationFailureHandler.onAuthenticationFailure(HttpServletRequest, HttpServletResponse, AuthenticationException)
.Delegates to logout handlers based on matched request matchers
Delegates to the provided
HeaderWriter when
RequestMatcher.matches(HttpServletRequest) returns true.A
ServerAuthenticationEntryPoint which delegates to multiple
ServerAuthenticationEntryPoint based on a ServerWebExchangeMatcherDelegates to a collection of
ServerAuthenticationSuccessHandler
implementations.Delegates to a collection of
ServerLogoutHandler implementations.Used by the
SecurityEnforcementFilter to commence authentication via the
DigestAuthenticationFilter.Processes a HTTP request's Digest authorization headers, putting the result into the
SecurityContextHolder.Disables encoding URLs using the
HttpServletResponse to prevent including the
session id in URLs which is not considered URL because the session id can be leaked in
things like HTTP access logs.Checks the
DispatcherType to decide whether to match a given request.A RequestMatcher implementation which uses a SpEL expression
Adapter that wraps an
Enumeration around a Java 2 collection
Iterator.Uses the internal map of exceptions types to URLs to determine the destination on
authentication failure.
Handles any
AccessDeniedException and AuthenticationException
thrown within the filter chain.Web filter that redirects requests that match
ServerWebExchangeMatcher to the
specified URL.Expression-based
FilterInvocationSecurityMetadataSource.Utility class to generate HTTP dates.
Provides support for Feature
Policy.
Writes the
Feature-Policy response header with configured policy directives.Delegates
Filter requests to a list of Spring-managed filter beans.A strategy for decorating the provided filter chain with one that accounts for the
SecurityFilterChain for a given request.A
FilterChainProxy.FilterChainDecorator that uses the FilterChainProxy.VirtualFilterChainHolds objects associated with a HTTP filter.
Marker interface for
SecurityMetadataSource implementations that are
designed to perform lookups keyed on FilterInvocations.Deprecated.
Use
AuthorizationFilter insteadRequest wrapper which is returned by the
HttpFirewall interface.Eagerly creates
HttpSession if it does not already exist.
Forward Authentication Failure Handler
Forward Authentication Success Handler
LogoutSuccessHandler implementation that will perform a request dispatcher
"forward" to the specified target URL.Transforms by passing it into
HandlerMappingIntrospector.setCache(HttpServletRequest).Represents a Header to be added to the
HttpServletResponseContract for writing headers to a
HttpServletResponseFilter implementation to add headers to the current response.
A
ServerLogoutHandler implementation which writes HTTP headers during logout.Deprecated.
see Certificate
and Public Key Pinning for more context
Provides support for HTTP Strict
Transport Security (HSTS).
In the pre-authenticated authentication case (unlike CAS, for example) the user will
already have been identified through some external mechanism and a secure context
established by the time the security-enforcement filter is invoked.
Prompts a user for HTTP Basic authentication.
Interface which can be used to reject potentially dangerous requests and/or wrap them
to control their behaviour.
Invokes a
ServerHttpHeadersWriter on
ReactiveHttpOutputMessage.beforeCommit(java.util.function.Supplier).Published by the
HttpSessionEventPublisher when an HttpSession is
created by the containerPublished by the
HttpSessionEventPublisher when a HttpSession is removed from
the containerDeclared in web.xml as
Published by the
HttpSessionEventPublisher when an HttpSession ID is
changed.RequestCache which stores the SavedRequest in the HttpSession.A
SecurityContextRepository implementation which stores the security context in
the HttpSession between requests.Redirects any non-HTTPS request to its HTTPS equivalent.
An
AuthenticationEntryPoint that sends a generic HttpStatus as a
response.A simple implementation of
RequestRejectedHandler that sends an error with
configurable status code.Implementation of the
LogoutSuccessHandler.Implementation of the
ServerLogoutSuccessHandler.Sets the provided HTTP Status when access is denied.
A
ServerAuthenticationEntryPoint that sends a generic HttpStatus as a
response.Simple PersistentTokenRepository implementation backed by a Map.
Ensures channel security is inactive by review of
HttpServletRequest.isSecure() responses.Exception thrown by a RememberMeServices implementation to indicate that a submitted
cookie is of an invalid format or has expired.
Thrown when an expected
CsrfToken exists, but it does not match the value
present on the HttpServletRequestAn adapter of
InvalidSessionStrategy to AccessDeniedHandlerDetermines the behaviour of the
SessionManagementFilter when an invalid session
Id is submitted and detected in the SessionManagementFilter.Matches a request based on IP Address or subnet mask matching against the remote
address.
A
ReactiveAuthorizationManager, that determines if the current request contains
the specified address or range of addressesMatches a request based on IP Address or subnet mask matching against the remote
address.
Implementation of AuthenticationDetailsSource which converts the user's J2EE roles (as
obtained by calling
HttpServletRequest.isUserInRole(String)) into
GrantedAuthoritys and stores these in the authentication details object.This AbstractPreAuthenticatedProcessingFilter implementation is based on the J2EE
container-based authentication mechanism.
A
Filter which attempts to obtain a JAAS Subject and continue
the FilterChain running as that Subject.JDBC based persistent login token repository implementation.
Deprecated.
Generates a default log in page used for authenticating users.
Used by the
ExceptionTranslationFilter to commence a form login authentication
via the UsernamePasswordAuthenticationFilter.Logs a principal out.
Indicates a class that is able to participate in logout handling.
Generates a default log out page.
A logout handler which publishes
LogoutSuccessEventStrategy that is called after a successful logout by the
LogoutFilter, to
handle redirection or forwarding to the appropriate destination.If the request matches, logs an authenticated user out by delegating to a
ServerLogoutHandler.A
SecurityWebFilterChain that leverages a ServerWebExchangeMatcher to
determine which WebFilter to execute.Allows matching
HttpServletRequest based upon the MediaType's resolved
from a ContentNegotiationStrategy.Matches based upon the accept headers.
Thrown when no expected
CsrfToken is found but is required.A
RequestMatcher that uses Spring MVC's HandlerMappingIntrospector to
match the path and extract variables.A builder for
MvcRequestMatcherA
RequestMatcher that will negate the RequestMatcher passed in.Negates the provided matcher.
Thrown if an authentication request is rejected because the digest nonce has expired.
An
AccessDeniedHandler implementation that does nothing.An
AuthenticationEntryPoint implementation that does nothing.An implementation of
ServerRequestCache that does nothing.A do nothing implementation of
ServerSecurityContextRepository.Implementation of
NullRememberMeServices that does nothing.Null implementation of RequestCache.
A
FilterChainProxy.FilterChainDecorator that
wraps the chain in before and after observationsA
WebFilterChainProxy.WebFilterChainDecorator
that wraps the chain in before and after observationsBase class for response wrappers which encapsulate the logic for handling an event when
the
HttpServletResponse is committed.RequestMatcher that will return true if any of the passed in
RequestMatcher instances match.Matches if any of the provided
ServerWebExchangeMatcher matchMatches if the
PathPattern matches the path within the application.Provides support for
Permisisons Policy.
Writes the
Permissions-Policy response header with configured policy
directives.RememberMeServices implementation based on Barry Jaspan's
Improved
Persistent Login Cookie Best Practice.The abstraction used by
PersistentTokenBasedRememberMeServices to store the
persistent login tokens for a user.PortMapper implementations provide callers with information about which
HTTP ports are associated with which HTTPS ports on the system, and vice versa.Concrete implementation of
PortMapper that obtains HTTP:HTTPS pairs from the
application context.A
PortResolver determines the port a web request was received on.Concrete implementation of
PortResolver that obtains the port from
ServletRequest.getServerPort().
Processes a pre-authenticated authentication request.
Authentication implementation for
pre-authenticated authentication.
This AuthenticationUserDetailsService implementation creates a UserDetails object based
solely on the information contained in the given PreAuthenticatedAuthenticationToken.
This WebAuthenticationDetails implementation allows for storing a list of
pre-authenticated Granted Authorities.
Reactive version of
PreAuthenticatedAuthenticationProvider
This manager receives a PreAuthenticatedAuthenticationToken, checks that
associated account is not disabled, expired, or blocked, and returns new authenticated
PreAuthenticatedAuthenticationToken.Uses a
ServerSecurityContextRepository to provide the SecurityContext
to initialize the ReactiveSecurityContextHolder.Performs a redirect to a specified location.
Performs a redirect to a specified location.
Performs a redirect on authentication success.
Performs a redirect on log out success.
Encapsulates the redirection logic for all classes in the framework which perform
redirects.
Internal class for building redirect URLs.
Provides support for Referrer
Policy.
Writes the
Referrer-Policy response header.Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
Uses a regular expression to decide whether a supplied the URL of a supplied
HttpServletRequest.Strategy used to register a user with the
SessionRegistry after successful
Authentication.This exception is thrown when an
Authentication exception occurs while using
the remember-me authentication.Detects if there is no
Authentication object in the SecurityContext,
and populates the context with a remember-me authentication token if a
RememberMeServices implementation so requests.Implement by a class that is capable of providing a remember-me service.
A simple pre-authenticated filter which obtains the username from request attributes,
for use with SSO systems such as
Stanford
WebAuth or Shibboleth.
Stores the
SecurityContext on a
ServletRequest.setAttribute(String, Object) so that it can be
restored when different dispatch types occur.An
HttpServletRequest authorization context.Implements "saved request" logic, allowing a single request to be retrieved and
restarted after redirecting to an authentication mechanism.
Responsible for reconstituting the saved request if one is cached and it matches the
current request.
Performs a redirect to the original request URL when an invalid requested session is
detected by the
SessionManagementFilter.A simple pre-authenticated filter which obtains the username from a request header, for
use with systems such as CA Siteminder.
A
RequestMatcher that can be used to match request that contain a header with
an expected header name and an expected value.Simple strategy to match an HttpServletRequest.
The result of matching against an HttpServletRequest Contains the status, true or
false, of the match and if present, any variables extracted from the match
An
AccessDeniedHandler that delegates to other AccessDeniedHandler
instances based upon the type of HttpServletRequest passed into
RequestMatcherDelegatingAccessDeniedHandler.handle(HttpServletRequest, HttpServletResponse, AccessDeniedException).An
AuthenticationManagerResolver that returns a AuthenticationManager
instances based upon the type of HttpServletRequest passed into
RequestMatcherDelegatingAuthenticationManagerResolver.resolve(HttpServletRequest).A builder for
RequestMatcherDelegatingAuthenticationManagerResolver.An
AuthorizationManager which delegates to a specific
AuthorizationManager based on a RequestMatcher evaluation.A builder for
RequestMatcherDelegatingAuthorizationManager.A
WebInvocationPrivilegeEvaluator which delegates to a list of
WebInvocationPrivilegeEvaluator based on a
RequestMatcher evaluationPropertyEditor which creates ELRequestMatcher instances from Strings
This allows to use a String in a BeanDefinition instead of an (inner) bean if a
RequestMatcher is required, e.g.
A rich object for associating a
RequestMatcher to another object.Filter that redirects requests that match
RequestMatcher to the specified URL.A factory class to create
RequestMatcher instances.Used by
FilterChainProxy to handle an
RequestRejectedException.Deprecated.
Commences an insecure channel by retrying the original request using HTTP.
Commences a secure channel by retrying the original request using HTTPS.
Deprecated.
Stores off the values of a cookie in a serializable holder
Encapsulates the functionality required of a cached request for both an authentication
mechanism (typically form-based login) to redirect to the original URL and for a
RequestCache to build a wrapped request, reproducing the original request
data.
An authentication success strategy which can make use of the
DefaultSavedRequest which may
have been stored in the session by the ExceptionTranslationFilter.Ensures channel security is active by review of
HttpServletRequest.isSecure() responses.
Allows for integration with Spring MVC's
Callable support.A
Filter which populates the ServletRequest with a request
wrapper which implements the servlet API security methods.A Spring Security-aware
HttpServletRequestWrapper, which uses the
SecurityContext-defined Authentication object to implement
the servlet API security methods:
SecurityContextHolderAwareRequestWrapper.getUserPrincipal()
SecurityContextHolderAwareRequestWrapper.isUserInRole(String)
HttpServletRequestWrapper.getRemoteUser().
A
Filter that uses the SecurityContextRepository to
obtain the SecurityContext and set it on the SecurityContextHolder.Performs a logout by modifying the
SecurityContextHolder.Deprecated.
Strategy used for persisting a
SecurityContext between requests.A
ServerLogoutHandler which removes the SecurityContext using the provided
ServerSecurityContextRepositoryOverrides the
ServerWebExchange.getPrincipal() with the provided
SecurityContextOverride the
ServerWebExchange.getPrincipal() to be looked up using
ReactiveSecurityContextHolder.Defines a filter chain which is capable of being matched against an
HttpServletRequest.Utilities for interacting with
HttpHeadersSpring Security extension to Spring's
WebApplicationContextUtils.Defines a filter chain which is capable of being matched against a
ServerWebExchange in order to decide whether it applies to that request.A strategy used for converting from a
ServerWebExchange to an
Authentication used for authenticating with a provided
ReactiveAuthenticationManager.Used to request authentication
Adapts a
ServerAuthenticationEntryPoint into a
ServerAuthenticationFailureHandlerHandles authentication failure
Handles authentication success
An API to allow changing the method in which the expected
CsrfToken is
associated to the ServerWebExchange.An implementation of the
ServerCsrfTokenRequestHandler interface that is
capable of making the CsrfToken available as an exchange attribute and
resolving the token value as either a form data value or header of the request.A callback interface that is used to make the
CsrfToken created by the
ServerCsrfTokenRepository available as an exchange attribute.Implementations of this interface are capable of resolving the token value of a
CsrfToken from the provided ServerWebExchange.Converts a ServerWebExchange into a UsernamePasswordAuthenticationToken from the form
data HTTP parameters.
Deprecated.
use
ServerFormLoginAuthenticationConverter
instead.Converts from a
ServerWebExchange to an Authentication that can be
authenticated.Deprecated.
Use
ServerHttpBasicAuthenticationConverter
instead.Interface for writing headers just before the response is committed.
Handles log out
Strategy for when log out was successfully performed (typically after
ServerLogoutHandler is invoked).A strategy for performing redirects.
Saves a
ServerHttpRequest so it can be "replayed" later.A
WebFilter that replays any matching request in ServerRequestCacheStrategy used for persisting a
SecurityContext between requests.A
ReactiveAuthenticationManagerResolver that returns a
ReactiveAuthenticationManager instances based upon the type of
ServerWebExchange passed into ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.resolve(ServerWebExchange).A builder for
RequestMatcherDelegatingAuthenticationManagerResolver.A
ServerAccessDeniedHandler which delegates to multiple
ServerAccessDeniedHandlers based on a ServerWebExchangeMatcherDelegates to a provided
ServerHttpHeadersWriter if
ServerWebExchangeMatcher.matches(ServerWebExchange) returns a match.An interface for determining if a
ServerWebExchangeMatcher matches.The result of matching
A rich object for associating a
ServerWebExchangeMatcher to another object.Provides factory methods for creating common
ServerWebExchangeMatcherConverts from a
SslInfo provided by a request to an
PreAuthenticatedAuthenticationToken that can be authenticated.Thrown by an SessionAuthenticationStrategy to indicate that an authentication
object is not valid for the current session, typically because the same user has
exceeded the number of sessions they are allowed to have concurrently.
Allows pluggable support for HttpSession-related behaviour when an authentication
occurs.
Indicates a session ID was changed for the purposes of session fixation protection.
Uses
HttpServletRequest.invalidate() to protect against session fixation
attacks.An event for when a
SessionInformation is expired.Determines the behaviour of the
ConcurrentSessionFilter when an expired session
is detected in the ConcurrentSessionFilter.Detects that a user has been authenticated since the start of the request and, if they
have, calls the configured
SessionAuthenticationStrategy to perform any
session-related activity such as activating session-fixation protection mechanisms or
checking for multiple concurrent logins.Performs a redirect to a fixed URL when an invalid requested session is detected by the
SessionManagementFilter.Performs a redirect to a fixed URL when an expired session is detected by the
ConcurrentSessionFilter.A Bean implementation of SavedRequest
AuthenticationFailureHandler which performs a redirect to the value of the
defaultFailureUrl property when the
onAuthenticationFailure method is called.AuthenticationSuccessHandler which can be configured with a default URL which
users should be sent to upon successful authentication.
Handles the navigation on logout by delegating to the
AbstractAuthenticationTargetUrlRequestHandler base class logic.Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
HeaderWriter implementation which writes the same Header instance.Allows specifying
HttpHeaders that should be written to the response.
A strict implementation of
HttpFirewall that rejects any suspicious requests
with a RequestRejectedException.Writes the Strict-Transport-Security if the request is secure.
Obtains the principal from a certificate using a regular expression match against the
Subject (as returned by a call to
X509Certificate.getSubjectDN()).Allows subclasses to modify the
GrantedAuthority list that will be assigned to
the principal when they assume the identity of a different principal.Switch User processing filter responsible for user context switching.
Custom
GrantedAuthority used by
SwitchUserFilterSwitch User processing filter responsible for user context switching.
Internal utility for escaping characters in HTML strings.
Handler for analyzing
Throwable instances.Interface for handlers extracting the cause out of a specific
Throwable type.Identifies previously remembered users by a Base-64 encoded cookie.
Provides static methods for composing URLs.
Processes an authentication form submission.
Provides integration between the
SecurityContext and Spring Web's
WebAsyncManager by using the
SecurityContextCallableProcessingInterceptor.beforeConcurrentHandling(org.springframework.web.context.request.NativeWebRequest, Callable)
to populate the SecurityContext on the Callable.Well-known keys which are used to store Spring Security information in request or
session scope.
A holder of selected HTTP details related to a web authentication request.
Implementation of
AuthenticationDetailsSource which builds the details object
from an HttpServletRequest object, creating a WebAuthenticationDetails
.An expression-based
AuthorizationManager that determines the access by
evaluating the provided expression.Deprecated.
Use
WebExpressionAuthorizationManager insteadUsed to delegate to a List of
SecurityWebFilterChain instances.A
WebFilterChainProxy.WebFilterChainDecorator that uses the DefaultWebFilterChainA strategy for decorating the provided filter chain with one that accounts for the
SecurityFilterChain for a given request.Success handler that continues the filter chain after authentication success.
A composite of the
ServerWebExchange and the WebFilterChain.Allows users to determine whether they have privileges for a given web URI.
Jackson module for spring-security-web.
Jackson module for spring-security-web-flux.
Jackson module for spring-security-web related to servlet.
A
ServerLogoutHandler which invalidates the active WebSession.Stores the
SecurityContext in the
WebSession.This AbstractPreAuthenticatedProcessingFilter implementation is based on WebSphere
authentication.
This AuthenticationDetailsSource implementation will set the pre-authenticated granted
authorities based on the WebSphere groups for the current WebSphere user, mapped using
the configured Attributes2GrantedAuthoritiesMapper.
This MappableAttributesRetriever implementation reads the list of defined J2EE
roles from a web.xml file and returns these from {
WebXmlMappableAttributesRetriever.getMappableAttributes().Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern
browsers.
Obtains the principal from an X509Certificate for use within the framework.
A
StaticHeadersWriter that inserts headers to prevent content sniffing.Adds X-Content-Type-Options: nosniff
HeaderWriter implementation for the X-Frame-Options headers.The possible values for the X-Frame-Options header.
ServerHttpHeadersWriter implementation for the X-Frame-Options headers.The X-Frame-Options values.
An implementation of the
CsrfTokenRequestHandler interface that is capable of
masking the value of the CsrfToken on each request and resolving the raw token
value from the masked value as either a header or parameter value of the request.An implementation of the
ServerCsrfTokenRequestAttributeHandler and
ServerCsrfTokenRequestResolver interfaces that is capable of masking the value
of the CsrfToken on each request and resolving the raw token value from the
masked value as either a form data value or header of the request.Renders the X-XSS-Protection header.
The value of the x-xss-protection header.
Add the x-xss-protection header.
The value of the x-xss-protection header.