All Classes and Interfaces
Class
Description
Abstract processor of browser-based HTTP-based authentication requests.
Base class containing the logic used by strategies which handle redirection to a URL and are passed an Authentication object as part of the contract.
Base class for processing filters that handle pre-authenticated authentication requests, where it is assumed that the principal has already been authenticated by an external system.
Base class for RememberMeServices implementations.
Deprecated. ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
Deprecated. Please use HttpsRedirectFilter and its associated PortMapper.
Registers the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter.
A base class for performing session fixation protection.
Used by ExceptionTranslationFilter to handle an AccessDeniedException.
Base implementation of AccessDeniedHandler.
Deprecated. ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
RequestMatcher that will return true if all of the passed in RequestMatcher instances match.
Matches if all the provided ServerWebExchangeMatcher match.
Detects if there is no Authentication object in the SecurityContextHolder, and populates it with one if needed.
Detects if there is no Authentication object in the ReactiveSecurityContextHolder, and populates it with one if needed.
Deprecated, for removal: This API element is subject to removal in a future version. Please use PathPatternRequestMatcher instead.
Matches any supplied request.
WebAuthn Relying Parties may use AttestationConveyancePreference to specify their preference regarding attestation conveyance during credential generation.
A strategy used for converting from a HttpServletRequest to an Authentication of particular type.
Used by ExceptionTranslationFilter to commence an authentication scheme.
Adapts an AuthenticationEntryPoint into an AuthenticationFailureHandler.
A client extension input entry in the AuthenticationExtensionsClientInputs.
AuthenticationExtensionsClientInputs is a dictionary containing the client extension input values for zero or more WebAuthn Extensions.
AuthenticationExtensionsClientOutputs is a dictionary containing the client extension output values for zero or more WebAuthn Extensions.
Strategy used to handle a failed authentication attempt.
A Filter that performs authentication of a particular request.
Deprecated. Use AuthenticationPrincipal instead.
Deprecated. Use AuthenticationPrincipalArgumentResolver instead.
Allows resolving the Authentication.getPrincipal() using the AuthenticationPrincipal annotation.
Resolves the Authentication.
Strategy used to handle a successful user authentication.
Application event which indicates a user context switch.
A WebFilter that performs authentication of a particular request.
The AuthenticatorAssertionResponse interface represents an authenticator's response to a client's request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of.
Builds an AuthenticatorAssertionResponse.
AuthenticatorAttestationResponse represents the authenticator's response to a client's request for the creation of a new public key credential.
Builds AuthenticatorAssertionResponse.
AuthenticatorAttachment can be used by WebAuthn Relying Parties to specify their requirements regarding authenticator attributes.
Creates an AuthenticatorSelectionCriteria.
AuthenticatorTransport defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential.
An authorization filter that restricts access to the URL using AuthorizationManager.
An implementation of WebInvocationPrivilegeEvaluator which delegates the checks to an instance of AuthorizationManager.
Used to transform the HttpServletRequest prior to passing it into the AuthorizationManager.
Converts from a HttpServletRequest to UsernamePasswordAuthenticationToken that can be authenticated.
Used by the ExceptionTranslationFilter to commence authentication via the BasicAuthenticationFilter.
Processes a HTTP request's BASIC authorization headers, putting the result into the SecurityContextHolder.
An object representation of byte[].
Inserts headers to prevent caching if no cache control headers have been specified.
Writes cache control related headers.
Uses HttpServletRequest.changeSessionId() to protect against session fixation attacks.
Deprecated. No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making.
Deprecated. No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making.
Deprecated. Please use HttpsRedirectFilter and its associated PortMapper.
Deprecated.
Deprecated.
Deprecated. No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making.
Provides support for Clear Site Data.
Represents the directive values expected by the ClearSiteDataHeaderWriter.
Writes the Clear-Site-Data response header when the request is secure.
Represents the directive values expected by the ClearSiteDataServerHttpHeadersWriter.
A HeaderWriter that delegates to several other HeaderWriters.
Performs a logout through all the LogoutHandler implementations.
A RequestRejectedHandler that delegates to several other RequestRejectedHandlers.
Combines multiple ServerHttpHeadersWriter instances into a single instance.
A SessionAuthenticationStrategy that accepts multiple SessionAuthenticationStrategy implementations to delegate to.
Strategy which handles concurrent session-control.
Controls the number of sessions a user can have concurrently authenticated in an application.
Filter required by concurrent session handling package.
Provides support for Content Security Policy (CSP) Level 2.
Writes the Content-Security-Policy response header with configured policy directives.
Adds X-Content-Type-Options: nosniff
A logout handler which clears either a defined list of cookie names, using the context path as the cookie path, or a given list of Cookies.
A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS.
An implementation of RequestCache which saves the original request URI in a cookie.
A ServerCsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS.
An implementation of ServerRequestCache that saves the requested URI in a cookie.
COSEAlgorithmIdentifier is used to identify a cryptographic algorithm.
CredentialPropertiesOutput is the Client extension output.
The output for CredentialPropertiesOutput.
Represents a Credential Record that is stored by the Relying Party after successful registration.
Implements Credential Protection (credProtect).
Inserts Cross-Origin-Embedder-Policy header.
Inserts Cross-Origin-Embedder-Policy headers.
Inserts the Cross-Origin-Opener-Policy header.
Inserts Cross-Origin-Opener-Policy header.
Inserts Cross-Origin-Resource-Policy header.
Inserts Cross-Origin-Resource-Policy headers.
CsrfAuthenticationStrategy is in charge of removing the CsrfToken upon authenticating.
Thrown when an invalid or missing CsrfToken is found in the HttpServletRequest.
Thrown when an invalid or missing CsrfToken is found in the ServerWebExchange.
Applies CSRF protection using a synchronizer token pattern.
CsrfLogoutHandler is in charge of removing the CsrfToken upon logout.
Integration with Spring Web MVC that automatically adds the CsrfToken into forms with hidden inputs when using Spring tag libraries.
CsrfServerLogoutHandler is in charge of removing the CsrfToken upon logout.
Provides the information about an expected CSRF token.
Allows resolving the current CsrfToken.
An API to allow changing the method in which the expected CsrfToken is associated to the HttpServletRequest.
An implementation of the CsrfTokenRequestHandler interface that is capable of making the CsrfToken available as a request attribute and resolving the token value as either a header or parameter value of the request.
A callback interface that is used to make the CsrfToken created by the CsrfTokenRepository available as a request attribute.
Implementations of this interface are capable of resolving the token value of a CsrfToken from the provided HttpServletRequest.
Applies CSRF protection using a synchronizer token pattern.
Allows resolving the SecurityContext using the CurrentSecurityContext annotation.
Resolves the SecurityContext.
Spring Security debugging filter.
A CSRF token that is used to protect against CSRF attacks.
A CSRF token that is used to protect against CSRF attacks.
Deprecated. In modern Spring Security APIs, each API manages its own configuration context.
Default implementation of GenerateOneTimeTokenRequestResolver.
Users should consider using StrictHttpFirewall because, rather than trying to sanitize a malicious URL, it rejects the malicious URL, providing better security guarantees.
A SecurityExpressionHandler that uses a RequestAuthorizationContext to create a WebSecurityExpressionRoot.
For internal use with namespace configuration in the case where a user doesn't configure a login page.
Generates a default log out page.
Creates a default one-time token submit page.
Simple implementation of RedirectStrategy which is the default used throughout the framework.
Default implementation of RequestRejectedHandler that simply rethrows the exception.
Serve common static assets used in default UIs, such as CSS or Javascript files.
Serve common static assets used in default UIs, such as CSS or Javascript files.
Represents central information from a HttpServletRequest.
Standard implementation of SecurityFilterChain.
Default implementation of ServerGenerateOneTimeTokenRequestResolver.
The default ServerRedirectStrategy to use.
A Filter that renders a default WebAuthn registration page.
Deprecated.
An interface that allows delayed access to a CsrfToken that may be generated.
An AccessDeniedHandler that delegates to other AccessDeniedHandler instances based upon the type of AccessDeniedException passed into DelegatingAccessDeniedHandler.handle(HttpServletRequest, HttpServletResponse, AccessDeniedException).
An AuthenticationConverter that iterates over multiple AuthenticationConverter instances.
An AuthenticationEntryPoint which selects a concrete AuthenticationEntryPoint based on a RequestMatcher evaluation.
An AuthenticationFailureHandler that delegates to other AuthenticationFailureHandler instances based upon the type of AuthenticationException passed into DelegatingAuthenticationFailureHandler.onAuthenticationFailure(HttpServletRequest, HttpServletResponse, AuthenticationException).
Delegates to logout handlers based on matched request matchers.
Delegates to the provided HeaderWriter when RequestMatcher.matches(HttpServletRequest) returns true.
A ServerAuthenticationConverter that delegates to other ServerAuthenticationConverter instances.
A ServerAuthenticationEntryPoint which delegates to multiple ServerAuthenticationEntryPoint based on a ServerWebExchangeMatcher.
Delegates to a collection of ServerAuthenticationSuccessHandler implementations.
Delegates to a collection of ServerLogoutHandler implementations.
Used by the SecurityEnforcementFilter to commence authentication via the DigestAuthenticationFilter.
Processes a HTTP request's Digest authorization headers, putting the result into the SecurityContextHolder.
Disables encoding URLs using the HttpServletResponse to prevent including the session id in URLs, which is not considered secure because the session id can be leaked in things like HTTP access logs.
Checks the DispatcherType to decide whether to match a given request.
A RequestMatcher implementation which uses a SpEL expression.
Adapter that wraps an Enumeration around a Java 2 collection Iterator.
Uses the internal map of exception types to URLs to determine the destination on authentication failure.
Handles any AccessDeniedException and AuthenticationException thrown within the filter chain.
Web filter that redirects requests that match ServerWebExchangeMatcher to the specified URL.
Deprecated. In modern Spring Security APIs, each API manages its own configuration context.
Utility class to generate HTTP dates.
Provides support for Feature Policy.
Writes the Feature-Policy response header with configured policy directives.
Delegates Filter requests to a list of Spring-managed filter beans.
A strategy for decorating the provided filter chain with one that accounts for the SecurityFilterChain for a given request.
A FilterChainProxy.FilterChainDecorator that uses the FilterChainProxy.VirtualFilterChain.
Holds objects associated with a HTTP filter.
Deprecated. In modern Spring Security APIs, each API manages its own configuration context.
Deprecated. Use AuthorizationFilter instead.
Request wrapper which is returned by the HttpFirewall interface.
Eagerly creates HttpSession if it does not already exist.
Redirect using an auto-submitting HTML form using the POST method.
Redirect using an auto-submitting HTML form using the POST method.
Forward Authentication Failure Handler
Forward Authentication Success Handler
LogoutSuccessHandler implementation that will perform a request dispatcher "forward" to the specified target URL.
Filter that processes a One-Time Token generation request.
A strategy for resolving a GenerateOneTimeTokenRequest from the HttpServletRequest.
WebFilter implementation that processes a One-Time Token generation request.
Deprecated, for removal: This API element is subject to removal in a future version. Please use PathPatternRequestTransformer instead.
Checks if the provided password was leaked by relying on Have I Been Pwned REST API.
Checks if the provided password was leaked by relying on Have I Been Pwned REST API.
Represents a Header to be added to the HttpServletResponse.
Contract for writing headers to a HttpServletResponse.
Filter implementation to add headers to the current response.
A ServerLogoutHandler implementation which writes HTTP headers during logout.
Deprecated. See Certificate and Public Key Pinning for more context.
Provides support for HTTP Strict Transport Security (HSTS).
In the pre-authenticated authentication case (unlike CAS, for example) the user will already have been identified through some external mechanism and a secure context established by the time the security-enforcement filter is invoked.
Prompts a user for HTTP Basic authentication.
Interface which can be used to reject potentially dangerous requests and/or wrap them to control their behaviour.
Invokes a ServerHttpHeadersWriter on ReactiveHttpOutputMessage.beforeCommit(java.util.function.Supplier).
An AuthenticationSuccessHandler that writes a JSON response with the redirect URL and an authenticated status similar to:
{
"redirectUrl": "/user/profile",
"authenticated": true
}
A response object used to write the JSON response for successful authentication.
Published by the HttpSessionEventPublisher when an HttpSession is created by the container.
Published by the HttpSessionEventPublisher when a HttpSession is removed from the container.
Declared in web.xml as
Published by the HttpSessionEventPublisher when an HttpSession ID is changed.
A PublicKeyCredentialRequestOptionsRepository that stores the PublicKeyCredentialRequestOptions in the HttpSession.
RequestCache which stores the SavedRequest in the HttpSession.
A SecurityContextRepository implementation which stores the security context in the HttpSession between requests.
Redirects any non-HTTPS request to its HTTPS equivalent.
Redirects any non-HTTPS request to its HTTPS equivalent.
An AccessDeniedHandler that sends an HttpStatus as a response.
An AuthenticationEntryPoint that sends a generic HttpStatus as a response.
A simple implementation of ServerExchangeRejectedHandler that sends an error with configurable status code.
A simple implementation of RequestRejectedHandler that sends an error with configurable status code.
Implementation of the LogoutSuccessHandler.
Implementation of the ServerLogoutSuccessHandler.
Sets the provided HTTP Status when access is denied.
A ServerAuthenticationEntryPoint that sends a generic HttpStatus as a response.
An immutable AuthenticationExtensionsClientInput.
An immutable implementation of AuthenticationExtensionsClientInputs.
An immutable implementation of AuthenticationExtensionsClientOutputs.
An immutable CredentialRecord.
An immutable PublicKeyCose.
An immutable implementation of PublicKeyCredentialCreationOptionsRequest.
PublicKeyCredentialUserEntity is used to supply additional user account attributes when creating a new credential.
Used to build PublicKeyCredentialUserEntity.
Contains the information necessary to register a new Credential.
Simple PersistentTokenRepository implementation backed by a Map.
Deprecated. No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making.
Implementation of ServerMaximumSessionsExceededHandler that invalidates the least recently used ReactiveSessionInformation and removes the related sessions from the WebSessionStore.
Exception thrown by a RememberMeServices implementation to indicate that a submitted cookie is of an invalid format or has expired.
Thrown when an expected CsrfToken exists, but it does not match the value present on the HttpServletRequest.
An adapter of InvalidSessionStrategy to AccessDeniedHandler.
Determines the behaviour of the SessionManagementFilter when an invalid session Id is submitted and detected in the SessionManagementFilter.
An AuthorizationManager that determines if the current request contains the specified address or range of addresses.
Matches a request based on IP Address or subnet mask matching against the remote address.
A ReactiveAuthorizationManager that determines if the current request contains the specified address or range of addresses.
Matches a request based on IP Address or subnet mask matching against the remote address.
Implementation of AuthenticationDetailsSource which converts the user's J2EE roles (as obtained by calling HttpServletRequest.isUserInRole(String)) into GrantedAuthoritys and stores these in the authentication details object.
This AbstractPreAuthenticatedProcessingFilter implementation is based on the J2EE container-based authentication mechanism.
A Filter which attempts to obtain a JAAS Subject and continue the FilterChain running as that Subject.
A JDBC implementation of a PublicKeyCredentialUserEntityRepository that uses a JdbcOperations for PublicKeyCredentialUserEntity persistence.
JDBC based persistent login token repository implementation.
A JDBC implementation of a UserCredentialRepository that uses a JdbcOperations for CredentialRecord persistence.
Deprecated.
Generates a default log in page used for authenticating users.
Used by the ExceptionTranslationFilter to commence a form login authentication via the UsernamePasswordAuthenticationFilter.
Logs a principal out.
Indicates a class that is able to participate in logout handling.
Generates a default log out page.
A logout handler which publishes LogoutSuccessEvent.
Strategy that is called after a successful logout by the LogoutFilter, to handle redirection or forwarding to the appropriate destination.
If the request matches, logs an authenticated user out by delegating to a ServerLogoutHandler.
A Map based implementation of PublicKeyCredentialUserEntityRepository.
A Map based implementation of UserCredentialRepository.
A SecurityWebFilterChain that leverages a ServerWebExchangeMatcher to determine which WebFilter to execute.
Allows matching HttpServletRequest based upon the MediaTypes resolved from a ContentNegotiationStrategy.
Matches based upon the accept headers.
Thrown when no expected CsrfToken is found but is required.
Deprecated, for removal: This API element is subject to removal in a future version. Please use PathPatternRequestMatcher instead.
A builder for MvcRequestMatcher.
A RequestMatcher that will negate the RequestMatcher passed in.
Negates the provided matcher.
Thrown if an authentication request is rejected because the digest nonce has expired.
An AccessDeniedHandler implementation that does nothing.
An AuthenticationEntryPoint implementation that does nothing.
An implementation of ServerRequestCache that does nothing.
A do nothing implementation of ServerSecurityContextRepository.
Implementation of NullRememberMeServices that does nothing.
Null implementation of RequestCache.
A FilterChainProxy.FilterChainDecorator that wraps the chain in before and after observations.
A WebFilterChainProxy.WebFilterChainDecorator that wraps the chain in before and after observations.
Base class for response wrappers which encapsulate the logic for handling an event when the HttpServletResponse is committed.
An implementation of AuthenticationConverter that detects if the request contains a token parameter and constructs a OneTimeTokenAuthenticationToken with it.
Filter that processes a one-time token for log in.
Defines a strategy to handle generated one-time tokens.
Creates a default one-time token submit page.
RequestMatcher that will return true if any of the passed in RequestMatcher instances match.
Matches if any of the provided ServerWebExchangeMatcher match.
A RequestMatcher for matching on a request parameter and its value.
Matches if the PathPattern matches the path within the application.
A builder for specifying various elements of a request for the purpose of creating a PathPatternRequestMatcher.
Prepares the privilege evaluator's request for PathPatternRequestMatcher authorization rules.
Provides support for Permissions Policy.
Writes the Permissions-Policy response header with configured policy directives.
RememberMeServices implementation based on Barry Jaspan's Improved Persistent Login Cookie Best Practice.
The abstraction used by PersistentTokenBasedRememberMeServices to store the persistent login tokens for a user.
PortMapper implementations provide callers with information about which HTTP ports are associated with which HTTPS ports on the system, and vice versa.
Concrete implementation of PortMapper that obtains HTTP:HTTPS pairs from the application context.
Deprecated, for removal: This API element is subject to removal in a future version. This existed for an old IE bug and is no longer needed.
Deprecated, for removal: This API element is subject to removal in a future version. This existed for an old IE bug and is no longer needed.
Processes a pre-authenticated authentication request.
Authentication implementation for pre-authenticated authentication.
This AuthenticationUserDetailsService implementation creates a UserDetails object based solely on the information contained in the given PreAuthenticatedAuthenticationToken.
This WebAuthenticationDetails implementation allows for storing a list of pre-authenticated Granted Authorities.
Returns a Mono that terminates with SessionAuthenticationException when the maximum number of sessions for a user has been reached.
PublicKeyCredential contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.
Represents the PublicKeyCredentialCreationOptions which is an argument to creating a new credential.
Used to build PublicKeyCredentialCreationOptions.
Saves PublicKeyCredentialCreationOptions between a request to generate an assertion and the validation of the assertion.
A request to create a new PublicKeyCredentialCreationOptions.
PublicKeyCredentialDescriptor identifies a specific public key credential.
Used to create PublicKeyCredentialDescriptor.
The PublicKeyCredentialParameters is used to supply additional parameters when creating a new credential.
PublicKeyCredentialRequestOptions contains the information to create an assertion used for authentication.
Used to build a PublicKeyCredentialCreationOptions.
Saves PublicKeyCredentialRequestOptions between a request to generate an assertion and the validation of the assertion.
The PublicKeyCredentialRpEntity dictionary is used to supply additional Relying Party attributes when creating a new credential.
Used to create a PublicKeyCredentialRpEntity.
The PublicKeyCredentialType defines the credential types.
PublicKeyCredentialUserEntity is used to supply additional user account attributes when creating a new credential.
A repository for managing PublicKeyCredentialUserEntity instances.
Reactive version of PreAuthenticatedAuthenticationProvider. This manager receives a PreAuthenticatedAuthenticationToken, checks that the associated account is not disabled, expired, or blocked, and returns a new authenticated PreAuthenticatedAuthenticationToken.
Uses a ServerSecurityContextRepository to provide the SecurityContext to initialize the ReactiveSecurityContextHolder.
A OneTimeTokenGenerationSuccessHandler that performs a redirect to a specific location.
Performs a redirect to a specified location.
Performs a redirect to a specified location.
Performs a redirect on authentication success.
Performs a redirect on log out success.
Encapsulates the redirection logic for all classes in the framework which perform redirects.
Internal class for building redirect URLs.
Provides support for Referrer Policy.
Writes the Referrer-Policy response header.
Deprecated. ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
Uses a regular expression to decide whether the URL of a supplied HttpServletRequest matches.
Strategy used to register a user with the SessionRegistry after successful Authentication.
An implementation of ServerAuthenticationSuccessHandler that will register a ReactiveSessionInformation with the provided ReactiveSessionRegistry.
The data object used to provide the information necessary to authenticate a user with WebAuthn.
Submitted by a client to request registration of a new credential.
This exception is thrown when an Authentication exception occurs while using the remember-me authentication.
Detects if there is no Authentication object in the SecurityContext, and populates the context with a remember-me authentication token if a RememberMeServices implementation so requests.
Implemented by a class that is capable of providing a remember-me service.
A simple pre-authenticated filter which obtains the username from request attributes, for use with SSO systems such as Stanford WebAuth or Shibboleth.
Stores the SecurityContext on a ServletRequest.setAttribute(String, Object) so that it can be restored when different dispatch types occur.
An HttpServletRequest authorization context.
Implements "saved request" logic, allowing a single request to be retrieved and restarted after redirecting to an authentication mechanism.
Responsible for reconstituting the saved request if one is cached and it matches the current request.
Performs a redirect to the original request URL when an invalid requested session is detected by the SessionManagementFilter.
A simple pre-authenticated filter which obtains the username from a request header, for use with systems such as CA Siteminder.
A RequestMatcher that can be used to match requests that contain a header with an expected header name and an expected value.
Simple strategy to match an HttpServletRequest.
The result of matching against an HttpServletRequest contains the status, true or false, of the match and, if present, any variables extracted from the match.
An AccessDeniedHandler that delegates to other AccessDeniedHandler instances based upon the type of HttpServletRequest passed into RequestMatcherDelegatingAccessDeniedHandler.handle(HttpServletRequest, HttpServletResponse, AccessDeniedException).
An AuthenticationManagerResolver that returns AuthenticationManager instances based upon the type of HttpServletRequest passed into RequestMatcherDelegatingAuthenticationManagerResolver.resolve(HttpServletRequest).
A builder for RequestMatcherDelegatingAuthenticationManagerResolver.
An AuthorizationManager which delegates to a specific AuthorizationManager based on a RequestMatcher evaluation.
A builder for RequestMatcherDelegatingAuthorizationManager.
Deprecated. Please use AuthorizationManagerWebInvocationPrivilegeEvaluator and adapt any delegate WebInvocationPrivilegeEvaluators into AuthorizationManagers.
PropertyEditor which creates ELRequestMatcher instances from Strings. This allows a String to be used in a BeanDefinition instead of an (inner) bean if a RequestMatcher is required, e.g.
A rich object for associating a RequestMatcher to another object.
Filter that redirects requests that match RequestMatcher to the specified URL.
A factory class to create RequestMatcher instances.
Used by FilterChainProxy to handle a RequestRejectedException.
Deprecated.
The ResidentKeyRequirement describes the Relying Party's requirements for client-side discoverable credentials.
Deprecated. Please use HttpsRedirectFilter and its associated PortMapper.
Deprecated. Please use HttpsRedirectFilter and its associated PortMapper.
Deprecated.
Stores off the values of a cookie in a serializable holder.
Encapsulates the functionality required of a cached request for both an authentication mechanism (typically form-based login) to redirect to the original URL and for a RequestCache to build a wrapped request, reproducing the original request data.
An authentication success strategy which can make use of the DefaultSavedRequest which may have been stored in the session by the ExceptionTranslationFilter.
Deprecated. No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making.
Allows for integration with Spring MVC's
Callable support.A
Filter which populates the ServletRequest with a request
wrapper which implements the servlet API security methods.A Spring Security-aware
HttpServletRequestWrapper, which uses the
SecurityContext-defined Authentication object to implement
the servlet API security methods:
SecurityContextHolderAwareRequestWrapper.getUserPrincipal()
SecurityContextHolderAwareRequestWrapper.isUserInRole(String)
HttpServletRequestWrapper.getRemoteUser().
A Filter that uses the SecurityContextRepository to obtain the SecurityContext and set it on the SecurityContextHolder.
Performs a logout by modifying the SecurityContextHolder.
Deprecated.
Strategy used for persisting a SecurityContext between requests.
A ServerLogoutHandler which removes the SecurityContext using the provided ServerSecurityContextRepository.
Overrides the ServerWebExchange.getPrincipal() with the provided SecurityContext.
Overrides the ServerWebExchange.getPrincipal() to be looked up using ReactiveSecurityContextHolder.
Defines a filter chain which is capable of being matched against an HttpServletRequest.
Utilities for interacting with HttpHeaders.
Spring Security extension to Spring's WebApplicationContextUtils.
Defines a filter chain which is capable of being matched against a ServerWebExchange in order to decide whether it applies to that request.
A strategy used for converting from a ServerWebExchange to an Authentication used for authenticating with a provided ReactiveAuthenticationManager.
Used to request authentication.
Adapts a ServerAuthenticationEntryPoint into a ServerAuthenticationFailureHandler.
Handles authentication failure.
Handles authentication success.
An API to allow changing the method in which the expected CsrfToken is associated to the ServerWebExchange.
An implementation of the ServerCsrfTokenRequestHandler interface that is capable of making the CsrfToken available as an exchange attribute and resolving the token value as either a form data value or header of the request.
A callback interface that is used to make the CsrfToken created by the ServerCsrfTokenRepository available as an exchange attribute.
Implementations of this interface are capable of resolving the token value of a CsrfToken from the provided ServerWebExchange.
Thrown when a ServerWebExchange is rejected.
Handles ServerExchangeRejectedException thrown by ServerWebExchangeFirewall.
Converts a ServerWebExchange into a UsernamePasswordAuthenticationToken from the form data HTTP parameters.
Deprecated.
Use ServerFormLoginAuthenticationConverter instead.
A strategy for resolving a GenerateOneTimeTokenRequest from the ServerWebExchange.
Converts from a ServerWebExchange to an Authentication that can be authenticated.
Deprecated.
Use ServerHttpBasicAuthenticationConverter instead.
Interface for writing headers just before the response is committed.
Handles log out.
Strategy for when log out was successfully performed (typically after ServerLogoutHandler is invoked).
Strategy for handling the scenario when the maximum number of sessions for a user has been reached.
An implementation of ServerAuthenticationConverter for resolving an OneTimeTokenAuthenticationToken from the token parameter.
Defines a reactive strategy to handle generated one-time tokens.
A ServerOneTimeTokenGenerationSuccessHandler that performs a redirect to a specific location.
A strategy for performing redirects.
Saves a ServerHttpRequest so it can be "replayed" later.
A WebFilter that replays any matching request in the ServerRequestCache.
Strategy used for persisting a SecurityContext between requests.
A ReactiveAuthenticationManagerResolver that returns ReactiveAuthenticationManager instances based upon the type of ServerWebExchange passed into ServerWebExchangeDelegatingReactiveAuthenticationManagerResolver.resolve(ServerWebExchange).
A ServerAccessDeniedHandler which delegates to multiple ServerAccessDeniedHandlers based on a ServerWebExchangeMatcher.
Delegates to a provided ServerHttpHeadersWriter if ServerWebExchangeMatcher.matches(ServerWebExchange) returns a match.
Interface which can be used to reject potentially dangerous requests and/or wrap them to control their behaviour.
An interface for determining if a ServerWebExchangeMatcher matches.
The result of matching.
A rich object for associating a ServerWebExchangeMatcher to another object.
Provides factory methods for creating common ServerWebExchangeMatcher instances.
A ThreadLocalAccessor for accessing a ServerWebExchange.
Converts from the SslInfo provided by a request to a PreAuthenticatedAuthenticationToken that can be authenticated.
Thrown by a SessionAuthenticationStrategy or ServerSessionAuthenticationStrategy to indicate that an authentication object is not valid for the current session, typically because the same user has exceeded the number of sessions they are allowed to have concurrently.
Allows pluggable support for HttpSession-related behaviour when an authentication occurs.
Indicates a session ID was changed for the purposes of session fixation protection.
Uses HttpSession.invalidate() to protect against session fixation attacks (the attributes of the old session are copied into a newly created one).
An event for when a SessionInformation is expired.
Determines the behaviour of the ConcurrentSessionFilter when an expired session is detected in the ConcurrentSessionFilter.
Represents the maximum number of sessions allowed.
Represents the maximum number of sessions allowed.
Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.
Performs a redirect to a fixed URL when an invalid requested session is detected by the SessionManagementFilter.
Performs a redirect to a fixed URL when an expired session is detected by the ConcurrentSessionFilter.
A Bean implementation of SavedRequest.
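The session classes listed above (the session-fixation strategies, SessionAuthenticationStrategy, SessionManagementFilter, ConcurrentSessionFilter and its expired-session and invalid-session redirect strategies) are not normally instantiated by hand; they are wired through the sessionManagement() DSL of HttpSecurity. The configuration below is an added example written for this page, not code from Spring Security. It assumes Spring Security 6.x under Spring Boot, a form-login application, and the redirect targets /login?invalid and /login?expired, which are chosen here for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Added example (not Spring Security's own code): session fixation protection plus
// concurrency control, the two jobs SessionManagementFilter delegates to the configured
// SessionAuthenticationStrategy.
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Session fixation: issue a new session ID at login while keeping the
                // session attributes. changeSessionId() is the Servlet 3.1+ default;
                // newSession() also drops the attributes; none() disables the protection
                // and leaves a pre-login session ID reusable by whoever planted it.
                .sessionFixation(fixation -> fixation.changeSessionId())
                // Where SessionManagementFilter sends a request that presents a session ID
                // the container no longer knows (timed out or already invalidated).
                .invalidSessionUrl("/login?invalid")
                // Concurrency control: at most one live session per principal.
                .maximumSessions(1)
                // false: the newest login wins and the older session is marked expired, so
                // ConcurrentSessionFilter redirects its next request to expiredUrl().
                // true: the second login is rejected with a SessionAuthenticationException.
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired")
                .sessionRegistry(sessionRegistry()));
        return http.build();
    }

    // Holds the SessionInformation records that maximumSessions() counts against.
    @Bean
    SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Publishes session-created/destroyed events so the registry drops entries when the
    // container destroys a session; without it, dead sessions keep counting toward the limit.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

If the application is clustered, replace SessionRegistryImpl with a registry backed by the shared session store (for example the Spring Session one); an in-memory registry only sees the sessions of the node it runs on, so the limit is enforced per node rather than per user.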
AuthenticationFailureHandler which performs a redirect to the value of the defaultFailureUrl property when the onAuthenticationFailure method is called.
AuthenticationSuccessHandler which can be configured with a default URL which users should be sent to upon successful authentication.
Handles the navigation on logout by delegating to the AbstractAuthenticationTargetUrlRequestHandler base class logic.
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
HeaderWriter implementation which writes the same Header instance.
Allows specifying HttpHeaders that should be written to the response.
A strict implementation of
HttpFirewall that rejects any suspicious requests
with a RequestRejectedException.
A strict implementation of ServerWebExchangeFirewall that rejects any suspicious requests with a ServerExchangeRejectedException.
Writes the Strict-Transport-Security header if the request is secure.
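StrictHttpFirewall runs in FilterChainProxy before any SecurityFilterChain is selected, so it is installed through WebSecurity rather than HttpSecurity. The bean below is an added example, not Spring Security's own code; it assumes Spring Security 6.x and uses the hostname app.example.com purely for illustration.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Added example (not Spring Security's own code): tighten StrictHttpFirewall beyond its
// defaults and make rejections answer with a plain 400.
@Configuration
public class FirewallConfig {

    @Bean
    WebSecurityCustomizer firewallCustomizer() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();

        // Out of the box the firewall already rejects non-normalised paths ("/../"),
        // encoded slashes, backslashes, semicolons, "%25" and control characters.
        // Loosen a check only when the application really needs it, e.g. for path
        // variables that legitimately carry an encoded slash:
        // firewall.setAllowUrlEncodedSlash(true);

        // Restrict methods to what the application serves. The default list is
        // DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT; TRACE is never allowed.
        firewall.setAllowedHttpMethods(Set.of("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"));

        // Reject Host header values the application is not deployed under, which blunts
        // host-header injection into absolute URLs built from the request.
        // "app.example.com" is an assumed value for this example.
        firewall.setAllowedHostnames(host -> host.equals("app.example.com") || host.equals("localhost"));

        return web -> web
            .httpFirewall(firewall)
            // Map RequestRejectedException to HTTP 400 instead of letting it propagate
            // as an unhandled exception with a stack trace.
            .requestRejectedHandler(new HttpStatusRequestRejectedHandler());
    }
}
```

The reactive counterpart, StrictServerWebExchangeFirewall, applies the same checks to a ServerWebExchange and reports failures through ServerExchangeRejectedHandler.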
Obtains the principal from a certificate using a regular expression match against the Subject (as returned by a call to X509Certificate.getSubjectDN()).
Allows subclasses to modify the GrantedAuthority list that will be assigned to the principal when they assume the identity of a different principal.
Switch User processing filter responsible for user context switching.
Custom GrantedAuthority used by SwitchUserFilter.
Switch User processing filter responsible for user context switching.
Internal utility for escaping characters in HTML strings.
Handler for analyzing Throwable instances.
Interface for handlers extracting the cause out of a specific Throwable type.
Identifies previously remembered users by a Base-64 encoded cookie.
Thrown if securityFilterChain is not valid.
Provides static methods for composing URLs.
A repository for managing CredentialRecords associated to a user.
Processes an authentication form submission.
UserVerificationRequirement is used by the Relying Party to indicate if user verification is needed.
Provides integration between the SecurityContext and Spring Web's WebAsyncManager by using the SecurityContextCallableProcessingInterceptor.beforeConcurrentHandling(org.springframework.web.context.request.NativeWebRequest, Callable) to populate the SecurityContext on the Callable.
Well-known keys which are used to store Spring Security information in request or session scope.
A holder of selected HTTP details related to a web authentication request.
Implementation of AuthenticationDetailsSource which builds the details object from an HttpServletRequest object, creating a WebAuthenticationDetails.
A WebAuthn4j implementation of WebAuthnRelyingPartyOperations.
A WebAuthnAuthentication is used to represent successful authentication with WebAuthn.
Authenticates the PublicKeyCredential<AuthenticatorAssertionResponse> that is parsed from the body of the HttpServletRequest using the converter set by WebAuthnAuthenticationFilter.setConverter(GenericHttpMessageConverter).
An AuthenticationProvider that uses WebAuthnRelyingPartyOperations for authentication using a WebAuthnAuthenticationRequestToken.
An Authentication used in WebAuthnAuthenticationProvider for authenticating via WebAuthn.
Adds Jackson support for Spring Security WebAuthn.
Registers a credential from the PublicKeyCredential<AuthenticatorAttestationResponse> that is parsed from the body of the HttpServletRequest using the converter set by WebAuthnRegistrationFilter.setConverter(HttpMessageConverter).
An API for WebAuthn Relying Party Operations.
An expression-based AuthorizationManager that determines the access by evaluating the provided expression.
Deprecated.
Use WebExpressionAuthorizationManager instead.
Used to delegate to a List of SecurityWebFilterChain instances.
A WebFilterChainProxy.WebFilterChainDecorator that uses the DefaultWebFilterChain.
A strategy for decorating the provided filter chain with one that accounts for the SecurityFilterChain for a given request.
Success handler that continues the filter chain after authentication success.
A composite of the ServerWebExchange and the WebFilterChain.
Allows users to determine whether they have privileges for a given web URI.
Jackson module for spring-security-web.
Jackson module for spring-security-web-flux.
Jackson module for spring-security-web related to servlet.
A ServerLogoutHandler which invalidates the active WebSession.
Stores the SecurityContext in the WebSession.
This AbstractPreAuthenticatedProcessingFilter implementation is based on WebSphere authentication.
This AuthenticationDetailsSource implementation will set the pre-authenticated granted
authorities based on the WebSphere groups for the current WebSphere user, mapped using
the configured Attributes2GrantedAuthoritiesMapper.
This MappableAttributesRetriever implementation reads the list of defined J2EE roles from a web.xml file and returns these from WebXmlMappableAttributesRetriever.getMappableAttributes().
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
Obtains the principal from an X509Certificate for use within the framework.
A StaticHeadersWriter that inserts headers to prevent content sniffing.
Adds X-Content-Type-Options: nosniff.
HeaderWriter implementation for the X-Frame-Options header.
The possible values for the X-Frame-Options header.
ServerHttpHeadersWriter implementation for the X-Frame-Options header.
The X-Frame-Options values.
An implementation of the CsrfTokenRequestHandler interface that is capable of masking the value of the CsrfToken on each request and resolving the raw token value from the masked value as either a header or parameter value of the request.
An implementation of the ServerCsrfTokenRequestAttributeHandler and ServerCsrfTokenRequestResolver interfaces that is capable of masking the value of the CsrfToken on each request and resolving the raw token value from the masked value as either a form data value or header of the request.
Renders the X-XSS-Protection header.
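The two Xor*CsrfTokenRequestAttributeHandler entries above describe a mechanism rather than a configuration knob: the token stored server-side never changes within a session, but every response carries it XORed with a fresh random pad, so a compression side channel (BREACH) cannot recover it by watching how the response length reacts to guessed bytes. The class below is an added example written for this page, not Spring Security's own code; it re-implements the idea stand-alone (no Spring dependency) so it can be run and inspected. The exact byte layout, the helper names and the use of a UUID as the raw token are assumptions of this demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.UUID;

// Added example (not Spring Security's own code): per-response XOR masking of a CSRF
// token and the inverse that a request handler applies before comparing.
public final class XorCsrfMaskingDemo {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Mask a token as pad || (pad XOR token), Base64url without padding. */
    static String mask(String rawToken) {
        byte[] token = rawToken.getBytes(StandardCharsets.UTF_8);
        byte[] pad = new byte[token.length];
        RANDOM.nextBytes(pad);                    // fresh one-time pad for every response
        byte[] out = new byte[token.length * 2];
        System.arraycopy(pad, 0, out, 0, pad.length);
        for (int i = 0; i < token.length; i++) {
            out[pad.length + i] = (byte) (pad[i] ^ token[i]);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Inverse of mask(). Returns null for anything that is not a well-formed masked value. */
    static String unmask(String masked) {
        byte[] bytes;
        try {
            bytes = Base64.getUrlDecoder().decode(masked);
        } catch (IllegalArgumentException ex) {
            return null;                          // not Base64url: treat as no token at all
        }
        if (bytes.length == 0 || bytes.length % 2 != 0) {
            return null;                          // cannot be pad || xored of equal length
        }
        int half = bytes.length / 2;
        byte[] token = new byte[half];
        for (int i = 0; i < half; i++) {
            token[i] = (byte) (bytes[i] ^ bytes[half + i]);
        }
        return new String(token, StandardCharsets.UTF_8);
    }

    /**
     * What the CSRF filter does with the value taken from the header or parameter:
     * unmask it, then compare against the stored token in constant time
     * (MessageDigest.isEqual) so the comparison itself does not leak matching prefixes.
     */
    static boolean matches(String storedRawToken, String requestValue) {
        String candidate = requestValue == null ? null : unmask(requestValue);
        if (candidate == null) {
            return false;
        }
        return MessageDigest.isEqual(
                storedRawToken.getBytes(StandardCharsets.UTF_8),
                candidate.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String raw = UUID.randomUUID().toString();   // stands in for the repository's token
        String first = mask(raw);
        String second = mask(raw);
        // Flip the first Base64url character so the decoded pad changes by one byte.
        String tampered = (first.charAt(0) == 'A' ? "B" : "A") + first.substring(1);

        System.out.println("masked on response 1: " + first);
        System.out.println("masked on response 2: " + second);
        System.out.println("different on the wire: " + !first.equals(second));
        System.out.println("both accepted:         " + (matches(raw, first) && matches(raw, second)));
        System.out.println("tampered rejected:     " + !matches(raw, tampered));
        System.out.println("garbage rejected:      " + !matches(raw, "not-base64!"));
    }
}
```

The masking is not encryption and does not need to be: an attacker who can read the page already has the token. Its only job is to stop the stored value from appearing as a stable byte string inside a compressed response, which is also why the masked form must be regenerated on every request rather than cached.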
The value of the X-XSS-Protection header.
Adds the X-XSS-Protection header.
The value of the X-XSS-Protection header.
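The header writers listed on this page (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security) are normally installed through the headers() DSL rather than instantiated directly. The configuration below is an added example, not Spring Security's own code; it assumes Spring Security 6.x and shows the values a hardened deployment usually wants, including the Content-Security-Policy frame-ancestors directive that does the job the deprecated ALLOW-FROM strategies were meant for.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

// Added example (not Spring Security's own code): explicit response-header hardening.
@Configuration
public class ResponseHeadersConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .headers(headers -> headers
                // X-Frame-Options: DENY (the default). Use sameOrigin() only if the app
                // frames its own pages. ALLOW-FROM is not offered because browsers
                // ignore it, which is why the ALLOW-FROM strategies are deprecated.
                .frameOptions(frame -> frame.deny())
                // X-Content-Type-Options: nosniff, stops MIME sniffing of responses.
                .contentTypeOptions(Customizer.withDefaults())
                // X-XSS-Protection: "0". The legacy "1; mode=block" value re-enabled a
                // browser filter with its own bypass and information-leak history, so
                // leave it disabled and rely on CSP instead.
                .xssProtection(xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED))
                // Strict-Transport-Security: only written when the request is secure,
                // so it is never emitted on a plain-HTTP development listener.
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)   // one year
                    .preload(true))
                // frame-ancestors is the supported replacement for ALLOW-FROM; list the
                // origins that may embed the page, or 'none' to forbid all framing.
                .contentSecurityPolicy(csp -> csp.policyDirectives("frame-ancestors 'none'")));
        return http.build();
    }
}
```

Keep X-Frame-Options and frame-ancestors consistent: a browser that understands CSP applies frame-ancestors and ignores X-Frame-Options, older ones do the reverse, so a mismatch silently gives one of the two populations a different policy.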