From cf59a66878363d93c2e34dd6a46d4228f1e2eaeb Mon Sep 17 00:00:00 2001 From: AB Date: Fri, 14 Mar 2025 14:29:58 +0100 Subject: [PATCH 1/7] Speed up check code --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d014f7ba..655f7887 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,7 +26,7 @@ jobs: cache: 'maven' - name: Build with Maven - run: ./mvnw -B clean package + run: ./mvnw -B clean package -T2C - name: Check for uncommited changes run: | From 823b0d68b848da23f7465dc6a6b36862b745f18f Mon Sep 17 00:00:00 2001 From: AB Date: Fri, 14 Mar 2025 14:51:28 +0100 Subject: [PATCH 2/7] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 801e17b8..6bb4faec 100644 --- a/README.md +++ b/README.md @@ -27,4 +27,4 @@ If you need support as soon as possible and you can't wait for any pull request, See the [contributing guide](./CONTRIBUTING.md) for detailed instructions on how to get started with our project. ## Dependencies and Licenses -View the [license of the current project](LICENSE) or the [summary including all dependencies](https://xdev-software.github.io/spring-security-extras/dependencies) +View the [license of the current project](LICENSE) or the [summary including all dependencies](https://xdev-software.github.io/spring-security-extras) From 73c689ffbd471294a0df804772c1484d1250c08b Mon Sep 17 00:00:00 2001 From: XDEV Renovate Bot Date: Mon, 17 Mar 2025 04:12:17 +0000 Subject: [PATCH 3/7] Update dependency org.junit.jupiter:junit-jupiter to v5.12.1 --- codec-sha256/pom.xml | 2 +- crypto-symmetric/pom.xml | 2 +- oauth2-oidc-remember-me/pom.xml | 2 +- oauth2-oidc/pom.xml | 2 +- web-sidecar-actuator/pom.xml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/codec-sha256/pom.xml b/codec-sha256/pom.xml index a7fc8f73..81c3220f 100644 
--- a/codec-sha256/pom.xml +++ b/codec-sha256/pom.xml @@ -88,7 +88,7 @@ org.junit.jupiter junit-jupiter - 5.12.0 + 5.12.1 test diff --git a/crypto-symmetric/pom.xml b/crypto-symmetric/pom.xml index 50154172..b2371bed 100644 --- a/crypto-symmetric/pom.xml +++ b/crypto-symmetric/pom.xml @@ -88,7 +88,7 @@ org.junit.jupiter junit-jupiter - 5.12.0 + 5.12.1 test diff --git a/oauth2-oidc-remember-me/pom.xml b/oauth2-oidc-remember-me/pom.xml index c1c36d67..019e33c2 100644 --- a/oauth2-oidc-remember-me/pom.xml +++ b/oauth2-oidc-remember-me/pom.xml @@ -122,7 +122,7 @@ org.junit.jupiter junit-jupiter - 5.12.0 + 5.12.1 test diff --git a/oauth2-oidc/pom.xml b/oauth2-oidc/pom.xml index a3943ade..4e710e79 100644 --- a/oauth2-oidc/pom.xml +++ b/oauth2-oidc/pom.xml @@ -141,7 +141,7 @@ org.junit.jupiter junit-jupiter - 5.12.0 + 5.12.1 test diff --git a/web-sidecar-actuator/pom.xml b/web-sidecar-actuator/pom.xml index 9ee5da0e..043b0f3b 100644 --- a/web-sidecar-actuator/pom.xml +++ b/web-sidecar-actuator/pom.xml @@ -125,7 +125,7 @@ org.junit.jupiter junit-jupiter - 5.12.0 + 5.12.1 test From f36d63396ea3803cf30c3d2891da54423eee428a Mon Sep 17 00:00:00 2001 From: AB Date: Mon, 17 Mar 2025 08:32:58 +0100 Subject: [PATCH 4/7] Fix sonar --- .../sse/oauth2/rememberme/OAuth2CookieRememberMeServices.java | 2 +- .../java/software/xdev/sse/vaadin/SecureVaadinRequestCache.java | 1 + .../software/xdev/sse/vaadin/TotalVaadinFlowWebSecurity.java | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/OAuth2CookieRememberMeServices.java b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/OAuth2CookieRememberMeServices.java index 1b58c59f..312244fd 100644 --- a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/OAuth2CookieRememberMeServices.java +++ b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/OAuth2CookieRememberMeServices.java 
@@ -179,7 +179,7 @@ public class OAuth2CookieRememberMeServices implements RememberMeServices, OAuth protected final boolean enabled; - @SuppressWarnings("java:S2629") + @SuppressWarnings({"java:S2629", "java:S107"}) public OAuth2CookieRememberMeServices( final OAuth2CookieRememberMeServicesConfig config, final AutoLoginMetrics autoLoginMetrics, diff --git a/vaadin/src/main/java/software/xdev/sse/vaadin/SecureVaadinRequestCache.java b/vaadin/src/main/java/software/xdev/sse/vaadin/SecureVaadinRequestCache.java index 69d12770..e30b2200 100644 --- a/vaadin/src/main/java/software/xdev/sse/vaadin/SecureVaadinRequestCache.java +++ b/vaadin/src/main/java/software/xdev/sse/vaadin/SecureVaadinRequestCache.java @@ -44,6 +44,7 @@ * Same as {@link VaadinDefaultRequestCache}, however only existing Vaadin routes are cached, which results in no * invalid redirects (to e.g. PWA offline resources) and unused/useless (redirect-)sessions */ +@SuppressWarnings("java:S6813") @Component public class SecureVaadinRequestCache extends VaadinDefaultRequestCache { diff --git a/vaadin/src/main/java/software/xdev/sse/vaadin/TotalVaadinFlowWebSecurity.java b/vaadin/src/main/java/software/xdev/sse/vaadin/TotalVaadinFlowWebSecurity.java index 829d3993..7275951a 100644 --- a/vaadin/src/main/java/software/xdev/sse/vaadin/TotalVaadinFlowWebSecurity.java +++ b/vaadin/src/main/java/software/xdev/sse/vaadin/TotalVaadinFlowWebSecurity.java @@ -37,6 +37,7 @@ * Override of {@link VaadinWebSecurity} that doesn't allow any VaadinSession to be created without previous * authentication. */ +@SuppressWarnings("java:S6813") public abstract class TotalVaadinFlowWebSecurity extends VaadinWebSecurity { @Autowired From 48cda8e7d309e5380b8480504a8efa08fb2508d9 Mon Sep 17 00:00:00 2001 
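Review bot: The `@SuppressWarnings("java:S6813")` added to `SecureVaadinRequestCache` sits on the whole class, and the same is done in `TotalVaadinFlowWebSecurity`, so the field-injection rule is muted for every current and future member of two security-relevant classes. Moving the annotation onto the specific `@Autowired` field keeps the exemption as narrow as the reason for it. A short comment next to it, along the lines of `// S6813: field injection kept because <reason>`, would record why the finding is accepted. Both class bodies lie outside these hunks, so the set of affected fields cannot be checked from here.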
From: AB Date: Mon, 17 Mar 2025 08:33:19 +0100 Subject: [PATCH 5/7] Make it possible for metrics to be missing --- ...th2CookieRememberMeServicesAutoConfig.java | 6 +- .../metrics/DummyAutoLoginMetrics.java | 67 +++++++++++++++++++ .../auto/OAuth2AuthCheckerAutoConfig.java | 2 + .../auto/OAuth2RefreshFilterAutoConfig.java | 7 +- ...myOAuth2RefreshFilterAuthCheckMetrics.java | 22 ++++++ .../auto/ActuatorWebSecurityAutoConfig.java | 2 + 6 files changed, 102 insertions(+), 4 deletions(-) create mode 100644 oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/metrics/DummyAutoLoginMetrics.java create mode 100644 oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/metrics/DummyOAuth2RefreshFilterAuthCheckMetrics.java diff --git a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/auto/OAuth2CookieRememberMeServicesAutoConfig.java b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/auto/OAuth2CookieRememberMeServicesAutoConfig.java index 01d11379..d66998aa 100644 --- a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/auto/OAuth2CookieRememberMeServicesAutoConfig.java +++ b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/auto/OAuth2CookieRememberMeServicesAutoConfig.java @@ -37,6 +37,7 @@ import software.xdev.sse.oauth2.rememberme.crypt.RememberMeSymCryptManager; import software.xdev.sse.oauth2.rememberme.metrics.AutoLoginMetrics; import software.xdev.sse.oauth2.rememberme.metrics.DefaultAutoLoginMetrics; +import software.xdev.sse.oauth2.rememberme.metrics.DummyAutoLoginMetrics; import software.xdev.sse.oauth2.rememberme.secrets.AuthRememberMeSecretService; import software.xdev.sse.oauth2.rememberme.serializer.DefaultOAuth2CookieRememberMeAuthSerializer; import software.xdev.sse.oauth2.rememberme.serializer.OAuth2CookieRememberMeAuthSerializer; 
@@ -55,7 +56,7 @@ public class OAuth2CookieRememberMeServicesAutoConfig @Bean public OAuth2CookieRememberMeServices oAuth2CookieRememberMeServices( final OAuth2CookieRememberMeServicesConfig config, - final AutoLoginMetrics autoLoginMetrics, + @Autowired(required = false) final AutoLoginMetrics autoLoginMetrics, @Autowired(required = false) final RememberMeSymCryptManager cryptManager, final RememberMeClientStorageProcessorProvider clientStorageProcessorProvider, final AuthRememberMeSecretService authRememberMeSecretService, @@ -69,7 +70,7 @@ public OAuth2CookieRememberMeServices oAuth2CookieRememberMeServices( { final OAuth2CookieRememberMeServices rememberMeServices = new OAuth2CookieRememberMeServices( config, - autoLoginMetrics, + autoLoginMetrics != null ? autoLoginMetrics : new DummyAutoLoginMetrics(), cryptManager, clientStorageProcessorProvider, authRememberMeSecretService, @@ -119,6 +120,7 @@ public OAuth2CookieRememberMeAuthSerializer oAuth2CookieRememberMeAuthSerializer return new DefaultOAuth2CookieRememberMeAuthSerializer(); } + @ConditionalOnBean(MeterRegistry.class) @ConditionalOnMissingBean @Bean public AutoLoginMetrics autoLoginMetrics(final MeterRegistry meterRegistry) diff --git a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/metrics/DummyAutoLoginMetrics.java b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/metrics/DummyAutoLoginMetrics.java new file mode 100644 index 00000000..62dfbf2d --- /dev/null +++ b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/metrics/DummyAutoLoginMetrics.java 
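Review bot: The fallback `autoLoginMetrics != null ? autoLoginMetrics : new DummyAutoLoginMetrics()` in `oAuth2CookieRememberMeServices` is silent. A deployment that ends up without an `AutoLoginMetrics` bean stops counting remember-me outcomes such as `idCookieDecodeFailed` or `payloadAccessTokenInvalid`, with no sign of it at startup. Those counters are what monitoring of failed or tampered auto-login attempts would be built on, so one log line when the dummy is chosen is worth having, e.g. `LOG.warn("No AutoLoginMetrics bean found - auto-login outcomes will not be recorded");` (assuming the class has or gains a logger). The same applies to `metrics != null ? metrics : new DummyOAuth2RefreshFilterAuthCheckMetrics()` in `OAuth2RefreshFilterAutoConfig`. The method body continues outside these hunks.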
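Review bot: `@ConditionalOnBean(MeterRegistry.class)` on `autoLoginMetrics` is evaluated against the bean definitions registered so far, so it only works if this auto-configuration is processed after the one that contributes the `MeterRegistry`. If the ordering is not declared, the condition can fail even though a registry exists, and the service then falls back to the no-op metrics without any error. The class-level annotations are outside the hunk, so this may already be handled; if not, an ordering hint such as `@AutoConfigureAfter(CompositeMeterRegistryAutoConfiguration.class)` (or the `after`/`afterName` attribute of `@AutoConfiguration`) would pin it. The same check applies to the `@ConditionalOnBean(MeterRegistry.class)` additions in `OAuth2AuthCheckerAutoConfig`, `OAuth2RefreshFilterAutoConfig` and `ActuatorWebSecurityAutoConfig`.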
@@ -0,0 +1,67 @@ +package software.xdev.sse.oauth2.rememberme.metrics; + +import software.xdev.sse.oauth2.checkauth.OAuth2AuthChecker; + + +public class DummyAutoLoginMetrics implements AutoLoginMetrics +{ + @Override + public void ignored() + { + } + + @Override + public void incompleteCookies() + { + } + + @Override + public void idCookieDecodeFailed() + { + } + + @Override + public void persistedSecretNotFound() + { + } + + @Override + public void decryptionAlgorithmNotFound() + { + } + + @Override + public void payloadDeserializeFailed() + { + } + + @Override + public void payloadClientRegIdMismatch() + { + } + + @Override + public void payloadEmailMismatch() + { + } + + @Override + public void payloadAccessTokenInvalid() + { + } + + @Override + public void payloadRefreshTokenInvalid() + { + } + + @Override + public void authCheckMetricsIncrement(final OAuth2AuthChecker.AuthCheckOutcome outcome) + { + } + + @Override + public void unexpectedError() + { + } +} diff --git a/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/checkauth/auto/OAuth2AuthCheckerAutoConfig.java b/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/checkauth/auto/OAuth2AuthCheckerAutoConfig.java index 7f0729ce..dbb5ebd7 100644 --- a/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/checkauth/auto/OAuth2AuthCheckerAutoConfig.java +++ b/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/checkauth/auto/OAuth2AuthCheckerAutoConfig.java @@ -18,6 +18,7 @@ import java.util.List; import org.springframework.boot.autoconfigure.AutoConfiguration; +import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.boot.context.properties.ConfigurationProperties; 
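Review bot: `DummyAutoLoginMetrics` has no Javadoc, and its twelve empty method bodies carry no comment, so nothing tells a reader that discarding every auto-login outcome is deliberate. A class comment such as `/** No-op {@link AutoLoginMetrics} used when no MeterRegistry is available; auto-login outcomes are not recorded. */` would state the contract. A `// no-op` in each body would also keep Sonar's empty-method rule (java:S1186) quiet, which fits the preceding "Fix sonar" commit. Since nothing visible here suggests the class is meant to be extended, declaring it `final` would be consistent with that. The same applies to `DummyOAuth2RefreshFilterAuthCheckMetrics`, added later in this patch.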
@@ -58,6 +59,7 @@ public OAuth2ProviderOfflineManager oAuth2ProviderOfflineManager( return new OAuth2ProviderOfflineManager(config, metricsHandlers); } + @ConditionalOnBean(MeterRegistry.class) @ConditionalOnMissingBean @Bean public OAuth2ProviderOfflineManagerMetricsHandler defaultoAuth2ProviderOfflineManagerMetricsHandler( diff --git a/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/auto/OAuth2RefreshFilterAutoConfig.java b/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/auto/OAuth2RefreshFilterAutoConfig.java index 0fa4d8ec..0821777f 100644 --- a/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/auto/OAuth2RefreshFilterAutoConfig.java +++ b/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/auto/OAuth2RefreshFilterAutoConfig.java @@ -20,6 +20,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.AutoConfiguration; import org.springframework.boot.autoconfigure.AutoConfigureAfter; +import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.context.ApplicationContext; @@ -33,6 +34,7 @@ import software.xdev.sse.oauth2.filter.OAuth2RefreshFilter; import software.xdev.sse.oauth2.filter.handler.OAuth2RefreshHandler; import software.xdev.sse.oauth2.filter.metrics.DefaultOAuth2RefreshFilterAuthCheckMetrics; +import software.xdev.sse.oauth2.filter.metrics.DummyOAuth2RefreshFilterAuthCheckMetrics; import software.xdev.sse.oauth2.filter.metrics.OAuth2RefreshFilterAuthCheckMetrics; import software.xdev.sse.oauth2.filter.reloadcom.OAuth2RefreshReloadCommunicator; import software.xdev.sse.oauth2.sidecar.compat.OtherWebSecurityPathsCompat; 
@@ -49,7 +51,7 @@ public class OAuth2RefreshFilterAutoConfig @ConditionalOnMissingBean @Bean public OAuth2RefreshFilter oAuth2RefreshFilter( - final OAuth2RefreshFilterAuthCheckMetrics metrics, + @Autowired(required = false) final OAuth2RefreshFilterAuthCheckMetrics metrics, // Some injections need to be lazy for connectionless start @Lazy final OAuth2AuthorizedClientService clientService, @Lazy final OAuth2AuthChecker oAuth2AuthChecker, @@ -58,7 +60,7 @@ public OAuth2RefreshFilter oAuth2RefreshFilter( ) { final OAuth2RefreshFilter filter = new OAuth2RefreshFilter( - metrics, + metrics != null ? metrics : new DummyOAuth2RefreshFilterAuthCheckMetrics(), clientService, oAuth2AuthChecker, new DynamicLazyBeanProvider<>(context, OAuth2RefreshHandler.class), @@ -82,6 +84,7 @@ public OAuth2RefreshFilter oAuth2RefreshFilter( return filter; } + @ConditionalOnBean(MeterRegistry.class) @ConditionalOnMissingBean @Bean public OAuth2RefreshFilterAuthCheckMetrics oAuth2RefreshFilterAuthCheckMetrics(final MeterRegistry meterRegistry) diff --git a/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/metrics/DummyOAuth2RefreshFilterAuthCheckMetrics.java b/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/metrics/DummyOAuth2RefreshFilterAuthCheckMetrics.java new file mode 100644 index 00000000..b98d92c8 --- /dev/null +++ b/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/metrics/DummyOAuth2RefreshFilterAuthCheckMetrics.java @@ -0,0 +1,22 @@ +package software.xdev.sse.oauth2.filter.metrics; + +import software.xdev.sse.oauth2.checkauth.OAuth2AuthChecker; + + +public class DummyOAuth2RefreshFilterAuthCheckMetrics implements OAuth2RefreshFilterAuthCheckMetrics +{ + @Override + public void ignored() + { + } + + @Override + public void noAuth() + { + } + + @Override + public void authCheckMetricsIncrement(final OAuth2AuthChecker.AuthCheckOutcome outcome) + { + } +} 
diff --git a/web-sidecar-actuator/src/main/java/software/xdev/sse/web/sidecar/actuator/auto/ActuatorWebSecurityAutoConfig.java b/web-sidecar-actuator/src/main/java/software/xdev/sse/web/sidecar/actuator/auto/ActuatorWebSecurityAutoConfig.java index d484e3c3..2507ee69 100644 --- a/web-sidecar-actuator/src/main/java/software/xdev/sse/web/sidecar/actuator/auto/ActuatorWebSecurityAutoConfig.java +++ b/web-sidecar-actuator/src/main/java/software/xdev/sse/web/sidecar/actuator/auto/ActuatorWebSecurityAutoConfig.java @@ -18,6 +18,7 @@ import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties; import org.springframework.boot.autoconfigure.AutoConfiguration; import org.springframework.boot.autoconfigure.AutoConfigureBefore; +import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.boot.context.properties.ConfigurationProperties; @@ -44,6 +45,7 @@ public ActuatorSecurityConfig actuatorConfig() return new ActuatorSecurityConfig(); } + @ConditionalOnBean(MeterRegistry.class) @ConditionalOnMissingBean @Bean public ActuatorSecurityMetricsHandler actuatorSecurityMetricsHandler( From 505357a6259b033f653909df0a95e522eff96b51 Mon Sep 17 00:00:00 2001 From: AB Date: Mon, 17 Mar 2025 08:36:05 +0100 Subject: [PATCH 6/7] Ignore self --- renovate.json5 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/renovate.json5 b/renovate.json5 index fef15d3a..98c91ed5 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -4,7 +4,7 @@ "packageRules": [ { "description": "Ignore project internal dependencies", - "packagePattern": "^software.xdev.spring-security-extras", + "packagePattern": "^software.xdev.sse", "datasources": [ "maven" ], From 43129ceb4d4bbb1316ae190c885cefbe294a042f Mon Sep 17 00:00:00 2001 
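Review bot: The new `packagePattern` value `^software.xdev.sse` has unescaped dots and no terminator, so it matches any Maven package whose name merely starts with something resembling that prefix, not only this project's own modules. The rest of the rule is outside the hunk, but its description says it ignores the matched packages. A dependency caught by accident would therefore stop receiving Renovate updates, security fixes included. Escaping the dots and ending on a separator keeps the rule limited to the intended group, e.g. `"packagePattern": "^software\\.xdev\\.sse[.:]"` if the group id is exactly `software.xdev.sse` or a sub-group of it.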
From: AB Date: Mon, 17 Mar 2025 08:38:43 +0100 Subject: [PATCH 7/7] Add missing license header --- .../rememberme/metrics/DummyAutoLoginMetrics.java | 15 +++++++++++++++ .../DummyOAuth2RefreshFilterAuthCheckMetrics.java | 15 +++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/metrics/DummyAutoLoginMetrics.java b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/metrics/DummyAutoLoginMetrics.java index 62dfbf2d..c4fbf95c 100644 --- a/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/metrics/DummyAutoLoginMetrics.java +++ b/oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/metrics/DummyAutoLoginMetrics.java @@ -1,3 +1,18 @@ +/* + * Copyright © 2025 XDEV Software (https://xdev.software) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package software.xdev.sse.oauth2.rememberme.metrics; import software.xdev.sse.oauth2.checkauth.OAuth2AuthChecker; diff --git a/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/metrics/DummyOAuth2RefreshFilterAuthCheckMetrics.java b/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/metrics/DummyOAuth2RefreshFilterAuthCheckMetrics.java index b98d92c8..881c655d 100644 --- a/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/metrics/DummyOAuth2RefreshFilterAuthCheckMetrics.java 
+++ b/oauth2-oidc/src/main/java/software/xdev/sse/oauth2/filter/metrics/DummyOAuth2RefreshFilterAuthCheckMetrics.java @@ -1,3 +1,18 @@ +/* + * Copyright © 2025 XDEV Software (https://xdev.software) + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package software.xdev.sse.oauth2.filter.metrics; import software.xdev.sse.oauth2.checkauth.OAuth2AuthChecker;