All Classes and Interfaces

Class
Description
Deprecated.
Abstract AfterInvocationProvider which provides commonly-used ACL-related services.
Deprecated.
Now used by only-deprecated classes.
Represents an application authentication event.
Abstract application event which indicates authentication failure for some reason.
Base class for configuring AbstractAuthenticationFilterConfigurer.
Abstract processor of browser-based HTTP-based authentication requests.
Base class containing the logic used by strategies which handle redirection to a URL and are passed an Authentication object as part of the contract.
Base class for Authentication objects.
Deprecated.
Authorization events have moved.
A base class for an <authorize> tag that is independent of the tag rendering technology (JSP, Facelets).
Abstract class for using the provided CAS assertion to construct a new User object.
A base class for registering RequestMatcher's.
A base SecurityBuilder that allows SecurityConfigurer to be applied to it.
Allows configuring a DaoAuthenticationProvider
Deprecated.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Adds a convenient base class for SecurityConfigurer instances that operate on HttpSecurity.
Deprecated.
An AuthenticationProvider implementation that retrieves user details from a JAAS login configuration.
Creates an AuthenticationManager that can perform LDAP authentication.
Base class for the standard LdapAuthenticationProvider and the ActiveDirectoryLdapAuthenticationProvider.
Base class for the authenticator implementations.
Abstract MessageMatcher containing multiple MessageMatcher
Deprecated.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Base implementation of an OAuth 2.0 Authorization Grant request that holds an authorization grant credential and is used when initiating a request to the Authorization Server's Token Endpoint.
Base class for OAuth 2.0 Token implementations.
Base class for AbstractAuthenticationToken implementations that expose common attributes between different OAuth 2.0 Access Token Formats.
Abstract base class for password encoders
Provides an abstract superclass for Permission implementations.
Base class for processing filters that handle pre-authenticated authentication requests, where it is assumed that the principal has already been authenticated by an external system.
Base class for RememberMeServices implementations.
A base class for registering RequestMatcher's.
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
 
Data holder for AuthNRequest parameters to be sent using either the Saml2MessageBinding.POST or Saml2MessageBinding.REDIRECT binding.
A builder for AbstractSaml2AuthenticationRequest and its subclasses.
A base SecurityBuilder that ensures the object being built is only built one time.
Base implementation of the facade which isolates Spring Security's requirements for evaluating security expressions from the implementation of the underlying expression objects.
Deprecated.
Registers the DelegatingFilterProxy to use the springSecurityFilterChain before any other registered Filter.
Deprecated.
 
Abstract superclass for all session related events.
A base class for performing session fixation protection.
 
A base AuthenticationProvider that allows subclasses to override and work with UserDetails objects.
A base ReactiveAuthenticationManager that allows subclasses to override and work with UserDetails objects.
 
Abstract base class for all of the WebClientReactive*TokenResponseClients that communicate to the Authorization Server's Token Endpoint.
Represents an individual permission assignment within an Acl.
An immutable default implementation of AccessControlEntry.
An implementation of Tag that allows its body through if all authorizations are granted to the request's principal.
Deprecated.
Deprecated.
Thrown if an Authentication object does not hold a required authority.
Used by ExceptionTranslationFilter to handle an AccessDeniedException.
Base implementation of AccessDeniedHandler.
Thrown if an authentication request is rejected because the account has expired.
Base class for authentication exceptions which are caused by a particular user account status (locked, disabled etc).
 
Represents an access control list (ACL) for a domain object.
Strategy used by AclImpl to determine whether a principal is permitted to call adminstrative methods on the AclImpl.
Default implementation of AclAuthorizationStrategy.
A caching layer for JdbcAclService.
Abstract base class for Acl data operations.
Given a Collection of domain object instances returned from a secure object invocation, remove any Collection elements the principal does not have appropriate permission to access as defined by the AclService.
Given a domain object instance returned from a secure object invocation, ensures the principal has appropriate permission as defined by the AclService.
Given a domain object instance passed as a method argument, ensures the principal has appropriate permission as indicated by the AclService.
Utility methods for displaying ACL information.
Base implementation of Acl.
Batch loads ACLs for collections of objects to allow optimised filtering.
Used by Spring Security's expression-based access control implementation to evaluate permissions for a particular object using the ACL module.
Provides retrieval of Acl instances.
Thrown as a translation of an AuthenticationException when attempting to authenticate against Active Directory using ActiveDirectoryLdapAuthenticationProvider.
Specialized LDAP authentication provider which uses Active Directory configuration conventions.
The Address Claim represents a physical mailing address defined by the OpenID Connect Core 1.0 specification that can be returned either in the UserInfo Response or the ID Token.
Encryptor that uses AES encryption.
 
Deprecated.
Deprecated.
Use delegation with AuthorizationManager
Deprecated.
Use delegation with AuthorizationManager
Deprecated.
Use delegation with AuthorizationManager
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
Thrown when AbstractSecurityBuilder.build() is two or more times.
Thrown if an Acl entry already exists for the object.
MessageMatcher that will return true if all of the passed in MessageMatcher instances match.
RequestMatcher that will return true if all of the passed in RequestMatcher instances match.
Matches if all the provided ServerWebExchangeMatcher match
Deprecated.
Used only by now-deprecated classes.
Allows finding parameter names using the value attribute of any number of Annotation instances.
Detects if there is no Authentication object in the SecurityContextHolder, and populates it with one if needed.
An AuthenticationProvider implementation that validates AnonymousAuthenticationTokens.
Represents an anonymous Authentication.
Detects if there is no Authentication object in the ReactiveSecurityContextHolder, and populates it with one if needed.
Configures Anonymous authentication (i.e.
If ReactiveSecurityContextHolder is empty populates an AnonymousAuthenticationToken
Matcher which compares a pre-defined ant-style pattern against the URL ( servletPath + pathInfo) of an HttpServletRequest.
Matches any supplied request.
Deprecated.
Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
Implementation of PasswordEncoder that uses the Argon2 hashing function.
Deprecated.
This class will be removed from the public API.
Deprecated.
This class will be removed from the public API.
Interface to be implemented by classes that can map a list of security attributes (such as roles or group names) to a collection of Spring Security GrantedAuthoritys.
Represents an ACE that provides auditing information.
A mutable ACL that provides audit capabilities.
Used by AclImpl to log audit events.
An AuthorizationManager that determines if the current user is authenticated.
Representation of an authenticated Principal once an Authentication request has been successfully authenticated by the AuthenticationManager.authenticate(Authentication) method.
An implementation of an OAuth2AuthorizedClientRepository that delegates to the provided OAuth2AuthorizedClientService if the current Principal is authenticated, otherwise, to the default (or provided) OAuth2AuthorizedClientRepository if the current request is unauthenticated (or anonymous).
An implementation of an ServerOAuth2AuthorizedClientRepository that delegates to the provided ServerOAuth2AuthorizedClientRepository if the current Principal is authenticated, otherwise, to the default (or provided) ServerOAuth2AuthorizedClientRepository if the current request is unauthenticated (or anonymous).
A ReactiveAuthorizationManager that determines if the current user is authenticated.
Deprecated.
Represents the token for an authentication request or for an authenticated principal once the request has been processed by the AuthenticationManager.authenticate(Authentication) method.
Exports the authentication Configuration
A strategy used for converting from a HttpServletRequest to an Authentication of particular type.
Matches if the ServerAuthenticationConverter can convert a ServerWebExchange to an Authentication.
Deprecated.
Authentication is now separated from authorization.
Thrown if an authentication request is rejected because there is no Authentication object in the SecurityContext.
Provides a Authentication.getDetails() object for a given web request.
Used by ExceptionTranslationFilter to commence an authentication scheme.
 
Abstract superclass for all exceptions related to an Authentication object being invalid for whatever reason.
Application event which indicates authentication failure due to invalid credentials being presented.
Application event which indicates authentication failure due to the user's credentials having expired.
Application event which indicates authentication failure due to the user's account being disabled.
Application event which indicates authentication failure due to the user's account having expired.
Strategy used to handle a failed authentication attempt.
Application event which indicates authentication failure due to the user's account having been locked.
Application event which indicates authentication failure due to there being no registered AuthenticationProvider that can process the request.
Application event which indicates authentication failure due to the CAS user's ticket being generated by an untrusted proxy.
Application event which indicates authentication failure due to there being a problem internal to the AuthenticationManager.
A Filter that performs authentication of a particular request.
Processes an Authentication request.
Registers the central ProviderManager used by the namespace configuration, and allows the configuration of an alias, allowing users to reference it in their beans and clearly see where the name is coming from.
Provider which doesn't provide any service.
Factory bean for the namespace AuthenticationManager, which allows a more meaningful error message to be reported in the NoSuchBeanDefinitionException, if the user has forgotten to declare the <authentication-manager> element.
An interface for resolving an AuthenticationManager based on the provided context
The authentication method used when sending bearer access tokens in resource requests to resource servers.
An Observation.Context used during authentications
An ObservationConvention for translating authentications into KeyValues.
Uses the provided ReactiveAuthenticationManager to authenticate a Payload.
Annotation that is used to resolve Authentication.getPrincipal() to a method argument.
Deprecated.
Allows resolving the Authentication.getPrincipal() using the AuthenticationPrincipal annotation.
Allows resolving the Authentication.getPrincipal() using the AuthenticationPrincipal annotation.
Deprecated.
Allows resolving the Authentication.getPrincipal() using the AuthenticationPrincipal annotation.
Resolves the Authentication
Indicates a class can process a specific Authentication implementation.
Wraps a UserDetailsService bean with a DaoAuthenticationProvider and registers the latter with the ProviderManager.
Thrown if an authentication request could not be processed due to a system problem.
Application event which indicates successful authentication.
Strategy used to handle a successful user authentication.
Application event which indicates that a user context switch.
An Tag implementation that allows convenient access to the current Authentication object.
Evaluates Authentication tokens
Basic implementation of AuthenticationTrustResolver.
Interface that allows for retrieving a UserDetails object based on an Authentication object.
A WebFilter that performs authentication of a particular request.
An AuthorizationManager that determines if the current user is authorized by evaluating if the Authentication contains any of the specified authorities.
Represents an AuthorizationDecision based on a collection of authorities
An AuthorizationManager that determines if the current user is authorized by evaluating if the Authentication contains a specified authority.
The AuthorityGranter interface is used to map a given principal to role names.
A ReactiveAuthorizationManager that determines if the current user is authorized by evaluating if the Authentication contains a specified authority.
Utility method for manipulating GrantedAuthority collections etc.
Authorizes Message resources using the provided AuthorizationManager
An implementation of an OAuth2AuthorizedClientProvider for the authorization_code grant.
An implementation of a ReactiveOAuth2AuthorizedClientProvider for the authorization_code grant.
 
 
An ApplicationEvent which indicates failed authorization.
A contract for publishing authorization events
Deprecated.
An authorization filter that restricts access to the URL using AuthorizationManager.
An ApplicationEvent which indicates successful authorization.
An authorization grant is a credential representing the resource owner's authorization (to access it's protected resources) to the client and used by the client to obtain an access token.
Ordering of Spring Security's authorization Advisors
An Authorization manager which can determine if an Authentication has access to a specific object.
A MethodInterceptor which can determine if an Authentication has access to the result of an MethodInvocation using an AuthorizationManager
A MethodInterceptor which can determine if an Authentication has access to the returned object from the MethodInvocation using the configured ReactiveAuthorizationManager.
A MethodInterceptor which uses a AuthorizationManager to determine if an Authentication may invoke the given MethodInvocation
A MethodInterceptor which can determine if an Authentication has access to the MethodInvocation using the configured ReactiveAuthorizationManager.
A factory class to create an AuthorizationManager instances.
An implementation of WebInvocationPrivilegeEvaluator which delegates the checks to an instance of AuthorizationManager
Used to transform the HttpServletRequest prior to passing it into the AuthorizationManager.
An Observation.Context used during authorizations
An ObservationConvention for translating authorizations into KeyValues.
Provides authorization of the PayloadExchange.
Implementations of this interface are responsible for the persistence of OAuth2AuthorizationRequest between requests.
Thrown if an authorization request could not be processed due to a system problem.
 
An implementation of an OAuth2AuthorizedClientManager that is capable of operating outside of the context of a HttpServletRequest, e.g.
The default implementation of the contextAttributesMapper.
An implementation of a ReactiveOAuth2AuthorizedClientManager that is capable of operating outside of the context of a ServerWebExchange, e.g.
The default implementation of the contextAttributesMapper.
Deprecated.
Adds a URL based authorization using AuthorizationManager.
A class used to get all the WebSecurityConfigurer instances from the current ApplicationContext but ignoring the parent.
Thrown if an authentication request is rejected because the credentials are invalid.
An exception similar to BadCredentialsException that indicates a Jwt that is invalid in some way.
An exception similar to BadCredentialsException that indicates an opaque token that is invalid in some way.
Deprecated.
Use java.util.Base64
A StringKeyGenerator that generates base64-encoded String keys.
A set of standard permissions.
Converts from a HttpServletRequest to UsernamePasswordAuthenticationToken that can be authenticated.
Deprecated.
Basic Authentication did not evolve into a standard.
Deprecated.
Basic Authentication did not evolve into a standard.
Used by the ExceptionTranslationFilter to commence authentication via the BasicAuthenticationFilter.
Processes a HTTP request's BASIC authorization headers, putting the result into the SecurityContextHolder.
Performs lookups in a manner that is compatible with ANSI SQL.
BCrypt implements OpenBSD-style Blowfish password hashing using the scheme described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazieres.
Implementation of PasswordEncoder that uses the BCrypt strong hashing function.
Stores the default bcrypt version for use in configuration.
Contains globally used default Bean IDs for beans created by the namespace support in Spring Security 2.
Translates any AccessDeniedException into an HTTP response in accordance with RFC 6750 Section 3: The WWW-Authenticate.
An Authentication token that represents a successful authentication as obtained through a bearer token.
An AuthenticationEntryPoint implementation used to commence authentication of protected resource requests using BearerTokenAuthenticationFilter.
Authenticates requests that contain an OAuth 2.0 Bearer Token.
Deprecated.
An Authentication that contains a Bearer Token.
Deprecated.
A representation of a Bearer Token Error.
Standard error codes defined by the OAuth 2.0 Authorization Framework: Bearer Token Usage.
A factory for creating BearerTokenError instances that correspond to the registered Bearer Token Error Codes.
Represents a bearer token that has been encoded into a Payload#metadata().
A strategy for resolving Bearer Tokens from the HttpServletRequest.
Translates any AccessDeniedException into an HTTP response in accordance with RFC 6750 Section 3: The WWW-Authenticate.
An AuthenticationEntryPoint implementation used to commence authentication of protected resource requests using BearerTokenAuthenticationFilter.
An authenticator which binds as a user.
An Encryptor equivalent to AesBytesEncryptor using AesBytesEncryptor.CipherAlgorithm.CBC that uses Bouncy Castle instead of JCE.
An Encryptor equivalent to AesBytesEncryptor using AesBytesEncryptor.CipherAlgorithm.GCM that uses Bouncy Castle instead of JCE.
Service interface for symmetric data encryption.
A generator for unique byte array-based keys.
Inserts headers to prevent caching if no cache control headers have been specified.
Writes cache control related headers.
 
Temporary authentication object needed to load the user details service.
Used by the ExceptionTranslationFilter to commence authentication via the JA-SIG Central Authentication Service (CAS).
Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets.
An AuthenticationProvider implementation that integrates with JA-SIG Central Authentication Service (CAS).
Represents a successful CAS Authentication.
Jackson module for spring-security-cas.
An Authentication implementation that is designed to process CAS service ticket.
Uses HttpServletRequest.changeSessionId() to protect against session fixation attacks.
Used as a factory bean to create config attribute values for the requires-channel attribute.
Decides whether a web channel provides sufficient security.
Implementation of ChannelDecisionManager.
May be used by a ChannelProcessor to launch a web channel.
Ensures a web request is delivered over the required channel.
Decides whether a web channel meets a specific security condition.
Adds channel security (i.e.
Deprecated.
Thrown if an Acl cannot be deleted because children Acls exist.
An "accessor" for a set of claims that may be used for assertions.
A ConversionService configured with converters that provide type conversion for claim values.
A Converter that provides type conversion for claim values.
Provides support for Clear Site Data.
Represents the directive values expected by the ClearSiteDataHeaderWriter.
Writes the Clear-Site-Data response header when the request is secure.
Represents the directive values expected by the ClearSiteDataServerHttpHeadersWriter
The authentication method used when authenticating the client with the authorization server.
This exception is thrown on the client side when an attempt to authenticate or authorize an OAuth 2.0 client fails.
This exception is thrown when an OAuth 2.0 Client is required to obtain authorization from the Resource Owner.
An implementation of an OAuth2AuthorizedClientProvider for the client_credentials grant.
An implementation of a ReactiveOAuth2AuthorizedClientProvider for the client_credentials grant.
A representation of a client registration with an OAuth 2.0 or OpenID Connect 1.0 Provider.
A builder for ClientRegistration.
A repository for OAuth 2.0 / OpenID Connect 1.0 ClientRegistration(s).
Allows creating a ClientRegistration.Builder from an OpenID Provider Configuration or Authorization Server Metadata based on provided issuer.
 
Common OAuth2 Providers that can be used to create builders pre-configured with sensible defaults for the HttpSecurity.oauth2Login() flow.
 
A HeaderWriter that delegates to several other HeaderWriters.
Performs a logout through all the LogoutHandler implementations.
A RequestRejectedHandler that delegates to several other RequestRejectedHandlers.
Combines multiple ServerHttpHeadersWriter instances into a single instance.
A SessionAuthenticationStrategy that accepts multiple SessionAuthenticationStrategy implementations to delegate to.
Strategy which handles concurrent session-control.
Filter required by concurrent session handling package.
Stores a security system related configuration attribute.
Deprecated.
A basic implementation of AuditLogger.
Writes the Contet-Security-Policy response header with configured policy directives.
Adds X-Content-Type-Options: nosniff
Checks for the presence of a ContextSource instance.
A logout handler which clears either - A defined list of cookie names, using the context path as the cookie path OR - A given list of Cookies
A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS.
An Implementation of RequestCache which saves the original request URI in a cookie.
A ServerCsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS.
An implementation of ServerRequestCache that saves the requested URI in a cookie.
 
Jackson module for spring-security-core.
Parser for the CorsFilter.
Adds CorsFilter to the Spring Security filter chain.
Indicates that the implementing object contains sensitive data, which can be erased using the eraseCredentials method.
Thrown if an authentication request is rejected because the account's credentials have expired.
Inserts Cross-Origin-Embedder-Policy header.
 
Inserts Cross-Origin-Embedder-Policy headers.
 
Inserts the Cross-Origin-Opener-Policy header
 
Inserts Cross-Origin-Opener-Policy header.
 
Inserts Cross-Origin-Resource-Policy header
 
Inserts Cross-Origin-Resource-Policy headers.
 
CsrfAuthenticationStrategy is in charge of removing the CsrfToken upon authenticating.
Parser for the CsrfFilter.
ChannelInterceptor that validates that a valid CSRF is included in the header of any SimpMessageType.CONNECT message.
Adds CSRF protection for the methods as specified by CsrfConfigurer.requireCsrfProtectionMatcher(RequestMatcher).
Thrown when an invalid or missing CsrfToken is found in the HttpServletRequest
Thrown when an invalid or missing CsrfToken is found in the HttpServletRequest
Applies CSRF protection using a synchronizer token pattern.
A JSP tag that prints out a hidden form field for the CSRF token.
CsrfLogoutHandler is in charge of removing the CsrfToken upon logout.
A JSP tag that prints out a meta tags holding the CSRF form field name and token value for use in JavaScrip code.
 
Integration with Spring Web MVC that automatically adds the CsrfToken into forms with hidden inputs when using Spring tag libraries.
CsrfServerLogoutHandler is in charge of removing the CsrfToken upon logout.
Provides the information about an expected CSRF token.
 
Allows resolving the current CsrfToken.
Loads a CsrfToken from the HttpServletRequest and HttpServletResponse to populate the WebSocket attributes.
An API to allow changing the method in which the expected CsrfToken is associated to the HttpServletRequest.
An implementation of the CsrfTokenRequestHandler interface that is capable of making the CsrfToken available as a request attribute and resolving the token value as either a header or parameter value of the request.
A callback interface that is used to make the CsrfToken created by the CsrfTokenRepository available as a request attribute.
Implementations of this interface are capable of resolving the token value of a CsrfToken from the provided HttpServletRequest.
Applies CSRF protection using a synchronizer token pattern.
Represents a Permission that is constructed at runtime from other permissions.
Annotation that is used to resolve the SecurityContext as a method argument.
Allows resolving the Authentication.getPrincipal() using the CurrentSecurityContext annotation.
Allows resolving the SecurityContext using the CurrentSecurityContext annotation.
Resolves the SecurityContext
Callback interface that accepts a single input argument and returns no result.
Exception that is thrown because of a cycle in the role hierarchy definition
Allows configuring a DaoAuthenticationProvider
An AuthenticationProvider implementation that retrieves user details from a UserDetailsService.
 
Spring Security debugging filter.
The default implementation of an Address Claim.
The default strategy for publishing authentication events.
The default implementation of an OAuth2AccessTokenResponseClient for the authorization_code grant.
The default BearerTokenResolver implementation based on RFC 6750.
The default implementation of an OAuth2AccessTokenResponseClient for the client_credentials grant.
A CSRF token that is used to protect against CSRF attacks.
A CSRF token that is used to protect against CSRF attacks.
 
Default implementation of FilterInvocationDefinitionSource.
User's should consider using StrictHttpFirewall because rather than trying to sanitize a malicious URL it rejects the malicious URL providing better security guarantees.
Creates a LoginContext using the Configuration provided to it.
The default implementation of an OAuth2AccessTokenResponseClient for the jwt-bearer grant.
The default strategy for obtaining user role information from the directory.
This implementation appends a name component to the userDnBase context using the usernameAttributeName property.
This LoginExceptionResolver simply wraps the LoginException with an AuthenticationServiceException.
Adds a Filter that will generate a login page if one is not specified otherwise when using EnableWebSecurity.
For internal use with namespace configuration in the case where a user doesn't configure a login page.
Generates a default log out page.
A Converter that converts the provided OAuth 2.0 Access Token Response parameters to an OAuth2AccessTokenResponse.
The default implementation of SecurityExpressionHandler which uses a MessageSecurityExpressionRoot.
The standard implementation of MethodSecurityExpressionHandler.
A Converter that converts the provided OAuth2AccessTokenResponse to a Map representation of the OAuth 2.0 Access Token Response parameters.
A domain object that wraps the attributes of an OAuth 2.0 token.
An implementation of an OAuth2AuthorizationRequestResolver that attempts to resolve an OAuth2AuthorizationRequest from the provided HttpServletRequest using the default request URI pattern /oauth2/authorization/{registrationId}.
The default implementation of an OAuth2AuthorizedClientManager for use within the context of a HttpServletRequest.
The default implementation of the contextAttributesMapper.
The default implementation of an OAuth2User.
An implementation of an OAuth2UserService that supports standard OAuth 2.0 Provider's.
The default implementation of an OidcUser.
Deprecated.
The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant.
Default implementation of PayloadExchange
Default implementation of PermissionFactory.
 
The default implementation of a ReactiveOAuth2AuthorizedClientManager for use within the context of a ServerWebExchange.
The default implementation of the contextAttributesMapper.
An implementation of an ReactiveOAuth2UserService that supports standard OAuth 2.0 Provider's.
Simple implementation of RedirectStrategy which is the default used throughout the framework.
The default implementation of an OAuth2AccessTokenResponseClient for the refresh_token grant.
A Converter that resolves a RelyingPartyRegistration by extracting the registration id from the request, querying a RelyingPartyRegistrationRepository, and resolving any template values.
Default implementation of RequestRejectedHandler that simply rethrows the exception.
Default implementation of a Saml2AuthenticatedPrincipal.
Represents central information from a HttpServletRequest.
 
Standard implementation of SecurityFilterChain.
Spring Security's default ParameterNameDiscoverer which tries a number of ParameterNameDiscoverer depending on what is found on the classpath.
The default implementation of ServerOAuth2AuthorizationRequestResolver.
The default ServerRedirectStrategy to use.
ContextSource implementation which uses Spring LDAP's LdapContextSource as a base class.
The default implementation of Token.
 
An interface that allows delayed access to a CsrfToken that may be generated.
An interface that allows delayed access to a SecurityContext that may be generated.
Used for delegating to a number of SmartApplicationListener instances.
An AuthenticationEntryPoint which selects a concrete AuthenticationEntryPoint based on a RequestMatcher evaluation.
A Jwt to GrantedAuthority Converter that is a composite of converters.
Delegates to logout handlers based on matched request matchers
Deprecated.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
An implementation of an OAuth2AuthorizedClientProvider that simply delegates to it's internal List of OAuth2AuthorizedClientProvider(s).
A composite validator
An implementation of an OAuth2UserService that simply delegates to it's internal List of OAuth2UserService(s).
A password encoder that delegates to another PasswordEncoder based upon a prefixed identifier.
A ReactiveAuthenticationManager that delegates to other ReactiveAuthenticationManager instances using the result from the first non empty result.
 
 
An implementation of a ReactiveOAuth2AuthorizedClientProvider that simply delegates to it's internal List of ReactiveOAuth2AuthorizedClientProvider(s).
Delegates to the provided HeaderWriter when RequestMatcher.matches(HttpServletRequest) returns true.
An AsyncTaskExecutor which wraps each Runnable in a DelegatingSecurityContextRunnable and each Callable in a DelegatingSecurityContextCallable.
Wraps a delegate Callable with logic for setting up a SecurityContext before invoking the delegate Callable and then removing the SecurityContext after the delegate has completed.
 
Wraps a delegate Runnable with logic for setting up a SecurityContext before invoking the delegate Runnable and then removing the SecurityContext after the delegate has completed.
An SchedulingTaskExecutor which wraps each Runnable in a DelegatingSecurityContextRunnable and each Callable in a DelegatingSecurityContextCallable.
An TaskExecutor which wraps each Runnable in a DelegatingSecurityContextRunnable.
An implementation of TaskScheduler invoking it whenever the trigger indicates a next execution time.
 
Delegates to a collection of ServerAuthenticationSuccessHandler implementations.
Delegates to a collection of ServerLogoutHandler implementations.
A null PermissionEvaluator which denies all access.
Used by the SecurityEnforcementFilter to commence authentication via the DigestAuthenticationFilter.
Processes a HTTP request's Digest authorization headers, putting the result into the SecurityContextHolder.
Thrown if an authentication request is rejected because the account is disabled.
Disables encoding URLs using the HttpServletResponse to prevent including the session id in URLs which is not considered URL because the session id can be leaked in things like HTTP access logs.
Checks the DispatcherType to decide whether to match a given request.
Contains all the element names used by Spring Security 3 namespace support.
A RequestMatcher implementation which uses a SpEL expression
Provides lifecycle services for an embedded LDAP server.
Creates a DefaultSpringSecurityContextSource used to perform LDAP authentication and starts and in-memory LDAP server.
The EnableGlobalAuthentication annotation signals that the annotated class can be used to configure a global instance of AuthenticationManagerBuilder.
Deprecated.
Enables Spring Security Method Security.
 
Add this annotation to a Configuration class to have Spring Security RSocketSecurity support added.
Add this annotation to a Configuration class to have Spring Security WebFlux support added.
Deprecated.
Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
Add this annotation to an @Configuration class to have the Spring Security configuration defined in any WebSecurityConfigurer or more likely by exposing a SecurityFilterChain bean:
Allows configuring WebSocket Authorization.
Static helper for encoding data.
Factory for commonly used encryptors.
Adapter that wraps an Enumeration around a Java 2 collection Iterator.
Adds exception handling for Spring Security related exceptions to an application.
Uses the internal map of exceptions types to URLs to determine the destination on authentication failure.
Handles any AccessDeniedException and AuthenticationException thrown within the filter chain.
 
Web filter that redirects requests that match ServerWebExchangeMatcher to the specified URL.
Deprecated.
Represents an AuthorizationDecision based on a Expression
Deprecated.
Use AuthorizationManager interceptors instead
Expression-based FilterInvocationSecurityMetadataSource.
Deprecated.
 
Utility class to generate HTTP dates.
Provides support for Feature Policy.
Writes the Feature-Policy response header with configured policy directives.
Offers static methods for directly manipulating fields.
LdapUserSearch implementation which uses an Ldap filter to locate the user.
 
Sets the filter chain Map for a FilterChainProxy bean declaration.
Delegates Filter requests to a list of Spring-managed filter beans.
A strategy for decorating the provided filter chain with one that accounts for the SecurityFilterChain for a given request.
 
A FilterChainProxy.FilterChainDecorator that uses the FilterChainProxy.VirtualFilterChain
Holds objects associated with a HTTP filter.
Marker interface for SecurityMetadataSource implementations that are designed to perform lookups keyed on FilterInvocations.
Deprecated.
Use `use-authorization-manager` property instead
Deprecated.
Request wrapper which is returned by the HttpFirewall interface.
Eagerly creates HttpSession if it does not already exist.
 
Adds form based authentication.
Forward Authentication Failure Handler
Forward Authentication Success Handler
LogoutSuccessHandler implementation that will perform a request dispatcher "forward" to the specified target URL.
A SecurityConfigurer that can be exposed as a bean to configure the global AuthenticationManagerBuilder.
Deprecated.
Deprecated.
Use PrePostMethodSecurityConfiguration, SecuredMethodSecurityConfiguration, or Jsr250MethodSecurityConfiguration instead
Indicates that a object stores GrantedAuthority objects.
Mapping interface which can be injected into the authentication layer to convert the authorities loaded from storage into those which will be used in the Authentication object.
Represents an authority granted to an Authentication object.
Allows providing defaults for GrantedAuthority
Populates the GrantedAuthoritys for a user by reading a list of attributes that were returned as part of the CAS response.
Represents a GrantedAuthority as a Sid.
Allows management of groups of authorities and their members.
Transforms by passing it into HandlerMappingIntrospector.setCache(HttpServletRequest).
Represents a Header to be added to the HttpServletResponse
Generic resolver extracting pre-authenticated JWT identity from a custom header.
Parser for the HeadersFilter.
Adds the Security HTTP headers to the response.
Contract for writing headers to a HttpServletResponse
Filter implementation to add headers to the current response.
 
A ServerLogoutHandler implementation which writes HTTP headers during logout.
Hex data encoder.
Deprecated.
In the pre-authenticated authentication case (unlike CAS, for example) the user will already have been identified through some external mechanism and a secure context established by the time the security-enforcement filter is invoked.
Adds HTTP basic based authentication.
Prompts a user for HTTP Basic authentication.
Interface which can be used to reject potentially dangerous requests and/or wrap them to control their behaviour.
Injects the supplied HttpFirewall bean reference into the FilterChainProxy.
Invokes a ServerHttpHeadersWriter on ReactiveHttpOutputMessage.beforeCommit(java.util.function.Supplier).
A HttpSecurity is similar to Spring Security's XML <http> element in the namespace configuration.
Sets up HTTP security: filter stack and protected URLs.
 
 
 
 
Published by the HttpSessionEventPublisher when an HttpSession is created by the container
A CsrfTokenRepository that stores the CsrfToken in the HttpSession.
Published by the HttpSessionEventPublisher when a HttpSession is removed from the container
Declared in web.xml as
Published by the HttpSessionEventPublisher when an HttpSession ID is changed.
An implementation of an Saml2LogoutRequestRepository that stores Saml2LogoutRequest in the HttpSession.
An implementation of an AuthorizationRequestRepository that stores OAuth2AuthorizationRequest in the HttpSession.
An implementation of an OAuth2AuthorizedClientRepository that stores OAuth2AuthorizedClient's in the HttpSession.
RequestCache which stores the SavedRequest in the HttpSession.
A Saml2AuthenticationRequestRepository implementation that uses HttpSession to store and retrieve the AbstractSaml2AuthenticationRequest
A SecurityContextRepository implementation which stores the security context in the HttpSession between requests.
Redirects any non-HTTPS request to its HTTPS equivalent.
An AuthenticationEntryPoint that sends a generic HttpStatus as a response.
A simple implementation of RequestRejectedHandler that sends an error with configurable status code.
Implementation of the LogoutSuccessHandler.
Implementation of the ServerLogoutSuccessHandler.
Sets the provided HTTP Status when access is denied.
A ServerAuthenticationEntryPoint that sends a generic HttpStatus as a response.
Thrown if an ACL identity could not be extracted from an object.
A ClaimAccessor for the "claims" that can be returned in the ID Token, which provides information about the authentication of an End-User by an Authorization Server.
The names of the "claims" defined by the OpenID Connect Core 1.0 specification that can be returned in the ID Token.
UserDetails implementation whose properties are based on a subset of the LDAP schema for inetOrgPerson.
 
 
An in memory representation of a JAAS configuration.
A Reactive ClientRegistrationRepository that stores ClientRegistration(s) in-memory.
An in-memory implementation of RelyingPartyRegistrationRepository.
An in memory implementation of Spring's Resource interface.
Simple PersistentTokenRepository implementation backed by a Map.
Non-persistent implementation of UserDetailsManager which is backed by an in-memory map.
Configures an AuthenticationManagerBuilder to have in memory authentication.
Ensures channel security is inactive by review of HttpServletRequest.isSecure() responses.
Thrown if an authentication request is rejected because the credentials are not sufficiently trusted.
Indicates an interactive authentication was successful.
 
Deprecated.
Use delegation with AuthorizationManager
Thrown if an authentication request could not be processed due to a system problem that occurred internally.
An OAuth2AuthenticationException that indicates an invalid bearer token.
Exception thrown by a RememberMeServices implementation to indicate that a submitted cookie is of an invalid format or has expired.
Thrown when an expected CsrfToken exists, but it does not match the value present on the HttpServletRequest
Determines the behaviour of the SessionManagementFilter when an invalid session Id is submitted and detected in the SessionManagementFilter.
Matches a request based on IP Address or subnet mask matching against the remote address.
A ReactiveAuthorizationManager, that determines if the current request contains the specified address or range of addresses
Matches a request based on IP Address or subnet mask matching against the remote address.
Implementation of AuthenticationDetailsSource which converts the user's J2EE roles (as obtained by calling HttpServletRequest.isUserInRole(String)) into GrantedAuthoritys and stores these in the authentication details object.
This AbstractPreAuthenticatedProcessingFilter implementation is based on the J2EE container-based authentication mechanism.
A Filter which attempts to obtain a JAAS Subject and continue the FilterChain running as that Subject.
The JaasAuthenticationCallbackHandler is similar to the javax.security.auth.callback.CallbackHandler interface in that it defines a handle method.
Parent class for events fired by the JaasAuthenticationProvider.
Fired when LoginContext.login throws a LoginException, or if any other exception is thrown during that time.
An AuthenticationProvider implementation that retrieves user details from a JAAS login configuration.
Fired by the JaasAuthenticationProvider after successfully logging the user into the LoginContext, handling all callbacks, and calling all AuthorityGranters.
UsernamePasswordAuthenticationToken extension to carry the Jaas LoginContext that the user was logged into
GrantedAuthority which, in addition to the assigned role, holds the principal that an AuthorityGranter used as a reason to grant this authority.
The most basic Callbacks to be handled when using a LoginContext from JAAS, are the NameCallback and PasswordCallback.
The most basic Callbacks to be handled when using a LoginContext from JAAS, are the NameCallback and PasswordCallback.
Simple JDBC-based implementation of AclService.
UserDetailsService implementation which retrieves the user details (username, password, enabled flag, and authorities) from a database using JDBC queries.
Provides a base JDBC implementation of MutableAclService.
A JDBC implementation of an OAuth2AuthorizedClientService that uses a JdbcOperations for OAuth2AuthorizedClient persistence.
A holder for an OAuth2AuthorizedClient and End-User Authentication (Resource Owner).
The default Function that maps JdbcOAuth2AuthorizedClientService.OAuth2AuthorizedClientHolder to a List of SqlParameterValue.
The default RowMapper that maps the current row in java.sql.ResultSet to OAuth2AuthorizedClient.
JDBC based persistent login token repository implementation.
Jdbc user management service, based on the same table structure as its parent class, JdbcDaoImpl.
Configures an AuthenticationManagerBuilder to have JDBC authentication.
 
Adds support for J2EE pre authentication.
The Registered Header Parameter Names defined by the JSON Web Token (JWT), JSON Web Signature (JWS) and JSON Web Encryption (JWE) specifications that may be contained in the JOSE Header of a JWT.
A JSP Tag implementation of AbstractAuthorizeTag.
An AuthorizationManager which can determine if an Authentication may invoke the MethodInvocation by evaluating if the Authentication contains a specified authority from the JSR-250 security annotations.
Deprecated.
Deprecated.
Super interface for cryptographic algorithms defined by the JSON Web Algorithms (JWA) specification and used by JSON Web Signature (JWS) to digitally sign or create a MAC of the contents and JSON Web Encryption (JWE) to encrypt the contents.
Super interface for cryptographic algorithms defined by the JSON Web Algorithms (JWA) specification and used by JSON Web Signature (JWS) to digitally sign or create a MAC of the contents of the JWS Protected Header and JWS Payload.
The cryptographic algorithms defined by the JSON Web Algorithms (JWA) specification and used by JSON Web Signature (JWS) to digitally sign or create a MAC of the contents of the JWS Protected Header and JWS Payload.
The JSON Web Signature (JWS) header is a JSON object representing the header parameters of a JSON Web Token, that describe the cryptographic operations used to digitally sign or create a MAC of the contents of the JWS Protected Header and JWS Payload.
A builder for JwsHeader.
An implementation of an AbstractOAuth2Token representing a JSON Web Token (JWT).
Helps configure a Jwt
 
An AuthenticationProvider implementation of the Jwt-encoded Bearer Tokens for protecting OAuth 2.0 Resource Servers.
An implementation of an AbstractOAuth2TokenAuthenticationToken representing a Jwt Authentication.
A JWT Bearer Grant request that holds a Jwt assertion.
An implementation of an AbstractOAuth2AuthorizationGrantRequestEntityConverter that converts the provided JwtBearerGrantRequest to a RequestEntity representation of an OAuth 2.0 Access Token Request for the JWT Bearer Grant.
An implementation of an OAuth2AuthorizedClientProvider for the jwt-bearer grant.
An implementation of an ReactiveOAuth2AuthorizedClientProvider for the jwt-bearer grant.
A Converter that takes a Jwt and converts it into a BearerTokenAuthentication.
A ClaimAccessor for the "claims" that may be contained in the JSON object JWT Claims Set of a JSON Web Token (JWT).
The Registered Claim Names defined by the JSON Web Token (JWT) specification that may be contained in the JSON object JWT Claims Set.
The JWT Claims Set is a JSON object representing the claims conveyed by a JSON Web Token.
A builder for JwtClaimsSet.
Validates a claim in a Jwt against a provided Predicate
Implementations of this interface are responsible for "decoding" a JSON Web Token (JWT) from it's compact claims representation format to a Jwt.
A factory for JwtDecoder(s).
An exception thrown when a JwtDecoder or ReactiveJwtDecoder's lazy initialization fails.
Allows creating a JwtDecoder from an OpenID Provider Configuration or Authorization Server Metadata Request based on provided issuer and method invoked.
Implementations of this interface are responsible for encoding a JSON Web Token (JWT) to it's compact claims representation format.
A holder of parameters containing the JWS headers and JWT Claims Set.
This exception is thrown when an error occurs while attempting to encode a JSON Web Token (JWT).
Base exception for all JSON Web Token (JWT) related errors.
Extracts the GrantedAuthoritys from scope attributes typically found in a Jwt.
An implementation of AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS).
An implementation of ReactiveAuthenticationManagerResolver that resolves a JWT-based ReactiveAuthenticationManager based on the Issuer in a signed JWT (JWS).
Validates the "iss" claim in a Jwt, that is matches a configured value
An implementation of OAuth2TokenValidator for verifying claims in a Jwt-based access token
An exception that results from an unsuccessful OAuth2TokenValidatorResult
Provides factory methods for creating OAuth2TokenValidator<Jwt>
Basic implementation of TokenService that is compatible with clusters and across machine restarts, without requiring database persistence.
Factory for commonly used key generators.
An AuthenticationProvider implementation that authenticates against an LDAP server.
The strategy interface for locating and authenticating an Ldap user.
Obtains a list of granted authorities for an Ldap user.
An authority that contains at least a DN and a role name for an LDAP entry but can also contain other desired attributes to be fetched during an LDAP authority search.
Creates an AuthenticationManager that can perform LDAP authentication using bind authentication.
Jackson module for spring-security-ldap.
Creates an AuthenticationManager that can perform LDAP authentication using password comparison.
Ldap authentication provider namespace configuration.
 
Deprecated.
Digest based password encoding is not considered secure.
Captures the information for a user's LDAP entry.
A UserDetails implementation which is used internally by the Ldap services.
Variation of essence pattern.
An Ldap implementation of UserDetailsManager.
The context mapper used by the LDAP authentication provider to create an LDAP user object.
LDAP implementation of UserDetailsService based around an LdapUserSearch and an LdapAuthoritiesPopulator.
Constructs an Ldap Distinguished Name from a username.
Obtains a user's information from the LDAP directory given a login name.
 
LDAP Utility methods.
An API for notifying when the SecurityContext changes.
Thrown if an authentication request is rejected because the account is locked.
Deprecated.
Logging is now embedded in Spring Security components.
Outputs authentication-related application events to Commons Logging.
The JaasAuthenticationProvider takes an instance of LoginExceptionResolver to resolve LoginModule specific exceptions to Spring Security AuthenticationExceptions.
Generates a default log in page used for authenticating users.
Used by the ExceptionTranslationFilter to commence a form login authentication via the UsernamePasswordAuthenticationFilter.
Adds logout support.
Logs a principal out.
Indicates a class that is able to participate in logout handling.
Generates a default log out page.
Application event which indicates successful logout
A logout handler which publishes LogoutSuccessEvent
Strategy that is called after a successful logout by the LogoutFilter, to handle redirection or forwarding to the appropriate destination.
If the request matches, logs an authenticated user out by delegating to a ServerLogoutHandler.
Performs lookups for AclService.
An enumeration of the cryptographic algorithms defined by the JSON Web Algorithms (JWA) specification and used by JSON Web Signature (JWS) to create a MAC of the contents of the JWS Protected Header and JWS Payload.
This class implements the Attributes2GrantedAuthoritiesMapper and MappableAttributesRetriever interfaces based on the supplied Map.
Deprecated.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Interface to be implemented by classes that can retrieve a list of mappable security attribute strings (for example the list of all available J2EE roles in a web or EJB application).
Converts a JWT claim set, claim by claim.
A Map based implementation of ReactiveUserDetailsService
A SecurityWebFilterChain that leverages a ServerWebExchangeMatcher to determine which WebFilter to execute.
Defines the RequestMatcher types supported by the namespace.
Deprecated.
Digest based password encoding is not considered secure.
Allows matching HttpServletRequest based upon the MediaType's resolved from a ContentNegotiationStrategy.
Matches based upon the accept headers.
An Message authorization context.
An expression handler for MessageAuthorizationContext.
Deprecated.
Digest based password encoding is not considered secure.
API for determining if a Message should be matched on.
 
The SecurityExpressionRoot used for Message expressions.
An expression-based AuthorizationManager that determines the access by evaluating the provided expression against the MethodInvocation.
Deprecated.
This class will be removed from the public API.
Deprecated.
A context object that contains a MethodInvocation and the result of that MethodInvocation.
Static utility methods for creating MethodInvocations usable within Spring Security.
Processes the top-level "method-security" element.
 
 
 
 
 
Extended expression-handler facade which adds methods which are specific to securing method invocations.
Interface which must be implemented if you want to use filtering in method security expressions.
Deprecated.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Deprecated.
Use EnableMethodSecurity or publish interceptors directly
Deprecated.
Use <intercept-methods>, <method-security>, or @EnableMethodSecurity
Thrown when no expected CsrfToken is found but is required.
A mutable Acl.
Provides support for creating and storing Acl instances.
A RequestMatcher that uses Spring MVC's HandlerMappingIntrospector to match the path and extract variables.
A builder for MvcRequestMatcher
A RequestMatcher that will negate the RequestMatcher passed in.
Negates the provided matcher.
A LDAP authority populator that can recursively search static nested groups.
A Converter that customizes the OAuth 2.0 Access Token Request parameters by adding a signed JSON Web Token (JWS) to be used for client authentication at the Authorization Server's Token Endpoint.
A context that holds client authentication-specific state and is used by NimbusJwtClientAuthenticationParametersConverter when attempting to customize the JSON Web Token (JWS) client assertion.
A low-level Nimbus implementation of JwtDecoder which takes a raw Nimbus configuration.
A builder for creating NimbusJwtDecoder instances based on a JWK Set uri.
A builder for creating NimbusJwtDecoder instances based on a public key.
A builder for creating NimbusJwtDecoder instances based on a SecretKey.
An implementation of a JwtEncoder that encodes a JSON Web Token (JWT) using the JSON Web Signature (JWS) Compact Serialization format.
A Nimbus implementation of OpaqueTokenIntrospector that verifies and introspects a token using the configured OAuth 2.0 Introspection Endpoint.
An implementation of a ReactiveJwtDecoder that "decodes" a JSON Web Token (JWT) and additionally verifies it's digital signature if the JWT is a JSON Web Signature (JWS).
A builder for creating NimbusReactiveJwtDecoder instances based on a JWK Set uri.
A builder for creating NimbusReactiveJwtDecoder instances.
A builder for creating NimbusReactiveJwtDecoder instances based on a public key.
A builder for creating NimbusReactiveJwtDecoder instances based on a SecretKey.
A Nimbus implementation of ReactiveOpaqueTokenIntrospector that verifies and introspects a token using the configured OAuth 2.0 Introspection Endpoint.
Thrown if an authentication request is rejected because the digest nonce has expired.
Deprecated.
This PasswordEncoder is not secure.
An implementation of ServerRequestCache that does nothing.
A do nothing implementation of ServerSecurityContextRepository.
Thrown if an ACL-related object cannot be found.
 
 
 
Implementation of NullRememberMeServices that does nothing.
Null implementation of RequestCache.
 
 
Implementation of @link StatelessTicketCache that has no backing cache.
Does not perform any caching.
An implementation of an AbstractOAuth2Token representing an OAuth 2.0 Access Token.
Access Token Types.
A representation of an OAuth 2.0 Access Token Response.
A strategy for "exchanging" an authorization grant credential (e.g.
A HttpMessageConverter for an OAuth 2.0 Access Token Response.
An AuthenticatedPrincipal that represents the principal associated with an OAuth 2.0 token.
This exception is thrown for all OAuth 2.0 related Authentication errors.
An implementation of an AbstractAuthenticationToken that represents an OAuth 2.0 Authentication.
An implementation of an AuthenticationProvider for the OAuth 2.0 Authorization Code Grant.
An AbstractAuthenticationToken for the OAuth 2.0 Authorization Code Grant.
A Filter for the OAuth 2.0 Authorization Code Grant, which handles the processing of the OAuth 2.0 Authorization Response.
An OAuth 2.0 Authorization Code Grant request that holds an Authorization Code credential, which was granted by the Resource Owner to the Client.
An implementation of an AbstractOAuth2AuthorizationGrantRequestEntityConverter that converts the provided OAuth2AuthorizationCodeGrantRequest to a RequestEntity representation of an OAuth 2.0 Access Token Request for the Authorization Code Grant.
A Filter for the OAuth 2.0 Authorization Code Grant, which handles the processing of the OAuth 2.0 Authorization Response.
An implementation of an AuthenticationProvider for OAuth 2.0 Login, which leverages the OAuth 2.0 Authorization Code Grant Flow.
A context that holds authorization-specific state and is used by an OAuth2AuthorizedClientProvider when attempting to authorize (or re-authorize) an OAuth 2.0 Client.
Base exception for OAuth 2.0 Authorization errors.
An "exchange" of an OAuth 2.0 Authorization Request and Response for the authorization code grant type.
Handles when an OAuth 2.0 Client fails to authorize (or re-authorize) via the Authorization Server or Resource Server.
A representation of an OAuth 2.0 Authorization Request for the authorization code grant type.
A factory of customizers that customize the OAuth 2.0 Authorization Request via the OAuth2AuthorizationRequest.Builder.
This Filter initiates the authorization code grant flow by redirecting the End-User's user-agent to the Authorization Server's Authorization Endpoint.
This WebFilter initiates the authorization code grant flow by redirecting the End-User's user-agent to the Authorization Server's Authorization Endpoint.
Implementations of this interface are capable of resolving an OAuth2AuthorizationRequest from the provided HttpServletRequest.
A representation of an OAuth 2.0 Authorization Response for the authorization code grant type.
The response_type parameter is consumed by the authorization endpoint which is used by the authorization code grant type.
Handles when an OAuth 2.0 Client has been successfully authorized (or re-authorized) via the Authorization Server.
A representation of an OAuth 2.0 "Authorized Client".
An implementation of a HandlerMethodArgumentResolver that is capable of resolving a method parameter to an argument value of type OAuth2AuthorizedClient.
An implementation of a HandlerMethodArgumentResolver that is capable of resolving a method parameter to an argument value of type OAuth2AuthorizedClient.
The identifier for OAuth2AuthorizedClient.
Implementations of this interface are responsible for the overall management of Authorized Client(s).
A strategy for authorizing (or re-authorizing) an OAuth 2.0 Client.
A builder that builds a DelegatingOAuth2AuthorizedClientProvider composed of one or more OAuth2AuthorizedClientProvider(s) that implement specific authorization grants.
Implementations of this interface are responsible for the persistence of Authorized Client(s) between requests.
Implementations of this interface are responsible for the management of Authorized Client(s), which provide the purpose of associating an Access Token credential to a Client and Resource Owner, who is the Principal that originally granted the authorization.
Represents a request the OAuth2AuthorizedClientManager uses to authorize (or re-authorize) the client identified by the provided clientRegistrationId.
A builder for OAuth2AuthorizeRequest.
Static factory methods for OAuth2 BodyExtractor implementations.
An AbstractHttpConfigurer for OAuth 2.0 Client support.
An OAuth 2.0 Client Credentials Grant request that holds the client's credentials in AbstractOAuth2AuthorizationGrantRequest.getClientRegistration().
An implementation of an AbstractOAuth2AuthorizationGrantRequestEntityConverter that converts the provided OAuth2ClientCredentialsGrantRequest to a RequestEntity representation of an OAuth 2.0 Access Token Request for the Client Credentials Grant.
Jackson Module for spring-security-oauth2-client, that registers the following mix-in annotations: OAuth2AuthorizationRequestMixin ClientRegistrationMixin OAuth2AccessTokenMixin OAuth2RefreshTokenMixin OAuth2AuthorizedClientMixin OAuth2UserAuthorityMixin DefaultOAuth2UserMixin OidcIdTokenMixin OidcUserInfoMixin OidcUserAuthorityMixin DefaultOidcUserMixin OAuth2AuthenticationTokenMixin OAuth2AuthenticationExceptionMixin OAuth2ErrorMixin If not already enabled, default typing will be automatically enabled as type info is required to properly serialize/deserialize objects.
A representation of an OAuth 2.0 Device Authorization Response.
A HttpMessageConverter for an OAuth 2.0 Device Authorization Response.
An implementation of an AbstractOAuth2Token representing a device code as part of the OAuth 2.0 Device Authorization Grant.
A representation of an OAuth 2.0 Error.
Standard error codes defined by the OAuth 2.0 Authorization Framework.
A HttpMessageConverter for an OAuth 2.0 Error.
A ResponseErrorHandler that handles an OAuth 2.0 Error.
A domain object that wraps the attributes of OAuth 2.0 Token Introspection.
Base exception for all OAuth 2.0 Introspection related errors
An implementation of an AbstractAuthenticationProcessingFilter for OAuth 2.0 Login.
An implementation of an AuthenticationProvider for OAuth 2.0 Login, which leverages the OAuth 2.0 Authorization Code Grant Flow.
An AbstractAuthenticationToken for OAuth 2.0 Login, which leverages the OAuth 2.0 Authorization Code Grant Flow.
An AbstractHttpConfigurer for OAuth 2.0 Login, which leverages the OAuth 2.0 Authorization Code Grant Flow.
An implementation of an AuthenticationProvider for OAuth 2.0 Login, which leverages the OAuth 2.0 Authorization Code Grant Flow.
Standard and custom (non-standard) parameter names defined in the OAuth Parameters Registry and used by the authorization endpoint, token endpoint and token revocation endpoint.
Deprecated.
The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant.
An implementation of an AbstractOAuth2AuthorizationGrantRequestEntityConverter that converts the provided OAuth2PasswordGrantRequest to a RequestEntity representation of an OAuth 2.0 Access Token Request for the Resource Owner Password Credentials Grant.
An implementation of an AbstractOAuth2Token representing an OAuth 2.0 Refresh Token.
An OAuth 2.0 Refresh Token Grant request that holds the refresh token credential granted to the client.
An implementation of an AbstractOAuth2AuthorizationGrantRequestEntityConverter that converts the provided OAuth2RefreshTokenGrantRequest to a RequestEntity representation of an OAuth 2.0 Access Token Request for the Refresh Token Grant.
An AbstractHttpConfigurer for OAuth 2.0 Resource Server Support.
Core interface representing an OAuth 2.0 Token.
A ClaimAccessor for the "claims" that may be contained in the Introspection Response.
The names of the "Introspection Claims" defined by an Introspection Response.
Implementations of this interface are responsible for "verifying" the validity and/or constraints of the attributes contained in an OAuth 2.0 Token.
A result emitted from an OAuth2TokenValidator validation attempt
A representation of a user Principal that is registered with an OAuth 2.0 Provider.
A GrantedAuthority that may be associated to an OAuth2User.
An implementation of an AbstractOAuth2Token representing a user code as part of the OAuth 2.0 Device Authorization Grant.
Represents a request the OAuth2UserService uses when initiating a request to the UserInfo Endpoint.
A Converter that converts the provided OAuth2UserRequest to a RequestEntity representation of a request for the UserInfo Endpoint.
Implementations of this interface are responsible for obtaining the user attributes of the End-User (Resource Owner) from the UserInfo Endpoint using the Access Token granted to the Client and returning an AuthenticatedPrincipal in the form of an OAuth2User.
Represents the identity of an individual domain object instance.
Strategy which creates an ObjectIdentity from an object identifier (such as a primary key) and type information.
Simple implementation of ObjectIdentity.
Strategy interface that provides the ability to determine which ObjectIdentity will be returned for a particular domain object
Basic implementation of ObjectIdentityRetrievalStrategy and ObjectIdentityGenerator that uses the constructors of ObjectIdentityImpl to create the ObjectIdentity.
Allows initialization of Objects.
Spring Configuration that exports the default ObjectPostProcessor.
An AuthenticationManager that observes the authentication
An AuthorizationManager that observes the authorization
A FilterChainProxy.FilterChainDecorator that wraps the chain in before and after observations
 
 
An ReactiveAuthenticationManager that observes the authentication
An ReactiveAuthorizationManager that observes the authentication
A SecurityContextChangedListener that adds events to an existing Observation If no Observation is present when an event is fired, then the event is unrecorded.
A WebFilterChainProxy.WebFilterChainDecorator that wraps the chain in before and after observations
An implementation of an AuthenticationProvider for the OpenID Connect Core 1.0 Authorization Code Grant Flow.
An implementation of an AuthenticationProvider for OAuth 2.0 Login, which leverages the OAuth 2.0 Authorization Code Grant Flow.
A logout success handler for initiating OIDC logout through the user agent.
A reactive logout success handler for initiating OIDC logout through the user agent.
An implementation of an AbstractOAuth2Token representing an OpenID Connect Core 1.0 ID Token.
A builder for OidcIdTokens
A factory that provides a JwtDecoder used for OidcIdToken signature verification.
An OAuth2TokenValidator responsible for validating the claims in an ID Token.
Standard parameter names defined in the OAuth Parameters Registry and used by the authorization endpoint and token endpoint.
An implementation of an ReactiveOAuth2UserService that supports OpenID Connect 1.0 Provider's.
The scope values defined by the OpenID Connect Core 1.0 specification that can be used to request claims.
A representation of a user Principal that is registered with an OpenID Connect 1.0 Provider.
A GrantedAuthority that may be associated to an OidcUser.
A representation of a UserInfo Response that is returned from the OAuth 2.0 Protected Resource UserInfo Endpoint.
A builder for OidcUserInfos
Represents a request the OidcUserService uses when initiating a request to the UserInfo Endpoint.
An implementation of an OAuth2UserService that supports OpenID Connect 1.0 Provider's.
Base class for response wrappers which encapsulate the logic for handling an event when the HttpServletResponse is committed.
Convert a successful introspection result into an authentication result.
An AuthenticationProvider implementation for opaque Bearer Tokens, using an OAuth 2.0 Introspection Endpoint to check the token's validity and reveal its attributes.
A contract for introspecting and verifying an OAuth 2.0 token.
An ReactiveAuthenticationManager implementation for opaque Bearer Tokens, using an OAuth 2.0 Introspection Endpoint to check the token's validity and reveal its attributes.
Implementation of AuthenticationProvider for SAML authentications when receiving a Response object containing an Assertion.
A tuple containing an OpenSAML Assertion and its associated authentication token.
A tuple containing an OpenSAML Response and its associated authentication token.
A strategy for resolving a SAML 2.0 Authentication Request from the HttpServletRequest using OpenSAML.
 
A Saml2LogoutRequestResolver for resolving SAML 2.0 Logout Requests with OpenSAML 4
 
A Saml2LogoutResponseResolver for resolving SAML 2.0 Logout Responses with OpenSAML 4
 
A RelyingPartyRegistration.AssertingPartyDetails that contains OpenSAML-specific members
An OpenSAML version of RelyingPartyRegistration.AssertingPartyDetails.Builder that contains the underlying EntityDescriptor
An AuthenticationConverter that generates a Saml2AuthenticationToken appropriate for authenticated a SAML 2.0 Assertion against an AuthenticationManager.
An initialization service for initializing OpenSAML.
A Saml2LogoutRequestValidator that authenticates a SAML 2.0 Logout Requests received from a SAML 2.0 Asserting Party using OpenSAML.
An OpenSAML-based implementation of Saml2LogoutRequestValidatorParametersResolver
A Saml2LogoutResponseValidator that authenticates a SAML 2.0 Logout Responses received from a SAML 2.0 Asserting Party using OpenSAML.
Resolves the SAML 2.0 Relying Party Metadata for a given RelyingPartyRegistration using the OpenSAML API.
A tuple containing an OpenSAML EntityDescriptor and its associated RelyingPartyRegistration
An OpenSAML implementation of RelyingPartyRegistration that contains OpenSAML objects like EntityDescriptor.
An OpenSAML version of RelyingPartyRegistration.AssertingPartyDetails.Builder that contains the underlying EntityDescriptor
An HttpMessageConverter that takes an IDPSSODescriptor in an HTTP response and converts it into a RelyingPartyRegistration.Builder.
MessageMatcher that will return true if any of the passed in MessageMatcher instances match.
RequestMatcher that will return true if any of the passed in RequestMatcher instances match.
Matches if any of the provided ServerWebExchangeMatcher match
A mutable ACL that provides ownership capabilities.
Deprecated.
use @{code org.springframework.security.core.parameters.P}
An annotation that can be used along with AnnotationParameterNameDiscoverer to specify parameter names.
An LdapAuthenticator which compares the login password with the value stored in the directory using a remote LDAP "compare" operation.
Service interface for encoding passwords.
Used for creating PasswordEncoder instances
Stateful parser for the <password-encoder> element.
Adds password management support.
Deprecated.
The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant.
Extended version of the DefaultSpringSecurityContextSource which adds support for the use of PasswordPolicyControl to make use of user account data stored in the directory.
A Password Policy request control.
Obtains the PasswordPolicyControl from a context for use by other classes.
Transforms a control object to a PasswordPolicyResponseControl object, if appropriate.
 
Defines status codes for use with PasswordPolicyException, with error codes (for message source lookup) and default messages.
Generic exception raised by the ppolicy package.
Represents the response control received when a PasswordPolicyControl is used when binding to a directory.
Deprecated.
The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant.
Matches if the PathPattern matches the path within the application.
Contract for a Payload interaction.
Converts from a PayloadExchange to an Authentication
 
An interface for determining if a PayloadExchangeMatcher matches.
The result of matching
 
Maps a @{code List} of PayloadExchangeMatcher instances to
 
 
Contract for interception-style, chained processing of Payloads that may be used to implement cross-cutting, application-agnostic requirements such as security, timeouts, and others.
Contract to allow a PayloadInterceptor to delegate to the next in the chain.
The standard order for PayloadInterceptor to be sorted.
A SocketAcceptorInterceptor that applies the PayloadInterceptors
A PasswordEncoder implementation that uses PBKDF2 with : a configurable random salt value length (default is 16 bytes) a configurable number of iterations (default is 310000) a configurable key derivation function (see Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm) a configurable secret appended to the random salt (default is empty) The algorithm is invoked on the concatenated bytes of the salt, secret and password.
The Algorithm used for creating the SecretKeyFactory
Represents a permission granted to a Sid for a given domain object.
Allows permissions to be pre-cached when using pre or post filtering with expressions
Strategy used in expression evaluation to determine whether a user has a permission or permissions for a given domain object.
Provides a simple mechanism to retrieve Permission instances from integer masks.
Allow customization of the logic for determining whether a permission or permissions are granted to a particular sid or sids by an Acl.
Provides support for Permisisons Policy.
Writes the Permissions-Policy response header with configured policy directives.
 
The abstraction used by PersistentTokenBasedRememberMeServices to store the persistent login tokens for a user.
UserDetails implementation whose properties are based on the LDAP schema for Person.
 
 
Standard parameter names defined in the OAuth Parameters Registry and used by the authorization endpoint and token endpoint.
PortMapper implementations provide callers with information about which HTTP ports are associated with which HTTPS ports on the system, and vice versa.
Allows configuring a shared PortMapper instance used to determine the ports when redirecting between HTTP and HTTPS.
Concrete implementation of PortMapper that obtains HTTP:HTTPS pairs from the application context.
A PortResolver determines the port a web request was received on.
Concrete implementation of PortResolver that obtains the port from ServletRequest.getServerPort().
Annotation for specifying a method access-control expression which will be evaluated after a method has been invoked.
An AuthorizationManager which can determine if an Authentication may return the result from an invoked MethodInvocation by evaluating an expression from the PostAuthorize annotation.
A ReactiveAuthorizationManager which can determine if an Authentication has access to the returned object from the MethodInvocation by evaluating an expression from the PostAuthorize annotation.
Annotation for specifying a method filtering expression which will be evaluated after a method has been invoked.
A MethodInterceptor which filters a returnedObject from the MethodInvocation by evaluating an expression from the PostFilter annotation.
A MethodInterceptor which filters the returned object from the MethodInvocation by evaluating an expression from the PostFilter annotation.
Processes a pre-authenticated authentication request.
Authentication implementation for pre-authenticated authentication.
 
This AuthenticationUserDetailsService implementation creates a UserDetails object based solely on the information contained in the given PreAuthenticatedAuthenticationToken.
This WebAuthenticationDetails implementation allows for storing a list of pre-authenticated Granted Authorities.
Annotation for specifying a method access-control expression which will be evaluated to decide whether a method invocation is allowed or not.
An AuthorizationManager which can determine if an Authentication may invoke the MethodInvocation by evaluating an expression from the PreAuthorize annotation.
A ReactiveAuthorizationManager which can determine if an Authentication has access to the MethodInvocation by evaluating an expression from the PreAuthorize annotation.
Annotation for specifying a method filtering expression which will be evaluated before a method has been invoked.
A MethodInterceptor which filters a method argument by evaluating an expression from the PreFilter annotation.
A MethodInterceptor which filters a reactive method argument by evaluating an expression from the PreFilter annotation.
Deprecated.
Use delegation with AuthorizationManager
Represents an Authentication.getPrincipal() as a Sid.
Iterates an Authentication request through a list of AuthenticationProviders.
Interface for operating on a SecurityBuilder that creates a ProviderManager
Thrown by ProviderManager if no AuthenticationProvider could be found that supports the presented Authentication object.
Deprecated.
Only used by now-deprecated classes.
A R2DBC implementation of ReactiveOAuth2AuthorizedClientService that uses a DatabaseClient for OAuth2AuthorizedClient persistence.
A holder for OAuth2AuthorizedClient data and End-User Authentication (Resource Owner).
The default Function that maps R2dbcReactiveOAuth2AuthorizedClientService.OAuth2AuthorizedClientHolder to a Map of String and Parameter.
The default BiFunction that maps the current io.r2dbc.spi.Row to a R2dbcReactiveOAuth2AuthorizedClientService.OAuth2AuthorizedClientHolder.
Determines if the provided Authentication can be authenticated.
Adapts an AuthenticationManager to the reactive APIs.
An interface for resolving a ReactiveAuthenticationManager based on the provided context
A reactive authorization manager which can determine if an Authentication has access to a specific object.
A reactive repository for OAuth 2.0 / OpenID Connect 1.0 ClientRegistration(s).
Reactive version of JwtAuthenticationConverter for converting a Jwt to a Mono<AbstractAuthenticationToken>.
A reactive Converter for adapting a non-blocking imperative Converter
Implementations of this interface are responsible for "decoding" a JSON Web Token (JWT) from it's compact claims representation format to a Jwt.
A factory for ReactiveJwtDecoder(s).
Allows creating a ReactiveJwtDecoder from an OpenID Provider Configuration or Authorization Server Metadata Request based on provided issuer and method invoked.
Adapts a Converter<Jwt, Collection<GrantedAuthority>> to a Converter<Jwt, Flux<GrantedAuthority>>.
A reactive strategy for "exchanging" an authorization grant credential (e.g.
Handles when an OAuth 2.0 Client fails to authorize (or re-authorize) via the authorization server or resource server.
Handles when an OAuth 2.0 Client has been successfully authorized (or re-authorized) via the authorization server.
Implementations of this interface are responsible for the overall management of Authorized Client(s).
A strategy for authorizing (or re-authorizing) an OAuth 2.0 Client.
A builder that builds a DelegatingReactiveOAuth2AuthorizedClientProvider composed of one or more ReactiveOAuth2AuthorizedClientProvider(s) that implement specific authorization grants.
Implementations of this interface are responsible for the management of Authorized Client(s), which provide the purpose of associating an Access Token credential to a Client and Resource Owner, who is the Principal that originally granted the authorization.
Implementations of this interface are responsible for obtaining the user attributes of the End-User (Resource Owner) from the UserInfo Endpoint using the Access Token granted to the Client and returning an AuthenticatedPrincipal in the form of an OAuth2User.
A factory that provides a ReactiveJwtDecoder used for OidcIdToken signature verification.
Convert a successful introspection result into an authentication result.
A contract for introspecting and verifying an OAuth 2.0 token.
Reactive version of PreAuthenticatedAuthenticationProvider This manager receives a PreAuthenticatedAuthenticationToken, checks that associated account is not disabled, expired, or blocked, and returns new authenticated PreAuthenticatedAuthenticationToken.
Allows getting and setting the Spring SecurityContext into a Context.
An API for changing a UserDetails password.
An API for finding the UserDetails by username.
Sets up the Reactor Context with the Authentication from the TestSecurityContextHolder and then clears the Reactor Context at the end of the tests.
Performs a redirect to a specified location.
Performs a redirect to a specified location.
Performs a redirect on authentication success.
Performs a redirect on log out success.
Encapsulates the redirection logic for all classes in the framework which perform redirects.
Internal class for building redirect URLs.
Provides support for Referrer Policy.
 
Writes the Referrer-Policy response header.
 
An implementation of an OAuth2AuthorizedClientProvider for the refresh_token grant.
An implementation of a ReactiveOAuth2AuthorizedClientProvider for the refresh_token grant.
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
Uses a regular expression to decide whether a supplied the URL of a supplied HttpServletRequest.
This annotation may be used to resolve a method parameter to an argument value of type OAuth2AuthorizedClient.
Strategy used to register a user with the SessionRegistry after successful Authentication.
Represents a configured relying party (aka Service Provider) and asserting party (aka Identity Provider) pair.
The configuration metadata of the Asserting party
 
 
A factory for creating placeholder resolvers for RelyingPartyRegistration templates.
A class for resolving RelyingPartyRegistration URIs
A repository for RelyingPartyRegistrations
A contract for resolving a RelyingPartyRegistration from the HTTP request
A utility class for constructing instances of RelyingPartyRegistration
 
This exception is thrown when an Authentication exception occurs while using the remember-me authentication.
Detects if there is no Authentication object in the SecurityContext, and populates the context with a remember-me authentication token if a RememberMeServices implementation so requests.
An AuthenticationProvider implementation that validates RememberMeAuthenticationTokens.
Represents a remembered Authentication.
Configures Remember Me authentication.
Implement by a class that is capable of providing a remember-me service.
A simple pre-authenticated filter which obtains the username from request attributes, for use with SSO systems such as Stanford WebAuth or Shibboleth.
Stores the SecurityContext on a ServletRequest.setAttribute(String, Object) so that it can be restored when different dispatch types occur.
An HttpServletRequest authorization context.
Implements "saved request" logic, allowing a single request to be retrieved and restarted after redirecting to an authentication mechanism.
Responsible for reconstituting the saved request if one is cached and it matches the current request.
Adds request cache for Spring Security.
Performs a redirect to the original request URL when an invalid requested session is detected by the SessionManagementFilter.
A simple pre-authenticated filter which obtains the username from a request header, for use with systems such as CA Siteminder.
A RequestMatcher that can be used to match request that contain a header with an expected header name and an expected value.
 
Simple strategy to match an HttpServletRequest.
The result of matching against an HttpServletRequest Contains the status, true or false, of the match and if present, any variables extracted from the match
An AuthorizationManager which delegates to a specific AuthorizationManager based on a RequestMatcher evaluation.
A WebInvocationPrivilegeEvaluator which delegates to a list of WebInvocationPrivilegeEvaluator based on a RequestMatcher evaluation
PropertyEditor which creates ELRequestMatcher instances from Strings This allows to use a String in a BeanDefinition instead of an (inner) bean if a RequestMatcher is required, e.g.
A rich object for associating a RequestMatcher to another object.
An implementation of Saml2MetadataResponseResolver that identifies which RelyingPartyRegistrations to use with a RequestMatcher
Filter that redirects requests that match RequestMatcher to the specified URL.
A factory class to create RequestMatcher instances.
 
Used by FilterChainProxy to handle an RequestRejectedException.
Commences an insecure channel by retrying the original request using HTTP.
Commences a secure channel by retrying the original request using HTTPS.
The simple interface of a role hierarchy.
 
This class defines a role hierarchy for use with various access checking components.
Utility methods for RoleHierarchy.
Deprecated.
 
Adds RsaKeyConverters to the configured ConversionService or PropertyEditors
Used for creating Key converter instances
Allows configuring RSocket based security.
Deprecated.
Authentication is now separated from authorization in Spring Security.
Deprecated.
Authentication is now separated from authorization in Spring Security.
Deprecated.
Authentication is now separated from authorization in Spring Security.
Deprecated.
Authentication is now separated from authorization in Spring Security.
Saml2 representation of an AuthenticatedPrincipal.
An implementation of an AbstractAuthenticationToken that represents an authenticated SAML 2.0 Authentication.
This exception is thrown for all SAML 2.0 related Authentication errors.
A strategy for resolving a SAML 2.0 Authentication Request from the HttpServletRequest.
Represents an incoming SAML 2.0 response containing an assertion that has not been validated.
An AuthenticationConverter that generates a Saml2AuthenticationToken appropriate for authenticated a SAML 2.0 Assertion against an AuthenticationManager.
A representation of an SAML 2.0 Error.
A list of SAML known 2 error codes used during SAML authentication.
 
Jackson module for saml2-service-provider.
An AbstractHttpConfigurer for SAML 2.0 Login, which leverages the SAML 2.0 Web Browser Single Sign On (WebSSO) Flow.
Adds SAML 2.0 logout support.
A class that represents a signed and serialized SAML 2.0 Logout Request
 
A filter for handling logout requests in the form of a <saml2:LogoutRequest> sent from the asserting party.
Implementations of this interface are responsible for the persistence of Saml2LogoutRequest between requests.
Creates a signed SAML 2.0 Logout Request based on information from the HttpServletRequest and current Authentication.
Validates SAML 2.0 Logout Requests
A holder of the parameters needed to invoke Saml2LogoutRequestValidator
Resolved a SAML 2.0 Logout Request and associated validation parameters from the given HttpServletRequest and current Authentication.
A class that represents a signed and serialized SAML 2.0 Logout Response
 
A filter for handling a <saml2:LogoutResponse> sent from the asserting party.
Creates a signed SAML 2.0 Logout Response based on information from the HttpServletRequest and current Authentication.
Validates SAML 2.0 Logout Responses
A holder of the parameters needed to invoke Saml2LogoutResponseValidator
A result emitted from a SAML 2.0 Logout validation attempt
 
The type of bindings that messages are exchanged using Supported bindings are urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.
An AbstractHttpConfigurer for SAML 2.0 Metadata.
A Filter that returns the metadata for a Relying Party
Resolves the SAML 2.0 Relying Party Metadata for a given RelyingPartyRegistration
 
Resolves Relying Party SAML 2.0 Metadata given details from the HttpServletRequest.
Standard parameter names defined in the SAML 2.0 Specification and used by the Authentication Request, Assertion Consumer Response, Logout Request, and Logout Response endpoints.
Data holder for information required to send an AuthNRequest over a POST binding from the service provider to the identity provider https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf (line 2031)
Builder class for a Saml2PostAuthenticationRequest object.
Data holder for information required to send an AuthNRequest over a REDIRECT binding from the service provider to the identity provider https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf (line 2031)
Builder class for a Saml2RedirectAuthenticationRequest object.
A success handler for issuing a SAML 2.0 Logout Request to the the SAML 2.0 Asserting Party
A result emitted from a SAML 2.0 Response validation attempt
 
This Filter formulates a SAML 2.0 AuthnRequest (line 1968) and redirects to a configured asserting party.
An object for holding a public certificate, any associated private key, and its intended usages (Line 584, Section 4.3 Credentials).
 
Sets the appropriate parameters for CAS's implementation of SAML (which is not guaranteed to be actually SAML compliant).
Stores off the values of a cookie in a serializable holder
Encapsulates the functionality required of a cached request for both an authentication mechanism (typically form-based login) to redirect to the original URL and for a RequestCache to build a wrapped request, reproducing the original request data.
An authentication success strategy which can make use of the DefaultSavedRequest which may have been stored in the session by the ExceptionTranslationFilter.
Implementation of PasswordEncoder that uses the SCrypt hashing function.
Ensures channel security is active by review of HttpServletRequest.isSecure() responses.
Java 5 annotation for describing service layer security attributes.
An AuthorizationManager which can determine if an Authentication may invoke the MethodInvocation by evaluating if the Authentication contains a specified authority from the Spring Security's Secured annotation.
Creates a SecureRandom instance.
Interface for building an Object
Stores a ConfigAttribute as a String.
Allows for configuring a SecurityBuilder.
A base class for SecurityConfigurer that allows subclasses to only implement the methods they are interested in.
Interface defining the minimum security information associated with the current thread of execution.
Allows for integration with Spring MVC's Callable support.
An event that represents a change in SecurityContext
Creates a ExecutorChannelInterceptor that will obtain the Authentication from the specified Message.getHeaders().
Allows persisting and restoring of the SecurityContext found on the SecurityContextHolder for each request by configuring the SecurityContextPersistenceFilter.
Associates a given SecurityContext with the current execution thread.
A Filter which populates the ServletRequest with a request wrapper which implements the servlet API security methods.
A Spring Security-aware HttpServletRequestWrapper, which uses the SecurityContext-defined Authentication object to implement the servlet API security methods: SecurityContextHolderAwareRequestWrapper.getUserPrincipal() SecurityContextHolderAwareRequestWrapper.isUserInRole(String) HttpServletRequestWrapper.getRemoteUser().
A Filter that uses the SecurityContextRepository to obtain the SecurityContext and set it on the SecurityContextHolder.
A strategy for storing security context information against a thread.
Base implementation of SecurityContext.
An implementation of LoginModule that uses a Spring Security SecurityContext to provide authentication.
Performs a logout by modifying the SecurityContextHolder.
Strategy used for persisting a SecurityContext between requests.
A ServerLogoutHandler which removes the SecurityContext using the provided ServerSecurityContextRepository
Overrides the ServerWebExchange.getPrincipal() with the provided SecurityContext
Override the ServerWebExchange.getPrincipal() to be looked up using ReactiveSecurityContextHolder.
 
By defining this object as a Bean, Spring Security is exposed as SpEL expressions for creating Spring Data queries.
Facade which isolates Spring Security's requirements for evaluating security expressions from the implementation of the underlying expression objects
Standard interface for expression root objects used with expression-based security.
Base root object for use in Spring Security expression evaluations.
Defines a filter chain which is capable of being matched against an HttpServletRequest.
Utilities for interacting with HttpHeaders
This utility class will find all the SecurityModules in classpath.
Implemented by classes that store and can identify the ConfigAttributes that applies to a given secure object invocation.
Provides Security related MockMvcConfigurer implementations.
Contains Spring Security related MockMvc RequestBuilders.
Creates a form based login request including any necessary CsrfToken.
Creates a logout request (including any necessary CsrfToken)
Contains MockMvc RequestPostProcessor implementations for Spring Security.
Populates a valid CsrfToken into the request.
 
 
 
 
 
 
Creates a UsernamePasswordAuthenticationToken and sets the principal to be a User and associates it to the MockHttpServletRequest.
Security related MockMvc ResultHandlers
Security related MockMvc ResultMatchers.
A MockMvc ResultMatcher that verifies a specific user is associated to the MvcResult.
Test utilities for working with Spring Security and WebTestClient.Builder.apply(WebTestClientConfigurer).
 
Updates the WebServerExchange using {@link SecurityMockServerConfigurers#mockAuthentication(Authentication)}.
 
 
 
 
Updates the WebServerExchange using {@link SecurityMockServerConfigurers#mockUser(UserDetails)}.
Parses elements from the "security" namespace (http://www.springframework.org/schema/security).
A SocketAcceptorInterceptor that applies Security through a delegate SocketAcceptorInterceptor.
There are many times a user may want to use Spring Security's test support (i.e.
Spring Security extension to Spring's WebApplicationContextUtils.
Defines a filter chain which is capable of being matched against a ServerWebExchange in order to decide whether it applies to that request.
 
 
A strategy used for converting from a ServerWebExchange to an Authentication used for authenticating with a provided ReactiveAuthenticationManager.
Used to request authentication
Handles authentication failure
Handles authentication success
Implementations of this interface are responsible for the persistence of OAuth2AuthorizationRequest between requests.
An ExchangeFilterFunction that adds the Bearer Token from an existing OAuth2Token tied to the current Authentication.
A strategy for resolving Bearer Tokens from the ServerWebExchange.
An API to allow changing the method in which the expected CsrfToken is associated to the ServerWebExchange.
An implementation of the ServerCsrfTokenRequestHandler interface that is capable of making the CsrfToken available as an exchange attribute and resolving the token value as either a form data value or header of the request.
A callback interface that is used to make the CsrfToken created by the ServerCsrfTokenRepository available as an exchange attribute.
Implementations of this interface are capable of resolving the token value of a CsrfToken from the provided ServerWebExchange.
Converts a ServerWebExchange into a UsernamePasswordAuthenticationToken from the form data HTTP parameters.
Deprecated.
Converts from a ServerWebExchange to an Authentication that can be authenticated.
Deprecated.
Interface for writing headers just before the response is committed.
A ServerHttpSecurity is similar to Spring Security's HttpSecurity but for WebFlux.
Handles log out
Strategy for when log out was successfully performed (typically after ServerLogoutHandler is invoked).
Converts from a ServerWebExchange to an OAuth2AuthorizationCodeAuthenticationToken that can be authenticated.
Implementations of this interface are capable of resolving an OAuth2AuthorizationRequest from the provided ServerWebExchange.
Provides an easy mechanism for using an OAuth2AuthorizedClient to make OAuth2 requests by including the token as a Bearer Token.
Implementations of this interface are responsible for the persistence of Authorized Client(s) between requests.
A strategy for performing redirects.
Saves a ServerHttpRequest so it can be "replayed" later.
A WebFilter that replays any matching request in ServerRequestCache
Strategy used for persisting a SecurityContext between requests.
 
An interface for determining if a ServerWebExchangeMatcher matches.
The result of matching
A rich object for associating a ServerWebExchangeMatcher to another object.
Provides factory methods for creating common ServerWebExchangeMatcher
Converts from a SslInfo provided by a request to an PreAuthenticatedAuthenticationToken that can be authenticated.
In order for the CasAuthenticationProvider to provide the correct service url to authenticate the ticket, the returned value of Authentication.getDetails() should implement this interface when tickets can be sent to any URL rather than only ServiceProperties.getService().
The AuthenticationDetailsSource that is set on the CasAuthenticationFilter should return a value that implements ServiceAuthenticationDetails if the application needs to authenticate dynamic service urls.
Stores properties related to this CAS service.
Implements select methods from the HttpServletRequest using the SecurityContext from the SecurityContextHolder.
An ExchangeFilterFunction that adds the Bearer Token from an existing OAuth2Token tied to the current Authentication.
Provides an easy mechanism for using an OAuth2AuthorizedClient to make OAuth 2.0 requests by including the access token as a bearer token.
Thrown by an SessionAuthenticationStrategy to indicate that an authentication object is not valid for the current session, typically because the same user has exceeded the number of sessions they are allowed to have concurrently.
Allows pluggable support for HttpSession-related behaviour when an authentication occurs.
Generic session creation event which indicates that a session (potentially represented by a security context) has begun.
Specifies the various session creation policies for Spring Security.
Generic "session termination" event which indicates that a session (potentially represented by a security context) has ended.
Indicates a session ID was changed for the purposes of session fixation protection.
Uses HttpServletRequest.invalidate() to protect against session fixation attacks.
Generic "session ID changed" event which indicates that a session identifier (potentially represented by a security context) has changed.
Represents a record of a session within the Spring Security framework.
An event for when a SessionInformation is expired.
Determines the behaviour of the ConcurrentSessionFilter when an expired session is detected in the ConcurrentSessionFilter.
Allows configuring session management.
Detects that a user has been authenticated since the start of the request and, if they have, calls the configured SessionAuthenticationStrategy to perform any session-related activity such as activating session-fixation protection mechanisms or checking for multiple concurrent logins.
Maintains a registry of SessionInformation instances.
Default implementation of SessionRegistry which listens for SessionDestroyedEvents published in the Spring application context.
Provides SHA512 digest methods.
A security identity recognised by the ACL system.
Strategy interface that provides an ability to determine the Sid instances applicable for an Authentication.
Basic implementation of SidRetrievalStrategy that creates a Sid for the principal, as well as every granted authority the principal holds.
An enumeration of the cryptographic algorithms defined by the JSON Web Algorithms (JWA) specification and used by JSON Web Signature (JWS) to digitally sign the contents of the JWS Protected Header and JWS Payload.
MessageMatcher which compares a pre-defined pattern against the destination of a Message.
This class implements the Attributes2GrantedAuthoritiesMapper interface by doing a one-to-one mapping from roles to Spring Security GrantedAuthorities.
Encodes Simple Authentication.
Simple one-to-one GrantedAuthoritiesMapper which allows for case conversion of the authority name and the addition of a string prefix (which defaults to ROLE_ ).
Basic concrete implementation of a GrantedAuthority.
Jackson Mixin class helps in serialize/deserialize SimpleGrantedAuthority.
This class implements the MappableAttributesRetriever interface by just returning a list of mappable attributes as previously set using the corresponding setter method.
Represents the AOP Alliance MethodInvocation.
Performs a redirect to a fixed URL when an invalid requested session is detected by the SessionManagementFilter.
Performs a redirect to a fixed URL when an expired session is detected by the ConcurrentSessionFilter.
A Bean implementation of SavedRequest
AuthenticationFailureHandler which performs a redirect to the value of the defaultFailureUrl property when the onAuthenticationFailure method is called.
AuthenticationSuccessHandler which can be configured with a default URL which users should be sent to upon successful authentication.
Handles the navigation on logout by delegating to the AbstractAuthenticationTargetUrlRequestHandler base class logic.
A MessageMatcher that matches if the provided Message has a type that is the same as the SimpMessageType that was specified in the constructor.
An implementation of AuthorizationEventPublisher that uses Spring's event publishing support.
Simple implementation of AclCache that delegates to Cache implementation.
Caches tickets using a Spring IoC defined Cache.
Caches UserDetails instances in a Spring defined Cache.
A Spring implementation of OpaqueTokenIntrospector that verifies and introspects a token using the configured OAuth 2.0 Introspection Endpoint.
A Spring implementation of ReactiveOpaqueTokenIntrospector that verifies and introspects a token using the configured OAuth 2.0 Introspection Endpoint.
An AuthenticationSource to retrieve authentication information stored in Spring Security's SecurityContextHolder.
Internal class used for checking version compatibility in a deployed application.
Extension of Spring LDAP's LdapTemplate class which adds extra functionality required by Spring Security.
The default MessageSource used by Spring Security.
A ClaimAccessor for the "Standard Claims" that can be returned either in the UserInfo Response or the ID Token.
The names of the "Standard Claims" defined by the OpenID Connect Core 1.0 specification that can be returned either in the UserInfo Response or the ID Token.
Deprecated.
Digest based password encoding is not considered secure.
Caches CAS service tickets and CAS proxy tickets for stateless connections.
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
HeaderWriter implementation which writes the same Header instance.
Allows specifying HttpHeaders that should be written to the response.
 
A strict implementation of HttpFirewall that rejects any suspicious requests with a RequestRejectedException.
Writes the Strict-Transport-Security if the request is secure.
A generator for unique string keys.
Obtains the principal from a certificate using a regular expression match against the Subject (as returned by a call to X509Certificate.getSubjectDN()).
A JwtDecoder that lazily initializes another JwtDecoder
A ReactiveJwtDecoder that lazily initializes another ReactiveJwtDecoder
Allows subclasses to modify the GrantedAuthority list that will be assigned to the principal when they assume the identity of a different principal.
Switch User processing filter responsible for user context switching.
Custom GrantedAuthority used by SwitchUserFilter
Switch User processing filter responsible for user context switching.
internal configuration class for taglibs.
Represents the events on the methods of TestExecutionListener
An Authentication implementation that is designed for use whilst unit testing.
The TestSecurityContextHolder is very similar to SecurityContextHolder, but is necessary for testing.
 
Service interface for symmetric encryption of text strings.
Internal utility for escaping characters in HTML strings.
Handler for analyzing Throwable instances.
Interface for handlers extracting the cause out of a specific Throwable type.
A token issued by TokenService.
Identifies previously remembered users by a Base-64 encoded cookie.
 
Provides a mechanism to allocate and rebuild secure, randomised tokens.
A marker for Authentications that should never be stored across requests, for example a bearer token authentication
A SecurityContext that is annotated with @Transient and thus should never be stored across requests.
Deprecated.
 
Thrown if an Acl cannot perform an operation because it only loaded a subset of Sids and the caller has requested details for an unloaded Sid .
Deprecated.
Provides static methods for composing URLs.
Models core user information retrieved by a UserDetailsService.
Builds the user to be added.
Used by InMemoryUserDetailsManager to temporarily store the attributes associated with a user.
Property editor that creates a UserAttribute from a comma separated list of values.
Provides a cache of UserDetails objects.
Provides core user information.
Base class that allows access to the UserDetailsService for using as a default value with AuthenticationManagerBuilder.
This implementation for AuthenticationUserDetailsService wraps a regular Spring Security UserDetailsService implementation, to retrieve a UserDetails object based on the user name contained in an Authentication object.
Called by classes which make use of a UserDetailsService to check the status of the loaded UserDetails object.
Operations to map a UserDetails object to and from a Spring LDAP DirContextOperations implementation.
An extension of the UserDetailsService which provides the ability to create new users and update existing ones.
Base class for populating an AuthenticationManagerBuilder with a UserDetailsManager.
Constructs an InMemoryUserDetailsManager from a resource using UserDetailsResourceFactoryBean.
Creates a Collection<UserDetails> from a @{code Map} in the format of
An API for changing a UserDetails password.
A ReactiveAuthenticationManager that uses a ReactiveUserDetailsService to validate the provided username and password.
Parses a Resource that is a Properties file in the format of: username=password[,enabled|disabled],roles...
Core interface which loads user-specific data.
Allows configuring a UserDetailsService within a AuthenticationManagerBuilder.
Bean used to lookup a named UserDetailsService or AuthenticationUserDetailsService.
Simple LdapAuthoritiesPopulator which delegates to a UserDetailsService, using the name which was supplied at login as the username.
Thrown if an UserDetailsService implementation cannot locate a User by its username.
Processes an authentication form submission.
An Authentication implementation that is designed for simple presentation of a username and password.
Represents a username and password that have been encoded into a Payload.metadata().
 
UTF-8 Charset encoder/decoder.
Well-known keys which are used to store Spring Security information in request or session scope.
A holder of selected HTTP details related to a web authentication request.
Implementation of AuthenticationDetailsSource which builds the details object from an HttpServletRequest object, creating a WebAuthenticationDetails .
An implementation of a ReactiveOAuth2AccessTokenResponseClient that "exchanges" an authorization code credential for an access token credential at the Authorization Server's Token Endpoint.
An implementation of a ReactiveOAuth2AccessTokenResponseClient that "exchanges" a client credential for an access token credential at the Authorization Server's Token Endpoint.
The default implementation of an ReactiveOAuth2AccessTokenResponseClient for the jwt-bearer grant.
Deprecated.
The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant.
An implementation of a ReactiveOAuth2AccessTokenResponseClient for the refresh_token grant.
An expression-based AuthorizationManager that determines the access by evaluating the provided expression.
Deprecated.
Used to delegate to a List of SecurityWebFilterChain instances.
A WebFilterChainProxy.WebFilterChainDecorator that uses the DefaultWebFilterChain
A strategy for decorating the provided filter chain with one that accounts for the SecurityFilterChain for a given request.
Success handler that continues the filter chain after authentication success.
A composite of the ServerWebExchange and the WebFilterChain.
Allows users to determine whether they have privileges for a given web URI.
Jackson module for spring-security-web.
Deprecated.
This is applied internally using SpringWebMvcImportSelector
The WebSecurity is created by WebSecurityConfiguration to create the FilterChainProxy known as the Spring Security Filter Chain (springSecurityFilterChain).
Uses a WebSecurity to create the FilterChainProxy that performs the web based security for Spring Security.
WebSecurityConfigurer<T extends SecurityBuilder<jakarta.servlet.Filter>>
Allows customization to the WebSecurity.
Callback interface for customizing WebSecurity.
 
Jackson module for spring-security-web-flux.
Jackson module for spring-security-web related to servlet.
An implementation of an ServerAuthorizationRequestRepository that stores OAuth2AuthorizationRequest in the WebSession.
A ServerCsrfTokenRepository that stores the CsrfToken in the HttpSession.
A ServerLogoutHandler which invalidates the active WebSession.
An implementation of an OAuth2AuthorizedClientRepository that stores OAuth2AuthorizedClient's in the HttpSession.
An implementation of ServerRequestCache that saves the ServerHttpRequest in the WebSession.
Stores the SecurityContext in the WebSession.
Parses Spring Security's websocket namespace support.
This AbstractPreAuthenticatedProcessingFilter implementation is based on WebSphere authentication.
This AuthenticationDetailsSource implementation will set the pre-authenticated granted authorities based on the WebSphere groups for the current WebSphere user, mapped using the configured Attributes2GrantedAuthoritiesMapper.
A utility class for testing spring security
This MappableAttributesRetriever implementation reads the list of defined J2EE roles from a web.xml file and returns these from { WebXmlMappableAttributesRetriever.getMappableAttributes().
The bean definition parser for a Well-Known URL for Changing Passwords.
Deprecated.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers.
When used with WithSecurityContextTestExecutionListener this annotation can be added to a test method to emulate running with an anonymous user.
When used with WithSecurityContextTestExecutionListener this annotation can be added to a test method to emulate running with a mocked user.
An annotation to determine what SecurityContext to use.
An API that works with WithUserTestExcecutionListener for creating a SecurityContext that is populated in the TestSecurityContextHolder.
A TestExecutionListener that will find annotations that are annotated with WithSecurityContext on a test method or at the class level.
When used with WithSecurityContextTestExecutionListener this annotation can be added to a test method to emulate running with a UserDetails returned from the UserDetailsService.
 
Adds X509 based pre authentication to an application.
Obtains the principal from an X509Certificate for use within the framework.
A StaticHeadersWriter that inserts headers to prevent content sniffing.
Adds X-Content-Type-Options: nosniff
HeaderWriter implementation for the X-Frame-Options headers.
The possible values for the X-Frame-Options header.
ServerHttpHeadersWriter implementation for the X-Frame-Options headers.
The X-Frame-Options values.
ChannelInterceptor that validates a CSRF token masked by the XorCsrfTokenRequestAttributeHandler in the header of any SimpMessageType.CONNECT message.
An implementation of the CsrfTokenRequestHandler interface that is capable of masking the value of the CsrfToken on each request and resolving the raw token value from the masked value as either a header or parameter value of the request.
An implementation of the ServerCsrfTokenRequestAttributeHandler and ServerCsrfTokenRequestResolver interfaces that is capable of masking the value of the CsrfToken on each request and resolving the raw token value from the masked value as either a form data value or header of the request.
The value of the x-xss-protection header.
Add the x-xss-protection header.
The value of the x-xss-protection header.