Merge branch 'main' of https://github.com/ngocnhan-tran1996/spring-security into gh-16431

Author: ngocnhan-tran1996

.github/workflows/check-snapshots.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  schedule:
+    - cron: '0 10 * * *' # Once per day at 10am UTC
+  workflow_dispatch: # Manual trigger
+
+env:
+  DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+
+permissions:
+  contents: read
+
+jobs:
+  snapshot-test:
+    name: Test Against Snapshots
+    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
+    strategy:
+      matrix:
+        include:
+          - java-version: 21-ea
+            toolchain: 21
+          - java-version: 17
+            toolchain: 17
+    with:
+      java-version: ${{ matrix.java-version }}
+      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
+    secrets: inherit
+  send-notification:
+    name: Send Notification
+    needs: [ snapshot-test ]
+    if: ${{ !success() }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send Notification
+        uses: spring-io/spring-security-release-tools/.github/actions/send-notification@v1
+        with:
+          webhook-url: ${{ secrets.SPRING_SECURITY_CI_GCHAT_WEBHOOK_URL }}

.github/workflows/continuous-integration-workflow.yml

@@ -27,37 +27,24 @@ jobs:
       java-version: ${{ matrix.jdk }}
       distribution: temurin
     secrets: inherit
-  test:
-    name: Test Against Snapshots
-    uses: spring-io/spring-security-release-tools/.github/workflows/test.yml@v1
-    strategy:
-      matrix:
-        include:
-          - java-version: 21-ea
-            toolchain: 21
-          - java-version: 17
-            toolchain: 17
-    with:
-      java-version: ${{ matrix.java-version }}
-      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot,https://oss.sonatype.org/content/repositories/snapshots -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=7.+ -PreactorVersion=2025.+ -PspringDataVersion=2025.+ --stacktrace
-    secrets: inherit
   deploy-artifacts:
     name: Deploy Artifacts
-    needs: [ build, test]
+    needs: [ build]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-artifacts.yml@v1
     with:
       should-deploy-artifacts: ${{ needs.build.outputs.should-deploy-artifacts }}
+      default-publish-milestones-central: true
     secrets: inherit
   deploy-docs:
     name: Deploy Docs
-    needs: [ build, test ]
+    needs: [ build ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-docs.yml@v1
     with:
       should-deploy-docs: ${{ needs.build.outputs.should-deploy-artifacts }}
     secrets: inherit
   deploy-schema:
     name: Deploy Schema
-    needs: [ build, test ]
+    needs: [ build ]
     uses: spring-io/spring-security-release-tools/.github/workflows/deploy-schema.yml@v1
     with:
       should-deploy-schema: ${{ needs.build.outputs.should-deploy-artifacts }}
@@ -69,7 +56,7 @@ jobs:
     with:
       should-perform-release: ${{ needs.deploy-artifacts.outputs.artifacts-deployed }}
       project-version: ${{ needs.deploy-artifacts.outputs.project-version }}
-      milestone-repo-url: https://repo.spring.io/artifactory/milestone
+      milestone-repo-url: https://repo1.maven.org/maven2
       release-repo-url: https://repo1.maven.org/maven2
       artifact-path: org/springframework/security/spring-security-core
       slack-announcing-id: spring-security-announcing

buildSrc/build.gradle

@@ -64,6 +64,7 @@ configurations {
 dependencies {
 	implementation platform(libs.io.projectreactor.reactor.bom)
 
+	implementation libs.spring.nullability
 	implementation libs.com.google.code.gson.gson
 	implementation libs.com.thaiopensource.trag
 	implementation libs.net.sourceforge.saxon.saxon

buildSrc/src/main/groovy/security-nullability.gradle

@@ -0,0 +1,3 @@
+plugins {
+    id 'io.spring.nullability'
+}

config/spring-security-config.gradle

@@ -31,6 +31,7 @@ dependencies {
 	optional project(':spring-security-oauth2-resource-server')
 	optional project(':spring-security-rsocket')
 	optional project(':spring-security-web')
+	optional project(':spring-security-webauthn')
 	optional 'io.projectreactor:reactor-core'
 	optional 'org.aspectj:aspectjweaver'
 	optional 'org.springframework:spring-jdbc'
@@ -43,7 +44,6 @@ dependencies {
 	optional 'org.jetbrains.kotlin:kotlin-reflect'
 	optional 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
 	optional 'jakarta.annotation:jakarta.annotation-api'
-	optional libs.webauthn4j.core
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 
@@ -57,6 +57,7 @@ dependencies {
 	testImplementation project(':spring-security-saml2-service-provider')
 	testImplementation project(path : ':spring-security-saml2-service-provider', configuration : 'tests')
 	testImplementation project(path : ':spring-security-web', configuration : 'tests')
+	testImplementation project(path : ':spring-security-webauthn', configuration : 'tests')
 	testImplementation "jakarta.inject:jakarta.inject-api"
 	testImplementation "org.assertj:assertj-core"
 	testImplementation "org.junit.jupiter:junit-jupiter-api"

config/src/main/java/org/springframework/security/config/annotation/AbstractConfiguredSecurityBuilder.java

@@ -50,6 +50,7 @@
  * @param <O> The object that this builder returns
  * @param <B> The type of this builder (that is returned by the base class)
  * @author Rob Winch
+ * @author DingHao
  * @see WebSecurity
  */
 public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBuilder<O>>
@@ -59,7 +60,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
 
 	private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<>();
 
-	private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<>();
+	private List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<>();
 
 	private final Map<Class<?>, Object> sharedObjects = new HashMap<>();
 
@@ -369,8 +370,12 @@ private void init() throws Exception {
 		for (SecurityConfigurer<O, B> configurer : configurers) {
 			configurer.init((B) this);
 		}
-		for (SecurityConfigurer<O, B> configurer : this.configurersAddedInInitializing) {
-			configurer.init((B) this);
+		while (!this.configurersAddedInInitializing.isEmpty()) {
+			List<SecurityConfigurer<O, B>> toInit = this.configurersAddedInInitializing;
+			this.configurersAddedInInitializing = new ArrayList<>();
+			for (SecurityConfigurer<O, B> configurer : toInit) {
+				configurer.init((B) this);
+			}
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyDataConfiguration.java

@@ -49,7 +49,7 @@ DataTargetVisitor dataTargetVisitor() {
 		return new DataTargetVisitor();
 	}
 
-	private static final class DataTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
+	static final class DataTargetVisitor implements AuthorizationAdvisorProxyFactory.TargetVisitor, Ordered {
 
 		private static final int DEFAULT_ORDER = 200;
 

config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecuritySelector.java

@@ -38,9 +38,6 @@ class ReactiveMethodSecuritySelector implements ImportSelector {
 	private static final boolean isDataPresent = ClassUtils
 		.isPresent("org.springframework.security.data.aot.hint.AuthorizeReturnObjectDataHintsRegistrar", null);
 
-	private static final boolean isWebPresent = ClassUtils.isPresent("org.springframework.web.server.ServerWebExchange",
-			null);
-
 	private static final boolean isObservabilityPresent = ClassUtils
 		.isPresent("io.micrometer.observation.ObservationRegistry", null);
 
@@ -64,9 +61,6 @@ public String[] selectImports(AnnotationMetadata importMetadata) {
 		if (isDataPresent) {
 			imports.add(AuthorizationProxyDataConfiguration.class.getName());
 		}
-		if (isWebPresent) {
-			imports.add(AuthorizationProxyWebConfiguration.class.getName());
-		}
 		if (isObservabilityPresent) {
 			imports.add(ReactiveMethodObservationConfiguration.class.getName());
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -180,6 +180,8 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 
 	private OAuth2AuthorizedClientRepository authorizedClientRepository;
 
+	private SecurityContextRepository securityContextRepository;
+
 	/**
 	 * Sets the repository of client registrations.
 	 * @param clientRegistrationRepository the repository of client registrations
@@ -233,6 +235,17 @@ public OAuth2LoginConfigurer<B> loginProcessingUrl(String loginProcessingUrl) {
 		return this;
 	}
 
+	/**
+	 * Sets the {@link SecurityContextRepository} to use.
+	 * @param securityContextRepository the {@link SecurityContextRepository} to use
+	 * @return the {@link OAuth2LoginConfigurer} for further configuration
+	 */
+	@Override
+	public OAuth2LoginConfigurer<B> securityContextRepository(SecurityContextRepository securityContextRepository) {
+		this.securityContextRepository = securityContextRepository;
+		return this;
+	}
+
 	/**
 	 * Sets the registry for managing the OIDC client-provider session link
 	 * @param oidcSessionRegistry the {@link OidcSessionRegistry} to use
@@ -299,6 +312,9 @@ public void init(B http) throws Exception {
 		RequestMatcher processUri = getRequestMatcherBuilder().matcher(this.loginProcessingUrl);
 		authenticationFilter.setRequiresAuthenticationRequestMatcher(processUri);
 		authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
+		if (this.securityContextRepository != null) {
+			authenticationFilter.setSecurityContextRepository(this.securityContextRepository);
+		}
 		this.setAuthenticationFilter(authenticationFilter);
 		super.loginProcessingUrl(this.loginProcessingUrl);
 		if (this.loginPage != null) {

config/src/main/java/org/springframework/security/config/web/PathPatternRequestMatcherBuilderFactoryBean.java

@@ -46,6 +46,8 @@ public final class PathPatternRequestMatcherBuilderFactoryBean implements
 
 	private final PathPatternParser parser;
 
+	private String basePath;
+
 	private ApplicationContext context;
 
 	private String beanName;
@@ -78,23 +80,43 @@ public PathPatternRequestMatcherBuilderFactoryBean(PathPatternParser parser) {
 	public PathPatternRequestMatcher.Builder getObject() throws Exception {
 		if (!this.context.containsBean(MVC_PATTERN_PARSER_BEAN_NAME)) {
 			PathPatternParser parser = (this.parser != null) ? this.parser : PathPatternParser.defaultInstance;
-			return PathPatternRequestMatcher.withPathPatternParser(parser);
+			return withPathPatternParser(parser);
 		}
 		PathPatternParser mvc = this.context.getBean(MVC_PATTERN_PARSER_BEAN_NAME, PathPatternParser.class);
 		PathPatternParser parser = (this.parser != null) ? this.parser : mvc;
 		if (mvc.equals(parser)) {
-			return PathPatternRequestMatcher.withPathPatternParser(parser);
+			return withPathPatternParser(parser);
 		}
 		throw new IllegalArgumentException("Spring Security and Spring MVC must use the same path pattern parser. "
 				+ "To have Spring Security use Spring MVC's [" + describe(mvc, MVC_PATTERN_PARSER_BEAN_NAME)
 				+ "] simply publish this bean [" + describe(this, this.beanName) + "] using its default constructor");
 	}
 
+	private PathPatternRequestMatcher.Builder withPathPatternParser(PathPatternParser parser) {
+		if (this.basePath == null) {
+			return PathPatternRequestMatcher.withPathPatternParser(parser);
+		}
+		else {
+			return PathPatternRequestMatcher.withPathPatternParser(parser).basePath(this.basePath);
+		}
+	}
+
 	@Override
 	public Class<?> getObjectType() {
 		return PathPatternRequestMatcher.Builder.class;
 	}
 
+	/**
+	 * Use this as the base path for patterns built by the resulting
+	 * {@link PathPatternRequestMatcher.Builder} instance
+	 * @param basePath the base path to use
+	 * @since 7.0
+	 * @see PathPatternRequestMatcher.Builder#basePath(String)
+	 */
+	public void setBasePath(String basePath) {
+		this.basePath = basePath;
+	}
+
 	@Override
 	public void setApplicationContext(ApplicationContext context) throws BeansException {
 		this.context = context;