Merge branch 'spring-projects:main' into main

Author: leshalv

CONTRIBUTING.adoc

@@ -89,41 +89,30 @@ We are excited for your pull request! :heart:
 Please do your best to follow these steps.
 Don't worry if you don't get them all correct the first time, we will help you.
 
-[[sign-cla]]
-1. All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin.
+1. [[sign-cla]] All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin.
 For additional details, please refer to the blog post https://spring.io/blog/2025/01/06/hello-dco-goodbye-cla-simplifying-contributions-to-spring[Hello DCO, Goodbye CLA: Simplifying Contributions to Spring].
-[[create-an-issue]]
-1. Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
+2. [[create-an-issue-list]] Must you https://github.com/spring-projects/spring-security/issues/new/choose[create an issue] first? No, but it is recommended for features and larger bug fixes. It's easier discuss with the team first to determine the right fix or enhancement.
 For typos and straightforward bug fixes, starting with a pull request is encouraged.
 Please include a description for context and motivation.
 Note that the team may close your pull request if it's not a fit for the project.
-[[choose-a-branch]]
-1. Always check out the branch indicated in the milestone and submit pull requests against it (for example, for milestone `5.8.3` use the `5.8.x` branch).
+3. [[choose-a-branch]] Always check out the branch indicated in the milestone and submit pull requests against it (for example, for milestone `5.8.3` use the `5.8.x` branch).
 If there is no milestone, choose `main`.
 Once merged, the fix will be forwarded-ported to applicable branches including `main`.
-[[create-a-local-branch]]
-1. Create a local branch
+4. [[create-a-local-branch]] Create a local branch
 If this is for an issue, consider a branch name with the issue number, like `gh-22276`.
-[[write-tests]]
-1. Add documentation and JUnit Tests for your changes.
-[[update-copyright]]
-1. In all files you edited, if the copyright header is of the form 2002-20xx, update the final copyright year to the current year.
-[[add-since]]
-1. If on `main`, add `@since` JavaDoc attributes to new public APIs that your PR adds
-[[change-rnc]]
-1. If you are updating the XSD, please instead update the RNC file and then run `./gradlew :spring-security-config:rncToXsd`.
-[[format-code]]
-1. For each commit, build the code using `./gradlew format check`.
+5. [[write-tests]] Add documentation and JUnit Tests for your changes.
+6. [[update-copyright]] In all files you edited, if the copyright header is of the form 2002-20xx, update the final copyright year to the current year.
+7. [[add-since]] If on `main`, add `@since` JavaDoc attributes to new public APIs that your PR adds
+8. [[change-rnc]] If you are updating the XSD, please instead update the RNC file and then run `./gradlew :spring-security-config:rncToXsd`.
+9. [[format-code]] For each commit, build the code using `./gradlew format check`.
 This command ensures the code meets most of <<code-style,the style guide>>; a notable exception is import order.
-[[commit-atomically]]
-1. Choose the granularity of your commits consciously and squash commits that represent
+10. [[commit-atomically]] Choose the granularity of your commits consciously and squash commits that represent
 multiple edits or corrections of the same logical change.
 See https://git-scm.com/book/en/Git-Tools-Rewriting-History[Rewriting History section of Pro Git] for an overview of streamlining the commit history.
-[[format-commit-messages]]
-1. Format commit messages using 55 characters for the subject line, 72 characters per line
+11. [[format-commit-messages]] Format commit messages using 55 characters for the subject line, 72 characters per line
 for the description, followed by the issue fixed, for example, `Closes gh-22276`.
 See the https://git-scm.com/book/en/Distributed-Git-Contributing-to-a-Project#Commit-Guidelines[Commit Guidelines section of Pro Git] for best practices around commit messages, and use `git log` to see some examples.
-Present tense is preferred.
+Favor imperative tense over present tense (use "Fix" instead of "Fixes"); avoid past tense (use "Fix" instead of "Fixed").
 +
 [indent=0]
 ----

config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.security.web.authentication.ott.GenerateOneTimeTokenFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
@@ -101,6 +102,7 @@ final class FilterOrderRegistration {
 				"org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter",
 				order.next());
 		put(UsernamePasswordAuthenticationFilter.class, order.next());
+		put(OneTimeTokenAuthenticationFilter.class, order.next());
 		order.next(); // gh-8105
 		put(DefaultResourcesFilter.class, order.next());
 		put(DefaultLoginPageGeneratingFilter.class, order.next());

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -57,8 +57,10 @@
 public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<AuthorizeHttpRequestsConfigurer<H>, H> {
 
-	static final AuthorizationManager<RequestAuthorizationContext> permitAllAuthorizationManager = (a,
-			o) -> new AuthorizationDecision(true);
+	static final AuthorizationDecision AUTHORIZATION_DECISION = new AuthorizationDecision(true);
+
+	static final AuthorizationManager<RequestAuthorizationContext> PERMIT_ALL_AUTHORIZATION_MANAGER = (a,
+			o) -> AUTHORIZATION_DECISION;
 
 	private final AuthorizationManagerRequestMatcherRegistry registry;
 
@@ -287,7 +289,7 @@ public AuthorizedUrl not() {
 		 * customizations
 		 */
 		public AuthorizationManagerRequestMatcherRegistry permitAll() {
-			return access(permitAllAuthorizationManager);
+			return access(PERMIT_ALL_AUTHORIZATION_MANAGER);
 		}
 
 		/**

config/src/main/java/org/springframework/security/config/annotation/web/configurers/PermitAllSupport.java

@@ -63,7 +63,7 @@ static void permitAll(HttpSecurityBuilder<? extends HttpSecurityBuilder<?>> http
 								SecurityConfig.createList(ExpressionUrlAuthorizationConfigurer.permitAll)));
 				}
 				else {
-					httpConfigurer.addFirst(matcher, AuthorizeHttpRequestsConfigurer.permitAllAuthorizationManager);
+					httpConfigurer.addFirst(matcher, AuthorizeHttpRequestsConfigurer.PERMIT_ALL_AUTHORIZATION_MANAGER);
 				}
 			}
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/DPoPAuthenticationConfigurer.java

@@ -0,0 +1,164 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configurers.oauth2.server.resource;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationProvider;
+import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationToken;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.AuthenticationFilter;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.CollectionUtils;
+import org.springframework.util.StringUtils;
+
+/**
+ * @author Joe Grandja
+ * @since 6.5
+ * @see DPoPAuthenticationProvider
+ */
+final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>>
+		extends AbstractHttpConfigurer<DPoPAuthenticationConfigurer<B>, B> {
+
+	private RequestMatcher requestMatcher;
+
+	private AuthenticationConverter authenticationConverter;
+
+	private AuthenticationSuccessHandler authenticationSuccessHandler;
+
+	private AuthenticationFailureHandler authenticationFailureHandler;
+
+	@Override
+	public void configure(B http) {
+		AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
+		http.authenticationProvider(new DPoPAuthenticationProvider(authenticationManager));
+		AuthenticationFilter authenticationFilter = new AuthenticationFilter(authenticationManager,
+				getAuthenticationConverter());
+		authenticationFilter.setRequestMatcher(getRequestMatcher());
+		authenticationFilter.setSuccessHandler(getAuthenticationSuccessHandler());
+		authenticationFilter.setFailureHandler(getAuthenticationFailureHandler());
+		authenticationFilter.setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
+		authenticationFilter = postProcess(authenticationFilter);
+		http.addFilter(authenticationFilter);
+	}
+
+	private RequestMatcher getRequestMatcher() {
+		if (this.requestMatcher == null) {
+			this.requestMatcher = new DPoPRequestMatcher();
+		}
+		return this.requestMatcher;
+	}
+
+	private AuthenticationConverter getAuthenticationConverter() {
+		if (this.authenticationConverter == null) {
+			this.authenticationConverter = new DPoPAuthenticationConverter();
+		}
+		return this.authenticationConverter;
+	}
+
+	private AuthenticationSuccessHandler getAuthenticationSuccessHandler() {
+		if (this.authenticationSuccessHandler == null) {
+			this.authenticationSuccessHandler = (request, response, authentication) -> {
+				// No-op - will continue on filter chain
+			};
+		}
+		return this.authenticationSuccessHandler;
+	}
+
+	private AuthenticationFailureHandler getAuthenticationFailureHandler() {
+		if (this.authenticationFailureHandler == null) {
+			this.authenticationFailureHandler = new AuthenticationEntryPointFailureHandler(
+					new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+		}
+		return this.authenticationFailureHandler;
+	}
+
+	private static final class DPoPRequestMatcher implements RequestMatcher {
+
+		@Override
+		public boolean matches(HttpServletRequest request) {
+			String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
+			if (!StringUtils.hasText(authorization)) {
+				return false;
+			}
+			return StringUtils.startsWithIgnoreCase(authorization, OAuth2AccessToken.TokenType.DPOP.getValue());
+		}
+
+	}
+
+	private static final class DPoPAuthenticationConverter implements AuthenticationConverter {
+
+		private static final Pattern AUTHORIZATION_PATTERN = Pattern.compile("^DPoP (?<token>[a-zA-Z0-9-._~+/]+=*)$",
+				Pattern.CASE_INSENSITIVE);
+
+		@Override
+		public Authentication convert(HttpServletRequest request) {
+			List<String> authorizationList = Collections.list(request.getHeaders(HttpHeaders.AUTHORIZATION));
+			if (CollectionUtils.isEmpty(authorizationList)) {
+				return null;
+			}
+			if (authorizationList.size() != 1) {
+				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
+						"Found multiple Authorization headers.", null);
+				throw new OAuth2AuthenticationException(error);
+			}
+			String authorization = authorizationList.get(0);
+			if (!StringUtils.startsWithIgnoreCase(authorization, OAuth2AccessToken.TokenType.DPOP.getValue())) {
+				return null;
+			}
+			Matcher matcher = AUTHORIZATION_PATTERN.matcher(authorization);
+			if (!matcher.matches()) {
+				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN, "DPoP access token is malformed.",
+						null);
+				throw new OAuth2AuthenticationException(error);
+			}
+			String accessToken = matcher.group("token");
+			List<String> dPoPProofList = Collections
+				.list(request.getHeaders(OAuth2AccessToken.TokenType.DPOP.getValue()));
+			if (CollectionUtils.isEmpty(dPoPProofList) || dPoPProofList.size() != 1) {
+				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
+						"DPoP proof is missing or invalid.", null);
+				throw new OAuth2AuthenticationException(error);
+			}
+			String dPoPProof = dPoPProofList.get(0);
+			return new DPoPAuthenticationToken(accessToken, dPoPProof, request.getMethod(),
+					request.getRequestURL().toString());
+		}
+
+	}
+
+}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -152,6 +152,8 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	private final ApplicationContext context;
 
+	private final DPoPAuthenticationConfigurer<H> dPoPAuthenticationConfigurer = new DPoPAuthenticationConfigurer<>();
+
 	private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
 
 	private BearerTokenResolver bearerTokenResolver;
@@ -283,6 +285,7 @@ public void configure(H http) {
 		filter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		filter = postProcess(filter);
 		http.addFilter(filter);
+		this.dPoPAuthenticationConfigurer.configure(http);
 	}
 
 	private void validateConfiguration() {