Merge branch 'spring-projects:main' into patch-1

Author: joaquinjsb

.github/workflows/codeql.yml

@@ -1,80 +1,13 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
 name: "CodeQL Advanced"
 
 on:
-  push: # run if we update the workflow
+  push:
+  pull_request:
   workflow_dispatch:
   schedule:
-    - cron: '39 13 * * 4'
+    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#schedule
+    - cron: '0 5 * * *'
 
 jobs:
-  analyze:
-    name: Analyze (${{ matrix.language }})
-    # Runner size impacts CodeQL analysis time. To learn more, please see:
-    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
-    #   - https://gh.io/supported-runners-and-hardware-resources
-    #   - https://gh.io/using-larger-runners (github.com only)
-    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
-    runs-on: ubuntu-latest
-    permissions:
-      # required for all workflows
-      security-events: write
-
-      # required to fetch internal or private CodeQL packs
-      packages: read
-
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - language: actions
-            build-mode: none
-        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
-        # Use `c-cpp` to analyze code written in C, C++ or both
-        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
-        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
-        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
-        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      # Add any setup steps before running the `github/codeql-action/init` action.
-      # This includes steps like installing compilers or runtimes (`actions/setup-node`
-      # or others). This is typically only required for manual builds.
-      # - name: Setup runtime (example)
-      #   uses: actions/setup-example@v1
-
-      # Initializes the CodeQL tools for scanning.
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: ${{ matrix.language }}
-          build-mode: ${{ matrix.build-mode }}
-          # If you wish to specify custom queries, you can do so here or in a config file.
-          # By default, queries listed here will override any specified in a config file.
-          # Prefix the list here with "+" to use these queries and those in the config file.
-
-          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-          queries: security-extended,security-and-quality
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-        with:
-          category: "/language:${{matrix.language}}"
+  codeql-analysis-call:
+    uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@1

aspects/src/test/java/org/springframework/security/authorization/method/aspectj/PreAuthorizeAspectTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -144,7 +144,7 @@ private void privateMethod() {
 		protected void protectedMethod() {
 		}
 
-		@PreAuthorize("hasRole('X')")
+		@PreAuthorize("hasRole('A')")
 		void publicCallsPrivate() {
 			privateMethod();
 		}

config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelLogoutWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,12 +18,12 @@
 
 import java.util.Collections;
 
-import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import reactor.core.publisher.Mono;
 
 import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.codec.EncoderHttpMessageWriter;
 import org.springframework.http.codec.HttpMessageWriter;
@@ -47,6 +47,7 @@
  * A filter for the Client-side OIDC Back-Channel Logout endpoint
  *
  * @author Josh Cummings
+ * @author Andrey Litvitski
  * @since 6.2
  * @see <a target="_blank" href=
  * "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
@@ -108,7 +109,7 @@ public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
 
 	private Mono<Void> handleAuthenticationFailure(ServerWebExchange exchange, Exception ex) {
 		this.logger.debug("Failed to process OIDC Back-Channel Logout", ex);
-		exchange.getResponse().setRawStatusCode(HttpServletResponse.SC_BAD_REQUEST);
+		exchange.getResponse().setRawStatusCode(HttpStatus.BAD_REQUEST.value());
 		return this.errorHttpMessageConverter.write(Mono.just(oauth2Error(ex)), ResolvableType.forClass(Object.class),
 				ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, exchange.getRequest(),
 				exchange.getResponse(), Collections.emptyMap());

config/src/main/java/org/springframework/security/config/web/server/OidcBackChannelServerLogoutHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,13 +22,13 @@
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicInteger;
 
-import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import reactor.core.publisher.Mono;
 
 import org.springframework.core.ResolvableType;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.codec.EncoderHttpMessageWriter;
@@ -54,7 +54,8 @@
  * Back-Channel Logout Token and invalidates each one.
  *
  * @author Josh Cummings
- * @since 6.4
+ * @author Andrey Litvitski
+ * @since 6.2
  * @see <a target="_blank" href=
  * "https://openid.net/specs/openid-connect-backchannel-1_0.html">OIDC Back-Channel Logout
  * Spec</a>
@@ -170,7 +171,7 @@ private OAuth2Error oauth2Error(Collection<?> errors) {
 	}
 
 	private Mono<Void> handleLogoutFailure(ServerWebExchange exchange, OAuth2Error error) {
-		exchange.getResponse().setRawStatusCode(HttpServletResponse.SC_BAD_REQUEST);
+		exchange.getResponse().setRawStatusCode(HttpStatus.BAD_REQUEST.value());
 		return this.errorHttpMessageConverter.write(Mono.just(error), ResolvableType.forClass(Object.class),
 				ResolvableType.forClass(Object.class), MediaType.APPLICATION_JSON, exchange.getRequest(),
 				exchange.getResponse(), Collections.emptyMap());

core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -267,7 +267,7 @@ private List<MergedAnnotation<A>> findDirectAnnotations(AnnotatedElement element
 
 	private static Method findMethod(Method method, Class<?> targetClass) {
 		for (Method candidate : targetClass.getDeclaredMethods()) {
-			if (candidate == method) {
+			if (candidate.equals(method)) {
 				return candidate;
 			}
 			if (isOverride(method, candidate)) {

docs/modules/ROOT/pages/servlet/authentication/session-management.adoc

@@ -589,6 +589,13 @@ public class MaximumSessionsPreventLoginTests {
 If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
 You can try it using the {gh-samples-url}/servlet/spring-boot/java/session-management/maximum-sessions-prevent-login[Maximum Sessions Prevent Login sample].
 
+[NOTE]
+=====
+If you are using a custom implementation of `UserDetails`, ensure you override the **equals()** and **hashCode()** methods.
+The default `SessionRegistry` implementation in Spring Security relies on an in-memory Map that uses these methods to correctly identify and manage user sessions.
+Failing to override them may lead to issues where session tracking and user comparison behave unexpectedly.
+=====
+
 == Detecting Timeouts
 
 Sessions expire on their own, and there is nothing that needs to be done to ensure that a security context gets removed.

gradle.properties

@@ -13,8 +13,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+<<<<<<< HEAD
 springBootVersion=4.0.0-SNAPSHOT
 version=7.0.0-SNAPSHOT
+=======
+springBootVersion=3.3.3
+<<<<<<< HEAD
+version=6.5.1-SNAPSHOT
+=======
+version=6.4.7-SNAPSHOT
+>>>>>>> origin/6.4.x
+>>>>>>> 6.5.x
 samplesBranch=main
 org.gradle.jvmargs=-Xmx3g -XX:+HeapDumpOnOutOfMemoryError
 org.gradle.parallel=true

gradle/libs.versions.toml

@@ -1,7 +1,7 @@
 [versions]
 com-squareup-okhttp3 = "3.14.9"
 io-rsocket = "1.1.5"
-io-spring-javaformat = "0.0.43"
+io-spring-javaformat = "0.0.45"
 io-spring-nohttp = "0.0.11"
 jakarta-websocket = "2.2.0"
 org-apache-directory-server = "1.5.5"
@@ -71,7 +71,7 @@ org-bouncycastle-bcprov-jdk15on = { module = "org.bouncycastle:bcprov-jdk18on",
 org-eclipse-jetty-jetty-server = { module = "org.eclipse.jetty:jetty-server", version.ref = "org-eclipse-jetty" }
 org-eclipse-jetty-jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet", version.ref = "org-eclipse-jetty" }
 org-hamcrest = "org.hamcrest:hamcrest:2.2"
-org-hibernate-orm-hibernate-core = "org.hibernate.orm:hibernate-core:7.0.0.CR2"
+org-hibernate-orm-hibernate-core = "org.hibernate.orm:hibernate-core:7.0.0.Final"
 org-hsqldb = "org.hsqldb:hsqldb:2.7.4"
 org-jetbrains-kotlin-kotlin-bom = { module = "org.jetbrains.kotlin:kotlin-bom", version.ref = "org-jetbrains-kotlin" }
 org-jetbrains-kotlin-kotlin-gradle-plugin = "org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.25"

web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -79,6 +79,10 @@
  * raised by the <tt>AuthenticationManager</tt> will the be re-thrown. Note that this will
  * not affect cases where the principal returned by {@link #getPreAuthenticatedPrincipal}
  * is null, when the chain will still proceed as normal.
+ * <p>
+ * The filter saves the {@link SecurityContext} using the configured
+ * {@link SecurityContextRepository}, which can be set via
+ * {@link #setSecurityContextRepository}.
  *
  * @author Luke Taylor
  * @author Ruud Senden
@@ -253,8 +257,8 @@ public void setApplicationEventPublisher(ApplicationEventPublisher anApplication
 
 	/**
 	 * Sets the {@link SecurityContextRepository} to save the {@link SecurityContext} on
-	 * authentication success. The default action is not to save the
-	 * {@link SecurityContext}.
+	 * authentication success. The default action is to save the {@link SecurityContext}
+	 * in {@link HttpSession} using {@link HttpSessionSecurityContextRepository}.
 	 * @param securityContextRepository the {@link SecurityContextRepository} to use.
 	 * Cannot be null.
 	 */