Fix attribute name in http.adoc

.github/dependabot.template.yml

@@ -36,6 +36,5 @@ updates:
     schedule:
       interval: weekly
     ignore:
-      - dependency-name: "sjohnr/*"
       - dependency-name: "spring-io/*"
       - dependency-name: "spring-security-release-tools/*"

.github/dependabot.yml

@@ -5,32 +5,7 @@ registries:
     url: https://repo.spring.io/milestone
 updates:
   - package-ecosystem: gradle
-    target-branch: 5.8.x
-    directory: /
-    schedule:
-      interval: daily
-      time: '03:00'
-      timezone: Etc/UTC
-    labels:
-      - 'type: dependency-upgrade'
-    registries:
-      - spring-milestones
-    ignore:
-      - dependency-name: com.nimbusds:nimbus-jose-jwt
-      - dependency-name: org.python:jython
-      - dependency-name: org.apache.directory.server:*
-      - dependency-name: org.junit:junit-bom
-        update-types:
-          - version-update:semver-major
-      - dependency-name: org.mockito:mockito-bom
-        update-types:
-          - version-update:semver-major
-      - dependency-name: '*'
-        update-types:
-          - version-update:semver-major
-          - version-update:semver-minor
-  - package-ecosystem: gradle
-    target-branch: 6.2.x
+    target-branch: 6.3.x
     directory: /
     schedule:
       interval: daily
@@ -82,17 +57,15 @@ updates:
       - dependency-name: '*'
         update-types:
           - version-update:semver-major
-          - version-update:semver-minor
+
   - package-ecosystem: github-actions
-    target-branch: 5.8.x
+    target-branch: 6.3.x
     directory: /
     schedule:
       interval: weekly
     labels:
       - 'type: task'
       - 'in: build'
-    ignore:
-      - dependency-name: sjohnr/*
   - package-ecosystem: github-actions
     target-branch: main
     directory: /
@@ -101,8 +74,6 @@ updates:
     labels:
       - 'type: task'
       - 'in: build'
-    ignore:
-      - dependency-name: sjohnr/*
   - package-ecosystem: github-actions
     target-branch: docs-build
     directory: /
@@ -111,27 +82,29 @@ updates:
     labels:
       - 'type: task'
       - 'in: build'
-    ignore:
-      - dependency-name: sjohnr/*
 
   - package-ecosystem: npm
     target-branch: docs-build
     directory: /
     schedule:
       interval: weekly
+    labels:
+      - 'type: task'
+      - 'in: build'
 
   - package-ecosystem: npm
     target-branch: main
     directory: /docs
     schedule:
       interval: weekly
+    labels:
+      - 'type: task'
+      - 'in: build'
   - package-ecosystem: npm
-    target-branch: 6.2.x
-    directory: /docs
-    schedule:
-      interval: weekly
-  - package-ecosystem: npm
-    target-branch: 5.8.x
+    target-branch: 6.3.x
     directory: /docs
     schedule:
       interval: weekly
+    labels:
+      - 'type: task'
+      - 'in: build'

.github/workflows/continuous-integration-workflow.yml

@@ -39,7 +39,7 @@ jobs:
             toolchain: 17
     with:
       java-version: ${{ matrix.java-version }}
-      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=6.1.+ -PreactorVersion=2023.0.+ -PspringDataVersion=2023.1.+ --stacktrace
+      test-args: --refresh-dependencies -PforceMavenRepositories=snapshot -PisOverrideVersionCatalog -PtestToolchain=${{ matrix.toolchain }} -PspringFrameworkVersion=6.2.+ -PreactorVersion=2023.0.+ -PspringDataVersion=2024.0.+ --stacktrace
     secrets: inherit
   check-samples:
     name: Check Samples

.github/workflows/pr-build-workflow.yml

@@ -18,7 +18,7 @@ jobs:
           java-version: '17'
           distribution: 'temurin'
       - name: Build with Gradle
-        run: ./gradlew clean build -PskipCheckExpectedBranchVersion --continue
+        run: ./gradlew clean build -PskipCheckExpectedBranchVersion --continue --scan
   generate-docs:
     name: Generate Docs
     runs-on: ubuntu-latest

.github/workflows/release-scheduler.yml

@@ -11,7 +11,7 @@ jobs:
     strategy:
       matrix:
         # List of active maintenance branches.
-        branch: [ main, 6.2.x, 6.1.x, 5.8.x ]
+        branch: [ main, 6.3.x, 6.2.x, 5.8.x ]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

.github/workflows/update-antora-ui-spring.yml

@@ -0,0 +1,35 @@
+name: Update Antora UI Spring
+
+on:
+  schedule:
+    - cron: '0 10 * * *' # Once per day at 10am UTC
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  issues: write
+  contents: write
+
+jobs:
+  update-antora-ui-spring:
+    runs-on: ubuntu-latest
+    name: Update on Supported Branches
+    strategy:
+      matrix:
+        branch: [ '5.8.x', '6.2.x', '6.3.x', 'main' ]
+    steps:
+      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@852920ba3fb1f28b35a2f13201133bc00ef33677
+        name: Update
+        with:
+          docs-branch: ${{ matrix.branch }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          antora-file-path: 'docs/antora-playbook.yml'
+  update-antora-ui-spring-docs-build:
+    runs-on: ubuntu-latest
+    name: Update on docs-build
+    steps:
+      - uses: spring-io/spring-doc-actions/update-antora-spring-ui@852920ba3fb1f28b35a2f13201133bc00ef33677
+        name: Update
+        with:
+          docs-branch: 'docs-build'
+          token: ${{ secrets.GITHUB_TOKEN }}

README.adoc

@@ -18,9 +18,11 @@ Please see our https://github.com/spring-projects/.github/blob/main/CODE_OF_COND
 See https://docs.spring.io/spring-security/reference/getting-spring-security.html[Getting Spring Security] for how to obtain Spring Security.
 
 == Documentation
-Be sure to read the https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference].
+Be sure to read the https://docs.spring.io/spring-security/reference/[Spring Security Reference].
 Extensive JavaDoc for the Spring Security code is also available in the https://docs.spring.io/spring-security/site/docs/current/api/[Spring Security API Documentation].
 
+You may also want to check out https://docs.spring.io/spring-security/reference/whats-new.html[what's new in the latest release].
+
 == Quick Start
 See https://docs.spring.io/spring-security/reference/servlet/getting-started.html[Hello Spring Security] to get started with a "Hello, World" application.
 

acl/src/main/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImpl.java

@@ -17,10 +17,13 @@
 package org.springframework.security.acls.domain;
 
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.List;
 import java.util.Set;
 
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.acls.model.Sid;
 import org.springframework.security.acls.model.SidRetrievalStrategy;
@@ -59,6 +62,8 @@ public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
 
 	private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
 
+	private RoleHierarchy roleHierarchy = new NullRoleHierarchy();
+
 	/**
 	 * Constructor. The only mandatory parameter relates to the system-wide
 	 * {@link GrantedAuthority} instances that can be held to always permit ACL changes.
@@ -100,7 +105,9 @@ public void securityCheck(Acl acl, int changeType) {
 		}
 
 		// Iterate this principal's authorities to determine right
-		Set<String> authorities = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
+		Collection<? extends GrantedAuthority> reachableGrantedAuthorities = this.roleHierarchy
+			.getReachableGrantedAuthorities(authentication.getAuthorities());
+		Set<String> authorities = AuthorityUtils.authorityListToSet(reachableGrantedAuthorities);
 		if (acl.getOwner() instanceof GrantedAuthoritySid
 				&& authorities.contains(((GrantedAuthoritySid) acl.getOwner()).getGrantedAuthority())) {
 			return;
@@ -162,4 +169,14 @@ public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy secur
 		this.securityContextHolderStrategy = securityContextHolderStrategy;
 	}
 
+	/**
+	 * Sets the {@link RoleHierarchy} to use. The default is to use a
+	 * {@link NullRoleHierarchy}
+	 * @since 6.4
+	 */
+	public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
+		Assert.notNull(roleHierarchy, "roleHierarchy cannot be null");
+		this.roleHierarchy = roleHierarchy;
+	}
+
 }

acl/src/main/java/org/springframework/security/acls/domain/AclImpl.java

@@ -202,7 +202,7 @@ public boolean isGranted(List<Permission> permission, List<Sid> sids, boolean ad
 	public boolean isSidLoaded(List<Sid> sids) {
 		// If loadedSides is null, this indicates all SIDs were loaded
 		// Also return true if the caller didn't specify a SID to find
-		if ((this.loadedSids == null) || (sids == null) || (sids.size() == 0)) {
+		if ((this.loadedSids == null) || (sids == null) || sids.isEmpty()) {
 			return true;
 		}
 

acl/src/main/java/org/springframework/security/acls/domain/DefaultPermissionFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -140,7 +140,7 @@ public Permission buildFromName(String name) {
 
 	@Override
 	public List<Permission> buildFromNames(List<String> names) {
-		if ((names == null) || (names.size() == 0)) {
+		if ((names == null) || names.isEmpty()) {
 			return Collections.emptyList();
 		}
 		List<Permission> permissions = new ArrayList<>(names.size());

acl/src/test/java/org/springframework/security/acls/domain/AclAuthorizationStrategyImplTests.java

@@ -25,6 +25,7 @@
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
 import org.springframework.security.acls.model.Acl;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
@@ -34,6 +35,7 @@
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.context.SecurityContextImpl;
 
+import static org.assertj.core.api.Assertions.assertThatNoException;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.verify;
 
@@ -86,6 +88,15 @@ public void securityCheckWhenAclOwnedByGrantedAuthority() {
 		this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL);
 	}
 
+	@Test
+	public void securityCheckWhenRoleReachableByHierarchyThenAuthorized() {
+		given(this.acl.getOwner()).willReturn(new GrantedAuthoritySid("ROLE_AUTH_B"));
+		this.strategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_SYSTEM_ADMIN"));
+		this.strategy.setRoleHierarchy(RoleHierarchyImpl.fromHierarchy("ROLE_AUTH > ROLE_AUTH_B"));
+		assertThatNoException()
+			.isThrownBy(() -> this.strategy.securityCheck(this.acl, AclAuthorizationStrategy.CHANGE_GENERAL));
+	}
+
 	@Test
 	public void securityCheckWhenCustomSecurityContextHolderStrategyThenUses() {
 		given(this.securityContextHolderStrategy.getContext()).willReturn(this.context);

aspects/src/test/java/org/springframework/security/authorization/method/aspectj/PreAuthorizeAspectTests.java

@@ -47,6 +47,8 @@ public class PreAuthorizeAspectTests {
 
 	private PrePostSecured prePostSecured = new PrePostSecured();
 
+	private MultipleInterfaces multiple = new MultipleInterfaces();
+
 	@BeforeEach
 	public final void setUp() {
 		MockitoAnnotations.initMocks(this);
@@ -110,6 +112,12 @@ public void nestedDenyAllPreAuthorizeDeniesAccess() {
 			.isThrownBy(() -> this.secured.myObject().denyAllMethod());
 	}
 
+	@Test
+	public void multipleInterfacesPreAuthorizeAllows() {
+		// aspectj doesn't inherit annotations
+		this.multiple.securedMethod();
+	}
+
 	interface SecuredInterface {
 
 		@PreAuthorize("hasRole('X')")
@@ -177,4 +185,19 @@ void denyAllMethod() {
 
 	}
 
+	interface AnotherSecuredInterface {
+
+		@PreAuthorize("hasRole('Y')")
+		void securedMethod();
+
+	}
+
+	static class MultipleInterfaces implements SecuredInterface, AnotherSecuredInterface {
+
+		@Override
+		public void securedMethod() {
+		}
+
+	}
+
 }

build.gradle

@@ -105,10 +105,14 @@ develocity {
 }
 
 nohttp {
-	source.exclude "buildSrc/build/**"
+	source.exclude "buildSrc/build/**", "javascript/.gradle/**", "javascript/package-lock.json", "javascript/node_modules/**", "javascript/build/**", "javascript/dist/**"
 	source.builtBy(project(':spring-security-config').tasks.withType(RncToXsd))
 }
 
+tasks.named('checkstyleNohttp') {
+	maxHeapSize = '1g'
+}
+
 tasks.register('cloneRepository', IncludeRepoTask) {
 	repository = project.getProperties().get("repositoryName")
 	ref = project.getProperties().get("ref")
@@ -120,7 +124,7 @@ wrapperUpgrade {
 	gradle {
 		'spring-security' {
 			repo = 'spring-projects/spring-security'
-			baseBranch = '6.1.x' // runs only on 6.1.x and the update is merged forward to main
+			baseBranch = '6.2.x' // runs only on 6.2.x and the update is merged forward to main
 		}
 	}
 }

buildSrc/src/main/java/org/springframework/gradle/maven/PublishAllJavaComponentsPlugin.java

@@ -7,8 +7,6 @@
 import org.gradle.api.plugins.JavaPlatformPlugin;
 import org.gradle.api.plugins.JavaPlugin;
 import org.gradle.api.publish.PublishingExtension;
-import org.gradle.api.publish.VariantVersionMappingStrategy;
-import org.gradle.api.publish.VersionMappingStrategy;
 import org.gradle.api.publish.maven.MavenPublication;
 import org.gradle.api.publish.maven.plugins.MavenPublishPlugin;
 

buildSrc/src/main/java/org/springframework/security/convention/versions/VerifyDependenciesVersionsPlugin.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,7 +23,6 @@
 import org.gradle.api.artifacts.MinimalExternalModuleDependency;
 import org.gradle.api.artifacts.VersionCatalog;
 import org.gradle.api.artifacts.VersionCatalogsExtension;
-import org.gradle.api.file.RegularFile;
 import org.gradle.api.file.RegularFileProperty;
 import org.gradle.api.plugins.JavaBasePlugin;
 import org.gradle.api.provider.Property;
@@ -36,7 +35,6 @@
 import org.gradle.api.tasks.TaskProvider;
 import org.gradle.api.tasks.VerificationException;
 
-import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.util.Optional;