URL Cleanup
This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener). These URLs were unable to be fixed. Please review them to see if they can be manually resolved. * [ ] http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html (200) with 1 occurrences could not be migrated: ([https](https://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html) result ClosedChannelException). * [ ] http://bouncy-castle.1462172.n4.nabble.com/Java-Bouncy-Castle-scrypt-implementation-td4656832.html (200) with 1 occurrences could not be migrated: ([https](https://bouncy-castle.1462172.n4.nabble.com/Java-Bouncy-Castle-scrypt-implementation-td4656832.html) result SSLHandshakeException). * [ ] http://cujojs.com/ (200) with 1 occurrences could not be migrated: ([https](https://cujojs.com/) result SSLHandshakeException). * [ ] http://erik.eae.net/archives/2007/07/27/18.54.15/ (200) with 1 occurrences could not be migrated: ([https](https://erik.eae.net/archives/2007/07/27/18.54.15/) result SSLHandshakeException). * [ ] http://javascript.nwbox.com/IEContentLoaded/ (200) with 1 occurrences could not be migrated: ([https](https://javascript.nwbox.com/IEContentLoaded/) result SSLHandshakeException). * [ ] http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html (200) with 1 occurrences could not be migrated: ([https](https://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html) result SSLHandshakeException). * [ ] http://monkeymachine.co.uk/ (200) with 2 occurrences could not be migrated: ([https](https://monkeymachine.co.uk/) result SSLHandshakeException). 
* [ ] http://perfectionkills.com/detecting-event-support-without-browser-sniffing/ (200) with 1 occurrences could not be migrated: ([https](https://perfectionkills.com/detecting-event-support-without-browser-sniffing/) result SSLHandshakeException). * [ ] http://somesite.com/login (200) with 3 occurrences could not be migrated: ([https](https://somesite.com/login) result AnnotatedConnectException). * [ ] http://someurl.com/ (200) with 2 occurrences could not be migrated: ([https](https://someurl.com/) result SSLHandshakeException). * [ ] http://webblaze.cs.berkeley.edu/papers/barth-caballero-song.pdf (200) with 1 occurrences could not be migrated: ([https](https://webblaze.cs.berkeley.edu/papers/barth-caballero-song.pdf) result 404). * [ ] http://www.example.com:80/ (200) with 1 occurrences could not be migrated: ([https](https://www.example.com:80/) result NotSslRecordException). * [ ] http://www.faqs.org/qa/rfcc-1940.html (200) with 3 occurrences could not be migrated: ([https](https://www.faqs.org/qa/rfcc-1940.html) result AnnotatedConnectException). * [ ] http://www.faqs.org/rfcs/rfc1945.html (200) with 2 occurrences could not be migrated: ([https](https://www.faqs.org/rfcs/rfc1945.html) result AnnotatedConnectException). * [ ] http://www.faqs.org/rfcs/rfc3548.html (200) with 3 occurrences could not be migrated: ([https](https://www.faqs.org/rfcs/rfc3548.html) result AnnotatedConnectException). * [ ] http://www.jasypt.org/springsecurity.html (200) with 1 occurrences could not be migrated: ([https](https://www.jasypt.org/springsecurity.html) result AnnotatedConnectException). * [ ] http://www.zytrax.com/books/ldap/ (200) with 2 occurrences could not be migrated: ([https](https://www.zytrax.com/books/ldap/) result AnnotatedConnectException). * [ ] http://blindsignals.com/index.php/2009/07/jquery-delay/ (301) with 1 occurrences could not be migrated: ([https](https://blindsignals.com/index.php/2009/07/jquery-delay/) result SSLHandshakeException). 
* [ ] http://www.faqs.org/ (301) with 1 occurrences could not be migrated: ([https](https://www.faqs.org/) result AnnotatedConnectException). * [ ] http://sam.zoy.org/wtfpl/ (301) with 2 occurrences could not be migrated: ([https](https://sam.zoy.org/wtfpl/) result SSLHandshakeException). * [ ] http://hey.openid.com/ (302) with 1 occurrences could not be migrated: ([https](https://hey.openid.com/) result SSLHandshakeException). * [ ] http://iharder.net/base64 (303) with 2 occurrences could not be migrated: ([https](https://iharder.net/base64) result AnnotatedConnectException). * [ ] http://jaspan.com/improved_persistent_login_cookie_best_practice (500) with 3 occurrences could not be migrated: ([https](https://jaspan.com/improved_persistent_login_cookie_best_practice) result AnnotatedConnectException). These URLs were fixed, but the https status was not OK. However, the https status was the same as the http request or http redirected to an https URL, so they were migrated. Your review is recommended. * [ ] http://www.relaxng.org/ (301) with 1 occurrences migrated to: https://relaxng.org/ ([https](https://www.relaxng.org/) result SSLHandshakeException). * [ ] http://www.relaxng.org (301) with 1 occurrences migrated to: https://relaxng.org/ ([https](https://www.relaxng.org) result SSLHandshakeException). * [ ] http://tools.ietf.org/html/draft-ietf-websec-x-frame-options (301) with 2 occurrences migrated to: https://tools.ietf.org/html/draft-ietf-websec-x-frame-options ([https](https://tools.ietf.org/html/draft-ietf-websec-x-frame-options) result ReadTimeoutException). * [ ] http://foo.test.com (302) with 2 occurrences migrated to: https://www.test.com ([https](https://foo.test.com) result SSLHandshakeException). * [ ] http://abc.test.com (302) with 2 occurrences migrated to: https://www.test.com ([https](https://abc.test.com) result SSLHandshakeException). 
* [ ] http://192.168.1:8080 (ConnectTimeoutException) with 2 occurrences migrated to: https://192.168.1:8080 ([https](https://192.168.1:8080) result ConnectTimeoutException). * [ ] http://www.example.com:8080/mycontext/secure/page.html (ConnectTimeoutException) with 1 occurrences migrated to: https://www.example.com:8080/mycontext/secure/page.html ([https](https://www.example.com:8080/mycontext/secure/page.html) result ConnectTimeoutException). * [ ] http://www.example.com:8888/bigWebApp/hello (ConnectTimeoutException) with 1 occurrences migrated to: https://www.example.com:8888/bigWebApp/hello ([https](https://www.example.com:8888/bigWebApp/hello) result ConnectTimeoutException). * [ ] http://www.example.com:8888/bigWebApp/hello/pathInfo.html?open=true (ConnectTimeoutException) with 1 occurrences migrated to: https://www.example.com:8888/bigWebApp/hello/pathInfo.html?open=true ([https](https://www.example.com:8888/bigWebApp/hello/pathInfo.html?open=true) result ConnectTimeoutException). * [ ] http://www.opensymphony.com/sitemesh/decorator (ConnectTimeoutException) with 1 occurrences migrated to: https://www.opensymphony.com/sitemesh/decorator ([https](https://www.opensymphony.com/sitemesh/decorator) result ConnectTimeoutException). * [ ] http://www.opensymphony.com/sitemesh/page (ConnectTimeoutException) with 1 occurrences migrated to: https://www.opensymphony.com/sitemesh/page ([https](https://www.opensymphony.com/sitemesh/page) result ConnectTimeoutException). * [ ] http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd (ReadTimeoutException) with 1 occurrences migrated to: https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd ([https](https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd) result ReadTimeoutException). * [ ] http://axschema.org/ (UnknownHostException) with 2 occurrences migrated to: https://axschema.org/ ([https](https://axschema.org/) result UnknownHostException). 
* [ ] http://axschema.org/contact/email (UnknownHostException) with 17 occurrences migrated to: https://axschema.org/contact/email ([https](https://axschema.org/contact/email) result UnknownHostException). * [ ] http://axschema.org/namePerson (UnknownHostException) with 5 occurrences migrated to: https://axschema.org/namePerson ([https](https://axschema.org/namePerson) result UnknownHostException). * [ ] http://axschema.org/namePerson/first (UnknownHostException) with 4 occurrences migrated to: https://axschema.org/namePerson/first ([https](https://axschema.org/namePerson/first) result UnknownHostException). * [ ] http://axschema.org/namePerson/last (UnknownHostException) with 4 occurrences migrated to: https://axschema.org/namePerson/last ([https](https://axschema.org/namePerson/last) result UnknownHostException). * [ ] http://context.blah.com/context/remainder (UnknownHostException) with 1 occurrences migrated to: https://context.blah.com/context/remainder ([https](https://context.blah.com/context/remainder) result UnknownHostException). * [ ] http://host/myapp/index.html;jsessionid=blah (UnknownHostException) with 1 occurrences migrated to: https://host/myapp/index.html;jsessionid=blah ([https](https://host/myapp/index.html;jsessionid=blah) result UnknownHostException). * [ ] http://http://context.blah.com/context/remainder (UnknownHostException) with 1 occurrences migrated to: https://http://context.blah.com/context/remainder ([https](https://https://context.blah.com/context/remainder) result UnknownHostException). * [ ] http://id.openid.zz (UnknownHostException) with 2 occurrences migrated to: https://id.openid.zz ([https](https://id.openid.zz) result UnknownHostException). * [ ] http://jimi.hendrix.myopenid.com/ (UnknownHostException) with 1 occurrences migrated to: https://jimi.hendrix.myopenid.com/ ([https](https://jimi.hendrix.myopenid.com/) result UnknownHostException). 
* [ ] http://joe.myopenid.com/ (UnknownHostException) with 3 occurrences migrated to: https://joe.myopenid.com/ ([https](https://joe.myopenid.com/) result UnknownHostException). * [ ] http://openid.aol.com/ (UnknownHostException) with 2 occurrences migrated to: https://openid.aol.com/ ([https](https://openid.aol.com/) result UnknownHostException). * [ ] http://pip.verisignlabs.com/server (UnknownHostException) with 2 occurrences migrated to: https://pip.verisignlabs.com/server ([https](https://pip.verisignlabs.com/server) result UnknownHostException). * [ ] http://schema.openid.net/contact/email (UnknownHostException) with 6 occurrences migrated to: https://schema.openid.net/contact/email ([https](https://schema.openid.net/contact/email) result UnknownHostException). * [ ] http://schema.openid.net/namePerson (UnknownHostException) with 2 occurrences migrated to: https://schema.openid.net/namePerson ([https](https://schema.openid.net/namePerson) result UnknownHostException). * [ ] http://schema.openid.net/namePerson/friendly (UnknownHostException) with 2 occurrences migrated to: https://schema.openid.net/namePerson/friendly ([https](https://schema.openid.net/namePerson/friendly) result UnknownHostException). * [ ] http://some.site.org/index.html (UnknownHostException) with 1 occurrences migrated to: https://some.site.org/index.html ([https](https://some.site.org/index.html) result UnknownHostException). * [ ] http://specs.openid.net/auth/2.0 (UnknownHostException) with 2 occurrences migrated to: https://specs.openid.net/auth/2.0 ([https](https://specs.openid.net/auth/2.0) result UnknownHostException). * [ ] http://specs.openid.net/auth/2.0/identifier_select (UnknownHostException) with 4 occurrences migrated to: https://specs.openid.net/auth/2.0/identifier_select ([https](https://specs.openid.net/auth/2.0/identifier_select) result UnknownHostException). 
* [ ] http://wiki.fasterxml.com/JacksonFeatureModules (UnknownHostException) with 1 occurrences migrated to: https://wiki.fasterxml.com/JacksonFeatureModules ([https](https://wiki.fasterxml.com/JacksonFeatureModules) result UnknownHostException). * [ ] http://www.faqs (UnknownHostException) with 1 occurrences migrated to: https://www.faqs ([https](https://www.faqs) result UnknownHostException). * [ ] http://www.test123.com (UnknownHostException) with 1 occurrences migrated to: https://www.test123.com ([https](https://www.test123.com) result UnknownHostException). * [ ] http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29 (301) with 1 occurrences migrated to: https://en.wikipedia.org/wiki/Defense_in_depth_%2528computing%2529 ([https](https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29) result 400). * [ ] http://book.git-scm.com/4_interactive_rebasing.html (301) with 1 occurrences migrated to: https://book.git-scm.com/4_interactive_rebasing.html ([https](https://book.git-scm.com/4_interactive_rebasing.html) result 404). * [ ] http://docs.spring.io/spring-security/site/docs/current/apidocs/ (301) with 2 occurrences migrated to: https://docs.spring.io/spring-security/site/docs/current/apidocs/ ([https](https://docs.spring.io/spring-security/site/docs/current/apidocs/) result 404). * [ ] http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html (404) with 1 occurrences migrated to: https://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html ([https](https://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html) result 404). * [ ] http://example.com/path?a=b&c=d (404) with 1 occurrences migrated to: https://example.com/path?a=b&c=d ([https](https://example.com/path?a=b&c=d) result 404). 
* [ ] http://example.com/pkp-report (404) with 5 occurrences migrated to: https://example.com/pkp-report ([https](https://example.com/pkp-report) result 404). * [ ] http://example.net/pkp-report (404) with 9 occurrences migrated to: https://example.net/pkp-report ([https](https://example.net/pkp-report) result 404). * [ ] http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/ (301) with 1 occurrences migrated to: https://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/ ([https](https://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/) result 404). * [ ] http://help.github.com/send-pull-requests (404) with 1 occurrences migrated to: https://help.github.com/send-pull-requests ([https](https://help.github.com/send-pull-requests) result 404). * [ ] http://html5shim.googlecode.com/svn/trunk/html5.js (404) with 6 occurrences migrated to: https://html5shim.googlecode.com/svn/trunk/html5.js ([https](https://html5shim.googlecode.com/svn/trunk/html5.js) result 404). * [ ] http://json.org/json2.js (404) with 1 occurrences migrated to: https://json.org/json2.js ([https](https://json.org/json2.js) result 404). * [ ] http://openid-selector.googlecode.com/svn/trunk/ (404) with 2 occurrences migrated to: https://openid-selector.googlecode.com/svn/trunk/ ([https](https://openid-selector.googlecode.com/svn/trunk/) result 404). * [ ] http://relaxng.org/ns/compatibility/annotations/1.0 (301) with 5 occurrences migrated to: https://relaxng.org/ns/compatibility/annotations/1.0 ([https](https://relaxng.org/ns/compatibility/annotations/1.0) result 404). * [ ] http://www.example.com/bigWebApp/hello (404) with 2 occurrences migrated to: https://www.example.com/bigWebApp/hello ([https](https://www.example.com/bigWebApp/hello) result 404). 
* [ ] http://www.example.com/bigWebApp/hello/pathInfo.html?open=true (404) with 1 occurrences migrated to: https://www.example.com/bigWebApp/hello/pathInfo.html?open=true ([https](https://www.example.com/bigWebApp/hello/pathInfo.html?open=true) result 404). * [ ] http://www.example.com/identity (404) with 1 occurrences migrated to: https://www.example.com/identity ([https](https://www.example.com/identity) result 404). * [ ] http://www.example.com/login/openid (404) with 2 occurrences migrated to: https://www.example.com/login/openid ([https](https://www.example.com/login/openid) result 404). * [ ] http://www.example.com/mycontext/HelloWorld (404) with 1 occurrences migrated to: https://www.example.com/mycontext/HelloWorld ([https](https://www.example.com/mycontext/HelloWorld) result 404). * [ ] http://www.example.com/mycontext/HelloWorld/some/more/segments.html (404) with 1 occurrences migrated to: https://www.example.com/mycontext/HelloWorld/some/more/segments.html ([https](https://www.example.com/mycontext/HelloWorld/some/more/segments.html) result 404). * [ ] http://www.example.com/mycontext/HelloWorld?foo=bar (404) with 1 occurrences migrated to: https://www.example.com/mycontext/HelloWorld?foo=bar ([https](https://www.example.com/mycontext/HelloWorld?foo=bar) result 404). * [ ] http://www.example.com/mycontext/secure/page.html (404) with 3 occurrences migrated to: https://www.example.com/mycontext/secure/page.html ([https](https://www.example.com/mycontext/secure/page.html) result 404). * [ ] http://www.example.com/realm (404) with 1 occurrences migrated to: https://www.example.com/realm ([https](https://www.example.com/realm) result 404). * [ ] http://www.example.com/redirect (404) with 1 occurrences migrated to: https://www.example.com/redirect ([https](https://www.example.com/redirect) result 404). 
* [ ] http://www.example.org/do/something (404) with 4 occurrences migrated to: https://www.example.org/do/something ([https](https://www.example.org/do/something) result 404). * [ ] http://www.ibm.com/developerworks/tivoli/library/t-ldap-controls/ (301) with 1 occurrences migrated to: https://www.ibm.com/developerworks/tivoli/library/t-ldap-controls/ ([https](https://www.ibm.com/developerworks/tivoli/library/t-ldap-controls/) result 404). * [ ] http://www.json.org/json2.js (404) with 1 occurrences migrated to: https://www.json.org/json2.js ([https](https://www.json.org/json2.js) result 404). * [ ] http://www.thymeleaf.org/thymeleaf-extras-springsecurity4 (301) with 2 occurrences migrated to: https://www.thymeleaf.org/thymeleaf-extras-springsecurity4 ([https](https://www.thymeleaf.org/thymeleaf-extras-springsecurity4) result 404). These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended. * [ ] http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html with 1 occurrences migrated to: https://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html ([https](https://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html) result 200). * [ ] http://bugs.jquery.com/ticket/12282 with 1 occurrences migrated to: https://bugs.jquery.com/ticket/12282 ([https](https://bugs.jquery.com/ticket/12282) result 200). * [ ] http://bugs.jquery.com/ticket/12359 with 1 occurrences migrated to: https://bugs.jquery.com/ticket/12359 ([https](https://bugs.jquery.com/ticket/12359) result 200). * [ ] http://claimid.com/ with 2 occurrences migrated to: https://claimid.com/ ([https](https://claimid.com/) result 200). * [ ] http://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html with 1 occurrences migrated to: https://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html ([https](https://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html) result 200). 
* [ ] http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html with 26 occurrences migrated to: https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html ([https](https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html) result 200). * [ ] http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html with 1 occurrences migrated to: https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html ([https](https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html) result 200). * [ ] http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html with 1 occurrences migrated to: https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html ([https](https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html) result 200). * [ ] http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html with 1 occurrences migrated to: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html ([https](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html) result 200). * [ ] http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html with 1 occurrences migrated to: https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html ([https](https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html) result 200). * [ ] http://docs.spring.io/spring-framework/docs/4.0.x/spring-framework-reference/htmlsingle/ with 2 occurrences migrated to: https://docs.spring.io/spring-framework/docs/4.0.x/spring-framework-reference/htmlsingle/ ([https](https://docs.spring.io/spring-framework/docs/4.0.x/spring-framework-reference/htmlsingle/) result 200). 
* [ ] http://docs.spring.io/spring-framework/docs/4.1.x/spring-framework-reference/htmlsingle/ with 1 occurrences migrated to: https://docs.spring.io/spring-framework/docs/4.1.x/spring-framework-reference/htmlsingle/ ([https](https://docs.spring.io/spring-framework/docs/4.1.x/spring-framework-reference/htmlsingle/) result 200). * [ ] http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-services.html (301) with 1 occurrences migrated to: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/core-services.html ([https](https://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-services.html) result 200). * [ ] http://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html (301) with 1 occurrences migrated to: https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html ([https](https://static.springsource.org/spring-security/site/docs/3.0.x/reference/remember-me.html) result 200). * [ ] http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html (301) with 1 occurrences migrated to: https://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html ([https](https://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html) result 200). * [ ] http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/ with 1 occurrences migrated to: https://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/ ([https](https://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/) result 200). 
* [ ] http://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/apidocs/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.html with 1 occurrences migrated to: https://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/apidocs/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.html ([https](https://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/apidocs/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.html) result 200). * [ ] http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/ with 3 occurrences migrated to: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/ ([https](https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/) result 200). * [ ] http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html with 2 occurrences migrated to: https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html ([https](https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html) result 200). * [ ] http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html with 1 occurrences migrated to: https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html ([https](https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html) result 200). * [ ] http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/htmlsingle/spring-framework-reference.html (301) with 1 occurrences migrated to: https://docs.spring.io/spring/docs/3.0.x/spring-framework-reference/htmlsingle/spring-framework-reference.html ([https](https://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/htmlsingle/spring-framework-reference.html) result 200). 
* [ ] http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/beans.html with 1 occurrences migrated to: https://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/beans.html ([https](https://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/beans.html) result 200). * [ ] http://docs.spring.io/spring/docs/3.2.x/javadoc-api/org/springframework/web/multipart/support/MultipartFilter.html with 1 occurrences migrated to: https://docs.spring.io/spring/docs/3.2.x/javadoc-api/org/springframework/web/multipart/support/MultipartFilter.html ([https](https://docs.spring.io/spring/docs/3.2.x/javadoc-api/org/springframework/web/multipart/support/MultipartFilter.html) result 200). * [ ] http://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html with 3 occurrences migrated to: https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html ([https](https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html) result 200). * [ ] http://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html with 1 occurrences migrated to: https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html ([https](https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html) result 200). * [ ] http://en.wikipedia.org/wiki/Clickjacking with 8 occurrences migrated to: https://en.wikipedia.org/wiki/Clickjacking ([https](https://en.wikipedia.org/wiki/Clickjacking) result 200). * [ ] http://en.wikipedia.org/wiki/Content_sniffing with 1 occurrences migrated to: https://en.wikipedia.org/wiki/Content_sniffing ([https](https://en.wikipedia.org/wiki/Content_sniffing) result 200). * [ ] http://en.wikipedia.org/wiki/Cross-site_request_forgery with 11 occurrences migrated to: https://en.wikipedia.org/wiki/Cross-site_request_forgery ([https](https://en.wikipedia.org/wiki/Cross-site_request_forgery) result 200). 
* [ ] http://en.wikipedia.org/wiki/Cross-site_scripting with 7 occurrences migrated to: https://en.wikipedia.org/wiki/Cross-site_scripting ([https](https://en.wikipedia.org/wiki/Cross-site_scripting) result 200). * [ ] http://en.wikipedia.org/wiki/Firesheep with 1 occurrences migrated to: https://en.wikipedia.org/wiki/Firesheep ([https](https://en.wikipedia.org/wiki/Firesheep) result 200). * [ ] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security with 4 occurrences migrated to: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security ([https](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) result 200). * [ ] http://en.wikipedia.org/wiki/Key_strengthening with 1 occurrences migrated to: https://en.wikipedia.org/wiki/Key_strengthening ([https](https://en.wikipedia.org/wiki/Key_strengthening) result 200). * [ ] http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol with 1 occurrences migrated to: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol ([https](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) result 200). * [ ] http://en.wikipedia.org/wiki/Man-in-the-middle_attack with 1 occurrences migrated to: https://en.wikipedia.org/wiki/Man-in-the-middle_attack ([https](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) result 200). * [ ] http://en.wikipedia.org/wiki/Null_Object_pattern with 1 occurrences migrated to: https://en.wikipedia.org/wiki/Null_Object_pattern ([https](https://en.wikipedia.org/wiki/Null_Object_pattern) result 200). * [ ] http://en.wikipedia.org/wiki/SRV_record with 2 occurrences migrated to: https://en.wikipedia.org/wiki/SRV_record ([https](https://en.wikipedia.org/wiki/SRV_record) result 200). * [ ] http://en.wikipedia.org/wiki/Same-origin_policy with 1 occurrences migrated to: https://en.wikipedia.org/wiki/Same-origin_policy ([https](https://en.wikipedia.org/wiki/Same-origin_policy) result 200). 
* [ ] http://en.wikipedia.org/wiki/Session_fixation with 6 occurrences migrated to: https://en.wikipedia.org/wiki/Session_fixation ([https](https://en.wikipedia.org/wiki/Session_fixation) result 200). * [ ] http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice with 2 occurrences migrated to: https://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice ([https](https://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice) result 200). * [ ] http://flywaydb.org/ with 1 occurrences migrated to: https://flywaydb.org/ ([https](https://flywaydb.org/) result 200). * [ ] http://gradle.org with 1 occurrences migrated to: https://gradle.org ([https](https://gradle.org) result 200). * [ ] http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/ with 1 occurrences migrated to: https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/ ([https](https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/) result 200). * [ ] http://jquery.com/ with 1 occurrences migrated to: https://jquery.com/ ([https](https://jquery.com/) result 200). * [ ] http://knockoutjs.com/ with 1 occurrences migrated to: https://knockoutjs.com/ ([https](https://knockoutjs.com/) result 200). * [ ] http://marketplace.eclipse.org/content/anyedit-tools with 1 occurrences migrated to: https://marketplace.eclipse.org/content/anyedit-tools ([https](https://marketplace.eclipse.org/content/anyedit-tools) result 200). * [ ] http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html with 4 occurrences migrated to: https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html ([https](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html) result 200). * [ ] http://openid.net with 1 occurrences migrated to: https://openid.net ([https](https://openid.net) result 200). 
* [ ] http://openid.net/ with 1 occurrences migrated to: https://openid.net/ ([https](https://openid.net/) result 200). * [ ] http://openid.net/specs/openid-attribute-exchange-1_0.html with 3 occurrences migrated to: https://openid.net/specs/openid-attribute-exchange-1_0.html ([https](https://openid.net/specs/openid-attribute-exchange-1_0.html) result 200). * [ ] http://sizzlejs.com/ with 2 occurrences migrated to: https://sizzlejs.com/ ([https](https://sizzlejs.com/) result 200). * [ ] http://spring.io/blog/2009/01/03/spring-security-customization-part-2-adjusting-secured-session-in-real-time with 1 occurrences migrated to: https://spring.io/blog/2009/01/03/spring-security-customization-part-2-adjusting-secured-session-in-real-time ([https](https://spring.io/blog/2009/01/03/spring-security-customization-part-2-adjusting-secured-session-in-real-time) result 200). * [ ] http://blog.springsource.com/2010/03/06/behind-the-spring-security-namespace/ (301) with 1 occurrences migrated to: https://spring.io/blog/2010/03/06/behind-the-spring-security-namespace/ ([https](https://blog.springsource.com/2010/03/06/behind-the-spring-security-namespace/) result 200). * [ ] http://blog.springsource.com/2010/08/02/spring-security-in-google-app-engine/ (301) with 1 occurrences migrated to: https://spring.io/blog/2010/08/02/spring-security-in-google-app-engine/ ([https](https://blog.springsource.com/2010/08/02/spring-security-in-google-app-engine/) result 200). * [ ] http://spring.io/projects with 1 occurrences migrated to: https://spring.io/projects ([https](https://spring.io/projects) result 200). * [ ] http://spring.io/questions with 2 occurrences migrated to: https://spring.io/questions ([https](https://spring.io/questions) result 200). * [ ] http://spring.io/services with 1 occurrences migrated to: https://spring.io/services ([https](https://spring.io/services) result 200). 
* [ ] http://stackoverflow.com/questions/tagged/spring-security with 1 occurrences migrated to: https://stackoverflow.com/questions/tagged/spring-security ([https](https://stackoverflow.com/questions/tagged/spring-security) result 200). * [ ] http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html with 2 occurrences migrated to: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html ([https](https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) result 200). * [ ] http://tools.ietf.org/html/rfc6797 with 11 occurrences migrated to: https://tools.ietf.org/html/rfc6797 ([https](https://tools.ietf.org/html/rfc6797) result 200). * [ ] http://tools.ietf.org/html/rfc7469 with 18 occurrences migrated to: https://tools.ietf.org/html/rfc7469 ([https](https://tools.ietf.org/html/rfc7469) result 200). * [ ] http://vimeo.com/34436402 with 1 occurrences migrated to: https://vimeo.com/34436402 ([https](https://vimeo.com/34436402) result 200). * [ ] http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/ with 1 occurrences migrated to: https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/ ([https](https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/) result 200). * [ ] http://www.ja-sig.org/cas (301) with 1 occurrences migrated to: https://www.apereo.org ([https](https://www.ja-sig.org/cas) result 200). * [ ] http://ehcache.sourceforge.net (301) with 2 occurrences migrated to: https://www.ehcache.org/ ([https](https://ehcache.sourceforge.net) result 200). * [ ] http://www.html5rocks.com/en/tutorials/security/content-security-policy/ with 1 occurrences migrated to: https://www.html5rocks.com/en/tutorials/security/content-security-policy/ ([https](https://www.html5rocks.com/en/tutorials/security/content-security-policy/) result 200). * [ ] http://www.ietf.org/rfc/rfc2396.txt with 3 occurrences migrated to: https://www.ietf.org/rfc/rfc2396.txt ([https](https://www.ietf.org/rfc/rfc2396.txt) result 200). 
* [ ] http://www.ietf.org/rfc/rfc2617.txt with 1 occurrences migrated to: https://www.ietf.org/rfc/rfc2617.txt ([https](https://www.ietf.org/rfc/rfc2617.txt) result 200). * [ ] http://www.liquibase.org/ with 1 occurrences migrated to: https://www.liquibase.org/ ([https](https://www.liquibase.org/) result 200). * [ ] http://www.openbsd.org/papers/bcrypt-paper.ps with 1 occurrences migrated to: https://www.openbsd.org/papers/bcrypt-paper.ps ([https](https://www.openbsd.org/papers/bcrypt-paper.ps) result 200). * [ ] http://www.springframework.org/schema/aop/spring-aop-2.5.xsd with 1 occurrences migrated to: https://www.springframework.org/schema/aop/spring-aop-2.5.xsd ([https](https://www.springframework.org/schema/aop/spring-aop-2.5.xsd) result 200). * [ ] http://www.springframework.org/schema/beans/spring-beans-2.5.xsd with 1 occurrences migrated to: https://www.springframework.org/schema/beans/spring-beans-2.5.xsd ([https](https://www.springframework.org/schema/beans/spring-beans-2.5.xsd) result 200). * [ ] http://www.springframework.org/schema/beans/spring-beans-3.0.xsd with 2 occurrences migrated to: https://www.springframework.org/schema/beans/spring-beans-3.0.xsd ([https](https://www.springframework.org/schema/beans/spring-beans-3.0.xsd) result 200). * [ ] http://www.springframework.org/schema/beans/spring-beans.xsd with 1 occurrences migrated to: https://www.springframework.org/schema/beans/spring-beans.xsd ([https](https://www.springframework.org/schema/beans/spring-beans.xsd) result 200). * [ ] http://www.springframework.org/schema/context/spring-context-2.5.xsd with 1 occurrences migrated to: https://www.springframework.org/schema/context/spring-context-2.5.xsd ([https](https://www.springframework.org/schema/context/spring-context-2.5.xsd) result 200). 
* [ ] http://www.springframework.org/schema/mvc/spring-mvc.xsd with 1 occurrences migrated to: https://www.springframework.org/schema/mvc/spring-mvc.xsd ([https](https://www.springframework.org/schema/mvc/spring-mvc.xsd) result 200). * [ ] http://www.springframework.org/schema/security/spring-security.xsd with 3 occurrences migrated to: https://www.springframework.org/schema/security/spring-security.xsd ([https](https://www.springframework.org/schema/security/spring-security.xsd) result 200). * [ ] http://www.springframework.org/schema/websocket/spring-websocket.xsd with 1 occurrences migrated to: https://www.springframework.org/schema/websocket/spring-websocket.xsd ([https](https://www.springframework.org/schema/websocket/spring-websocket.xsd) result 200). * [ ] http://www.test.com with 9 occurrences migrated to: https://www.test.com ([https](https://www.test.com) result 200). * [ ] http://www.thymeleaf.org with 19 occurrences migrated to: https://www.thymeleaf.org ([https](https://www.thymeleaf.org) result 200). * [ ] http://www.thymeleaf.org/ with 3 occurrences migrated to: https://www.thymeleaf.org/ ([https](https://www.thymeleaf.org/) result 200). * [ ] http://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-3.dtd with 1 occurrences migrated to: https://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-3.dtd ([https](https://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-3.dtd) result 200). * [ ] http://www.thymeleaf.org/whatsnew21.html with 1 occurrences migrated to: https://www.thymeleaf.org/whatsnew21.html ([https](https://www.thymeleaf.org/whatsnew21.html) result 200). * [ ] http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html with 2 occurrences migrated to: https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html ([https](https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html) result 200). 
* [ ] http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html with 1 occurrences migrated to: https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html ([https](https://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html) result 200). * [ ] http://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html with 1 occurrences migrated to: https://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html ([https](https://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html) result 200). * [ ] http://www.w3.org/TR/2011/REC-css3-selectors-20110929/ with 2 occurrences migrated to: https://www.w3.org/TR/2011/REC-css3-selectors-20110929/ ([https](https://www.w3.org/TR/2011/REC-css3-selectors-20110929/) result 200). * [ ] http://www.w3.org/TR/CSS21/syndata.html with 1 occurrences migrated to: https://www.w3.org/TR/CSS21/syndata.html ([https](https://www.w3.org/TR/CSS21/syndata.html) result 200). * [ ] http://www.w3.org/TR/selectors/ with 3 occurrences migrated to: https://www.w3.org/TR/selectors/ ([https](https://www.w3.org/TR/selectors/) result 200). * [ ] http://www.youtube.com/watch?v=3mk0RySeNsU with 1 occurrences migrated to: https://www.youtube.com/watch?v=3mk0RySeNsU ([https](https://www.youtube.com/watch?v=3mk0RySeNsU) result 200). * [ ] http://api.jquery.com/jQuery.browser with 1 occurrences migrated to: https://api.jquery.com/jQuery.browser ([https](https://api.jquery.com/jQuery.browser) result 301). * [ ] http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx with 1 occurrences migrated to: https://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx ([https](https://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx) result 301). 
* [ ] http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx with 2 occurrences migrated to: https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx ([https](https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx) result 301). * [ ] http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx with 2 occurrences migrated to: https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx ([https](https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx) result 301). * [ ] http://code.google.com/p/openid-selector/ with 3 occurrences migrated to: https://code.google.com/p/openid-selector/ ([https](https://code.google.com/p/openid-selector/) result 301). * [ ] http://contributor-covenant.org with 1 occurrences migrated to: https://contributor-covenant.org ([https](https://contributor-covenant.org) result 301). * [ ] http://contributor-covenant.org/version/1/3/0/ with 1 occurrences migrated to: https://contributor-covenant.org/version/1/3/0/ ([https](https://contributor-covenant.org/version/1/3/0/) result 301). * [ ] http://dev.w3.org/csswg/cssom/ with 1 occurrences migrated to: https://dev.w3.org/csswg/cssom/ ([https](https://dev.w3.org/csswg/cssom/) result 301). * [ ] http://docs.spring.io with 1 occurrences migrated to: https://docs.spring.io ([https](https://docs.spring.io) result 301). * [ ] http://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html with 1 occurrences migrated to: https://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html ([https](https://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html) result 301). 
* [ ] http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html with 7 occurrences migrated to: https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html ([https](https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html) result 301). * [ ] http://forum.springsource.org/showthread.php?102783-How-to-use-hasIpAddress&p=343971 (301) with 1 occurrences migrated to: https://forum.spring.io/showthread.php?102783-How-to-use-hasIpAddress&p=343971 ([https](https://forum.springsource.org/showthread.php?102783-How-to-use-hasIpAddress&p=343971) result 301). * [ ] http://help.github.com/set-up-git-redirect with 1 occurrences migrated to: https://help.github.com/set-up-git-redirect ([https](https://help.github.com/set-up-git-redirect) result 301). * [ ] http://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_ with 1 occurrences migrated to: https://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_ ([https](https://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_) result 301). * [ ] http://jquery.org/license with 1 occurrences migrated to: https://jquery.org/license ([https](https://jquery.org/license) result 301). * [ ] http://msdn.microsoft.com/en-us/library/dd565647 with 4 occurrences migrated to: https://msdn.microsoft.com/en-us/library/dd565647 ([https](https://msdn.microsoft.com/en-us/library/dd565647) result 301). * [ ] http://msdn.microsoft.com/en-us/library/ie/gg622941 with 5 occurrences migrated to: https://msdn.microsoft.com/en-us/library/ie/gg622941 ([https](https://msdn.microsoft.com/en-us/library/ie/gg622941) result 301). * [ ] http://openid.net/get/ with 2 occurrences migrated to: https://openid.net/get/ ([https](https://openid.net/get/) result 301). * [ ] http://openid.net/what/ with 2 occurrences migrated to: https://openid.net/what/ ([https](https://openid.net/what/) result 301). 
* [ ] http://technorati.com/people/technorati/ with 2 occurrences migrated to: https://technorati.com/people/technorati/ ([https](https://technorati.com/people/technorati/) result 301). * [ ] http://twitter.github.com/bootstrap/javascript.html with 13 occurrences migrated to: https://twitter.github.com/bootstrap/javascript.html ([https](https://twitter.github.com/bootstrap/javascript.html) result 301). * [ ] http://www.gradle.org/docs/current/dsl/org.gradle.api.artifacts.ResolutionStrategy.html with 1 occurrences migrated to: https://www.gradle.org/docs/current/dsl/org.gradle.api.artifacts.ResolutionStrategy.html ([https](https://www.gradle.org/docs/current/dsl/org.gradle.api.artifacts.ResolutionStrategy.html) result 301). * [ ] http://www.jasig.org/cas with 1 occurrences migrated to: https://www.jasig.org/cas ([https](https://www.jasig.org/cas) result 301). * [ ] http://www.modernizr.com/ with 1 occurrences migrated to: https://www.modernizr.com/ ([https](https://www.modernizr.com/) result 301). * [ ] http://www.opensource.org/licenses/mit-license.php with 1 occurrences migrated to: https://www.opensource.org/licenses/mit-license.php ([https](https://www.opensource.org/licenses/mit-license.php) result 301). * [ ] http://www.oracle.com/technetwork/java/javase/downloads with 1 occurrences migrated to: https://www.oracle.com/technetwork/java/javase/downloads ([https](https://www.oracle.com/technetwork/java/javase/downloads) result 301). * [ ] http://www.owasp.org/ with 1 occurrences migrated to: https://www.owasp.org/ ([https](https://www.owasp.org/) result 301). * [ ] http://www.springframework.org/security with 1 occurrences migrated to: https://www.springframework.org/security ([https](https://www.springframework.org/security) result 301). * [ ] http://www.springsource.com/ with 2 occurrences migrated to: https://www.springsource.com/ ([https](https://www.springsource.com/) result 301). 
* [ ] http://www.springsource.org with 1 occurrences migrated to: https://www.springsource.org ([https](https://www.springsource.org) result 301). * [ ] http://www.springsource.org/sts with 1 occurrences migrated to: https://www.springsource.org/sts ([https](https://www.springsource.org/sts) result 301). * [ ] http://www.thoughtcrime.org/software/sslstrip/ with 1 occurrences migrated to: https://www.thoughtcrime.org/software/sslstrip/ ([https](https://www.thoughtcrime.org/software/sslstrip/) result 301). * [ ] http://www.w3.org/TR/css3-selectors/ with 2 occurrences migrated to: https://www.w3.org/TR/css3-selectors/ ([https](https://www.w3.org/TR/css3-selectors/) result 301). * [ ] http://www.w3.org/TR/css3-syntax/ with 1 occurrences migrated to: https://www.w3.org/TR/css3-syntax/ ([https](https://www.w3.org/TR/css3-syntax/) result 301). * [ ] http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/ with 3 occurrences migrated to: https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/ ([https](https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/) result 302). * [ ] http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html with 1 occurrences migrated to: https://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html ([https](https://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html) result 302). * [ ] http://flickr.com/ with 2 occurrences migrated to: https://flickr.com/ ([https](https://flickr.com/) result 302). * [ ] http://git-scm.com/book/cs/ch7-3.html with 1 occurrences migrated to: https://git-scm.com/book/cs/ch7-3.html ([https](https://git-scm.com/book/cs/ch7-3.html) result 302). 
* [ ] http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd with 1 occurrences migrated to: https://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd ([https](https://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd) result 302). * [ ] http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/directory/DirContext.html with 1 occurrences migrated to: https://java.sun.com/j2se/1.4.2/docs/api/javax/naming/directory/DirContext.html ([https](https://java.sun.com/j2se/1.4.2/docs/api/javax/naming/directory/DirContext.html) result 302). * [ ] http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html with 4 occurrences migrated to: https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html ([https](https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html) result 302). * [ ] http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/CallbackHandler.html with 1 occurrences migrated to: https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/CallbackHandler.html ([https](https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/CallbackHandler.html) result 302). * [ ] http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/NameCallback.html with 1 occurrences migrated to: https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/NameCallback.html ([https](https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/NameCallback.html) result 302). * [ ] http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/PasswordCallback.html with 1 occurrences migrated to: https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/PasswordCallback.html ([https](https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/PasswordCallback.html) result 302). 
* [ ] http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html with 2 occurrences migrated to: https://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html ([https](https://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html) result 302). * [ ] http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/callback/CallbackHandler.html with 2 occurrences migrated to: https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/callback/CallbackHandler.html ([https](https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/callback/CallbackHandler.html) result 302). * [ ] http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html with 1 occurrences migrated to: https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html ([https](https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html) result 302). * [ ] http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html with 2 occurrences migrated to: https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html ([https](https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html) result 302). * [ ] http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html with 1 occurrences migrated to: https://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html ([https](https://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html) result 302). * [ ] http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html with 3 occurrences migrated to: https://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html ([https](https://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html) result 302). 
* [ ] http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd with 1 occurrences migrated to: https://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd ([https](https://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd) result 302). * [ ] http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd with 1 occurrences migrated to: https://java.sun.com/xml/ns/javaee/web-app_2_5.xsd ([https](https://java.sun.com/xml/ns/javaee/web-app_2_5.xsd) result 302). * [ ] http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd with 2 occurrences migrated to: https://java.sun.com/xml/ns/javaee/web-app_3_0.xsd ([https](https://java.sun.com/xml/ns/javaee/web-app_3_0.xsd) result 302). * [ ] http://msdn.microsoft.com/en-us/library/ms680857%28VS.85%29.aspx with 1 occurrences migrated to: https://msdn.microsoft.com/en-us/library/ms680857%28VS.85%29.aspx ([https](https://msdn.microsoft.com/en-us/library/ms680857%28VS.85%29.aspx) result 302). * [ ] http://repo.spring.io/milestone with 1 occurrences migrated to: https://repo.spring.io/milestone ([https](https://repo.spring.io/milestone) result 302). * [ ] http://repo.spring.io/snapshot with 1 occurrences migrated to: https://repo.spring.io/snapshot ([https](https://repo.spring.io/snapshot) result 302). * [ ] http://spring.io/spring-security with 3 occurrences migrated to: https://spring.io/spring-security ([https](https://spring.io/spring-security) result 302). * [ ] http://spring.io/spring-security/ with 2 occurrences migrated to: https://spring.io/spring-security/ ([https](https://spring.io/spring-security/) result 302). * [ ] http://spring.io/tools/sts with 1 occurrences migrated to: https://spring.io/tools/sts ([https](https://spring.io/tools/sts) result 302). 
* [ ] http://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt with 2 occurrences migrated to: https://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt ([https](https://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt) result 302). * [ ] http://webauth.stanford.edu/manual/mod/mod_webauth.html with 1 occurrences migrated to: https://webauth.stanford.edu/manual/mod/mod_webauth.html ([https](https://webauth.stanford.edu/manual/mod/mod_webauth.html) result 302). * [ ] http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context with 1 occurrences migrated to: https://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context ([https](https://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context) result 302). * [ ] http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt with 1 occurrences migrated to: https://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt ([https](https://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt) result 302). These URLs were intentionally ignored. 
* http://java.sun.com/JSP/Page with 14 occurrences * http://java.sun.com/jsp/jstl/core with 31 occurrences * http://java.sun.com/jsp/jstl/fmt with 6 occurrences * http://java.sun.com/jsp/jstl/functions with 1 occurrences * http://java.sun.com/jstl/core with 1 occurrences * http://java.sun.com/jstl/core_rt with 3 occurrences * http://java.sun.com/xml/ns/j2ee with 2 occurrences * http://java.sun.com/xml/ns/javaee with 6 occurrences * http://localhost with 3 occurrences * http://localhost/ with 3 occurrences * http://localhost/Test</value></property> with 1 occurrences * http://localhost/appcontext/page with 1 occurrences * http://localhost/authentication/login with 2 occurrences * http://localhost/login with 21 occurrences * http://localhost/messages with 1 occurrences * http://localhost/some-url with 2 occurrences * http://localhost/tosave with 1 occurrences * http://localhost/user with 1 occurrences * http://localhost:8080 with 1 occurrences * http://localhost:8080/ with 4 occurrences * http://localhost:8080/SomeService with 1 occurrences * http://localhost:8080/contacts with 1 occurrences * http://localhost:8080/sample/ with 15 occurrences * http://localhost:8080/spring-security-samples-tutorial/listAccounts.html with 4 occurrences * http://localhost:8080/spring-security-samples-tutorial/post.html?id=1 with 4 occurrences * http://localhost:9080/user with 1 occurrences * http://someid with 1 occurrences * http://something/ with 1 occurrences * http://test.com with 1 occurrences * http://test.foobar.com with 1 occurrences * http://testopenid.com?openid.return_to= with 2 occurrences * http://www.springframework.org/schema/aop with 2 occurrences * http://www.springframework.org/schema/beans with 8 occurrences * http://www.springframework.org/schema/context with 2 occurrences * http://www.springframework.org/schema/mvc with 2 occurrences * http://www.springframework.org/schema/security with 36 occurrences * 
http://www.springframework.org/schema/security/spring-security- with 1 occurrences * http://www.springframework.org/schema/websocket with 2 occurrences * http://www.springframework.org/security/tags with 22 occurrences * http://www.springframework.org/tags with 12 occurrences * http://www.springframework.org/tags/form with 14 occurrences * http://www.w3.org/1999/XSL/Transform with 1 occurrences * http://www.w3.org/1999/xhtml with 20 occurrences * http://www.w3.org/2001/XMLSchema with 13 occurrences * http://www.w3.org/2001/XMLSchema-datatypes with 5 occurrences * http://www.w3.org/2001/XMLSchema-instance with 9 occurrences Fixes gh-6658
parent
6653a40ddd
commit
ac93f108d6
@ -40,5 +40,5 @@ appropriate to the circumstances. Maintainers are obligated to maintain confiden
|
||||
with regard to the reporter of an incident.
|
||||
|
||||
This Code of Conduct is adapted from the
|
||||
http://contributor-covenant.org[Contributor Covenant], version 1.3.0, available at
|
||||
http://contributor-covenant.org/version/1/3/0/[contributor-covenant.org/version/1/3/0/]
|
||||
https://contributor-covenant.org[Contributor Covenant], version 1.3.0, available at
|
||||
https://contributor-covenant.org/version/1/3/0/[contributor-covenant.org/version/1/3/0/]
|
||||
|
@ -12,7 +12,7 @@ Each Spring module is slightly different than another in terms of team size, num
|
||||
|
||||
# Importing into IDE
|
||||
|
||||
The following provides information on setting up a development environment that can run the sample in [Spring Tool Suite 3.6.0+](http://www.springsource.org/sts). Other IDE's should work using Gradle's IDE support, but have not been tested.
|
||||
The following provides information on setting up a development environment that can run the sample in [Spring Tool Suite 3.6.0+](https://www.springsource.org/sts). Other IDE's should work using Gradle's IDE support, but have not been tested.
|
||||
|
||||
* IDE Setup
|
||||
* Install Spring Tool Suite 3.6.0+
|
||||
@ -59,8 +59,8 @@ Please carefully follow the whitespace and formatting conventions already presen
|
||||
|
||||
Whitespace management tips
|
||||
|
||||
1. You can use the [AnyEdit Eclipse plugin](http://marketplace.eclipse.org/content/anyedit-tools) to ensure spaces are used and to clean up trailing whitespaces.
|
||||
1. Use git's pre-commit.sample hook to prevent invalid whitespace from being pushed out. You can enable it by moving ~/spring-security/.git/hooks/pre-commit.sample to ~/spring-security/.git/hooks/pre-commit and ensuring it is executable. For more information on hooks refer to [Pro Git's Pre-Commit Hook's section](http://git-scm.com/book/cs/ch7-3.html)
|
||||
1. You can use the [AnyEdit Eclipse plugin](https://marketplace.eclipse.org/content/anyedit-tools) to ensure spaces are used and to clean up trailing whitespaces.
|
||||
1. Use git's pre-commit.sample hook to prevent invalid whitespace from being pushed out. You can enable it by moving ~/spring-security/.git/hooks/pre-commit.sample to ~/spring-security/.git/hooks/pre-commit and ensuring it is executable. For more information on hooks refer to [Pro Git's Pre-Commit Hook's section](https://git-scm.com/book/cs/ch7-3.html)
|
||||
|
||||
# Add Apache license header to all new classes
|
||||
|
||||
@ -111,7 +111,7 @@ Search the codebase to find related unit tests and add additional `@Test` method
|
||||
2. New test methods should not start with test. This is an old JUnit3 convention and is not necessary since the method is annotated with @Test.
|
||||
|
||||
# Update spring-security-x.y.rnc for schema changes
|
||||
Update the [RELAX NG](http://www.relaxng.org) schema `spring-security-x.y.rnc` instead of `spring-security-x.y.xsd` if you contribute changes to supported XML configuration. The XML schema file can be generated the following Gradle task:
|
||||
Update the [RELAX NG](https://relaxng.org/) schema `spring-security-x.y.rnc` instead of `spring-security-x.y.xsd` if you contribute changes to supported XML configuration. The XML schema file can be generated the following Gradle task:
|
||||
|
||||
<pre>
|
||||
./gradlew spring-security-config:rncToXsd
|
||||
@ -120,7 +120,7 @@ Update the [RELAX NG](http://www.relaxng.org) schema `spring-security-x.y.rnc` i
|
||||
Changes to the XML schema will be overwritten by the Gradle build task.
|
||||
|
||||
# Squash commits
|
||||
Use git rebase --interactive, git add --patch and other tools to "squash" multiple commits into atomic changes. In addition to the man pages for git, there are many resources online to help you understand how these tools work. Here is one: http://book.git-scm.com/4_interactive_rebasing.html.
|
||||
Use git rebase --interactive, git add --patch and other tools to "squash" multiple commits into atomic changes. In addition to the man pages for git, there are many resources online to help you understand how these tools work. Here is one: https://book.git-scm.com/4_interactive_rebasing.html.
|
||||
|
||||
# Use real name in git commits
|
||||
Please configure git to use your real first and last name for any commits you intend to submit as pull requests. For example, this is not acceptable:
|
||||
|
22
README.adoc
22
README.adoc
@ -4,10 +4,10 @@ image:https://travis-ci.org/spring-projects/spring-security.svg?branch=master["B
|
||||
|
||||
= Spring Security
|
||||
|
||||
Spring Security provides security services for the http://docs.spring.io[Spring IO Platform]. Spring Security 3.1 requires Spring 3.0.3 as
|
||||
Spring Security provides security services for the https://docs.spring.io[Spring IO Platform]. Spring Security 3.1 requires Spring 3.0.3 as
|
||||
a minimum and also requires Java 5.
|
||||
|
||||
For a detailed list of features and access to the latest release, please visit http://spring.io/projects[Spring projects].
|
||||
For a detailed list of features and access to the latest release, please visit https://spring.io/projects[Spring projects].
|
||||
|
||||
== Code of Conduct
|
||||
This project adheres to the Contributor Covenant link:CODE_OF_CONDUCT.adoc[code of conduct].
|
||||
@ -17,19 +17,19 @@ By participating, you are expected to uphold this code. Please report unaccepta
|
||||
See https://github.com/spring-projects/spring-framework/wiki/Downloading-Spring-artifacts[downloading Spring artifacts] for Maven repository information.
|
||||
|
||||
== Documentation
|
||||
Be sure to read the http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference].
|
||||
Extensive JavaDoc for the Spring Security code is also available in the http://docs.spring.io/spring-security/site/docs/current/apidocs/[Spring Security API Documentation].
|
||||
Be sure to read the https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference].
|
||||
Extensive JavaDoc for the Spring Security code is also available in the https://docs.spring.io/spring-security/site/docs/current/apidocs/[Spring Security API Documentation].
|
||||
|
||||
== Quick Start
|
||||
We recommend you visit http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference] and read the "Getting Started" page.
|
||||
We recommend you visit https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/[Spring Security Reference] and read the "Getting Started" page.
|
||||
|
||||
== Building from Source
|
||||
Spring Security uses a http://gradle.org[Gradle]-based build system.
|
||||
In the instructions below, http://vimeo.com/34436402[`./gradlew`] is invoked from the root of the source tree and serves as
|
||||
Spring Security uses a https://gradle.org[Gradle]-based build system.
|
||||
In the instructions below, https://vimeo.com/34436402[`./gradlew`] is invoked from the root of the source tree and serves as
|
||||
a cross-platform, self-contained bootstrap mechanism for the build.
|
||||
|
||||
=== Prerequisites
|
||||
http://help.github.com/set-up-git-redirect[Git] and the http://www.oracle.com/technetwork/java/javase/downloads[JDK8 build].
|
||||
https://help.github.com/set-up-git-redirect[Git] and the https://www.oracle.com/technetwork/java/javase/downloads[JDK8 build].
|
||||
|
||||
Be sure that your `JAVA_HOME` environment variable points to the `jdk1.8.0` folder extracted from the JDK download.
|
||||
|
||||
@ -55,11 +55,11 @@ Discover more commands with `./gradlew tasks`.
|
||||
See also the https://github.com/spring-projects/spring-framework/wiki/Gradle-build-and-release-FAQ[Gradle build and release FAQ].
|
||||
|
||||
== Getting Support
|
||||
Check out the http://stackoverflow.com/questions/tagged/spring-security[Spring Security tags on Stack Overflow].
|
||||
http://spring.io/services[Commercial support] is available too.
|
||||
Check out the https://stackoverflow.com/questions/tagged/spring-security[Spring Security tags on Stack Overflow].
|
||||
https://spring.io/services[Commercial support] is available too.
|
||||
|
||||
== Contributing
|
||||
http://help.github.com/send-pull-requests[Pull requests] are welcome; see the https://github.com/spring-projects/spring-security/blob/master/CONTRIBUTING.md[contributor guidelines] for details.
|
||||
https://help.github.com/send-pull-requests[Pull requests] are welcome; see the https://github.com/spring-projects/spring-security/blob/master/CONTRIBUTING.md[contributor guidelines] for details.
|
||||
|
||||
== License
|
||||
Spring Security is Open Source software released under the
|
||||
|
@ -13,7 +13,7 @@ public class MavenBomTask extends DefaultTask {
|
||||
|
||||
public MavenBomTask() {
|
||||
this.group = "Generate"
|
||||
this.description = "Generates a Maven Build of Materials (BOM). See http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Importing_Dependencies"
|
||||
this.description = "Generates a Maven Build of Materials (BOM). See https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Importing_Dependencies"
|
||||
this.projects = project.subprojects
|
||||
this.bomFile = project.file("${->project.buildDir}/maven-bom/${->project.name}-${->project.version}.txt")
|
||||
}
|
||||
@ -23,7 +23,7 @@ public class MavenBomTask extends DefaultTask {
|
||||
project.configurations.archives.artifacts.clear()
|
||||
|
||||
bomFile.parentFile.mkdirs()
|
||||
bomFile.write("Maven Build of Materials (BOM). See http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Importing_Dependencies")
|
||||
bomFile.write("Maven Build of Materials (BOM). See https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Importing_Dependencies")
|
||||
project.artifacts {
|
||||
// work around GRADLE-2406 by attaching text artifact
|
||||
archives(bomFile)
|
||||
|
@ -26,7 +26,7 @@ import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* Caches tickets using a Spring IoC defined <a
|
||||
* href="http://ehcache.sourceforge.net">EHCACHE</a>.
|
||||
* href="https://www.ehcache.org/">EHCACHE</a>.
|
||||
*
|
||||
* @author Ben Alex
|
||||
*/
|
||||
|
@ -14,7 +14,7 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
/**
|
||||
* Spring Security support for Jasig's Central Authentication Service (<a href="http://www.jasig.org/cas">CAS</a>).
|
||||
* Spring Security support for Jasig's Central Authentication Service (<a href="https://www.jasig.org/cas">CAS</a>).
|
||||
*/
|
||||
package org.springframework.security.cas;
|
||||
|
||||
|
@ -141,8 +141,8 @@ public class AuthenticationManagerBuilder
|
||||
*
|
||||
* <p>
|
||||
* When using with a persistent data store, it is best to add users external of
|
||||
* configuration using something like <a href="http://flywaydb.org/">Flyway</a> or <a
|
||||
* href="http://www.liquibase.org/">Liquibase</a> to create the schema and adding
|
||||
* configuration using something like <a href="https://flywaydb.org/">Flyway</a> or <a
|
||||
* href="https://www.liquibase.org/">Liquibase</a> to create the schema and adding
|
||||
* users to ensure these steps are only done once and that the optimal SQL is used.
|
||||
* </p>
|
||||
*
|
||||
@ -151,7 +151,7 @@ public class AuthenticationManagerBuilder
|
||||
* {@link #getDefaultUserDetailsService()} method. Note that additional
|
||||
* {@link UserDetailsService}'s may override this {@link UserDetailsService} as the
|
||||
* default. See the <a href=
|
||||
* "http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#user-schema"
|
||||
* "https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#user-schema"
|
||||
* >User Schema</a> section of the reference for the default schema.
|
||||
* </p>
|
||||
*
|
||||
|
@ -201,17 +201,17 @@ public final class HttpSecurity extends
|
||||
* .authenticationUserDetailsService(
|
||||
* new AutoProvisioningUserDetailsService())
|
||||
* .attributeExchange("https://www.google.com/.*").attribute("email")
|
||||
* .type("http://axschema.org/contact/email").required(true).and()
|
||||
* .attribute("firstname").type("http://axschema.org/namePerson/first")
|
||||
* .type("https://axschema.org/contact/email").required(true).and()
|
||||
* .attribute("firstname").type("https://axschema.org/namePerson/first")
|
||||
* .required(true).and().attribute("lastname")
|
||||
* .type("http://axschema.org/namePerson/last").required(true).and().and()
|
||||
* .type("https://axschema.org/namePerson/last").required(true).and().and()
|
||||
* .attributeExchange(".*yahoo.com.*").attribute("email")
|
||||
* .type("http://schema.openid.net/contact/email").required(true).and()
|
||||
* .attribute("fullname").type("http://axschema.org/namePerson")
|
||||
* .type("https://schema.openid.net/contact/email").required(true).and()
|
||||
* .attribute("fullname").type("https://axschema.org/namePerson")
|
||||
* .required(true).and().and().attributeExchange(".*myopenid.com.*")
|
||||
* .attribute("email").type("http://schema.openid.net/contact/email")
|
||||
* .attribute("email").type("https://schema.openid.net/contact/email")
|
||||
* .required(true).and().attribute("fullname")
|
||||
* .type("http://schema.openid.net/namePerson").required(true);
|
||||
* .type("https://schema.openid.net/namePerson").required(true);
|
||||
* }
|
||||
* }
|
||||
*
|
||||
@ -906,7 +906,7 @@ public final class HttpSecurity extends
|
||||
* requiring HTTPS for some requests is supported, but not recommended since an
|
||||
* application that allows for HTTP introduces many security vulnerabilities. For one
|
||||
* such example, read about <a
|
||||
* href="http://en.wikipedia.org/wiki/Firesheep">Firesheep</a>.
|
||||
* href="https://en.wikipedia.org/wiki/Firesheep">Firesheep</a>.
|
||||
*
|
||||
* <pre>
|
||||
* @Configuration
|
||||
|
@ -365,7 +365,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
|
||||
|
||||
/**
|
||||
* Specify that URLs requires a specific IP Address or <a href=
|
||||
* "http://forum.springsource.org/showthread.php?102783-How-to-use-hasIpAddress&p=343971#post343971"
|
||||
* "https://forum.spring.io/showthread.php?102783-How-to-use-hasIpAddress&p=343971#post343971"
|
||||
* >subnet</a>.
|
||||
*
|
||||
* @param ipaddressExpression the ipaddress (i.e. 192.168.1.79) or local subnet
|
||||
|
@ -104,7 +104,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
|
||||
/**
|
||||
* Configures the {@link XContentTypeOptionsHeaderWriter} which inserts the <a href=
|
||||
* "http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx"
|
||||
* "https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx"
|
||||
* >X-Content-Type-Options</a>:
|
||||
*
|
||||
* <pre>
|
||||
@ -160,7 +160,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
*
|
||||
* <p>
|
||||
* Allows customizing the {@link XXssProtectionHeaderWriter} which adds the <a href=
|
||||
* "http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx"
|
||||
* "https://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx"
|
||||
* >X-XSS-Protection header</a>
|
||||
* </p>
|
||||
*
|
||||
@ -306,7 +306,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
|
||||
/**
|
||||
* Allows customizing the {@link HstsHeaderWriter} which provides support for <a
|
||||
* href="http://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security
|
||||
* href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security
|
||||
* (HSTS)</a>.
|
||||
*
|
||||
* @return the {@link HeadersConfigurer} for additional customizations
|
||||
@ -331,7 +331,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* <p>
|
||||
* This instructs browsers how long to remember to keep this domain as a known
|
||||
* HSTS Host. See <a
|
||||
* href="http://tools.ietf.org/html/rfc6797#section-6.1.1">Section 6.1.1</a> for
|
||||
* href="https://tools.ietf.org/html/rfc6797#section-6.1.1">Section 6.1.1</a> for
|
||||
* additional details.
|
||||
* </p>
|
||||
*
|
||||
@ -364,7 +364,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* See <a href="http://tools.ietf.org/html/rfc6797#section-6.1.2">Section
|
||||
* See <a href="https://tools.ietf.org/html/rfc6797#section-6.1.2">Section
|
||||
* 6.1.2</a> for additional details.
|
||||
* </p>
|
||||
*
|
||||
@ -483,7 +483,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
|
||||
/**
|
||||
* Allows customizing the {@link HpkpHeaderWriter} which provides support for <a
|
||||
* href="http://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP)</a>.
|
||||
* href="https://tools.ietf.org/html/rfc7469">HTTP Public Key Pinning (HPKP)</a>.
|
||||
*
|
||||
* @return the {@link HeadersConfigurer} for additional customizations
|
||||
*
|
||||
@ -506,7 +506,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* <p>
|
||||
* The pin directive specifies a way for web host operators to indicate
|
||||
* a cryptographic identity that should be bound to a given web host.
|
||||
* See <a href="http://tools.ietf.org/html/rfc7469#section-2.1.1">Section 2.1.1</a> for additional details.
|
||||
* See <a href="https://tools.ietf.org/html/rfc7469#section-2.1.1">Section 2.1.1</a> for additional details.
|
||||
* </p>
|
||||
*
|
||||
* @param pins the map of base64-encoded SPKI fingerprint & cryptographic hash algorithm pairs.
|
||||
@ -525,7 +525,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* <p>
|
||||
* The pin directive specifies a way for web host operators to indicate
|
||||
* a cryptographic identity that should be bound to a given web host.
|
||||
* See <a href="http://tools.ietf.org/html/rfc7469#section-2.1.1">Section 2.1.1</a> for additional details.
|
||||
* See <a href="https://tools.ietf.org/html/rfc7469#section-2.1.1">Section 2.1.1</a> for additional details.
|
||||
* </p>
|
||||
*
|
||||
* @param pins a list of base64-encoded SPKI fingerprints.
|
||||
@ -544,7 +544,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
*
|
||||
* <p>
|
||||
* This instructs browsers how long they should regard the host (from whom the message was received)
|
||||
* as a known pinned host. See <a href="http://tools.ietf.org/html/rfc7469#section-2.1.2">Section
|
||||
* as a known pinned host. See <a href="https://tools.ietf.org/html/rfc7469#section-2.1.2">Section
|
||||
* 2.1.2</a> for additional details.
|
||||
* </p>
|
||||
*
|
||||
@ -564,7 +564,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* See <a href="http://tools.ietf.org/html/rfc7469#section-2.1.3">Section 2.1.3</a>
|
||||
* See <a href="https://tools.ietf.org/html/rfc7469#section-2.1.3">Section 2.1.3</a>
|
||||
* for additional details.
|
||||
* </p>
|
||||
*
|
||||
@ -581,7 +581,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* See <a href="http://tools.ietf.org/html/rfc7469#section-2.1">Section 2.1</a>
|
||||
* See <a href="https://tools.ietf.org/html/rfc7469#section-2.1">Section 2.1</a>
|
||||
* for additional details.
|
||||
* </p>
|
||||
*
|
||||
@ -598,7 +598,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* See <a href="http://tools.ietf.org/html/rfc7469#section-2.1.4">Section 2.1.4</a>
|
||||
* See <a href="https://tools.ietf.org/html/rfc7469#section-2.1.4">Section 2.1.4</a>
|
||||
* for additional details.
|
||||
* </p>
|
||||
*
|
||||
@ -615,7 +615,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* </p>
|
||||
*
|
||||
* <p>
|
||||
* See <a href="http://tools.ietf.org/html/rfc7469#section-2.1.4">Section 2.1.4</a>
|
||||
* See <a href="https://tools.ietf.org/html/rfc7469#section-2.1.4">Section 2.1.4</a>
|
||||
* for additional details.
|
||||
* </p>
|
||||
*
|
||||
|
@ -129,7 +129,7 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends
|
||||
* <p>
|
||||
* It is considered best practice to use an HTTP POST on any action that changes state
|
||||
* (i.e. log out) to protect against <a
|
||||
* href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF attacks</a>. If
|
||||
* href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF attacks</a>. If
|
||||
* you really want to use an HTTP GET, you can use
|
||||
* <code>logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));</code>
|
||||
* </p>
|
||||
|
@ -1,4 +1,4 @@
|
||||
namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
|
||||
|
||||
default namespace = "http://www.springframework.org/schema/security"
|
||||
@ -444,7 +444,7 @@ openid-attribute.attlist &=
|
||||
## Specifies the name of the attribute that you wish to get back. For example, email.
|
||||
attribute name {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
attribute type {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false.
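Review bot: `namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0"` in the `@ -1,4 +1,4 @@` hunk changes an XML namespace identifier rather than a fetchable address; RELAX NG tooling recognises the compatibility-annotations namespace only by the exact string `http://relaxng.org/ns/compatibility/annotations/1.0`, so after this change the `##` documentation comments are most likely no longer emitted as `xs:documentation` when the `.xsd` is regenerated (the `xsd` datatypes and the default namespace on the following lines were correctly left as `http://`). The line should be reverted to `namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"`. The identical change appears in the four later `.rnc` sections that carry the same `@ -1,4 +1,4 @@` hunk.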
|
||||
|
@ -1439,7 +1439,7 @@
|
||||
</xs:attribute>
|
||||
<xs:attribute name="type" use="required" type="xs:token">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Specifies the attribute type. For example, http://axschema.org/contact/email. See your
|
||||
<xs:documentation>Specifies the attribute type. For example, https://axschema.org/contact/email. See your
|
||||
OP's documentation for valid attribute types.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
|
@ -1,4 +1,4 @@
|
||||
namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
|
||||
|
||||
default namespace = "http://www.springframework.org/schema/security"
|
||||
@ -444,7 +444,7 @@ openid-attribute.attlist &=
|
||||
## Specifies the name of the attribute that you wish to get back. For example, email.
|
||||
attribute name {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
attribute type {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false.
|
||||
|
@ -1441,7 +1441,7 @@
|
||||
</xs:attribute>
|
||||
<xs:attribute name="type" use="required" type="xs:token">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Specifies the attribute type. For example, http://axschema.org/contact/email. See your
|
||||
<xs:documentation>Specifies the attribute type. For example, https://axschema.org/contact/email. See your
|
||||
OP's documentation for valid attribute types.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
|
@ -1,4 +1,4 @@
|
||||
namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
|
||||
|
||||
default namespace = "http://www.springframework.org/schema/security"
|
||||
@ -460,7 +460,7 @@ openid-attribute.attlist &=
|
||||
## Specifies the name of the attribute that you wish to get back. For example, email.
|
||||
attribute name {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
attribute type {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false.
|
||||
|
@ -1509,7 +1509,7 @@
|
||||
</xs:attribute>
|
||||
<xs:attribute name="type" use="required" type="xs:token">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Specifies the attribute type. For example, http://axschema.org/contact/email. See your
|
||||
<xs:documentation>Specifies the attribute type. For example, https://axschema.org/contact/email. See your
|
||||
OP's documentation for valid attribute types.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
|
@ -1,4 +1,4 @@
|
||||
namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
|
||||
|
||||
default namespace = "http://www.springframework.org/schema/security"
|
||||
@ -469,7 +469,7 @@ openid-attribute.attlist &=
|
||||
## Specifies the name of the attribute that you wish to get back. For example, email.
|
||||
attribute name {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
attribute type {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false.
|
||||
|
@ -1534,7 +1534,7 @@
|
||||
</xs:attribute>
|
||||
<xs:attribute name="type" use="required" type="xs:token">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Specifies the attribute type. For example, http://axschema.org/contact/email. See your
|
||||
<xs:documentation>Specifies the attribute type. For example, https://axschema.org/contact/email. See your
|
||||
OP's documentation for valid attribute types.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
|
@ -1,4 +1,4 @@
|
||||
namespace a = "http://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
namespace a = "https://relaxng.org/ns/compatibility/annotations/1.0"
|
||||
datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes"
|
||||
|
||||
default namespace = "http://www.springframework.org/schema/security"
|
||||
@ -468,7 +468,7 @@ openid-attribute.attlist &=
|
||||
## Specifies the name of the attribute that you wish to get back. For example, email.
|
||||
attribute name {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
## Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
attribute type {xsd:token}
|
||||
openid-attribute.attlist &=
|
||||
## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false.
|
||||
|
@ -1539,7 +1539,7 @@
|
||||
</xs:attribute>
|
||||
<xs:attribute name="type" use="required" type="xs:token">
|
||||
<xs:annotation>
|
||||
<xs:documentation>Specifies the attribute type. For example, http://axschema.org/contact/email. See your
|
||||
<xs:documentation>Specifies the attribute type. For example, https://axschema.org/contact/email. See your
|
||||
OP's documentation for valid attribute types.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
|
@ -351,7 +351,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(request,response,chain)
|
||||
then:
|
||||
responseHeaders == ['Public-Key-Pins-Report-Only' : 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; report-uri="http://example.net/pkp-report"']
|
||||
responseHeaders == ['Public-Key-Pins-Report-Only' : 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; report-uri="https://example.net/pkp-report"']
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@ -364,7 +364,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
|
||||
.defaultsDisabled()
|
||||
.httpPublicKeyPinning()
|
||||
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=")
|
||||
.reportUri(new URI("http://example.net/pkp-report"))
|
||||
.reportUri(new URI("https://example.net/pkp-report"))
|
||||
}
|
||||
}
|
||||
|
||||
@ -375,7 +375,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(request,response,chain)
|
||||
then:
|
||||
responseHeaders == ['Public-Key-Pins-Report-Only' : 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; report-uri="http://example.net/pkp-report"']
|
||||
responseHeaders == ['Public-Key-Pins-Report-Only' : 'max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; report-uri="https://example.net/pkp-report"']
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@ -388,7 +388,7 @@ class HeadersConfigurerTests extends BaseSpringSpec {
|
||||
.defaultsDisabled()
|
||||
.httpPublicKeyPinning()
|
||||
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=")
|
||||
.reportUri("http://example.net/pkp-report")
|
||||
.reportUri("https://example.net/pkp-report")
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -83,21 +83,21 @@ public class NamespaceHttpOpenIDLoginTests extends BaseSpringSpec {
|
||||
|
||||
def googleAttrs = consumer.attributesToFetchFactory.createAttributeList("https://www.google.com/1")
|
||||
googleAttrs[0].name == "email"
|
||||
googleAttrs[0].type == "http://axschema.org/contact/email"
|
||||
googleAttrs[0].type == "https://axschema.org/contact/email"
|
||||
googleAttrs[0].required
|
||||
googleAttrs[1].name == "firstname"
|
||||
googleAttrs[1].type == "http://axschema.org/namePerson/first"
|
||||
googleAttrs[1].type == "https://axschema.org/namePerson/first"
|
||||
googleAttrs[1].required
|
||||
googleAttrs[2].name == "lastname"
|
||||
googleAttrs[2].type == "http://axschema.org/namePerson/last"
|
||||
googleAttrs[2].type == "https://axschema.org/namePerson/last"
|
||||
googleAttrs[2].required
|
||||
|
||||
def yahooAttrs = consumer.attributesToFetchFactory.createAttributeList("https://rwinch.yahoo.com/rwinch/id")
|
||||
yahooAttrs[0].name == "email"
|
||||
yahooAttrs[0].type == "http://schema.openid.net/contact/email"
|
||||
yahooAttrs[0].type == "https://schema.openid.net/contact/email"
|
||||
yahooAttrs[0].required
|
||||
yahooAttrs[1].name == "fullname"
|
||||
yahooAttrs[1].type == "http://axschema.org/namePerson"
|
||||
yahooAttrs[1].type == "https://axschema.org/namePerson"
|
||||
yahooAttrs[1].required
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(request,response,chain)
|
||||
@ -122,26 +122,26 @@ public class NamespaceHttpOpenIDLoginTests extends BaseSpringSpec {
|
||||
.openidLogin()
|
||||
.attributeExchange("https://www.google.com/.*") // attribute-exchange@identifier-match
|
||||
.attribute("email") // openid-attribute@name
|
||||
.type("http://axschema.org/contact/email") // openid-attribute@type
|
||||
.type("https://axschema.org/contact/email") // openid-attribute@type
|
||||
.required(true) // openid-attribute@required
|
||||
.count(1) // openid-attribute@count
|
||||
.and()
|
||||
.attribute("firstname")
|
||||
.type("http://axschema.org/namePerson/first")
|
||||
.type("https://axschema.org/namePerson/first")
|
||||
.required(true)
|
||||
.and()
|
||||
.attribute("lastname")
|
||||
.type("http://axschema.org/namePerson/last")
|
||||
.type("https://axschema.org/namePerson/last")
|
||||
.required(true)
|
||||
.and()
|
||||
.and()
|
||||
.attributeExchange(".*yahoo.com.*")
|
||||
.attribute("email")
|
||||
.type("http://schema.openid.net/contact/email")
|
||||
.type("https://schema.openid.net/contact/email")
|
||||
.required(true)
|
||||
.and()
|
||||
.attribute("fullname")
|
||||
.type("http://axschema.org/namePerson")
|
||||
.type("https://axschema.org/namePerson")
|
||||
.required(true)
|
||||
.and()
|
||||
.and()
|
||||
|
@ -624,7 +624,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
|
||||
setup:
|
||||
httpAutoConfig {
|
||||
'headers'('defaults-disabled':true) {
|
||||
'hpkp'('report-uri':'http://example.net/pkp-report') {
|
||||
'hpkp'('report-uri':'https://example.net/pkp-report') {
|
||||
'pins'() {
|
||||
'pin'('algorithm':'sha256', 'E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=')
|
||||
}
|
||||
@ -637,7 +637,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
|
||||
when:
|
||||
springSecurityFilterChain.doFilter(new MockHttpServletRequest(secure: true), response, new MockFilterChain())
|
||||
then:
|
||||
assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=5184000 ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; report-uri="http://example.net/pkp-report"'])
|
||||
assertHeaders(response, ['Public-Key-Pins-Report-Only': 'max-age=5184000 ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; report-uri="https://example.net/pkp-report"'])
|
||||
}
|
||||
|
||||
// --- disable single default header ---
|
||||
|
@ -118,7 +118,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
|
||||
response.getContentAsString().contains(AbstractRememberMeServices.DEFAULT_PARAMETER)
|
||||
when: "Login is submitted with remember-me selected"
|
||||
request.servletPath = "/login/openid"
|
||||
request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://hey.openid.com/")
|
||||
request.setParameter(OpenIDAuthenticationFilter.DEFAULT_CLAIMED_IDENTITY_FIELD, "http://ww1.openid.com")
|
||||
request.setParameter(AbstractRememberMeServices.DEFAULT_PARAMETER, "on")
|
||||
response = new MockHttpServletResponse();
|
||||
fc.doFilter(request, response, new MockFilterChain());
|
||||
@ -133,8 +133,8 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
|
||||
xml.http() {
|
||||
'openid-login'() {
|
||||
'attribute-exchange'() {
|
||||
'openid-attribute'(name: 'nickname', type: 'http://schema.openid.net/namePerson/friendly')
|
||||
'openid-attribute'(name: 'email', type: 'http://schema.openid.net/contact/email', required: 'true',
|
||||
'openid-attribute'(name: 'nickname', type: 'https://schema.openid.net/namePerson/friendly')
|
||||
'openid-attribute'(name: 'email', type: 'https://schema.openid.net/contact/email', required: 'true',
|
||||
'count': '2')
|
||||
}
|
||||
}
|
||||
@ -146,7 +146,7 @@ class OpenIDConfigTests extends AbstractHttpConfigTests {
|
||||
expect:
|
||||
attributes.size() == 2
|
||||
attributes[0].name == 'nickname'
|
||||
attributes[0].type == 'http://schema.openid.net/namePerson/friendly'
|
||||
attributes[0].type == 'https://schema.openid.net/namePerson/friendly'
|
||||
!attributes[0].required
|
||||
attributes[1].required
|
||||
attributes[1].getCount() == 2
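Review bot: In the `@ -118` hunk the claimed identity changes from `"http://hey.openid.com/"` to `"http://ww1.openid.com"`, which is neither an http→https migration nor covered by the commit message: the host is swapped, the trailing slash dropped, and the scheme stays `http://`. If this came out of the URL tooling it looks like an unintended rewrite and should be reverted to the original value; if it is intended, the commit message should say why. The enclosing test method starts outside the hunk.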
|
||||
|
@ -89,14 +89,14 @@ public class UserServiceBeanDefinitionParserTests {
|
||||
@Test
|
||||
public void worksWithOpenIDUrlsAsNames() {
|
||||
setContext("<user-service id='service'>"
|
||||
+ " <user name='http://joe.myopenid.com/' authorities='ROLE_A'/>"
|
||||
+ " <user name='https://joe.myopenid.com/' authorities='ROLE_A'/>"
|
||||
+ " <user name='https://www.google.com/accounts/o8/id?id=MPtOaenBIk5yzW9n7n9' authorities='ROLE_A'/>"
|
||||
+ "</user-service>");
|
||||
UserDetailsService userService = (UserDetailsService) appContext
|
||||
.getBean("service");
|
||||
assertThat(
|
||||
userService.loadUserByUsername("http://joe.myopenid.com/").getUsername())
|
||||
.isEqualTo("http://joe.myopenid.com/");
|
||||
userService.loadUserByUsername("https://joe.myopenid.com/").getUsername())
|
||||
.isEqualTo("https://joe.myopenid.com/");
|
||||
assertThat(
|
||||
userService.loadUserByUsername(
|
||||
"https://www.google.com/accounts/o8/id?id=MPtOaenBIk5yzW9n7n9")
|
||||
|
@ -32,11 +32,11 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext
|
||||
+ " xmlns:mvc='http://www.springframework.org/schema/mvc'\n"
|
||||
+ " xmlns:websocket='http://www.springframework.org/schema/websocket'\n"
|
||||
+ " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'\n"
|
||||
+ " xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd\n"
|
||||
+ "http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd\n"
|
||||
+ "http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd\n"
|
||||
+ "http://www.springframework.org/schema/websocket http://www.springframework.org/schema/websocket/spring-websocket.xsd\n"
|
||||
+ "http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd\n"
|
||||
+ " xsi:schemaLocation='http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans-2.5.xsd\n"
|
||||
+ "http://www.springframework.org/schema/aop https://www.springframework.org/schema/aop/spring-aop-2.5.xsd\n"
|
||||
+ "http://www.springframework.org/schema/mvc https://www.springframework.org/schema/mvc/spring-mvc.xsd\n"
|
||||
+ "http://www.springframework.org/schema/websocket https://www.springframework.org/schema/websocket/spring-websocket.xsd\n"
|
||||
+ "http://www.springframework.org/schema/context https://www.springframework.org/schema/context/spring-context-2.5.xsd\n"
|
||||
+ "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-";
|
||||
static final String BEANS_CLOSE = "</b:beans>\n";
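Review bot: The `xsi:schemaLocation` pairs now point at `https://www.springframework.org/schema/.../*.xsd` while the `spring-security` location on the last string line of the hunk stays `http://`, so a single attribute mixes both schemes. More importantly, Spring resolves schema locations offline through the `META-INF/spring.schemas` mappings on the classpath; if the framework version in use maps only the `http://` locations, the parser finds no local copy for the https variants and the test context falls back to fetching the XSDs over the network, which is exactly what those mappings exist to prevent. Worth confirming the mappings before merging, or keeping the `http://` locations (the namespace URIs themselves were correctly left unchanged). The string constant begins outside the hunk.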
|
||||
|
||||
|
@ -28,7 +28,7 @@ import org.springframework.util.Assert;
|
||||
* <p>
|
||||
* This class can be used stand-alone, or one of the subclasses can be used for
|
||||
* compatiblity and convenience. When using this class directly you must specify a
|
||||
* <a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html#AppA">
|
||||
* <a href="https://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html#AppA">
|
||||
* Message Digest Algorithm</a> to use as a constructor arg.
|
||||
* <p>
|
||||
* The encoded password hash is normally returned as Hex (32 char) version of the hash
|
||||
@ -45,7 +45,7 @@ import org.springframework.util.Assert;
|
||||
* </pre>
|
||||
* <p>
|
||||
* If desired, the {@link #setIterations iterations} property can be set to enable
|
||||
* "<a href="http://en.wikipedia.org/wiki/Key_strengthening">password stretching</a>" for
|
||||
* "<a href="https://en.wikipedia.org/wiki/Key_strengthening">password stretching</a>" for
|
||||
* the digest calculation.
|
||||
*
|
||||
* @author Ray Krueger
|
||||
@ -62,7 +62,7 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
|
||||
|
||||
/**
|
||||
* The digest algorithm to use Supports the named
|
||||
* <a href="http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#AppA">
|
||||
* <a href="https://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#AppA">
|
||||
* Message Digest Algorithms</a> in the Java environment.
|
||||
*
|
||||
* @param algorithm
|
||||
|
@ -16,7 +16,7 @@
|
||||
/**
|
||||
* Password encoding implementations. Apart from the "null" implementations, they are all based on
|
||||
* password hashing using digest functions. See the
|
||||
* <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/reference/core-services.html#core-services-password-encoding">
|
||||
* <a href="https://docs.spring.io/spring-security/site/docs/3.0.x/reference/core-services.html#core-services-password-encoding">
|
||||
* reference manual</a> for more information.
|
||||
* <p>
|
||||
* Third part implementations such as those provided by <a href="http://www.jasypt.org/springsecurity.html">Jasypt</a>
|
||||
|
@ -58,16 +58,16 @@ import org.springframework.util.ObjectUtils;
|
||||
*
|
||||
* <p>
|
||||
* This implementation is backed by a
|
||||
* <a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html" >
|
||||
* <a href="https://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html" >
|
||||
* JAAS</a> configuration that is provided by a subclass's implementation of
|
||||
* {@link #createLoginContext(CallbackHandler)}.
|
||||
*
|
||||
* <p>
|
||||
* When using JAAS login modules as the authentication source, sometimes the <a href=
|
||||
* "http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html" >
|
||||
* "https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html" >
|
||||
* LoginContext</a> will require <i>CallbackHandler</i>s. The
|
||||
* AbstractJaasAuthenticationProvider uses an internal <a href=
|
||||
* "http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/callback/CallbackHandler.html"
|
||||
* "https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/callback/CallbackHandler.html"
|
||||
* >CallbackHandler </a> to wrap the {@link JaasAuthenticationCallbackHandler}s configured
|
||||
* in the ApplicationContext. When the LoginContext calls the internal CallbackHandler,
|
||||
* control is passed to each {@link JaasAuthenticationCallbackHandler} for each Callback
|
||||
|
@ -41,9 +41,9 @@ import javax.security.auth.callback.UnsupportedCallbackException;
|
||||
* @see JaasNameCallbackHandler
|
||||
* @see JaasPasswordCallbackHandler
|
||||
* @see <a
|
||||
* href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback</a>
|
||||
* href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback</a>
|
||||
* @see <a
|
||||
* href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/CallbackHandler.html">
|
||||
* href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/CallbackHandler.html">
|
||||
* CallbackHandler</a>
|
||||
*/
|
||||
public interface JaasAuthenticationCallbackHandler {
|
||||
@ -52,7 +52,7 @@ public interface JaasAuthenticationCallbackHandler {
|
||||
|
||||
/**
|
||||
* Handle the <a href=
|
||||
* "http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html"
|
||||
* "https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html"
|
||||
* >Callback</a>. The handle method will be called for every callback instance sent
|
||||
* from the LoginContext. Meaning that The handle method may be called multiple times
|
||||
* for a given JaasAuthenticationCallbackHandler.
|
||||
|
@ -48,7 +48,7 @@ import org.springframework.util.Assert;
|
||||
* </p>
|
||||
* <p>
|
||||
* This implementation is backed by a
|
||||
* <a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html" >
|
||||
* <a href="https://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html" >
|
||||
* JAAS</a> configuration. The loginConfig property must be set to a given JAAS
|
||||
* configuration file. This setter accepts a Spring
|
||||
* {@link org.springframework.core.io.Resource} instance. It should point to a JAAS
|
||||
@ -84,10 +84,10 @@ import org.springframework.util.Assert;
|
||||
*
|
||||
* <p>
|
||||
* When using JAAS login modules as the authentication source, sometimes the <a href=
|
||||
* "http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html" >
|
||||
* "https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html" >
|
||||
* LoginContext</a> will require <i>CallbackHandler</i>s. The JaasAuthenticationProvider
|
||||
* uses an internal <a href=
|
||||
* "http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/callback/CallbackHandler.html"
|
||||
* "https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/callback/CallbackHandler.html"
|
||||
* >CallbackHandler </a> to wrap the {@link JaasAuthenticationCallbackHandler}s configured
|
||||
* in the ApplicationContext. When the LoginContext calls the internal CallbackHandler,
|
||||
* control is passed to each {@link JaasAuthenticationCallbackHandler} for each Callback
|
||||
@ -163,7 +163,7 @@ public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvid
|
||||
configureJaas(this.loginConfig);
|
||||
|
||||
Assert.notNull(Configuration.getConfiguration(),
|
||||
"As per http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html "
|
||||
"As per https://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html "
|
||||
+ "\"If a Configuration object was set via the Configuration.setConfiguration method, then that object is "
|
||||
+ "returned. Otherwise, a default Configuration object is returned\". Your JRE returned null to "
|
||||
+ "Configuration.getConfiguration().");
|
||||
@ -266,7 +266,7 @@ public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvid
|
||||
* @param loginConfig
|
||||
*
|
||||
* @see <a href=
|
||||
* "http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html">JAAS
|
||||
* "https://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html">JAAS
|
||||
* Reference</a>
|
||||
*/
|
||||
public void setLoginConfig(Resource loginConfig) {
|
||||
|
@ -33,9 +33,9 @@ import javax.security.auth.callback.UnsupportedCallbackException;
|
||||
* @author Ray Krueger
|
||||
*
|
||||
* @see <a
|
||||
* href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback</a>
|
||||
* href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback</a>
|
||||
* @see <a
|
||||
* href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/NameCallback.html">NameCallback</a>
|
||||
* href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/NameCallback.html">NameCallback</a>
|
||||
*/
|
||||
public class JaasNameCallbackHandler implements JaasAuthenticationCallbackHandler {
|
||||
// ~ Methods
|
||||
|
@ -32,9 +32,9 @@ import javax.security.auth.callback.UnsupportedCallbackException;
|
||||
* @author Ray Krueger
|
||||
*
|
||||
* @see <a
|
||||
* href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback</a>
|
||||
* href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/Callback.html">Callback</a>
|
||||
* @see <a
|
||||
* href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/PasswordCallback.html">
|
||||
* href="https://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/PasswordCallback.html">
|
||||
* PasswordCallback</a>
|
||||
*/
|
||||
public class JaasPasswordCallbackHandler implements JaasAuthenticationCallbackHandler {
|
||||
|
@ -28,7 +28,7 @@ import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* Caches <code>User</code> objects using a Spring IoC defined <A
|
||||
* HREF="http://ehcache.sourceforge.net">EHCACHE</a>.
|
||||
* HREF="https://www.ehcache.org/">EHCACHE</a>.
|
||||
*
|
||||
* @author Ben Alex
|
||||
*/
|
||||
|
@ -452,7 +452,7 @@ public class BCrypt {
|
||||
|
||||
/**
|
||||
* Perform the "enhanced key schedule" step described by Provos and Mazieres in
|
||||
* "A Future-Adaptable Password Scheme" http://www.openbsd.org/papers/bcrypt-paper.ps
|
||||
* "A Future-Adaptable Password Scheme" https://www.openbsd.org/papers/bcrypt-paper.ps
|
||||
* @param data salt information
|
||||
* @param key password information
|
||||
*/
|
||||
|
@ -18,7 +18,7 @@ package org.springframework.security.crypto.codec;
|
||||
/**
|
||||
* Base64 encoder which is a reduced version of Robert Harder's public domain
|
||||
* implementation (version 2.3.7). See <a
|
||||
* href="http://iharder.net/base64">http://iharder.net/base64</a> for more information.
|
||||
* href="http://iharder.sourceforge.net/current/java/base64/">http://iharder.sourceforge.net/current/java/base64/</a> for more information.
|
||||
* <p>
|
||||
* For internal use only.
|
||||
*
|
||||
@ -42,7 +42,7 @@ public final class Base64 {
|
||||
/**
|
||||
* Encode using Base64-like encoding that is URL- and Filename-safe as described in
|
||||
* Section 4 of RFC3548: <a
|
||||
* href="http://www.faqs.org/rfcs/rfc3548.html">http://www.faqs
|
||||
* href="http://www.faqs.org/rfcs/rfc3548.html">https://www.faqs
|
||||
* .org/rfcs/rfc3548.html</a>. It is important to note that data encoded this way is
|
||||
* <em>not</em> officially valid Base64, or at the very least should not be called
|
||||
* Base64 without also specifying that is was encoded using the URL- and Filename-safe
|
||||
@ -192,7 +192,7 @@ public final class Base64 {
|
||||
/**
|
||||
* I don't get the point of this technique, but someone requested it, and it is
|
||||
* described here: <a
|
||||
* href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/
|
||||
* href="http://www.faqs.org/qa/rfcc-1940.html">http://www.faqs.org/faqs/
|
||||
* qa/rfcc-1940.html</a>.
|
||||
*/
|
||||
private final static byte[] _ORDERED_ALPHABET = { (byte) '-', (byte) '0', (byte) '1',
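Review bot: In the second hunk of this file the link text and its target now disagree: the rewritten line reads `href="http://www.faqs.org/rfcs/rfc3548.html">https://www.faqs` and the continuation is `.org/rfcs/rfc3548.html</a>`, so the rendered Javadoc advertises an https link while the href still navigates over plain http (faqs.org is one of the hosts the commit message says could not be migrated, which explains why only the visible text moved). Either keep both halves on http, or point both at a TLS-served copy of the RFC such as `https://www.rfc-editor.org/rfc/rfc3548`, so the anchor text and the href match. The third hunk has the same shape of problem: one of the two printed variants shows `http://www.faqs.org/faqs/` + `qa/rfcc-1940.html` as link text against an href of `http://www.faqs.org/qa/rfcc-1940.html`, so whichever line is the new one, the visible path and the target should be made identical. In the first hunk the variant that appears to be the replacement, `http://iharder.sourceforge.net/current/java/base64/`, stays on plain http although the commit's stated goal is https; if that host serves TLS it should be migrated as well, otherwise a short comment noting why it is left on http would save the next cleanup pass from re-examining it.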
|
||||
|
@ -90,7 +90,7 @@ public class MessageDigestPasswordEncoder implements PasswordEncoder {
|
||||
|
||||
/**
|
||||
* The digest algorithm to use Supports the named
|
||||
* <a href="http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#AppA">
|
||||
* <a href="https://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#AppA">
|
||||
* Message Digest Algorithms</a> in the Java environment.
|
||||
*
|
||||
* @param algorithm
|
||||
|
@ -92,7 +92,7 @@ public class Pbkdf2PasswordEncoder implements PasswordEncoder {
|
||||
|
||||
/**
|
||||
* Sets the algorithm to use. See
|
||||
* <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory">SecretKeyFactory Algorithms</a>
|
||||
* <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory">SecretKeyFactory Algorithms</a>
|
||||
* @param secretKeyFactoryAlgorithm the algorithm to use (i.e.
|
||||
* {@code SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA1},
|
||||
* {@code SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256},
|
||||
|
@ -44,7 +44,7 @@ import org.springframework.security.crypto.password.PasswordEncoder;
|
||||
* <li>Scrypt is based on Salsa20 which performs poorly in Java (on par with
|
||||
* AES) but performs awesome (~4-5x faster) on SIMD capable platforms</li>
|
||||
* <li>While there are some that would disagree, consider reading -
|
||||
* <a href="http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html">
|
||||
* <a href="https://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html">
|
||||
* Why I Don't Recommend Scrypt</a> (for password storage)</li>
|
||||
* </ul>
|
||||
*
|
||||
|
@ -32,7 +32,7 @@ In order to use Spring Security you must add the necessary dependencies. For the
|
||||
</dependencies>
|
||||
----
|
||||
|
||||
<1> We are using http://www.thymeleaf.org/[Thymeleaf] for our view template engine
|
||||
<1> We are using https://www.thymeleaf.org/[Thymeleaf] for our view template engine
|
||||
and need to add an additional dependency for the https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration module].
|
||||
|
||||
After you have completed this, you need to ensure that STS knows about the updated dependencies by:
|
||||
@ -101,18 +101,18 @@ The <<security-config-java,SecurityConfig>> will:
|
||||
* Specifies the URL to send users to for form-based login
|
||||
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
|
||||
* Allow the user to logout
|
||||
* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* Security Header integration
|
||||
** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
||||
** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
* Integrate with the following Servlet API methods
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
|
||||
|
@ -75,18 +75,18 @@ The <<security-config-java,SecurityConfig>> will:
|
||||
* Generate a login form for you
|
||||
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
|
||||
* Allow the user to logout
|
||||
* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* Security Header integration
|
||||
** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
||||
** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
* Integrate with the following Servlet API methods
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
|
||||
|
@ -53,8 +53,8 @@ The next step is to create a Spring Security configuration.
|
||||
<b:beans xmlns="http://www.springframework.org/schema/security"
|
||||
xmlns:b="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
|
||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
|
||||
http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">
|
||||
|
||||
<http />
|
||||
|
||||
@ -72,18 +72,18 @@ The <<security-config-xml,security-config-xml>> will:
|
||||
* Generate a login form for you
|
||||
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
|
||||
* Allow the user to logout
|
||||
* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* Security Header integration
|
||||
** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
||||
** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
* Integrate with the following Servlet API methods
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
|
||||
|
@ -162,7 +162,7 @@ Our existing configuration means that all we need to do is create a *login.html*
|
||||
.src/main/resources/views/login.html
|
||||
[source,xml]
|
||||
----
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>Please Login</title>
|
||||
</head>
|
||||
|
@ -97,9 +97,9 @@ Now that we have authenticated, let's see how our application is displaying the
|
||||
</div>
|
||||
----
|
||||
|
||||
In our samples we use http://www.thymeleaf.org/[Thymeleaf], but any view technology will work. Any technology can inspect the `HttpServletRequest#getRemoteUser()` to view the current user since Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>.
|
||||
In our samples we use https://www.thymeleaf.org/[Thymeleaf], but any view technology will work. Any technology can inspect the `HttpServletRequest#getRemoteUser()` to view the current user since Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>.
|
||||
|
||||
WARNING: The Thymeleaf ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
WARNING: The Thymeleaf ensures the username is escaped to avoid https://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
|
||||
==== Logging out
|
||||
|
||||
@ -113,7 +113,7 @@ We can view the user name, but how are we able to log out? Below you can see how
|
||||
</form>
|
||||
----
|
||||
|
||||
In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
|
||||
In order to help protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
|
||||
|
||||
* the HTTP method must be a POST
|
||||
* the CSRF token must be added to the request. Since we have used `@EnableWebSecurity` and are using Thymeleaf, the CSRF token is automatically added as a hidden input for you (view the source to see it).
|
||||
|
@ -32,7 +32,7 @@ Now that we have authenticated, let's update the application to display the user
|
||||
[source,html]
|
||||
----
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
|
||||
<head>
|
||||
<title>Hello Spring Security</title>
|
||||
<meta charset="utf-8" />
|
||||
@ -57,7 +57,7 @@ Now that we have authenticated, let's update the application to display the user
|
||||
</html>
|
||||
----
|
||||
|
||||
NOTE: We are using http://www.thymeleaf.org/[Thymeleaf] for our view template engine and
|
||||
NOTE: We are using https://www.thymeleaf.org/[Thymeleaf] for our view template engine and
|
||||
https://github.com/thymeleaf/thymeleaf-extras-springsecurity[Thymeleaf - Spring Security integration modules]
|
||||
in order to utilize the _sec:authentication_ and _sec:authorize_ attributes.
|
||||
|
||||
@ -76,7 +76,7 @@ The last step is to update the _secured_ page to also display the currently auth
|
||||
[source,html]
|
||||
----
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||
<head>
|
||||
<title>Hello Spring Security</title>
|
||||
<meta charset="utf-8" />
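Review bot: `xmlns:th="https://www.thymeleaf.org"` and `xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity4"` on the new side of the first hunk (and `xmlns:th` again in the last hunk) rewrite XML namespace identifiers, not hyperlinks; a namespace URI is an opaque string, so `https://www.thymeleaf.org` names a different namespace from the `http://www.thymeleaf.org` that Thymeleaf documents. The commit itself treats namespaces as identifiers everywhere else: on the very same line `xmlns="http://www.w3.org/1999/xhtml"` is left untouched, and the Spring `xmlns`/`xmlns:b` values and the namespace half of every `xsi:schemaLocation` pair keep `http://` while only the `.xsd` location half moves to https. Restore the two attributes to `xmlns:th="http://www.thymeleaf.org"` and `xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4"`; whether the Thymeleaf engine keys any behaviour on the namespace value I cannot tell from here, but readers paste these samples verbatim and the guide should not teach a non-standard namespace. The same `xmlns:th` rewrite appears in the login.html sample of the other guide touched by this commit and should be reverted there too.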
|
||||
|
@ -73,7 +73,7 @@ Now that we have authenticated, let's update the application to display the user
|
||||
</body>
|
||||
----
|
||||
|
||||
WARNING: The `<c:out />` tag ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
WARNING: The `<c:out />` tag ensures the username is escaped to avoid https://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
|
||||
Refresh the page at http://localhost:8080/sample/ and you will see the user name displayed. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>
|
||||
|
||||
@ -99,7 +99,7 @@ Now that we can view the user name, let's update the application to allow loggin
|
||||
</body>
|
||||
----
|
||||
|
||||
In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
|
||||
In order to help protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Java Configuration log out requires:
|
||||
|
||||
* the HTTP method must be a POST
|
||||
* the CSRF token must be added to the request. You can access it on the ServletRequest using the attribute _csrf as illustrated above.
|
||||
|
@ -37,7 +37,7 @@ We have created the Spring Security configuration, but we still need to register
|
||||
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
|
||||
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
|
||||
https://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
|
||||
|
||||
<!--
|
||||
- Location of the XML file that defines the root application context
|
||||
@ -96,7 +96,7 @@ Now that we have authenticated, let's update the application to display the user
|
||||
</body>
|
||||
----
|
||||
|
||||
WARNING: The `<c:out />` tag ensures the username is escaped to avoid http://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
WARNING: The `<c:out />` tag ensures the username is escaped to avoid https://en.wikipedia.org/wiki/Cross-site_scripting[XSS vulnerabilities] Regardless of how an application renders user inputed values, it should ensure that the values are properly escaped.
|
||||
|
||||
Refresh the page at http://localhost:8080/sample/ and you will see the user name displayed. This works because Spring Security integrates with the <<servlet-api-integration,Servlet API methods>>
|
||||
|
||||
@ -122,7 +122,7 @@ Now that we can view the user name, let's update the application to allow loggin
|
||||
</body>
|
||||
----
|
||||
|
||||
In order to help protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Xml Configuration log out requires:
|
||||
In order to help protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attacks], by default, Spring Security Xml Configuration log out requires:
|
||||
|
||||
* the HTTP method must be a POST
|
||||
* the CSRF token must be added to the request. You can access it on the ServletRequest using the attribute _csrf as illustrated above.
|
||||
|
@ -146,7 +146,7 @@ It is normal and shouldn't be anything to worry about.
|
||||
[[appendix-faq-ldap-authentication]]
|
||||
==== I can't get LDAP authentication to work. What's wrong with my configuration?
|
||||
|
||||
Note that the permissions for an LDAP directory often do not allow you to read the password for a user. Hence it is often not possible to use the <<appendix-faq-what-is-userdetailservice>> where Spring Security compares the stored password with the one submitted by the user. The most common approach is to use LDAP "bind", which is one of the operations supported by http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol[the LDAP protocol]. With this approach, Spring Security validates the password by attempting to authenticate to the directory as the user.
|
||||
Note that the permissions for an LDAP directory often do not allow you to read the password for a user. Hence it is often not possible to use the <<appendix-faq-what-is-userdetailservice>> where Spring Security compares the stored password with the one submitted by the user. The most common approach is to use LDAP "bind", which is one of the operations supported by https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol[the LDAP protocol]. With this approach, Spring Security validates the password by attempting to authenticate to the directory as the user.
|
||||
|
||||
The most common problem with LDAP authentication is a lack of knowledge of the directory server tree structure and configuration. This will be different in different companies, so you have to find it out yourself. Before adding a Spring Security LDAP configuration to an application, it's a good idea to write a simple test using standard Java LDAP code (without Spring Security involved), and make sure you can get that to work first. For example, to authenticate a user, you could use the following code:
|
||||
|
||||
@ -188,7 +188,7 @@ With the default configuration, Spring Security changes the session ID when the
|
||||
[[appendix-faq-tomcat-https-session]]
|
||||
==== I'm using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn't work - I just end up back at the login page after authenticating.
|
||||
|
||||
This happens because sessions created under HTTPS, for which the session cookie is marked as "secure", cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure. However, Spring Security's http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-session-fixation[Session Fixation Protection] can interfere with this because it results in a new session ID cookie being sent back to the user's browser, usually with the secure flag. To get around this, you can disable session fixation protection, but in newer Servlet containers you can also configure session cookies to never use the secure flag. Note that switching between HTTP and HTTPS is not a good idea in general, as any application which uses HTTP at all is vulnerable to man-in-the-middle attacks. To be truly secure, the user should begin accessing your site in HTTPS and continue using it until they log out. Even clicking on an HTTPS link from a page accessed over HTTP is potentially risky. If you need more convincing, check out a tool like http://www.thoughtcrime.org/software/sslstrip/[sslstrip].
|
||||
This happens because sessions created under HTTPS, for which the session cookie is marked as "secure", cannot subsequently be used under HTTP. The browser will not send the cookie back to the server and any session state will be lost (including the security context information). Starting a session in HTTP first should work as the session cookie won't be marked as secure. However, Spring Security's https://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-session-fixation[Session Fixation Protection] can interfere with this because it results in a new session ID cookie being sent back to the user's browser, usually with the secure flag. To get around this, you can disable session fixation protection, but in newer Servlet containers you can also configure session cookies to never use the secure flag. Note that switching between HTTP and HTTPS is not a good idea in general, as any application which uses HTTP at all is vulnerable to man-in-the-middle attacks. To be truly secure, the user should begin accessing your site in HTTPS and continue using it until they log out. Even clicking on an HTTPS link from a page accessed over HTTP is potentially risky. If you need more convincing, check out a tool like https://www.thoughtcrime.org/software/sslstrip/[sslstrip].
|
||||
|
||||
|
||||
==== I'm not switching between HTTP and HTTPS but my session is still getting lost
|
||||
@ -218,7 +218,7 @@ If you are having trouble working out where a session is being created, you can
|
||||
[[appendix-faq-forbidden-csrf]]
|
||||
==== I get a 403 Forbidden when performing a POST
|
||||
|
||||
If an HTTP 403 Forbidden is returned for HTTP POST, but works for HTTP GET then the issue is most likely related to http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf[CSRF]. Either provide the CSRF Token or disable CSRF protection (not recommended).
|
||||
If an HTTP 403 Forbidden is returned for HTTP POST, but works for HTTP GET then the issue is most likely related to https://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf[CSRF]. Either provide the CSRF Token or disable CSRF protection (not recommended).
|
||||
|
||||
[[appendix-faq-no-security-on-forward]]
|
||||
==== I'm forwarding a request to another URL using the RequestDispatcher, but my security constraints aren't being applied.
|
||||
@ -264,7 +264,7 @@ The best way of locating classes is by installing the Spring Security source in
|
||||
[[appendix-faq-namespace-to-bean-mapping]]
|
||||
==== How do the namespace elements map to conventional bean configurations?
|
||||
|
||||
There is a general overview of what beans are created by the namespace in the namespace appendix of the reference guide. There is also a detailed blog article called "Behind the Spring Security Namespace" on http://blog.springsource.com/2010/03/06/behind-the-spring-security-namespace/[blog.springsource.com]. If want to know the full details then the code is in the `spring-security-config` module within the Spring Security 3.0 distribution. You should probably read the chapters on namespace parsing in the standard Spring Framework reference documentation first.
|
||||
There is a general overview of what beans are created by the namespace in the namespace appendix of the reference guide. There is also a detailed blog article called "Behind the Spring Security Namespace" on https://spring.io/blog/2010/03/06/behind-the-spring-security-namespace/[blog.springsource.com]. If want to know the full details then the code is in the `spring-security-config` module within the Spring Security 3.0 distribution. You should probably read the chapters on namespace parsing in the standard Spring Framework reference documentation first.
|
||||
|
||||
|
||||
[[appendix-faq-role-prefix]]
|
||||
@ -315,7 +315,7 @@ The other required jars should be pulled in transitively.
|
||||
|
||||
`UserDetailsService` is a DAO interface for loading data that is specific to a user account. It has no other function other to load that data for use by other components within the framework. It is not responsible for authenticating the user. Authenticating a user with a username/password combination is most commonly performed by the `DaoAuthenticationProvider`, which is injected with a `UserDetailsService` to allow it to load the password (and other data) for a user in order to compare it with the submitted value. Note that if you are using LDAP, <<appendix-faq-ldap-authentication,this approach may not work>>.
|
||||
|
||||
If you want to customize the authentication process then you should implement `AuthenticationProvider` yourself. See this http://blog.springsource.com/2010/08/02/spring-security-in-google-app-engine/[ blog article] for an example integrating Spring Security authentication with Google App Engine.
|
||||
If you want to customize the authentication process then you should implement `AuthenticationProvider` yourself. See this https://spring.io/blog/2010/08/02/spring-security-in-google-app-engine/[ blog article] for an example integrating Spring Security authentication with Google App Engine.
|
||||
|
||||
[[appendix-faq-howto]]
|
||||
=== Common "Howto" Requests
|
||||
@ -445,7 +445,7 @@ You would then add a bean of this type to your application context and inject it
|
||||
[[appendix-faq-namespace-post-processor]]
|
||||
==== I want to modify the property of a bean that is created by the namespace, but there is nothing in the schema to support it. What can I do short of abandoning namespace use?
|
||||
|
||||
The namespace functionality is intentionally limited, so it doesn't cover everything that you can do with plain beans. If you want to do something simple, like modify a bean, or inject a different dependency, you can do this by adding a `BeanPostProcessor` to your configuration. More information can be found in the http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/htmlsingle/spring-framework-reference.html#beans-factory-extension-bpp[Spring Reference Manual]. In order to do this, you need to know a bit about which beans are created, so you should also read the blog article in the above question on <<appendix-faq-namespace-to-bean-mapping,how the namespace maps to Spring beans>>.
|
||||
The namespace functionality is intentionally limited, so it doesn't cover everything that you can do with plain beans. If you want to do something simple, like modify a bean, or inject a different dependency, you can do this by adding a `BeanPostProcessor` to your configuration. More information can be found in the https://docs.spring.io/spring/docs/3.0.x/spring-framework-reference/htmlsingle/spring-framework-reference.html#beans-factory-extension-bpp[Spring Reference Manual]. In order to do this, you need to know a bit about which beans are created, so you should also read the blog article in the above question on <<appendix-faq-namespace-to-bean-mapping,how the namespace maps to Spring beans>>.
|
||||
|
||||
Normally, you would add the functionality you require to the `postProcessBeforeInitialization` method of `BeanPostProcessor`. Let's say that you want to customize the `AuthenticationDetailsSource` used by the `UsernamePasswordAuthenticationFilter`, (created by the `form-login` element). You want to extract a particular header called `CUSTOM_HEADER` from the request and make use of it while authenticating the user. The processor class would look like this:
|
||||
|
||||
|
@ -4,7 +4,7 @@
|
||||
Spring Security has added Jackson Support for persisting Spring Security related classes.
|
||||
This can improve the performance of serializing Spring Security related classes when working with distributed sessions (i.e. session replication, Spring Session, etc).
|
||||
|
||||
To use it, register the `JacksonJacksonModules.getModules(ClassLoader)` as http://wiki.fasterxml.com/JacksonFeatureModules[Jackson Modules].
|
||||
To use it, register the `JacksonJacksonModules.getModules(ClassLoader)` as https://wiki.fasterxml.com/JacksonFeatureModules[Jackson Modules].
|
||||
|
||||
[source,java]
|
||||
----
|
||||
|
@ -13,5 +13,5 @@ As a major release version, the Spring Security team took the opportunity to mak
|
||||
|
||||
For complete details on migrating from Spring Security 3 to Spring Security 4 refer to one of the guides below:
|
||||
|
||||
* http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html[Migrating from Spring Security 3.x to 4.x (XML Configuration)]
|
||||
* http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html[Migrating from Spring Security 3.x to 4.x (Java Configuration)]
|
||||
* https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html[Migrating from Spring Security 3.x to 4.x (XML Configuration)]
|
||||
* https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html[Migrating from Spring Security 3.x to 4.x (Java Configuration)]
|
||||
|
@ -2,10 +2,10 @@
|
||||
== Proxy Server Configuration
|
||||
|
||||
When using a proxy server it is important to ensure that you have configured your application properly.
|
||||
For example, many applications will have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at http://192.168.1:8080
|
||||
Without proper configuration, the application server will not know that the load balancer exists and treat the request as though http://192.168.1:8080 was requested by the client.
|
||||
For example, many applications will have a load balancer that responds to request for https://example.com/ by forwarding the request to an application server at https://192.168.1:8080
|
||||
Without proper configuration, the application server will not know that the load balancer exists and treat the request as though https://192.168.1:8080 was requested by the client.
|
||||
|
||||
To fix this you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify that a load balancer is being used.
|
||||
To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers.
|
||||
For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer].
|
||||
For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses https://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer].
|
||||
Alternatively, Spring 4.3+ users can leverage https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[ForwardedHeaderFilter].
|
||||
|
@ -49,8 +49,8 @@ public class WithMockUserTests {
|
||||
|
||||
This is a basic example of how to setup Spring Security Test. The highlights are:
|
||||
|
||||
<1> `@RunWith` instructs the spring-test module that it should create an `ApplicationContext`. This is no different than using the existing Spring Test support. For additional information, refer to the http://docs.spring.io/spring-framework/docs/4.0.x/spring-framework-reference/htmlsingle/#integration-testing-annotations-standard[Spring Reference]
|
||||
<2> `@ContextConfiguration` instructs the spring-test the configuration to use to create the `ApplicationContext`. Since no configuration is specified, the default configuration locations will be tried. This is no different than using the existing Spring Test support. For additional information, refer to the http://docs.spring.io/spring-framework/docs/4.0.x/spring-framework-reference/htmlsingle/#testcontext-ctx-management[Spring Reference]
|
||||
<1> `@RunWith` instructs the spring-test module that it should create an `ApplicationContext`. This is no different than using the existing Spring Test support. For additional information, refer to the https://docs.spring.io/spring-framework/docs/4.0.x/spring-framework-reference/htmlsingle/#integration-testing-annotations-standard[Spring Reference]
|
||||
<2> `@ContextConfiguration` instructs the spring-test the configuration to use to create the `ApplicationContext`. Since no configuration is specified, the default configuration locations will be tried. This is no different than using the existing Spring Test support. For additional information, refer to the https://docs.spring.io/spring-framework/docs/4.0.x/spring-framework-reference/htmlsingle/#testcontext-ctx-management[Spring Reference]
|
||||
|
||||
NOTE: Spring Security hooks into Spring Test support using the `WithSecurityContextTestExecutionListener` which will ensure our tests are ran with the correct user.
|
||||
It does this by populating the `SecurityContextHolder` prior to running our tests.
|
||||
@ -331,7 +331,7 @@ For example, this means we could create a meta annotation for `@WithUserDetails(
|
||||
[[test-mockmvc]]
|
||||
== Spring MVC Test Integration
|
||||
|
||||
Spring Security provides comprehensive integration with http://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html#spring-mvc-test-framework[Spring MVC Test]
|
||||
Spring Security provides comprehensive integration with https://docs.spring.io/spring/docs/current/spring-framework-reference/html/testing.html#spring-mvc-test-framework[Spring MVC Test]
|
||||
|
||||
[[test-mockmvc-setup]]
|
||||
=== Setting Up MockMvc and Spring Security
|
||||
|
@ -1,7 +1,7 @@
|
||||
[[websocket]]
|
||||
== WebSocket Security
|
||||
|
||||
Spring Security 4 added support for securing http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html[Spring's WebSocket support].
|
||||
Spring Security 4 added support for securing https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html[Spring's WebSocket support].
|
||||
This section describes how to use Spring Security's WebSocket support.
|
||||
|
||||
NOTE: You can find a complete working sample of WebSocket security in samples/javaconfig/chat.
|
||||
@ -9,7 +9,7 @@ NOTE: You can find a complete working sample of WebSocket security in samples/ja
|
||||
.Direct JSR-356 Support
|
||||
****
|
||||
Spring Security does not provide direct JSR-356 support because doing so would provide little value.
|
||||
This is because the format is unknown, so there is http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-intro-sub-protocol[little Spring can do to secure an unknown format].
|
||||
This is because the format is unknown, so there is https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-intro-sub-protocol[little Spring can do to secure an unknown format].
|
||||
Additionally, JSR-356 does not provide a way to intercept messages, so security would be rather invasive.
|
||||
****
|
||||
|
||||
@ -153,7 +153,7 @@ Consider a chat application.
|
||||
While we want clients to be able to SUBSCRIBE to "/topic/system/notifications", we do not want to enable them to send a MESSAGE to that destination.
|
||||
If we allowed sending a MESSAGE to "/topic/system/notifications", then clients could send a message directly to that endpoint and impersonate the system.
|
||||
|
||||
In general, it is common for applications to deny any MESSAGE sent to a message that starts with the http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-stomp[broker prefix] (i.e. "/topic/" or "/queue/").
|
||||
In general, it is common for applications to deny any MESSAGE sent to a message that starts with the https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-stomp[broker prefix] (i.e. "/topic/" or "/queue/").
|
||||
|
||||
[[websocket-authorization-notes-destinations]]
|
||||
===== WebSocket Authorization on Destinations
|
||||
@ -170,13 +170,13 @@ Consider a chat application.
|
||||
With the application above, we want to allow our client to listen to "/user/queue" which is transformed into "/queue/user/messages-<sessionid>".
|
||||
However, we do not want the client to be able to listen to "/queue/*" because that would allow the client to see messages for every user.
|
||||
|
||||
In general, it is common for applications to deny any SUBSCRIBE sent to a message that starts with the http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-stomp[broker prefix] (i.e. "/topic/" or "/queue/").
|
||||
In general, it is common for applications to deny any SUBSCRIBE sent to a message that starts with the https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-stomp[broker prefix] (i.e. "/topic/" or "/queue/").
|
||||
Of course we may provide exceptions to account for things like
|
||||
|
||||
[[websocket-authorization-notes-outbound]]
|
||||
==== Outbound Messages
|
||||
|
||||
Spring contains a section titled http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-stomp-message-flow[Flow of Messages] that describes how messages flow through the system.
|
||||
Spring contains a section titled https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-stomp-message-flow[Flow of Messages] that describes how messages flow through the system.
|
||||
It is important to note that Spring Security only secures the `clientInboundChannel`.
|
||||
Spring Security does not attempt to secure the `clientOutboundChannel`.
|
||||
|
||||
@ -187,7 +187,7 @@ Instead of securing the outbound messages, we encourage securing the subscriptio
|
||||
[[websocket-sameorigin]]
|
||||
=== Enforcing Same Origin Policy
|
||||
|
||||
It is important to emphasize that the browser does not enforce the http://en.wikipedia.org/wiki/Same-origin_policy[Same Origin Policy] for WebSocket connections.
|
||||
It is important to emphasize that the browser does not enforce the https://en.wikipedia.org/wiki/Same-origin_policy[Same Origin Policy] for WebSocket connections.
|
||||
This is an extremely important consideration.
|
||||
|
||||
[[websocket-sameorigin-why]]
|
||||
@ -208,8 +208,8 @@ This means developers need to explicitly protect their applications from externa
|
||||
[[websocket-sameorigin-spring]]
|
||||
==== Spring WebSocket Allowed Origin
|
||||
|
||||
Fortunately, since Spring 4.1.5 Spring's WebSocket and SockJS support restricts access to the http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-server-allowed-origins[current domain].
|
||||
Spring Security adds an additional layer of protection to provide http://en.wikipedia.org/wiki/Defense_in_depth_%28computing%29[defence in depth].
|
||||
Fortunately, since Spring 4.1.5 Spring's WebSocket and SockJS support restricts access to the https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-server-allowed-origins[current domain].
|
||||
Spring Security adds an additional layer of protection to provide https://en.wikipedia.org/wiki/Defense_in_depth_%2528computing%2529[defence in depth].
|
||||
|
||||
[[websocket-sameorigin-csrf]]
|
||||
==== Adding CSRF to Stomp Headers
|
||||
@ -286,7 +286,7 @@ public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBro
|
||||
[[websocket-sockjs]]
|
||||
=== Working with SockJS
|
||||
|
||||
http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-fallback[SockJS] provides fallback transports to support older browsers.
|
||||
https://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-fallback[SockJS] provides fallback transports to support older browsers.
|
||||
When using the fallback options we need to relax a few security constraints to allow SockJS to work with Spring Security.
|
||||
|
||||
[[websocket-sockjs-sameorigin]]
|
||||
|
@ -1,7 +1,7 @@
|
||||
= Spring Security Reference
|
||||
Ben Alex; Luke Taylor; Rob Winch; Gunnar Hillert
|
||||
:include-dir: _includes
|
||||
:security-api-url: http://docs.spring.io/spring-security/site/docs/current/apidocs/
|
||||
:security-api-url: https://docs.spring.io/spring-security/site/docs/current/apidocs/
|
||||
|
||||
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
|
||||
|
||||
@ -15,7 +15,7 @@ Of course, you will need to properly address all security layers mentioned above
|
||||
|
||||
With Spring Security being focused on helping you with the enterprise application security layer, you will find that there are as many different requirements as there are business problem domains. A banking application has different needs from an ecommerce application. An ecommerce application has different needs from a corporate sales force automation tool. These custom requirements make application security interesting, challenging and rewarding.
|
||||
|
||||
Please read <<getting-started>>, in its entirety to begin with. This will introduce you to the framework and the namespace-based configuration system with which you can get up and running quite quickly. To get more of an understanding of how Spring Security works, and some of the classes you might need to use, you should then read <<overall-architecture>>. The remaining parts of this guide are structured in a more traditional reference style, designed to be read on an as-required basis. We'd also recommend that you read up as much as possible on application security issues in general. Spring Security is not a panacea which will solve all security issues. It is important that the application is designed with security in mind from the start. Attempting to retrofit it is not a good idea. In particular, if you are building a web application, you should be aware of the many potential vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should be taking into account from the start. The OWASP web site (http://www.owasp.org/) maintains a top ten list of web application vulnerabilities as well as a lot of useful reference information.
|
||||
Please read <<getting-started>>, in its entirety to begin with. This will introduce you to the framework and the namespace-based configuration system with which you can get up and running quite quickly. To get more of an understanding of how Spring Security works, and some of the classes you might need to use, you should then read <<overall-architecture>>. The remaining parts of this guide are structured in a more traditional reference style, designed to be read on an as-required basis. We'd also recommend that you read up as much as possible on application security issues in general. Spring Security is not a panacea which will solve all security issues. It is important that the application is designed with security in mind from the start. Attempting to retrofit it is not a good idea. In particular, if you are building a web application, you should be aware of the many potential vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should be taking into account from the start. The OWASP web site (https://www.owasp.org/) maintains a top ten list of web application vulnerabilities as well as a lot of useful reference information.
|
||||
|
||||
We hope that you find this reference guide useful, and we welcome your feedback and <<jira,suggestions>>.
|
||||
|
||||
@ -26,7 +26,7 @@ Finally, welcome to the Spring Security <<community,community>>.
|
||||
== Getting Started
|
||||
The later parts of this guide provide an in-depth discussion of the framework architecture and implementation classes, which you need to understand if you want to do any serious customization. In this part, we'll introduce Spring Security 4.0, give a brief overview of the project's history and take a slightly gentler look at how to get started using the framework. In particular, we'll look at namespace configuration which provides a much simpler way of securing your application compared to the traditional Spring bean approach where you have to wire up all the implementation classes individually.
|
||||
|
||||
We'll also take a look at the sample applications that are available. It's worth trying to run these and experimenting with them a bit even before you read the later sections - you can dip back into them as your understanding of the framework increases. Please also check out the http://spring.io/spring-security[project website] as it has useful information on building the project, plus links to articles, videos and tutorials.
|
||||
We'll also take a look at the sample applications that are available. It's worth trying to run these and experimenting with them a bit even before you read the later sections - you can dip back into them as your understanding of the framework increases. Please also check out the https://spring.io/spring-security[project website] as it has useful information on building the project, plus links to articles, videos and tutorials.
|
||||
|
||||
|
||||
[[introduction]]
|
||||
@ -137,7 +137,7 @@ You should always test your application thoroughly before rolling out a new vers
|
||||
|
||||
[[get-spring-security]]
|
||||
=== Getting Spring Security
|
||||
You can get hold of Spring Security in several ways. You can download a packaged distribution from the main http://spring.io/spring-security[Spring Security] page, download individual jars from the Maven Central repository (or a Spring Maven repository for snapshot and milestone releases) or, alternatively, you can build the project from source yourself.
|
||||
You can get hold of Spring Security in several ways. You can download a packaged distribution from the main https://spring.io/spring-security[Spring Security] page, download individual jars from the Maven Central repository (or a Spring Maven repository for snapshot and milestone releases) or, alternatively, you can build the project from source yourself.
|
||||
|
||||
[[maven]]
|
||||
==== Usage with Maven
|
||||
@ -179,7 +179,7 @@ If you are using a SNAPSHOT version, you will need to ensure you have the Spring
|
||||
<repository>
|
||||
<id>spring-snapshot</id>
|
||||
<name>Spring Snapshot Repository</name>
|
||||
<url>http://repo.spring.io/snapshot</url>
|
||||
<url>https://repo.spring.io/snapshot</url>
|
||||
</repository>
|
||||
</repositories>
|
||||
----
|
||||
@ -194,7 +194,7 @@ If you are using a milestone or release candidate version, you will need to ensu
|
||||
<repository>
|
||||
<id>spring-milestone</id>
|
||||
<name>Spring Milestone Repository</name>
|
||||
<url>http://repo.spring.io/milestone</url>
|
||||
<url>https://repo.spring.io/milestone</url>
|
||||
</repository>
|
||||
</repositories>
|
||||
----
|
||||
@ -204,7 +204,7 @@ If you are using a milestone or release candidate version, you will need to ensu
|
||||
|
||||
Spring Security builds against Spring Framework {spring-version}, but should work with 4.0.x. The problem that many users will have is that Spring Security's transitive dependencies resolve Spring Framework {spring-version} which can cause strange classpath problems.
|
||||
|
||||
One (tedious) way to circumvent this issue would be to include all the Spring Framework modules in a http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management[<dependencyManagement>] section of your pom. An alternative approach is to include the `spring-framework-bom` within your `<dependencyManagement>` section of your `pom.xml` as shown below:
|
||||
One (tedious) way to circumvent this issue would be to include all the Spring Framework modules in a https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management[<dependencyManagement>] section of your pom. An alternative approach is to include the `spring-framework-bom` within your `<dependencyManagement>` section of your `pom.xml` as shown below:
|
||||
|
||||
.pom.xml
|
||||
[source,xml]
|
||||
@ -225,7 +225,7 @@ One (tedious) way to circumvent this issue would be to include all the Spring Fr
|
||||
|
||||
This will ensure that all the transitive dependencies of Spring Security use the Spring {spring-version} modules.
|
||||
|
||||
NOTE: This approach uses Maven's "bill of materials" (BOM) concept and is only available in Maven 2.0.9+. For additional details about how dependencies are resolved refer to http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html[Maven's Introduction to the Dependency Mechanism documentation].
|
||||
NOTE: This approach uses Maven's "bill of materials" (BOM) concept and is only available in Maven 2.0.9+. For additional details about how dependencies are resolved refer to https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html[Maven's Introduction to the Dependency Mechanism documentation].
|
||||
|
||||
[[gradle]]
|
||||
==== Gradle
|
||||
@ -278,7 +278,7 @@ repositories {
|
||||
[[gradle-resolutionStrategy]]
|
||||
===== Using Spring 4.0.x and Gradle
|
||||
|
||||
By default Gradle will use the newest version when resolving transitive versions. This means that often times no additional work is necessary when running Spring Security {spring-security-version} with Spring Framework {spring-version}. However, at times there can be issues that come up so it is best to mitigate this using http://www.gradle.org/docs/current/dsl/org.gradle.api.artifacts.ResolutionStrategy.html[Gradle's ResolutionStrategy] as shown below:
|
||||
By default Gradle will use the newest version when resolving transitive versions. This means that often times no additional work is necessary when running Spring Security {spring-security-version} with Spring Framework {spring-version}. However, at times there can be issues that come up so it is best to mitigate this using https://www.gradle.org/docs/current/dsl/org.gradle.api.artifacts.ResolutionStrategy.html[Gradle's ResolutionStrategy] as shown below:
|
||||
|
||||
.build.gradle
|
||||
[source,groovy]
|
||||
@ -388,14 +388,14 @@ Below you can find the highlights of this release.
|
||||
* https://github.com/spring-projects/spring-security/pull/4116[#4116] - <<headers-referrer,Referrer Policy>>
|
||||
* https://github.com/spring-projects/spring-security/pull/3938[#3938] - Add <<request-matching,HTTP response splitting prevention>>
|
||||
* https://github.com/spring-projects/spring-security/issues/3949[#3949] - Add <<mvc-authentication-principal,bean reference support to @AuthenticationPrincipal>>.
|
||||
* https://github.com/spring-projects/spring-security/pull/3978[#3978] - Support for Standford WebAuth and Shibboleth using the newly added http://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/apidocs/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.html[RequestAttributeAuthenticationFilter].
|
||||
* https://github.com/spring-projects/spring-security/pull/3978[#3978] - Support for Standford WebAuth and Shibboleth using the newly added https://docs.spring.io/spring-security/site/docs/4.2.x-SNAPSHOT/apidocs/org/springframework/security/web/authentication/preauth/RequestAttributeAuthenticationFilter.html[RequestAttributeAuthenticationFilter].
|
||||
* https://github.com/spring-projects/spring-security/issues/4076[#4076] - Document <<appendix-proxy-server,Proxy Server>> Configuration
|
||||
* https://github.com/spring-projects/spring-security/issues/3795[#3795] - `ConcurrentSessionFilter` supports `InvalidSessionStrategy`
|
||||
* https://github.com/spring-projects/spring-security/pull/3904[#3904] - Add `CompositeLogoutHandler`
|
||||
|
||||
=== Configuration Improvements
|
||||
|
||||
* https://github.com/spring-projects/spring-security/pull/3956[#3956] - Central configuration of the http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-role-prefixing[default role prefix]. See the issue for details.
|
||||
* https://github.com/spring-projects/spring-security/pull/3956[#3956] - Central configuration of the https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-role-prefixing[default role prefix]. See the issue for details.
|
||||
* https://github.com/spring-projects/spring-security/issues/4102[#4102] - Custom default configuration in `WebSecurityConfigurerAdapter`. See <<jc-custom-dsls>>
|
||||
* https://github.com/spring-projects/spring-security/issues/3899[#3899] - <<nsa-concurrency-control-max-sessions,concurrency-control@max-sessions>> supports unlimited sessions.
|
||||
* https://github.com/spring-projects/spring-security/issues/4097[#4097] - <<nsa-intercept-url-request-matcher-ref,intercept-url@request-matcher-ref>> adds more powerful request matching support to the XML namespace.
|
||||
@ -446,7 +446,7 @@ If you are looking to get started with Spring Security, the best place to start
|
||||
[[jc]]
|
||||
== Java Configuration
|
||||
|
||||
General support for http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-java[Java Configuration] was added to Spring Framework in Spring 3.1. Since Spring Security 3.2 there has been Spring Security Java Configuration support which enables users to easily configure Spring Security without the use of any XML.
|
||||
General support for https://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-java[Java Configuration] was added to Spring Framework in Spring 3.1. Since Spring Security 3.2 there has been Spring Security Java Configuration support which enables users to easily configure Spring Security without the use of any XML.
|
||||
|
||||
If you are familiar with the <<ns-config>> then you should find quite a few similarities between it and the Security Java Configuration support.
|
||||
|
||||
@ -483,24 +483,24 @@ There really isn't much to this configuration, but it does a lot. You can find a
|
||||
* Generate a login form for you
|
||||
* Allow the user with the *Username* _user_ and the *Password* _password_ to authenticate with form based authentication
|
||||
* Allow the user to logout
|
||||
* http://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* http://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* https://en.wikipedia.org/wiki/Cross-site_request_forgery[CSRF attack] prevention
|
||||
* https://en.wikipedia.org/wiki/Session_fixation[Session Fixation] protection
|
||||
* Security Header integration
|
||||
** http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security[HTTP Strict Transport Security] for secure requests
|
||||
** https://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx[X-Content-Type-Options] integration
|
||||
** Cache Control (can be overridden later by your application to allow caching of your static resources)
|
||||
** http://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent http://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
** https://msdn.microsoft.com/en-us/library/dd565647(v=vs.85).aspx[X-XSS-Protection] integration
|
||||
** X-Frame-Options integration to help prevent https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]
|
||||
* Integrate with the following Servlet API methods
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest#getRemoteUser()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.html#getUserPrincipal()]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.html#isUserInRole(java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login(java.lang.String,%20java.lang.String)[HttpServletRequest.html#login(java.lang.String, java.lang.String)]
|
||||
** https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout()[HttpServletRequest.html#logout()]
|
||||
|
||||
==== AbstractSecurityWebApplicationInitializer
|
||||
|
||||
The next step is to register the `springSecurityFilterChain` with the war. This can be done in Java Configuration with http://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-container-config[Spring's WebApplicationInitializer support] in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class `AbstractSecurityWebApplicationInitializer` that will ensure the `springSecurityFilterChain` gets registered for you. The way in which we use `AbstractSecurityWebApplicationInitializer` differs depending on if we are already using Spring or if Spring Security is the only Spring component in our application.
|
||||
The next step is to register the `springSecurityFilterChain` with the war. This can be done in Java Configuration with https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-container-config[Spring's WebApplicationInitializer support] in a Servlet 3.0+ environment. Not suprisingly, Spring Security provides a base class `AbstractSecurityWebApplicationInitializer` that will ensure the `springSecurityFilterChain` gets registered for you. The way in which we use `AbstractSecurityWebApplicationInitializer` differs depending on if we are already using Spring or if Spring Security is the only Spring component in our application.
|
||||
|
||||
* <<abstractsecuritywebapplicationinitializer-without-existing-spring>> - Use these instructions if you are not using Spring already
|
||||
* <<abstractsecuritywebapplicationinitializer-with-spring-mvc>> - Use these instructions if you are already using Spring
|
||||
@ -1196,7 +1196,7 @@ public class Config extends WebSecurityConfigurerAdapter {
|
||||
|
||||
|
||||
=== Introduction
|
||||
Namespace configuration has been available since version 2.0 of the Spring Framework. It allows you to supplement the traditional Spring beans application context syntax with elements from additional XML schema. You can find more information in the Spring http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/[Reference Documentation]. A namespace element can be used simply to allow a more concise way of configuring an individual bean or, more powerfully, to define an alternative configuration syntax which more closely matches the problem domain and hides the underlying complexity from the user. A simple element may conceal the fact that multiple beans and processing steps are being added to the application context. For example, adding the following element from the security namespace to an application context will start up an embedded LDAP server for testing use within the application:
|
||||
Namespace configuration has been available since version 2.0 of the Spring Framework. It allows you to supplement the traditional Spring beans application context syntax with elements from additional XML schema. You can find more information in the Spring https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/[Reference Documentation]. A namespace element can be used simply to allow a more concise way of configuring an individual bean or, more powerfully, to define an alternative configuration syntax which more closely matches the problem domain and hides the underlying complexity from the user. A simple element may conceal the fact that multiple beans and processing steps are being added to the application context. For example, adding the following element from the security namespace to an application context will start up an embedded LDAP server for testing use within the application:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
@ -1206,7 +1206,7 @@ Namespace configuration has been available since version 2.0 of the Spring Frame
|
||||
This is much simpler than wiring up the equivalent Apache Directory Server beans. The most common alternative configuration requirements are supported by attributes on the `ldap-server` element and the user is isolated
|
||||
from worrying about which beans they need to create and what the bean property names are. footnote:[You can find out more about the use of the `ldap-server` element in the chapter on pass:specialcharacters,macros[<<ldap>>]. ]. Use of a good XML
|
||||
editor while editing the application context file should provide information on the attributes and elements that are available. We would recommend that you try out the
|
||||
http://spring.io/tools/sts[Spring Tool Suite] as it has special features for working with standard Spring namespaces.
|
||||
https://spring.io/tools/sts[Spring Tool Suite] as it has special features for working with standard Spring namespaces.
|
||||
|
||||
|
||||
To start using the security namespace in your application context, you need to have the `spring-security-config` jar on your classpath. Then all you need to do is add the schema declaration to your application context file:
|
||||
@ -1217,9 +1217,9 @@ To start using the security namespace in your application context, you need to h
|
||||
xmlns:security="http://www.springframework.org/schema/security"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans
|
||||
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
|
||||
https://www.springframework.org/schema/beans/spring-beans-3.0.xsd
|
||||
http://www.springframework.org/schema/security
|
||||
http://www.springframework.org/schema/security/spring-security.xsd">
|
||||
https://www.springframework.org/schema/security/spring-security.xsd">
|
||||
...
|
||||
</beans>
|
||||
----
|
||||
@ -1237,9 +1237,9 @@ In many of the examples you will see (and in the sample applications), we
|
||||
xmlns:beans="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans
|
||||
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
|
||||
https://www.springframework.org/schema/beans/spring-beans-3.0.xsd
|
||||
http://www.springframework.org/schema/security
|
||||
http://www.springframework.org/schema/security/spring-security.xsd">
|
||||
https://www.springframework.org/schema/security/spring-security.xsd">
|
||||
...
|
||||
</beans:beans>
|
||||
----
|
||||
@ -1607,7 +1607,7 @@ If you are using a customized authentication filter for form-based login, then y
|
||||
|
||||
[[ns-session-fixation]]
|
||||
===== Session Fixation Attack Protection
|
||||
http://en.wikipedia.org/wiki/Session_fixation[Session fixation] attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session or otherwise changing the session ID when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behavior using the `session-fixation-protection` attribute on `<session-management>`, which has four options
|
||||
https://en.wikipedia.org/wiki/Session_fixation[Session fixation] attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session or otherwise changing the session ID when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behavior using the `session-fixation-protection` attribute on `<session-management>`, which has four options
|
||||
|
||||
* `none` - Don't do anything. The original session will be retained.
|
||||
|
||||
@ -1623,7 +1623,7 @@ When session fixation protection occurs, it results in a `SessionFixationProtect
|
||||
|
||||
[[ns-openid]]
|
||||
==== OpenID Support
|
||||
The namespace supports http://openid.net/[OpenID] login either instead of, or in addition to normal form-based login, with a simple change:
|
||||
The namespace supports https://openid.net/[OpenID] login either instead of, or in addition to normal form-based login, with a simple change:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
@ -1637,26 +1637,26 @@ You should then register yourself with an OpenID provider (such as myopenid.com)
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
<user name="http://jimi.hendrix.myopenid.com/" authorities="ROLE_USER" />
|
||||
<user name="https://jimi.hendrix.myopenid.com/" authorities="ROLE_USER" />
|
||||
----
|
||||
|
||||
You should be able to login using the `myopenid.com` site to authenticate. It is also possible to select a specific `UserDetailsService` bean for use OpenID by setting the `user-service-ref` attribute on the `openid-login` element. See the previous section on <<ns-auth-providers,authentication providers>> for more information. Note that we have omitted the password attribute from the above user configuration, since this set of user data is only being used to load the authorities for the user. A random password will be generated internally, preventing you from accidentally using this user data as an authentication source elsewhere in your configuration.
|
||||
|
||||
|
||||
===== Attribute Exchange
|
||||
Support for OpenID http://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange]. As an example, the following configuration would attempt to retrieve the email and full name from the OpenID provider, for use by the application:
|
||||
Support for OpenID https://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange]. As an example, the following configuration would attempt to retrieve the email and full name from the OpenID provider, for use by the application:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
<openid-login>
|
||||
<attribute-exchange>
|
||||
<openid-attribute name="email" type="http://axschema.org/contact/email" required="true"/>
|
||||
<openid-attribute name="name" type="http://axschema.org/namePerson"/>
|
||||
<openid-attribute name="email" type="https://axschema.org/contact/email" required="true"/>
|
||||
<openid-attribute name="name" type="https://axschema.org/namePerson"/>
|
||||
</attribute-exchange>
|
||||
</openid-login>
|
||||
----
|
||||
|
||||
The "type" of each OpenID attribute is a URI, determined by a particular schema, in this case http://axschema.org/[http://axschema.org/]. If an attribute must be retrieved for successful authentication, the `required` attribute can be set. The exact schema and attributes supported will depend on your OpenID provider. The attribute values are returned as part of the authentication process and can be accessed afterwards using the following code:
|
||||
The "type" of each OpenID attribute is a URI, determined by a particular schema, in this case https://axschema.org/[https://axschema.org/]. If an attribute must be retrieved for successful authentication, the `required` attribute can be set. The exact schema and attributes supported will depend on your OpenID provider. The attribute values are returned as part of the authentication process and can be accessed afterwards using the following code:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@ -1956,7 +1956,7 @@ Another common requirement is that another bean in the context may require a ref
|
||||
|
||||
[[sample-apps]]
|
||||
== Sample Applications
|
||||
There are several sample web applications that are available with the project. To avoid an overly large download, only the "tutorial" and "contacts" samples are included in the distribution zip file. The others can be built directly from the source which you can obtain as described in <<get-source,the introduction>>. It's easy to build the project yourself and there's more information on the project web site at http://spring.io/spring-security/[http://spring.io/spring-security/]. All paths referred to in this chapter are relative to the project source directory.
|
||||
There are several sample web applications that are available with the project. To avoid an overly large download, only the "tutorial" and "contacts" samples are included in the distribution zip file. The others can be built directly from the source which you can obtain as described in <<get-source,the introduction>>. It's easy to build the project yourself and there's more information on the project web site at https://spring.io/spring-security/[https://spring.io/spring-security/]. All paths referred to in this chapter are relative to the project source directory.
|
||||
|
||||
|
||||
[[tutorial-sample]]
|
||||
@ -2016,7 +2016,7 @@ The LDAP sample application provides a basic configuration and sets up both a na
|
||||
|
||||
[[openid-sample]]
|
||||
=== OpenID Sample
|
||||
The OpenID sample demonstrates how to use the namespace to configure OpenID and how to set up http://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange] configurations for Google, Yahoo and MyOpenID identity providers (you can experiment with adding others if you wish). It uses the JQuery-based http://code.google.com/p/openid-selector/[openid-selector] project to provide a user-friendly login page which allows the user to easily select a provider, rather than typing in the full OpenID identifier.
|
||||
The OpenID sample demonstrates how to use the namespace to configure OpenID and how to set up https://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange] configurations for Google, Yahoo and MyOpenID identity providers (you can experiment with adding others if you wish). It uses the JQuery-based https://code.google.com/p/openid-selector/[openid-selector] project to provide a user-friendly login page which allows the user to easily select a provider, rather than typing in the full OpenID identifier.
|
||||
|
||||
The application differs from normal authentication scenarios in that it allows any user to access the site (provided their OpenID authentication is successful). The first time you login, you will get a "Welcome [your name]"" message. If you logout and log back in (with the same OpenID identity) then this should change to "Welcome Back". This is achieved by using a custom `UserDetailsService` which assigns a standard role to any user and stores the identities internally in a map. Obviously a real application would use a database instead. Have a look at the source form more information. This class also takes into account the fact that different attributes may be returned from different providers and builds the name with which it addresses the user accordingly.
|
||||
|
||||
@ -2058,7 +2058,7 @@ We welcome your involvement in the Spring Security project. There are many ways
|
||||
|
||||
[[further-info]]
|
||||
=== Further Information
|
||||
Questions and comments on Spring Security are welcome. You can use the Spring at Stack Overflow web site at http://spring.io/questions[http://spring.io/questions] to discuss Spring Security with other users of the framework. Remember to use JIRA for bug reports, as explained above.
|
||||
Questions and comments on Spring Security are welcome. You can use the Spring at Stack Overflow web site at https://spring.io/questions[https://spring.io/questions] to discuss Spring Security with other users of the framework. Remember to use JIRA for bug reports, as explained above.
|
||||
|
||||
[[overall-architecture]]
|
||||
= Architecture and Implementation
|
||||
@ -2677,7 +2677,7 @@ The Servlet Specification defines several properties for the `HttpServletRequest
|
||||
These are the `contextPath`, `servletPath`, `pathInfo` and `queryString`.
|
||||
Spring Security is only interested in securing paths within the application, so the `contextPath` is ignored.
|
||||
Unfortunately, the servlet spec does not define exactly what the values of `servletPath` and `pathInfo` will contain for a particular request URI.
|
||||
For example, each path segment of a URL may contain parameters, as defined in http://www.ietf.org/rfc/rfc2396.txt[RFC 2396]
|
||||
For example, each path segment of a URL may contain parameters, as defined in https://www.ietf.org/rfc/rfc2396.txt[RFC 2396]
|
||||
footnote:[You have probably seen this when a browser doesn't support cookies and the `jsessionid` parameter is appended to the URL after a semi-colon.
|
||||
However the RFC allows the presence of these parameters in any path segment of the URL].
|
||||
The Specification does not clearly state whether these should be included in the `servletPath` and `pathInfo` values and the behaviour varies between different servlet containers.
|
||||
@ -2905,7 +2905,7 @@ The default implementation is `HttpSessionSecurityContextRepository`, which stor
|
||||
</bean>
|
||||
----
|
||||
|
||||
Alternatively you could provide an instance of `NullSecurityContextRepository`, a http://en.wikipedia.org/wiki/Null_Object_pattern[null object] implementation, which will prevent the security context from being stored, even if a session has already been created during the request.
|
||||
Alternatively you could provide an instance of `NullSecurityContextRepository`, a https://en.wikipedia.org/wiki/Null_Object_pattern[null object] implementation, which will prevent the security context from being stored, even if a session has already been created during the request.
|
||||
|
||||
|
||||
[[form-login-filter]]
|
||||
@ -2951,12 +2951,12 @@ This section describes how Spring Security is integrated with the Servlet API. T
|
||||
|
||||
[[servletapi-remote-user]]
|
||||
==== HttpServletRequest.getRemoteUser()
|
||||
The http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest.getRemoteUser()] will return the result of `SecurityContextHolder.getContext().getAuthentication().getName()` which is typically the current username. This can be useful if you want to display the current username in your application. Additionally, checking if this is null can be used to indicate if a user has authenticated or is anonymous. Knowing if the user is authenticated or not can be useful for determining if certain UI elements should be shown or not (i.e. a log out link should only be displayed if the user is authenticated).
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser()[HttpServletRequest.getRemoteUser()] will return the result of `SecurityContextHolder.getContext().getAuthentication().getName()` which is typically the current username. This can be useful if you want to display the current username in your application. Additionally, checking if this is null can be used to indicate if a user has authenticated or is anonymous. Knowing if the user is authenticated or not can be useful for determining if certain UI elements should be shown or not (i.e. a log out link should only be displayed if the user is authenticated).
|
||||
|
||||
|
||||
[[servletapi-user-principal]]
|
||||
==== HttpServletRequest.getUserPrincipal()
|
||||
The http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.getUserPrincipal()] will return the result of `SecurityContextHolder.getContext().getAuthentication()`. This means it is an `Authentication` which is typically an instance of `UsernamePasswordAuthenticationToken` when using username and password based authentication. This can be useful if you need additional information about your user. For example, you might have created a custom `UserDetailsService` that returns a custom `UserDetails` containing a first and last name for your user. You could obtain this information with the following:
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#getUserPrincipal()[HttpServletRequest.getUserPrincipal()] will return the result of `SecurityContextHolder.getContext().getAuthentication()`. This means it is an `Authentication` which is typically an instance of `UsernamePasswordAuthenticationToken` when using username and password based authentication. This can be useful if you need additional information about your user. For example, you might have created a custom `UserDetailsService` that returns a custom `UserDetails` containing a first and last name for your user. You could obtain this information with the following:
|
||||
|
||||
|
||||
[source,java]
|
||||
@ -2976,7 +2976,7 @@ It should be noted that it is typically bad practice to perform so much logic th
|
||||
|
||||
[[servletapi-user-in-role]]
|
||||
==== HttpServletRequest.isUserInRole(String)
|
||||
The http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.isUserInRole(String)] will determine if `SecurityContextHolder.getContext().getAuthentication().getAuthorities()` contains a `GrantedAuthority` with the role passed into `isUserInRole(String)`. Typically users should not pass in the "ROLE_" prefix into this method since it is added automatically. For example, if you want to determine if the current user has the authority "ROLE_ADMIN", you could use the following:
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#isUserInRole(java.lang.String)[HttpServletRequest.isUserInRole(String)] will determine if `SecurityContextHolder.getContext().getAuthentication().getAuthorities()` contains a `GrantedAuthority` with the role passed into `isUserInRole(String)`. Typically users should not pass in the "ROLE_" prefix into this method since it is added automatically. For example, if you want to determine if the current user has the authority "ROLE_ADMIN", you could use the following:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@ -2992,12 +2992,12 @@ The following section describes the Servlet 3 methods that Spring Security integ
|
||||
|
||||
[[servletapi-authenticate]]
|
||||
==== HttpServletRequest.authenticate(HttpServletResponse)
|
||||
The http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#authenticate%28javax.servlet.http.HttpServletResponse%29[HttpServletRequest.authenticate(HttpServletResponse)] method can be used to ensure that a user is authenticated. If they are not authenticated, the configured AuthenticationEntryPoint will be used to request the user to authenticate (i.e. redirect to the login page).
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#authenticate%28javax.servlet.http.HttpServletResponse%29[HttpServletRequest.authenticate(HttpServletResponse)] method can be used to ensure that a user is authenticated. If they are not authenticated, the configured AuthenticationEntryPoint will be used to request the user to authenticate (i.e. redirect to the login page).
|
||||
|
||||
|
||||
[[servletapi-login]]
|
||||
==== HttpServletRequest.login(String,String)
|
||||
The http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login%28java.lang.String,%20java.lang.String%29[HttpServletRequest.login(String,String)] method can be used to authenticate the user with the current `AuthenticationManager`. For example, the following would attempt to authenticate with the username "user" and password "password":
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login%28java.lang.String,%20java.lang.String%29[HttpServletRequest.login(String,String)] method can be used to authenticate the user with the current `AuthenticationManager`. For example, the following would attempt to authenticate with the username "user" and password "password":
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@ -3015,13 +3015,13 @@ It is not necessary to catch the ServletException if you want Spring Security to
|
||||
|
||||
[[servletapi-logout]]
|
||||
==== HttpServletRequest.logout()
|
||||
The http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout%28%29[HttpServletRequest.logout()] method can be used to log the current user out.
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#logout%28%29[HttpServletRequest.logout()] method can be used to log the current user out.
|
||||
|
||||
Typically this means that the SecurityContextHolder will be cleared out, the HttpSession will be invalidated, any "Remember Me" authentication will be cleaned up, etc. However, the configured LogoutHandler implementations will vary depending on your Spring Security configuration. It is important to note that after HttpServletRequest.logout() has been invoked, you are still in charge of writing a response out. Typically this would involve a redirect to the welcome page.
|
||||
|
||||
[[servletapi-start-runnable]]
|
||||
==== AsyncContext.start(Runnable)
|
||||
The http://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html#start%28java.lang.Runnable%29[AsynchContext.start(Runnable)] method that ensures your credentials will be propagated to the new Thread. Using Spring Security's concurrency support, Spring Security overrides the AsyncContext.start(Runnable) to ensure that the current SecurityContext is used when processing the Runnable. For example, the following would output the current user's Authentication:
|
||||
The https://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html#start%28java.lang.Runnable%29[AsynchContext.start(Runnable)] method that ensures your credentials will be propagated to the new Thread. Using Spring Security's concurrency support, Spring Security overrides the AsyncContext.start(Runnable) to ensure that the current SecurityContext is used when processing the Runnable. For example, the following would output the current user's Authentication:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@ -3049,7 +3049,7 @@ If you are using Java Based configuration, you are ready to go. If you are using
|
||||
----
|
||||
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
|
||||
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee https://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
|
||||
version="3.0">
|
||||
|
||||
</web-app>
|
||||
@ -3107,7 +3107,7 @@ The following section describes the Servlet 3.1 methods that Spring Security int
|
||||
|
||||
[[servletapi-change-session-id]]
|
||||
==== HttpServletRequest#changeSessionId()
|
||||
The http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#changeSessionId()[HttpServletRequest.changeSessionId()] is the default method for protecting against <<ns-session-fixation,Session Fixation>> attacks in Servlet 3.1 and higher.
|
||||
The https://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#changeSessionId()[HttpServletRequest.changeSessionId()] is the default method for protecting against <<ns-session-fixation,Session Fixation>> attacks in Servlet 3.1 and higher.
|
||||
|
||||
[[basic]]
|
||||
== Basic and Digest Authentication
|
||||
@ -3315,7 +3315,7 @@ The database schema is described above in <<remember-me-persistent-token>>.
|
||||
|
||||
[[csrf]]
|
||||
== Cross Site Request Forgery (CSRF)
|
||||
This section discusses Spring Security's http://en.wikipedia.org/wiki/Cross-site_request_forgery[ Cross Site Request Forgery (CSRF)] support.
|
||||
This section discusses Spring Security's https://en.wikipedia.org/wiki/Cross-site_request_forgery[ Cross Site Request Forgery (CSRF)] support.
|
||||
|
||||
|
||||
=== CSRF Attacks
|
||||
@ -3441,7 +3441,7 @@ So what are the steps necessary to use Spring Security's to protect our site aga
|
||||
==== Use proper HTTP verbs
|
||||
The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs. Specifically, before Spring Security's CSRF support can be of use, you need to be certain that your application is using PATCH, POST, PUT, and/or DELETE for anything that modifies state.
|
||||
|
||||
This is not a limitation of Spring Security's support, but instead a general requirement for proper CSRF prevention. The reason is that including private information in an HTTP GET can cause the information to be leaked. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3[RFC 2616 Section 15.1.3 Encoding Sensitive Information in URI's] for general guidance on using POST instead of GET for sensitive information.
|
||||
This is not a limitation of Spring Security's support, but instead a general requirement for proper CSRF prevention. The reason is that including private information in an HTTP GET can cause the information to be leaked. See https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3[RFC 2616 Section 15.1.3 Encoding Sensitive Information in URI's] for general guidance on using POST instead of GET for sensitive information.
|
||||
|
||||
|
||||
[[csrf-configure]]
|
||||
@ -3499,7 +3499,7 @@ An easier approach is to use <<the-csrfinput-tag,the csrfInput tag>> from the Sp
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
If you are using Spring MVC `<form:form>` tag or http://www.thymeleaf.org/whatsnew21.html#reqdata[Thymeleaf 2.1+] and are using `@EnableWebSecurity`, the `CsrfToken` is automatically included for you (using the `CsrfRequestDataValueProcessor`).
|
||||
If you are using Spring MVC `<form:form>` tag or https://www.thymeleaf.org/whatsnew21.html#reqdata[Thymeleaf 2.1+] and are using `@EnableWebSecurity`, the `CsrfToken` is automatically included for you (using the `CsrfRequestDataValueProcessor`).
|
||||
====
|
||||
|
||||
[[csrf-include-csrf-token-ajax]]
|
||||
@ -3611,7 +3611,7 @@ One issue is that the expected CSRF token is stored in the HttpSession, so as so
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
One might ask why the expected `CsrfToken` isn't stored in a cookie by default. This is because there are known exploits in which headers (i.e. specify the cookies) can be set by another domain. This is the same reason Ruby on Rails http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/[no longer skips CSRF checks when the header X-Requested-With is present]. See http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit. Another disadvantage is that by removing the state (i.e. the timeout) you lose the ability to forcibly terminate the token if it is compromised.
|
||||
One might ask why the expected `CsrfToken` isn't stored in a cookie by default. This is because there are known exploits in which headers (i.e. specify the cookies) can be set by another domain. This is the same reason Ruby on Rails https://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/[no longer skips CSRF checks when the header X-Requested-With is present]. See http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007533.html[this webappsec.org thread] for details on how to perform the exploit. Another disadvantage is that by removing the state (i.e. the timeout) you lose the ability to forcibly terminate the token if it is compromised.
|
||||
====
|
||||
|
||||
A simple way to mitigate an active user experiencing a timeout is to have some JavaScript that lets the user know their session is about to expire. The user can click a button to continue and refresh the session.
|
||||
@ -3624,7 +3624,7 @@ As previously mentioned, this is not as secure as using a session, but in many c
|
||||
|
||||
[[csrf-login]]
|
||||
==== Logging In
|
||||
In order to protect against http://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests[forging log in requests] the log in form should be protected against CSRF attacks too. Since the `CsrfToken` is stored in HttpSession, this means an HttpSession will be created as soon as `CsrfToken` token attribute is accessed. While this sounds bad in a RESTful / stateless architecture the reality is that state is necessary to implement practical security. Without state, we have nothing we can do if a token is compromised. Practically speaking, the CSRF token is quite small in size and should have a negligible impact on our architecture.
|
||||
In order to protect against https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests[forging log in requests] the log in form should be protected against CSRF attacks too. Since the `CsrfToken` is stored in HttpSession, this means an HttpSession will be created as soon as `CsrfToken` token attribute is accessed. While this sounds bad in a RESTful / stateless architecture the reality is that state is necessary to implement practical security. Without state, we have nothing we can do if a token is compromised. Practically speaking, the CSRF token is quite small in size and should have a negligible impact on our architecture.
|
||||
|
||||
A common technique to protect the log in form is by using a JavaScript function to obtain a valid CSRF token before the form submission. By doing this, there is no need to think about session timeouts (discussed in the previous section) because the session is created right before the form submission (assuming that <<csrf-cookie,CookieCsrfTokenRepository>> isn't configured instead), so the user can stay on the login page and submit the username/password when he wants. In order to achieve this, you can take advantage of the `CsrfTokenArgumentResolver` provided by Spring Security and expose an endpoint like it's described on <<mvc-csrf-resolver,here>>.
|
||||
|
||||
@ -3661,7 +3661,7 @@ There are two options to using CSRF protection with multipart/form-data. Each op
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
Before you integrate Spring Security's CSRF protection with multipart file upload, ensure that you can upload without the CSRF protection first. More information about using multipart forms with Spring can be found within the http://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-multipart[17.10 Spring's multipart (file upload) support] section of the Spring reference and the http://docs.spring.io/spring/docs/3.2.x/javadoc-api/org/springframework/web/multipart/support/MultipartFilter.html[MultipartFilter javadoc].
|
||||
Before you integrate Spring Security's CSRF protection with multipart file upload, ensure that you can upload without the CSRF protection first. More information about using multipart forms with Spring can be found within the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-multipart[17.10 Spring's multipart (file upload) support] section of the Spring reference and the https://docs.spring.io/spring/docs/3.2.x/javadoc-api/org/springframework/web/multipart/support/MultipartFilter.html[MultipartFilter javadoc].
|
||||
====
|
||||
|
||||
[[csrf-multipartfilter]]
|
||||
@ -3712,7 +3712,7 @@ If allowing unauthorized users to upload temporariy files is not acceptable, an
|
||||
<form action="./upload?${_csrf.parameterName}=${_csrf.token}" method="post" enctype="multipart/form-data">
|
||||
----
|
||||
|
||||
The disadvantage to this approach is that query parameters can be leaked. More genearlly, it is considered best practice to place sensitive data within the body or headers to ensure it is not leaked. Additional information can be found in http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3[RFC 2616 Section 15.1.3 Encoding Sensitive Information in URI's].
|
||||
The disadvantage to this approach is that query parameters can be leaked. More genearlly, it is considered best practice to place sensitive data within the body or headers to ensure it is not leaked. Additional information can be found in https://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3[RFC 2616 Section 15.1.3 Encoding Sensitive Information in URI's].
|
||||
|
||||
==== HiddenHttpMethodFilter
|
||||
The HiddenHttpMethodFilter should be placed before the Spring Security filter. In general this is true, but it could have additional implications when protecting against CSRF attacks.
|
||||
@ -3729,7 +3729,7 @@ You can also specify a custom RequestMatcher to determine which requests are pro
|
||||
[[cors]]
|
||||
== CORS
|
||||
|
||||
Spring Framework provides http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#cors[first class support for CORS].
|
||||
Spring Framework provides https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#cors[first class support for CORS].
|
||||
CORS must be processed before Spring Security because the pre-flight request will not contain any cookies (i.e. the `JSESSIONID`).
|
||||
If the request does not contain any cookies and Spring Security is first, the request will determine the user is not authenticated (since there are no cookies in the request) and reject it.
|
||||
|
||||
@ -3994,7 +3994,7 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||
}
|
||||
----
|
||||
|
||||
If you actually want to cache specific responses, your application can selectively invoke http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#setHeader(java.lang.String,java.lang.String)[HttpServletResponse.setHeader(String,String)] to override the header set by Spring Security. This is useful to ensure things like CSS, JavaScript, and images are properly cached.
|
||||
If you actually want to cache specific responses, your application can selectively invoke https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#setHeader(java.lang.String,java.lang.String)[HttpServletResponse.setHeader(String,String)] to override the header set by Spring Security. This is useful to ensure things like CSS, JavaScript, and images are properly cached.
|
||||
|
||||
When using Spring Web MVC, this is typically done within your configuration. For example, the following configuration will ensure that the cache headers are set for all of your resources:
|
||||
|
||||
@ -4017,7 +4017,7 @@ public class WebMvcConfiguration extends WebMvcConfigurerAdapter {
|
||||
|
||||
[[headers-content-type-options]]
|
||||
==== Content Type Options
|
||||
Historically browsers, including Internet Explorer, would try to guess the content type of a request using http://en.wikipedia.org/wiki/Content_sniffing[content sniffing]. This allowed browsers to improve the user experience by guessing the content type on resources that had not specified the content type. For example, if a browser encountered a JavaScript file that did not have the content type specified, it would be able to guess the content type and then execute it.
|
||||
Historically browsers, including Internet Explorer, would try to guess the content type of a request using https://en.wikipedia.org/wiki/Content_sniffing[content sniffing]. This allowed browsers to improve the user experience by guessing the content type on resources that had not specified the content type. For example, if a browser encountered a JavaScript file that did not have the content type specified, it would be able to guess the content type and then execute it.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
@ -4068,13 +4068,13 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||
|
||||
[[headers-hsts]]
|
||||
==== HTTP Strict Transport Security (HSTS)
|
||||
When you type in your bank's website, do you enter mybank.example.com or do you enter https://mybank.example.com[]? If you omit the https protocol, you are potentially vulnerable to http://en.wikipedia.org/wiki/Man-in-the-middle_attack[Man in the Middle attacks]. Even if the website performs a redirect to https://mybank.example.com a malicious user could intercept the initial HTTP request and manipulate the response (i.e. redirect to https://mibank.example.com and steal their credentials).
|
||||
When you type in your bank's website, do you enter mybank.example.com or do you enter https://mybank.example.com[]? If you omit the https protocol, you are potentially vulnerable to https://en.wikipedia.org/wiki/Man-in-the-middle_attack[Man in the Middle attacks]. Even if the website performs a redirect to https://mybank.example.com a malicious user could intercept the initial HTTP request and manipulate the response (i.e. redirect to https://mibank.example.com and steal their credentials).
|
||||
|
||||
Many users omit the https protocol and this is why http://tools.ietf.org/html/rfc6797[HTTP Strict Transport Security (HSTS)] was created. Once mybank.example.com is added as a http://tools.ietf.org/html/rfc6797#section-5.1[HSTS host], a browser can know ahead of time that any request to mybank.example.com should be interpreted as https://mybank.example.com. This greatly reduces the possibility of a Man in the Middle attack occurring.
|
||||
Many users omit the https protocol and this is why https://tools.ietf.org/html/rfc6797[HTTP Strict Transport Security (HSTS)] was created. Once mybank.example.com is added as a https://tools.ietf.org/html/rfc6797#section-5.1[HSTS host], a browser can know ahead of time that any request to mybank.example.com should be interpreted as https://mybank.example.com. This greatly reduces the possibility of a Man in the Middle attack occurring.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
In accordance with http://tools.ietf.org/html/rfc6797#section-7.2[RFC6797], the HSTS header is only injected into HTTPS responses. In order for the browser to acknowledge the header, the browser must first trust the CA that signed the SSL certificate used to make the connection (not just the SSL certificate).
|
||||
In accordance with https://tools.ietf.org/html/rfc6797#section-7.2[RFC6797], the HSTS header is only injected into HTTPS responses. In order for the browser to acknowledge the header, the browser must first trust the CA that signed the SSL certificate used to make the connection (not just the SSL certificate).
|
||||
====
|
||||
|
||||
One way for a site to be marked as a HSTS host is to have the host preloaded into the browser. Another is to add the "Strict-Transport-Security" header to the response. For example the following would instruct the browser to treat the domain as an HSTS host for a year (there are approximately 31536000 seconds in a year):
|
||||
@ -4140,7 +4140,7 @@ For example, the following would instruct the user-agent to only report pin vali
|
||||
|
||||
[source]
|
||||
----
|
||||
Public-Key-Pins-Report-Only: max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; report-uri="http://example.net/pkp-report" ; includeSubDomains
|
||||
Public-Key-Pins-Report-Only: max-age=5184000 ; pin-sha256="d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" ; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" ; report-uri="https://example.net/pkp-report" ; includeSubDomains
|
||||
----
|
||||
|
||||
A https://tools.ietf.org/html/rfc7469#section-3[*_pin validation failure report_*] is a standard JSON structure that can be captured
|
||||
@ -4158,7 +4158,7 @@ Opposed to the other headers, Spring Security does not add HPKP by default. You
|
||||
<headers>
|
||||
<hpkp
|
||||
include-subdomains="true"
|
||||
report-uri="http://example.net/pkp-report">
|
||||
report-uri="https://example.net/pkp-report">
|
||||
<pins>
|
||||
<pin algorithm="sha256">d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=</pin>
|
||||
<pin algorithm="sha256">E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=</pin>
|
||||
@ -4183,7 +4183,7 @@ WebSecurityConfigurerAdapter {
|
||||
.headers()
|
||||
.httpPublicKeyPinning()
|
||||
.includeSubdomains(true)
|
||||
.reportUri("http://example.net/pkp-report")
|
||||
.reportUri("https://example.net/pkp-report")
|
||||
.addSha256Pins("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=", "E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
|
||||
}
|
||||
}
|
||||
@ -4191,7 +4191,7 @@ WebSecurityConfigurerAdapter {
|
||||
|
||||
[[headers-frame-options]]
|
||||
==== X-Frame-Options
|
||||
Allowing your website to be added to a frame can be a security issue. For example, using clever CSS styling users could be tricked into clicking on something that they were not intending (http://www.youtube.com/watch?v=3mk0RySeNsU[video demo]). For example, a user that is logged into their bank might click a button that grants access to other users. This sort of attack is known as http://en.wikipedia.org/wiki/Clickjacking[Clickjacking].
|
||||
Allowing your website to be added to a frame can be a security issue. For example, using clever CSS styling users could be tricked into clicking on something that they were not intending (https://www.youtube.com/watch?v=3mk0RySeNsU[video demo]). For example, a user that is logged into their bank might click a button that grants access to other users. This sort of attack is known as https://en.wikipedia.org/wiki/Clickjacking[Clickjacking].
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
@ -4248,7 +4248,7 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||
==== X-XSS-Protection
|
||||
Some browsers have built in support for filtering out https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)[reflected XSS attacks]. This is by no means foolproof, but does assist in XSS protection.
|
||||
|
||||
The filtering is typically enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when a XSS attack is detected. For example, the filter might try to change the content in the least invasive way to still render everything. At times, this type of replacement can become a http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/[XSS vulnerability in itself]. Instead, it is best to block the content rather than attempt to fix it. To do this we can add the following header:
|
||||
The filtering is typically enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when a XSS attack is detected. For example, the filter might try to change the content in the least invasive way to still render everything. At times, this type of replacement can become a https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/[XSS vulnerability in itself]. Instead, it is best to block the content rather than attempt to fix it. To do this we can add the following header:
|
||||
|
||||
[source]
|
||||
----
|
||||
@ -4433,7 +4433,7 @@ protected void configure(HttpSecurity http) throws Exception {
|
||||
Applying Content Security Policy to a web application is often a non-trivial undertaking.
|
||||
The following resources may provide further assistance in developing effective security policies for your site.
|
||||
|
||||
http://www.html5rocks.com/en/tutorials/security/content-security-policy/[An Introduction to Content Security Policy]
|
||||
https://www.html5rocks.com/en/tutorials/security/content-security-policy/[An Introduction to Content Security Policy]
|
||||
|
||||
https://developer.mozilla.org/en-US/docs/Web/Security/CSP[CSP Guide - Mozilla Developer Network]
|
||||
|
||||
@ -4552,7 +4552,7 @@ Let's take a look at an example of using an custom instance of `XFrameOptionsHea
|
||||
</headers>
|
||||
</http>
|
||||
<!-- Requires the c-namespace.
|
||||
See http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#beans-c-namespace
|
||||
See https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#beans-c-namespace
|
||||
-->
|
||||
<beans:bean id="frameOptionsWriter"
|
||||
class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"
|
||||
@ -4937,7 +4937,7 @@ When we've used the attribute `IS_AUTHENTICATED_ANONYMOUSLY` to grant anonymous
|
||||
|
||||
[[authz-custom-voter]]
|
||||
===== Custom Voters
|
||||
Obviously, you can also implement a custom `AccessDecisionVoter` and you can put just about any access-control logic you want in it. It might be specific to your application (business-logic related) or it might implement some security administration logic. For example, you'll find a http://spring.io/blog/2009/01/03/spring-security-customization-part-2-adjusting-secured-session-in-real-time[blog article] on the Spring web site which describes how to use a voter to deny access in real-time to users whose accounts have been suspended.
|
||||
Obviously, you can also implement a custom `AccessDecisionVoter` and you can put just about any access-control logic you want in it. It might be specific to your application (business-logic related) or it might implement some security administration logic. For example, you'll find a https://spring.io/blog/2009/01/03/spring-security-customization-part-2-adjusting-secured-session-in-real-time[blog article] on the Spring web site which describes how to use a voter to deny access in real-time to users whose accounts have been suspended.
|
||||
|
||||
|
||||
[[authz-after-invocation-handling]]
|
||||
@ -5676,7 +5676,7 @@ There are many different scenarios for how an LDAP server may be configured so S
|
||||
|
||||
You should be familiar with LDAP before trying to use it with Spring Security. The following link provides a good introduction to the concepts involved and a guide to setting up a directory using the free LDAP server OpenLDAP: http://www.zytrax.com/books/ldap/[http://www.zytrax.com/books/ldap/]. Some familiarity with the JNDI APIs used to access LDAP from Java may also be useful. We don't use any third-party LDAP libraries (Mozilla, JLDAP etc.) in the LDAP provider, but extensive use is made of Spring LDAP, so some familiarity with that project may be useful if you plan on adding your own customizations.
|
||||
|
||||
When using LDAP authentication, it is important to ensure that you configure LDAP connection pooling properly. If you are unfamiliar with how to do this, you can refer to the http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html[Java LDAP documentation].
|
||||
When using LDAP authentication, it is important to ensure that you configure LDAP connection pooling properly. If you are unfamiliar with how to do this, you can refer to the https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html[Java LDAP documentation].
|
||||
|
||||
=== Using LDAP with Spring Security
|
||||
LDAP authentication in Spring Security can be roughly divided into the following stages.
|
||||
@ -5796,7 +5796,7 @@ Often a more complicated strategy than simple DN-matching is required to locate
|
||||
|
||||
[[ldap-searchobjects-filter]]
|
||||
===== FilterBasedLdapUserSearch
|
||||
This bean uses an LDAP filter to match the user object in the directory. The process is explained in the Javadoc for the corresponding search method on the http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/directory/DirContext.html#search(javax.naming.Name%2C%2520java.lang.String%2C%2520java.lang.Object%5B%5D%2C%2520javax.naming.directory.SearchControls)[JDK DirContext class]. As explained there, the search filter can be supplied with parameters. For this class, the only valid parameter is `{0}` which will be replaced with the user's login name.
|
||||
This bean uses an LDAP filter to match the user object in the directory. The process is explained in the Javadoc for the corresponding search method on the https://java.sun.com/j2se/1.4.2/docs/api/javax/naming/directory/DirContext.html#search(javax.naming.Name%2C%2520java.lang.String%2C%2520java.lang.Object%5B%5D%2C%2520javax.naming.directory.SearchControls)[JDK DirContext class]. As explained there, the search filter can be supplied with parameters. For this class, the only valid parameter is `{0}` which will be replaced with the user's login name.
|
||||
|
||||
|
||||
[[ldap-authorities]]
|
||||
@ -6029,13 +6029,13 @@ You should place `csrfMetaTags` within an HTML `<head></head>` block, where you
|
||||
|
||||
// using XMLHttpRequest directly to send an x-www-form-urlencoded request
|
||||
var ajax = new XMLHttpRequest();
|
||||
ajax.open("POST", "http://www.example.org/do/something", true);
|
||||
ajax.open("POST", "https://www.example.org/do/something", true);
|
||||
ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded data");
|
||||
ajax.send(csrfParameter + "=" + csrfToken + "&name=John&...");
|
||||
|
||||
// using XMLHttpRequest directly to send a non-x-www-form-urlencoded request
|
||||
var ajax = new XMLHttpRequest();
|
||||
ajax.open("POST", "http://www.example.org/do/something", true);
|
||||
ajax.open("POST", "https://www.example.org/do/something", true);
|
||||
ajax.setRequestHeader(csrfHeader, csrfToken);
|
||||
ajax.send("...");
|
||||
|
||||
@ -6045,7 +6045,7 @@ You should place `csrfMetaTags` within an HTML `<head></head>` block, where you
|
||||
data["name"] = "John";
|
||||
...
|
||||
$.ajax({
|
||||
url: "http://www.example.org/do/something",
|
||||
url: "https://www.example.org/do/something",
|
||||
type: "POST",
|
||||
data: data,
|
||||
...
|
||||
@ -6055,7 +6055,7 @@ You should place `csrfMetaTags` within an HTML `<head></head>` block, where you
|
||||
var headers = {};
|
||||
headers[csrfHeader] = csrfToken;
|
||||
$.ajax({
|
||||
url: "http://www.example.org/do/something",
|
||||
url: "https://www.example.org/do/something",
|
||||
type: "POST",
|
||||
headers: headers,
|
||||
...
|
||||
@ -6167,7 +6167,7 @@ class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticatio
|
||||
|
||||
[[jaas-jaasauthenticationprovider]]
|
||||
=== JaasAuthenticationProvider
|
||||
The `JaasAuthenticationProvider` assumes the default `Configuration` is an instance of http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html[ ConfigFile]. This assumption is made in order to attempt to update the `Configuration`. The `JaasAuthenticationProvider` then uses the default `Configuration` to create the `LoginContext`.
|
||||
The `JaasAuthenticationProvider` assumes the default `Configuration` is an instance of https://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/login/ConfigFile.html[ ConfigFile]. This assumption is made in order to attempt to update the `Configuration`. The `JaasAuthenticationProvider` then uses the default `Configuration` to create the `LoginContext`.
|
||||
|
||||
Let's assume we have a JAAS login configuration file, `/WEB-INF/login.conf`, with the following contents:
|
||||
|
||||
@ -6221,7 +6221,7 @@ This integration can easily be configured using the <<nsa-http-jaas-api-provisio
|
||||
=== Overview
|
||||
JA-SIG produces an enterprise-wide single sign on system known as CAS. Unlike other initiatives, JA-SIG's Central Authentication Service is open source, widely used, simple to understand, platform independent, and supports proxy capabilities. Spring Security fully supports CAS, and provides an easy migration path from single-application deployments of Spring Security through to multiple-application deployments secured by an enterprise-wide CAS server.
|
||||
|
||||
You can learn more about CAS at http://www.ja-sig.org/cas. You will also need to visit this site to download the CAS Server files.
|
||||
You can learn more about CAS at https://www.apereo.org. You will also need to visit this site to download the CAS Server files.
|
||||
|
||||
[[cas-how-it-works]]
|
||||
=== How CAS Works
|
||||
@ -6561,7 +6561,7 @@ The most common use of X.509 certificate authentication is in verifying the iden
|
||||
|
||||
You can also use SSL with "mutual authentication"; the server will then request a valid certificate from the client as part of the SSL handshake. The server will authenticate the client by checking that its certificate is signed by an acceptable authority. If a valid certificate has been provided, it can be obtained through the servlet API in an application. Spring Security X.509 module extracts the certificate using a filter. It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure.
|
||||
|
||||
You should be familiar with using certificates and setting up client authentication for your servlet container before attempting to use it with Spring Security. Most of the work is in creating and installing suitable certificates and keys. For example, if you're using Tomcat then read the instructions here http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html[http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html]. It's important that you get this working before trying it out with Spring Security
|
||||
You should be familiar with using certificates and setting up client authentication for your servlet container before attempting to use it with Spring Security. Most of the work is in creating and installing suitable certificates and keys. For example, if you're using Tomcat then read the instructions here https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html[https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html]. It's important that you get this working before trying it out with Spring Security
|
||||
|
||||
|
||||
=== Adding X.509 Authentication to Your Web Application
|
||||
@ -6934,7 +6934,7 @@ NOTE: As of Spring Security 4.0, `@EnableWebMvcSecurity` is deprecated. The repl
|
||||
|
||||
To enable Spring Security integration with Spring MVC add the `@EnableWebSecurity` annotation to your configuration.
|
||||
|
||||
NOTE: Spring Security provides the configuration using Spring MVC's http://docs.spring.io/spring-framework/docs/4.1.x/spring-framework-reference/htmlsingle/#mvc-config-customize[WebMvcConfigurerAdapter]. This means that if you are using more advanced options, like integrating with `WebMvcConfigurationSupport` directly, then you will need to manually provide the Spring Security configuration.
|
||||
NOTE: Spring Security provides the configuration using Spring MVC's https://docs.spring.io/spring-framework/docs/4.1.x/spring-framework-reference/htmlsingle/#mvc-config-customize[WebMvcConfigurerAdapter]. This means that if you are using more advanced options, like integrating with `WebMvcConfigurationSupport` directly, then you will need to manually provide the Spring Security configuration.
|
||||
|
||||
[[mvc-requestmatcher]]
|
||||
=== MvcRequestMatcher
|
||||
@ -7189,7 +7189,7 @@ public ModelAndView findMessagesForUser(@CurrentUser CustomUser customUser) {
|
||||
[[mvc-async]]
|
||||
=== Spring MVC Async Integration
|
||||
|
||||
Spring Web MVC 3.2+ has excellent support for http://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-ann-async[Asynchronous Request Processing]. With no additional configuration, Spring Security will automatically setup the `SecurityContext` to the `Thread` that executes a `Callable` returned by your controllers. For example, the following method will automatically have its `Callable` executed with the `SecurityContext` that was available when the `Callable` was created:
|
||||
Spring Web MVC 3.2+ has excellent support for https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-ann-async[Asynchronous Request Processing]. With no additional configuration, Spring Security will automatically setup the `SecurityContext` to the `Thread` that executes a `Callable` returned by your controllers. For example, the following method will automatically have its `Callable` executed with the `SecurityContext` that was available when the `Callable` was created:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@ -7220,7 +7220,7 @@ However, you can still use <<concurrency,Concurrency Support>> to provide transp
|
||||
|
||||
==== Automatic Token Inclusion
|
||||
|
||||
Spring Security will automatically <<csrf-include-csrf-token,include the CSRF Token>> within forms that use the http://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag]. For example, the following JSP:
|
||||
Spring Security will automatically <<csrf-include-csrf-token,include the CSRF Token>> within forms that use the https://docs.spring.io/spring/docs/3.2.x/spring-framework-reference/html/view.html#view-jsp-formtaglib-formtag[Spring MVC form tag]. For example, the following JSP:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
@ -7673,7 +7673,7 @@ END;
|
||||
|
||||
[[appendix-namespace]]
|
||||
== The Security Namespace
|
||||
This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document). If you haven't used the namespace before, please read the <<ns-config,introductory chapter>> on namespace configuration, as this is intended as a supplement to the information there. Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose. The namespace is written in http://www.relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema. If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/master/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc[schema file] directly.
|
||||
This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document). If you haven't used the namespace before, please read the <<ns-config,introductory chapter>> on namespace configuration, as this is intended as a supplement to the information there. Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose. The namespace is written in https://relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema. If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/master/config/src/main/resources/org/springframework/security/config/spring-security-4.1.rnc[schema file] directly.
|
||||
|
||||
[[nsa-web]]
|
||||
=== Web Application Security
|
||||
@ -7864,9 +7864,9 @@ This element allows for configuring additional (security) headers to be send wit
|
||||
|
||||
** `Cache-Control`, `Pragma`, and `Expires` - Can be set using the <<nsa-cache-control,cache-control>> element. This ensures that the browser does not cache your secured pages.
|
||||
** `Strict-Transport-Security` - Can be set using the <<nsa-hsts,hsts>> element. This ensures that the browser automatically requests HTTPS for future requests.
|
||||
** `X-Frame-Options` - Can be set using the <<nsa-frame-options,frame-options>> element. The http://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options[X-Frame-Options] header can be used to prevent clickjacking attacks.
|
||||
** `X-XSS-Protection` - Can be set using the <<nsa-xss-protection,xss-protection>> element. The http://en.wikipedia.org/wiki/Cross-site_scripting[X-XSS-Protection ] header can be used by browser to do basic control.
|
||||
** `X-Content-Type-Options` - Can be set using the <<nsa-content-type-options,content-type-options>> element. The http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx[X-Content-Type-Options] header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.
|
||||
** `X-Frame-Options` - Can be set using the <<nsa-frame-options,frame-options>> element. The https://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options[X-Frame-Options] header can be used to prevent clickjacking attacks.
|
||||
** `X-XSS-Protection` - Can be set using the <<nsa-xss-protection,xss-protection>> element. The https://en.wikipedia.org/wiki/Cross-site_scripting[X-XSS-Protection ] header can be used by browser to do basic control.
|
||||
** `X-Content-Type-Options` - Can be set using the <<nsa-content-type-options,content-type-options>> element. The https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx[X-Content-Type-Options] header prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.
|
||||
** `Public-Key-Pinning` or `Public-Key-Pinning-Report-Only` - Can be set using the <<nsa-hpkp,hpkp>> element. This allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
|
||||
** `Content-Security-Policy` or `Content-Security-Policy-Report-Only` - Can be set using the <<nsa-content-security-policy,content-security-policy>> element. https://www.w3.org/TR/CSP2/[Content Security Policy (CSP)] is a mechanism that web applications can leverage to mitigate content injection vulnerabilities, such as cross-site scripting (XSS).
|
||||
** `Referrer-Policy` - Can be set using the <<nsa-referrer-policy,referrer-policy>> element, https://www.w3.org/TR/referrer-policy/[Referrer-Policy] is a mechanism that web applications can leverage to manage the referrer field, which contains the last page the user was on.
|
||||
@ -7931,7 +7931,7 @@ Specifies if Cache Control should be disabled. Default false.
|
||||
|
||||
[[nsa-hsts]]
|
||||
==== <hsts>
|
||||
When enabled adds the http://tools.ietf.org/html/rfc6797[Strict-Transport-Security] header to the response for any secure request. This allows the server to instruct browsers to automatically use HTTPS for future requests.
|
||||
When enabled adds the https://tools.ietf.org/html/rfc6797[Strict-Transport-Security] header to the response for any secure request. This allows the server to instruct browsers to automatically use HTTPS for future requests.
|
||||
|
||||
|
||||
[[nsa-hsts-attributes]]
|
||||
@ -8073,7 +8073,7 @@ The policy for the Referrer-Policy header. Default "no-referrer".
|
||||
|
||||
[[nsa-frame-options]]
|
||||
==== <frame-options>
|
||||
When enabled adds the http://tools.ietf.org/html/draft-ietf-websec-x-frame-options[X-Frame-Options header] to the response, this allows newer browsers to do some security checks and prevent http://en.wikipedia.org/wiki/Clickjacking[clickjacking] attacks.
|
||||
When enabled adds the https://tools.ietf.org/html/draft-ietf-websec-x-frame-options[X-Frame-Options header] to the response, this allows newer browsers to do some security checks and prevent https://en.wikipedia.org/wiki/Clickjacking[clickjacking] attacks.
|
||||
|
||||
|
||||
[[nsa-frame-options-attributes]]
|
||||
@ -8128,7 +8128,7 @@ Specify the name of the request parameter to use when using regexp or whitelist
|
||||
|
||||
[[nsa-xss-protection]]
|
||||
==== <xss-protection>
|
||||
Adds the http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx[X-XSS-Protection header] to the response to assist in protecting against http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] attacks. This is in no-way a full protection to XSS attacks!
|
||||
Adds the https://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx[X-XSS-Protection header] to the response to assist in protecting against https://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] attacks. This is in no-way a full protection to XSS attacks!
|
||||
|
||||
|
||||
[[nsa-xss-protection-attributes]]
|
||||
@ -8137,12 +8137,12 @@ Adds the http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-
|
||||
|
||||
[[nsa-xss-protection-disabled]]
|
||||
* **xss-protection-disabled**
|
||||
Do not include the header for http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] protection.
|
||||
Do not include the header for https://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] protection.
|
||||
|
||||
|
||||
[[nsa-xss-protection-enabled]]
|
||||
* **xss-protection-enabled**
|
||||
Explicitly enable or disable http://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] protection.
|
||||
Explicitly enable or disable https://en.wikipedia.org/wiki/Cross-site_scripting#Non-Persistent[reflected / Type-1 Cross-Site Scripting (XSS)] protection.
|
||||
|
||||
|
||||
[[nsa-xss-protection-block]]
|
||||
@ -8159,7 +8159,7 @@ When true and xss-protection-enabled is true, adds mode=block to the header. Thi
|
||||
|
||||
[[nsa-content-type-options]]
|
||||
==== <content-type-options>
|
||||
Add the X-Content-Type-Options header with the value of nosniff to the response. This http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx[disables MIME-sniffing] for IE8+ and Chrome extensions.
|
||||
Add the X-Content-Type-Options header with the value of nosniff to the response. This https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx[disables MIME-sniffing] for IE8+ and Chrome extensions.
|
||||
|
||||
|
||||
[[nsa-content-type-options-attributes]]
|
||||
@ -8248,7 +8248,7 @@ The username that should be assigned to the anonymous request. This allows the p
|
||||
|
||||
[[nsa-csrf]]
|
||||
==== <csrf>
|
||||
This element will add http://en.wikipedia.org/wiki/Cross-site_request_forgery[Cross Site Request Forger (CSRF)] protection to the application. It also updates the default RequestCache to only replay "GET" requests upon successful authentication. Additional information can be found in the <<csrf,Cross Site Request Forgery (CSRF)>> section of the reference.
|
||||
This element will add https://en.wikipedia.org/wiki/Cross-site_request_forgery[Cross Site Request Forger (CSRF)] protection to the application. It also updates the default RequestCache to only replay "GET" requests upon successful authentication. Additional information can be found in the <<csrf,Cross Site Request Forgery (CSRF)>> section of the reference.
|
||||
|
||||
|
||||
[[nsa-csrf-parents]]
|
||||
@ -8707,7 +8707,7 @@ A regular expression which will be compared against the claimed identity, when d
|
||||
|
||||
[[nsa-openid-attribute]]
|
||||
==== <openid-attribute>
|
||||
Attributes used when making an OpenID AX http://openid.net/specs/openid-attribute-exchange-1_0.html#fetch_request[ Fetch Request]
|
||||
Attributes used when making an OpenID AX https://openid.net/specs/openid-attribute-exchange-1_0.html#fetch_request[ Fetch Request]
|
||||
|
||||
|
||||
[[nsa-openid-attribute-parents]]
|
||||
@ -8739,7 +8739,7 @@ Specifies if this attribute is required to the OP, but does not error out if the
|
||||
|
||||
[[nsa-openid-attribute-type]]
|
||||
* **type**
|
||||
Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
Specifies the attribute type. For example, https://axschema.org/contact/email. See your OP's documentation for valid attribute types.
|
||||
|
||||
|
||||
[[nsa-port-mappings]]
|
||||
|
@ -108,7 +108,7 @@ import org.springframework.util.Assert;
|
||||
* this means that if the LDAP directory is configured to allow unauthenticated access, it
|
||||
* might be possible to authenticate as <i>any</i> user just by supplying an empty
|
||||
* password. More information on the misuse of unauthenticated access can be found in
|
||||
* <a href="http://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt"> draft
|
||||
* <a href="https://www.ietf.org/internet-drafts/draft-ietf-ldapbis-authmeth-19.txt"> draft
|
||||
* -ietf-ldapbis-authmeth-19.txt</a>.
|
||||
*
|
||||
*
|
||||
|
@ -51,7 +51,7 @@ import java.util.regex.Pattern;
|
||||
* conventions.
|
||||
* <p>
|
||||
* It will authenticate using the Active Directory <a
|
||||
* href="http://msdn.microsoft.com/en-us/library/ms680857%28VS.85%29.aspx">
|
||||
* href="https://msdn.microsoft.com/en-us/library/ms680857%28VS.85%29.aspx">
|
||||
* {@code userPrincipalName}</a> or a custom {@link #setSearchFilter(String) searchFilter}
|
||||
* in the form {@code username@domain}. If the username does not already end with the
|
||||
* domain name, the {@code userPrincipalName} will be built by appending the configured
|
||||
|
@ -23,7 +23,7 @@ import javax.naming.ldap.Control;
|
||||
* A Password Policy request control.
|
||||
* <p>
|
||||
* Based on the information in the corresponding <a href=
|
||||
* "http://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt"
|
||||
* "https://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt"
|
||||
* > internet draft on LDAP password policy</a>
|
||||
*
|
||||
* @author Stefan Zoerner
|
||||
|
@ -46,7 +46,7 @@ import org.springframework.dao.DataRetrievalFailureException;
|
||||
* @author Luke Taylor
|
||||
*
|
||||
* @see org.springframework.security.ldap.ppolicy.PasswordPolicyControl
|
||||
* @see <a href="http://www.ibm.com/developerworks/tivoli/library/t-ldap-controls/">Stefan
|
||||
* @see <a href="https://www.ibm.com/developerworks/tivoli/library/t-ldap-controls/">Stefan
|
||||
* Zoerner's IBM developerworks article on LDAP controls.</a>
|
||||
*/
|
||||
public class PasswordPolicyResponseControl extends PasswordPolicyControl {
|
||||
|
@ -15,7 +15,7 @@
|
||||
*/
|
||||
/**
|
||||
* Implementation of password policy functionality based on the
|
||||
* <a href="http://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt">
|
||||
* <a href="https://tools.ietf.org/draft/draft-behera-ldap-password-policy/draft-behera-ldap-password-policy-09.txt">
|
||||
* Password Policy for LDAP Directories</a>.
|
||||
* <p>
|
||||
* This code will not work with servers such as Active Directory, which do not implement this standard.
|
||||
|
@ -7,7 +7,7 @@
|
||||
must include the following acknowledgement:
|
||||
|
||||
"This product includes software developed by Spring Security
|
||||
Project (http://www.springframework.org/security)."
|
||||
Project (https://www.springframework.org/security)."
|
||||
|
||||
Alternately, this acknowledgement may appear in the software itself,
|
||||
if and wherever such third-party acknowledgements normally appear.
|
||||
|
@ -249,12 +249,12 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
|
||||
* Maps the <tt>return_to url</tt> to a realm, for example:
|
||||
*
|
||||
* <pre>
|
||||
* http://www.example.com/login/openid -> http://www.example.com/realm
|
||||
* https://www.example.com/login/openid -> https://www.example.com/realm
|
||||
* </pre>
|
||||
*
|
||||
* If no mapping is provided then the returnToUrl will be parsed to extract the
|
||||
* protocol, hostname and port followed by a trailing slash. This means that
|
||||
* <tt>http://www.example.com/login/openid</tt> will automatically become
|
||||
* <tt>https://www.example.com/login/openid</tt> will automatically become
|
||||
* <tt>http://www.example.com:80/</tt>
|
||||
*
|
||||
* @param realmMapping containing returnToUrl -> realm mappings
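Review bot: The example in this Javadoc is now internally inconsistent: the changed `<tt>` line says `https://www.example.com/login/openid` will automatically become `http://www.example.com:80/`, while the sentence before it says the realm is built from the return-to URL's protocol, hostname and port. With an https return-to URL that rule gives `https://www.example.com:443/`, so either the result line should read `* <tt>https://www.example.com:443/</tt>` or the changed line should go back to `* <tt>http://www.example.com/login/openid</tt>` so that both sides of the example stay http. This looks like a side effect of the `:80` URL being one the migration could not resolve, so it was left as-is while its counterpart was rewritten. The Javadoc block and the method it documents continue outside the hunk.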
|
||||
|
@ -1,5 +1,5 @@
|
||||
<html>
|
||||
<body>
|
||||
Authenticates standard web browser users via <a href="http://openid.net">OpenID</a>.
|
||||
Authenticates standard web browser users via <a href="https://openid.net">OpenID</a>.
|
||||
</body>
|
||||
</html>
|
@ -36,8 +36,8 @@ import org.springframework.security.web.authentication.SavedRequestAwareAuthenti
|
||||
public class OpenIDAuthenticationFilterTests {
|
||||
|
||||
OpenIDAuthenticationFilter filter;
|
||||
private static final String REDIRECT_URL = "http://www.example.com/redirect";
|
||||
private static final String CLAIMED_IDENTITY_URL = "http://www.example.com/identity";
|
||||
private static final String REDIRECT_URL = "https://www.example.com/redirect";
|
||||
private static final String CLAIMED_IDENTITY_URL = "https://www.example.com/identity";
|
||||
private static final String REQUEST_PATH = "/login/openid";
|
||||
private static final String FILTER_PROCESS_URL = "http://localhost:8080"
|
||||
+ REQUEST_PATH;
|
||||
@ -95,7 +95,7 @@ public class OpenIDAuthenticationFilterTests {
|
||||
public void encodesUrlParameters() throws Exception {
|
||||
// Arbitrary parameter name and value that will both need to be encoded:
|
||||
String paramName = "foo&bar";
|
||||
String paramValue = "http://example.com/path?a=b&c=d";
|
||||
String paramValue = "https://example.com/path?a=b&c=d";
|
||||
MockHttpServletRequest req = new MockHttpServletRequest("GET", REQUEST_PATH);
|
||||
req.addParameter(paramName, paramValue);
|
||||
filter.setReturnToUrlParameters(Collections.singleton(paramName));
|
||||
|
@ -57,7 +57,7 @@ public interface DnsResolver {
|
||||
* number in the DNS record) and if there are more than one records with the same
|
||||
* priority, it will return the one with the highest weight. You will find more
|
||||
* informatione about DNS service records at <a
|
||||
* href="http://en.wikipedia.org/wiki/SRV_record">Wikipedia</a>.
|
||||
* href="https://en.wikipedia.org/wiki/SRV_record">Wikipedia</a>.
|
||||
*
|
||||
* @param serviceType The service type you are searching for, e.g. ldap, kerberos, ...
|
||||
* @param domain The domain, in which you are searching for the service
|
||||
|
@ -113,7 +113,7 @@ public class JndiDnsResolverTests {
|
||||
BasicAttribute record = new BasicAttribute("SRV");
|
||||
// the structure of the service records is:
|
||||
// priority weight port hostname
|
||||
// for more information: http://en.wikipedia.org/wiki/SRV_record
|
||||
// for more information: https://en.wikipedia.org/wiki/SRV_record
|
||||
record.add("20 80 389 kdc3.springsource.com.");
|
||||
record.add("10 70 389 kdc.springsource.com.");
|
||||
record.add("20 20 389 kdc4.springsource.com.");
|
||||
|
@ -1,5 +1,5 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org" xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
|
||||
<head>
|
||||
<title>Hello Spring Security</title>
|
||||
<meta charset="utf-8" />
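Review bot: The `xmlns:th` and `xmlns:sec` values on the new `<html>` line are XML namespace identifiers, not links, so changing their scheme changes the identifier rather than the address anything fetches; the same line deliberately leaves `xmlns="http://www.w3.org/1999/xhtml"` untouched for that reason. Thymeleaf 3 matches attributes by prefix and may ignore the declared namespace value, but whether these samples are processed by a version or tooling (XML validation, IDE dialect support) that does check the URI cannot be told from the hunk, so the safer change is to keep `xmlns:th="http://www.thymeleaf.org"` and `xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4"` as the dialects declare them. The same rewrite is made in the sections starting at lines 6069, 6091, 6113, 6135, 6157 and 6179.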
|
||||
|
@ -1,5 +1,5 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||
<head>
|
||||
<title>Login page</title>
|
||||
<meta charset="utf-8" />
|
||||
|
@ -1,5 +1,5 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||
<head>
|
||||
<title>Hello Spring Security</title>
|
||||
<meta charset="utf-8" />
|
||||
|
@ -1,5 +1,5 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||
<head>
|
||||
<title>Hello Spring Security</title>
|
||||
<meta charset="utf-8" />
|
||||
|
@ -1,5 +1,5 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||
<head>
|
||||
<title>Login page</title>
|
||||
<meta charset="utf-8" />
|
||||
|
@ -1,5 +1,5 @@
|
||||
<!DOCTYPE html>
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
|
||||
<head>
|
||||
<title>Hello Spring Security</title>
|
||||
<meta charset="utf-8" />
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>Please Login</title>
|
||||
</head>
|
||||
|
@ -1,6 +1,6 @@
|
||||
/* ===================================================
|
||||
* bootstrap-transition.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#transitions
|
||||
* https://twitter.github.com/bootstrap/javascript.html#transitions
|
||||
* ===================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -23,7 +23,7 @@
|
||||
"use strict"; // jshint ;_;
|
||||
|
||||
|
||||
/* CSS TRANSITION SUPPORT (http://www.modernizr.com/)
|
||||
/* CSS TRANSITION SUPPORT (https://www.modernizr.com/)
|
||||
* ======================================================= */
|
||||
|
||||
$(function () {
|
||||
@ -59,7 +59,7 @@
|
||||
|
||||
}(window.jQuery);/* ==========================================================
|
||||
* bootstrap-alert.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#alerts
|
||||
* https://twitter.github.com/bootstrap/javascript.html#alerts
|
||||
* ==========================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -157,7 +157,7 @@
|
||||
|
||||
}(window.jQuery);/* ============================================================
|
||||
* bootstrap-button.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#buttons
|
||||
* https://twitter.github.com/bootstrap/javascript.html#buttons
|
||||
* ============================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -261,7 +261,7 @@
|
||||
|
||||
}(window.jQuery);/* ==========================================================
|
||||
* bootstrap-carousel.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#carousel
|
||||
* https://twitter.github.com/bootstrap/javascript.html#carousel
|
||||
* ==========================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -467,7 +467,7 @@
|
||||
|
||||
}(window.jQuery);/* =============================================================
|
||||
* bootstrap-collapse.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#collapse
|
||||
* https://twitter.github.com/bootstrap/javascript.html#collapse
|
||||
* =============================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -633,7 +633,7 @@
|
||||
|
||||
}(window.jQuery);/* ============================================================
|
||||
* bootstrap-dropdown.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#dropdowns
|
||||
* https://twitter.github.com/bootstrap/javascript.html#dropdowns
|
||||
* ============================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -802,7 +802,7 @@
|
||||
}(window.jQuery);
|
||||
/* =========================================================
|
||||
* bootstrap-modal.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#modals
|
||||
* https://twitter.github.com/bootstrap/javascript.html#modals
|
||||
* =========================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -1049,7 +1049,7 @@
|
||||
}(window.jQuery);
|
||||
/* ===========================================================
|
||||
* bootstrap-tooltip.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#tooltips
|
||||
* https://twitter.github.com/bootstrap/javascript.html#tooltips
|
||||
* Inspired by the original jQuery.tipsy by Jason Frame
|
||||
* ===========================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
@ -1410,7 +1410,7 @@
|
||||
}(window.jQuery);
|
||||
/* ===========================================================
|
||||
* bootstrap-popover.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#popovers
|
||||
* https://twitter.github.com/bootstrap/javascript.html#popovers
|
||||
* ===========================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -1524,7 +1524,7 @@
|
||||
}(window.jQuery);
|
||||
/* =============================================================
|
||||
* bootstrap-scrollspy.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#scrollspy
|
||||
* https://twitter.github.com/bootstrap/javascript.html#scrollspy
|
||||
* =============================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -1685,7 +1685,7 @@
|
||||
|
||||
}(window.jQuery);/* ========================================================
|
||||
* bootstrap-tab.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#tabs
|
||||
* https://twitter.github.com/bootstrap/javascript.html#tabs
|
||||
* ========================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -1828,7 +1828,7 @@
|
||||
|
||||
}(window.jQuery);/* =============================================================
|
||||
* bootstrap-typeahead.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#typeahead
|
||||
* https://twitter.github.com/bootstrap/javascript.html#typeahead
|
||||
* =============================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
@ -2163,7 +2163,7 @@
|
||||
}(window.jQuery);
|
||||
/* ==========================================================
|
||||
* bootstrap-affix.js v2.3.2
|
||||
* http://twitter.github.com/bootstrap/javascript.html#affix
|
||||
* https://twitter.github.com/bootstrap/javascript.html#affix
|
||||
* ==========================================================
|
||||
* Copyright 2012 Twitter, Inc.
|
||||
*
|
||||
|
@ -1,13 +1,13 @@
|
||||
/*!
|
||||
* jQuery JavaScript Library v1.8.3
|
||||
* http://jquery.com/
|
||||
* https://jquery.com/
|
||||
*
|
||||
* Includes Sizzle.js
|
||||
* http://sizzlejs.com/
|
||||
* https://sizzlejs.com/
|
||||
*
|
||||
* Copyright 2012 jQuery Foundation and other contributors
|
||||
* Released under the MIT license
|
||||
* http://jquery.org/license
|
||||
* https://jquery.org/license
|
||||
*
|
||||
* Date: Tue Nov 13 2012 08:20:33 GMT-0500 (Eastern Standard Time)
|
||||
*/
|
||||
@ -515,7 +515,7 @@ jQuery.extend({
|
||||
}
|
||||
|
||||
// Make sure the incoming data is actual JSON
|
||||
// Logic borrowed from http://json.org/json2.js
|
||||
// Logic borrowed from https://json.org/json2.js
|
||||
if ( rvalidchars.test( data.replace( rvalidescape, "@" )
|
||||
.replace( rvalidtokens, "]" )
|
||||
.replace( rvalidbraces, "")) ) {
|
||||
@ -554,7 +554,7 @@ jQuery.extend({
|
||||
|
||||
// Evaluates a script in a global context
|
||||
// Workarounds based on findings by Jim Driscoll
|
||||
// http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
|
||||
// https://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
|
||||
globalEval: function( data ) {
|
||||
if ( data && core_rnotwhite.test( data ) ) {
|
||||
// We use execScript on Internet Explorer
|
||||
@ -846,7 +846,7 @@ jQuery.ready.promise = function( obj ) {
|
||||
|
||||
// Catch cases where $(document).ready() is called after the browser event has already occurred.
|
||||
// we once tried to use readyState "interactive" here, but it caused issues like the one
|
||||
// discovered by ChrisS here: http://bugs.jquery.com/ticket/12282#comment:15
|
||||
// discovered by ChrisS here: https://bugs.jquery.com/ticket/12282#comment:15
|
||||
if ( document.readyState === "complete" ) {
|
||||
// Handle it asynchronously to allow scripts the opportunity to delay ready
|
||||
setTimeout( jQuery.ready, 1 );
|
||||
@ -1945,7 +1945,7 @@ jQuery.fn.extend({
|
||||
});
|
||||
},
|
||||
// Based off of the plugin by Clint Helfers, with permission.
|
||||
// http://blindsignals.com/index.php/2009/07/jquery-delay/
|
||||
// http://blindsignals.com
|
||||
delay: function( time, type ) {
|
||||
time = jQuery.fx ? jQuery.fx.speeds[ time ] || time : time;
|
||||
type = type || "fx";
|
||||
@ -2452,7 +2452,7 @@ jQuery.extend({
|
||||
tabIndex: {
|
||||
get: function( elem ) {
|
||||
// elem.tabIndex doesn't always return the correct value when it hasn't been explicitly set
|
||||
// http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/
|
||||
// https://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/
|
||||
var attributeNode = elem.getAttributeNode("tabindex");
|
||||
|
||||
return attributeNode && attributeNode.specified ?
|
||||
@ -3279,7 +3279,7 @@ function returnTrue() {
|
||||
}
|
||||
|
||||
// jQuery.Event is based on DOM3 Events as specified by the ECMAScript Language Binding
|
||||
// http://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html
|
||||
// https://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html
|
||||
jQuery.Event.prototype = {
|
||||
preventDefault: function() {
|
||||
this.isDefaultPrevented = returnTrue;
|
||||
@ -3664,7 +3664,7 @@ jQuery.each( ("blur focus focusin focusout load resize scroll unload click dblcl
|
||||
* Sizzle CSS Selector Engine
|
||||
* Copyright 2012 jQuery Foundation and other contributors
|
||||
* Released under the MIT license
|
||||
* http://sizzlejs.com/
|
||||
* https://sizzlejs.com/
|
||||
*/
|
||||
(function( window, undefined ) {
|
||||
|
||||
@ -3731,17 +3731,17 @@ var cachedruns,
|
||||
|
||||
// Regex
|
||||
|
||||
// Whitespace characters http://www.w3.org/TR/css3-selectors/#whitespace
|
||||
// Whitespace characters https://www.w3.org/TR/css3-selectors/#whitespace
|
||||
whitespace = "[\\x20\\t\\r\\n\\f]",
|
||||
// http://www.w3.org/TR/css3-syntax/#characters
|
||||
// https://www.w3.org/TR/css3-syntax/#characters
|
||||
characterEncoding = "(?:\\\\.|[-\\w]|[^\\x00-\\xa0])+",
|
||||
|
||||
// Loosely modeled on CSS identifier characters
|
||||
// An unquoted value should be a CSS identifier (http://www.w3.org/TR/css3-selectors/#attribute-selectors)
|
||||
// Proper syntax: http://www.w3.org/TR/CSS21/syndata.html#value-def-identifier
|
||||
// An unquoted value should be a CSS identifier (https://www.w3.org/TR/css3-selectors/#attribute-selectors)
|
||||
// Proper syntax: https://www.w3.org/TR/CSS21/syndata.html#value-def-identifier
|
||||
identifier = characterEncoding.replace( "w", "w#" ),
|
||||
|
||||
// Acceptable operators http://www.w3.org/TR/selectors/#attribute-selectors
|
||||
// Acceptable operators https://www.w3.org/TR/selectors/#attribute-selectors
|
||||
operators = "([*^$|!~]?=)",
|
||||
attributes = "\\[" + whitespace + "*(" + characterEncoding + ")" + whitespace +
|
||||
"*(?:" + operators + whitespace + "*(?:(['\"])((?:\\\\.|[^\\\\])*?)\\3|(" + identifier + ")|)|)" + whitespace + "*\\]",
|
||||
@ -4350,7 +4350,7 @@ Expr = Sizzle.selectors = {
|
||||
|
||||
"PSEUDO": function( pseudo, argument ) {
|
||||
// pseudo-class names are case-insensitive
|
||||
// http://www.w3.org/TR/selectors/#pseudo-classes
|
||||
// https://www.w3.org/TR/selectors/#pseudo-classes
|
||||
// Prioritize by case sensitivity in case custom pseudos are added with uppercase letters
|
||||
// Remember that setFilters inherits from pseudos
|
||||
var args,
|
||||
@ -4437,7 +4437,7 @@ Expr = Sizzle.selectors = {
|
||||
|
||||
"checked": function( elem ) {
|
||||
// In CSS3, :checked should return both checked and selected elements
|
||||
// http://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked
|
||||
// https://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked
|
||||
var nodeName = elem.nodeName.toLowerCase();
|
||||
return (nodeName === "input" && !!elem.checked) || (nodeName === "option" && !!elem.selected);
|
||||
},
|
||||
@ -4457,7 +4457,7 @@ Expr = Sizzle.selectors = {
|
||||
},
|
||||
|
||||
"empty": function( elem ) {
|
||||
// http://www.w3.org/TR/selectors/#empty-pseudo
|
||||
// https://www.w3.org/TR/selectors/#empty-pseudo
|
||||
// :empty is only affected by element nodes and content nodes(including text(3), cdata(4)),
|
||||
// not comment, processing instructions, or others
|
||||
// Thanks to Diego Perini for the nodeName shortcut
|
||||
@ -5202,7 +5202,7 @@ if ( document.querySelectorAll ) {
|
||||
// This is to test IE's treatment of not explictly
|
||||
// setting a boolean content attribute,
|
||||
// since its presence should be enough
|
||||
// http://bugs.jquery.com/ticket/12359
|
||||
// https://bugs.jquery.com/ticket/12359
|
||||
div.innerHTML = "<select><option selected=''></option></select>";
|
||||
|
||||
// IE8 - Some boolean attributes are not treated correctly
|
||||
@ -5211,7 +5211,7 @@ if ( document.querySelectorAll ) {
|
||||
}
|
||||
|
||||
// Webkit/Opera - :checked should return selected option elements
|
||||
// http://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked
|
||||
// https://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked
|
||||
// IE8 throws error here (do not put tests after this one)
|
||||
if ( !div.querySelectorAll(":checked").length ) {
|
||||
rbuggyQSA.push(":checked");
|
||||
@ -6478,7 +6478,7 @@ jQuery.extend({
|
||||
var matched, browser;
|
||||
|
||||
// Use of jQuery.browser is frowned upon.
|
||||
// More details: http://api.jquery.com/jQuery.browser
|
||||
// More details: https://api.jquery.com/jQuery.browser
|
||||
// jQuery.uaMatch maintained for back-compat
|
||||
jQuery.uaMatch = function( ua ) {
|
||||
ua = ua.toLowerCase();
|
||||
@ -6837,7 +6837,7 @@ if ( window.getComputedStyle ) {
|
||||
// A tribute to the "awesome hack by Dean Edwards"
|
||||
// Chrome < 17 and Safari 5.0 uses "computed value" instead of "used value" for margin-right
|
||||
// Safari 5.1.7 (at least) returns percentage for a larger set of values, but width seems to be reliably pixels
|
||||
// this is against the CSSOM draft spec: http://dev.w3.org/csswg/cssom/#resolved-values
|
||||
// this is against the CSSOM draft spec: https://dev.w3.org/csswg/cssom/#resolved-values
|
||||
if ( rnumnonpx.test( ret ) && rmargin.test( name ) ) {
|
||||
width = style.width;
|
||||
minWidth = style.minWidth;
|
||||
@ -8444,7 +8444,7 @@ if ( jQuery.support.ajax ) {
|
||||
|
||||
// Firefox throws exceptions when accessing properties
|
||||
// of an xhr when a network error occurred
|
||||
// http://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_AVAILABLE)
|
||||
// https://helpful.knobs-dials.com/index.php/Component_returned_failure_code:_0x80040111_(NS_ERROR_NOT_AVAILABLE)
|
||||
try {
|
||||
|
||||
// Was never called and is aborted or complete
|
||||
|
@ -1,6 +1,6 @@
|
||||
// Knockout JavaScript library v2.3.0
|
||||
// (c) Steven Sanderson - http://knockoutjs.com/
|
||||
// License: MIT (http://www.opensource.org/licenses/mit-license.php)
|
||||
// (c) Steven Sanderson - https://knockoutjs.com/
|
||||
// License: MIT (https://www.opensource.org/licenses/mit-license.php)
|
||||
|
||||
(function() {function F(q){return function(){return q}};(function(q){var w=this||(0,eval)("this"),s=w.document,H=w.navigator,t=w.jQuery,y=w.JSON;(function(q){"function"===typeof require&&"object"===typeof exports&&"object"===typeof module?q(module.exports||exports):"function"===typeof define&&define.amd?define(["exports"],q):q(w.ko={})})(function(C){function G(b,c,d,f){a.d[b]={init:function(b){a.a.f.set(b,I,{});return{controlsDescendantBindings:!0}},update:function(b,e,m,h,k){m=a.a.f.get(b,I);e=a.a.c(e());h=!d!==!e;var l=!m.fb;if(l||c||h!==m.vb)l&&(m.fb=
|
||||
a.a.Oa(a.e.childNodes(b),!0)),h?(l||a.e.P(b,a.a.Oa(m.fb)),a.Ja(f?f(k,e):k,b)):a.e.ba(b),m.vb=h}};a.g.S[b]=!1;a.e.L[b]=!0}function J(b,c,d){d&&c!==a.h.n(b)&&a.h.W(b,c);c!==a.h.n(b)&&a.q.I(a.a.Ga,null,[b,"change"])}var a="undefined"!==typeof C?C:{};a.b=function(b,c){for(var d=b.split("."),f=a,g=0;g<d.length-1;g++)f=f[d[g]];f[d[d.length-1]]=c};a.r=function(a,c,d){a[c]=d};a.version="2.3.0";a.b("version",a.version);a.a=function(){function b(a,b){for(var e in a)a.hasOwnProperty(e)&&b(e,a[e])}function c(b,
|
||||
@ -14,7 +14,7 @@ a.a.C.ia(b,function(){b.detachEvent(p,n)})}else throw Error("Browser doesn't sup
|
||||
typeof a.dispatchEvent)e=s.createEvent(f[b]||"HTMLEvents"),e.initEvent(b,!0,!0,w,0,0,0,0,0,!1,!1,!1,!1,0,a),a.dispatchEvent(e);else throw Error("The supplied element doesn't support dispatchEvent");else if("undefined"!=typeof a.fireEvent)c(a,b)&&(a.checked=!0!==a.checked),a.fireEvent("on"+b);else throw Error("Browser doesn't support triggering events");},c:function(b){return a.T(b)?b():b},ya:function(b){return a.T(b)?b.t():b},ga:function(b,e,c){if(e){var d=/\S+/g,g=b.className.match(d)||[];a.a.p(e.match(d),
|
||||
function(b){a.a.ja(g,b,c)});b.className=g.join(" ")}},ib:function(b,e){var c=a.a.c(e);if(null===c||c===q)c="";var d=a.e.firstChild(b);!d||3!=d.nodeType||a.e.nextSibling(d)?a.e.P(b,[s.createTextNode(c)]):d.data=c;a.a.Bb(b)},gb:function(a,b){a.name=b;if(7>=e)try{a.mergeAttributes(s.createElement("<input name='"+a.name+"'/>"),!1)}catch(c){}},Bb:function(a){9<=e&&(a=1==a.nodeType?a:a.parentNode,a.style&&(a.style.zoom=a.style.zoom))},zb:function(a){if(e){var b=a.style.width;a.style.width=0;a.style.width=
|
||||
b}},Qb:function(b,e){b=a.a.c(b);e=a.a.c(e);for(var c=[],d=b;d<=e;d++)c.push(d);return c},N:function(a){for(var b=[],e=0,c=a.length;e<c;e++)b.push(a[e]);return b},Ub:6===e,Vb:7===e,ca:e,Ua:function(b,e){for(var c=a.a.N(b.getElementsByTagName("input")).concat(a.a.N(b.getElementsByTagName("textarea"))),d="string"==typeof e?function(a){return a.name===e}:function(a){return e.test(a.name)},g=[],f=c.length-1;0<=f;f--)d(c[f])&&g.push(c[f]);return g},Nb:function(b){return"string"==typeof b&&(b=a.a.F(b))?
|
||||
y&&y.parse?y.parse(b):(new Function("return "+b))():null},Ca:function(b,e,c){if(!y||!y.stringify)throw Error("Cannot find JSON.stringify(). Some browsers (e.g., IE < 8) don't support it natively, but you can overcome this by adding a script reference to json2.js, downloadable from http://www.json.org/json2.js");return y.stringify(a.a.c(b),e,c)},Ob:function(e,c,d){d=d||{};var g=d.params||{},f=d.includeFields||this.Ta,p=e;if("object"==typeof e&&"form"===a.a.u(e))for(var p=e.action,r=f.length-1;0<=r;r--)for(var z=
|
||||
y&&y.parse?y.parse(b):(new Function("return "+b))():null},Ca:function(b,e,c){if(!y||!y.stringify)throw Error("Cannot find JSON.stringify(). Some browsers (e.g., IE < 8) don't support it natively, but you can overcome this by adding a script reference to json2.js, downloadable from https://www.json.org/json2.js");return y.stringify(a.a.c(b),e,c)},Ob:function(e,c,d){d=d||{};var g=d.params||{},f=d.includeFields||this.Ta,p=e;if("object"==typeof e&&"form"===a.a.u(e))for(var p=e.action,r=f.length-1;0<=r;r--)for(var z=
|
||||
a.a.Ua(e,f[r]),D=z.length-1;0<=D;D--)g[z[D].name]=z[D].value;c=a.a.c(c);var q=s.createElement("form");q.style.display="none";q.action=p;q.method="post";for(var v in c)e=s.createElement("input"),e.name=v,e.value=a.a.Ca(a.a.c(c[v])),q.appendChild(e);b(g,function(a,b){var e=s.createElement("input");e.name=a;e.value=b;q.appendChild(e)});s.body.appendChild(q);d.submitter?d.submitter(q):q.submit();setTimeout(function(){q.parentNode.removeChild(q)},0)}}}();a.b("utils",a.a);a.b("utils.arrayForEach",a.a.p);
|
||||
a.b("utils.arrayFirst",a.a.La);a.b("utils.arrayFilter",a.a.Y);a.b("utils.arrayGetDistinctValues",a.a.Ma);a.b("utils.arrayIndexOf",a.a.k);a.b("utils.arrayMap",a.a.Z);a.b("utils.arrayPushAll",a.a.R);a.b("utils.arrayRemoveItem",a.a.ka);a.b("utils.extend",a.a.extend);a.b("utils.fieldsIncludedWithJsonPost",a.a.Ta);a.b("utils.getFormFields",a.a.Ua);a.b("utils.peekObservable",a.a.ya);a.b("utils.postJson",a.a.Ob);a.b("utils.parseJson",a.a.Nb);a.b("utils.registerEventHandler",a.a.o);a.b("utils.stringifyJson",
|
||||
a.a.Ca);a.b("utils.range",a.a.Qb);a.b("utils.toggleDomNodeCssClass",a.a.ga);a.b("utils.triggerEvent",a.a.Ga);a.b("utils.unwrapObservable",a.a.c);a.b("utils.objectForEach",a.a.w);a.b("utils.addOrRemoveItem",a.a.ja);a.b("unwrap",a.a.c);Function.prototype.bind||(Function.prototype.bind=function(a){var c=this,d=Array.prototype.slice.call(arguments);a=d.shift();return function(){return c.apply(a,d.concat(Array.prototype.slice.call(arguments)))}});a.a.f=new function(){var b=0,c="__ko__"+(new Date).getTime(),
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head>
|
||||
<title>SecureMail</title>
|
||||
<link rel="icon" type="image/x-icon" th:href="@{/resources/img/favicon.ico}"/>
|
||||
@ -66,7 +66,7 @@
|
||||
|
||||
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
|
||||
<!--[if lt IE 9]>
|
||||
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<script src="https://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<![endif]-->
|
||||
<meta name="_csrf" th:content="${_csrf.token}"/>
|
||||
<meta name="_csrf_header" th:content="${_csrf.headerName}"/>
|
||||
|
@ -17,7 +17,7 @@
|
||||
<link href="${bootstrapResponsiveUrl}" rel="stylesheet"></link>
|
||||
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
|
||||
<!--[if lt IE 9]>
|
||||
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<script src="https://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<![endif]-->
|
||||
</head>
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
<!DOCTYPE html SYSTEM "http://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-3.dtd">
|
||||
<!DOCTYPE html SYSTEM "https://www.thymeleaf.org/dtd/xhtml1-strict-thymeleaf-spring4-3.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml"
|
||||
xmlns:th="http://www.thymeleaf.org">
|
||||
xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:fragment="head(title,links)">
|
||||
<title>SecureMail: <th:block th:include="${title}"></th:block></title>
|
||||
<link rel="icon" type="image/x-icon" th:href="@{/resources/img/favicon.ico}" href="../resources/img/favicon.ico"/>
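Review bot: The DOCTYPE system id on the second line of this hunk is used as a lookup key by the template engine's entity resolver, not as a link, so if the Thymeleaf version in use matches `http://www.thymeleaf.org/dtd/...` against a bundled local copy by exact string, the `https://` form will miss that catalog and the XML parser may try to fetch the DTD over the network on every parse or fail where outbound access is blocked. I would verify this against the engine version before merging and otherwise restore the `http://` system id with a comment `<!-- system id is a catalog key, not a link -->`. The `xmlns:th` change below it looks harmless as far as I can tell, since the dialect is selected by prefix; the same DOCTYPE pattern should be checked in any other template this commit touched.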
|
||||
@ -68,7 +68,7 @@
|
||||
|
||||
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
|
||||
<!--[if lt IE 9]>
|
||||
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<script src="https://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<![endif]-->
|
||||
<th:block th:replace="${links}"/>
|
||||
</head>
|
||||
@ -114,7 +114,7 @@
|
||||
|
||||
<div id="footer">
|
||||
<div class="container">
|
||||
<p class="muted credit">Visit the <a href="http://spring.io/spring-security">Spring Security</a> site for more <a href="https://github.com/spring-projects/spring-security/blob/master/samples/">samples</a>.</p>
|
||||
<p class="muted credit">Visit the <a href="https://spring.io/spring-security">Spring Security</a> site for more <a href="https://github.com/spring-projects/spring-security/blob/master/samples/">samples</a>.</p>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>Create</title>
|
||||
</head>
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>View All</title>
|
||||
</head>
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>Create</title>
|
||||
</head>
|
||||
|
@ -36,35 +36,35 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
.authenticationUserDetailsService(new CustomUserDetailsService())
|
||||
.attributeExchange("https://www.google.com/.*")
|
||||
.attribute("email")
|
||||
.type("http://axschema.org/contact/email")
|
||||
.type("https://axschema.org/contact/email")
|
||||
.required(true)
|
||||
.and()
|
||||
.attribute("firstname")
|
||||
.type("http://axschema.org/namePerson/first")
|
||||
.type("https://axschema.org/namePerson/first")
|
||||
.required(true)
|
||||
.and()
|
||||
.attribute("lastname")
|
||||
.type("http://axschema.org/namePerson/last")
|
||||
.type("https://axschema.org/namePerson/last")
|
||||
.required(true)
|
||||
.and()
|
||||
.and()
|
||||
.attributeExchange(".*yahoo.com.*")
|
||||
.attribute("email")
|
||||
.type("http://axschema.org/contact/email")
|
||||
.type("https://axschema.org/contact/email")
|
||||
.required(true)
|
||||
.and()
|
||||
.attribute("fullname")
|
||||
.type("http://axschema.org/namePerson")
|
||||
.type("https://axschema.org/namePerson")
|
||||
.required(true)
|
||||
.and()
|
||||
.and()
|
||||
.attributeExchange(".*myopenid.com.*")
|
||||
.attribute("email")
|
||||
.type("http://schema.openid.net/contact/email")
|
||||
.type("https://schema.openid.net/contact/email")
|
||||
.required(true)
|
||||
.and()
|
||||
.attribute("fullname")
|
||||
.type("http://schema.openid.net/namePerson")
|
||||
.type("https://schema.openid.net/namePerson")
|
||||
.required(true);
|
||||
}
|
||||
// @formatter:on
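Review bot: The `.type(...)` arguments in this hunk are OpenID Attribute Exchange type identifiers, not links, so rewriting `http://axschema.org/contact/email` as `https://axschema.org/contact/email` (and likewise the other axschema.org and schema.openid.net types) changes the identifier the provider is asked for; an OP compares these strings literally, so the https spellings would most likely yield no email/name attributes at all, silently, for every provider configured here. Every `.type(...)` call in this hunk should go back to its original `http://` form, e.g. `.type("http://axschema.org/contact/email")`. A comment such as `// AX type URIs are opaque identifiers defined with http://; do not rewrite them` above the chain would stop the next bulk URL tool from repeating this. The enclosing configure method starts before this hunk.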
|
||||
|
@ -1,7 +1,7 @@
|
||||
/**
|
||||
* jQuery.query - Query String Modification and Creation for jQuery
|
||||
* Written by Blair Mitchelmore (blair DOT mitchelmore AT gmail DOT com)
|
||||
* Licensed under the WTFPL (http://sam.zoy.org/wtfpl/).
|
||||
* Licensed under the WTFPL (http://www.wtfpl.net/).
|
||||
* Date: 2009/02/08
|
||||
*
|
||||
* @author Blair Mitchelmore
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
Defines the base of where the OpenID Provider redirects its response to.
|
||||
*/
|
||||
var server_root = "http://openid-selector.googlecode.com/svn/trunk/"
|
||||
var server_root = "https://openid-selector.googlecode.com/svn/trunk/"
|
||||
|
||||
/*
|
||||
On the server-side you'd accept an OpenID URL and perform discovery
|
||||
@ -16,5 +16,5 @@ var providers_endpoint = {
|
||||
google: 'https://www.google.com/accounts/o8/ud',
|
||||
yahoo: 'https://open.login.yahooapis.com/openid/op/auth',
|
||||
aol: 'https://api.screenname.aol.com/auth/openidServer',
|
||||
verisign: 'http://pip.verisignlabs.com/server'
|
||||
verisign: 'https://pip.verisignlabs.com/server'
|
||||
}
|
@ -41,14 +41,14 @@ function getBaseOpenIDProviderURL(provider, claimed, immediate) {
|
||||
var providerEndpoint = providers_endpoint[provider];
|
||||
var providerURL = providerEndpoint; //From previous discovery
|
||||
providerURL += "?";
|
||||
providerURL += "openid.ns=" + encodeURIComponent("http://specs.openid.net/auth/2.0");
|
||||
providerURL += "openid.ns=" + encodeURIComponent("https://specs.openid.net/auth/2.0");
|
||||
if(providers[provider].label) {
|
||||
providerURL += "&openid.claimed_id=" + encodeURIComponent(claimed);
|
||||
providerURL += "&openid.identity=" + encodeURIComponent(claimed);
|
||||
}
|
||||
else {
|
||||
providerURL += "&openid.claimed_id=" + encodeURIComponent("http://specs.openid.net/auth/2.0/identifier_select");
|
||||
providerURL += "&openid.identity=" + encodeURIComponent("http://specs.openid.net/auth/2.0/identifier_select");
|
||||
providerURL += "&openid.claimed_id=" + encodeURIComponent("https://specs.openid.net/auth/2.0/identifier_select");
|
||||
providerURL += "&openid.identity=" + encodeURIComponent("https://specs.openid.net/auth/2.0/identifier_select");
|
||||
}
|
||||
if(immediate) {
|
||||
providerURL += "&openid.return_to=" + encodeURIComponent(server_root + "openid-client/checkid_immediate_response.html");
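Review bot: `openid.ns`, `openid.claimed_id` and `openid.identity` in this hunk are built from OpenID 2.0 protocol constants (`http://specs.openid.net/auth/2.0` and `http://specs.openid.net/auth/2.0/identifier_select`) that the OP compares literally, so sending the `https://` spellings makes this no longer a valid OpenID 2.0 request and the provider will probably reject it or fall back to 1.x handling. The three `encodeURIComponent(...)` arguments should be restored to their `http://` values, ideally hoisted once as `var OPENID_NS = "http://specs.openid.net/auth/2.0"; // protocol identifier, not a link`. The identical edit appears again in the later copy of this file's `getBaseOpenIDProviderURL` hunk and should be reverted there too. `getBaseOpenIDProviderURL` starts before this hunk and continues past it.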
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
Simple OpenID Plugin
|
||||
http://code.google.com/p/openid-selector/
|
||||
https://code.google.com/p/openid-selector/
|
||||
|
||||
This code is licenced under the New BSD License.
|
||||
*/
|
||||
@ -17,7 +17,7 @@ var providers_large = {
|
||||
aol: {
|
||||
name: 'AOL',
|
||||
label: 'Enter your AOL screenname.',
|
||||
url: 'http://openid.aol.com/{username}'
|
||||
url: 'https://openid.aol.com/{username}'
|
||||
},
|
||||
verisign: {
|
||||
name: 'Verisign',
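Review bot: The `url` template changed in this hunk (`https://openid.aol.com/{username}`) is the claimed identifier the user will assert, and under OpenID 2.0 normalization an `http://` and an `https://` identifier are distinct identities unless discovery redirects one to the other, so users whose provider only asserts the `http://` form may fail verification or end up with a different identity than before. I would check that each provider actually serves discovery on the https URL before keeping this, and otherwise restore `url: 'http://openid.aol.com/{username}'`. The same concern applies to the flickr, technorati and claimid `url` entries in the next two hunks of this file.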
|
||||
@ -44,12 +44,12 @@ var providers_small = {
|
||||
flickr: {
|
||||
name: 'Flickr',
|
||||
label: 'Enter your Flickr username.',
|
||||
url: 'http://flickr.com/{username}/'
|
||||
url: 'https://flickr.com/{username}/'
|
||||
},
|
||||
technorati: {
|
||||
name: 'Technorati',
|
||||
label: 'Enter your Technorati username.',
|
||||
url: 'http://technorati.com/people/technorati/{username}/'
|
||||
url: 'https://technorati.com/people/technorati/{username}/'
|
||||
},
|
||||
wordpress: {
|
||||
name: 'Wordpress',
|
||||
@ -69,7 +69,7 @@ var providers_small = {
|
||||
claimid: {
|
||||
name: 'ClaimID',
|
||||
label: 'Your ClaimID username',
|
||||
url: 'http://claimid.com/{username}'
|
||||
url: 'https://claimid.com/{username}'
|
||||
}
|
||||
};
|
||||
var providers = $.extend({}, providers_large, providers_small);
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{::link})">
|
||||
<title>Messages : Login</title>
|
||||
<!-- /Simple OpenID Selector -->
|
||||
@ -28,7 +28,7 @@
|
||||
</div>
|
||||
<noscript>
|
||||
<p>OpenID is a service that allows you to log-on to many different websites using a single identity.
|
||||
Find out <a href="http://openid.net/what/">more about OpenID</a> and <a href="http://openid.net/get/">how to get an OpenID enabled account</a>.</p>
|
||||
Find out <a href="https://openid.net/what/">more about OpenID</a> and <a href="https://openid.net/get/">how to get an OpenID enabled account</a>.</p>
|
||||
</noscript>
|
||||
</fieldset>
|
||||
</form>
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>Messages : Login</title>
|
||||
<!-- /Simple OpenID Selector -->
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>Please Login</title>
|
||||
</head>
|
||||
|
@ -1,4 +1,4 @@
|
||||
<html xmlns:th="http://www.thymeleaf.org">
|
||||
<html xmlns:th="https://www.thymeleaf.org">
|
||||
<head th:include="layout :: head(title=~{::title},links=~{})">
|
||||
<title>Please Login</title>
|
||||
</head>
|
||||
|
@ -2,8 +2,8 @@
|
||||
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
|
||||
xmlns:c="http://java.sun.com/jsp/jstl/core"
|
||||
xmlns:fn="http://java.sun.com/jsp/jstl/functions"
|
||||
xmlns:decorator="http://www.opensymphony.com/sitemesh/decorator"
|
||||
xmlns:page="http://www.opensymphony.com/sitemesh/page"
|
||||
xmlns:decorator="https://www.opensymphony.com/sitemesh/decorator"
|
||||
xmlns:page="https://www.opensymphony.com/sitemesh/page"
|
||||
xmlns:form="http://www.springframework.org/tags/form"
|
||||
xmlns:spring="http://www.springframework.org/tags"
|
||||
xmlns:sec="http://www.springframework.org/security/tags"
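Review bot: In a `jsp:root` document the `xmlns:decorator` and `xmlns:page` values are tag-library URIs that the JSP translator matches exactly against the `<uri>` declared in the SiteMesh TLD, not links, so `https://www.opensymphony.com/sitemesh/decorator` and `https://www.opensymphony.com/sitemesh/page` will fail translation with an unresolved absolute-uri error unless the TLDs were changed to match. The neighbouring `xmlns:c`, `xmlns:fn`, `xmlns:form`, `xmlns:spring` and `xmlns:sec` lines were correctly left at `http://`; these two should be reverted the same way, e.g. `xmlns:decorator="http://www.opensymphony.com/sitemesh/decorator"`.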
|
||||
@ -84,7 +84,7 @@
|
||||
|
||||
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
|
||||
<!--[if lt IE 9]>
|
||||
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<script src="https://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<![endif]-->
|
||||
</head>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
|
||||
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee https://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
|
||||
|
||||
<login-config>
|
||||
<auth-method>FORM</auth-method>
|
||||
|
@ -3,8 +3,8 @@
|
||||
<title>Frames</title>
|
||||
</head>
|
||||
<body>
|
||||
<p>This contains frames, but the frames will not be loaded due to the <a href="http://tools.ietf.org/html/draft-ietf-websec-x-frame-options">X-Frame-Options</a>
|
||||
being specified as denied. This protects against <a href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking attacks</a></p>
|
||||
<p>This contains frames, but the frames will not be loaded due to the <a href="https://tools.ietf.org/html/draft-ietf-websec-x-frame-options">X-Frame-Options</a>
|
||||
being specified as denied. This protects against <a href="https://en.wikipedia.org/wiki/Clickjacking">clickjacking attacks</a></p>
|
||||
<iframe src="./hello.htm" width="500" height="500"></iframe>
|
||||
</body>
|
||||
</html>
|
@ -1,5 +1,5 @@
|
||||
<?xml version="1.0" encoding="ISO-8859-1" ?>
|
||||
<!DOCTYPE taglib PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN" "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">
|
||||
<!DOCTYPE taglib PUBLIC "-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN" "https://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd">
|
||||
|
||||
<taglib>
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
<link href="${bootstrapResponsiveUrl}" rel="stylesheet"></link>
|
||||
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
|
||||
<!--[if lt IE 9]>
|
||||
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<script src="https://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<![endif]-->
|
||||
</head>
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
<link href="${bootstrapResponsiveUrl}" rel="stylesheet"></link>
|
||||
<!-- HTML5 shim, for IE6-8 support of HTML5 elements -->
|
||||
<!--[if lt IE 9]>
|
||||
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<script src="https://html5shim.googlecode.com/svn/trunk/html5.js"></script>
|
||||
<![endif]-->
|
||||
</head>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
/**
|
||||
* jQuery.query - Query String Modification and Creation for jQuery
|
||||
* Written by Blair Mitchelmore (blair DOT mitchelmore AT gmail DOT com)
|
||||
* Licensed under the WTFPL (http://sam.zoy.org/wtfpl/).
|
||||
* Licensed under the WTFPL (http://www.wtfpl.net/).
|
||||
* Date: 2009/02/08
|
||||
*
|
||||
* @author Blair Mitchelmore
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
Defines the base of where the OpenID Provider redirects its response to.
|
||||
*/
|
||||
var server_root = "http://openid-selector.googlecode.com/svn/trunk/"
|
||||
var server_root = "https://openid-selector.googlecode.com/svn/trunk/"
|
||||
|
||||
/*
|
||||
On the server-side you'd accept an OpenID URL and perform discovery
|
||||
@ -16,5 +16,5 @@ var providers_endpoint = {
|
||||
google: 'https://www.google.com/accounts/o8/ud',
|
||||
yahoo: 'https://open.login.yahooapis.com/openid/op/auth',
|
||||
aol: 'https://api.screenname.aol.com/auth/openidServer',
|
||||
verisign: 'http://pip.verisignlabs.com/server'
|
||||
verisign: 'https://pip.verisignlabs.com/server'
|
||||
}
|
@ -41,14 +41,14 @@ function getBaseOpenIDProviderURL(provider, claimed, immediate) {
|
||||
var providerEndpoint = providers_endpoint[provider];
|
||||
var providerURL = providerEndpoint; //From previous discovery
|
||||
providerURL += "?";
|
||||
providerURL += "openid.ns=" + encodeURIComponent("http://specs.openid.net/auth/2.0");
|
||||
providerURL += "openid.ns=" + encodeURIComponent("https://specs.openid.net/auth/2.0");
|
||||
if(providers[provider].label) {
|
||||
providerURL += "&openid.claimed_id=" + encodeURIComponent(claimed);
|
||||
providerURL += "&openid.identity=" + encodeURIComponent(claimed);
|
||||
}
|
||||
else {
|
||||
providerURL += "&openid.claimed_id=" + encodeURIComponent("http://specs.openid.net/auth/2.0/identifier_select");
|
||||
providerURL += "&openid.identity=" + encodeURIComponent("http://specs.openid.net/auth/2.0/identifier_select");
|
||||
providerURL += "&openid.claimed_id=" + encodeURIComponent("https://specs.openid.net/auth/2.0/identifier_select");
|
||||
providerURL += "&openid.identity=" + encodeURIComponent("https://specs.openid.net/auth/2.0/identifier_select");
|
||||
}
|
||||
if(immediate) {
|
||||
providerURL += "&openid.return_to=" + encodeURIComponent(server_root + "openid-client/checkid_immediate_response.html");
|
||||
|