Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-03-09 06:50:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
3,676 Commits 35 Branches 337 Tags
Commit Graph

893 Commits

Author SHA1 Message Date
Luke Taylor
3049b933d9 Moved XML test snippet to ConfigTestUtils class and removed context files from core-tiger tests in favour of in-memory XML 2008-07-31 21:35:29 +00:00
Luke Taylor
d7926f3557 SEC-943: Forgot to commit tests. 2008-07-31 20:30:56 +00:00
Luke Taylor
000bb1cbed OPEN - issue SEC-881: PreAuthenticatedFilter continues filter chain after unsuccessfulAuthentication(...) 
http://jira.springframework.org/browse/SEC-881. Added test class.
 2008-07-31 15:42:04 +00:00
Luke Taylor
243c4f22d4 OPEN - issue SEC-899: GrantedAuthorityImpl.compareTo should handle null roles 
http://jira.springframework.org/browse/SEC-899. Changed to return -1 when compared to custom auhority which returns null from getAuthority()
 2008-07-31 13:01:22 +00:00
Luke Taylor
d4c105d8ba OPEN - issue SEC-934: security:intercept-url throws NPE if defined twice with the same url 
http://jira.springframework.org/browse/SEC-934. Added log warning when the same url is used multiple times.
 2008-07-30 15:03:47 +00:00
Luke Taylor
4bb3eb12c3 SEC-933: global-method-security and aop:aspectj-autoproxy throws NullPointerException in some situations 
http://jira.springframework.org/browse/SEC-933. Removed the setting of the attributeSource field from the interceptor in MethodDefinitionSourceAdvisor as this was overwriting the version supplied with the constructor with null (causing the NPE).
Also implemented lazy initialization of the authentication provider list from the bean factory in a custom NamespaceAuthenticationManager (extends ProviderManager and introspects the BeanFactory when getProviders() is first called). This should prevent the perennial problem of the eager initialization of UserDetailsService and other beans when the interceptor is eagerly initialized by something like aspectj-autoproxy.
 2008-07-30 11:01:23 +00:00
Luke Taylor
f453264bde SEC-909: custom remember me services doesn't get registered as logout handler 
http://jira.springframework.org/browse/SEC-909. HttpSecurityBeanDefinitionParser now passes the resolved RememberMeServices bean name to the LogoutBeanDefinitionparser so that it an use it explicitly.
 2008-07-15 18:22:53 +00:00
Luke Taylor
1ddc033fe5 SEC-903: Wrong attribute mapping when using jdbc-user-service bean 
http://jira.springframework.org/browse/SEC-903. Corrected property name set by JdbcUserServiceBeanDefinitionParser (was setting authorities query rather than groups one).
 2008-07-15 16:43:57 +00:00
Luke Taylor
e303e8b71a SEC-924: Implement automatic injection of namespace created RememberMeServices into custom AbstractProcessingFilter based beans. 
http://jira.springframework.org/browse/SEC-924. Delayed setting of NullRememberMeServices in AbstractProcessingFilter until afterPropertiesSet method is called, allowing the null value to be read by the namespace and the confgiured RememberMeServices bean injected.
 2008-07-15 14:52:13 +00:00
Luke Taylor
bf5896600e OPEN - issue SEC-913: SwitchUserProcessingFilter modifies the switchFailureUrl member variable on failure 
http://jira.springframework.org/browse/SEC-913. Applied patch as suggested (use sendRedirect method for failure URL).
 2008-07-15 13:42:30 +00:00
Luke Taylor
2cda6242c8 SEC-904: Moved multi-threaded tests into sandbox 2008-07-02 19:19:21 +00:00
Luke Taylor
479693ced7 SEC-900: Added extra checks on expiry time 2008-07-02 18:40:55 +00:00
Luke Taylor
3ee8733261 SEC-879: Added required BeanPostProcessor to set SessionRegistry is set on namespace registered AbstractProcessingFilter and SessionFixationProtectionFilter when using custom ConcurrentSessionController 
http://jira.springframework.org/browse/SEC-879.
 2008-06-20 22:08:05 +00:00
Luke Taylor
ff5bfccdba SEC-892: Linked use of create-session='never' in namespace to corresponding properties in ExceptionTranslationFilter and AbstractProcessingFilter 2008-06-19 13:46:45 +00:00
Luke Taylor
af5f193ec1 SEC-890: Corrected use of dataSource property name in RememberMeBDP. 2008-06-18 10:35:30 +00:00
Luke Taylor
32b8009bee SEC-875: Removed duplicated parameters from SavedRequestWrapper.getParameterValues() 2008-06-09 23:33:36 +00:00
Ben Alex
358f284f42 SEC-760: Correct bug where more than one concurrent JaasAuthenticationProvider used. 2008-06-06 06:13:14 +00:00
Luke Taylor
980a72f9a0 Removed TODO (done). 2008-05-29 15:54:50 +00:00
Luke Taylor
517a7f117a SEC-857: Make request wrapper getParameterValues() consistent with getParameterMap() etc. 2008-05-29 15:49:43 +00:00
Luke Taylor
d63536cc0d SEC-821: Added support for eternal session registry and concurrent session controller to the 2.0.2 namespace. 2008-05-27 13:14:21 +00:00
Luke Taylor
8b5bbe3800 SEC-830: Changed SavedRequestAwareWrapper to make wrapped request parameters take precedence over saved request ones. 2008-05-25 22:57:03 +00:00
Luke Taylor
45c3084502 SEC-836: Made LDAP namespace elements use subtree group searching by default. 2008-05-23 23:57:01 +00:00
Luke Taylor
871e529840 SEC-850: custom-authentication-provider Registering Separate Bean Definitions in App Context and Providers List 
http://jira.springframework.org/browse/SEC-850. Added extra test.
 2008-05-23 23:32:57 +00:00
Luke Taylor
d1005e4cfb SEC-850: custom-authentication-provider Registering Separate Bean Definitions in App Context and Providers List 
http://jira.springframework.org/browse/SEC-850. Changed bean decorator to add a bean reference to the ProviderManager rather than a bean definition.
 2008-05-23 23:25:09 +00:00
Luke Taylor
9ce0270226 Fixed typo in test name 2008-05-23 22:57:30 +00:00
Luke Taylor
fbe3ca48f4 SEC-823, SEC-843: Allow setting of custom RememberMeServices and token validity periodon remember-me namespace element 2008-05-21 16:03:05 +00:00
Luke Taylor
b60c578b25 SEC-844: Support for SHA-256 hashing. 2008-05-20 22:45:02 +00:00
Luke Taylor
29d31b72d0 SEC-837: Add special character filtering to LDAP search filters 2008-05-20 19:25:37 +00:00
Luke Taylor
3fb1f59fde SEC-837: Add special character filtering to LDAP search filterscore/src/test/java/org/springframework/security/ldap 2008-05-20 19:22:49 +00:00
Luke Taylor
d17a2da9e0 SEC-834: Session fixation attack protection will cause problems with URL rewriting 
http://jira.springframework.org/browse/SEC-834. Changed position of SessionFixationProtectionFilter and modified it to make a decision about whether authentication has taken place prior to calling doFilter(). Previously it did this on the return through the filter chain, which caused the problem described in this issue.
 2008-05-15 00:26:27 +00:00
Luke Taylor
1fee538c7e Fixed typo in setter method (uses of). 2008-05-13 15:32:30 +00:00
Luke Taylor
781d88bd30 OPEN - issue SEC-825: Query string isn't beig stripped from URLs when ant matcher is in use (regression issue) 
http://jira.springframework.org/browse/SEC-825. Make sure the property is set on DefaultFilterInvocationDefinitionSource when ant paths are in use.
 2008-05-09 18:08:32 +00:00
Luke Taylor
883b92e7bd SEC-822: Converted to long arithmetic to prevent integer overflowing with long token validity periods 2008-05-08 15:07:40 +00:00
Luke Taylor
8ad2d681ab SEC-818: Changed redirect URL validation to ignore potential property placeholders at parsing time and report a warning through the parser context rather than an error. Also validated the URLs in the beans themselves using Asserts, so an exception will occur later when the beans have been created rather than while assembling the bean definitions. 2008-05-07 13:49:20 +00:00
Luke Taylor
fca3a2a709 SEC-812: Added missing TextUtils file 2008-05-05 19:09:09 +00:00
Ben Alex
9961c7f867 Moved to correct build location. 2008-05-02 10:52:57 +00:00
Ben Alex
7a2e1e13d3 SEC-811: Provide a mechanism to allocate and rebuild cryptographically strong, randomised tokens. 2008-05-02 10:38:56 +00:00
Luke Taylor
4984d4be65 OPEN - issue SEC-757: Add validation of redirect URLs on namespace 
http://jira.springframework.org/browse/SEC-757. Added validation method to ConfigUtils and calls to it for url attributes.
 2008-05-01 16:39:31 +00:00
Luke Taylor
8281aeb0da SEC-807: Allow mapping to a standard Ldap UserDetails through the namespace 
http://jira.springframework.org/browse/SEC-807. Added extra test for Ldap provider parser.
 2008-04-29 18:01:59 +00:00
Luke Taylor
e4b32b8d29 OPEN - issue SEC-807: Allow mapping to a standard Ldap UserDetails through the namespace 
http://jira.springframework.org/browse/SEC-807. Added support for user-details-class attribute to ldap-authentication-provider and ldap-user-service.
 2008-04-29 16:53:24 +00:00
Luke Taylor
104716fedb SEC-805: Add extra fields to InetOrgPerson 
http://jira.springframework.org/browse/SEC-805. Added a substantial number of new fields to the class.
 2008-04-29 14:39:58 +00:00
Luke Taylor
2d692718e0 SEC-799: Add better detection of missing server-ref element for <ldap-user-service> and <ldap-authentication-provider /> 
http://jira.springframework.org/browse/SEC-799. Updated ContextSourceSettingPostProcessor to set the standard ContextSource as an alias if it is needed by a bean but has not been set (because the user specified their own server id on <ldap-server />).
 2008-04-28 15:01:20 +00:00
Luke Taylor
d3a0f05de9 SEC-783: GlobalMethodSecurityBeanDefinitionParser should support AfterInvocationProviders 
http://jira.springframework.org/browse/SEC-783. Added support for custom-after-invocation-provider
 2008-04-25 12:28:30 +00:00
Luke Taylor
1090072fff SEC-795: Add check for protected login page when using namespace 
http://jira.springframework.org/browse/SEC-795. I've added checks for the various scenarios which will result in a protected login page and suitable warning messages.
 2008-04-24 01:59:19 +00:00
Luke Taylor
5d51b35cfa SEC-792: Filters should only be added to the default stack if they are labelled using custom-filter. 
http://jira.springframework.org/browse/SEC-792. Updated FilterChainProxyPostProcessor to raise an exception if two filters have the same order, and also to unwrap wrapped filters once the sorting by order has been performed.
 2008-04-23 23:19:44 +00:00
Luke Taylor
38774ec94f SEC-792: Filters should only be added to the default stack if they are labelled using custom-filter. 
http://jira.springframework.org/browse/SEC-792. The filters are now maintained as a list in the context and have to be stored there explicitly on registration.
 2008-04-23 16:06:54 +00:00
Luke Taylor
01185475a1 OPEN - issue SEC-793: ldap-authentication-provider element parser ignores hash attribute. 
http://jira.springframework.org/browse/SEC-793. Added support for hash attribute. password-encoder still takes precendence with a warning if both are present.
 2008-04-23 12:50:09 +00:00
Luke Taylor
1ae167434a SEC-756: Add checks for duplicate use of namespace elements such as global-method-security 
http://jira.springframework.org/browse/SEC-756. Refactored HttpSecurityBDP and added check for duplicate usage of the element.
 2008-04-22 21:25:35 +00:00
Luke Taylor
88ea87642a SEC-791: RequestKey.equals throws NPE if method is null 
http://jira.springframework.org/browse/SEC-791. Fixed handling of equals when one http method is null.
 2008-04-22 12:32:33 +00:00
Luke Taylor
9eaa1cbbdd OPEN - issue SEC-789: Add support for optional role-prefix attribute to namespace 
http://jira.springframework.org/browse/SEC-789. Added role-prefix attribute to ldap provider and jdbc/ldap user-service elements.
 2008-04-21 18:29:54 +00:00