8d8475deb1
SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
...
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
2014-01-29 15:35:18 -06:00
2df5541905
SEC-2448: Update to HSQL 2.3.1
2013-12-14 10:19:06 -06:00
ca1080fb96
SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter
2013-12-13 15:47:28 -06:00
a34178bc40
SEC-2434: Update to Spring 3.2.6 and Spring 4.0 GA
2013-12-12 08:16:59 -06:00
aaa7cec32e
SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
...
Previously there was unecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
2013-12-12 08:07:22 -06:00
7f714ebb23
SEC-2422: Session timeout detection with CSRF protection
2013-12-11 17:38:17 -06:00
4460e84b29
Updates to pom.xml author and repo
2013-12-09 08:57:30 -06:00
59e13e7bbb
SEC-2404: CsrfAuthenticationStrategy creates new valid CsrfToken
2013-11-21 15:12:08 -06:00
2c8946c406
Next development version
2013-11-01 14:20:55 -05:00
9c703a3051
Release version 3.2.0.RC2
2013-11-01 14:20:49 -05:00
1a1f577a8b
SEC-2358: Add RequestHEaderRequestMatcher#toString()
2013-10-28 14:41:10 -05:00
e638f0a547
SEC-2357: old RequestMatcher interface extends new RequestMatcher
2013-10-23 17:09:33 -05:00
04b091c385
SEC-2369: PreAuthenticatedGrantedAuthoritiesUserDetailsService fix case to createUserDetails method
2013-10-17 16:18:43 -05:00
15a63c58a7
SEC-2368: DebugFilter outputs headers and HTTP method
2013-10-17 14:49:45 -05:00
1351c8bada
SEC-2362: Clarify AbstractRememberMeServices loginSuccess javadoc
2013-10-15 13:53:23 -05:00
e50b587d60
SEC-2360: AbstractRememberMeServices provide message for Assert on key fieldd
2013-10-14 15:06:11 -05:00
0b0e7dbea9
SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter
2013-10-14 15:00:24 -05:00
51171efa7a
SEC-2357: Move *RequestMatcher to .matcher package
2013-10-14 11:55:56 -05:00
45ad74a0bd
SEC-2357: Fix package cycles
2013-10-14 11:15:16 -05:00
14b9050616
SEC-2357: Move *RequestMatchers to .matchers package
2013-10-14 10:36:31 -05:00
7d99436740
SEC-2358: Add RequestHeaderRequestMatcher
2013-10-11 14:53:11 -05:00
0ac1176152
Polish RequestMatcher logging and toString
2013-10-07 15:45:42 -05:00
cffbefadd1
SEC-2306: Fix Session Fixation logging race condition
...
Previously session fixation protection could output an incorrect warning
that session fixation protection did not work.
The code now synchronizes on WebUtils.getSessionMutex(..).
2013-10-06 17:13:40 -05:00
611a97023d
SEC-2352: HttpSessionCsrfTokenRepository lazy session creation
2013-10-06 16:44:18 -05:00
17efd25717
SEC-2331: Include Expires: 0 in security headers documentation
2013-09-27 16:13:40 -05:00
cea0cf9260
SEC-2243: Remove additional Debug Filter
2013-09-26 11:38:16 -05:00
b591881e95
SEC-2302: Provide beforeSpringSecurityFilterChain hook
...
This allows inserting filters before the springSecurityFilterChain.
2013-09-25 14:52:40 -05:00
88f41cdf62
SEC-2341: Update to Gradle 1.8
...
Some dependencies were necessary to update due to issues with JUnit
integration.
2013-09-24 15:35:51 -05:00
ddc0ef7ab3
SEC-2339: Added Logical (Or, And, Negated) RequestMatchers
2013-09-23 20:55:49 -05:00
788ba9a1fa
SEC-2329: Allow injecting of AuthenticationTrustResolver
2013-09-20 15:26:52 -05:00
9133c33f1d
SEC-2246: HttpSessionRequestCache.getRequest casts to RequestCache
...
The method getRequest use to cast to DefaultRequestCache, but this
is not necessary.
Now the cast is to SavedRequest.
2013-09-19 15:08:32 -05:00
8f8c6169e8
SEC-2331: Cache Control now includes Expires: 0
2013-09-19 14:06:37 -05:00
0114b457c0
SEC-2330: CacheControlHeadersWriter use a single header
2013-09-18 16:12:34 -05:00
32e9239fd2
SEC-2320: AuthenticationPrincipal can be null on invalid type
...
Previously a ClassCastException was thrown if the type was invalid. Now
a flag exists on AuthenticationPrincipal which indicates if a
ClassCastException should be thrown or not with the default being no error.
2013-09-13 15:21:13 -07:00
b22acd0768
SEC-2314: AbstractSecurityWebApplicationInitializer.getSessionTrackingModes() uses EnumSet
2013-09-13 14:44:44 -07:00
8e74407381
SEC-2296: HttpServletRequest.login should throw ServletException if already authenticated
...
See throws documentation at
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login%28java.lang.String,%20java.lang.String%29
2013-08-31 11:55:24 -05:00
e8ac11641b
SEC-2297: Add DispatchType.ASYNC as default for AbstractSecurityWebApplicationInitializer
2013-08-31 11:39:57 -05:00
3d2f23602f
SEC-2294: Update Spring Version to 3.2.4.RELEASE
2013-08-31 11:26:43 -05:00
43f4d01cf3
SEC-2292: Add test to assert CSRF bypass of methods is case sensitive
...
HTTP methods should be case sensitive, so add test to ensure that this is
the case http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
2013-08-31 10:40:49 -05:00
6e9fb7930b
SEC-2298: Add AuthenticationPrincipalArgumentResolver
2013-08-30 17:06:40 -05:00
086056f191
SEC-2289: Make compatible with Spring 4 as well
...
There are a few subtle changes in Spring 4 that this commit addresses
2013-08-27 16:43:10 -05:00
26166ef6e8
SEC-2272: CsrfRequestDataValueProcessor support Spring 4 and Spring 3
2013-08-27 16:26:16 -05:00
3f69847a4e
SEC-2286: Log invalid CSRF tokens at debug level
2013-08-25 22:35:20 -05:00
d60108eaf6
SEC-2229: Add optional dependencies to spring-security-config
...
spring-tx and spring-jdbc aren't pulled in transitively from
spring-security-web now, so we must include them as optional dependencies.
2013-08-25 19:47:57 -05:00
33db440961
SEC-2129: AntPathRequestMatcher also supports case sensitive comparisions
2013-08-25 16:26:18 -05:00
7d1d856729
SEC-2229: spring-security-web dependency polish
...
- remove direct dependency on spring-aop
- spring-tx and spring-jdbc optional
2013-08-25 15:52:17 -05:00
534989c8ea
SEC-2103: Fix tests to verify debug logging instead of info
2013-08-25 10:05:22 -05:00
acb2b680d0
SEC-2103: Change log of no results to debug
2013-08-24 23:39:56 -05:00
48283ec004
SEC-2276: Delay saving CsrfToken until token is accessed
...
This also removed the CsrfToken from the response headers to prevent the
token from being saved. If user's wish to return the CsrfToken in the
response headers, they should use the CsrfToken found on the request.
2013-08-24 23:31:01 -05:00
e9bb9e766e
SEC-1574: Add CSRF Support
2013-08-15 14:49:21 -05:00
Rob Winch
Spring Buildmaster
Adrien be
kazuki43zoo