Commit Graph

448 Commits

Author SHA1 Message Date
Marten Deinum 0adf5aea91 SEC-2098, SEC-2099: Created HeadersFilter
Created HeadersFilter for setting security headers added including a
bean definition parser for easy configuration of the headers. Enables
easy configuration for the X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options headers. Also allows for additional headers to
be added.
2013-07-25 16:22:43 -05:00
Rob Winch f5a30e55a3 SEC-2042: AbstractAuthenticationProcessingFilter supports RequestMatcher 2013-07-23 13:06:51 -05:00
Rob Winch 686a7a8d62 SEC-2223: Correct FirewalledRequest#reset() javadoc 2013-07-21 14:30:20 -05:00
Rob Winch 04b7d5ca08 SEC-2156: Only configures COOKIE instead of SSL
Configuring SSL is only allowed for SSL enabled applications and should
be configured on its own (not in conjuction with other modes).
2013-07-20 10:29:54 -05:00
Rob Winch ac053dbda7 SEC-2156: AbstractSecurityWebApplicationInitializer configures SessionTrackingMode
It also allows customization by overriding a method.
2013-07-19 17:09:58 -05:00
Rob Winch 4411ae3ff6 SEC-2221: Add MediaTypeRequestMatcher 2013-07-19 17:09:31 -05:00
Rob Winch eb15b19e50 SEC-2195: Update Groovy version on web module 2013-07-16 22:44:51 -05:00
Rob Winch 59e8551279 Fix package tangles 2013-07-16 17:08:03 -05:00
Rob Winch 5e6ca12b01 SEC-2097: Update integrationTestCompile to use optional and provided
Also update slf4j version and remove explicit commons-logging from pom generation
2013-07-16 15:59:06 -05:00
Rob Winch 02551e1b7a SEC-2214: Update Spring Version 2013-07-16 15:15:47 -05:00
Rob Winch faa8b354b7 SEC-2209: add pom.xml 2013-07-16 15:15:47 -05:00
Rob Winch 1705c5d796 SEC-2207: Update Gradle to 1.6 2013-07-16 15:02:39 -05:00
Rob Winch e5c450a14c Merge in AbstractSecurityWebApplicationInitializerTests.groovy 2013-07-05 09:42:19 -05:00
Keesun Baik cf80cc88b5 SEC-2192: Create DEFAULT_FILTER_NAME 2013-07-05 09:41:53 -05:00
Rob Winch 7412fe0748 SEC-1953: Polish bundlor warnings 2013-06-30 21:45:45 -05:00
Rob Winch d0c4e6ca72 SEC-1953: Spring Security Java Config support
This is the initial migration of Spring Security Java Config from the
external project at
https://github.com/SpringSource/spring-security-javaconfig
2013-06-30 17:28:33 -05:00
Rob Winch 7bc87cf13b SEC-2002: Polishing 2013-06-06 15:05:00 -05:00
Nicholas Williams d89ace26ab SEC-2002: Added events to notify of session ID change
Session fixation protection, whether by clean new session or
migrated session, now publishes an event when a session is
migrated or its ID is changed. This enables application developers
to keep track of the session ID of a particular authentication
from the time the authentication is successful until the time
of logout. Previously this was not possible since session
migration changed the session ID and there was no way to
reliably detect that.

Revised changes per Rob Winch's suggestions.
2013-06-05 14:44:17 -05:00
Rob Winch 3656dff720 SEC-2118: Include missing Bundlor packages 2013-02-25 17:07:09 -06:00
Rob Winch 5f9dfb73be SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked
Previously Spring Security would disable automatically saving the
SecurityContext when the Thread was different than the Thread that
created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for
many cases, but could cause issues when a timeout occurred. The problem
is that a Thread can be reused to process the timeout since the Threads
are pooled. This means that a timeout of a request trigger an apparent
logout as described in the following workflow:

  - The SecurityContext was established on the SecurityContextHolder
  - An Async request was made
  - The SecurityContextHolder would be cleared out
  - The Async request times out
  - The Async request would be dispatched back to the container upon
    timing out. If the container reused the same Thread to process the
    timeout as the original request, Spring Security would attempt to
    save the SecurityContext when the response was committed. Since the
    SecurityContextHolder was still cleared out it removes the
    SecurityContext from the HttpSession

Spring Security will now prevent the SecurityContext from automatically
being saved when the response is committed as soon as
HttpServletRequest#startAsync() or
ServletRequest#startAsync(ServletRequest,ServletResponse) is called.
2013-01-10 13:26:43 -06:00
Balazs Zagyvai 73ea8b5c05 SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter
Both overloads of
AbstractAuthenticationProcessingFilter.successfulAuthentication()
claimed to invoke SessionAuthenticationStrategy, which is not true, as
the invokation happens earlier in doFilter(). The Javadoc on these
methods are updated to reflect the actual code.
2012-12-28 22:59:38 +01:00
Rob Winch 9c4563285e SEC-1998: Async tests with SecurityContextHolderAwareReqeustFilter 2012-12-11 17:26:31 -06:00
Rob Winch c8d45397fe SEC-2079: Add Servlet 3 Authentication methods
Add support for HttpServletRequest's login(String,String), logout(),
and authenticate(HttpServletResponse).
2012-12-11 17:26:31 -06:00
Rob Winch d04cf5ea68 Remove unused FilterInvocation.DummyResponse 2012-12-11 14:21:03 -06:00
Rob Winch 1a650acbcc SEC-1998: DummyRequest extend HttpServletRequestWrapper
Previously DummyRequest implemented HttpServletRequest which caused complications
since Servlet 2.5 and Servlet 3 had non passive changes. While we were "safe" if the
Servlet 3 methods were never invoked reflective access of the methods would also
problems. We could prevent users from accessing the methods of DummyRequest by
returning new HttpServletRequestWrapper(DummyRequest), but a debugger could
potentially try to iterate over the methods triggering a NoClassDefFoundError.

DummyRequest now extends HttpServletRequestWrapper which will be dynamically
linked to the proper version of HttpServletRequest. We use a Dynamic Proxy that
throws UnsupportedOperationException to implement any methods we are not
interested in.
2012-12-11 14:21:03 -06:00
Rob Winch 3437ef714a SEC-1998: SecurityContextCallableProcessingInterceptor uses postProcess
Previously SecurityContextCallableProcessingInterceptor used afterCompletion
to clear the SecurityContextHolder. This does not work since afterCompletion
is invoked on the Servlet Container thread.

Now SecurityContextCallableProcessingInterceptor clears the
SecurityContextHolder on postProcess which is invoked on the same thread
that the Callable is processed on.
2012-12-11 14:21:03 -06:00
Rob Winch 796de42105 Revert "SEC-2078: AbstractPreAuthenticatedProcessingFilter requriesAuthentication support for non-String Principals"
This reverts commit 3fe7791266.
2012-12-11 14:21:02 -06:00
Rob Winch 70849aa8d2 Revert "SEC-2078: Updated Javadoc to reflect that updates to Principal will also trigger reauthentication"
This reverts commit ece4a0f067.
2012-12-11 14:21:02 -06:00
Rob Winch ece4a0f067 SEC-2078: Updated Javadoc to reflect that updates to Principal will also trigger reauthentication 2012-12-06 09:04:14 -06:00
Rob Winch 3fe7791266 SEC-2078: AbstractPreAuthenticatedProcessingFilter requriesAuthentication support for non-String Principals
Previously, if the Principal returned by getPreAuthenticatedPrincipal was not a String,
it prevented requiresAuthentication from detecting when the Principal was the same.
This caused the need to authenticate the user for every request even when the Principal
did not change.

Now requiresAuthentication will check to see if the result of
getPreAuthenticatedPrincipal is equal to the current Authentication.getPrincipal().
2012-12-04 10:54:29 -06:00
Rob Winch 6e47834d77 SEC-2084: AntPathRequestMatcher and RegexpRequestMatcher support request.getMethod()
Previously a NullPointerException would occur if an HttpServletRequest.getMethod()
returned null.

Now AntPathRequestMatcher and RegexpRequestMatcher will handle if the
HttpServletRequest.getMethod() returns null. While under normal circumstances,
it is unlikely for the method to be null this can occur when using
DefaultWebInvocationPrivilegeEvaluator.isAllowed(String, Authentication).
2012-12-03 15:07:18 -06:00
Rob Winch d40ecba9e0 SEC-1998: SaveContextOnUpdateOrErrorResponseWrapper only saves SecurityContext on original Thread
Previously SaveContextOnUpdateOrErrorResponseWrapper would save the SecurityContext on a different
Threads than the one it was created on. This causes issues with Async Web requests which may write
to the response on a new Thread.

Now SaveContextOnUpdateOrErrorResponseWrapper will not save the SecurityContext when a different
Thread invokes any of the methods that commit the response. This prevents issues with Async
processing. However, explicit calls to SecurityContextRepository.save will still save the
SecurityContext since it invokes the saveRequest method rather than private doSave method within
the SaveContextOnUpdateOrErrorResponseWrapper which contains the logic to prevent saving from
another Thread.
2012-11-30 14:27:02 -06:00
Rob Winch 593e512558 SEC-1998: SecurityContext integration with AsyncContext.start 2012-11-28 17:57:41 -06:00
Rob Winch 1ed643ca1f SEC-1998: Provide integration with WebAsyncManager#startCallableProcessing
Support integration of the Spring SecurityContext on Callable's used with
WebAsyncManager by registering SecurityContextCallableProcessingInterceptor.
2012-11-28 17:56:03 -06:00
Rob Winch 30780baf24 Externalize powermock dependencies for reuse 2012-11-08 22:49:20 -06:00
Rob Winch ea6b444770 update to spring snapshot dependencies 2012-11-08 22:49:20 -06:00
Rob Winch 72aecaff05 SEC-1939: Update SwitchUserFilter logger to use debug
Previously the SwitchUserFilter was logging as an error and then
throwing an Exception immediately after. This is not correct, since
whomever is catching the Exception should choose to log an error or not.

Now the log statement is at a debug level.
2012-10-07 11:38:21 -05:00
Rob Winch d3339a1e32 SEC-2025: SecurityContextLogoutHandler removes Authentication from SecurityContext
Previously there was a race condition could occur when the user attempts to access
a slow resource and then logs out which would result in the user not being logged
out.

SecurityContextLogoutHandler will now remove the Authentication from the
SecurityContext to protect against this scenario.
2012-10-05 18:30:01 -05:00
Rob Winch f38df99730 SEC-2045: AbstractAuthorizeTag supports custom WebInvocationPrivilegeEvaluator 2012-10-04 11:34:36 -05:00
Rob Winch 9883c0e60b SEC-2060: Add constructor with caused by to PreAuthenticatedCredentialsNotFoundException 2012-10-02 14:26:27 -05:00
Rob Winch 906da97594 SEC-2038: AbstractPreAuthenticationFilter afterPropertiesSet invokes super 2012-09-21 15:23:03 -05:00
Rob Winch 8a54d597af Revert "SEC-2045: AbstractPreAuthenticationFilter afterPropertiesSet invokes super"
This commit contains the wrong JIRA ID.

This reverts commit c53fd99430.
2012-09-21 15:22:02 -05:00
Rob Winch 0a2fa03160 SEC-2036: Set cookie path to / when default context path in CookieClearingLogoutHandler 2012-09-21 14:12:48 -05:00
Rob Winch c53fd99430 SEC-2045: AbstractPreAuthenticationFilter afterPropertiesSet invokes super 2012-09-21 14:12:48 -05:00
Rob Winch 0e97e67083 SEC-2041: SaveContextServletOutputStream/SaveContextPrintWriter delegate all methods 2012-09-21 14:12:48 -05:00
Rob Winch dbc88f3226 SEC-2055: SaveContextServletOutputStream flush/close delegates to original ServletOutputStream instead of using super 2012-09-21 14:12:48 -05:00
mpigg a45ec0df2b SEC-1961: SubjectDnX509PrincipalExtractorTests for CN as last segment
See https://github.com/SpringSource/spring-security/pull/8
2012-08-17 14:57:48 -05:00
Rob Winch c2def26c3e SEC-1961: SubjectDnX509PrincipalExtractor supports CN as last segement 2012-08-17 14:45:38 -05:00
Rob Winch 1ab068a06d SEC-2005: Ensure SecurityContext saved prior to the response being committed
Previously Spring Security did not save the Security Context immediately prior
to the following methods being invoked:

   - HttpServletResonse.flushBuffer()
   - HttpServletResonse.getWriter().close()
   - HttpServletResonse.getWriter().flush()
   - HttpServletRespose.getOutputStream().close()
   - HttpServletRespose.getOutputStream().flush()

This meant that the client could get a response prior to the SecurityContext
being stored. After the client got the response, it would make another request
and this would not yet be authenticated. The reason this can occur is because
all of the above methods commit the response, which means that the server can
signal to the client the response is completed. A similar issue happened in
SEC-398.

Now the previously listed methods are wrapped in order to ensure the SecurityContext
is persisted prior to the response being committed.
2012-08-07 16:02:22 -05:00
Rob Winch ffe2834f4c SEC-2027: Invoke SecurityContextHolder.clearContext() only on outer invocation of FilterChainProxy
When SEC-1950 was introduced it caused problems when a <filter-mapping> was mapped
to multiple dispatchers (i.e. REQUEST and FORWARD) since when the second dispatcher
completed execution it cleared the SecurityContext and the original FilterChain
would then save the cleared out SecurityContext.

We now use a pattern similar to the OncePerRequestFilter to only invoke
SecurityContextHolder.clearContext() on the first invocation of the Filter. We do not simply extend
OncePerRequestFilter because we want to invoke the delegate filters for every request.
2012-08-07 15:56:34 -05:00
Rob Winch a5ec116e80 SEC-1919: Log error when fail to communicate with LDAP
Previously communication errors with LDAP were only logged at debug level.

Communication errors (along with other non-authenticated related NamingExceptions)
are now logged as error messages. We created an InternalAuthetnicationServiceException
to represent errors that should be logged as errors to distinguish between internal
and external authentication failures. For example, we do not want an OpenID Provider
being able to report errors that cause our logs to fill up. However, an LDAP system is
internal and should be trusted so logging at an error level makes sense.
2012-07-31 16:55:48 -05:00
Rob Winch 9a9aafaeec SEC-1967: Restore original SecurityContext in finally when RunAsManager is used
Previously subclasses of AbstractSecurityInterceptor did not restore the original
Authentication when RunAsManager was used and an Exception was thrown in the
original method.

AbstractSecurityInterceptor has added a new method finallyInvocation which
should be invoked in a finally block immediately after the original invocation
which will restore the original Authentication. All existing sub classes have
been updated to use this new method.
2012-07-24 18:08:27 -05:00
Rob Winch 24c3bdfd90 SEC-2013: Add space to log of AbstractAuthenticationProcessingFilter 2012-07-19 16:13:12 -05:00
Rob Winch 1710f32a08 SEC-2011: Moved SessionRegistry documentation of SessionRegistry#onAuthentication
Previously the documentation was referring to what ConcurrentSessionControlStrategy
performed.

Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication
method.
2012-07-19 11:15:06 -05:00
Rob Winch b868daaa8c SEC-2011: Remove reference to SessionRegistry from SessionFixationProtectionStrategy javadoc
Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).

Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
2012-07-19 10:20:40 -05:00
Rob Winch aa4ec9a508 Cleaned up warnings in JdbcTokenRepositoryImpl and JdbcTokenRepositoryImplTests 2012-07-18 16:35:57 -05:00
Rob Winch 340534dadb SEC-1964: Handle missing series in JdbcTokenRepositoryImpl
Previously JdbcTokenRepositoryImpl would log an error with a misleading
message when the token series was missing.

Now JdbcTokenRepositoryImpl logs missing token series at info level with
a more informative message.
2012-07-18 16:35:57 -05:00
Rob Winch f2345fcb21 SEC-1981: Remove dependency on Locale for the build 2012-07-05 13:30:41 -05:00
Rob Winch a2452ab514 SEC-1906: Update to Gradle 1.0 2012-07-05 12:41:56 -05:00
Rob Winch 2fba10ab61 Use powermock for testing servlet 3.0 functionality instead of distinct classpaths 2012-07-01 12:37:01 -05:00
Rob Winch f6902471fb SEC-1965: DefaultWebSecurityExpressionHandler is now passive from 3.0.x releases
There were two issues that needed resolved

 - Since DefaultWebSecurityExpressionHandler no longer implemented WebSecurityExpressionHandler a bean lookup by
   type would not work. This caused failures in the JSF support.

 - The method createEvaluationContext needed to be explicitly defined on WebSecurityExpressionHandler since the
   parameterized type from the super interface is not preserved at compile time. Without explicitly defining the
   method any class compiled against a previous version would cause a NoSuchMethodException.
2012-06-28 10:54:01 -05:00
Rob Winch b6ec700640 SEC-1968: AbstractPreAuthenticatedProcessingFilter clears SecurityContext on null principal change with invalidateSessionOnPrincipalChange = true 2012-06-27 15:49:18 -05:00
Rob Winch de3dfb5b3f SEC-1875: ConcurrentSessionControlStrategy no longer adds/removes the session to the SessionRegistry twice
This fixes two issues introduced by SEC-1229

 * SessionRegistry.registerNewSession is invoked twice

 * SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should be handle removing the session twice. However, as removing
twice requires an unnecessary database hit we should only remove
sessions once.
2012-06-26 16:36:41 -05:00
Rob Winch 520b65e2e3 SEC-1865: Remove invalid OWASP link in TextEscapeUtils 2012-06-11 14:49:28 -05:00
Rob Winch c446697de3 Cleaned up warnings in FilterChainProxyTests 2012-04-11 17:23:07 -05:00
Rob Winch bb8f3bae7c SEC-1950: Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy 2012-04-11 17:22:19 -05:00
Rob Winch a4322d70ba Merge pull request #5 from tburch/setUseSecureCookie-typo
fix typo in AbstractRememberMeServices.setUseSecureCookie method documentation
2012-03-13 17:02:43 -07:00
Rob Winch 84141c4c76 SEC-1927: Corrected debug log in SessionManagementFilter to have a space between ID and the session and added guard to log statement 2012-03-11 18:35:38 -05:00
Tristan Burch e7f47964ee fix typo in setUseSecureCookie method documentation 2012-03-09 17:01:17 -07:00
Luke Taylor 5d71d2a4fa SEC-1887: Add MethodSecurityOperations interface.
This should cater for implementations which want to use
the full filtering capabilities while creating a custom
expression root object.

Also cleaning whitespace.
2012-02-01 15:49:56 +00:00
Luke Taylor 538e75ce1b SEC-1903: Use a static CRLF Pattern in FirewalledResponse
The Pattern was being recompiled for every request
when a single instance could be shared for performance
reasons.
2012-02-01 13:21:16 +00:00
Andrei Stefan 0f9ee81df1 SEC-1887: Improve extensibility of expression-based security classes
Introduces a new SecurityExpressionOperations interface which is
implemented by SecurityExpressionRoot
2012-01-31 19:06:43 +00:00
Rob Winch 22225effcc Call SecurityContextHolder.clearContext() in tear down of HttpSessionSecurityContextRepositoryTests 2011-12-30 16:05:35 -06:00
Rob Winch 5d94cd5e13 SEC-1735: Do not remove SecurityContext from HttpSession when anonymous Authentication is saved if original SecurityContext was anonymous 2011-12-30 16:04:02 -06:00
Rob Winch 6fe6e18939 SEC-1870: Updated HttpSessionDestroyedEvent to properly look for SecurityContexts as session attribute values instead of session attribute names 2011-12-29 15:44:49 -06:00
Rob Winch 8ca2927761 Renamed **/Test.java to **/Tests.java to better follow conventions 2011-12-28 17:39:29 -06:00
Luke Taylor 0bccbbfc18 SEC-1779: Make new getters protected rather than public. 2011-11-01 00:20:34 +00:00
Luke Taylor f456db267f SEC-1779: Added getters for success and failure handlers to AbstractAuthenticationProcessingFilter. 2011-11-01 00:06:23 +00:00
Luke Taylor 09ac4bd8f9 SEC-1833: Remove unused securityContextClass from HttpSessionSecurityContextRepository. 2011-10-31 23:44:43 +00:00
Luke Taylor 44e2543015 Minor changes to make filter chain validation more robust with custom request matchers. 2011-10-24 21:21:10 +01:00
Luke Taylor f1e63f3008 SEC-1802: Add digits to valid URL scheme regex. 2011-10-21 17:25:50 +01:00
Luke Taylor 869c6a7c18 SEC-1800: Set input size to 30 for OpenID login. 2011-09-25 21:13:37 +01:00
Luke Taylor 824464516c SEC-1790: Reject redirect locations containing CR or LF. 2011-08-12 19:44:26 +01:00
Luke Taylor 6333909107 SEC-1797: Create a new session in AbstractPreAuthenticatedProcessingFilter when the existing session is invalidated on detecting a principal change. 2011-08-12 19:07:17 +01:00
Luke Taylor 0c2a950fa0 SEC-1788: Avoid unnecessary call to getPreAuthenticatedPrincipal() in AbstractPreAuthenticatedProcessingFilter when not checking for principal changes is not enabled. 2011-08-10 17:07:09 +01:00
Luke Taylor 8740efc0f5 Added constructor injection options to ConcurrentSessionFilter 2011-07-18 15:09:31 +01:00
Luke Taylor a1c714cff4 SEC-1754: Added an InvalidSessionStrategy to allow SessionManagementFilter to delegate out the behaviour when an invalid session identifier is submitted. 2011-07-14 16:43:02 +01:00
Luke Taylor 8440743108 Remove Sql query objects from JdbcTokenRepositoryImpl in favour of direct JdbcTemplate use. 2011-07-13 23:28:41 +01:00
Luke Taylor 700fa9e0b6 SEC-1772: remote URL decoding of targetUrlParameter in AbstractAuthenticationTargetUrlRequestHandler. 2011-07-13 22:13:52 +01:00
Luke Taylor de97bac85b SEC-1763: Prevent nested switches in SwitchUserFilter by calling attemptExitUser() before doing the switch. 2011-07-13 21:59:11 +01:00
Luke Taylor a504cfae1a SEC-1770: Call refreshLastRequest on the session registry rather than the SessionInformation object to make sure it works with alternative SessionRegistry implementations. 2011-07-13 20:56:47 +01:00
Rob Winch 330f82f562 SEC-1777: Corrected log in HttpSessionSecurityContextRepository to reference itself instead of HttpSessionContextIntegrationFilter 2011-07-09 19:24:12 -05:00
Rob Winch 825f0061fb SEC-1761: Support HttpOnly Flag for Cookies when using Servlet 3.0 2011-07-09 19:23:51 -05:00
Luke Taylor 56e86dd36f Adding assertions on constructor arg values. 2011-07-06 20:50:25 +01:00
Luke Taylor f92589f051 Extract a SecurityFilterChain interface and create a default implementation to facilitate other configuration options. 2011-07-06 00:12:48 +01:00
Luke Taylor 2d271666a4 Add constructors to facilitate constructor-based injection for required/shared bean properties. 2011-07-05 20:25:49 +01:00
Luke Taylor 73442125de SEC-1775: Removed internal use of UserAttribute class in AnonymousAuthenticationFilter. 2011-07-04 21:09:48 +01:00
Luke Taylor b15475ab3d SEC-1771: Change TokenBasedRememberMeServices to obtain password from UserDetailsService if necessary. 2011-07-02 20:36:42 +01:00
Luke Taylor 737a9d1825 Improved toString methods on request wrappers. 2011-07-02 20:36:41 +01:00
Luke Taylor 571bfc4869 Refactoring to use Utf8 encoder instead of String.getBytes("UTF-8"). 2011-06-14 18:47:50 +01:00