Commit Graph

4949 Commits

Author SHA1 Message Date
Rob Winch 0bc08f8a23 SEC-2230: Update contacts sample to use <headers> with no child elements 2013-08-01 09:47:57 -05:00
Rob Winch 283c906215 SEC-2230: Fix reference PDF 2013-07-31 12:22:41 -05:00
Rob Winch 94a73fee37 SEC-2230: Polish scoping and finals 2013-07-31 11:34:35 -05:00
Rob Winch a1bf28a697 SEC-2239: Remove duplicate SessionCreationPolicy 2013-07-31 10:44:22 -05:00
Rob Winch 606bddf598 SEC-2230: Add Header JavaConfig
Added JavaConfig for Headers. In the process, more HeaderWriter instances
were added so that we can reuse logic between the XML and JavaConfig. This
also prompted repackaging the writers.
2013-07-31 10:39:52 -05:00
Rob Winch 988e97e366 SEC-2230: Polish headers reference 2013-07-31 10:39:52 -05:00
Rob Winch bc8ff9590c SEC-2230: Defaults when using only <headers/>
Previously an error occurred when no child elements were specified with
<headers/>.

Now all the explicitly supported header elements are added with their
default settings.
2013-07-31 10:39:52 -05:00
Rob Winch c85328c5d1 SEC-2230: HTTP Strict Transport Security (HSTS)Add support for Strict
This is a distinct filter as apposed to reusing StaticHeaderWriter
since the specification specifies that the "Strict-Transport-Security"
header should only be set on secure requests. It would not make sense to
require DelegatingRequestMatcherHeaderWriter since this requirement is
in the specification.
2013-07-31 10:39:52 -05:00
Rob Winch 8013cd54d6 SEC-2230: Added Cache Control support 2013-07-31 10:39:45 -05:00
Rob Winch 7b164bb5e1 SEC-2230: Polish pull request 2013-07-26 14:19:53 -05:00
Rob Winch 8acd205486 SEC-2232: HeaderFactory to HeaderWriter 2013-07-26 09:01:12 -05:00
Rob Winch fd754c5cab SEC-2098, SEC-2099: Fix build
- hf.doFilter is missing FilterChain argument
  - response.headers does not contain the exact values for the headers so
    should not be used for comparison (note it is a private member so this
    is acceptable)
  - hf does not need non-null check when hf.doFilter is invoked
  - some of the configurations are no longer valid (i.e. ALLOW-FROM
    requires strategy)
  - Some error messages needed updated (some could still use improvement)
  - No validation for missing header name or value
  - rebased off master / merged
  - nsa=frame-options-strategy id should use - not =
  - FramewOptionsHeaderFactory did not produce "ALLOW-FROM " prefix of origin
  - remove @Override on interface overrides to work with JDK5
2013-07-25 16:23:25 -05:00
Marten Deinum d0b40cd2ae - Created HeaderFactory abstraction
- Implemented different ALLOW-FROM strategies as specified in the proposal.

Conflicts:
	config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
	config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
2013-07-25 16:22:43 -05:00
Rob Winch a63baa8391 SEC-2098, SEC-2099: Polishing 2013-07-25 16:22:43 -05:00
Marten Deinum 0adf5aea91 SEC-2098, SEC-2099: Created HeadersFilter
Created HeadersFilter for setting security headers added including a
bean definition parser for easy configuration of the headers. Enables
easy configuration for the X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options headers. Also allows for additional headers to
be added.
2013-07-25 16:22:43 -05:00
Rob Winch f5a30e55a3 SEC-2042: AbstractAuthenticationProcessingFilter supports RequestMatcher 2013-07-23 13:06:51 -05:00
Rob Winch f34b459c80 SEC-2205: Create UserDetailsServiceDelegator
Ensure that the UserDetailsService is created lazily.
2013-07-22 16:38:09 -05:00
Rob Winch a39ff1b041 SEC-2202: http.authorizeUrls() to http.authorizeRequests()
This change is more meaningful since the requests can be matched on
anything not just the URL
2013-07-22 11:54:10 -05:00
Rob Winch e1d8db4e95 SEC-2197: Allow multiple invocations on HttpSecurity
Previously invoking methods like HttpSecurity#authorizeUrls() multiple
times would override one another. This has now changed to be more
intuitive. Initially this was required for the way that defaults were
provided so that they could be overriden, but this is no longer the case.
2013-07-21 22:56:23 -05:00
Rob Winch 686a7a8d62 SEC-2223: Correct FirewalledRequest#reset() javadoc 2013-07-21 14:30:20 -05:00
Rob Winch 04b7d5ca08 SEC-2156: Only configures COOKIE instead of SSL
Configuring SSL is only allowed for SSL enabled applications and should
be configured on its own (not in conjuction with other modes).
2013-07-20 10:29:54 -05:00
Rob Winch cf0fdc2d66 SEC-2222: Use auth parameter name instead of registry 2013-07-20 07:49:07 -05:00
Rob Winch ac053dbda7 SEC-2156: AbstractSecurityWebApplicationInitializer configures SessionTrackingMode
It also allows customization by overriding a method.
2013-07-19 17:09:58 -05:00
Rob Winch 90bd241ce2 SEC-2199: Support multiple AuthenticationEntryPoint defaults 2013-07-19 17:09:58 -05:00
Rob Winch 87c9a14bff SEC-2198: http.httpBasic() defaults AuthenticationEntryPoint 2013-07-19 17:09:58 -05:00
Rob Winch 4411ae3ff6 SEC-2221: Add MediaTypeRequestMatcher 2013-07-19 17:09:31 -05:00
Rob Winch eb15b19e50 SEC-2195: Update Groovy version on web module 2013-07-16 22:44:51 -05:00
Rob Winch 0f281f9575 SEC-2215: ServletApiConfigurer populates properties on SecurityContextHolderAwareRequestFilter
Previously ServletApiConfigurer left the following properties null:
authenticationManager, logoutHandlers, and authenticationEntryPoint
2013-07-16 22:43:53 -05:00
Rob Winch 59e8551279 Fix package tangles 2013-07-16 17:08:03 -05:00
Rob Winch 5e6ca12b01 SEC-2097: Update integrationTestCompile to use optional and provided
Also update slf4j version and remove explicit commons-logging from pom generation
2013-07-16 15:59:06 -05:00
Rob Winch 955a60cf49 SEC-2208: Use std docbook plugin and workspace cleanup 2013-07-16 15:15:47 -05:00
Rob Winch 7d9f0d688a SEC-2207: Workaround for GRADLE-1116 2013-07-16 15:15:47 -05:00
Rob Winch 00ed77af20 SEC-2207: Trick Gradle Eclipse to import project and not the build folders 2013-07-16 15:15:47 -05:00
Rob Winch 41b64e05d0 SEC-2211: check.dependsOn integrationTest 2013-07-16 15:15:47 -05:00
Rob Winch 02551e1b7a SEC-2214: Update Spring Version 2013-07-16 15:15:47 -05:00
Rob Winch faa8b354b7 SEC-2209: add pom.xml 2013-07-16 15:15:47 -05:00
Rob Winch e5fc063680 SEC-2206: Gradle Propdeps 2013-07-16 15:15:42 -05:00
Rob Winch 01230c76ef SEC-2217: Sonar Runner 2013-07-16 15:13:22 -05:00
Rob Winch 3c9a80433f SEC-2207: AspectJPlugin uses compileAspect and compileTestAspect 2013-07-16 15:02:39 -05:00
Rob Winch 07c3fdf8a7 SEC-2195: Update Groovy, Geb, Spock, httpcomponents, and Jetty 2013-07-16 15:02:39 -05:00
Rob Winch 1705c5d796 SEC-2207: Update Gradle to 1.6 2013-07-16 15:02:39 -05:00
Rob Winch fb45db11e9 SEC-2191: Remove AuthenticationManagerBuilder default constructor
This ensures that users must choose what ObjectPostProcessor is being used
with AuthenticationManagerBuilder. To make things easier for users, we now
automatically add an AuthenticationManagerBuilder object that can be used
for creating an AuthenticationManager with @Autowired.
2013-07-05 12:10:03 -05:00
Rob Winch e88800cd9b SEC-2187: Polish
Create private utf8UrlEncode method to improve readability
2013-07-05 10:24:10 -05:00
Tom Boettcher 54c1c20c69 SEC-2187: Encode query parameter names and values in return_to URL 2013-07-05 09:47:18 -05:00
Rob Winch e5c450a14c Merge in AbstractSecurityWebApplicationInitializerTests.groovy 2013-07-05 09:42:19 -05:00
Keesun Baik cf80cc88b5 SEC-2192: Create DEFAULT_FILTER_NAME 2013-07-05 09:41:53 -05:00
Rob Winch cd34c47643 Next development version 2013-07-01 14:05:22 -05:00
Spring Buildmaster b45f7b9585 [artifactory-release] Release version 3.2.0.M2 2013-07-01 11:42:45 -07:00
Rob Winch 3c178a339e remove snapshot repo references 2013-07-01 13:00:57 -05:00
Rob Winch 70b3a330ef #137 WebSecurityConfigurerAdapter no longer uses getClass() for logger
Previously it was difficult to change log levels due to CGLIB proxying of
the class which impacted the logger name.
2013-07-01 10:07:38 -05:00