Commit Graph

757 Commits

Author SHA1 Message Date
Luke Taylor 026517f674 Removal of deprecated methods and classes. 2010-06-26 16:23:42 +01:00
Luke Taylor 09176b0af4 SEC-1501: Fix bean classname in Javadoc for SwitchUserFilter. 2010-06-25 19:45:34 +01:00
Luke Taylor ea8d37892c SEC-1496: Added support for use of any non-standard URL schemes in DefaultRedirectStrategy. 2010-06-18 03:33:49 +01:00
Luke Taylor 4d10d4b67f SEC-1500: Convert AbstractRetryEntryPoint to use requestURI to correctly encode URLs. 2010-06-18 01:34:07 +01:00
Luke Taylor 76ebb759f3 Removed unnecessary casts. 2010-06-08 22:56:59 +01:00
Luke Taylor 7d74b7c87e SEC-1171: Allow multiple http elements and add pattern attribute to specify filter chain mapping. 2010-05-27 15:54:15 +01:00
Luke Taylor e156d5339a Fix build when upload properties are missing. Added missing hsql test dependency 2010-05-24 17:01:19 +01:00
Luke Taylor 0e57ce2dc3 SEC-1481: Updated constructors of Authentication types to use a generic wildcard for authorities collection. 2010-05-21 15:59:50 +01:00
Luke Taylor 978bb9f601 Remove commented-out code in ETF. 2010-05-16 15:16:40 +01:00
Luke Taylor f0c4cccb0d SEC-1479: Clarify that matching is against servletPath + pathInfo for ant pattern matching. Added some extra pointers to request-matching info in namespace doc. 2010-05-16 14:14:13 +01:00
Luke Taylor bf288101a0 Javadoc improvements 2010-05-16 14:14:13 +01:00
Luke Taylor b3aad4cf19 Javadoc fixes. 2010-05-06 20:02:08 +01:00
Luke Taylor 0c09780644 SEC-1476: Modify AbstractPreAuthenticatedProcessingFilter to store authentication exception in request instead of creating a new session. 2010-05-05 14:13:48 +01:00
Luke Taylor fcf33afce0 Formatting. 2010-05-03 14:53:05 +01:00
Luke Taylor bca6c1aeac SEC-1468: Doc and Javadoc updates. 2010-04-26 23:26:07 +01:00
Luke Taylor 024e6904ff SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager. 2010-04-25 04:27:09 +01:00
Luke Taylor ee1fd1bc50 SEC-1431: Modify OpenID sample to use a custom UserDetailsService which allows any user to authenticate, allocating them a standard role and "registers" their ID in a map, allowing it to be retrieved in subsequent logins. 2010-04-20 23:47:48 +01:00
Luke Taylor 74896f217b SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>. 2010-04-20 23:47:47 +01:00
Luke Taylor a45d2a4fb2 SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client. 2010-04-20 18:04:22 +01:00
Luke Taylor 93deec8d40 SEC-1458: Remove logger field in HttpSessionEventPublisher in favour of direct lookup. Prevents early initialization of logging system when listener is initialized. 2010-04-16 16:12:38 +01:00
Luke Taylor 0521d10069 SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
2010-04-01 01:24:23 +01:00
Luke Taylor 2e2625873c SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager).
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
2010-03-23 00:45:06 +00:00
Luke Taylor d5df53f1db SEC-1439: Make getters and setters public on HttpRequestResponseHolder.
Necessary to allow use of custom SecurityContextRepository.
2010-03-12 15:53:05 +00:00
Luke Taylor f3264ba9ab Addition of commons-logging exclusions and adjustments to pom generation. 2010-03-07 21:58:25 +00:00
Luke Taylor 43f0e11106 SEC-1429: Removed cached authentication from session after successful authentication. 2010-03-05 00:07:35 +00:00
Luke Taylor 89d8c8cc83 Additional test classes for authentication and logout success/failure handling. 2010-03-04 23:18:46 +00:00
Luke Taylor a3263753d9 Fix to Javadoc for AbstractAuthenticationProcessingFilter. 2010-03-04 22:06:04 +00:00
Luke Taylor 530ab3ae30 SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect. 2010-03-04 21:21:07 +00:00
Luke Taylor 43f3568b16 SEC-1407: Removed original URL matching classes and updated Javadoc of new RequestMatcher versions. 2010-03-03 23:11:49 +00:00
Luke Taylor ae8027fa47 SEC-1425: Replace use of Java 1.6 String.isEmpty(). 2010-03-01 13:49:42 +00:00
Luke Taylor 93438defff SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy.
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
2010-03-01 01:21:06 +00:00
Luke Taylor cb0f3f677f SEC-1425: Add check for empty cookie in AbstractRememberMeServices.
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
2010-02-28 14:08:27 +00:00
Luke Taylor f0466b6488 SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all. 2010-02-27 00:22:21 +00:00
Luke Taylor e2f9be9015 SEC-1307: Modify context saving logic in HttpSessionSecurityContextRepository to check the SecurityContext and its contents (the Authentication) against the respective values when the request first arrived at the SecurityContextPersistenceFilter. As explained in the issue, this allows a definite decision to be made about whether the current thread has modified the context information during the request, indicating that it should be saved.
Also removed deprecated HttpSessionContextIntegrationFilter and tests.
2010-02-26 16:01:40 +00:00
Luke Taylor 4dd10cd266 Refactor overly large doFilter() method in DigestAuthenticationFilter. 2010-02-22 01:48:53 +00:00
Luke Taylor f3f84da625 Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0. 2010-02-21 23:25:36 +00:00
Luke Taylor 2ee7696bf4 Update version number to 3.1.0.CI-SNAPSHOT. 2010-02-19 17:35:19 +00:00
Luke Taylor 44f45d21f0 3.0.2 release. Update version in build files. 2010-02-19 01:22:21 +00:00
Luke Taylor 14ae36ac3b SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header.
The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
2010-02-18 00:32:49 +00:00
Luke Taylor bd635edc31 SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
2010-02-15 22:46:18 +00:00
Luke Taylor c1133d1ef3 Removed unused import in DelegatingAuthenticationEntryPoint and corrected test class name. 2010-02-14 23:31:31 +00:00
Luke Taylor d30e31d816 Remove unnecessary @SuppressWarnings and inline dependency from ELRequestMatcher (util package) to core ExpressionUtils. 2010-02-14 23:29:27 +00:00
Luke Taylor c12c43da9e Javadoc fixes. 2010-02-14 23:27:09 +00:00
Luke Taylor 36612377e2 Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents. 2010-02-14 23:23:23 +00:00
Luke Taylor 1e4f451352 Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources 2010-02-11 18:08:06 +00:00
Luke Taylor dcbdfc2026 SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
2010-02-11 17:47:22 +00:00
Mike Wiesner 90d6ff1fde SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-11 13:19:16 +01:00
Mike Wiesner d32b078a8c SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-11 09:05:28 +01:00
Mike Wiesner d2413cf237 SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-10 21:25:23 +01:00
Luke Taylor 08c7155ab5 SEC-1404: Refactored IP subnet matching into IpAddressMatcher class to allow it to be used outside expressions. 2010-02-10 15:06:01 +00:00
Luke Taylor 1ecd3e228b SEC-1405: added RequestMatcher interface. 2010-02-10 14:34:14 +00:00
Luke Taylor 984604b026 SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator.
The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
2010-02-06 14:38:44 +00:00
Luke Taylor 0974e21fb6 SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid).
This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
2010-01-23 02:12:30 +00:00
Luke Taylor 04447bdbf0 SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs). 2010-01-22 01:55:13 +00:00
Luke Taylor 0c10efbbf8 Revert SEC-1356.
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
2010-01-19 22:26:21 +00:00
Luke Taylor 1a7f71fc0f SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
2010-01-19 01:07:33 +00:00
Luke Taylor 51dfc0fb39 Set versions to 3.0.2-CI-SNAPSHOT, post release. 2010-01-15 18:15:19 +00:00
Luke Taylor 05634f97dc Updated version numbers for 3.0.1 release. 2010-01-15 18:04:28 +00:00
Luke Taylor a9567a58d8 SEC-1359,SEC-1360,SEC-1361,SEC-1363,SEC-1364,SEC-1365,SEC-1366,SEC-1367: Minor doc and Javadoc typos. 2010-01-13 15:36:58 +00:00
Luke Taylor 3a8daa1bf4 Gradle build improvements.
Added generation of source archives and trial support for maven deployment and pom generation, with "provided" configuration mapped to "provided" scope.
2010-01-13 00:44:05 +00:00
Luke Taylor f62d97b092 SEC-1356: Fix broken tests.
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
2010-01-12 01:32:02 +00:00
Luke Taylor 6eff4d90b7 SEC-1356: Modify AbstractRememberMeService to check the cookie path as well as the name when extracting it from the incoming request.
This makes things consistent with the cookie setting methods. If someone wants to share a cookie between multiple applications then they should modify the cookie extraction and setting methods to use a less-specific path.
2010-01-12 00:49:53 +00:00
Luke Taylor 2023ca283e SEC-1358: Support empty context path in DefaultWebInvocationPrivilegeEvaluator
This class was failing when an application was deployed at the root context because of an assertion which checked that the contexPath was not empty. An empty context path doesn't actually cause problems for the class so I've removed the assertion.
2010-01-12 00:30:27 +00:00
Luke Taylor b323098167 Added gradle build files for taglibs, tutorial, contacts and openid.
Changed build file names to match module names (by manipulating the project objects in the settings.gradle file).
2010-01-10 23:31:23 +00:00
Luke Taylor e211f9b35f SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.

Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
Luke Taylor bc02fc2de1 Corrected "incorrect numer of tokens" error message in TokenBasedRememberMeServices. 2010-01-08 23:57:27 +00:00
Luke Taylor 052537c8b0 Removing $Id$ markers and stripping trailing whitespace from the codebase. 2010-01-08 21:05:13 +00:00
Luke Taylor f5d36aef65 SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter
Added clarification that the credentials returned
by the subclass should not be null or they will
typically be rejected by the provider. Also added
some general overview.
2010-01-05 16:01:55 +00:00
Luke Taylor c6b8fe5e55 SEC-1346: Added missing 'return' statements after redirects.
ConcurrentSessionFilter and SessionManagementFilter now return immediately after redirecting to the expired URL and invalid session URLs respectively. Extra tests added to check.
2010-01-03 19:06:58 +00:00
Luke Taylor 893f212fa5 Tidying 2010-01-02 19:53:19 +00:00
Luke Taylor 115d5b84ff [maven-release-plugin] prepare for next development iteration 2009-12-22 22:20:01 +00:00
Luke Taylor 6c6ef08353 [maven-release-plugin] prepare release spring-security-3.0.0.RELEASE 2009-12-22 22:19:38 +00:00
Luke Taylor e64866ae6a Updated bundlor templates and introduced spring.version variable 2009-12-22 01:10:04 +00:00
Luke Taylor 3418aab46e SEC-1327: Javadoc additions to clarify some behaviour 2009-12-21 17:32:54 +00:00
Luke Taylor fcce29f8df SEC-1326: Updating dependencies to match Spring versions. Removing unused deps. 2009-12-21 17:32:38 +00:00
Luke Taylor 97a31cae04 SEC-1333: Added error message for invalid redirect URL assertion 2009-12-18 19:29:36 +00:00
Luke Taylor aeed49393c Switching StringBuffer to StringBuilder throughout the codebase (APIs permitting). 2009-12-18 18:44:42 +00:00
Luke Taylor 76731254c0 SEC-1328: Fixed issue with redirect to context relative URLs where the context name is part of the domain name. 2009-12-18 18:04:03 +00:00
Luke Taylor 06e092d46a Midor Javadoc correction. 2009-12-15 15:39:01 +00:00
Luke Taylor 6805761d85 Extra test to confirm http-method specific matching behaviour. 2009-12-14 13:55:48 +00:00
Luke Taylor cad32ffe39 SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. removed unnecessary null checks in classes which use the interface. 2009-12-13 17:37:24 +00:00
Luke Taylor 520e733cb2 [maven-release-plugin] prepare for next development iteration 2009-12-08 21:19:41 +00:00
Luke Taylor f2cf17bd49 [maven-release-plugin] prepare release spring-security-3.0.0.RC2 2009-12-08 21:19:20 +00:00
Luke Taylor 075e7a15ad Corrected package name in Javadoc. 2009-12-07 21:44:02 +00:00
Luke Taylor 444d93b13f SEC-1316: Remove 'removeAfterRequest' property from AnonymousAuthenticationFilter 2009-12-07 13:54:39 +00:00
Luke Taylor b27d7afd24 SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation. 2009-12-06 15:28:03 +00:00
Luke Taylor aee6b8f3f9 SEC-1314: Deprecate cloneFromHttpSession and securityContextClass in HttpSessionSecurityContextRepository. Both deprecated. 2009-12-06 15:09:33 +00:00
Luke Taylor dab76249db Added gradle build files (experimental) 2009-12-04 21:33:17 +00:00
Luke Taylor 69699431b1 SEC-1303: Added internal Hex and Base64 classes, and moved commons-codec dependency to test scope 2009-11-24 09:31:03 +00:00
Luke Taylor 4d8956a227 SEC-1288: Changed claimedIdentityFieldName in OpenIDAuthenticationFilter to "openid_identifier", as recommended by the 2.0 spec. 2009-11-17 22:05:38 +00:00
Luke Taylor d84542cf88 SEC-1285: minor vulnerability in BasicProcessingFilter. Changed logging of Basic authentication information. 2009-11-17 15:29:07 +00:00
Luke Taylor 617e517e5e SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice. Added check for null authentication in logout method. 2009-11-04 17:20:13 +00:00
Luke Taylor 930c1b6b53 Coverted to Junit 4 test. 2009-10-14 21:48:30 +00:00
Luke Taylor 11e476c486 Added issue numbers in comment. 2009-10-14 14:23:34 +00:00
Luke Taylor d4d45e1311 Make getHeader() methods check case-insensitive matching on header name. 2009-10-14 14:12:27 +00:00
Luke Taylor 7282eed197 Import cleaning. 2009-10-14 00:30:55 +00:00
Luke Taylor 799b96520b SEC-1269: Combining <form-login> and <open-id> fails to find entry point. Fixed entry point choice conditions when using openID and/or form-login 2009-10-14 00:30:28 +00:00
Luke Taylor 3f963ef8ca Restore versions and svn URLs in trunk (release plugin fail) 2009-10-11 21:59:38 +00:00
Luke Taylor af563e826c [maven-release-plugin] prepare release spring-security-3.0.0.RC1 2009-10-11 21:43:42 +00:00
Luke Taylor 881632cc08 SEC-1250: Removed duplicate property. 2009-10-11 15:20:24 +00:00
Luke Taylor 0da99171da SEC-1250: RequestHeaderPreAuthenticatedProcessingFilter cannot be use to fail back to another authentication type. Added exceptionIfHeaderMissing property. 2009-10-08 16:37:53 +00:00
Luke Taylor 3f72983a1e SEC-1257: Some additional API changes to use Collection instead of List... 2009-10-07 21:08:41 +00:00
Luke Taylor 1286741c7c SEC-1259: Improve consistency of authentication filter names. 2009-10-07 14:43:55 +00:00
Luke Taylor f213cc5d9e SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted. 2009-10-06 19:46:44 +00:00
Luke Taylor caff3ee9ba SEC-1231: Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>. Refactored the interface and related classes to match (UserDetails etc). 2009-10-05 19:28:53 +00:00
Luke Taylor 07d7c0ddae Renamed form and openID filters to shorten names 2009-10-05 17:33:34 +00:00
Luke Taylor 1042305cfe Renamed web.wrapper to web.servletapi. Added some package.html files. 2009-10-05 16:59:37 +00:00
Luke Taylor 673cf300fb SEC-1229: Refactoring to remove package cycles. 2009-10-05 16:40:32 +00:00
Luke Taylor acf13c74ca SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session 2009-10-05 15:51:00 +00:00
Luke Taylor 2b89ebdfbb SEC-1229: Further doc and mods to namespace config/naming to make it more consistent 2009-10-03 16:08:51 +00:00
Luke Taylor 073198886d SEC-1255: Modified UrlUtils. Full request URL for redirects uses the requestURI (which is encoded). The URL for path comparsions is built using the servletpath, as before. 2009-10-02 17:29:43 +00:00
Luke Taylor abba569282 Tidying. 2009-09-30 15:53:46 +00:00
Luke Taylor 1ead8472d1 SEC-1229: Added failure handler to the SessionManagementFilter to deal with concurrent login errors. 2009-09-29 16:14:31 +00:00
Luke Taylor bf39a5bb36 Added extra logging. 2009-09-29 16:13:16 +00:00
Luke Taylor 731402e9f5 SEC-525: [PATCH] Add AccessCheckerTag based on URL resource access permissions. Added functionality to "authorize" tag to allow evaluation of whether a particual url is accessible to the user. Uses a WebInvocationPrivilegeEvaluator registered in the application context. 2009-09-16 00:23:13 +00:00
Luke Taylor 1c4a809e09 SEC-1245: Add role hierarchy support to expression handlers. Done. 2009-09-15 17:17:21 +00:00
Luke Taylor e7486fc203 Removed Ordered interface from Http403EntryPoint (unused). 2009-09-14 16:06:15 +00:00
Luke Taylor 40cf50fc98 SEC-1148: Javadoc. 2009-09-13 21:51:54 +00:00
Luke Taylor ff78ec00f7 SEC-1226: Additional Javadoc. 2009-09-13 21:22:17 +00:00
Luke Taylor 23c8f479b8 SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework. 2009-09-13 20:45:38 +00:00
Luke Taylor 593d2e227a SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework. 2009-09-13 20:44:52 +00:00
Luke Taylor 9c7423599e SEC-1167: Extended SavedRequest interface to allow it to be used by wrapper. Removed null checks in wrapper, as the SavedRequest cannot now be null. 2009-09-13 16:27:35 +00:00
Luke Taylor 4064b7b4f6 SEC-1167: Introduce more flexible SavedRequest handling. Introduced interface for SavedRequest. 2009-09-13 15:03:14 +00:00
Luke Taylor acd10dd716 SEC-1243: Make determineTargetUrl protected. 2009-09-11 20:48:41 +00:00
Luke Taylor ac4e7bbadb SEC-1241: Make sure saved request is removed after a match. 2009-09-09 10:11:45 +00:00
Luke Taylor f518da9d8b SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found. 2009-09-05 15:26:07 +00:00
Luke Taylor 5bdfd8cd77 Tidying imports etc to remove compiler warnings. 2009-09-05 14:14:58 +00:00
Luke Taylor 002b788a8c Minor refactoring. 2009-09-04 12:15:19 +00:00
Mike Wiesner 5623c13038 SEC-1047: Added an option to DigestProcessingFilter that the created Authentication object is now marked as "authenticated" 2009-09-02 16:12:19 +00:00
Luke Taylor 936326f4ab SEC-1180: Unreachable code inside UrlUtils.buildRequestUrl(...). Removed code block. 2009-09-01 18:13:28 +00:00
Luke Taylor 32dbb7e8bd import cleaning 2009-09-01 16:41:53 +00:00
Luke Taylor 2039200617 SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace. 2009-09-01 16:08:20 +00:00
Luke Taylor b2c2b93545 SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstactPreAuthenticatedProcessingFilter. If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user. 2009-09-01 00:18:48 +00:00
Luke Taylor 3cc47c9c4d SEC-1190: Added "checkForPrincipalChanges" property to AbstactPreAuthenticatedProcessingFilter. 2009-08-31 23:28:40 +00:00
Luke Taylor dbcb13ad14 SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination. 2009-08-31 22:48:49 +00:00
Luke Taylor a4ccc4ac21 Make WebSecurityExpressionRoot public to allow reuse. 2009-08-28 14:02:02 +00:00
Luke Taylor 471206a29d SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy 2009-08-27 10:43:01 +00:00
Luke Taylor ab0d66071a SEC-1226: Introduce RedirectStrategy to replace RedirectUtils. Implemented strategy and applied throughout relevant classes. 2009-08-27 10:42:11 +00:00
Luke Taylor fe33f08b73 SEC-1201: Allow requires-channel attribute to take placeholders. 2009-08-23 16:42:06 +00:00
Luke Taylor 0b5160d155 Javadoc correction. 2009-08-22 18:02:39 +00:00
Luke Taylor 5a8772df5b Reset pom versions post release 2009-08-21 12:02:49 +00:00
Luke Taylor 0e5aa7008d [maven-release-plugin] prepare release spring-security-3.0.0.M2 2009-08-20 15:51:26 +00:00
Luke Taylor e6631be778 Import cleaning 2009-08-10 16:07:05 +00:00
Luke Taylor 6f76fe6fbb Import cleaning 2009-08-10 16:04:54 +00:00
Luke Taylor eb059cfd12 SEC-1211: removed SessionUtils (no longer used) 2009-08-10 14:30:17 +00:00
Luke Taylor f536c80020 SEC-1202: Removed SpringSecurityFilter and replaced with use of GenericFilterBean from spring-web 2009-08-10 14:18:18 +00:00
Luke Taylor c12e5b4d0b SEC-1142: Renamed setter argument to match property. 2009-08-07 22:55:14 +00:00
Luke Taylor ea73fd0130 SEC-1142: Simplified implementation by removing template method. 2009-08-07 22:54:07 +00:00
Luke Taylor 90d76373cc SEC-1142: Support for session timeout detection. Added redirect to invalidSessionUrl in SessionManagementFilter when an invalid session Id is supplied in the request. 2009-08-07 17:12:12 +00:00
Luke Taylor 3e6054b69f SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy. 2009-07-29 00:52:30 +00:00
Luke Taylor 5e285b3692 SEC-1211: Set the default AuthenticatedSessionStrategy to a null implementation to preserve existing behaviour. 2009-07-28 23:57:46 +00:00
Luke Taylor 609a68b12a SEC-1077: Added DefaultAuthenticatedSessionStrategy test to check that saved request attribute is retained when migrateAttributes is false. 2009-07-28 23:47:26 +00:00
Luke Taylor db90122179 SEC-1211: Create strategy for session handling on successful authentication. Added AuthenticatedSessionStrategy interface and default implementation which encapsulates the functionality that was previously in SessionFixationProtectionFilter and AbstractAuthentictationProcessingFilter. Updated the namespace to make use of these. 2009-07-28 18:00:24 +00:00
Luke Taylor 8b115e2a21 SEC-1167: Added setRequestCache to SavedRequestAwareAuthenticationSuccessHandler and updated namespace parsing to set PortResolver on created HttpRequestCache. 2009-07-20 22:52:48 +00:00
Luke Taylor f404bb3d74 SEC-1167: Introduce more flexible SavedRequest handling. Separated the concept of SavedRequest from SecurityContextHolderAwareFilter since the two are orthogonal requirements. This no longer takes a wrapper class property or uses reflection. SavedRequest functionality is accessed through the RequestCache interface, with the default implementation being HttpSessionRequestCache. A separate filter RequestCacheAwareFilter is now responsible for reconstituting the SavedRequest if it matches the current request. The functionality for matching and returning the wrapper is contained in the RequestCache method though. 2009-07-20 22:34:40 +00:00
Luke Taylor e63fba3a36 Tidying 2009-07-08 23:55:42 +00:00
Luke Taylor 8ddd96af2b SEC-1186: intermediate commit of namespace changes for improved tooling support 2009-06-26 12:44:46 +00:00
Luke Taylor c6b9371029 Updated to latest Spring build snapshot. Required minor EL changes to parser class name 2009-06-15 23:41:20 +00:00
Luke Taylor e92aac225f Minor javadoc. 2009-06-15 13:53:56 +00:00
Luke Taylor 5808da12ff SEC-1094: Simplified WebXml attribute mapping. Removed generic jaxen-based implementation on which it was based in favour of simple DOM model traversal. Updated sample. 2009-06-08 15:23:41 +00:00
Luke Taylor 33eef5ec7a Javadoc updates 2009-06-08 13:04:31 +00:00
Luke Taylor 66f7e8bcc8 SEC-1168: Added filter-security-metadat-source to namespace. 2009-06-08 12:59:13 +00:00
Luke Taylor bb7ef1fa8b Added HTML tags 2009-05-31 21:27:23 +00:00
Luke Taylor 131ba5c62e Reset poms to 3.0.0.CI-SNAPSHOT after tagging M1 release 2009-05-27 00:12:30 +00:00
Luke Taylor e2c218e8c9 [maven-release-plugin] prepare release spring-security-3.0.0.M1 2009-05-26 23:44:11 +00:00
Luke Taylor 0cb40d6ae4 Javadoc update 2009-05-26 22:16:11 +00:00
Luke Taylor 45c54c558c Updated build to use maven.springframework.org deps 2009-05-13 06:16:05 +00:00
Luke Taylor a8215fa2cb SEC-1160: Renaming of authentication filters and entry points and associated doc changes 2009-05-12 05:37:11 +00:00
Luke Taylor 5a03e842bd Correcting Javadoc. 2009-05-12 01:40:15 +00:00
Luke Taylor 4bad213b19 SEC-1132: Moved remaining preauth code from core to web 2009-05-12 00:11:06 +00:00
Luke Taylor d5b7ce69cc SEC-1158: Decoupling of Pre/Post annotations implementation from Spring EL. 2009-05-11 05:35:20 +00:00
Luke Taylor 29fafbbf18 Misc tidying up of old files and refactoring of tests 2009-05-05 13:29:59 +00:00
Luke Taylor 6d655aa514 SEC-1132: More refactoring to remove cycles ad reduce complexity metrics 2009-05-04 14:24:54 +00:00
Luke Taylor 5b543f83ec Removed web dependency on core-tests 2009-05-04 02:25:49 +00:00
Luke Taylor dca566ff1f SEC-1149: WebInvocationPrivilegeEvaluator now contains methods to evaluate the permissions on URIs directly. Deleted FilterInvocationUtils. 2009-05-02 06:02:17 +00:00
Luke Taylor d1cb85e4f3 Refactoring of methods names in UrlUtils for consistency. 2009-05-01 10:43:41 +00:00
Luke Taylor f6800fbe04 Refactored to remove dependency on FilterInvocationUtils. 2009-05-01 08:57:28 +00:00
Luke Taylor 4bc788828c SEC-1147: Remove use of SessionRegistryUtils. Inlined the methods. 2009-05-01 06:45:34 +00:00
Luke Taylor 6db9a3facc Minor debugging optimizations. 2009-04-30 05:21:54 +00:00
Luke Taylor e94baf38b3 Tidying up to remove warnings (generics, use of deprecated test classes etc). 2009-04-28 06:49:43 +00:00
Luke Taylor 530a7b5d21 Use context returned by SecurityContextHolder.createEmptyContext() as contextObject default value. 2009-04-27 07:31:35 +00:00
Luke Taylor 95ab95b6e3 SEC-1078: Missed commit of default strategy class. 2009-04-27 07:12:12 +00:00
Luke Taylor 6bd7421a1b SEC-1078: Converted WASSecurityHelper to an internal interface and added test for scenario from this issue. 2009-04-27 06:01:40 +00:00
Luke Taylor e45f6914ee Import cleaning. 2009-04-27 02:21:12 +00:00
Luke Taylor 1454cbb78e SEC-1132: Moved TextUtils to web module and StringSplit utils into Digest authentication package (as they aren't used elsewhere). 2009-04-25 08:04:26 +00:00
Luke Taylor a76cbee4bc SEC-1132: Moved ThrowableAnalyzer code to web module as it is only used in ExceptionTranslationFilter 2009-04-25 07:03:15 +00:00
Luke Taylor 22e7142f45 SEC-998: Bundlor enabled in web, ldap, config and core modules 2009-04-24 09:12:53 +00:00
Luke Taylor 21e36e0a57 Updated version number from 2.5.0-SNPSHOT to 3.0.0.CI-SNAPSHOT 2009-04-22 12:55:52 +00:00
Luke Taylor 23d7778484 Typo. 2009-04-22 12:53:50 +00:00
Luke Taylor cac2bce382 Refactored SessionRegistryImpl to remove servlet API deps and moved back into core, along with other concurrent authentication package classes. 2009-04-21 06:05:14 +00:00
Luke Taylor 271fbb7ddf SEC-1081: Fix for PersistentTokenBasedRememberMeServices int overflow problem. 2009-04-20 09:08:35 +00:00
Luke Taylor 2ff089af62 Restructure to standard layout. 2009-04-20 04:17:59 +00:00
Luke Taylor c21300d3ad Tidying imports. 2009-04-19 02:29:16 +00:00
Luke Taylor 6b3d0eac40 SEC-1111: Fix for "java.io.CharConversionException: Not an ISO 8859-1 character". Use response.getWriter() instead of printing to ServletOutputStream. 2009-04-18 07:35:34 +00:00
Luke Taylor 23c23c6f3f Remove unused import. 2009-04-16 04:03:18 +00:00
Luke Taylor 292926518b SEC-1136: Converted base exceptions to extend RuntimeException rather than NestedRuntimeException. 2009-04-15 10:19:37 +00:00
Luke Taylor 93bdcccaee SEC-1132: Moved userdetails into core and added core/authority sub-package 2009-04-15 07:39:21 +00:00
Luke Taylor c770998d92 SEC-1132: Move authoritymapping to core as it is actually used in loading authorities for a use, not in making access decisions. 2009-04-14 04:22:57 +00:00
Luke Taylor 769041474e SEC-1136: Missed an import. 2009-04-14 02:35:13 +00:00
Luke Taylor 10673780db OPEN - issue SEC-1136: Removed SpringSecurityException. Introduced new AclException as base class for Acl module. Refactored JAAS authentication to map to AuthenticationExcpetions rather than SpringSecurityException. Modified ExceptionTranslationFilter to look explicitly for AuthenticationException or AccessDeniedException (which it should do since these are the only two it handles). 2009-04-13 14:56:49 +00:00
Luke Taylor ca7d055c2b SEC-1132: Created core and authentication packages within core module. 2009-04-13 13:43:23 +00:00
Luke Taylor 9efb5a7007 SEC-1132: Moved access-control/authorization specific code to org.sf.security.access package. Created provisioning package for user management classes to remove cyclical deps. Some other moving of classes to remove code tangles. Restructuring of portlet module under org.sf.security.portlet 2009-04-12 12:23:23 +00:00
Luke Taylor 7c4d54f356 SEC-1131: Applied patch for portlet upgrade 2009-04-12 05:52:20 +00:00
Luke Taylor 1b43e3661a SEC-1132: Moved switch user event class to web module as it is only used by SwitchUserProcessingFilter. 2009-04-12 04:16:46 +00:00
Luke Taylor f746a20ab4 SEC-1132: package refactoring of non-core modules 2009-03-27 05:01:03 +00:00
Luke Taylor bec84f874a SEC-1125: Further refactoring of web packages following creation of web module. Fixing samples. 2009-03-26 07:18:36 +00:00
Luke Taylor 2a9a8a41db SEC-1125: Created separate web module spring-security-web 2009-03-25 06:28:18 +00:00