Luke Taylor
|
d84542cf88
|
SEC-1285: minor vulnerability in BasicProcessingFilter. Changed logging of Basic authentication information.
|
2009-11-17 15:29:07 +00:00 |
|
Luke Taylor
|
617e517e5e
|
SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice. Added check for null authentication in logout method.
|
2009-11-04 17:20:13 +00:00 |
|
Luke Taylor
|
930c1b6b53
|
Coverted to Junit 4 test.
|
2009-10-14 21:48:30 +00:00 |
|
Luke Taylor
|
11e476c486
|
Added issue numbers in comment.
|
2009-10-14 14:23:34 +00:00 |
|
Luke Taylor
|
d4d45e1311
|
Make getHeader() methods check case-insensitive matching on header name.
|
2009-10-14 14:12:27 +00:00 |
|
Luke Taylor
|
7282eed197
|
Import cleaning.
|
2009-10-14 00:30:55 +00:00 |
|
Luke Taylor
|
799b96520b
|
SEC-1269: Combining <form-login> and <open-id> fails to find entry point. Fixed entry point choice conditions when using openID and/or form-login
|
2009-10-14 00:30:28 +00:00 |
|
Luke Taylor
|
3f963ef8ca
|
Restore versions and svn URLs in trunk (release plugin fail)
|
2009-10-11 21:59:38 +00:00 |
|
Luke Taylor
|
af563e826c
|
[maven-release-plugin] prepare release spring-security-3.0.0.RC1
|
2009-10-11 21:43:42 +00:00 |
|
Luke Taylor
|
881632cc08
|
SEC-1250: Removed duplicate property.
|
2009-10-11 15:20:24 +00:00 |
|
Luke Taylor
|
0da99171da
|
SEC-1250: RequestHeaderPreAuthenticatedProcessingFilter cannot be use to fail back to another authentication type. Added exceptionIfHeaderMissing property.
|
2009-10-08 16:37:53 +00:00 |
|
Luke Taylor
|
3f72983a1e
|
SEC-1257: Some additional API changes to use Collection instead of List...
|
2009-10-07 21:08:41 +00:00 |
|
Luke Taylor
|
1286741c7c
|
SEC-1259: Improve consistency of authentication filter names.
|
2009-10-07 14:43:55 +00:00 |
|
Luke Taylor
|
f213cc5d9e
|
SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted.
|
2009-10-06 19:46:44 +00:00 |
|
Luke Taylor
|
caff3ee9ba
|
SEC-1231: Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>. Refactored the interface and related classes to match (UserDetails etc).
|
2009-10-05 19:28:53 +00:00 |
|
Luke Taylor
|
07d7c0ddae
|
Renamed form and openID filters to shorten names
|
2009-10-05 17:33:34 +00:00 |
|
Luke Taylor
|
1042305cfe
|
Renamed web.wrapper to web.servletapi. Added some package.html files.
|
2009-10-05 16:59:37 +00:00 |
|
Luke Taylor
|
673cf300fb
|
SEC-1229: Refactoring to remove package cycles.
|
2009-10-05 16:40:32 +00:00 |
|
Luke Taylor
|
acf13c74ca
|
SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session
|
2009-10-05 15:51:00 +00:00 |
|
Luke Taylor
|
2b89ebdfbb
|
SEC-1229: Further doc and mods to namespace config/naming to make it more consistent
|
2009-10-03 16:08:51 +00:00 |
|
Luke Taylor
|
073198886d
|
SEC-1255: Modified UrlUtils. Full request URL for redirects uses the requestURI (which is encoded). The URL for path comparsions is built using the servletpath, as before.
|
2009-10-02 17:29:43 +00:00 |
|
Luke Taylor
|
abba569282
|
Tidying.
|
2009-09-30 15:53:46 +00:00 |
|
Luke Taylor
|
1ead8472d1
|
SEC-1229: Added failure handler to the SessionManagementFilter to deal with concurrent login errors.
|
2009-09-29 16:14:31 +00:00 |
|
Luke Taylor
|
bf39a5bb36
|
Added extra logging.
|
2009-09-29 16:13:16 +00:00 |
|
Luke Taylor
|
731402e9f5
|
SEC-525: [PATCH] Add AccessCheckerTag based on URL resource access permissions. Added functionality to "authorize" tag to allow evaluation of whether a particual url is accessible to the user. Uses a WebInvocationPrivilegeEvaluator registered in the application context.
|
2009-09-16 00:23:13 +00:00 |
|
Luke Taylor
|
1c4a809e09
|
SEC-1245: Add role hierarchy support to expression handlers. Done.
|
2009-09-15 17:17:21 +00:00 |
|
Luke Taylor
|
e7486fc203
|
Removed Ordered interface from Http403EntryPoint (unused).
|
2009-09-14 16:06:15 +00:00 |
|
Luke Taylor
|
40cf50fc98
|
SEC-1148: Javadoc.
|
2009-09-13 21:51:54 +00:00 |
|
Luke Taylor
|
ff78ec00f7
|
SEC-1226: Additional Javadoc.
|
2009-09-13 21:22:17 +00:00 |
|
Luke Taylor
|
23c8f479b8
|
SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework.
|
2009-09-13 20:45:38 +00:00 |
|
Luke Taylor
|
593d2e227a
|
SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework.
|
2009-09-13 20:44:52 +00:00 |
|
Luke Taylor
|
9c7423599e
|
SEC-1167: Extended SavedRequest interface to allow it to be used by wrapper. Removed null checks in wrapper, as the SavedRequest cannot now be null.
|
2009-09-13 16:27:35 +00:00 |
|
Luke Taylor
|
4064b7b4f6
|
SEC-1167: Introduce more flexible SavedRequest handling. Introduced interface for SavedRequest.
|
2009-09-13 15:03:14 +00:00 |
|
Luke Taylor
|
acd10dd716
|
SEC-1243: Make determineTargetUrl protected.
|
2009-09-11 20:48:41 +00:00 |
|
Luke Taylor
|
ac4e7bbadb
|
SEC-1241: Make sure saved request is removed after a match.
|
2009-09-09 10:11:45 +00:00 |
|
Luke Taylor
|
f518da9d8b
|
SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found.
|
2009-09-05 15:26:07 +00:00 |
|
Luke Taylor
|
5bdfd8cd77
|
Tidying imports etc to remove compiler warnings.
|
2009-09-05 14:14:58 +00:00 |
|
Luke Taylor
|
002b788a8c
|
Minor refactoring.
|
2009-09-04 12:15:19 +00:00 |
Mike Wiesner
|
5623c13038
|
SEC-1047: Added an option to DigestProcessingFilter that the created Authentication object is now marked as "authenticated"
|
2009-09-02 16:12:19 +00:00 |
|
Luke Taylor
|
936326f4ab
|
SEC-1180: Unreachable code inside UrlUtils.buildRequestUrl(...). Removed code block.
|
2009-09-01 18:13:28 +00:00 |
|
Luke Taylor
|
32dbb7e8bd
|
import cleaning
|
2009-09-01 16:41:53 +00:00 |
|
Luke Taylor
|
2039200617
|
SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.
|
2009-09-01 16:08:20 +00:00 |
|
Luke Taylor
|
b2c2b93545
|
SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstactPreAuthenticatedProcessingFilter. If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user.
|
2009-09-01 00:18:48 +00:00 |
|
Luke Taylor
|
3cc47c9c4d
|
SEC-1190: Added "checkForPrincipalChanges" property to AbstactPreAuthenticatedProcessingFilter.
|
2009-08-31 23:28:40 +00:00 |
|
Luke Taylor
|
dbcb13ad14
|
SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination.
|
2009-08-31 22:48:49 +00:00 |
|
Luke Taylor
|
a4ccc4ac21
|
Make WebSecurityExpressionRoot public to allow reuse.
|
2009-08-28 14:02:02 +00:00 |
|
Luke Taylor
|
471206a29d
|
SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy
|
2009-08-27 10:43:01 +00:00 |
|
Luke Taylor
|
ab0d66071a
|
SEC-1226: Introduce RedirectStrategy to replace RedirectUtils. Implemented strategy and applied throughout relevant classes.
|
2009-08-27 10:42:11 +00:00 |
|
Luke Taylor
|
fe33f08b73
|
SEC-1201: Allow requires-channel attribute to take placeholders.
|
2009-08-23 16:42:06 +00:00 |
|
Luke Taylor
|
0b5160d155
|
Javadoc correction.
|
2009-08-22 18:02:39 +00:00 |
|
Luke Taylor
|
5a8772df5b
|
Reset pom versions post release
|
2009-08-21 12:02:49 +00:00 |
|
Luke Taylor
|
0e5aa7008d
|
[maven-release-plugin] prepare release spring-security-3.0.0.M2
|
2009-08-20 15:51:26 +00:00 |
|
Luke Taylor
|
e6631be778
|
Import cleaning
|
2009-08-10 16:07:05 +00:00 |
|
Luke Taylor
|
6f76fe6fbb
|
Import cleaning
|
2009-08-10 16:04:54 +00:00 |
|
Luke Taylor
|
eb059cfd12
|
SEC-1211: removed SessionUtils (no longer used)
|
2009-08-10 14:30:17 +00:00 |
|
Luke Taylor
|
f536c80020
|
SEC-1202: Removed SpringSecurityFilter and replaced with use of GenericFilterBean from spring-web
|
2009-08-10 14:18:18 +00:00 |
|
Luke Taylor
|
c12e5b4d0b
|
SEC-1142: Renamed setter argument to match property.
|
2009-08-07 22:55:14 +00:00 |
|
Luke Taylor
|
ea73fd0130
|
SEC-1142: Simplified implementation by removing template method.
|
2009-08-07 22:54:07 +00:00 |
|
Luke Taylor
|
90d76373cc
|
SEC-1142: Support for session timeout detection. Added redirect to invalidSessionUrl in SessionManagementFilter when an invalid session Id is supplied in the request.
|
2009-08-07 17:12:12 +00:00 |
|
Luke Taylor
|
3e6054b69f
|
SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.
|
2009-07-29 00:52:30 +00:00 |
|
Luke Taylor
|
5e285b3692
|
SEC-1211: Set the default AuthenticatedSessionStrategy to a null implementation to preserve existing behaviour.
|
2009-07-28 23:57:46 +00:00 |
|
Luke Taylor
|
609a68b12a
|
SEC-1077: Added DefaultAuthenticatedSessionStrategy test to check that saved request attribute is retained when migrateAttributes is false.
|
2009-07-28 23:47:26 +00:00 |
|
Luke Taylor
|
db90122179
|
SEC-1211: Create strategy for session handling on successful authentication. Added AuthenticatedSessionStrategy interface and default implementation which encapsulates the functionality that was previously in SessionFixationProtectionFilter and AbstractAuthentictationProcessingFilter. Updated the namespace to make use of these.
|
2009-07-28 18:00:24 +00:00 |
|
Luke Taylor
|
8b115e2a21
|
SEC-1167: Added setRequestCache to SavedRequestAwareAuthenticationSuccessHandler and updated namespace parsing to set PortResolver on created HttpRequestCache.
|
2009-07-20 22:52:48 +00:00 |
|
Luke Taylor
|
f404bb3d74
|
SEC-1167: Introduce more flexible SavedRequest handling. Separated the concept of SavedRequest from SecurityContextHolderAwareFilter since the two are orthogonal requirements. This no longer takes a wrapper class property or uses reflection. SavedRequest functionality is accessed through the RequestCache interface, with the default implementation being HttpSessionRequestCache. A separate filter RequestCacheAwareFilter is now responsible for reconstituting the SavedRequest if it matches the current request. The functionality for matching and returning the wrapper is contained in the RequestCache method though.
|
2009-07-20 22:34:40 +00:00 |
|
Luke Taylor
|
e63fba3a36
|
Tidying
|
2009-07-08 23:55:42 +00:00 |
|
Luke Taylor
|
8ddd96af2b
|
SEC-1186: intermediate commit of namespace changes for improved tooling support
|
2009-06-26 12:44:46 +00:00 |
|
Luke Taylor
|
c6b9371029
|
Updated to latest Spring build snapshot. Required minor EL changes to parser class name
|
2009-06-15 23:41:20 +00:00 |
|
Luke Taylor
|
e92aac225f
|
Minor javadoc.
|
2009-06-15 13:53:56 +00:00 |
|
Luke Taylor
|
5808da12ff
|
SEC-1094: Simplified WebXml attribute mapping. Removed generic jaxen-based implementation on which it was based in favour of simple DOM model traversal. Updated sample.
|
2009-06-08 15:23:41 +00:00 |
|
Luke Taylor
|
33eef5ec7a
|
Javadoc updates
|
2009-06-08 13:04:31 +00:00 |
|
Luke Taylor
|
66f7e8bcc8
|
SEC-1168: Added filter-security-metadat-source to namespace.
|
2009-06-08 12:59:13 +00:00 |
|
Luke Taylor
|
bb7ef1fa8b
|
Added HTML tags
|
2009-05-31 21:27:23 +00:00 |
|
Luke Taylor
|
131ba5c62e
|
Reset poms to 3.0.0.CI-SNAPSHOT after tagging M1 release
|
2009-05-27 00:12:30 +00:00 |
|
Luke Taylor
|
e2c218e8c9
|
[maven-release-plugin] prepare release spring-security-3.0.0.M1
|
2009-05-26 23:44:11 +00:00 |
|
Luke Taylor
|
0cb40d6ae4
|
Javadoc update
|
2009-05-26 22:16:11 +00:00 |
|
Luke Taylor
|
45c54c558c
|
Updated build to use maven.springframework.org deps
|
2009-05-13 06:16:05 +00:00 |
|
Luke Taylor
|
a8215fa2cb
|
SEC-1160: Renaming of authentication filters and entry points and associated doc changes
|
2009-05-12 05:37:11 +00:00 |
|
Luke Taylor
|
5a03e842bd
|
Correcting Javadoc.
|
2009-05-12 01:40:15 +00:00 |
|
Luke Taylor
|
4bad213b19
|
SEC-1132: Moved remaining preauth code from core to web
|
2009-05-12 00:11:06 +00:00 |
|
Luke Taylor
|
d5b7ce69cc
|
SEC-1158: Decoupling of Pre/Post annotations implementation from Spring EL.
|
2009-05-11 05:35:20 +00:00 |
|
Luke Taylor
|
29fafbbf18
|
Misc tidying up of old files and refactoring of tests
|
2009-05-05 13:29:59 +00:00 |
|
Luke Taylor
|
6d655aa514
|
SEC-1132: More refactoring to remove cycles ad reduce complexity metrics
|
2009-05-04 14:24:54 +00:00 |
|
Luke Taylor
|
5b543f83ec
|
Removed web dependency on core-tests
|
2009-05-04 02:25:49 +00:00 |
|
Luke Taylor
|
dca566ff1f
|
SEC-1149: WebInvocationPrivilegeEvaluator now contains methods to evaluate the permissions on URIs directly. Deleted FilterInvocationUtils.
|
2009-05-02 06:02:17 +00:00 |
|
Luke Taylor
|
d1cb85e4f3
|
Refactoring of methods names in UrlUtils for consistency.
|
2009-05-01 10:43:41 +00:00 |
|
Luke Taylor
|
f6800fbe04
|
Refactored to remove dependency on FilterInvocationUtils.
|
2009-05-01 08:57:28 +00:00 |
|
Luke Taylor
|
4bc788828c
|
SEC-1147: Remove use of SessionRegistryUtils. Inlined the methods.
|
2009-05-01 06:45:34 +00:00 |
|
Luke Taylor
|
6db9a3facc
|
Minor debugging optimizations.
|
2009-04-30 05:21:54 +00:00 |
|
Luke Taylor
|
e94baf38b3
|
Tidying up to remove warnings (generics, use of deprecated test classes etc).
|
2009-04-28 06:49:43 +00:00 |
|
Luke Taylor
|
530a7b5d21
|
Use context returned by SecurityContextHolder.createEmptyContext() as contextObject default value.
|
2009-04-27 07:31:35 +00:00 |
|
Luke Taylor
|
95ab95b6e3
|
SEC-1078: Missed commit of default strategy class.
|
2009-04-27 07:12:12 +00:00 |
|
Luke Taylor
|
6bd7421a1b
|
SEC-1078: Converted WASSecurityHelper to an internal interface and added test for scenario from this issue.
|
2009-04-27 06:01:40 +00:00 |
|
Luke Taylor
|
e45f6914ee
|
Import cleaning.
|
2009-04-27 02:21:12 +00:00 |
|
Luke Taylor
|
1454cbb78e
|
SEC-1132: Moved TextUtils to web module and StringSplit utils into Digest authentication package (as they aren't used elsewhere).
|
2009-04-25 08:04:26 +00:00 |
|
Luke Taylor
|
a76cbee4bc
|
SEC-1132: Moved ThrowableAnalyzer code to web module as it is only used in ExceptionTranslationFilter
|
2009-04-25 07:03:15 +00:00 |
|
Luke Taylor
|
22e7142f45
|
SEC-998: Bundlor enabled in web, ldap, config and core modules
|
2009-04-24 09:12:53 +00:00 |
|
Luke Taylor
|
21e36e0a57
|
Updated version number from 2.5.0-SNPSHOT to 3.0.0.CI-SNAPSHOT
|
2009-04-22 12:55:52 +00:00 |
|
Luke Taylor
|
23d7778484
|
Typo.
|
2009-04-22 12:53:50 +00:00 |
|
Luke Taylor
|
cac2bce382
|
Refactored SessionRegistryImpl to remove servlet API deps and moved back into core, along with other concurrent authentication package classes.
|
2009-04-21 06:05:14 +00:00 |
|
Luke Taylor
|
271fbb7ddf
|
SEC-1081: Fix for PersistentTokenBasedRememberMeServices int overflow problem.
|
2009-04-20 09:08:35 +00:00 |
|
Luke Taylor
|
2ff089af62
|
Restructure to standard layout.
|
2009-04-20 04:17:59 +00:00 |
|
Luke Taylor
|
c21300d3ad
|
Tidying imports.
|
2009-04-19 02:29:16 +00:00 |
|
Luke Taylor
|
6b3d0eac40
|
SEC-1111: Fix for "java.io.CharConversionException: Not an ISO 8859-1 character". Use response.getWriter() instead of printing to ServletOutputStream.
|
2009-04-18 07:35:34 +00:00 |
|
Luke Taylor
|
23c23c6f3f
|
Remove unused import.
|
2009-04-16 04:03:18 +00:00 |
|
Luke Taylor
|
292926518b
|
SEC-1136: Converted base exceptions to extend RuntimeException rather than NestedRuntimeException.
|
2009-04-15 10:19:37 +00:00 |
|
Luke Taylor
|
93bdcccaee
|
SEC-1132: Moved userdetails into core and added core/authority sub-package
|
2009-04-15 07:39:21 +00:00 |
|
Luke Taylor
|
c770998d92
|
SEC-1132: Move authoritymapping to core as it is actually used in loading authorities for a use, not in making access decisions.
|
2009-04-14 04:22:57 +00:00 |
|
Luke Taylor
|
769041474e
|
SEC-1136: Missed an import.
|
2009-04-14 02:35:13 +00:00 |
|
Luke Taylor
|
10673780db
|
OPEN - issue SEC-1136: Removed SpringSecurityException. Introduced new AclException as base class for Acl module. Refactored JAAS authentication to map to AuthenticationExcpetions rather than SpringSecurityException. Modified ExceptionTranslationFilter to look explicitly for AuthenticationException or AccessDeniedException (which it should do since these are the only two it handles).
|
2009-04-13 14:56:49 +00:00 |
|
Luke Taylor
|
ca7d055c2b
|
SEC-1132: Created core and authentication packages within core module.
|
2009-04-13 13:43:23 +00:00 |
|
Luke Taylor
|
9efb5a7007
|
SEC-1132: Moved access-control/authorization specific code to org.sf.security.access package. Created provisioning package for user management classes to remove cyclical deps. Some other moving of classes to remove code tangles. Restructuring of portlet module under org.sf.security.portlet
|
2009-04-12 12:23:23 +00:00 |
|
Luke Taylor
|
7c4d54f356
|
SEC-1131: Applied patch for portlet upgrade
|
2009-04-12 05:52:20 +00:00 |
|
Luke Taylor
|
1b43e3661a
|
SEC-1132: Moved switch user event class to web module as it is only used by SwitchUserProcessingFilter.
|
2009-04-12 04:16:46 +00:00 |
|
Luke Taylor
|
f746a20ab4
|
SEC-1132: package refactoring of non-core modules
|
2009-03-27 05:01:03 +00:00 |
|
Luke Taylor
|
bec84f874a
|
SEC-1125: Further refactoring of web packages following creation of web module. Fixing samples.
|
2009-03-26 07:18:36 +00:00 |
|
Luke Taylor
|
2a9a8a41db
|
SEC-1125: Created separate web module spring-security-web
|
2009-03-25 06:28:18 +00:00 |