Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-13 15:42:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
4,027 Commits 44 Branches 345 Tags
Commit Graph

4027 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Luke Taylor
11a091f051 SEC-1680: Revert accidental updates to 3.0.x namespace appendix. 2011-02-16 15:01:15 +00:00
Luke Taylor
8e48658efb SEC-1675: Added missing "body-content" elements to taglib descriptor. 2011-02-14 21:31:15 +00:00
Rob Winch
afd556412e SEC-1672: Provide error message when ambiguous configuration of intercept-url contains attributes filters=none and (access or requires-channel) 2011-02-09 20:37:03 -06:00
Luke Taylor
187a530760 SEC-1670: Take account of JNDI CompositeName escaping in value of SearchResult.getName() when performing a search for a user entry in SpringSecurityLdapTemplate. 2011-02-03 18:00:03 +00:00
Rob Winch
1b6587a5d4 SEC-1666: Use constant time comparison for sensitive data. 
Constant time comparison helps to mitigate timing attacks. See the following link for more information

 * http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
 * http://en.wikipedia.org/wiki/Timing_attack for more information.
 2011-01-31 23:21:38 -06:00
Rob Winch
ece824fca2 SEC-1592: Updated CasAuthenticationFilter so that it does not continue FilterChain when handling proxy requests. 
The fix moves CommonUtils.readAndRespondToProxyReceptorRequest into CasAuthenticationFilter.attemptAuthentication. This makes sense since
The CAS server is authenticating that the proxy url is valid (i.e. it exists and the SSL handshake succeeds). It also allows the FilterChain
to not be processed by returning a null Authentication.
 2011-01-27 10:49:24 -06:00
Luke Taylor
e3644e2d27 SEC-1661: Use a DistinguishedName to wrap the search base to avoid the need for JNDI escaping. 2011-01-26 17:20:54 +00:00
Rob Winch
b3943ac268 SEC-1545: Removed unused i18n keys, changed keys to follow naming conventions, found missing keys based upon old keys, sorted keys, any unknown keys are entered as a comment with the English value. 
NOTE: The Groovy code that automated most of this is attached to SEC-1545

A mapping of Missing Key to the file that the key is found are as follows:

----------../core/src/main/resources/org/springframework/security/messages_cs_CZ.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_de.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_it.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_ko_KR.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pl.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pt_BR.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pt_PT.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_uk_UA.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_zh_CN.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]

How unknown keys were gussed by existing keys

----------../core/src/main/resources/org/springframework/security/messages_cs_CZ.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using SwitchUserProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_de.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using SwitchUserProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_es_ES.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_fr.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_it.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_ko_KR.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_pl.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_pt_BR.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_pt_PT.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_uk_UA.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication

----------../core/src/main/resources/org/springframework/security/messages_zh_CN.properties----------
   AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
   AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
   AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
   AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
   AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
   BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
   ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
   DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
   DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
   DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
   DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
   DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
   DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
   DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
   DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
   DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
   DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
   LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
   LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
   SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
   SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
   SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
 2011-01-21 10:24:07 -06:00
Luke Taylor
537d8f108a SEC-1654: Correct debug output in DigestAuthenticationFilter. 2011-01-11 14:27:45 +00:00
Luke Taylor
d0bada2bad SEC-1641: Correct code and test for null groupSearchBase. 2010-12-20 16:50:11 +00:00
Luke Taylor
952af853ac SEC-1641: Remove the private setGroupSearchBase method and allowed a null value to be set for the group search base in the constructor. 2010-12-19 16:18:30 +00:00
Rob Winch
4dea140331 SEC-1639: FirewalledRequest is now called on the specific FirewalledRequest instance rather that looping through ServletRequestWrappers. 
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.

Conflicts:

	web/src/main/java/org/springframework/security/web/FilterChainProxy.java
	web/src/test/java/org/springframework/security/web/FilterChainProxyTests.java
 2010-12-16 23:53:15 -06:00
Luke Taylor
bb3a973fcb SEC-1636: Add optimizations for universal match cases in AntUrlPathMatcher (using "/**" and "**" equality checks on the path). 2010-12-11 20:57:49 +00:00
Luke Taylor
522e8db5da Javadoc fix 2010-12-09 12:39:23 +00:00
Luke Taylor
8f71f6febf SEC-1557: Added getter to DelegatingMethodSecurityMetadataSource. 2010-12-01 21:57:16 +00:00
Luke Taylor
69a1fb76d3 SEC-1615: Changed key generation for anonymous provider to only use SecureRandom on demand. 2010-12-01 20:51:13 +00:00
Luke Taylor
156a6924fa Move docs on request matching to correct file and delete unused one 2010-11-24 00:31:09 +00:00
Luke Taylor
d53db3ba13 Update version to 3.0.6.CI-SNAPSHOT. 2010-11-18 12:39:19 +00:00
Luke Taylor
90304f64c6 Update version for 3.0.5 release 3.0.5.RELEASE 2010-11-18 12:36:08 +00:00
Luke Taylor
6349359b77 Enable aspectj module in 3.0.x build. 2010-11-18 12:35:49 +00:00
Luke Taylor
e80853b698 SEC-1412: DefaultSavedRequest should ignore "If-Modified-Since" headers to prevent re-displaying the login form (the cached result of the original request). 2010-11-15 16:48:15 +00:00
Luke Taylor
82d105cbc3 SEC-1587: Add explicit call to removeAttribute() to remove the context from the session if the current context is empty or anonymous. 
Allows for the situation where a user is logged out without invalidating the session.
 2010-11-10 13:01:49 +00:00
Luke Taylor
e88f47a96a SEC-1561: Add check on whether the security context attribute is set in the current session to make sure it is stored when a new session has been created during the request. 2010-11-10 12:53:56 +00:00
Luke Taylor
979ea63980 SEC-1613: Corrected preauth docs. 2010-11-04 14:34:02 +00:00
Rob Winch
0bdc9c176b SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward 2010-11-03 14:25:52 -05:00
Luke Taylor
80fd238c3a Backport updates to TarUpload for easier uploading of docs to website. 2010-11-02 16:38:19 +00:00
Luke Taylor
5c597c8cde Update doc version number to 3.0.4 2010-11-02 16:31:01 +00:00
Luke Taylor
ec7b9703a6 Expand message on incorrect Spring version to suggest checking the classpath for unwanted jars. 2010-11-02 12:31:14 +00:00
Luke Taylor
71b2af31ee SEC-1608: Make sure FirewalledRequest.reset() is called when filter="none" 2010-11-02 12:19:22 +00:00
Luke Taylor
fc75b69ab8 SEC-1607: Report correct version for Spring Security (not Spring version). 2010-11-02 11:18:49 +00:00
Luke Taylor
6141ef79b3 Remove use of @Override with an interface method 2010-10-28 16:10:48 +01:00
Luke Taylor
3cfe23f60d Update versions to 3.0.5.CI-SNAPSHOT 2010-10-26 15:32:22 +01:00
Luke Taylor
82d140ffb1 Version 3.0.4.RELEASE 3.0.4.RELEASE 2010-10-26 15:32:22 +01:00
Luke Taylor
1563491322 SEC-1600: Added Implementation-Version and Implementation-Title to manifest templates and checking of version numbers in namespace config module and core. Config checks the version of core it is running against and core checks the Spring version, reporting any mismatches or situations where the app is running with less than the recommended Spring version. 2010-10-26 15:32:21 +01:00
Luke Taylor
b688bb69ee SEC-1543: Change IpAddressMatcher to return false when comparing an Inet6Address with an Inet4Address rather than raising an exception. 2010-10-26 15:32:21 +01:00
Luke Taylor
36f008643d SEC-1598: Removed invalid properties from SessionFixationProtectionStrategy bean declaration in Session Management chapter docbook. 2010-10-26 15:32:21 +01:00
Luke Taylor
cbdf77e991 SEC-1597: Corrected bean class name for RememberMeAuthenticationProvider in docbook source. 2010-10-26 15:32:21 +01:00
Luke Taylor
399e921d14 SEC-1599: Corrected docbook source. 2010-10-26 15:32:21 +01:00
Luke Taylor
c458311d2d SEC-1548: Added extra logging to Dao-authentication classes to clarify reasons for authentication failure (missing user vs wrong password etc.). 2010-10-26 15:32:21 +01:00
Luke Taylor
d6f408e8bf SEC-1583: Added hasAuthority and hasAnyAuthority imlementations to SecurityExpressionRoot. 2010-10-26 15:32:21 +01:00
Luke Taylor
1739628e6a SEC-1589: Add support for property placeholder in intercept-methods access attribute. 2010-10-26 15:32:21 +01:00
Luke Taylor
8e68fa1334 SEC-1584: Added namespace support for injecting custom HttpFirewall instance into FilterChainProxy. 2010-10-26 15:32:21 +01:00
Luke Taylor
82cd72768d doc updates to be merged with orgininal sec-1584 doc changes 2010-10-26 15:32:20 +01:00
Luke Taylor
161710cc87 SEC-1584: Doc updates to explain request matching process. 2010-10-26 15:32:20 +01:00
Luke Taylor
dc1b652512 SEC-1584: Additional integration tests. 2010-10-26 15:32:20 +01:00
Luke Taylor
ed9411c660 SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/". 2010-10-26 15:31:33 +01:00
Luke Taylor
e58f982351 Updating gitignore and removing unnecessary casts from FilterChainProxyConfigTests. 2010-10-05 13:31:49 +01:00
Luke Taylor
072b73354f Update namespace handler message to account for later schema versions being used by mistake. 2010-10-05 13:31:49 +01:00
Rob Winch
443231d1e8 SEC-1578: Use ThreadLocal.remove() instead of ThreadLocal.set(null) 2010-10-04 21:10:21 -05:00
Luke Taylor
45674a16ea SEC-1540: Apply patch to support HTTP method matching for requires-channel namespace attribute. 2010-08-18 13:17:21 +01:00