Previously DelegatingSecurityContextRunnable and DelegatingSecurityContextCallable
would not setup the SecurityContext if it was on the same thread as it was created.
This was intended to fix SEC-3031 but simply caused more problems.
This commit changes the strategy to keep track of the previous SecurityContext
and restore it (or clear it out if it was originally empty).
Modifying the SecurityContext on the same Thread can cause issues. For example, with a
RejectedExecutionHandler the SecurityContext may be cleared out on the original Thread.
This change modifies both the DelegatingSecurityContextRunnable and DelegatingSecurityContextCallable to,
by default, only modify the SecurityContext if they are invoked on a new Thread. The behavior can be changed
by setting the property enableOnOrigionalThread to true.
Previously there were some incorrect dependency versions. This commit fixes
that.
We added dependencyManagement for Spring Framework and corrected
Thymeleaf and embedded redis versions.
A number of projects had duplicate dependencies on their classpaths
as a result of the same classes being available in more than one
artifact, each with different Maven coordinates. Typically this only
affected the tests, but meant that the actual classes that were
loaded was somewhat unpredictable and had the potential to vary
between an IDE and the command line depending on the order in which
the aritfacts appeared on the classpath. This commit adds a number of
exclusions to remove such duplicates.
In addition to the new exclusions, notable other changes are:
- Spring Data JPA has been updated to 1.4.1. This brings its
transitive dependency upon spring-data-commons into line with
Spring LDAP's and prevents both spring-data-commons-core and
spring-data-commons from being on the classpath
- All Servlet API dependencies have been updated to use the official
artifact with all transitive dependencies on unofficial servlet API
artifacts being excluded.
- In places, groovy has been replaced with groovy-all. This removes
some duplicates caused by groovy's transitive dependencies.
- JUnit has been updated to 4.11 which brings its transitive Hamcrest
dependency into line with other components.
There appears to be a bug in Gradle which means that some exclusions
applied to an artifact do not work reliably. To work around this
problem it has been necessary to apply some exclusions at the
configuration level
Conflicts:
samples/messages-jc/pom.xml
The method setPseudoRandomNumberBits actually sets the number of bytes. This
commit deprecates setPseudoRandomNumberBits and adds
setPseudoRandomNumberBytes. The default value is still 256 to remain passive
but will be updated in 4.x.
Previously the crypto module was not exported in Eclipse because it was
listed as a test dependency to have it added as a dependency. Note that
this was all to work around GRADLE-1116
Now we add an included configuration that is exported for Eclipse, but not
added to the Maven pom (since all the crypto module is included in core).
This change extends the namespace configuration of <remember-me>
with a 'form-parameter' attribute. The introduced attribute sets
the 'parameter' property of AbstractRememberMeServices.
This enables overriding the default value of
'_spring_security_remember_me' using the namespace configuration.
Previously wiring dependencies created with a FactoryBean into
MethodSecurityExpressionHandler &
MethodSecurityExpressionHandler.expressionParser and would cause
NoSuchBeanDefinitionException's to occur. These changes make it easier
(but not impossible) to avoid such errors.
The following changes were made:
- ExpressionBasedAnnotationAttributeFactory delays the invocation of
MethodSecurityExpressionHandler.getExpressionParser()
- MethodSecurityExpressionHandler is automatically wrapped in a
LazyInitTargetSource and marked as lazyInit=true
Provide abstractions for transferring a SecurityContext across threads.
The main concepts are the DelegatingSecurityContextCallable and the
DelegatingSecurityContextRunnable which contain a SecurityContext to establish before
delegating to a Callable or Runnable.
There are also wrapper implementations for each of the key java.util.concurrent and
spring task interfaces to make using the DelegatingSecurityContextCallable and
DelegatingSecurityContextRunnable transparent to users. For example a
DelegatingSecurityContextTaskExecutor which can be injected with a specific
SecurityContext or use the SecurityContext from the SecurityContextHolder at the time the
task is submitted. There are similar implementations for each of the key
java.util.concurrent and spring task interfaces.
Note that in order to get DelegatingSecurityContextExecutorService to compile with
JDK 5 or JDK 6 we could not use type safe methods. See
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6267833 for details.
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.
The code has been updated to do comparison against a dummy password
even when the the user was not found.
Previously communication errors with LDAP were only logged at debug level.
Communication errors (along with other non-authenticated related NamingExceptions)
are now logged as error messages. We created an InternalAuthetnicationServiceException
to represent errors that should be logged as errors to distinguish between internal
and external authentication failures. For example, we do not want an OpenID Provider
being able to report errors that cause our logs to fill up. However, an LDAP system is
internal and should be trusted so logging at an error level makes sense.
Previously there was a bug introduced by SEC-546 that prevented any
AccountStatusException from being published.
Now AccountStatusExceptions are also published.
Previously subclasses of AbstractSecurityInterceptor did not restore the original
Authentication when RunAsManager was used and an Exception was thrown in the
original method.
AbstractSecurityInterceptor has added a new method finallyInvocation which
should be invoked in a finally block immediately after the original invocation
which will restore the original Authentication. All existing sub classes have
been updated to use this new method.
Previously the javadoc stated that password could not be null. However,
since the introduction of CredentialsContainer introduced in SEC-1493 the
password can be null.
The changes remove the statement that passwords cannot be null. While this
is a non-passive change to the interface, the current state leaves no choice
for a non-passive change. Removing the javadoc was determined the better
option since erasing the credentials was an explicit feature request. Note
that replacing the password with an obscure String can be risky as it
introduces the risk that the value is used to authenticate.
This should cater for implementations which want to use
the full filtering capabilities while creating a custom
expression root object.
Also cleaning whitespace.
NOTE: The Groovy code that automated most of this is attached to SEC-1545
A mapping of Missing Key to the file that the key is found are as follows:
----------../core/src/main/resources/org/springframework/security/messages_cs_CZ.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_de.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_it.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_ko_KR.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pl.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pt_BR.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pt_PT.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_uk_UA.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_zh_CN.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
How unknown keys were gussed by existing keys
----------../core/src/main/resources/org/springframework/security/messages_cs_CZ.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using SwitchUserProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_de.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using SwitchUserProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_es_ES.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_fr.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_it.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_ko_KR.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_pl.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_pt_BR.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_pt_PT.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_uk_UA.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_zh_CN.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
Adds a J2eePreAuthenticatedProcessingFilter to the stack, using a SimpleAttributes2GrantedAuthoritiesMapper to process the role attributes defined in the "mappable-roles" attribute. Provider uses a PreAuthenticatedGrantedAuthoritiesUserDetailsService by default.
This prevents situations where other data may have changed when a User object is reloaded (during a subsequent authentication attempt, in which case and Set.contains()/Map.containsKey() will return false even though the collection in question contains a principal representing the same user.
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
It now votes to abstain if there are no Jsr250 attributes present. If any are found, it will either deny or grant access. For multiple "RoleAllowed" attributes, access will be granted if any user authority matches or denied if no match is found.
Also deprecated the existing AspectJ interceptors. This will also allow future simplification of the AbstractMethodSecurityMetadataSource, as it no longer needs to support JoinPoints.
This is used by DefaultMethodSecurityExpressionHandler to allow permissions to be cached before repeatedly evaluating an expression for a collection of domain objects.
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
Rob Winch
Karol Lewandowski
hmolsen
petaure
zhanhb
/usr/local/ΕΨΗΕΛΩΝ
David Avenante
Thomas Darimont
Alex Panchenko
james
Spring Buildmaster
Rob Winch
Gamal Shaban
Alexander Kjäll
Guillaume Smet
Oliver Becker
Georges-Etienne Legendre
Marten Deinum
Luke Taylor
Andrei Stefan
Rob Winch
Scott Battaglia
Mike Wiesner