c12c43da9e
Javadoc fixes.
2010-02-14 23:27:09 +00:00
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
2010-02-14 23:23:23 +00:00
1e4f451352
Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources
2010-02-11 18:08:06 +00:00
dcbdfc2026
SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
...
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
2010-02-11 17:47:22 +00:00
90d6ff1fde
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-11 13:19:16 +01:00
d32b078a8c
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-11 09:05:28 +01:00
d2413cf237
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-10 21:25:23 +01:00
08c7155ab5
SEC-1404: Refactored IP subnet matching into IpAddressMatcher class to allow it to be used outside expressions.
2010-02-10 15:06:01 +00:00
1ecd3e228b
SEC-1405: added RequestMatcher interface.
2010-02-10 14:34:14 +00:00
984604b026
SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator.
...
The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
2010-02-06 14:38:44 +00:00
0974e21fb6
SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid).
...
This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
2010-01-23 02:12:30 +00:00
04447bdbf0
SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs).
2010-01-22 01:55:13 +00:00
0c10efbbf8
Revert SEC-1356.
...
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
2010-01-19 22:26:21 +00:00
1a7f71fc0f
SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
...
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
2010-01-19 01:07:33 +00:00
a9567a58d8
SEC-1359,SEC-1360,SEC-1361,SEC-1363,SEC-1364,SEC-1365,SEC-1366,SEC-1367: Minor doc and Javadoc typos.
2010-01-13 15:36:58 +00:00
f62d97b092
SEC-1356: Fix broken tests.
...
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
2010-01-12 01:32:02 +00:00
6eff4d90b7
SEC-1356: Modify AbstractRememberMeService to check the cookie path as well as the name when extracting it from the incoming request.
...
This makes things consistent with the cookie setting methods. If someone wants to share a cookie between multiple applications then they should modify the cookie extraction and setting methods to use a less-specific path.
2010-01-12 00:49:53 +00:00
2023ca283e
SEC-1358: Support empty context path in DefaultWebInvocationPrivilegeEvaluator
...
This class was failing when an application was deployed at the root context because of an assertion which checked that the contexPath was not empty. An empty context path doesn't actually cause problems for the class so I've removed the assertion.
2010-01-12 00:30:27 +00:00
e211f9b35f
SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
...
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.
Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
bc02fc2de1
Corrected "incorrect numer of tokens" error message in TokenBasedRememberMeServices.
2010-01-08 23:57:27 +00:00
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
2010-01-08 21:05:13 +00:00
f5d36aef65
SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter
...
Added clarification that the credentials returned
by the subclass should not be null or they will
typically be rejected by the provider. Also added
some general overview.
2010-01-05 16:01:55 +00:00
c6b8fe5e55
SEC-1346: Added missing 'return' statements after redirects.
...
ConcurrentSessionFilter and SessionManagementFilter now return immediately after redirecting to the expired URL and invalid session URLs respectively. Extra tests added to check.
2010-01-03 19:06:58 +00:00
893f212fa5
Tidying
2010-01-02 19:53:19 +00:00
3418aab46e
SEC-1327: Javadoc additions to clarify some behaviour
2009-12-21 17:32:54 +00:00
97a31cae04
SEC-1333: Added error message for invalid redirect URL assertion
2009-12-18 19:29:36 +00:00
aeed49393c
Switching StringBuffer to StringBuilder throughout the codebase (APIs permitting).
2009-12-18 18:44:42 +00:00
76731254c0
SEC-1328: Fixed issue with redirect to context relative URLs where the context name is part of the domain name.
2009-12-18 18:04:03 +00:00
06e092d46a
Midor Javadoc correction.
2009-12-15 15:39:01 +00:00
6805761d85
Extra test to confirm http-method specific matching behaviour.
2009-12-14 13:55:48 +00:00
cad32ffe39
SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. removed unnecessary null checks in classes which use the interface.
2009-12-13 17:37:24 +00:00
075e7a15ad
Corrected package name in Javadoc.
2009-12-07 21:44:02 +00:00
444d93b13f
SEC-1316: Remove 'removeAfterRequest' property from AnonymousAuthenticationFilter
2009-12-07 13:54:39 +00:00
b27d7afd24
SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation.
2009-12-06 15:28:03 +00:00
aee6b8f3f9
SEC-1314: Deprecate cloneFromHttpSession and securityContextClass in HttpSessionSecurityContextRepository. Both deprecated.
2009-12-06 15:09:33 +00:00
69699431b1
SEC-1303: Added internal Hex and Base64 classes, and moved commons-codec dependency to test scope
2009-11-24 09:31:03 +00:00
4d8956a227
SEC-1288: Changed claimedIdentityFieldName in OpenIDAuthenticationFilter to "openid_identifier", as recommended by the 2.0 spec.
2009-11-17 22:05:38 +00:00
d84542cf88
SEC-1285: minor vulnerability in BasicProcessingFilter. Changed logging of Basic authentication information.
2009-11-17 15:29:07 +00:00
617e517e5e
SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice. Added check for null authentication in logout method.
2009-11-04 17:20:13 +00:00
930c1b6b53
Coverted to Junit 4 test.
2009-10-14 21:48:30 +00:00
11e476c486
Added issue numbers in comment.
2009-10-14 14:23:34 +00:00
d4d45e1311
Make getHeader() methods check case-insensitive matching on header name.
2009-10-14 14:12:27 +00:00
7282eed197
Import cleaning.
2009-10-14 00:30:55 +00:00
799b96520b
SEC-1269: Combining <form-login> and <open-id> fails to find entry point. Fixed entry point choice conditions when using openID and/or form-login
2009-10-14 00:30:28 +00:00
881632cc08
SEC-1250: Removed duplicate property.
2009-10-11 15:20:24 +00:00
0da99171da
SEC-1250: RequestHeaderPreAuthenticatedProcessingFilter cannot be use to fail back to another authentication type. Added exceptionIfHeaderMissing property.
2009-10-08 16:37:53 +00:00
3f72983a1e
SEC-1257: Some additional API changes to use Collection instead of List...
2009-10-07 21:08:41 +00:00
1286741c7c
SEC-1259: Improve consistency of authentication filter names.
2009-10-07 14:43:55 +00:00
f213cc5d9e
SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted.
2009-10-06 19:46:44 +00:00
caff3ee9ba
SEC-1231: Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>. Refactored the interface and related classes to match (UserDetails etc).
2009-10-05 19:28:53 +00:00
07d7c0ddae
Renamed form and openID filters to shorten names
2009-10-05 17:33:34 +00:00
1042305cfe
Renamed web.wrapper to web.servletapi. Added some package.html files.
2009-10-05 16:59:37 +00:00
673cf300fb
SEC-1229: Refactoring to remove package cycles.
2009-10-05 16:40:32 +00:00
acf13c74ca
SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session
2009-10-05 15:51:00 +00:00
2b89ebdfbb
SEC-1229: Further doc and mods to namespace config/naming to make it more consistent
2009-10-03 16:08:51 +00:00
073198886d
SEC-1255: Modified UrlUtils. Full request URL for redirects uses the requestURI (which is encoded). The URL for path comparsions is built using the servletpath, as before.
2009-10-02 17:29:43 +00:00
abba569282
Tidying.
2009-09-30 15:53:46 +00:00
1ead8472d1
SEC-1229: Added failure handler to the SessionManagementFilter to deal with concurrent login errors.
2009-09-29 16:14:31 +00:00
bf39a5bb36
Added extra logging.
2009-09-29 16:13:16 +00:00
731402e9f5
SEC-525: [PATCH] Add AccessCheckerTag based on URL resource access permissions. Added functionality to "authorize" tag to allow evaluation of whether a particual url is accessible to the user. Uses a WebInvocationPrivilegeEvaluator registered in the application context.
2009-09-16 00:23:13 +00:00
1c4a809e09
SEC-1245: Add role hierarchy support to expression handlers. Done.
2009-09-15 17:17:21 +00:00
e7486fc203
Removed Ordered interface from Http403EntryPoint (unused).
2009-09-14 16:06:15 +00:00
40cf50fc98
SEC-1148: Javadoc.
2009-09-13 21:51:54 +00:00
ff78ec00f7
SEC-1226: Additional Javadoc.
2009-09-13 21:22:17 +00:00
23c8f479b8
SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework.
2009-09-13 20:45:38 +00:00
593d2e227a
SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework.
2009-09-13 20:44:52 +00:00
9c7423599e
SEC-1167: Extended SavedRequest interface to allow it to be used by wrapper. Removed null checks in wrapper, as the SavedRequest cannot now be null.
2009-09-13 16:27:35 +00:00
4064b7b4f6
SEC-1167: Introduce more flexible SavedRequest handling. Introduced interface for SavedRequest.
2009-09-13 15:03:14 +00:00
acd10dd716
SEC-1243: Make determineTargetUrl protected.
2009-09-11 20:48:41 +00:00
ac4e7bbadb
SEC-1241: Make sure saved request is removed after a match.
2009-09-09 10:11:45 +00:00
f518da9d8b
SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found.
2009-09-05 15:26:07 +00:00
5bdfd8cd77
Tidying imports etc to remove compiler warnings.
2009-09-05 14:14:58 +00:00
002b788a8c
Minor refactoring.
2009-09-04 12:15:19 +00:00
5623c13038
SEC-1047: Added an option to DigestProcessingFilter that the created Authentication object is now marked as "authenticated"
2009-09-02 16:12:19 +00:00
936326f4ab
SEC-1180: Unreachable code inside UrlUtils.buildRequestUrl(...). Removed code block.
2009-09-01 18:13:28 +00:00
32dbb7e8bd
import cleaning
2009-09-01 16:41:53 +00:00
2039200617
SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.
2009-09-01 16:08:20 +00:00
b2c2b93545
SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstactPreAuthenticatedProcessingFilter. If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user.
2009-09-01 00:18:48 +00:00
3cc47c9c4d
SEC-1190: Added "checkForPrincipalChanges" property to AbstactPreAuthenticatedProcessingFilter.
2009-08-31 23:28:40 +00:00
dbcb13ad14
SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination.
2009-08-31 22:48:49 +00:00
a4ccc4ac21
Make WebSecurityExpressionRoot public to allow reuse.
2009-08-28 14:02:02 +00:00
471206a29d
SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy
2009-08-27 10:43:01 +00:00
ab0d66071a
SEC-1226: Introduce RedirectStrategy to replace RedirectUtils. Implemented strategy and applied throughout relevant classes.
2009-08-27 10:42:11 +00:00
fe33f08b73
SEC-1201: Allow requires-channel attribute to take placeholders.
2009-08-23 16:42:06 +00:00
0b5160d155
Javadoc correction.
2009-08-22 18:02:39 +00:00
e6631be778
Import cleaning
2009-08-10 16:07:05 +00:00
6f76fe6fbb
Import cleaning
2009-08-10 16:04:54 +00:00
eb059cfd12
SEC-1211: removed SessionUtils (no longer used)
2009-08-10 14:30:17 +00:00
f536c80020
SEC-1202: Removed SpringSecurityFilter and replaced with use of GenericFilterBean from spring-web
2009-08-10 14:18:18 +00:00
c12e5b4d0b
SEC-1142: Renamed setter argument to match property.
2009-08-07 22:55:14 +00:00
ea73fd0130
SEC-1142: Simplified implementation by removing template method.
2009-08-07 22:54:07 +00:00
90d76373cc
SEC-1142: Support for session timeout detection. Added redirect to invalidSessionUrl in SessionManagementFilter when an invalid session Id is supplied in the request.
2009-08-07 17:12:12 +00:00
3e6054b69f
SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.
2009-07-29 00:52:30 +00:00
5e285b3692
SEC-1211: Set the default AuthenticatedSessionStrategy to a null implementation to preserve existing behaviour.
2009-07-28 23:57:46 +00:00
609a68b12a
SEC-1077: Added DefaultAuthenticatedSessionStrategy test to check that saved request attribute is retained when migrateAttributes is false.
2009-07-28 23:47:26 +00:00
db90122179
SEC-1211: Create strategy for session handling on successful authentication. Added AuthenticatedSessionStrategy interface and default implementation which encapsulates the functionality that was previously in SessionFixationProtectionFilter and AbstractAuthentictationProcessingFilter. Updated the namespace to make use of these.
2009-07-28 18:00:24 +00:00
8b115e2a21
SEC-1167: Added setRequestCache to SavedRequestAwareAuthenticationSuccessHandler and updated namespace parsing to set PortResolver on created HttpRequestCache.
2009-07-20 22:52:48 +00:00
f404bb3d74
SEC-1167: Introduce more flexible SavedRequest handling. Separated the concept of SavedRequest from SecurityContextHolderAwareFilter since the two are orthogonal requirements. This no longer takes a wrapper class property or uses reflection. SavedRequest functionality is accessed through the RequestCache interface, with the default implementation being HttpSessionRequestCache. A separate filter RequestCacheAwareFilter is now responsible for reconstituting the SavedRequest if it matches the current request. The functionality for matching and returning the wrapper is contained in the RequestCache method though.
2009-07-20 22:34:40 +00:00
e63fba3a36
Tidying
2009-07-08 23:55:42 +00:00
8ddd96af2b
SEC-1186: intermediate commit of namespace changes for improved tooling support
2009-06-26 12:44:46 +00:00
c6b9371029
Updated to latest Spring build snapshot. Required minor EL changes to parser class name
2009-06-15 23:41:20 +00:00
e92aac225f
Minor javadoc.
2009-06-15 13:53:56 +00:00
5808da12ff
SEC-1094: Simplified WebXml attribute mapping. Removed generic jaxen-based implementation on which it was based in favour of simple DOM model traversal. Updated sample.
2009-06-08 15:23:41 +00:00
33eef5ec7a
Javadoc updates
2009-06-08 13:04:31 +00:00
66f7e8bcc8
SEC-1168: Added filter-security-metadat-source to namespace.
2009-06-08 12:59:13 +00:00
bb7ef1fa8b
Added HTML tags
2009-05-31 21:27:23 +00:00
0cb40d6ae4
Javadoc update
2009-05-26 22:16:11 +00:00
a8215fa2cb
SEC-1160: Renaming of authentication filters and entry points and associated doc changes
2009-05-12 05:37:11 +00:00
5a03e842bd
Correcting Javadoc.
2009-05-12 01:40:15 +00:00
4bad213b19
SEC-1132: Moved remaining preauth code from core to web
2009-05-12 00:11:06 +00:00
d5b7ce69cc
SEC-1158: Decoupling of Pre/Post annotations implementation from Spring EL.
2009-05-11 05:35:20 +00:00
29fafbbf18
Misc tidying up of old files and refactoring of tests
2009-05-05 13:29:59 +00:00
6d655aa514
SEC-1132: More refactoring to remove cycles ad reduce complexity metrics
2009-05-04 14:24:54 +00:00
5b543f83ec
Removed web dependency on core-tests
2009-05-04 02:25:49 +00:00
dca566ff1f
SEC-1149: WebInvocationPrivilegeEvaluator now contains methods to evaluate the permissions on URIs directly. Deleted FilterInvocationUtils.
2009-05-02 06:02:17 +00:00
d1cb85e4f3
Refactoring of methods names in UrlUtils for consistency.
2009-05-01 10:43:41 +00:00
f6800fbe04
Refactored to remove dependency on FilterInvocationUtils.
2009-05-01 08:57:28 +00:00
4bc788828c
SEC-1147: Remove use of SessionRegistryUtils. Inlined the methods.
2009-05-01 06:45:34 +00:00
6db9a3facc
Minor debugging optimizations.
2009-04-30 05:21:54 +00:00
e94baf38b3
Tidying up to remove warnings (generics, use of deprecated test classes etc).
2009-04-28 06:49:43 +00:00
530a7b5d21
Use context returned by SecurityContextHolder.createEmptyContext() as contextObject default value.
2009-04-27 07:31:35 +00:00
95ab95b6e3
SEC-1078: Missed commit of default strategy class.
2009-04-27 07:12:12 +00:00
6bd7421a1b
SEC-1078: Converted WASSecurityHelper to an internal interface and added test for scenario from this issue.
2009-04-27 06:01:40 +00:00
e45f6914ee
Import cleaning.
2009-04-27 02:21:12 +00:00
1454cbb78e
SEC-1132: Moved TextUtils to web module and StringSplit utils into Digest authentication package (as they aren't used elsewhere).
2009-04-25 08:04:26 +00:00
a76cbee4bc
SEC-1132: Moved ThrowableAnalyzer code to web module as it is only used in ExceptionTranslationFilter
2009-04-25 07:03:15 +00:00
23d7778484
Typo.
2009-04-22 12:53:50 +00:00
cac2bce382
Refactored SessionRegistryImpl to remove servlet API deps and moved back into core, along with other concurrent authentication package classes.
2009-04-21 06:05:14 +00:00
271fbb7ddf
SEC-1081: Fix for PersistentTokenBasedRememberMeServices int overflow problem.
2009-04-20 09:08:35 +00:00
2ff089af62
Restructure to standard layout.
2009-04-20 04:17:59 +00:00
c21300d3ad
Tidying imports.
2009-04-19 02:29:16 +00:00
6b3d0eac40
SEC-1111: Fix for "java.io.CharConversionException: Not an ISO 8859-1 character". Use response.getWriter() instead of printing to ServletOutputStream.
2009-04-18 07:35:34 +00:00
23c23c6f3f
Remove unused import.
2009-04-16 04:03:18 +00:00
292926518b
SEC-1136: Converted base exceptions to extend RuntimeException rather than NestedRuntimeException.
2009-04-15 10:19:37 +00:00
93bdcccaee
SEC-1132: Moved userdetails into core and added core/authority sub-package
2009-04-15 07:39:21 +00:00
c770998d92
SEC-1132: Move authoritymapping to core as it is actually used in loading authorities for a use, not in making access decisions.
2009-04-14 04:22:57 +00:00
769041474e
SEC-1136: Missed an import.
2009-04-14 02:35:13 +00:00
10673780db
OPEN - issue SEC-1136: Removed SpringSecurityException. Introduced new AclException as base class for Acl module. Refactored JAAS authentication to map to AuthenticationExcpetions rather than SpringSecurityException. Modified ExceptionTranslationFilter to look explicitly for AuthenticationException or AccessDeniedException (which it should do since these are the only two it handles).
2009-04-13 14:56:49 +00:00
ca7d055c2b
SEC-1132: Created core and authentication packages within core module.
2009-04-13 13:43:23 +00:00
9efb5a7007
SEC-1132: Moved access-control/authorization specific code to org.sf.security.access package. Created provisioning package for user management classes to remove cyclical deps. Some other moving of classes to remove code tangles. Restructuring of portlet module under org.sf.security.portlet
2009-04-12 12:23:23 +00:00
7c4d54f356
SEC-1131: Applied patch for portlet upgrade
2009-04-12 05:52:20 +00:00
1b43e3661a
SEC-1132: Moved switch user event class to web module as it is only used by SwitchUserProcessingFilter.
2009-04-12 04:16:46 +00:00
f746a20ab4
SEC-1132: package refactoring of non-core modules
2009-03-27 05:01:03 +00:00
bec84f874a
SEC-1125: Further refactoring of web packages following creation of web module. Fixing samples.
2009-03-26 07:18:36 +00:00
2a9a8a41db
SEC-1125: Created separate web module spring-security-web
2009-03-25 06:28:18 +00:00
Luke Taylor
Mike Wiesner