baa3b6f258
Add utility for loading properties of client types
...
Fixes gh-4560
2017-09-20 22:50:19 -04:00
8a66d0c78d
Polish PermissionEvaluator Autowired into Web Security
...
Issue gh-4077
2017-09-18 16:53:19 -05:00
3bf6bf10de
Configure permissionEvaluator and roleHierarchy by default
...
Implementations of AbstractSecurityExpressionHandler (such as the very commonly used DefaultWebSecurityExpressionHandler) get PermissionEvaluator and RoleHierarchy from the application context (if the application context is provided, and exactly one of such a bean exists in it). This approach matches that used in GlobalMethodSecurityConfiguration, making everything in Spring Security work the same way (including WebSecurity).
Issue gh-4077
2017-09-18 16:35:16 -05:00
f8ee9944ff
Copyright date range
2017-09-18 11:18:46 -05:00
1f4082e754
Fix copyright lines
2017-09-18 11:11:25 -05:00
01d4387f56
Fix empty lines in copyright
2017-09-18 10:53:04 -05:00
3ecf3ea034
Fix double * in Copyright headers
2017-09-18 10:47:26 -05:00
e14af37775
Add LogoutWebFilter
...
Fixes gh-4539
2017-09-13 16:43:04 -05:00
426e24c18e
Polish
...
Formatting changes
2017-09-13 15:31:32 -05:00
65b968f04a
Move servlet-specific classes to 'web' package
...
Fixes gh-4366
2017-09-13 16:13:32 -04:00
0a36359f11
WebFlux HTTP Basic & Form Login Sessions
...
By default both HTTP Basic and form log are enabled. Now HTTP Session will
not be used for HTTP Basic, but will be for form log in.
2017-09-13 14:47:44 -05:00
3d745e63f6
HttpSecurityConfiguration applies all defaults
...
HttpSecurity headers is off by default and relies on
HttpSecurityConfiguration to enable it. This is more consistent with the
other operators
2017-09-12 22:07:12 -05:00
b5edb58050
Polish reactive config
...
Code Checkstyle fixes
2017-09-12 21:56:09 -05:00
8b32b8db74
Polish
...
HeadersBuilder build is protected
2017-09-12 21:51:26 -05:00
d93c774691
Add FormLogin Configuration
...
Fixes gh-4537
2017-09-12 20:40:56 -05:00
a0a0a32bda
Add WebTestClient HtmlUnit Support
...
Fixes gh-4534
2017-09-12 20:40:56 -05:00
8d997fd079
Remove DefaultAuthenticationSuccessHandler
...
We always need to save the user after authentication, so it should be
part of AuthenticationWebFilter
Fixes gh-4524
2017-09-12 20:40:56 -05:00
4ff0b52f74
Remove HttpClientConfig
...
Issue gh-4478
2017-09-12 21:03:40 -04:00
d9bad2bc9d
Mono.currentContext()->subscriberContext()
...
Fixing refactoring by Reactor
2017-09-01 17:20:47 -05:00
be0081290b
EnableWebFluxSecurity uses PasswordEncoder Bean
2017-08-30 10:02:00 -05:00
9f2ea90f0d
Polish HttpSecurity
...
Code Style fixes
2017-08-29 20:34:20 -05:00
51ad53f76a
Remove Optional from Reactive HttpSecurity
2017-08-29 20:30:04 -05:00
20befc3702
Support .and() in Reactive HttpBasic & HeaderBuilder
2017-08-29 20:17:56 -05:00
c4917f359a
Fix for Reactor Refactor
...
- contextStart -> subscriberContext
2017-08-29 08:24:55 -05:00
bc6be86aec
Add in-memory AccessTokenRepository
...
Fixes gh-4508
2017-08-23 17:18:35 -04:00
91b0bd4ba5
Provide oauth2login.tokenEndpoint config
...
Fixes gh-4506
2017-08-23 17:18:01 -04:00
c06975080f
Allow configuring oauth2 authentication handlers
...
Fixes gh-4472
2017-08-23 17:17:34 -04:00
93c2b2533e
Allow configuring request paths for oauth2 filters
...
Fixes gh-4473
2017-08-23 17:17:01 -04:00
416ff3c77a
Add EnableReactiveMethodSecurity
...
Issue gh-4496
2017-08-17 16:42:01 -05:00
b0b9b32c0c
Add AuthenticationReactorContextFilter
...
Fixes gh-4501
2017-08-17 16:42:01 -05:00
e16b8e7976
Fix logback-test.xml
2017-08-17 16:42:01 -05:00
efc3cadd43
Fixed Circular Bean References in Java Config
...
Fixes gh-4489
2017-08-09 16:24:01 -05:00
bfaead6f68
Removal of ParsingPathMatcher
...
Changes needed for the removal of ParsingPathMatcher in Spring Framework
b1440b6816 (diff-972650c759c249004b9725f94b570db3R156)
2017-08-02 11:11:11 -05:00
c872499eee
Enable custom configuration for HTTP client
...
Fixes gh-4477
2017-07-28 16:43:44 -04:00
9b7883fe10
Add WEB_FILTER_CHAIN_FILTER_ORDER
...
Fixes gh-4475
2017-07-27 21:02:38 -05:00
96ae0fe8f8
Expose configuration for authorities mapping
...
Fixes gh-4409
2017-07-12 17:35:16 -04:00
9cfb890207
Use id_token for user authentication
...
Fixes gh-4410
2017-07-07 12:44:26 -04:00
0e100be333
Fix Groovy 2.5 Compile Errors
...
Fixes gh-4415
2017-06-22 13:31:21 -05:00
8130965259
Fixes for changes in SPR-15657
...
Fixes gh-4408
2017-06-20 16:42:24 -05:00
ca6348800e
HttpSecurity.authorizeExchange() allows Method Chaining
...
Fixes gh-4397
2017-06-15 15:50:30 -05:00
9d19b7337e
Ensure Unique Names
...
Issue: gh-4394
2017-06-15 13:00:59 -05:00
fda0220fad
Provide default reactive HttpSecurity
...
Fixes gh-4396
2017-06-15 13:00:19 -05:00
9141a8a7c0
Add Multiple Reactive HttpSecurity
...
Fixes gh-4395
2017-06-15 13:00:19 -05:00
406e1e6951
Extract out HttpSecurityConfiguration
...
Fixes gh-4394
2017-06-15 13:00:19 -05:00
335a01577a
Typo "he" -> "the"
2017-06-15 12:47:41 -05:00
30132892a0
Polish UserDetailsResourceFactoryBean Support
...
Issues: gh-4380 gh-4381 gh-4382
2017-06-13 15:15:21 -05:00
337317a060
WebFlux now uses ParsingPathMatcher
...
Fixes gh-4388
2017-06-09 22:25:45 -05:00
6428cb411e
Add UserDetailsRepositoryResourceFactoryBean
...
Add the ability to easily create a UserDetailsRepository from a Properties
in the standard Spring Security user format.
Fixes gh-4382
2017-06-09 16:07:18 -05:00
4cb77e5386
Add UserDetailsManagerResourceFactoryBean
...
Add the ability to easily create a UserDetailsManager from a Properties
in the standard Spring Security user format.
Fixes gh-4381
2017-06-09 16:07:18 -05:00
256d14ede0
Add UserDetailsResourceFactoryBean
...
Add the ability to create a Collection<UserDetails> from a Properties
Resource using the standard Spring Security user format.
Fixes gh-4380
2017-06-09 16:07:18 -05:00
d09fb5b500
Move UserDetailsRepository to core.userdetails
...
Fixes gh-4383
2017-06-09 16:07:09 -05:00
6c0ecea494
Use java.util.Function instead of Converter
...
Fixes gh-4323
2017-06-01 17:25:39 -04:00
e5eda24054
Add ServerWebExchangeMatcherEntry
2017-05-31 16:13:20 -05:00
68368c87ca
Resolve compile errors -> WebTestClient methods removed
...
Fixes gh-4355
2017-05-25 11:14:29 -04:00
bc141febdb
Demo mock support with RouterFunction
2017-05-23 16:29:30 -05:00
9e6b10ce46
Fix JavaDoc for HeadersConfigurer
...
Corrected copy-paste error.
2017-05-22 00:32:19 +02:00
247635ed92
WebFluxSecurityConfiguration defaults HTTP Basic
...
Fixes gh-4346
2017-05-19 21:50:06 -05:00
1cec497a50
Add method chaining for AuthorizeExchangeBuilder
...
Fixes gh-4345
2017-05-19 21:25:50 -05:00
0428cdd934
Add @EnableWebFluxSecurity
...
Fixes gh-4344
2017-05-19 21:11:42 -05:00
85719fcd64
Use Base64 implementation provided by Java 8
2017-05-10 00:27:36 -05:00
b4f2777755
Add WebFlux
...
Fixes gh-4128
2017-05-10 00:13:02 -05:00
829c386756
Add support for OAuth 2.0 Login
...
Fixes gh-3907
2017-04-28 10:58:59 -04:00
5a65da400d
Use ReflectionTestUtils rather than Whitebox
...
This is better because it no longer uses Mockito's internal API
Fixes gh-4305
2017-04-21 10:54:58 -05:00
f3edaa673a
Fix SecurityNamespaceHandler Version Error Message
...
Fixes gh-4210
2017-03-02 00:25:51 -06:00
546d44d6e7
Fix NPE in WebSocketMessageBrokerSecurityBeanDefinitionParser
...
Fixes gh-4112
Closes gh-4194
2017-03-01 23:58:02 -06:00
2ac51c9c7f
Fix class name in comment
2017-03-01 23:31:32 -06:00
9c03571bbb
Use message in all Assert
...
This ensures compatibility with Spring 5.
Fixes gh-4193
2017-01-30 19:58:24 -06:00
7a7ce11ebb
Release version 4.2.1.RELEASE
2016-12-21 17:23:28 +00:00
fc516b55a6
Fix Build Against Spring 5.0.0.BUILD-SNAPSHOT
...
Change Bean definition to static to avoid SPR-12646
Fixes gh-4150
2016-12-08 15:54:46 -06:00
f94399cff9
Polish
2016-11-17 09:49:41 -06:00
23294c4c57
Add Referrer-Policy header support
...
Fixes gh-4110
2016-11-08 13:21:35 -06:00
df3b8bc284
Add Spring MVC test for override cache control
...
Issue gh-3975
2016-10-24 15:57:32 -05:00
f432c04111
Create UserBuilder
...
This commit creates a UserBuilder and updates samples to use it. We do not
leverate it for JdbcUserDetailsManager because it requires the schema to
be created which is difficult with a single bean definition and
unpredicatble ordering. For this, it is still advised to use
AuthenticationManagerBuilder
Fixes gh-4095
2016-10-21 16:42:03 -05:00
94e580fe64
Add Support for Custom Default Configuration in Web Security
...
Fixes gh-4102
2016-10-19 16:15:56 -05:00
af9139b613
Add intercept-url@request-matcher-ref
...
Fixes gh-4097
2016-10-18 22:27:31 -05:00
f019ea89e7
Remove unused lowercase-comparisons from XSD
...
Fixes gh-3932
2016-10-18 22:27:28 -05:00
0d700628dc
Add spring-security-4.2.xsd to spring.schemas
...
Fixes gh-4098
2016-10-18 22:27:22 -05:00
aaa9708b95
Add BeanResolver to AuthenticationPrincipalArgumentResolver
...
Previously @AuthenticationPrincipal's expression attribute didn't support
bean references because the BeanResolver was not set on the SpEL context.
This commit adds a BeanResolver and ensures that the configuration
sets a BeanResolver.
Fixes gh-3949
2016-10-18 19:45:54 -05:00
badb466cc5
AuthenticationConfiguration imports ObjectPostProcessor
...
Fixes gh-4086
2016-10-17 20:00:27 -05:00
1222fc5f10
XML ref to bean
...
Spring 5 removes ref XML attribute in favor of bean XML attribute. This
commit updates all the samples and tests to use bean instead of ref.
Issue gh-4080
2016-10-17 17:00:17 -05:00
b443baef04
Polish GrantedAuthorityDefaults
...
* Move GrantedAuthorityDefaults to config module
* Move setting of default role into config module vs
ApplicationContextAware
Issue gh-3701
2016-09-22 15:13:05 -05:00
eabeaf35d6
Make single definition of `defaultRolePrefix` and `rolePrefix`
...
Previous to this commit, role prefix had to be set in every class
causing repetition. Now, bean `GrantedAuthorityDefaults` can be used to
define the role prefix in a single point.
Fixes gh-3701
2016-09-21 14:55:41 -05:00
49f7c98c3e
Fix headers@defaults-disabled=true with no children
...
Previously <headers defaults-disabled="true"/> would fail if there were
no children with an IllegalArgumentException. This allows using
defaults-disabled="true" and no children as an alias for disabled="true".
Fixes gh-3986
2016-09-19 14:53:51 -05:00
4cc899feab
Fix Typo in Javadoc
...
Issue gh-4063
2016-09-19 10:09:48 -05:00
6650429283
Polish SessionInformationExpiredStrategy
...
* Fix passivity and add tests
* Introduce SessionInformationExpiredEvent as a value object
* Rename ExpiredSessionStrategy to SessionInformationExpiredStrategy
to account for the need of SessionInformation
* Switch to Constructor Injection
* Move the changes to the xsd to 4.2 xsd instead of 4.1
Issue gh-3808
2016-09-15 14:30:52 -05:00
67c9f12964
Configuration of session management strategies
...
This commit adds the possibility to configure the AuthenticationFailureHandler
of the SessionManagementFilter.
Fixes gh-3794
2016-09-15 11:10:36 -05:00
b88418b94a
Configuration of session management strategies
...
This commit adds an ExpiredSessionStrategy for the ConcurrentSessionFilter
analogous to the InvalidSessionStrategy for the SessionManagementFilter. It also
adds a configuration option for both the InvalidSessionStrategy and
ExpiredSessionStrategy to the XML namespace and Java configuration.
Fixes gh-3794
Fixes gh-3795
2016-09-15 11:10:17 -05:00
c6366baee2
Remove MvcRequestMatcher.afterPropertiesSet()
...
The validation does not work due to restrictions within the servlet
container. Specifically we cannot access the servlets that are registered.
This commit reverts the validation logic for MvcRequestMatcher to determine
if servletPath is required.
Fixes gh-4027
2016-08-19 14:18:07 -04:00
f8bfe19a98
Fix typo in autowiring warning ( #4026 )
...
Fixes a misleading message that warns about
PermissionEvaluator when MethodSecurityExpressionHandler
should be mentioned instead.
Fixes gh-3402
2016-08-16 08:39:49 -05:00
bb997eecde
Fix defaultMethodExpressionHandler autowiring
...
Previously if a Bean for GlobalMethodSecurityConfiguration's
defaultMethodExpressionHandler was found on a Configuration that also
@Autowired a Bean that enabled method security, the Bean that was
@Autowired would not have security enabled.
This fixes the issue by delaying the lookup of Beans populated on
GlobalMethodSecurityConfiguration's defaultMethodExpressionHandler.
Fixes gh-4020
2016-08-10 23:48:07 -05:00
e080905a79
MvcRequestMatcher servletPath Polish / XML Config
...
Fixes gh-4014
2016-08-09 16:29:30 -05:00
3befb1c8a6
MvcRequestMatcher servletPath / JavaConfig
...
Issue: gh-3987
2016-08-09 16:29:30 -05:00
519c15efb3
Logout is 204 for XMLHttpRequest
...
Fixes gh-3997
2016-08-02 11:26:52 -07:00
c23c7982ca
Add ObjectPostProcessor support for SmartInitializingSingleton
2016-07-21 08:59:17 -05:00
ca170f8479
DummyRequest supports methods for MvcRequestMatcher
...
To support MvcRequestMatcher DummyRequest needs to support
getCharacterEncoding() and getAttribute(String)
2016-07-14 14:18:31 -05:00
ada146244e
Add HttpSecurity.mvcMatcher
...
Fixes gh-3970
2016-07-14 10:50:49 -04:00
945e2e2ad4
Fix NPE requestMatchers().mvcMatchers
...
Fixes gh-3969
2016-07-14 10:50:49 -04:00
80ff267749
Check RememberMe in ExceptionTranslationFilter
...
This commit adds a check for rememberme to the ExceptionTranslationFilter.
Using this when someone isn't fully authenticated he will be prompted with a
login screen and after that will be redirected to the original requested URI.
Fixes gh-2427
2016-07-13 16:58:00 -04:00
1effc1882a
Add CompositeLogoutHandler
...
Fixes gh-3895
2016-07-08 13:30:38 -05:00
885f074ddf
Fix XsdDocumentedTests
2016-07-07 15:05:04 -05:00
e297706e8b
Polish allow unlimitted sessions
...
Update the rnc file
Issue gh-3900
2016-07-07 14:31:40 -05:00
e3ff4130a5
Allow negative values to configure unlimited sessions
2016-07-07 14:29:18 -05:00
50d7d3287f
Add spring-security-4.2.xsd
2016-07-07 14:19:01 -05:00
13b0ddb7e6
Fix test assertions
2016-07-07 13:29:00 -05:00
310bb39a0d
Fix typo
2016-07-06 16:22:33 -05:00
764a4d8414
Fix Error Message typo
...
Fixes gh-3953
2016-07-06 16:19:29 -05:00
b17870ee07
LogoutConfigurer: only allow suitable http methods
2016-07-06 16:17:11 -05:00
e4c13e3c0e
Add MvcRequestMatcher
...
Fixes gh-3964
2016-07-06 15:47:23 -05:00
13bc70f693
Add CorsFilter support
2016-07-05 14:28:04 -05:00
c935d857eb
Add mvc namespace to XmlApplicationContext
2016-07-01 22:04:55 -05:00
7f3b3a8b59
Polish
...
Issue gh-180
2016-07-01 13:17:52 -05:00
bd5f71bb0d
Polish
...
Fix checkstyle for LDAP JavaConfig Authority mapping
Issue gh-2768
2016-06-21 17:08:37 -05:00
b76e3be822
LDAP Java Config supports GrantedAuthoritiesMapper
...
Fixes gh-2768
2016-06-21 16:43:13 -05:00
26ad1cb4a5
Polish RememberMe Validation
...
Issue gh-3909
2016-06-21 14:57:15 -05:00
87224f62e4
RememberMe JavaConfig Validation
...
Add validation when rememberMeServices and rememberMeCookieName are
provided
Fixes gh-3909
2016-06-21 14:57:01 -05:00
66858e22ad
Disable XMLHttpRequest for formLogin entry point
...
Previously the following:
http http://localhost:8080/user \
"X-Requested-With:XMLHttpRequest" "Accept:text/plain"
Produced a 302 instead of a 401
Fixes gh-3887
2016-06-20 15:30:00 -05:00
39ed7d0eca
Propagate rolePrefix to LdapAuthoritiesPopulator
...
Previous to this commit, custom rolePrefix was not propagated to
LdapAuthoritiesPopulator populating a wrong authority. Now, rolePrefix
is propagated and the authority is as expected.
Fixes gh-3921
2016-06-20 12:44:02 -05:00
a2ead4cf7a
Polish
...
Fixes gh-3892
2016-06-20 12:35:43 -05:00
477573b3bc
Fix @EnableGlobalAuthentication & method seucrity on @Configuration class
...
Fixes gh-3934
2016-06-17 14:05:11 -05:00
fa1c484587
AuthenticationConfiguration.getAuthenticationManager() supports recursion
...
AuthenticationConfiguration.getAuthenticationManager() now supports
recursion. This is necessary in instances where something using
@EnableGlobalAuthentication requires an object using method level security.
Fixes gh-3935
2016-06-17 14:02:36 -05:00
9e3d2e2d99
HTTP Basic default logout ignores text/html
...
This fixes an issue where Chrome sends an accept header of application/xml
which triggers an HTTP 204 to be returned
Fixes gh-3902
2016-06-14 16:27:56 -05:00
d3b3f8e004
Fix WebSecurityConfigurerAdapter Javadoc
...
The constructor's Javadoc was incorrect. This commit
fixes it.
2016-05-23 08:12:50 -05:00
e68d8bfaea
Clarifies sessionAuthenticationStrategy setter
...
Fixes gh-234
2016-05-02 13:21:58 -05:00
491abf2600
Revert "Fix test for SessionManagementConfigurer"
...
This reverts commit 17b25d1477
2016-05-02 13:21:58 -05:00
0d2b797c2a
Revert "Fix sessionAuthenticationStrategy setter"
...
This reverts commit 8f5d46ad68
2016-05-02 13:21:58 -05:00
17b25d1477
Fix test for SessionManagementConfigurer
...
Fixes gh-234
2016-04-21 16:50:03 -04:00
8f5d46ad68
Fix sessionAuthenticationStrategy setter
...
sessionAuthenticationStrategy was setting sessionFixationAuthenticationStrategy instead
Fixes gh-234
2016-04-21 16:21:54 -04:00
24d0069668
Release version 4.1.0.RC2
2016-04-21 01:47:25 +00:00
7fe0a135ec
Default AntPathRequestMatcher to be case sensitive
...
Issue gh-3831
2016-04-20 13:29:18 -05:00
510cd59980
Default logout negotiation in Java Configuration
...
This commit adds content negotiation for log out.
Fixes gh-3282
2016-04-20 10:59:14 -05:00
51995dc187
Add Java Configuration InvalidSessionStrategy ( #3827 )
...
Allow configuring the InvalidSessionStrategy in Java Configuration.
Fixes gh-3371
2016-04-20 09:59:27 -04:00
a5a8aeb550
Message SecurityExpressionHandler is post processed ( #3820 )
...
Previously the SecurityExpressionHandler for message based configuration
did not have a beanResolver set.
This commit post processes the default message SecurityExpressionHandler
to ensure the beanResolver is set.
Fixes gh-3797
2016-04-19 13:21:58 -04:00
c872a77ad1
RoleHiearchy Bean used in GlobalMethodSecurity ( #3394 )
...
Previously it required quite a bit of extra work to use RoleHiearchy
within Java Based Spring Security configuration.
Now if a single RoleHiearchy Bean is defined it will automatically
be picked up and used by method security.
Fixes gh-3394
2016-04-19 12:47:38 -04:00
933a7e8363
Remove duplicate words
...
Fixes gh-3826
2016-04-18 23:21:20 -05:00
fb5776cb5c
Support Camel case URI variables ( #3814 )
...
Perviously there were issues with case insenstive patterns and URI
variables that contained upper case characters. For example, the pattern
"/user/{userId}" could not resolve the variable #userId Instead it was
forced to lowercase and #userid was used.
Now if the pattern is case insensitive then so is the variable. This means
that #userId will work as will #userid.
Fixes gh-3786
2016-04-18 17:54:48 -04:00
b6800bdb4d
Update ExpressionUrlAuthorizationConfigurer Error Message
...
Update error message
2016-04-14 15:33:48 -05:00
59db9413aa
Add SpEL Bean reference test ( #3815 )
...
Issue gh-3797
2016-04-14 12:11:40 -05:00
6f169267c4
HttpSecurity comparitor->comparator
...
Rename HttpSecurity's comparitor to comparator
Fixes gh-3810
2016-04-13 15:04:22 -05:00
a7fb6d2e58
Add HttpSecurity.addFilterAt ( #3809 )
...
Fixes gh-3784
2016-04-13 16:01:25 -04:00
d3a9cc6eae
Add CsrfTokenRepository ( #3805 )
...
* Create LazyCsrfTokenRepository
Fixes gh-3790
* Add CookieCsrfTokenRepository
Fixes gh-3009
2016-04-12 17:26:53 -04:00
b82df4ecf3
Add alwaysRemember to RememberMe Java Config
...
Allow setting alwaysRemember from RememberMeConfigurer
Fixes gh-180
2016-04-12 13:37:44 -05:00
bd0c8a7baa
Fix HttpSecurity logout JavaDoc
...
Removed error provoking extra logout() from example code
2016-04-12 13:24:40 -05:00
fe94d654ed
Fix typos ( #228 )
2016-04-12 11:11:51 -05:00
c57dba6b77
Fix typo in setMessageExpessionHandler ( #3803 )
2016-04-12 11:08:52 -05:00
d05fe8ec07
Fix typo in xsd
...
Fixes gh-3229
2016-04-05 09:47:48 -05:00
2f7f2ff589
Adds support for Content Security Policy
...
Fixes gh-2342
2016-03-22 21:59:13 -05:00
4b650dc58d
Allow AuthenticationProvider Bean in Java Config
...
This commit adds support for defaulting java configuration's
authentication by providing an AuthenticationProvider Bean.
Fixes gh-3091
2016-03-22 16:17:25 -05:00
533a5f0905
Fix <password-encoder> when authentication-manager@id specified
...
When <authentication-manager> specifies an id, the <password-encoder> is
not used because the parser changes the bean id without aliasing it to
BeanIds.AUTHENTICATION_MANAGER which is used by
AuthenticationManagerBeanDefinitionParser to look up the
AuthenticationManager bean.
This commit updates AuthenticationManagerBeanDefinitionParser to ensure
there is an alias to BeanIds.AUTHENTICATION_MANAGER when the id is
specified.
Fixes gh-3296
2016-03-21 22:48:49 -05:00
7bf014f678
Path Variables fail with different case
...
Fixes gh-3329
2016-03-21 10:09:50 -05:00
cf66487d3a
Add Java Configuration Test
...
Issue SEC-2256
2016-03-18 14:03:47 -05:00
41c6a797c3
Add RememberMeConfigurer set domain
...
Fixes gh-3408
2016-03-17 08:30:18 -05:00
f221920a19
Clean up code to conform to basic checkstyle
...
Issue gh-3746
2016-03-14 00:15:12 -05:00
35eff94e3d
Add Both Config names to duplicate WebSecurityConfigurer order
...
Previously the error message when multiple WebSecurityConfigurer with the
same Order did not include both WebSecurityConfigurer classes that were
involved in the duplicate Order. This made resolving errors difficult.
This commit ensures both WebSecurityConfigurers are include in the error
message.
Fixes gh-3380
2016-03-11 12:12:55 -06:00
e33e21fe6b
Add Forward after authentication attempt config support
...
Fixes gh-3728
2016-03-11 10:49:30 -06:00
5d6e8bc3c8
Remove SPR-11251 workaround from WebSecurityConfiguration
...
Fixes gh-3348
2016-03-09 16:48:24 -06:00
be36ddb614
Some formatting fixes for HttpSecurity Javadoc
2016-03-09 16:45:43 -06:00
2f4610e8b7
Update HttpSecurity.requestMatcher() Javadoc
...
Fixes gh-3365
2016-03-09 16:45:29 -06:00
71d4ce96ad
Convert to assertj
...
Fixes gh-3175
2016-03-09 14:30:17 -06:00
bb600a473e
Start AssertJ Migration
...
Issue gh-3175
2016-03-09 14:26:30 -06:00
3164bd6f8d
Polish Sorting ObjectPostProcessor
...
* Add Test
* Only sort on adding new entry
Issue gh-3572
2016-03-08 15:51:13 -06:00
a366489c3c
Sort ObjectPostProcessors prior to invoking them
...
Fixes gh-3572
2016-03-08 10:39:56 -06:00
db81977a1a
Polish HPKP
...
* Javadoc polish
* Whitespace cleanup
Issue gh-3706
2016-03-03 15:11:40 -06:00
331c7e91b7
HTTP Public Key Pinning
...
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites
to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
(For example, sometimes attackers can compromise certificate authorities,
and then can mis-issue certificates for a web origin.)
The HTTPS web server serves a list of public key hashes, and on subsequent connections
clients expect that server to use 1 or more of those public keys in its certificate chain.
This commit will add this new functionality.
Fixes gh-3706
2016-03-03 14:21:46 -06:00
337f1885ea
SEC-3170: Polish
...
* Prevent a null LogoutHandler from being set when RememberMeServices
does not implement LogoutHandler
* Fix test which invoked Mock from outside spock which failed
* Add explicit test for adding null LogoutHandler to
RememberMeConfigurer
2015-12-15 09:50:54 -06:00
b28c62a6fe
SEC-3170: Null check for Java Config of RememberMeServices
...
Added a null check in LogoutConfigurer.addLogoutHandler() method to
ensure that a logout handler is always provided..
2015-12-15 09:50:54 -06:00
1182d35d3c
SEC-3159: Fix Javadoc
...
The HttpSecurity#headers() Javadoc did not accurately reflect changes made to the
HeadersConfigurer in Spring Security 4.x.
2015-11-21 19:39:15 -05:00
205ef42cfb
SEC-3147: Add error parameter for default authentication-failure-url
2015-11-12 15:00:21 -06:00
53f85e2151
SEC-2848: LogoutConfigurer allows setting clearAuthentication
2015-10-30 13:54:01 -05:00
15b4406015
SEC-3135: antMatchers(<method>,new String[0]) now passive
2015-10-30 10:08:42 -05:00
6f1bb705ac
SEC-3135: antMatchers now allows method and no pattern
...
Previously, antMatchers(POST).authenticated() was not allowed. Instead
users had to use antMatchers(POST, "/**").authenticated().
Now we default the patterns to be "/**" if it is null or empty.
2015-10-29 12:48:29 -05:00
f76bf96e14
SEC-3132: securityBuilder cannot be null
...
If a custom SecurityConfiguererAdapter applies another
SecurityConfigurerAdapter it caused an error securityBuilder cannot be null.
This commit fixes this.
2015-10-23 10:27:09 -05:00
b9f8af3096
SEC-3063: rm ConditionalOnMissingBean for @Primary
...
ConditionalOnMissingBean can only work in a Spring Boot environment. This
means this approach is flawed.
Instead users that wish to override requestDataValueProcessor can use
@Primary.
2015-10-21 15:40:43 -05:00
8baafbb2f2
SEC-3116: Polish WebSecurity Javadoc
2015-10-01 15:50:22 -05:00
bac980cbcb
SEC-2868: Simplify custom UserDetailsService Java Config
...
Exposing a UserDetailsService as a bean is now all that is necessary
for Java based configuration. Additionally, an optional PasswordEncoder
bean can be used to configure password encoding.
2015-08-27 20:41:15 -05:00
6b05b298ff
SEC-2059: Support Path Variables in Web Expressions
2015-08-20 17:11:01 -05:00
cbed1d75ee
SEC-3076: Add Method Level Security Meta Annotations
2015-08-19 16:07:03 -05:00
41c9431fcc
Test that form log in requires CSRF
2015-08-03 12:24:37 -05:00
453e6332da
Fix indentation of CsrfConfigTests
2015-08-03 12:03:05 -05:00
ad1d858e2b
SEC-3056 - Fix JavaDoc errors.
...
Fixed JavaDoc errors accross multiple modules in order to make javadoc happy with Java 8.
2015-08-03 08:02:24 -05:00
dab4cf18b8
SEC-3032: Correct documented logout-success-url default
2015-07-22 13:48:07 -05:00
07fb2af74b
SEC-3011: AbstractUrlAuthorizationConfigurer postProcess default AccessDecisionManager
2015-07-21 08:52:36 -05:00
ab1b7a1eb6
Remove unnecessary @SuppressWarnings
2015-07-21 08:51:32 -05:00
9654df2cc3
SEC-3045: Conditionally add MethodSecurityMetadataSourceAdvisor
2015-07-17 15:16:09 -05:00
a3df41b380
Clean Import Statements
2015-07-17 14:52:23 -05:00
0e36f85dab
SEC-3019: Java Config for Http Basic supports Rememberme
2015-07-16 11:12:44 -05:00
474d624e8e
SEC-2988: Renamed OnBeanCondition.java to OnMissingBeanCondition.java
2015-07-13 22:51:45 -05:00
64938ebcfc
SEC-2996: Suport configuring SecurityExpressionHandler<Message<Object>>
2015-07-13 22:45:35 -05:00
ca0ffb8b5d
SEC-2948: Fix error message for wrong xsd schema
...
When using the wrong xsd schema < 4.0 a message was shown that the
schema needed to be version 3.2.
In reality this schema had to be version 4.0.
2015-07-09 23:17:16 -05:00
1f74ac811e
Fix Spring IO Tests
2015-07-08 11:09:29 -05:00
197ddb3cd1
SEC-3029: Fix Compatibility with Spring 4.2.x
2015-07-07 22:46:31 -05:00
0a118336d4
SEC-2955: Convert to "static" for inner classes
2015-04-30 12:54:52 -05:00
f1352ba492
SEC-2942: Add test EnableWebSecurity supports AuthenticationPrincipal
2015-04-23 16:34:04 -05:00
f548d89b27
SEC-2932: SecurityContextConfigurer defaults SecurityContextRepository
2015-04-22 16:50:51 -05:00
09acc2b7a5
SEC-2962: SecurityContextHolderAwareRequestFilter default rolePrefix
2015-04-21 11:42:48 -05:00
38e2e23b86
Fix indentation of InterceptUrlConfigTests
2015-04-21 09:38:17 -05:00
0bfbd2923a
SEC-2915: Fix defaut login page tests with tabs
2015-04-17 12:13:44 -05:00
4fdfb8caba
SEC-2915: More Tabs -> Spaces
2015-04-17 11:34:34 -05:00
5fa5630bc3
Polish ordering of Config and test in NamespaceRememberMeTests
...
The convention is to put the config just below the test.
This commit fixes the convention for NamespaceRememberMeTests
2015-04-17 11:20:39 -05:00
0c77c2071b
SEC-2880: Add a setter method to override the cookie name of remember-me
2015-04-17 11:14:58 -05:00
ec89fdcfaa
SEC-2919: Polish
...
Remove now unnecessary AuthenticationConfig.Builder#getLoginFormUrl
method.
2015-04-17 11:12:08 -05:00
052bd32f40
SEC-2919: DefaultLoginPageGeneratingFilter disabled when login-page specified
2015-04-17 11:12:08 -05:00
4ca936bb76
SEC-2913: Polish
2015-03-25 21:18:12 -05:00
6c541468f6
SEC-2913: Post Process default session fixation AuthenticationStrategy
...
Before the default session fixation AuthenticationStrategy used a
NullEventPublisher when using the Java Configuration. This was due to the
fact that it is not exposed as a Bean and is not post processed.
We now post process the default session fixation AuthenticationStrategy
which initializes the EventPublisher properly.
2015-03-25 21:11:52 -05:00
7b25b3e40d
SEC-2864: Default Spring Security WebSocket PathMatcher XML Namespace
2015-03-25 16:32:03 -05:00
db531d9100
SEC-2917: Update to Spring 4.1.6
2015-03-25 15:18:59 -05:00
57b06fb0b5
SEC-2864: Default Spring Security WebSocket PathMatcher
2015-03-25 13:14:15 -05:00
c94a5cf8e2
SEC-2916: disable-url-rewriting=true by default
2015-03-25 13:14:15 -05:00
ae6af5d73c
SEC-2915: Updated Java Code Formatting
2015-03-25 13:09:18 -05:00
0a2e496a84
SEC-2915: groovy/gradle spaces->tabs
2015-03-25 13:08:59 -05:00
cf9f58a4ac
SEC-2915: XML spaces->tabs
2015-03-25 13:08:52 -05:00
fbf3672eca
SEC-2908: mulitple invocations of http.requetMatchers() properly chains
2015-03-20 15:30:19 -05:00
e776a1fd35
SEC-2803: Add HttpStatusEntryPoint
2015-03-11 14:45:59 -05:00
bed20db905
Remove Unnecessary @Override
2015-02-27 16:18:31 -06:00
8b78194f31
SEC-2876: HttpSecurityBuilder addFilterAfter javadoc before->after
2015-02-24 22:19:50 -06:00
c8b79289c9
add setter for using a custom name for the rememberMeParameter
2015-02-24 21:45:23 -06:00
5f57e5b0c3
SEC-2873: Remember Me XML Configuration Defaults Should Match Java Config
2015-02-24 20:49:56 -06:00
67cd8465c3
SEC-2826: Add remember-me-cookie attribute in xml namespace
2015-02-24 17:54:54 -06:00
d2fd852711
SEC-2832: Fix config tests
2015-02-24 17:53:39 -06:00
2bf4f28db9
Fix .properites user
2015-02-24 16:25:24 -06:00
df96e5573f
Add test .properties Authentication Java Config
2015-02-24 16:14:15 -06:00
37740cd020
SEC-2861: Add WebSocket Documentation & Sample
2015-02-24 10:29:47 -06:00
b9563f6102
SEC-2830: Cleanup disabling Same Origin SockJS
...
- Defaults for properties false
- Add XML Namespace support
2015-02-24 10:28:33 -06:00
b9e2a57131
SEC-2854: Add intercept-message@message-type
2015-02-20 11:43:16 -06:00
fea03536d6
SEC-2853: Rename WebSocket XML Namespace elements
2015-02-20 11:43:15 -06:00
fb085cae25
Add session-management@session-fixation-protection=none test
2015-02-19 13:01:59 -06:00
6a8475adbb
SEC-2830: Provide Same Origin support for SockJS
2015-02-18 11:21:02 -06:00
a27c33754c
SEC-2859: Add CsrfTokenArgumentResolver
2015-02-18 10:51:30 -06:00
36fe0d0357
SEC-2845: SecurityContextChannelInterceptor support anonymous
2015-02-18 10:00:22 -06:00
c4fe630f8e
SEC-2846: Security HTTP Response Headers Configuration Cleanup
2015-02-10 10:36:00 -06:00
9b5f76f3d6
SEC-2833: Rossen's feedback on WebSocket
2015-02-04 10:43:12 -06:00
72e256b95a
Fix unchecked warning in AbstractSecurityWebSocketMessageBrokerConfigurer
2015-02-04 10:43:12 -06:00
55fde81a0f
SEC-2838
2015-01-31 11:04:55 +01:00
6627f76df7
SEC-2758: Make ROLE_ consistent
2015-01-29 17:08:43 -06:00
414f98bee0
SEC-2827: Clean up MessageMatcher Ambiguities
2015-01-23 17:29:54 -06:00
5b0f8918ce
Fix Eclipse import
2015-01-23 17:29:54 -06:00
1e5f7023c6
SEC-2822: Make EnableGlobalAuthenticationAutowiredConfigurer static Bean
...
This ensures that EnableGlobalAuthenticationAutowiredConfigurer is actually
used in newer versions of Spring. See SPR-12646
2015-01-20 14:28:17 -06:00
62649af0aa
SEC-2815: Delay looking up AuthenticationConfiguration
2015-01-20 10:23:43 -06:00
49b69196de
Release version 4.0.0.RC1
2014-12-11 20:36:55 -06:00
1677836d53
SEC-2790: Deprecate @EnableWebMvcConfig
2014-12-10 21:10:27 -06:00
62e127e978
SEC-2789: Add Default WebSecurityConfigurerAdapter
2014-12-10 21:10:26 -06:00
3171cc4364
SEC-2788: Add @Configuration as meta annotation to @Enable* annotations
2014-12-10 21:10:15 -06:00
c67ff42b8a
SEC-2783: XML Configuration Defaults Should Match JavaConfig
...
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
2014-12-08 15:09:15 -06:00
87a52ffbfd
SEC-2784: Update to Gradle 2.2.1
2014-12-08 13:29:07 -06:00
6e204fff72
SEC-2781: Remove deprecations
2014-12-04 15:28:40 -06:00
5bb0ce9a8f
SEC-2773: Add Test for static delegatingApplicationListener
2014-12-01 12:06:09 -06:00
0f7c2e4128
SEC-2773: Prevent premature container initialization in WebSecurityConfiguration.
...
Changed the bean definition method for the DelegatingApplicationListener
to be static to avoid the need to instantiate the configuration class which
caused further premature initializations to satisfy the dependencies
expressed in setFilterChainProxySecurityConfigurer(…).
2014-12-01 11:38:19 -06:00
2cb2657f5b
SEC-2702: Clean WebSocket Namespace documentation
2014-11-25 12:27:29 -06:00
8ad16b01f5
SEC-2702: Add WebSocket Security XML Namespace Support
2014-11-25 09:45:32 -06:00
3c487c0348
SEC-2348: Update doc headers enabled by default with XML
2014-11-21 21:55:03 -06:00
4392205f63
SEC-2347: CSRF Enabled by default w/ XML Config
2014-11-21 21:32:56 -06:00
eedbf44235
SEC-2348: Security HTTP Response Headers enabled by default w/ XML
2014-11-21 16:06:29 -06:00
30c5788b8b
SEC-1897: Remove raw types from AbstractAccessDecisionManager
2014-11-20 15:36:53 -06:00
1cca72e6d8
SEC-2749: CsrfConfigurer.requireCsrfProtectionMatcher correct null check
2014-11-20 14:40:51 -06:00
05882b5f24
SEC-2574: Polish
...
Handle null DelegatingApplicationListener
2014-11-19 17:09:24 -06:00
5810681b06
SEC-2574: JavaConfig default SessionRegistry processes SessionDestroyedEvents
2014-11-19 16:48:19 -06:00
24dec7ec3e
SEC-2737: Remove WebSocket Outbound Authorization
2014-10-10 15:56:25 -05:00
5ba8f000a7
SEC-2714: Add AuthenticationPrincipal resolver for messaging support
2014-09-23 16:28:48 -05:00
d2fa019fe5
SEC-2704: Separation of inbound and outbound security rules
2014-09-19 16:39:43 -05:00
28446284a6
SEC-2713: Support authorization by SimpMessageType
2014-09-19 16:38:56 -05:00
02c3565e22
Fix compiling in Eclipse
2014-09-16 10:18:46 -05:00
a932d6ecf3
Removed unnecessary params from anyRequest()'s javadoc
2014-08-20 11:24:15 +02:00
b9df7ba01f
SEC-2179: Allow customize PathMatcher for SimpDestinationMessageMatcher
2014-08-18 11:04:04 -05:00
3f30529039
SEC-2179: Add Spring Security Messaging Support
2014-08-15 20:46:58 -05:00
8a2a1b7a5b
SEC-2595: Polish
2014-07-25 16:27:19 -05:00
b2d66e2a78
SEC-2595: @EnableGlobalMethodSecurity AspectJ fixes
2014-07-25 16:03:18 -05:00
ecb4296540
SEC-2588: Javadoc fix channelSecurity->requiresChannel
2014-07-21 14:23:40 -05:00
75df42cb7c
SEC-2656: Fix <frame-options> with whitelist strategy
2014-06-18 09:10:28 -05:00
c3d05bea62
SEC-2657: Test for multi dynamic ports for LDAP Java Config
2014-06-17 17:25:08 -05:00
a3fd706335
SEC-2660: Move config integration-test *.groovy to groovy source folder
2014-06-17 17:22:42 -05:00
b255478b14
SEC-2658: Java Config triggers usePasswordAttrCompare to be set
2014-06-17 17:10:16 -05:00
a2b53fabce
SEC-2657: LdapAuthenticationProviderConfigurer find available port
2014-06-17 16:54:42 -05:00
63d1b531a1
SEC-2618: LdapAuthenticationProviderConfigurer passwordAttribute null check
...
If LdapAuthenticationProviderConfigurer passwordAttribute is null, do not
set on the PasswordComparisonAuthenticator
2014-06-17 16:51:01 -05:00
e6e35932ed
SEC-2603: Fix config groovy integration tests
2014-05-20 23:15:39 -05:00
cbd06a4994
SEC-2472: Support LDAP crypto PasswordEncoder
2014-05-20 23:15:36 -05:00
d95640d3e5
SEC-2600: Remove unused import
2014-05-19 12:29:04 -05:00
f73b579ad9
SEC-2543: Logout with CSRF enabled requires POST by default
2014-05-02 11:24:02 -05:00
1d7402e0cd
SEC-2532: Add disclaimer about jdbcAuthentication() with persistent data stores
2014-04-28 15:06:52 -05:00
37bb350883
SEC-2549: Remove LazyBean marker interface
2014-04-24 14:34:35 -05:00
c411014c24
SEC-2533: Global AuthenticationManagerBuilder disables clearing child credentials
2014-03-25 13:05:44 -05:00
cb0549a609
SEC-2498: RequestCache allows POST when CSRF is disabled
2014-03-25 10:50:59 -05:00
d079044592
SEC-2531: AuthenticationConfiguration#lazyBean should use BeanClassLoader
2014-03-24 14:58:19 -05:00
e4a58375cc
SEC-2515: Detect object cycle for AuthenticationManager configuration
2014-03-10 14:33:35 -05:00
4cdeacc277
SEC-2499: Allow MethodSecurityExpressionHandler in parent context
...
Previously a NoSuchBeanDefintionException was thrown when the
MethodSecurityExpressionHandler was defined in the parent context. This
happened due to trying to work around ordering issues related to SEC-2136
This commit resolves this by not marking the
MethodSecurityExpressionHandler bean as lazy unless it exists.
2014-03-06 21:14:35 -06:00
04a527d4ec
SEC-2495: CSRF disables logout on GET
2014-02-20 09:40:00 -06:00
85305050c0
SEC-2455: Fix XML default login generation
2014-02-18 13:52:05 -06:00
8a3a7961cb
SEC-2492: ExpressionUrlAuthorizationConfigurer private interceptUrl to void
2014-02-15 14:41:26 -06:00
bf2df220ca
SEC-2490: LdapAuthenticationProviderConfigurer allows custom LdapAuthoritiesPopulator
2014-02-13 16:37:33 -06:00
7a3da28987
SEC-2479: Search parent context for AuthenticationManager
2014-02-12 08:11:26 -06:00
6c35c33abe
SEC-2447: Fix AuthenticationManagerBuilder ordering issues
2014-02-09 21:17:51 -06:00
c42e13c966
loginProcessing test
2014-02-07 17:01:11 -06:00
6b42a2eae1
SEC-2461: Multi WebSecurityConfiguration does not create null springSecurityFilterChain
2014-02-07 17:01:11 -06:00
8d8475deb1
SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
...
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
2014-01-29 15:35:18 -06:00
1f833b0d6b
Add ExpressionUrlAuthorizationCOnfigurer tests
...
- Demo custom expression root
- Demo @Bean in expression example
2014-01-23 11:21:21 -06:00
994117ad75
SEC-2436: Fix CsrfConfigurerNoWebMvcTests
2013-12-14 14:48:47 -06:00
b7041ed00e
SEC-2436: Add @EnableWebMvcSecurity
2013-12-14 14:40:01 -06:00
053c890a69
SEC-2450: WebSecurityConfigurerAdapter have default Order of 100
2013-12-14 13:00:48 -06:00
2df5541905
SEC-2448: Update to HSQL 2.3.1
2013-12-14 10:19:06 -06:00
04fac30d75
SEC-2449: <ldap-server> default port should fallback to dynamic value
2013-12-14 10:19:06 -06:00
aaa7cec32e
SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
...
Previously there was unecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
2013-12-12 08:07:22 -06:00
7f714ebb23
SEC-2422: Session timeout detection with CSRF protection
2013-12-11 17:38:17 -06:00
00d668dc5c
SEC-2431: UrlAuthorizationConfigurer missing <HttpSecurity> in doc
2013-12-11 11:07:05 -06:00
8e8bdad8e6
SEC-2386: Remove stack for AuthenticationManagerBuilder with no authenticationProviders
2013-12-04 15:53:32 -06:00
f2fdc9d1f5
SEC-2425: Add Test for EnableGlobalMethodSecurity works on parent config
2013-12-04 14:54:56 -06:00
595b16d836
SEC-2377: Fix tests
2013-12-03 11:48:25 -06:00
2a632a061e
SEC-2377: Hhandle EnableWebSecurity in both child & parent ApplicationContext
2013-12-03 10:45:25 -06:00
0b996c669f
SEC-2424: Document ObjectPostProcessor
2013-12-02 10:17:08 -06:00
13c5af5b91
SEC-2407: Better error message for missing securityFilterChainBuilders
2013-11-26 10:12:55 -06:00
c7b93e6cee
SEC-2404: Fix CSRF config tests
2013-11-21 15:35:26 -06:00
9dbe30c81d
SEC-2165: remember-me@token-validity-seconds can be parameterized
2013-11-15 14:58:53 -06:00
afddb5eb39
SEC-2373: Update XSD doc to state security="none"
2013-11-15 13:50:49 -06:00
6382b6341a
SEC-2355: Add test to validate intercept-url PATCH works
2013-11-15 11:57:47 -06:00
85cd5627b6
SEC-2355: Add PATCH to intercept-url xsd
2013-11-15 11:46:34 -06:00
dc317b3602
WebSecurityConfigurerAdapter implements WebSecurityConfigurer
2013-11-01 12:26:32 -05:00
cda23443ac
XsdDocumentedTests now uses asciidoc instead of asciidoctor
2013-11-01 09:32:05 -05:00
26be54653b
SEC-2382: AutowireBeanFactoryObjectPostProcessor works w/ BeanNameAutoProxyCreator
2013-10-30 11:20:42 -05:00
9e7fbf8067
SEC-2321: Refine to use X-Requested-With: XMLHttpRequest
2013-10-28 14:00:56 -05:00
5f290ba10f
SEC-2371: Remove ObjectPostProcessor.QUIESENT_POSTPROCESSOR
2013-10-18 14:31:13 -05:00
604c26eb0d
Shis simplifies the class hieararchy significantly.EC-2366: Extract AbstractRequestMatcherRegistry from AbstractRequestMatcherConfigurer
...
This simplifies the class hierarchy significantly.
2013-10-17 13:37:51 -05:00
348e3a22b6
SEC-2365: registerAuthentication->configure
2013-10-16 13:59:56 -05:00
0978c12c47
SEC-2361: Java Config Sampels use @Autowired AuthenticationManagerBuilder
2013-10-15 12:35:32 -05:00
0b0e7dbea9
SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter
2013-10-14 15:00:24 -05:00
51171efa7a
SEC-2357: Move *RequestMatcher to .matcher package
2013-10-14 11:55:56 -05:00
14b9050616
SEC-2357: Move *RequestMatchers to .matchers package
2013-10-14 10:36:31 -05:00
f2b44e6beb
Fix javadoc whitespace issue in HttpBasicConfigurer
2013-10-11 14:53:11 -05:00
4ef0460ef6
SEC-2321: Improve Java Config defaults for JavaScript clients
2013-10-11 14:53:11 -05:00
5f10d84bf5
SEC-2303: WebSecurity sets the Bean resolver
2013-10-06 13:37:51 -05:00
dd1c2483b5
SEC-2349: Fix documentation tests
2013-10-03 17:03:17 -05:00
8087cde628
SEC-2331: Include Expires: 0 in xsd and appendix
2013-09-27 17:10:42 -05:00
17efd25717
SEC-2331: Include Expires: 0 in security headers documentation
2013-09-27 16:13:40 -05:00
614c94187e
SEC-2305: GlobalMethodSecurityConfiguration autowire PermissionEvaluator
...
If a single PermissionEvaluator bean is found the
DefaultMethodSecurityExpressionHandler is configured with the
PermissionEvaluator. If multiple PermissionEvaluator beans are found, the
beans are ignored.
2013-09-27 15:46:45 -05:00
a09756745f
SEC-2151: Support binding method arguments with Annotations
...
This allow utilizing method arguments for method access control on
interfaces prior to JDK 8.
2013-09-27 11:18:37 -05:00
cea0cf9260
SEC-2243: Remove additional Debug Filter
2013-09-26 11:38:16 -05:00
56ce7d284c
SEC-2336: WebSecurityConfigurerAdapter#registerAuthentication javadoc fixes
2013-09-26 09:08:25 -05:00
a888ddf8b3
SEC-2307: JavaConfig RequestCache ignores favicon.ico
2013-09-24 11:30:37 -05:00
ddc0ef7ab3
SEC-2339: Added Logical (Or, And, Negated) RequestMatchers
2013-09-23 20:55:49 -05:00
28fb6ba14b
SEC-2328: Add hasAnyRole to ExpressionUrlAuthorizationConfiguration
2013-09-23 10:51:08 -05:00
b16c17f70b
SEC-2301: Remove invalid import
2013-09-20 16:09:23 -05:00
a3d112979f
SEC-2301: GlobalMethodSecurityConfiguration sets DefaultWebSecurityExpressionHandler BeanResolver
2013-09-20 15:53:58 -05:00
f294480e6b
SEC-2329: JC @Autowire(required=false) AuthenticationTrustResolver
...
Java Configuration now allows optional @Autowire of
AuthenticationTrustResolver. In the WebSecurityConfigurerAdapter this is
done by populating AuthenticationTrustResolver as a sharedObject.
2013-09-20 15:28:50 -05:00
7537dfc33a
SEC-2304: rm duplicate MethodExpressionHandler from GlobalMethodSecurityConfiguration
2013-09-20 15:13:02 -05:00
5082a04626
SEC-2311: LogoutConfigurer allows other HTTP methods if CSRF is disabled
2013-09-19 16:05:26 -05:00
8f8c6169e8
SEC-2331: Cache Control now includes Expires: 0
2013-09-19 14:06:37 -05:00
c5c1419521
SEC-2332: GlobalMethodSecurityConfiguration includes proper voters
...
Previously GlobalMethodSecurityConfiguration did not include the correct
voters. This updates the code and the tests to ensure that the proper
voters are added. Note this got past testing previously due to all the
voters abstaining, so tests were added for ensuring that methods could also
be invoked sucessfully using the configured annotation.
2013-09-18 18:27:12 -05:00
0114b457c0
SEC-2330: CacheControlHeadersWriter use a single header
2013-09-18 16:12:34 -05:00
be8aad8306
SEC-2196: Demonstrate Method Security works on Generic methods
2013-09-13 16:20:43 -07:00
662bb24370
SEC-1937: Added test to demonstrate SEC-1937 was invalid
2013-09-11 15:10:42 -07:00
3c82e63ded
Formatting cleanup
2013-09-11 15:10:20 -07:00
6e9fb7930b
SEC-2298: Add AuthenticationPrincipalArgumentResolver
2013-08-30 17:06:40 -05:00
ae368829f4
Tweak PermGen for tests
2013-08-28 13:30:25 -05:00
d89cf6db29
SEC-2283: Update headers documentation and tests
2013-08-28 12:35:40 -05:00
4761614c9f
SEC-2291: Fix internal links within reference
...
Instead of using xlink:href="# use linkend="
2013-08-28 09:12:27 -05:00
26166ef6e8
SEC-2272: CsrfRequestDataValueProcessor support Spring 4 and Spring 3
2013-08-27 16:26:16 -05:00
18bd82e7d4
SEC-2131: Update doc to state session authentication sends 401 if no page
2013-08-25 11:37:23 -05:00
f29505d657
SEC-2280: Fix SessionFixationConfigurer#changeSessionId Javadoc
...
The Javadoc for SessionFixationConfigurer#changeSessionId() was copied and pasted from
SessionFixationConfigurer#none() and never updated. It is incorrect. This commit fixes that.
2013-08-24 23:31:05 -05:00
48283ec004
SEC-2276: Delay saving CsrfToken until token is accessed
...
This also removed the CsrfToken from the response headers to prevent the
token from being saved. If user's wish to return the CsrfToken in the
response headers, they should use the CsrfToken found on the request.
2013-08-24 23:31:01 -05:00
c131fb6379
SEC-2139: named-security-filter are all defined and ordered correctly
2013-08-24 15:18:22 -05:00
379cbd2a8b
SEC-2274: Add ApplicationContext as HttpSecurity shared object
2013-08-21 16:50:09 -05:00
0247dd124f
SEC-2271: LogoutConfigurer#logoutUrl explains about CSRF
2013-08-21 06:58:09 -05:00
110e769bd4
SEC-2257: Remove HttpSecurityBuilder#getAuthenticationManager()
...
Removed in favor of using shared object.
2013-08-19 15:22:04 -05:00
5fe32bb3c8
SEC-2216: Add withObjectPostProcessor
2013-08-16 15:38:58 -05:00
d62c2e0835
SEC-2244: Defaults based on loginPage are now updated when loginPage changes
2013-08-16 14:48:45 -05:00
e0cad0d684
SEC-2230: Fix Header tests
2013-08-15 16:52:58 -05:00
2e852f4613
SEC-2230: Remove stray import
2013-08-15 16:34:31 -05:00
a469f26b10
SEC-2230: Polish Headers JavaConfig
2013-08-15 16:31:43 -05:00
e9bb9e766e
SEC-1574: Add CSRF Support
2013-08-15 14:49:21 -05:00
797df51264
SEC-2135: Support HttpServletRequest#changeSessionId()
2013-08-15 13:59:16 -05:00
13da42ca1b
SEC-2137: Allow disabling session fixation and enable concurrency control
2013-08-15 12:50:40 -05:00
b13b87a1e7
Remove @Override from methods that override interfaces
...
Ensure JDK5 compatibility
2013-08-05 16:49:33 -05:00
2266f0ca3f
SEC-2238: Polish
2013-08-01 11:57:32 -05:00
2fef79f3d2
SEC-2238: WebAsyncManagerIntegrationFilter Java Config
2013-08-01 11:40:34 -05:00
94a73fee37
SEC-2230: Polish scoping and finals
2013-07-31 11:34:35 -05:00
a1bf28a697
SEC-2239: Remove duplicate SessionCreationPolicy
2013-07-31 10:44:22 -05:00
606bddf598
SEC-2230: Add Header JavaConfig
...
Added JavaConfig for Headers. In the process, more HeaderWriter instances
were added so that we can reuse logic between the XML and JavaConfig. This
also prompted repackaging the writers.
2013-07-31 10:39:52 -05:00
bc8ff9590c
SEC-2230: Defaults when using only <headers/>
...
Previously an error occurred when no child elements were specified with
<headers/>.
Now all the explicitly supported header elements are added with their
default settings.
2013-07-31 10:39:52 -05:00
c85328c5d1
SEC-2230: HTTP Strict Transport Security (HSTS)Add support for Strict
...
This is a distinct filter as apposed to reusing StaticHeaderWriter
since the specification specifies that the "Strict-Transport-Security"
header should only be set on secure requests. It would not make sense to
require DelegatingRequestMatcherHeaderWriter since this requirement is
in the specification.
2013-07-31 10:39:52 -05:00
8013cd54d6
SEC-2230: Added Cache Control support
2013-07-31 10:39:45 -05:00
7b164bb5e1
SEC-2230: Polish pull request
2013-07-26 14:19:53 -05:00
8acd205486
SEC-2232: HeaderFactory to HeaderWriter
2013-07-26 09:01:12 -05:00
fd754c5cab
SEC-2098, SEC-2099: Fix build
...
- hf.doFilter is missing FilterChain argument
- response.headers does not contain the exact values for the headers so
should not be used for comparison (note it is a private member so this
is acceptable)
- hf does not need non-null check when hf.doFilter is invoked
- some of the configurations are no longer valid (i.e. ALLOW-FROM
requires strategy)
- Some error messages needed updated (some could still use improvement)
- No validation for missing header name or value
- rebased off master / merged
- nsa=frame-options-strategy id should use - not =
- FramewOptionsHeaderFactory did not produce "ALLOW-FROM " prefix of origin
- remove @Override on interface overrides to work with JDK5
2013-07-25 16:23:25 -05:00
d0b40cd2ae
- Created HeaderFactory abstraction
...
- Implemented different ALLOW-FROM strategies as specified in the proposal.
Conflicts:
config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
2013-07-25 16:22:43 -05:00
a63baa8391
SEC-2098, SEC-2099: Polishing
2013-07-25 16:22:43 -05:00
0adf5aea91
SEC-2098, SEC-2099: Created HeadersFilter
...
Created HeadersFilter for setting security headers added including a
bean definition parser for easy configuration of the headers. Enables
easy configuration for the X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options headers. Also allows for additional headers to
be added.
2013-07-25 16:22:43 -05:00
f5a30e55a3
SEC-2042: AbstractAuthenticationProcessingFilter supports RequestMatcher
2013-07-23 13:06:51 -05:00
f34b459c80
SEC-2205: Create UserDetailsServiceDelegator
...
Ensure that the UserDetailsService is created lazily.
2013-07-22 16:38:09 -05:00
a39ff1b041
SEC-2202: http.authorizeUrls() to http.authorizeRequests()
...
This change is more meaningful since the requests can be matched on
anything not just the URL
2013-07-22 11:54:10 -05:00
e1d8db4e95
SEC-2197: Allow multiple invocations on HttpSecurity
...
Previously invoking methods like HttpSecurity#authorizeUrls() multiple
times would override one another. This has now changed to be more
intuitive. Initially this was required for the way that defaults were
provided so that they could be overriden, but this is no longer the case.
2013-07-21 22:56:23 -05:00
cf0fdc2d66
SEC-2222: Use auth parameter name instead of registry
2013-07-20 07:49:07 -05:00
90bd241ce2
SEC-2199: Support multiple AuthenticationEntryPoint defaults
2013-07-19 17:09:58 -05:00
87c9a14bff
SEC-2198: http.httpBasic() defaults AuthenticationEntryPoint
2013-07-19 17:09:58 -05:00
0f281f9575
SEC-2215: ServletApiConfigurer populates properties on SecurityContextHolderAwareRequestFilter
...
Previously ServletApiConfigurer left the following properties null:
authenticationManager, logoutHandlers, and authenticationEntryPoint
2013-07-16 22:43:53 -05:00
fb45db11e9
SEC-2191: Remove AuthenticationManagerBuilder default constructor
...
This ensures that users must choose what ObjectPostProcessor is being used
with AuthenticationManagerBuilder. To make things easier for users, we now
automatically add an AuthenticationManagerBuilder object that can be used
for creating an AuthenticationManager with @Autowired.
2013-07-05 12:10:03 -05:00
cf80cc88b5
SEC-2192: Create DEFAULT_FILTER_NAME
2013-07-05 09:41:53 -05:00
70b3a330ef
#137 WebSecurityConfigurerAdapter no longer uses getClass() for logger
...
Previously it was difficult to change log levels due to CGLIB proxying of
the class which impacted the logger name.
2013-07-01 10:07:38 -05:00
17bef05c3c
#138 WebInvocationPrivilegeEvaluator has default value
2013-07-01 08:46:57 -05:00
d8ed429370
#138 Tests for WebSecurityExpressionHandler bean existing
2013-07-01 08:37:12 -05:00
4d282cbe0d
SEC-1953: Polish
2013-06-30 21:51:25 -05:00
d0c4e6ca72
SEC-1953: Spring Security Java Config support
...
This is the initial migration of Spring Security Java Config from the
external project at
https://github.com/SpringSource/spring-security-javaconfig
2013-06-30 17:28:33 -05:00
fba4fec84b
SEC-2175: Correct XSD docs on auto-config.
2013-06-09 14:51:58 +01:00
ebba8ac514
SEC-2122: Update namespace to support bcrypt.
...
password-encoder now supports hash='bcrypt'.
2013-05-17 19:17:18 +01:00
f594ed76db
SEC-2087: GlobalMethodSecurityBeanDefinitionParser uses AuthenticationManager to create AuthenticationManagerDelegator
2013-04-25 08:56:46 -05:00
66357a2077
SEC-2143: Update XSD version mismatch error message
2013-03-06 10:57:41 -06:00
5eb5c91d86
SEC-2119: Rename rememberme-parameter to remember-me-parameter
...
This change extends pull request https://github.com/SpringSource/spring-security/pull/26
and its subsequent changes by renaming the attribute name 'rememberme-parameter' to
'remember-me-parameter'.
The spelling including the additional hyphen in 'remember-me-parameter' is more consistent
with the default spelling of the 'remember-me' functionality.
2013-03-05 14:47:25 -06:00
b014020955
SEC-2119: Polish remember-me@rememberme-parameter
...
- Change form-parameter to rememerme-parameter
- Use rnc file for generating the xsd
- Add test for deafult value of rememberme parameter
2013-03-01 17:03:09 -06:00
9eb34fe51c
SEC-2119: Add a 'form-parameter' attribute to <remember-me>
...
This change extends the namespace configuration of <remember-me>
with a 'form-parameter' attribute. The introduced attribute sets
the 'parameter' property of AbstractRememberMeServices.
This enables overriding the default value of
'_spring_security_remember_me' using the namespace configuration.
2013-03-01 17:03:02 -06:00
e8661913d1
SEC-2119: Update to 3.2 schema and use default schema version when available
2013-03-01 16:29:27 -06:00
f8ed3791f9
SEC-2142: Schema documentation states anonymous and remember-me ke defaults to SecureRandom
2013-03-01 12:23:36 -06:00
2a86c72436
Update XsdDocumentedTests to make easier to understand problems
2013-02-28 17:08:51 -06:00
914ec45e43
SEC-2136: Lazy load MethodSecurityExpressionHandler & MethodSecurityExpressionHandler.expressionParser
...
Previously wiring dependencies created with a FactoryBean into
MethodSecurityExpressionHandler &
MethodSecurityExpressionHandler.expressionParser and would cause
NoSuchBeanDefinitionException's to occur. These changes make it easier
(but not impossible) to avoid such errors.
The following changes were made:
- ExpressionBasedAnnotationAttributeFactory delays the invocation of
MethodSecurityExpressionHandler.getExpressionParser()
- MethodSecurityExpressionHandler is automatically wrapped in a
LazyInitTargetSource and marked as lazyInit=true
2013-02-28 10:26:12 -06:00
89c63fd752
Add spring-security-3.2.rnc
2013-01-03 18:32:33 -06:00
036e0505b3
Make rnc transform part of Gradle build
2013-01-03 18:32:32 -06:00
c8d45397fe
SEC-2079: Add Servlet 3 Authentication methods
...
Add support for HttpServletRequest's login(String,String), logout(),
and authenticate(HttpServletResponse).
2012-12-11 17:26:31 -06:00
1ed643ca1f
SEC-1998: Provide integration with WebAsyncManager#startCallableProcessing
...
Support integration of the Spring SecurityContext on Callable's used with
WebAsyncManager by registering SecurityContextCallableProcessingInterceptor.
2012-11-28 17:56:03 -06:00
1a7aaa85c4
SEC-2066: ProtectPointcutPostProcessor is now ThreadSafe
...
Previously a ConcurrentModificationException could occur when
PointcutExpression.matchesMethodExecution was performed in multiple threads. Another
issue was that beans may get processed multiple times.
Now a lock is performed to ensure that only a single thread has access to
PointcutExpression.matchesMethodExecution and that each bean only gets processed once.
2012-11-09 14:34:00 -06:00
4c50d1f5de
SEC-2072: <security:anonymous> granted-authority supports multiple authorities again
2012-11-02 16:24:14 -05:00
4f741bc914
SEC-2057: ConcurrentSessionFilter is now after SecurityContextPersistenceFilter
...
Previously, ConcurrentSessionFilter was placed after SecurityContextPersistenceFilter
which meant that the SecurityContextHolder was empty when ConcurrentSessionFilter was
invoked. This caused the Authentication to be null when performing a logout. It also
caused complications with LogoutHandler implementations that would be accessing the
SecurityContextHolder and potentially clear it out expecting that
SecurityContextPersistenceFilter would then clear the SecurityContextRepository.
The ConcurrentSessionFilter is now positioned after the
SecurityContextPersistenceFilter to ensure that the SecurityContextHolder is populated
and cleared out appropriately.
2012-10-03 09:27:24 -05:00
6af3e1958b
Update to Groovy 1.8
2012-09-04 09:48:29 -05:00
a19cc8f1c7
SEC-2020: Set eraseCredentialsAfterAuthentication when using http@authentication-manager-ref
...
Previously the namespace configuration did not properly set the eraseCredentialsAfterAuthentication
property on the parent AuthenticationProvider when using http@authentication-manager-ref.
Now the ProviderManager that is created by the namespace consults the original
AuthenticationManager to determine if eraseCredentialsAfterAuthentication should
be set on the wrapped instance. If the original is not a ProviderManager the
eraseCredentialsAfterAuthentication is set to false since we should not "magically"
add behavior to the custom AuthenticationManager without knowing the desired behavior.
2012-07-31 14:04:11 -05:00
d2a5ad6fd1
SEC-2016: Update config integration tests to use specific ldif to work in Eclipse
...
Due to Eclipse restrictions the classpath adding an project as a dependency picks up
the test dependencies of other projects. This caused problems when running the
config integration tests within Eclipse.
Now the tests specify a specific ldif to load. There is also one new test that ensures
that the ldif is defaulted properly, but does not rely on the ldif that is loaded.
2012-07-31 14:03:38 -05:00
a547f6922a
SEC-1996: Fix javadoc to work with jdk 1.5
...
The javadoc did not work with JDK 1.5 due to a JDK bug fixed in JDK 1.6.
This changed the javadoc that had a tag that started with <a and was not
closed to escape the < >. This resolves the issue with the JDK 1.5 javadoc
bug.
2012-07-20 16:38:27 -05:00
7f9938c8e2
Organize imports on RememberMeConfigTests
2012-07-18 14:45:05 -05:00
c7c41ced84
Added test to verify LogoutHandlers added to LogoutFilter
2012-07-18 14:45:05 -05:00
3ce06333c5
SEC-1850: Namespace adds all LogoutHandlers to ConcurrentSessionFilter
...
Previously the namespace configuration only populated ConcurrentSessionFilter
with SecurityContextLogoutHandler. This means that there was an inconsistency
with LogoutFilter.
Now the namespace will configure the same LogoutHandlers as it would for
LogoutFilter (i.e. RememberMeServices, SecurityContextLogoutHandler, and
CookieClearingLogoutHandler.
2012-07-18 14:44:35 -05:00
06638db289
SEC-1909: Namespace configuration no longer uses deprecated API's
...
Previously the namespace configuration used deprecated API's
causing warnings to show up in Spring Tool suite when editing
Spring configuration files.
Now the namespace configuration uses the replacement API's for
those that have been deprecated. The tests have also been updated
to ensure the new constructors are used and that the updates did
not break anything.
2012-07-17 14:08:36 -05:00
42b72bcbc4
SEC-1980: Prevent parser warning when URL's in configuration start with #
...
Previously a warning would be logged to the parser when a URL was
configured with a SpEL expression. These changes prevent warnings from
being logged when using SpEL for URL configuration.
2012-07-10 14:24:42 -05:00
254333ce82
SEC-1957: DefaultFilterChainValidator no longer casts to DefaultFilterInvocationSecurityMetadataSource
2012-04-29 15:59:24 -05:00
488efbc97e
SEC-1901: Changed DebugFilter to no longer extend OncePerRequesetFilter so that the FilterChainProxy is invoked on forwards
2012-03-17 11:16:21 -05:00
f78c11650f
SEC-1893: Namespace now register PortMapper with custom mappings for all components that use a PortMapper
2012-03-11 20:52:17 -05:00
2d556c7b4f
SEC-1885: Change SecurityDebugBeanFactoryPostProcessor to only interact with BeanDefinitions rather than instances to prevent premature instatiation of FilterChainProxy and its dependencies
...
This issue occurred because the AutowiredAnnotationBeanPostProcessor had not been registered when the SecurityDebugBeanFactoryPostProcessor tried to obtain the FilterChainProxy. This caused
all of the FilterChainProxy's dependant beans to be resolved and if they used @Autowired they would not get processed properly.
2012-01-07 13:52:50 -06:00
448a42916d
SEC-1880: Corrected error message when using both logout-success-url and success-handler-ref
2011-12-30 11:31:24 -06:00
ea56a98883
SEC-1868: Remove error level logs from SecurityNamespaceHandler when the web classes are not available and not required
...
To get the detailed errors the FilterChainProxy is loaded again in reportMissingWebClasses
and included in the readerContext fatal log.
2011-12-30 10:51:17 -06:00
044861eb20
Renamed **/*Spec.groovy to **/*Tests.groovy to better follow conventions
2011-12-29 12:59:24 -06:00
aabb16912f
SEC-1878: DefaultFilterChainValidator properly handles AccessDecisionManager throwing exceptions other than AccessDeniedException
2011-12-28 16:43:19 -06:00
999adbc6ee
SEC-1827: If use-secure-cookie is set to false explicitly set useSecureCookie to false on AbstractRememberMeServices
2011-11-21 09:11:17 -06:00
ff495b698e
SEC-1858: Removed methods for generating docbook for xsd
...
Not squashing so this is around if needed again
2011-11-11 11:45:02 -06:00
c8b847f1ed
SEC-1858: Added integration tests to validate that the xsd is documented in the reference
2011-11-11 11:44:55 -06:00
de397bc0ce
SEC-1858: Updated xsd documentation to have documentation for all elements/attributes and added documentation of default values where appropriate
2011-11-11 09:00:53 -05:00
3b13a3fb25
SEC-1812: Replace assertion with warning message when overriding the global AuthenticationManager.
2011-11-02 14:23:59 +00:00
30088f19ae
SEC-1806: Log that bean definition is being created rather than bean in LdapServerBDP.
2011-10-31 23:50:06 +00:00
2f67bb3032
SEC-1847: Add authentication-manager-ref attribute to http and global-method-security namespace elements.
2011-10-30 21:51:02 +00:00
44e2543015
Minor changes to make filter chain validation more robust with custom request matchers.
2011-10-24 21:21:10 +01:00
f2786805e6
SEC-1841: Added request-matcher-ref attribute to namespace for defining a filter chain.
2011-10-21 20:04:35 +01:00
58f7d3acc6
SEC-1835: Changed xsd:ID to xsd:token.
2011-10-21 18:35:06 +01:00
ac6ed671a1
SEC-1830: Use constructor injection in namespace parsing code for creation of ProviderManager
2011-09-26 18:24:36 +01:00
a1c714cff4
SEC-1754: Added an InvalidSessionStrategy to allow SessionManagementFilter to delegate out the behaviour when an invalid session identifier is submitted.
2011-07-14 16:43:02 +01:00
f92589f051
Extract a SecurityFilterChain interface and create a default implementation to facilitate other configuration options.
2011-07-06 00:12:48 +01:00
73442125de
SEC-1775: Removed internal use of UserAttribute class in AnonymousAuthenticationFilter.
2011-07-04 21:09:48 +01:00
5d20f57fa8
Import cleaning.
2011-07-02 20:36:42 +01:00
85807fdfd0
Removed @Overrides from method that implements interface instead of overriding superclass to resolve Java 1.5 error
2011-06-21 07:22:35 -05:00
5a1ddc660b
SEC-1768: Added tests to reproduce "double-proxying" issue combining intercept-methods and tx-annotation-driven. Problem is caused by use of ProxyFactoryBean with auto-proxying.
2011-06-18 14:32:31 +01:00
52c0ee6756
Improve error reporting of missing web classes in namespace handler. Now catches and logs the class-loading error.
2011-06-13 13:39:55 +01:00
Joe Grandja
Rob Winch
Craig Andrews
stonio
Thomas Darimont
Vedran Pavic
Rob Winch
Joris Kuipers
Kazuki Miyahara
Spring Buildmaster
Johnny Lim
Eddú Meléndez
Fred Cooke
Marten Deinum
novotnyr
Michael J. Simons
Jakob Englisch
Tony Dalbrekt
Sola
didiez
Matthias Merdes
Leon Radley
Jeffrey Walraven
Nicolai Ehemann
Quinten De Swaef
Shazin Sadakath
Billy Korando
Wallace Wadge
Tim Ysewyn
Nikos Kastamoulas
William Gorder
Kazuki Shimizu
Stijn
Alex Panchenko
Romain Fromi
Michael Cramer
Michael Oberwasserlechner
Oliver Gierke
Nándor István Krácser
Mirko Zeibig
Andy Wilkinson
Rob Winch
Collin Peters
Nick Williams
Keesun Baik
Luke Taylor
Oliver Becker
Mike Noordermeer
Rob Winch