Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-01-06 14:37:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
10,488 Commits 54 Branches 369 Tags
Commit Graph

715 Commits

Author SHA1 Message Date
Luke Taylor
7d97adc687 SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/". 2010-10-27 13:25:39 +01:00
Rossen Stoyanchev
70600a0277 SEC-1552 Refactor AuthorizeTag and LegacyAuthorize tag to make them independent of JSP tag rendering. 2010-10-26 12:33:51 +01:00
Rob Winch
ee12d54bec SEC-1536: moved web.authentication.jaas to web.jaasapi 
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
 2010-10-05 22:28:42 -05:00
Luke Taylor
1b2b371970 SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element. 
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.

Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
 2010-09-16 16:03:24 +01:00
Luke Taylor
551166a577 ApacheDS workDir property should be passed to the test process, not set as a system property in the main build process. 2010-09-14 14:43:21 +01:00
rwinch
de819378fc SEC-1536: added JAAS API Integration, updated doc, updated jaas sample 2010-09-13 13:12:45 -05:00
Luke Taylor
1a1372ab84 Removed deprecated AspectJInterceptor classes since these cannot be used with the existing MethodSecurityMetadataSource implementations (which no longer support JoinPoin as a secured object). Added some more tests. 2010-08-28 21:41:19 +01:00
Luke Taylor
ba890cf7e5 Removed invalid test method. 2010-08-24 21:03:33 +01:00
Luke Taylor
d1e8b8e29d More tests. Minor refactoring. 2010-08-24 20:57:45 +01:00
Luke Taylor
1680807470 Added eclipse plugin to build. Some minor fixes to remove eclipse warnings. 2010-08-18 14:11:16 +01:00
Luke Taylor
3c02989d67 Removal of jmock test dependency and upgrading of mockito version to 1.8.5. Minor adjustments to other build deps and configurations (e.g. prevent groovy from being used as a transitive dep, since we only use it for tests). 2010-08-18 02:32:43 +01:00
Luke Taylor
281d77271e SEC-1486, SEC-1538, SEC-1537: Generification of AuthenticationDetailsSource. Deprecation of non-web pre-authentication classes and other unnecessary classes. Removal of reflection in WebAuthenticationDetailsSource. 2010-08-13 15:51:05 +01:00
Luke Taylor
2222a7be07 Use Integer.valueOf() in preference to new Integer() 2010-08-11 18:17:23 +01:00
Luke Taylor
db6da77a5f SEC-1413: Add RedirectStrategy to AbstractRetryEntryPoint. 2010-08-10 17:39:12 +01:00
Luke Taylor
183333d189 SEC-1430: Forgot to commit changes to new ExceptionMappingAuthenticationFailureHandlerTests. 2010-08-09 17:09:02 +01:00
Luke Taylor
2e98b84494 SEC-1430: internalize session key for SavedRequest. This should be accessed using the RequestCache interface if required. Additional refactoring of related tests which were still in AbstractAuthenticationProcessingFilterTests for historical reasons, but should be in their respective success/failure handler test classes. 2010-08-08 17:49:06 +01:00
Luke Taylor
a2bd1bc9af SEC-1498: Allow use of absolute URL fopr login form in LoginUrlAuthenticationEntryPoint. 2010-08-05 21:09:34 +01:00
Luke Taylor
63734cfcf9 SEC-1528: Remove logic which checks if context in the session is the same as the current context to make sure that session.setAttribute() is called when the value in the session has been modified directly. 2010-08-02 22:41:57 +01:00
Luke Taylor
8df356de29 SEC-1471: Allow use of a RequestMatcher with HttpSessionRequestCache to configure which requests should be cached by calls to saveRequest. 
Also removed the justUseSavedRequestOnGet property, as this behaviour can be controlled by the RequestMatcher.
 2010-06-28 19:51:30 +01:00
Luke Taylor
026517f674 Removal of deprecated methods and classes. 2010-06-26 16:23:42 +01:00
Luke Taylor
ea8d37892c SEC-1496: Added support for use of any non-standard URL schemes in DefaultRedirectStrategy. 2010-06-18 03:33:49 +01:00
Luke Taylor
4d10d4b67f SEC-1500: Convert AbstractRetryEntryPoint to use requestURI to correctly encode URLs. 2010-06-18 01:34:07 +01:00
Luke Taylor
024e6904ff SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager. 2010-04-25 04:27:09 +01:00
Luke Taylor
74896f217b SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>. 2010-04-20 23:47:47 +01:00
Luke Taylor
0521d10069 SEC-1294: Enable access to beans from ApplicationContext in EL expressions. 
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
 2010-04-01 01:24:23 +01:00
Luke Taylor
2e2625873c SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager). 
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
 2010-03-23 00:45:06 +00:00
Luke Taylor
89d8c8cc83 Additional test classes for authentication and logout success/failure handling. 2010-03-04 23:18:46 +00:00
Luke Taylor
530ab3ae30 SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect. 2010-03-04 21:21:07 +00:00
Luke Taylor
93438defff SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy. 
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
 2010-03-01 01:21:06 +00:00
Luke Taylor
cb0f3f677f SEC-1425: Add check for empty cookie in AbstractRememberMeServices. 
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
 2010-02-28 14:08:27 +00:00
Luke Taylor
e2f9be9015 SEC-1307: Modify context saving logic in HttpSessionSecurityContextRepository to check the SecurityContext and its contents (the Authentication) against the respective values when the request first arrived at the SecurityContextPersistenceFilter. As explained in the issue, this allows a definite decision to be made about whether the current thread has modified the context information during the request, indicating that it should be saved. 
Also removed deprecated HttpSessionContextIntegrationFilter and tests.
 2010-02-26 16:01:40 +00:00
Luke Taylor
14ae36ac3b SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header. 
The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
 2010-02-18 00:32:49 +00:00
Luke Taylor
bd635edc31 SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones. 
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
 2010-02-15 22:46:18 +00:00
Luke Taylor
c1133d1ef3 Removed unused import in DelegatingAuthenticationEntryPoint and corrected test class name. 2010-02-14 23:31:31 +00:00
Luke Taylor
1e4f451352 Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources 2010-02-11 18:08:06 +00:00
Mike Wiesner
90d6ff1fde SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-11 13:19:16 +01:00
Mike Wiesner
d32b078a8c SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-11 09:05:28 +01:00
Mike Wiesner
d2413cf237 SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-10 21:25:23 +01:00
Luke Taylor
04447bdbf0 SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs). 2010-01-22 01:55:13 +00:00
Luke Taylor
0c10efbbf8 Revert SEC-1356. 
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
 2010-01-19 22:26:21 +00:00
Luke Taylor
f62d97b092 SEC-1356: Fix broken tests. 
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
 2010-01-12 01:32:02 +00:00
Luke Taylor
e211f9b35f SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL. 
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.

Enabled remember-me in the OpenID sample.
 2010-01-09 01:04:13 +00:00
Luke Taylor
052537c8b0 Removing $Id$ markers and stripping trailing whitespace from the codebase. 2010-01-08 21:05:13 +00:00
Luke Taylor
c6b8fe5e55 SEC-1346: Added missing 'return' statements after redirects. 
ConcurrentSessionFilter and SessionManagementFilter now return immediately after redirecting to the expired URL and invalid session URLs respectively. Extra tests added to check.
 2010-01-03 19:06:58 +00:00
Luke Taylor
893f212fa5 Tidying 2010-01-02 19:53:19 +00:00
Luke Taylor
76731254c0 SEC-1328: Fixed issue with redirect to context relative URLs where the context name is part of the domain name. 2009-12-18 18:04:03 +00:00
Luke Taylor
6805761d85 Extra test to confirm http-method specific matching behaviour. 2009-12-14 13:55:48 +00:00
Luke Taylor
cad32ffe39 SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. removed unnecessary null checks in classes which use the interface. 2009-12-13 17:37:24 +00:00
Luke Taylor
444d93b13f SEC-1316: Remove 'removeAfterRequest' property from AnonymousAuthenticationFilter 2009-12-07 13:54:39 +00:00
Luke Taylor
b27d7afd24 SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation. 2009-12-06 15:28:03 +00:00