Previously Spring Security would disable automatically saving the
SecurityContext when the Thread was different than the Thread that
created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for
many cases, but could cause issues when a timeout occurred. The problem
is that a Thread can be reused to process the timeout since the Threads
are pooled. This means that a timeout of a request trigger an apparent
logout as described in the following workflow:
- The SecurityContext was established on the SecurityContextHolder
- An Async request was made
- The SecurityContextHolder would be cleared out
- The Async request times out
- The Async request would be dispatched back to the container upon
timing out. If the container reused the same Thread to process the
timeout as the original request, Spring Security would attempt to
save the SecurityContext when the response was committed. Since the
SecurityContextHolder was still cleared out it removes the
SecurityContext from the HttpSession
Spring Security will now prevent the SecurityContext from automatically
being saved when the response is committed as soon as
HttpServletRequest#startAsync() or
ServletRequest#startAsync(ServletRequest,ServletResponse) is called.
Both overloads of
AbstractAuthenticationProcessingFilter.successfulAuthentication()
claimed to invoke SessionAuthenticationStrategy, which is not true, as
the invokation happens earlier in doFilter(). The Javadoc on these
methods are updated to reflect the actual code.
Previously DummyRequest implemented HttpServletRequest which caused complications
since Servlet 2.5 and Servlet 3 had non passive changes. While we were "safe" if the
Servlet 3 methods were never invoked reflective access of the methods would also
problems. We could prevent users from accessing the methods of DummyRequest by
returning new HttpServletRequestWrapper(DummyRequest), but a debugger could
potentially try to iterate over the methods triggering a NoClassDefFoundError.
DummyRequest now extends HttpServletRequestWrapper which will be dynamically
linked to the proper version of HttpServletRequest. We use a Dynamic Proxy that
throws UnsupportedOperationException to implement any methods we are not
interested in.
Previously SecurityContextCallableProcessingInterceptor used afterCompletion
to clear the SecurityContextHolder. This does not work since afterCompletion
is invoked on the Servlet Container thread.
Now SecurityContextCallableProcessingInterceptor clears the
SecurityContextHolder on postProcess which is invoked on the same thread
that the Callable is processed on.
Previously, if the Principal returned by getPreAuthenticatedPrincipal was not a String,
it prevented requiresAuthentication from detecting when the Principal was the same.
This caused the need to authenticate the user for every request even when the Principal
did not change.
Now requiresAuthentication will check to see if the result of
getPreAuthenticatedPrincipal is equal to the current Authentication.getPrincipal().
Previously a NullPointerException would occur if an HttpServletRequest.getMethod()
returned null.
Now AntPathRequestMatcher and RegexpRequestMatcher will handle if the
HttpServletRequest.getMethod() returns null. While under normal circumstances,
it is unlikely for the method to be null this can occur when using
DefaultWebInvocationPrivilegeEvaluator.isAllowed(String, Authentication).
Previously SaveContextOnUpdateOrErrorResponseWrapper would save the SecurityContext on a different
Threads than the one it was created on. This causes issues with Async Web requests which may write
to the response on a new Thread.
Now SaveContextOnUpdateOrErrorResponseWrapper will not save the SecurityContext when a different
Thread invokes any of the methods that commit the response. This prevents issues with Async
processing. However, explicit calls to SecurityContextRepository.save will still save the
SecurityContext since it invokes the saveRequest method rather than private doSave method within
the SaveContextOnUpdateOrErrorResponseWrapper which contains the logic to prevent saving from
another Thread.
Previously the SwitchUserFilter was logging as an error and then
throwing an Exception immediately after. This is not correct, since
whomever is catching the Exception should choose to log an error or not.
Now the log statement is at a debug level.
Previously there was a race condition could occur when the user attempts to access
a slow resource and then logs out which would result in the user not being logged
out.
SecurityContextLogoutHandler will now remove the Authentication from the
SecurityContext to protect against this scenario.
Previously Spring Security did not save the Security Context immediately prior
to the following methods being invoked:
- HttpServletResonse.flushBuffer()
- HttpServletResonse.getWriter().close()
- HttpServletResonse.getWriter().flush()
- HttpServletRespose.getOutputStream().close()
- HttpServletRespose.getOutputStream().flush()
This meant that the client could get a response prior to the SecurityContext
being stored. After the client got the response, it would make another request
and this would not yet be authenticated. The reason this can occur is because
all of the above methods commit the response, which means that the server can
signal to the client the response is completed. A similar issue happened in
SEC-398.
Now the previously listed methods are wrapped in order to ensure the SecurityContext
is persisted prior to the response being committed.
When SEC-1950 was introduced it caused problems when a <filter-mapping> was mapped
to multiple dispatchers (i.e. REQUEST and FORWARD) since when the second dispatcher
completed execution it cleared the SecurityContext and the original FilterChain
would then save the cleared out SecurityContext.
We now use a pattern similar to the OncePerRequestFilter to only invoke
SecurityContextHolder.clearContext() on the first invocation of the Filter. We do not simply extend
OncePerRequestFilter because we want to invoke the delegate filters for every request.
Previously communication errors with LDAP were only logged at debug level.
Communication errors (along with other non-authenticated related NamingExceptions)
are now logged as error messages. We created an InternalAuthetnicationServiceException
to represent errors that should be logged as errors to distinguish between internal
and external authentication failures. For example, we do not want an OpenID Provider
being able to report errors that cause our logs to fill up. However, an LDAP system is
internal and should be trusted so logging at an error level makes sense.
Previously subclasses of AbstractSecurityInterceptor did not restore the original
Authentication when RunAsManager was used and an Exception was thrown in the
original method.
AbstractSecurityInterceptor has added a new method finallyInvocation which
should be invoked in a finally block immediately after the original invocation
which will restore the original Authentication. All existing sub classes have
been updated to use this new method.
Previously the documentation was referring to what ConcurrentSessionControlStrategy
performed.
Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication
method.
Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).
Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
Previously JdbcTokenRepositoryImpl would log an error with a misleading
message when the token series was missing.
Now JdbcTokenRepositoryImpl logs missing token series at info level with
a more informative message.
There were two issues that needed resolved
- Since DefaultWebSecurityExpressionHandler no longer implemented WebSecurityExpressionHandler a bean lookup by
type would not work. This caused failures in the JSF support.
- The method createEvaluationContext needed to be explicitly defined on WebSecurityExpressionHandler since the
parameterized type from the super interface is not preserved at compile time. Without explicitly defining the
method any class compiled against a previous version would cause a NoSuchMethodException.
This fixes two issues introduced by SEC-1229
* SessionRegistry.registerNewSession is invoked twice
* SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should be handle removing the session twice. However, as removing
twice requires an unnecessary database hit we should only remove
sessions once.
This should cater for implementations which want to use
the full filtering capabilities while creating a custom
expression root object.
Also cleaning whitespace.
NOTE: The Groovy code that automated most of this is attached to SEC-1545
A mapping of Missing Key to the file that the key is found are as follows:
----------../core/src/main/resources/org/springframework/security/messages_cs_CZ.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_de.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_it.properties----------
JdbcDaoImpl.noAuthority=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
JdbcDaoImpl.notFound=[../core/src/main/java/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.java]
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_ko_KR.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pl.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pt_BR.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_pt_PT.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_uk_UA.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
----------../core/src/main/resources/org/springframework/security/messages_zh_CN.properties----------
PersistentTokenBasedRememberMeServices.cookieStolen=[../web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java]
How unknown keys were gussed by existing keys
----------../core/src/main/resources/org/springframework/security/messages_cs_CZ.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using SwitchUserProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_de.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using SwitchUserProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_es_ES.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_fr.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_it.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using SwitchUserProcessingFilter.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using AbstractUserDetailsAuthenticationProvider.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_ko_KR.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_pl.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_pt_BR.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_pt_PT.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_uk_UA.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
----------../core/src/main/resources/org/springframework/security/messages_zh_CN.properties----------
AccountStatusUserDetailsChecker.credentialsExpired was guessed using UserDetailsService.credentialsExpired
AccountStatusUserDetailsChecker.disabled was guessed using UserDetailsService.disabled
AccountStatusUserDetailsChecker.expired was guessed using SwitchUserProcessingFilter.expired
AccountStatusUserDetailsChecker.locked was guessed using AbstractUserDetailsAuthenticationProvider.locked
AclEntryAfterInvocationProvider.noPermission was guessed using BasicAclEntryAfterInvocationProvider.noPermission
BindAuthenticator.emptyPassword was guessed using LdapAuthenticationProvider.emptyPassword
ConcurrentSessionControlStrategy.exceededAllowed was guessed using ConcurrentSessionControllerImpl.exceededAllowed
DigestAuthenticationFilter.incorrectRealm was guessed using DigestProcessingFilter.incorrectRealm
DigestAuthenticationFilter.incorrectResponse was guessed using DigestProcessingFilter.incorrectResponse
DigestAuthenticationFilter.missingAuth was guessed using DigestProcessingFilter.missingAuth
DigestAuthenticationFilter.missingMandatory was guessed using DigestProcessingFilter.missingMandatory
DigestAuthenticationFilter.nonceCompromised was guessed using DigestProcessingFilter.nonceCompromised
DigestAuthenticationFilter.nonceEncoding was guessed using DigestProcessingFilter.nonceEncoding
DigestAuthenticationFilter.nonceExpired was guessed using DigestProcessingFilter.nonceExpired
DigestAuthenticationFilter.nonceNotNumeric was guessed using DigestProcessingFilter.nonceNotNumeric
DigestAuthenticationFilter.nonceNotTwoTokens was guessed using DigestProcessingFilter.nonceNotTwoTokens
DigestAuthenticationFilter.usernameNotFound was guessed using DigestProcessingFilter.usernameNotFound
LdapAuthenticationProvider.badCredentials was guessed using PasswordComparisonAuthenticator.badCredentials
LdapAuthenticationProvider.onlySupports was guessed using AbstractUserDetailsAuthenticationProvider.onlySupports
SubjectDnX509PrincipalExtractor.noMatching was guessed using DaoX509AuthoritiesPopulator.noMatching
SwitchUserFilter.noCurrentUser was guessed using SwitchUserProcessingFilter.noCurrentUser
SwitchUserFilter.noOriginalAuthentication was guessed using SwitchUserProcessingFilter.noOriginalAuthentication
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.
Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
Rob Winch
Balazs Zagyvai
mpigg
Rob Winch
Tristan Burch
Luke Taylor
Andrei Stefan
Rob Winch
Rossen Stoyanchev