Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-04-24 09:50:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
5,293 Commits 50 Branches 379 Tags
Commit Graph

168 Commits

Author SHA1 Message Date
Rob Winch
36fe0d0357 SEC-2845: SecurityContextChannelInterceptor support anonymous 2015-02-18 10:00:22 -06:00
Rob Winch
9b5f76f3d6 SEC-2833: Rossen's feedback on WebSocket 2015-02-04 10:43:12 -06:00
Rob Winch
6627f76df7 SEC-2758: Make ROLE_ consistent 2015-01-29 17:08:43 -06:00
Rob Winch
414f98bee0 SEC-2827: Clean up MessageMatcher Ambiguities 2015-01-23 17:29:54 -06:00
Rob Winch
1677836d53 SEC-2790: Deprecate @EnableWebMvcConfig 2014-12-10 21:10:27 -06:00
Rob Winch
3171cc4364 SEC-2788: Add @Configuration as meta annotation to @Enable* annotations 2014-12-10 21:10:15 -06:00
Rob Winch
c67ff42b8a SEC-2783: XML Configuration Defaults Should Match JavaConfig 
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
 2014-12-08 15:09:15 -06:00
Rob Winch
6e204fff72 SEC-2781: Remove deprecations 2014-12-04 15:28:40 -06:00
Rob Winch
8ad16b01f5 SEC-2702: Add WebSocket Security XML Namespace Support 2014-11-25 09:45:32 -06:00
Rob Winch
3c487c0348 SEC-2348: Update doc headers enabled by default with XML 2014-11-21 21:55:03 -06:00
Rob Winch
eedbf44235 SEC-2348: Security HTTP Response Headers enabled by default w/ XML 2014-11-21 16:06:29 -06:00
Rob Winch
28446284a6 SEC-2713: Support authorization by SimpMessageType 2014-09-19 16:38:56 -05:00
Rob Winch
b9df7ba01f SEC-2179: Allow customize PathMatcher for SimpDestinationMessageMatcher 2014-08-18 11:04:04 -05:00
Rob Winch
3f30529039 SEC-2179: Add Spring Security Messaging Support 2014-08-15 20:46:58 -05:00
Rob Winch
4cdeacc277 SEC-2499: Allow MethodSecurityExpressionHandler in parent context 
Previously a NoSuchBeanDefintionException was thrown when the
MethodSecurityExpressionHandler was defined in the parent context. This
happened due to trying to work around ordering issues related to SEC-2136

This commit resolves this by not marking the
MethodSecurityExpressionHandler bean as lazy unless it exists.
 2014-03-06 21:14:35 -06:00
Rob Winch
994117ad75 SEC-2436: Fix CsrfConfigurerNoWebMvcTests 2013-12-14 14:48:47 -06:00
Rob Winch
2df5541905 SEC-2448: Update to HSQL 2.3.1 2013-12-14 10:19:06 -06:00
Rob Winch
348e3a22b6 SEC-2365: registerAuthentication->configure 2013-10-16 13:59:56 -05:00
Rob Winch
51171efa7a SEC-2357: Move *RequestMatcher to .matcher package 2013-10-14 11:55:56 -05:00
Rob Winch
14b9050616 SEC-2357: Move *RequestMatchers to .matchers package 2013-10-14 10:36:31 -05:00
Rob Winch
cea0cf9260 SEC-2243: Remove additional Debug Filter 2013-09-26 11:38:16 -05:00
Rob Winch
be8aad8306 SEC-2196: Demonstrate Method Security works on Generic methods 2013-09-13 16:20:43 -07:00
Rob Winch
48283ec004 SEC-2276: Delay saving CsrfToken until token is accessed 
This also removed the CsrfToken from the response headers to prevent the
token from being saved. If user's wish to return the CsrfToken in the
response headers, they should use the CsrfToken found on the request.
 2013-08-24 23:31:01 -05:00
Rob Winch
e9bb9e766e SEC-1574: Add CSRF Support 2013-08-15 14:49:21 -05:00
Rob Winch
797df51264 SEC-2135: Support HttpServletRequest#changeSessionId() 2013-08-15 13:59:16 -05:00
Marten Deinum
0adf5aea91 SEC-2098, SEC-2099: Created HeadersFilter 
Created HeadersFilter for setting security headers added including a
bean definition parser for easy configuration of the headers. Enables
easy configuration for the X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options headers. Also allows for additional headers to
be added.
 2013-07-25 16:22:43 -05:00
Luke Taylor
ebba8ac514 SEC-2122: Update namespace to support bcrypt. 
password-encoder now supports hash='bcrypt'.
 2013-05-17 19:17:18 +01:00
Rob Winch
f594ed76db SEC-2087: GlobalMethodSecurityBeanDefinitionParser uses AuthenticationManager to create AuthenticationManagerDelegator 2013-04-25 08:56:46 -05:00
Rob Winch
e8661913d1 SEC-2119: Update to 3.2 schema and use default schema version when available 2013-03-01 16:29:27 -06:00
Rob Winch
914ec45e43 SEC-2136: Lazy load MethodSecurityExpressionHandler & MethodSecurityExpressionHandler.expressionParser 
Previously wiring dependencies created with a FactoryBean into
MethodSecurityExpressionHandler &
MethodSecurityExpressionHandler.expressionParser and  would cause
NoSuchBeanDefinitionException's to occur. These changes make it easier
(but not impossible) to avoid such errors.

The following changes were made:

    - ExpressionBasedAnnotationAttributeFactory delays the invocation of
      MethodSecurityExpressionHandler.getExpressionParser()
    - MethodSecurityExpressionHandler is automatically wrapped in a
      LazyInitTargetSource and marked as lazyInit=true
 2013-02-28 10:26:12 -06:00
Rob Winch
42b72bcbc4 SEC-1980: Prevent parser warning when URL's in configuration start with # 
Previously a warning would be logged to the parser when a URL was
configured with a SpEL expression. These changes prevent warnings from
being logged when using SpEL for URL configuration.
 2012-07-10 14:24:42 -05:00
Rob Winch
254333ce82 SEC-1957: DefaultFilterChainValidator no longer casts to DefaultFilterInvocationSecurityMetadataSource 2012-04-29 15:59:24 -05:00
Rob Winch
488efbc97e SEC-1901: Changed DebugFilter to no longer extend OncePerRequesetFilter so that the FilterChainProxy is invoked on forwards 2012-03-17 11:16:21 -05:00
Rob Winch
2d556c7b4f SEC-1885: Change SecurityDebugBeanFactoryPostProcessor to only interact with BeanDefinitions rather than instances to prevent premature instatiation of FilterChainProxy and its dependencies 
This issue occurred because the AutowiredAnnotationBeanPostProcessor had not been registered when the SecurityDebugBeanFactoryPostProcessor tried to obtain the FilterChainProxy. This caused
all of the FilterChainProxy's dependant beans to be resolved and if they used @Autowired they would not get processed properly.
 2012-01-07 13:52:50 -06:00
Rob Winch
ea56a98883 SEC-1868: Remove error level logs from SecurityNamespaceHandler when the web classes are not available and not required 
To get the detailed errors the FilterChainProxy is loaded again in reportMissingWebClasses
and included in the readerContext fatal log.
 2011-12-30 10:51:17 -06:00
Rob Winch
aabb16912f SEC-1878: DefaultFilterChainValidator properly handles AccessDecisionManager throwing exceptions other than AccessDeniedException 2011-12-28 16:43:19 -06:00
Luke Taylor
2f67bb3032 SEC-1847: Add authentication-manager-ref attribute to http and global-method-security namespace elements. 2011-10-30 21:51:02 +00:00
Luke Taylor
f92589f051 Extract a SecurityFilterChain interface and create a default implementation to facilitate other configuration options. 2011-07-06 00:12:48 +01:00
Luke Taylor
5d20f57fa8 Import cleaning. 2011-07-02 20:36:42 +01:00
Rob Winch
85807fdfd0 Removed @Overrides from method that implements interface instead of overriding superclass to resolve Java 1.5 error 2011-06-21 07:22:35 -05:00
Luke Taylor
5a1ddc660b SEC-1768: Added tests to reproduce "double-proxying" issue combining intercept-methods and tx-annotation-driven. Problem is caused by use of ProxyFactoryBean with auto-proxying. 2011-06-18 14:32:31 +01:00
Luke Taylor
04dc65c8fe SEC-1657: Corresponding namespace updates to use SecurityFilterChain list in place of filterChainMap. 2011-04-25 13:48:47 +01:00
Luke Taylor
8d99918798 SEC-1491: Add support for an external priority SecurityMetadataSource to be referenced from global-method-security. 2011-04-05 15:07:43 +01:00
Luke Taylor
27be72a81c SEC-1677: Split out LDAP server tests from config module. 2011-02-14 19:01:27 +00:00
Luke Taylor
4a40d80da1 SEC-1418: Deprecate GrantedAuthorityImpl in favour of final SimpleGrantedAuthority. 
It should be noted that equality checks or lookups with Strings or other authority types will now fail where they would have succeeded before.
 2010-12-03 16:41:46 +00:00
Luke Taylor
b9a98613eb SEC-1593: Added tests to try to reproduce issue. 2010-11-03 19:37:25 +00:00
Luke Taylor
f70942c6f5 SEC-1589: Add support for property placeholder in intercept-methods access attribute. 2010-10-27 13:25:39 +01:00
Luke Taylor
7d97adc687 SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/". 2010-10-27 13:25:39 +01:00
Luke Taylor
383211561c Moved LDAP placeholder config test into LDAP tests to prevent issues with parallel tests. Converted LdapProviderBDP tests to groovy/spock. Other misc tidying of config tests. 2010-09-16 12:31:23 +01:00
Luke Taylor
0217e98bdb Added an AppListener to collect events for use in tests 2010-09-13 14:20:21 +01:00