Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,929 Commits 30 Branches 330 Tags 114 MiB
Commit Graph

4929 Commits

Author SHA1 Message Date
Rob Winch 3e95f1c12e SEC-2282: Polish CSRF Documentation 2013-09-27 16:41:06 -05:00
Rob Winch ee33a6deeb SEC-2285: Headers doc explicitly state default headers 2013-09-27 16:29:10 -05:00
Rob Winch 17efd25717 SEC-2331: Include Expires: 0 in security headers documentation 2013-09-27 16:13:40 -05:00
Rob Winch 06a0ec1a9f SEC-2285: Polish Security Headers Documentation 
Explain why (passivity) XML Namespace doesn't enable security headers by
default.
 2013-09-27 16:13:18 -05:00
Rob Winch 9bb283044f SEC-2282: Polish CSRF Documentation 
Explain why (passivity) XML Namespace doesn't enable csrf protection by
default.
 2013-09-27 16:06:25 -05:00
Rob Winch 614c94187e SEC-2305: GlobalMethodSecurityConfiguration autowire PermissionEvaluator 
If a single PermissionEvaluator bean is found the
DefaultMethodSecurityExpressionHandler is configured with the
PermissionEvaluator. If multiple PermissionEvaluator beans are found, the
beans are ignored.
 2013-09-27 15:46:45 -05:00
Rob Winch e696890e8e SEC-2151: Fix spring4Test 2013-09-27 12:36:43 -05:00
Rob Winch 61e6acb3f4 SEC-2151: AnnotationParameterNameDiscoverer support single annotated param 
This makes sense since often times only a single argument is necessary in
the expression.
 2013-09-27 11:53:39 -05:00
Rob Winch e5f034bdef SEC-2151: Fix tests 2013-09-27 11:52:32 -05:00
Rob Winch a09756745f SEC-2151: Support binding method arguments with Annotations 
This allow utilizing method arguments for method access control on
interfaces prior to JDK 8.
 2013-09-27 11:18:37 -05:00
Rob Winch fb0a8d19e8 SEC-2322: Support StandardReflectionParameterNameDiscoverer 2013-09-26 15:55:11 -05:00
Rob Winch cea0cf9260 SEC-2243: Remove additional Debug Filter 2013-09-26 11:38:16 -05:00
Rob Winch 56ce7d284c SEC-2336: WebSecurityConfigurerAdapter#registerAuthentication javadoc fixes 2013-09-26 09:08:25 -05:00
Rob Winch 1f3b812a66 SEC-2282: Polish CSRF Documentation 2013-09-26 08:58:39 -05:00
Rob Winch ef7cc40389 SEC-2282: Polish CSRF Documentation 2013-09-25 17:30:50 -05:00
Rob Winch d16106ef56 SEC-2309: Document CSRF multipart/form-data 2013-09-25 15:14:32 -05:00
Rob Winch b591881e95 SEC-2302: Provide beforeSpringSecurityFilterChain hook 
This allows inserting filters before the springSecurityFilterChain.
 2013-09-25 14:52:40 -05:00
Rob Winch 88f41cdf62 SEC-2341: Update to Gradle 1.8 
Some dependencies were necessary to update due to issues with JUnit
integration.
 2013-09-24 15:35:51 -05:00
Rob Winch a888ddf8b3 SEC-2307: JavaConfig RequestCache ignores favicon.ico 2013-09-24 11:30:37 -05:00
Rob Winch ddc0ef7ab3 SEC-2339: Added Logical (Or, And, Negated) RequestMatchers 2013-09-23 20:55:49 -05:00
Rob Winch 28fb6ba14b SEC-2328: Add hasAnyRole to ExpressionUrlAuthorizationConfiguration 2013-09-23 10:51:08 -05:00
Rob Winch b16c17f70b SEC-2301: Remove invalid import 2013-09-20 16:09:23 -05:00
Rob Winch a3d112979f SEC-2301: GlobalMethodSecurityConfiguration sets DefaultWebSecurityExpressionHandler BeanResolver 2013-09-20 15:53:58 -05:00
Rob Winch f294480e6b SEC-2329: JC @Autowire(required=false) AuthenticationTrustResolver 
Java Configuration now allows optional @Autowire of
AuthenticationTrustResolver. In the WebSecurityConfigurerAdapter this is
done by populating AuthenticationTrustResolver as a sharedObject.
 2013-09-20 15:28:50 -05:00
Rob Winch 788ba9a1fa SEC-2329: Allow injecting of AuthenticationTrustResolver 2013-09-20 15:26:52 -05:00
Rob Winch 7537dfc33a SEC-2304: rm duplicate MethodExpressionHandler from GlobalMethodSecurityConfiguration 2013-09-20 15:13:02 -05:00
Rob Winch 5082a04626 SEC-2311: LogoutConfigurer allows other HTTP methods if CSRF is disabled 2013-09-19 16:05:26 -05:00
Rob Winch 9133c33f1d SEC-2246: HttpSessionRequestCache.getRequest casts to RequestCache 
The method getRequest use to cast to DefaultRequestCache, but this
is not necessary.

Now the cast is to SavedRequest.
 2013-09-19 15:08:32 -05:00
Rob Winch 8f8c6169e8 SEC-2331: Cache Control now includes Expires: 0 2013-09-19 14:06:37 -05:00
Rob Winch c5c1419521 SEC-2332: GlobalMethodSecurityConfiguration includes proper voters 
Previously GlobalMethodSecurityConfiguration did not include the correct
voters. This updates the code and the tests to ensure that the proper
voters are added. Note this got past testing previously due to all the
voters abstaining, so tests were added for ensuring that methods could also
be invoked sucessfully using the configured annotation.
 2013-09-18 18:27:12 -05:00
Rob Winch d33b9e2854 SEC-2324: Update Spring Security tld version 2013-09-18 17:40:00 -05:00
Rob Winch c156716be8 Ensure single version of org.slf4j 2013-09-18 16:13:03 -05:00
Rob Winch 0114b457c0 SEC-2330: CacheControlHeadersWriter use a single header 2013-09-18 16:12:34 -05:00
Rob Winch 05a7c58daa SEC-2228: Change openid4j to optional in template.mf 2013-09-13 22:06:42 -07:00
Rob Winch e5804d323b SEC-2256: Fix intercept-url doc precidence statement 
Previously the documentation incorrectly stated "If a request matches
multiple patterns, the method-specific match will take precedence
regardless of ordering."

This has now been removed and InterceptUrlConfigTests was added previously
to ensure this was true.
 2013-09-13 22:02:52 -07:00
Rob Winch be8aad8306 SEC-2196: Demonstrate Method Security works on Generic methods 2013-09-13 16:20:43 -07:00
Rob Winch d9c9cd7f84 Remove warnings from defaultSpringSecurityContextSource 2013-09-13 15:54:21 -07:00
Rob Winch b4cbcee7f0 SEC-2308: DefaultSpringSecurityContextSource allow empty baseUrl 2013-09-13 15:53:35 -07:00
Rob Winch f6587c8697 SEC-2312: Update javadoc link to Spring 3.2.x 2013-09-13 15:34:30 -07:00
Rob Winch 32e9239fd2 SEC-2320: AuthenticationPrincipal can be null on invalid type 
Previously a ClassCastException was thrown if the type was invalid. Now
a flag exists on AuthenticationPrincipal which indicates if a
ClassCastException should be thrown or not with the default being no error.
 2013-09-13 15:21:13 -07:00
Rob Winch b22acd0768 SEC-2314: AbstractSecurityWebApplicationInitializer.getSessionTrackingModes() uses EnumSet 2013-09-13 14:44:44 -07:00
Rob Winch 53a0db6be1 SEC-2313: Gradle javadoc hotfix 2013-09-11 15:30:50 -07:00
Rob Winch 662bb24370 SEC-1937: Added test to demonstrate SEC-1937 was invalid 2013-09-11 15:10:42 -07:00
Rob Winch 3c82e63ded Formatting cleanup 2013-09-11 15:10:20 -07:00
Rob Winch 8e74407381 SEC-2296: HttpServletRequest.login should throw ServletException if already authenticated 
See throws documentation at
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login%28java.lang.String,%20java.lang.String%29
 2013-08-31 11:55:24 -05:00
Rob Winch e8ac11641b SEC-2297: Add DispatchType.ASYNC as default for AbstractSecurityWebApplicationInitializer 2013-08-31 11:39:57 -05:00
Rob Winch 7203faf34f SEC-2300: Update Spring LDAP version to 1.3.2.RELEASE 2013-08-31 11:26:43 -05:00
Rob Winch 3d2f23602f SEC-2294: Update Spring Version to 3.2.4.RELEASE 2013-08-31 11:26:43 -05:00
Rob Winch 43f4d01cf3 SEC-2292: Add test to assert CSRF bypass of methods is case sensitive 
HTTP methods should be case sensitive, so add test to ensure that this is
the case http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
 2013-08-31 10:40:49 -05:00
Rob Winch 6e9fb7930b SEC-2298: Add AuthenticationPrincipalArgumentResolver 2013-08-30 17:06:40 -05:00