Rob Winch
0bfbd2923a
SEC-2915: Fix default login page tests with tabs
2015-04-17 12:13:44 -05:00
Rob Winch
ae6af5d73c
SEC-2915: Updated Java Code Formatting
2015-03-25 13:09:18 -05:00
Rob Winch
b85ad33aef
SEC-2888: Polish
2015-03-13 16:10:39 -05:00
Pascal Gehl
85955015f7
SEC-2888 AntPathRequestMatcher ignores variables in pattern when pattern finishes with /**
2015-03-13 16:03:08 -05:00
Rob Winch
e776a1fd35
SEC-2803: Add HttpStatusEntryPoint
2015-03-11 14:45:59 -05:00
Rob Winch
9d0085bb64
SEC-2882: DefaultLoginPageGeneratingFilter match on /login
Previously DefaultLoginPageGeneratingFilter would match on /**/login
which was not ideal since other parts of the application may want to
match on the URL.
Now it matches on /login.
2015-03-10 11:52:26 -05:00
Rob Winch
217152c8fd
Polish Http403ForbiddenEntryPoint whitespace
2015-03-10 10:58:58 -05:00
Rob Winch
b04388ad62
SEC-2805: Remove unnecessary cast in Http403ForbiddenEntryPoint
2015-03-10 10:58:21 -05:00
Rob Winch
62d74aef3d
Merge pull request #103 from bcecchinato/fix-logs
Trivial logging fix in saveContext method in HttpSessionSecurityContextRepository
2015-02-25 00:02:44 -06:00
Michael Cramer
8c0b16820b
SEC-2879: JdbcTokenRepositoryImpl updateToken should use lastUsed arg
2015-02-24 23:18:38 -06:00
Marcin Mielnicki
9ea7372405
SEC-2878: Clean imports in UsernamePasswordAuthenticationFilter
2015-02-24 22:53:44 -06:00
Rob Winch
5f57e5b0c3
SEC-2873: Remember Me XML Configuration Defaults Should Match Java Config
2015-02-24 20:49:56 -06:00
Rob Winch
76d9ef4ec3
SEC-2872: CsrfAuthenticationStrategy Delay Saving CsrfToken
2015-02-24 17:30:57 -06:00
Stillglade
310e5bb285
SEC-2832: Update request attributes with new CsrfToken
2015-02-24 17:30:19 -06:00
Rob Winch
d973f5f80c
SEC-2078: AbstractPreAuthenticatedProcessingFilter requiresAuthentication support for non-String Principals
Previously, if the Principal returned by getPreAuthenticatedPrincipal was not a String,
it prevented requiresAuthentication from detecting when the Principal was the same.
This caused the need to authenticate the user for every request even when the Principal
did not change.
Now requiresAuthentication will check to see if the result of
getPreAuthenticatedPrincipal is equal to the current Authentication.getPrincipal().
2015-02-24 16:37:55 -06:00
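The commit above describes a re-authentication loop caused by a principal type without value equality. The following is an added illustration, not Spring Security's filter code: it models the "does this request need authenticating again?" decision with a plain equals() comparison and shows the behaviour with and without an equals()/hashCode() implementation. The class and method names (CertPrincipal, CertPrincipalNoEquals, requiresAuthentication) and the sample subject DNs are assumptions made for the example.

```java
import java.util.Objects;

// Added illustration, not Spring Security's own filter code. It models the
// "does this request need to be authenticated again?" decision and shows why
// a non-String pre-authenticated principal must implement equals()/hashCode().
public class PreAuthenticatedPrincipalCheck {

    // Hypothetical principal WITHOUT equals(): identity semantics, so two
    // objects extracted for the same subject are never equal.
    static final class CertPrincipalNoEquals {
        final String subjectDn;
        CertPrincipalNoEquals(String subjectDn) { this.subjectDn = subjectDn; }
    }

    // Hypothetical principal WITH value equality on the subject DN.
    static final class CertPrincipal {
        final String subjectDn;
        CertPrincipal(String subjectDn) { this.subjectDn = subjectDn; }
        @Override public boolean equals(Object o) {
            return o instanceof CertPrincipal && subjectDn.equals(((CertPrincipal) o).subjectDn);
        }
        @Override public int hashCode() { return Objects.hash(subjectDn); }
    }

    // Simplified decision (assumed for this example): authenticate when there is no
    // current principal, or when the principal extracted from this request is not
    // equal to the one already held for the session.
    static boolean requiresAuthentication(Object currentPrincipal, Object principalFromRequest) {
        if (currentPrincipal == null) {
            return true;
        }
        return !currentPrincipal.equals(principalFromRequest);
    }

    public static void main(String[] args) {
        String dn = "CN=alice,O=Example"; // constructed sample subject

        // Each request extracts a fresh principal object from the certificate or header.
        Object held = new CertPrincipalNoEquals(dn);
        Object fromRequest = new CertPrincipalNoEquals(dn);
        // Identity semantics: the fresh object is never equal, so the user is
        // authenticated again on every request even though the subject is unchanged.
        System.out.println("no equals(): requiresAuthentication = "
                + requiresAuthentication(held, fromRequest));

        Object heldWithEquals = new CertPrincipal(dn);
        Object fromRequestWithEquals = new CertPrincipal(dn);
        // Value semantics: same subject DN compares equal, so no re-authentication.
        System.out.println("with equals(): requiresAuthentication = "
                + requiresAuthentication(heldWithEquals, fromRequestWithEquals));

        // A different subject arriving on the same session must still be authenticated.
        System.out.println("subject changed: requiresAuthentication = "
                + requiresAuthentication(heldWithEquals, new CertPrincipal("CN=mallory,O=Example")));
    }
}
```

The practical check when writing a custom principal for a pre-authentication filter is the last case: equality must be based on the identity-bearing field (here the subject DN) and nothing else, so that an unchanged subject is not re-authenticated on every request while a changed subject still is.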
Rob Winch
6a8475adbb
SEC-2830: Provide Same Origin support for SockJS
2015-02-18 11:21:02 -06:00
Rob Winch
a27c33754c
SEC-2859: Add CsrfTokenArgumentResolver
2015-02-18 10:51:30 -06:00
Rob Winch
1a35292750
SEC-2791: AbstractRememberMeServices sets the version
If the maxAge < 1 then the version must be 1 otherwise browsers ignore
the value.
2015-02-04 15:57:45 -06:00
Rob Winch
1a00c397a4
SEC-2835: Polish
2015-02-04 15:50:24 -06:00
Rob Winch
07c54e5d0e
SEC-2831: Regex/AntPath RequestMatcher handle invalid HTTP method
2015-02-04 11:57:46 -06:00
Kazuki Shimizu
31234ecef9
SEC-2835: Add DelegatingAuthenticationFailureHandler
Add the DelegatingAuthenticationFailureHandler class to support
mapping each exception to an AuthenticationFailureHandler. This class gives
more powerful options to customize default behavior for users.
2015-02-04 10:49:13 -06:00
Kazuki Shimizu
1d0eee1d0b
SEC-2840: Modify typo in DelegatingAccessDeniedHandler
2015-02-04 10:49:41 +09:00
Rob Winch
6627f76df7
SEC-2758: Make ROLE_ consistent
2015-01-29 17:08:43 -06:00
Rob Winch
c67ff42b8a
SEC-2783: XML Configuration Defaults Should Match JavaConfig
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
2014-12-08 15:09:15 -06:00
Rob Winch
6e204fff72
SEC-2781: Remove deprecations
2014-12-04 15:28:40 -06:00
Rob Winch
eedbf44235
SEC-2348: Security HTTP Response Headers enabled by default w/ XML
2014-11-21 16:06:29 -06:00
Rob Winch
e2f7b38b87
SEC-2054: BasicAuthenticationFilter not invoked on ERROR dispatch
2014-11-21 10:47:45 -06:00
Rob Winch
fa9e7999da
SEC-2569: SavedRequestAwareWrapper no longer overrides getCookies()
Previously SavedRequestAwareWrapper overrode the getCookies() method. This
meant that the cookies from the original request were used instead of the
new request. In general, this does not make sense since cookies are
automatically submitted in every request by a client. Additionally, this
caused problems with using a locale cookie that was specified after the
secured page was requested.
Now SavedRequestAwareWrapper uses the new incoming request for determining
the cookies.
2014-11-18 13:17:27 -06:00
Rob Winch
5ba8f000a7
SEC-2714: Add AuthenticationPrincipal resolver for messaging support
2014-09-23 16:28:48 -05:00
Rob Winch
e14e5b42fc
SEC-2599: HttpSessionEventPublisher get required ApplicationContext
In order to get better error messages (avoid NullPointerException) the
HttpSessionEventPublisher now gets the required ApplicationContext which
throws an IllegalStateException with a good error message.
2014-07-22 09:19:50 -05:00
Rob Winch
3289c1c92a
SEC-2683: Correct spelling of assignamble in AuthenticationPrincipalResolver Exception
2014-07-18 13:57:13 -05:00
bcecchinato
bb1762d4c3
Adding httpSession in logging for the saveContext method
2014-07-02 13:07:32 +02:00
Rob Winch
2082d3747a
SEC-2578: HttpSessionSecurityContextRepository traverses HttpServletResponseWrapper
2014-05-02 15:06:50 -05:00
Mattias Severson
2b3becf666
SEC-2573: RequestHeaderRequestMatcher constructor argument name has typo
2014-04-23 09:28:00 -05:00
Rob Winch
8baf82532c
SEC-2015: Add spring-security-test
2014-04-22 16:47:48 -05:00
Maciej Zasada
7cf37856c0
SEC-2177: Stripping off all leading schemes
Stripping off all leading schemes in the DefaultRedirectStrategy, so it
will be less vulnerable to open redirect phishing attacks. More info can
be found at SEC-2177 JIRA issue.
2014-03-18 15:45:41 -05:00
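The commit above is the security-relevant one in this range. The following is an added illustration, not DefaultRedirectStrategy's own code: it models a "context relative" redirect calculation (scheme and host removed, context path removed, result made relative to the context) and contrasts stripping only the first scheme separator with stripping everything up to the last one. The context path /app, the URLs, and the method names (relativeStrippingFirstScheme, relativeStrippingAllSchemes, escapesOrigin) are assumptions constructed for the example.

```java
// Added illustration, not Spring Security's DefaultRedirectStrategy code.
// Shows why a context-relative redirect must strip EVERY leading scheme:
// stripping only the first one can let an absolute URL survive into the
// Location header, which is an open redirect.
public class ContextRelativeRedirect {

    /** Vulnerable variant: strips only up to the first "://". */
    static String relativeStrippingFirstScheme(String contextPath, String url) {
        return relativize(contextPath, url, url.indexOf("://"));
    }

    /** Hardened variant: strips up to the last "://", so no scheme can survive. */
    static String relativeStrippingAllSchemes(String contextPath, String url) {
        return relativize(contextPath, url, url.lastIndexOf("://"));
    }

    // Shared context-relative calculation; schemeEnd is the index of the chosen "://".
    private static String relativize(String contextPath, String url, int schemeEnd) {
        if (schemeEnd < 0) {
            return url; // no scheme at all: treated as already relative
        }
        String rest = url.substring(schemeEnd + 3);      // drop "scheme://"
        int slash = rest.indexOf('/');
        rest = slash < 0 ? "/" : rest.substring(slash);   // drop host[:port]
        if (rest.startsWith(contextPath)) {
            rest = rest.substring(contextPath.length());  // drop the context path
        }
        if (rest.startsWith("/")) {
            rest = rest.substring(1);                     // make it relative to the context
        }
        return rest;
    }

    /** Defensive check a caller can add: a context-relative target must never be absolute. */
    static boolean escapesOrigin(String relative) {
        return relative.contains("://") || relative.startsWith("//");
    }

    public static void main(String[] args) {
        String ctx = "/app";
        // Constructed inputs: a benign target and one carrying a second URL in its path.
        String benign = "https://example.com/app/account";
        String malicious = "https://example.com/app/http://evil.example/phish";

        for (String url : new String[] { benign, malicious }) {
            String first = relativeStrippingFirstScheme(ctx, url);
            String all = relativeStrippingAllSchemes(ctx, url);
            System.out.println("input:        " + url);
            // With the first-scheme variant the malicious input reduces to
            // "http://evil.example/phish", which the browser follows as an absolute URL.
            System.out.println("first scheme: " + first + "  escapesOrigin=" + escapesOrigin(first));
            // With the last-scheme variant only "phish" remains, resolved under the context path.
            System.out.println("all schemes:  " + all + "  escapesOrigin=" + escapesOrigin(all));
        }
    }
}
```

Two things to keep in mind when relying on this kind of stripping. First, the hardened calculation is lossy by design: a legitimate target whose query string embeds another absolute URL (for example a next= parameter) will also be cut back to the last "://", so such values need to be URL-encoded before they are passed as a redirect target. Second, stripping is a normalisation, not an authorisation: the escapesOrigin style check, or an allow-list of permitted targets, is still the control that decides whether the result may be sent in a Location header.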
Julien Dubois
7325b97c76
SEC-2519: RememberMeAuthenticationException supports root cause
Added a constructor which keeps the root cause of the exception, and
added some documentation
2014-03-11 16:11:52 -05:00
Rob Winch
91a074c744
Merge pull request #62 from dalbertom/typo
Correct typo in AbstractRememberMeServices assertion
2014-03-11 15:40:23 -05:00
Rob Winch
ea902e5829
SEC-2507: WebExpressionVoter.supports support subclasses of FilterInvocation
2014-03-10 14:33:37 -05:00
getvictor
6de138c2f2
SEC-2511: Remove double ALLOW-FROM from X-Frame-Options header.
The interface documentation for getAllowFromValue states: Gets the value for ALLOW-FROM excluding the ALLOW-FROM.
2014-03-06 22:01:23 -06:00
Rob Winch
8d8475deb1
SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
2014-01-29 15:35:18 -06:00
Rob Winch
ca1080fb96
SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter
2013-12-13 15:47:28 -06:00
Rob Winch
aaa7cec32e
SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
Previously there was unnecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
2013-12-12 08:07:22 -06:00
Rob Winch
7f714ebb23
SEC-2422: Session timeout detection with CSRF protection
2013-12-11 17:38:17 -06:00
David Alberto
f9998d582a
Correct typo in AbstractRememberMeServices assertion
2013-11-26 18:06:55 -05:00
Rob Winch
59e13e7bbb
SEC-2404: CsrfAuthenticationStrategy creates new valid CsrfToken
2013-11-21 15:12:08 -06:00
Rob Winch
1a1f577a8b
SEC-2358: Add RequestHeaderRequestMatcher#toString()
2013-10-28 14:41:10 -05:00
Rob Winch
e638f0a547
SEC-2357: old RequestMatcher interface extends new RequestMatcher
2013-10-23 17:09:33 -05:00
Rob Winch
04b091c385
SEC-2369: PreAuthenticatedGrantedAuthoritiesUserDetailsService fix case to createUserDetails method
2013-10-17 16:18:43 -05:00
Rob Winch
15a63c58a7
SEC-2368: DebugFilter outputs headers and HTTP method
2013-10-17 14:49:45 -05:00