247 Commits

Author SHA1 Message Date
Rob Winch
cf9f58a4ac SEC-2915: XML spaces->tabs 2015-03-25 13:08:52 -05:00
Rob Winch
706e7fd7a2 SEC-2863: Update to Spring 4.1.5 2015-02-20 11:43:04 -06:00
Rob Winch
8f0001f59a Next Development Version 2014-12-11 20:39:26 -06:00
Spring Buildmaster
49b69196de Release version 4.0.0.RC1 2014-12-11 20:36:55 -06:00
Rob Winch
11116c2b80 SEC-2787: Update Versions 2014-12-10 16:37:19 -06:00
Rob Winch
b56e5edbbd SEC-2784: Fix build plugins 2014-12-08 14:24:34 -06:00
Rob Winch
dfa17bdb98 SEC-2747: Remove spring-core dependency from spring-security-crypto 2014-11-20 16:16:22 -06:00
Rob Winch
3187ee8bf3 SEC-2700: Register WithSecurityContextTestExecutionListener by default 2014-08-15 16:41:33 -05:00
Rob Winch
b72c1ad314 SEC-2686: Create SecurityMockMvcConfigurer 2014-07-22 15:11:37 -05:00
Rob Winch
00e1094178 Add springio-platform plugin 2014-04-23 14:35:22 -05:00
Rob Winch
3118e39de8 SEC-2542: Use exclusions to remove duplicate dependencies
A number of projects had duplicate dependencies on their classpaths
as a result of the same classes being available in more than one
artifact, each with different Maven coordinates. Typically this only
affected the tests, but meant that the actual classes that were
loaded were somewhat unpredictable and had the potential to vary
between an IDE and the command line depending on the order in which
the artifacts appeared on the classpath. This commit adds a number of
exclusions to remove such duplicates.

In addition to the new exclusions, notable other changes are:

 - Spring Data JPA has been updated to 1.4.1. This brings its
   transitive dependency upon spring-data-commons into line with
   Spring LDAP's and prevents both spring-data-commons-core and
   spring-data-commons from being on the classpath
 - All Servlet API dependencies have been updated to use the official
   artifact with all transitive dependencies on unofficial servlet API
   artifacts being excluded.
 - In places, groovy has been replaced with groovy-all. This removes
   some duplicates caused by groovy's transitive dependencies.
 - JUnit has been updated to 4.11 which brings its transitive Hamcrest
   dependency into line with other components.

There appears to be a bug in Gradle which means that some exclusions
applied to an artifact do not work reliably. To work around this
problem it has been necessary to apply some exclusions at the
configuration level.

Conflicts:
	samples/messages-jc/pom.xml
2014-04-02 09:47:26 -05:00
Rob Winch
9988fa141c Update Spring Security version in pom.xml 2014-03-06 08:13:52 -06:00
Rob Winch
6be4e3a9fc SEC-2506: Remove Bundlor Support 2014-03-05 13:32:16 -06:00
Rob Winch
de4ed136ea Fix spring4 test 2014-02-19 16:13:30 -06:00
Rob Winch
7f99a2dfbb SEC-2487: Update to Spring 3.2.8.RELEASE 2014-02-19 09:30:40 -06:00
Rob Winch
ec8b48150d SEC-2474: Update poms 2014-02-07 17:01:11 -06:00
Rob Winch
a34178bc40 SEC-2434: Update to Spring 3.2.6 and Spring 4.0 GA 2013-12-12 08:16:59 -06:00
Rob Winch
4460e84b29 Updates to pom.xml author and repo 2013-12-09 08:57:30 -06:00
Rob Winch
2c8946c406 Next development version 2013-11-01 14:20:55 -05:00
Spring Buildmaster
9c703a3051 Release version 3.2.0.RC2 2013-11-01 14:20:49 -05:00
Rob Winch
88f41cdf62 SEC-2341: Update to Gradle 1.8
Some dependencies were necessary to update due to issues with JUnit
integration.
2013-09-24 15:35:51 -05:00
Rob Winch
3d2f23602f SEC-2294: Update Spring Version to 3.2.4.RELEASE 2013-08-31 11:26:43 -05:00
Rob Winch
aca2e4ff3a SEC-2289: Add spring4Test 2013-08-27 16:43:10 -05:00
Rob Winch
976d9a9016 SEC-2194: Polish java config sample apps 2013-08-08 14:33:54 -05:00
Rob Winch
5e6ca12b01 SEC-2097: Update integrationTestCompile to use optional and provided
Also update slf4j version and remove explicit commons-logging from pom generation
2013-07-16 15:59:06 -05:00
Rob Winch
02551e1b7a SEC-2214: Update Spring Version 2013-07-16 15:15:47 -05:00
Rob Winch
faa8b354b7 SEC-2209: add pom.xml 2013-07-16 15:15:47 -05:00
Luke Taylor
743960d2d8 SEC-2122: Fix broken integration tests.
Modified BCryptPasswordEncoder to no longer throw an
IllegalArgumentException when the encoded password is empty or
the incorrect format for bcrypt. Instead it now logs a warning
that non bcrypt data was found.

The Dms integration tests were failing after being changed to
use bcrypt and this fixes the issue.
2013-05-21 23:13:08 +01:00
Luke Taylor
d6524feb62 SEC-2122: Change doc to prioritize bcrypt use 2013-05-17 18:42:47 +01:00
Rob Winch
4fabe939d0 SEC-2035: Add template.mf to crypto 2012-08-17 14:13:56 -05:00
Rob Winch
a6bded86c2 SEC-1990: Polishing code cleanup on BCrypt
- Formatting
- Renamed test to be BCryptTests to better align with Spring Security's naming conventions
2012-07-05 14:12:14 -05:00
Joseph Walton
14a5135ac3 SEC-1990: Clean up jBCrypt and include its tests.
Merge in changes from jBCrypt.
- Use a ByteArrayOutputStream to cache bytes.
- Pass a StringBuilder into encode_base64.
- Refactor string comparison into its own method.
- General clean up.
2012-07-05 14:04:39 -05:00
Luke Taylor
3760d792ea SEC-1890: Add checks for validity of stored bcrypt hash
When checking for a match, the BCryptPasswordEncoder validates
the stored hash against a pattern to check that it actually is
a bcrypt value.
2012-02-22 14:36:13 +00:00
Dave Syer
8565116f20 SEC-1472: Add crypto wrappers for BCrypt 2011-11-02 18:10:19 +00:00
Luke Taylor
45d938566c Some tests for Base64 encoding. 2011-08-12 19:44:27 +01:00
Luke Taylor
89b7b2b935 SEC-1764: Remove use of Java 6 method Arrays.copyOfRange. 2011-06-15 11:22:17 +01:00
Luke Taylor
e27f655e9d SEC-1689: Re-instate crypto as separate library (for use in non-Spring Security apps), as well as packaging with core. 2011-06-10 00:01:25 +01:00
Luke Taylor
50828cdd43 SEC-1689: Move crypto module code to core for simplicity. 2011-03-10 18:58:47 +00:00
Rob Winch
8c08eeb57b SEC-1666: Use constant time comparison for sensitive data.
Constant time comparison helps to mitigate timing attacks. See the following link for more information

 * http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
 * http://en.wikipedia.org/wiki/Timing_attack for more information.
2011-01-31 23:03:51 -06:00
Rob Winch
2e822e9abe SEC-1659: Ensure that Digester is returning digest(digest(value)...) instead of digesting the same value multiple times.
Make it so that the Digester returns digest(digest(value)...) instead of digesting the same value multiple times. This
aligns with the OWASP recommendations at http://www.owasp.org/index.php/Hashing_Java#Hardening_against_the_attacker.27s_attack
2011-01-30 22:30:01 -06:00
Luke Taylor
6b1b012e2c Added check for maximum AES key size in crypto.gradle to skip tests if limited strength crypto policy files are in place. 2011-01-20 02:13:33 +00:00
Luke Taylor
594f6694bb Add logging of jdk version to crypto build file 2011-01-20 01:31:30 +00:00
Luke Taylor
d686f64f26 Skip EncryptorsTests when using <JDK 1.6 as AES isn't available 2011-01-19 23:43:13 +00:00
Luke Taylor
162cb64baa SEC-1659: Label crypto utils package as only for internal use. 2011-01-19 18:19:58 +00:00
Keith Donald
b646e44646 SEC-1659: fixed bundlor step of build 2011-01-19 18:17:03 +00:00
Keith Donald
ea76efdb2c SEC-1659: favor AES encryption instead of DES as standard symmetric encryption algorithm 2011-01-19 18:17:02 +00:00
Keith Donald
ffa7301e7f SEC-1569: initial commit of spring-security-crypto module, consisting of encrypt, keygen, password, and util packages 2011-01-19 18:17:02 +00:00