100 Commits

Author SHA1 Message Date
Luke Taylor
472c1fac84 SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
Ensures protect-pointcut expressions match methods with generic parameters.
2010-03-24 20:57:03 +00:00
Luke Taylor
b38b8e55ac SEC-1432: Convert map keys to lower-case in UserMap.setUsers().
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
2010-03-05 17:55:29 +00:00
Luke Taylor
93438defff SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap used by FilterChainProxy.
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
2010-03-01 01:21:06 +00:00
Luke Taylor
f0466b6488 SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all. 2010-02-27 00:22:21 +00:00
Luke Taylor
10dc72b017 SEC-1387: Support serialization of security advised beans.
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
2010-02-19 00:53:14 +00:00
Luke Taylor
5b5934144a Avoid infinite loop in InterceptMethodsBeanDefinitionDecoratorTests when upgrading to Spring 3.0.1.
Converted test target to implement ApplicationListener<SessionCreatedEvent> so that it doesn't receive events from its own interceptor (which are in turn intercepted).
2010-02-16 00:03:15 +00:00
Luke Taylor
dcbdfc2026 SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained within the SecurityContextRepository implementation.
2010-02-11 17:47:22 +00:00
Luke Taylor
70ef0d8b3e Added extra test to itest/context as POC of using extra interceptor with http ns. 2010-02-11 01:48:00 +00:00
Luke Taylor
5753d69465 SEC-1404: Updated test for placeholders in intercept-url elements to check they work for filter='none' elements 2010-02-10 16:49:53 +00:00
Luke Taylor
bd2fd3448b SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly. 2010-02-06 15:42:01 +00:00
Luke Taylor
d931495c8a SEC-1380: Trim whitespace from config attributes when building a list in SecurityConfig. 2010-01-23 02:12:30 +00:00
Luke Taylor
670297c55d SEC-1369: Make sure beans aren't registered twice in case allowBeanDefinitionOverriding=false in the app context.
The use of registerBeanComponent() also registers the bean definition, which causes an error if overriding is disallowed and the bean has already been registered using registerBeanDefinition(). I've also set the allowBeanDefinitionOverriding to 'false' on InMemoryXmlApplicationContext to detect future mistakes of this kind in testing.
2010-01-14 15:48:14 +00:00
Luke Taylor
e211f9b35f SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.

Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
Luke Taylor
51abedcbef Parameterize getFilter() method in HttpSecurityBeanDefinitionParserTests.
Removes the need for casting to specific filter type.
2010-01-08 23:20:16 +00:00
Luke Taylor
052537c8b0 Removing $Id$ markers and stripping trailing whitespace from the codebase. 2010-01-08 21:05:13 +00:00
Luke Taylor
dc5417f1d5 SEC-1352: Added support for placeholders in <user-service>
The username, password and authorities attributes can now be placeholders.
2010-01-05 22:34:10 +00:00
Luke Taylor
893f212fa5 Tidying 2010-01-02 19:53:19 +00:00
Luke Taylor
bcb1ff8921 SEC-1342: Introduced extra factory method in SecurityConfig to get round problem with Spring converting a string with commas to an array 2009-12-23 14:12:59 +00:00
Luke Taylor
85a58fd473 SEC-1331: Modify namespace to allow omission of user passwords in user-service element and generate random ones internally, preventing authentication against the data. 2009-12-18 15:39:13 +00:00
Luke Taylor
1dc4bb112e SEC-1318: Correct logic for checking combination of session-management attributes. 2009-12-07 22:40:47 +00:00
Luke Taylor
ac564fc34e SEC-1317: Forgot to commit test from config module. 2009-12-07 21:39:49 +00:00
Luke Taylor
d4e4a09801 SEC-1312: Add detection of 2.0 schemas. Added check to SecurityNamespaceHandler and reinstated old schemas. 2009-12-06 21:15:11 +00:00
Luke Taylor
eddde8ea28 SEC-1309: Namespace configurations should support Spring EL. Removed premature conversion of URL paths to lower case, which messes up if they are case-sensitive expressions or placeholders. Some other minor changes to support EL configuration. 2009-12-01 14:23:58 +00:00
Luke Taylor
3444b31615 SEC-1291: Add logout namespace support for custom success handler. Added attribute "success-handler-ref" to <logout> element in namespace. 2009-11-17 17:29:43 +00:00
Luke Taylor
9eae7b899c SEC-1284: Added proxy-target-class attribute to method security namespace 2009-11-17 16:19:05 +00:00
Luke Taylor
afdd80235c SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher. Fixed Spring RC1 - RC2 regression problem with test (addApplicationListener() behaviour has changed). 2009-11-17 14:34:43 +00:00
Luke Taylor
d4d5012035 SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher. Update AuthenticationManagerBeanDefinitionParser to register a DefaultAuthenticationEventPublisher and set it on the registered ProviderManager. 2009-11-17 12:55:53 +00:00
Luke Taylor
a2468c523a SEC-1283: AuthenticationConfigBuilder.createAnonymousFilter uses httpElt instead of anonymousElt. Corrected element name. 2009-11-04 17:39:26 +00:00
Luke Taylor
197737a2b4 SEC-1281: make sure correct 'key' value is used for RememberMeAuthenticationProvider when external RememberMeServices is used 2009-11-04 14:55:58 +00:00
Luke Taylor
799b96520b SEC-1269: Combining <form-login> and <open-id> fails to find entry point. Fixed entry point choice conditions when using openID and/or form-login 2009-10-14 00:30:28 +00:00
Luke Taylor
ed2ddf9323 SEC-1263: Add FactoryBean for namespace AuthenticationManager. <http> now uses AuthenticationManagerFactoryBean. Method security already uses a delegate object to lookup the AuthenticationManager. This now uses the same error message if the bean isn't found, rather than allowing the BeanFactory NoSuchBeanDefinitionException to be thrown directly. 2009-10-09 14:41:34 +00:00
Luke Taylor
e398922f85 Removing elements that are no longer supported from the namespace 2009-10-08 14:40:52 +00:00
Luke Taylor
80eb47c6fe SEC-1261: Convert FilterChainOrder to an enum (SecurityFilters). 2009-10-08 13:18:32 +00:00
Luke Taylor
1286741c7c SEC-1259: Improve consistency of authentication filter names. 2009-10-07 14:43:55 +00:00
Luke Taylor
f213cc5d9e SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted. 2009-10-06 19:46:44 +00:00
Luke Taylor
5d486a51b6 SEC-1256: Added support for expression attributes in filter-security-metadata-source configuration. 2009-10-06 16:39:56 +00:00
Luke Taylor
07d7c0ddae Renamed form and openID filters to shorten names 2009-10-05 17:33:34 +00:00
Luke Taylor
1042305cfe Renamed web.wrapper to web.servletapi. Added some package.html files. 2009-10-05 16:59:37 +00:00
Luke Taylor
673cf300fb SEC-1229: Refactoring to remove package cycles. 2009-10-05 16:40:32 +00:00
Luke Taylor
acf13c74ca SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session 2009-10-05 15:51:00 +00:00
Luke Taylor
2b89ebdfbb SEC-1229: Further doc and mods to namespace config/naming to make it more consistent 2009-10-03 16:08:51 +00:00
Luke Taylor
073198886d SEC-1255: Modified UrlUtils. Full request URL for redirects uses the requestURI (which is encoded). The URL for path comparisons is built using the servletpath, as before. 2009-10-02 17:29:43 +00:00
Luke Taylor
2a1430f1ce SEC-1229: Removed legacy concurrency classes 2009-09-29 16:18:25 +00:00
Luke Taylor
ebada9fd12 SEC-1229: Added support for parsing error URL in session-management 2009-09-29 16:17:05 +00:00
Luke Taylor
7109b7e183 Import cleaning. 2009-09-29 00:30:29 +00:00
Luke Taylor
aa153681bf SEC-1229: Added session-management element to namespace and refactored existing session-related attributes and concurrency control. Refactored <http> parsing code to split it up into more manageable units. 2009-09-29 00:29:09 +00:00
Luke Taylor
fa7404741b SEC-1167: Introduce more flexible SavedRequest handling. Add namespace support for a custom RequestCache through the request-cache element. 2009-09-09 21:40:12 +00:00
Luke Taylor
d099d14e9b SEC-1235: Added test to attempt to verify (failed to reproduce). 2009-09-05 14:14:12 +00:00
Luke Taylor
8632946f30 SEC-1213: Added "order" attribute to global-method-security 2009-09-04 15:54:42 +00:00
Luke Taylor
2039200617 SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace. 2009-09-01 16:08:20 +00:00