Luke Taylor
883ca2a55d
Import cleaning.
2010-10-27 13:25:40 +01:00
Luke Taylor
1724d1eac6
SEC-1561: HttpSessionSecurityContextRepository should check whether the session contains the context attribute in case a new session has been created during the request. If the attribute is empty, then the context should be stored regardless of whether a change is detected or not.
2010-10-27 13:25:39 +01:00
Luke Taylor
a6d47203db
FilterInvocation should set queryString on dummy request.
2010-10-27 13:25:39 +01:00
Luke Taylor
7d97adc687
SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/".
2010-10-27 13:25:39 +01:00
Rossen Stoyanchev
70600a0277
SEC-1552 Refactor AuthorizeTag and LegacyAuthorize tag to make them independent of JSP tag rendering.
2010-10-26 12:33:51 +01:00
Rob Winch
ee12d54bec
SEC-1536: moved web.authentication.jaas to web.jaasapi
...
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
2010-10-05 22:28:42 -05:00
Luke Taylor
1b2b371970
SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element.
...
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.
Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
2010-09-16 16:03:24 +01:00
Luke Taylor
551166a577
ApacheDS workDir property should be passed to the test process, not set as a system property in the main build process.
2010-09-14 14:43:21 +01:00
rwinch
de819378fc
SEC-1536: added JAAS API Integration, updated doc, updated jaas sample
2010-09-13 13:12:45 -05:00
Luke Taylor
c5231fc213
SEC-1538: Deprecate PreAuthenticatedGrantedAuthoritiesAuthenticationDetails (forgot originally) and update documentation to remove reference to AbstractPreAuthenticationAuthenticationDetailsSource.
2010-09-13 12:19:21 +01:00
Luke Taylor
af56f4844d
SEC-1562: Created SecurityExpressionHandler interface and AbstractSecurityExpressionHandler.
2010-09-07 19:46:45 +01:00
Luke Taylor
b0998c01bc
SEC-1553: Make WebAuthenticationDetails serializable
2010-09-01 18:43:07 +01:00
Luke Taylor
f4d57ab5e8
SEC-1456: Remove maven poms as we are now using gradle for the build.
2010-08-30 19:02:19 +01:00
Luke Taylor
1a1372ab84
Removed deprecated AspectJInterceptor classes since these cannot be used with the existing MethodSecurityMetadataSource implementations (which no longer support JoinPoin as a secured object). Added some more tests.
2010-08-28 21:41:19 +01:00
Luke Taylor
ba890cf7e5
Removed invalid test method.
2010-08-24 21:03:33 +01:00
Luke Taylor
d1e8b8e29d
More tests. Minor refactoring.
2010-08-24 20:57:45 +01:00
Luke Taylor
bf9d4a9747
Remove unnecessary local variable.
2010-08-24 20:29:25 +01:00
Luke Taylor
bdb906e588
Enable parameterization for log levels in logback files to allow the use of command-line options for controlling log output.
2010-08-24 18:25:39 +01:00
Luke Taylor
102bc2d6a0
Reduce unnecessary use of aspectj as a build dependency
2010-08-19 23:23:03 +01:00
Luke Taylor
c37ca1c2a9
Sample app build adjustments to remove unwanted deps such as jsp-api, tidy up use of JSTL, make sure all are using servlet 2.5 etc.
2010-08-19 22:41:51 +01:00
Luke Taylor
1680807470
Added eclipse plugin to build. Some minor fixes to remove eclipse warnings.
2010-08-18 14:11:16 +01:00
Luke Taylor
3c02989d67
Removal of jmock test dependency and upgrading of mockito version to 1.8.5. Minor adjustments to other build deps and configurations (e.g. prevent groovy from being used as a transitive dep, since we only use it for tests).
2010-08-18 02:32:43 +01:00
Luke Taylor
591bd532bd
Polishing FilterChainProxy and its tests.
2010-08-17 02:20:34 +01:00
Luke Taylor
4bd41cbf72
SEC-1133: Support for setting of authenticationDetailsSource property for form-login, openid-login, http-basic and x509 namespace elements. These elements now support an additional 'authentication-details-source-ref' attribute.
2010-08-14 15:10:03 +01:00
Luke Taylor
281d77271e
SEC-1486, SEC-1538, SEC-1537: Generification of AuthenticationDetailsSource. Deprecation of non-web pre-authentication classes and other unnecessary classes. Removal of reflection in WebAuthenticationDetailsSource.
2010-08-13 15:51:05 +01:00
Luke Taylor
2222a7be07
Use Integer.valueOf() in preference to new Integer()
2010-08-11 18:17:23 +01:00
Luke Taylor
db6da77a5f
SEC-1413: Add RedirectStrategy to AbstractRetryEntryPoint.
2010-08-10 17:39:12 +01:00
Luke Taylor
183333d189
SEC-1430: Forgot to commit changes to new ExceptionMappingAuthenticationFailureHandlerTests.
2010-08-09 17:09:02 +01:00
Luke Taylor
2e98b84494
SEC-1430: internalize session key for SavedRequest. This should be accessed using the RequestCache interface if required. Additional refactoring of related tests which were still in AbstractAuthenticationProcessingFilterTests for historical reasons, but should be in their respective success/failure handler test classes.
2010-08-08 17:49:06 +01:00
Luke Taylor
85c4c91e0e
IDEA inspection refactorings.
2010-08-05 23:28:07 +01:00
Luke Taylor
a3d27a9863
SEC-1314: cloneFromHttpSession accidentally go left behind, even though it is always false.
2010-08-05 21:21:09 +01:00
Luke Taylor
a2bd1bc9af
SEC-1498: Allow use of absolute URL fopr login form in LoginUrlAuthenticationEntryPoint.
2010-08-05 21:09:34 +01:00
Luke Taylor
64375484a1
More build and logging tuning.
2010-08-04 22:55:17 +01:00
Luke Taylor
63734cfcf9
SEC-1528: Remove logic which checks if context in the session is the same as the current context to make sure that session.setAttribute() is called when the value in the session has been modified directly.
2010-08-02 22:41:57 +01:00
Luke Taylor
9dd6a5eb8f
SEC-1499: Added some Javadoc and doc on the problems of using session-fixation protection with attributes that implement HttpSessionBindingListener.
2010-07-23 16:27:57 +01:00
Luke Taylor
d7d8448120
SEC-1521: Add check for null SecurityContextRepository and clarify related docs on use of null implementation (NullSecurityContextRepository).
2010-07-23 15:59:53 +01:00
Luke Taylor
5d35919ca3
SEC-1490: Code for GAE Sample webapp
2010-07-20 23:41:31 +01:00
Luke Taylor
69a10c48ae
Switch to using slf4j/logback for logging.
...
We still compile modules against commons-logging but all runtime logging and samples will use logback
2010-07-12 12:39:52 +01:00
Luke Taylor
8df356de29
SEC-1471: Allow use of a RequestMatcher with HttpSessionRequestCache to configure which requests should be cached by calls to saveRequest.
...
Also removed the justUseSavedRequestOnGet property, as this behaviour can be controlled by the RequestMatcher.
2010-06-28 19:51:30 +01:00
Luke Taylor
026517f674
Removal of deprecated methods and classes.
2010-06-26 16:23:42 +01:00
Luke Taylor
09176b0af4
SEC-1501: Fix bean classname in Javadoc for SwitchUserFilter.
2010-06-25 19:45:34 +01:00
Luke Taylor
ea8d37892c
SEC-1496: Added support for use of any non-standard URL schemes in DefaultRedirectStrategy.
2010-06-18 03:33:49 +01:00
Luke Taylor
4d10d4b67f
SEC-1500: Convert AbstractRetryEntryPoint to use requestURI to correctly encode URLs.
2010-06-18 01:34:07 +01:00
Luke Taylor
76ebb759f3
Removed unnecessary casts.
2010-06-08 22:56:59 +01:00
Luke Taylor
7d74b7c87e
SEC-1171: Allow multiple http elements and add pattern attribute to specify filter chain mapping.
2010-05-27 15:54:15 +01:00
Luke Taylor
e156d5339a
Fix build when upload properties are missing. Added missing hsql test dependency
2010-05-24 17:01:19 +01:00
Luke Taylor
0e57ce2dc3
SEC-1481: Updated constructors of Authentication types to use a generic wildcard for authorities collection.
2010-05-21 15:59:50 +01:00
Luke Taylor
978bb9f601
Remove commented-out code in ETF.
2010-05-16 15:16:40 +01:00
Luke Taylor
f0c4cccb0d
SEC-1479: Clarify that matching is against servletPath + pathInfo for ant pattern matching. Added some extra pointers to request-matching info in namespace doc.
2010-05-16 14:14:13 +01:00
Luke Taylor
bf288101a0
Javadoc improvements
2010-05-16 14:14:13 +01:00
Luke Taylor
b3aad4cf19
Javadoc fixes.
2010-05-06 20:02:08 +01:00
Luke Taylor
0c09780644
SEC-1476: Modify AbstractPreAuthenticatedProcessingFilter to store authentication exception in request instead of creating a new session.
2010-05-05 14:13:48 +01:00
Luke Taylor
fcf33afce0
Formatting.
2010-05-03 14:53:05 +01:00
Luke Taylor
bca6c1aeac
SEC-1468: Doc and Javadoc updates.
2010-04-26 23:26:07 +01:00
Luke Taylor
024e6904ff
SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager.
2010-04-25 04:27:09 +01:00
Luke Taylor
ee1fd1bc50
SEC-1431: Modify OpenID sample to use a custom UserDetailsService which allows any user to authenticate, allocating them a standard role and "registers" their ID in a map, allowing it to be retrieved in subsequent logins.
2010-04-20 23:47:48 +01:00
Luke Taylor
74896f217b
SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>.
2010-04-20 23:47:47 +01:00
Luke Taylor
a45d2a4fb2
SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client.
2010-04-20 18:04:22 +01:00
Luke Taylor
93deec8d40
SEC-1458: Remove logger field in HttpSessionEventPublisher in favour of direct lookup. Prevents early initialization of logging system when listener is initialized.
2010-04-16 16:12:38 +01:00
Luke Taylor
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
2010-04-01 01:24:23 +01:00
Luke Taylor
2e2625873c
SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager).
...
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
2010-03-23 00:45:06 +00:00
Luke Taylor
d5df53f1db
SEC-1439: Make getters and setters public on HttpRequestResponseHolder.
...
Necessary to allow use of custom SecurityContextRepository.
2010-03-12 15:53:05 +00:00
Luke Taylor
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
2010-03-07 21:58:25 +00:00
Luke Taylor
43f0e11106
SEC-1429: Removed cached authentication from session after successful authentication.
2010-03-05 00:07:35 +00:00
Luke Taylor
89d8c8cc83
Additional test classes for authentication and logout success/failure handling.
2010-03-04 23:18:46 +00:00
Luke Taylor
a3263753d9
Fix to Javadoc for AbstractAuthenticationProcessingFilter.
2010-03-04 22:06:04 +00:00
Luke Taylor
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
2010-03-04 21:21:07 +00:00
Luke Taylor
43f3568b16
SEC-1407: Removed original URL matching classes and updated Javadoc of new RequestMatcher versions.
2010-03-03 23:11:49 +00:00
Luke Taylor
ae8027fa47
SEC-1425: Replace use of Java 1.6 String.isEmpty().
2010-03-01 13:49:42 +00:00
Luke Taylor
93438defff
SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy.
...
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
2010-03-01 01:21:06 +00:00
Luke Taylor
cb0f3f677f
SEC-1425: Add check for empty cookie in AbstractRememberMeServices.
...
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
2010-02-28 14:08:27 +00:00
Luke Taylor
f0466b6488
SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all.
2010-02-27 00:22:21 +00:00
Luke Taylor
e2f9be9015
SEC-1307: Modify context saving logic in HttpSessionSecurityContextRepository to check the SecurityContext and its contents (the Authentication) against the respective values when the request first arrived at the SecurityContextPersistenceFilter. As explained in the issue, this allows a definite decision to be made about whether the current thread has modified the context information during the request, indicating that it should be saved.
...
Also removed deprecated HttpSessionContextIntegrationFilter and tests.
2010-02-26 16:01:40 +00:00
Luke Taylor
4dd10cd266
Refactor overly large doFilter() method in DigestAuthenticationFilter.
2010-02-22 01:48:53 +00:00
Luke Taylor
f3f84da625
Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0.
2010-02-21 23:25:36 +00:00
Luke Taylor
2ee7696bf4
Update version number to 3.1.0.CI-SNAPSHOT.
2010-02-19 17:35:19 +00:00
Luke Taylor
44f45d21f0
3.0.2 release. Update version in build files.
2010-02-19 01:22:21 +00:00
Luke Taylor
14ae36ac3b
SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header.
...
The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
2010-02-18 00:32:49 +00:00
Luke Taylor
bd635edc31
SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.
...
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
2010-02-15 22:46:18 +00:00
Luke Taylor
c1133d1ef3
Removed unused import in DelegatingAuthenticationEntryPoint and corrected test class name.
2010-02-14 23:31:31 +00:00
Luke Taylor
d30e31d816
Remove unnecessary @SuppressWarnings and inline dependency from ELRequestMatcher (util package) to core ExpressionUtils.
2010-02-14 23:29:27 +00:00
Luke Taylor
c12c43da9e
Javadoc fixes.
2010-02-14 23:27:09 +00:00
Luke Taylor
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
2010-02-14 23:23:23 +00:00
Luke Taylor
1e4f451352
Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources
2010-02-11 18:08:06 +00:00
Luke Taylor
dcbdfc2026
SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
...
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
2010-02-11 17:47:22 +00:00
Mike Wiesner
90d6ff1fde
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-11 13:19:16 +01:00
Mike Wiesner
d32b078a8c
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-11 09:05:28 +01:00
Mike Wiesner
d2413cf237
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-10 21:25:23 +01:00
Luke Taylor
08c7155ab5
SEC-1404: Refactored IP subnet matching into IpAddressMatcher class to allow it to be used outside expressions.
2010-02-10 15:06:01 +00:00
Luke Taylor
1ecd3e228b
SEC-1405: added RequestMatcher interface.
2010-02-10 14:34:14 +00:00
Luke Taylor
984604b026
SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator.
...
The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
2010-02-06 14:38:44 +00:00
Luke Taylor
0974e21fb6
SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid).
...
This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
2010-01-23 02:12:30 +00:00
Luke Taylor
04447bdbf0
SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs).
2010-01-22 01:55:13 +00:00
Luke Taylor
0c10efbbf8
Revert SEC-1356.
...
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
2010-01-19 22:26:21 +00:00
Luke Taylor
1a7f71fc0f
SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
...
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
2010-01-19 01:07:33 +00:00
Luke Taylor
51dfc0fb39
Set versions to 3.0.2-CI-SNAPSHOT, post release.
2010-01-15 18:15:19 +00:00
Luke Taylor
05634f97dc
Updated version numbers for 3.0.1 release.
2010-01-15 18:04:28 +00:00
Luke Taylor
a9567a58d8
SEC-1359,SEC-1360,SEC-1361,SEC-1363,SEC-1364,SEC-1365,SEC-1366,SEC-1367: Minor doc and Javadoc typos.
2010-01-13 15:36:58 +00:00
Luke Taylor
3a8daa1bf4
Gradle build improvements.
...
Added generation of source archives and trial support for maven deployment and pom generation, with "provided" configuration mapped to "provided" scope.
2010-01-13 00:44:05 +00:00
Luke Taylor
f62d97b092
SEC-1356: Fix broken tests.
...
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
2010-01-12 01:32:02 +00:00
Luke Taylor
6eff4d90b7
SEC-1356: Modify AbstractRememberMeService to check the cookie path as well as the name when extracting it from the incoming request.
...
This makes things consistent with the cookie setting methods. If someone wants to share a cookie between multiple applications then they should modify the cookie extraction and setting methods to use a less-specific path.
2010-01-12 00:49:53 +00:00
Luke Taylor
2023ca283e
SEC-1358: Support empty context path in DefaultWebInvocationPrivilegeEvaluator
...
This class was failing when an application was deployed at the root context because of an assertion which checked that the contexPath was not empty. An empty context path doesn't actually cause problems for the class so I've removed the assertion.
2010-01-12 00:30:27 +00:00
Luke Taylor
b323098167
Added gradle build files for taglibs, tutorial, contacts and openid.
...
Changed build file names to match module names (by manipulating the project objects in the settings.gradle file).
2010-01-10 23:31:23 +00:00
Luke Taylor
e211f9b35f
SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
...
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.
Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
Luke Taylor
bc02fc2de1
Corrected "incorrect numer of tokens" error message in TokenBasedRememberMeServices.
2010-01-08 23:57:27 +00:00
Luke Taylor
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
2010-01-08 21:05:13 +00:00
Luke Taylor
f5d36aef65
SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter
...
Added clarification that the credentials returned
by the subclass should not be null or they will
typically be rejected by the provider. Also added
some general overview.
2010-01-05 16:01:55 +00:00
Luke Taylor
c6b8fe5e55
SEC-1346: Added missing 'return' statements after redirects.
...
ConcurrentSessionFilter and SessionManagementFilter now return immediately after redirecting to the expired URL and invalid session URLs respectively. Extra tests added to check.
2010-01-03 19:06:58 +00:00
Luke Taylor
893f212fa5
Tidying
2010-01-02 19:53:19 +00:00
Luke Taylor
115d5b84ff
[maven-release-plugin] prepare for next development iteration
2009-12-22 22:20:01 +00:00
Luke Taylor
6c6ef08353
[maven-release-plugin] prepare release spring-security-3.0.0.RELEASE
2009-12-22 22:19:38 +00:00
Luke Taylor
e64866ae6a
Updated bundlor templates and introduced spring.version variable
2009-12-22 01:10:04 +00:00
Luke Taylor
3418aab46e
SEC-1327: Javadoc additions to clarify some behaviour
2009-12-21 17:32:54 +00:00
Luke Taylor
fcce29f8df
SEC-1326: Updating dependencies to match Spring versions. Removing unused deps.
2009-12-21 17:32:38 +00:00
Luke Taylor
97a31cae04
SEC-1333: Added error message for invalid redirect URL assertion
2009-12-18 19:29:36 +00:00
Luke Taylor
aeed49393c
Switching StringBuffer to StringBuilder throughout the codebase (APIs permitting).
2009-12-18 18:44:42 +00:00
Luke Taylor
76731254c0
SEC-1328: Fixed issue with redirect to context relative URLs where the context name is part of the domain name.
2009-12-18 18:04:03 +00:00
Luke Taylor
06e092d46a
Midor Javadoc correction.
2009-12-15 15:39:01 +00:00
Luke Taylor
6805761d85
Extra test to confirm http-method specific matching behaviour.
2009-12-14 13:55:48 +00:00
Luke Taylor
cad32ffe39
SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. removed unnecessary null checks in classes which use the interface.
2009-12-13 17:37:24 +00:00
Luke Taylor
520e733cb2
[maven-release-plugin] prepare for next development iteration
2009-12-08 21:19:41 +00:00
Luke Taylor
f2cf17bd49
[maven-release-plugin] prepare release spring-security-3.0.0.RC2
2009-12-08 21:19:20 +00:00
Luke Taylor
075e7a15ad
Corrected package name in Javadoc.
2009-12-07 21:44:02 +00:00
Luke Taylor
444d93b13f
SEC-1316: Remove 'removeAfterRequest' property from AnonymousAuthenticationFilter
2009-12-07 13:54:39 +00:00
Luke Taylor
b27d7afd24
SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation.
2009-12-06 15:28:03 +00:00
Luke Taylor
aee6b8f3f9
SEC-1314: Deprecate cloneFromHttpSession and securityContextClass in HttpSessionSecurityContextRepository. Both deprecated.
2009-12-06 15:09:33 +00:00
Luke Taylor
dab76249db
Added gradle build files (experimental)
2009-12-04 21:33:17 +00:00
Luke Taylor
69699431b1
SEC-1303: Added internal Hex and Base64 classes, and moved commons-codec dependency to test scope
2009-11-24 09:31:03 +00:00
Luke Taylor
4d8956a227
SEC-1288: Changed claimedIdentityFieldName in OpenIDAuthenticationFilter to "openid_identifier", as recommended by the 2.0 spec.
2009-11-17 22:05:38 +00:00
Luke Taylor
d84542cf88
SEC-1285: minor vulnerability in BasicProcessingFilter. Changed logging of Basic authentication information.
2009-11-17 15:29:07 +00:00
Luke Taylor
617e517e5e
SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice. Added check for null authentication in logout method.
2009-11-04 17:20:13 +00:00
Luke Taylor
930c1b6b53
Coverted to Junit 4 test.
2009-10-14 21:48:30 +00:00
Luke Taylor
11e476c486
Added issue numbers in comment.
2009-10-14 14:23:34 +00:00
Luke Taylor
d4d45e1311
Make getHeader() methods check case-insensitive matching on header name.
2009-10-14 14:12:27 +00:00
Luke Taylor
7282eed197
Import cleaning.
2009-10-14 00:30:55 +00:00
Luke Taylor
799b96520b
SEC-1269: Combining <form-login> and <open-id> fails to find entry point. Fixed entry point choice conditions when using openID and/or form-login
2009-10-14 00:30:28 +00:00
Luke Taylor
3f963ef8ca
Restore versions and svn URLs in trunk (release plugin fail)
2009-10-11 21:59:38 +00:00
Luke Taylor
af563e826c
[maven-release-plugin] prepare release spring-security-3.0.0.RC1
2009-10-11 21:43:42 +00:00
Luke Taylor
881632cc08
SEC-1250: Removed duplicate property.
2009-10-11 15:20:24 +00:00
Luke Taylor
0da99171da
SEC-1250: RequestHeaderPreAuthenticatedProcessingFilter cannot be use to fail back to another authentication type. Added exceptionIfHeaderMissing property.
2009-10-08 16:37:53 +00:00
Luke Taylor
3f72983a1e
SEC-1257: Some additional API changes to use Collection instead of List...
2009-10-07 21:08:41 +00:00
Luke Taylor
1286741c7c
SEC-1259: Improve consistency of authentication filter names.
2009-10-07 14:43:55 +00:00
Luke Taylor
f213cc5d9e
SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted.
2009-10-06 19:46:44 +00:00
Luke Taylor
caff3ee9ba
SEC-1231: Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>. Refactored the interface and related classes to match (UserDetails etc).
2009-10-05 19:28:53 +00:00
Luke Taylor
07d7c0ddae
Renamed form and openID filters to shorten names
2009-10-05 17:33:34 +00:00
Luke Taylor
1042305cfe
Renamed web.wrapper to web.servletapi. Added some package.html files.
2009-10-05 16:59:37 +00:00
Luke Taylor
673cf300fb
SEC-1229: Refactoring to remove package cycles.
2009-10-05 16:40:32 +00:00
Luke Taylor
acf13c74ca
SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session
2009-10-05 15:51:00 +00:00
Luke Taylor
2b89ebdfbb
SEC-1229: Further doc and mods to namespace config/naming to make it more consistent
2009-10-03 16:08:51 +00:00
Luke Taylor
073198886d
SEC-1255: Modified UrlUtils. Full request URL for redirects uses the requestURI (which is encoded). The URL for path comparsions is built using the servletpath, as before.
2009-10-02 17:29:43 +00:00
Luke Taylor
abba569282
Tidying.
2009-09-30 15:53:46 +00:00
Luke Taylor
1ead8472d1
SEC-1229: Added failure handler to the SessionManagementFilter to deal with concurrent login errors.
2009-09-29 16:14:31 +00:00
Luke Taylor
bf39a5bb36
Added extra logging.
2009-09-29 16:13:16 +00:00
Luke Taylor
731402e9f5
SEC-525: [PATCH] Add AccessCheckerTag based on URL resource access permissions. Added functionality to "authorize" tag to allow evaluation of whether a particual url is accessible to the user. Uses a WebInvocationPrivilegeEvaluator registered in the application context.
2009-09-16 00:23:13 +00:00
Luke Taylor
1c4a809e09
SEC-1245: Add role hierarchy support to expression handlers. Done.
2009-09-15 17:17:21 +00:00
Luke Taylor
e7486fc203
Removed Ordered interface from Http403EntryPoint (unused).
2009-09-14 16:06:15 +00:00
Luke Taylor
40cf50fc98
SEC-1148: Javadoc.
2009-09-13 21:51:54 +00:00
Luke Taylor
ff78ec00f7
SEC-1226: Additional Javadoc.
2009-09-13 21:22:17 +00:00
Luke Taylor
23c8f479b8
SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework.
2009-09-13 20:45:38 +00:00
Luke Taylor
593d2e227a
SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework.
2009-09-13 20:44:52 +00:00
Luke Taylor
9c7423599e
SEC-1167: Extended SavedRequest interface to allow it to be used by wrapper. Removed null checks in wrapper, as the SavedRequest cannot now be null.
2009-09-13 16:27:35 +00:00
Luke Taylor
4064b7b4f6
SEC-1167: Introduce more flexible SavedRequest handling. Introduced interface for SavedRequest.
2009-09-13 15:03:14 +00:00
Luke Taylor
acd10dd716
SEC-1243: Make determineTargetUrl protected.
2009-09-11 20:48:41 +00:00
Luke Taylor
ac4e7bbadb
SEC-1241: Make sure saved request is removed after a match.
2009-09-09 10:11:45 +00:00
Luke Taylor
f518da9d8b
SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found.
2009-09-05 15:26:07 +00:00
Luke Taylor
5bdfd8cd77
Tidying imports etc to remove compiler warnings.
2009-09-05 14:14:58 +00:00
Luke Taylor
002b788a8c
Minor refactoring.
2009-09-04 12:15:19 +00:00
Mike Wiesner
5623c13038
SEC-1047: Added an option to DigestProcessingFilter that the created Authentication object is now marked as "authenticated"
2009-09-02 16:12:19 +00:00
Luke Taylor
936326f4ab
SEC-1180: Unreachable code inside UrlUtils.buildRequestUrl(...). Removed code block.
2009-09-01 18:13:28 +00:00
Luke Taylor
32dbb7e8bd
import cleaning
2009-09-01 16:41:53 +00:00
Luke Taylor
2039200617
SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.
2009-09-01 16:08:20 +00:00
Luke Taylor
b2c2b93545
SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstactPreAuthenticatedProcessingFilter. If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user.
2009-09-01 00:18:48 +00:00
Luke Taylor
3cc47c9c4d
SEC-1190: Added "checkForPrincipalChanges" property to AbstactPreAuthenticatedProcessingFilter.
2009-08-31 23:28:40 +00:00
Luke Taylor
dbcb13ad14
SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination.
2009-08-31 22:48:49 +00:00
Luke Taylor
a4ccc4ac21
Make WebSecurityExpressionRoot public to allow reuse.
2009-08-28 14:02:02 +00:00
Luke Taylor
471206a29d
SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy
2009-08-27 10:43:01 +00:00
Luke Taylor
ab0d66071a
SEC-1226: Introduce RedirectStrategy to replace RedirectUtils. Implemented strategy and applied throughout relevant classes.
2009-08-27 10:42:11 +00:00
Luke Taylor
fe33f08b73
SEC-1201: Allow requires-channel attribute to take placeholders.
2009-08-23 16:42:06 +00:00
Luke Taylor
0b5160d155
Javadoc correction.
2009-08-22 18:02:39 +00:00
Luke Taylor
5a8772df5b
Reset pom versions post release
2009-08-21 12:02:49 +00:00
Luke Taylor
0e5aa7008d
[maven-release-plugin] prepare release spring-security-3.0.0.M2
2009-08-20 15:51:26 +00:00
Luke Taylor
e6631be778
Import cleaning
2009-08-10 16:07:05 +00:00
Luke Taylor
6f76fe6fbb
Import cleaning
2009-08-10 16:04:54 +00:00
Luke Taylor
eb059cfd12
SEC-1211: removed SessionUtils (no longer used)
2009-08-10 14:30:17 +00:00
Luke Taylor
f536c80020
SEC-1202: Removed SpringSecurityFilter and replaced with use of GenericFilterBean from spring-web
2009-08-10 14:18:18 +00:00
Luke Taylor
c12e5b4d0b
SEC-1142: Renamed setter argument to match property.
2009-08-07 22:55:14 +00:00
Luke Taylor
ea73fd0130
SEC-1142: Simplified implementation by removing template method.
2009-08-07 22:54:07 +00:00
Luke Taylor
90d76373cc
SEC-1142: Support for session timeout detection. Added redirect to invalidSessionUrl in SessionManagementFilter when an invalid session Id is supplied in the request.
2009-08-07 17:12:12 +00:00
Luke Taylor
3e6054b69f
SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.
2009-07-29 00:52:30 +00:00
Luke Taylor
5e285b3692
SEC-1211: Set the default AuthenticatedSessionStrategy to a null implementation to preserve existing behaviour.
2009-07-28 23:57:46 +00:00
Luke Taylor
609a68b12a
SEC-1077: Added DefaultAuthenticatedSessionStrategy test to check that saved request attribute is retained when migrateAttributes is false.
2009-07-28 23:47:26 +00:00
Luke Taylor
db90122179
SEC-1211: Create strategy for session handling on successful authentication. Added AuthenticatedSessionStrategy interface and default implementation which encapsulates the functionality that was previously in SessionFixationProtectionFilter and AbstractAuthentictationProcessingFilter. Updated the namespace to make use of these.
2009-07-28 18:00:24 +00:00
Luke Taylor
8b115e2a21
SEC-1167: Added setRequestCache to SavedRequestAwareAuthenticationSuccessHandler and updated namespace parsing to set PortResolver on created HttpRequestCache.
2009-07-20 22:52:48 +00:00
Luke Taylor
f404bb3d74
SEC-1167: Introduce more flexible SavedRequest handling. Separated the concept of SavedRequest from SecurityContextHolderAwareFilter since the two are orthogonal requirements. This no longer takes a wrapper class property or uses reflection. SavedRequest functionality is accessed through the RequestCache interface, with the default implementation being HttpSessionRequestCache. A separate filter RequestCacheAwareFilter is now responsible for reconstituting the SavedRequest if it matches the current request. The functionality for matching and returning the wrapper is contained in the RequestCache method though.
2009-07-20 22:34:40 +00:00
Luke Taylor
e63fba3a36
Tidying
2009-07-08 23:55:42 +00:00
Luke Taylor
8ddd96af2b
SEC-1186: intermediate commit of namespace changes for improved tooling support
2009-06-26 12:44:46 +00:00
Luke Taylor
c6b9371029
Updated to latest Spring build snapshot. Required minor EL changes to parser class name
2009-06-15 23:41:20 +00:00
Luke Taylor
e92aac225f
Minor javadoc.
2009-06-15 13:53:56 +00:00
Luke Taylor
5808da12ff
SEC-1094: Simplified WebXml attribute mapping. Removed generic jaxen-based implementation on which it was based in favour of simple DOM model traversal. Updated sample.
2009-06-08 15:23:41 +00:00
Luke Taylor
33eef5ec7a
Javadoc updates
2009-06-08 13:04:31 +00:00
Luke Taylor
66f7e8bcc8
SEC-1168: Added filter-security-metadat-source to namespace.
2009-06-08 12:59:13 +00:00
Luke Taylor
bb7ef1fa8b
Added HTML tags
2009-05-31 21:27:23 +00:00
Luke Taylor
131ba5c62e
Reset poms to 3.0.0.CI-SNAPSHOT after tagging M1 release
2009-05-27 00:12:30 +00:00
Luke Taylor
e2c218e8c9
[maven-release-plugin] prepare release spring-security-3.0.0.M1
2009-05-26 23:44:11 +00:00
Luke Taylor
0cb40d6ae4
Javadoc update
2009-05-26 22:16:11 +00:00
Luke Taylor
45c54c558c
Updated build to use maven.springframework.org deps
2009-05-13 06:16:05 +00:00
Luke Taylor
a8215fa2cb
SEC-1160: Renaming of authentication filters and entry points and associated doc changes
2009-05-12 05:37:11 +00:00
Luke Taylor
5a03e842bd
Correcting Javadoc.
2009-05-12 01:40:15 +00:00
Luke Taylor
4bad213b19
SEC-1132: Moved remaining preauth code from core to web
2009-05-12 00:11:06 +00:00
Luke Taylor
d5b7ce69cc
SEC-1158: Decoupling of Pre/Post annotations implementation from Spring EL.
2009-05-11 05:35:20 +00:00
Luke Taylor
29fafbbf18
Misc tidying up of old files and refactoring of tests
2009-05-05 13:29:59 +00:00
Luke Taylor
6d655aa514
SEC-1132: More refactoring to remove cycles ad reduce complexity metrics
2009-05-04 14:24:54 +00:00
Luke Taylor
5b543f83ec
Removed web dependency on core-tests
2009-05-04 02:25:49 +00:00
Luke Taylor
dca566ff1f
SEC-1149: WebInvocationPrivilegeEvaluator now contains methods to evaluate the permissions on URIs directly. Deleted FilterInvocationUtils.
2009-05-02 06:02:17 +00:00
Luke Taylor
d1cb85e4f3
Refactoring of methods names in UrlUtils for consistency.
2009-05-01 10:43:41 +00:00
Luke Taylor
f6800fbe04
Refactored to remove dependency on FilterInvocationUtils.
2009-05-01 08:57:28 +00:00
Luke Taylor
4bc788828c
SEC-1147: Remove use of SessionRegistryUtils. Inlined the methods.
2009-05-01 06:45:34 +00:00
Luke Taylor
6db9a3facc
Minor debugging optimizations.
2009-04-30 05:21:54 +00:00
Luke Taylor
e94baf38b3
Tidying up to remove warnings (generics, use of deprecated test classes etc).
2009-04-28 06:49:43 +00:00
Luke Taylor
530a7b5d21
Use context returned by SecurityContextHolder.createEmptyContext() as contextObject default value.
2009-04-27 07:31:35 +00:00
Luke Taylor
95ab95b6e3
SEC-1078: Missed commit of default strategy class.
2009-04-27 07:12:12 +00:00
Luke Taylor
6bd7421a1b
SEC-1078: Converted WASSecurityHelper to an internal interface and added test for scenario from this issue.
2009-04-27 06:01:40 +00:00
Luke Taylor
e45f6914ee
Import cleaning.
2009-04-27 02:21:12 +00:00
Luke Taylor
1454cbb78e
SEC-1132: Moved TextUtils to web module and StringSplit utils into Digest authentication package (as they aren't used elsewhere).
2009-04-25 08:04:26 +00:00
Luke Taylor
a76cbee4bc
SEC-1132: Moved ThrowableAnalyzer code to web module as it is only used in ExceptionTranslationFilter
2009-04-25 07:03:15 +00:00
Luke Taylor
22e7142f45
SEC-998: Bundlor enabled in web, ldap, config and core modules
2009-04-24 09:12:53 +00:00
Luke Taylor
21e36e0a57
Updated version number from 2.5.0-SNPSHOT to 3.0.0.CI-SNAPSHOT
2009-04-22 12:55:52 +00:00
Luke Taylor
23d7778484
Typo.
2009-04-22 12:53:50 +00:00
Luke Taylor
cac2bce382
Refactored SessionRegistryImpl to remove servlet API deps and moved back into core, along with other concurrent authentication package classes.
2009-04-21 06:05:14 +00:00
Luke Taylor
271fbb7ddf
SEC-1081: Fix for PersistentTokenBasedRememberMeServices int overflow problem.
2009-04-20 09:08:35 +00:00
Luke Taylor
2ff089af62
Restructure to standard layout.
2009-04-20 04:17:59 +00:00
Luke Taylor
c21300d3ad
Tidying imports.
2009-04-19 02:29:16 +00:00
Luke Taylor
6b3d0eac40
SEC-1111: Fix for "java.io.CharConversionException: Not an ISO 8859-1 character". Use response.getWriter() instead of printing to ServletOutputStream.
2009-04-18 07:35:34 +00:00
Luke Taylor
23c23c6f3f
Remove unused import.
2009-04-16 04:03:18 +00:00
Luke Taylor
292926518b
SEC-1136: Converted base exceptions to extend RuntimeException rather than NestedRuntimeException.
2009-04-15 10:19:37 +00:00
Luke Taylor
93bdcccaee
SEC-1132: Moved userdetails into core and added core/authority sub-package
2009-04-15 07:39:21 +00:00
Luke Taylor
c770998d92
SEC-1132: Move authoritymapping to core as it is actually used in loading authorities for a use, not in making access decisions.
2009-04-14 04:22:57 +00:00
Luke Taylor
769041474e
SEC-1136: Missed an import.
2009-04-14 02:35:13 +00:00
Luke Taylor
10673780db
OPEN - issue SEC-1136: Removed SpringSecurityException. Introduced new AclException as base class for Acl module. Refactored JAAS authentication to map to AuthenticationExcpetions rather than SpringSecurityException. Modified ExceptionTranslationFilter to look explicitly for AuthenticationException or AccessDeniedException (which it should do since these are the only two it handles).
2009-04-13 14:56:49 +00:00
Luke Taylor
ca7d055c2b
SEC-1132: Created core and authentication packages within core module.
2009-04-13 13:43:23 +00:00
Luke Taylor
9efb5a7007
SEC-1132: Moved access-control/authorization specific code to org.sf.security.access package. Created provisioning package for user management classes to remove cyclical deps. Some other moving of classes to remove code tangles. Restructuring of portlet module under org.sf.security.portlet
2009-04-12 12:23:23 +00:00
Luke Taylor
7c4d54f356
SEC-1131: Applied patch for portlet upgrade
2009-04-12 05:52:20 +00:00
Luke Taylor
1b43e3661a
SEC-1132: Moved switch user event class to web module as it is only used by SwitchUserProcessingFilter.
2009-04-12 04:16:46 +00:00
Luke Taylor
f746a20ab4
SEC-1132: package refactoring of non-core modules
2009-03-27 05:01:03 +00:00
Luke Taylor
bec84f874a
SEC-1125: Further refactoring of web packages following creation of web module. Fixing samples.
2009-03-26 07:18:36 +00:00
Luke Taylor
2a9a8a41db
SEC-1125: Created separate web module spring-security-web
2009-03-25 06:28:18 +00:00