1ed5227d75
Removed @Override from HttpFirewallBeanDefinitionParser.parse since it does not override a method definition, it implements one.
...
Fixed The method parse(Element, ParserContext) of type HttpFirewallBeanDefinitionParser must override a superclass method HttpFirewallBeanDefinitionParser.java /spring-security-config/src/main/java/org/springframework/security/config/http line 23 Java Problem
2010-12-16 22:20:20 -06:00
2be2660b13
SEC-1636: Add optimizations for simple pattern cases in AntPathRequestMatcher. "/**" and "**" are treated as universal matches and a trailing "/**" is now optimized using a substring match.
2010-12-11 21:56:35 +00:00
4a40d80da1
SEC-1418: Deprecate GrantedAuthorityImpl in favour of final SimpleGrantedAuthority.
...
It should be noted that equality checks or lookups with Strings or other authority types will now fail where they would have succeeded before.
2010-12-03 16:41:46 +00:00
441aa25383
SEC-1615: Changed key generation for anonymous provider to only use SecureRandom on demand.
2010-12-01 20:52:37 +00:00
b9a98613eb
SEC-1593: Added tests to try to reproduce issue.
2010-11-03 19:37:25 +00:00
21ed5feb8d
SEC-1600: Added Implementation-Version and Implementation-Title to manifest templates and checking of version numbers in namespace config module and core. Config checks the version of core it is running against and core checks the Spring version, reporting any mismatches or situations where the app is running with less than the recommended Spring version.
2010-10-27 13:25:40 +01:00
f70942c6f5
SEC-1589: Add support for property placeholder in intercept-methods access attribute.
2010-10-27 13:25:39 +01:00
173537f4f2
SEC-1584: Added namespace support for injecting custom HttpFirewall instance into FilterChainProxy.
2010-10-27 13:25:39 +01:00
0961671772
Reinstated missing 3.0.3 schema file
2010-10-27 13:25:39 +01:00
f455e9a5a4
SEC-1584: Documentation of request-checking and matching process. Logging of servletPath and and pathInfo in DebugFilter for comparison.
2010-10-27 13:25:39 +01:00
7d97adc687
SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/".
2010-10-27 13:25:39 +01:00
ee12d54bec
SEC-1536: moved web.authentication.jaas to web.jaasapi
...
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
2010-10-05 22:28:42 -05:00
e69b981c72
Make method in MatcherType public for use in OAuth.
2010-09-25 20:09:12 +01:00
11a87d1fa0
Switch to using xsd:boolean in schema file.
2010-09-19 18:17:06 +01:00
1b2b371970
SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element.
...
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.
Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
2010-09-16 16:03:24 +01:00
383211561c
Moved LDAP placeholder config test into LDAP tests to prevent issues with parallel tests. Converted LdapProviderBDP tests to groovy/spock. Other misc tidying of config tests.
2010-09-16 12:31:23 +01:00
7dd8cd2fb9
Make sure ApacheDS work directory is set correctly for separate LDAP test task in config module.
2010-09-16 10:50:12 +01:00
a128e3b4fe
http://forum.springsource.org/showthread.php?p=318755 Added PlaceHolderAndELConfigTests.ldapAuthenticationProviderWorksWithPlaceholders
2010-09-13 13:44:12 -05:00
de819378fc
SEC-1536: added JAAS API Integration, updated doc, updated jaas sample
2010-09-13 13:12:45 -05:00
0217e98bdb
Added an AppListener to collect events for use in tests
2010-09-13 14:20:21 +01:00
f4d57ab5e8
SEC-1456: Remove maven poms as we are now using gradle for the build.
2010-08-30 19:02:19 +01:00
20988c8cf6
Minor refactoring of debug filter and tidying up tests.
2010-08-27 01:49:30 +01:00
bdb906e588
Enable parameterization for log levels in logback files to allow the use of command-line options for controlling log output.
2010-08-24 18:25:39 +01:00
1db83fc81e
Minor BD parser tidying.
2010-08-20 21:14:00 +01:00
c37ca1c2a9
Sample app build adjustments to remove unwanted deps such as jsp-api, tidy up use of JSTL, make sure all are using servlet 2.5 etc.
2010-08-19 22:41:51 +01:00
5f6bcc0e1e
SEC-1540: Fix to add HTTP-method specific support for namespace requires-channel attribute.
2010-08-18 13:01:16 +01:00
3c02989d67
Removal of jmock test dependency and upgrading of mockito version to 1.8.5. Minor adjustments to other build deps and configurations (e.g. prevent groovy from being used as a transitive dep, since we only use it for tests).
2010-08-18 02:32:43 +01:00
aafc5f9038
File rename to correct case.
2010-08-17 02:27:36 +01:00
1f520b691f
SEC-1469: Initial support for debugging filter.
2010-08-17 02:23:34 +01:00
591bd532bd
Polishing FilterChainProxy and its tests.
2010-08-17 02:20:34 +01:00
6abfa2e887
Update minimum required schema to 3.1.
2010-08-17 02:19:55 +01:00
4bd41cbf72
SEC-1133: Support for setting of authenticationDetailsSource property for form-login, openid-login, http-basic and x509 namespace elements. These elements now support an additional 'authentication-details-source-ref' attribute.
2010-08-14 15:10:03 +01:00
4935aa07c7
SEC-1535: Added suggested doc fixes.
2010-08-12 20:41:29 +01:00
2222a7be07
Use Integer.valueOf() in preference to new Integer()
2010-08-11 18:17:23 +01:00
dca0fd871c
SEC-1532: Add cache of previously matched beans to ProtectPointcutPostProcessor to ensure that it doesn't perform pointcut matching every time a new prototype bean is created.
2010-08-09 17:16:43 +01:00
85c4c91e0e
IDEA inspection refactorings.
2010-08-05 23:28:07 +01:00
413b2a06e3
Improvements in up-to-date checking and use of parallel tests where possible.
2010-08-05 02:11:00 +01:00
64375484a1
More build and logging tuning.
2010-08-04 22:55:17 +01:00
2d9a848265
Added missing gradle build files for remaining samples. Some related reordering, dependency fixing etc. CAS sample no longer requires two separate subprojects as both client and server app can be run from a single gradle build.
2010-07-27 02:20:36 +01:00
c1c8fd1874
SEC-1171: Changed attribute name/value from secured="false" to security="none" to allow future extension by adding extra options (e.g. contextOnly to provide security context information during the request).
2010-07-20 19:46:47 +01:00
a4fd191499
Added check for use of "ref" with other attributes in <authentication-provider>.
2010-07-20 14:31:52 +01:00
4683273c2c
Correct message in namespace handler when web classes are missing.
2010-07-12 12:40:06 +01:00
69a10c48ae
Switch to using slf4j/logback for logging.
...
We still compile modules against commons-logging but all runtime logging and samples will use logback
2010-07-12 12:39:52 +01:00
443ac0487a
SEC-1093: Namespace support for jee element.
...
Adds a J2eePreAuthenticatedProcessingFilter to the stack, using a SimpleAttributes2GrantedAuthoritiesMapper to process the role attributes defined in the "mappable-roles" attribute. Provider uses a PreAuthenticatedGrantedAuthoritiesUserDetailsService by default.
2010-07-07 22:42:26 +01:00
026517f674
Removal of deprecated methods and classes.
2010-06-26 16:23:42 +01:00
6a79cf7be2
SEC-1383: Make MethodSecurityMetadataSourceBeanDefinitionParser extend AbstractBeanDefinitionParser for automatic support of ID attribute.
2010-06-26 16:07:23 +01:00
cd946c4e23
SEC-1493: Added namespace support.
2010-06-20 21:09:38 +01:00
8bddc8f820
SEC-1484: Documentation for some namespace attributes.
2010-06-05 17:35:24 +01:00
2e865752ff
Upgraded groovy to 1.7.2 to avoid jansi dependency issue
2010-06-03 23:13:28 +01:00
efb600166a
SEC-1488: Remove commons-logging dependencies from maven poms.
2010-05-28 13:10:59 +01:00
f7405cef82
Removed original Java version of refactored http namespace tests.
2010-05-27 18:06:26 +01:00
34401416b0
SEC-1171: Implement parsing of empty filter chain patters via http 'secured' attribute and remove filters='none' support.
2010-05-27 15:54:15 +01:00
05c7abe191
SEC-1445: Tests for setting of username and password parameter names through the form-login element.
2010-05-27 15:54:15 +01:00
7d74b7c87e
SEC-1171: Allow multiple http elements and add pattern attribute to specify filter chain mapping.
2010-05-27 15:54:15 +01:00
b0758dd8de
Refactoring HTTP config tests to use spock and groovy MarkupBuilder
2010-05-27 15:53:52 +01:00
b0308e41cb
SEC-1455: Load namespace parsers when required, rather than on init() call, to avoid classloaded issue with dmServer failing to resolve web classes when the namespace handler is first used.
2010-05-21 15:36:37 +01:00
a4ce14f604
Add "provisioning" package to config bundlor template.
2010-05-16 14:14:13 +01:00
d5ffdd9c27
Import cleaning
2010-05-03 18:46:06 +01:00
dccb30ad63
Remove use of wrong DOMUtils class (from com.sun package).
2010-05-01 15:06:48 +01:00
863ccecf55
SEC-1466: Report error if authentication-provider element has child elements when used with "ref" attribute.
2010-04-30 20:22:20 +01:00
165cbb0d19
SEC-1445: Added support for custom username and password parameters in form-login.
2010-04-30 18:14:50 +01:00
a421370a3d
SEC-1465: Change DelegatingMethodSecurityMetadataSource to use constructor injection to get round the problem of it being invoked before it has been initialized properly. Also changed the contacts tests to use the same app context and loading order as the actual webapp, to give better reassurance that the app will run successfully.
2010-04-25 22:00:25 +01:00
f5859fabcf
SEC-1464: Created InMemoryUserDetailsManager and converted user-service BDP to use it for its in-memory database.
2010-04-25 04:26:45 +01:00
2f025fba6c
SEC-1460: Added AxFetchListFactory which matches OpenID identifiers to lists of attributes to use in a fetch-request.
...
This allows different configurations to be used based on the identity-provider (google, yahoo etc). The default implementation iterates through a map of regex patterns to attribute lists. The namespace has also been extended to support this facility, with the "identifier-match" attribute being added to the attribute-exchange element. Multiple attribute-exchange elements can now be defined, each matching a different identifier.
2010-04-20 23:47:48 +01:00
d3d9c5db59
Refactoring of UserDetailsService injection (for X509, OpenID and RememberMeServices) to use a factory bean rather than a post-processor.
2010-04-20 23:47:47 +01:00
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
2010-04-01 01:24:23 +01:00
a3ef8255d8
SEC-1232: GlobalMethodSecurityBeanDefinitionParser support for mode='aspectj'
...
Also added this syntax to the aspectj sample.
2010-03-31 18:31:28 +01:00
020e0aa49a
SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext.
...
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
2010-03-30 15:52:40 +01:00
977bc2b164
SEC-1433: Reduce the number of direct dependencies on DataAccessException from spring-tx.
...
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
2010-03-26 18:05:28 +00:00
57150a6717
SEC-1440: Add entry-point-ref to http-basic element to allow setting a separate AuthenticationEntryPoint for the BasicAuthenticationFilter.
2010-03-26 12:47:24 +00:00
472c1fac84
SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
...
Ensures protect-pointcut expressions match methods with generic parameters.
2010-03-24 20:57:03 +00:00
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
2010-03-07 21:58:25 +00:00
b38b8e55ac
SEC-1432: Convert map keys to lower-case in UserMap.setUsers().
...
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
2010-03-05 17:55:29 +00:00
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
2010-03-04 21:21:07 +00:00
e5a875d752
SEC-1407: Correct logger category in MatcherType.
2010-03-01 02:03:32 +00:00
90a7f1f00e
SEC-1383: Namespace support for MethodSecurityMetadataSource. Initial commit.
2010-03-01 01:45:43 +00:00
93438defff
SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy.
...
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
2010-03-01 01:21:06 +00:00
b147652193
Make hsqldb a testRuntime/runtime dependency.
2010-03-01 01:10:58 +00:00
f0466b6488
SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all.
2010-02-27 00:22:21 +00:00
6a34807a07
SEC-1423: Cache PointcutExpression instances in ProtectPointcutPostProcessor for more efficient startup.
2010-02-26 17:21:25 +00:00
2f1479785e
Refactoring to remove remaining circular dependencies indicated by structure101.
2010-02-22 01:48:22 +00:00
f3f84da625
Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0.
2010-02-21 23:25:36 +00:00
26cf6f5528
SEC-1399: Remove MockAuthenticationManager in app context file for FilterChainProxy tests.
2010-02-20 21:59:44 +00:00
68f6afd905
SEC-1383: Added namespace support for method-security-metadata-source
2010-02-20 19:05:25 +00:00
b7fc5bc455
Update schema version to 3.1
2010-02-20 18:58:00 +00:00
2ee7696bf4
Update version number to 3.1.0.CI-SNAPSHOT.
2010-02-19 17:35:19 +00:00
44f45d21f0
3.0.2 release. Update version in build files.
2010-02-19 01:22:21 +00:00
10dc72b017
SEC-1387: Support serialization of security advised beans.
...
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
2010-02-19 00:53:14 +00:00
5b5934144a
Avoid infinite loop in InterceptMethodsBeanDefinitionDecoratorTests when upgrading to Spring 3.0.1.
...
Converted test target to implement ApplicationListener<SessionCreatedEvent> so that it doesn't receive events from its own interceptor (which are in turn intercepted).
2010-02-16 00:03:15 +00:00
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
2010-02-14 23:23:23 +00:00
dcbdfc2026
SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
...
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
2010-02-11 17:47:22 +00:00
70ef0d8b3e
Added extra test to itest/context as POC of using extra interceptor with http ns.
2010-02-11 01:48:00 +00:00
23511c930f
Standardising slf4j versions.
2010-02-11 01:33:31 +00:00
2173029216
SEC-1404: Use a factory method to convert the path to lower case for use in the filter-chain map.
...
Delays the conversion till after palceholders have been substituted, preventing the placeholder from being converted (or the value not being converted).
2010-02-10 23:49:26 +00:00
5753d69465
SEC-1404: Updated test for placeholders in intercept-url elements to check they work for filter='none' elements
2010-02-10 16:49:53 +00:00
bd2fd3448b
SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly.
2010-02-06 15:42:01 +00:00
d931495c8a
SEC-1380: Trim whitespace from config attributes when building a list in SecurityConfig.
2010-01-23 02:12:30 +00:00
51dfc0fb39
Set versions to 3.0.2-CI-SNAPSHOT, post release.
2010-01-15 18:15:19 +00:00
05634f97dc
Updated version numbers for 3.0.1 release.
2010-01-15 18:04:28 +00:00
670297c55d
SEC-1369: Make sure beans aren't registered twice in case allowBeanDefinitionOverriding=false in the app context.
...
The use of registerBeanComponent() also registers the bean definition, which causes an error if overriding is disallowed and the bean has already been registered using registerBeanDefinition(). I've also set the allowBeanDefinitionOverriding to 'false' on InMemoryXmlApplicationContext to detect future mistakes of this kind in testing.
2010-01-14 15:48:14 +00:00
Rob Winch
Luke Taylor
Rob Winch