c4ee46824c
Removing log4j.properties files and adding logback config ones.
2010-08-04 21:16:05 +01:00
ab248b2583
SEC-1454: Added use of Spring's new AopProxyUtils.ultimateTargetClass() method when resolving the target class in MethodSecurityEvaluationContext.
2010-07-30 14:36:41 +01:00
b854e67952
SEC-1522: Treat empty attribute collection the same as null when returned by SecurityMetadataSource. Both are now treated as public invocations.
2010-07-27 02:20:09 +01:00
2afccfc633
Remove commons-logging dependency properly and switch tutorial sample to logback/slf4j.
2010-07-23 01:57:31 +01:00
443ac0487a
SEC-1093: Namespace support for jee element.
...
Adds a J2eePreAuthenticatedProcessingFilter to the stack, using a SimpleAttributes2GrantedAuthoritiesMapper to process the role attributes defined in the "mappable-roles" attribute. Provider uses a PreAuthenticatedGrantedAuthoritiesUserDetailsService by default.
2010-07-07 22:42:26 +01:00
03fa8fce4d
SEC-1507: Applied patch to return empty authority list rather than null from RoleHierarchyImpl.
2010-07-02 19:51:00 +01:00
026517f674
Removal of deprecated methods and classes.
2010-06-26 16:23:42 +01:00
db913f6857
SEC-1493: Added CredentialsContainer interface and implemented it in User, AbstractAuthenticationToken and UsernamePasswordAuthenticationToken. ProviderManager makes use of this to erase the credentials of the returned Authentication object (and its contents) if configured to do so by setting the 'eraseCredentialsAfterAuthentication' property.
2010-06-20 21:09:33 +01:00
d56adb8ffb
SEC-1495: Convert User class equals and hashcode methods to only use the "username" property.
...
This prevents situations where other data may have changed when a User object is reloaded (during a subsequent authentication attempt, in which case and Set.contains()/Map.containsKey() will return false even though the collection in question contains a principal representing the same user.
2010-06-10 22:27:50 +01:00
efb600166a
SEC-1488: Remove commons-logging dependencies from maven poms.
2010-05-28 13:10:59 +01:00
0e57ce2dc3
SEC-1481: Updated constructors of Authentication types to use a generic wildcard for authorities collection.
2010-05-21 15:59:50 +01:00
c95cf6ec7d
SEC-1483: Change User constructor to use a generic wildcard for authorities collection.
2010-05-21 15:58:35 +01:00
b3aad4cf19
Javadoc fixes.
2010-05-06 20:02:08 +01:00
e7646a65f4
SEC-1421: Add setters to JdbcUserDetailsManager for group sql operations.
2010-05-03 14:53:06 +01:00
3c3aabf5be
SEC-1465: Change empty check to a null check for list of delegates for DelegatingMethodSecurityMetadataSource.
2010-04-25 22:11:35 +01:00
a421370a3d
SEC-1465: Change DelegatingMethodSecurityMetadataSource to use constructor injection to get round the problem of it being invoked before it has been initialized properly. Also changed the contacts tests to use the same app context and loading order as the actual webapp, to give better reassurance that the app will run successfully.
2010-04-25 22:00:25 +01:00
3bbbf07235
SEC-1464: Fix broken test (flags in returned user object were not being copied from stored user).
2010-04-25 20:12:00 +01:00
024e6904ff
SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager.
2010-04-25 04:27:09 +01:00
f5859fabcf
SEC-1464: Created InMemoryUserDetailsManager and converted user-service BDP to use it for its in-memory database.
2010-04-25 04:26:45 +01:00
d3d9c5db59
Refactoring of UserDetailsService injection (for X509, OpenID and RememberMeServices) to use a factory bean rather than a post-processor.
2010-04-20 23:47:47 +01:00
74896f217b
SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>.
2010-04-20 23:47:47 +01:00
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
2010-04-01 01:24:23 +01:00
020e0aa49a
SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext.
...
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
2010-03-30 15:52:40 +01:00
977bc2b164
SEC-1433: Reduce the number of direct dependencies on DataAccessException from spring-tx.
...
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
2010-03-26 18:05:28 +00:00
472c1fac84
SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
...
Ensures protect-pointcut expressions match methods with generic parameters.
2010-03-24 20:57:03 +00:00
e60108ca8c
SEC-1443: Modify Jsr250Voter to handle multiple "RolesAllowed" roles.
...
It now votes to abstain if there are no Jsr250 attributes present. If any are found, it will either deny or grant access. For multiple "RoleAllowed" attributes, access will be granted if any user authority matches or denied if no match is found.
2010-03-22 16:26:04 +00:00
9e049dfef4
SEC-1438: Removed JoinPoint support from AbstractMethodSecurityMetadataSource
2010-03-11 21:51:19 +00:00
c09cd3a9cb
Remove unused inner class in MethodSecurityMetadataSourceAdvisor
2010-03-11 01:52:07 +00:00
55de2cfcb1
SEC-1262: Added new (replacement) AspectJ interceptor which wraps the JoinPoint in a MethodInvocation adapter to provide compatibility with classes which only support MethodInvocation instances.
...
Also deprecated the existing AspectJ interceptors. This will also allow future simplification of the AbstractMethodSecurityMetadataSource, as it no longer needs to support JoinPoints.
2010-03-11 01:51:59 +00:00
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
2010-03-07 21:58:25 +00:00
b38b8e55ac
SEC-1432: Convert map keys to lower-case in UserMap.setUsers().
...
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
2010-03-05 17:55:29 +00:00
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
2010-03-04 21:21:07 +00:00
0551dd89ac
SEC-1420: Add htmlEscape attribute to authentication JSP tag.
...
This allows HTML escaping to be disabled if required.
2010-03-04 00:47:22 +00:00
b147652193
Make hsqldb a testRuntime/runtime dependency.
2010-03-01 01:10:58 +00:00
f3f84da625
Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0.
2010-02-21 23:25:36 +00:00
ea7ccc718d
SEC-1399: Removed AbstractAuthenticationManager.
...
MockAuthenticationManager was the only other subclass (apart from the main ProviderManager) and has been removed also.
2010-02-20 21:35:39 +00:00
dacb8dd25a
SEC-1382: Removed deprecated label-based voter and related classes.
2010-02-20 20:50:16 +00:00
b37d2ed978
SEC-593: Added PermissionCacheOptimizer strategy interface and implementation in Acl module.
...
This is used by DefaultMethodSecurityExpressionHandler to allow permissions to be cached before repeatedly evaluating an expression for a collection of domain objects.
2010-02-20 18:02:12 +00:00
2ee7696bf4
Update version number to 3.1.0.CI-SNAPSHOT.
2010-02-19 17:35:19 +00:00
44f45d21f0
3.0.2 release. Update version in build files.
2010-02-19 01:22:21 +00:00
d2b2ca3bc6
SEC-1387: Use a transient object as the advice monitor, rather than a Serializable.
...
No need for an anonymous inner class.
2010-02-19 01:02:22 +00:00
10dc72b017
SEC-1387: Support serialization of security advised beans.
...
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
2010-02-19 00:53:14 +00:00
dbee91002e
Deprecate EncryptionUtils.
2010-02-14 23:27:29 +00:00
c12c43da9e
Javadoc fixes.
2010-02-14 23:27:09 +00:00
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
2010-02-14 23:23:23 +00:00
67c9a0b78d
SEC-1389: Added "iterations" property to BaseDigestpasswordEncoder to support "stretching" of passwords.
2010-02-06 17:34:07 +00:00
bd2fd3448b
SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly.
2010-02-06 15:42:01 +00:00
10d787ede2
Javadoc corrections to SessionRegistryImpl
2010-02-03 23:49:36 +00:00
d931495c8a
SEC-1380: Trim whitespace from config attributes when building a list in SecurityConfig.
2010-01-23 02:12:30 +00:00
1a7f71fc0f
SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
...
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
2010-01-19 01:07:33 +00:00
51dfc0fb39
Set versions to 3.0.2-CI-SNAPSHOT, post release.
2010-01-15 18:15:19 +00:00
05634f97dc
Updated version numbers for 3.0.1 release.
2010-01-15 18:04:28 +00:00
0f90e69004
SEC-1362: Updated French messages translation.
2010-01-13 15:37:18 +00:00
b323098167
Added gradle build files for taglibs, tutorial, contacts and openid.
...
Changed build file names to match module names (by manipulating the project objects in the settings.gradle file).
2010-01-10 23:31:23 +00:00
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
2010-01-08 21:05:13 +00:00
93973a4b75
SEC-1304: Removed compareTo method from GrantedAuthorityImpl
...
This method had been left by mistake when the Comparable
interface was removed. See also SEC-1347.
2010-01-04 19:13:49 +00:00
80aacf447f
Refactored JaasAuthenticationProvider
...
The toUrl() method on File gives a deprecation warning with Java 6, so I reimplemented
the logic for building the Jaas config URL.
2010-01-03 16:28:44 +00:00
893f212fa5
Tidying
2010-01-02 19:53:19 +00:00
bcb1ff8921
SEC-1342: Introduced extra factory method in SecurityConfig to get round problem with Spring converting a string with commas to an array
2009-12-23 14:12:59 +00:00
115d5b84ff
[maven-release-plugin] prepare for next development iteration
2009-12-22 22:20:01 +00:00
6c6ef08353
[maven-release-plugin] prepare release spring-security-3.0.0.RELEASE
2009-12-22 22:19:38 +00:00
e64866ae6a
Updated bundlor templates and introduced spring.version variable
2009-12-22 01:10:04 +00:00
fcce29f8df
SEC-1326: Updating dependencies to match Spring versions. Removing unused deps.
2009-12-21 17:32:38 +00:00
aeed49393c
Switching StringBuffer to StringBuilder throughout the codebase (APIs permitting).
2009-12-18 18:44:42 +00:00
354b043fd1
SEC-1337: Add Serializable interface to internal comparator
2009-12-18 14:12:32 +00:00
55679971f0
SEC-1337: Make User serializable by moving anonymous comparator class
2009-12-18 13:49:02 +00:00
cad32ffe39
SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. removed unnecessary null checks in classes which use the interface.
2009-12-13 17:37:24 +00:00
ef3d9c7877
Tidying Javadoc.
2009-12-13 16:20:28 +00:00
1e8ea55030
SEC-1320: JaasAuthenticationProvider can not find jaas realm defined inside service archive. Added flag to control refresh of configuration on startup.
2009-12-13 16:19:53 +00:00
520e733cb2
[maven-release-plugin] prepare for next development iteration
2009-12-08 21:19:41 +00:00
f2cf17bd49
[maven-release-plugin] prepare release spring-security-3.0.0.RC2
2009-12-08 21:19:20 +00:00
adfac7e718
Added gradle file for cas and standardised ehcache version
2009-12-08 01:54:15 +00:00
33b109f0b3
Made session maps final in SessionRegistryImpl.
2009-12-08 01:33:01 +00:00
558737363f
Added some extra tracing to SessionRegistryImpl.
2009-12-08 01:28:47 +00:00
cde9cd6b36
Correct toString() method in User class.
2009-12-08 00:16:08 +00:00
02a9db7bcf
SEC-1317: Removed check in ProviderManager.getProviders() for empty provider list. A ProviderManager with a non-null parent may have an empty provider list. The afterPropertiesSet() method performs the necessary checks.
2009-12-07 21:38:40 +00:00
dab76249db
Added gradle build files (experimental)
2009-12-04 21:33:17 +00:00
dada789814
NOJIRA
...
removed unnecessary cast and use StringBuilder rather than non-final String and concatenation.
2009-12-01 15:19:56 +00:00
ed92d5ea71
SEC-1304: Removed unused compareTo method from custom GrantedAuthority.
2009-12-01 14:32:57 +00:00
8a0f69b955
SEC-1295: Placing Security on Roo Aspected method fails. Added suggested fix - check for null target and use Signature.declaredType instead.
2009-11-30 22:00:49 +00:00
7e0c7ffc0e
SEC-1304: Removed "Comparable" from GrantedAuthority
2009-11-30 21:27:13 +00:00
e72cfd58d4
SEC-1304: Remove Comparable interface from GrantedAuthority to enable it to be imlemented by an enum.
2009-11-30 21:22:11 +00:00
1df82654e3
SEC-1310: Added toString() implementations to Pre and PostInvocationExpressionAttribute classes.
2009-11-30 17:32:03 +00:00
69699431b1
SEC-1303: Added internal Hex and Base64 classes, and moved commons-codec dependency to test scope
2009-11-24 09:31:03 +00:00
b39db5b711
Removed jaxen from template.mf
2009-11-17 14:25:20 +00:00
d4d5012035
SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher. Update AuthenticationManagerBeanDefinitionParser to register a DefaultAuthenticationeventPublisher and set it on the registered ProviderManager.
2009-11-17 12:55:53 +00:00
1898b4df52
Updated scope of commons collections to 'test'
2009-11-17 00:00:59 +00:00
248e826342
SEC-1282: Clarified javadoc
2009-11-03 16:31:55 +00:00
3f963ef8ca
Restore versions and svn URLs in trunk (release plugin fail)
2009-10-11 21:59:38 +00:00
af563e826c
[maven-release-plugin] prepare release spring-security-3.0.0.RC1
2009-10-11 21:43:42 +00:00
0615b94f55
Converted expression test to use static method.
2009-10-09 23:42:23 +00:00
4dcb9de67a
SEC-1257: Some additional API changes to use Collection instead of List...
2009-10-07 21:08:20 +00:00
f213cc5d9e
SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted.
2009-10-06 19:46:44 +00:00
caff3ee9ba
SEC-1231: Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>. Refactored the interface and related classes to match (UserDetails etc).
2009-10-05 19:28:53 +00:00
acf13c74ca
SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session
2009-10-05 15:51:00 +00:00
2a1430f1ce
SEC-1229: Removed legacy concurrency classes
2009-09-29 16:18:25 +00:00
9639340fef
SEC-1049: RoleHierarchy in SidRetrievalStrategy. Added optional RoleHierarchy injection to SidRetrievalStrategyImpl
2009-09-16 19:59:37 +00:00
1c4a809e09
SEC-1245: Add role hierarchy support to expression handlers. Done.
2009-09-15 17:17:21 +00:00
897960cd70
Add expression string to failed expression evaluation exception message to help clarify the context.
2009-09-13 22:29:07 +00:00
6851655ea9
SEC-1177: MethodInvocationUtils Returns Null With Valid Method String and Class. Added very simple checking of declared methods on class.
2009-09-09 19:49:44 +00:00
ef2df77889
SEC-1239: Special characters in JAAS config file location. Fix - convert Resource to a File before obtaining the URL from it. The URL.toString() obtained this way is different from the one obtained from Resource.getURL().toString().
2009-09-09 17:41:35 +00:00
8081a1a3cc
Set Id svn keyword.
2009-09-03 19:55:18 +00:00
e14a904306
SEC-1181: fixed recursive import in template.mf
2009-09-02 15:31:22 +00:00
660b408e6e
SEC-1181: added import to template.mf for the DNS classes
2009-09-02 15:20:26 +00:00
58ee9a364e
SEC-1181: DNS helper classes, will primarily be use for lookup of Active Directory servers.
2009-09-02 14:29:35 +00:00
bfd421016e
SEC-1228
...
added constructor so a wrapper can be instanciated in one line of code.
2009-09-01 19:52:43 +00:00
471206a29d
SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy
2009-08-27 10:43:01 +00:00
9bf8656d66
SEC-1201: PropertyPlaceholderConfigurer does not work for intercept-url attributes. Added use of ManagedMaps and BeanDefinitions to support placeholders in the pattern and access attributes.
2009-08-22 21:09:34 +00:00
bb4d818862
SEC-1188: Added "getContexHolderStrategy" method to SecurityContextHolder.
2009-08-22 13:31:13 +00:00
5a8772df5b
Reset pom versions post release
2009-08-21 12:02:49 +00:00
0e5aa7008d
[maven-release-plugin] prepare release spring-security-3.0.0.M2
2009-08-20 15:51:26 +00:00
b807f7cbdd
Added comment to pom to explain spring-web requirement
2009-08-10 14:05:16 +00:00
972cd0a53c
javadoc
2009-08-10 12:10:04 +00:00
d65b1b3581
SEC-1200: Ukranian messages file
2009-08-10 11:41:24 +00:00
0f6642d3ab
SEC-1216: Replacement of custom-after-invocation-provider with after-invocation-provider element. Some changes to help prevent proxying of aop infrastructure classes (use of AopInfrastructureBean marker interface)
2009-08-04 00:18:07 +00:00
5953af0f6b
SEC-1196: Change use of <authentication-manager> to actually register the global ProviderManager instance. This element now registers the global ProviderManager instance and must contain any authentication-provider elements (or ldap-authentication-provider elements).
2009-08-03 00:21:11 +00:00
fdb7325cbc
Javadoc update
2009-07-24 15:21:59 +00:00
efd1dbf54a
Removed public modifier from getSessionController() method on ProviderManager.
2009-07-17 23:37:45 +00:00
1afa67c954
SEC-1195: Added internal AuthenticationManager for use by beans which are generated by the <http> block.
2009-07-15 23:09:47 +00:00
6346e31517
SEC-1195: Change <http> parsing behaviour to use an internal AuthenticationManager instance. Implemented "parent" AuthenticationManager in ProviderManager which is delegated to when no authentication is returned by the instances list of authentication providers. Extracted the Authentication success/failure publishing into a separate strategy.
2009-07-15 01:28:28 +00:00
1ca2e6e6fc
Tidying.
2009-07-13 23:12:32 +00:00
5d389d953d
RoleVoter test class.
2009-07-13 23:11:15 +00:00
946f3d1067
Converted to use mockito.
2009-07-13 23:10:52 +00:00
3b1cdc3ab4
Tidying.
2009-07-08 23:27:53 +00:00
8a3930e673
Refactoring of ProviderManager to ensure that any AuthenticationException from the ConcurrentSessionController will prevent further polling of providers.
2009-07-08 23:20:46 +00:00
6b53703e37
SEC-1187: Moved pre-authentication status check inside try/catch block and repeated the call after reloading the user during the "cacheWasUsed" logic.
2009-07-07 17:09:44 +00:00
980b9b73b8
deprecate property editor
2009-06-26 12:49:23 +00:00
c6b9371029
Updated to latest Spring build snapshot. Required minor EL changes to parser class name
2009-06-15 23:41:20 +00:00
db3f08cce4
SEC-1156: Added check for enableAuthorities setting in deleteUser method of JdbcUserDetailsManager.
2009-06-14 22:31:14 +00:00
ab7f06c108
SEC-1156: Modified JdbcUserDetailsManager to only save/update authorities if enableAuthorities is set
2009-06-14 22:26:44 +00:00
05ba2ff3f3
Improved Javadoc
2009-06-14 20:50:29 +00:00
3f603dfdd8
Removed invalid Javadoc reference to HttpSCIF
2009-06-10 12:44:06 +00:00
4e0d3c644f
Committed deletion of previous AuthorityUtilsTests
2009-06-09 01:50:35 +00:00
4768e4b13c
Removed methods relating to current context from AuthorityUtils, making it a simple factory for GrantedAuthority lists etc.
2009-06-09 01:42:37 +00:00
ab69a0a101
SEC-884: As per discussion in this issue. Added Javadoc to specify that Authentication object passed to decide method must not be null.
2009-06-09 01:14:55 +00:00
d2a8e43a55
SEC-1170: Some updates to UserDetails-related Javadoc.
2009-06-09 00:57:34 +00:00
cb6aa81701
Forgot to remove file
2009-06-08 19:21:22 +00:00
5808da12ff
SEC-1094: Simplified WebXml attribute mapping. Removed generic jaxen-based implementation on which it was based in favour of simple DOM model traversal. Updated sample.
2009-06-08 15:23:41 +00:00
43144cd75d
Javadoc updates.
2009-05-31 21:29:36 +00:00
67ad0456a1
Javadoc updates.
2009-05-31 21:28:50 +00:00
206598172c
Javadoc updates.
2009-05-31 21:26:03 +00:00
d1efb4eeed
generifying RowMappers in JdbcDaoImpl.
2009-05-30 13:52:39 +00:00
131ba5c62e
Reset poms to 3.0.0.CI-SNAPSHOT after tagging M1 release
2009-05-27 00:12:30 +00:00
e2c218e8c9
[maven-release-plugin] prepare release spring-security-3.0.0.M1
2009-05-26 23:44:11 +00:00
b6f3d82dac
Remove commented-out dependencies.
2009-05-26 22:18:53 +00:00
45c54c558c
Updated build to use maven.springframework.org deps
2009-05-13 06:16:05 +00:00
ef388529ae
Javadoc update.
2009-05-12 00:12:22 +00:00
4bad213b19
SEC-1132: Moved remaining preauth code from core to web
2009-05-12 00:11:06 +00:00
c7a2e12c65
Moved python script to correct directory
2009-05-11 06:03:59 +00:00
03d39f1e88
Minor package info updates.
2009-05-11 05:48:09 +00:00
Luke Taylor
Scott Battaglia
Mike Wiesner