2c8946c406
Next development version
2013-11-01 14:20:55 -05:00
9c703a3051
Release version 3.2.0.RC2
2013-11-01 14:20:49 -05:00
dc317b3602
WebSecurityConfigurerAdapter implements WebSecurityConfigurer
2013-11-01 12:26:32 -05:00
cda23443ac
XsdDocumentedTests now uses asciidoc instead of asciidoctor
2013-11-01 09:32:05 -05:00
26be54653b
SEC-2382: AutowireBeanFactoryObjectPostProcessor works w/ BeanNameAutoProxyCreator
2013-10-30 11:20:42 -05:00
9e7fbf8067
SEC-2321: Refine to use X-Requested-With: XMLHttpRequest
2013-10-28 14:00:56 -05:00
5f290ba10f
SEC-2371: Remove ObjectPostProcessor.QUIESENT_POSTPROCESSOR
2013-10-18 14:31:13 -05:00
604c26eb0d
Shis simplifies the class hieararchy significantly.EC-2366: Extract AbstractRequestMatcherRegistry from AbstractRequestMatcherConfigurer
...
This simplifies the class hierarchy significantly.
2013-10-17 13:37:51 -05:00
348e3a22b6
SEC-2365: registerAuthentication->configure
2013-10-16 13:59:56 -05:00
0978c12c47
SEC-2361: Java Config Sampels use @Autowired AuthenticationManagerBuilder
2013-10-15 12:35:32 -05:00
0b0e7dbea9
SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter
2013-10-14 15:00:24 -05:00
51171efa7a
SEC-2357: Move *RequestMatcher to .matcher package
2013-10-14 11:55:56 -05:00
14b9050616
SEC-2357: Move *RequestMatchers to .matchers package
2013-10-14 10:36:31 -05:00
f2b44e6beb
Fix javadoc whitespace issue in HttpBasicConfigurer
2013-10-11 14:53:11 -05:00
4ef0460ef6
SEC-2321: Improve Java Config defaults for JavaScript clients
2013-10-11 14:53:11 -05:00
5f10d84bf5
SEC-2303: WebSecurity sets the Bean resolver
2013-10-06 13:37:51 -05:00
dd1c2483b5
SEC-2349: Fix documentation tests
2013-10-03 17:03:17 -05:00
8087cde628
SEC-2331: Include Expires: 0 in xsd and appendix
2013-09-27 17:10:42 -05:00
17efd25717
SEC-2331: Include Expires: 0 in security headers documentation
2013-09-27 16:13:40 -05:00
614c94187e
SEC-2305: GlobalMethodSecurityConfiguration autowire PermissionEvaluator
...
If a single PermissionEvaluator bean is found the
DefaultMethodSecurityExpressionHandler is configured with the
PermissionEvaluator. If multiple PermissionEvaluator beans are found, the
beans are ignored.
2013-09-27 15:46:45 -05:00
a09756745f
SEC-2151: Support binding method arguments with Annotations
...
This allow utilizing method arguments for method access control on
interfaces prior to JDK 8.
2013-09-27 11:18:37 -05:00
cea0cf9260
SEC-2243: Remove additional Debug Filter
2013-09-26 11:38:16 -05:00
56ce7d284c
SEC-2336: WebSecurityConfigurerAdapter#registerAuthentication javadoc fixes
2013-09-26 09:08:25 -05:00
88f41cdf62
SEC-2341: Update to Gradle 1.8
...
Some dependencies were necessary to update due to issues with JUnit
integration.
2013-09-24 15:35:51 -05:00
a888ddf8b3
SEC-2307: JavaConfig RequestCache ignores favicon.ico
2013-09-24 11:30:37 -05:00
ddc0ef7ab3
SEC-2339: Added Logical (Or, And, Negated) RequestMatchers
2013-09-23 20:55:49 -05:00
28fb6ba14b
SEC-2328: Add hasAnyRole to ExpressionUrlAuthorizationConfiguration
2013-09-23 10:51:08 -05:00
b16c17f70b
SEC-2301: Remove invalid import
2013-09-20 16:09:23 -05:00
a3d112979f
SEC-2301: GlobalMethodSecurityConfiguration sets DefaultWebSecurityExpressionHandler BeanResolver
2013-09-20 15:53:58 -05:00
f294480e6b
SEC-2329: JC @Autowire(required=false) AuthenticationTrustResolver
...
Java Configuration now allows optional @Autowire of
AuthenticationTrustResolver. In the WebSecurityConfigurerAdapter this is
done by populating AuthenticationTrustResolver as a sharedObject.
2013-09-20 15:28:50 -05:00
7537dfc33a
SEC-2304: rm duplicate MethodExpressionHandler from GlobalMethodSecurityConfiguration
2013-09-20 15:13:02 -05:00
5082a04626
SEC-2311: LogoutConfigurer allows other HTTP methods if CSRF is disabled
2013-09-19 16:05:26 -05:00
8f8c6169e8
SEC-2331: Cache Control now includes Expires: 0
2013-09-19 14:06:37 -05:00
c5c1419521
SEC-2332: GlobalMethodSecurityConfiguration includes proper voters
...
Previously GlobalMethodSecurityConfiguration did not include the correct
voters. This updates the code and the tests to ensure that the proper
voters are added. Note this got past testing previously due to all the
voters abstaining, so tests were added for ensuring that methods could also
be invoked sucessfully using the configured annotation.
2013-09-18 18:27:12 -05:00
0114b457c0
SEC-2330: CacheControlHeadersWriter use a single header
2013-09-18 16:12:34 -05:00
05a7c58daa
SEC-2228: Change openid4j to optional in template.mf
2013-09-13 22:06:42 -07:00
be8aad8306
SEC-2196: Demonstrate Method Security works on Generic methods
2013-09-13 16:20:43 -07:00
662bb24370
SEC-1937: Added test to demonstrate SEC-1937 was invalid
2013-09-11 15:10:42 -07:00
3c82e63ded
Formatting cleanup
2013-09-11 15:10:20 -07:00
7203faf34f
SEC-2300: Update Spring LDAP version to 1.3.2.RELEASE
2013-08-31 11:26:43 -05:00
3d2f23602f
SEC-2294: Update Spring Version to 3.2.4.RELEASE
2013-08-31 11:26:43 -05:00
6e9fb7930b
SEC-2298: Add AuthenticationPrincipalArgumentResolver
2013-08-30 17:06:40 -05:00
ae368829f4
Tweak PermGen for tests
2013-08-28 13:30:25 -05:00
d89cf6db29
SEC-2283: Update headers documentation and tests
2013-08-28 12:35:40 -05:00
4761614c9f
SEC-2291: Fix internal links within reference
...
Instead of using xlink:href="# use linkend="
2013-08-28 09:12:27 -05:00
26166ef6e8
SEC-2272: CsrfRequestDataValueProcessor support Spring 4 and Spring 3
2013-08-27 16:26:16 -05:00
d60108eaf6
SEC-2229: Add optional dependencies to spring-security-config
...
spring-tx and spring-jdbc aren't pulled in transitively from
spring-security-web now, so we must include them as optional dependencies.
2013-08-25 19:47:57 -05:00
18bd82e7d4
SEC-2131: Update doc to state session authentication sends 401 if no page
2013-08-25 11:37:23 -05:00
f29505d657
SEC-2280: Fix SessionFixationConfigurer#changeSessionId Javadoc
...
The Javadoc for SessionFixationConfigurer#changeSessionId() was copied and pasted from
SessionFixationConfigurer#none() and never updated. It is incorrect. This commit fixes that.
2013-08-24 23:31:05 -05:00
48283ec004
SEC-2276: Delay saving CsrfToken until token is accessed
...
This also removed the CsrfToken from the response headers to prevent the
token from being saved. If user's wish to return the CsrfToken in the
response headers, they should use the CsrfToken found on the request.
2013-08-24 23:31:01 -05:00
c131fb6379
SEC-2139: named-security-filter are all defined and ordered correctly
2013-08-24 15:18:22 -05:00
379cbd2a8b
SEC-2274: Add ApplicationContext as HttpSecurity shared object
2013-08-21 16:50:09 -05:00
0247dd124f
SEC-2271: LogoutConfigurer#logoutUrl explains about CSRF
2013-08-21 06:58:09 -05:00
110e769bd4
SEC-2257: Remove HttpSecurityBuilder#getAuthenticationManager()
...
Removed in favor of using shared object.
2013-08-19 15:22:04 -05:00
5fe32bb3c8
SEC-2216: Add withObjectPostProcessor
2013-08-16 15:38:58 -05:00
d62c2e0835
SEC-2244: Defaults based on loginPage are now updated when loginPage changes
2013-08-16 14:48:45 -05:00
e0cad0d684
SEC-2230: Fix Header tests
2013-08-15 16:52:58 -05:00
2e852f4613
SEC-2230: Remove stray import
2013-08-15 16:34:31 -05:00
a469f26b10
SEC-2230: Polish Headers JavaConfig
2013-08-15 16:31:43 -05:00
e9bb9e766e
SEC-1574: Add CSRF Support
2013-08-15 14:49:21 -05:00
797df51264
SEC-2135: Support HttpServletRequest#changeSessionId()
2013-08-15 13:59:16 -05:00
13da42ca1b
SEC-2137: Allow disabling session fixation and enable concurrency control
2013-08-15 12:50:40 -05:00
976d9a9016
SEC-2194: Polish java config sample apps
2013-08-08 14:33:54 -05:00
b13b87a1e7
Remove @Override from methods that override interfaces
...
Ensure JDK5 compatibility
2013-08-05 16:49:33 -05:00
2266f0ca3f
SEC-2238: Polish
2013-08-01 11:57:32 -05:00
2fef79f3d2
SEC-2238: WebAsyncManagerIntegrationFilter Java Config
2013-08-01 11:40:34 -05:00
94a73fee37
SEC-2230: Polish scoping and finals
2013-07-31 11:34:35 -05:00
a1bf28a697
SEC-2239: Remove duplicate SessionCreationPolicy
2013-07-31 10:44:22 -05:00
606bddf598
SEC-2230: Add Header JavaConfig
...
Added JavaConfig for Headers. In the process, more HeaderWriter instances
were added so that we can reuse logic between the XML and JavaConfig. This
also prompted repackaging the writers.
2013-07-31 10:39:52 -05:00
bc8ff9590c
SEC-2230: Defaults when using only <headers/>
...
Previously an error occurred when no child elements were specified with
<headers/>.
Now all the explicitly supported header elements are added with their
default settings.
2013-07-31 10:39:52 -05:00
c85328c5d1
SEC-2230: HTTP Strict Transport Security (HSTS)Add support for Strict
...
This is a distinct filter as apposed to reusing StaticHeaderWriter
since the specification specifies that the "Strict-Transport-Security"
header should only be set on secure requests. It would not make sense to
require DelegatingRequestMatcherHeaderWriter since this requirement is
in the specification.
2013-07-31 10:39:52 -05:00
8013cd54d6
SEC-2230: Added Cache Control support
2013-07-31 10:39:45 -05:00
7b164bb5e1
SEC-2230: Polish pull request
2013-07-26 14:19:53 -05:00
8acd205486
SEC-2232: HeaderFactory to HeaderWriter
2013-07-26 09:01:12 -05:00
fd754c5cab
SEC-2098, SEC-2099: Fix build
...
- hf.doFilter is missing FilterChain argument
- response.headers does not contain the exact values for the headers so
should not be used for comparison (note it is a private member so this
is acceptable)
- hf does not need non-null check when hf.doFilter is invoked
- some of the configurations are no longer valid (i.e. ALLOW-FROM
requires strategy)
- Some error messages needed updated (some could still use improvement)
- No validation for missing header name or value
- rebased off master / merged
- nsa=frame-options-strategy id should use - not =
- FramewOptionsHeaderFactory did not produce "ALLOW-FROM " prefix of origin
- remove @Override on interface overrides to work with JDK5
2013-07-25 16:23:25 -05:00
d0b40cd2ae
- Created HeaderFactory abstraction
...
- Implemented different ALLOW-FROM strategies as specified in the proposal.
Conflicts:
config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
2013-07-25 16:22:43 -05:00
a63baa8391
SEC-2098, SEC-2099: Polishing
2013-07-25 16:22:43 -05:00
0adf5aea91
SEC-2098, SEC-2099: Created HeadersFilter
...
Created HeadersFilter for setting security headers added including a
bean definition parser for easy configuration of the headers. Enables
easy configuration for the X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options headers. Also allows for additional headers to
be added.
2013-07-25 16:22:43 -05:00
f5a30e55a3
SEC-2042: AbstractAuthenticationProcessingFilter supports RequestMatcher
2013-07-23 13:06:51 -05:00
f34b459c80
SEC-2205: Create UserDetailsServiceDelegator
...
Ensure that the UserDetailsService is created lazily.
2013-07-22 16:38:09 -05:00
a39ff1b041
SEC-2202: http.authorizeUrls() to http.authorizeRequests()
...
This change is more meaningful since the requests can be matched on
anything not just the URL
2013-07-22 11:54:10 -05:00
e1d8db4e95
SEC-2197: Allow multiple invocations on HttpSecurity
...
Previously invoking methods like HttpSecurity#authorizeUrls() multiple
times would override one another. This has now changed to be more
intuitive. Initially this was required for the way that defaults were
provided so that they could be overriden, but this is no longer the case.
2013-07-21 22:56:23 -05:00
cf0fdc2d66
SEC-2222: Use auth parameter name instead of registry
2013-07-20 07:49:07 -05:00
90bd241ce2
SEC-2199: Support multiple AuthenticationEntryPoint defaults
2013-07-19 17:09:58 -05:00
87c9a14bff
SEC-2198: http.httpBasic() defaults AuthenticationEntryPoint
2013-07-19 17:09:58 -05:00
0f281f9575
SEC-2215: ServletApiConfigurer populates properties on SecurityContextHolderAwareRequestFilter
...
Previously ServletApiConfigurer left the following properties null:
authenticationManager, logoutHandlers, and authenticationEntryPoint
2013-07-16 22:43:53 -05:00
5e6ca12b01
SEC-2097: Update integrationTestCompile to use optional and provided
...
Also update slf4j version and remove explicit commons-logging from pom generation
2013-07-16 15:59:06 -05:00
02551e1b7a
SEC-2214: Update Spring Version
2013-07-16 15:15:47 -05:00
faa8b354b7
SEC-2209: add pom.xml
2013-07-16 15:15:47 -05:00
e5fc063680
SEC-2206: Gradle Propdeps
2013-07-16 15:15:42 -05:00
07c3fdf8a7
SEC-2195: Update Groovy, Geb, Spock, httpcomponents, and Jetty
2013-07-16 15:02:39 -05:00
1705c5d796
SEC-2207: Update Gradle to 1.6
2013-07-16 15:02:39 -05:00
fb45db11e9
SEC-2191: Remove AuthenticationManagerBuilder default constructor
...
This ensures that users must choose what ObjectPostProcessor is being used
with AuthenticationManagerBuilder. To make things easier for users, we now
automatically add an AuthenticationManagerBuilder object that can be used
for creating an AuthenticationManager with @Autowired.
2013-07-05 12:10:03 -05:00
cf80cc88b5
SEC-2192: Create DEFAULT_FILTER_NAME
2013-07-05 09:41:53 -05:00
70b3a330ef
#137 WebSecurityConfigurerAdapter no longer uses getClass() for logger
...
Previously it was difficult to change log levels due to CGLIB proxying of
the class which impacted the logger name.
2013-07-01 10:07:38 -05:00
17bef05c3c
#138 WebInvocationPrivilegeEvaluator has default value
2013-07-01 08:46:57 -05:00
d8ed429370
#138 Tests for WebSecurityExpressionHandler bean existing
2013-07-01 08:37:12 -05:00
4d282cbe0d
SEC-1953: Polish
2013-06-30 21:51:25 -05:00
7412fe0748
SEC-1953: Polish bundlor warnings
2013-06-30 21:45:45 -05:00
d0c4e6ca72
SEC-1953: Spring Security Java Config support
...
This is the initial migration of Spring Security Java Config from the
external project at
https://github.com/SpringSource/spring-security-javaconfig
2013-06-30 17:28:33 -05:00
fba4fec84b
SEC-2175: Correct XSD docs on auto-config.
2013-06-09 14:51:58 +01:00
ebba8ac514
SEC-2122: Update namespace to support bcrypt.
...
password-encoder now supports hash='bcrypt'.
2013-05-17 19:17:18 +01:00
f594ed76db
SEC-2087: GlobalMethodSecurityBeanDefinitionParser uses AuthenticationManager to create AuthenticationManagerDelegator
2013-04-25 08:56:46 -05:00
66357a2077
SEC-2143: Update XSD version mismatch error message
2013-03-06 10:57:41 -06:00
5eb5c91d86
SEC-2119: Rename rememberme-parameter to remember-me-parameter
...
This change extends pull request https://github.com/SpringSource/spring-security/pull/26
and its subsequent changes by renaming the attribute name 'rememberme-parameter' to
'remember-me-parameter'.
The spelling including the additional hyphen in 'remember-me-parameter' is more consistent
with the default spelling of the 'remember-me' functionality.
2013-03-05 14:47:25 -06:00
b014020955
SEC-2119: Polish remember-me@rememberme-parameter
...
- Change form-parameter to rememerme-parameter
- Use rnc file for generating the xsd
- Add test for deafult value of rememberme parameter
2013-03-01 17:03:09 -06:00
9eb34fe51c
SEC-2119: Add a 'form-parameter' attribute to <remember-me>
...
This change extends the namespace configuration of <remember-me>
with a 'form-parameter' attribute. The introduced attribute sets
the 'parameter' property of AbstractRememberMeServices.
This enables overriding the default value of
'_spring_security_remember_me' using the namespace configuration.
2013-03-01 17:03:02 -06:00
e8661913d1
SEC-2119: Update to 3.2 schema and use default schema version when available
2013-03-01 16:29:27 -06:00
f8ed3791f9
SEC-2142: Schema documentation states anonymous and remember-me ke defaults to SecureRandom
2013-03-01 12:23:36 -06:00
2a86c72436
Update XsdDocumentedTests to make easier to understand problems
2013-02-28 17:08:51 -06:00
914ec45e43
SEC-2136: Lazy load MethodSecurityExpressionHandler & MethodSecurityExpressionHandler.expressionParser
...
Previously wiring dependencies created with a FactoryBean into
MethodSecurityExpressionHandler &
MethodSecurityExpressionHandler.expressionParser and would cause
NoSuchBeanDefinitionException's to occur. These changes make it easier
(but not impossible) to avoid such errors.
The following changes were made:
- ExpressionBasedAnnotationAttributeFactory delays the invocation of
MethodSecurityExpressionHandler.getExpressionParser()
- MethodSecurityExpressionHandler is automatically wrapped in a
LazyInitTargetSource and marked as lazyInit=true
2013-02-28 10:26:12 -06:00
89c63fd752
Add spring-security-3.2.rnc
2013-01-03 18:32:33 -06:00
036e0505b3
Make rnc transform part of Gradle build
2013-01-03 18:32:32 -06:00
c8d45397fe
SEC-2079: Add Servlet 3 Authentication methods
...
Add support for HttpServletRequest's login(String,String), logout(),
and authenticate(HttpServletResponse).
2012-12-11 17:26:31 -06:00
1ed643ca1f
SEC-1998: Provide integration with WebAsyncManager#startCallableProcessing
...
Support integration of the Spring SecurityContext on Callable's used with
WebAsyncManager by registering SecurityContextCallableProcessingInterceptor.
2012-11-28 17:56:03 -06:00
1a7aaa85c4
SEC-2066: ProtectPointcutPostProcessor is now ThreadSafe
...
Previously a ConcurrentModificationException could occur when
PointcutExpression.matchesMethodExecution was performed in multiple threads. Another
issue was that beans may get processed multiple times.
Now a lock is performed to ensure that only a single thread has access to
PointcutExpression.matchesMethodExecution and that each bean only gets processed once.
2012-11-09 14:34:00 -06:00
30780baf24
Externalize powermock dependencies for reuse
2012-11-08 22:49:20 -06:00
4c50d1f5de
SEC-2072: <security:anonymous> granted-authority supports multiple authorities again
2012-11-02 16:24:14 -05:00
4f741bc914
SEC-2057: ConcurrentSessionFilter is now after SecurityContextPersistenceFilter
...
Previously, ConcurrentSessionFilter was placed after SecurityContextPersistenceFilter
which meant that the SecurityContextHolder was empty when ConcurrentSessionFilter was
invoked. This caused the Authentication to be null when performing a logout. It also
caused complications with LogoutHandler implementations that would be accessing the
SecurityContextHolder and potentially clear it out expecting that
SecurityContextPersistenceFilter would then clear the SecurityContextRepository.
The ConcurrentSessionFilter is now positioned after the
SecurityContextPersistenceFilter to ensure that the SecurityContextHolder is populated
and cleared out appropriately.
2012-10-03 09:27:24 -05:00
6af3e1958b
Update to Groovy 1.8
2012-09-04 09:48:29 -05:00
a19cc8f1c7
SEC-2020: Set eraseCredentialsAfterAuthentication when using http@authentication-manager-ref
...
Previously the namespace configuration did not properly set the eraseCredentialsAfterAuthentication
property on the parent AuthenticationProvider when using http@authentication-manager-ref.
Now the ProviderManager that is created by the namespace consults the original
AuthenticationManager to determine if eraseCredentialsAfterAuthentication should
be set on the wrapped instance. If the original is not a ProviderManager the
eraseCredentialsAfterAuthentication is set to false since we should not "magically"
add behavior to the custom AuthenticationManager without knowing the desired behavior.
2012-07-31 14:04:11 -05:00
d2a5ad6fd1
SEC-2016: Update config integration tests to use specific ldif to work in Eclipse
...
Due to Eclipse restrictions the classpath adding an project as a dependency picks up
the test dependencies of other projects. This caused problems when running the
config integration tests within Eclipse.
Now the tests specify a specific ldif to load. There is also one new test that ensures
that the ldif is defaulted properly, but does not rely on the ldif that is loaded.
2012-07-31 14:03:38 -05:00
a547f6922a
SEC-1996: Fix javadoc to work with jdk 1.5
...
The javadoc did not work with JDK 1.5 due to a JDK bug fixed in JDK 1.6.
This changed the javadoc that had a tag that started with <a and was not
closed to escape the < >. This resolves the issue with the JDK 1.5 javadoc
bug.
2012-07-20 16:38:27 -05:00
7f9938c8e2
Organize imports on RememberMeConfigTests
2012-07-18 14:45:05 -05:00
c7c41ced84
Added test to verify LogoutHandlers added to LogoutFilter
2012-07-18 14:45:05 -05:00
3ce06333c5
SEC-1850: Namespace adds all LogoutHandlers to ConcurrentSessionFilter
...
Previously the namespace configuration only populated ConcurrentSessionFilter
with SecurityContextLogoutHandler. This means that there was an inconsistency
with LogoutFilter.
Now the namespace will configure the same LogoutHandlers as it would for
LogoutFilter (i.e. RememberMeServices, SecurityContextLogoutHandler, and
CookieClearingLogoutHandler.
2012-07-18 14:44:35 -05:00
06638db289
SEC-1909: Namespace configuration no longer uses deprecated API's
...
Previously the namespace configuration used deprecated API's
causing warnings to show up in Spring Tool suite when editing
Spring configuration files.
Now the namespace configuration uses the replacement API's for
those that have been deprecated. The tests have also been updated
to ensure the new constructors are used and that the updates did
not break anything.
2012-07-17 14:08:36 -05:00
42b72bcbc4
SEC-1980: Prevent parser warning when URL's in configuration start with #
...
Previously a warning would be logged to the parser when a URL was
configured with a SpEL expression. These changes prevent warnings from
being logged when using SpEL for URL configuration.
2012-07-10 14:24:42 -05:00
a2452ab514
SEC-1906: Update to Gradle 1.0
2012-07-05 12:41:56 -05:00
254333ce82
SEC-1957: DefaultFilterChainValidator no longer casts to DefaultFilterInvocationSecurityMetadataSource
2012-04-29 15:59:24 -05:00
488efbc97e
SEC-1901: Changed DebugFilter to no longer extend OncePerRequesetFilter so that the FilterChainProxy is invoked on forwards
2012-03-17 11:16:21 -05:00
f78c11650f
SEC-1893: Namespace now register PortMapper with custom mappings for all components that use a PortMapper
2012-03-11 20:52:17 -05:00
2d556c7b4f
SEC-1885: Change SecurityDebugBeanFactoryPostProcessor to only interact with BeanDefinitions rather than instances to prevent premature instatiation of FilterChainProxy and its dependencies
...
This issue occurred because the AutowiredAnnotationBeanPostProcessor had not been registered when the SecurityDebugBeanFactoryPostProcessor tried to obtain the FilterChainProxy. This caused
all of the FilterChainProxy's dependant beans to be resolved and if they used @Autowired they would not get processed properly.
2012-01-07 13:52:50 -06:00
448a42916d
SEC-1880: Corrected error message when using both logout-success-url and success-handler-ref
2011-12-30 11:31:24 -06:00
ea56a98883
SEC-1868: Remove error level logs from SecurityNamespaceHandler when the web classes are not available and not required
...
To get the detailed errors the FilterChainProxy is loaded again in reportMissingWebClasses
and included in the readerContext fatal log.
2011-12-30 10:51:17 -06:00
044861eb20
Renamed **/*Spec.groovy to **/*Tests.groovy to better follow conventions
2011-12-29 12:59:24 -06:00
aabb16912f
SEC-1878: DefaultFilterChainValidator properly handles AccessDecisionManager throwing exceptions other than AccessDeniedException
2011-12-28 16:43:19 -06:00
999adbc6ee
SEC-1827: If use-secure-cookie is set to false explicitly set useSecureCookie to false on AbstractRememberMeServices
2011-11-21 09:11:17 -06:00
ff495b698e
SEC-1858: Removed methods for generating docbook for xsd
...
Not squashing so this is around if needed again
2011-11-11 11:45:02 -06:00
c8b847f1ed
SEC-1858: Added integration tests to validate that the xsd is documented in the reference
2011-11-11 11:44:55 -06:00
de397bc0ce
SEC-1858: Updated xsd documentation to have documentation for all elements/attributes and added documentation of default values where appropriate
2011-11-11 09:00:53 -05:00
3b13a3fb25
SEC-1812: Replace assertion with warning message when overriding the global AuthenticationManager.
2011-11-02 14:23:59 +00:00
30088f19ae
SEC-1806: Log that bean definition is being created rather than bean in LdapServerBDP.
2011-10-31 23:50:06 +00:00
2f67bb3032
SEC-1847: Add authentication-manager-ref attribute to http and global-method-security namespace elements.
2011-10-30 21:51:02 +00:00
44e2543015
Minor changes to make filter chain validation more robust with custom request matchers.
2011-10-24 21:21:10 +01:00
f2786805e6
SEC-1841: Added request-matcher-ref attribute to namespace for defining a filter chain.
2011-10-21 20:04:35 +01:00
58f7d3acc6
SEC-1835: Changed xsd:ID to xsd:token.
2011-10-21 18:35:06 +01:00
ac6ed671a1
SEC-1830: Use constructor injection in namespace parsing code for creation of ProviderManager
2011-09-26 18:24:36 +01:00
a1c714cff4
SEC-1754: Added an InvalidSessionStrategy to allow SessionManagementFilter to delegate out the behaviour when an invalid session identifier is submitted.
2011-07-14 16:43:02 +01:00
f92589f051
Extract a SecurityFilterChain interface and create a default implementation to facilitate other configuration options.
2011-07-06 00:12:48 +01:00
73442125de
SEC-1775: Removed internal use of UserAttribute class in AnonymousAuthenticationFilter.
2011-07-04 21:09:48 +01:00
5d20f57fa8
Import cleaning.
2011-07-02 20:36:42 +01:00
85807fdfd0
Removed @Overrides from method that implements interface instead of overriding superclass to resolve Java 1.5 error
2011-06-21 07:22:35 -05:00
5a1ddc660b
SEC-1768: Added tests to reproduce "double-proxying" issue combining intercept-methods and tx-annotation-driven. Problem is caused by use of ProxyFactoryBean with auto-proxying.
2011-06-18 14:32:31 +01:00
52c0ee6756
Improve error reporting of missing web classes in namespace handler. Now catches and logs the class-loading error.
2011-06-13 13:39:55 +01:00
e8a1a6e40b
Added spring-expression to config module testCompile to fix build.
2011-05-19 23:50:35 +01:00
27caecd53f
SEC-1452: Added namespace support for custom expression handler for use with web access expressions.
2011-05-19 15:27:58 +01:00
1b8eee6f07
Improve "missing web classes" message in SecurityNamespaceHandler, by indicating that a missing transitive dependency may also be the problem.
2011-05-16 00:19:30 +01:00
92face623a
SEC-1738: removed accidental commit of writeNewPom task
2011-05-10 23:23:13 -05:00
3d24d6f672
SEC-1738: Changed openid4java to be testCompile dependency of spring security config
2011-05-10 23:17:36 -05:00
6e91786f92
SEC-1734: AbstractRememberMeServices will now default to using a secure cookie if the connection is secure. The behaviour can be overridden by setting the useSecureCookie property in which case the cookie will either always be secure (true) or never (false).
2011-05-09 13:36:23 +01:00
25ebc5e5f4
Fix openid dep in config.gradle. Should be a testCompile dep.
2011-04-29 14:04:32 +01:00
bd74185e41
SEC-1729: Updated openid module and sample to openid4java 0.9.6 and httpclient 4.1.1
2011-04-26 23:39:51 -05:00
c4a1ce9f1a
SEC-1725: Update docs to remove references to filter-chain-map.
2011-04-25 23:38:44 +01:00
b5924db74d
SEC-1725: Add option to filter-chain to use an explicit request-matcher-ref instead of a "path" attribute.
2011-04-25 23:20:15 +01:00
04dc65c8fe
SEC-1657: Corresponding namespace updates to use SecurityFilterChain list in place of filterChainMap.
2011-04-25 13:48:47 +01:00
71ed6d7964
SEC-1720: Avoid bean-creation side-effects in ContextSourceSettingPostProcessor.
2011-04-20 11:58:00 +01:00
8d702a4f98
SEC-1699: Make sure a FilterInvocation is passed to the AccessDecisionManager when checking the login page access in DefaultFilterChainValidator.
2011-04-14 18:04:29 +01:00
160fed1bfe
SEC-1713: Fix typo in schema RNC file.
2011-04-08 17:22:57 +01:00
3f1d8782c3
Minor fix to bundlor template for config module.
2011-04-06 14:02:01 +01:00
8d99918798
SEC-1491: Add support for an external priority SecurityMetadataSource to be referenced from global-method-security.
2011-04-05 15:07:43 +01:00
ddaf9eb64f
SEC-1705: Make sure a single OpenIDAuthenticationFilter bean is created by the namespace. Likewise for UsernamePasswordAuthenticationFilter.
2011-03-31 21:09:54 +01:00
ccc548b9e4
Fixing bundlor warnings.
2011-03-08 16:20:37 +00:00
088042b3d0
Upgrade spock and groovy versions, and make sure apacheDS work directory is set for config integrationTest task.
2011-02-14 19:03:08 +00:00
bc2448419b
SEC-1679: Make sure whitespace is trimmed from cookie names when specifying multiple cookies.
2011-02-14 19:02:28 +00:00
27be72a81c
SEC-1677: Split out LDAP server tests from config module.
2011-02-14 19:01:27 +00:00
b0df1bd1b0
SEC-1673: Use a map to store the range values use in the bundlor templates.
2011-02-07 16:06:23 +00:00
866615ceaa
SEC-1662: Cater for the case where a user uses two <http> elements without patterns and the RequestMatcher does not have two arguments.
2011-01-26 16:39:50 +00:00
2eefbf3a23
SEC-1657: Added support for 'name' attribute in <http> element to expose filter chain as a list bean.
2011-01-14 17:21:22 +00:00
6de2197c0f
SEC-1653: Ensure UserDetailsServiceFactoryBean is registered using the tools API to prevent errors in STS.
2011-01-11 00:10:07 +00:00
6779822325
Remove GRADLE-1090 workarounds from config.gradle.
2011-01-07 18:28:21 +00:00
8d7830a1ee
SEC-1603: Add support in namespace for use of AuthenticationSuccessHandler with remember-me.
2011-01-06 15:16:13 +00:00
1ed5227d75
Removed @Override from HttpFirewallBeanDefinitionParser.parse since it does not override a method definition, it implements one.
...
Fixed The method parse(Element, ParserContext) of type HttpFirewallBeanDefinitionParser must override a superclass method HttpFirewallBeanDefinitionParser.java /spring-security-config/src/main/java/org/springframework/security/config/http line 23 Java Problem
2010-12-16 22:20:20 -06:00
2be2660b13
SEC-1636: Add optimizations for simple pattern cases in AntPathRequestMatcher. "/**" and "**" are treated as universal matches and a trailing "/**" is now optimized using a substring match.
2010-12-11 21:56:35 +00:00
4a40d80da1
SEC-1418: Deprecate GrantedAuthorityImpl in favour of final SimpleGrantedAuthority.
...
It should be noted that equality checks or lookups with Strings or other authority types will now fail where they would have succeeded before.
2010-12-03 16:41:46 +00:00
441aa25383
SEC-1615: Changed key generation for anonymous provider to only use SecureRandom on demand.
2010-12-01 20:52:37 +00:00
b9a98613eb
SEC-1593: Added tests to try to reproduce issue.
2010-11-03 19:37:25 +00:00
21ed5feb8d
SEC-1600: Added Implementation-Version and Implementation-Title to manifest templates and checking of version numbers in namespace config module and core. Config checks the version of core it is running against and core checks the Spring version, reporting any mismatches or situations where the app is running with less than the recommended Spring version.
2010-10-27 13:25:40 +01:00
f70942c6f5
SEC-1589: Add support for property placeholder in intercept-methods access attribute.
2010-10-27 13:25:39 +01:00
173537f4f2
SEC-1584: Added namespace support for injecting custom HttpFirewall instance into FilterChainProxy.
2010-10-27 13:25:39 +01:00
0961671772
Reinstated missing 3.0.3 schema file
2010-10-27 13:25:39 +01:00
f455e9a5a4
SEC-1584: Documentation of request-checking and matching process. Logging of servletPath and and pathInfo in DebugFilter for comparison.
2010-10-27 13:25:39 +01:00
7d97adc687
SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/".
2010-10-27 13:25:39 +01:00
ee12d54bec
SEC-1536: moved web.authentication.jaas to web.jaasapi
...
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
2010-10-05 22:28:42 -05:00
e69b981c72
Make method in MatcherType public for use in OAuth.
2010-09-25 20:09:12 +01:00
11a87d1fa0
Switch to using xsd:boolean in schema file.
2010-09-19 18:17:06 +01:00
1b2b371970
SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element.
...
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.
Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
2010-09-16 16:03:24 +01:00
383211561c
Moved LDAP placeholder config test into LDAP tests to prevent issues with parallel tests. Converted LdapProviderBDP tests to groovy/spock. Other misc tidying of config tests.
2010-09-16 12:31:23 +01:00
7dd8cd2fb9
Make sure ApacheDS work directory is set correctly for separate LDAP test task in config module.
2010-09-16 10:50:12 +01:00
a128e3b4fe
http://forum.springsource.org/showthread.php?p=318755 Added PlaceHolderAndELConfigTests.ldapAuthenticationProviderWorksWithPlaceholders
2010-09-13 13:44:12 -05:00
de819378fc
SEC-1536: added JAAS API Integration, updated doc, updated jaas sample
2010-09-13 13:12:45 -05:00
0217e98bdb
Added an AppListener to collect events for use in tests
2010-09-13 14:20:21 +01:00
f4d57ab5e8
SEC-1456: Remove maven poms as we are now using gradle for the build.
2010-08-30 19:02:19 +01:00
20988c8cf6
Minor refactoring of debug filter and tidying up tests.
2010-08-27 01:49:30 +01:00
bdb906e588
Enable parameterization for log levels in logback files to allow the use of command-line options for controlling log output.
2010-08-24 18:25:39 +01:00
1db83fc81e
Minor BD parser tidying.
2010-08-20 21:14:00 +01:00
c37ca1c2a9
Sample app build adjustments to remove unwanted deps such as jsp-api, tidy up use of JSTL, make sure all are using servlet 2.5 etc.
2010-08-19 22:41:51 +01:00
5f6bcc0e1e
SEC-1540: Fix to add HTTP-method specific support for namespace requires-channel attribute.
2010-08-18 13:01:16 +01:00
3c02989d67
Removal of jmock test dependency and upgrading of mockito version to 1.8.5. Minor adjustments to other build deps and configurations (e.g. prevent groovy from being used as a transitive dep, since we only use it for tests).
2010-08-18 02:32:43 +01:00
aafc5f9038
File rename to correct case.
2010-08-17 02:27:36 +01:00
1f520b691f
SEC-1469: Initial support for debugging filter.
2010-08-17 02:23:34 +01:00
591bd532bd
Polishing FilterChainProxy and its tests.
2010-08-17 02:20:34 +01:00
6abfa2e887
Update minimum required schema to 3.1.
2010-08-17 02:19:55 +01:00
4bd41cbf72
SEC-1133: Support for setting of authenticationDetailsSource property for form-login, openid-login, http-basic and x509 namespace elements. These elements now support an additional 'authentication-details-source-ref' attribute.
2010-08-14 15:10:03 +01:00
4935aa07c7
SEC-1535: Added suggested doc fixes.
2010-08-12 20:41:29 +01:00
2222a7be07
Use Integer.valueOf() in preference to new Integer()
2010-08-11 18:17:23 +01:00
dca0fd871c
SEC-1532: Add cache of previously matched beans to ProtectPointcutPostProcessor to ensure that it doesn't perform pointcut matching every time a new prototype bean is created.
2010-08-09 17:16:43 +01:00
85c4c91e0e
IDEA inspection refactorings.
2010-08-05 23:28:07 +01:00
413b2a06e3
Improvements in up-to-date checking and use of parallel tests where possible.
2010-08-05 02:11:00 +01:00
64375484a1
More build and logging tuning.
2010-08-04 22:55:17 +01:00
2d9a848265
Added missing gradle build files for remaining samples. Some related reordering, dependency fixing etc. CAS sample no longer requires two separate subprojects as both client and server app can be run from a single gradle build.
2010-07-27 02:20:36 +01:00
c1c8fd1874
SEC-1171: Changed attribute name/value from secured="false" to security="none" to allow future extension by adding extra options (e.g. contextOnly to provide security context information during the request).
2010-07-20 19:46:47 +01:00
a4fd191499
Added check for use of "ref" with other attributes in <authentication-provider>.
2010-07-20 14:31:52 +01:00
4683273c2c
Correct message in namespace handler when web classes are missing.
2010-07-12 12:40:06 +01:00
69a10c48ae
Switch to using slf4j/logback for logging.
...
We still compile modules against commons-logging but all runtime logging and samples will use logback
2010-07-12 12:39:52 +01:00
443ac0487a
SEC-1093: Namespace support for jee element.
...
Adds a J2eePreAuthenticatedProcessingFilter to the stack, using a SimpleAttributes2GrantedAuthoritiesMapper to process the role attributes defined in the "mappable-roles" attribute. Provider uses a PreAuthenticatedGrantedAuthoritiesUserDetailsService by default.
2010-07-07 22:42:26 +01:00
026517f674
Removal of deprecated methods and classes.
2010-06-26 16:23:42 +01:00
6a79cf7be2
SEC-1383: Make MethodSecurityMetadataSourceBeanDefinitionParser extend AbstractBeanDefinitionParser for automatic support of ID attribute.
2010-06-26 16:07:23 +01:00
cd946c4e23
SEC-1493: Added namespace support.
2010-06-20 21:09:38 +01:00
8bddc8f820
SEC-1484: Documentation for some namespace attributes.
2010-06-05 17:35:24 +01:00
2e865752ff
Upgraded groovy to 1.7.2 to avoid jansi dependency issue
2010-06-03 23:13:28 +01:00
efb600166a
SEC-1488: Remove commons-logging dependencies from maven poms.
2010-05-28 13:10:59 +01:00
f7405cef82
Removed original Java version of refactored http namespace tests.
2010-05-27 18:06:26 +01:00
34401416b0
SEC-1171: Implement parsing of empty filter chain patters via http 'secured' attribute and remove filters='none' support.
2010-05-27 15:54:15 +01:00
05c7abe191
SEC-1445: Tests for setting of username and password parameter names through the form-login element.
2010-05-27 15:54:15 +01:00
7d74b7c87e
SEC-1171: Allow multiple http elements and add pattern attribute to specify filter chain mapping.
2010-05-27 15:54:15 +01:00
b0758dd8de
Refactoring HTTP config tests to use spock and groovy MarkupBuilder
2010-05-27 15:53:52 +01:00
b0308e41cb
SEC-1455: Load namespace parsers when required, rather than on init() call, to avoid classloaded issue with dmServer failing to resolve web classes when the namespace handler is first used.
2010-05-21 15:36:37 +01:00
a4ce14f604
Add "provisioning" package to config bundlor template.
2010-05-16 14:14:13 +01:00
d5ffdd9c27
Import cleaning
2010-05-03 18:46:06 +01:00
dccb30ad63
Remove use of wrong DOMUtils class (from com.sun package).
2010-05-01 15:06:48 +01:00
863ccecf55
SEC-1466: Report error if authentication-provider element has child elements when used with "ref" attribute.
2010-04-30 20:22:20 +01:00
165cbb0d19
SEC-1445: Added support for custom username and password parameters in form-login.
2010-04-30 18:14:50 +01:00
a421370a3d
SEC-1465: Change DelegatingMethodSecurityMetadataSource to use constructor injection to get round the problem of it being invoked before it has been initialized properly. Also changed the contacts tests to use the same app context and loading order as the actual webapp, to give better reassurance that the app will run successfully.
2010-04-25 22:00:25 +01:00
f5859fabcf
SEC-1464: Created InMemoryUserDetailsManager and converted user-service BDP to use it for its in-memory database.
2010-04-25 04:26:45 +01:00
2f025fba6c
SEC-1460: Added AxFetchListFactory which matches OpenID identifiers to lists of attributes to use in a fetch-request.
...
This allows different configurations to be used based on the identity-provider (google, yahoo etc). The default implementation iterates through a map of regex patterns to attribute lists. The namespace has also been extended to support this facility, with the "identifier-match" attribute being added to the attribute-exchange element. Multiple attribute-exchange elements can now be defined, each matching a different identifier.
2010-04-20 23:47:48 +01:00
d3d9c5db59
Refactoring of UserDetailsService injection (for X509, OpenID and RememberMeServices) to use a factory bean rather than a post-processor.
2010-04-20 23:47:47 +01:00
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
2010-04-01 01:24:23 +01:00
a3ef8255d8
SEC-1232: GlobalMethodSecurityBeanDefinitionParser support for mode='aspectj'
...
Also added this syntax to the aspectj sample.
2010-03-31 18:31:28 +01:00
020e0aa49a
SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext.
...
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
2010-03-30 15:52:40 +01:00
977bc2b164
SEC-1433: Reduce the number of direct dependencies on DataAccessException from spring-tx.
...
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
2010-03-26 18:05:28 +00:00
57150a6717
SEC-1440: Add entry-point-ref to http-basic element to allow setting a separate AuthenticationEntryPoint for the BasicAuthenticationFilter.
2010-03-26 12:47:24 +00:00
472c1fac84
SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
...
Ensures protect-pointcut expressions match methods with generic parameters.
2010-03-24 20:57:03 +00:00
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
2010-03-07 21:58:25 +00:00
b38b8e55ac
SEC-1432: Convert map keys to lower-case in UserMap.setUsers().
...
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
2010-03-05 17:55:29 +00:00
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
2010-03-04 21:21:07 +00:00
e5a875d752
SEC-1407: Correct logger category in MatcherType.
2010-03-01 02:03:32 +00:00
90a7f1f00e
SEC-1383: Namespace support for MethodSecurityMetadataSource. Initial commit.
2010-03-01 01:45:43 +00:00
93438defff
SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy.
...
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
2010-03-01 01:21:06 +00:00
b147652193
Make hsqldb a testRuntime/runtime dependency.
2010-03-01 01:10:58 +00:00
f0466b6488
SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all.
2010-02-27 00:22:21 +00:00
6a34807a07
SEC-1423: Cache PointcutExpression instances in ProtectPointcutPostProcessor for more efficient startup.
2010-02-26 17:21:25 +00:00
2f1479785e
Refactoring to remove remaining circular dependencies indicated by structure101.
2010-02-22 01:48:22 +00:00
f3f84da625
Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0.
2010-02-21 23:25:36 +00:00
26cf6f5528
SEC-1399: Remove MockAuthenticationManager in app context file for FilterChainProxy tests.
2010-02-20 21:59:44 +00:00
68f6afd905
SEC-1383: Added namespace support for method-security-metadata-source
2010-02-20 19:05:25 +00:00
b7fc5bc455
Update schema version to 3.1
2010-02-20 18:58:00 +00:00
2ee7696bf4
Update version number to 3.1.0.CI-SNAPSHOT.
2010-02-19 17:35:19 +00:00
44f45d21f0
3.0.2 release. Update version in build files.
2010-02-19 01:22:21 +00:00
10dc72b017
SEC-1387: Support serialization of security advised beans.
...
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
2010-02-19 00:53:14 +00:00
5b5934144a
Avoid infinite loop in InterceptMethodsBeanDefinitionDecoratorTests when upgrading to Spring 3.0.1.
...
Converted test target to implement ApplicationListener<SessionCreatedEvent> so that it doesn't receive events from its own interceptor (which are in turn intercepted).
2010-02-16 00:03:15 +00:00
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
2010-02-14 23:23:23 +00:00
dcbdfc2026
SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
...
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
2010-02-11 17:47:22 +00:00
70ef0d8b3e
Added extra test to itest/context as POC of using extra interceptor with http ns.
2010-02-11 01:48:00 +00:00
23511c930f
Standardising slf4j versions.
2010-02-11 01:33:31 +00:00
2173029216
SEC-1404: Use a factory method to convert the path to lower case for use in the filter-chain map.
...
Delays the conversion till after palceholders have been substituted, preventing the placeholder from being converted (or the value not being converted).
2010-02-10 23:49:26 +00:00
5753d69465
SEC-1404: Updated test for placeholders in intercept-url elements to check they work for filter='none' elements
2010-02-10 16:49:53 +00:00
bd2fd3448b
SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly.
2010-02-06 15:42:01 +00:00
d931495c8a
SEC-1380: Trim whitespace from config attributes when building a list in SecurityConfig.
2010-01-23 02:12:30 +00:00
51dfc0fb39
Set versions to 3.0.2-CI-SNAPSHOT, post release.
2010-01-15 18:15:19 +00:00
05634f97dc
Updated version numbers for 3.0.1 release.
2010-01-15 18:04:28 +00:00
670297c55d
SEC-1369: Make sure beans aren't registered twice in case allowBeanDefinitionOverriding=false in the app context.
...
The use of registerBeanComponent() also registers the bean definition, which causes an error if overriding is disallowed and the bean has already been registered using registerBeanDefinition(). I've also set the allowBeanDefinitionOverriding to 'false' on InMemoryXmlApplicationContext to detect future mistakes of this kind in testing.
2010-01-14 15:48:14 +00:00
b323098167
Added gradle build files for taglibs, tutorial, contacts and openid.
...
Changed build file names to match module names (by manipulating the project objects in the settings.gradle file).
2010-01-10 23:31:23 +00:00
e211f9b35f
SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
...
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.
Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
51abedcbef
Parameterize getFilter() method in HttpSecurityBeanDefinitionParserTests.
...
Removes the need for casting to specific filter type.
2010-01-08 23:20:16 +00:00
f40a1fda34
SEC-1357: Use getClass().getClassLoader() in SecurityNamespaceHandler to check for web classes.
...
This is used in preference to ClassUtils.getDefaultClassLoader() which fails to find the web classes in some situations.
2010-01-08 21:12:36 +00:00
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
2010-01-08 21:05:13 +00:00
dc5417f1d5
SEC-1352: Added support for placeholders in <user-service>
...
The username, password and authorities attributes can now be placeholders.
2010-01-05 22:34:10 +00:00
893f212fa5
Tidying
2010-01-02 19:53:19 +00:00
bcb1ff8921
SEC-1342: Introduced extra factory method in SecurityConfig to get round problem with Spring converting a string with commas to an array
2009-12-23 14:12:59 +00:00
115d5b84ff
[maven-release-plugin] prepare for next development iteration
2009-12-22 22:20:01 +00:00
6c6ef08353
[maven-release-plugin] prepare release spring-security-3.0.0.RELEASE
2009-12-22 22:19:38 +00:00
e64866ae6a
Updated bundlor templates and introduced spring.version variable
2009-12-22 01:10:04 +00:00
fcce29f8df
SEC-1326: Updating dependencies to match Spring versions. Removing unused deps.
2009-12-21 17:32:38 +00:00
fac07ba8ff
Schema updates to Spring 3.0
2009-12-18 18:44:17 +00:00
85a58fd473
SEC-1331: Modify namespace to allow omission of user passwords in user-service element and generate random ones internally, preventing authentication against the data..
2009-12-18 15:39:13 +00:00
520e733cb2
[maven-release-plugin] prepare for next development iteration
2009-12-08 21:19:41 +00:00
f2cf17bd49
[maven-release-plugin] prepare release spring-security-3.0.0.RC2
2009-12-08 21:19:20 +00:00
1dc4bb112e
SEC-1318: Correct logic for checking combination of session-management attributes.
2009-12-07 22:40:47 +00:00
3469a8d4a3
Javadoc.
2009-12-07 21:40:06 +00:00
ac564fc34e
SEC-1317: Forgot to commit test from config module.
2009-12-07 21:39:49 +00:00
d4e4a09801
SEC-1312: Add detection of 2.0 schemas. Added check to SecurityNamespaceHandler and reinstated old schemas.
2009-12-06 21:15:11 +00:00
dab76249db
Added gradle build files (experimental)
2009-12-04 21:33:17 +00:00
eddde8ea28
SEC-1309: Namespace configurations should support Spring EL. Removed premature conversion of URL paths to lower case, which messes up if they are case-sensitive expressions or placeholders. Some other minor changes to suppport EL configuration.
2009-12-01 14:23:58 +00:00
e9402fa0f9
Removed commented deps from pom.
2009-11-24 09:34:05 +00:00
69699431b1
SEC-1303: Added internal Hex and Base64 classes, and moved commons-codec dependency to test scope
2009-11-24 09:31:03 +00:00
5546698fef
SEC-1253: Decouple spring-security-config module from spring-security-web. Added ClassUtils.isPresent() check for FilterChainProxy before attempting to register web-related parsers and decorators. Added use of namespace to dms sample for testing.
2009-11-17 23:39:42 +00:00
66b1b1957c
SEC-1298: Deleted custom-filter BeanDefinitionDecorator
2009-11-17 21:36:11 +00:00
3444b31615
SEC-1291: Add logout namespace support for custom success handler. Added attribute "success-handler-ref" to <logout> element in namespace.
2009-11-17 17:29:43 +00:00
9eae7b899c
SEC-1284: Added proxy-target-class attribute to method security namespace
2009-11-17 16:19:05 +00:00
afdd80235c
SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher. Fixed Spring RC1 - RC2 regression problem with test (addApplicationListener() behaviour has changed).
2009-11-17 14:34:43 +00:00
d4d5012035
SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher. Update AuthenticationManagerBeanDefinitionParser to register a DefaultAuthenticationeventPublisher and set it on the registered ProviderManager.
2009-11-17 12:55:53 +00:00
a2468c523a
SEC-1283: AuthenticationConfigBuilder.createAnonymousFilter uses httpElt instead of anonymousElt. Corrected element name.
2009-11-04 17:39:26 +00:00
197737a2b4
SEC-1281: make sure correct 'key' value is used for RememberMeAuthenticationProvider when external RememberMeServices is used
2009-11-04 14:55:58 +00:00
799b96520b
SEC-1269: Combining <form-login> and <open-id> fails to find entry point. Fixed entry point choice conditions when using openID and/or form-login
2009-10-14 00:30:28 +00:00
3f963ef8ca
Restore versions and svn URLs in trunk (release plugin fail)
2009-10-11 21:59:38 +00:00
af563e826c
[maven-release-plugin] prepare release spring-security-3.0.0.RC1
2009-10-11 21:43:42 +00:00
73df14c912
Allow any ordering of authentication-provider elements within authentication-manager
2009-10-11 19:58:04 +00:00
ed2ddf9323
SEC-1263: Add FactoryBean for namespace AuthenticationManager. <http> now uses AuthenticationManagerFactoryBean. Method security already uses a delegate object to lookup the AuthenticationManager. This now uses the same error message if the bean isn't found, rather than allowing the BeanFactory NoSuchBeanDefinitionException to be thrown directly.
2009-10-09 14:41:34 +00:00
ac5237c127
SEC:1263: Added FactoryBean for AuthenticationManager
2009-10-09 12:11:45 +00:00
e398922f85
Removing elements that are no longer supported from the namespace
2009-10-08 14:40:52 +00:00
80eb47c6fe
SEC-1261: Convert FilterChainOrder to an enum (SecurityFilters).
2009-10-08 13:18:32 +00:00
4dcb9de67a
SEC-1257: Some additional API changes to use Collection instead of List...
2009-10-07 21:08:20 +00:00
1286741c7c
SEC-1259: Improve consistency of authentication filter names.
2009-10-07 14:43:55 +00:00
f213cc5d9e
SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted.
2009-10-06 19:46:44 +00:00
5d486a51b6
SEC-1256: Added support for expression attributes in filter-security-metadata-source configuration.
2009-10-06 16:39:56 +00:00
07d7c0ddae
Renamed form and openID filters to shorten names
2009-10-05 17:33:34 +00:00
1042305cfe
Renamed web.wrapper to web.servletapi. Added some package.html files.
2009-10-05 16:59:37 +00:00
673cf300fb
SEC-1229: Refactoring to remove package cycles.
2009-10-05 16:40:32 +00:00
acf13c74ca
SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session
2009-10-05 15:51:00 +00:00
2b89ebdfbb
SEC-1229: Further doc and mods to namespace config/naming to make it more consistent
2009-10-03 16:08:51 +00:00
073198886d
SEC-1255: Modified UrlUtils. Full request URL for redirects uses the requestURI (which is encoded). The URL for path comparsions is built using the servletpath, as before.
2009-10-02 17:29:43 +00:00
c34d719004
SEC-1252: Remove 2.0.x schemas from 3.0. Removed files and updated spring.schemas to remove 2.0.x versions
2009-09-29 17:56:01 +00:00
2a1430f1ce
SEC-1229: Removed legacy concurrency classes
2009-09-29 16:18:25 +00:00
ebada9fd12
SEC-1229: Added support for parsing error URL in session-management
2009-09-29 16:17:05 +00:00
203cc5a8dc
SEC-1229: Added error-url to concurrency-control element and changed "exception-if-max-exceeded" to "error-if-max-exceeded"
2009-09-29 16:16:06 +00:00
7109b7e183
Import cleaning.
2009-09-29 00:30:29 +00:00
aa153681bf
SEC-1229: Added session-management element to namespace and refactored existing session-related attributes and concurrency control. Refactored <http> parsing code to split it up into more manageable units.
2009-09-29 00:29:09 +00:00
731402e9f5
SEC-525: [PATCH] Add AccessCheckerTag based on URL resource access permissions. Added functionality to "authorize" tag to allow evaluation of whether a particual url is accessible to the user. Uses a WebInvocationPrivilegeEvaluator registered in the application context.
2009-09-16 00:23:13 +00:00
71ab83255d
SEC-1242: Check that RememberMeServices is an instance of AbstractRememberMeServices before attempting to inject a UserDetailsService.
2009-09-11 21:10:16 +00:00
fa7404741b
SEC-1167: Introduce more flexible SavedRequest handling. Add namespace support for a custom RequestCache through the request-cache element.
2009-09-09 21:40:12 +00:00
aec730ae7e
SEC-1238: Disable portlet module
2009-09-09 20:03:00 +00:00
6640eab9dc
SEC-1240: Added {ssha} support to PasswordEncoderParser.
2009-09-09 12:12:29 +00:00
d099d14e9b
SEC-1235: Added test to attempt to verify (failed to reproduce).
2009-09-05 14:14:12 +00:00
8632946f30
SEC-1213: Added "order" atrribute to global-method-security
2009-09-04 15:54:42 +00:00
245fc96137
SEC-1075: Update the embedded LDAP server to use Apache DS 1.5. Updated to use the new 1.5.5 release for the embedded server.
2009-09-01 23:21:44 +00:00
2039200617
SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.
2009-09-01 16:08:20 +00:00
dbcb13ad14
SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination.
2009-08-31 22:48:49 +00:00
0d7b990e0a
SEC-1184: Moved ACL cache classes and interface out of jdbc package.
2009-08-31 22:15:37 +00:00
471206a29d
SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy
2009-08-27 10:43:01 +00:00
Rob Winch
Spring Buildmaster
Nick Williams
Marten Deinum
Keesun Baik
Luke Taylor
Oliver Becker
Mike Noordermeer
Rob Winch
Rob Winch