Marten Deinum
0adf5aea91
SEC-2098, SEC-2099: Created HeadersFilter
...
Created HeadersFilter for setting security headers, including a
bean definition parser for easy configuration of the headers. Enables
easy configuration for the X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options headers. Also allows for additional headers to
be added.
2013-07-25 16:22:43 -05:00
Rob Winch
f5a30e55a3
SEC-2042: AbstractAuthenticationProcessingFilter supports RequestMatcher
2013-07-23 13:06:51 -05:00
Rob Winch
f34b459c80
SEC-2205: Create UserDetailsServiceDelegator
...
Ensure that the UserDetailsService is created lazily.
2013-07-22 16:38:09 -05:00
Rob Winch
a39ff1b041
SEC-2202: http.authorizeUrls() to http.authorizeRequests()
...
This change is more meaningful since the requests can be matched on
anything, not just the URL
2013-07-22 11:54:10 -05:00
Rob Winch
e1d8db4e95
SEC-2197: Allow multiple invocations on HttpSecurity
...
Previously invoking methods like HttpSecurity#authorizeUrls() multiple
times would override one another. This has now changed to be more
intuitive. Initially this was required for the way that defaults were
provided so that they could be overridden, but this is no longer the case.
2013-07-21 22:56:23 -05:00
Rob Winch
686a7a8d62
SEC-2223: Correct FirewalledRequest#reset() javadoc
2013-07-21 14:30:20 -05:00
Rob Winch
04b7d5ca08
SEC-2156: Only configures COOKIE instead of SSL
...
Configuring SSL is only allowed for SSL enabled applications and should
be configured on its own (not in conjunction with other modes).
2013-07-20 10:29:54 -05:00
Rob Winch
cf0fdc2d66
SEC-2222: Use auth parameter name instead of registry
2013-07-20 07:49:07 -05:00
Rob Winch
ac053dbda7
SEC-2156: AbstractSecurityWebApplicationInitializer configures SessionTrackingMode
...
It also allows customization by overriding a method.
2013-07-19 17:09:58 -05:00
Rob Winch
90bd241ce2
SEC-2199: Support multiple AuthenticationEntryPoint defaults
2013-07-19 17:09:58 -05:00
Rob Winch
87c9a14bff
SEC-2198: http.httpBasic() defaults AuthenticationEntryPoint
2013-07-19 17:09:58 -05:00
Rob Winch
4411ae3ff6
SEC-2221: Add MediaTypeRequestMatcher
2013-07-19 17:09:31 -05:00
Rob Winch
eb15b19e50
SEC-2195: Update Groovy version on web module
2013-07-16 22:44:51 -05:00
Rob Winch
0f281f9575
SEC-2215: ServletApiConfigurer populates properties on SecurityContextHolderAwareRequestFilter
...
Previously ServletApiConfigurer left the following properties null:
authenticationManager, logoutHandlers, and authenticationEntryPoint
2013-07-16 22:43:53 -05:00
Rob Winch
59e8551279
Fix package tangles
2013-07-16 17:08:03 -05:00
Rob Winch
5e6ca12b01
SEC-2097: Update integrationTestCompile to use optional and provided
...
Also update slf4j version and remove explicit commons-logging from pom generation
2013-07-16 15:59:06 -05:00
Rob Winch
955a60cf49
SEC-2208: Use std docbook plugin and workspace cleanup
2013-07-16 15:15:47 -05:00
Rob Winch
7d9f0d688a
SEC-2207: Workaround for GRADLE-1116
2013-07-16 15:15:47 -05:00
Rob Winch
00ed77af20
SEC-2207: Trick Gradle Eclipse to import project and not the build folders
2013-07-16 15:15:47 -05:00
Rob Winch
41b64e05d0
SEC-2211: check.dependsOn integrationTest
2013-07-16 15:15:47 -05:00
Rob Winch
02551e1b7a
SEC-2214: Update Spring Version
2013-07-16 15:15:47 -05:00
Rob Winch
faa8b354b7
SEC-2209: add pom.xml
2013-07-16 15:15:47 -05:00
Rob Winch
e5fc063680
SEC-2206: Gradle Propdeps
2013-07-16 15:15:42 -05:00
Rob Winch
01230c76ef
SEC-2217: Sonar Runner
2013-07-16 15:13:22 -05:00
Rob Winch
3c9a80433f
SEC-2207: AspectJPlugin uses compileAspect and compileTestAspect
2013-07-16 15:02:39 -05:00
Rob Winch
07c3fdf8a7
SEC-2195: Update Groovy, Geb, Spock, httpcomponents, and Jetty
2013-07-16 15:02:39 -05:00
Rob Winch
1705c5d796
SEC-2207: Update Gradle to 1.6
2013-07-16 15:02:39 -05:00
Rob Winch
fb45db11e9
SEC-2191: Remove AuthenticationManagerBuilder default constructor
...
This ensures that users must choose what ObjectPostProcessor is being used
with AuthenticationManagerBuilder. To make things easier for users, we now
automatically add an AuthenticationManagerBuilder object that can be used
for creating an AuthenticationManager with @Autowired.
2013-07-05 12:10:03 -05:00
Rob Winch
e88800cd9b
SEC-2187: Polish
...
Create private utf8UrlEncode method to improve readability
2013-07-05 10:24:10 -05:00
Tom Boettcher
54c1c20c69
SEC-2187: Encode query parameter names and values in return_to URL
2013-07-05 09:47:18 -05:00
Rob Winch
e5c450a14c
Merge in AbstractSecurityWebApplicationInitializerTests.groovy
2013-07-05 09:42:19 -05:00
Keesun Baik
cf80cc88b5
SEC-2192: Create DEFAULT_FILTER_NAME
2013-07-05 09:41:53 -05:00
Rob Winch
cd34c47643
Next development version
2013-07-01 14:05:22 -05:00
Spring Buildmaster
b45f7b9585
[artifactory-release] Release version 3.2.0.M2
2013-07-01 11:42:45 -07:00
Rob Winch
3c178a339e
remove snapshot repo references
2013-07-01 13:00:57 -05:00
Rob Winch
70b3a330ef
#137 WebSecurityConfigurerAdapter no longer uses getClass() for logger
...
Previously it was difficult to change log levels due to CGLIB proxying of
the class which impacted the logger name.
2013-07-01 10:07:38 -05:00
Rob Winch
17bef05c3c
#138 WebInvocationPrivilegeEvaluator has default value
2013-07-01 08:46:57 -05:00
Rob Winch
d8ed429370
#138 Tests for WebSecurityExpressionHandler bean existing
2013-07-01 08:37:12 -05:00
Rob Winch
4d282cbe0d
SEC-1953: Polish
2013-06-30 21:51:25 -05:00
Rob Winch
7412fe0748
SEC-1953: Polish bundlor warnings
2013-06-30 21:45:45 -05:00
Rob Winch
d0c4e6ca72
SEC-1953: Spring Security Java Config support
...
This is the initial migration of Spring Security Java Config from the
external project at
https://github.com/SpringSource/spring-security-javaconfig
2013-06-30 17:28:33 -05:00
Luke Taylor
fba4fec84b
SEC-2175: Correct XSD docs on auto-config.
2013-06-09 14:51:58 +01:00
Rob Winch
7bc87cf13b
SEC-2002: Polishing
2013-06-06 15:05:00 -05:00
Nicholas Williams
d89ace26ab
SEC-2002: Added events to notify of session ID change
...
Session fixation protection, whether by clean new session or
migrated session, now publishes an event when a session is
migrated or its ID is changed. This enables application developers
to keep track of the session ID of a particular authentication
from the time the authentication is successful until the time
of logout. Previously this was not possible since session
migration changed the session ID and there was no way to
reliably detect that.
Revised changes per Rob Winch's suggestions.
2013-06-05 14:44:17 -05:00
Luke Taylor
743960d2d8
SEC-2122: Fix broken integration tests.
...
Modified BCryptPasswordEncoder to no longer throw an
IllegalArgumentException when the encoded password is empty or
the incorrect format for bcrypt. Instead it now logs a warning
that non bcrypt data was found.
The Dms integration tests were failing after being changed to
use bcrypt and this fixes the issue.
2013-05-21 23:13:08 +01:00
Luke Taylor
d8727638ab
SEC-1785: Remove auto-config from manual.
...
Changed the namespace doc to use an explicit form-login
and logout element and avoid mention of auto-config or its
effects. This makes the intro shorter and simpler.
2013-05-18 21:25:11 +01:00
Luke Taylor
ebba8ac514
SEC-2122: Update namespace to support bcrypt.
...
password-encoder now supports hash='bcrypt'.
2013-05-17 19:17:18 +01:00
Luke Taylor
896339087f
SEC-2122: Update samples to use bcrypt.
...
Data sources modified to store bcrypt hashes and configs now
use BCryptPasswordEncoder.
2013-05-17 18:44:30 +01:00
Luke Taylor
d6524feb62
SEC-2122: Change doc to prioritize bcrypt use
2013-05-17 18:42:47 +01:00
Rob Winch
34893cd53a
Remove ApacheDSContainerTests successfulStartupAndShutdown since it was commented out
2013-04-25 11:21:23 -05:00