Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-23 15:20:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
4,456 Commits 33 Branches 337 Tags
Commit Graph

298 Commits

Author SHA1 Message Date
Luke Taylor
f0c4cccb0d SEC-1479: Clarify that matching is against servletPath + pathInfo for ant pattern matching. Added some extra pointers to request-matching info in namespace doc. 2010-05-16 14:14:13 +01:00
Luke Taylor
bf288101a0 Javadoc improvements 2010-05-16 14:14:13 +01:00
Luke Taylor
b3aad4cf19 Javadoc fixes. 2010-05-06 20:02:08 +01:00
Luke Taylor
0c09780644 SEC-1476: Modify AbstractPreAuthenticatedProcessingFilter to store authentication exception in request instead of creating a new session. 2010-05-05 14:13:48 +01:00
Luke Taylor
fcf33afce0 Formatting. 2010-05-03 14:53:05 +01:00
Luke Taylor
bca6c1aeac SEC-1468: Doc and Javadoc updates. 2010-04-26 23:26:07 +01:00
Luke Taylor
024e6904ff SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager. 2010-04-25 04:27:09 +01:00
Luke Taylor
ee1fd1bc50 SEC-1431: Modify OpenID sample to use a custom UserDetailsService which allows any user to authenticate, allocating them a standard role and "registers" their ID in a map, allowing it to be retrieved in subsequent logins. 2010-04-20 23:47:48 +01:00
Luke Taylor
74896f217b SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>. 2010-04-20 23:47:47 +01:00
Luke Taylor
a45d2a4fb2 SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client. 2010-04-20 18:04:22 +01:00
Luke Taylor
93deec8d40 SEC-1458: Remove logger field in HttpSessionEventPublisher in favour of direct lookup. Prevents early initialization of logging system when listener is initialized. 2010-04-16 16:12:38 +01:00
Luke Taylor
0521d10069 SEC-1294: Enable access to beans from ApplicationContext in EL expressions. 
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
 2010-04-01 01:24:23 +01:00
Luke Taylor
2e2625873c SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager). 
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
 2010-03-23 00:45:06 +00:00
Luke Taylor
d5df53f1db SEC-1439: Make getters and setters public on HttpRequestResponseHolder. 
Necessary to allow use of custom SecurityContextRepository.
 2010-03-12 15:53:05 +00:00
Luke Taylor
f3264ba9ab Addition of commons-logging exclusions and adjustments to pom generation. 2010-03-07 21:58:25 +00:00
Luke Taylor
43f0e11106 SEC-1429: Removed cached authentication from session after successful authentication. 2010-03-05 00:07:35 +00:00
Luke Taylor
89d8c8cc83 Additional test classes for authentication and logout success/failure handling. 2010-03-04 23:18:46 +00:00
Luke Taylor
a3263753d9 Fix to Javadoc for AbstractAuthenticationProcessingFilter. 2010-03-04 22:06:04 +00:00
Luke Taylor
530ab3ae30 SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect. 2010-03-04 21:21:07 +00:00
Luke Taylor
43f3568b16 SEC-1407: Removed original URL matching classes and updated Javadoc of new RequestMatcher versions. 2010-03-03 23:11:49 +00:00
Luke Taylor
ae8027fa47 SEC-1425: Replace use of Java 1.6 String.isEmpty(). 2010-03-01 13:49:42 +00:00
Luke Taylor
93438defff SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy. 
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
 2010-03-01 01:21:06 +00:00
Luke Taylor
cb0f3f677f SEC-1425: Add check for empty cookie in AbstractRememberMeServices. 
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
 2010-02-28 14:08:27 +00:00
Luke Taylor
f0466b6488 SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all. 2010-02-27 00:22:21 +00:00
Luke Taylor
e2f9be9015 SEC-1307: Modify context saving logic in HttpSessionSecurityContextRepository to check the SecurityContext and its contents (the Authentication) against the respective values when the request first arrived at the SecurityContextPersistenceFilter. As explained in the issue, this allows a definite decision to be made about whether the current thread has modified the context information during the request, indicating that it should be saved. 
Also removed deprecated HttpSessionContextIntegrationFilter and tests.
 2010-02-26 16:01:40 +00:00
Luke Taylor
4dd10cd266 Refactor overly large doFilter() method in DigestAuthenticationFilter. 2010-02-22 01:48:53 +00:00
Luke Taylor
f3f84da625 Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0. 2010-02-21 23:25:36 +00:00
Luke Taylor
2ee7696bf4 Update version number to 3.1.0.CI-SNAPSHOT. 2010-02-19 17:35:19 +00:00
Luke Taylor
44f45d21f0 3.0.2 release. Update version in build files. 2010-02-19 01:22:21 +00:00
Luke Taylor
14ae36ac3b SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header. 
The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
 2010-02-18 00:32:49 +00:00
Luke Taylor
bd635edc31 SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones. 
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
 2010-02-15 22:46:18 +00:00
Luke Taylor
c1133d1ef3 Removed unused import in DelegatingAuthenticationEntryPoint and corrected test class name. 2010-02-14 23:31:31 +00:00
Luke Taylor
d30e31d816 Remove unnecessary @SuppressWarnings and inline dependency from ELRequestMatcher (util package) to core ExpressionUtils. 2010-02-14 23:29:27 +00:00
Luke Taylor
c12c43da9e Javadoc fixes. 2010-02-14 23:27:09 +00:00
Luke Taylor
36612377e2 Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents. 2010-02-14 23:23:23 +00:00
Luke Taylor
1e4f451352 Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources 2010-02-11 18:08:06 +00:00
Luke Taylor
dcbdfc2026 SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication. 
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
 2010-02-11 17:47:22 +00:00
Mike Wiesner
90d6ff1fde SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-11 13:19:16 +01:00
Mike Wiesner
d32b078a8c SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-11 09:05:28 +01:00
Mike Wiesner
d2413cf237 SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-10 21:25:23 +01:00
Luke Taylor
08c7155ab5 SEC-1404: Refactored IP subnet matching into IpAddressMatcher class to allow it to be used outside expressions. 2010-02-10 15:06:01 +00:00
Luke Taylor
1ecd3e228b SEC-1405: added RequestMatcher interface. 2010-02-10 14:34:14 +00:00
Luke Taylor
984604b026 SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator. 
The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
 2010-02-06 14:38:44 +00:00
Luke Taylor
0974e21fb6 SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid). 
This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
 2010-01-23 02:12:30 +00:00
Luke Taylor
04447bdbf0 SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs). 2010-01-22 01:55:13 +00:00
Luke Taylor
0c10efbbf8 Revert SEC-1356. 
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
 2010-01-19 22:26:21 +00:00
Luke Taylor
1a7f71fc0f SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions() 
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
 2010-01-19 01:07:33 +00:00
Luke Taylor
51dfc0fb39 Set versions to 3.0.2-CI-SNAPSHOT, post release. 2010-01-15 18:15:19 +00:00
Luke Taylor
05634f97dc Updated version numbers for 3.0.1 release. 2010-01-15 18:04:28 +00:00
Luke Taylor
a9567a58d8 SEC-1359,SEC-1360,SEC-1361,SEC-1363,SEC-1364,SEC-1365,SEC-1366,SEC-1367: Minor doc and Javadoc typos. 2010-01-13 15:36:58 +00:00