a5ec116e80
SEC-1919: Log error when fail to communicate with LDAP
...
Previously communication errors with LDAP were only logged at debug level.
Communication errors (along with other non-authenticated related NamingExceptions)
are now logged as error messages. We created an InternalAuthetnicationServiceException
to represent errors that should be logged as errors to distinguish between internal
and external authentication failures. For example, we do not want an OpenID Provider
being able to report errors that cause our logs to fill up. However, an LDAP system is
internal and should be trusted so logging at an error level makes sense.
2012-07-31 16:55:48 -05:00
734188206d
SEC-1940: ProviderManager publishes any AccountStatusException
...
Previously there was a bug introduced by SEC-546 that prevented any
AccountStatusException from being published.
Now AccountStatusExceptions are also published.
2012-07-30 14:09:50 -05:00
10e6a6f943
Remove compile warnings in AspectJMethodSecurityInterceptorTests
2012-07-24 18:13:52 -05:00
9a9aafaeec
SEC-1967: Restore original SecurityContext in finally when RunAsManager is used
...
Previously subclasses of AbstractSecurityInterceptor did not restore the original
Authentication when RunAsManager was used and an Exception was thrown in the
original method.
AbstractSecurityInterceptor has added a new method finallyInvocation which
should be invoked in a finally block immediately after the original invocation
which will restore the original Authentication. All existing sub classes have
been updated to use this new method.
2012-07-24 18:08:27 -05:00
1d701a2d8f
SEC-2012: Remove additional incorrect javadoc from UserDetails#getPassword()
2012-07-21 10:35:28 -05:00
b4fbabdbfd
SEC-2012: Remove incorrect javadoc from UserDetails#getPassword()
...
Previously the javadoc stated that password could not be null. However,
since the introduction of CredentialsContainer introduced in SEC-1493 the
password can be null.
The changes remove the statement that passwords cannot be null. While this
is a non-passive change to the interface, the current state leaves no choice
for a non-passive change. Removing the javadoc was determined the better
option since erasing the credentials was an explicit feature request. Note
that replacing the password with an obscure String can be risky as it
introduces the risk that the value is used to authenticate.
2012-07-20 15:34:28 -05:00
638e92a3f7
SEC-1992: Updated Spring version to 3.0.7
2012-07-06 10:32:45 -05:00
f2345fcb21
SEC-1981: Remove dependency on Locale for the build
2012-07-05 13:30:41 -05:00
a2452ab514
SEC-1906: Update to Gradle 1.0
2012-07-05 12:41:56 -05:00
8b05d23832
SEC-1971: Allow injection of ExpressionParser in AbstractSecurityExpressionHandler
2012-06-15 08:21:52 -05:00
5d71d2a4fa
SEC-1887: Add MethodSecurityOperations interface.
...
This should cater for implementations which want to use
the full filtering capabilities while creating a custom
expression root object.
Also cleaning whitespace.
2012-02-01 15:49:56 +00:00
0f9ee81df1
SEC-1887: Improve extensibility of expression-based security classes
...
Introduces a new SecurityExpressionOperations interface which is
implemented by SecurityExpressionRoot
2012-01-31 19:06:43 +00:00
f97463cdb5
Minor comment fixes
2012-01-16 14:49:59 +00:00
1f835fec43
SEC-1867: Perform null check on Authentication.getCredentials() prior to calling toString()
2011-12-30 14:00:13 -06:00
8ca2927761
Renamed **/Test.java to **/Tests.java to better follow conventions
2011-12-28 17:39:29 -06:00
3dca70403d
Suppress compiler warnings and minor javadoc fix for ProviderManager
2011-11-11 11:45:02 -06:00
8fd2963e6b
Deprecate storage of Authentication object in AuthenticationException.
2011-11-01 13:05:53 +00:00
bce4d81142
Mark overriding "extraInformation" methods in account status exceptions as deprecated.
2011-10-30 21:47:04 +00:00
2953f56b2b
Remove ancient code formatter artifacts.
2011-09-25 21:17:21 +01:00
44364d0101
SEC-1826: Empty attribute list should be treated the same as null in DelegatingMethodSecurityMetadataSource.
2011-09-24 14:36:54 +01:00
be8ee61f82
PreInvocationAuthorizationAdviceVoter was checking the wrong type in its "supports" method.
...
This isn't actually used, but is still incorrect.
2011-09-24 13:13:38 +01:00
359bd7c468
SEC-1804: Updated Javadoc wrt immutability of User class.
2011-08-25 10:50:50 +01:00
8ce6c73802
Add check for empty attributes list as well as null, in DelegatingMethodSecurityMetadataSource
2011-08-19 15:24:44 -07:00
d6b7b52a79
Update to Spring 3.0.6.
2011-08-19 15:06:26 -07:00
a4c05239e5
SEC-1719: Lithuanian messages translation.
2011-08-19 11:17:05 -07:00
59a07175a6
SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider.
2011-08-12 19:44:27 +01:00
5fce0a58bd
SEC-1750: Make sure RunAs replacement is constrained to the SecurityContext of the current thread.
2011-08-12 19:44:27 +01:00
249610c7ed
SEC-1742: Remove deprecated "includeDetailsObject" field from DaoAuthenticationProvider.
2011-08-12 19:44:26 +01:00
1976cb1bf7
SEC-1742: Deprecate use of extraInformation field in AuthenticationException, making it transient and removing any sensitive data in UserDetails objects which are stored in it.
2011-08-12 19:44:26 +01:00
74daa68691
SEC-1796: Check for annotated annotations at class/interface level. Previously only the specific security annotation was checked for. By delegating to Spring's AnnotationUtils, custom annotations carrying the security annotation are also detected.
2011-08-12 14:29:55 +01:00
7399c9a7a5
SEC-1792: Fixed NullPointerException in RunAsUserToken#toString()
2011-07-29 09:55:18 -05:00
dfd467f26e
cleaned imports in RunAsUserToken
2011-07-29 09:39:02 -05:00
56e86dd36f
Adding assertions on constructor arg values.
2011-07-06 20:50:25 +01:00
2d271666a4
Add constructors to facilitate constructor-based injection for required/shared bean properties.
2011-07-05 20:25:49 +01:00
c3a3a5bfbf
Updated core.gradle to include crypto as referenced project in eclipse
2011-06-21 07:22:35 -05:00
d253f5e109
SEC-1768: Use AopProxyUtils.ultimateTargetClass() to cater for the situation where the security interceptor is being applied to a proxy.
2011-06-18 14:35:56 +01:00
571bfc4869
Refactoring to use Utf8 encoder instead of String.getBytes("UTF-8").
2011-06-14 18:47:50 +01:00
361b77685d
Add crypto as an exported dependency of core in IDEA configuration.
2011-06-14 18:47:49 +01:00
2b8d4684a1
SEC-1764: Ensure password encoders use UTF-8 charset when creating strings from byte arrays.
2011-06-14 18:47:49 +01:00
e27f655e9d
SEC-1689: Re-instate crypto as separate library (for use in non-Spring Security apps), as well as packaging with core.
2011-06-10 00:01:25 +01:00
6d04670f87
SEC-1695: Allow customization of the session key under which the SecurityContext is stored.
2011-05-25 19:51:47 +01:00
42e0e158b4
Simplify Digester utility class.
2011-05-25 19:09:08 +01:00
21295a58e5
SEC-1751: Applied patch to use zero-IV for queryable text encryption.
2011-05-23 20:10:16 +01:00
5a4aed238c
SEC-1752: Fixed Utf8 codec to take account of the limit of the ByteBuffer returned by CharsetEncoder.encode().
2011-05-23 18:55:25 +01:00
63f160dc72
SEC-1749: Add support for PageContext lookup of objects and use of PermissionEvaluator when using web access expressions.
2011-05-19 15:27:35 +01:00
c758f36629
Forgot to add version information test previously
2011-05-17 23:54:43 +01:00
295ea27526
SEC-1743: Separate remoting from core into separate module.
2011-05-16 00:19:30 +01:00
396eced291
Add test to check version information.
2011-05-07 17:15:02 +01:00
6a2a636fd7
Update Javadoc for UserDetailsManager to reflect that the new password doesn't need to be stored in the security context (and probably shouldn't be).
2011-05-07 16:20:12 +01:00
a2858240f1
SEC-1728: Remove references to SUN provider and incorrect seeding of SecureRandom in SecureRandomBytesKeyGenerator.
2011-04-27 22:10:17 +01:00
Rob Winch
Luke Taylor
Andrei Stefan
Rob Winch