3e95f1c12e
SEC-2282: Polish CSRF Documentation
2013-09-27 16:41:06 -05:00
ee33a6deeb
SEC-2285: Headers doc explicitly state default headers
2013-09-27 16:29:10 -05:00
17efd25717
SEC-2331: Include Expires: 0 in security headers documentation
2013-09-27 16:13:40 -05:00
06a0ec1a9f
SEC-2285: Polish Security Headers Documentation
...
Explain why (passivity) XML Namespace doesn't enable security headers by
default.
2013-09-27 16:13:18 -05:00
9bb283044f
SEC-2282: Polish CSRF Documentation
...
Explain why (passivity) XML Namespace doesn't enable csrf protection by
default.
2013-09-27 16:06:25 -05:00
a09756745f
SEC-2151: Support binding method arguments with Annotations
...
This allow utilizing method arguments for method access control on
interfaces prior to JDK 8.
2013-09-27 11:18:37 -05:00
1f3b812a66
SEC-2282: Polish CSRF Documentation
2013-09-26 08:58:39 -05:00
ef7cc40389
SEC-2282: Polish CSRF Documentation
2013-09-25 17:30:50 -05:00
d16106ef56
SEC-2309: Document CSRF multipart/form-data
2013-09-25 15:14:32 -05:00
e5804d323b
SEC-2256: Fix intercept-url doc precidence statement
...
Previously the documentation incorrectly stated "If a request matches
multiple patterns, the method-specific match will take precedence
regardless of ordering."
This has now been removed and InterceptUrlConfigTests was added previously
to ensure this was true.
2013-09-13 22:02:52 -07:00
f6587c8697
SEC-2312: Update javadoc link to Spring 3.2.x
2013-09-13 15:34:30 -07:00
98fe2322cd
SEC-2095: Fix Servlet API doc ids
2013-08-30 13:10:32 -05:00
fc16450344
Demonstrate rest.js CSRF support in reference docs
...
rest.js 0.9.4 added support for applying the CSRF header and token to
Ajax requests.
2013-08-30 12:21:32 -05:00
246c632f3a
SEC-2095: Document Servlet API support
2013-08-30 12:20:35 -05:00
86340b8016
SEC-2283: Polish headers doc
2013-08-29 13:47:54 -05:00
d89cf6db29
SEC-2283: Update headers documentation and tests
2013-08-28 12:35:40 -05:00
4761614c9f
SEC-2291: Fix internal links within reference
...
Instead of using xlink:href="# use linkend="
2013-08-28 09:12:27 -05:00
69aac09e1d
SEC-2285: Added headers to to reference
2013-08-28 08:58:45 -05:00
9483226d02
SEC-2282: Polish CSRF doc
2013-08-27 17:16:32 -05:00
98bdd32ca0
SEC-2282: Add CSRF documentation to the reference manual
2013-08-25 19:00:04 -05:00
18bd82e7d4
SEC-2131: Update doc to state session authentication sends 401 if no page
2013-08-25 11:37:23 -05:00
cd7055f725
SEC-2171: Include Information about pooling in Spring LDAP documentation
2013-08-25 11:27:50 -05:00
7f2308f46c
SEC-2146: Document AspectJ does not inherit annotations
2013-08-25 11:06:36 -05:00
03b235295e
SEC-2270: Remove duplicate version from guides index
2013-08-23 14:13:12 -05:00
efa9f4db93
SEC-2108: Fix typo in ldap section of manual
2013-08-23 14:09:58 -05:00
e8788f2657
SEC-2269: Fix markup for CSRF link
2013-08-21 10:08:39 -05:00
17c2a18fee
SEC-2269: Fix CSRF link in appendix
2013-08-21 10:01:19 -05:00
a3a432f7b6
SEC-2269: Fix additional links
2013-08-20 14:02:33 -05:00
3b2156969d
SEC-2269: Fix headers link
2013-08-20 10:06:00 -05:00
f707101fdb
SEC-2269: Fix headers documentation
2013-08-20 10:03:31 -05:00
eb95c500f5
Remove dockbook-reference from guides
2013-08-20 10:02:55 -05:00
658a93178c
SEC-2252: Add custom form guide
2013-08-19 15:22:04 -05:00
51b9c4a19a
Hide logout in main.jsp if not logged in
2013-08-17 14:38:39 -05:00
e9bb9e766e
SEC-1574: Add CSRF Support
2013-08-15 14:49:21 -05:00
5f35d9e3ec
SEC-2135: Document HttpServletRequest.changeSessionId() support
2013-08-15 13:59:16 -05:00
485676be8c
SEC-2251: Polish Hello World guides
...
* Correct how to add username and logout to mvc
* Externalize :revnumber:
2013-08-15 12:50:40 -05:00
13da42ca1b
SEC-2137: Allow disabling session fixation and enable concurrency control
2013-08-15 12:50:40 -05:00
e0cb931f69
SEC-2251: Create Hello World Java Configuration guides
2013-08-08 14:34:50 -05:00
333a7291a4
SEC-2242: Fixed typo in technical overview
...
Changed "source source" to "source"
2013-08-01 13:02:56 -05:00
e242aeff3e
SEC-2230: Polish and clickjacking demo
2013-08-01 10:19:36 -05:00
283c906215
SEC-2230: Fix reference PDF
2013-07-31 12:22:41 -05:00
988e97e366
SEC-2230: Polish headers reference
2013-07-31 10:39:52 -05:00
c85328c5d1
SEC-2230: HTTP Strict Transport Security (HSTS)Add support for Strict
...
This is a distinct filter as apposed to reusing StaticHeaderWriter
since the specification specifies that the "Strict-Transport-Security"
header should only be set on secure requests. It would not make sense to
require DelegatingRequestMatcherHeaderWriter since this requirement is
in the specification.
2013-07-31 10:39:52 -05:00
8013cd54d6
SEC-2230: Added Cache Control support
2013-07-31 10:39:45 -05:00
7b164bb5e1
SEC-2230: Polish pull request
2013-07-26 14:19:53 -05:00
8acd205486
SEC-2232: HeaderFactory to HeaderWriter
2013-07-26 09:01:12 -05:00
fd754c5cab
SEC-2098, SEC-2099: Fix build
...
- hf.doFilter is missing FilterChain argument
- response.headers does not contain the exact values for the headers so
should not be used for comparison (note it is a private member so this
is acceptable)
- hf does not need non-null check when hf.doFilter is invoked
- some of the configurations are no longer valid (i.e. ALLOW-FROM
requires strategy)
- Some error messages needed updated (some could still use improvement)
- No validation for missing header name or value
- rebased off master / merged
- nsa=frame-options-strategy id should use - not =
- FramewOptionsHeaderFactory did not produce "ALLOW-FROM " prefix of origin
- remove @Override on interface overrides to work with JDK5
2013-07-25 16:23:25 -05:00
d0b40cd2ae
- Created HeaderFactory abstraction
...
- Implemented different ALLOW-FROM strategies as specified in the proposal.
Conflicts:
config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
2013-07-25 16:22:43 -05:00
a63baa8391
SEC-2098, SEC-2099: Polishing
2013-07-25 16:22:43 -05:00
0adf5aea91
SEC-2098, SEC-2099: Created HeadersFilter
...
Created HeadersFilter for setting security headers added including a
bean definition parser for easy configuration of the headers. Enables
easy configuration for the X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options headers. Also allows for additional headers to
be added.
2013-07-25 16:22:43 -05:00
955a60cf49
SEC-2208: Use std docbook plugin and workspace cleanup
2013-07-16 15:15:47 -05:00
d8727638ab
SEC-1785: Remove auto-config from manual.
...
Changed the namespace doc to use an explicit form-login
and logout element and avoid mention of auto-config or its
effects. This makes the intro shorter and simpler.
2013-05-18 21:25:11 +01:00
d6524feb62
SEC-2122: Change doc to prioritize bcrypt use
2013-05-17 18:42:47 +01:00
c0921b9ede
SEC-2133: Update doc from ChannelAuthenticationFilter to ChannelProcessingFilter
2013-04-25 08:56:47 -05:00
6ebb9abfb7
Fix HttpSessionEventPublisher package name in FAQ.
2013-04-06 14:53:53 +01:00
5eb5c91d86
SEC-2119: Rename rememberme-parameter to remember-me-parameter
...
This change extends pull request https://github.com/SpringSource/spring-security/pull/26
and its subsequent changes by renaming the attribute name 'rememberme-parameter' to
'remember-me-parameter'.
The spelling including the additional hyphen in 'remember-me-parameter' is more consistent
with the default spelling of the 'remember-me' functionality.
2013-03-05 14:47:25 -06:00
b014020955
SEC-2119: Polish remember-me@rememberme-parameter
...
- Change form-parameter to rememerme-parameter
- Use rnc file for generating the xsd
- Add test for deafult value of rememberme parameter
2013-03-01 17:03:09 -06:00
9eb34fe51c
SEC-2119: Add a 'form-parameter' attribute to <remember-me>
...
This change extends the namespace configuration of <remember-me>
with a 'form-parameter' attribute. The introduced attribute sets
the 'parameter' property of AbstractRememberMeServices.
This enables overriding the default value of
'_spring_security_remember_me' using the namespace configuration.
2013-03-01 17:03:02 -06:00
e8661913d1
SEC-2119: Update to 3.2 schema and use default schema version when available
2013-03-01 16:29:27 -06:00
83f1d76c16
SEC-2138: Fix code snippet in Hierarchical Roles section
...
The bean definition of RoleHierarchyVoter was syntactically incorrect.
2013-02-26 09:48:59 -06:00
5ba31dfd56
Use AspectJMethodSecurityInterceptor in reference
...
Change reference to use AspectJMethodSecurityInterceptor instead of
undefined AspectJSecurityInterceptor.
2012-12-04 10:06:27 -06:00
373fe3a9f1
SEC-2074: Update reference to use <method-security-metadata-source>
2012-12-04 10:05:22 -06:00
6cea2694dc
SEC-2069: Update doc to use FilterInvocationSecurityMetadataSource
2012-10-22 14:24:05 -05:00
4f741bc914
SEC-2057: ConcurrentSessionFilter is now after SecurityContextPersistenceFilter
...
Previously, ConcurrentSessionFilter was placed after SecurityContextPersistenceFilter
which meant that the SecurityContextHolder was empty when ConcurrentSessionFilter was
invoked. This caused the Authentication to be null when performing a logout. It also
caused complications with LogoutHandler implementations that would be accessing the
SecurityContextHolder and potentially clear it out expecting that
SecurityContextPersistenceFilter would then clear the SecurityContextRepository.
The ConcurrentSessionFilter is now positioned after the
SecurityContextPersistenceFilter to ensure that the SecurityContextHolder is populated
and cleared out appropriately.
2012-10-03 09:27:24 -05:00
8ad0e0e8e8
SEC-1995: Use Gradle Artifactory integration for releases
2012-08-09 14:20:57 -05:00
095dcb3a74
SEC-2010: Include missing <value> tag in Hierarchical Roles section of the reference
2012-07-19 10:18:12 -05:00
b196d70f99
SEC-1905: Added para tag to the digest encoded password footnote
2012-07-11 13:12:57 -05:00
bfd09f7603
SEC-1905: Added footnote to password encoding for digest authentication
...
Technically digest authentication can allow for encoded passwords, but
it needs to be in the correct format. This update adds a footnote to clarify this.
Previously the documentation stated that passwords must be in clear text.
2012-07-11 13:00:06 -05:00
3e4da4f60f
Updated to next snapshot version
2012-07-06 11:28:21 -05:00
f46a5bab40
Set to 3.1.1 Release
2012-07-06 10:32:55 -05:00
a2452ab514
SEC-1906: Update to Gradle 1.0
2012-07-05 12:41:56 -05:00
18230259b8
SEC-1985: Removed WebSecurityExpessionHandler from reference
2012-06-28 11:35:07 -05:00
954ba57cf2
SEC-1970: Cleanup of pre authentication documentation
...
* Removed custom-authentication-provider from documentation
* Rephrased to make the pre authentication documentation a little more concise
* Removed nested () within text (not code)
* Removed user which should have been use
2012-06-15 14:44:16 -05:00
ca741ab18f
SEC-1943: Corrected namespace doc to state SecurityContextHolderAwareRequestFilter instead of SecurityContextHolderAwareFilter
2012-03-20 19:18:26 -05:00
2434564d6c
SEC-1904: Fixed LDAP object class name in docs.
2012-02-01 14:37:32 +00:00
b493afa18c
SEC-1888: Improving the doc on (not) using multiple annotation types in the same class.
2012-01-31 19:05:43 +00:00
9b423a7726
Set 3.1.0 release version.
2011-12-05 23:42:39 +00:00
53483df1f5
SEC-1678: Added What's new section to reference
2011-11-18 13:52:37 -06:00
041cb1dcc3
SEC-1858: Included the updates for logout-success-url documentation
2011-11-18 11:22:22 -06:00
f88b6f75ff
SEC-1858: Overhall the namespace appendix of the reference to include missing elements and attributes
2011-11-11 09:00:53 -05:00
2fd0a65049
SEC-1839: Updated preauth example to use </security:authentication-manager> instead of </security-authentication-manager>
2011-10-18 19:18:56 -05:00
503ac9ae7c
SEC-1798: Remove internal evaluation of EL in JSP tag implementations.
2011-08-12 19:44:27 +01:00
a1c714cff4
SEC-1754: Added an InvalidSessionStrategy to allow SessionManagementFilter to delegate out the behaviour when an invalid session identifier is submitted.
2011-07-14 16:43:02 +01:00
ac3d8b25f2
Expand LDAP authentication FAQ with information about bind authentication and unreadable password attributes.
2011-07-14 13:13:39 +01:00
d5946b81b4
Added FAQ on how to add ApacheDS entries to pom.
2011-07-13 17:50:29 +01:00
2e83d98c8f
SEC-1776: Corrected typo in manual
2011-07-09 19:24:12 -05:00
2861a951aa
Minor FAQ update on version info.
2011-06-17 11:45:56 +01:00
ecfffaaa3f
Make aspectj dependencies optional throughout and spring-jdbc/tx optional in core poms. Reduces exclusions required in third-party poms (e.g. spring-social).
2011-06-09 22:57:49 +01:00
132163ec2e
Add FAQ on accessing password from a UserDetailsService.
2011-05-26 18:38:45 +01:00
b53d430798
Doc update to reflect change in cas integration module name since 3.0.
2011-05-23 21:29:40 +01:00
3541099634
Correct typo in FAQ.
2011-05-17 18:23:48 +01:00
295ea27526
SEC-1743: Separate remoting from core into separate module.
2011-05-16 00:19:30 +01:00
6e91786f92
SEC-1734: AbstractRememberMeServices will now default to using a secure cookie if the connection is secure. The behaviour can be overridden by setting the useSecureCookie property in which case the cookie will either always be secure (true) or never (false).
2011-05-09 13:36:23 +01:00
bd74185e41
SEC-1729: Updated openid module and sample to openid4java 0.9.6 and httpclient 4.1.1
2011-04-26 23:39:51 -05:00
e473897fd9
SEC-1181: Add docs for ActiveDirectoryLdapAuthenticationProvider. Minor fix to initialization checks.
2011-04-26 18:39:01 +01:00
c4a1ce9f1a
SEC-1725: Update docs to remove references to filter-chain-map.
2011-04-25 23:38:44 +01:00
f28a09dfa4
Formatting changes to CAS documentation
2011-04-17 18:17:16 -05:00
01fb4bdb6d
SEC-1718: Update documentation and sample application to demonstrate how to use a PGT to authenticate to stateless services using a PT
2011-04-17 18:17:14 -05:00
11331d34d9
SEC-1717: Document how to perform Single Logout with CAS and added integration test for sample application to test Single Logout
2011-04-17 18:14:16 -05:00
04f1df2a1b
SEC-965: Updated CAS documentation to describe authenticating proxy tickets
2011-04-17 18:14:16 -05:00
Rob Winch
Scott Andrews
beamerblvd
Asaf David
Marten Deinum
Luke Taylor
Oliver Becker
@fbiville
Rob Winch
Florian Fankhauser