Commit Graph

629 Commits

Author SHA1 Message Date
Mattias Severson 2b3becf666 SEC-2573: RequestHeaderRequestMatcher constructor argument name has typo 2014-04-23 09:28:00 -05:00
Rob Winch 8baf82532c SEC-2015: Add spring-security-test 2014-04-22 16:47:48 -05:00
Rob Winch ccf96a4d69 SEC-2542: Polish dependency exclusions
This cleans up exclusions so the pom.xml are not as cluttered.
2014-04-02 09:47:29 -05:00
Rob Winch 3118e39de8 SEC-2542: Use exclusions to remove duplicate dependencies
A number of projects had duplicate dependencies on their classpaths
as a result of the same classes being available in more than one
artifact, each with different Maven coordinates. Typically this only
affected the tests, but meant that the actual classes that were
loaded was somewhat unpredictable and had the potential to vary
between an IDE and the command line depending on the order in which
the aritfacts appeared on the classpath. This commit adds a number of
exclusions to remove such duplicates.

In addition to the new exclusions, notable other changes are:

 - Spring Data JPA has been updated to 1.4.1. This brings its
   transitive dependency upon spring-data-commons into line with
   Spring LDAP's and prevents both spring-data-commons-core and
   spring-data-commons from being on the classpath
 - All Servlet API dependencies have been updated to use the official
   artifact with all transitive dependencies on unofficial servlet API
   artifacts being excluded.
 - In places, groovy has been replaced with groovy-all. This removes
   some duplicates caused by groovy's transitive dependencies.
 - JUnit has been updated to 4.11 which brings its transitive Hamcrest
   dependency into line with other components.

There appears to be a bug in Gradle which means that some exclusions
applied to an artifact do not work reliably. To work around this
problem it has been necessary to apply some exclusions at the
configuration level

Conflicts:
	samples/messages-jc/pom.xml
2014-04-02 09:47:26 -05:00
Rob Winch c0590e614a SEC-2177: Polish 2014-03-18 15:48:54 -05:00
Maciej Zasada 7cf37856c0 SEC-2177: Striping off all leading schemes
Striping off all leading schemes in the DefaultRedirectStrategy, so it
will be less vulnerable to open redirect phishing attacks. More info can
be found at SEC-2177 JIRA issue.
2014-03-18 15:45:41 -05:00
Julien Dubois 7325b97c76 SEC-2519: RememberMeAuthenticationException supports root cause
Added a constructor which keeps the root cause of the exception, and
added some documentation
2014-03-11 16:11:52 -05:00
Rob Winch 91a074c744 Merge pull request #62 from dalbertom/typo
Correct typo in AbstractRememberMeServices assertion
2014-03-11 15:40:23 -05:00
Rob Winch ea902e5829 SEC-2507: WebExpressionVoter.supports support subclasses of FilterInvocation 2014-03-10 14:33:37 -05:00
Rob Winch e15cee62f4 SEC-2511: Remove double ALLOW-FROM in X-Frame-Options header 2014-03-06 22:01:25 -06:00
getvictor 6de138c2f2 SEC-2511: Remove double ALLOW-FROM from X-Frame-Options header.
The interface documentation for getAllowFromValue states: Gets the value for ALLOW-FROM excluding the ALLOW-FROM.
2014-03-06 22:01:23 -06:00
Rob Winch 9988fa141c Update Spring Security version in pom.xml 2014-03-06 08:13:52 -06:00
Rob Winch 6be4e3a9fc SEC-2506: Remove Bundlor Support 2014-03-05 13:32:16 -06:00
Rob Winch 7f99a2dfbb SEC-2487: Update to Spring 3.2.8.RELEASE 2014-02-19 09:30:40 -06:00
Rob Winch ec8b48150d SEC-2474: Update poms 2014-02-07 17:01:11 -06:00
Rob Winch 8d8475deb1 SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
2014-01-29 15:35:18 -06:00
Rob Winch 2df5541905 SEC-2448: Update to HSQL 2.3.1 2013-12-14 10:19:06 -06:00
Rob Winch ca1080fb96 SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter 2013-12-13 15:47:28 -06:00
Rob Winch a34178bc40 SEC-2434: Update to Spring 3.2.6 and Spring 4.0 GA 2013-12-12 08:16:59 -06:00
Rob Winch aaa7cec32e SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
Previously there was unecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
2013-12-12 08:07:22 -06:00
Rob Winch 7f714ebb23 SEC-2422: Session timeout detection with CSRF protection 2013-12-11 17:38:17 -06:00
Rob Winch 4460e84b29 Updates to pom.xml author and repo 2013-12-09 08:57:30 -06:00
David Alberto f9998d582a Correct typo in AbstractRememberMeServices assertion 2013-11-26 18:06:55 -05:00
Rob Winch 59e13e7bbb SEC-2404: CsrfAuthenticationStrategy creates new valid CsrfToken 2013-11-21 15:12:08 -06:00
Rob Winch 2c8946c406 Next development version 2013-11-01 14:20:55 -05:00
Spring Buildmaster 9c703a3051 Release version 3.2.0.RC2 2013-11-01 14:20:49 -05:00
Rob Winch 1a1f577a8b SEC-2358: Add RequestHEaderRequestMatcher#toString() 2013-10-28 14:41:10 -05:00
Rob Winch e638f0a547 SEC-2357: old RequestMatcher interface extends new RequestMatcher 2013-10-23 17:09:33 -05:00
Rob Winch 04b091c385 SEC-2369: PreAuthenticatedGrantedAuthoritiesUserDetailsService fix case to createUserDetails method 2013-10-17 16:18:43 -05:00
Rob Winch 15a63c58a7 SEC-2368: DebugFilter outputs headers and HTTP method 2013-10-17 14:49:45 -05:00
Rob Winch 1351c8bada SEC-2362: Clarify AbstractRememberMeServices loginSuccess javadoc 2013-10-15 13:53:23 -05:00
Adrien be e50b587d60 SEC-2360: AbstractRememberMeServices provide message for Assert on key fieldd 2013-10-14 15:06:11 -05:00
Rob Winch 0b0e7dbea9 SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter 2013-10-14 15:00:24 -05:00
Rob Winch 51171efa7a SEC-2357: Move *RequestMatcher to .matcher package 2013-10-14 11:55:56 -05:00
Rob Winch 45ad74a0bd SEC-2357: Fix package cycles 2013-10-14 11:15:16 -05:00
Rob Winch 14b9050616 SEC-2357: Move *RequestMatchers to .matchers package 2013-10-14 10:36:31 -05:00
Rob Winch 7d99436740 SEC-2358: Add RequestHeaderRequestMatcher 2013-10-11 14:53:11 -05:00
Rob Winch 0ac1176152 Polish RequestMatcher logging and toString 2013-10-07 15:45:42 -05:00
Rob Winch cffbefadd1 SEC-2306: Fix Session Fixation logging race condition
Previously session fixation protection could output an incorrect warning
that session fixation protection did not work.

The code now synchronizes on WebUtils.getSessionMutex(..).
2013-10-06 17:13:40 -05:00
kazuki43zoo 611a97023d SEC-2352: HttpSessionCsrfTokenRepository lazy session creation 2013-10-06 16:44:18 -05:00
Rob Winch 17efd25717 SEC-2331: Include Expires: 0 in security headers documentation 2013-09-27 16:13:40 -05:00
Rob Winch cea0cf9260 SEC-2243: Remove additional Debug Filter 2013-09-26 11:38:16 -05:00
Rob Winch b591881e95 SEC-2302: Provide beforeSpringSecurityFilterChain hook
This allows inserting filters before the springSecurityFilterChain.
2013-09-25 14:52:40 -05:00
Rob Winch 88f41cdf62 SEC-2341: Update to Gradle 1.8
Some dependencies were necessary to update due to issues with JUnit
integration.
2013-09-24 15:35:51 -05:00
Rob Winch ddc0ef7ab3 SEC-2339: Added Logical (Or, And, Negated) RequestMatchers 2013-09-23 20:55:49 -05:00
Rob Winch 788ba9a1fa SEC-2329: Allow injecting of AuthenticationTrustResolver 2013-09-20 15:26:52 -05:00
Rob Winch 9133c33f1d SEC-2246: HttpSessionRequestCache.getRequest casts to RequestCache
The method getRequest use to cast to DefaultRequestCache, but this
is not necessary.

Now the cast is to SavedRequest.
2013-09-19 15:08:32 -05:00
Rob Winch 8f8c6169e8 SEC-2331: Cache Control now includes Expires: 0 2013-09-19 14:06:37 -05:00
Rob Winch 0114b457c0 SEC-2330: CacheControlHeadersWriter use a single header 2013-09-18 16:12:34 -05:00
Rob Winch 32e9239fd2 SEC-2320: AuthenticationPrincipal can be null on invalid type
Previously a ClassCastException was thrown if the type was invalid. Now
a flag exists on AuthenticationPrincipal which indicates if a
ClassCastException should be thrown or not with the default being no error.
2013-09-13 15:21:13 -07:00
Rob Winch b22acd0768 SEC-2314: AbstractSecurityWebApplicationInitializer.getSessionTrackingModes() uses EnumSet 2013-09-13 14:44:44 -07:00
Rob Winch 8e74407381 SEC-2296: HttpServletRequest.login should throw ServletException if already authenticated
See throws documentation at
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login%28java.lang.String,%20java.lang.String%29
2013-08-31 11:55:24 -05:00
Rob Winch e8ac11641b SEC-2297: Add DispatchType.ASYNC as default for AbstractSecurityWebApplicationInitializer 2013-08-31 11:39:57 -05:00
Rob Winch 3d2f23602f SEC-2294: Update Spring Version to 3.2.4.RELEASE 2013-08-31 11:26:43 -05:00
Rob Winch 43f4d01cf3 SEC-2292: Add test to assert CSRF bypass of methods is case sensitive
HTTP methods should be case sensitive, so add test to ensure that this is
the case http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
2013-08-31 10:40:49 -05:00
Rob Winch 6e9fb7930b SEC-2298: Add AuthenticationPrincipalArgumentResolver 2013-08-30 17:06:40 -05:00
Rob Winch 086056f191 SEC-2289: Make compatible with Spring 4 as well
There are a few subtle changes in Spring 4 that this commit addresses
2013-08-27 16:43:10 -05:00
Rob Winch 26166ef6e8 SEC-2272: CsrfRequestDataValueProcessor support Spring 4 and Spring 3 2013-08-27 16:26:16 -05:00
Rob Winch 3f69847a4e SEC-2286: Log invalid CSRF tokens at debug level 2013-08-25 22:35:20 -05:00
Rob Winch d60108eaf6 SEC-2229: Add optional dependencies to spring-security-config
spring-tx and spring-jdbc aren't pulled in transitively from
spring-security-web now, so we must include them as optional dependencies.
2013-08-25 19:47:57 -05:00
Rob Winch 33db440961 SEC-2129: AntPathRequestMatcher also supports case sensitive comparisions 2013-08-25 16:26:18 -05:00
Rob Winch 7d1d856729 SEC-2229: spring-security-web dependency polish
- remove direct dependency on spring-aop
- spring-tx and spring-jdbc optional
2013-08-25 15:52:17 -05:00
Rob Winch 534989c8ea SEC-2103: Fix tests to verify debug logging instead of info 2013-08-25 10:05:22 -05:00
Rob Winch acb2b680d0 SEC-2103: Change log of no results to debug 2013-08-24 23:39:56 -05:00
Rob Winch 48283ec004 SEC-2276: Delay saving CsrfToken until token is accessed
This also removed the CsrfToken from the response headers to prevent the
token from being saved. If user's wish to return the CsrfToken in the
response headers, they should use the CsrfToken found on the request.
2013-08-24 23:31:01 -05:00
Rob Winch e9bb9e766e SEC-1574: Add CSRF Support 2013-08-15 14:49:21 -05:00
Rob Winch 797df51264 SEC-2135: Support HttpServletRequest#changeSessionId() 2013-08-15 13:59:16 -05:00
Rob Winch 75fb971d23 SEC-2221: Fix the ignored media types to use includes instead of equals 2013-08-15 13:59:15 -05:00
Rob Winch 13da42ca1b SEC-2137: Allow disabling session fixation and enable concurrency control 2013-08-15 12:50:40 -05:00
Rob Winch 867f02e8ac SEC-2249: AbstractSecurityWebApplicationInitializer does not delegate WebApplicationInitializer
Previously AbstractSecurityWebApplicationInitializer delegated to a
WebApplicationInitializer, but it caused issues in some instances where
a container would pass the annonymous inner class to
SpringServletContainerInitializer which caused errors on startup.

Now AbstractSecurityWebApplicationInitializer registers the
ContextLoaderListener on its own instead of delegating.
2013-08-15 12:49:44 -05:00
Rob Winch e8278f3b9b SEC-2249: AbstractSecurityWebApplicationInitializer allows register config 2013-08-08 14:33:54 -05:00
Rob Winch 976d9a9016 SEC-2194: Polish java config sample apps 2013-08-08 14:33:54 -05:00
Rob Winch fdb73fac23 Remove @Override from interface define methods 2013-08-05 16:49:33 -05:00
Rob Winch 94a73fee37 SEC-2230: Polish scoping and finals 2013-07-31 11:34:35 -05:00
Rob Winch 606bddf598 SEC-2230: Add Header JavaConfig
Added JavaConfig for Headers. In the process, more HeaderWriter instances
were added so that we can reuse logic between the XML and JavaConfig. This
also prompted repackaging the writers.
2013-07-31 10:39:52 -05:00
Rob Winch c85328c5d1 SEC-2230: HTTP Strict Transport Security (HSTS)Add support for Strict
This is a distinct filter as apposed to reusing StaticHeaderWriter
since the specification specifies that the "Strict-Transport-Security"
header should only be set on secure requests. It would not make sense to
require DelegatingRequestMatcherHeaderWriter since this requirement is
in the specification.
2013-07-31 10:39:52 -05:00
Rob Winch 8013cd54d6 SEC-2230: Added Cache Control support 2013-07-31 10:39:45 -05:00
Rob Winch 7b164bb5e1 SEC-2230: Polish pull request 2013-07-26 14:19:53 -05:00
Rob Winch 8acd205486 SEC-2232: HeaderFactory to HeaderWriter 2013-07-26 09:01:12 -05:00
Rob Winch fd754c5cab SEC-2098, SEC-2099: Fix build
- hf.doFilter is missing FilterChain argument
  - response.headers does not contain the exact values for the headers so
    should not be used for comparison (note it is a private member so this
    is acceptable)
  - hf does not need non-null check when hf.doFilter is invoked
  - some of the configurations are no longer valid (i.e. ALLOW-FROM
    requires strategy)
  - Some error messages needed updated (some could still use improvement)
  - No validation for missing header name or value
  - rebased off master / merged
  - nsa=frame-options-strategy id should use - not =
  - FramewOptionsHeaderFactory did not produce "ALLOW-FROM " prefix of origin
  - remove @Override on interface overrides to work with JDK5
2013-07-25 16:23:25 -05:00
Marten Deinum d0b40cd2ae - Created HeaderFactory abstraction
- Implemented different ALLOW-FROM strategies as specified in the proposal.

Conflicts:
	config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java
	config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy
2013-07-25 16:22:43 -05:00
Marten Deinum 0adf5aea91 SEC-2098, SEC-2099: Created HeadersFilter
Created HeadersFilter for setting security headers added including a
bean definition parser for easy configuration of the headers. Enables
easy configuration for the X-Frame-Options, X-XSS-Protection and
X-Content-Type-Options headers. Also allows for additional headers to
be added.
2013-07-25 16:22:43 -05:00
Rob Winch f5a30e55a3 SEC-2042: AbstractAuthenticationProcessingFilter supports RequestMatcher 2013-07-23 13:06:51 -05:00
Rob Winch 686a7a8d62 SEC-2223: Correct FirewalledRequest#reset() javadoc 2013-07-21 14:30:20 -05:00
Rob Winch 04b7d5ca08 SEC-2156: Only configures COOKIE instead of SSL
Configuring SSL is only allowed for SSL enabled applications and should
be configured on its own (not in conjuction with other modes).
2013-07-20 10:29:54 -05:00
Rob Winch ac053dbda7 SEC-2156: AbstractSecurityWebApplicationInitializer configures SessionTrackingMode
It also allows customization by overriding a method.
2013-07-19 17:09:58 -05:00
Rob Winch 4411ae3ff6 SEC-2221: Add MediaTypeRequestMatcher 2013-07-19 17:09:31 -05:00
Rob Winch eb15b19e50 SEC-2195: Update Groovy version on web module 2013-07-16 22:44:51 -05:00
Rob Winch 59e8551279 Fix package tangles 2013-07-16 17:08:03 -05:00
Rob Winch 5e6ca12b01 SEC-2097: Update integrationTestCompile to use optional and provided
Also update slf4j version and remove explicit commons-logging from pom generation
2013-07-16 15:59:06 -05:00
Rob Winch 02551e1b7a SEC-2214: Update Spring Version 2013-07-16 15:15:47 -05:00
Rob Winch faa8b354b7 SEC-2209: add pom.xml 2013-07-16 15:15:47 -05:00
Rob Winch 1705c5d796 SEC-2207: Update Gradle to 1.6 2013-07-16 15:02:39 -05:00
Rob Winch e5c450a14c Merge in AbstractSecurityWebApplicationInitializerTests.groovy 2013-07-05 09:42:19 -05:00
Keesun Baik cf80cc88b5 SEC-2192: Create DEFAULT_FILTER_NAME 2013-07-05 09:41:53 -05:00
Rob Winch 7412fe0748 SEC-1953: Polish bundlor warnings 2013-06-30 21:45:45 -05:00
Rob Winch d0c4e6ca72 SEC-1953: Spring Security Java Config support
This is the initial migration of Spring Security Java Config from the
external project at
https://github.com/SpringSource/spring-security-javaconfig
2013-06-30 17:28:33 -05:00
Rob Winch 7bc87cf13b SEC-2002: Polishing 2013-06-06 15:05:00 -05:00
Nicholas Williams d89ace26ab SEC-2002: Added events to notify of session ID change
Session fixation protection, whether by clean new session or
migrated session, now publishes an event when a session is
migrated or its ID is changed. This enables application developers
to keep track of the session ID of a particular authentication
from the time the authentication is successful until the time
of logout. Previously this was not possible since session
migration changed the session ID and there was no way to
reliably detect that.

Revised changes per Rob Winch's suggestions.
2013-06-05 14:44:17 -05:00
Rob Winch 3656dff720 SEC-2118: Include missing Bundlor packages 2013-02-25 17:07:09 -06:00
Rob Winch 5f9dfb73be SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked
Previously Spring Security would disable automatically saving the
SecurityContext when the Thread was different than the Thread that
created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for
many cases, but could cause issues when a timeout occurred. The problem
is that a Thread can be reused to process the timeout since the Threads
are pooled. This means that a timeout of a request trigger an apparent
logout as described in the following workflow:

  - The SecurityContext was established on the SecurityContextHolder
  - An Async request was made
  - The SecurityContextHolder would be cleared out
  - The Async request times out
  - The Async request would be dispatched back to the container upon
    timing out. If the container reused the same Thread to process the
    timeout as the original request, Spring Security would attempt to
    save the SecurityContext when the response was committed. Since the
    SecurityContextHolder was still cleared out it removes the
    SecurityContext from the HttpSession

Spring Security will now prevent the SecurityContext from automatically
being saved when the response is committed as soon as
HttpServletRequest#startAsync() or
ServletRequest#startAsync(ServletRequest,ServletResponse) is called.
2013-01-10 13:26:43 -06:00
Balazs Zagyvai 73ea8b5c05 SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter
Both overloads of
AbstractAuthenticationProcessingFilter.successfulAuthentication()
claimed to invoke SessionAuthenticationStrategy, which is not true, as
the invokation happens earlier in doFilter(). The Javadoc on these
methods are updated to reflect the actual code.
2012-12-28 22:59:38 +01:00
Rob Winch 9c4563285e SEC-1998: Async tests with SecurityContextHolderAwareReqeustFilter 2012-12-11 17:26:31 -06:00
Rob Winch c8d45397fe SEC-2079: Add Servlet 3 Authentication methods
Add support for HttpServletRequest's login(String,String), logout(),
and authenticate(HttpServletResponse).
2012-12-11 17:26:31 -06:00
Rob Winch d04cf5ea68 Remove unused FilterInvocation.DummyResponse 2012-12-11 14:21:03 -06:00
Rob Winch 1a650acbcc SEC-1998: DummyRequest extend HttpServletRequestWrapper
Previously DummyRequest implemented HttpServletRequest which caused complications
since Servlet 2.5 and Servlet 3 had non passive changes. While we were "safe" if the
Servlet 3 methods were never invoked reflective access of the methods would also
problems. We could prevent users from accessing the methods of DummyRequest by
returning new HttpServletRequestWrapper(DummyRequest), but a debugger could
potentially try to iterate over the methods triggering a NoClassDefFoundError.

DummyRequest now extends HttpServletRequestWrapper which will be dynamically
linked to the proper version of HttpServletRequest. We use a Dynamic Proxy that
throws UnsupportedOperationException to implement any methods we are not
interested in.
2012-12-11 14:21:03 -06:00
Rob Winch 3437ef714a SEC-1998: SecurityContextCallableProcessingInterceptor uses postProcess
Previously SecurityContextCallableProcessingInterceptor used afterCompletion
to clear the SecurityContextHolder. This does not work since afterCompletion
is invoked on the Servlet Container thread.

Now SecurityContextCallableProcessingInterceptor clears the
SecurityContextHolder on postProcess which is invoked on the same thread
that the Callable is processed on.
2012-12-11 14:21:03 -06:00
Rob Winch 796de42105 Revert "SEC-2078: AbstractPreAuthenticatedProcessingFilter requriesAuthentication support for non-String Principals"
This reverts commit 3fe7791266.
2012-12-11 14:21:02 -06:00
Rob Winch 70849aa8d2 Revert "SEC-2078: Updated Javadoc to reflect that updates to Principal will also trigger reauthentication"
This reverts commit ece4a0f067.
2012-12-11 14:21:02 -06:00
Rob Winch ece4a0f067 SEC-2078: Updated Javadoc to reflect that updates to Principal will also trigger reauthentication 2012-12-06 09:04:14 -06:00
Rob Winch 3fe7791266 SEC-2078: AbstractPreAuthenticatedProcessingFilter requriesAuthentication support for non-String Principals
Previously, if the Principal returned by getPreAuthenticatedPrincipal was not a String,
it prevented requiresAuthentication from detecting when the Principal was the same.
This caused the need to authenticate the user for every request even when the Principal
did not change.

Now requiresAuthentication will check to see if the result of
getPreAuthenticatedPrincipal is equal to the current Authentication.getPrincipal().
2012-12-04 10:54:29 -06:00
Rob Winch 6e47834d77 SEC-2084: AntPathRequestMatcher and RegexpRequestMatcher support request.getMethod()
Previously a NullPointerException would occur if an HttpServletRequest.getMethod()
returned null.

Now AntPathRequestMatcher and RegexpRequestMatcher will handle if the
HttpServletRequest.getMethod() returns null. While under normal circumstances,
it is unlikely for the method to be null this can occur when using
DefaultWebInvocationPrivilegeEvaluator.isAllowed(String, Authentication).
2012-12-03 15:07:18 -06:00
Rob Winch d40ecba9e0 SEC-1998: SaveContextOnUpdateOrErrorResponseWrapper only saves SecurityContext on original Thread
Previously SaveContextOnUpdateOrErrorResponseWrapper would save the SecurityContext on a different
Threads than the one it was created on. This causes issues with Async Web requests which may write
to the response on a new Thread.

Now SaveContextOnUpdateOrErrorResponseWrapper will not save the SecurityContext when a different
Thread invokes any of the methods that commit the response. This prevents issues with Async
processing. However, explicit calls to SecurityContextRepository.save will still save the
SecurityContext since it invokes the saveRequest method rather than private doSave method within
the SaveContextOnUpdateOrErrorResponseWrapper which contains the logic to prevent saving from
another Thread.
2012-11-30 14:27:02 -06:00
Rob Winch 593e512558 SEC-1998: SecurityContext integration with AsyncContext.start 2012-11-28 17:57:41 -06:00
Rob Winch 1ed643ca1f SEC-1998: Provide integration with WebAsyncManager#startCallableProcessing
Support integration of the Spring SecurityContext on Callable's used with
WebAsyncManager by registering SecurityContextCallableProcessingInterceptor.
2012-11-28 17:56:03 -06:00
Rob Winch 30780baf24 Externalize powermock dependencies for reuse 2012-11-08 22:49:20 -06:00
Rob Winch ea6b444770 update to spring snapshot dependencies 2012-11-08 22:49:20 -06:00
Rob Winch 72aecaff05 SEC-1939: Update SwitchUserFilter logger to use debug
Previously the SwitchUserFilter was logging as an error and then
throwing an Exception immediately after. This is not correct, since
whomever is catching the Exception should choose to log an error or not.

Now the log statement is at a debug level.
2012-10-07 11:38:21 -05:00
Rob Winch d3339a1e32 SEC-2025: SecurityContextLogoutHandler removes Authentication from SecurityContext
Previously there was a race condition could occur when the user attempts to access
a slow resource and then logs out which would result in the user not being logged
out.

SecurityContextLogoutHandler will now remove the Authentication from the
SecurityContext to protect against this scenario.
2012-10-05 18:30:01 -05:00
Rob Winch f38df99730 SEC-2045: AbstractAuthorizeTag supports custom WebInvocationPrivilegeEvaluator 2012-10-04 11:34:36 -05:00
Rob Winch 9883c0e60b SEC-2060: Add constructor with caused by to PreAuthenticatedCredentialsNotFoundException 2012-10-02 14:26:27 -05:00
Rob Winch 906da97594 SEC-2038: AbstractPreAuthenticationFilter afterPropertiesSet invokes super 2012-09-21 15:23:03 -05:00
Rob Winch 8a54d597af Revert "SEC-2045: AbstractPreAuthenticationFilter afterPropertiesSet invokes super"
This commit contains the wrong JIRA ID.

This reverts commit c53fd99430.
2012-09-21 15:22:02 -05:00
Rob Winch 0a2fa03160 SEC-2036: Set cookie path to / when default context path in CookieClearingLogoutHandler 2012-09-21 14:12:48 -05:00
Rob Winch c53fd99430 SEC-2045: AbstractPreAuthenticationFilter afterPropertiesSet invokes super 2012-09-21 14:12:48 -05:00
Rob Winch 0e97e67083 SEC-2041: SaveContextServletOutputStream/SaveContextPrintWriter delegate all methods 2012-09-21 14:12:48 -05:00
Rob Winch dbc88f3226 SEC-2055: SaveContextServletOutputStream flush/close delegates to original ServletOutputStream instead of using super 2012-09-21 14:12:48 -05:00
mpigg a45ec0df2b SEC-1961: SubjectDnX509PrincipalExtractorTests for CN as last segment
See https://github.com/SpringSource/spring-security/pull/8
2012-08-17 14:57:48 -05:00
Rob Winch c2def26c3e SEC-1961: SubjectDnX509PrincipalExtractor supports CN as last segement 2012-08-17 14:45:38 -05:00
Rob Winch 1ab068a06d SEC-2005: Ensure SecurityContext saved prior to the response being committed
Previously Spring Security did not save the Security Context immediately prior
to the following methods being invoked:

   - HttpServletResonse.flushBuffer()
   - HttpServletResonse.getWriter().close()
   - HttpServletResonse.getWriter().flush()
   - HttpServletRespose.getOutputStream().close()
   - HttpServletRespose.getOutputStream().flush()

This meant that the client could get a response prior to the SecurityContext
being stored. After the client got the response, it would make another request
and this would not yet be authenticated. The reason this can occur is because
all of the above methods commit the response, which means that the server can
signal to the client the response is completed. A similar issue happened in
SEC-398.

Now the previously listed methods are wrapped in order to ensure the SecurityContext
is persisted prior to the response being committed.
2012-08-07 16:02:22 -05:00
Rob Winch ffe2834f4c SEC-2027: Invoke SecurityContextHolder.clearContext() only on outer invocation of FilterChainProxy
When SEC-1950 was introduced it caused problems when a <filter-mapping> was mapped
to multiple dispatchers (i.e. REQUEST and FORWARD) since when the second dispatcher
completed execution it cleared the SecurityContext and the original FilterChain
would then save the cleared out SecurityContext.

We now use a pattern similar to the OncePerRequestFilter to only invoke
SecurityContextHolder.clearContext() on the first invocation of the Filter. We do not simply extend
OncePerRequestFilter because we want to invoke the delegate filters for every request.
2012-08-07 15:56:34 -05:00
Rob Winch a5ec116e80 SEC-1919: Log error when fail to communicate with LDAP
Previously communication errors with LDAP were only logged at debug level.

Communication errors (along with other non-authenticated related NamingExceptions)
are now logged as error messages. We created an InternalAuthetnicationServiceException
to represent errors that should be logged as errors to distinguish between internal
and external authentication failures. For example, we do not want an OpenID Provider
being able to report errors that cause our logs to fill up. However, an LDAP system is
internal and should be trusted so logging at an error level makes sense.
2012-07-31 16:55:48 -05:00
Rob Winch 9a9aafaeec SEC-1967: Restore original SecurityContext in finally when RunAsManager is used
Previously subclasses of AbstractSecurityInterceptor did not restore the original
Authentication when RunAsManager was used and an Exception was thrown in the
original method.

AbstractSecurityInterceptor has added a new method finallyInvocation which
should be invoked in a finally block immediately after the original invocation
which will restore the original Authentication. All existing sub classes have
been updated to use this new method.
2012-07-24 18:08:27 -05:00
Rob Winch 24c3bdfd90 SEC-2013: Add space to log of AbstractAuthenticationProcessingFilter 2012-07-19 16:13:12 -05:00
Rob Winch 1710f32a08 SEC-2011: Moved SessionRegistry documentation of SessionRegistry#onAuthentication
Previously the documentation was referring to what ConcurrentSessionControlStrategy
performed.

Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication
method.
2012-07-19 11:15:06 -05:00
Rob Winch b868daaa8c SEC-2011: Remove reference to SessionRegistry from SessionFixationProtectionStrategy javadoc
Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).

Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
2012-07-19 10:20:40 -05:00
Rob Winch aa4ec9a508 Cleaned up warnings in JdbcTokenRepositoryImpl and JdbcTokenRepositoryImplTests 2012-07-18 16:35:57 -05:00
Rob Winch 340534dadb SEC-1964: Handle missing series in JdbcTokenRepositoryImpl
Previously JdbcTokenRepositoryImpl would log an error with a misleading
message when the token series was missing.

Now JdbcTokenRepositoryImpl logs missing token series at info level with
a more informative message.
2012-07-18 16:35:57 -05:00
Rob Winch f2345fcb21 SEC-1981: Remove dependency on Locale for the build 2012-07-05 13:30:41 -05:00
Rob Winch a2452ab514 SEC-1906: Update to Gradle 1.0 2012-07-05 12:41:56 -05:00
Rob Winch 2fba10ab61 Use powermock for testing servlet 3.0 functionality instead of distinct classpaths 2012-07-01 12:37:01 -05:00
Rob Winch f6902471fb SEC-1965: DefaultWebSecurityExpressionHandler is now passive from 3.0.x releases
There were two issues that needed resolved

 - Since DefaultWebSecurityExpressionHandler no longer implemented WebSecurityExpressionHandler a bean lookup by
   type would not work. This caused failures in the JSF support.

 - The method createEvaluationContext needed to be explicitly defined on WebSecurityExpressionHandler since the
   parameterized type from the super interface is not preserved at compile time. Without explicitly defining the
   method any class compiled against a previous version would cause a NoSuchMethodException.
2012-06-28 10:54:01 -05:00
Rob Winch b6ec700640 SEC-1968: AbstractPreAuthenticatedProcessingFilter clears SecurityContext on null principal change with invalidateSessionOnPrincipalChange = true 2012-06-27 15:49:18 -05:00
Rob Winch de3dfb5b3f SEC-1875: ConcurrentSessionControlStrategy no longer adds/removes the session to the SessionRegistry twice
This fixes two issues introduced by SEC-1229

 * SessionRegistry.registerNewSession is invoked twice

 * SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should be handle removing the session twice. However, as removing
twice requires an unnecessary database hit we should only remove
sessions once.
2012-06-26 16:36:41 -05:00
Rob Winch 520b65e2e3 SEC-1865: Remove invalid OWASP link in TextEscapeUtils 2012-06-11 14:49:28 -05:00
Rob Winch c446697de3 Cleaned up warnings in FilterChainProxyTests 2012-04-11 17:23:07 -05:00
Rob Winch bb8f3bae7c SEC-1950: Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy 2012-04-11 17:22:19 -05:00
Rob Winch a4322d70ba Merge pull request #5 from tburch/setUseSecureCookie-typo
fix typo in AbstractRememberMeServices.setUseSecureCookie method documentation
2012-03-13 17:02:43 -07:00
Rob Winch 84141c4c76 SEC-1927: Corrected debug log in SessionManagementFilter to have a space between ID and the session and added guard to log statement 2012-03-11 18:35:38 -05:00
Tristan Burch e7f47964ee fix typo in setUseSecureCookie method documentation 2012-03-09 17:01:17 -07:00
Luke Taylor 5d71d2a4fa SEC-1887: Add MethodSecurityOperations interface.
This should cater for implementations which want to use
the full filtering capabilities while creating a custom
expression root object.

Also cleaning whitespace.
2012-02-01 15:49:56 +00:00
Luke Taylor 538e75ce1b SEC-1903: Use a static CRLF Pattern in FirewalledResponse
The Pattern was being recompiled for every request
when a single instance could be shared for performance
reasons.
2012-02-01 13:21:16 +00:00
Andrei Stefan 0f9ee81df1 SEC-1887: Improve extensibility of expression-based security classes
Introduces a new SecurityExpressionOperations interface which is
implemented by SecurityExpressionRoot
2012-01-31 19:06:43 +00:00
Rob Winch 22225effcc Call SecurityContextHolder.clearContext() in tear down of HttpSessionSecurityContextRepositoryTests 2011-12-30 16:05:35 -06:00
Rob Winch 5d94cd5e13 SEC-1735: Do not remove SecurityContext from HttpSession when anonymous Authentication is saved if original SecurityContext was anonymous 2011-12-30 16:04:02 -06:00
Rob Winch 6fe6e18939 SEC-1870: Updated HttpSessionDestroyedEvent to properly look for SecurityContexts as session attribute values instead of session attribute names 2011-12-29 15:44:49 -06:00
Rob Winch 8ca2927761 Renamed **/Test.java to **/Tests.java to better follow conventions 2011-12-28 17:39:29 -06:00
Luke Taylor 0bccbbfc18 SEC-1779: Make new getters protected rather than public. 2011-11-01 00:20:34 +00:00
Luke Taylor f456db267f SEC-1779: Added getters for success and failure handlers to AbstractAuthenticationProcessingFilter. 2011-11-01 00:06:23 +00:00
Luke Taylor 09ac4bd8f9 SEC-1833: Remove unused securityContextClass from HttpSessionSecurityContextRepository. 2011-10-31 23:44:43 +00:00
Luke Taylor 44e2543015 Minor changes to make filter chain validation more robust with custom request matchers. 2011-10-24 21:21:10 +01:00
Luke Taylor f1e63f3008 SEC-1802: Add digits to valid URL scheme regex. 2011-10-21 17:25:50 +01:00
Luke Taylor 869c6a7c18 SEC-1800: Set input size to 30 for OpenID login. 2011-09-25 21:13:37 +01:00
Luke Taylor 824464516c SEC-1790: Reject redirect locations containing CR or LF. 2011-08-12 19:44:26 +01:00
Luke Taylor 6333909107 SEC-1797: Create a new session in AbstractPreAuthenticatedProcessingFilter when the existing session is invalidated on detecting a principal change. 2011-08-12 19:07:17 +01:00
Luke Taylor 0c2a950fa0 SEC-1788: Avoid unnecessary call to getPreAuthenticatedPrincipal() in AbstractPreAuthenticatedProcessingFilter when not checking for principal changes is not enabled. 2011-08-10 17:07:09 +01:00
Luke Taylor 8740efc0f5 Added constructor injection options to ConcurrentSessionFilter 2011-07-18 15:09:31 +01:00
Luke Taylor a1c714cff4 SEC-1754: Added an InvalidSessionStrategy to allow SessionManagementFilter to delegate out the behaviour when an invalid session identifier is submitted. 2011-07-14 16:43:02 +01:00
Luke Taylor 8440743108 Remove Sql query objects from JdbcTokenRepositoryImpl in favour of direct JdbcTemplate use. 2011-07-13 23:28:41 +01:00
Luke Taylor 700fa9e0b6 SEC-1772: remote URL decoding of targetUrlParameter in AbstractAuthenticationTargetUrlRequestHandler. 2011-07-13 22:13:52 +01:00
Luke Taylor de97bac85b SEC-1763: Prevent nested switches in SwitchUserFilter by calling attemptExitUser() before doing the switch. 2011-07-13 21:59:11 +01:00
Luke Taylor a504cfae1a SEC-1770: Call refreshLastRequest on the session registry rather than the SessionInformation object to make sure it works with alternative SessionRegistry implementations. 2011-07-13 20:56:47 +01:00
Rob Winch 330f82f562 SEC-1777: Corrected log in HttpSessionSecurityContextRepository to reference itself instead of HttpSessionContextIntegrationFilter 2011-07-09 19:24:12 -05:00
Rob Winch 825f0061fb SEC-1761: Support HttpOnly Flag for Cookies when using Servlet 3.0 2011-07-09 19:23:51 -05:00
Luke Taylor 56e86dd36f Adding assertions on constructor arg values. 2011-07-06 20:50:25 +01:00
Luke Taylor f92589f051 Extract a SecurityFilterChain interface and create a default implementation to facilitate other configuration options. 2011-07-06 00:12:48 +01:00
Luke Taylor 2d271666a4 Add constructors to facilitate constructor-based injection for required/shared bean properties. 2011-07-05 20:25:49 +01:00
Luke Taylor 73442125de SEC-1775: Removed internal use of UserAttribute class in AnonymousAuthenticationFilter. 2011-07-04 21:09:48 +01:00
Luke Taylor b15475ab3d SEC-1771: Change TokenBasedRememberMeServices to obtain password from UserDetailsService if necessary. 2011-07-02 20:36:42 +01:00
Luke Taylor 737a9d1825 Improved toString methods on request wrappers. 2011-07-02 20:36:41 +01:00
Luke Taylor 571bfc4869 Refactoring to use Utf8 encoder instead of String.getBytes("UTF-8"). 2011-06-14 18:47:50 +01:00
Luke Taylor 685f12c5a0 SEC-1733: Support explicit zero netmask correctly. 2011-06-07 12:15:07 +01:00
Luke Taylor f5f410ae3b Clean unused imports. 2011-05-25 20:39:16 +01:00
Luke Taylor ec97b70df9 SEC-1668: Allow customization of username parameter in SwitchUserFilter. 2011-05-25 20:03:02 +01:00
Luke Taylor 6d04670f87 SEC-1695: Allow customization of the session key under which the SecurityContext is stored. 2011-05-25 19:51:47 +01:00
Luke Taylor 84902ebb50 Javadoc correction. 2011-05-24 12:01:04 +01:00
Luke Taylor 63f160dc72 SEC-1749: Add support for PageContext lookup of objects and use of PermissionEvaluator when using web access expressions. 2011-05-19 15:27:35 +01:00
Luke Taylor 6e91786f92 SEC-1734: AbstractRememberMeServices will now default to using a secure cookie if the connection is secure. The behaviour can be overridden by setting the useSecureCookie property in which case the cookie will either always be secure (true) or never (false). 2011-05-09 13:36:23 +01:00
Luke Taylor 04dc65c8fe SEC-1657: Corresponding namespace updates to use SecurityFilterChain list in place of filterChainMap. 2011-04-25 13:48:47 +01:00
Luke Taylor 37d0454fd7 SEC-1657: Create SecurityFilterChain class for use in configuring FilterChinProxy. Encapsulates a RequestMatcher and List<Filter>. 2011-04-23 22:15:35 +01:00
Luke Taylor 614d8c0321 SEC-1723: Use standard SpEL syntax for accessing beans in the app context by name. 2011-04-22 13:47:59 +01:00
Luke Taylor dd108041a0 SEC-1722: Correct javadoc 2011-04-22 11:49:48 +01:00
Luke Taylor 8178371927 SEC-1700: Add fixed serializationVersionUID values to security context, authentication tokens and related classes 2011-04-21 19:55:32 +01:00
Rob Winch a76a947b12 SEC-965: Added support for CAS proxy ticket authentication on any URL 2011-04-17 18:00:35 -05:00
Luke Taylor acf4b91a89 SEC-1674: Test to check that absolute URLs work in SimpleUrlLogoutSuccessHandler. 2011-04-14 15:06:05 +01:00
Luke Taylor ef72dd1986 SEC-1714: RegexRequestMatcher should prepend question mark to query string. 2011-04-11 14:02:54 +01:00
Luke Taylor 49dd928faa SEC-1712: Javadoc typo fix. 2011-04-08 17:24:12 +01:00
Luke Taylor 01c9c4e4db SEC-1697: Don't publish authorization success events in AbstractSecurityInterceptor by default. 2011-04-06 13:58:58 +01:00
Luke Taylor 78d5495945 SEC-1702: Add Burt's patch implementing hashcode method in AntPathRequestMatcher 2011-03-25 20:44:18 +00:00
Luke Taylor e470eaa41d SEC-1689: Moved core codec code into crypto package and removed existing duplication (Hex encoding etc). Refactoring of crypto code to use CharSequence for where possible instead of String. 2011-03-17 01:43:31 +00:00