Commit Graph

4750 Commits

Author SHA1 Message Date
Rob Winch 70b3a330ef #137 WebSecurityConfigurerAdapter no longer uses getClass() for logger
Previously it was difficult to change log levels due to CGLIB proxying of
the class which impacted the logger name.
2013-07-01 10:07:38 -05:00
Rob Winch 17bef05c3c #138 WebInvocationPrivilegeEvaluator has default value 2013-07-01 08:46:57 -05:00
Rob Winch d8ed429370 #138 Tests for WebSecurityExpressionHandler bean existing 2013-07-01 08:37:12 -05:00
Rob Winch 4d282cbe0d SEC-1953: Polish 2013-06-30 21:51:25 -05:00
Rob Winch 7412fe0748 SEC-1953: Polish bundlor warnings 2013-06-30 21:45:45 -05:00
Rob Winch d0c4e6ca72 SEC-1953: Spring Security Java Config support
This is the initial migration of Spring Security Java Config from the
external project at
https://github.com/SpringSource/spring-security-javaconfig
2013-06-30 17:28:33 -05:00
Luke Taylor fba4fec84b SEC-2175: Correct XSD docs on auto-config. 2013-06-09 14:51:58 +01:00
Rob Winch 7bc87cf13b SEC-2002: Polishing 2013-06-06 15:05:00 -05:00
Nicholas Williams d89ace26ab SEC-2002: Added events to notify of session ID change
Session fixation protection, whether by clean new session or
migrated session, now publishes an event when a session is
migrated or its ID is changed. This enables application developers
to keep track of the session ID of a particular authentication
from the time the authentication is successful until the time
of logout. Previously this was not possible since session
migration changed the session ID and there was no way to
reliably detect that.

Revised changes per Rob Winch's suggestions.
2013-06-05 14:44:17 -05:00
Luke Taylor 743960d2d8 SEC-2122: Fix broken integration tests.
Modified BCryptPasswordEncoder to no longer throw an
IllegalArgumentException when the encoded password is empty or
the incorrect format for bcrypt. Instead it now logs a warning
that non bcrypt data was found.

The Dms integration tests were failing after being changed to
use bcrypt and this fixes the issue.
2013-05-21 23:13:08 +01:00
Luke Taylor d8727638ab SEC-1785: Remove auto-config from manual.
Changed the namespace doc to use an explicit form-login
and logout element and avoid mention of auto-config or its
effects. This makes the intro shorter and simpler.
2013-05-18 21:25:11 +01:00
Luke Taylor ebba8ac514 SEC-2122: Update namespace to support bcrypt.
password-encoder now supports hash='bcrypt'.
2013-05-17 19:17:18 +01:00
Luke Taylor 896339087f SEC-2122: Update samples to use bcrypt.
Data sources modified to store bcrypt hashes and configs now
use BCryptPassworEncoder.
2013-05-17 18:44:30 +01:00
Luke Taylor d6524feb62 SEC-2122: Change doc to prioritize bcrypt use 2013-05-17 18:42:47 +01:00
Rob Winch 34893cd53a Remove ApacheDSContainerTests successfulStartupAndShutdown since it was commented out 2013-04-25 11:21:23 -05:00
Rob Winch 407b08956b SEC-2161: <ldap-server> creates unique dir for embedded LDAP 2013-04-25 11:21:21 -05:00
Rob Winch dd554e1842 SEC-2162: ApacheDSContainer throws RuntimeException on failure to start 2013-04-25 11:21:19 -05:00
Rob Winch c0921b9ede SEC-2133: Update doc from ChannelAuthenticationFilter to ChannelProcessingFilter 2013-04-25 08:56:47 -05:00
Rob Winch e469c93f9d SEC-2147: Deprecate .encoding.PasswordEncoding 2013-04-25 08:56:47 -05:00
Rob Winch f594ed76db SEC-2087: GlobalMethodSecurityBeanDefinitionParser uses AuthenticationManager to create AuthenticationManagerDelegator 2013-04-25 08:56:46 -05:00
Luke Taylor 6ebb9abfb7 Fix HttpSessionEventPublisher package name in FAQ. 2013-04-06 14:53:53 +01:00
Rob Winch 66357a2077 SEC-2143: Update XSD version mismatch error message 2013-03-06 10:57:41 -06:00
Oliver Becker 5eb5c91d86 SEC-2119: Rename rememberme-parameter to remember-me-parameter
This change extends pull request https://github.com/SpringSource/spring-security/pull/26
and its subsequent changes by renaming the attribute name 'rememberme-parameter' to
'remember-me-parameter'.

The spelling including the additional hyphen in 'remember-me-parameter' is more consistent
with the default spelling of the 'remember-me' functionality.
2013-03-05 14:47:25 -06:00
Rob Winch b014020955 SEC-2119: Polish remember-me@rememberme-parameter
- Change form-parameter to rememerme-parameter
  - Use rnc file for generating the xsd
  - Add test for deafult value of rememberme parameter
2013-03-01 17:03:09 -06:00
Oliver Becker 9eb34fe51c SEC-2119: Add a 'form-parameter' attribute to <remember-me>
This change extends the namespace configuration of <remember-me>
with a 'form-parameter' attribute. The introduced attribute sets
the 'parameter' property of  AbstractRememberMeServices.

This enables overriding the default value of
'_spring_security_remember_me' using the namespace configuration.
2013-03-01 17:03:02 -06:00
Rob Winch e8661913d1 SEC-2119: Update to 3.2 schema and use default schema version when available 2013-03-01 16:29:27 -06:00
Mike Noordermeer f8ed3791f9 SEC-2142: Schema documentation states anonymous and remember-me ke defaults to SecureRandom 2013-03-01 12:23:36 -06:00
Rob Winch 2a86c72436 Update XsdDocumentedTests to make easier to understand problems 2013-02-28 17:08:51 -06:00
Raghuram Devarakonda 047448464b SEC-2140: Correct javadoc order of security checkes for AclAuthorizationStrategyImpl 2013-02-28 11:56:55 -06:00
Rob Winch 914ec45e43 SEC-2136: Lazy load MethodSecurityExpressionHandler & MethodSecurityExpressionHandler.expressionParser
Previously wiring dependencies created with a FactoryBean into
MethodSecurityExpressionHandler &
MethodSecurityExpressionHandler.expressionParser and  would cause
NoSuchBeanDefinitionException's to occur. These changes make it easier
(but not impossible) to avoid such errors.

The following changes were made:

    - ExpressionBasedAnnotationAttributeFactory delays the invocation of
      MethodSecurityExpressionHandler.getExpressionParser()
    - MethodSecurityExpressionHandler is automatically wrapped in a
      LazyInitTargetSource and marked as lazyInit=true
2013-02-28 10:26:12 -06:00
@fbiville 83f1d76c16 SEC-2138: Fix code snippet in Hierarchical Roles section
The bean definition of RoleHierarchyVoter was syntactically incorrect.
2013-02-26 09:48:59 -06:00
Rob Winch 0722c8c4eb Update CONTRIBUTING.md
Updated link to github pull requests
2013-02-25 18:15:23 -06:00
Rob Winch 960564ef50 Add CONTRIBUTING.md 2013-02-25 17:13:12 -06:00
Rob Winch 3656dff720 SEC-2118: Include missing Bundlor packages 2013-02-25 17:07:09 -06:00
Jean-Pierre Bergamin c02a1486c0 SEC-2118: Fixing spring and aspectj OSGi version ranges [3.2, 3.2) -> [3.2, 3.3) 2013-02-25 17:05:29 -06:00
Rob Winch 5f9dfb73be SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked
Previously Spring Security would disable automatically saving the
SecurityContext when the Thread was different than the Thread that
created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for
many cases, but could cause issues when a timeout occurred. The problem
is that a Thread can be reused to process the timeout since the Threads
are pooled. This means that a timeout of a request trigger an apparent
logout as described in the following workflow:

  - The SecurityContext was established on the SecurityContextHolder
  - An Async request was made
  - The SecurityContextHolder would be cleared out
  - The Async request times out
  - The Async request would be dispatched back to the container upon
    timing out. If the container reused the same Thread to process the
    timeout as the original request, Spring Security would attempt to
    save the SecurityContext when the response was committed. Since the
    SecurityContextHolder was still cleared out it removes the
    SecurityContext from the HttpSession

Spring Security will now prevent the SecurityContext from automatically
being saved when the response is committed as soon as
HttpServletRequest#startAsync() or
ServletRequest#startAsync(ServletRequest,ServletResponse) is called.
2013-01-10 13:26:43 -06:00
Georges-Etienne Legendre 66d13642b7 SEC-2115: Improve French translation for "credentials"
"Créances" is not the right translation. "Identifications" is a lot better in this case.
2013-01-04 14:31:57 -06:00
Rob Winch 6b81f97081 SEC-2114: Polishing Spring Based Cache 2013-01-04 11:33:46 -06:00
Marten Deinum 01ea39ce35 SEC-2114: Provide Spring Cache Abstraction based cache implementations
As of Spring 3.1 spring has its own cache abstraction. This commit adds cache
imlpementations based on that abstraction.
2013-01-04 11:33:27 -06:00
Rob Winch 89c63fd752 Add spring-security-3.2.rnc 2013-01-03 18:32:33 -06:00
Rob Winch 036e0505b3 Make rnc transform part of Gradle build 2013-01-03 18:32:32 -06:00
Rob Winch d06eae9967 Merge pull request #22 from zagyi/SEC-2107
SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter
2012-12-28 14:50:36 -08:00
Balazs Zagyvai 73ea8b5c05 SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter
Both overloads of
AbstractAuthenticationProcessingFilter.successfulAuthentication()
claimed to invoke SessionAuthenticationStrategy, which is not true, as
the invokation happens earlier in doFilter(). The Javadoc on these
methods are updated to reflect the actual code.
2012-12-28 22:59:38 +01:00
Rob Winch 7edb1089a8 SEC-2096: Added release-checks 2012-12-18 15:15:46 -06:00
Rob Winch ebb82e1aa9 SEC-2096: Update to Spring 3.2.0.RELEASE 2012-12-18 15:15:46 -06:00
Rob Winch 2e8a61660d Disable artifactoryPublish for projects without artifacts 2012-12-12 18:04:24 -06:00
Rob Winch 22e333b9c6 SEC-2092: Add servlet api example 2012-12-11 17:44:57 -06:00
Rob Winch 9c4563285e SEC-1998: Async tests with SecurityContextHolderAwareReqeustFilter 2012-12-11 17:26:31 -06:00
Rob Winch c8d45397fe SEC-2079: Add Servlet 3 Authentication methods
Add support for HttpServletRequest's login(String,String), logout(),
and authenticate(HttpServletResponse).
2012-12-11 17:26:31 -06:00
Rob Winch d04cf5ea68 Remove unused FilterInvocation.DummyResponse 2012-12-11 14:21:03 -06:00