Commit Graph

4750 Commits

Author SHA1 Message Date
Rob Winch 5174a8020d SEC-1995: Maven Central validation changes
Ensure projects have the following so that Maven Central publishing works

  - Project name
  - Project description
  - Project URL
  - SCM information
  - Javadoc jar
2012-08-09 23:11:58 -05:00
Rob Winch 8ad0e0e8e8 SEC-1995: Use Gradle Artifactory integration for releases 2012-08-09 14:20:57 -05:00
Rob Winch 25248c7536 SEC-1975: Ignore anonymous users for AuthenticationSimpleHttpInvokerRequestExecutor
Previously anonymous authentication was submitted as credentials over the wire which
caused the applications to attempt to authenticate the anonymous user.

Now if the user is anonymous (determined by the AuthenticationTrustResolver), the
AuthenticationSimpleHttpInvokerRequestExecutor does not populate any credentials.
2012-08-09 09:56:07 -05:00
Rob Winch 1ab068a06d SEC-2005: Ensure SecurityContext saved prior to the response being committed
Previously Spring Security did not save the Security Context immediately prior
to the following methods being invoked:

   - HttpServletResponse.flushBuffer()
   - HttpServletResponse.getWriter().close()
   - HttpServletResponse.getWriter().flush()
   - HttpServletResponse.getOutputStream().close()
   - HttpServletResponse.getOutputStream().flush()

This meant that the client could get a response prior to the SecurityContext
being stored. After the client got the response, it would make another request
and this would not yet be authenticated. The reason this can occur is because
all of the above methods commit the response, which means that the server can
signal to the client the response is completed. A similar issue happened in
SEC-398.

Now the previously listed methods are wrapped in order to ensure the SecurityContext
is persisted prior to the response being committed.
2012-08-07 16:02:22 -05:00
Rob Winch ffe2834f4c SEC-2027: Invoke SecurityContextHolder.clearContext() only on outer invocation of FilterChainProxy
When SEC-1950 was introduced it caused problems when a <filter-mapping> was mapped
to multiple dispatchers (i.e. REQUEST and FORWARD) since when the second dispatcher
completed execution it cleared the SecurityContext and the original FilterChain
would then save the cleared out SecurityContext.

We now use a pattern similar to the OncePerRequestFilter to only invoke
SecurityContextHolder.clearContext() on the first invocation of the Filter. We do not simply extend
OncePerRequestFilter because we want to invoke the delegate filters for every request.
2012-08-07 15:56:34 -05:00
Rob Winch f441c352f6 Clean up warnings in AccessControlListTagTests 2012-08-02 09:49:19 -05:00
Rob Winch 4b86d49a9a SEC-2023: AccessControlListTag again supports bitmasks
Spring Security 3.1 has a regression in the AccessControlListTag
which should support using the bitmask in hasPermission.

Now hasPermission supports bit masks again.
2012-08-02 09:48:01 -05:00
Rob Winch b481a6c1ad SEC-2022: AccessControlListTag again supports , separated list of permissions
Spring Security 3.0.x allowed developers to pass in a , separated list of permissions.
However, this functionality was accidentally removed in SEC-1560.

The AccessControlListTag now splits the permissions using , as a delimiter
which fixes this passivity issue.
2012-08-02 09:47:48 -05:00
Rob Winch e6593151fc SEC-2017: Convert IncorrectResultsSizeException.size() == 0 to BadCredentialsException in ActiveDirectoryAuthenticationProvider 2012-08-01 16:19:57 -05:00
Rob Winch a5ec116e80 SEC-1919: Log error when fail to communicate with LDAP
Previously communication errors with LDAP were only logged at debug level.

Communication errors (along with other non-authenticated related NamingExceptions)
are now logged as error messages. We created an InternalAuthenticationServiceException
to represent errors that should be logged as errors to distinguish between internal
and external authentication failures. For example, we do not want an OpenID Provider
being able to report errors that cause our logs to fill up. However, an LDAP system is
internal and should be trusted so logging at an error level makes sense.
2012-07-31 16:55:48 -05:00
Rob Winch a19cc8f1c7 SEC-2020: Set eraseCredentialsAfterAuthentication when using http@authentication-manager-ref
Previously the namespace configuration did not properly set the eraseCredentialsAfterAuthentication
property on the parent AuthenticationProvider when using http@authentication-manager-ref.

Now the ProviderManager that is created by the namespace consults the original
AuthenticationManager to determine if eraseCredentialsAfterAuthentication should
be set on the wrapped instance. If the original is not a ProviderManager the
eraseCredentialsAfterAuthentication is set to false since we should not "magically"
add behavior to the custom AuthenticationManager without knowing the desired behavior.
2012-07-31 14:04:11 -05:00
Rob Winch d2a5ad6fd1 SEC-2016: Update config integration tests to use specific ldif to work in Eclipse
Due to Eclipse restrictions the classpath adding a project as a dependency picks up
the test dependencies of other projects. This caused problems when running the
config integration tests within Eclipse.

Now the tests specify a specific ldif to load. There is also one new test that ensures
that the ldif is defaulted properly, but does not rely on the ldif that is loaded.
2012-07-31 14:03:38 -05:00
Rob Winch 37aed0660d SEC-1938: Add ActiveDirectoryAuthenticationException as caused by for ActiveDirectoryAuthenticationProvider
Previously there was no way to extract the original exception or to easily
obtain details about the failure if Spring Security was not able to translate
the exception into a Spring Security AuthenticationException.

Now the caused by is an ActiveDirectoryAuthenticationException which contains
the original Active Directory error code.
2012-07-31 09:34:06 -05:00
Rob Winch 734188206d SEC-1940: ProviderManager publishes any AccountStatusException
Previously there was a bug introduced by SEC-546 that prevented any
AccountStatusException from being published.

Now AccountStatusExceptions are also published.
2012-07-30 14:09:50 -05:00
Rob Winch a0572418e6 SEC-1995: Move version to gradle.properties so Bamboo can update on releases 2012-07-26 17:26:50 -05:00
Rob Winch 67d6ebdc51 SEC-1999: Updated spring-context version for acs/template.mf
Previously the Spring Security version was being used
instead of the Spring Security version.

Now the Spring version is used.
2012-07-25 16:39:08 -05:00
Rob Winch 10e6a6f943 Remove compile warnings in AspectJMethodSecurityInterceptorTests 2012-07-24 18:13:52 -05:00
Rob Winch 9a9aafaeec SEC-1967: Restore original SecurityContext in finally when RunAsManager is used
Previously subclasses of AbstractSecurityInterceptor did not restore the original
Authentication when RunAsManager was used and an Exception was thrown in the
original method.

AbstractSecurityInterceptor has added a new method finallyInvocation which
should be invoked in a finally block immediately after the original invocation
which will restore the original Authentication. All existing subclasses have
been updated to use this new method.
2012-07-24 18:08:27 -05:00
Rob Winch a1df1ca66b SEC-2018: Removed mavenLocal() from gradle build 2012-07-23 11:42:06 -05:00
Rob Winch 1d701a2d8f SEC-2012: Remove additional incorrect javadoc from UserDetails#getPassword() 2012-07-21 10:35:28 -05:00
Rob Winch a547f6922a SEC-1996: Fix javadoc to work with jdk 1.5
The javadoc did not work with JDK 1.5 due to a JDK bug fixed in JDK 1.6.

This changed the javadoc that had a tag that started with <a and was not
closed to escape the < >. This resolves the issue with the JDK 1.5 javadoc
bug.
2012-07-20 16:38:27 -05:00
Rob Winch b4fbabdbfd SEC-2012: Remove incorrect javadoc from UserDetails#getPassword()
Previously the javadoc stated that password could not be null. However,
since the introduction of CredentialsContainer introduced in SEC-1493 the
password can be null.

The changes remove the statement that passwords cannot be null. While this
is a non-passive change to the interface, the current state leaves no choice
for a non-passive change. Removing the javadoc was determined the better
option since erasing the credentials was an explicit feature request. Note
that replacing the password with an obscure String can be risky as it
introduces the risk that the value is used to authenticate.
2012-07-20 15:34:28 -05:00
Rob Winch c025e8db46 Added comment to ide-integration.gradle about STS-2723 2012-07-19 17:46:13 -05:00
Rob Winch 23ef7dac48 SEC-2009: Support ./gradlew eclipse
Previously there were problems when importing with ./gradlew eclipse. For
example GRADLE-1116 and GRADLE-1422.

The changes provide workarounds that are compatible with Gradle 1.0. Note
when importing after using ./gradlew eclipse users may get errors stating
"Element not found". This is only at the time of import and can be ignored.
This is an Eclipse bug logged as
https://bugs.eclipse.org/bugs/show_bug.cgi?id=244315
2012-07-19 17:42:36 -05:00
Rob Winch 24c3bdfd90 SEC-2013: Add space to log of AbstractAuthenticationProcessingFilter 2012-07-19 16:13:12 -05:00
Rob Winch 1710f32a08 SEC-2011: Moved SessionRegistry documentation of SessionRegistry#onAuthentication
Previously the documentation was referring to what ConcurrentSessionControlStrategy
performed.

Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication
method.
2012-07-19 11:15:06 -05:00
Rob Winch b868daaa8c SEC-2011: Remove reference to SessionRegistry from SessionFixationProtectionStrategy javadoc
Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).

Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
2012-07-19 10:20:40 -05:00
Rob Winch 095dcb3a74 SEC-2010: Include missing <value> tag in Hierarchical Roles section of the reference 2012-07-19 10:18:12 -05:00
Rob Winch aa4ec9a508 Cleaned up warnings in JdbcTokenRepositoryImpl and JdbcTokenRepositoryImplTests 2012-07-18 16:35:57 -05:00
Rob Winch 340534dadb SEC-1964: Handle missing series in JdbcTokenRepositoryImpl
Previously JdbcTokenRepositoryImpl would log an error with a misleading
message when the token series was missing.

Now JdbcTokenRepositoryImpl logs missing token series at info level with
a more informative message.
2012-07-18 16:35:57 -05:00
Rob Winch 7f9938c8e2 Organize imports on RememberMeConfigTests 2012-07-18 14:45:05 -05:00
Rob Winch c7c41ced84 Added test to verify LogoutHandlers added to LogoutFilter 2012-07-18 14:45:05 -05:00
Rob Winch 3ce06333c5 SEC-1850: Namespace adds all LogoutHandlers to ConcurrentSessionFilter
Previously the namespace configuration only populated ConcurrentSessionFilter
with SecurityContextLogoutHandler. This means that there was an inconsistency
with LogoutFilter.

Now the namespace will configure the same LogoutHandlers as it would for
LogoutFilter (i.e. RememberMeServices, SecurityContextLogoutHandler, and
CookieClearingLogoutHandler).
2012-07-18 14:44:35 -05:00
Rob Winch 06638db289 SEC-1909: Namespace configuration no longer uses deprecated APIs
Previously the namespace configuration used deprecated APIs
causing warnings to show up in Spring Tool suite when editing
Spring configuration files.

Now the namespace configuration uses the replacement APIs for
those that have been deprecated. The tests have also been updated
to ensure the new constructors are used and that the updates did
not break anything.
2012-07-17 14:08:36 -05:00
Rob Winch b196d70f99 SEC-1905: Added para tag to the digest encoded password footnote 2012-07-11 13:12:57 -05:00
Rob Winch bfd09f7603 SEC-1905: Added footnote to password encoding for digest authentication
Technically digest authentication can allow for encoded passwords, but
it needs to be in the correct format. This update adds a footnote to clarify this.

Previously the documentation stated that passwords must be in clear text.
2012-07-11 13:00:06 -05:00
Rob Winch 40ccbedefd SEC-1988: Add contributor guide link to readme.txt 2012-07-10 22:27:19 -05:00
Rob Winch 42b72bcbc4 SEC-1980: Prevent parser warning when URLs in configuration start with #
Previously a warning would be logged to the parser when a URL was
configured with a SpEL expression. These changes prevent warnings from
being logged when using SpEL for URL configuration.
2012-07-10 14:24:42 -05:00
Rob Winch b28e3a0b2f SEC-1976: include *.aj files in sourceJar 2012-07-09 18:37:05 -05:00
Rob Winch 262ee099df SEC-1994: explicit sourceCompatibility and targetCompatibility of 1.5 in Gradle build 2012-07-08 15:55:48 -05:00
Rob Winch 3e4da4f60f Updated to next snapshot version 2012-07-06 11:28:21 -05:00
Rob Winch f46a5bab40 Set to 3.1.1 Release 2012-07-06 10:32:55 -05:00
Rob Winch 638e92a3f7 SEC-1992: Updated Spring version to 3.0.7 2012-07-06 10:32:45 -05:00
Rob Winch d14150c2e1 SEC-1906: Fix EmmaPlugin for Gradle 1.0 2012-07-05 22:57:16 -05:00
Rob Winch a6bded86c2 SEC-1990: Polishing code cleanup on BCrypt
- Formatting
- Renamed test to be BCryptTests to better align with Spring Security's naming conventions
2012-07-05 14:12:14 -05:00
Joseph Walton 14a5135ac3 SEC-1990: Clean up jBCrypt and include its tests.
Merge in changes from jBCrypt.
- Use a ByteArrayOutputStream to cache bytes.
- Pass a StringBuilder into encode_base64.
- Refactor string comparison into its own method.
- General clean up.
2012-07-05 14:04:39 -05:00
Rob Winch fde9142d8d SEC-1907: Exclude crypto dependency in core module since classes are bundled in core 2012-07-05 13:56:47 -05:00
Rob Winch f2345fcb21 SEC-1981: Remove dependency on Locale for the build 2012-07-05 13:30:41 -05:00
Rob Winch a2452ab514 SEC-1906: Update to Gradle 1.0 2012-07-05 12:41:56 -05:00
Rob Winch 2fba10ab61 Use powermock for testing servlet 3.0 functionality instead of distinct classpaths 2012-07-01 12:37:01 -05:00