Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,441 Commits 32 Branches 333 Tags 109 MiB
Commit Graph

5441 Commits

Author SHA1 Message Date
Rob Winch 3c487c0348 SEC-2348: Update doc headers enabled by default with XML 2014-11-21 21:55:03 -06:00
Rob Winch 4392205f63 SEC-2347: CSRF Enabled by default w/ XML Config 2014-11-21 21:32:56 -06:00
Rob Winch eedbf44235 SEC-2348: Security HTTP Response Headers enabled by default w/ XML 2014-11-21 16:06:29 -06:00
Rob Winch 2e1e9885ec SEC-2054: Polish 
Fix the tests to use .getName() for assertions
 2014-11-21 11:08:30 -06:00
Rob Winch e2f7b38b87 SEC-2054: BasicAuthenticationFilter not invoked on ERROR dispatch 2014-11-21 10:47:45 -06:00
Rob Winch dfa17bdb98 SEC-2747: Remove spring-core dependency from spring-security-crypto 2014-11-20 16:16:22 -06:00
Rob Winch 30c5788b8b SEC-1897: Remove raw types from AbstractAccessDecisionManager 2014-11-20 15:36:53 -06:00
Rob Winch 1cca72e6d8 SEC-2749: CsrfConfigurer.requireCsrfProtectionMatcher correct null check 2014-11-20 14:40:51 -06:00
Rob Winch 4d738d8576 SEC-2491: KeyBasedPersistenceTokenService defaults to 32 bytes 2014-11-20 14:40:07 -06:00
Rob Winch 0704f88e99 SEC-2344: Remove check for DefaultParamterNameDiscoverer 
Spring Security not requires Spring 4, so there is no need to perform a
check if Spring 4 is present.
 2014-11-20 12:09:38 -06:00
Rob Winch 3089f1603e SEC-2682: DelegatingSecurityContextRunnable/Callable delegate toString() 2014-11-20 11:51:05 -06:00
Rob Winch 05882b5f24 SEC-2574: Polish 
Handle null DelegatingApplicationListener
 2014-11-19 17:09:24 -06:00
Rob Winch 5810681b06 SEC-2574: JavaConfig default SessionRegistry processes SessionDestroyedEvents 2014-11-19 16:48:19 -06:00
Rob Winch 4dcc89fab0 SEC-2674: Documentation refers to httpStrictTransportSecurity() instead of hsts() 2014-11-19 13:31:09 -06:00
Rob Winch 002a78d87d SEC-2768: DefaultMessageSecurityExpressionHandler sets PermissionEvaluator 2014-11-19 11:58:58 -06:00
Rob Winch 95c70f29bd SEC-2769: DefaultMessageSecurityExpressionHandler sets RoleHierarchy 2014-11-19 11:58:54 -06:00
Rob Winch ff95a34b1f SEC-2705: DefaultMessageSecurityExpressionHandler populates AuthenticationTrustResolver 2014-11-19 11:25:07 -06:00
Rob Winch 3b8f7fdd67 SEC-2732: ehcache-core -> ehcache 2014-11-18 17:14:30 -06:00
Rob Winch 55d6d5a86a SEC-2615: accesscontrollist tag hasPermission performs OR not AND 
In 3.1 the accesscontrollist tag began performing an and on the
permissions. This may have been accidental, but I think that it is more
intuitive & secure for it to behave this way. When compared to hasAnyRole
and hasRoles the hasPermission tag implies it is an and. If users end up
needing OR support, then the authorize tag can be used along with the
hasPermission expression. For example:

  <sec:authorize access="hasPermission(#domain, 'read') or hasPermission(#domain, 'write') ">

In general, the authorize tag should be preferred as it is the more
powerful way of performing authorization checks.
 2014-11-18 16:59:46 -06:00
Mikhail Stryzhonok f20219d541 Added possibility create custom Sid 2014-11-18 13:27:36 -06:00
Rob Winch fa9e7999da SEC-2569: SavedRequestAwareWrapper no longer overrides getCookies() 
Previously SavedRequestAwareWrapper overrode the getCookies() method. This
meant that the cookies from the original request were used instead of the
new request. In general, this does not make sense since cookies are
automatically submitted in every request by a client. Additionally, this
caused problems with using a locale cookie that was specified after the
secured page was requested.

Now SavedRequestAwareWrapper uses the new incoming request for determining
the cookies.
 2014-11-18 13:17:27 -06:00
Rob Winch 97df23e3b5 Add IDE Setup to CONTRIBUTING 2014-10-28 22:09:53 -05:00
Rob Winch 24dec7ec3e SEC-2737: Remove WebSocket Outbound Authorization 2014-10-10 15:56:25 -05:00
Rob Winch 4e7398eec0 SEC-2150: Support class level annotations on Spring Data Repositories 2014-09-26 13:47:37 -05:00
Rob Winch d429c96253 SEC-2150: Add tests to verify JSR-250 Spec behavior 2014-09-26 13:46:10 -05:00
Andy Wilkinson a28650c715 Provide a ClassLoader to be used to load LDIF files 
Prior to this change, ApacheDSContainer created a LdifFileLoader
without a ClassLoader. This limited its ability to load LDIF files
and causes a problem with an executable war in Spring Boot. See [1]
for details.

ApacheDSContainer now initialises LdifFileLoader with a ClassLoader.
This allows it to locate LDIF files packaged in WEB-INF/classes in
the case of an executable war file. The executable jar case was not
affected by this problem as, in that case, the LDIF file is pacakaged
in the root of the jar and is accessible via getSystemResourceAsStream

[1] https://github.com/spring-projects/spring-boot/issues/1550
 2014-09-24 13:49:15 -05:00
Rob Winch 5ba8f000a7 SEC-2714: Add AuthenticationPrincipal resolver for messaging support 2014-09-23 16:28:48 -05:00
Rob Winch d2fa019fe5 SEC-2704: Separation of inbound and outbound security rules 2014-09-19 16:39:43 -05:00
Rob Winch 28446284a6 SEC-2713: Support authorization by SimpMessageType 2014-09-19 16:38:56 -05:00
Rob Winch b717333707 Polish messaging generics and imports 2014-09-16 14:31:06 -05:00
Rob Winch b6fcde880a SEC-2703: ChannelSecurityInterceptor use ThreadLocal for InterceptorStatusToken 2014-09-16 13:46:10 -05:00
Rob Winch e7edb77cae SEC-2716: Fix doc spelling of AbstractPreAuthenticatedProcessingFilter 2014-09-16 10:56:52 -05:00
Rob Winch d316f661e8 SEC-2719: Fix order sensitive authenticated().withRoles(..) 2014-09-16 10:54:50 -05:00
Rob Winch 02c3565e22 Fix compiling in Eclipse 2014-09-16 10:18:46 -05:00
Rob Winch 39d544b901 Merge pull request #121 from bonifaido/patch-1 
Removed unnecessary params from anyRequest()'s javadoc
 2014-09-01 22:30:25 -05:00
Rob Winch 96ea4ddc7b Merge pull request #120 from bura/fix-clickjacking-url 
Fixed broken url to Clickjacking description.
 2014-09-01 22:29:39 -05:00
Nándor István Krácser a932d6ecf3 Removed unnecessary params from anyRequest()'s javadoc 2014-08-20 11:24:15 +02:00
Bloshchetsov Andrey Evgenyevich bd322542ca Fixed broken url to Clickjacking description. 2014-08-20 10:11:21 +04:00
Rob Winch 57ea75a7ce Merge pull request #118 from benmccann/patch-1 
Artifacts should be downloaded using https
 2014-08-18 17:03:36 -05:00
Rob Winch b9df7ba01f SEC-2179: Allow customize PathMatcher for SimpDestinationMessageMatcher 2014-08-18 11:04:04 -05:00
Ben McCann 613820a218 Artifacts should be downloaded using https 
See http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
 2014-08-16 14:52:34 -07:00
Rob Winch 533b71b9b8 SEC-2688: Remove ORDER constant 2014-08-15 21:14:12 -05:00
Rob Winch 6321665353 SEC-2676: Update to Spring Data Evans RC1 2014-08-15 20:46:59 -05:00
Rob Winch 3f30529039 SEC-2179: Add Spring Security Messaging Support 2014-08-15 20:46:58 -05:00
Rob Winch 934937d9c1 SEC-2688: CAS Proxy Ticket Authentication uses Service for host & port 2014-08-15 16:41:33 -05:00
Rob Winch f50e058d07 SEC-2697: Fix logging of Spring Version Check 2014-08-15 16:41:33 -05:00
Rob Winch 939df5f0f9 SEC-2547: Update to cas-client-core-3.3.3 2014-08-15 16:41:33 -05:00
Rob Winch 3187ee8bf3 SEC-2700: Register WithSecurityContextTestExecutionListener by default 2014-08-15 16:41:33 -05:00
Rob Winch 1eaa621619 SEC-2676: Fix data and sample data poms 2014-08-15 16:40:51 -05:00
Rob Winch 94a0816153 Exclude spring-data-commons from spring-ldap-core 2014-08-01 14:04:47 -05:00