Commit Graph

5972 Commits

Author SHA1 Message Date
Jitendra Singh 48ff518a41 Fix Jackson 2.7+
UnmodifiableSetDeserializer added which will ensure
Collection$UnmodifiableSet deserialize properly with jackson-databind 2.7+

Fixes gh-4073
2016-10-13 07:42:07 -05:00
Rob Winch 0b1e3b4e4a Fix Reference Typo
unlimitted->unlimited
2016-09-23 16:45:08 -05:00
Rob Winch 6b4a52715b Fix Typo in Reference 2016-09-23 14:57:52 -05:00
Spring Buildmaster 7fb052e7ae Next development version 2016-09-23 19:39:35 +00:00
Spring Buildmaster c1b8150439 Release version 4.2.0.M1 2016-09-23 19:39:33 +00:00
Rob Winch 8b89e804e3 Polish RequestAttributeAuthenticationFilter
Issue gh-3978
2016-09-23 13:08:08 -05:00
Rob Winch c0f5aaee78 Adds What's New Spring Security 4.2
Fixes gh-4070
2016-09-23 13:02:27 -05:00
Rob Winch 6fb564a629 Polish HTTP Response Splitting
Issue gh-3910
2016-09-23 12:49:01 -05:00
Rob Winch 9ae163e92d Rename to RequestAttributeAuthenticationFilter
Rename EnvironmentVariableAuthenticationFilter to
RequestAttributeAuthenticationFilterTests

Polish gh-3978
2016-09-22 16:44:10 -05:00
Milan Ševčík a8120e74a7 Added authentication filter reading environment variables.
This style is used in many SSO implementations, such as Stanford WebAuth
and Shibboleth.
2016-09-22 16:30:54 -05:00
Rob Winch b443baef04 Polish GrantedAuthorityDefaults
* Move GrantedAuthorityDefaults to config module
* Move setting of default role into config module vs
  ApplicationContextAware

Issue gh-3701
2016-09-22 15:13:05 -05:00
Eddú Meléndez eabeaf35d6 Make single definition of `defaultRolePrefix` and `rolePrefix`
Previous to this commit, role prefix had to be set in every class
causing repetition. Now, bean `GrantedAuthorityDefaults` can be used to
define the role prefix in a single point.

Fixes gh-3701
2016-09-21 14:55:41 -05:00
Rob Winch 2e6656e9d3 Polish HTTP Response Splitting
* Use new test method name convention of
  methodNameWhen<Condition>Then<Expectation>
* Check null Cookie
* Check Cookie.getName() for crlf since we do not want to rely on the
  implementation. For example Cookie could be overriden by extending it.
* Use Crlf as convention instead of CLRF as style guide
* Create new FirewalledResponse before each test to ensure isolation
* Use Mock for HttpServletResponse delegate to keep test in isolation (i.e.
  we do not want our tests to fail if MockHttpServletRequest changes an
  Exception error message)

Issue gh-3910
2016-09-21 10:42:24 -05:00
Gabriel Lavoie 4a1f00b90f Add additional HTTP Response splitting prevention
- Adding multiple test.
- HTTP response splitting should be validated too on cookie attributes and
header name.

Issue gh-3910
2016-09-21 10:42:18 -05:00
Rob Winch d8690a59e2 Fix ??? in reference 2016-09-19 16:29:46 -05:00
Rob Winch 49f7c98c3e Fix headers@defaults-disabled=true with no children
Previously <headers defaults-disabled="true"/> would fail if there were
no children with an IllegalArgumentException. This allows using
defaults-disabled="true" and no children as an alias for disabled="true".

Fixes gh-3986
2016-09-19 14:53:51 -05:00
Rob Winch 81ebdecd8a Update to Sonarqube 2.1-rc1
Issue gh-4052
2016-09-19 14:02:20 -05:00
Julio Valcarcel 6834467389 Add cookiePath to CookieCsrfTokenRepository
Allow the csrf cookie path to be set instead of inferred from the
request context.

Fixes gh-4062
2016-09-19 13:52:54 -05:00
Joe Grandja c75a5b7279 Polish RoleHierarchyUtils and add tests 2016-09-19 14:07:34 -04:00
Thomas Darimont 06c67070a6 Add convenience method for constructing RoleHierarchy from Map.
Introduced `RoleHierarchyUtils` which enables convenient
construction of `RoleHierarchy` from map based representation.
Where the map key is the role name and the map value is a list
of implied role names.

Here is a small example for that in action:
https://gist.github.com/thomasdarimont/ee9fffdef1adb9243b12ad247478aad4

Fixes #3990.

Signed-off-by: Thomas Darimont <thomas.darimont@gmail.com>

Signed-off-by: Thomas Darimont <thomas.darimont@gmail.com>
2016-09-19 14:07:34 -04:00
Rob Winch 7f54c8b8b4 Fix link to CSP in Reference Doc
Previously the link in the reference from x-frame-options to the
content security policy section was broken.

This commit fixes the link.

Issue gh-4063
2016-09-19 10:21:04 -05:00
Fred Cooke 12173c04ee Fix Typo in Reference Docs
Word substitution, it's foolproof, not full proof :-)

Fixes gh-4063
2016-09-19 10:11:16 -05:00
Fred Cooke 4cc899feab Fix Typo in Javadoc
Issue gh-4063
2016-09-19 10:09:48 -05:00
Rob Winch 6650429283 Polish SessionInformationExpiredStrategy
* Fix passivity and add tests
* Introduce SessionInformationExpiredEvent as a value object
* Rename ExpiredSessionStrategy to SessionInformationExpiredStrategy
  to account for the need of SessionInformation
* Switch to Constructor Injection
* Move the changes to the xsd to 4.2 xsd instead of 4.1

Issue gh-3808
2016-09-15 14:30:52 -05:00
Marten Deinum 67c9f12964 Configuration of session management strategies
This commit adds the possibility to configure the AuthenticationFailureHandler
of the SessionManagementFilter.

Fixes gh-3794
2016-09-15 11:10:36 -05:00
Marten Deinum b88418b94a Configuration of session management strategies
This commit adds an ExpiredSessionStrategy for the ConcurrentSessionFilter
analogous to the InvalidSessionStrategy for the SessionManagementFilter. It also
adds a configuration option for both the InvalidSessionStrategy and
ExpiredSessionStrategy to the XML namespace and Java configuration.

Fixes gh-3794
Fixes gh-3795
2016-09-15 11:10:17 -05:00
Joe Grandja a82cab7afd Revert "Add support for colons in remember-me token values"
This reverts commit aceba1f1cf.
2016-09-13 10:27:51 -04:00
Dennis Kieselhorst 2b6821622e Make DefaultRedirectStrategy more extensible
Fixes gh-2173
2016-09-08 17:23:13 -04:00
Stefan Penndorf d6397c2362 Remove dead code in SessionFixationProtectionStrategy
The retainedAttributes property is no longer used as a result of removing deprecations in 6e204fff72

Fixes gh-4057
Related gh-2757 gh-2918
2016-09-08 11:36:22 -04:00
Jeremy Waters aceba1f1cf Add support for colons in remember-me token values
We have an issue where token strings that contain a colon break
the existing decoding strategy, which tokenizes on colons. This
change urlencodes the individual tokens when creating the cookie
string; and urldecodes them decoding the cookie and extracting the
tokens.  This also eliminates the need for existing code to deal with
openid tokens which contain urls, and thus colons.

Fixes gh-3355
2016-09-07 16:35:15 -04:00
Kazuki Shimizu 37c6605062 Add explanation for DelegatingAuthenticationFailureHandler (#207) 2016-09-02 13:27:23 -05:00
Rob Winch 92a59e0df7 Fix checkstyle
Issue gh-3736
2016-09-02 12:02:39 -05:00
Rob Winch 8ad0003456 Polish Whitespace
Issue gh-3736
2016-09-02 11:37:21 -05:00
Rob Winch 3531cc93c2 JSON tests ObjectMapper Cleanup
* Move to @Setup
* Consistently extend from AbstractMixinTests and reuse ObjectMapper

Issue gh-3736
2016-09-02 11:37:20 -05:00
Rob Winch bd925313af Improve Readablility of JSON test strings
This improves the readability of the JSON strings used for
testing JSON serialize / deserialize of Spring Security

Issue gh-3736
2016-09-02 11:37:20 -05:00
Rob Winch d4c48dd3e1 Remove MockitoJUnitRunner from JSON tests
Previously the JSON tests unnecessarily had MockitoJUnitRunner.

This commit removes MockitoJUnitRunner from the JSON tests.

Issue gh-3736
2016-09-02 11:37:20 -05:00
Rob Winch df613ed4cc JSON UserDetails deserializes null
JSON UserDetails null use to be treated as "".

This changes null to be treated as a null

Issue gh-3736
2016-09-02 11:37:16 -05:00
Rob Winch 3fb77f3b59 Polish SecurityJacksonModules
Issue gh-3736
* ClassLoader argument - this is required because we do not want to assume
the ClassLoader that should be used
* Clean up logging - logging is now at debug level because we don't expect
all of the modules are loaded (they are quite possibly off the ClassPath)
* Remove ObjectUtils as it was being used on methods that expect a
Collection or Array with non collection based objects
* Polish Javadoc warnings
2016-09-02 11:37:13 -05:00
Rob Winch c2d8ea92d0 SimpleGrantedAuthorityMixin role->authority
Issue gh-3736
2016-09-02 11:36:33 -05:00
Rob Winch 6f2b24a62b Polish JSON warnings / javadoc
Issue gh-3736
2016-09-02 11:36:23 -05:00
Rob Winch 6d2003722e Polish JSON class scope
Use package scope when possible

Issue gh-3736
2016-09-02 11:36:06 -05:00
Rob Winch 03d8904a03 Polish constructor assertions
Previously the JSON modules didn't use Spring's Assert.

This commit changes the assertions to use Spring's Assert and does
some minor restructuring.

Issue gh-3736
2016-09-02 11:34:57 -05:00
Jitendra Singh Bisht d77ca17e95 Add JSON Serialization
Fixes gh-3812
2016-09-02 11:29:53 -05:00
Rob Winch 4d02a5c0a0 Update pom.xml dependencies 2016-08-30 11:27:29 -05:00
Rob Winch 22fe8b33c6 Update to Gradle 3.0
Fixes gh-4052
2016-08-30 11:27:02 -05:00
Rob Winch 927ef9ba05 Update to spring-io-plugin-0.0.5.RELEASE
Fixes gh-4051
2016-08-30 11:26:18 -05:00
Rob Winch 995d88952d Update to Spring Boot 1.4
Fixes gh-4050
2016-08-30 11:25:11 -05:00
Rob Winch 53352e336d Polish gh-4048 2016-08-30 09:42:28 -05:00
vitalii-dmytruk 422bc37115 Suppurt custom messages
According to the SpringSecurityMessageSource documentation class which uses
SpringSecurityMessageSource should also implement MessageSourceAware interface
in order to support alternative message source.

Issue gh-4048
2016-08-30 09:41:37 -05:00
Rob Winch 91c8cebf99 Remove only master from .travis.yml 2016-08-30 09:14:22 -05:00