Commit Graph

706 Commits

Author SHA1 Message Date
Spring Buildmaster 97b4cb0b73 Release version 4.2.0.RC1 2016-10-26 02:49:23 +00:00
Rob Winch 57d7ad05f9 Revert "Cache Control only written if not set"
This reverts commit 242b831f20.
Spring MVC fixed the issue we were working around and the changes
in Spring Security were unreliable.

Fixes gh-3975
2016-10-24 15:57:26 -05:00
Johnny Lim 50b72dddbc Fix typo in Javadoc
This commit simply fixes typo in Javadoc.
2016-10-20 21:07:15 -05:00
Rob Winch aaa9708b95 Add BeanResolver to AuthenticationPrincipalArgumentResolver
Previously @AuthenticationPrincipal's expression attribute didn't support
bean references because the BeanResolver was not set on the SpEL context.

This commit adds a BeanResolver and ensures that the configuration
sets a BeanResolver.

Fixes gh-3949
2016-10-18 19:45:54 -05:00
Rob Winch 2c99cd3bbf Remove MatcherAssertionErrors
Spring 5 removes MatcherAssertionErrors. We should not have been using
this class anyways.

This commit updates to using assertj in favor of MatcherAssertionErrors.

Issue gh-4080
2016-10-17 17:00:17 -05:00
Rob Winch 08c1f500a7 Version bumps for Spring 5
Issue gh-4080
2016-10-17 17:00:17 -05:00
Spring Buildmaster c1b8150439 Release version 4.2.0.M1 2016-09-23 19:39:33 +00:00
Rob Winch 8b89e804e3 Polish RequestAttributeAuthenticationFilter
Issue gh-3978
2016-09-23 13:08:08 -05:00
Rob Winch 6fb564a629 Polish HTTP Response Splitting
Issue gh-3910
2016-09-23 12:49:01 -05:00
Rob Winch 9ae163e92d Rename to RequestAttributeAuthenticationFilter
Rename EnvironmentVariableAuthenticationFilter to
RequestAttributeAuthenticationFilterTests

Polish gh-3978
2016-09-22 16:44:10 -05:00
Milan Ševčík a8120e74a7 Added authentication filter reading environment variables.
This style is used in many SSO implementations, such as Stanford WebAuth
and Shibboleth.
2016-09-22 16:30:54 -05:00
Rob Winch b443baef04 Polish GrantedAuthorityDefaults
* Move GrantedAuthorityDefaults to config module
* Move setting of default role into config module vs
  ApplicationContextAware

Issue gh-3701
2016-09-22 15:13:05 -05:00
Eddú Meléndez eabeaf35d6 Make single definition of `defaultRolePrefix` and `rolePrefix`
Previous to this commit, role prefix had to be set in every class
causing repetition. Now, bean `GrantedAuthorityDefaults` can be used to
define the role prefix in a single point.

Fixes gh-3701
2016-09-21 14:55:41 -05:00
Rob Winch 2e6656e9d3 Polish HTTP Response Splitting
* Use new test method name convention of
  methodNameWhen<Condition>Then<Expectation>
* Check null Cookie
* Check Cookie.getName() for crlf since we do not want to rely on the
  implementation. For example Cookie could be overriden by extending it.
* Use Crlf as convention instead of CLRF as style guide
* Create new FirewalledResponse before each test to ensure isolation
* Use Mock for HttpServletResponse delegate to keep test in isolation (i.e.
  we do not want our tests to fail if MockHttpServletRequest changes an
  Exception error message)

Issue gh-3910
2016-09-21 10:42:24 -05:00
Gabriel Lavoie 4a1f00b90f Add additional HTTP Response splitting prevention
- Adding multiple test.
- HTTP response splitting should be validated too on cookie attributes and
header name.

Issue gh-3910
2016-09-21 10:42:18 -05:00
Julio Valcarcel 6834467389 Add cookiePath to CookieCsrfTokenRepository
Allow the csrf cookie path to be set instead of inferred from the
request context.

Fixes gh-4062
2016-09-19 13:52:54 -05:00
Rob Winch 6650429283 Polish SessionInformationExpiredStrategy
* Fix passivity and add tests
* Introduce SessionInformationExpiredEvent as a value object
* Rename ExpiredSessionStrategy to SessionInformationExpiredStrategy
  to account for the need of SessionInformation
* Switch to Constructor Injection
* Move the changes to the xsd to 4.2 xsd instead of 4.1

Issue gh-3808
2016-09-15 14:30:52 -05:00
Marten Deinum b88418b94a Configuration of session management strategies
This commit adds an ExpiredSessionStrategy for the ConcurrentSessionFilter
analogous to the InvalidSessionStrategy for the SessionManagementFilter. It also
adds a configuration option for both the InvalidSessionStrategy and
ExpiredSessionStrategy to the XML namespace and Java configuration.

Fixes gh-3794
Fixes gh-3795
2016-09-15 11:10:17 -05:00
Joe Grandja a82cab7afd Revert "Add support for colons in remember-me token values"
This reverts commit aceba1f1cf.
2016-09-13 10:27:51 -04:00
Dennis Kieselhorst 2b6821622e Make DefaultRedirectStrategy more extensible
Fixes gh-2173
2016-09-08 17:23:13 -04:00
Stefan Penndorf d6397c2362 Remove dead code in SessionFixationProtectionStrategy
The retainedAttributes property is no longer used as a result of removing deprecations in 6e204fff72

Fixes gh-4057
Related gh-2757 gh-2918
2016-09-08 11:36:22 -04:00
Jeremy Waters aceba1f1cf Add support for colons in remember-me token values
We have an issue where token strings that contain a colon break
the existing decoding strategy, which tokenizes on colons. This
change urlencodes the individual tokens when creating the cookie
string; and urldecodes them decoding the cookie and extracting the
tokens.  This also eliminates the need for existing code to deal with
openid tokens which contain urls, and thus colons.

Fixes gh-3355
2016-09-07 16:35:15 -04:00
Rob Winch 8ad0003456 Polish Whitespace
Issue gh-3736
2016-09-02 11:37:21 -05:00
Rob Winch 3531cc93c2 JSON tests ObjectMapper Cleanup
* Move to @Setup
* Consistently extend from AbstractMixinTests and reuse ObjectMapper

Issue gh-3736
2016-09-02 11:37:20 -05:00
Rob Winch bd925313af Improve Readablility of JSON test strings
This improves the readability of the JSON strings used for
testing JSON serialize / deserialize of Spring Security

Issue gh-3736
2016-09-02 11:37:20 -05:00
Rob Winch d4c48dd3e1 Remove MockitoJUnitRunner from JSON tests
Previously the JSON tests unnecessarily had MockitoJUnitRunner.

This commit removes MockitoJUnitRunner from the JSON tests.

Issue gh-3736
2016-09-02 11:37:20 -05:00
Rob Winch 3fb77f3b59 Polish SecurityJacksonModules
Issue gh-3736
* ClassLoader argument - this is required because we do not want to assume
the ClassLoader that should be used
* Clean up logging - logging is now at debug level because we don't expect
all of the modules are loaded (they are quite possibly off the ClassPath)
* Remove ObjectUtils as it was being used on methods that expect a
Collection or Array with non collection based objects
* Polish Javadoc warnings
2016-09-02 11:37:13 -05:00
Rob Winch 6f2b24a62b Polish JSON warnings / javadoc
Issue gh-3736
2016-09-02 11:36:23 -05:00
Rob Winch 6d2003722e Polish JSON class scope
Use package scope when possible

Issue gh-3736
2016-09-02 11:36:06 -05:00
Jitendra Singh Bisht d77ca17e95 Add JSON Serialization
Fixes gh-3812
2016-09-02 11:29:53 -05:00
Rob Winch 4d02a5c0a0 Update pom.xml dependencies 2016-08-30 11:27:29 -05:00
Joe Grandja 4d460b2ec9 Remove unused MvcReqestMatcher.getMvcPattern (#4033) 2016-08-19 14:21:42 -05:00
Rob Winch c6366baee2 Remove MvcRequestMatcher.afterPropertiesSet()
The validation does not work due to restrictions within the servlet
container. Specifically we cannot access the servlets that are registered.

This commit reverts the validation logic for MvcRequestMatcher to determine
if servletPath is required.

Fixes gh-4027
2016-08-19 14:18:07 -04:00
Joe Grandja e080905a79 MvcRequestMatcher servletPath Polish / XML Config
Fixes gh-4014
2016-08-09 16:29:30 -05:00
Rob Winch 3befb1c8a6 MvcRequestMatcher servletPath / JavaConfig
Issue: gh-3987
2016-08-09 16:29:30 -05:00
Rob Winch ca170f8479 DummyRequest supports methods for MvcRequestMatcher
To support MvcRequestMatcher DummyRequest needs to support
getCharacterEncoding() and getAttribute(String)
2016-07-14 14:18:31 -05:00
Marten Deinum 80ff267749 Check RememberMe in ExceptionTranslationFilter
This commit adds a check for rememberme to the ExceptionTranslationFilter.
Using this when someone isn't fully authenticated he will be prompted with a
login screen and after that will be redirected to the original requested URI.

Fixes gh-2427
2016-07-13 16:58:00 -04:00
Rob Winch 70787fc548 Polish CompositeLogoutHandler
Issue gh-3895
2016-07-08 14:39:35 -05:00
Eddú Meléndez 1effc1882a Add CompositeLogoutHandler
Fixes gh-3895
2016-07-08 13:30:38 -05:00
Eddú Meléndez 26fa4a4bf0 Prevent HTTP response splitting
Evaluate if http header value contains CR/LF.

Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting

Fixes gh-3910
2016-07-07 13:42:52 -05:00
Eddú Meléndez 13b0ddb7e6 Fix test assertions 2016-07-07 13:29:00 -05:00
Spring Buildmaster 919f000c80 Release version 4.1.1.RELEASE 2016-07-07 00:57:35 +00:00
Rob Winch 9d50944cb2 AntPathRequestMatcher implements RequestVariableExtractor
Issue gh-3964
2016-07-06 15:47:34 -05:00
Rob Winch e4c13e3c0e Add MvcRequestMatcher
Fixes gh-3964
2016-07-06 15:47:23 -05:00
Rob Winch 2a73f3cdf7 Remove abigious import 2016-06-20 15:03:09 -05:00
Eddú Meléndez a2ead4cf7a Polish
Fixes gh-3892
2016-06-20 12:35:43 -05:00
Ruben Dijkstra 364db6762e Add failing test for #3905 Fix Assert usage 2016-06-20 09:24:04 -05:00
Ruben Dijkstra e8f4ee8a39 Fix Assert usage 2016-06-20 09:23:51 -05:00
Ruben Dijkstra ca76e8d784 Remove null-check inside afterPropertiesSet() since it's never null 2016-06-17 16:40:39 -05:00
Rob Winch 2d6051625f Update pom.xml 2016-06-17 14:30:11 -05:00
Adrien SAUVEZ c261975be0 Set cookie domain for cancel remember-me
Fixes gh-3871
2016-05-13 13:34:43 -05:00
Rob Winch d4218c70f1 Update CookieCsrfTokenRepository docs to cookiHttpOnly=false
Currently CookieCsrfTokenRepository does not specify that the httpOnly
flag needs set to false. We should update the reference to include this
setting (and a comment about it) since it states that the settings will
work with AngularJS.

This commit updates the documentation and provides a convenience factory
method to create a CookieCsrfTokenRepository with cookiHttpOnly=false

Fixes gh-3865
2016-05-06 16:28:04 -04:00
Spring Buildmaster 001b05569a Release version 4.1.0.RELEASE 2016-05-05 04:25:46 +00:00
Rob Winch 9745de9510 Add @AuthenticationPrincipal expression
It is now possible to provide a SpEL expression for
@AuthenticationPrincipal. This allows invoking custom logic including
methods on the principal object.

Fixes gh-3859
2016-05-03 18:08:52 -04:00
bartolom 3ca8273a95 Improve GC for OnCommittedResponseWrapper
Only track content length if disableOnCommitted is false. This improves object creation and thus GC.

Fixes gh-3842
2016-05-02 16:19:21 -05:00
Joe Grandja 2bdb0231c2 CookieCsrfTokenRepository supports HttpOnly
CookieCsrfTokenRepository supports HttpOnly

Fixes gh-3835

* Add Servlet 3 tests and javadocs

Issue gh-3835

* Add copyright header

Issue gh-3835
2016-05-02 15:49:37 -05:00
Li Weinan 70bd7d1bbc Include AuthenticationException in logs
Fixes gh-3705
2016-04-21 11:17:47 -04:00
Spring Buildmaster 24d0069668 Release version 4.1.0.RC2 2016-04-21 01:47:25 +00:00
Rob Winch 7fe0a135ec Default AntPathRequestMatcher to be case sensitive
Issue gh-3831
2016-04-20 13:29:18 -05:00
Rob Winch 6fa1588de9 Disable AntPathRequestMatcher trim tokens
Issue gh-3831
2016-04-20 13:29:17 -05:00
Rob Winch 4093690322 Polish Logout Content Negotiation
* Rename to DelegatingLogoutSuccessHandler for consistency
* Remove JavascriptOriginRequestMatcher in favor of
RequestHeaderRequestMatcher

Issue gh-3282
2016-04-20 10:49:37 -05:00
Shazin Sadakath f0d1700ad6 Content Negotiating LogoutSuccessHandler
Issue gh-3282
2016-04-20 10:42:13 -05:00
Rob Winch 1dbd3f5906 Fix NPE in OnCommittedResponseWrapper trackContentLength (#3824)
OnCommittedResponseWrapper trackContentLength will throw a
NullPointerException when the content length passed in is null.

This commit properly tracks the null value as a length of 4.

Fixes gh-3823
2016-04-19 14:58:56 -04:00
Johnny Lim 933a7e8363 Remove duplicate words
Fixes gh-3826
2016-04-18 23:21:20 -05:00
Rob Winch fb5776cb5c Support Camel case URI variables (#3814)
Perviously there were issues with case insenstive patterns and URI
variables that contained upper case characters. For example, the pattern
"/user/{userId}" could not resolve the variable #userId Instead it was
forced to lowercase and #userid was used.

Now if the pattern is case insensitive then so is the variable. This means
that #userId will work as will #userid.

Fixes gh-3786
2016-04-18 17:54:48 -04:00
Simon Olofsson 337a7ed35e Fix HeaderWriterFilter Javadoc
Fixes the formatting and spelling in HeaderWriterFilter Javadoc

Issue gh-3813
2016-04-15 08:56:58 -05:00
Andrew NS Yeow eb26095ca9 Fix HpkpHeaderWriter Javadoc format 2016-04-15 08:41:43 -05:00
Joe Grandja 2ef3da1b47 Documents the new @AuthenticationPrincipal in more detail.
Fixes gh-3771
2016-04-13 12:27:23 -04:00
Rob Winch d3a9cc6eae Add CsrfTokenRepository (#3805)
* Create LazyCsrfTokenRepository

Fixes gh-3790

* Add CookieCsrfTokenRepository

Fixes gh-3009
2016-04-12 17:26:53 -04:00
Johnny Lim fe94d654ed Fix typos (#228) 2016-04-12 11:11:51 -05:00
Joe Grandja b90242f2fa Updates all POM versions to 4.1.0 snapshot build.
Fixes gh-3804
2016-04-12 10:35:43 -04:00
izeye 2c85fb05d0 Remove duplicate test.
Remove duplicate test with `trailingWildcardWithVariableMatchesCorrectly()`.

Fixes gh-183
2016-04-08 13:36:45 -05:00
Rob Winch f49cd5faba Polish Codestyle 2016-04-01 09:53:32 -05:00
Rob Winch d900c78f11 Perform null check on super.getAsyncContext()
Fixes gh-3780
2016-04-01 09:53:32 -05:00
Shazin Sadakath 1bc7060c93 Add AuthenticationSuccessHandler support to AbstractPreAuthenticatedProcessingFilter
Fixes gh-3389
2016-03-25 09:46:16 -05:00
Spring Buildmaster 044acf7e27 Release version 4.1.0.RC1 2016-03-23 07:15:15 -07:00
Joe Grandja 2f7f2ff589 Adds support for Content Security Policy
Fixes gh-2342
2016-03-22 21:59:13 -05:00
Rob Winch 7bf014f678 Path Variables fail with different case
Fixes gh-3329
2016-03-21 10:09:50 -05:00
Eddú Meléndez 41c6a797c3 Add RememberMeConfigurer set domain
Fixes gh-3408
2016-03-17 08:30:18 -05:00
Rob Winch 242b831f20 Cache Control only written if not set
Previously Spring Security always wrote cache control headers and relied
on the application to override the values. This can cause problems with
cache control. For example, applications may only set cache control if
the header is not already set. Additionally, setting of Cache-Control
should disable writing of Pragma.

This commit delays writing headers until just before the response is
committed and only writes the Cache Control headers if they do not exist.

Fixes gh-2953
2016-03-15 12:30:37 -05:00
Rob Winch 1fcc2fcd88 Make OnCommittedResponseWrapper public
This is preparing for changes in gh-2953

Issues gh-2953
2016-03-15 11:22:06 -05:00
Rob Winch ec4e6c7453 Update pom.xml to 4.1.0.BUILD-SNAPSHOT 2016-03-14 00:51:35 -05:00
Rob Winch f221920a19 Clean up code to conform to basic checkstyle
Issue gh-3746
2016-03-14 00:15:12 -05:00
Rob Winch 40f687aa78 Improve CSRF missing error message
Fixes gh-3738
2016-03-09 14:52:21 -06:00
Billy Korando 71d4ce96ad Convert to assertj
Fixes gh-3175
2016-03-09 14:30:17 -06:00
Rob Winch bb600a473e Start AssertJ Migration
Issue gh-3175
2016-03-09 14:26:30 -06:00
Alex Baxanean a1c4c2039b Rename HeaderWriter loop variable 2016-03-09 10:36:03 -06:00
Rob Winch 6cbb1dc881 Polish ForwardAuthenticationSuccessHandler
* Whitespace cleanup
* Add @since

Issue gh-3726
2016-03-09 10:23:53 -06:00
Rob Winch e61bc7e93b Polish ForwardAuthenticationFailureHandler
* Whitespace cleanup
* Add @since

Issue gh-3727
2016-03-09 10:23:39 -06:00
Shazin Sadakath 7341da9320 Add ForwardAuthenticationSuccessHandler
Fixes gh-3726
2016-03-09 10:22:55 -06:00
Shazin Sadakath b288d24100 Add ForwardAuthenticationFailureHandler
Fixes gh-3727
2016-03-09 10:22:41 -06:00
Rob Winch db81977a1a Polish HPKP
* Javadoc polish
* Whitespace cleanup

Issue gh-3706
2016-03-03 15:11:40 -06:00
Tim Ysewyn 331c7e91b7 HTTP Public Key Pinning
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites
to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
(For example, sometimes attackers can compromise certificate authorities,
 and then can mis-issue certificates for a web origin.)
The HTTPS web server serves a list of public key hashes, and on subsequent connections
clients expect that server to use 1 or more of those public keys in its certificate chain.

This commit will add this new functionality.

Fixes gh-3706
2016-03-03 14:21:46 -06:00
Rob Winch d0dc47cb66 Remove logging for "Skip invoking on" response committed
Fixes gh-3683
2016-02-25 11:01:51 -06:00
Andrei Ivanov 9008a7af1d Allow override of SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR
Fixes gh-3697
2016-02-15 09:03:27 -06:00
Rob Winch 56fad169db request.setMethod("POST") 2015-12-21 14:53:13 -06:00
Rob Winch 7d5af63510 Merge pull request #243 from panchenko/SEC-3158
SEC-3158 findRequiredWebApplicationContext() compatibility with spring framework 4.1
2015-12-03 22:14:58 -06:00
Rob Winch 81db6abbe0 SEC-3164: JDK6 compatability 2015-12-02 14:16:57 -06:00
Alex Panchenko cfa23b152e SEC-3164 Optimization in DefaultRequiresCsrfMatcher 2015-12-01 13:19:13 +06:00
Alex Panchenko 3af4140742 SEC-3158 findRequiredWebApplicationContext() compatibility with spring framework 4.1.x 2015-12-01 12:54:08 +06:00