Commit Graph

752 Commits

Author SHA1 Message Date
bartolom 3ca8273a95 Improve GC for OnCommittedResponseWrapper
Only track content length if disableOnCommitted is false. This improves object creation and thus GC.

Fixes gh-3842
2016-05-02 16:19:21 -05:00
Joe Grandja 2bdb0231c2 CookieCsrfTokenRepository supports HttpOnly
CookieCsrfTokenRepository supports HttpOnly

Fixes gh-3835

* Add Servlet 3 tests and javadocs

Issue gh-3835

* Add copyright header

Issue gh-3835
2016-05-02 15:49:37 -05:00
Li Weinan 70bd7d1bbc Include AuthenticationException in logs
Fixes gh-3705
2016-04-21 11:17:47 -04:00
Spring Buildmaster 24d0069668 Release version 4.1.0.RC2 2016-04-21 01:47:25 +00:00
Rob Winch 7fe0a135ec Default AntPathRequestMatcher to be case sensitive
Issue gh-3831
2016-04-20 13:29:18 -05:00
Rob Winch 6fa1588de9 Disable AntPathRequestMatcher trim tokens
Issue gh-3831
2016-04-20 13:29:17 -05:00
Rob Winch 4093690322 Polish Logout Content Negotiation
* Rename to DelegatingLogoutSuccessHandler for consistency
* Remove JavascriptOriginRequestMatcher in favor of
RequestHeaderRequestMatcher

Issue gh-3282
2016-04-20 10:49:37 -05:00
Shazin Sadakath f0d1700ad6 Content Negotiating LogoutSuccessHandler
Issue gh-3282
2016-04-20 10:42:13 -05:00
Rob Winch 1dbd3f5906 Fix NPE in OnCommittedResponseWrapper trackContentLength (#3824)
OnCommittedResponseWrapper trackContentLength will throw a
NullPointerException when the content length passed in is null.

This commit properly tracks the null value as a length of 4.

Fixes gh-3823
2016-04-19 14:58:56 -04:00
Johnny Lim 933a7e8363 Remove duplicate words
Fixes gh-3826
2016-04-18 23:21:20 -05:00
Rob Winch fb5776cb5c Support Camel case URI variables (#3814)
Perviously there were issues with case insenstive patterns and URI
variables that contained upper case characters. For example, the pattern
"/user/{userId}" could not resolve the variable #userId Instead it was
forced to lowercase and #userid was used.

Now if the pattern is case insensitive then so is the variable. This means
that #userId will work as will #userid.

Fixes gh-3786
2016-04-18 17:54:48 -04:00
Simon Olofsson 337a7ed35e Fix HeaderWriterFilter Javadoc
Fixes the formatting and spelling in HeaderWriterFilter Javadoc

Issue gh-3813
2016-04-15 08:56:58 -05:00
Andrew NS Yeow eb26095ca9 Fix HpkpHeaderWriter Javadoc format 2016-04-15 08:41:43 -05:00
Joe Grandja 2ef3da1b47 Documents the new @AuthenticationPrincipal in more detail.
Fixes gh-3771
2016-04-13 12:27:23 -04:00
Rob Winch d3a9cc6eae Add CsrfTokenRepository (#3805)
* Create LazyCsrfTokenRepository

Fixes gh-3790

* Add CookieCsrfTokenRepository

Fixes gh-3009
2016-04-12 17:26:53 -04:00
Johnny Lim fe94d654ed Fix typos (#228) 2016-04-12 11:11:51 -05:00
Joe Grandja b90242f2fa Updates all POM versions to 4.1.0 snapshot build.
Fixes gh-3804
2016-04-12 10:35:43 -04:00
izeye 2c85fb05d0 Remove duplicate test.
Remove duplicate test with `trailingWildcardWithVariableMatchesCorrectly()`.

Fixes gh-183
2016-04-08 13:36:45 -05:00
Rob Winch f49cd5faba Polish Codestyle 2016-04-01 09:53:32 -05:00
Rob Winch d900c78f11 Perform null check on super.getAsyncContext()
Fixes gh-3780
2016-04-01 09:53:32 -05:00
Shazin Sadakath 1bc7060c93 Add AuthenticationSuccessHandler support to AbstractPreAuthenticatedProcessingFilter
Fixes gh-3389
2016-03-25 09:46:16 -05:00
Spring Buildmaster 044acf7e27 Release version 4.1.0.RC1 2016-03-23 07:15:15 -07:00
Joe Grandja 2f7f2ff589 Adds support for Content Security Policy
Fixes gh-2342
2016-03-22 21:59:13 -05:00
Rob Winch 7bf014f678 Path Variables fail with different case
Fixes gh-3329
2016-03-21 10:09:50 -05:00
Eddú Meléndez 41c6a797c3 Add RememberMeConfigurer set domain
Fixes gh-3408
2016-03-17 08:30:18 -05:00
Rob Winch 242b831f20 Cache Control only written if not set
Previously Spring Security always wrote cache control headers and relied
on the application to override the values. This can cause problems with
cache control. For example, applications may only set cache control if
the header is not already set. Additionally, setting of Cache-Control
should disable writing of Pragma.

This commit delays writing headers until just before the response is
committed and only writes the Cache Control headers if they do not exist.

Fixes gh-2953
2016-03-15 12:30:37 -05:00
Rob Winch 1fcc2fcd88 Make OnCommittedResponseWrapper public
This is preparing for changes in gh-2953

Issues gh-2953
2016-03-15 11:22:06 -05:00
Rob Winch ec4e6c7453 Update pom.xml to 4.1.0.BUILD-SNAPSHOT 2016-03-14 00:51:35 -05:00
Rob Winch f221920a19 Clean up code to conform to basic checkstyle
Issue gh-3746
2016-03-14 00:15:12 -05:00
Rob Winch 40f687aa78 Improve CSRF missing error message
Fixes gh-3738
2016-03-09 14:52:21 -06:00
Billy Korando 71d4ce96ad Convert to assertj
Fixes gh-3175
2016-03-09 14:30:17 -06:00
Rob Winch bb600a473e Start AssertJ Migration
Issue gh-3175
2016-03-09 14:26:30 -06:00
Alex Baxanean a1c4c2039b Rename HeaderWriter loop variable 2016-03-09 10:36:03 -06:00
Rob Winch 6cbb1dc881 Polish ForwardAuthenticationSuccessHandler
* Whitespace cleanup
* Add @since

Issue gh-3726
2016-03-09 10:23:53 -06:00
Rob Winch e61bc7e93b Polish ForwardAuthenticationFailureHandler
* Whitespace cleanup
* Add @since

Issue gh-3727
2016-03-09 10:23:39 -06:00
Shazin Sadakath 7341da9320 Add ForwardAuthenticationSuccessHandler
Fixes gh-3726
2016-03-09 10:22:55 -06:00
Shazin Sadakath b288d24100 Add ForwardAuthenticationFailureHandler
Fixes gh-3727
2016-03-09 10:22:41 -06:00
Rob Winch db81977a1a Polish HPKP
* Javadoc polish
* Whitespace cleanup

Issue gh-3706
2016-03-03 15:11:40 -06:00
Tim Ysewyn 331c7e91b7 HTTP Public Key Pinning
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites
to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
(For example, sometimes attackers can compromise certificate authorities,
 and then can mis-issue certificates for a web origin.)
The HTTPS web server serves a list of public key hashes, and on subsequent connections
clients expect that server to use 1 or more of those public keys in its certificate chain.

This commit will add this new functionality.

Fixes gh-3706
2016-03-03 14:21:46 -06:00
Rob Winch d0dc47cb66 Remove logging for "Skip invoking on" response committed
Fixes gh-3683
2016-02-25 11:01:51 -06:00
Andrei Ivanov 9008a7af1d Allow override of SwitchUserFilter.ROLE_PREVIOUS_ADMINISTRATOR
Fixes gh-3697
2016-02-15 09:03:27 -06:00
Rob Winch 56fad169db request.setMethod("POST") 2015-12-21 14:53:13 -06:00
Rob Winch 7d5af63510 Merge pull request #243 from panchenko/SEC-3158
SEC-3158 findRequiredWebApplicationContext() compatibility with spring framework 4.1
2015-12-03 22:14:58 -06:00
Rob Winch 81db6abbe0 SEC-3164: JDK6 compatability 2015-12-02 14:16:57 -06:00
Alex Panchenko cfa23b152e SEC-3164 Optimization in DefaultRequiresCsrfMatcher 2015-12-01 13:19:13 +06:00
Alex Panchenko 3af4140742 SEC-3158 findRequiredWebApplicationContext() compatibility with spring framework 4.1.x 2015-12-01 12:54:08 +06:00
Rob Winch 4144de9376 SEC-3082: make SavedRequest parameters case sensitive 2015-10-29 16:46:11 -05:00
Rob Winch 8f13beccb7 SEC-2190: Fix Javadoc 2015-10-29 11:41:39 -05:00
Rob Winch 8b641e5f79 SEC-2190: Support WebApplicationContext in ServletContext attribute 2015-10-28 15:12:35 -05:00
Rob Winch 5c73816a1a SEC-3108: DigestAuthenticationFilter should use SecurityContextHolder.createEmptyContext() 2015-10-27 13:56:51 -05:00
Rob Winch a88ac0fcc1 SEC-3109: Fix web tests 2015-10-26 21:31:07 -05:00
Rob Winch cda6532c43 SEC-3070: Logout invalidate-session=false and Spring Session doesn't
work
2015-10-20 14:58:57 -05:00
izeye 3925ed90c4 SEC-3124: Fix broken Javadoc related to `<` and `>` 2015-10-13 13:33:28 -05:00
zhanhb 29f2cc0ab1 snasphot -> snapshot 2015-09-25 15:28:39 -05:00
Rob Winch 97969ea9d2 SEC-2059: Ignore Query String for Resolving Path Variables 2015-09-01 09:53:29 -05:00
Rob Winch 6b05b298ff SEC-2059: Support Path Variables in Web Expressions 2015-08-20 17:11:01 -05:00
Rob Winch 969f3a7d1b Update pom.xml to latest snapshots 2015-08-03 09:46:01 -05:00
Thomas Darimont ad1d858e2b SEC-3056 - Fix JavaDoc errors.
Fixed JavaDoc errors accross multiple modules in order to make javadoc happy with Java 8.
2015-08-03 08:02:24 -05:00
Rob Winch 117f892c91 SEC-3031: DelegatingSecurityContext(Runnable|Callable) only modify SecurityContext on new Thread
Modifying the SecurityContext on the same Thread can cause issues. For example, with a
RejectedExecutionHandler the SecurityContext may be cleared out on the original Thread.

This change modifies both the DelegatingSecurityContextRunnable and DelegatingSecurityContextCallable to,
by default, only modify the SecurityContext if they are invoked on a new Thread. The behavior can be changed
by setting the property enableOnOrigionalThread to true.
2015-07-22 16:07:21 -05:00
Rob Winch e8c9f75f9c Update pom.xml to latest versions 2015-07-22 12:51:04 -05:00
Rob Winch 432123daa2 SEC-2964: Fix CsrfTokenArgumentResolver Javadoc 2015-07-22 11:32:36 -05:00
Rob Winch 92ae45a04d SEC-3051: Add AbstractPreAuthenticatedProcessingFilter#principalChanged 2015-07-22 08:41:33 -05:00
Rob Winch 7c725a60e2 SEC-3047: SecurityContextHolderAwareRequestFactory update RequestFactory 2015-07-20 14:06:44 -05:00
Rob Winch 76a2fb9488 SEC-3020: SecurityContextHolderAwareRequestWrapper conditional rolePrefix
Previously SecurityContextHolderAwareRequestWrapper always prefixed with
rolePrefix. This meant the defaults would never return true for a role
that started with the prefix (i.e. ROLE_).

We no longer apply the rolePrefix if the value passed in already starts
with rolePrefix.
2015-07-16 14:49:32 -05:00
Rob Winch 08b1b56e2c SEC-2973: Add OnCommittedResponseWrapper
This ensures that Spring Session & Security's logic for performing
a save on the response being committed can easily be kept in synch.
Further this ensures that the SecurityContext is now persisted when
the response body meets the content length.
2015-07-14 14:48:41 -05:00
Rob Winch 316886affc SEC-2931: Fix CsrfFilter Javadoc 2015-07-14 13:40:59 -05:00
Rob Winch aed288da05 Fix Spring IO Tests 2015-07-08 11:48:43 -05:00
Rob Winch 1f74ac811e Fix Spring IO Tests 2015-07-08 11:09:29 -05:00
Rob Winch 197ddb3cd1 SEC-3029: Fix Compatibility with Spring 4.2.x 2015-07-07 22:46:31 -05:00
Alex Panchenko 0a118336d4 SEC-2955: Convert to "static" for inner classes 2015-04-30 12:54:52 -05:00
Rob Winch a67ef1c3a2 SEC-2944: Polish 2015-04-30 10:00:04 -05:00
Gunnar Hillert 3099f92154 SEC-2944 Add HttpStatusReturningLogoutSuccessHandler
* Add HttpStatusReturningLogoutSuccessHandler to provide better logout capabilities for RESTful APIs
2015-04-30 09:56:02 -05:00
Rob Winch e08e9cda00 SEC-2851: Remove DataAccessException import from Persistent RememberMe 2015-04-21 14:57:32 -05:00
Rob Winch 09acc2b7a5 SEC-2962: SecurityContextHolderAwareRequestFilter default rolePrefix 2015-04-21 11:42:48 -05:00
Rob Winch d5dfeeca49 SEC-2927: Update chat-jc pom so Maven Builds
Previously there were some incorrect dependency versions. This commit fixes
that.

We added dependencyManagement for Spring Framework and corrected
Thymeleaf and embedded redis versions.
2015-04-20 15:53:26 -05:00
Rob Winch 0bfbd2923a SEC-2915: Fix defaut login page tests with tabs 2015-04-17 12:13:44 -05:00
Rob Winch 4fdfb8caba SEC-2915: More Tabs -> Spaces 2015-04-17 11:34:34 -05:00
Rob Winch db531d9100 SEC-2917: Update to Spring 4.1.6 2015-03-25 15:18:59 -05:00
Rob Winch ae6af5d73c SEC-2915: Updated Java Code Formatting 2015-03-25 13:09:18 -05:00
Rob Winch 0a2e496a84 SEC-2915: groovy/gradle spaces->tabs 2015-03-25 13:08:59 -05:00
Rob Winch cf9f58a4ac SEC-2915: XML spaces->tabs 2015-03-25 13:08:52 -05:00
Rob Winch b85ad33aef SEC-2888: Polish 2015-03-13 16:10:39 -05:00
Pascal Gehl 85955015f7 SEC-2888 AntPathRequestMatcher ignores variables in pattern when pattern
finishes with /**
2015-03-13 16:03:08 -05:00
Rob Winch e776a1fd35 SEC-2803: Add HttpStatusEntryPoint 2015-03-11 14:45:59 -05:00
Rob Winch 9d0085bb64 SEC-2882: DefaultLoginPageGeneratingFilter match on /login
Previously DefaultLoginPageGeneratingFilter would match on /**/login
which was not ideal since other parts of the application may want to
match on the URL.

Now it matches on /login.
2015-03-10 11:52:26 -05:00
Rob Winch 217152c8fd Polish Http403ForbiddenEntryPoint whitespace 2015-03-10 10:58:58 -05:00
Rob Winch b04388ad62 SEC-2805: Remove unnecessary cast in Http403ForbiddenEntryPoint 2015-03-10 10:58:21 -05:00
Rob Winch 62d74aef3d Merge pull request #103 from bcecchinato/fix-logs
Trivial logging fix in saveContext method in HttpSessionSecurityContextRepository
2015-02-25 00:02:44 -06:00
Rob Winch 6fd45df1e4 SEC-2879: Add Test 2015-02-24 23:19:04 -06:00
Michael Cramer 8c0b16820b SEC-2879: JdbcTokenRepositoryImpl updateToken should use lastUsed arg 2015-02-24 23:18:38 -06:00
Marcin Mielnicki 9ea7372405 SEC-2878: Clean imports in UsernamePasswordAuthenticationFilter 2015-02-24 22:53:44 -06:00
Rob Winch 5f57e5b0c3 SEC-2873: Remember Me XML Configuration Defaults Should Match Java Config 2015-02-24 20:49:56 -06:00
Rob Winch 76d9ef4ec3 SEC-2872: CsrfAuthenticationStrategy Delay Saving CsrfToken 2015-02-24 17:30:57 -06:00
Rob Winch 98ae03fc40 SEC-2832: Add Tests 2015-02-24 17:30:56 -06:00
Stillglade 310e5bb285 SEC-2832: Update request attributes with new CsrfToken 2015-02-24 17:30:19 -06:00
Rob Winch d973f5f80c SEC-2078: AbstractPreAuthenticatedProcessingFilter requriesAuthentication support for non-String Principals
Previously, if the Principal returned by getPreAuthenticatedPrincipal was not a String,
it prevented requiresAuthentication from detecting when the Principal was the same.
This caused the need to authenticate the user for every request even when the Principal
did not change.

Now requiresAuthentication will check to see if the result of
getPreAuthenticatedPrincipal is equal to the current Authentication.getPrincipal().
2015-02-24 16:37:55 -06:00
Rob Winch 706e7fd7a2 SEC-2863: Update to Spring 4.1.5 2015-02-20 11:43:04 -06:00
Rob Winch 6a8475adbb SEC-2830: Provide Same Origin support for SockJS 2015-02-18 11:21:02 -06:00
Rob Winch a27c33754c SEC-2859: Add CsrfTokenArgumentResolver 2015-02-18 10:51:30 -06:00
Rob Winch 1a35292750 SEC-2791: AbstractRememberMeServices sets the version
If the maxAge < 1 then the version must be 1 otherwise browsers ignore
the value.
2015-02-04 15:57:45 -06:00
Rob Winch 1a00c397a4 SEC-2835: Polish 2015-02-04 15:50:24 -06:00
Rob Winch 07c54e5d0e SEC-2831: Regex/AntPath RequestMatcher handle invalid HTTP method 2015-02-04 11:57:46 -06:00
Kazuki Shimizu 31234ecef9 SEC-2835: Add DelegatingAuthenticationFailureHandler
Add the DelegatingAuthenticationFailureHandler class to support
map each exception to AuthenticationFailureHandler. This class gives
more powerful options to customize default behavior for users.
2015-02-04 10:49:13 -06:00
Kazuki Shimizu 1d0eee1d0b SEC-2840: Modify typo in DelegatingAccessDeniedHandler 2015-02-04 10:49:41 +09:00
Rob Winch 6627f76df7 SEC-2758: Make ROLE_ consistent 2015-01-29 17:08:43 -06:00
Rob Winch 8f0001f59a Next Development Version 2014-12-11 20:39:26 -06:00
Spring Buildmaster 49b69196de Release version 4.0.0.RC1 2014-12-11 20:36:55 -06:00
Rob Winch 11116c2b80 SEC-2787: Update Versions 2014-12-10 16:37:19 -06:00
Rob Winch c67ff42b8a SEC-2783: XML Configuration Defaults Should Match JavaConfig
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
2014-12-08 15:09:15 -06:00
Rob Winch b56e5edbbd SEC-2784: Fix build plugins 2014-12-08 14:24:34 -06:00
Rob Winch 6e204fff72 SEC-2781: Remove deprecations 2014-12-04 15:28:40 -06:00
Rob Winch eedbf44235 SEC-2348: Security HTTP Response Headers enabled by default w/ XML 2014-11-21 16:06:29 -06:00
Rob Winch 2e1e9885ec SEC-2054: Polish
Fix the tests to use .getName() for assertions
2014-11-21 11:08:30 -06:00
Rob Winch e2f7b38b87 SEC-2054: BasicAuthenticationFilter not invoked on ERROR dispatch 2014-11-21 10:47:45 -06:00
Rob Winch dfa17bdb98 SEC-2747: Remove spring-core dependency from spring-security-crypto 2014-11-20 16:16:22 -06:00
Rob Winch fa9e7999da SEC-2569: SavedRequestAwareWrapper no longer overrides getCookies()
Previously SavedRequestAwareWrapper overrode the getCookies() method. This
meant that the cookies from the original request were used instead of the
new request. In general, this does not make sense since cookies are
automatically submitted in every request by a client. Additionally, this
caused problems with using a locale cookie that was specified after the
secured page was requested.

Now SavedRequestAwareWrapper uses the new incoming request for determining
the cookies.
2014-11-18 13:17:27 -06:00
Rob Winch 5ba8f000a7 SEC-2714: Add AuthenticationPrincipal resolver for messaging support 2014-09-23 16:28:48 -05:00
Rob Winch 3187ee8bf3 SEC-2700: Register WithSecurityContextTestExecutionListener by default 2014-08-15 16:41:33 -05:00
Rob Winch b72c1ad314 SEC-2686: Create SecurityMockMvcConfigurer 2014-07-22 15:11:37 -05:00
Rob Winch e14e5b42fc SEC-2599: HttpSessionEventPublisher get required ApplicationContext
In order to get better error messages (avoid NullPointerException) the
HttpSessionEventPublisher now gets the required ApplicationContext which
throws an IllegalStateException with a good error message.
2014-07-22 09:19:50 -05:00
Rob Winch 3289c1c92a SEC-2683: Correct spelling of assignamble in AuthenticationPrincipalResolver Exception 2014-07-18 13:57:13 -05:00
bcecchinato bb1762d4c3 Adding httpSession in logging for the saveContext method 2014-07-02 13:07:32 +02:00
Rob Winch 2082d3747a SEC-2578: HttpSessionSecurityContextRepository traverses HttpServletResponseWrapper 2014-05-02 15:06:50 -05:00
Mattias Severson 2b3becf666 SEC-2573: RequestHeaderRequestMatcher constructor argument name has typo 2014-04-23 09:28:00 -05:00
Rob Winch 8baf82532c SEC-2015: Add spring-security-test 2014-04-22 16:47:48 -05:00
Rob Winch ccf96a4d69 SEC-2542: Polish dependency exclusions
This cleans up exclusions so the pom.xml are not as cluttered.
2014-04-02 09:47:29 -05:00
Rob Winch 3118e39de8 SEC-2542: Use exclusions to remove duplicate dependencies
A number of projects had duplicate dependencies on their classpaths
as a result of the same classes being available in more than one
artifact, each with different Maven coordinates. Typically this only
affected the tests, but meant that the actual classes that were
loaded was somewhat unpredictable and had the potential to vary
between an IDE and the command line depending on the order in which
the aritfacts appeared on the classpath. This commit adds a number of
exclusions to remove such duplicates.

In addition to the new exclusions, notable other changes are:

 - Spring Data JPA has been updated to 1.4.1. This brings its
   transitive dependency upon spring-data-commons into line with
   Spring LDAP's and prevents both spring-data-commons-core and
   spring-data-commons from being on the classpath
 - All Servlet API dependencies have been updated to use the official
   artifact with all transitive dependencies on unofficial servlet API
   artifacts being excluded.
 - In places, groovy has been replaced with groovy-all. This removes
   some duplicates caused by groovy's transitive dependencies.
 - JUnit has been updated to 4.11 which brings its transitive Hamcrest
   dependency into line with other components.

There appears to be a bug in Gradle which means that some exclusions
applied to an artifact do not work reliably. To work around this
problem it has been necessary to apply some exclusions at the
configuration level

Conflicts:
	samples/messages-jc/pom.xml
2014-04-02 09:47:26 -05:00
Rob Winch c0590e614a SEC-2177: Polish 2014-03-18 15:48:54 -05:00
Maciej Zasada 7cf37856c0 SEC-2177: Striping off all leading schemes
Striping off all leading schemes in the DefaultRedirectStrategy, so it
will be less vulnerable to open redirect phishing attacks. More info can
be found at SEC-2177 JIRA issue.
2014-03-18 15:45:41 -05:00
Julien Dubois 7325b97c76 SEC-2519: RememberMeAuthenticationException supports root cause
Added a constructor which keeps the root cause of the exception, and
added some documentation
2014-03-11 16:11:52 -05:00
Rob Winch 91a074c744 Merge pull request #62 from dalbertom/typo
Correct typo in AbstractRememberMeServices assertion
2014-03-11 15:40:23 -05:00
Rob Winch ea902e5829 SEC-2507: WebExpressionVoter.supports support subclasses of FilterInvocation 2014-03-10 14:33:37 -05:00
Rob Winch e15cee62f4 SEC-2511: Remove double ALLOW-FROM in X-Frame-Options header 2014-03-06 22:01:25 -06:00
getvictor 6de138c2f2 SEC-2511: Remove double ALLOW-FROM from X-Frame-Options header.
The interface documentation for getAllowFromValue states: Gets the value for ALLOW-FROM excluding the ALLOW-FROM.
2014-03-06 22:01:23 -06:00
Rob Winch 9988fa141c Update Spring Security version in pom.xml 2014-03-06 08:13:52 -06:00
Rob Winch 6be4e3a9fc SEC-2506: Remove Bundlor Support 2014-03-05 13:32:16 -06:00
Rob Winch 7f99a2dfbb SEC-2487: Update to Spring 3.2.8.RELEASE 2014-02-19 09:30:40 -06:00
Rob Winch ec8b48150d SEC-2474: Update poms 2014-02-07 17:01:11 -06:00
Rob Winch 8d8475deb1 SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
2014-01-29 15:35:18 -06:00
Rob Winch 2df5541905 SEC-2448: Update to HSQL 2.3.1 2013-12-14 10:19:06 -06:00
Rob Winch ca1080fb96 SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter 2013-12-13 15:47:28 -06:00
Rob Winch a34178bc40 SEC-2434: Update to Spring 3.2.6 and Spring 4.0 GA 2013-12-12 08:16:59 -06:00
Rob Winch aaa7cec32e SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
Previously there was unecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
2013-12-12 08:07:22 -06:00
Rob Winch 7f714ebb23 SEC-2422: Session timeout detection with CSRF protection 2013-12-11 17:38:17 -06:00
Rob Winch 4460e84b29 Updates to pom.xml author and repo 2013-12-09 08:57:30 -06:00
David Alberto f9998d582a Correct typo in AbstractRememberMeServices assertion 2013-11-26 18:06:55 -05:00
Rob Winch 59e13e7bbb SEC-2404: CsrfAuthenticationStrategy creates new valid CsrfToken 2013-11-21 15:12:08 -06:00
Rob Winch 2c8946c406 Next development version 2013-11-01 14:20:55 -05:00
Spring Buildmaster 9c703a3051 Release version 3.2.0.RC2 2013-11-01 14:20:49 -05:00
Rob Winch 1a1f577a8b SEC-2358: Add RequestHEaderRequestMatcher#toString() 2013-10-28 14:41:10 -05:00
Rob Winch e638f0a547 SEC-2357: old RequestMatcher interface extends new RequestMatcher 2013-10-23 17:09:33 -05:00
Rob Winch 04b091c385 SEC-2369: PreAuthenticatedGrantedAuthoritiesUserDetailsService fix case to createUserDetails method 2013-10-17 16:18:43 -05:00
Rob Winch 15a63c58a7 SEC-2368: DebugFilter outputs headers and HTTP method 2013-10-17 14:49:45 -05:00
Rob Winch 1351c8bada SEC-2362: Clarify AbstractRememberMeServices loginSuccess javadoc 2013-10-15 13:53:23 -05:00
Adrien be e50b587d60 SEC-2360: AbstractRememberMeServices provide message for Assert on key fieldd 2013-10-14 15:06:11 -05:00
Rob Winch 0b0e7dbea9 SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter 2013-10-14 15:00:24 -05:00
Rob Winch 51171efa7a SEC-2357: Move *RequestMatcher to .matcher package 2013-10-14 11:55:56 -05:00
Rob Winch 45ad74a0bd SEC-2357: Fix package cycles 2013-10-14 11:15:16 -05:00
Rob Winch 14b9050616 SEC-2357: Move *RequestMatchers to .matchers package 2013-10-14 10:36:31 -05:00
Rob Winch 7d99436740 SEC-2358: Add RequestHeaderRequestMatcher 2013-10-11 14:53:11 -05:00
Rob Winch 0ac1176152 Polish RequestMatcher logging and toString 2013-10-07 15:45:42 -05:00
Rob Winch cffbefadd1 SEC-2306: Fix Session Fixation logging race condition
Previously session fixation protection could output an incorrect warning
that session fixation protection did not work.

The code now synchronizes on WebUtils.getSessionMutex(..).
2013-10-06 17:13:40 -05:00
kazuki43zoo 611a97023d SEC-2352: HttpSessionCsrfTokenRepository lazy session creation 2013-10-06 16:44:18 -05:00
Rob Winch 17efd25717 SEC-2331: Include Expires: 0 in security headers documentation 2013-09-27 16:13:40 -05:00
Rob Winch cea0cf9260 SEC-2243: Remove additional Debug Filter 2013-09-26 11:38:16 -05:00
Rob Winch b591881e95 SEC-2302: Provide beforeSpringSecurityFilterChain hook
This allows inserting filters before the springSecurityFilterChain.
2013-09-25 14:52:40 -05:00
Rob Winch 88f41cdf62 SEC-2341: Update to Gradle 1.8
Some dependencies were necessary to update due to issues with JUnit
integration.
2013-09-24 15:35:51 -05:00
Rob Winch ddc0ef7ab3 SEC-2339: Added Logical (Or, And, Negated) RequestMatchers 2013-09-23 20:55:49 -05:00
Rob Winch 788ba9a1fa SEC-2329: Allow injecting of AuthenticationTrustResolver 2013-09-20 15:26:52 -05:00
Rob Winch 9133c33f1d SEC-2246: HttpSessionRequestCache.getRequest casts to RequestCache
The method getRequest use to cast to DefaultRequestCache, but this
is not necessary.

Now the cast is to SavedRequest.
2013-09-19 15:08:32 -05:00
Rob Winch 8f8c6169e8 SEC-2331: Cache Control now includes Expires: 0 2013-09-19 14:06:37 -05:00
Rob Winch 0114b457c0 SEC-2330: CacheControlHeadersWriter use a single header 2013-09-18 16:12:34 -05:00
Rob Winch 32e9239fd2 SEC-2320: AuthenticationPrincipal can be null on invalid type
Previously a ClassCastException was thrown if the type was invalid. Now
a flag exists on AuthenticationPrincipal which indicates if a
ClassCastException should be thrown or not with the default being no error.
2013-09-13 15:21:13 -07:00
Rob Winch b22acd0768 SEC-2314: AbstractSecurityWebApplicationInitializer.getSessionTrackingModes() uses EnumSet 2013-09-13 14:44:44 -07:00
Rob Winch 8e74407381 SEC-2296: HttpServletRequest.login should throw ServletException if already authenticated
See throws documentation at
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login%28java.lang.String,%20java.lang.String%29
2013-08-31 11:55:24 -05:00
Rob Winch e8ac11641b SEC-2297: Add DispatchType.ASYNC as default for AbstractSecurityWebApplicationInitializer 2013-08-31 11:39:57 -05:00
Rob Winch 3d2f23602f SEC-2294: Update Spring Version to 3.2.4.RELEASE 2013-08-31 11:26:43 -05:00
Rob Winch 43f4d01cf3 SEC-2292: Add test to assert CSRF bypass of methods is case sensitive
HTTP methods should be case sensitive, so add test to ensure that this is
the case http://www.w3.org/Protocols/rfc2616/rfc2616-sec5.html#sec5.1.1
2013-08-31 10:40:49 -05:00
Rob Winch 6e9fb7930b SEC-2298: Add AuthenticationPrincipalArgumentResolver 2013-08-30 17:06:40 -05:00
Rob Winch 086056f191 SEC-2289: Make compatible with Spring 4 as well
There are a few subtle changes in Spring 4 that this commit addresses
2013-08-27 16:43:10 -05:00
Rob Winch 26166ef6e8 SEC-2272: CsrfRequestDataValueProcessor support Spring 4 and Spring 3 2013-08-27 16:26:16 -05:00
Rob Winch 3f69847a4e SEC-2286: Log invalid CSRF tokens at debug level 2013-08-25 22:35:20 -05:00
Rob Winch d60108eaf6 SEC-2229: Add optional dependencies to spring-security-config
spring-tx and spring-jdbc aren't pulled in transitively from
spring-security-web now, so we must include them as optional dependencies.
2013-08-25 19:47:57 -05:00
Rob Winch 33db440961 SEC-2129: AntPathRequestMatcher also supports case sensitive comparisions 2013-08-25 16:26:18 -05:00
Rob Winch 7d1d856729 SEC-2229: spring-security-web dependency polish
- remove direct dependency on spring-aop
- spring-tx and spring-jdbc optional
2013-08-25 15:52:17 -05:00
Rob Winch 534989c8ea SEC-2103: Fix tests to verify debug logging instead of info 2013-08-25 10:05:22 -05:00
Rob Winch acb2b680d0 SEC-2103: Change log of no results to debug 2013-08-24 23:39:56 -05:00
Rob Winch 48283ec004 SEC-2276: Delay saving CsrfToken until token is accessed
This also removed the CsrfToken from the response headers to prevent the
token from being saved. If user's wish to return the CsrfToken in the
response headers, they should use the CsrfToken found on the request.
2013-08-24 23:31:01 -05:00
Rob Winch e9bb9e766e SEC-1574: Add CSRF Support 2013-08-15 14:49:21 -05:00
Rob Winch 797df51264 SEC-2135: Support HttpServletRequest#changeSessionId() 2013-08-15 13:59:16 -05:00
Rob Winch 75fb971d23 SEC-2221: Fix the ignored media types to use includes instead of equals 2013-08-15 13:59:15 -05:00
Rob Winch 13da42ca1b SEC-2137: Allow disabling session fixation and enable concurrency control 2013-08-15 12:50:40 -05:00
Rob Winch 867f02e8ac SEC-2249: AbstractSecurityWebApplicationInitializer does not delegate WebApplicationInitializer
Previously AbstractSecurityWebApplicationInitializer delegated to a
WebApplicationInitializer, but it caused issues in some instances where
a container would pass the annonymous inner class to
SpringServletContainerInitializer which caused errors on startup.

Now AbstractSecurityWebApplicationInitializer registers the
ContextLoaderListener on its own instead of delegating.
2013-08-15 12:49:44 -05:00
Rob Winch e8278f3b9b SEC-2249: AbstractSecurityWebApplicationInitializer allows register config 2013-08-08 14:33:54 -05:00
Rob Winch 976d9a9016 SEC-2194: Polish java config sample apps 2013-08-08 14:33:54 -05:00
Rob Winch fdb73fac23 Remove @Override from interface define methods 2013-08-05 16:49:33 -05:00
Rob Winch 94a73fee37 SEC-2230: Polish scoping and finals 2013-07-31 11:34:35 -05:00
Rob Winch 606bddf598 SEC-2230: Add Header JavaConfig
Added JavaConfig for Headers. In the process, more HeaderWriter instances
were added so that we can reuse logic between the XML and JavaConfig. This
also prompted repackaging the writers.
2013-07-31 10:39:52 -05:00
Rob Winch c85328c5d1 SEC-2230: HTTP Strict Transport Security (HSTS)Add support for Strict
This is a distinct filter as apposed to reusing StaticHeaderWriter
since the specification specifies that the "Strict-Transport-Security"
header should only be set on secure requests. It would not make sense to
require DelegatingRequestMatcherHeaderWriter since this requirement is
in the specification.
2013-07-31 10:39:52 -05:00
Rob Winch 8013cd54d6 SEC-2230: Added Cache Control support 2013-07-31 10:39:45 -05:00