Commit Graph

4718 Commits

Author SHA1 Message Date
Rob Winch 960564ef50 Add CONTRIBUTING.md 2013-02-25 17:13:12 -06:00
Rob Winch 3656dff720 SEC-2118: Include missing Bundlor packages 2013-02-25 17:07:09 -06:00
Jean-Pierre Bergamin c02a1486c0 SEC-2118: Fixing spring and aspectj OSGi version ranges [3.2, 3.2) -> [3.2, 3.3) 2013-02-25 17:05:29 -06:00
Rob Winch 5f9dfb73be SEC-2111: Disable auto save of SecurityContext when response committed after startAsync invoked
Previously Spring Security would disable automatically saving the
SecurityContext when the Thread was different than the Thread that
created the SaveContextOnUpdateOrErrorResponseWrapper. This worked for
many cases, but could cause issues when a timeout occurred. The problem
is that a Thread can be reused to process the timeout since the Threads
are pooled. This means that a timeout of a request trigger an apparent
logout as described in the following workflow:

  - The SecurityContext was established on the SecurityContextHolder
  - An Async request was made
  - The SecurityContextHolder would be cleared out
  - The Async request times out
  - The Async request would be dispatched back to the container upon
    timing out. If the container reused the same Thread to process the
    timeout as the original request, Spring Security would attempt to
    save the SecurityContext when the response was committed. Since the
    SecurityContextHolder was still cleared out it removes the
    SecurityContext from the HttpSession

Spring Security will now prevent the SecurityContext from automatically
being saved when the response is committed as soon as
HttpServletRequest#startAsync() or
ServletRequest#startAsync(ServletRequest,ServletResponse) is called.
2013-01-10 13:26:43 -06:00
Georges-Etienne Legendre 66d13642b7 SEC-2115: Improve French translation for "credentials"
"Créances" is not the right translation. "Identifications" is a lot better in this case.
2013-01-04 14:31:57 -06:00
Rob Winch 6b81f97081 SEC-2114: Polishing Spring Based Cache 2013-01-04 11:33:46 -06:00
Marten Deinum 01ea39ce35 SEC-2114: Provide Spring Cache Abstraction based cache implementations
As of Spring 3.1 spring has its own cache abstraction. This commit adds cache
imlpementations based on that abstraction.
2013-01-04 11:33:27 -06:00
Rob Winch 89c63fd752 Add spring-security-3.2.rnc 2013-01-03 18:32:33 -06:00
Rob Winch 036e0505b3 Make rnc transform part of Gradle build 2013-01-03 18:32:32 -06:00
Rob Winch d06eae9967 Merge pull request #22 from zagyi/SEC-2107
SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter
2012-12-28 14:50:36 -08:00
Balazs Zagyvai 73ea8b5c05 SEC-2107: Fix Javadoc on methods of AbstractAuthenticationProcessingFilter
Both overloads of
AbstractAuthenticationProcessingFilter.successfulAuthentication()
claimed to invoke SessionAuthenticationStrategy, which is not true, as
the invokation happens earlier in doFilter(). The Javadoc on these
methods are updated to reflect the actual code.
2012-12-28 22:59:38 +01:00
Rob Winch 7edb1089a8 SEC-2096: Added release-checks 2012-12-18 15:15:46 -06:00
Rob Winch ebb82e1aa9 SEC-2096: Update to Spring 3.2.0.RELEASE 2012-12-18 15:15:46 -06:00
Rob Winch 2e8a61660d Disable artifactoryPublish for projects without artifacts 2012-12-12 18:04:24 -06:00
Rob Winch 22e333b9c6 SEC-2092: Add servlet api example 2012-12-11 17:44:57 -06:00
Rob Winch 9c4563285e SEC-1998: Async tests with SecurityContextHolderAwareReqeustFilter 2012-12-11 17:26:31 -06:00
Rob Winch c8d45397fe SEC-2079: Add Servlet 3 Authentication methods
Add support for HttpServletRequest's login(String,String), logout(),
and authenticate(HttpServletResponse).
2012-12-11 17:26:31 -06:00
Rob Winch d04cf5ea68 Remove unused FilterInvocation.DummyResponse 2012-12-11 14:21:03 -06:00
Rob Winch 1a650acbcc SEC-1998: DummyRequest extend HttpServletRequestWrapper
Previously DummyRequest implemented HttpServletRequest which caused complications
since Servlet 2.5 and Servlet 3 had non passive changes. While we were "safe" if the
Servlet 3 methods were never invoked reflective access of the methods would also
problems. We could prevent users from accessing the methods of DummyRequest by
returning new HttpServletRequestWrapper(DummyRequest), but a debugger could
potentially try to iterate over the methods triggering a NoClassDefFoundError.

DummyRequest now extends HttpServletRequestWrapper which will be dynamically
linked to the proper version of HttpServletRequest. We use a Dynamic Proxy that
throws UnsupportedOperationException to implement any methods we are not
interested in.
2012-12-11 14:21:03 -06:00
Rob Winch 3437ef714a SEC-1998: SecurityContextCallableProcessingInterceptor uses postProcess
Previously SecurityContextCallableProcessingInterceptor used afterCompletion
to clear the SecurityContextHolder. This does not work since afterCompletion
is invoked on the Servlet Container thread.

Now SecurityContextCallableProcessingInterceptor clears the
SecurityContextHolder on postProcess which is invoked on the same thread
that the Callable is processed on.
2012-12-11 14:21:03 -06:00
Rob Winch 796de42105 Revert "SEC-2078: AbstractPreAuthenticatedProcessingFilter requriesAuthentication support for non-String Principals"
This reverts commit 3fe7791266.
2012-12-11 14:21:02 -06:00
Rob Winch 70849aa8d2 Revert "SEC-2078: Updated Javadoc to reflect that updates to Principal will also trigger reauthentication"
This reverts commit ece4a0f067.
2012-12-11 14:21:02 -06:00
Rob Winch ece4a0f067 SEC-2078: Updated Javadoc to reflect that updates to Principal will also trigger reauthentication 2012-12-06 09:04:14 -06:00
Rob Winch 3fe7791266 SEC-2078: AbstractPreAuthenticatedProcessingFilter requriesAuthentication support for non-String Principals
Previously, if the Principal returned by getPreAuthenticatedPrincipal was not a String,
it prevented requiresAuthentication from detecting when the Principal was the same.
This caused the need to authenticate the user for every request even when the Principal
did not change.

Now requiresAuthentication will check to see if the result of
getPreAuthenticatedPrincipal is equal to the current Authentication.getPrincipal().
2012-12-04 10:54:29 -06:00
Rob Winch 5ba31dfd56 Use AspectJMethodSecurityInterceptor in reference
Change reference to use AspectJMethodSecurityInterceptor instead of
undefined AspectJSecurityInterceptor.
2012-12-04 10:06:27 -06:00
Rob Winch 373fe3a9f1 SEC-2074: Update reference to use <method-security-metadata-source> 2012-12-04 10:05:22 -06:00
Rob Winch 6e47834d77 SEC-2084: AntPathRequestMatcher and RegexpRequestMatcher support request.getMethod()
Previously a NullPointerException would occur if an HttpServletRequest.getMethod()
returned null.

Now AntPathRequestMatcher and RegexpRequestMatcher will handle if the
HttpServletRequest.getMethod() returns null. While under normal circumstances,
it is unlikely for the method to be null this can occur when using
DefaultWebInvocationPrivilegeEvaluator.isAllowed(String, Authentication).
2012-12-03 15:07:18 -06:00
Rob Winch eaf4843474 Update to Gradle 1.3 2012-11-30 16:33:44 -06:00
Rob Winch d40ecba9e0 SEC-1998: SaveContextOnUpdateOrErrorResponseWrapper only saves SecurityContext on original Thread
Previously SaveContextOnUpdateOrErrorResponseWrapper would save the SecurityContext on a different
Threads than the one it was created on. This causes issues with Async Web requests which may write
to the response on a new Thread.

Now SaveContextOnUpdateOrErrorResponseWrapper will not save the SecurityContext when a different
Thread invokes any of the methods that commit the response. This prevents issues with Async
processing. However, explicit calls to SecurityContextRepository.save will still save the
SecurityContext since it invokes the saveRequest method rather than private doSave method within
the SaveContextOnUpdateOrErrorResponseWrapper which contains the logic to prevent saving from
another Thread.
2012-11-30 14:27:02 -06:00
Rob Winch 593e512558 SEC-1998: SecurityContext integration with AsyncContext.start 2012-11-28 17:57:41 -06:00
Rob Winch 1ed643ca1f SEC-1998: Provide integration with WebAsyncManager#startCallableProcessing
Support integration of the Spring SecurityContext on Callable's used with
WebAsyncManager by registering SecurityContextCallableProcessingInterceptor.
2012-11-28 17:56:03 -06:00
Rob Winch 1a7aaa85c4 SEC-2066: ProtectPointcutPostProcessor is now ThreadSafe
Previously a ConcurrentModificationException could occur when
PointcutExpression.matchesMethodExecution was performed in multiple threads. Another
issue was that beans may get processed multiple times.

Now a lock is performed to ensure that only a single thread has access to
PointcutExpression.matchesMethodExecution and that each bean only gets processed once.
2012-11-09 14:34:00 -06:00
Rob Winch 51fd83060e SEC-2077: Concurrency support
Provide abstractions for transferring a SecurityContext across threads.

The main concepts are the DelegatingSecurityContextCallable and the
DelegatingSecurityContextRunnable which contain a SecurityContext to establish before
delegating to a Callable or Runnable.

There are also wrapper implementations for each of the key java.util.concurrent and
spring task interfaces to make using the DelegatingSecurityContextCallable and
DelegatingSecurityContextRunnable transparent to users. For example a
DelegatingSecurityContextTaskExecutor which can be injected with a specific
SecurityContext or use the SecurityContext from the SecurityContextHolder at the time the
task is submitted. There are similar  implementations for each of the key
java.util.concurrent and spring task interfaces.

Note that in order to get DelegatingSecurityContextExecutorService to compile with
JDK 5 or JDK 6 we could not use type safe methods. See
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6267833 for details.
2012-11-08 22:49:21 -06:00
Rob Winch 30780baf24 Externalize powermock dependencies for reuse 2012-11-08 22:49:20 -06:00
Rob Winch f61fab3509 Add fest-assert as default test dependency 2012-11-08 22:49:20 -06:00
Rob Winch ea6b444770 update to spring snapshot dependencies 2012-11-08 22:49:20 -06:00
Rob Winch 4c50d1f5de SEC-2072: <security:anonymous> granted-authority supports multiple authorities again 2012-11-02 16:24:14 -05:00
Rob Winch 091549779c Update SpringSecurityCoreVersion 2012-11-02 11:03:36 -05:00
Rob Winch ace6b804f7 Update to 3.2.x and added eclipse suffix to eclipse projects 2012-11-02 10:48:50 -05:00
Rob Winch c0dfb70ca0 Added generatePom task
This can be used to generate the pom.xml for adding the Spring Security
snapshot jars as a Maven Dependency to another project. For example,
if mywebapp requires the Spring Security 3.1.4.CI-SNAPSHOT jars one
could generate the pom.xml files and then use that to convert the project
into a valid Maven project within the IDE. Then the SNAPSHOT dependendies
could be added to mywebapp. This prevents the need to install the SNAPSHOT
dependencies in the local Maven repository.
2012-11-01 15:18:10 -05:00
Rob Winch 78cbdd2c93 Reserve Server Ports in integrationTests
Previously the build would look up a server port dynamically, but since
it closed the port immediately it may not be reserved by the time jetty
started up.

We now reserve the port and do not close it till just before Jetty starts.
While there is still a race condition, it is much smaller window of time
than it was previously.
2012-11-01 11:14:50 -05:00
Rob Winch 6cea2694dc SEC-2069: Update doc to use FilterInvocationSecurityMetadataSource 2012-10-22 14:24:05 -05:00
Rob Winch c2499c6143 Next developement version 2012-10-08 22:28:56 -05:00
Spring Buildmaster ac472d494a Release version 3.1.3.RELEASE 2012-10-08 15:17:42 -07:00
Rob Winch c076f0f2e1 SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.

The code has been updated to do comparison against a dummy password
even when the the user was not found.
2012-10-07 12:14:08 -05:00
Rob Winch f3b143f677 SEC-2031: PreInvocationAuthorizationAdviceVoter supports subclasses 2012-10-07 11:55:35 -05:00
Rob Winch 72aecaff05 SEC-1939: Update SwitchUserFilter logger to use debug
Previously the SwitchUserFilter was logging as an error and then
throwing an Exception immediately after. This is not correct, since
whomever is catching the Exception should choose to log an error or not.

Now the log statement is at a debug level.
2012-10-07 11:38:21 -05:00
Rob Winch d3339a1e32 SEC-2025: SecurityContextLogoutHandler removes Authentication from SecurityContext
Previously there was a race condition could occur when the user attempts to access
a slow resource and then logs out which would result in the user not being logged
out.

SecurityContextLogoutHandler will now remove the Authentication from the
SecurityContext to protect against this scenario.
2012-10-05 18:30:01 -05:00
Rob Winch f38df99730 SEC-2045: AbstractAuthorizeTag supports custom WebInvocationPrivilegeEvaluator 2012-10-04 11:34:36 -05:00
Rob Winch 4f741bc914 SEC-2057: ConcurrentSessionFilter is now after SecurityContextPersistenceFilter
Previously, ConcurrentSessionFilter was placed after SecurityContextPersistenceFilter
which meant that the SecurityContextHolder was empty when ConcurrentSessionFilter was
invoked. This caused the Authentication to be null when performing a logout. It also
caused complications with LogoutHandler implementations that would be accessing the
SecurityContextHolder and potentially clear it out expecting that
SecurityContextPersistenceFilter would then clear the SecurityContextRepository.

The ConcurrentSessionFilter is now positioned after the
SecurityContextPersistenceFilter to ensure that the SecurityContextHolder is populated
and cleared out appropriately.
2012-10-03 09:27:24 -05:00