d7d8448120
SEC-1521: Add check for null SecurityContextRepository and clarify related docs on use of null implementation (NullSecurityContextRepository).
2010-07-23 15:59:53 +01:00
5d35919ca3
SEC-1490: Code for GAE Sample webapp
2010-07-20 23:41:31 +01:00
69a10c48ae
Switch to using slf4j/logback for logging.
...
We still compile modules against commons-logging but all runtime logging and samples will use logback
2010-07-12 12:39:52 +01:00
8df356de29
SEC-1471: Allow use of a RequestMatcher with HttpSessionRequestCache to configure which requests should be cached by calls to saveRequest.
...
Also removed the justUseSavedRequestOnGet property, as this behaviour can be controlled by the RequestMatcher.
2010-06-28 19:51:30 +01:00
026517f674
Removal of deprecated methods and classes.
2010-06-26 16:23:42 +01:00
09176b0af4
SEC-1501: Fix bean classname in Javadoc for SwitchUserFilter.
2010-06-25 19:45:34 +01:00
ea8d37892c
SEC-1496: Added support for use of any non-standard URL schemes in DefaultRedirectStrategy.
2010-06-18 03:33:49 +01:00
4d10d4b67f
SEC-1500: Convert AbstractRetryEntryPoint to use requestURI to correctly encode URLs.
2010-06-18 01:34:07 +01:00
76ebb759f3
Removed unnecessary casts.
2010-06-08 22:56:59 +01:00
7d74b7c87e
SEC-1171: Allow multiple http elements and add pattern attribute to specify filter chain mapping.
2010-05-27 15:54:15 +01:00
e156d5339a
Fix build when upload properties are missing. Added missing hsql test dependency
2010-05-24 17:01:19 +01:00
0e57ce2dc3
SEC-1481: Updated constructors of Authentication types to use a generic wildcard for authorities collection.
2010-05-21 15:59:50 +01:00
978bb9f601
Remove commented-out code in ETF.
2010-05-16 15:16:40 +01:00
f0c4cccb0d
SEC-1479: Clarify that matching is against servletPath + pathInfo for ant pattern matching. Added some extra pointers to request-matching info in namespace doc.
2010-05-16 14:14:13 +01:00
bf288101a0
Javadoc improvements
2010-05-16 14:14:13 +01:00
b3aad4cf19
Javadoc fixes.
2010-05-06 20:02:08 +01:00
0c09780644
SEC-1476: Modify AbstractPreAuthenticatedProcessingFilter to store authentication exception in request instead of creating a new session.
2010-05-05 14:13:48 +01:00
fcf33afce0
Formatting.
2010-05-03 14:53:05 +01:00
bca6c1aeac
SEC-1468: Doc and Javadoc updates.
2010-04-26 23:26:07 +01:00
024e6904ff
SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager.
2010-04-25 04:27:09 +01:00
ee1fd1bc50
SEC-1431: Modify OpenID sample to use a custom UserDetailsService which allows any user to authenticate, allocating them a standard role and "registers" their ID in a map, allowing it to be retrieved in subsequent logins.
2010-04-20 23:47:48 +01:00
74896f217b
SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>.
2010-04-20 23:47:47 +01:00
a45d2a4fb2
SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client.
2010-04-20 18:04:22 +01:00
93deec8d40
SEC-1458: Remove logger field in HttpSessionEventPublisher in favour of direct lookup. Prevents early initialization of logging system when listener is initialized.
2010-04-16 16:12:38 +01:00
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
2010-04-01 01:24:23 +01:00
2e2625873c
SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager).
...
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
2010-03-23 00:45:06 +00:00
d5df53f1db
SEC-1439: Make getters and setters public on HttpRequestResponseHolder.
...
Necessary to allow use of custom SecurityContextRepository.
2010-03-12 15:53:05 +00:00
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
2010-03-07 21:58:25 +00:00
43f0e11106
SEC-1429: Removed cached authentication from session after successful authentication.
2010-03-05 00:07:35 +00:00
89d8c8cc83
Additional test classes for authentication and logout success/failure handling.
2010-03-04 23:18:46 +00:00
a3263753d9
Fix to Javadoc for AbstractAuthenticationProcessingFilter.
2010-03-04 22:06:04 +00:00
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
2010-03-04 21:21:07 +00:00
43f3568b16
SEC-1407: Removed original URL matching classes and updated Javadoc of new RequestMatcher versions.
2010-03-03 23:11:49 +00:00
ae8027fa47
SEC-1425: Replace use of Java 1.6 String.isEmpty().
2010-03-01 13:49:42 +00:00
93438defff
SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy.
...
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
2010-03-01 01:21:06 +00:00
cb0f3f677f
SEC-1425: Add check for empty cookie in AbstractRememberMeServices.
...
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
2010-02-28 14:08:27 +00:00
f0466b6488
SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all.
2010-02-27 00:22:21 +00:00
e2f9be9015
SEC-1307: Modify context saving logic in HttpSessionSecurityContextRepository to check the SecurityContext and its contents (the Authentication) against the respective values when the request first arrived at the SecurityContextPersistenceFilter. As explained in the issue, this allows a definite decision to be made about whether the current thread has modified the context information during the request, indicating that it should be saved.
...
Also removed deprecated HttpSessionContextIntegrationFilter and tests.
2010-02-26 16:01:40 +00:00
4dd10cd266
Refactor overly large doFilter() method in DigestAuthenticationFilter.
2010-02-22 01:48:53 +00:00
f3f84da625
Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0.
2010-02-21 23:25:36 +00:00
2ee7696bf4
Update version number to 3.1.0.CI-SNAPSHOT.
2010-02-19 17:35:19 +00:00
44f45d21f0
3.0.2 release. Update version in build files.
2010-02-19 01:22:21 +00:00
14ae36ac3b
SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header.
...
The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
2010-02-18 00:32:49 +00:00
bd635edc31
SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.
...
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
2010-02-15 22:46:18 +00:00
c1133d1ef3
Removed unused import in DelegatingAuthenticationEntryPoint and corrected test class name.
2010-02-14 23:31:31 +00:00
d30e31d816
Remove unnecessary @SuppressWarnings and inline dependency from ELRequestMatcher (util package) to core ExpressionUtils.
2010-02-14 23:29:27 +00:00
c12c43da9e
Javadoc fixes.
2010-02-14 23:27:09 +00:00
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
2010-02-14 23:23:23 +00:00
1e4f451352
Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources
2010-02-11 18:08:06 +00:00
dcbdfc2026
SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
...
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
2010-02-11 17:47:22 +00:00
90d6ff1fde
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-11 13:19:16 +01:00
d32b078a8c
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-11 09:05:28 +01:00
d2413cf237
SEC-1406: Create a DelegatingAuthenticationEntryPoint
2010-02-10 21:25:23 +01:00
08c7155ab5
SEC-1404: Refactored IP subnet matching into IpAddressMatcher class to allow it to be used outside expressions.
2010-02-10 15:06:01 +00:00
1ecd3e228b
SEC-1405: added RequestMatcher interface.
2010-02-10 14:34:14 +00:00
984604b026
SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator.
...
The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
2010-02-06 14:38:44 +00:00
0974e21fb6
SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid).
...
This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
2010-01-23 02:12:30 +00:00
04447bdbf0
SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs).
2010-01-22 01:55:13 +00:00
0c10efbbf8
Revert SEC-1356.
...
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
2010-01-19 22:26:21 +00:00
1a7f71fc0f
SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
...
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
2010-01-19 01:07:33 +00:00
51dfc0fb39
Set versions to 3.0.2-CI-SNAPSHOT, post release.
2010-01-15 18:15:19 +00:00
05634f97dc
Updated version numbers for 3.0.1 release.
2010-01-15 18:04:28 +00:00
a9567a58d8
SEC-1359,SEC-1360,SEC-1361,SEC-1363,SEC-1364,SEC-1365,SEC-1366,SEC-1367: Minor doc and Javadoc typos.
2010-01-13 15:36:58 +00:00
3a8daa1bf4
Gradle build improvements.
...
Added generation of source archives and trial support for maven deployment and pom generation, with "provided" configuration mapped to "provided" scope.
2010-01-13 00:44:05 +00:00
f62d97b092
SEC-1356: Fix broken tests.
...
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
2010-01-12 01:32:02 +00:00
6eff4d90b7
SEC-1356: Modify AbstractRememberMeService to check the cookie path as well as the name when extracting it from the incoming request.
...
This makes things consistent with the cookie setting methods. If someone wants to share a cookie between multiple applications then they should modify the cookie extraction and setting methods to use a less-specific path.
2010-01-12 00:49:53 +00:00
2023ca283e
SEC-1358: Support empty context path in DefaultWebInvocationPrivilegeEvaluator
...
This class was failing when an application was deployed at the root context because of an assertion which checked that the contexPath was not empty. An empty context path doesn't actually cause problems for the class so I've removed the assertion.
2010-01-12 00:30:27 +00:00
b323098167
Added gradle build files for taglibs, tutorial, contacts and openid.
...
Changed build file names to match module names (by manipulating the project objects in the settings.gradle file).
2010-01-10 23:31:23 +00:00
e211f9b35f
SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
...
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.
Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
bc02fc2de1
Corrected "incorrect numer of tokens" error message in TokenBasedRememberMeServices.
2010-01-08 23:57:27 +00:00
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
2010-01-08 21:05:13 +00:00
f5d36aef65
SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter
...
Added clarification that the credentials returned
by the subclass should not be null or they will
typically be rejected by the provider. Also added
some general overview.
2010-01-05 16:01:55 +00:00
c6b8fe5e55
SEC-1346: Added missing 'return' statements after redirects.
...
ConcurrentSessionFilter and SessionManagementFilter now return immediately after redirecting to the expired URL and invalid session URLs respectively. Extra tests added to check.
2010-01-03 19:06:58 +00:00
893f212fa5
Tidying
2010-01-02 19:53:19 +00:00
115d5b84ff
[maven-release-plugin] prepare for next development iteration
2009-12-22 22:20:01 +00:00
6c6ef08353
[maven-release-plugin] prepare release spring-security-3.0.0.RELEASE
2009-12-22 22:19:38 +00:00
e64866ae6a
Updated bundlor templates and introduced spring.version variable
2009-12-22 01:10:04 +00:00
3418aab46e
SEC-1327: Javadoc additions to clarify some behaviour
2009-12-21 17:32:54 +00:00
fcce29f8df
SEC-1326: Updating dependencies to match Spring versions. Removing unused deps.
2009-12-21 17:32:38 +00:00
97a31cae04
SEC-1333: Added error message for invalid redirect URL assertion
2009-12-18 19:29:36 +00:00
aeed49393c
Switching StringBuffer to StringBuilder throughout the codebase (APIs permitting).
2009-12-18 18:44:42 +00:00
76731254c0
SEC-1328: Fixed issue with redirect to context relative URLs where the context name is part of the domain name.
2009-12-18 18:04:03 +00:00
06e092d46a
Midor Javadoc correction.
2009-12-15 15:39:01 +00:00
6805761d85
Extra test to confirm http-method specific matching behaviour.
2009-12-14 13:55:48 +00:00
cad32ffe39
SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. removed unnecessary null checks in classes which use the interface.
2009-12-13 17:37:24 +00:00
520e733cb2
[maven-release-plugin] prepare for next development iteration
2009-12-08 21:19:41 +00:00
f2cf17bd49
[maven-release-plugin] prepare release spring-security-3.0.0.RC2
2009-12-08 21:19:20 +00:00
075e7a15ad
Corrected package name in Javadoc.
2009-12-07 21:44:02 +00:00
444d93b13f
SEC-1316: Remove 'removeAfterRequest' property from AnonymousAuthenticationFilter
2009-12-07 13:54:39 +00:00
b27d7afd24
SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation.
2009-12-06 15:28:03 +00:00
aee6b8f3f9
SEC-1314: Deprecate cloneFromHttpSession and securityContextClass in HttpSessionSecurityContextRepository. Both deprecated.
2009-12-06 15:09:33 +00:00
dab76249db
Added gradle build files (experimental)
2009-12-04 21:33:17 +00:00
69699431b1
SEC-1303: Added internal Hex and Base64 classes, and moved commons-codec dependency to test scope
2009-11-24 09:31:03 +00:00
4d8956a227
SEC-1288: Changed claimedIdentityFieldName in OpenIDAuthenticationFilter to "openid_identifier", as recommended by the 2.0 spec.
2009-11-17 22:05:38 +00:00
d84542cf88
SEC-1285: minor vulnerability in BasicProcessingFilter. Changed logging of Basic authentication information.
2009-11-17 15:29:07 +00:00
617e517e5e
SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice. Added check for null authentication in logout method.
2009-11-04 17:20:13 +00:00
930c1b6b53
Coverted to Junit 4 test.
2009-10-14 21:48:30 +00:00
11e476c486
Added issue numbers in comment.
2009-10-14 14:23:34 +00:00
d4d45e1311
Make getHeader() methods check case-insensitive matching on header name.
2009-10-14 14:12:27 +00:00
7282eed197
Import cleaning.
2009-10-14 00:30:55 +00:00
Luke Taylor
Luke Taylor
Mike Wiesner