1eaecc12ec
Add CookieServerCsrfTokenRepository
...
A cookie implementation of ServerCsrfTokenRepository (like CookieCsrfTokenRepository)
is missing. In this implementation it would be nice to allow the setting of the domain as well.
Fixes: gh-5083
2018-05-04 16:54:48 -05:00
0570cebbce
Avoid unnecessary grow of ArrayList
...
Adapted ArrayList size in CacheControlHeadersWriter::createHeaders()
2018-05-04 14:23:31 -05:00
3740d33e64
The HttpHeader's ContentLength is a byte unit
2018-05-04 14:18:03 -05:00
23dd136efb
The HttpHeader's ContentLength is a byte unit
2018-05-04 14:18:03 -05:00
9bb841ac67
ExceptionTranslationFilter does not handle committed responses
...
Fixes: gh-5273
2018-04-30 16:49:51 -05:00
afdefe7b13
Fixes: gh-5190
2018-04-16 17:52:27 -05:00
8fbec3f0f1
Polish NegatedServerWebExchangeMatcher
...
Issue: gh-5170
2018-03-29 21:17:40 -05:00
d83b67e4cb
Add NegatedServerWebExchangeMatcher
...
Fixes: gh-5170
2018-03-29 21:16:11 -05:00
fb7394c1de
Polish Javadoc
...
Fixes: gh-5186
2018-03-29 15:33:57 -05:00
3c07d99b0a
Close quoted expected path in log when matching
2018-03-27 11:14:14 -05:00
d20ed9f5c9
Fix @since for StrictHttpFirewall
2018-03-27 11:01:26 -05:00
d07cfe655d
Use Supplier variants of Assert methods
2018-03-27 10:58:55 -05:00
b1d013e8f0
Fix JDK 9
...
Issue: gh-5160
2018-03-27 09:30:56 -05:00
7e6ed52603
CookieClearingLogoutHandler adds uses contextPath + "/"
...
Fixes: gh-2325
2018-03-19 16:51:22 -05:00
d21338d212
Support errorOnInvalidType for Reactive AuthenticationPrincipal
...
Fixes: gh-5096
2018-03-09 12:05:55 -06:00
a2073b2b91
Support BeanResolver for Reactive AuthenticationPrincipal
...
Fixes: gh-4326
2018-03-09 12:05:55 -06:00
949c7d68b8
Fix StrictHttpFirewall rules
...
Fixes: gh-5044
2018-03-08 21:30:23 -06:00
055a2ca917
Polish Javadoc HttpStatusServerAccessDeniedHandler
2018-03-07 12:35:25 -06:00
9f23212e43
HttpStatusServerAccessDeniedHandler use injected HttpStatus
...
Fixes: gh-5078
2018-03-07 12:35:25 -06:00
8d75554b6b
Lazily Create Throwables
...
Fixes: gh-5040
2018-02-26 16:24:40 -06:00
0fc67f765a
Polish StrictHttpFirewall Javadoc
...
Also cleanup DefaultHttpFirewall Javadoc
Issue: gh-5008
2018-02-15 17:18:28 -06:00
fcf967687b
Add FilterSecurityInterceptor once per request test
...
Issue: gh-4997
2018-02-08 17:11:37 -06:00
40a1281c66
FilterSecurityInterceptor once per request set attr
...
Only set the attribute if once per request is true
2018-02-08 17:10:45 -06:00
ce5fb51b20
Remove Mono.defer in ReactorContextWebFilter
...
Fixes: gh-5010
2018-02-08 16:19:10 -06:00
66298dcf5d
Clean ReactorContextWebFilterTests imports
...
Issue: gh-4962
2018-02-08 16:15:29 -06:00
141e3f581f
ReactorContextWebFilter preserves main Context
...
Previously ReactorContextWebFilter overrode
the main Context.
Fixes: gh-4962
2018-02-08 14:58:08 -06:00
c399987450
Polish StrictHttpFirewall Javadoc
...
Fixes: gh-5008
2018-02-08 14:08:54 -06:00
ea3dd336aa
Cache headers only if no cache headers set
...
Fixes: gh-5004
2018-02-07 14:56:34 -06:00
8b7f772761
Update to Jackson 2.9.4
...
Fixes: gh-4985
2018-02-01 13:45:06 -06:00
0eef5b4b42
Add StrictHttpFirewall
2018-01-24 11:06:08 -06:00
6a0833165a
AuthorizationWebFilter handles null Authentication
...
If the AuthorizationManager used the Authentication and the Authentication
was null the AuthorizationWebFilter would produce a NullPointerException
This commit fixes the test to ensure that Authentication is subscribed to
and ensures that the Authentication is not null
Fixes: gh-4966
2018-01-22 15:16:58 -06:00
921157cdcd
Remove explicit super() calls
2017-12-21 15:11:51 -06:00
57353d18e5
Use diamond type
2017-12-21 15:09:00 -06:00
c16456623f
Remove unused imports
2017-12-20 16:05:38 -06:00
70be0f3619
Mono<CsrfToken> saveToken->Mono<Void>
...
Issue: gh-4856
2017-11-20 16:30:29 -06:00
d55db837e1
CsrfWebFilter places Mono<CsrfToken>
...
Fixes: gh-4855
2017-11-20 16:30:29 -06:00
701933c7f7
Fix copyright start years
...
See gh-4655
See gh-4725
2017-11-17 10:14:32 -06:00
5f518d00e5
Apply Checkstyle EmptyStatementCheck module
...
This commit adds Checkstyle `EmptyStatementCheck` module and aligns code with it.
2017-11-16 20:18:21 -06:00
be397b8b33
WebSessionServerSecurityContextRepository Polish
...
- map(WebSession::getAttributes)
- use Mono.justOrEmpty
Issue: gh-4843
2017-11-16 15:54:33 -06:00
8d30d6110b
WebSessionSecurityContextRepository custom session attribute name
...
Fixes: gh-4843
2017-11-16 15:54:21 -06:00
b7529be3d0
WebSessionSecurityContextRepository changes session id
...
Fixes: gh-4842
2017-11-16 15:46:26 -06:00
b19e14330f
WebSessionServerCsrfTokenRepository session fixation protection
...
Issue: gh-4842
2017-11-16 15:45:57 -06:00
75a7c5268a
ServerRequestCache.removeMatchingRequest
...
Issue: gh-4789
2017-11-16 15:44:32 -06:00
fffd781b03
Add localization to error messages from ExceptionTranslationFilter
...
Fixes gh-4504
2017-11-16 11:25:56 -06:00
b6895e6359
Apply Checkstyle WhitespaceAfterCheck module
2017-11-16 11:18:31 -06:00
64ad08e96d
ServerRedirectCache.getRequest->getRedirectUri
...
Issue: gh-4789
2017-11-15 15:10:47 -06:00
1d9b0760d5
ServerRequestCache uses URI
...
Issue: gh-4789
2017-11-15 12:54:05 -06:00
942b51dba7
Reactive Basic does not create session by default
...
Fixes: gh-4825
2017-11-15 12:50:29 -06:00
5f79fdd3eb
requiresLogoutMatcher naming polish
...
Issue: gh-4822
2017-11-14 16:42:41 -06:00
c1f94156f9
serverWebExchange->exchange
...
Issue: gh-4822
2017-11-14 16:42:38 -06:00
11f6e0477c
serverLogoutSuccessHandler->logoutSuccessHandler
...
Issue: gh-4822
2017-11-14 16:42:36 -06:00
bf570854b8
serverLogoutHandler->logoutHandler
...
Issue: gh-4822
2017-11-14 16:42:33 -06:00
1c977ca15f
serverRedirectStrategy->redirectStrategy
...
Issue: gh-4822
2017-11-14 16:42:30 -06:00
2cbdb4ba02
serverCsrfTokenRepository->csrfTokenRepository
...
Issue: gh-4822
2017-11-14 16:42:27 -06:00
3bfda6cff7
serverAccessDeniedHandler->accessDeniedHandler
...
Issue: gh-4822
2017-11-14 16:42:24 -06:00
9e82fc0b83
serverAuthenticationEntryPoint->authenticationEntryPoint
...
Issue: gh-4822
2017-11-14 16:42:20 -06:00
9cf0dc6b38
serverWebExchange->webExchange
...
Issue: gh-4822
2017-11-14 16:42:17 -06:00
520e0a5a68
serverAuthenticationSuccessHandler->authenticationSuccessHandler
...
Issue: gh-4822
2017-11-14 16:42:14 -06:00
5c83f92ddc
serverAuthenticationFailureHandler->authenticationFailureHandler
...
Issue: gh-4822
2017-11-14 16:42:10 -06:00
692233e431
ServerSecurityContextRepository members to securityContextRepository
...
Issue: gh-4822
2017-11-14 16:42:06 -06:00
d900f2a623
Remove unused imports
...
This commit also adds UnusedImportsCheck Checkstyle module.
2017-11-14 14:41:08 -06:00
1b70efce2b
Add ServerRequestCache
...
Fixes: gh-4789
2017-11-13 15:49:34 -06:00
8f6491b281
Add RedirectServerAuthenticationFailureHandler
...
Fixes gh-4816
2017-11-13 15:49:20 -06:00
060d8689fe
Make RedirectServer*Tests less specific
...
Issue: gh-4816
2017-11-13 15:49:06 -06:00
99df632f24
Add missing @Override annotations
...
This commit also adds MissingOverrideCheck module to Checkstyle configuration.
2017-11-08 13:27:24 -06:00
676020321e
Add reactive CsrfRequestDataValueProcessor
...
Fixes gh-4762
2017-11-07 22:25:36 -06:00
7622826b69
WebSessionServerCsrfTokenRepository saves on getToken
...
Fixes gh-4801
2017-11-07 22:25:23 -06:00
776364d403
ServerCsrfTokenRepository.saveToken return Mono<CsrfToken>
...
Fixes gh-4800
2017-11-07 22:24:53 -06:00
3f18881493
Remove additional attribute name from CsrfWebFilter
...
Fixes gh-4799
2017-11-07 22:24:42 -06:00
35706ad60a
Deserialize the principal in a neutral way
...
When the principal of the Authentication is an object, it is not necessarily
an User: it could be another implementation of UserDetails, or even a
completely unrelated type. Since the type of the object is serialized as a
property and used by the deserialization anyway, there's no point in
enforcing a stricter type.
2017-10-30 00:53:31 -05:00
6fd9ff254b
Map values directly from the JSON nodes
...
Not only is it more efficient without converting to an intermediate String,
using JsonNode.toString() may not even produce valid JSON according to its
Javadoc (ObjectMapper.writeValueAsString() should be used).
2017-10-30 00:53:31 -05:00
a1fdb7dcb3
Update AbstractRememberMeServices.java
...
this file`s file encode is unkown,maybe is "Eddu Melendez"
2017-10-30 00:50:23 -05:00
832f5c39c1
SEC-3190: Add support for colons in remember-me token values
...
We have an issue where token strings that contain a colon break
the existing decoding strategy, which tokenizes on colons. so this
change urlencodes the individual tokens when creating the cookie
string; and urldecodes them decoding the cookie and extracting the
tokens. This also eliminates the need for existing code to deal with
openid tokens which contain urls, and thus colons.
2017-10-30 00:33:14 -05:00
93ac706d86
Polish XFrameOptionsHeaderWriter
...
Issue: gh-4559
2017-10-29 23:32:53 -05:00
02a78b17b9
Add check to see if return value is DENY
...
Originally, if the return from getAllowFromValue(request) is "DENY",
then the X-Frame-Options header's value will proceed to be written as
"ALLOW FROM DENY" - an invalid value.
This commit adds a condition in the if clause that checks whether
allowFromValue is "DENY". This way, the X-Frame-Options header will be
written as "ALLOW FROM origin" or "DENY".
2017-10-29 23:32:53 -05:00
bed4ec7d18
Fix leading space characters reported by checkstyle
2017-10-29 22:22:34 -05:00
0771778b81
Polish more AssertJ assertions
2017-10-29 22:22:34 -05:00
e0aca04a28
Polish AssertJ assertions
...
Polish AssertJ assertions
2017-10-29 22:22:34 -05:00
5a5ec58ca4
Add LogoutPageGeneratingWebFilter
...
Fixes gh-4735
2017-10-29 00:12:23 -05:00
0734d70d02
Logout requires POST
...
Issue: gh-4734
2017-10-29 00:11:59 -05:00
8da2c7f657
Add WebFlux CSRF Protection
...
Fixes gh-4734
2017-10-28 22:59:24 -05:00
192776858d
HttpStatusServerAccessDeniedHandler write error message
2017-10-28 22:59:24 -05:00
e63c53e267
Add AuthorizationWebFilterTests
2017-10-28 22:58:55 -05:00
2060125ebd
ServerWebExchangeAttributeServerSecurityContextRepository->NoOpNoOpServerSecurityContextRepository
...
Issue: gh-4719
2017-10-27 18:17:52 -05:00
4777a869bc
Logout at the end of logout method
...
Issue: gh-4719
2017-10-27 18:17:40 -05:00
5bcf3c559b
Remove wrappedExchange from AuthenticationWebFilter
...
Issue: gh-4719
2017-10-27 18:17:29 -05:00
437ba56415
ReactorContextWebFilter & SecurityContextServerWebExchangeWebFilter
...
Issue: gh-4719
2017-10-27 18:17:10 -05:00
c63b258b16
AuthorizeWebFilter uses ReactiveSecurityContextHolder
...
Issue gh-4719
2017-10-27 18:16:59 -05:00
747473257f
Use ReactorSecurityContextHolder
...
Issue gh-4713
2017-10-26 20:11:42 -05:00
44b41e78cd
Flux member variables in favor of Collections
...
Fix gh-4694
2017-10-25 07:41:37 -05:00
fcc1152f78
WebFilterChainProxy not matched continues WebFilterChain
...
Fixes gh-4668
2017-10-24 16:22:07 -05:00
b81c1ce2c0
Move spring-security-webflux into spring-security-web
...
Fixes gh-4662
2017-10-18 16:20:09 -05:00
a74f7c6faa
Fix CSRF / DefaultLoginPageGeneratingFilter package tangle
...
Issue: gh-4636
2017-10-16 16:36:49 -05:00
0c830f9ba8
fix JavaDoc typo on `BasicAuthenticationEntryPoint`
2017-10-12 07:42:58 -05:00
23f56f568c
Update MockitJunitRunner import
...
Issue: gh-4608
2017-10-09 16:13:33 -05:00
445834784a
Update to Mockito 2.10.0
...
Issue: gh-4608
2017-10-09 16:13:11 -05:00
f3828924ff
Fix equals and hashCode alignment
...
Fixes gh-4588
2017-09-28 17:25:00 -05:00
646b3e48b3
Avoid Exception Message in HTTP Response
...
Fixes gh-4587
2017-09-28 17:24:49 -05:00
9e719bc313
Drop the `aopalliance:aopalliance` dependency
...
As of Spring 4.3 RC1 the `org.aopalliance` interfaces are once again bundled
with `spring-aop` [1]. Moreover, all modules with a dependency on
`aopalliance:aopalliance` directly or indirectly also depend on `spring-aop`.
This change drops the `aopalliance:aopalliance` dependency in all places it's
declared. Where applicable an explicit dependency on `spring-aop` was added in
its place. (This dependency was already present in most places; in one case the
module didn't require `aopalliance:aopalliance` in the first place.)
The documentation is updated accordingly.
[1] https://jira.spring.io/browse/SPR-13984
2017-09-22 11:11:04 -05:00
95de158909
Add `ForwardLogoutSuccessHandler`
2017-09-06 15:15:02 -05:00
4951550d7d
Add context path to authorization request URI
...
Fixes gh-4510
2017-08-26 18:55:23 -04:00
e16b8e7976
Fix logback-test.xml
2017-08-17 16:42:01 -05:00
d8a678df6f
Removed Unicode Character from Parameter Name
2017-06-29 16:03:29 -05:00
f2c04dd9b1
fix typo
2017-06-20 08:17:15 -05:00
d81b436e5d
Remove pom.xml from build
...
Gradle is easy enough to import into IDEs, so pom.xml should no
longer be necessary.
This commit removes the pom.xml files from the build.
Fixes gh-4283
2017-05-11 14:32:36 -05:00
85719fcd64
Use Base64 implementation provided by Java 8
2017-05-10 00:27:36 -05:00
829c386756
Add support for OAuth 2.0 Login
...
Fixes gh-3907
2017-04-28 10:58:59 -04:00
dd6fc48dd8
Standardize Build
...
The build now uses spring build conventions to simplify the build
Fixes gh-4284
2017-04-21 10:55:05 -05:00
5a65da400d
Use ReflectionTestUtils rather than Whitebox
...
This is better because it no longer uses Mockito's internal API
Fixes gh-4305
2017-04-21 10:54:58 -05:00
9d9aadb80f
Fix DefaultSavedRequestMixinTests with Spring 5
...
Previously DefaultSavedRequestMixinTests
serializeDefaultRequestBuildWithConstructorTest broke in Spring 5
because Spring 5's MockHttpServletRequest.setCookie now automatically adds
the Cookie header.
This commit ensures that the Cookie header is not added by overriding the
class we are writing.
Fixes gh-4272
2017-04-12 15:51:26 -05:00
2ce174dbf0
Update poms to 5.0.0.BUILD-SNAPSHOT
2017-04-07 16:49:50 -04:00
2b81983f7c
Update to Java 8 compatibility
...
* Spring IO Athens-BUILD-SNAPSHOT -> Cairo-BUILD-SNAPSHOT
* CGLib 3.1 -> 3.2.5 latest release Issue related to ASM https://github.com/cglib/cglib/issues/20
* AssertJ 2.2.0 -> 3.6.2 latest release
* PowerMock 1.6.2 -> 1.6.5 latest release is 1.6.6 but has regression Issue https://github.com/powermock/powermock/issues/717
* Update maven-compiler-plugin source/target to 1.8
2017-04-07 16:49:38 -04:00
8a458eb9e1
Avoid multiple X-Frame-Options headers
...
XFrameOptionsHeaderWriter should not *add*, but *set* the
X-Frame-Options header. According to
https://tools.ietf.org/html/rfc7034#section-2.1 , having
multiple values for the header is disallowed:
"There are three different values for the header field.
These values are mutually exclusive; that is, the header
field MUST be set to exactly one of the three values."
With this change, only the latest XFrameOptionsHeaderWriter
will remain.
2017-03-08 15:49:18 -06:00
d2524eadfc
Update poms to new to SNAPSHOT version
2017-03-02 09:20:34 -06:00
081f0c4d94
Release version 4.2.2.RELEASE
2017-03-02 07:29:42 +00:00
247f54dc41
Fix SwitchUserFilter.setSwitchFailureUrl assertion
...
Fixes gh-4198
2017-03-02 00:47:09 -06:00
017e9834bd
Fix NPE in UrlUtils with null url
...
Fixes gh-4233
2017-03-02 00:46:01 -06:00
168f4b8f70
Prevent Duplicate Cache Headers
...
Fixes gh-4199
2017-03-01 16:14:12 -06:00
9c03571bbb
Use message in all Assert
...
This ensures compatibility with Spring 5.
Fixes gh-4193
2017-01-30 19:58:24 -06:00
38492a5794
Add since version in javadoc
...
Issue: gh-4130
2016-12-21 16:12:39 -06:00
7a7ce11ebb
Release version 4.2.1.RELEASE
2016-12-21 17:23:28 +00:00
028854b936
Add HttpSessionRequestCache sessionAttrName property
...
This commit allows to customize the session attribute name. Default is
SPRING_SECURITY_SAVED_REQUEST.
Fixes gh-4130
2016-12-21 10:22:09 -06:00
d39f3385b6
Polish DefaultHttpFirewallTests
...
Issue gh-4169
2016-12-21 09:29:23 -06:00
666e356ebc
Block URL Encoded "/" in DefaultHttpFirewall
...
Fixes gh-4169
2016-12-21 09:04:00 -06:00
24fcb6c45a
Release version 4.2.0.RELEASE
2016-11-09 23:42:11 +00:00
697daeab7c
Add Jackson2 Support for PreAuthenticatedAuthenticationToken
...
Fixes gh-4120
2016-11-09 16:55:10 -06:00
f97f38fd57
jacksonDatavindVersion->jacksonDatabindVersion
...
Issue gh-4122
2016-11-09 16:46:38 -06:00
f0a9421aa4
SecurityJacksonModules->SecurityJackson2Modules
...
Fixes gh-4121
2016-11-09 16:42:41 -06:00
d2c28c58e2
Polishing the ReferrerPolicyHeaderWriter gh-4110
2016-11-09 13:16:41 -06:00
23294c4c57
Add Referrer-Policy header support
...
Fixes gh-4110
2016-11-08 13:21:35 -06:00
97b4cb0b73
Release version 4.2.0.RC1
2016-10-26 02:49:23 +00:00
57d7ad05f9
Revert "Cache Control only written if not set"
...
This reverts commit 242b831f20
2016-10-24 15:57:26 -05:00
50b72dddbc
Fix typo in Javadoc
...
This commit simply fixes typo in Javadoc.
2016-10-20 21:07:15 -05:00
aaa9708b95
Add BeanResolver to AuthenticationPrincipalArgumentResolver
...
Previously @AuthenticationPrincipal's expression attribute didn't support
bean references because the BeanResolver was not set on the SpEL context.
This commit adds a BeanResolver and ensures that the configuration
sets a BeanResolver.
Fixes gh-3949
2016-10-18 19:45:54 -05:00
2c99cd3bbf
Remove MatcherAssertionErrors
...
Spring 5 removes MatcherAssertionErrors. We should not have been using
this class anyways.
This commit updates to using assertj in favor of MatcherAssertionErrors.
Issue gh-4080
2016-10-17 17:00:17 -05:00
08c1f500a7
Version bumps for Spring 5
...
Issue gh-4080
2016-10-17 17:00:17 -05:00
c1b8150439
Release version 4.2.0.M1
2016-09-23 19:39:33 +00:00
8b89e804e3
Polish RequestAttributeAuthenticationFilter
...
Issue gh-3978
2016-09-23 13:08:08 -05:00
6fb564a629
Polish HTTP Response Splitting
...
Issue gh-3910
2016-09-23 12:49:01 -05:00
9ae163e92d
Rename to RequestAttributeAuthenticationFilter
...
Rename EnvironmentVariableAuthenticationFilter to
RequestAttributeAuthenticationFilterTests
Polish gh-3978
2016-09-22 16:44:10 -05:00
a8120e74a7
Added authentication filter reading environment variables.
...
This style is used in many SSO implementations, such as Stanford WebAuth
and Shibboleth.
2016-09-22 16:30:54 -05:00
b443baef04
Polish GrantedAuthorityDefaults
...
* Move GrantedAuthorityDefaults to config module
* Move setting of default role into config module vs
ApplicationContextAware
Issue gh-3701
2016-09-22 15:13:05 -05:00
eabeaf35d6
Make single definition of `defaultRolePrefix` and `rolePrefix`
...
Previous to this commit, role prefix had to be set in every class
causing repetition. Now, bean `GrantedAuthorityDefaults` can be used to
define the role prefix in a single point.
Fixes gh-3701
2016-09-21 14:55:41 -05:00
2e6656e9d3
Polish HTTP Response Splitting
...
* Use new test method name convention of
methodNameWhen<Condition>Then<Expectation>
* Check null Cookie
* Check Cookie.getName() for crlf since we do not want to rely on the
implementation. For example Cookie could be overriden by extending it.
* Use Crlf as convention instead of CLRF as style guide
* Create new FirewalledResponse before each test to ensure isolation
* Use Mock for HttpServletResponse delegate to keep test in isolation (i.e.
we do not want our tests to fail if MockHttpServletRequest changes an
Exception error message)
Issue gh-3910
2016-09-21 10:42:24 -05:00
4a1f00b90f
Add additional HTTP Response splitting prevention
...
- Adding multiple test.
- HTTP response splitting should be validated too on cookie attributes and
header name.
Issue gh-3910
2016-09-21 10:42:18 -05:00
6834467389
Add cookiePath to CookieCsrfTokenRepository
...
Allow the csrf cookie path to be set instead of inferred from the
request context.
Fixes gh-4062
2016-09-19 13:52:54 -05:00
6650429283
Polish SessionInformationExpiredStrategy
...
* Fix passivity and add tests
* Introduce SessionInformationExpiredEvent as a value object
* Rename ExpiredSessionStrategy to SessionInformationExpiredStrategy
to account for the need of SessionInformation
* Switch to Constructor Injection
* Move the changes to the xsd to 4.2 xsd instead of 4.1
Issue gh-3808
2016-09-15 14:30:52 -05:00
b88418b94a
Configuration of session management strategies
...
This commit adds an ExpiredSessionStrategy for the ConcurrentSessionFilter
analogous to the InvalidSessionStrategy for the SessionManagementFilter. It also
adds a configuration option for both the InvalidSessionStrategy and
ExpiredSessionStrategy to the XML namespace and Java configuration.
Fixes gh-3794
Fixes gh-3795
2016-09-15 11:10:17 -05:00
a82cab7afd
Revert "Add support for colons in remember-me token values"
...
This reverts commit aceba1f1cf
2016-09-13 10:27:51 -04:00
2b6821622e
Make DefaultRedirectStrategy more extensible
...
Fixes gh-2173
2016-09-08 17:23:13 -04:00
d6397c2362
Remove dead code in SessionFixationProtectionStrategy
...
The retainedAttributes property is no longer used as a result of removing deprecations in 6e204fff72
2016-09-08 11:36:22 -04:00
aceba1f1cf
Add support for colons in remember-me token values
...
We have an issue where token strings that contain a colon break
the existing decoding strategy, which tokenizes on colons. This
change urlencodes the individual tokens when creating the cookie
string; and urldecodes them decoding the cookie and extracting the
tokens. This also eliminates the need for existing code to deal with
openid tokens which contain urls, and thus colons.
Fixes gh-3355
2016-09-07 16:35:15 -04:00
8ad0003456
Polish Whitespace
...
Issue gh-3736
2016-09-02 11:37:21 -05:00
3531cc93c2
JSON tests ObjectMapper Cleanup
...
* Move to @Setup
* Consistently extend from AbstractMixinTests and reuse ObjectMapper
Issue gh-3736
2016-09-02 11:37:20 -05:00
bd925313af
Improve Readablility of JSON test strings
...
This improves the readability of the JSON strings used for
testing JSON serialize / deserialize of Spring Security
Issue gh-3736
2016-09-02 11:37:20 -05:00
d4c48dd3e1
Remove MockitoJUnitRunner from JSON tests
...
Previously the JSON tests unnecessarily had MockitoJUnitRunner.
This commit removes MockitoJUnitRunner from the JSON tests.
Issue gh-3736
2016-09-02 11:37:20 -05:00
3fb77f3b59
Polish SecurityJacksonModules
...
Issue gh-3736
* ClassLoader argument - this is required because we do not want to assume
the ClassLoader that should be used
* Clean up logging - logging is now at debug level because we don't expect
all of the modules are loaded (they are quite possibly off the ClassPath)
* Remove ObjectUtils as it was being used on methods that expect a
Collection or Array with non collection based objects
* Polish Javadoc warnings
2016-09-02 11:37:13 -05:00
6f2b24a62b
Polish JSON warnings / javadoc
...
Issue gh-3736
2016-09-02 11:36:23 -05:00
6d2003722e
Polish JSON class scope
...
Use package scope when possible
Issue gh-3736
2016-09-02 11:36:06 -05:00
d77ca17e95
Add JSON Serialization
...
Fixes gh-3812
2016-09-02 11:29:53 -05:00
4d02a5c0a0
Update pom.xml dependencies
2016-08-30 11:27:29 -05:00
4d460b2ec9
Remove unused MvcReqestMatcher.getMvcPattern ( #4033 )
2016-08-19 14:21:42 -05:00
c6366baee2
Remove MvcRequestMatcher.afterPropertiesSet()
...
The validation does not work due to restrictions within the servlet
container. Specifically we cannot access the servlets that are registered.
This commit reverts the validation logic for MvcRequestMatcher to determine
if servletPath is required.
Fixes gh-4027
2016-08-19 14:18:07 -04:00
e080905a79
MvcRequestMatcher servletPath Polish / XML Config
...
Fixes gh-4014
2016-08-09 16:29:30 -05:00
3befb1c8a6
MvcRequestMatcher servletPath / JavaConfig
...
Issue: gh-3987
2016-08-09 16:29:30 -05:00
ca170f8479
DummyRequest supports methods for MvcRequestMatcher
...
To support MvcRequestMatcher DummyRequest needs to support
getCharacterEncoding() and getAttribute(String)
2016-07-14 14:18:31 -05:00
80ff267749
Check RememberMe in ExceptionTranslationFilter
...
This commit adds a check for rememberme to the ExceptionTranslationFilter.
Using this when someone isn't fully authenticated he will be prompted with a
login screen and after that will be redirected to the original requested URI.
Fixes gh-2427
2016-07-13 16:58:00 -04:00
70787fc548
Polish CompositeLogoutHandler
...
Issue gh-3895
2016-07-08 14:39:35 -05:00
1effc1882a
Add CompositeLogoutHandler
...
Fixes gh-3895
2016-07-08 13:30:38 -05:00
26fa4a4bf0
Prevent HTTP response splitting
...
Evaluate if http header value contains CR/LF.
Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting
Fixes gh-3910
2016-07-07 13:42:52 -05:00
13b0ddb7e6
Fix test assertions
2016-07-07 13:29:00 -05:00
919f000c80
Release version 4.1.1.RELEASE
2016-07-07 00:57:35 +00:00
9d50944cb2
AntPathRequestMatcher implements RequestVariableExtractor
...
Issue gh-3964
2016-07-06 15:47:34 -05:00
e4c13e3c0e
Add MvcRequestMatcher
...
Fixes gh-3964
2016-07-06 15:47:23 -05:00
2a73f3cdf7
Remove abigious import
2016-06-20 15:03:09 -05:00
a2ead4cf7a
Polish
...
Fixes gh-3892
2016-06-20 12:35:43 -05:00
364db6762e
Add failing test for #3905 Fix Assert usage
2016-06-20 09:24:04 -05:00
e8f4ee8a39
Fix Assert usage
2016-06-20 09:23:51 -05:00
ca76e8d784
Remove null-check inside afterPropertiesSet() since it's never null
2016-06-17 16:40:39 -05:00
2d6051625f
Update pom.xml
2016-06-17 14:30:11 -05:00
c261975be0
Set cookie domain for cancel remember-me
...
Fixes gh-3871
2016-05-13 13:34:43 -05:00
d4218c70f1
Update CookieCsrfTokenRepository docs to cookiHttpOnly=false
...
Currently CookieCsrfTokenRepository does not specify that the httpOnly
flag needs set to false. We should update the reference to include this
setting (and a comment about it) since it states that the settings will
work with AngularJS.
This commit updates the documentation and provides a convenience factory
method to create a CookieCsrfTokenRepository with cookiHttpOnly=false
Fixes gh-3865
2016-05-06 16:28:04 -04:00
001b05569a
Release version 4.1.0.RELEASE
2016-05-05 04:25:46 +00:00
9745de9510
Add @AuthenticationPrincipal expression
...
It is now possible to provide a SpEL expression for
@AuthenticationPrincipal. This allows invoking custom logic including
methods on the principal object.
Fixes gh-3859
2016-05-03 18:08:52 -04:00
3ca8273a95
Improve GC for OnCommittedResponseWrapper
...
Only track content length if disableOnCommitted is false. This improves object creation and thus GC.
Fixes gh-3842
2016-05-02 16:19:21 -05:00
2bdb0231c2
CookieCsrfTokenRepository supports HttpOnly
...
CookieCsrfTokenRepository supports HttpOnly
Fixes gh-3835
* Add Servlet 3 tests and javadocs
Issue gh-3835
* Add copyright header
Issue gh-3835
2016-05-02 15:49:37 -05:00
70bd7d1bbc
Include AuthenticationException in logs
...
Fixes gh-3705
2016-04-21 11:17:47 -04:00
24d0069668
Release version 4.1.0.RC2
2016-04-21 01:47:25 +00:00
7fe0a135ec
Default AntPathRequestMatcher to be case sensitive
...
Issue gh-3831
2016-04-20 13:29:18 -05:00
6fa1588de9
Disable AntPathRequestMatcher trim tokens
...
Issue gh-3831
2016-04-20 13:29:17 -05:00
4093690322
Polish Logout Content Negotiation
...
* Rename to DelegatingLogoutSuccessHandler for consistency
* Remove JavascriptOriginRequestMatcher in favor of
RequestHeaderRequestMatcher
Issue gh-3282
2016-04-20 10:49:37 -05:00
f0d1700ad6
Content Negotiating LogoutSuccessHandler
...
Issue gh-3282
2016-04-20 10:42:13 -05:00
1dbd3f5906
Fix NPE in OnCommittedResponseWrapper trackContentLength ( #3824 )
...
OnCommittedResponseWrapper trackContentLength will throw a
NullPointerException when the content length passed in is null.
This commit properly tracks the null value as a length of 4.
Fixes gh-3823
2016-04-19 14:58:56 -04:00
933a7e8363
Remove duplicate words
...
Fixes gh-3826
2016-04-18 23:21:20 -05:00
fb5776cb5c
Support Camel case URI variables ( #3814 )
...
Perviously there were issues with case insenstive patterns and URI
variables that contained upper case characters. For example, the pattern
"/user/{userId}" could not resolve the variable #userId Instead it was
forced to lowercase and #userid was used.
Now if the pattern is case insensitive then so is the variable. This means
that #userId will work as will #userid.
Fixes gh-3786
2016-04-18 17:54:48 -04:00
337a7ed35e
Fix HeaderWriterFilter Javadoc
...
Fixes the formatting and spelling in HeaderWriterFilter Javadoc
Issue gh-3813
2016-04-15 08:56:58 -05:00
eb26095ca9
Fix HpkpHeaderWriter Javadoc format
2016-04-15 08:41:43 -05:00
2ef3da1b47
Documents the new @AuthenticationPrincipal in more detail.
...
Fixes gh-3771
2016-04-13 12:27:23 -04:00
d3a9cc6eae
Add CsrfTokenRepository ( #3805 )
...
* Create LazyCsrfTokenRepository
Fixes gh-3790
* Add CookieCsrfTokenRepository
Fixes gh-3009
2016-04-12 17:26:53 -04:00
fe94d654ed
Fix typos ( #228 )
2016-04-12 11:11:51 -05:00
Eric Deandrea
Alexander Münch
XYUU
Rob Winch
Tao Qian
Mark Hobson
Johnny Lim
Christoph Dreis
json20080301
Eddú Meléndez
Benedikt Ritter
Frank Pavageau
SignleMR
Jeremy Waters
Nathan Wong
Antoine
Andreas Gebhardt
Stephan Schroevers
Vedran Pavic
Joe Grandja
Kyle Anderson
Takuma Setoguchi
borlafu
Rob Winch
Spring Buildmaster
Kazuki Shimizu
Milan Ševčík
Gabriel Lavoie
Julio Valcarcel
Marten Deinum
Dennis Kieselhorst
Stefan Penndorf
Jitendra Singh Bisht
Joe Grandja
Ruben Dijkstra
Adrien SAUVEZ
bartolom
Li Weinan
Shazin Sadakath
Simon Olofsson
Andrew NS Yeow