Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-24 16:05:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
4,130 Commits 34 Branches 337 Tags
Commit Graph

4130 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Luke Taylor
d3d9c5db59 Refactoring of UserDetailsService injection (for X509, OpenID and RememberMeServices) to use a factory bean rather than a post-processor. 2010-04-20 23:47:47 +01:00
Luke Taylor
74896f217b SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>. 2010-04-20 23:47:47 +01:00
Luke Taylor
a45d2a4fb2 SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client. 2010-04-20 18:04:22 +01:00
Luke Taylor
93deec8d40 SEC-1458: Remove logger field in HttpSessionEventPublisher in favour of direct lookup. Prevents early initialization of logging system when listener is initialized. 2010-04-16 16:12:38 +01:00
Luke Taylor
0521d10069 SEC-1294: Enable access to beans from ApplicationContext in EL expressions. 
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
 2010-04-01 01:24:23 +01:00
Luke Taylor
12a6ae2ffa SEC-1232: Add config dependency to maven build for aspectj sample. 2010-03-31 19:58:59 +01:00
Luke Taylor
a5a95a8ebc Upgrade jython and disable cachedir. 2010-03-31 19:11:00 +01:00
Luke Taylor
a3ef8255d8 SEC-1232: GlobalMethodSecurityBeanDefinitionParser support for mode='aspectj' 
Also added this syntax to the aspectj sample.
 2010-03-31 18:31:28 +01:00
Luke Taylor
020e0aa49a SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext. 
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
 2010-03-30 15:52:40 +01:00
Luke Taylor
d334f6fa09 Latest gradle syntax updates. 2010-03-28 23:54:41 +01:00
Luke Taylor
2b9beffd08 SEC-1444: Fix JNDI escaping problems in LDAP authentication. 
CompositeName adds quotes to names which contain a forward slash ("/") character. These are automatically removed by Spring LDAP's DistinguishedName, but only if they are at the ends of the String. Since we were preprending the base to the (quoted) DN, resulting in something like ["cn=joe/b",ou=people], this was causing problems with the DN value returned from the search. Additionally, the bind succeeds when a DN is used with a slash, but the subsequent call to getAttributes() fails. This call now passes in a DistinguishedName for the user DN instance instead of a String.
 2010-03-27 15:30:15 +00:00
Luke Taylor
977bc2b164 SEC-1433: Reduce the number of direct dependencies on DataAccessException from spring-tx. 
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
 2010-03-26 18:05:28 +00:00
Luke Taylor
57150a6717 SEC-1440: Add entry-point-ref to http-basic element to allow setting a separate AuthenticationEntryPoint for the BasicAuthenticationFilter. 2010-03-26 12:47:24 +00:00
Luke Taylor
2a0aae1904 SEC-524: Document addition of "var" attribute in authorization tags. 2010-03-25 19:48:26 +00:00
Luke Taylor
0849dd93e9 Minor correction to namespace appendix 2010-03-24 21:02:51 +00:00
Luke Taylor
472c1fac84 SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent. 
Ensures protect-pointcut expressions match methods with generic parameters.
 2010-03-24 20:57:03 +00:00
Luke Taylor
bf91f2ca67 SEC-524: Added "var" attribute to authorize and accesscontrollist JSP tags. 
Allows the result of the boolean condition granting/denying access to be stored in the page context for later use, without having to duplicate the tag.
 2010-03-24 18:35:17 +00:00
Luke Taylor
2e2625873c SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager). 
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
 2010-03-23 00:45:06 +00:00
Luke Taylor
e60108ca8c SEC-1443: Modify Jsr250Voter to handle multiple "RolesAllowed" roles. 
It now votes to abstain if there are no Jsr250 attributes present. If any are found, it will either deny or grant access. For multiple "RoleAllowed" attributes, access will be granted if any user authority matches or denied if no match is found.
 2010-03-22 16:26:04 +00:00
Luke Taylor
d5df53f1db SEC-1439: Make getters and setters public on HttpRequestResponseHolder. 
Necessary to allow use of custom SecurityContextRepository.
 2010-03-12 15:53:05 +00:00
Luke Taylor
111d49d68a Added build file for itest-context. 2010-03-12 01:40:27 +00:00
Luke Taylor
9e049dfef4 SEC-1438: Removed JoinPoint support from AbstractMethodSecurityMetadataSource 2010-03-11 21:51:19 +00:00
Luke Taylor
1be44ecd18 SEC-1262: Added extra test for PostFilter with AspectJ interceptor. 2010-03-11 20:55:06 +00:00
Luke Taylor
c09cd3a9cb Remove unused inner class in MethodSecurityMetadataSourceAdvisor 2010-03-11 01:52:07 +00:00
Luke Taylor
55de2cfcb1 SEC-1262: Added new (replacement) AspectJ interceptor which wraps the JoinPoint in a MethodInvocation adapter to provide compatibility with classes which only support MethodInvocation instances. 
Also deprecated the existing AspectJ interceptors. This will also allow future simplification of the AbstractMethodSecurityMetadataSource, as it no longer needs to support JoinPoints.
 2010-03-11 01:51:59 +00:00
Luke Taylor
2b8b8819e4 Added gradle support for aspects project. 2010-03-09 19:22:50 +00:00
Luke Taylor
6fcaba2c46 Moved setting of 'provided' scope mapping on pom out of whenConfigured() so that the mapping is in place when the pom dependencies are assembled. Added 'skipTests' option. 2010-03-07 23:53:33 +00:00
Luke Taylor
f3264ba9ab Addition of commons-logging exclusions and adjustments to pom generation. 2010-03-07 21:58:25 +00:00
Hans Dockter
b64a3fa725 Hans Dockter's refactoring of gradle build, plus simplification of docbook plugin. 2010-03-05 23:23:43 +00:00
Luke Taylor
d66ff32a1d Added taglib dependency to itest-web project. Needed by additional test for SEC-1420. 2010-03-05 23:23:01 +00:00
Luke Taylor
b7aaa3447c Updated aws-maven to 3.0.0.RELEASE 2010-03-05 23:23:01 +00:00
Luke Taylor
b38b8e55ac SEC-1432: Convert map keys to lower-case in UserMap.setUsers(). 
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
 2010-03-05 17:55:29 +00:00
Luke Taylor
43f0e11106 SEC-1429: Removed cached authentication from session after successful authentication. 2010-03-05 00:07:35 +00:00
Luke Taylor
89d8c8cc83 Additional test classes for authentication and logout success/failure handling. 2010-03-04 23:18:46 +00:00
Luke Taylor
a3263753d9 Fix to Javadoc for AbstractAuthenticationProcessingFilter. 2010-03-04 22:06:04 +00:00
Luke Taylor
530ab3ae30 SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect. 2010-03-04 21:21:07 +00:00
Luke Taylor
4d70f88285 SEC-1420: JSP for itest of authentication tags with and without escaping. 2010-03-04 01:44:27 +00:00
Luke Taylor
0551dd89ac SEC-1420: Add htmlEscape attribute to authentication JSP tag. 
This allows HTML escaping to be disabled if required.
 2010-03-04 00:47:22 +00:00
Luke Taylor
43f3568b16 SEC-1407: Removed original URL matching classes and updated Javadoc of new RequestMatcher versions. 2010-03-03 23:11:49 +00:00
Luke Taylor
90caf1bb37 Manual formatting. 2010-03-03 23:08:05 +00:00
Luke Taylor
ae8027fa47 SEC-1425: Replace use of Java 1.6 String.isEmpty(). 2010-03-01 13:49:42 +00:00
Luke Taylor
e5a875d752 SEC-1407: Correct logger category in MatcherType. 2010-03-01 02:03:32 +00:00
Luke Taylor
90a7f1f00e SEC-1383: Namespace support for MethodSecurityMetadataSource. Initial commit. 2010-03-01 01:45:43 +00:00
Luke Taylor
93438defff SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy. 
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
 2010-03-01 01:21:06 +00:00
Luke Taylor
962a2d5272 Tone down Apache DS log level in itest-web 2010-03-01 01:20:11 +00:00
Luke Taylor
d39e93ec23 Add maven pom customization options to build.gradle 2010-03-01 01:17:57 +00:00
Luke Taylor
b147652193 Make hsqldb a testRuntime/runtime dependency. 2010-03-01 01:10:58 +00:00
Luke Taylor
cb0f3f677f SEC-1425: Add check for empty cookie in AbstractRememberMeServices. 
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
 2010-02-28 14:08:27 +00:00
Luke Taylor
f0466b6488 SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all. 2010-02-27 00:22:21 +00:00
Luke Taylor
6a34807a07 SEC-1423: Cache PointcutExpression instances in ProtectPointcutPostProcessor for more efficient startup. 2010-02-26 17:21:25 +00:00