0961671772
Reinstated missing 3.0.3 schema file
2010-10-27 13:25:39 +01:00
f455e9a5a4
SEC-1584: Documentation of request-checking and matching process. Logging of servletPath and and pathInfo in DebugFilter for comparison.
2010-10-27 13:25:39 +01:00
7d97adc687
SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/".
2010-10-27 13:25:39 +01:00
ee12d54bec
SEC-1536: moved web.authentication.jaas to web.jaasapi
...
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
2010-10-05 22:28:42 -05:00
e69b981c72
Make method in MatcherType public for use in OAuth.
2010-09-25 20:09:12 +01:00
11a87d1fa0
Switch to using xsd:boolean in schema file.
2010-09-19 18:17:06 +01:00
1b2b371970
SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element.
...
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.
Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
2010-09-16 16:03:24 +01:00
383211561c
Moved LDAP placeholder config test into LDAP tests to prevent issues with parallel tests. Converted LdapProviderBDP tests to groovy/spock. Other misc tidying of config tests.
2010-09-16 12:31:23 +01:00
7dd8cd2fb9
Make sure ApacheDS work directory is set correctly for separate LDAP test task in config module.
2010-09-16 10:50:12 +01:00
a128e3b4fe
http://forum.springsource.org/showthread.php?p=318755 Added PlaceHolderAndELConfigTests.ldapAuthenticationProviderWorksWithPlaceholders
2010-09-13 13:44:12 -05:00
de819378fc
SEC-1536: added JAAS API Integration, updated doc, updated jaas sample
2010-09-13 13:12:45 -05:00
0217e98bdb
Added an AppListener to collect events for use in tests
2010-09-13 14:20:21 +01:00
f4d57ab5e8
SEC-1456: Remove maven poms as we are now using gradle for the build.
2010-08-30 19:02:19 +01:00
20988c8cf6
Minor refactoring of debug filter and tidying up tests.
2010-08-27 01:49:30 +01:00
bdb906e588
Enable parameterization for log levels in logback files to allow the use of command-line options for controlling log output.
2010-08-24 18:25:39 +01:00
1db83fc81e
Minor BD parser tidying.
2010-08-20 21:14:00 +01:00
c37ca1c2a9
Sample app build adjustments to remove unwanted deps such as jsp-api, tidy up use of JSTL, make sure all are using servlet 2.5 etc.
2010-08-19 22:41:51 +01:00
5f6bcc0e1e
SEC-1540: Fix to add HTTP-method specific support for namespace requires-channel attribute.
2010-08-18 13:01:16 +01:00
3c02989d67
Removal of jmock test dependency and upgrading of mockito version to 1.8.5. Minor adjustments to other build deps and configurations (e.g. prevent groovy from being used as a transitive dep, since we only use it for tests).
2010-08-18 02:32:43 +01:00
aafc5f9038
File rename to correct case.
2010-08-17 02:27:36 +01:00
1f520b691f
SEC-1469: Initial support for debugging filter.
2010-08-17 02:23:34 +01:00
591bd532bd
Polishing FilterChainProxy and its tests.
2010-08-17 02:20:34 +01:00
6abfa2e887
Update minimum required schema to 3.1.
2010-08-17 02:19:55 +01:00
4bd41cbf72
SEC-1133: Support for setting of authenticationDetailsSource property for form-login, openid-login, http-basic and x509 namespace elements. These elements now support an additional 'authentication-details-source-ref' attribute.
2010-08-14 15:10:03 +01:00
4935aa07c7
SEC-1535: Added suggested doc fixes.
2010-08-12 20:41:29 +01:00
2222a7be07
Use Integer.valueOf() in preference to new Integer()
2010-08-11 18:17:23 +01:00
dca0fd871c
SEC-1532: Add cache of previously matched beans to ProtectPointcutPostProcessor to ensure that it doesn't perform pointcut matching every time a new prototype bean is created.
2010-08-09 17:16:43 +01:00
85c4c91e0e
IDEA inspection refactorings.
2010-08-05 23:28:07 +01:00
413b2a06e3
Improvements in up-to-date checking and use of parallel tests where possible.
2010-08-05 02:11:00 +01:00
64375484a1
More build and logging tuning.
2010-08-04 22:55:17 +01:00
2d9a848265
Added missing gradle build files for remaining samples. Some related reordering, dependency fixing etc. CAS sample no longer requires two separate subprojects as both client and server app can be run from a single gradle build.
2010-07-27 02:20:36 +01:00
c1c8fd1874
SEC-1171: Changed attribute name/value from secured="false" to security="none" to allow future extension by adding extra options (e.g. contextOnly to provide security context information during the request).
2010-07-20 19:46:47 +01:00
a4fd191499
Added check for use of "ref" with other attributes in <authentication-provider>.
2010-07-20 14:31:52 +01:00
4683273c2c
Correct message in namespace handler when web classes are missing.
2010-07-12 12:40:06 +01:00
69a10c48ae
Switch to using slf4j/logback for logging.
...
We still compile modules against commons-logging but all runtime logging and samples will use logback
2010-07-12 12:39:52 +01:00
443ac0487a
SEC-1093: Namespace support for jee element.
...
Adds a J2eePreAuthenticatedProcessingFilter to the stack, using a SimpleAttributes2GrantedAuthoritiesMapper to process the role attributes defined in the "mappable-roles" attribute. Provider uses a PreAuthenticatedGrantedAuthoritiesUserDetailsService by default.
2010-07-07 22:42:26 +01:00
026517f674
Removal of deprecated methods and classes.
2010-06-26 16:23:42 +01:00
6a79cf7be2
SEC-1383: Make MethodSecurityMetadataSourceBeanDefinitionParser extend AbstractBeanDefinitionParser for automatic support of ID attribute.
2010-06-26 16:07:23 +01:00
cd946c4e23
SEC-1493: Added namespace support.
2010-06-20 21:09:38 +01:00
8bddc8f820
SEC-1484: Documentation for some namespace attributes.
2010-06-05 17:35:24 +01:00
2e865752ff
Upgraded groovy to 1.7.2 to avoid jansi dependency issue
2010-06-03 23:13:28 +01:00
efb600166a
SEC-1488: Remove commons-logging dependencies from maven poms.
2010-05-28 13:10:59 +01:00
f7405cef82
Removed original Java version of refactored http namespace tests.
2010-05-27 18:06:26 +01:00
34401416b0
SEC-1171: Implement parsing of empty filter chain patters via http 'secured' attribute and remove filters='none' support.
2010-05-27 15:54:15 +01:00
05c7abe191
SEC-1445: Tests for setting of username and password parameter names through the form-login element.
2010-05-27 15:54:15 +01:00
7d74b7c87e
SEC-1171: Allow multiple http elements and add pattern attribute to specify filter chain mapping.
2010-05-27 15:54:15 +01:00
b0758dd8de
Refactoring HTTP config tests to use spock and groovy MarkupBuilder
2010-05-27 15:53:52 +01:00
b0308e41cb
SEC-1455: Load namespace parsers when required, rather than on init() call, to avoid classloaded issue with dmServer failing to resolve web classes when the namespace handler is first used.
2010-05-21 15:36:37 +01:00
a4ce14f604
Add "provisioning" package to config bundlor template.
2010-05-16 14:14:13 +01:00
d5ffdd9c27
Import cleaning
2010-05-03 18:46:06 +01:00
dccb30ad63
Remove use of wrong DOMUtils class (from com.sun package).
2010-05-01 15:06:48 +01:00
863ccecf55
SEC-1466: Report error if authentication-provider element has child elements when used with "ref" attribute.
2010-04-30 20:22:20 +01:00
165cbb0d19
SEC-1445: Added support for custom username and password parameters in form-login.
2010-04-30 18:14:50 +01:00
a421370a3d
SEC-1465: Change DelegatingMethodSecurityMetadataSource to use constructor injection to get round the problem of it being invoked before it has been initialized properly. Also changed the contacts tests to use the same app context and loading order as the actual webapp, to give better reassurance that the app will run successfully.
2010-04-25 22:00:25 +01:00
f5859fabcf
SEC-1464: Created InMemoryUserDetailsManager and converted user-service BDP to use it for its in-memory database.
2010-04-25 04:26:45 +01:00
2f025fba6c
SEC-1460: Added AxFetchListFactory which matches OpenID identifiers to lists of attributes to use in a fetch-request.
...
This allows different configurations to be used based on the identity-provider (google, yahoo etc). The default implementation iterates through a map of regex patterns to attribute lists. The namespace has also been extended to support this facility, with the "identifier-match" attribute being added to the attribute-exchange element. Multiple attribute-exchange elements can now be defined, each matching a different identifier.
2010-04-20 23:47:48 +01:00
d3d9c5db59
Refactoring of UserDetailsService injection (for X509, OpenID and RememberMeServices) to use a factory bean rather than a post-processor.
2010-04-20 23:47:47 +01:00
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
2010-04-01 01:24:23 +01:00
a3ef8255d8
SEC-1232: GlobalMethodSecurityBeanDefinitionParser support for mode='aspectj'
...
Also added this syntax to the aspectj sample.
2010-03-31 18:31:28 +01:00
020e0aa49a
SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext.
...
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
2010-03-30 15:52:40 +01:00
977bc2b164
SEC-1433: Reduce the number of direct dependencies on DataAccessException from spring-tx.
...
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
2010-03-26 18:05:28 +00:00
57150a6717
SEC-1440: Add entry-point-ref to http-basic element to allow setting a separate AuthenticationEntryPoint for the BasicAuthenticationFilter.
2010-03-26 12:47:24 +00:00
472c1fac84
SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
...
Ensures protect-pointcut expressions match methods with generic parameters.
2010-03-24 20:57:03 +00:00
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
2010-03-07 21:58:25 +00:00
b38b8e55ac
SEC-1432: Convert map keys to lower-case in UserMap.setUsers().
...
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
2010-03-05 17:55:29 +00:00
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
2010-03-04 21:21:07 +00:00
e5a875d752
SEC-1407: Correct logger category in MatcherType.
2010-03-01 02:03:32 +00:00
90a7f1f00e
SEC-1383: Namespace support for MethodSecurityMetadataSource. Initial commit.
2010-03-01 01:45:43 +00:00
93438defff
SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy.
...
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
2010-03-01 01:21:06 +00:00
b147652193
Make hsqldb a testRuntime/runtime dependency.
2010-03-01 01:10:58 +00:00
f0466b6488
SEC-1424: Added support for "stateless" option for create-session attribute, designed for applications which do not use sessions at all.
2010-02-27 00:22:21 +00:00
6a34807a07
SEC-1423: Cache PointcutExpression instances in ProtectPointcutPostProcessor for more efficient startup.
2010-02-26 17:21:25 +00:00
2f1479785e
Refactoring to remove remaining circular dependencies indicated by structure101.
2010-02-22 01:48:22 +00:00
f3f84da625
Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0.
2010-02-21 23:25:36 +00:00
26cf6f5528
SEC-1399: Remove MockAuthenticationManager in app context file for FilterChainProxy tests.
2010-02-20 21:59:44 +00:00
68f6afd905
SEC-1383: Added namespace support for method-security-metadata-source
2010-02-20 19:05:25 +00:00
b7fc5bc455
Update schema version to 3.1
2010-02-20 18:58:00 +00:00
2ee7696bf4
Update version number to 3.1.0.CI-SNAPSHOT.
2010-02-19 17:35:19 +00:00
44f45d21f0
3.0.2 release. Update version in build files.
2010-02-19 01:22:21 +00:00
10dc72b017
SEC-1387: Support serialization of security advised beans.
...
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
2010-02-19 00:53:14 +00:00
5b5934144a
Avoid infinite loop in InterceptMethodsBeanDefinitionDecoratorTests when upgrading to Spring 3.0.1.
...
Converted test target to implement ApplicationListener<SessionCreatedEvent> so that it doesn't receive events from its own interceptor (which are in turn intercepted).
2010-02-16 00:03:15 +00:00
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
2010-02-14 23:23:23 +00:00
dcbdfc2026
SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
...
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
2010-02-11 17:47:22 +00:00
70ef0d8b3e
Added extra test to itest/context as POC of using extra interceptor with http ns.
2010-02-11 01:48:00 +00:00
23511c930f
Standardising slf4j versions.
2010-02-11 01:33:31 +00:00
2173029216
SEC-1404: Use a factory method to convert the path to lower case for use in the filter-chain map.
...
Delays the conversion till after palceholders have been substituted, preventing the placeholder from being converted (or the value not being converted).
2010-02-10 23:49:26 +00:00
5753d69465
SEC-1404: Updated test for placeholders in intercept-url elements to check they work for filter='none' elements
2010-02-10 16:49:53 +00:00
bd2fd3448b
SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly.
2010-02-06 15:42:01 +00:00
d931495c8a
SEC-1380: Trim whitespace from config attributes when building a list in SecurityConfig.
2010-01-23 02:12:30 +00:00
51dfc0fb39
Set versions to 3.0.2-CI-SNAPSHOT, post release.
2010-01-15 18:15:19 +00:00
05634f97dc
Updated version numbers for 3.0.1 release.
2010-01-15 18:04:28 +00:00
670297c55d
SEC-1369: Make sure beans aren't registered twice in case allowBeanDefinitionOverriding=false in the app context.
...
The use of registerBeanComponent() also registers the bean definition, which causes an error if overriding is disallowed and the bean has already been registered using registerBeanDefinition(). I've also set the allowBeanDefinitionOverriding to 'false' on InMemoryXmlApplicationContext to detect future mistakes of this kind in testing.
2010-01-14 15:48:14 +00:00
b323098167
Added gradle build files for taglibs, tutorial, contacts and openid.
...
Changed build file names to match module names (by manipulating the project objects in the settings.gradle file).
2010-01-10 23:31:23 +00:00
e211f9b35f
SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
...
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.
Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
51abedcbef
Parameterize getFilter() method in HttpSecurityBeanDefinitionParserTests.
...
Removes the need for casting to specific filter type.
2010-01-08 23:20:16 +00:00
f40a1fda34
SEC-1357: Use getClass().getClassLoader() in SecurityNamespaceHandler to check for web classes.
...
This is used in preference to ClassUtils.getDefaultClassLoader() which fails to find the web classes in some situations.
2010-01-08 21:12:36 +00:00
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
2010-01-08 21:05:13 +00:00
dc5417f1d5
SEC-1352: Added support for placeholders in <user-service>
...
The username, password and authorities attributes can now be placeholders.
2010-01-05 22:34:10 +00:00
893f212fa5
Tidying
2010-01-02 19:53:19 +00:00
bcb1ff8921
SEC-1342: Introduced extra factory method in SecurityConfig to get round problem with Spring converting a string with commas to an array
2009-12-23 14:12:59 +00:00
115d5b84ff
[maven-release-plugin] prepare for next development iteration
2009-12-22 22:20:01 +00:00
6c6ef08353
[maven-release-plugin] prepare release spring-security-3.0.0.RELEASE
2009-12-22 22:19:38 +00:00
e64866ae6a
Updated bundlor templates and introduced spring.version variable
2009-12-22 01:10:04 +00:00
fcce29f8df
SEC-1326: Updating dependencies to match Spring versions. Removing unused deps.
2009-12-21 17:32:38 +00:00
fac07ba8ff
Schema updates to Spring 3.0
2009-12-18 18:44:17 +00:00
85a58fd473
SEC-1331: Modify namespace to allow omission of user passwords in user-service element and generate random ones internally, preventing authentication against the data..
2009-12-18 15:39:13 +00:00
520e733cb2
[maven-release-plugin] prepare for next development iteration
2009-12-08 21:19:41 +00:00
f2cf17bd49
[maven-release-plugin] prepare release spring-security-3.0.0.RC2
2009-12-08 21:19:20 +00:00
1dc4bb112e
SEC-1318: Correct logic for checking combination of session-management attributes.
2009-12-07 22:40:47 +00:00
3469a8d4a3
Javadoc.
2009-12-07 21:40:06 +00:00
ac564fc34e
SEC-1317: Forgot to commit test from config module.
2009-12-07 21:39:49 +00:00
d4e4a09801
SEC-1312: Add detection of 2.0 schemas. Added check to SecurityNamespaceHandler and reinstated old schemas.
2009-12-06 21:15:11 +00:00
dab76249db
Added gradle build files (experimental)
2009-12-04 21:33:17 +00:00
eddde8ea28
SEC-1309: Namespace configurations should support Spring EL. Removed premature conversion of URL paths to lower case, which messes up if they are case-sensitive expressions or placeholders. Some other minor changes to suppport EL configuration.
2009-12-01 14:23:58 +00:00
e9402fa0f9
Removed commented deps from pom.
2009-11-24 09:34:05 +00:00
69699431b1
SEC-1303: Added internal Hex and Base64 classes, and moved commons-codec dependency to test scope
2009-11-24 09:31:03 +00:00
5546698fef
SEC-1253: Decouple spring-security-config module from spring-security-web. Added ClassUtils.isPresent() check for FilterChainProxy before attempting to register web-related parsers and decorators. Added use of namespace to dms sample for testing.
2009-11-17 23:39:42 +00:00
66b1b1957c
SEC-1298: Deleted custom-filter BeanDefinitionDecorator
2009-11-17 21:36:11 +00:00
3444b31615
SEC-1291: Add logout namespace support for custom success handler. Added attribute "success-handler-ref" to <logout> element in namespace.
2009-11-17 17:29:43 +00:00
9eae7b899c
SEC-1284: Added proxy-target-class attribute to method security namespace
2009-11-17 16:19:05 +00:00
afdd80235c
SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher. Fixed Spring RC1 - RC2 regression problem with test (addApplicationListener() behaviour has changed).
2009-11-17 14:34:43 +00:00
d4d5012035
SEC-1272: <authentication-manager> does not register default event handler DefaultAuthenticationEventPublisher. Update AuthenticationManagerBeanDefinitionParser to register a DefaultAuthenticationeventPublisher and set it on the registered ProviderManager.
2009-11-17 12:55:53 +00:00
a2468c523a
SEC-1283: AuthenticationConfigBuilder.createAnonymousFilter uses httpElt instead of anonymousElt. Corrected element name.
2009-11-04 17:39:26 +00:00
197737a2b4
SEC-1281: make sure correct 'key' value is used for RememberMeAuthenticationProvider when external RememberMeServices is used
2009-11-04 14:55:58 +00:00
799b96520b
SEC-1269: Combining <form-login> and <open-id> fails to find entry point. Fixed entry point choice conditions when using openID and/or form-login
2009-10-14 00:30:28 +00:00
3f963ef8ca
Restore versions and svn URLs in trunk (release plugin fail)
2009-10-11 21:59:38 +00:00
af563e826c
[maven-release-plugin] prepare release spring-security-3.0.0.RC1
2009-10-11 21:43:42 +00:00
73df14c912
Allow any ordering of authentication-provider elements within authentication-manager
2009-10-11 19:58:04 +00:00
ed2ddf9323
SEC-1263: Add FactoryBean for namespace AuthenticationManager. <http> now uses AuthenticationManagerFactoryBean. Method security already uses a delegate object to lookup the AuthenticationManager. This now uses the same error message if the bean isn't found, rather than allowing the BeanFactory NoSuchBeanDefinitionException to be thrown directly.
2009-10-09 14:41:34 +00:00
ac5237c127
SEC:1263: Added FactoryBean for AuthenticationManager
2009-10-09 12:11:45 +00:00
e398922f85
Removing elements that are no longer supported from the namespace
2009-10-08 14:40:52 +00:00
80eb47c6fe
SEC-1261: Convert FilterChainOrder to an enum (SecurityFilters).
2009-10-08 13:18:32 +00:00
4dcb9de67a
SEC-1257: Some additional API changes to use Collection instead of List...
2009-10-07 21:08:20 +00:00
1286741c7c
SEC-1259: Improve consistency of authentication filter names.
2009-10-07 14:43:55 +00:00
f213cc5d9e
SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted.
2009-10-06 19:46:44 +00:00
5d486a51b6
SEC-1256: Added support for expression attributes in filter-security-metadata-source configuration.
2009-10-06 16:39:56 +00:00
07d7c0ddae
Renamed form and openID filters to shorten names
2009-10-05 17:33:34 +00:00
1042305cfe
Renamed web.wrapper to web.servletapi. Added some package.html files.
2009-10-05 16:59:37 +00:00
673cf300fb
SEC-1229: Refactoring to remove package cycles.
2009-10-05 16:40:32 +00:00
acf13c74ca
SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session
2009-10-05 15:51:00 +00:00
2b89ebdfbb
SEC-1229: Further doc and mods to namespace config/naming to make it more consistent
2009-10-03 16:08:51 +00:00
073198886d
SEC-1255: Modified UrlUtils. Full request URL for redirects uses the requestURI (which is encoded). The URL for path comparsions is built using the servletpath, as before.
2009-10-02 17:29:43 +00:00
c34d719004
SEC-1252: Remove 2.0.x schemas from 3.0. Removed files and updated spring.schemas to remove 2.0.x versions
2009-09-29 17:56:01 +00:00
2a1430f1ce
SEC-1229: Removed legacy concurrency classes
2009-09-29 16:18:25 +00:00
ebada9fd12
SEC-1229: Added support for parsing error URL in session-management
2009-09-29 16:17:05 +00:00
203cc5a8dc
SEC-1229: Added error-url to concurrency-control element and changed "exception-if-max-exceeded" to "error-if-max-exceeded"
2009-09-29 16:16:06 +00:00
7109b7e183
Import cleaning.
2009-09-29 00:30:29 +00:00
aa153681bf
SEC-1229: Added session-management element to namespace and refactored existing session-related attributes and concurrency control. Refactored <http> parsing code to split it up into more manageable units.
2009-09-29 00:29:09 +00:00
731402e9f5
SEC-525: [PATCH] Add AccessCheckerTag based on URL resource access permissions. Added functionality to "authorize" tag to allow evaluation of whether a particual url is accessible to the user. Uses a WebInvocationPrivilegeEvaluator registered in the application context.
2009-09-16 00:23:13 +00:00
71ab83255d
SEC-1242: Check that RememberMeServices is an instance of AbstractRememberMeServices before attempting to inject a UserDetailsService.
2009-09-11 21:10:16 +00:00
fa7404741b
SEC-1167: Introduce more flexible SavedRequest handling. Add namespace support for a custom RequestCache through the request-cache element.
2009-09-09 21:40:12 +00:00
aec730ae7e
SEC-1238: Disable portlet module
2009-09-09 20:03:00 +00:00
6640eab9dc
SEC-1240: Added {ssha} support to PasswordEncoderParser.
2009-09-09 12:12:29 +00:00
d099d14e9b
SEC-1235: Added test to attempt to verify (failed to reproduce).
2009-09-05 14:14:12 +00:00
8632946f30
SEC-1213: Added "order" atrribute to global-method-security
2009-09-04 15:54:42 +00:00
245fc96137
SEC-1075: Update the embedded LDAP server to use Apache DS 1.5. Updated to use the new 1.5.5 release for the embedded server.
2009-09-01 23:21:44 +00:00
2039200617
SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.
2009-09-01 16:08:20 +00:00
dbcb13ad14
SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination.
2009-08-31 22:48:49 +00:00
0d7b990e0a
SEC-1184: Moved ACL cache classes and interface out of jdbc package.
2009-08-31 22:15:37 +00:00
471206a29d
SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy
2009-08-27 10:43:01 +00:00
fe33f08b73
SEC-1201: Allow requires-channel attribute to take placeholders.
2009-08-23 16:42:06 +00:00
00352227ac
Tidying.
2009-08-23 16:03:40 +00:00
ea01e9cdf7
SEC-1201: PropertyPlaceholderConfigurer does not work for intercept-url attributes. Ensure that channel processing handles paths which are placeholders.
2009-08-23 15:57:59 +00:00
9bf8656d66
SEC-1201: PropertyPlaceholderConfigurer does not work for intercept-url attributes. Added use of ManagedMaps and BeanDefinitions to support placeholders in the pattern and access attributes.
2009-08-22 21:09:34 +00:00
579644fa95
SEC-1225: Use bean references for authentication providers. Updated AuthenticationManagerBDP to regsiter the providers as top level beans.
2009-08-22 12:37:14 +00:00
24911eb606
Corrected links in manual, comment in schema file.
2009-08-22 01:54:31 +00:00
5a8772df5b
Reset pom versions post release
2009-08-21 12:02:49 +00:00
0e5aa7008d
[maven-release-plugin] prepare release spring-security-3.0.0.M2
2009-08-20 15:51:26 +00:00
48988bde84
SEC-935: Support for OpenID attribute exchange and changes to namespace syntax to allow simple configuration of attributes to request.
2009-08-13 23:55:25 +00:00
f536c80020
SEC-1202: Removed SpringSecurityFilter and replaced with use of GenericFilterBean from spring-web
2009-08-10 14:18:18 +00:00
966f3e4101
SEC-1182: Added tst to confirm that this is no longer an issue due to other changes
2009-08-10 11:32:02 +00:00
b4bb489638
SEC-1164: Further registering on bean components for tooling and removal of global ids.
2009-08-08 21:08:12 +00:00
b387d63aba
Removing unnecessary global bean names.
2009-08-08 18:57:51 +00:00
a67448c867
SEC-1216: Remove unused code.
2009-08-08 18:51:15 +00:00
229866e293
SEC-1142: Support for session timeout detection. Added namespace support for invalid-session-url
2009-08-07 23:57:10 +00:00
0f6642d3ab
SEC-1216: Replacement of custom-after-invocation-provider with after-invocation-provider element. Some changes to help prevent proxying of aop infrastructure classes (use of AopInfrastructureBean marker interface)
2009-08-04 00:18:07 +00:00
eaa0dc4fce
typo
2009-08-03 16:30:26 +00:00
e40b9fbc75
SEC-1196: Introduce AuthenticationManagerDelegator is MethodSecurityInterceptor which is configured by global-method-security. Prevents regression of SEC-933 caused by eager init of AuthenitcationManager and dependent beans
2009-08-03 01:44:49 +00:00
997faabe1e
SEC-1196: Removed ConfigUtils (no longer used).
2009-08-03 00:22:47 +00:00
5953af0f6b
SEC-1196: Change use of <authentication-manager> to actually register the global ProviderManager instance. This element now registers the global ProviderManager instance and must contain any authentication-provider elements (or ldap-authentication-provider elements).
2009-08-03 00:21:11 +00:00
c5d6484b54
SEC-1210: RememberMe filter misses UserDetailsService in default <http /> tag config when it is declared in parent app context. Fixed by getting the UserDetailsServiceInjectionPostProcessor to check ancestor bean factories for a UserDetailsService if one isn't found in the current bean factory.
2009-07-31 19:40:20 +00:00
160aa512a1
Remove "infrastructure" type from authentication provider bean.
2009-07-31 19:38:16 +00:00
6ae61f95db
Minor updates to test XML context implementation.
2009-07-31 19:37:05 +00:00
a4a0aab66f
SEC-1164: Add additional component definitions so that Spring IDE picks them up and doesn;t report missing bean definitions
2009-07-31 00:18:16 +00:00
5d5df0c63d
Added extra 'manual' security interceptor config
2009-07-29 16:08:04 +00:00
3e6054b69f
SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.
2009-07-29 00:52:30 +00:00
609a68b12a
SEC-1077: Added DefaultAuthenticatedSessionStrategy test to check that saved request attribute is retained when migrateAttributes is false.
2009-07-28 23:47:26 +00:00
db90122179
SEC-1211: Create strategy for session handling on successful authentication. Added AuthenticatedSessionStrategy interface and default implementation which encapsulates the functionality that was previously in SessionFixationProtectionFilter and AbstractAuthentictationProcessingFilter. Updated the namespace to make use of these.
2009-07-28 18:00:24 +00:00
931cf90dbb
SEC-1203: Allow configuration of X509 subject-dn-regex attribute using PropertyPlaceholderConfigurer. Modified parser to use a BeanDefinition for the SubjectPrincipalDnExtractor to allow property subsititution.
2009-07-21 00:14:57 +00:00
8b115e2a21
SEC-1167: Added setRequestCache to SavedRequestAwareAuthenticationSuccessHandler and updated namespace parsing to set PortResolver on created HttpRequestCache.
2009-07-20 22:52:48 +00:00
f404bb3d74
SEC-1167: Introduce more flexible SavedRequest handling. Separated the concept of SavedRequest from SecurityContextHolderAwareFilter since the two are orthogonal requirements. This no longer takes a wrapper class property or uses reflection. SavedRequest functionality is accessed through the RequestCache interface, with the default implementation being HttpSessionRequestCache. A separate filter RequestCacheAwareFilter is now responsible for reconstituting the SavedRequest if it matches the current request. The functionality for matching and returning the wrapper is contained in the RequestCache method though.
2009-07-20 22:34:40 +00:00
491837ae34
SEC-1197: Moved support from session-controller-ref from authentication-manager to concurrent-session-control element. Plus refactoring of config classes into separate packages.
2009-07-17 23:36:35 +00:00
1afa67c954
SEC-1195: Added internal AuthenticationManager for use by beans which are generated by the <http> block.
2009-07-15 23:09:47 +00:00
6346e31517
SEC-1195: Change <http> parsing behaviour to use an internal AuthenticationManager instance. Implemented "parent" AuthenticationManager in ProviderManager which is delegated to when no authentication is returned by the instances list of authentication providers. Extracted the Authentication success/failure publishing into a separate strategy.
2009-07-15 01:28:28 +00:00
d59bdc0cbc
Reducing use of global bean Ids as part of SEC-1186
2009-07-08 23:54:26 +00:00
7622dfe092
SEC-1194: Added support for services-alias to remember-me
2009-07-08 23:53:47 +00:00
d02bbbf560
import cleaning.
2009-07-08 17:17:45 +00:00
43dab4c3b3
SEC-1186: Additional changes to remove custom-filter decorator functionality.
2009-07-08 16:50:47 +00:00
abddcb044a
SEC-1186: Remove functionality from CustomFilterBeanDefinitionDecorator and report a warning instead.
2009-07-08 16:49:30 +00:00
b3366a1646
SEC-1186: Tidying up changes to http parsing
2009-07-08 16:19:26 +00:00
eae670269d
Tidying
2009-07-06 10:33:57 +00:00
853b4c8753
SEC-1186: Make sure an Element is always supplied when registering the AuthenticationManager. Fixes broken tests.
2009-06-28 13:36:54 +00:00
d5bf5d7adc
SEC-1186: validator for filter chain beans
2009-06-26 12:47:03 +00:00
8ddd96af2b
SEC-1186: intermediate commit of namespace changes for improved tooling support
2009-06-26 12:44:46 +00:00
f6e2e36346
Remove use of property editor internally.
2009-06-18 23:37:36 +00:00
074fa7d629
SEC-1186: Refactoring to bring all filter registrations into the HttpBDP parse method in preparation for building the filter chain and map at that point, rather than in a post-processor
2009-06-18 22:33:16 +00:00
37d3401d0c
SEC-1016: Rollback changes.
2009-06-14 21:10:02 +00:00
a963be4719
SEC-1095: Register AuthenticationManager from GlobalMethodSecurityBDP.
2009-06-09 01:38:53 +00:00
0473cfbfc0
SEC-1137: Added support for an external UserDetailsContextMapper using the attribute user-context-mapper-ref.
2009-06-08 23:35:05 +00:00
bfa2806034
Add component definition registration for tooling.
2009-06-08 22:27:55 +00:00
aa511bb1f4
SEC-1175: Changed default anonymous username to match that in the schema docs.
2009-06-08 13:09:07 +00:00
66f7e8bcc8
SEC-1168: Added filter-security-metadat-source to namespace.
2009-06-08 12:59:13 +00:00
9993a7f6e4
Added newlines to filter list to test use of xsd:token.
2009-05-31 21:28:16 +00:00
545550bb0c
Made ApacheDS deps optional
2009-05-27 02:15:45 +00:00
131ba5c62e
Reset poms to 3.0.0.CI-SNAPSHOT after tagging M1 release
2009-05-27 00:12:30 +00:00
e2c218e8c9
[maven-release-plugin] prepare release spring-security-3.0.0.M1
2009-05-26 23:44:11 +00:00
45c54c558c
Updated build to use maven.springframework.org deps
2009-05-13 06:16:05 +00:00
a8215fa2cb
SEC-1160: Renaming of authentication filters and entry points and associated doc changes
2009-05-12 05:37:11 +00:00
4bad213b19
SEC-1132: Moved remaining preauth code from core to web
2009-05-12 00:11:06 +00:00
76561813e9
Fixed config bundlor template
2009-05-11 07:57:52 +00:00
76438b3347
SEC-1132: Refactoring of access/intercept package to extract packages and classes which are externally depended on or potentially may be used outside of the standard interceptor model (e.g. SecurityMetadataSource)
2009-05-11 05:44:31 +00:00
14c4739605
SEC-1158: Decoupling of Pre/Post annotations implementation from Spring EL.
2009-05-11 05:18:20 +00:00
b3ccee4dbc
Some additional tests on session creation.
2009-05-07 07:10:10 +00:00
29fafbbf18
Misc tidying up of old files and refactoring of tests
2009-05-05 13:29:59 +00:00
cef089376c
SEC-1152: Changes to add anonymous filter to default namespace configuration and added enabled flag to allow overriding of the behaviour.
2009-05-05 07:23:31 +00:00
6d655aa514
SEC-1132: More refactoring to remove cycles ad reduce complexity metrics
2009-05-04 14:24:54 +00:00
8c94e39150
SEC-1118: Added run-as-manager-ref attribute to global-method-security element. Also updated schema to use xsd:token in place of xsd:string where appropriate.
2009-05-01 05:16:19 +00:00
5aeca2d7dd
Added test XML file for use messing about in an XML editor while generating schema.
2009-04-30 06:58:38 +00:00
90b849c271
SEC-1100: Added support for <access-denied-handler> element which can take a ref or an error-page attribute.
2009-04-30 05:46:55 +00:00
39cc865a36
SEC-1143: Fixed by using BeanDefinitionRegistry.isBeanNameInUse() instead of containsBeanDefinition() to check for the SessionRegistry availability. The former picks up the alias registration of the standard bean Id for user's bean Id.
2009-04-28 12:08:48 +00:00
4f33f4677b
Import cleaning.
2009-04-26 10:06:58 +00:00
1ac0ea9d3f
Moved InMemoryXmlApplicationContext to test src as it is only used in tests.
2009-04-25 06:52:57 +00:00
22e7142f45
SEC-998: Bundlor enabled in web, ldap, config and core modules
2009-04-24 09:12:53 +00:00
21e36e0a57
Updated version number from 2.5.0-SNPSHOT to 3.0.0.CI-SNAPSHOT
2009-04-22 12:55:52 +00:00
cac2bce382
Refactored SessionRegistryImpl to remove servlet API deps and moved back into core, along with other concurrent authentication package classes.
2009-04-21 06:05:14 +00:00
93bdcccaee
SEC-1132: Moved userdetails into core and added core/authority sub-package
2009-04-15 07:39:21 +00:00
10673780db
OPEN - issue SEC-1136: Removed SpringSecurityException. Introduced new AclException as base class for Acl module. Refactored JAAS authentication to map to AuthenticationExcpetions rather than SpringSecurityException. Modified ExceptionTranslationFilter to look explicitly for AuthenticationException or AccessDeniedException (which it should do since these are the only two it handles).
2009-04-13 14:56:49 +00:00
ca7d055c2b
SEC-1132: Created core and authentication packages within core module.
2009-04-13 13:43:23 +00:00
9efb5a7007
SEC-1132: Moved access-control/authorization specific code to org.sf.security.access package. Created provisioning package for user management classes to remove cyclical deps. Some other moving of classes to remove code tangles. Restructuring of portlet module under org.sf.security.portlet
2009-04-12 12:23:23 +00:00
32ebd277d4
SEC-1132: Deleted empty packages
2009-03-27 07:01:42 +00:00
f746a20ab4
SEC-1132: package refactoring of non-core modules
2009-03-27 05:01:03 +00:00
bec84f874a
SEC-1125: Further refactoring of web packages following creation of web module. Fixing samples.
2009-03-26 07:18:36 +00:00
2a9a8a41db
SEC-1125: Created separate web module spring-security-web
2009-03-25 06:28:18 +00:00
2c985a1c36
SEC-1126: separated out spring-security-config module containing namespace configuration classes and resources
2009-03-23 04:23:48 +00:00
Luke Taylor
Rob Winch