4098 Commits

Author SHA1 Message Date
Rob Winch
b192680df3 removed maven.gradle in favor of maven-deployment.gradle 2012-10-02 13:55:34 -05:00
Rob Winch
95d0e08059 Eclipse Project names include 3.0.x suffix 2012-10-02 12:05:18 -05:00
Rob Winch
4f993d95b5 Updates for 3.0.x autorepo support 2012-10-02 11:20:40 -05:00
Rob Winch
4c832fc946 SEC-2038: AbstractPreAuthenticationFilter afterPropertiesSet invokes super 2012-09-21 15:23:42 -05:00
Rob Winch
5945abb10a Revert "SEC-2045: AbstractPreAuthenticationFilter afterPropertiesSet invokes super"
This commit contains the wrong JIRA ID.

This reverts commit c53fd99430739ced5289c6bbe5c50563710fa610.
2012-09-21 15:23:42 -05:00
Rob Winch
8c224f39dc SEC-2045: AbstractPreAuthenticationFilter afterPropertiesSet invokes super 2012-09-21 14:52:42 -05:00
Rob Winch
f0a6b7ca27 SEC-2041: SaveContextServletOutputStream/SaveContextPrintWriter delegate all methods 2012-09-21 14:51:32 -05:00
Rob Winch
0350c2833e SEC-2055: SaveContextServletOutputStream flush/close delegates to original ServletOutputStream instead of using super 2012-09-21 14:51:18 -05:00
Rob Winch
7406e03306 SEC-1975: Ignore anonymous users for AuthenticationSimpleHttpInvokerRequestExecutor
Previously anonymous authentication was submitted as credentials over the wire which
caused the applications to attempt to authenticate the anonymous user.

Now if the user is anonymous (determined by the AuthenticationTrustResolver), the
AuthenticationSimpleHttpInvokerRequestExecutor does not populate any credentials.
2012-08-09 10:04:03 -05:00
Rob Winch
ca3c1979b8 SEC-2005: Ensure SecurityContext saved prior to the response being committed
Previously Spring Security did not save the Security Context immediately prior
to the following methods being invoked:

   - HttpServletResponse.flushBuffer()
   - HttpServletResponse.getWriter().close()
   - HttpServletResponse.getWriter().flush()
   - HttpServletResponse.getOutputStream().close()
   - HttpServletResponse.getOutputStream().flush()

This meant that the client could get a response prior to the SecurityContext
being stored. After the client got the response, it would make another request
and this would not yet be authenticated. The reason this can occur is because
all of the above methods commit the response, which means that the server can
signal to the client the response is completed. A similar issue happened in
SEC-398.

Now the previously listed methods are wrapped in order to ensure the SecurityContext
is persisted prior to the response being committed.
2012-08-09 10:03:48 -05:00
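The wrapping technique that SEC-2005 describes, shown as an added illustration rather than Spring Security's own SaveContextOnUpdateOrErrorResponseWrapper: every call that commits the response first runs a caller-supplied persistence step, so the client cannot receive the response before the SecurityContext is stored. The Runnable callback, the class name and the inner wrapper names are assumptions made for this example; it assumes the javax.servlet Servlet 2.5/3.0 API and, following SEC-2041 and SEC-2055, delegates stream and writer calls to the original objects rather than to super.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Illustrative response wrapper (example code, not the project's class).
 * The callback that persists the SecurityContext runs at most once, and
 * always before the first call that commits the response.
 */
public class SaveContextOnCommitResponseWrapper extends HttpServletResponseWrapper {

    // Assumption: caller supplies the step that stores the SecurityContext (e.g. in the HttpSession).
    private final Runnable saveContext;
    private boolean contextSaved;

    public SaveContextOnCommitResponseWrapper(HttpServletResponse response, Runnable saveContext) {
        super(response);
        this.saveContext = saveContext;
    }

    /** Persist once; later commit-triggering calls must not re-save. */
    private void saveContextIfNotSaved() {
        if (contextSaved) {
            return;
        }
        contextSaved = true;
        saveContext.run();
    }

    // flushBuffer, sendError and sendRedirect all commit the response per the Servlet spec.
    @Override
    public void flushBuffer() throws IOException {
        saveContextIfNotSaved();
        super.flushBuffer();
    }

    @Override
    public void sendError(int sc, String msg) throws IOException {
        saveContextIfNotSaved();
        super.sendError(sc, msg);
    }

    @Override
    public void sendRedirect(String location) throws IOException {
        saveContextIfNotSaved();
        super.sendRedirect(location);
    }

    // The stream and writer are wrapped so that their flush()/close() also save first.
    @Override
    public ServletOutputStream getOutputStream() throws IOException {
        return new SaveContextServletOutputStream(super.getOutputStream());
    }

    @Override
    public PrintWriter getWriter() throws IOException {
        return new SaveContextPrintWriter(super.getWriter());
    }

    /** Delegates every call to the original stream; OutputStream.flush() is a no-op, so super is never used. */
    private final class SaveContextServletOutputStream extends ServletOutputStream {
        private final ServletOutputStream delegate;

        SaveContextServletOutputStream(ServletOutputStream delegate) {
            this.delegate = delegate;
        }

        @Override
        public void write(int b) throws IOException {
            delegate.write(b);
        }

        @Override
        public void write(byte[] b, int off, int len) throws IOException {
            delegate.write(b, off, len);
        }

        @Override
        public void flush() throws IOException {
            saveContextIfNotSaved();
            delegate.flush();
        }

        @Override
        public void close() throws IOException {
            saveContextIfNotSaved();
            delegate.close();
        }
    }

    /** PrintWriter(Writer) passes print/write calls through to the original writer. */
    private final class SaveContextPrintWriter extends PrintWriter {
        SaveContextPrintWriter(PrintWriter delegate) {
            super(delegate);
        }

        @Override
        public void flush() {
            saveContextIfNotSaved();
            super.flush();
        }

        @Override
        public void close() {
            saveContextIfNotSaved();
            super.close();
        }
    }
}
```

A filter would wrap the response with this class before calling the rest of the chain and, after the chain returns, call the same save step once more in case nothing committed the response; the `contextSaved` flag keeps the two paths from storing the context twice.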
Rob Winch
c9facdd993 SEC-2013: Add space to log of AbstractAuthenticationProcessingFilter 2012-07-19 16:13:33 -05:00
Rob Winch
d2e6343295 SEC-1968: AbstractPreAuthenticatedProcessingFilter clears SecurityContext on null principal change with invalidateSessionOnPrincipalChange = true 2012-06-27 15:46:10 -05:00
Rob Winch
31338a7bdb SEC-1875: ConcurrentSessionControlStrategy no longer adds/removes the session to the SessionRegistry twice
This fixes two issues introduced by SEC-1229

 * SessionRegistry.registerNewSession is invoked twice

 * SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should handle removing the session twice. However, as removing
twice requires an unnecessary database hit we should only remove
sessions once.
2012-06-26 16:39:08 -05:00
Rob Winch
7714c5cd02 .gitignore bin and */src/*/java/META-INF 2012-06-15 14:54:48 -05:00
Rob Winch
5ed5590268 SEC-1970: Cleanup of pre authentication documentation
* Removed custom-authentication-provider from documentation
* Rephrased to make the pre authentication documentation a little more concise
* Removed nested () within text (not code)
* Removed user which should have been use
2012-06-15 14:51:50 -05:00
Rob Winch
5dd6b4a77a SEC-1865: Remove invalid OWASP link in TextEscapeUtils 2012-06-11 16:36:25 -05:00
Rob Winch
5118e0b86e SEC-1943: Corrected namespace doc to state SecurityContextHolderAwareRequestFilter instead of SecurityContextHolderAwareFilter 2012-03-20 19:22:54 -05:00
Rob Winch
21f2991ab4 Call SecurityContextHolder.clearContext() in tear down of HttpSessionSecurityContextRepositoryTests 2011-12-30 16:31:37 -06:00
Rob Winch
3679227b11 SEC-1735: Do not remove SecurityContext from HttpSession when anonymous Authentication is saved if original SecurityContext was anonymous 2011-12-30 16:31:31 -06:00
Rob Winch
25e17c1568 SEC-1881: Configure surefire to include **/*Test.class to avoid accidentally not running new tests that end in Test 2011-12-30 12:53:33 -06:00
Rob Winch
9847366d5e SEC-1881: Renamed **/*Test.java to **/*Tests.java since **/*Test.java are not included in surefire configuration
NOTE: Some tests no longer pass and thus are being ignored until SEC-1882 is fixed. This is still better than
the previous situation since before all the tests ending in Test.java were ignored and this ensures that most of
these tests will be run with the build.
2011-12-30 12:46:41 -06:00
Rob Winch
7cb472f105 SEC-1880: Corrected error message when using both logout-success-url and success-handler-ref 2011-12-30 11:35:48 -06:00
Rob Winch
863b36962b SEC-1878: Added test to ensure that DefaultFilterChainValidator can handle web expressions 2011-12-28 16:24:48 -06:00
Rob Winch
bbfb3da9c7 Updated to maven-resources-plugin 2.4
This is to fix an error when using the latest m2e plugin that states: 'maven-resources-plugin prior to 2.4 is not supported by m2e'
2011-12-28 15:20:06 -06:00
Luke Taylor
b1af3d00ee SEC-1857: Use Principal.getName() in ContextPropagatingRemoteInvocation
This is a better option than using the toString() method
where the latter doesn't return the username. e.g when the
principal is a UserDetails.
2011-12-05 21:24:28 +00:00
Luke Taylor
daa7f3f64e SEC-1848: LDAP encode name when using user DN patterns in AbstractLdapAuthenticator. 2011-11-01 13:30:44 +00:00
Rob Winch
7a3135f0f9 SEC-1839: Updated preauth example to use </security:authentication-manager> instead of </security-authentication-manager> 2011-10-18 19:19:27 -05:00
Luke Taylor
82163e2546 Remove ancient code formatter artifacts. 2011-09-25 21:20:02 +01:00
Luke Taylor
2d27b28199 Set version to 3.0.8.CI-SNAPSHOT. 2011-09-05 23:04:06 +01:00
Luke Taylor
714ee3e960 Set version to 3.0.7.RELEASE. 3.0.7.RELEASE 2011-09-05 23:03:17 +01:00
Luke Taylor
ee74c4ced2 SEC-1803: Add check in AbstractAuthenticationTargetUrlRequestHandler for null targetUrlParameter before attempting to read it from the request. Prevents NPE when targetUrlParameter is not set. 2011-08-29 13:47:31 +01:00
Luke Taylor
102027a44c SEC-1804: Updated Javadoc wrt immutability of User class. 2011-08-25 11:10:41 +01:00
Luke Taylor
799a43d72e SEC-1804: Update InMemoryDaoImpl to use User class directly and create a copy. Otherwise credentials are cleared on cached user instances. 2011-08-25 11:09:02 +01:00
Luke Taylor
3dc4158f7d Set version to 3.0.7.CI-SNAPSHOT 2011-08-19 12:52:39 -07:00
Luke Taylor
62f70f17ff Set project release version to 3.0.6.RELEASE 3.0.6.RELEASE 2011-08-19 12:47:55 -07:00
Luke Taylor
4b0fbe1606 Remove session timeout check in tutorial sample. 2011-08-19 12:47:06 -07:00
Luke Taylor
a8bce41876 SEC-1795: Fix possible NPEs in AclImpl.equals() 2011-08-19 12:03:04 -07:00
Luke Taylor
cea1f4499f SEC-1686: Upgrade to Spring 3.0.6 2011-08-19 10:15:48 -07:00
Luke Taylor
c19a5ffd73 SEC-1796: Check for annotated annotations at class/interface level. Previously only the specific security annotation was checked for. By delegating to Spring's AnnotationUtils, custom annotations carrying the security annotation are also detected. 2011-08-12 14:36:42 +01:00
Luke Taylor
594ee9515e Taglib test fixes to take latest SFW changes into account. 2011-08-11 23:44:01 +01:00
Luke Taylor
a087e828a6 SEC-1790: Disable use of spring-security-redirect by default for SimpleUrlLogoutSuccesshandler. 2011-08-05 16:54:35 +01:00
Luke Taylor
5238ba0e26 SEC-1790: Reject redirect locations containing CR or LF. 2011-07-29 16:34:48 +01:00
Luke Taylor
887e3361d2 SEC-1750: Make sure RunAs replacement is constrained to the SecurityContext of the current thread. 2011-07-29 16:32:40 +01:00
Luke Taylor
a24570ae06 SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider. 2011-07-29 16:32:40 +01:00
Luke Taylor
ba719dc0e1 SEC-1741: Modify ContextPropagatingRemoteInvocation to pass a simple combination of principal/credentials as Strings, rather than serializing the whole SecurityContext object from the client. 2011-07-29 16:32:40 +01:00
Luke Taylor
28e70db8f2 SEC-1742: Deprecate use of extraInformation field in AuthenticationException, making it transient and removing any sensitive data in UserDetails objects which are stored in it. 2011-07-29 16:32:40 +01:00
Rob Winch
84031c6001 SEC-1792: Fixed NullPointerException in RunAsUserToken#toString() 2011-07-29 10:00:37 -05:00
Luke Taylor
ca2af8bc59 SEC-1770: Call refreshLastRequest on the session registry rather than the SessionInformation object to make sure it works with alternative SessionRegistry implementations. 2011-07-13 20:57:18 +01:00
Luke Taylor
6f59805ef3 SEC-1782: Javadoc correction for LdapAuthenticationProvider. 2011-07-12 01:51:42 +01:00
Rob Winch
f359bed596 SEC-1777: Corrected log in HttpSessionSecurityContextRepository to reference itself instead of HttpSessionContextIntegrationFilter 2011-07-09 19:27:59 -05:00