Rob Winch
24c3bdfd90
SEC-2013: Add space to log of AbstractAuthenticationProcessingFilter
2012-07-19 16:13:12 -05:00
Rob Winch
1710f32a08
SEC-2011: Moved SessionRegistry documentation of SessionRegistry#onAuthentication
Previously the documentation was referring to what ConcurrentSessionControlStrategy
performed.
Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication
method.
2012-07-19 11:15:06 -05:00
Rob Winch
b868daaa8c
SEC-2011: Remove reference to SessionRegistry from SessionFixationProtectionStrategy javadoc
Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).
Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
2012-07-19 10:20:40 -05:00
Rob Winch
aa4ec9a508
Cleaned up warnings in JdbcTokenRepositoryImpl and JdbcTokenRepositoryImplTests
2012-07-18 16:35:57 -05:00
Rob Winch
340534dadb
SEC-1964: Handle missing series in JdbcTokenRepositoryImpl
Previously JdbcTokenRepositoryImpl would log an error with a misleading
message when the token series was missing.
Now JdbcTokenRepositoryImpl logs missing token series at info level with
a more informative message.
2012-07-18 16:35:57 -05:00
Rob Winch
f2345fcb21
SEC-1981: Remove dependency on Locale for the build
2012-07-05 13:30:41 -05:00
Rob Winch
a2452ab514
SEC-1906: Update to Gradle 1.0
2012-07-05 12:41:56 -05:00
Rob Winch
2fba10ab61
Use powermock for testing servlet 3.0 functionality instead of distinct classpaths
2012-07-01 12:37:01 -05:00
Rob Winch
f6902471fb
SEC-1965: DefaultWebSecurityExpressionHandler is now passive from 3.0.x releases
There were two issues that needed to be resolved:
- Since DefaultWebSecurityExpressionHandler no longer implemented WebSecurityExpressionHandler a bean lookup by
type would not work. This caused failures in the JSF support.
- The method createEvaluationContext needed to be explicitly defined on WebSecurityExpressionHandler since the
parameterized type from the super interface is not preserved at compile time. Without explicitly defining the
method any class compiled against a previous version would cause a NoSuchMethodException.
2012-06-28 10:54:01 -05:00
Rob Winch
b6ec700640
SEC-1968: AbstractPreAuthenticatedProcessingFilter clears SecurityContext on null principal change with invalidateSessionOnPrincipalChange = true
2012-06-27 15:49:18 -05:00
Rob Winch
de3dfb5b3f
SEC-1875: ConcurrentSessionControlStrategy no longer adds/removes the session to the SessionRegistry twice
This fixes two issues introduced by SEC-1229
* SessionRegistry.registerNewSession is invoked twice
* SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should handle removing the session twice. However, as removing
twice requires an unnecessary database hit, we should only remove
sessions once.
2012-06-26 16:36:41 -05:00
Rob Winch
520b65e2e3
SEC-1865: Remove invalid OWASP link in TextEscapeUtils
2012-06-11 14:49:28 -05:00
Rob Winch
c446697de3
Cleaned up warnings in FilterChainProxyTests
2012-04-11 17:23:07 -05:00
Rob Winch
bb8f3bae7c
SEC-1950: Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy
2012-04-11 17:22:19 -05:00
Rob Winch
a4322d70ba
Merge pull request #5 from tburch/setUseSecureCookie-typo
fix typo in AbstractRememberMeServices.setUseSecureCookie method documentation
2012-03-13 17:02:43 -07:00
Rob Winch
84141c4c76
SEC-1927: Corrected debug log in SessionManagementFilter to have a space between ID and the session and added guard to log statement
2012-03-11 18:35:38 -05:00
Tristan Burch
e7f47964ee
fix typo in setUseSecureCookie method documentation
2012-03-09 17:01:17 -07:00
Luke Taylor
5d71d2a4fa
SEC-1887: Add MethodSecurityOperations interface.
This should cater for implementations which want to use
the full filtering capabilities while creating a custom
expression root object.
Also cleaning whitespace.
2012-02-01 15:49:56 +00:00
Luke Taylor
538e75ce1b
SEC-1903: Use a static CRLF Pattern in FirewalledResponse
The Pattern was being recompiled for every request
when a single instance could be shared for performance
reasons.
2012-02-01 13:21:16 +00:00
Andrei Stefan
0f9ee81df1
SEC-1887: Improve extensibility of expression-based security classes
Introduces a new SecurityExpressionOperations interface which is
implemented by SecurityExpressionRoot
2012-01-31 19:06:43 +00:00
Rob Winch
22225effcc
Call SecurityContextHolder.clearContext() in tear down of HttpSessionSecurityContextRepositoryTests
2011-12-30 16:05:35 -06:00
Rob Winch
5d94cd5e13
SEC-1735: Do not remove SecurityContext from HttpSession when anonymous Authentication is saved if original SecurityContext was anonymous
2011-12-30 16:04:02 -06:00
Rob Winch
6fe6e18939
SEC-1870: Updated HttpSessionDestroyedEvent to properly look for SecurityContexts as session attribute values instead of session attribute names
2011-12-29 15:44:49 -06:00
Rob Winch
8ca2927761
Renamed **/Test.java to **/Tests.java to better follow conventions
2011-12-28 17:39:29 -06:00
Luke Taylor
0bccbbfc18
SEC-1779: Make new getters protected rather than public.
2011-11-01 00:20:34 +00:00
Luke Taylor
f456db267f
SEC-1779: Added getters for success and failure handlers to AbstractAuthenticationProcessingFilter.
2011-11-01 00:06:23 +00:00
Luke Taylor
09ac4bd8f9
SEC-1833: Remove unused securityContextClass from HttpSessionSecurityContextRepository.
2011-10-31 23:44:43 +00:00
Luke Taylor
44e2543015
Minor changes to make filter chain validation more robust with custom request matchers.
2011-10-24 21:21:10 +01:00
Luke Taylor
f1e63f3008
SEC-1802: Add digits to valid URL scheme regex.
2011-10-21 17:25:50 +01:00
Luke Taylor
869c6a7c18
SEC-1800: Set input size to 30 for OpenID login.
2011-09-25 21:13:37 +01:00
Luke Taylor
824464516c
SEC-1790: Reject redirect locations containing CR or LF.
2011-08-12 19:44:26 +01:00
Luke Taylor
6333909107
SEC-1797: Create a new session in AbstractPreAuthenticatedProcessingFilter when the existing session is invalidated on detecting a principal change.
2011-08-12 19:07:17 +01:00
Luke Taylor
0c2a950fa0
SEC-1788: Avoid unnecessary call to getPreAuthenticatedPrincipal() in AbstractPreAuthenticatedProcessingFilter when checking for principal changes is not enabled.
2011-08-10 17:07:09 +01:00
Luke Taylor
8740efc0f5
Added constructor injection options to ConcurrentSessionFilter
2011-07-18 15:09:31 +01:00
Luke Taylor
a1c714cff4
SEC-1754: Added an InvalidSessionStrategy to allow SessionManagementFilter to delegate out the behaviour when an invalid session identifier is submitted.
2011-07-14 16:43:02 +01:00
Luke Taylor
8440743108
Remove Sql query objects from JdbcTokenRepositoryImpl in favour of direct JdbcTemplate use.
2011-07-13 23:28:41 +01:00
Luke Taylor
700fa9e0b6
SEC-1772: Remove URL decoding of targetUrlParameter in AbstractAuthenticationTargetUrlRequestHandler.
2011-07-13 22:13:52 +01:00
Luke Taylor
de97bac85b
SEC-1763: Prevent nested switches in SwitchUserFilter by calling attemptExitUser() before doing the switch.
2011-07-13 21:59:11 +01:00
Luke Taylor
a504cfae1a
SEC-1770: Call refreshLastRequest on the session registry rather than the SessionInformation object to make sure it works with alternative SessionRegistry implementations.
2011-07-13 20:56:47 +01:00
Rob Winch
330f82f562
SEC-1777: Corrected log in HttpSessionSecurityContextRepository to reference itself instead of HttpSessionContextIntegrationFilter
2011-07-09 19:24:12 -05:00
Rob Winch
825f0061fb
SEC-1761: Support HttpOnly Flag for Cookies when using Servlet 3.0
2011-07-09 19:23:51 -05:00
Luke Taylor
56e86dd36f
Adding assertions on constructor arg values.
2011-07-06 20:50:25 +01:00
Luke Taylor
f92589f051
Extract a SecurityFilterChain interface and create a default implementation to facilitate other configuration options.
2011-07-06 00:12:48 +01:00
Luke Taylor
2d271666a4
Add constructors to facilitate constructor-based injection for required/shared bean properties.
2011-07-05 20:25:49 +01:00
Luke Taylor
73442125de
SEC-1775: Removed internal use of UserAttribute class in AnonymousAuthenticationFilter.
2011-07-04 21:09:48 +01:00
Luke Taylor
b15475ab3d
SEC-1771: Change TokenBasedRememberMeServices to obtain password from UserDetailsService if necessary.
2011-07-02 20:36:42 +01:00
Luke Taylor
737a9d1825
Improved toString methods on request wrappers.
2011-07-02 20:36:41 +01:00
Luke Taylor
571bfc4869
Refactoring to use Utf8 encoder instead of String.getBytes("UTF-8").
2011-06-14 18:47:50 +01:00
Luke Taylor
685f12c5a0
SEC-1733: Support explicit zero netmask correctly.
2011-06-07 12:15:07 +01:00
Luke Taylor
f5f410ae3b
Clean unused imports.
2011-05-25 20:39:16 +01:00