f20649f035
SEC-1648: added null check for getTargetUrlParameter() in SavedRequestAwareAuthenticationSuccessHandler.onAuthenticationSuccess and updated validation for AbstractAuthenticationTargetUrlRequestHandler.setTargetUrlParameter
2011-01-13 20:29:37 -06:00
eeb466b613
SEC-1648: Implemented Rob's suggestion to use a null value for the targetUrlParameter rather than a boolean property. It should thus only be used if this value is set.
2011-01-12 13:26:05 +00:00
bf59c75886
Test class to improve coverage of WAS-specific preauth code.
2011-01-07 19:49:50 +00:00
7fd3aa2b45
SEC-1603: Add support for injecting an AuthenticationSuccessHandler into RememberMeAuthenticationFilter.
2011-01-06 13:02:38 +00:00
423f9eae7a
SEC-1648: Added a useTargetUrlparameter property to AbstractAuthenticationTargetUrlRequestHandler which defaults to false.
...
This ensures that users will think about the context in which they are enabling the use of a parameter to determine the redirect location.
2011-01-05 13:14:02 +00:00
428a0b7dce
SEC-1639: Removed url argument from FilterChainProxy's VirtualFilterChain, since this can be directly computed from the request instance in the debug statements.
2010-12-20 14:13:13 +00:00
7cf9740fd4
SEC-1638: Added an example configuration to the Javadoc for ChannelProcessingFilter and a pointer from the reference manual.
2010-12-17 17:09:20 +00:00
7c04fdbc90
SEC-1639: FirewalledRequest is now called on the specific FirewalledRequest instance rather that looping through ServletRequestWrappers.
...
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.
2010-12-16 21:57:26 -06:00
c8820166c8
SEC-1576: Parameterize the secured object type in AccessDecisionVoter.
2010-12-16 15:21:22 +00:00
ce421f22bf
SEC-1635: Stop security interceptors from calling AfterInvocationManager if exception occurs during invocation
2010-12-14 16:24:51 +00:00
2be2660b13
SEC-1636: Add optimizations for simple pattern cases in AntPathRequestMatcher. "/**" and "**" are treated as universal matches and a trailing "/**" is now optimized using a substring match.
2010-12-11 21:56:35 +00:00
4a40d80da1
SEC-1418: Deprecate GrantedAuthorityImpl in favour of final SimpleGrantedAuthority.
...
It should be noted that equality checks or lookups with Strings or other authority types will now fail where they would have succeeded before.
2010-12-03 16:41:46 +00:00
4ad0652787
Removed array of authorities constructor from TestingAuthenticationToken and RunAsUserToken.
2010-12-01 20:52:37 +00:00
9b29dcb8bf
SEC-1430: Removed username attribute from WebAttributes class.
2010-11-26 14:20:19 +00:00
43be9ea2a4
SEC-1430: Removed caching of username in session upon failed authentication. Improved Javadoc.
2010-11-26 13:58:49 +00:00
d64efe9747
SEC-1492: Added GrantedAuthoritiesMapper to provide mapping of loaded authorities to those which are eventually stored in the user Authentication object.
2010-11-25 15:19:37 +00:00
60970dd9c4
Added some tests for web expression handling code.
2010-11-15 20:01:38 +00:00
2d9f98d535
SEC-1412: DefaultSavedRequest should ignore "If-Modified-Since" headers to prevent re-displaying the login form (the cached result of the original request).
2010-11-15 16:14:24 +00:00
8b51c2c97d
SEC-1587: Add explicit call to removeAttribute() to remove the context from the session if the current context is empty or anonymous.
...
Allows for the situation where a user is logged out without invalidating the session.
2010-11-09 13:55:45 +00:00
4f51eb09c0
SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward
2010-11-03 15:27:59 -05:00
1c8d28501c
SEC-1550: Convert signatures to use Collection<? extends GrantedAuthority> where appropriate.
2010-11-03 13:48:59 +00:00
8d867e8b67
Updated integration tests to detect case reported as SPR-7563.
2010-11-02 20:35:24 +00:00
54d0a263de
SEC-1590: Removed WebAuthenticatioDetails.doPopulateAdditionalInformation() method which is caled from superclass constructor.
2010-11-02 19:50:40 +00:00
43ec2beec0
SEC-1183: Modified Attributes2GrantedAuthoritiesMapper to return Collection<? extends GrantedAuthority>.
2010-11-02 14:02:55 +00:00
84efffb937
SEC-1542: Add a setter for the UserDetailsChecker in AbstractRememberMeServices.
2010-11-02 13:41:59 +00:00
0696bed78e
SEC-1608: Make sure FirewalledRequest.reset() is called when filter="none"
2010-11-02 12:08:39 +00:00
21ed5feb8d
SEC-1600: Added Implementation-Version and Implementation-Title to manifest templates and checking of version numbers in namespace config module and core. Config checks the version of core it is running against and core checks the Spring version, reporting any mismatches or situations where the app is running with less than the recommended Spring version.
2010-10-27 13:25:40 +01:00
4de8b84b0d
SEC-1543: Change IpAddressMatcher to return false when comparing an Inet6Address with an Inet4Address rather than raising an exception.
2010-10-27 13:25:40 +01:00
883ca2a55d
Import cleaning.
2010-10-27 13:25:40 +01:00
1724d1eac6
SEC-1561: HttpSessionSecurityContextRepository should check whether the session contains the context attribute in case a new session has been created during the request. If the attribute is empty, then the context should be stored regardless of whether a change is detected or not.
2010-10-27 13:25:39 +01:00
a6d47203db
FilterInvocation should set queryString on dummy request.
2010-10-27 13:25:39 +01:00
7d97adc687
SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/".
2010-10-27 13:25:39 +01:00
70600a0277
SEC-1552 Refactor AuthorizeTag and LegacyAuthorize tag to make them independent of JSP tag rendering.
2010-10-26 12:33:51 +01:00
ee12d54bec
SEC-1536: moved web.authentication.jaas to web.jaasapi
...
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
2010-10-05 22:28:42 -05:00
1b2b371970
SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element.
...
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.
Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
2010-09-16 16:03:24 +01:00
551166a577
ApacheDS workDir property should be passed to the test process, not set as a system property in the main build process.
2010-09-14 14:43:21 +01:00
de819378fc
SEC-1536: added JAAS API Integration, updated doc, updated jaas sample
2010-09-13 13:12:45 -05:00
c5231fc213
SEC-1538: Deprecate PreAuthenticatedGrantedAuthoritiesAuthenticationDetails (forgot originally) and update documentation to remove reference to AbstractPreAuthenticationAuthenticationDetailsSource.
2010-09-13 12:19:21 +01:00
af56f4844d
SEC-1562: Created SecurityExpressionHandler interface and AbstractSecurityExpressionHandler.
2010-09-07 19:46:45 +01:00
b0998c01bc
SEC-1553: Make WebAuthenticationDetails serializable
2010-09-01 18:43:07 +01:00
f4d57ab5e8
SEC-1456: Remove maven poms as we are now using gradle for the build.
2010-08-30 19:02:19 +01:00
1a1372ab84
Removed deprecated AspectJInterceptor classes since these cannot be used with the existing MethodSecurityMetadataSource implementations (which no longer support JoinPoin as a secured object). Added some more tests.
2010-08-28 21:41:19 +01:00
ba890cf7e5
Removed invalid test method.
2010-08-24 21:03:33 +01:00
d1e8b8e29d
More tests. Minor refactoring.
2010-08-24 20:57:45 +01:00
bf9d4a9747
Remove unnecessary local variable.
2010-08-24 20:29:25 +01:00
bdb906e588
Enable parameterization for log levels in logback files to allow the use of command-line options for controlling log output.
2010-08-24 18:25:39 +01:00
102bc2d6a0
Reduce unnecessary use of aspectj as a build dependency
2010-08-19 23:23:03 +01:00
c37ca1c2a9
Sample app build adjustments to remove unwanted deps such as jsp-api, tidy up use of JSTL, make sure all are using servlet 2.5 etc.
2010-08-19 22:41:51 +01:00
1680807470
Added eclipse plugin to build. Some minor fixes to remove eclipse warnings.
2010-08-18 14:11:16 +01:00
3c02989d67
Removal of jmock test dependency and upgrading of mockito version to 1.8.5. Minor adjustments to other build deps and configurations (e.g. prevent groovy from being used as a transitive dep, since we only use it for tests).
2010-08-18 02:32:43 +01:00
Rob Winch
Luke Taylor
Rob Winch
Rossen Stoyanchev