Commit Graph

5300 Commits

Author SHA1 Message Date
Rob Winch c67ff42b8a SEC-2783: XML Configuration Defaults Should Match JavaConfig
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
2014-12-08 15:09:15 -06:00
Rob Winch b56e5edbbd SEC-2784: Fix build plugins 2014-12-08 14:24:34 -06:00
Rob Winch 5f5e7e7265 SEC-2785: Reference outputs PDF, Html Multi, & epub 2014-12-08 13:29:15 -06:00
Rob Winch 87a52ffbfd SEC-2784: Update to Gradle 2.2.1 2014-12-08 13:29:07 -06:00
Rob Winch 6e204fff72 SEC-2781: Remove deprecations 2014-12-04 15:28:40 -06:00
Rob Winch 5bb0ce9a8f SEC-2773: Add Test for static delegatingApplicationListener 2014-12-01 12:06:09 -06:00
Oliver Gierke 0f7c2e4128 SEC-2773: Prevent premature container initialization in WebSecurityConfiguration.
Changed the bean definition method for the DelegatingApplicationListener
to be static to avoid the need to instantiate the configuration class which
caused further premature initializations to satisfy the dependencies
expressed in setFilterChainProxySecurityConfigurer(…).
2014-12-01 11:38:19 -06:00
Rob Winch 2cb2657f5b SEC-2702: Clean WebSocket Namespace documentation 2014-11-25 12:27:29 -06:00
Rob Winch 8ad16b01f5 SEC-2702: Add WebSocket Security XML Namespace Support 2014-11-25 09:45:32 -06:00
Rob Winch 09f6210c73 SEC-2347: Polish 2014-11-21 22:31:03 -06:00
Rob Winch 3c487c0348 SEC-2348: Update doc headers enabled by default with XML 2014-11-21 21:55:03 -06:00
Rob Winch 4392205f63 SEC-2347: CSRF Enabled by default w/ XML Config 2014-11-21 21:32:56 -06:00
Rob Winch eedbf44235 SEC-2348: Security HTTP Response Headers enabled by default w/ XML 2014-11-21 16:06:29 -06:00
Rob Winch 2e1e9885ec SEC-2054: Polish
Fix the tests to use .getName() for assertions
2014-11-21 11:08:30 -06:00
Rob Winch e2f7b38b87 SEC-2054: BasicAuthenticationFilter not invoked on ERROR dispatch 2014-11-21 10:47:45 -06:00
Rob Winch dfa17bdb98 SEC-2747: Remove spring-core dependency from spring-security-crypto 2014-11-20 16:16:22 -06:00
Rob Winch 30c5788b8b SEC-1897: Remove raw types from AbstractAccessDecisionManager 2014-11-20 15:36:53 -06:00
Rob Winch 1cca72e6d8 SEC-2749: CsrfConfigurer.requireCsrfProtectionMatcher correct null check 2014-11-20 14:40:51 -06:00
Rob Winch 4d738d8576 SEC-2491: KeyBasedPersistenceTokenService defaults to 32 bytes 2014-11-20 14:40:07 -06:00
Rob Winch 0704f88e99 SEC-2344: Remove check for DefaultParameterNameDiscoverer
Spring Security now requires Spring 4, so there is no need to perform a
check if Spring 4 is present.
2014-11-20 12:09:38 -06:00
Rob Winch 3089f1603e SEC-2682: DelegatingSecurityContextRunnable/Callable delegate toString() 2014-11-20 11:51:05 -06:00
Rob Winch 05882b5f24 SEC-2574: Polish
Handle null DelegatingApplicationListener
2014-11-19 17:09:24 -06:00
Rob Winch 5810681b06 SEC-2574: JavaConfig default SessionRegistry processes SessionDestroyedEvents 2014-11-19 16:48:19 -06:00
Rob Winch 4dcc89fab0 SEC-2674: Documentation refers to httpStrictTransportSecurity() instead of hsts() 2014-11-19 13:31:09 -06:00
Rob Winch 002a78d87d SEC-2768: DefaultMessageSecurityExpressionHandler sets PermissionEvaluator 2014-11-19 11:58:58 -06:00
Rob Winch 95c70f29bd SEC-2769: DefaultMessageSecurityExpressionHandler sets RoleHierarchy 2014-11-19 11:58:54 -06:00
Rob Winch ff95a34b1f SEC-2705: DefaultMessageSecurityExpressionHandler populates AuthenticationTrustResolver 2014-11-19 11:25:07 -06:00
Rob Winch 3b8f7fdd67 SEC-2732: ehcache-core -> ehcache 2014-11-18 17:14:30 -06:00
Rob Winch 55d6d5a86a SEC-2615: accesscontrollist tag hasPermission performs OR not AND
In 3.1 the accesscontrollist tag began performing an and on the
permissions. This may have been accidental, but I think that it is more
intuitive & secure for it to behave this way. When compared to hasAnyRole
and hasRoles the hasPermission tag implies it is an and. If users end up
needing OR support, then the authorize tag can be used along with the
hasPermission expression. For example:

  <sec:authorize access="hasPermission(#domain, 'read') or hasPermission(#domain, 'write') ">

In general, the authorize tag should be preferred as it is the more
powerful way of performing authorization checks.
2014-11-18 16:59:46 -06:00
Mikhail Stryzhonok f20219d541 Added possibility to create custom Sid 2014-11-18 13:27:36 -06:00
Rob Winch fa9e7999da SEC-2569: SavedRequestAwareWrapper no longer overrides getCookies()
Previously SavedRequestAwareWrapper overrode the getCookies() method. This
meant that the cookies from the original request were used instead of the
new request. In general, this does not make sense since cookies are
automatically submitted in every request by a client. Additionally, this
caused problems with using a locale cookie that was specified after the
secured page was requested.

Now SavedRequestAwareWrapper uses the new incoming request for determining
the cookies.
2014-11-18 13:17:27 -06:00
Rob Winch 97df23e3b5 Add IDE Setup to CONTRIBUTING 2014-10-28 22:09:53 -05:00
Rob Winch 24dec7ec3e SEC-2737: Remove WebSocket Outbound Authorization 2014-10-10 15:56:25 -05:00
Rob Winch 4e7398eec0 SEC-2150: Support class level annotations on Spring Data Repositories 2014-09-26 13:47:37 -05:00
Rob Winch d429c96253 SEC-2150: Add tests to verify JSR-250 Spec behavior 2014-09-26 13:46:10 -05:00
Andy Wilkinson a28650c715 Provide a ClassLoader to be used to load LDIF files
Prior to this change, ApacheDSContainer created a LdifFileLoader
without a ClassLoader. This limited its ability to load LDIF files
and causes a problem with an executable war in Spring Boot. See [1]
for details.

ApacheDSContainer now initialises LdifFileLoader with a ClassLoader.
This allows it to locate LDIF files packaged in WEB-INF/classes in
the case of an executable war file. The executable jar case was not
affected by this problem as, in that case, the LDIF file is packaged
in the root of the jar and is accessible via getSystemResourceAsStream.

[1] https://github.com/spring-projects/spring-boot/issues/1550
2014-09-24 13:49:15 -05:00
Rob Winch 5ba8f000a7 SEC-2714: Add AuthenticationPrincipal resolver for messaging support 2014-09-23 16:28:48 -05:00
Rob Winch d2fa019fe5 SEC-2704: Separation of inbound and outbound security rules 2014-09-19 16:39:43 -05:00
Rob Winch 28446284a6 SEC-2713: Support authorization by SimpMessageType 2014-09-19 16:38:56 -05:00
Rob Winch b717333707 Polish messaging generics and imports 2014-09-16 14:31:06 -05:00
Rob Winch b6fcde880a SEC-2703: ChannelSecurityInterceptor use ThreadLocal for InterceptorStatusToken 2014-09-16 13:46:10 -05:00
Rob Winch e7edb77cae SEC-2716: Fix doc spelling of AbstractPreAuthenticatedProcessingFilter 2014-09-16 10:56:52 -05:00
Rob Winch d316f661e8 SEC-2719: Fix order-sensitive authenticated().withRoles(..) 2014-09-16 10:54:50 -05:00
Rob Winch 02c3565e22 Fix compiling in Eclipse 2014-09-16 10:18:46 -05:00
Rob Winch 39d544b901 Merge pull request #121 from bonifaido/patch-1
Removed unnecessary params from anyRequest()'s javadoc
2014-09-01 22:30:25 -05:00
Rob Winch 96ea4ddc7b Merge pull request #120 from bura/fix-clickjacking-url
Fixed broken url to Clickjacking description.
2014-09-01 22:29:39 -05:00
Nándor István Krácser a932d6ecf3 Removed unnecessary params from anyRequest()'s javadoc 2014-08-20 11:24:15 +02:00
Bloshchetsov Andrey Evgenyevich bd322542ca Fixed broken url to Clickjacking description. 2014-08-20 10:11:21 +04:00
Rob Winch 57ea75a7ce Merge pull request #118 from benmccann/patch-1
Artifacts should be downloaded using https
2014-08-18 17:03:36 -05:00
Rob Winch b9df7ba01f SEC-2179: Allow customizing PathMatcher for SimpDestinationMessageMatcher 2014-08-18 11:04:04 -05:00