Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-01-13 18:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
4,587 Commits 47 Branches 369 Tags
Commit Graph

158 Commits

Author SHA1 Message Date
Rob Winch
c446697de3 Cleaned up warnings in FilterChainProxyTests 2012-04-11 17:23:07 -05:00
Rob Winch
bb8f3bae7c SEC-1950: Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy 2012-04-11 17:22:19 -05:00
Rob Winch
22225effcc Call SecurityContextHolder.clearContext() in tear down of HttpSessionSecurityContextRepositoryTests 2011-12-30 16:05:35 -06:00
Rob Winch
5d94cd5e13 SEC-1735: Do not remove SecurityContext from HttpSession when anonymous Authentication is saved if original SecurityContext was anonymous 2011-12-30 16:04:02 -06:00
Rob Winch
6fe6e18939 SEC-1870: Updated HttpSessionDestroyedEvent to properly look for SecurityContexts as session attribute values instead of session attribute names 2011-12-29 15:44:49 -06:00
Rob Winch
8ca2927761 Renamed **/Test.java to **/Tests.java to better follow conventions 2011-12-28 17:39:29 -06:00
Luke Taylor
f1e63f3008 SEC-1802: Add digits to valid URL scheme regex. 2011-10-21 17:25:50 +01:00
Luke Taylor
824464516c SEC-1790: Reject redirect locations containing CR or LF. 2011-08-12 19:44:26 +01:00
Luke Taylor
a1c714cff4 SEC-1754: Added an InvalidSessionStrategy to allow SessionManagementFilter to delegate out the behaviour when an invalid session identifier is submitted. 2011-07-14 16:43:02 +01:00
Luke Taylor
de97bac85b SEC-1763: Prevent nested switches in SwitchUserFilter by calling attemptExitUser() before doing the switch. 2011-07-13 21:59:11 +01:00
Rob Winch
825f0061fb SEC-1761: Support HttpOnly Flag for Cookies when using Servlet 3.0 2011-07-09 19:23:51 -05:00
Luke Taylor
f92589f051 Extract a SecurityFilterChain interface and create a default implementation to facilitate other configuration options. 2011-07-06 00:12:48 +01:00
Luke Taylor
2d271666a4 Add constructors to facilitate constructor-based injection for required/shared bean properties. 2011-07-05 20:25:49 +01:00
Luke Taylor
73442125de SEC-1775: Removed internal use of UserAttribute class in AnonymousAuthenticationFilter. 2011-07-04 21:09:48 +01:00
Luke Taylor
685f12c5a0 SEC-1733: Support explicit zero netmask correctly. 2011-06-07 12:15:07 +01:00
Luke Taylor
ec97b70df9 SEC-1668: Allow customization of username parameter in SwitchUserFilter. 2011-05-25 20:03:02 +01:00
Luke Taylor
6d04670f87 SEC-1695: Allow customization of the session key under which the SecurityContext is stored. 2011-05-25 19:51:47 +01:00
Luke Taylor
6e91786f92 SEC-1734: AbstractRememberMeServices will now default to using a secure cookie if the connection is secure. The behaviour can be overridden by setting the useSecureCookie property in which case the cookie will either always be secure (true) or never (false). 2011-05-09 13:36:23 +01:00
Luke Taylor
37d0454fd7 SEC-1657: Create SecurityFilterChain class for use in configuring FilterChinProxy. Encapsulates a RequestMatcher and List<Filter>. 2011-04-23 22:15:35 +01:00
Luke Taylor
614d8c0321 SEC-1723: Use standard SpEL syntax for accessing beans in the app context by name. 2011-04-22 13:47:59 +01:00
Luke Taylor
acf4b91a89 SEC-1674: Test to check that absolute URLs work in SimpleUrlLogoutSuccessHandler. 2011-04-14 15:06:05 +01:00
Luke Taylor
ef72dd1986 SEC-1714: RegexRequestMatcher should prepend question mark to query string. 2011-04-11 14:02:54 +01:00
Luke Taylor
01c9c4e4db SEC-1697: Don't publish authorization success events in AbstractSecurityInterceptor by default. 2011-04-06 13:58:58 +01:00
Luke Taylor
eb9482b33b Removal of some unused internal methods, plus additional tests for some areas lacking coverage. 2011-02-07 00:24:20 +00:00
Rob Winch
f20649f035 SEC-1648: added null check for getTargetUrlParameter() in SavedRequestAwareAuthenticationSuccessHandler.onAuthenticationSuccess and updated validation for AbstractAuthenticationTargetUrlRequestHandler.setTargetUrlParameter 2011-01-13 20:29:37 -06:00
Luke Taylor
eeb466b613 SEC-1648: Implemented Rob's suggestion to use a null value for the targetUrlParameter rather than a boolean property. It should thus only be used if this value is set. 2011-01-12 13:26:05 +00:00
Luke Taylor
bf59c75886 Test class to improve coverage of WAS-specific preauth code. 2011-01-07 19:49:50 +00:00
Luke Taylor
7fd3aa2b45 SEC-1603: Add support for injecting an AuthenticationSuccessHandler into RememberMeAuthenticationFilter. 2011-01-06 13:02:38 +00:00
Luke Taylor
423f9eae7a SEC-1648: Added a useTargetUrlparameter property to AbstractAuthenticationTargetUrlRequestHandler which defaults to false. 
This ensures that users will think about the context in which they are enabling the use of a parameter to determine the redirect location.
 2011-01-05 13:14:02 +00:00
Rob Winch
7c04fdbc90 SEC-1639: FirewalledRequest is now called on the specific FirewalledRequest instance rather that looping through ServletRequestWrappers. 
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.
 2010-12-16 21:57:26 -06:00
Luke Taylor
ce421f22bf SEC-1635: Stop security interceptors from calling AfterInvocationManager if exception occurs during invocation 2010-12-14 16:24:51 +00:00
Luke Taylor
2be2660b13 SEC-1636: Add optimizations for simple pattern cases in AntPathRequestMatcher. "/**" and "**" are treated as universal matches and a trailing "/**" is now optimized using a substring match. 2010-12-11 21:56:35 +00:00
Luke Taylor
4a40d80da1 SEC-1418: Deprecate GrantedAuthorityImpl in favour of final SimpleGrantedAuthority. 
It should be noted that equality checks or lookups with Strings or other authority types will now fail where they would have succeeded before.
 2010-12-03 16:41:46 +00:00
Luke Taylor
4ad0652787 Removed array of authorities constructor from TestingAuthenticationToken and RunAsUserToken. 2010-12-01 20:52:37 +00:00
Luke Taylor
43be9ea2a4 SEC-1430: Removed caching of username in session upon failed authentication. Improved Javadoc. 2010-11-26 13:58:49 +00:00
Luke Taylor
60970dd9c4 Added some tests for web expression handling code. 2010-11-15 20:01:38 +00:00
Luke Taylor
8b51c2c97d SEC-1587: Add explicit call to removeAttribute() to remove the context from the session if the current context is empty or anonymous. 
Allows for the situation where a user is logged out without invalidating the session.
 2010-11-09 13:55:45 +00:00
Rob Winch
4f51eb09c0 SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward 2010-11-03 15:27:59 -05:00
Luke Taylor
1c8d28501c SEC-1550: Convert signatures to use Collection<? extends GrantedAuthority> where appropriate. 2010-11-03 13:48:59 +00:00
Luke Taylor
43ec2beec0 SEC-1183: Modified Attributes2GrantedAuthoritiesMapper to return Collection<? extends GrantedAuthority>. 2010-11-02 14:02:55 +00:00
Luke Taylor
84efffb937 SEC-1542: Add a setter for the UserDetailsChecker in AbstractRememberMeServices. 2010-11-02 13:41:59 +00:00
Luke Taylor
0696bed78e SEC-1608: Make sure FirewalledRequest.reset() is called when filter="none" 2010-11-02 12:08:39 +00:00
Luke Taylor
4de8b84b0d SEC-1543: Change IpAddressMatcher to return false when comparing an Inet6Address with an Inet4Address rather than raising an exception. 2010-10-27 13:25:40 +01:00
Luke Taylor
7d97adc687 SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/". 2010-10-27 13:25:39 +01:00
Rossen Stoyanchev
70600a0277 SEC-1552 Refactor AuthorizeTag and LegacyAuthorize tag to make them independent of JSP tag rendering. 2010-10-26 12:33:51 +01:00
Rob Winch
ee12d54bec SEC-1536: moved web.authentication.jaas to web.jaasapi 
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
 2010-10-05 22:28:42 -05:00
Luke Taylor
1b2b371970 SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element. 
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.

Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
 2010-09-16 16:03:24 +01:00
Luke Taylor
551166a577 ApacheDS workDir property should be passed to the test process, not set as a system property in the main build process. 2010-09-14 14:43:21 +01:00
rwinch
de819378fc SEC-1536: added JAAS API Integration, updated doc, updated jaas sample 2010-09-13 13:12:45 -05:00
Luke Taylor
1a1372ab84 Removed deprecated AspectJInterceptor classes since these cannot be used with the existing MethodSecurityMetadataSource implementations (which no longer support JoinPoin as a secured object). Added some more tests. 2010-08-28 21:41:19 +01:00