Commit Graph

4792 Commits

Author SHA1 Message Date
Rob Winch e6593151fc SEC-2017: Convert IncorrectResultsSizeException.size() == 0 to BadCredentialsException in ActiveDirectoryAuthenticationProvider 2012-08-01 16:19:57 -05:00
Rob Winch a5ec116e80 SEC-1919: Log error when fail to communicate with LDAP
Previously communication errors with LDAP were only logged at debug level.

Communication errors (along with other non-authenticated related NamingExceptions)
are now logged as error messages. We created an InternalAuthetnicationServiceException
to represent errors that should be logged as errors to distinguish between internal
and external authentication failures. For example, we do not want an OpenID Provider
being able to report errors that cause our logs to fill up. However, an LDAP system is
internal and should be trusted so logging at an error level makes sense.
2012-07-31 16:55:48 -05:00
Rob Winch a19cc8f1c7 SEC-2020: Set eraseCredentialsAfterAuthentication when using http@authentication-manager-ref
Previously the namespace configuration did not properly set the eraseCredentialsAfterAuthentication
property on the parent AuthenticationProvider when using http@authentication-manager-ref.

Now the ProviderManager that is created by the namespace consults the original
AuthenticationManager to determine if eraseCredentialsAfterAuthentication should
be set on the wrapped instance. If the original is not a ProviderManager the
eraseCredentialsAfterAuthentication is set to false since we should not "magically"
add behavior to the custom AuthenticationManager without knowing the desired behavior.
2012-07-31 14:04:11 -05:00
Rob Winch d2a5ad6fd1 SEC-2016: Update config integration tests to use specific ldif to work in Eclipse
Due to Eclipse restrictions the classpath adding an project as a dependency picks up
the test dependencies of other projects. This caused problems when running the
config integration tests within Eclipse.

Now the tests specify a specific ldif to load. There is also one new test that ensures
that the ldif is defaulted properly, but does not rely on the ldif that is loaded.
2012-07-31 14:03:38 -05:00
Rob Winch 37aed0660d SEC-1938: Add ActiveDirectoryAuthenticationException as caused by for ActiveDirectoryAuthenticationProvider
Previously there was no way to extract the original exception or to easily
obtain details about the failure if Spring Security was not able to translate
the exception into a Spring Security AuthenticationException.

Now the caused by is an ActiveDirectoryAuthenticationException which contains
the original Active Directory error code.
2012-07-31 09:34:06 -05:00
Rob Winch 734188206d SEC-1940: ProviderManager publishes any AccountStatusException
Previously there was a bug introduced by SEC-546 that prevented any
AccountStatusException from being published.

Now AccountStatusExceptions are also published.
2012-07-30 14:09:50 -05:00
Rob Winch a0572418e6 SEC-1995: Move version to gradle.properties so Bamboo can update on releases 2012-07-26 17:26:50 -05:00
Rob Winch 67d6ebdc51 SEC-1999: Updated spring-context version for acs/template.mf
Previously the Spring Security version was being used
instead of the Spring Security version.

Now the Spring version is used.
2012-07-25 16:39:08 -05:00
Rob Winch 10e6a6f943 Remove compile warnings in AspectJMethodSecurityInterceptorTests 2012-07-24 18:13:52 -05:00
Rob Winch 9a9aafaeec SEC-1967: Restore original SecurityContext in finally when RunAsManager is used
Previously subclasses of AbstractSecurityInterceptor did not restore the original
Authentication when RunAsManager was used and an Exception was thrown in the
original method.

AbstractSecurityInterceptor has added a new method finallyInvocation which
should be invoked in a finally block immediately after the original invocation
which will restore the original Authentication. All existing sub classes have
been updated to use this new method.
2012-07-24 18:08:27 -05:00
Rob Winch a1df1ca66b SEC-2018: Removed mavenLocal() from gradle build 2012-07-23 11:42:06 -05:00
Rob Winch 1d701a2d8f SEC-2012: Remove additional incorrect javadoc from UserDetails#getPassword() 2012-07-21 10:35:28 -05:00
Rob Winch a547f6922a SEC-1996: Fix javadoc to work with jdk 1.5
The javadoc did not work with JDK 1.5 due to a JDK bug fixed in JDK 1.6.

This changed the javadoc that had a tag that started with <a and was not
closed to escape the < >. This resolves the issue with the JDK 1.5 javadoc
bug.
2012-07-20 16:38:27 -05:00
Rob Winch b4fbabdbfd SEC-2012: Remove incorrect javadoc from UserDetails#getPassword()
Previously the javadoc stated that password could not be null. However,
since the introduction of CredentialsContainer introduced in SEC-1493 the
password can be null.

The changes remove the statement that passwords cannot be null. While this
is a non-passive change to the interface, the current state leaves no choice
for a non-passive change. Removing the javadoc was determined the better
option since erasing the credentials was an explicit feature request. Note
that replacing the password with an obscure String can be risky as it
introduces the risk that the value is used to authenticate.
2012-07-20 15:34:28 -05:00
Rob Winch c025e8db46 Added comment to ide-integration.gradle about STS-2723 2012-07-19 17:46:13 -05:00
Rob Winch 23ef7dac48 SEC-2009: Support ./gradlew eclipse
Previously there were problems when importing with ./gradlew eclipse. For
example GRADLE-1116 and GRADLE-1422.

The changes provide workarounds that are compatible with Gradle 1.0. Note
when importing after using ./gradlew eclipse users may get errors stating
"Element not found". This is only at the time of import and can be ignored.
This is an Eclipse bug logged as
https://bugs.eclipse.org/bugs/show_bug.cgi?id=244315
2012-07-19 17:42:36 -05:00
Rob Winch 24c3bdfd90 SEC-2013: Add space to log of AbstractAuthenticationProcessingFilter 2012-07-19 16:13:12 -05:00
Rob Winch 1710f32a08 SEC-2011: Moved SessionRegistry documentation of SessionRegistry#onAuthentication
Previously the documentation was referring to what ConcurrentSessionControlStrategy
performed.

Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication
method.
2012-07-19 11:15:06 -05:00
Rob Winch b868daaa8c SEC-2011: Remove reference to SessionRegistry from SessionFixationProtectionStrategy javadoc
Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).

Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
2012-07-19 10:20:40 -05:00
Rob Winch 095dcb3a74 SEC-2010: Include missing <value> tag in Hierarchical Roles section of the reference 2012-07-19 10:18:12 -05:00
Rob Winch aa4ec9a508 Cleaned up warnings in JdbcTokenRepositoryImpl and JdbcTokenRepositoryImplTests 2012-07-18 16:35:57 -05:00
Rob Winch 340534dadb SEC-1964: Handle missing series in JdbcTokenRepositoryImpl
Previously JdbcTokenRepositoryImpl would log an error with a misleading
message when the token series was missing.

Now JdbcTokenRepositoryImpl logs missing token series at info level with
a more informative message.
2012-07-18 16:35:57 -05:00
Rob Winch 7f9938c8e2 Organize imports on RememberMeConfigTests 2012-07-18 14:45:05 -05:00
Rob Winch c7c41ced84 Added test to verify LogoutHandlers added to LogoutFilter 2012-07-18 14:45:05 -05:00
Rob Winch 3ce06333c5 SEC-1850: Namespace adds all LogoutHandlers to ConcurrentSessionFilter
Previously the namespace configuration only populated ConcurrentSessionFilter
with SecurityContextLogoutHandler. This means that there was an inconsistency
with LogoutFilter.

Now the namespace will configure the same LogoutHandlers as it would for
LogoutFilter (i.e. RememberMeServices, SecurityContextLogoutHandler, and
CookieClearingLogoutHandler.
2012-07-18 14:44:35 -05:00
Rob Winch 06638db289 SEC-1909: Namespace configuration no longer uses deprecated API's
Previously the namespace configuration used deprecated API's
causing warnings to show up in Spring Tool suite when editing
Spring configuration files.

Now the namespace configuration uses the replacement API's for
those that have been deprecated. The tests have also been updated
to ensure the new constructors are used and that the updates did
not break anything.
2012-07-17 14:08:36 -05:00
Rob Winch b196d70f99 SEC-1905: Added para tag to the digest encoded password footnote 2012-07-11 13:12:57 -05:00
Rob Winch bfd09f7603 SEC-1905: Added footnote to password encoding for digest authentication
Technically digest authentication can allow for encoded passwords, but
it needs to be in the correct format. This update adds a footnote to clarify this.

Previously the documentation stated that passwords must be in clear text.
2012-07-11 13:00:06 -05:00
Rob Winch 40ccbedefd SEC-1988: Add contributor guide link to readme.txt 2012-07-10 22:27:19 -05:00
Rob Winch 42b72bcbc4 SEC-1980: Prevent parser warning when URL's in configuration start with #
Previously a warning would be logged to the parser when a URL was
configured with a SpEL expression. These changes prevent warnings from
being logged when using SpEL for URL configuration.
2012-07-10 14:24:42 -05:00
Rob Winch b28e3a0b2f SEC-1976: include *.aj files in sourceJar 2012-07-09 18:37:05 -05:00
Rob Winch 262ee099df SEC-1994: explicit sourceCompatibility and targetCompatibility of 1.5 in Gradle build 2012-07-08 15:55:48 -05:00
Rob Winch 3e4da4f60f Updated to next snapshot version 2012-07-06 11:28:21 -05:00
Rob Winch f46a5bab40 Set to 3.1.1 Release 2012-07-06 10:32:55 -05:00
Rob Winch 638e92a3f7 SEC-1992: Updated Spring version to 3.0.7 2012-07-06 10:32:45 -05:00
Rob Winch d14150c2e1 SEC-1906: Fix EmmaPlugin for Gradle 1.0 2012-07-05 22:57:16 -05:00
Rob Winch a6bded86c2 SEC-1990: Polishing code cleanup on BCrypt
- Formatting
 - Renamed test to be BCryptTests to better align with Spring Security's naming conventions
2012-07-05 14:12:14 -05:00
Joseph Walton 14a5135ac3 SEC-1990: Clean up jBCrypt and include its tests.
Merge in changes from jBCrypt.
- Use a ByteArrayOutputStream to cache bytes.
- Pass a StringBuilder into encode_base64.
- Refactor string comparison into its own method.
- General clean up.
2012-07-05 14:04:39 -05:00
Rob Winch fde9142d8d SEC-1907: Exclude crypto dependency in core module since classes are bundled in core 2012-07-05 13:56:47 -05:00
Rob Winch f2345fcb21 SEC-1981: Remove dependency on Locale for the build 2012-07-05 13:30:41 -05:00
Rob Winch a2452ab514 SEC-1906: Update to Gradle 1.0 2012-07-05 12:41:56 -05:00
Rob Winch 2fba10ab61 Use powermock for testing servlet 3.0 functionality instead of distinct classpaths 2012-07-01 12:37:01 -05:00
Rob Winch 18230259b8 SEC-1985: Removed WebSecurityExpessionHandler from reference 2012-06-28 11:35:07 -05:00
Rob Winch f6902471fb SEC-1965: DefaultWebSecurityExpressionHandler is now passive from 3.0.x releases
There were two issues that needed resolved

 - Since DefaultWebSecurityExpressionHandler no longer implemented WebSecurityExpressionHandler a bean lookup by
   type would not work. This caused failures in the JSF support.

 - The method createEvaluationContext needed to be explicitly defined on WebSecurityExpressionHandler since the
   parameterized type from the super interface is not preserved at compile time. Without explicitly defining the
   method any class compiled against a previous version would cause a NoSuchMethodException.
2012-06-28 10:54:01 -05:00
Rob Winch b6ec700640 SEC-1968: AbstractPreAuthenticatedProcessingFilter clears SecurityContext on null principal change with invalidateSessionOnPrincipalChange = true 2012-06-27 15:49:18 -05:00
Rob Winch e1068b84ea .gitignore src/*/java/META-INF/ 2012-06-26 16:36:41 -05:00
Rob Winch de3dfb5b3f SEC-1875: ConcurrentSessionControlStrategy no longer adds/removes the session to the SessionRegistry twice
This fixes two issues introduced by SEC-1229

 * SessionRegistry.registerNewSession is invoked twice

 * SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should be handle removing the session twice. However, as removing
twice requires an unnecessary database hit we should only remove
sessions once.
2012-06-26 16:36:41 -05:00
Rob Winch 954ba57cf2 SEC-1970: Cleanup of pre authentication documentation
* Removed custom-authentication-provider from documentation
* Rephrased to make the pre authentication documentation a little more concise
* Removed nested () within text (not code)
* Removed user which should have been use
2012-06-15 14:44:16 -05:00
Rob Winch 8b05d23832 SEC-1971: Allow injection of ExpressionParser in AbstractSecurityExpressionHandler 2012-06-15 08:21:52 -05:00
Rob Winch 6584b65489 SEC-1898: Added test to demonstrate JdbcAclService#readAclById throws NotFoundException when the Acl is missing 2012-06-11 16:29:50 -05:00