b93528138e
URL Cleanup
...
This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener).
# Fixed URLs
## Fixed Success
These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended.
* http://www.apache.org/licenses/ with 1 occurrences migrated to:
https://www.apache.org/licenses/ ([https](https://www.apache.org/licenses/ ) result 200).
* http://www.apache.org/licenses/LICENSE-2.0 with 2691 occurrences migrated to:
https://www.apache.org/licenses/LICENSE-2.0 ([https](https://www.apache.org/licenses/LICENSE-2.0 ) result 200).
* http://www.apache.org/licenses/LICENSE-2.0.html with 2 occurrences migrated to:
https://www.apache.org/licenses/LICENSE-2.0.html ([https](https://www.apache.org/licenses/LICENSE-2.0.html ) result 200).
2019-03-14 15:46:20 -05:00
ae0f330f98
Add BCrypt Test for Empty Raw Password
...
Issue: gh-5548
2019-01-08 11:54:36 -06:00
9ee291e659
AesBytesEncryptorTests Check Key Strength
...
Fixes: gh-6121
2018-11-20 11:45:45 -07:00
b5455b0bec
Make AesByesEncryptor public
...
Fixes: gh-5099
2018-11-13 16:05:59 -07:00
13de580632
AesBytesEncryptorTests
...
Issue: gh-5099
2018-11-13 16:03:47 -07:00
f56f55dc8e
Fix BCrypt Checkstyle
...
Issue: gh-3320
2018-10-22 11:18:52 -05:00
388a7b62b9
Add BCrypt Revision Support
...
Fixes: gh-3320
2018-10-22 11:13:55 -05:00
cb0ba58b58
Fix WhitespaceAfterCheck Checkstyle check
2018-08-27 10:45:35 -05:00
e945f3bf82
Fix typo
...
Closes #5579
2018-08-03 09:58:01 -05:00
02b857d82a
Add PasswordEncoder.upgradeEncoding
...
Issue: gh-2778
2018-07-14 22:52:15 -05:00
9b42831c70
Suppress deprecation warnings in spring-security-crypto
2018-05-04 21:02:57 -05:00
0a5da93640
Improve PasswordEncoder deprecated notices
...
Fixes: gh-5296
2018-05-03 15:13:06 -05:00
b1d013e8f0
Fix JDK 9
...
Issue: gh-5160
2018-03-27 09:30:56 -05:00
a622a92001
Fix: Typo in DelegatingPasswordEncoder's Javadoc
2018-01-30 10:07:49 -06:00
22737dce7e
Polish
...
DelegatingPasswordEncoder copies the provided Map. This ensures that
references to the Map do not update the state of DelegatingPasswordEncoder
and NullPointerException is avoided for implementations that do not allow
a null key.
Issue: gh-4936
2018-01-03 10:11:04 -06:00
2b66793535
Catch possible NullPointerException
...
Some maps may throw a NullPointerException when get is called with null. This commit catches the exceptions and just leaves the delegate null.
Fixes gh-4936
2018-01-03 09:46:58 -06:00
e5b41f30ea
Fix DelegatingPasswordEncoderTests
...
Issue: gh-4872
2017-11-27 12:01:31 -06:00
f558b5016c
DelegatingPasswordEncoder handles null encodedPassword
...
Fixes: gh-4872
2017-11-27 11:42:56 -06:00
b6895e6359
Apply Checkstyle WhitespaceAfterCheck module
2017-11-16 11:18:31 -06:00
e17272c633
Polish
2017-11-16 10:33:59 -06:00
d900f2a623
Remove unused imports
...
This commit also adds UnusedImportsCheck Checkstyle module.
2017-11-14 14:41:08 -06:00
e0aca04a28
Polish AssertJ assertions
...
Polish AssertJ assertions
2017-10-29 22:22:34 -05:00
de9fe3e3b1
Fix the JavaDoc for Pbkdf2PasswordEncoder so that it uses the actual values for default hash width and number of iterations
2017-10-29 21:08:38 -05:00
a7ba02bdef
Polishing the Pbkdf2PasswordEncoder's javadoc
2017-10-24 12:49:01 -05:00
6532bac295
Update Md4PasswordEncoder Javadoc
...
Include format and migration information.
Issue: gh-4674
2017-10-24 10:23:38 -05:00
03ebf19878
Update MessageDigestPasswordEncoder javadoc
...
Include format and migration information
Issue: gh-4674
2017-10-24 10:23:27 -05:00
870b8bf9b2
Pbkdf2PasswordEncoder supports Base64 encoding
...
Fixes gh-4683
2017-10-24 08:47:04 -05:00
fe8f3afbaf
Pbkdf2PasswordEncoder allows custom SecretKeyFactory
...
Fixes gh-2742
2017-10-24 08:34:30 -05:00
d832213c6c
Add ldap to PasswordEncoderFactories
...
Issue: gh-4674
2017-10-24 07:56:28 -05:00
d83f4c4aa5
Add SHA-256 to PasswordEncoderFactories
...
Issue: gh-4674
2017-10-24 07:56:28 -05:00
5f2785d39c
Add SHA-1 to PasswordEncoderFactories
...
Issue: gh-4674
2017-10-24 07:56:28 -05:00
63e061f4d1
Add MD5 to PasswordEncoderFactories
...
Issue: gh-4674
2017-10-24 07:56:28 -05:00
7fe41de5eb
Add MD4 to PasswordEncoderFactories
...
Issue: gh-4674
2017-10-24 07:56:28 -05:00
3a4a32e654
Remove LdapShaPasswordEncoder from core
...
Issue: gh-4674
2017-10-24 07:56:20 -05:00
1ed1716df4
Add LdapShaPasswordEncoder to crypto
...
Issue: gh-4674
2017-10-23 22:27:16 -05:00
d9a594d039
Add Md4PasswordEncoder to crypto
...
Issue: gh-4674
2017-10-23 22:27:16 -05:00
8fda55e98f
Add MessageDigestPasswordEncoder to crypto
...
Issue: gh-4674
2017-10-23 22:27:16 -05:00
7b282b54c8
Deprecate StandardPasswordEncoder
...
Issue: gh-2776
2017-10-23 22:27:16 -05:00
a0e9eb3a64
Deprecate NoOpPasswordEncoder
...
Issue: gh-2776
2017-10-23 22:27:16 -05:00
b66ea9ab94
Allow Digester iterations to update
...
Fixes gh-4676
2017-10-23 22:27:16 -05:00
2937477405
Polishing
...
See gh-4666
2017-10-23 08:36:24 -05:00
c7f4160e04
Fix Javadoc of PasswordEncoderFactories#createDelegatingPasswordEncoder
...
See gh-4666
2017-10-22 11:54:32 -05:00
d152a2e2c1
Add PasswordEncoderFactories
...
Issue gh-4666
2017-10-20 13:26:17 -05:00
d0332eb71a
Add DelegatingPasswordEncoder
...
Fixes gh-4666
2017-10-20 13:26:17 -05:00
d7d6400971
DefaultStateGenerator->Base64StringKeyGenerator
...
Rename and move DefaultStateGenerator since it is more generic than just
OAuth.
Fixes gh-4645
2017-10-18 11:29:04 -05:00
e16b8e7976
Fix logback-test.xml
2017-08-17 16:42:01 -05:00
07c3123696
Deprecate crypto.codec.Base64
...
In commit 85719fc
2017-06-26 09:21:00 -05:00
d81b436e5d
Remove pom.xml from build
...
Gradle is easy enough to import into IDEs, so pom.xml should no
longer be necessary.
This commit removes the pom.xml files from the build.
Fixes gh-4283
2017-05-11 14:32:36 -05:00
85719fcd64
Use Base64 implementation provided by Java 8
2017-05-10 00:27:36 -05:00
861e7994ff
crypto uses spring-jcl
2017-05-09 02:35:46 -05:00
dd6fc48dd8
Standardize Build
...
The build now uses spring build conventions to simplify the build
Fixes gh-4284
2017-04-21 10:55:05 -05:00
2ce174dbf0
Update poms to 5.0.0.BUILD-SNAPSHOT
2017-04-07 16:49:50 -04:00
d2524eadfc
Update poms to new to SNAPSHOT version
2017-03-02 09:20:34 -06:00
081f0c4d94
Release version 4.2.2.RELEASE
2017-03-02 07:29:42 +00:00
c31bdb6390
SCryptPasswordEncoder to take default keyLength value
...
Fixes gh-4225
Closes gh-4231
2017-03-01 23:11:52 -06:00
7a7ce11ebb
Release version 4.2.1.RELEASE
2016-12-21 17:23:28 +00:00
bb834bccf6
Polish Exception Message
...
Polish Exception message for bad salt in BCrypt
Issue gh-4147
2016-12-06 08:45:08 -06:00
09436649cc
handling null-values for salts properly now - fixes gh-4147
2016-12-06 08:43:19 -06:00
24fcb6c45a
Release version 4.2.0.RELEASE
2016-11-09 23:42:11 +00:00
97b4cb0b73
Release version 4.2.0.RC1
2016-10-26 02:49:23 +00:00
c1b8150439
Release version 4.2.0.M1
2016-09-23 19:39:33 +00:00
4d02a5c0a0
Update pom.xml dependencies
2016-08-30 11:27:29 -05:00
a1f771251a
Improve exception message on Hex#decode
...
Fixes gh-4043
2016-08-29 15:10:39 -04:00
919f000c80
Release version 4.1.1.RELEASE
2016-07-07 00:57:35 +00:00
8f880aea0e
Polish Pbkdf2PasswordEncoder
...
Issue gh-3930
2016-06-21 11:47:50 -05:00
5f658b3ffc
Remove double salt in Pbkdf2PasswordEncoder
...
Issue gh-3930
2016-06-21 11:44:23 -05:00
a2ead4cf7a
Polish
...
Fixes gh-3892
2016-06-20 12:35:43 -05:00
2d6051625f
Update pom.xml
2016-06-17 14:30:11 -05:00
9fcfeaf225
BCryptPasswordEncoder validates strength
...
Fixes gh-3862
2016-05-20 14:54:26 -05:00
001b05569a
Release version 4.1.0.RELEASE
2016-05-05 04:25:46 +00:00
24d0069668
Release version 4.1.0.RC2
2016-04-21 01:47:25 +00:00
b01437281d
Bouncy Castle 1.47 Support
...
This forces us to avoid using CipherOutputStream, and instead use the
BlockCiphers directly. As an extra measure for correctness, test the
equivalence of the BC implementations against data sizes from 1 to 2048
bytes.
Fixes gh-2917
2016-04-18 08:35:57 -05:00
44fa624b6b
Refactor test assumptions about JCE to common class. ( #3817 )
...
Apply assumptions directly to test methods instead of checking for key
length in crypto.gradle.
2016-04-14 17:02:31 -05:00
40208127e8
Skip tests when AesBytesEncryptor can't be created in CBC or GCM mode. ( #3816 )
...
Tests would fail in cases where JCE unlimited strength was available but
GCM wasn't, like on JDK7.
2016-04-14 15:21:20 -05:00
63b2cfe1cf
Bouncy Castle implementations of AES-256
...
Adds "AES/CBC/PKCS5Padding" and "AES/GCM/NoPadding"
Fixes gh-2917
2016-04-13 16:28:55 -05:00
95a3e30d9f
Polish Pbkdf2PasswordEncoder
...
Fixes gh-2158
Fixes gh-51
2016-04-12 17:16:38 -05:00
0ab7126e64
Added PBKDF2PasswordEncoder.
...
- Also moved some logic into a new class, AbstractPasswordEncoder.
Both PBKDF2PasswordEncoder and the now-simplified
StandardPasswordEncoder extend AbstractPasswordEncoder.
- Added tests for PBKDF2PasswordEncoder
Issue gh-2158
2016-04-12 17:16:38 -05:00
b90242f2fa
Updates all POM versions to 4.1.0 snapshot build.
...
Fixes gh-3804
2016-04-12 10:35:43 -04:00
044acf7e27
Release version 4.1.0.RC1
2016-03-23 07:15:15 -07:00
ec4e6c7453
Update pom.xml to 4.1.0.BUILD-SNAPSHOT
2016-03-14 00:51:35 -05:00
f221920a19
Clean up code to conform to basic checkstyle
...
Issue gh-3746
2016-03-14 00:15:12 -05:00
71d4ce96ad
Convert to assertj
...
Fixes gh-3175
2016-03-09 14:30:17 -06:00
bb600a473e
Start AssertJ Migration
...
Issue gh-3175
2016-03-09 14:26:30 -06:00
a7b0f74803
bcprov-jdk15on -> bcpkix-jdk150n
...
This fixes the Spring IO checks since bcprov-jdk15on is not part of Spring
IO platform.
Issue gh-3702
2016-03-03 14:34:23 -06:00
8fbc7e0d2c
Fix SCryptPasswordEncoder javadoc
...
Issue gh-3702
2016-03-03 14:18:50 -06:00
fc75a679d9
Polish SCryptPasswordEncoder
...
* JKD8 Base64 -> Spring Security's Base64 to continue to support older JDKs
* Spaces to tabs
* Javadoc cleanup
* Remove of @Override to compile in Eclipse
Issue gh-3702
2016-03-03 14:06:08 -06:00
7d02e259df
Add SCryptPasswordEncoder
...
Fixes gh-3702
2016-03-03 10:24:29 -06:00
69274d9aa8
SEC-2521: Improve StandardPasswordEncoder performance
2015-10-27 11:20:24 -05:00
29f2cc0ab1
snasphot -> snapshot
2015-09-25 15:28:39 -05:00
8cc9108601
Merge pull request #209 from raindev/patch-1
...
Remove unused imports from SecureRandomBytesKeyGenerator
2015-08-06 08:54:09 -05:00
969f3a7d1b
Update pom.xml to latest snapshots
2015-08-03 09:46:01 -05:00
ad1d858e2b
SEC-3056 - Fix JavaDoc errors.
...
Fixed JavaDoc errors accross multiple modules in order to make javadoc happy with Java 8.
2015-08-03 08:02:24 -05:00
e8c9f75f9c
Update pom.xml to latest versions
2015-07-22 12:51:04 -05:00
3832647ecf
Remove unused imports
2015-07-14 16:35:11 +03:00
3db01bd9d6
SEC-3002: Add JUnit Assume to GCM encryption tests
...
Not all JDKs have GCM installed on them.
2015-07-13 16:22:18 -05:00
a48cc18858
SEC-3002: Add new option for AES encryption with GCM
...
The Galois Counter Mode (GCM) is held to be superior than the current
default CBC. This change adds an extra parameter to the constructor
of AesBytesEncryptor and a new convenience method in Encryptors.
2015-07-09 23:27:33 -05:00
d5dfeeca49
SEC-2927: Update chat-jc pom so Maven Builds
...
Previously there were some incorrect dependency versions. This commit fixes
that.
We added dependencyManagement for Spring Framework and corrected
Thymeleaf and embedded redis versions.
2015-04-20 15:53:26 -05:00
db531d9100
SEC-2917: Update to Spring 4.1.6
2015-03-25 15:18:59 -05:00
ae6af5d73c
SEC-2915: Updated Java Code Formatting
2015-03-25 13:09:18 -05:00
0a2e496a84
SEC-2915: groovy/gradle spaces->tabs
2015-03-25 13:08:59 -05:00
cf9f58a4ac
SEC-2915: XML spaces->tabs
2015-03-25 13:08:52 -05:00
706e7fd7a2
SEC-2863: Update to Spring 4.1.5
2015-02-20 11:43:04 -06:00
8f0001f59a
Next Development Version
2014-12-11 20:39:26 -06:00
49b69196de
Release version 4.0.0.RC1
2014-12-11 20:36:55 -06:00
11116c2b80
SEC-2787: Update Versions
2014-12-10 16:37:19 -06:00
b56e5edbbd
SEC-2784: Fix build plugins
2014-12-08 14:24:34 -06:00
dfa17bdb98
SEC-2747: Remove spring-core dependency from spring-security-crypto
2014-11-20 16:16:22 -06:00
3187ee8bf3
SEC-2700: Register WithSecurityContextTestExecutionListener by default
2014-08-15 16:41:33 -05:00
b72c1ad314
SEC-2686: Create SecurityMockMvcConfigurer
2014-07-22 15:11:37 -05:00
00e1094178
Add springio-platform plugin
2014-04-23 14:35:22 -05:00
3118e39de8
SEC-2542: Use exclusions to remove duplicate dependencies
...
A number of projects had duplicate dependencies on their classpaths
as a result of the same classes being available in more than one
artifact, each with different Maven coordinates. Typically this only
affected the tests, but meant that the actual classes that were
loaded was somewhat unpredictable and had the potential to vary
between an IDE and the command line depending on the order in which
the aritfacts appeared on the classpath. This commit adds a number of
exclusions to remove such duplicates.
In addition to the new exclusions, notable other changes are:
- Spring Data JPA has been updated to 1.4.1. This brings its
transitive dependency upon spring-data-commons into line with
Spring LDAP's and prevents both spring-data-commons-core and
spring-data-commons from being on the classpath
- All Servlet API dependencies have been updated to use the official
artifact with all transitive dependencies on unofficial servlet API
artifacts being excluded.
- In places, groovy has been replaced with groovy-all. This removes
some duplicates caused by groovy's transitive dependencies.
- JUnit has been updated to 4.11 which brings its transitive Hamcrest
dependency into line with other components.
There appears to be a bug in Gradle which means that some exclusions
applied to an artifact do not work reliably. To work around this
problem it has been necessary to apply some exclusions at the
configuration level
Conflicts:
samples/messages-jc/pom.xml
2014-04-02 09:47:26 -05:00
9988fa141c
Update Spring Security version in pom.xml
2014-03-06 08:13:52 -06:00
6be4e3a9fc
SEC-2506: Remove Bundlor Support
2014-03-05 13:32:16 -06:00
de4ed136ea
Fix spring4 test
2014-02-19 16:13:30 -06:00
7f99a2dfbb
SEC-2487: Update to Spring 3.2.8.RELEASE
2014-02-19 09:30:40 -06:00
ec8b48150d
SEC-2474: Update poms
2014-02-07 17:01:11 -06:00
a34178bc40
SEC-2434: Update to Spring 3.2.6 and Spring 4.0 GA
2013-12-12 08:16:59 -06:00
4460e84b29
Updates to pom.xml author and repo
2013-12-09 08:57:30 -06:00
2c8946c406
Next development version
2013-11-01 14:20:55 -05:00
9c703a3051
Release version 3.2.0.RC2
2013-11-01 14:20:49 -05:00
88f41cdf62
SEC-2341: Update to Gradle 1.8
...
Some dependencies were necessary to update due to issues with JUnit
integration.
2013-09-24 15:35:51 -05:00
3d2f23602f
SEC-2294: Update Spring Version to 3.2.4.RELEASE
2013-08-31 11:26:43 -05:00
aca2e4ff3a
SEC-2289: Add spring4Test
2013-08-27 16:43:10 -05:00
976d9a9016
SEC-2194: Polish java config sample apps
2013-08-08 14:33:54 -05:00
5e6ca12b01
SEC-2097: Update integrationTestCompile to use optional and provided
...
Also update slf4j version and remove explicit commons-logging from pom generation
2013-07-16 15:59:06 -05:00
02551e1b7a
SEC-2214: Update Spring Version
2013-07-16 15:15:47 -05:00
faa8b354b7
SEC-2209: add pom.xml
2013-07-16 15:15:47 -05:00
743960d2d8
SEC-2122: Fix broken integration tests.
...
Modified BCryptPasswordEncoder to no longer throw an
IllegalArgumentException when the encoded password is empty or
the incorrect format for bcrypt. Instead it now logs a warning
that non bcrypt data was found.
The Dms integration tests were failing after being changed to
use bcrypt and this fixes the issue.
2013-05-21 23:13:08 +01:00
d6524feb62
SEC-2122: Change doc to prioritize bcrypt use
2013-05-17 18:42:47 +01:00
4fabe939d0
SEC-2035: Add template.mf to crypto
2012-08-17 14:13:56 -05:00
a6bded86c2
SEC-1990: Polishing code cleanup on BCrypt
...
- Formatting
- Renamed test to be BCryptTests to better align with Spring Security's naming conventions
2012-07-05 14:12:14 -05:00
14a5135ac3
SEC-1990: Clean up jBCrypt and include its tests.
...
Merge in changes from jBCrypt.
- Use a ByteArrayOutputStream to cache bytes.
- Pass a StringBuilder into encode_base64.
- Refactor string comparison into its own method.
- General clean up.
2012-07-05 14:04:39 -05:00
3760d792ea
SEC-1890: Add checks for validity of stored bcrypt hash
...
When checking for a match, the BCryptPasswordEncoder validates
the stored hash against a pattern to check that it actually is
a bcrypt value.
2012-02-22 14:36:13 +00:00
8565116f20
SEC-1472: Add crypto wrappers for BCrypt
2011-11-02 18:10:19 +00:00
45d938566c
Some tests for Base64 encoding.
2011-08-12 19:44:27 +01:00
89b7b2b935
SEC-1764: Remove use of Java 6 method Arrays.copyOfRange.
2011-06-15 11:22:17 +01:00
e27f655e9d
SEC-1689: Re-instate crypto as separate library (for use in non-Spring Security apps), as well as packaging with core.
2011-06-10 00:01:25 +01:00
50828cdd43
SEC-1689: Move crypto module code to core for simplicity.
2011-03-10 18:58:47 +00:00
8c08eeb57b
SEC-1666: Use constant time comparison for sensitive data.
...
Constant time comparison helps to mitigate timing attacks. See the following link for more information
* http://rdist.root.org/2010/07/19/exploiting-remote-timing-attacks/
* http://en.wikipedia.org/wiki/Timing_attack for more information.
2011-01-31 23:03:51 -06:00
2e822e9abe
SEC-1659: Ensure that Digester is returning digest(digest(value)...) instead of digesting the same value multiple times.
...
Make it so that the Digester returns digest(digest(value)...) instead of digesting the same value multiple times. This
alligns with the OWASP recommendations at http://www.owasp.org/index.php/Hashing_Java#Hardening_against_the_attacker.27s_attack
2011-01-30 22:30:01 -06:00
6b1b012e2c
Added check for maximum AES key size in crypto.gradle to skip tests if limited strength crypto policy files are in place.
2011-01-20 02:13:33 +00:00
594f6694bb
Add logging of jdk version to crypto build file
2011-01-20 01:31:30 +00:00
d686f64f26
Skip EncryptorsTests when using <JDK 1.6 as AES isn't available
2011-01-19 23:43:13 +00:00
162cb64baa
SEC-1659: Label crypto utils package as only for internal use.
2011-01-19 18:19:58 +00:00
b646e44646
SEC-1659: fixed bundlor step of build
2011-01-19 18:17:03 +00:00
ea76efdb2c
SEC-1659: favor AES encryption instead of DES as standard symmetric encryption algorithm
2011-01-19 18:17:02 +00:00
ffa7301e7f
SEC-1569: initial commit of spring-security-crypto module, consisting of encrypt, keygen, password, and util packages
2011-01-19 18:17:02 +00:00
Spring Operator
Rob Winch
Josh Cummings
Krzysztof Szmytkowski
linfeng
Vedran Pavic
Johnny Lim
Alexander Münch
Michael J. Simons
Antoine
Joris Portegies Zwart
Kazuki Shimizu
Joe Grandja
Rob Winch
Spring Buildmaster
SendilKumar N
Jan Brennenstuhl
vitaliy_kuzmich
Eddú Meléndez
Kim Saabye Pedersen
Will Tran
Rob Worsnop
Billy Korando
Shazin
zhanhb
Thomas Darimont
Andrew Barchuk
Dave Syer
Rob Winch
Luke Taylor
Joseph Walton
Dave Syer
Rob Winch
Keith Donald