Commit Graph

2457 Commits

Author SHA1 Message Date
ylombardi 1d0e97880d Add the BadCredentialsExceptionMixin to help Jackson serialization of BadCredentialsException 2018-03-08 16:55:57 -06:00
Joe Grandja 5b023d0abc Fix Security version tests -> 5.1 2018-03-02 16:29:22 -05:00
Johnny Lim d316803596 Polish DaoAuthenticationProviderTests 2018-03-02 08:55:37 -06:00
Rob Winch 8d75554b6b Lazily Create Throwables
Fixes: gh-5040
2018-02-26 16:24:40 -06:00
Rob Winch 831399be16 Update to Spring Framework 5.0.4
Fixes: gh-5027
2018-02-19 22:00:33 -06:00
Rob Winch 7063a9e111 Issue: gh-5018 2018-02-16 16:50:14 -06:00
Rob Winch 964a14b224 Document Reactive Method security requires Publisher return types
Fixes: gh-4988
2018-02-07 16:43:18 -06:00
Lóránt Pintér f7beb537f0 Add included build to JAR
Instead of copying classes to the compile output, we now add them directly to the JAR.
This allows JavaCompile to be cached, since there are no overlapping outputs anymore.
2018-02-02 11:50:00 -06:00
Rob Winch 8b7f772761 Update to Jackson 2.9.4
Fixes: gh-4985
2018-02-01 13:45:06 -06:00
Rob Winch 994abb0d00 Document User.withDefaultPasswordEncoder unsafe for production
Fixes: gh-4793
2018-01-31 16:26:26 -06:00
Rob Winch f7e49ace9f Add TestAuthentication 2018-01-26 15:13:09 -06:00
Rob Winch c5e6ee4563 Update Dependencies
Fixes: gh-4973
2018-01-24 13:48:14 -06:00
Rob Winch 6ba225b62d Polish userNotFoundEncodedPassword
Ensure that if passwordEncoder is set that userNotFoundEncodedPassword
is encoded again if already set.

Issue: gh-4915
2018-01-24 11:06:08 -06:00
Phillip Webb fd78d055aa Lazily initialize userNotFoundEncodedPassword
Update `DaoAuthenticationProvider` so that `userNotFoundEncodedPassword`
is lazily initialized on the first call to `retrieveUser`, rather than
in `doAfterPropertiesSet`.

Since some `PasswordEncoder` implementations can be slow, this change
can help to improve application startup times and the expense of some
delay with the first login.

Note that `userNotFoundEncodedPassword` creation occurs on the first
user retrieval, regardless of whether the user is ultimately found. This
ensures consistent processing times, regardless of the outcome.

First Call:
	Found      = encode(userNotFound) + decode(supplied)
	Not-Found  = encode(userNotFound) + decode(userNotFound)

Subsequent Call:
	Found      = decode(supplied)
	Not-Found  = decode(userNotFound)

Fixes gh-4915
2018-01-24 11:06:08 -06:00
Johnny Lim f3830eec7d Rename userDetailsRepository to userDetailsService 2018-01-10 16:04:48 -06:00
Rob Winch 803cdcf01e Test Jackson HashMap in Whitelist
Issue: gh-4889
2018-01-03 16:17:23 -06:00
Chris Burrell cf97e16379 Add HashMap to Jackson whitelist
Issue: gh-4889
2018-01-03 16:17:23 -06:00
Rob Winch b9152701a6 Javadoc Polish 2017-12-21 16:43:11 -06:00
Johnny Lim 921157cdcd Remove explicit super() calls 2017-12-21 15:11:51 -06:00
Johnny Lim 57353d18e5 Use diamond type 2017-12-21 15:09:00 -06:00
Rob Winch c856c376df Fix UTF-8 in JdbcDaoImplTests 2017-12-20 15:50:23 -06:00
Joe Grandja e19fdb6cc1 Remove AuthenticatedPrincipal from UserDetails
Issue gh-4877
2017-11-30 10:52:24 -05:00
Joe Grandja 50d1a81458 AbstractAuthenticationToken.getName() uses UserDetails.getUsername()
Fixes gh-4877
2017-11-30 09:17:42 -05:00
Rob Winch ee1745b681 Update to Spring Framework 5.0.2.RELEASE 2017-11-27 11:57:03 -06:00
Rob Winch 691bf2e11d PasswordEncoder Bean for AuthenticationManagerBuilder
Issue: gh-4873
2017-11-27 11:42:56 -06:00
Johnny Lim 701933c7f7 Fix copyright start years
See gh-4655
See gh-4725
2017-11-17 10:14:32 -06:00
Johnny Lim 5f518d00e5 Apply Checkstyle EmptyStatementCheck module
This commit adds Checkstyle `EmptyStatementCheck` module and aligns code with it.
2017-11-16 20:18:21 -06:00
Oleg Zhuravlev 563139c469 Fix keys in messages bundle 2017-11-16 11:28:57 -06:00
Benedikt Ritter fffd781b03 Add localization to error messages from ExceptionTranslationFilter
Fixes gh-4504
2017-11-16 11:25:56 -06:00
Johnny Lim b6895e6359 Apply Checkstyle WhitespaceAfterCheck module 2017-11-16 11:18:31 -06:00
Johnny Lim d900f2a623 Remove unused imports
This commit also adds UnusedImportsCheck Checkstyle module.
2017-11-14 14:41:08 -06:00
Rob Winch 6d4b4bf2c7 Align Dependencies with Spring IO Cairo
Fixes gh-4821
2017-11-14 13:45:24 -06:00
Johnny Lim 99df632f24 Add missing @Override annotations
This commit also adds MissingOverrideCheck module to Checkstyle configuration.
2017-11-08 13:27:24 -06:00
Rob Winch d9abd2e443 User.UserBuilder only encodes once
Fixes gh-4794
2017-11-06 09:47:37 -06:00
Greg Turnquist 881cd0befb Fix UsernamePasswordAuthenticationTokenMixin to handle null credentials/details
Resolves #4698
2017-10-31 16:34:07 -05:00
Rob Winch e95430fa36 Polish Reactive Method Security reference
Issue gh-4757
2017-10-30 16:27:50 -05:00
Gajendra kumar ec723952d5 principals and sessionIds should be set using constructor so that can be shared across node in cluster
As principals and sessionIds are set in class itself so one can't share user session count across nodes(Cluster). Using constructor for setting principals and sessionIds we can pass Cache map to constructor which can enable common session count in cluster otherwise user would be allowed to logged in with multiple sessions. There is no point keeping principals and sessionIds completely internal.
2017-10-30 01:08:15 -05:00
Frank Pavageau 35706ad60a Deserialize the principal in a neutral way
When the principal of the Authentication is an object, it is not necessarily
an User: it could be another implementation of UserDetails, or even a
completely unrelated type. Since the type of the object is serialized as a
property and used by the deserialization anyway, there's no point in
enforcing a stricter type.
2017-10-30 00:53:31 -05:00
Frank Pavageau 6fd9ff254b Map values directly from the JSON nodes
Not only is it more efficient without converting to an intermediate String,
using JsonNode.toString() may not even produce valid JSON according to its
Javadoc (ObjectMapper.writeValueAsString() should be used).
2017-10-30 00:53:31 -05:00
Antoine 0771778b81 Polish more AssertJ assertions 2017-10-29 22:22:34 -05:00
Antoine e0aca04a28 Polish AssertJ assertions
Polish AssertJ assertions
2017-10-29 22:22:34 -05:00
Rob Winch 44320447fe Update to Spring 5.0.1.RELEASE
Issue gh-4739
2017-10-29 14:31:45 -05:00
Rob Winch 747473257f Use ReactorSecurityContextHolder
Issue gh-4713
2017-10-26 20:11:42 -05:00
Rob Winch 9ea4df5b5d ReactiveSecurityContextHolder
Fixes gh-4713
2017-10-26 20:11:42 -05:00
Rob Winch 399da1ecad SecurityContextImpl constructor
Fixes gh-4712
2017-10-26 20:11:42 -05:00
Rob Winch 38a8189a62 DelegatingApplicationListener uses CopyOnWriteArrayList
Fixes gh-4416
2017-10-24 15:35:04 -05:00
Rob Winch 8291f20796 DaoAuthenticationProvider uses DelegatingPasswordEncoder
This means that passwords will be encoded with BCrypt by default

Fixes: gh-2775
2017-10-24 07:56:28 -05:00
Rob Winch d19b222b55 UserDetailsRepositoryReactiveAuthenticationManager uses DelegatingPasswordEncoder
This means passwords will be encoded with BCrypt by default

Issue: gh-2775
2017-10-24 07:56:28 -05:00
Rob Winch cdc992b132 Remove SaltSource
Fixes gh-4681
2017-10-24 07:56:28 -05:00
Rob Winch 4529e09339 Remove PasswordEncoder from core
Issue: gh-4674
2017-10-24 07:56:28 -05:00