fa1c484587
AuthenticationConfiguration.getAuthenticationManager() supports recursion
...
AuthenticationConfiguration.getAuthenticationManager() now supports
recursion. This is necessary in instances where something using
@EnableGlobalAuthentication requires an object using method level security.
Fixes gh-3935
2016-06-17 14:02:36 -05:00
9e3d2e2d99
HTTP Basic default logout ignores text/html
...
This fixes an issue where Chrome sends an accept header of application/xml
which triggers an HTTP 204 to be returned
Fixes gh-3902
2016-06-14 16:27:56 -05:00
d3b3f8e004
Fix WebSecurityConfigurerAdapter Javadoc
...
The constructor's Javadoc was incorrect. This commit
fixes it.
2016-05-23 08:12:50 -05:00
001b05569a
Release version 4.1.0.RELEASE
2016-05-05 04:25:46 +00:00
e68d8bfaea
Clarifies sessionAuthenticationStrategy setter
...
Fixes gh-234
2016-05-02 13:21:58 -05:00
491abf2600
Revert "Fix test for SessionManagementConfigurer"
...
This reverts commit 17b25d1477
2016-05-02 13:21:58 -05:00
0d2b797c2a
Revert "Fix sessionAuthenticationStrategy setter"
...
This reverts commit 8f5d46ad68
2016-05-02 13:21:58 -05:00
17b25d1477
Fix test for SessionManagementConfigurer
...
Fixes gh-234
2016-04-21 16:50:03 -04:00
8f5d46ad68
Fix sessionAuthenticationStrategy setter
...
sessionAuthenticationStrategy was setting sessionFixationAuthenticationStrategy instead
Fixes gh-234
2016-04-21 16:21:54 -04:00
24d0069668
Release version 4.1.0.RC2
2016-04-21 01:47:25 +00:00
7fe0a135ec
Default AntPathRequestMatcher to be case sensitive
...
Issue gh-3831
2016-04-20 13:29:18 -05:00
510cd59980
Default logout negotiation in Java Configuration
...
This commit adds content negotiation for log out.
Fixes gh-3282
2016-04-20 10:59:14 -05:00
51995dc187
Add Java Configuration InvalidSessionStrategy ( #3827 )
...
Allow configuring the InvalidSessionStrategy in Java Configuration.
Fixes gh-3371
2016-04-20 09:59:27 -04:00
a5a8aeb550
Message SecurityExpressionHandler is post processed ( #3820 )
...
Previously the SecurityExpressionHandler for message based configuration
did not have a beanResolver set.
This commit post processes the default message SecurityExpressionHandler
to ensure the beanResolver is set.
Fixes gh-3797
2016-04-19 13:21:58 -04:00
c872a77ad1
RoleHiearchy Bean used in GlobalMethodSecurity ( #3394 )
...
Previously it required quite a bit of extra work to use RoleHiearchy
within Java Based Spring Security configuration.
Now if a single RoleHiearchy Bean is defined it will automatically
be picked up and used by method security.
Fixes gh-3394
2016-04-19 12:47:38 -04:00
933a7e8363
Remove duplicate words
...
Fixes gh-3826
2016-04-18 23:21:20 -05:00
fb5776cb5c
Support Camel case URI variables ( #3814 )
...
Perviously there were issues with case insenstive patterns and URI
variables that contained upper case characters. For example, the pattern
"/user/{userId}" could not resolve the variable #userId Instead it was
forced to lowercase and #userid was used.
Now if the pattern is case insensitive then so is the variable. This means
that #userId will work as will #userid.
Fixes gh-3786
2016-04-18 17:54:48 -04:00
b6800bdb4d
Update ExpressionUrlAuthorizationConfigurer Error Message
...
Update error message
2016-04-14 15:33:48 -05:00
59db9413aa
Add SpEL Bean reference test ( #3815 )
...
Issue gh-3797
2016-04-14 12:11:40 -05:00
6f169267c4
HttpSecurity comparitor->comparator
...
Rename HttpSecurity's comparitor to comparator
Fixes gh-3810
2016-04-13 15:04:22 -05:00
a7fb6d2e58
Add HttpSecurity.addFilterAt ( #3809 )
...
Fixes gh-3784
2016-04-13 16:01:25 -04:00
d3a9cc6eae
Add CsrfTokenRepository ( #3805 )
...
* Create LazyCsrfTokenRepository
Fixes gh-3790
* Add CookieCsrfTokenRepository
Fixes gh-3009
2016-04-12 17:26:53 -04:00
b82df4ecf3
Add alwaysRemember to RememberMe Java Config
...
Allow setting alwaysRemember from RememberMeConfigurer
Fixes gh-180
2016-04-12 13:37:44 -05:00
bd0c8a7baa
Fix HttpSecurity logout JavaDoc
...
Removed error provoking extra logout() from example code
2016-04-12 13:24:40 -05:00
fe94d654ed
Fix typos ( #228 )
2016-04-12 11:11:51 -05:00
c57dba6b77
Fix typo in setMessageExpessionHandler ( #3803 )
2016-04-12 11:08:52 -05:00
b90242f2fa
Updates all POM versions to 4.1.0 snapshot build.
...
Fixes gh-3804
2016-04-12 10:35:43 -04:00
d05fe8ec07
Fix typo in xsd
...
Fixes gh-3229
2016-04-05 09:47:48 -05:00
044acf7e27
Release version 4.1.0.RC1
2016-03-23 07:15:15 -07:00
2f7f2ff589
Adds support for Content Security Policy
...
Fixes gh-2342
2016-03-22 21:59:13 -05:00
4b650dc58d
Allow AuthenticationProvider Bean in Java Config
...
This commit adds support for defaulting java configuration's
authentication by providing an AuthenticationProvider Bean.
Fixes gh-3091
2016-03-22 16:17:25 -05:00
533a5f0905
Fix <password-encoder> when authentication-manager@id specified
...
When <authentication-manager> specifies an id, the <password-encoder> is
not used because the parser changes the bean id without aliasing it to
BeanIds.AUTHENTICATION_MANAGER which is used by
AuthenticationManagerBeanDefinitionParser to look up the
AuthenticationManager bean.
This commit updates AuthenticationManagerBeanDefinitionParser to ensure
there is an alias to BeanIds.AUTHENTICATION_MANAGER when the id is
specified.
Fixes gh-3296
2016-03-21 22:48:49 -05:00
7bf014f678
Path Variables fail with different case
...
Fixes gh-3329
2016-03-21 10:09:50 -05:00
cf66487d3a
Add Java Configuration Test
...
Issue SEC-2256
2016-03-18 14:03:47 -05:00
41c6a797c3
Add RememberMeConfigurer set domain
...
Fixes gh-3408
2016-03-17 08:30:18 -05:00
ec4e6c7453
Update pom.xml to 4.1.0.BUILD-SNAPSHOT
2016-03-14 00:51:35 -05:00
f221920a19
Clean up code to conform to basic checkstyle
...
Issue gh-3746
2016-03-14 00:15:12 -05:00
35eff94e3d
Add Both Config names to duplicate WebSecurityConfigurer order
...
Previously the error message when multiple WebSecurityConfigurer with the
same Order did not include both WebSecurityConfigurer classes that were
involved in the duplicate Order. This made resolving errors difficult.
This commit ensures both WebSecurityConfigurers are include in the error
message.
Fixes gh-3380
2016-03-11 12:12:55 -06:00
e33e21fe6b
Add Forward after authentication attempt config support
...
Fixes gh-3728
2016-03-11 10:49:30 -06:00
5d6e8bc3c8
Remove SPR-11251 workaround from WebSecurityConfiguration
...
Fixes gh-3348
2016-03-09 16:48:24 -06:00
be36ddb614
Some formatting fixes for HttpSecurity Javadoc
2016-03-09 16:45:43 -06:00
2f4610e8b7
Update HttpSecurity.requestMatcher() Javadoc
...
Fixes gh-3365
2016-03-09 16:45:29 -06:00
71d4ce96ad
Convert to assertj
...
Fixes gh-3175
2016-03-09 14:30:17 -06:00
bb600a473e
Start AssertJ Migration
...
Issue gh-3175
2016-03-09 14:26:30 -06:00
3164bd6f8d
Polish Sorting ObjectPostProcessor
...
* Add Test
* Only sort on adding new entry
Issue gh-3572
2016-03-08 15:51:13 -06:00
a366489c3c
Sort ObjectPostProcessors prior to invoking them
...
Fixes gh-3572
2016-03-08 10:39:56 -06:00
db81977a1a
Polish HPKP
...
* Javadoc polish
* Whitespace cleanup
Issue gh-3706
2016-03-03 15:11:40 -06:00
331c7e91b7
HTTP Public Key Pinning
...
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites
to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
(For example, sometimes attackers can compromise certificate authorities,
and then can mis-issue certificates for a web origin.)
The HTTPS web server serves a list of public key hashes, and on subsequent connections
clients expect that server to use 1 or more of those public keys in its certificate chain.
This commit will add this new functionality.
Fixes gh-3706
2016-03-03 14:21:46 -06:00
337f1885ea
SEC-3170: Polish
...
* Prevent a null LogoutHandler from being set when RememberMeServices
does not implement LogoutHandler
* Fix test which invoked Mock from outside spock which failed
* Add explicit test for adding null LogoutHandler to
RememberMeConfigurer
2015-12-15 09:50:54 -06:00
b28c62a6fe
SEC-3170: Null check for Java Config of RememberMeServices
...
Added a null check in LogoutConfigurer.addLogoutHandler() method to
ensure that a logout handler is always provided..
2015-12-15 09:50:54 -06:00
1182d35d3c
SEC-3159: Fix Javadoc
...
The HttpSecurity#headers() Javadoc did not accurately reflect changes made to the
HeadersConfigurer in Spring Security 4.x.
2015-11-21 19:39:15 -05:00
205ef42cfb
SEC-3147: Add error parameter for default authentication-failure-url
2015-11-12 15:00:21 -06:00
53f85e2151
SEC-2848: LogoutConfigurer allows setting clearAuthentication
2015-10-30 13:54:01 -05:00
15b4406015
SEC-3135: antMatchers(<method>,new String[0]) now passive
2015-10-30 10:08:42 -05:00
6f1bb705ac
SEC-3135: antMatchers now allows method and no pattern
...
Previously, antMatchers(POST).authenticated() was not allowed. Instead
users had to use antMatchers(POST, "/**").authenticated().
Now we default the patterns to be "/**" if it is null or empty.
2015-10-29 12:48:29 -05:00
f76bf96e14
SEC-3132: securityBuilder cannot be null
...
If a custom SecurityConfiguererAdapter applies another
SecurityConfigurerAdapter it caused an error securityBuilder cannot be null.
This commit fixes this.
2015-10-23 10:27:09 -05:00
b9f8af3096
SEC-3063: rm ConditionalOnMissingBean for @Primary
...
ConditionalOnMissingBean can only work in a Spring Boot environment. This
means this approach is flawed.
Instead users that wish to override requestDataValueProcessor can use
@Primary.
2015-10-21 15:40:43 -05:00
8baafbb2f2
SEC-3116: Polish WebSecurity Javadoc
2015-10-01 15:50:22 -05:00
29f2cc0ab1
snasphot -> snapshot
2015-09-25 15:28:39 -05:00
bac980cbcb
SEC-2868: Simplify custom UserDetailsService Java Config
...
Exposing a UserDetailsService as a bean is now all that is necessary
for Java based configuration. Additionally, an optional PasswordEncoder
bean can be used to configure password encoding.
2015-08-27 20:41:15 -05:00
6b05b298ff
SEC-2059: Support Path Variables in Web Expressions
2015-08-20 17:11:01 -05:00
cbed1d75ee
SEC-3076: Add Method Level Security Meta Annotations
2015-08-19 16:07:03 -05:00
41c9431fcc
Test that form log in requires CSRF
2015-08-03 12:24:37 -05:00
453e6332da
Fix indentation of CsrfConfigTests
2015-08-03 12:03:05 -05:00
969f3a7d1b
Update pom.xml to latest snapshots
2015-08-03 09:46:01 -05:00
ad1d858e2b
SEC-3056 - Fix JavaDoc errors.
...
Fixed JavaDoc errors accross multiple modules in order to make javadoc happy with Java 8.
2015-08-03 08:02:24 -05:00
dab4cf18b8
SEC-3032: Correct documented logout-success-url default
2015-07-22 13:48:07 -05:00
e8c9f75f9c
Update pom.xml to latest versions
2015-07-22 12:51:04 -05:00
07fb2af74b
SEC-3011: AbstractUrlAuthorizationConfigurer postProcess default AccessDecisionManager
2015-07-21 08:52:36 -05:00
ab1b7a1eb6
Remove unnecessary @SuppressWarnings
2015-07-21 08:51:32 -05:00
9654df2cc3
SEC-3045: Conditionally add MethodSecurityMetadataSourceAdvisor
2015-07-17 15:16:09 -05:00
a3df41b380
Clean Import Statements
2015-07-17 14:52:23 -05:00
0e36f85dab
SEC-3019: Java Config for Http Basic supports Rememberme
2015-07-16 11:12:44 -05:00
474d624e8e
SEC-2988: Renamed OnBeanCondition.java to OnMissingBeanCondition.java
2015-07-13 22:51:45 -05:00
64938ebcfc
SEC-2996: Suport configuring SecurityExpressionHandler<Message<Object>>
2015-07-13 22:45:35 -05:00
ca0ffb8b5d
SEC-2948: Fix error message for wrong xsd schema
...
When using the wrong xsd schema < 4.0 a message was shown that the
schema needed to be version 3.2.
In reality this schema had to be version 4.0.
2015-07-09 23:17:16 -05:00
1f74ac811e
Fix Spring IO Tests
2015-07-08 11:09:29 -05:00
197ddb3cd1
SEC-3029: Fix Compatibility with Spring 4.2.x
2015-07-07 22:46:31 -05:00
0a118336d4
SEC-2955: Convert to "static" for inner classes
2015-04-30 12:54:52 -05:00
f1352ba492
SEC-2942: Add test EnableWebSecurity supports AuthenticationPrincipal
2015-04-23 16:34:04 -05:00
f548d89b27
SEC-2932: SecurityContextConfigurer defaults SecurityContextRepository
2015-04-22 16:50:51 -05:00
09acc2b7a5
SEC-2962: SecurityContextHolderAwareRequestFilter default rolePrefix
2015-04-21 11:42:48 -05:00
38e2e23b86
Fix indentation of InterceptUrlConfigTests
2015-04-21 09:38:17 -05:00
d5dfeeca49
SEC-2927: Update chat-jc pom so Maven Builds
...
Previously there were some incorrect dependency versions. This commit fixes
that.
We added dependencyManagement for Spring Framework and corrected
Thymeleaf and embedded redis versions.
2015-04-20 15:53:26 -05:00
0bfbd2923a
SEC-2915: Fix defaut login page tests with tabs
2015-04-17 12:13:44 -05:00
4fdfb8caba
SEC-2915: More Tabs -> Spaces
2015-04-17 11:34:34 -05:00
5fa5630bc3
Polish ordering of Config and test in NamespaceRememberMeTests
...
The convention is to put the config just below the test.
This commit fixes the convention for NamespaceRememberMeTests
2015-04-17 11:20:39 -05:00
0c77c2071b
SEC-2880: Add a setter method to override the cookie name of remember-me
2015-04-17 11:14:58 -05:00
ec89fdcfaa
SEC-2919: Polish
...
Remove now unnecessary AuthenticationConfig.Builder#getLoginFormUrl
method.
2015-04-17 11:12:08 -05:00
052bd32f40
SEC-2919: DefaultLoginPageGeneratingFilter disabled when login-page specified
2015-04-17 11:12:08 -05:00
4ca936bb76
SEC-2913: Polish
2015-03-25 21:18:12 -05:00
6c541468f6
SEC-2913: Post Process default session fixation AuthenticationStrategy
...
Before the default session fixation AuthenticationStrategy used a
NullEventPublisher when using the Java Configuration. This was due to the
fact that it is not exposed as a Bean and is not post processed.
We now post process the default session fixation AuthenticationStrategy
which initializes the EventPublisher properly.
2015-03-25 21:11:52 -05:00
7b25b3e40d
SEC-2864: Default Spring Security WebSocket PathMatcher XML Namespace
2015-03-25 16:32:03 -05:00
db531d9100
SEC-2917: Update to Spring 4.1.6
2015-03-25 15:18:59 -05:00
57b06fb0b5
SEC-2864: Default Spring Security WebSocket PathMatcher
2015-03-25 13:14:15 -05:00
c94a5cf8e2
SEC-2916: disable-url-rewriting=true by default
2015-03-25 13:14:15 -05:00
ae6af5d73c
SEC-2915: Updated Java Code Formatting
2015-03-25 13:09:18 -05:00
0a2e496a84
SEC-2915: groovy/gradle spaces->tabs
2015-03-25 13:08:59 -05:00
cf9f58a4ac
SEC-2915: XML spaces->tabs
2015-03-25 13:08:52 -05:00
fbf3672eca
SEC-2908: mulitple invocations of http.requetMatchers() properly chains
2015-03-20 15:30:19 -05:00
e776a1fd35
SEC-2803: Add HttpStatusEntryPoint
2015-03-11 14:45:59 -05:00
bed20db905
Remove Unnecessary @Override
2015-02-27 16:18:31 -06:00
8b78194f31
SEC-2876: HttpSecurityBuilder addFilterAfter javadoc before->after
2015-02-24 22:19:50 -06:00
c8b79289c9
add setter for using a custom name for the rememberMeParameter
2015-02-24 21:45:23 -06:00
5f57e5b0c3
SEC-2873: Remember Me XML Configuration Defaults Should Match Java Config
2015-02-24 20:49:56 -06:00
67cd8465c3
SEC-2826: Add remember-me-cookie attribute in xml namespace
2015-02-24 17:54:54 -06:00
d2fd852711
SEC-2832: Fix config tests
2015-02-24 17:53:39 -06:00
2bf4f28db9
Fix .properites user
2015-02-24 16:25:24 -06:00
df96e5573f
Add test .properties Authentication Java Config
2015-02-24 16:14:15 -06:00
37740cd020
SEC-2861: Add WebSocket Documentation & Sample
2015-02-24 10:29:47 -06:00
b9563f6102
SEC-2830: Cleanup disabling Same Origin SockJS
...
- Defaults for properties false
- Add XML Namespace support
2015-02-24 10:28:33 -06:00
b9e2a57131
SEC-2854: Add intercept-message@message-type
2015-02-20 11:43:16 -06:00
fea03536d6
SEC-2853: Rename WebSocket XML Namespace elements
2015-02-20 11:43:15 -06:00
706e7fd7a2
SEC-2863: Update to Spring 4.1.5
2015-02-20 11:43:04 -06:00
fb085cae25
Add session-management@session-fixation-protection=none test
2015-02-19 13:01:59 -06:00
6a8475adbb
SEC-2830: Provide Same Origin support for SockJS
2015-02-18 11:21:02 -06:00
a27c33754c
SEC-2859: Add CsrfTokenArgumentResolver
2015-02-18 10:51:30 -06:00
36fe0d0357
SEC-2845: SecurityContextChannelInterceptor support anonymous
2015-02-18 10:00:22 -06:00
c4fe630f8e
SEC-2846: Security HTTP Response Headers Configuration Cleanup
2015-02-10 10:36:00 -06:00
9b5f76f3d6
SEC-2833: Rossen's feedback on WebSocket
2015-02-04 10:43:12 -06:00
72e256b95a
Fix unchecked warning in AbstractSecurityWebSocketMessageBrokerConfigurer
2015-02-04 10:43:12 -06:00
55fde81a0f
SEC-2838
2015-01-31 11:04:55 +01:00
6627f76df7
SEC-2758: Make ROLE_ consistent
2015-01-29 17:08:43 -06:00
414f98bee0
SEC-2827: Clean up MessageMatcher Ambiguities
2015-01-23 17:29:54 -06:00
5b0f8918ce
Fix Eclipse import
2015-01-23 17:29:54 -06:00
1e5f7023c6
SEC-2822: Make EnableGlobalAuthenticationAutowiredConfigurer static Bean
...
This ensures that EnableGlobalAuthenticationAutowiredConfigurer is actually
used in newer versions of Spring. See SPR-12646
2015-01-20 14:28:17 -06:00
62649af0aa
SEC-2815: Delay looking up AuthenticationConfiguration
2015-01-20 10:23:43 -06:00
8f0001f59a
Next Development Version
2014-12-11 20:39:26 -06:00
49b69196de
Release version 4.0.0.RC1
2014-12-11 20:36:55 -06:00
1677836d53
SEC-2790: Deprecate @EnableWebMvcConfig
2014-12-10 21:10:27 -06:00
62e127e978
SEC-2789: Add Default WebSecurityConfigurerAdapter
2014-12-10 21:10:26 -06:00
3171cc4364
SEC-2788: Add @Configuration as meta annotation to @Enable* annotations
2014-12-10 21:10:15 -06:00
11116c2b80
SEC-2787: Update Versions
2014-12-10 16:37:19 -06:00
c67ff42b8a
SEC-2783: XML Configuration Defaults Should Match JavaConfig
...
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
2014-12-08 15:09:15 -06:00
b56e5edbbd
SEC-2784: Fix build plugins
2014-12-08 14:24:34 -06:00
87a52ffbfd
SEC-2784: Update to Gradle 2.2.1
2014-12-08 13:29:07 -06:00
6e204fff72
SEC-2781: Remove deprecations
2014-12-04 15:28:40 -06:00
5bb0ce9a8f
SEC-2773: Add Test for static delegatingApplicationListener
2014-12-01 12:06:09 -06:00
0f7c2e4128
SEC-2773: Prevent premature container initialization in WebSecurityConfiguration.
...
Changed the bean definition method for the DelegatingApplicationListener
to be static to avoid the need to instantiate the configuration class which
caused further premature initializations to satisfy the dependencies
expressed in setFilterChainProxySecurityConfigurer(…).
2014-12-01 11:38:19 -06:00
2cb2657f5b
SEC-2702: Clean WebSocket Namespace documentation
2014-11-25 12:27:29 -06:00
8ad16b01f5
SEC-2702: Add WebSocket Security XML Namespace Support
2014-11-25 09:45:32 -06:00
3c487c0348
SEC-2348: Update doc headers enabled by default with XML
2014-11-21 21:55:03 -06:00
4392205f63
SEC-2347: CSRF Enabled by default w/ XML Config
2014-11-21 21:32:56 -06:00
eedbf44235
SEC-2348: Security HTTP Response Headers enabled by default w/ XML
2014-11-21 16:06:29 -06:00
dfa17bdb98
SEC-2747: Remove spring-core dependency from spring-security-crypto
2014-11-20 16:16:22 -06:00
30c5788b8b
SEC-1897: Remove raw types from AbstractAccessDecisionManager
2014-11-20 15:36:53 -06:00
1cca72e6d8
SEC-2749: CsrfConfigurer.requireCsrfProtectionMatcher correct null check
2014-11-20 14:40:51 -06:00
05882b5f24
SEC-2574: Polish
...
Handle null DelegatingApplicationListener
2014-11-19 17:09:24 -06:00
5810681b06
SEC-2574: JavaConfig default SessionRegistry processes SessionDestroyedEvents
2014-11-19 16:48:19 -06:00
24dec7ec3e
SEC-2737: Remove WebSocket Outbound Authorization
2014-10-10 15:56:25 -05:00
5ba8f000a7
SEC-2714: Add AuthenticationPrincipal resolver for messaging support
2014-09-23 16:28:48 -05:00
d2fa019fe5
SEC-2704: Separation of inbound and outbound security rules
2014-09-19 16:39:43 -05:00
28446284a6
SEC-2713: Support authorization by SimpMessageType
2014-09-19 16:38:56 -05:00
02c3565e22
Fix compiling in Eclipse
2014-09-16 10:18:46 -05:00
a932d6ecf3
Removed unnecessary params from anyRequest()'s javadoc
2014-08-20 11:24:15 +02:00
b9df7ba01f
SEC-2179: Allow customize PathMatcher for SimpDestinationMessageMatcher
2014-08-18 11:04:04 -05:00
6321665353
SEC-2676: Update to Spring Data Evans RC1
2014-08-15 20:46:59 -05:00
3f30529039
SEC-2179: Add Spring Security Messaging Support
2014-08-15 20:46:58 -05:00
3187ee8bf3
SEC-2700: Register WithSecurityContextTestExecutionListener by default
2014-08-15 16:41:33 -05:00
1f861f512a
SEC-2676: Add SpEL Spring Security Integration
2014-07-29 20:04:37 -05:00
8a2a1b7a5b
SEC-2595: Polish
2014-07-25 16:27:19 -05:00
b2d66e2a78
SEC-2595: @EnableGlobalMethodSecurity AspectJ fixes
2014-07-25 16:03:18 -05:00
b72c1ad314
SEC-2686: Create SecurityMockMvcConfigurer
2014-07-22 15:11:37 -05:00
ecb4296540
SEC-2588: Javadoc fix channelSecurity->requiresChannel
2014-07-21 14:23:40 -05:00
75df42cb7c
SEC-2656: Fix <frame-options> with whitelist strategy
2014-06-18 09:10:28 -05:00
c3d05bea62
SEC-2657: Test for multi dynamic ports for LDAP Java Config
2014-06-17 17:25:08 -05:00
a3fd706335
SEC-2660: Move config integration-test *.groovy to groovy source folder
2014-06-17 17:22:42 -05:00
b255478b14
SEC-2658: Java Config triggers usePasswordAttrCompare to be set
2014-06-17 17:10:16 -05:00
a2b53fabce
SEC-2657: LdapAuthenticationProviderConfigurer find available port
2014-06-17 16:54:42 -05:00
63d1b531a1
SEC-2618: LdapAuthenticationProviderConfigurer passwordAttribute null check
...
If LdapAuthenticationProviderConfigurer passwordAttribute is null, do not
set on the PasswordComparisonAuthenticator
2014-06-17 16:51:01 -05:00
e6e35932ed
SEC-2603: Fix config groovy integration tests
2014-05-20 23:15:39 -05:00
cbd06a4994
SEC-2472: Support LDAP crypto PasswordEncoder
2014-05-20 23:15:36 -05:00
d95640d3e5
SEC-2600: Remove unused import
2014-05-19 12:29:04 -05:00
f73b579ad9
SEC-2543: Logout with CSRF enabled requires POST by default
2014-05-02 11:24:02 -05:00
1d7402e0cd
SEC-2532: Add disclaimer about jdbcAuthentication() with persistent data stores
2014-04-28 15:06:52 -05:00
37bb350883
SEC-2549: Remove LazyBean marker interface
2014-04-24 14:34:35 -05:00
00e1094178
Add springio-platform plugin
2014-04-23 14:35:22 -05:00
ccf96a4d69
SEC-2542: Polish dependency exclusions
...
This cleans up exclusions so the pom.xml are not as cluttered.
2014-04-02 09:47:29 -05:00
3118e39de8
SEC-2542: Use exclusions to remove duplicate dependencies
...
A number of projects had duplicate dependencies on their classpaths
as a result of the same classes being available in more than one
artifact, each with different Maven coordinates. Typically this only
affected the tests, but meant that the actual classes that were
loaded was somewhat unpredictable and had the potential to vary
between an IDE and the command line depending on the order in which
the aritfacts appeared on the classpath. This commit adds a number of
exclusions to remove such duplicates.
In addition to the new exclusions, notable other changes are:
- Spring Data JPA has been updated to 1.4.1. This brings its
transitive dependency upon spring-data-commons into line with
Spring LDAP's and prevents both spring-data-commons-core and
spring-data-commons from being on the classpath
- All Servlet API dependencies have been updated to use the official
artifact with all transitive dependencies on unofficial servlet API
artifacts being excluded.
- In places, groovy has been replaced with groovy-all. This removes
some duplicates caused by groovy's transitive dependencies.
- JUnit has been updated to 4.11 which brings its transitive Hamcrest
dependency into line with other components.
There appears to be a bug in Gradle which means that some exclusions
applied to an artifact do not work reliably. To work around this
problem it has been necessary to apply some exclusions at the
configuration level
Conflicts:
samples/messages-jc/pom.xml
2014-04-02 09:47:26 -05:00
c411014c24
SEC-2533: Global AuthenticationManagerBuilder disables clearing child credentials
2014-03-25 13:05:44 -05:00
cb0549a609
SEC-2498: RequestCache allows POST when CSRF is disabled
2014-03-25 10:50:59 -05:00
d079044592
SEC-2531: AuthenticationConfiguration#lazyBean should use BeanClassLoader
2014-03-24 14:58:19 -05:00
e4a58375cc
SEC-2515: Detect object cycle for AuthenticationManager configuration
2014-03-10 14:33:35 -05:00
4cdeacc277
SEC-2499: Allow MethodSecurityExpressionHandler in parent context
...
Previously a NoSuchBeanDefintionException was thrown when the
MethodSecurityExpressionHandler was defined in the parent context. This
happened due to trying to work around ordering issues related to SEC-2136
This commit resolves this by not marking the
MethodSecurityExpressionHandler bean as lazy unless it exists.
2014-03-06 21:14:35 -06:00
9988fa141c
Update Spring Security version in pom.xml
2014-03-06 08:13:52 -06:00
6be4e3a9fc
SEC-2506: Remove Bundlor Support
2014-03-05 13:32:16 -06:00
04a527d4ec
SEC-2495: CSRF disables logout on GET
2014-02-20 09:40:00 -06:00
7f99a2dfbb
SEC-2487: Update to Spring 3.2.8.RELEASE
2014-02-19 09:30:40 -06:00
85305050c0
SEC-2455: Fix XML default login generation
2014-02-18 13:52:05 -06:00
8a3a7961cb
SEC-2492: ExpressionUrlAuthorizationConfigurer private interceptUrl to void
2014-02-15 14:41:26 -06:00
bf2df220ca
SEC-2490: LdapAuthenticationProviderConfigurer allows custom LdapAuthoritiesPopulator
2014-02-13 16:37:33 -06:00
7a3da28987
SEC-2479: Search parent context for AuthenticationManager
2014-02-12 08:11:26 -06:00
6c35c33abe
SEC-2447: Fix AuthenticationManagerBuilder ordering issues
2014-02-09 21:17:51 -06:00
c42e13c966
loginProcessing test
2014-02-07 17:01:11 -06:00
6b42a2eae1
SEC-2461: Multi WebSecurityConfiguration does not create null springSecurityFilterChain
2014-02-07 17:01:11 -06:00
ec8b48150d
SEC-2474: Update poms
2014-02-07 17:01:11 -06:00
8d8475deb1
SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
...
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
2014-01-29 15:35:18 -06:00
1f833b0d6b
Add ExpressionUrlAuthorizationCOnfigurer tests
...
- Demo custom expression root
- Demo @Bean in expression example
2014-01-23 11:21:21 -06:00
994117ad75
SEC-2436: Fix CsrfConfigurerNoWebMvcTests
2013-12-14 14:48:47 -06:00
b7041ed00e
SEC-2436: Add @EnableWebMvcSecurity
2013-12-14 14:40:01 -06:00
053c890a69
SEC-2450: WebSecurityConfigurerAdapter have default Order of 100
2013-12-14 13:00:48 -06:00
2df5541905
SEC-2448: Update to HSQL 2.3.1
2013-12-14 10:19:06 -06:00
04fac30d75
SEC-2449: <ldap-server> default port should fallback to dynamic value
2013-12-14 10:19:06 -06:00
54ffa28bde
remove apacheDSWorkDir since custom tmp dir is created
2013-12-13 16:38:35 -06:00
a34178bc40
SEC-2434: Update to Spring 3.2.6 and Spring 4.0 GA
2013-12-12 08:16:59 -06:00
aaa7cec32e
SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
...
Previously there was unecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
2013-12-12 08:07:22 -06:00
7f714ebb23
SEC-2422: Session timeout detection with CSRF protection
2013-12-11 17:38:17 -06:00
00d668dc5c
SEC-2431: UrlAuthorizationConfigurer missing <HttpSecurity> in doc
2013-12-11 11:07:05 -06:00
4460e84b29
Updates to pom.xml author and repo
2013-12-09 08:57:30 -06:00
8e8bdad8e6
SEC-2386: Remove stack for AuthenticationManagerBuilder with no authenticationProviders
2013-12-04 15:53:32 -06:00
f2fdc9d1f5
SEC-2425: Add Test for EnableGlobalMethodSecurity works on parent config
2013-12-04 14:54:56 -06:00
595b16d836
SEC-2377: Fix tests
2013-12-03 11:48:25 -06:00
2a632a061e
SEC-2377: Hhandle EnableWebSecurity in both child & parent ApplicationContext
2013-12-03 10:45:25 -06:00
0b996c669f
SEC-2424: Document ObjectPostProcessor
2013-12-02 10:17:08 -06:00
13c5af5b91
SEC-2407: Better error message for missing securityFilterChainBuilders
2013-11-26 10:12:55 -06:00
c7b93e6cee
SEC-2404: Fix CSRF config tests
2013-11-21 15:35:26 -06:00
9dbe30c81d
SEC-2165: remember-me@token-validity-seconds can be parameterized
2013-11-15 14:58:53 -06:00
afddb5eb39
SEC-2373: Update XSD doc to state security="none"
2013-11-15 13:50:49 -06:00
6382b6341a
SEC-2355: Add test to validate intercept-url PATCH works
2013-11-15 11:57:47 -06:00
85cd5627b6
SEC-2355: Add PATCH to intercept-url xsd
2013-11-15 11:46:34 -06:00
2c8946c406
Next development version
2013-11-01 14:20:55 -05:00
9c703a3051
Release version 3.2.0.RC2
2013-11-01 14:20:49 -05:00
dc317b3602
WebSecurityConfigurerAdapter implements WebSecurityConfigurer
2013-11-01 12:26:32 -05:00
cda23443ac
XsdDocumentedTests now uses asciidoc instead of asciidoctor
2013-11-01 09:32:05 -05:00
26be54653b
SEC-2382: AutowireBeanFactoryObjectPostProcessor works w/ BeanNameAutoProxyCreator
2013-10-30 11:20:42 -05:00
9e7fbf8067
SEC-2321: Refine to use X-Requested-With: XMLHttpRequest
2013-10-28 14:00:56 -05:00
5f290ba10f
SEC-2371: Remove ObjectPostProcessor.QUIESENT_POSTPROCESSOR
2013-10-18 14:31:13 -05:00
604c26eb0d
Shis simplifies the class hieararchy significantly.EC-2366: Extract AbstractRequestMatcherRegistry from AbstractRequestMatcherConfigurer
...
This simplifies the class hierarchy significantly.
2013-10-17 13:37:51 -05:00
348e3a22b6
SEC-2365: registerAuthentication->configure
2013-10-16 13:59:56 -05:00
0978c12c47
SEC-2361: Java Config Sampels use @Autowired AuthenticationManagerBuilder
2013-10-15 12:35:32 -05:00
0b0e7dbea9
SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter
2013-10-14 15:00:24 -05:00
51171efa7a
SEC-2357: Move *RequestMatcher to .matcher package
2013-10-14 11:55:56 -05:00
14b9050616
SEC-2357: Move *RequestMatchers to .matchers package
2013-10-14 10:36:31 -05:00
f2b44e6beb
Fix javadoc whitespace issue in HttpBasicConfigurer
2013-10-11 14:53:11 -05:00
4ef0460ef6
SEC-2321: Improve Java Config defaults for JavaScript clients
2013-10-11 14:53:11 -05:00
5f10d84bf5
SEC-2303: WebSecurity sets the Bean resolver
2013-10-06 13:37:51 -05:00
dd1c2483b5
SEC-2349: Fix documentation tests
2013-10-03 17:03:17 -05:00
8087cde628
SEC-2331: Include Expires: 0 in xsd and appendix
2013-09-27 17:10:42 -05:00
17efd25717
SEC-2331: Include Expires: 0 in security headers documentation
2013-09-27 16:13:40 -05:00
614c94187e
SEC-2305: GlobalMethodSecurityConfiguration autowire PermissionEvaluator
...
If a single PermissionEvaluator bean is found the
DefaultMethodSecurityExpressionHandler is configured with the
PermissionEvaluator. If multiple PermissionEvaluator beans are found, the
beans are ignored.
2013-09-27 15:46:45 -05:00
a09756745f
SEC-2151: Support binding method arguments with Annotations
...
This allow utilizing method arguments for method access control on
interfaces prior to JDK 8.
2013-09-27 11:18:37 -05:00
cea0cf9260
SEC-2243: Remove additional Debug Filter
2013-09-26 11:38:16 -05:00
56ce7d284c
SEC-2336: WebSecurityConfigurerAdapter#registerAuthentication javadoc fixes
2013-09-26 09:08:25 -05:00
88f41cdf62
SEC-2341: Update to Gradle 1.8
...
Some dependencies were necessary to update due to issues with JUnit
integration.
2013-09-24 15:35:51 -05:00
a888ddf8b3
SEC-2307: JavaConfig RequestCache ignores favicon.ico
2013-09-24 11:30:37 -05:00
ddc0ef7ab3
SEC-2339: Added Logical (Or, And, Negated) RequestMatchers
2013-09-23 20:55:49 -05:00
28fb6ba14b
SEC-2328: Add hasAnyRole to ExpressionUrlAuthorizationConfiguration
2013-09-23 10:51:08 -05:00
b16c17f70b
SEC-2301: Remove invalid import
2013-09-20 16:09:23 -05:00
a3d112979f
SEC-2301: GlobalMethodSecurityConfiguration sets DefaultWebSecurityExpressionHandler BeanResolver
2013-09-20 15:53:58 -05:00
f294480e6b
SEC-2329: JC @Autowire(required=false) AuthenticationTrustResolver
...
Java Configuration now allows optional @Autowire of
AuthenticationTrustResolver. In the WebSecurityConfigurerAdapter this is
done by populating AuthenticationTrustResolver as a sharedObject.
2013-09-20 15:28:50 -05:00
Rob Winch
Sola
Spring Buildmaster
Joe Grandja
didiez
Rob Winch
Johnny Lim
Matthias Merdes
Leon Radley
Jeffrey Walraven
Nicolai Ehemann
Quinten De Swaef
Eddú Meléndez
Shazin Sadakath
Billy Korando
Wallace Wadge
Tim Ysewyn
Nikos Kastamoulas
William Gorder
Kazuki Shimizu
zhanhb
Thomas Darimont
Stijn
Alex Panchenko
Romain Fromi
Michael Cramer
Michael Oberwasserlechner
Oliver Gierke
Nándor István Krácser
Mirko Zeibig
Andy Wilkinson
Rob Winch
Collin Peters