d5ee89bb7c
Correct typo in error message.
2008-06-19 15:21:03 +00:00
ff5bfccdba
SEC-892: Linked use of create-session='never' in namespace to corresponding properties in ExceptionTranslationFilter and AbstractProcessingFilter
2008-06-19 13:46:45 +00:00
c56d524bd9
SEC-887: Added setter method for account status checker.
2008-06-18 12:00:45 +00:00
af5f193ec1
SEC-890: Corrected use of dataSource property name in RememberMeBDP.
2008-06-18 10:35:30 +00:00
7d79ae5424
SEC-880: Fix incorrect index value.
2008-06-13 10:58:01 +00:00
32b8009bee
SEC-875: Removed duplicated parameters from SavedRequestWrapper.getParameterValues()
2008-06-09 23:33:36 +00:00
3b775d29d3
SEC-870: Polish messages file contribution
2008-06-08 22:09:47 +00:00
358f284f42
SEC-760: Correct bug where more than one concurrent JaasAuthenticationProvider used.
2008-06-06 06:13:14 +00:00
ff785a829f
[maven-release-plugin] prepare for next development iteration
2008-06-03 16:07:20 +00:00
db1d8604a6
[maven-release-plugin] prepare release spring-security-parent-2.0.2
2008-06-03 16:05:40 +00:00
9308284bd4
SEC-864: Removed duplicate OpenID provider.
2008-06-03 14:53:43 +00:00
122e1c47ed
Changed rnc filename prior to 2.0.2 release
2008-06-01 19:34:50 +00:00
64ab7e534c
Spelling corrections in Javadoc.
2008-06-01 17:26:27 +00:00
ab6d29d927
SEC-862: Make logoutSuccessUrl accessible to sub-classes.
2008-06-01 16:15:09 +00:00
1d9d7eb9a7
Removed accidental commit of SavedRequest clearing code in TargetUrlResolverImpl
2008-05-30 17:53:09 +00:00
ecd2cc6da7
Added some Assert calls to setters and improved comments.
2008-05-30 15:29:51 +00:00
f228d013d8
SEC-861: Change default value of justUseSavedRequestOnGet to false
2008-05-30 15:09:51 +00:00
4de4bb8e87
SEC-860: Added setter for authenticationDetailsSource to AbstractRememberMeServices
2008-05-30 14:29:32 +00:00
f8cded10ee
Typo.
2008-05-30 11:20:16 +00:00
c031588975
SEC-606: Added support for customizable credentials character set.
2008-05-29 18:00:15 +00:00
36a192b70f
SEC-858: Replaced integer properties in schema with strings to allow use of placeholders.
2008-05-29 16:13:14 +00:00
980a72f9a0
Removed TODO (done).
2008-05-29 15:54:50 +00:00
517a7f117a
SEC-857: Make request wrapper getParameterValues() consistent with getParameterMap() etc.
2008-05-29 15:49:43 +00:00
244579faf4
OPEN - issue SEC-856: GroupManager JdbcUserDetailsManager implementation: addGroupAuthority() method doesn't work.
...
http://jira.springframework.org/browse/SEC-856 . Refactored class to remove the JDBC-related inner classes.
2008-05-28 16:25:28 +00:00
d63536cc0d
SEC-821: Added support for eternal session registry and concurrent session controller to the 2.0.2 namespace.
2008-05-27 13:14:21 +00:00
8b5bbe3800
SEC-830: Changed SavedRequestAwareWrapper to make wrapped request parameters take precedence over saved request ones.
2008-05-25 22:57:03 +00:00
45c3084502
SEC-836: Made LDAP namespace elements use subtree group searching by default.
2008-05-23 23:57:01 +00:00
871e529840
SEC-850: custom-authentication-provider Registering Separate Bean Definitions in App Context and Providers List
...
http://jira.springframework.org/browse/SEC-850 . Added extra test.
2008-05-23 23:32:57 +00:00
d1005e4cfb
SEC-850: custom-authentication-provider Registering Separate Bean Definitions in App Context and Providers List
...
http://jira.springframework.org/browse/SEC-850 . Changed bean decorator to add a bean reference to the ProviderManager rather than a bean definition.
2008-05-23 23:25:09 +00:00
9ce0270226
Fixed typo in test name
2008-05-23 22:57:30 +00:00
7603ce2f97
SEC-848: Remove all Spring LDAP dependecy loading from namespace parsers
...
http://jira.springframework.org/browse/SEC-848 . Replaced class references with class names.
2008-05-23 21:30:57 +00:00
25ba269db0
SEC-835: use setContentType on response for J2EE 1.3 compatibility.
2008-05-23 20:55:10 +00:00
11b448c0e0
SEC-847: Updated the xsl file to inline openid-login and other elements
2008-05-23 16:29:44 +00:00
08c5fe8925
Fixed autoboxing issue
2008-05-22 12:19:00 +00:00
fbe3ca48f4
SEC-823, SEC-843: Allow setting of custom RememberMeServices and token validity periodon remember-me namespace element
2008-05-21 16:03:05 +00:00
3e33b8a880
Update InMemoryXmlApplicationContext to use 2.0.2 schema
2008-05-20 22:46:37 +00:00
b60c578b25
SEC-844: Support for SHA-256 hashing.
2008-05-20 22:45:02 +00:00
03981ab6a0
SEC-844: Added sec-256 to namespace schema
2008-05-20 22:32:03 +00:00
e9adbd4d62
SEC-844, SEC-843, SEC-823: Added support for sha-256, custom remember-me services and setting of remember me token validity period to namespace schema. Also added 2.0.2 XSD file
2008-05-20 19:48:32 +00:00
29d31b72d0
SEC-837: Add special character filtering to LDAP search filters
2008-05-20 19:25:37 +00:00
3fb1f59fde
SEC-837: Add special character filtering to LDAP search filterscore/src/test/java/org/springframework/security/ldap
2008-05-20 19:22:49 +00:00
5af53da106
Improved doc for'filters' attribute
2008-05-18 11:09:50 +00:00
2329dadf48
Removed jalopy parameter comments
2008-05-15 17:58:15 +00:00
f269373442
IDE-791: Remove explicit Spring LDAP class dependencies from LdapServerBDP.
2008-05-15 14:33:42 +00:00
8b2c0468ff
OPEN - issue SEC-834: Session fixation attack protection will cause problems with URL rewriting
...
http://jira.springframework.org/browse/SEC-834 . Modified HttpSecurityBDP to add session-fixation parameters to openId and form-login filters. Also added sessionRegistry property to AbstractProcessingFilter so that it doesn't conflict with concurrent session control.
2008-05-15 01:34:14 +00:00
d17a2da9e0
SEC-834: Session fixation attack protection will cause problems with URL rewriting
...
http://jira.springframework.org/browse/SEC-834 . Changed position of SessionFixationProtectionFilter and modified it to make a decision about whether authentication has taken place prior to calling doFilter(). Previously it did this on the return through the filter chain, which caused the problem described in this issue.
2008-05-15 00:26:27 +00:00
7f38c656ca
SEC-820: Expand regular expression used in hierarchical roles.
2008-05-14 22:59:33 +00:00
6493df13f8
SEC-803: Removed use of websphere SubjectHelper class.
2008-05-14 22:51:39 +00:00
59543af4fb
SEC-826: Support for JPA PersistenceContext annotation broken
...
http://jira.springframework.org/browse/SEC-826 Moved all injection post-processing to BeanPostProcessors (and deleted bean factory post-processor) to prevent early instantiation problems. Beas should now all be instantiated before the injection takes place.
2008-05-14 16:41:52 +00:00
1fee538c7e
Fixed typo in setter method (uses of).
2008-05-13 15:32:30 +00:00
ae2470127c
Fixed typo in setter method "seAttributePrefix"
2008-05-13 13:51:49 +00:00
e1b226ee57
Added 2.0.2 namespace file
2008-05-10 17:16:46 +00:00
add2649397
Javadoc typo.
2008-05-09 18:09:56 +00:00
781d88bd30
OPEN - issue SEC-825: Query string isn't beig stripped from URLs when ant matcher is in use (regression issue)
...
http://jira.springframework.org/browse/SEC-825 . Make sure the property is set on DefaultFilterInvocationDefinitionSource when ant paths are in use.
2008-05-09 18:08:32 +00:00
883b92e7bd
SEC-822: Converted to long arithmetic to prevent integer overflowing with long token validity periods
2008-05-08 15:07:40 +00:00
301d021bf5
SEC-817: NPE in org.springframework.security.config.FilterChainProxyPostProcessor
...
Reversed order of beanName.equals() call as suggested.
2008-05-07 13:58:53 +00:00
8ad2d681ab
SEC-818: Changed redirect URL validation to ignore potential property placeholders at parsing time and report a warning through the parser context rather than an error. Also validated the URLs in the beans themselves using Asserts, so an exception will occur later when the beans have been created rather than while assembling the bean definitions.
2008-05-07 13:49:20 +00:00
afc757e618
Removed reference to LdapDataAccessException since it isn't actually mentioned except in javadoc
2008-05-06 14:43:52 +00:00
c333070fe3
Javadoc tidying
2008-05-06 13:59:46 +00:00
fca3a2a709
SEC-812: Added missing TextUtils file
2008-05-05 19:09:09 +00:00
fa44c74993
SEC-812: Added entity-escaping of username stored under last username key, to prevent problems if it is rendered in a page without escaping the text.
2008-05-05 18:37:02 +00:00
06719053f1
Removed commons lang dependency.
2008-05-05 17:18:47 +00:00
9961c7f867
Moved to correct build location.
2008-05-02 10:52:57 +00:00
7a2e1e13d3
SEC-811: Provide a mechanism to allocate and rebuild cryptographically strong, randomised tokens.
2008-05-02 10:38:56 +00:00
a599ef5398
[maven-release-plugin] prepare for next development iteration
2008-05-01 20:09:03 +00:00
3e808335a4
[maven-release-plugin] prepare release spring-security-parent-2.0.1
2008-05-01 20:07:46 +00:00
6ecfa0541f
SEC-806: Osgi-ified more modules
2008-05-01 17:11:31 +00:00
4984d4be65
OPEN - issue SEC-757: Add validation of redirect URLs on namespace
...
http://jira.springframework.org/browse/SEC-757 . Added validation method to ConfigUtils and calls to it for url attributes.
2008-05-01 16:39:31 +00:00
0df9dee9dd
SEC-806: Improved OSGi bundle version information support
2008-04-30 18:02:47 +00:00
81ebd094ff
OPEN - issue SEC-808: Switch namespace schema version to 2.0.1 and update spring.schemas
...
http://jira.springframework.org/browse/SEC-808 . Replaced 2.0 text with that from the 2.0 release, rather than the website schema.
2008-04-29 18:59:25 +00:00
473f6a32c6
OPEN - issue SEC-808: Switch namespace schema version to 2.0.1 and update spring.schemas
...
http://jira.springframework.org/browse/SEC-808 . Created new 2.0.1 schema files and updated tests to use them.
2008-04-29 18:53:33 +00:00
8281aeb0da
SEC-807: Allow mapping to a standard Ldap UserDetails through the namespace
...
http://jira.springframework.org/browse/SEC-807 . Added extra test for Ldap provider parser.
2008-04-29 18:01:59 +00:00
e4b32b8d29
OPEN - issue SEC-807: Allow mapping to a standard Ldap UserDetails through the namespace
...
http://jira.springframework.org/browse/SEC-807 . Added support for user-details-class attribute to ldap-authentication-provider and ldap-user-service.
2008-04-29 16:53:24 +00:00
104716fedb
SEC-805: Add extra fields to InetOrgPerson
...
http://jira.springframework.org/browse/SEC-805 . Added a substantial number of new fields to the class.
2008-04-29 14:39:58 +00:00
ef112f7967
Fixed autoboxing problem.
2008-04-28 15:26:20 +00:00
341455cde4
SEC-799: Import cleaning following other changes.
2008-04-28 15:19:25 +00:00
2d692718e0
SEC-799: Add better detection of missing server-ref element for <ldap-user-service> and <ldap-authentication-provider />
...
http://jira.springframework.org/browse/SEC-799 . Updated ContextSourceSettingPostProcessor to set the standard ContextSource as an alias if it is needed by a bean but has not been set (because the user specified their own server id on <ldap-server />).
2008-04-28 15:01:20 +00:00
270fa92780
Improved Javadoc comment
2008-04-28 09:20:37 +00:00
d3a0f05de9
SEC-783: GlobalMethodSecurityBeanDefinitionParser should support AfterInvocationProviders
...
http://jira.springframework.org/browse/SEC-783 . Added support for custom-after-invocation-provider
2008-04-25 12:28:30 +00:00
348d211b8c
SEC-797: Minor javadoc correction.
2008-04-24 23:12:55 +00:00
d1e23b3d2c
SEC-783: Added custom-after-invocation-provider element to namespace.
2008-04-24 02:02:23 +00:00
1090072fff
SEC-795: Add check for protected login page when using namespace
...
http://jira.springframework.org/browse/SEC-795 . I've added checks for the various scenarios which will result in a protected login page and suitable warning messages.
2008-04-24 01:59:19 +00:00
5d51b35cfa
SEC-792: Filters should only be added to the default stack if they are labelled using custom-filter.
...
http://jira.springframework.org/browse/SEC-792 . Updated FilterChainProxyPostProcessor to raise an exception if two filters have the same order, and also to unwrap wrapped filters once the sorting by order has been performed.
2008-04-23 23:19:44 +00:00
38774ec94f
SEC-792: Filters should only be added to the default stack if they are labelled using custom-filter.
...
http://jira.springframework.org/browse/SEC-792 . The filters are now maintained as a list in the context and have to be stored there explicitly on registration.
2008-04-23 16:06:54 +00:00
01185475a1
OPEN - issue SEC-793: ldap-authentication-provider element parser ignores hash attribute.
...
http://jira.springframework.org/browse/SEC-793 . Added support for hash attribute. password-encoder still takes precendence with a warning if both are present.
2008-04-23 12:50:09 +00:00
7e63fe7357
SEC-790: DefaultLoginPageGeneratingFilter should be a better HTTP citizen
...
http://jira.springframework.org/browse/SEC-790 . Applied submitted patch.
2008-04-23 00:41:52 +00:00
8ea7487ec3
Removed unused method.
2008-04-22 23:20:49 +00:00
ec81e780b2
Import cleaning.
2008-04-22 22:27:51 +00:00
599d9fea04
Minor improvements to toString() methods for logging.
2008-04-22 22:21:20 +00:00
b2e9e82727
Fixed typo in message.
2008-04-22 21:54:54 +00:00
63decfeb93
SEC-761: HttpSessionContextIntegrationFilter.contextObject should be created in afterPropertiesSet(), not the constructor
...
http://jira.springframework.org/browse/SEC-761 . Added call to generateNewContext() in the afterPropertiesSet() method to take account of custom security context classes.
2008-04-22 21:51:12 +00:00
1ae167434a
SEC-756: Add checks for duplicate use of namespace elements such as global-method-security
...
http://jira.springframework.org/browse/SEC-756 . Refactored HttpSecurityBDP and added check for duplicate usage of the element.
2008-04-22 21:25:35 +00:00
083644f2fe
SEC-756: Refactored GlobalMethodSecurityDefinitionParser and added check for duplicate registration.
2008-04-22 18:25:35 +00:00
1258fa854e
SEC-788: x509 authentication does not work properly
...
http://jira.springframework.org/browse/SEC-788 . Added check for X509 element when choosing entry point, if nothing else is available.
2008-04-22 14:53:11 +00:00
e12b6afefa
SEC-776: Http Session created for Anonymous request
...
http://jira.springframework.org/browse/SEC-776 . Added AuthenticationtrustResolver to HttpSCIF to check for anonymous authentication.
2008-04-22 13:22:38 +00:00
88ea87642a
SEC-791: RequestKey.equals throws NPE if method is null
...
http://jira.springframework.org/browse/SEC-791 . Fixed handling of equals when one http method is null.
2008-04-22 12:32:33 +00:00
9eaa1cbbdd
OPEN - issue SEC-789: Add support for optional role-prefix attribute to namespace
...
http://jira.springframework.org/browse/SEC-789 . Added role-prefix attribute to ldap provider and jdbc/ldap user-service elements.
2008-04-21 18:29:54 +00:00
aba5a22b6c
SEC-789: Add support for optional role-prefix attribute to namespace
...
http://jira.springframework.org/browse/SEC-789 . Added support for role-prefix to jdbc-user-service element.
2008-04-21 17:44:32 +00:00
1a4130528a
SEC-782: Incorrect UrlMatcher initialization in FilterChainProxy results in wrong lowercase/uppercase matching
...
http://jira.springframework.org/browse/SEC-782 . I've updated FilterChainProxy to make sure the same UrlMatcher is used throughout when converting a legacy configuration.
2008-04-21 16:51:06 +00:00
5bb558bd6a
SEC-777: The disabled status cannot be set in <user-service>
...
http://jira.springframework.org/browse/SEC-777 . Added the disabled flag to the relax grammar file.
2008-04-21 15:59:08 +00:00
993fdd7a32
Added better toString() method to OrderedFilterDecorator to make it report the delegate filter information.
2008-04-21 12:53:54 +00:00
469f55ce05
SEC-773: global-method-security fails with JPA
...
http://jira.springframework.org/browse/SEC-773 . Added extra constructor to MethodDefinitionSourceAdvisor to allow for lazy initialization of the advice (MethodSecurityInterceptor), and in turn the AuthenticationManager and ay referenced UserDetailsService implementations.
2008-04-18 13:15:56 +00:00
7238097310
OPEN - issue SEC-775: CLONE -impossible to specify "observeOncePerRequest" property in the namespace based configuration.
...
http://jira.springframework.org/browse/SEC-775 . Corrected check for value of observe-once-per-request attribute. Should be a check for "false" as it is true by default.
2008-04-15 16:57:47 +00:00
b5dc523041
[maven-release-plugin] prepare for next development iteration
2008-04-14 07:06:44 +00:00
0c42670431
[maven-release-plugin] prepare release spring-security-parent-2.0.0
2008-04-14 07:05:46 +00:00
4d714b33e0
SEC-770: Mark old org.springframework.security.acl module as @deprecated.
2008-04-14 06:50:01 +00:00
57b5f38df1
OPEN - issue SEC-769: Remember-Me functionality not available in namespace configuration
...
http://jira.springframework.org/browse/SEC-769 . I've added a check in FormLoginBeanDefintionParser to see if RememberMeServices is registered. If so, it will inject the bean into the filter. Also added a check in HttpSecurityBeanDefinitionParserTests that the field has been set.
2008-04-13 22:11:09 +00:00
4ae40150c9
SEC-752: ClassLoading in GlobalMethodSecurityBeanDefinitionParser doesn't work in tooling
...
http://jira.springframework.org/browse/SEC-752 . Removed check for JSR-250 class.
2008-04-13 20:59:39 +00:00
552dc6486a
SEC-703: Expose customization of SQL used by <jdbc-user-service>
...
http://jira.springframework.org/browse/SEC-703 . Added suggested attributes for sql queries.
2008-04-13 20:51:40 +00:00
d6e5dbbcfd
SEC-767: Added override for flushBuffer in response wrapper.
2008-04-13 20:22:31 +00:00
9d54c2d22b
OPEN - issue SEC-637: Dependency on RequestUtils
...
http://jira.springframework.org/browse/SEC-637 . Removed use of ServletRequestUtils in AbstractRememberMeServices
2008-04-13 12:53:01 +00:00
0422cb1f8f
Fixed artifact groups for aspectjrt and added cas sample to project build
2008-04-13 00:08:18 +00:00
83c152e379
SEC-768: Changed exception to error reported through parser context. Added entry-point-ref to cas config
2008-04-13 00:02:46 +00:00
a2f4ee1c58
SEC-767: Added check for committed response before attempting to create a new session
2008-04-12 23:18:03 +00:00
2d3bc27d06
SEC-755: Updated bundle names in line with Christian's recommendations.
2008-04-12 18:38:06 +00:00
d0ae8e072d
Refactored out safeGetHttpSession method to remove multiple try/catch IllegalArgumentException blocks round request.getSession() calls.
2008-04-12 15:01:52 +00:00
6b86b05a0a
Removed autoboxing
2008-04-11 23:22:36 +00:00
d288f722a8
OPEN - issue SEC-759: GrantedAuthoritiesContainer should extend Serializable
...
http://jira.springframework.org/browse/SEC-759 . Added Serializable to interface.
2008-04-11 17:25:41 +00:00
3b3d339393
SEC-764: Added support for "position" attribute. Also added "LAST" as an option for filter position.
2008-04-11 17:01:08 +00:00
7145198e5a
OPEN - issue SEC-763: Allow setting of alwaysUseDirectTargetUrl via form-login namespace URL
...
http://jira.springframework.org/browse/SEC-763 . Added always-use-default target attribute to namespace.
2008-04-11 12:03:55 +00:00
a3de51ea51
Fixed typo in constant name.
2008-04-09 23:41:27 +00:00
029f8a2409
Made test method getFilters on FilterChainProxy default access.
2008-04-07 22:41:50 +00:00
a2d2c6b67a
Corrected element name.
2008-04-07 22:28:47 +00:00
243b5f4a2a
SEC-746: impossible to specify errorPage for the AccessDeniedHandlerImp when using namespace based configuration
...
http://jira.springframework.org/browse/SEC-746 . Added access-denied-page to http element.
2008-04-07 22:17:09 +00:00
f57ba43780
SEC-673: Reinstated a bean registration that had accidentally bean removed by the last patch, breaking core-tiger tests.
2008-04-07 21:05:13 +00:00
80dbc4fd75
SEC-673: Applied patch from Christian.
2008-04-07 20:20:58 +00:00
594b69b7ef
SEC-754: Changed tests to use unicode escapes rather than explicit UTF-8.
2008-04-07 18:05:45 +00:00
236e310ea7
SEC-747: impossible to specify "observeOncePerRequest" property in the namespace based configuration.
...
http://jira.springframework.org/browse/SEC-747 . Added once-per-request attribute to http element.
2008-04-07 15:30:27 +00:00
6612d0f729
SEC-754: Fixed wrong array length and added tests for encoding non-ascii password.
2008-04-07 14:13:40 +00:00
6d1932da33
SEC-753: Changed Spring version range in felix plugin to [2.0,2.6) to allow use with minor 2.5 versions.
2008-04-07 12:39:00 +00:00
92ad1ecf81
Typo in Javadoc.
2008-04-06 00:08:41 +00:00
67d5a5b814
SEC-750: Support for JPA PersistenceContext annotation broken
...
http://jira.springframework.org/browse/SEC-750 . Updates to prevent the HttpSecurityPostProcessor from causing beans to be instantiated. Added a simplified test case to HttpSecurityBeanDefinitionParserTests.
2008-04-06 00:04:50 +00:00
a43d054bd7
Removed comment about status checking as it is not entirely correct and misleads people.
2008-04-04 19:40:28 +00:00
21e83e8364
[maven-release-plugin] prepare for next development iteration
2008-04-01 15:03:29 +00:00
91ed7dceb6
[maven-release-plugin] prepare release release_2_0_0_RC1
2008-04-01 15:01:30 +00:00
3cb504fa95
Fixed jdk 1.4 compatibility issues
2008-04-01 14:32:31 +00:00
e05d1da102
Refactored AuthenticationUserDetailsService to userdetails package as it isn't preauth specific
2008-03-31 23:08:30 +00:00
f898bec370
OPEN - issue SEC-742: IllegalArgumentException if namespace configuration defines RememberMeServices without BasicProcessingFilter
...
http://jira.springframework.org/browse/SEC-742 . Fix. Post processor was assuming there was a BasicProcessinFilter in the app context when a remember-me services was present.
2008-03-31 22:44:11 +00:00
c347834401
OPEN - issue SEC-605: JdbcDaoImpl of UserDetailsService should provide a method for customizing creation of the final UserDetails object
...
http://jira.springframework.org/browse/SEC-605 . Added a createUserDetails method and also some other methods which are responsible for executing the individual queries for loading the userinformation and authorities.
2008-03-31 18:01:07 +00:00
40e51dd5fe
OPEN - issue SEC-649: Add user-service-ref attribute to remember-me namespace element
...
http://jira.springframework.org/browse/SEC-649 . Added attribute to namespace and parsing support.
2008-03-31 17:27:58 +00:00
cc752cfc28
OPEN - issue SEC-732: Encapsulate query objects in JdbcDaoImpl and JdbcUserDetailsManager
...
http://jira.springframework.org/browse/SEC-732 . Updated these classes to hide the internal query and update objects to allow future refactoring.
2008-03-31 16:52:31 +00:00
53b084e2f9
Simple tests to detect invalid configurations, particularly when the namespace has been updated without applying the spring-security.xsl transformation, which prevents certain elements from appearing at top level.
2008-03-31 16:30:28 +00:00
b1ae4922d2
SEC-726: Added entry-point-ref to <http> namespace element to allow customization of authentication process.
2008-03-31 16:22:40 +00:00
9db55f336c
SEC-739: Removed siteminder provider code.
2008-03-31 12:23:32 +00:00
512c64fb98
SEC-738: Add session-registry-alias attribute to concurrent-session-control
...
http://jira.springframework.org/browse/SEC-738 . Added this attribute. Also various bugfixes in handling of attribute names for concurrent session control.
2008-03-31 12:01:37 +00:00
07f820f1a6
Minor portlet-related changes suggested by John Lewis: Javadoc and default values of booleans.
2008-03-31 10:10:13 +00:00
c9b6fe9555
OPEN - issue SEC-657: Create pre-authenticated processing filter which obtains username from request header
...
http://jira.springframework.org/browse/SEC-657 . Added filter and test class.
2008-03-30 13:37:13 +00:00
b98c72056a
SEC-728: Change use of String.getBytes() in password encoders to use UTF-8
2008-03-29 15:21:31 +00:00
1463b9769d
SEC-629: authentication-provider doesn't support caching.
...
http://jira.springframework.org/browse/SEC-629 . Added support for cache-ref elements on jdbc-user-service and ldap-user-service
2008-03-28 17:55:12 +00:00
db6fafaf56
SEC-629: authentication-provider doesn't support caching. Refactored MockUserCache class to top level
2008-03-28 14:17:05 +00:00
1fece47b49
SEC-691: Applied patch to allow setting of returned user attributes from LDAP search.
2008-03-27 14:41:11 +00:00
350a626587
SEC-477: Added preauthenticated websphere contribution.
2008-03-27 14:25:17 +00:00
584853bbcb
Tidied imports.
2008-03-26 21:49:26 +00:00
ef5b3e2f9c
SEC-733: Changed names of <global-method-security> attributes as discussed with Ben and updated sample to reflect the changes. Also changed explicit instantiation of Jsr250 and Secured annotation MethodDefinitionSource beans in GlobalMethodSecurityBDP into bean definitions to make more tooling friendly.
2008-03-26 21:48:24 +00:00
9ea2408ac6
Fixed error in choosing main entry point (it's an alias not a bean name, so doesn't appear in the entry map - you have to get it direct from the bean factory).
2008-03-26 17:34:42 +00:00
1b8a3c5673
SEC-689: Updated session fixation protection namespace support to set session registry on SessionFixationProtectionFilter.
2008-03-26 14:51:16 +00:00
eeb14b3965
Changed filter order numbers to start at zero (makes them more readable in log compared with large negative numbers)
2008-03-26 12:22:26 +00:00
4681ff3d50
SEC-689: Fix 1.4 compatibility issue (overlooked autoboxing of boolean)
2008-03-26 12:09:57 +00:00
43b51ca64d
SEC-689: Session Fixation protection should be available to all authentication mechanisms.
...
http://jira.springframework.org/browse/SEC-689 . Added support to namespace.
2008-03-26 12:00:58 +00:00
2af2f299cb
SEC-689: Further tests, logging improvements.
2008-03-26 00:00:56 +00:00
a29842a467
SEC-689: Tests for SessionFixationProtectionFilter
2008-03-25 23:24:38 +00:00
8f5bcb64a6
SEC-689: Session Fixation protection should be available to all authentication mechanisms.
...
http://jira.springframework.org/browse/SEC-689 . Added a general SessionFixationProtectionFilter which can be added to the filter stack to detect when a user has been authenticated and then migrate them to a new session. Also added support to <http/> namespace element.
2008-03-25 22:32:26 +00:00
83bcc6ad7c
Removed loggers from subclasses of SpringSecurityFilter in favour of using base class logger.
2008-03-25 14:51:34 +00:00
0860333a3f
SEC-733: AspectJ Pointcut Expression Parsing support.
2008-03-25 08:28:53 +00:00
f4eb15b08b
SEC-428: Tests to prove proxy-target-class="true" works.
2008-03-24 23:10:01 +00:00
f8b5000d40
SEC-428: Make sure context is cleared before running test.
2008-03-24 22:56:43 +00:00
18fef571c3
Import cleaning.
2008-03-24 22:44:42 +00:00
028af06d61
SEC-428: Security interceptor does not work with schema based aop:config
...
http://jira.springframework.org/browse/SEC-428 . Fixed broken test method.
2008-03-24 22:43:08 +00:00
a375d8e59e
SEC-428: Added test
2008-03-24 20:50:58 +00:00
1dd5f42142
Adding svn keywords, correcting typos etc.
2008-03-24 20:48:45 +00:00
9a4977ebd1
SEC-99/428/429/563: Various refactoring of method security metadata support.
2008-03-24 09:40:13 +00:00
6ab301981c
Update dependency versions and POM structure.
2008-03-24 09:05:44 +00:00
fe0e05a6c8
SEC-725: PasswordEncoderParser: <security:password-encoder> element does not pick up 'base64' attribute value
...
http://jira.springframework.org/browse/SEC-725 . Added fix as recommended in issue.
2008-03-23 22:38:13 +00:00
b54e3978dc
SEC-729: Organization of pom dependencies, particularly for servlet-api and jstl. Some other adjustments, removal of unrequired deps etc
2008-03-23 00:31:32 +00:00
30a6abbe50
Tidied formatting of toString output for FilterBasedLdapUserSearch
2008-03-22 21:40:54 +00:00
162933155e
Added implementation of GrantedAuthoritiesContainer to allow refactoring of duplication in various preauth details classes
2008-03-22 19:29:13 +00:00
2ea94e2cc9
Tidying imports etc
2008-03-22 11:44:28 +00:00
563dabda2f
SEC-722: Add Open ID Namespace Support
...
http://jira.springframework.org/browse/SEC-722 . Added OpenIDProvider to bean registry and fixed login page generator to use correct URL for OpenID. Added user-service-ref to namespace element. Changed OpenID sample to use <openid-login />.
2008-03-21 23:47:09 +00:00
b89dbc6060
Import cleaning
2008-03-21 21:51:48 +00:00
9871685ea3
SEC-722: Fixed problem with empty loginpage string (rather than null) preventing default login page filter from being added to the stack.
2008-03-21 21:50:26 +00:00
b73736ffaf
Updated example configuration in javadoc for LdapAuthenticationProvider.
2008-03-21 17:12:22 +00:00
16ea8faa0d
SEC-727: Ensure SecurityConfig cannot be constructed unsafely; also update SecurityConfigTests to JUnit 4.
2008-03-21 02:15:47 +00:00
acc22b2745
SEC-722: Add Open ID Namespace Support
...
http://jira.springframework.org/browse/SEC-722 . Added check for MAIN_ENTRY_POINT bean when resolving entry points. If this has been set during parsing it will be used.
2008-03-20 20:11:34 +00:00
815f04b6c3
SEC-722: Add Open ID Namespace Support
...
http://jira.springframework.org/browse/SEC-722 . Added element to namespace and modified form login parser to handle open id element. Also added openID support to login page generator.
2008-03-20 20:05:11 +00:00
bbc5fea598
SEC-722: Add Open ID Namespace Support
...
http://jira.springframework.org/browse/SEC-722 . Added extra constants for OpenID support.
2008-03-20 19:51:59 +00:00
d333655b0b
Updated to commons logging 1.1.1 to get rid of servlet api dependency in their pom
2008-03-20 19:43:55 +00:00
56b967f935
Removed filer name duplication in rnc file.
2008-03-20 15:10:21 +00:00
a65b5a9ed8
Corrected separators between http method strings in rnc file.
2008-03-20 14:56:02 +00:00
8f379768a8
SEC-720: Design for extension: PreAuthenticatedGrantedAuthoritiesUserDetailsService
...
http://jira.springframework.org/browse/SEC-720 . Added createUserDetails method to allow custom UserDetails object t be created.
2008-03-19 18:29:38 +00:00
030550a88e
Applied XSL transform to XSD file
2008-03-19 17:04:39 +00:00
f8d855f1a2
SEC-716: Default (non-web) AuthenticationDetailsSource implementation.
2008-03-18 18:45:38 +00:00
c9ff912b2f
SEC-723: Change PreAuthenticatedAuthenticationProvider to reject authentication tokens with null credentials. Also introduced a property "throwExceptionWhenTokenIsRejected" which raises a BadCredentialsException when the toke is invalid.
2008-03-18 18:29:48 +00:00
163fb1052f
SEC-721: Call Principal.getName() in AbstractAuthenticationToken.getName() if principal instaceof Principal
2008-03-18 18:06:56 +00:00
2df2eaa169
SEC-719: Introduced base class for J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource to extract non-http specific functionality (for use in portlet version).
2008-03-18 17:22:02 +00:00
52b92b209c
Removed out of date email address for Ben.
2008-03-17 22:44:13 +00:00
8f7b216de3
Import cleaning, removal of unnecessary constructors etc based on eclipse warnings
2008-03-17 14:10:22 +00:00
abd5e384fe
removed unused eh-cache config file
2008-03-17 14:07:19 +00:00
60de6314d4
Replaced casting to check validity of provider list with call to Assert.isInstanceof.
2008-03-17 13:50:37 +00:00
e4c6022b36
SEC-718: Support additional HTTP methods.
2008-03-16 04:14:21 +00:00
6bc0585e4a
SEC-717: Resolve UserDetails.getAuthorities() sort logic issue.
2008-03-16 04:02:55 +00:00
5743763599
SEC-625: Remove references to FilterToBeanProxy
2008-03-13 18:52:31 +00:00
5d6ec8ed71
SEC-702: Updated use of UsernameNotFoundException to set extraInformation property
2008-03-13 16:49:19 +00:00
712f1770d9
SEC-714: Refactor PreAuthenticatedGrantedAuthoritiesSetter and PreAuthenticatedGrantedAuthoritiesRetriever
...
http://jira.springframework.org/browse/SEC-714
2008-03-13 16:03:18 +00:00
42a80931c1
SEC-671: Changed AuthenticationDetailsSource to take an object as argument instead of an HttpServletRequest and renamed AuthenticationDetailsSourceImpl to WebAuthenticationDetailsSource. Also removed some preauth dependencies on commons lang
2008-03-13 14:42:38 +00:00
df0d52ada7
SEC-708: Improve generation of XSD file from Relax NG schema
...
http://jira.springframework.org/browse/SEC-708 . Committed XSL transformed XSD file and some minor changes to organisation of RNC file.
2008-03-13 10:33:28 +00:00
3a364a3343
SEC-713: Made MethodDefinitionAdvisor an infrastructure bean as required by Spring 2.0.7+ and upgraded to Spring 2.0.8
2008-03-11 17:53:04 +00:00
089bffa10f
SEC-712: HttpSessionContextIntegrationFilter "context" property should be renamed
...
http://jira.springframework.org/browse/SEC-712
2008-03-11 14:16:40 +00:00
ed08ba10ba
Added test file for CustomAuthenticationProviderBeanDefinitionDecorator
2008-03-11 13:50:53 +00:00
6fcadb2022
SEC-699: Make TargetUrlResolverImpl parameter non-optional
...
http://jira.springframework.org/browse/SEC-699
2008-03-11 11:25:55 +00:00
e8c0e74498
SEC-708: Improve generation of XSD file from Relax NG schema. XSL file to be run on generated xsd to inline selected elements which should not be global.
...
http://jira.springframework.org/browse/SEC-708
2008-03-10 19:47:20 +00:00
8231df4bc1
Catalog file for security xsd file to simplify its use in editors or ther tools supporting this format.
2008-03-10 12:23:23 +00:00
f76f1b340f
SEC-707: Make purpose of form-login attributes clearer. Renamed login-url to login-processing-url
2008-03-10 10:46:23 +00:00
f7ae070b2f
SEC-705: Extend ldap-authentication-provider namespace elt to support user searches and multiple authentication strategies
...
http://jira.springframework.org/browse/SEC-705
2008-03-09 19:26:34 +00:00
424d291a8f
SEC-672: Added symbolic name to bundle.
2008-03-05 19:44:07 +00:00
a7e4dc3636
SEC-672: Added felix plugin to core build pom.xml
2008-03-05 19:41:59 +00:00
89415e3ee5
SEC-693: RoleVoter can improve performance
...
http://jira.springframework.org/browse/SEC-693
2008-03-05 13:42:39 +00:00
5ec8aa797c
SEC-694: Add check to LdapShaPasswordEncoder to detect use with non-SHA passwords
...
http://jira.springframework.org/browse/SEC-694
2008-03-05 13:29:26 +00:00
426e526694
Minor tidying.
2008-03-03 21:57:59 +00:00
ff16c413dd
[maven-release-plugin] prepare for next development iteration
2008-02-29 14:55:31 +00:00
b8916ffaba
[maven-release-plugin] prepare release release_2_0_M2
2008-02-29 14:54:15 +00:00
6c8adfc982
SEC-640: Test class for FilterInvocationDefinitionSourceParser
2008-02-28 19:36:22 +00:00
33023565a8
SEC-640: Add namespace support for FilterInvocationDefinitionSource configuration
...
http://jira.springframework.org/browse/SEC-640
2008-02-28 19:29:33 +00:00
93432b7626
SEC-680: Missed some additional method, method parameter & field names, JavaDoc
...
http://jira.springframework.org/browse/SEC-680
2008-02-28 12:28:17 +00:00
25c4db08b9
Updated class javadoc to reflect recent changes to AbstractProcessingFilter
2008-02-28 12:04:24 +00:00
709f78e481
SEC-688: java.lang.NullPointerException in AbstractAuthenticationToken.equals()
...
http://jira.springframework.org/browse/SEC-688
2008-02-28 11:44:15 +00:00
e6e1f2586f
SEC-213: Allow custom redirects based on "redirect" parameter in AbstractProcessingFilter. successfulAuthentication()
...
http://jira.springframework.org/browse/SEC-213
2008-02-28 11:03:05 +00:00
439b0be58e
SEC-462: 302 redirect is not usable for SOAP clients
...
http://jira.springframework.org/browse/SEC-462
2008-02-26 14:54:29 +00:00
5e27b326d2
SEC-685: minor javadoc change
2008-02-26 13:02:59 +00:00
0f63084afe
SEC-685: Improvement to Javadoc for FilterChainProxy and changed to use of LinkedHashSet in obtainAllDefinedFilters to guarantee order is preserved.
2008-02-26 12:59:33 +00:00
8c00bb1537
SEC-674: Updated samples to work with new module layout. Changed taglib build to copy tld file to META-INF directory.
...
Also standardized JSTL version to 1.1.0 (impl 1.1.2), moving deps to root sample pom.
2008-02-22 16:21:37 +00:00
5187f89fe8
SEC-679: Removed use of MockApplicationContext and improved use of ehcache (shutting down cache managers after tests are run). Upgraded ehcache version to 1.3 as used in Spring pom.
2008-02-22 13:34:20 +00:00
ca9e64f857
SEC-674: Moved cas "ui" package to new module
2008-02-22 11:11:56 +00:00
2dd9faabc0
SEC-674: Created new project modules for cas, captcha, acls and taglibs
2008-02-19 20:30:53 +00:00
59651f5214
SEC-678: Moved extraInformation property to AuthenticationException so ti isn't only available in BadCredentialsException. Added clearExtraInformation flag to AbstractAuthenticationManager to allow the information to be removed if required before rethrowing.
2008-02-18 20:18:40 +00:00
1aec2a6d0a
Tidying javadoc
2008-02-18 18:27:50 +00:00
d7b3a1f734
SEC-603: Removed requirement for an entry point on BasicProcessingFilter if ignoreFailures is true.
2008-02-18 15:41:23 +00:00
5af9653a8e
Import cleaning.
2008-02-18 12:35:55 +00:00
6575f5af1c
SEC-536: Added account status checking to Siteminder provider
2008-02-18 12:35:18 +00:00
3c011685cd
SEC-536: Added account status checking to pre-auth provider.
2008-02-18 12:15:30 +00:00
84282ffabb
SEC-532: added test method for SEC-655
2008-02-15 22:27:14 +00:00
48e2c38736
SEC-536: Added account status checking to Cas provider
2008-02-15 18:14:57 +00:00
04e187d1a7
Tiding up code in acl package (formatting, reduction onf nesting etc).
2008-02-15 18:09:26 +00:00
5e204e23f3
SEC-536: Introduced UserDetailsChecker strategy to extract code for checking status of accounts and allowing variation in pre/post authentication checks made by AbstractUserDetailsAuthenticationProvider
2008-02-15 18:05:12 +00:00
da90b81e16
Corrected toString output (using "username" instead of "principal")
2008-02-15 17:15:20 +00:00
48e2d5ad62
Refactored AbstractSecurityInterceptor, extracting method authenticateIfRequired();
2008-02-15 17:05:58 +00:00
a930ce2bf6
SEC-577: Correct javadocs for switch user
2008-02-15 14:34:46 +00:00
985818ae2c
SEC-581: Copy authentication details to CAS result token
2008-02-15 14:11:56 +00:00
bdc791649d
SEC-656: Provide ability to dependency inject additional exception to event mappings, rather than require subclassing.
2008-02-15 11:56:53 +00:00
afca3d8adc
tidying up changes
2008-02-15 10:56:05 +00:00
24ff891fea
tidying up changes
2008-02-15 10:55:27 +00:00
69c2f31aa7
SEC-532: AclImpl tests class
2008-02-15 10:53:23 +00:00
0eff5afc8f
SEC-532: small bug-fix
2008-02-15 10:39:25 +00:00
c65ec2aa38
Make authentication-failure-url attribute optional.
2008-02-12 17:40:49 +00:00
b84c812305
SEC-532: added method that reproduces bug in SEC-590
2008-02-12 16:28:33 +00:00
0dae2a2dfc
SEC-532: added test methods; one method reproduces bug in SEC-590
2008-02-12 16:20:48 +00:00
ae28169383
SEC-482: Load AclService implementations from parent app contexts.
2008-02-10 12:42:06 +00:00
f0ec1eeabd
Tidying.
2008-02-09 15:39:16 +00:00
3c775b5d0d
Added access-decision-manager-ref attribute to intercept-methods element. Made interceptor bean autowired by default to pick up AfterInvocationManager.
2008-02-09 15:38:31 +00:00
10ab4136d1
SEC-309: Patch for Authentication tag to use property of authentication object, rather than invoking an operation on the principal. Allows use of nested properties.
2008-02-09 13:41:05 +00:00
e0d0cc20c7
SEC-665: Missed a method name...
2008-02-08 18:19:27 +00:00
bd5a64825d
SEC-552: Replaced authorites populators in CAS and OpenID with a plain UserDetailsService
2008-02-08 13:23:43 +00:00
842c49c890
SEC-665: Renaming of rolemapping package to authoritymapping, and corresponding refactoring of classes.
2008-02-08 12:01:10 +00:00
549de2927e
SEC-641: Avoid direct use of external classes in namespace parsing.
2008-02-07 15:03:27 +00:00
6e93ec92eb
Added db creation message.
2008-02-07 13:35:27 +00:00
28153f2c7f
Added TestDataSource class to cut down verbosity of in-memory test databases and to implement DisposableBean, so the database is destroyed when the application context containing it is closed.
2008-02-07 13:33:15 +00:00
208d1ee8e2
SEC-456: Added test class for UserDetailsServiceLdapAuthoritiesPopulator
2008-02-07 13:31:25 +00:00
9292317e1c
Deleted unused context file.
2008-02-07 13:30:03 +00:00
b6d3ed135d
SEC-456: Added class Javadoc
2008-02-06 17:24:45 +00:00
b2cc817835
SEC-456: Basic LDAP authorities populator that delegates to a UserDetailsService.
2008-02-06 17:22:27 +00:00
99621a225d
SEC-481: Refactoring commence method of AuthenticationProcessingFilterEtryPoint to allow alternative redirect options. Extracted two methods, "buildRedirectUrlToLoginPage" and "buildHttpsRedirectUrlForRequest" and introduced a RedirectUrlBuilder class for assembling the URLs from schemes, ports etc.
2008-02-06 16:38:47 +00:00
adbf18a091
SEC-507: Updated JSR-250 impl to include better support for PermitAll and DenyAll as suggested by Ryan Heaton. Includes JSR-250 voter which is now used by AnnotationDriverbeanDefinitionParser.
2008-02-06 13:14:46 +00:00
c1895acb6b
Changed package doc which mentioned adding filter to web.xml rather than filter chain.
2008-02-06 10:36:25 +00:00
98ccaa61e7
SEC-532: test class for ObjectIdentityRetrievalStrategyImpl
2008-02-06 09:26:39 +00:00
5d09f1264b
SEC-532: Added test method for different hashCode calculation when different Serializable classes are used (the method is commmented as, now, it doesn't pass the test)
2008-02-06 09:26:05 +00:00
419a7a6426
SEC-532: added more test methods for JdbcAclService implementation
2008-02-06 09:24:13 +00:00
2c0c731aaa
SEC-552: Removed accidentally commited incomplete caching-related classes.
2008-02-05 16:59:41 +00:00
b82fbb698d
SEC-641: Updated to set "source" values on BeanDefinitions where possible.
2008-02-05 14:48:39 +00:00
8859034d11
SEC-641: Reomove use of SecurityConfigException during parsing.
2008-02-05 11:46:27 +00:00
717ab0b3cc
SEC-641: Replaced use of Assert with more tooling friendly calls to parserContext.getReaderContext().error()
2008-02-05 11:29:52 +00:00
abb6402cec
Import cleaning.
2008-02-05 10:51:52 +00:00
84c7ac5e57
SEC-664: Removed validateUserDetails method from AbstractRememberMeServices, wrapped the UserDetailsService in a status-checking one and added a catch block for AccountStatusExceptions. Also some minor tidying up of other remember-me classes.
2008-02-04 21:26:07 +00:00
d3f26f09b6
Added support for locking user accounts in namespace <user-service> "user" elements (for use in testing).
2008-02-04 21:23:49 +00:00
2343577fec
Update new X509 namespace config to use status checking of user accounts by default.
2008-02-04 19:43:09 +00:00
600ab04cc7
SEC-663: Added null check for pre-authenticated principal value (and skip authentication attempt if null).
2008-02-04 19:36:44 +00:00
3f1ab233dc
SEC-662: Add check for a null authentication object returned by provider and skip passing it to session controller.
2008-02-04 19:27:12 +00:00
9be3f20faa
2008-02-04 16:44:11 +00:00
1191701d8b
SEC-372: Added switchFailureUrl to SwitchUserProcessingFilter. Also did some refactoring to use the StatusCheckingUserDetailsService decorator, rather than checking status internally.
2008-02-04 14:02:30 +00:00
424ac4f117
Commented out tests which are breaking build.
2008-02-02 22:03:35 +00:00
ab5d416e00
SEC-516: Make default SavedRequest a "GET" in test to prevent NPE.
2008-02-02 21:41:41 +00:00
842dec0180
2008-02-01 15:35:20 +00:00
bd9138d78a
Import cleaning.
2008-02-01 14:38:03 +00:00
df1def412e
Changed to using new alias for security filter chain in samples.
2008-02-01 14:28:04 +00:00
298546014a
SEC-659: Added authentication-manager element to allow users to define an alias for the internal authentication manager.
2008-02-01 14:25:07 +00:00
2ad0c2cbd0
Corrected check on whether delegate implements Ordered interface.
2008-02-01 14:02:01 +00:00
ca75905c3e
SEC-658: Add support for ldap-user-service to AuthenticationProviderBeanDefinitionParser.
2008-01-31 20:32:31 +00:00
2c6fb3d1c9
Added extra tests for jdbc-user-details service to make sure it works within an <authentication-provider> element.
2008-01-31 20:30:37 +00:00
e82dfd3f1a
Added some further tests for LDAP searching with a different user search base.
2008-01-31 17:44:52 +00:00
feb790ea83
SEC-486: Added determineExpiredUrl method to ConcurrentSessionFilter
2008-01-31 16:25:50 +00:00
feadb3582a
SEC-516: TargetUrlResolver path to avoid redirecting to POST requests.
2008-01-31 16:05:25 +00:00
9f45f95fab
SEC-491: Add alternative options for determining logout URL.
2008-01-31 15:48:04 +00:00
Luke Taylor
Ben Alex
Andrei Stefan