Previously subclasses of AbstractSecurityInterceptor did not restore the original
Authentication when RunAsManager was used and an Exception was thrown in the
original method.
AbstractSecurityInterceptor has added a new method finallyInvocation which
should be invoked in a finally block immediately after the original invocation
which will restore the original Authentication. All existing sub classes have
been updated to use this new method.
The javadoc did not work with JDK 1.5 due to a JDK bug fixed in JDK 1.6.
This changed the javadoc that had a tag that started with <a and was not
closed to escape the < >. This resolves the issue with the JDK 1.5 javadoc
bug.
Previously the javadoc stated that password could not be null. However,
since the introduction of CredentialsContainer introduced in SEC-1493 the
password can be null.
The changes remove the statement that passwords cannot be null. While this
is a non-passive change to the interface, the current state leaves no choice
for a non-passive change. Removing the javadoc was determined the better
option since erasing the credentials was an explicit feature request. Note
that replacing the password with an obscure String can be risky as it
introduces the risk that the value is used to authenticate.
Previously there were problems when importing with ./gradlew eclipse. For
example GRADLE-1116 and GRADLE-1422.
The changes provide workarounds that are compatible with Gradle 1.0. Note
when importing after using ./gradlew eclipse users may get errors stating
"Element not found". This is only at the time of import and can be ignored.
This is an Eclipse bug logged as
https://bugs.eclipse.org/bugs/show_bug.cgi?id=244315
Previously the documentation was referring to what ConcurrentSessionControlStrategy
performed.
Now the documentation has been moved to the ConcurrentSessionControlStrategy#onAuthentication
method.
Previously SessionFixationProtectionStrategy javadoc mentioned injecting
the SessionRegistry. However, this property is only available on
ConcurrentSessionControlStrategy (a subclass).
Now the mention has been removed. It is apparent the property is required
in ConcurrentSessionControlStrategy since it uses constructor injection.
Previously JdbcTokenRepositoryImpl would log an error with a misleading
message when the token series was missing.
Now JdbcTokenRepositoryImpl logs missing token series at info level with
a more informative message.
Previously the namespace configuration only populated ConcurrentSessionFilter
with SecurityContextLogoutHandler. This means that there was an inconsistency
with LogoutFilter.
Now the namespace will configure the same LogoutHandlers as it would for
LogoutFilter (i.e. RememberMeServices, SecurityContextLogoutHandler, and
CookieClearingLogoutHandler.
Previously the namespace configuration used deprecated API's
causing warnings to show up in Spring Tool suite when editing
Spring configuration files.
Now the namespace configuration uses the replacement API's for
those that have been deprecated. The tests have also been updated
to ensure the new constructors are used and that the updates did
not break anything.
Technically digest authentication can allow for encoded passwords, but
it needs to be in the correct format. This update adds a footnote to clarify this.
Previously the documentation stated that passwords must be in clear text.
Previously a warning would be logged to the parser when a URL was
configured with a SpEL expression. These changes prevent warnings from
being logged when using SpEL for URL configuration.
Merge in changes from jBCrypt.
- Use a ByteArrayOutputStream to cache bytes.
- Pass a StringBuilder into encode_base64.
- Refactor string comparison into its own method.
- General clean up.
There were two issues that needed resolved
- Since DefaultWebSecurityExpressionHandler no longer implemented WebSecurityExpressionHandler a bean lookup by
type would not work. This caused failures in the JSF support.
- The method createEvaluationContext needed to be explicitly defined on WebSecurityExpressionHandler since the
parameterized type from the super interface is not preserved at compile time. Without explicitly defining the
method any class compiled against a previous version would cause a NoSuchMethodException.
This fixes two issues introduced by SEC-1229
* SessionRegistry.registerNewSession is invoked twice
* SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should be handle removing the session twice. However, as removing
twice requires an unnecessary database hit we should only remove
sessions once.
* Removed custom-authentication-provider from documentation
* Rephrased to make the pre authentication documentation a little more concise
* Removed nested () within text (not code)
* Removed user which should have been use
Rob Winch
Joseph Walton
Rob Winch
Christian Hilmersson