e3ff4130a5
Allow negative values to configure unlimited sessions
2016-07-07 14:29:18 -05:00
50d7d3287f
Add spring-security-4.2.xsd
2016-07-07 14:19:01 -05:00
26fa4a4bf0
Prevent HTTP response splitting
...
Evaluate if http header value contains CR/LF.
Reference: https://www.owasp.org/index.php/HTTP_Response_Splitting
Fixes gh-3910
2016-07-07 13:42:52 -05:00
13b0ddb7e6
Fix test assertions
2016-07-07 13:29:00 -05:00
b4ab0483b1
Update version to 4.2.0.BUILD-SNAPSHOT
2016-07-07 12:56:20 -05:00
cc04392d9a
Next development version
2016-07-07 00:57:53 +00:00
919f000c80
Release version 4.1.1.RELEASE
2016-07-07 00:57:35 +00:00
310bb39a0d
Fix typo
2016-07-06 16:22:33 -05:00
764a4d8414
Fix Error Message typo
...
Fixes gh-3953
2016-07-06 16:19:29 -05:00
b17870ee07
LogoutConfigurer: only allow suitable http methods
2016-07-06 16:17:11 -05:00
8ad91ef6a5
WithSecurityContextTestExecutionListener > SqlScriptsTestExecutionListener
...
WithSecurityContextTestExecutionListener should order after
SqlScriptsTestExecutionListener so sql can setup the current user's info
in the database.
Fixes gh-3962
2016-07-06 16:09:17 -05:00
5f6312c5be
Update to Spring 4.3.1
...
Fixes gh-3963
2016-07-06 15:47:44 -05:00
9d50944cb2
AntPathRequestMatcher implements RequestVariableExtractor
...
Issue gh-3964
2016-07-06 15:47:34 -05:00
e4c13e3c0e
Add MvcRequestMatcher
...
Fixes gh-3964
2016-07-06 15:47:23 -05:00
13bc70f693
Add CorsFilter support
2016-07-05 14:28:04 -05:00
c935d857eb
Add mvc namespace to XmlApplicationContext
2016-07-01 22:04:55 -05:00
843ed3e437
Update to Spring 4.3.1.BUILD-SNAPSHOT
2016-07-01 22:04:55 -05:00
7f3b3a8b59
Polish
...
Issue gh-180
2016-07-01 13:17:52 -05:00
261c932b8e
Upgrade Gradle to 2.14
...
Issue gh-3946
2016-06-28 13:13:08 -04:00
1b4e20e97f
Fix InsecureApplicationTests package
...
Fixes gh-3951
2016-06-28 10:17:17 -05:00
bd5f71bb0d
Polish
...
Fix checkstyle for LDAP JavaConfig Authority mapping
Issue gh-2768
2016-06-21 17:08:37 -05:00
b76e3be822
LDAP Java Config supports GrantedAuthoritiesMapper
...
Fixes gh-2768
2016-06-21 16:43:13 -05:00
26ad1cb4a5
Polish RememberMe Validation
...
Issue gh-3909
2016-06-21 14:57:15 -05:00
87224f62e4
RememberMe JavaConfig Validation
...
Add validation when rememberMeServices and rememberMeCookieName are
provided
Fixes gh-3909
2016-06-21 14:57:01 -05:00
8f880aea0e
Polish Pbkdf2PasswordEncoder
...
Issue gh-3930
2016-06-21 11:47:50 -05:00
5f658b3ffc
Remove double salt in Pbkdf2PasswordEncoder
...
Issue gh-3930
2016-06-21 11:44:23 -05:00
77a478ba0d
Fix ApacheDSEmbeddedLdifTests checkstyle
...
Issue gh-54
2016-06-21 09:56:34 -05:00
a3c4a5fde7
SEC-2387 - add ignored failing test case
2016-06-21 09:53:38 -05:00
bbeb7f94d7
Fix checkstyle
...
Issue gh-3920
2016-06-20 19:36:51 -05:00
a2a06d19c1
Add formLogin() Accept Test
...
Issue gh-3920
2016-06-20 16:23:29 -05:00
314828859e
Added accept method call to buildRequest in SecurityMockMvcRequestBuilders with default of MediaType.APPLICATION_FORM_URLENCODED
2016-06-20 15:46:01 -05:00
66858e22ad
Disable XMLHttpRequest for formLogin entry point
...
Previously the following:
http http://localhost:8080/user \
"X-Requested-With:XMLHttpRequest" "Accept:text/plain"
Produced a 302 instead of a 401
Fixes gh-3887
2016-06-20 15:30:00 -05:00
2a73f3cdf7
Remove abigious import
2016-06-20 15:03:09 -05:00
dd9b59ba31
Document Digest is insecure
...
Fixes gh-3894
2016-06-20 14:10:36 -05:00
39ed7d0eca
Propagate rolePrefix to LdapAuthoritiesPopulator
...
Previous to this commit, custom rolePrefix was not propagated to
LdapAuthoritiesPopulator populating a wrong authority. Now, rolePrefix
is propagated and the authority is as expected.
Fixes gh-3921
2016-06-20 12:44:02 -05:00
a2ead4cf7a
Polish
...
Fixes gh-3892
2016-06-20 12:35:43 -05:00
364db6762e
Add failing test for #3905 Fix Assert usage
2016-06-20 09:24:04 -05:00
e8f4ee8a39
Fix Assert usage
2016-06-20 09:23:51 -05:00
d2b909e7c5
Doc InteractiveAuthenticationEvent doesn't extend AuthentcationEvent
...
Document why InteractiveAuthenticationEvent doesn't extend
AuthentcationEvent. This is to avoid multiple AuthenticationSuccessEvent
from being sent to any listeners.
Fixes gh-3857
2016-06-17 17:16:54 -05:00
9fa2c64737
Documentation SecurityConfig->WebSecurityConfig
...
Rename SecurityConfig to WebSecurityConfig in the documentation.
Fixes gh-153
2016-06-17 16:55:46 -05:00
6b436ff409
Avoid duplicate attribute search.
...
When using search-and-bind strategy, the user attributes are already returned in the first search.
If the user happens to not have privileges to perform a search, the second search may fail.
(user only has bind privileges)
See https://github.com/cloudfoundry/uaa/issues/342
2016-06-17 16:43:06 -05:00
ca76e8d784
Remove null-check inside afterPropertiesSet() since it's never null
2016-06-17 16:40:39 -05:00
2d6051625f
Update pom.xml
2016-06-17 14:30:11 -05:00
477573b3bc
Fix @EnableGlobalAuthentication & method seucrity on @Configuration class
...
Fixes gh-3934
2016-06-17 14:05:11 -05:00
fa1c484587
AuthenticationConfiguration.getAuthenticationManager() supports recursion
...
AuthenticationConfiguration.getAuthenticationManager() now supports
recursion. This is necessary in instances where something using
@EnableGlobalAuthentication requires an object using method level security.
Fixes gh-3935
2016-06-17 14:02:36 -05:00
9e3d2e2d99
HTTP Basic default logout ignores text/html
...
This fixes an issue where Chrome sends an accept header of application/xml
which triggers an HTTP 204 to be returned
Fixes gh-3902
2016-06-14 16:27:56 -05:00
e7fd6f6c3f
Remove the CLA confirmation from template
...
We now use the new CLA tooling which automates this
2016-06-13 13:20:22 -05:00
208f898403
Improve csrf login caveats
...
Add a suggestion to retrieve a fresh csrf token right before the
form submission in order to avoid problems with invalid csrf tokens
due session timeouts.
Fixes gh-3925
2016-06-13 16:26:16 +01:00
a7369bf71b
Update to CLA tooling
2016-06-08 21:56:22 -05:00
cf78793f8f
Fixes for Documentation
...
Fixes for the Documentation
2016-05-31 21:40:21 -05:00
Michael J. Simons
Rob Winch
Eddú Meléndez
Spring Buildmaster
Johnny Lim
Jakob Englisch
Tony Dalbrekt
vitaliy_kuzmich
Marcin Zajączkowski
Micah Silverman
Ruben Dijkstra
Shannon Carey
Filip Hanik
Rob Winch
Pedro Vilaça