Commit Graph

637 Commits

Author SHA1 Message Date
Matthias Merdes b6800bdb4d Update ExpressionUrlAuthorizationConfigurer Error Message
Update error message
2016-04-14 15:33:48 -05:00
Rob Winch 59db9413aa Add SpEL Bean reference test (#3815)
Issue gh-3797
2016-04-14 12:11:40 -05:00
Rob Winch 6f169267c4 HttpSecurity comparitor->comparator
Rename HttpSecurity's comparitor to comparator

Fixes gh-3810
2016-04-13 15:04:22 -05:00
Rob Winch a7fb6d2e58 Add HttpSecurity.addFilterAt (#3809)
Fixes gh-3784
2016-04-13 16:01:25 -04:00
Rob Winch d3a9cc6eae Add CsrfTokenRepository (#3805)
* Create LazyCsrfTokenRepository

Fixes gh-3790

* Add CookieCsrfTokenRepository

Fixes gh-3009
2016-04-12 17:26:53 -04:00
Leon Radley b82df4ecf3 Add alwaysRemember to RememberMe Java Config
Allow setting alwaysRemember from RememberMeConfigurer

Fixes gh-180
2016-04-12 13:37:44 -05:00
Jeffrey Walraven bd0c8a7baa Fix HttpSecurity logout JavaDoc
Removed error provoking extra logout() from example code
2016-04-12 13:24:40 -05:00
Johnny Lim fe94d654ed Fix typos (#228) 2016-04-12 11:11:51 -05:00
Nicolai Ehemann c57dba6b77 Fix typo in setMessageExpessionHandler (#3803) 2016-04-12 11:08:52 -05:00
Joe Grandja b90242f2fa Updates all POM versions to 4.1.0 snapshot build.
Fixes gh-3804
2016-04-12 10:35:43 -04:00
Quinten De Swaef d05fe8ec07 Fix typo in xsd
Fixes gh-3229
2016-04-05 09:47:48 -05:00
Spring Buildmaster 044acf7e27 Release version 4.1.0.RC1 2016-03-23 07:15:15 -07:00
Joe Grandja 2f7f2ff589 Adds support for Content Security Policy
Fixes gh-2342
2016-03-22 21:59:13 -05:00
Rob Winch 4b650dc58d Allow AuthenticationProvider Bean in Java Config
This commit adds support for defaulting java configuration's
authentication by providing an AuthenticationProvider Bean.

Fixes gh-3091
2016-03-22 16:17:25 -05:00
Rob Winch 533a5f0905 Fix <password-encoder> when authentication-manager@id specified
When <authentication-manager> specifies an id, the <password-encoder> is
not used because the parser changes the bean id without aliasing it to
BeanIds.AUTHENTICATION_MANAGER which is used by
AuthenticationManagerBeanDefinitionParser to look up the
AuthenticationManager bean.

This commit updates AuthenticationManagerBeanDefinitionParser to ensure
there is an alias to BeanIds.AUTHENTICATION_MANAGER when the id is
specified.

Fixes gh-3296
2016-03-21 22:48:49 -05:00
Rob Winch 7bf014f678 Path Variables fail with different case
Fixes gh-3329
2016-03-21 10:09:50 -05:00
Rob Winch cf66487d3a Add Java Configuration Test
Issue SEC-2256
2016-03-18 14:03:47 -05:00
Eddú Meléndez 41c6a797c3 Add RememberMeConfigurer set domain
Fixes gh-3408
2016-03-17 08:30:18 -05:00
Rob Winch ec4e6c7453 Update pom.xml to 4.1.0.BUILD-SNAPSHOT 2016-03-14 00:51:35 -05:00
Rob Winch f221920a19 Clean up code to conform to basic checkstyle
Issue gh-3746
2016-03-14 00:15:12 -05:00
Rob Winch 35eff94e3d Add Both Config names to duplicate WebSecurityConfigurer order
Previously the error message when multiple WebSecurityConfigurer with the
same Order did not include both WebSecurityConfigurer classes that were
involved in the duplicate Order. This made resolving errors difficult.

This commit ensures both WebSecurityConfigurers are include in the error
message.

Fixes gh-3380
2016-03-11 12:12:55 -06:00
Shazin Sadakath e33e21fe6b Add Forward after authentication attempt config support
Fixes gh-3728
2016-03-11 10:49:30 -06:00
Rob Winch 5d6e8bc3c8 Remove SPR-11251 workaround from WebSecurityConfiguration
Fixes gh-3348
2016-03-09 16:48:24 -06:00
Rob Winch be36ddb614 Some formatting fixes for HttpSecurity Javadoc 2016-03-09 16:45:43 -06:00
Rob Winch 2f4610e8b7 Update HttpSecurity.requestMatcher() Javadoc
Fixes gh-3365
2016-03-09 16:45:29 -06:00
Billy Korando 71d4ce96ad Convert to assertj
Fixes gh-3175
2016-03-09 14:30:17 -06:00
Rob Winch bb600a473e Start AssertJ Migration
Issue gh-3175
2016-03-09 14:26:30 -06:00
Rob Winch 3164bd6f8d Polish Sorting ObjectPostProcessor
* Add Test
* Only sort on adding new entry

Issue gh-3572
2016-03-08 15:51:13 -06:00
Wallace Wadge a366489c3c Sort ObjectPostProcessors prior to invoking them
Fixes gh-3572
2016-03-08 10:39:56 -06:00
Rob Winch db81977a1a Polish HPKP
* Javadoc polish
* Whitespace cleanup

Issue gh-3706
2016-03-03 15:11:40 -06:00
Tim Ysewyn 331c7e91b7 HTTP Public Key Pinning
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites
to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
(For example, sometimes attackers can compromise certificate authorities,
 and then can mis-issue certificates for a web origin.)
The HTTPS web server serves a list of public key hashes, and on subsequent connections
clients expect that server to use 1 or more of those public keys in its certificate chain.

This commit will add this new functionality.

Fixes gh-3706
2016-03-03 14:21:46 -06:00
Rob Winch 337f1885ea SEC-3170: Polish
* Prevent a null LogoutHandler from being set when RememberMeServices
does not implement LogoutHandler
* Fix test which invoked Mock from outside spock which failed
* Add explicit test for adding null LogoutHandler to
RememberMeConfigurer
2015-12-15 09:50:54 -06:00
Nikos Kastamoulas b28c62a6fe SEC-3170: Null check for Java Config of RememberMeServices
Added a null check in LogoutConfigurer.addLogoutHandler() method to
ensure that a logout handler is always provided..
2015-12-15 09:50:54 -06:00
William Gorder 1182d35d3c SEC-3159: Fix Javadoc
The HttpSecurity#headers() Javadoc did not accurately reflect changes made to the
HeadersConfigurer in Spring Security 4.x.
2015-11-21 19:39:15 -05:00
Kazuki Shimizu 205ef42cfb SEC-3147: Add error parameter for default authentication-failure-url 2015-11-12 15:00:21 -06:00
Rob Winch 53f85e2151 SEC-2848: LogoutConfigurer allows setting clearAuthentication 2015-10-30 13:54:01 -05:00
Rob Winch 15b4406015 SEC-3135: antMatchers(<method>,new String[0]) now passive 2015-10-30 10:08:42 -05:00
Rob Winch 6f1bb705ac SEC-3135: antMatchers now allows method and no pattern
Previously, antMatchers(POST).authenticated() was not allowed. Instead
users had to use antMatchers(POST, "/**").authenticated().

Now we default the patterns to be "/**" if it is null or empty.
2015-10-29 12:48:29 -05:00
Rob Winch f76bf96e14 SEC-3132: securityBuilder cannot be null
If a custom SecurityConfiguererAdapter applies another
SecurityConfigurerAdapter it caused an error securityBuilder cannot be null.

This commit fixes this.
2015-10-23 10:27:09 -05:00
Rob Winch b9f8af3096 SEC-3063: rm ConditionalOnMissingBean for @Primary
ConditionalOnMissingBean can only work in a Spring Boot environment. This
means this approach is flawed.

Instead users that wish to override requestDataValueProcessor can use
@Primary.
2015-10-21 15:40:43 -05:00
izeye 8baafbb2f2 SEC-3116: Polish WebSecurity Javadoc 2015-10-01 15:50:22 -05:00
zhanhb 29f2cc0ab1 snasphot -> snapshot 2015-09-25 15:28:39 -05:00
Rob Winch bac980cbcb SEC-2868: Simplify custom UserDetailsService Java Config
Exposing a UserDetailsService as a bean is now all that is necessary
for Java based configuration. Additionally, an optional PasswordEncoder
bean can be used to configure password encoding.
2015-08-27 20:41:15 -05:00
Rob Winch 6b05b298ff SEC-2059: Support Path Variables in Web Expressions 2015-08-20 17:11:01 -05:00
Rob Winch cbed1d75ee SEC-3076: Add Method Level Security Meta Annotations 2015-08-19 16:07:03 -05:00
Rob Winch 41c9431fcc Test that form log in requires CSRF 2015-08-03 12:24:37 -05:00
Rob Winch 453e6332da Fix indentation of CsrfConfigTests 2015-08-03 12:03:05 -05:00
Rob Winch 969f3a7d1b Update pom.xml to latest snapshots 2015-08-03 09:46:01 -05:00
Thomas Darimont ad1d858e2b SEC-3056 - Fix JavaDoc errors.
Fixed JavaDoc errors accross multiple modules in order to make javadoc happy with Java 8.
2015-08-03 08:02:24 -05:00
Rob Winch dab4cf18b8 SEC-3032: Correct documented logout-success-url default 2015-07-22 13:48:07 -05:00