Commit Graph

6047 Commits

Author SHA1 Message Date
Rob Winch d3685d89c5 Polish PasswordEncoderUtils do not leak length
Issue gh-255
2016-10-24 11:26:43 -05:00
avri-schneider a98389fa98 PasswordEncoderUtils do not leak length
Enforce constant time even when expectedLength != actualLength.

Fixes gh-255
2016-10-24 11:26:34 -05:00
Rob Winch dc9f9b140f Polish PasswordEncoderUtilsTests
* Add more tests
* Smaller tests
* Follow new naming convention
2016-10-24 11:24:24 -05:00
Rob Winch f432c04111 Create UserBuilder
This commit creates a UserBuilder and updates samples to use it. We do not
leverate it for JdbcUserDetailsManager because it requires the schema to
be created which is difficult with a single bean definition and
unpredicatble ordering. For this, it is still advised to use
AuthenticationManagerBuilder

Fixes gh-4095
2016-10-21 16:42:03 -05:00
Johnny Lim 50b72dddbc Fix typo in Javadoc
This commit simply fixes typo in Javadoc.
2016-10-20 21:07:15 -05:00
Rob Winch 94e580fe64 Add Support for Custom Default Configuration in Web Security
Fixes gh-4102
2016-10-19 16:15:56 -05:00
Rob Winch af9139b613 Add intercept-url@request-matcher-ref
Fixes gh-4097
2016-10-18 22:27:31 -05:00
Rob Winch f019ea89e7 Remove unused lowercase-comparisons from XSD
Fixes gh-3932
2016-10-18 22:27:28 -05:00
Rob Winch 0d700628dc Add spring-security-4.2.xsd to spring.schemas
Fixes gh-4098
2016-10-18 22:27:22 -05:00
Rob Winch aaa9708b95 Add BeanResolver to AuthenticationPrincipalArgumentResolver
Previously @AuthenticationPrincipal's expression attribute didn't support
bean references because the BeanResolver was not set on the SpEL context.

This commit adds a BeanResolver and ensures that the configuration
sets a BeanResolver.

Fixes gh-3949
2016-10-18 19:45:54 -05:00
Joe df9e6c973c linked to java configuration sample applications
removed outdated description and linked directly to java configuration sample applications
2016-10-17 21:12:17 -05:00
Paul Samsotha 1da9c06f3b Fix Reference (test.adoc) Typo
@SpringExecutionListeners -> @SpringTestExecutionListeners
2016-10-17 21:11:19 -05:00
Rob Winch 0c35209d77 Document Proxy Server
Issue gh-4076
2016-10-17 21:07:57 -05:00
Rob Winch badb466cc5 AuthenticationConfiguration imports ObjectPostProcessor
Fixes gh-4086
2016-10-17 20:00:27 -05:00
Rob Winch 46bb855737 Remove chat sample
Removed in favor of
https://github.com/spring-projects/spring-session/tree/master/samples/websocket

Fixes gh-4094
2016-10-17 17:02:59 -05:00
Rob Winch 6a3a5f7beb Polish Deprecations
Issue gh-4080
2016-10-17 17:02:59 -05:00
Rob Winch 52c6e3cf89 Create RedirectMatcher
This commit creates RedirectMatcher for binary backward compatability with
Spring 4.3.x and Spring 5 to ensure that the Spring IO tests pass.

Issue gh-4080
2016-10-17 17:02:58 -05:00
Rob Winch 17cfd4707b Fix deprecations
Issue gh-4080
2016-10-17 17:00:18 -05:00
Rob Winch 2c99cd3bbf Remove MatcherAssertionErrors
Spring 5 removes MatcherAssertionErrors. We should not have been using
this class anyways.

This commit updates to using assertj in favor of MatcherAssertionErrors.

Issue gh-4080
2016-10-17 17:00:17 -05:00
Rob Winch 8a7ac398e6 Remove TheController from Bean
It is already picked up with classpath scanning

Issue gh-4080
2016-10-17 17:00:17 -05:00
Rob Winch 5e35e37a2b Update to Thymeleaf 3.0.2 and remove tiles
Spring 5 removed support for Tiles 2 and Thymeleaf does not support
Tiles 3 yet. This commit updates to Thymeleaf 3.0.2 and uses
Thymeleaf's build in layout support.

Issue gh-4080
2016-10-17 17:00:17 -05:00
Rob Winch c1e9140940 Update itest/web to use Servelt 3.1
Previously itest/web used Servlet 2.5 which Spring 5 is not
compatabile with. This commit removes unnecessary tests (ones that
were already covered) and converts the remaining tests to MockMvc
using the provided servlet version.

Issue gh-4080
2016-10-17 17:00:17 -05:00
Rob Winch 1222fc5f10 XML ref to bean
Spring 5 removes ref XML attribute in favor of bean XML attribute. This
commit updates all the samples and tests to use bean instead of ref.

Issue gh-4080
2016-10-17 17:00:17 -05:00
Rob Winch 08c1f500a7 Version bumps for Spring 5
Issue gh-4080
2016-10-17 17:00:17 -05:00
Rob Winch a18707c870 gradlew disables Gradle Daemon
Fixes gh-4093
2016-10-17 17:00:16 -05:00
Jitendra Singh 48ff518a41 Fix Jackson 2.7+
UnmodifiableSetDeserializer added which will ensure
Collection$UnmodifiableSet deserialize properly with jackson-databind 2.7+

Fixes gh-4073
2016-10-13 07:42:07 -05:00
Rob Winch 0b1e3b4e4a Fix Reference Typo
unlimitted->unlimited
2016-09-23 16:45:08 -05:00
Rob Winch 6b4a52715b Fix Typo in Reference 2016-09-23 14:57:52 -05:00
Spring Buildmaster 7fb052e7ae Next development version 2016-09-23 19:39:35 +00:00
Spring Buildmaster c1b8150439 Release version 4.2.0.M1 2016-09-23 19:39:33 +00:00
Rob Winch 8b89e804e3 Polish RequestAttributeAuthenticationFilter
Issue gh-3978
2016-09-23 13:08:08 -05:00
Rob Winch c0f5aaee78 Adds What's New Spring Security 4.2
Fixes gh-4070
2016-09-23 13:02:27 -05:00
Rob Winch 6fb564a629 Polish HTTP Response Splitting
Issue gh-3910
2016-09-23 12:49:01 -05:00
Rob Winch 9ae163e92d Rename to RequestAttributeAuthenticationFilter
Rename EnvironmentVariableAuthenticationFilter to
RequestAttributeAuthenticationFilterTests

Polish gh-3978
2016-09-22 16:44:10 -05:00
Milan Ševčík a8120e74a7 Added authentication filter reading environment variables.
This style is used in many SSO implementations, such as Stanford WebAuth
and Shibboleth.
2016-09-22 16:30:54 -05:00
Rob Winch b443baef04 Polish GrantedAuthorityDefaults
* Move GrantedAuthorityDefaults to config module
* Move setting of default role into config module vs
  ApplicationContextAware

Issue gh-3701
2016-09-22 15:13:05 -05:00
Eddú Meléndez eabeaf35d6 Make single definition of `defaultRolePrefix` and `rolePrefix`
Previous to this commit, role prefix had to be set in every class
causing repetition. Now, bean `GrantedAuthorityDefaults` can be used to
define the role prefix in a single point.

Fixes gh-3701
2016-09-21 14:55:41 -05:00
Rob Winch 2e6656e9d3 Polish HTTP Response Splitting
* Use new test method name convention of
  methodNameWhen<Condition>Then<Expectation>
* Check null Cookie
* Check Cookie.getName() for crlf since we do not want to rely on the
  implementation. For example Cookie could be overriden by extending it.
* Use Crlf as convention instead of CLRF as style guide
* Create new FirewalledResponse before each test to ensure isolation
* Use Mock for HttpServletResponse delegate to keep test in isolation (i.e.
  we do not want our tests to fail if MockHttpServletRequest changes an
  Exception error message)

Issue gh-3910
2016-09-21 10:42:24 -05:00
Gabriel Lavoie 4a1f00b90f Add additional HTTP Response splitting prevention
- Adding multiple test.
- HTTP response splitting should be validated too on cookie attributes and
header name.

Issue gh-3910
2016-09-21 10:42:18 -05:00
Rob Winch d8690a59e2 Fix ??? in reference 2016-09-19 16:29:46 -05:00
Rob Winch 49f7c98c3e Fix headers@defaults-disabled=true with no children
Previously <headers defaults-disabled="true"/> would fail if there were
no children with an IllegalArgumentException. This allows using
defaults-disabled="true" and no children as an alias for disabled="true".

Fixes gh-3986
2016-09-19 14:53:51 -05:00
Rob Winch 81ebdecd8a Update to Sonarqube 2.1-rc1
Issue gh-4052
2016-09-19 14:02:20 -05:00
Julio Valcarcel 6834467389 Add cookiePath to CookieCsrfTokenRepository
Allow the csrf cookie path to be set instead of inferred from the
request context.

Fixes gh-4062
2016-09-19 13:52:54 -05:00
Joe Grandja c75a5b7279 Polish RoleHierarchyUtils and add tests 2016-09-19 14:07:34 -04:00
Thomas Darimont 06c67070a6 Add convenience method for constructing RoleHierarchy from Map.
Introduced `RoleHierarchyUtils` which enables convenient
construction of `RoleHierarchy` from map based representation.
Where the map key is the role name and the map value is a list
of implied role names.

Here is a small example for that in action:
https://gist.github.com/thomasdarimont/ee9fffdef1adb9243b12ad247478aad4

Fixes #3990.

Signed-off-by: Thomas Darimont <thomas.darimont@gmail.com>

Signed-off-by: Thomas Darimont <thomas.darimont@gmail.com>
2016-09-19 14:07:34 -04:00
Rob Winch 7f54c8b8b4 Fix link to CSP in Reference Doc
Previously the link in the reference from x-frame-options to the
content security policy section was broken.

This commit fixes the link.

Issue gh-4063
2016-09-19 10:21:04 -05:00
Fred Cooke 12173c04ee Fix Typo in Reference Docs
Word substitution, it's foolproof, not full proof :-)

Fixes gh-4063
2016-09-19 10:11:16 -05:00
Fred Cooke 4cc899feab Fix Typo in Javadoc
Issue gh-4063
2016-09-19 10:09:48 -05:00
Rob Winch 6650429283 Polish SessionInformationExpiredStrategy
* Fix passivity and add tests
* Introduce SessionInformationExpiredEvent as a value object
* Rename ExpiredSessionStrategy to SessionInformationExpiredStrategy
  to account for the need of SessionInformation
* Switch to Constructor Injection
* Move the changes to the xsd to 4.2 xsd instead of 4.1

Issue gh-3808
2016-09-15 14:30:52 -05:00
Marten Deinum 67c9f12964 Configuration of session management strategies
This commit adds the possibility to configure the AuthenticationFailureHandler
of the SessionManagementFilter.

Fixes gh-3794
2016-09-15 11:10:36 -05:00