Commit Graph

3879 Commits

Author SHA1 Message Date
Luke Taylor f54831f2b5 SEC-1398: Minor changes to method security annotation information in namespace chapter.
Added some explanation of the different annotation types and their suitability.
2010-02-06 18:03:05 +00:00
Luke Taylor 67c9a0b78d SEC-1389: Added "iterations" property to BaseDigestpasswordEncoder to support "stretching" of passwords. 2010-02-06 17:34:07 +00:00
Luke Taylor bd2fd3448b SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly. 2010-02-06 15:42:01 +00:00
Luke Taylor 984604b026 SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator.
The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
2010-02-06 14:38:44 +00:00
Luke Taylor 8720966d20 SEC-1390: Added null check on claimedIdentifier returned by DiscoveryInformation to prevent NPE. 2010-02-06 14:38:44 +00:00
Luke Taylor b1243416fc Minor corrections to aspectj interceptor docs 2010-02-05 20:24:05 +00:00
Luke Taylor 38837775a5 Minor corrections to aspectj interceptor docs. 2010-02-05 17:10:27 +00:00
Luke Taylor 10d787ede2 Javadoc corrections to SessionRegistryImpl 2010-02-03 23:49:36 +00:00
Luke Taylor c4d2f59eec SEC-1381: Update source repo information in docs to point to git rather than subversion. 2010-01-27 01:37:45 +00:00
Luke Taylor 912e7976da Added doc upload capability to build. 2010-01-23 02:12:31 +00:00
Luke Taylor dcf9ea25a6 Updated access-decision and after-invocation diagrams in manual. 2010-01-23 02:12:30 +00:00
Luke Taylor 0974e21fb6 SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid).
This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
2010-01-23 02:12:30 +00:00
Luke Taylor d931495c8a SEC-1380: Trim whitespace from config attributes when building a list in SecurityConfig. 2010-01-23 02:12:30 +00:00
Luke Taylor 04447bdbf0 SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs). 2010-01-22 01:55:13 +00:00
Luke Taylor dbf673ec37 Build updates to include uploading of distro and docs, plus addition of admon graphics path to docbook plugin. 2010-01-21 20:12:12 +00:00
Luke Taylor 9734e4c82f Added generation of sha1 of distro archive to build. 2010-01-21 20:00:17 +00:00
Luke Taylor 56849dc41e Added tasks for apidocs, doc and distro archive generation to the build file. 2010-01-21 19:59:48 +00:00
Luke Taylor 10cd080090 SEC-1356: Update createUser method in LdapUserDetailsManager to create the LDAP entry before adding authorities. Prevents removal of authorities for an existing user. 2010-01-20 18:51:29 +00:00
Luke Taylor 0c10efbbf8 Revert SEC-1356.
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
2010-01-19 22:26:21 +00:00
Luke Taylor 1a7f71fc0f SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
2010-01-19 01:07:33 +00:00
Luke Taylor 8137a8bcd0 Enabled detection of release builds and s3 maven deployment capability to gradle build.
The s3 deployment requires an updated snapshot of the spring aws-maven dependency, as the old one was incompatible with changes in the latest version (1.0-beta6) of the Maven "wagon" api.
2010-01-18 02:02:28 +00:00
Luke Taylor a5dde8b28f Updated doc on invalid session detection.
Invalid session URL must typically be omitted from the filter chain to prevent an infinite loop.
2010-01-17 14:41:24 +00:00
Luke Taylor 51dfc0fb39 Set versions to 3.0.2-CI-SNAPSHOT, post release. 2010-01-15 18:15:19 +00:00
Luke Taylor 05634f97dc Updated version numbers for 3.0.1 release. 2010-01-15 18:04:28 +00:00
Luke Taylor e1d41177bb Update docbook plugin use to new gradle 0.9+ syntax. 2010-01-14 15:49:05 +00:00
Luke Taylor 81f91d28eb Add docbook note and tip images. 2010-01-14 15:48:36 +00:00
Luke Taylor 670297c55d SEC-1369: Make sure beans aren't registered twice in case allowBeanDefinitionOverriding=false in the app context.
The use of registerBeanComponent() also registers the bean definition, which causes an error if overriding is disallowed and the bean has already been registered using registerBeanDefinition(). I've also set the allowBeanDefinitionOverriding to 'false' on InMemoryXmlApplicationContext to detect future mistakes of this kind in testing.
2010-01-14 15:48:14 +00:00
Luke Taylor 0f90e69004 SEC-1362: Updated French messages translation. 2010-01-13 15:37:18 +00:00
Luke Taylor a9567a58d8 SEC-1359,SEC-1360,SEC-1361,SEC-1363,SEC-1364,SEC-1365,SEC-1366,SEC-1367: Minor doc and Javadoc typos. 2010-01-13 15:36:58 +00:00
Luke Taylor 3a8daa1bf4 Gradle build improvements.
Added generation of source archives and trial support for maven deployment and pom generation, with "provided" configuration mapped to "provided" scope.
2010-01-13 00:44:05 +00:00
Luke Taylor f62d97b092 SEC-1356: Fix broken tests.
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
2010-01-12 01:32:02 +00:00
Luke Taylor 6eff4d90b7 SEC-1356: Modify AbstractRememberMeService to check the cookie path as well as the name when extracting it from the incoming request.
This makes things consistent with the cookie setting methods. If someone wants to share a cookie between multiple applications then they should modify the cookie extraction and setting methods to use a less-specific path.
2010-01-12 00:49:53 +00:00
Luke Taylor d900829921 Added bundlor and maven support to gradle build 2010-01-12 00:35:20 +00:00
Luke Taylor fa42d9d5ec Fix taglibs template.mf
Was missing sub-packages of org.sfw.security.acls.
2010-01-12 00:33:20 +00:00
Luke Taylor 2023ca283e SEC-1358: Support empty context path in DefaultWebInvocationPrivilegeEvaluator
This class was failing when an application was deployed at the root context because of an assertion which checked that the contexPath was not empty. An empty context path doesn't actually cause problems for the class so I've removed the assertion.
2010-01-12 00:30:27 +00:00
Luke Taylor b323098167 Added gradle build files for taglibs, tutorial, contacts and openid.
Changed build file names to match module names (by manipulating the project objects in the settings.gradle file).
2010-01-10 23:31:23 +00:00
Luke Taylor e211f9b35f SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.

Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
Luke Taylor bc02fc2de1 Corrected "incorrect numer of tokens" error message in TokenBasedRememberMeServices. 2010-01-08 23:57:27 +00:00
Luke Taylor 51abedcbef Parameterize getFilter() method in HttpSecurityBeanDefinitionParserTests.
Removes the need for casting to specific filter type.
2010-01-08 23:20:16 +00:00
Luke Taylor f40a1fda34 SEC-1357: Use getClass().getClassLoader() in SecurityNamespaceHandler to check for web classes.
This is used in preference to ClassUtils.getDefaultClassLoader() which fails to find the web classes in some situations.
2010-01-08 21:12:36 +00:00
Luke Taylor 052537c8b0 Removing $Id$ markers and stripping trailing whitespace from the codebase. 2010-01-08 21:05:13 +00:00
Luke Taylor 9a323f15bc Bring versions in itext module up-to-date 2010-01-07 17:56:32 +00:00
Luke Taylor 68ae49ebe1 SEC-1355: Update manual code snippet to cast to OpenIDAuthenticationToken. 2010-01-07 17:22:45 +00:00
Luke Taylor 4e4242d010 SEC-1354: Added integration tests for combinations of @PreAuthorize and @Secured annotations. 2010-01-06 22:23:01 +00:00
Luke Taylor 846aa40a7b Updated "heavyduty" sample version information. 2010-01-06 22:21:59 +00:00
Luke Taylor be72ed1350 Remove commented out beans from contacts sample app context.
These were left when the app was updated to use Spring MVC @Controller syntax and scanning.
2010-01-06 22:21:34 +00:00
Luke Taylor 9730600777 Revert bundlor version update.
Config was wrong, but even with the correct config
the maven jar plugin generates its own manifest
file and ignores the one generated by bundlor.
2010-01-05 23:47:27 +00:00
Luke Taylor 3c97d68346 Upgrade to bundlor RC1 2010-01-05 22:34:27 +00:00
Luke Taylor dc5417f1d5 SEC-1352: Added support for placeholders in <user-service>
The username, password and authorities attributes can now be placeholders.
2010-01-05 22:34:10 +00:00
Luke Taylor f5d36aef65 SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter
Added clarification that the credentials returned
by the subclass should not be null or they will
typically be rejected by the provider. Also added
some general overview.
2010-01-05 16:01:55 +00:00