f5859fabcf
SEC-1464: Created InMemoryUserDetailsManager and converted user-service BDP to use it for its in-memory database.
2010-04-25 04:26:45 +01:00
82bbd09b71
SEC-1460: Documentation of changes.
2010-04-24 15:49:47 +01:00
dada047e04
SEC-1456: Set rtexprvalue=true for "url" attribute in access tag to allow dynamic values (such as URL of current page).
2010-04-21 17:31:44 +01:00
def5f88c8c
SEC-1431: Added openid-selector to openid sample, plus AX configuration for myopenid.com.
2010-04-21 17:16:03 +01:00
2f025fba6c
SEC-1460: Added AxFetchListFactory which matches OpenID identifiers to lists of attributes to use in a fetch-request.
...
This allows different configurations to be used based on the identity-provider (google, yahoo etc). The default implementation iterates through a map of regex patterns to attribute lists. The namespace has also been extended to support this facility, with the "identifier-match" attribute being added to the attribute-exchange element. Multiple attribute-exchange elements can now be defined, each matching a different identifier.
2010-04-20 23:47:48 +01:00
3af75afec1
Clarify that multiple authentication-provider elements can be used in combination.
2010-04-20 23:47:48 +01:00
ee1fd1bc50
SEC-1431: Modify OpenID sample to use a custom UserDetailsService which allows any user to authenticate, allocating them a standard role and "registers" their ID in a map, allowing it to be retrieved in subsequent logins.
2010-04-20 23:47:48 +01:00
f5468087c2
Remove cached DiscoveryInformation from session in OpenID4JavaConsumer's endConsumption method.
2010-04-20 23:47:47 +01:00
d3d9c5db59
Refactoring of UserDetailsService injection (for X509, OpenID and RememberMeServices) to use a factory bean rather than a post-processor.
2010-04-20 23:47:47 +01:00
74896f217b
SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>.
2010-04-20 23:47:47 +01:00
a45d2a4fb2
SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client.
2010-04-20 18:04:22 +01:00
93deec8d40
SEC-1458: Remove logger field in HttpSessionEventPublisher in favour of direct lookup. Prevents early initialization of logging system when listener is initialized.
2010-04-16 16:12:38 +01:00
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
2010-04-01 01:24:23 +01:00
12a6ae2ffa
SEC-1232: Add config dependency to maven build for aspectj sample.
2010-03-31 19:58:59 +01:00
a5a95a8ebc
Upgrade jython and disable cachedir.
2010-03-31 19:11:00 +01:00
a3ef8255d8
SEC-1232: GlobalMethodSecurityBeanDefinitionParser support for mode='aspectj'
...
Also added this syntax to the aspectj sample.
2010-03-31 18:31:28 +01:00
020e0aa49a
SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext.
...
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
2010-03-30 15:52:40 +01:00
d334f6fa09
Latest gradle syntax updates.
2010-03-28 23:54:41 +01:00
2b9beffd08
SEC-1444: Fix JNDI escaping problems in LDAP authentication.
...
CompositeName adds quotes to names which contain a forward slash ("/") character. These are automatically removed by Spring LDAP's DistinguishedName, but only if they are at the ends of the String. Since we were preprending the base to the (quoted) DN, resulting in something like ["cn=joe/b",ou=people], this was causing problems with the DN value returned from the search. Additionally, the bind succeeds when a DN is used with a slash, but the subsequent call to getAttributes() fails. This call now passes in a DistinguishedName for the user DN instance instead of a String.
2010-03-27 15:30:15 +00:00
977bc2b164
SEC-1433: Reduce the number of direct dependencies on DataAccessException from spring-tx.
...
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
2010-03-26 18:05:28 +00:00
57150a6717
SEC-1440: Add entry-point-ref to http-basic element to allow setting a separate AuthenticationEntryPoint for the BasicAuthenticationFilter.
2010-03-26 12:47:24 +00:00
2a0aae1904
SEC-524: Document addition of "var" attribute in authorization tags.
2010-03-25 19:48:26 +00:00
0849dd93e9
Minor correction to namespace appendix
2010-03-24 21:02:51 +00:00
472c1fac84
SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
...
Ensures protect-pointcut expressions match methods with generic parameters.
2010-03-24 20:57:03 +00:00
bf91f2ca67
SEC-524: Added "var" attribute to authorize and accesscontrollist JSP tags.
...
Allows the result of the boolean condition granting/denying access to be stored in the page context for later use, without having to duplicate the tag.
2010-03-24 18:35:17 +00:00
2e2625873c
SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager).
...
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
2010-03-23 00:45:06 +00:00
e60108ca8c
SEC-1443: Modify Jsr250Voter to handle multiple "RolesAllowed" roles.
...
It now votes to abstain if there are no Jsr250 attributes present. If any are found, it will either deny or grant access. For multiple "RoleAllowed" attributes, access will be granted if any user authority matches or denied if no match is found.
2010-03-22 16:26:04 +00:00
d5df53f1db
SEC-1439: Make getters and setters public on HttpRequestResponseHolder.
...
Necessary to allow use of custom SecurityContextRepository.
2010-03-12 15:53:05 +00:00
111d49d68a
Added build file for itest-context.
2010-03-12 01:40:27 +00:00
9e049dfef4
SEC-1438: Removed JoinPoint support from AbstractMethodSecurityMetadataSource
2010-03-11 21:51:19 +00:00
1be44ecd18
SEC-1262: Added extra test for PostFilter with AspectJ interceptor.
2010-03-11 20:55:06 +00:00
c09cd3a9cb
Remove unused inner class in MethodSecurityMetadataSourceAdvisor
2010-03-11 01:52:07 +00:00
55de2cfcb1
SEC-1262: Added new (replacement) AspectJ interceptor which wraps the JoinPoint in a MethodInvocation adapter to provide compatibility with classes which only support MethodInvocation instances.
...
Also deprecated the existing AspectJ interceptors. This will also allow future simplification of the AbstractMethodSecurityMetadataSource, as it no longer needs to support JoinPoints.
2010-03-11 01:51:59 +00:00
2b8b8819e4
Added gradle support for aspects project.
2010-03-09 19:22:50 +00:00
6fcaba2c46
Moved setting of 'provided' scope mapping on pom out of whenConfigured() so that the mapping is in place when the pom dependencies are assembled. Added 'skipTests' option.
2010-03-07 23:53:33 +00:00
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
2010-03-07 21:58:25 +00:00
b64a3fa725
Hans Dockter's refactoring of gradle build, plus simplification of docbook plugin.
2010-03-05 23:23:43 +00:00
d66ff32a1d
Added taglib dependency to itest-web project. Needed by additional test for SEC-1420.
2010-03-05 23:23:01 +00:00
b7aaa3447c
Updated aws-maven to 3.0.0.RELEASE
2010-03-05 23:23:01 +00:00
b38b8e55ac
SEC-1432: Convert map keys to lower-case in UserMap.setUsers().
...
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
2010-03-05 17:55:29 +00:00
43f0e11106
SEC-1429: Removed cached authentication from session after successful authentication.
2010-03-05 00:07:35 +00:00
89d8c8cc83
Additional test classes for authentication and logout success/failure handling.
2010-03-04 23:18:46 +00:00
a3263753d9
Fix to Javadoc for AbstractAuthenticationProcessingFilter.
2010-03-04 22:06:04 +00:00
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
2010-03-04 21:21:07 +00:00
4d70f88285
SEC-1420: JSP for itest of authentication tags with and without escaping.
2010-03-04 01:44:27 +00:00
0551dd89ac
SEC-1420: Add htmlEscape attribute to authentication JSP tag.
...
This allows HTML escaping to be disabled if required.
2010-03-04 00:47:22 +00:00
43f3568b16
SEC-1407: Removed original URL matching classes and updated Javadoc of new RequestMatcher versions.
2010-03-03 23:11:49 +00:00
90caf1bb37
Manual formatting.
2010-03-03 23:08:05 +00:00
ae8027fa47
SEC-1425: Replace use of Java 1.6 String.isEmpty().
2010-03-01 13:49:42 +00:00
e5a875d752
SEC-1407: Correct logger category in MatcherType.
2010-03-01 02:03:32 +00:00
Luke Taylor
Luke Taylor
Hans Dockter