48ea0a6249
SEC-1638: Added paragraph to docs explaining that for complete security, an app should not switch out of HTTPS at all.
2010-12-17 17:34:08 +00:00
7cf9740fd4
SEC-1638: Added an example configuration to the Javadoc for ChannelProcessingFilter and a pointer from the reference manual.
2010-12-17 17:09:20 +00:00
1ed5227d75
Removed @Override from HttpFirewallBeanDefinitionParser.parse since it does not override a method definition, it implements one.
...
Fixed The method parse(Element, ParserContext) of type HttpFirewallBeanDefinitionParser must override a superclass method HttpFirewallBeanDefinitionParser.java /spring-security-config/src/main/java/org/springframework/security/config/http line 23 Java Problem
2010-12-16 22:20:20 -06:00
7c04fdbc90
SEC-1639: FirewalledRequest is now called on the specific FirewalledRequest instance rather that looping through ServletRequestWrappers.
...
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.
2010-12-16 21:57:26 -06:00
46f83c8a08
SEC-1492: Added RoleHierarchyAuthoritiesMapper as the new preferred way of using a RoleHierarchy.
2010-12-16 16:00:43 +00:00
c8820166c8
SEC-1576: Parameterize the secured object type in AccessDecisionVoter.
2010-12-16 15:21:22 +00:00
85d685f7d3
SEC-1611: Make access attribute in authorize tag a runtime expression
2010-12-14 16:55:34 +00:00
ce421f22bf
SEC-1635: Stop security interceptors from calling AfterInvocationManager if exception occurs during invocation
2010-12-14 16:24:51 +00:00
2be2660b13
SEC-1636: Add optimizations for simple pattern cases in AntPathRequestMatcher. "/**" and "**" are treated as universal matches and a trailing "/**" is now optimized using a substring match.
2010-12-11 21:56:35 +00:00
523f6add60
Javadoc fix
2010-12-09 12:39:05 +00:00
4a40d80da1
SEC-1418: Deprecate GrantedAuthorityImpl in favour of final SimpleGrantedAuthority.
...
It should be noted that equality checks or lookups with Strings or other authority types will now fail where they would have succeeded before.
2010-12-03 16:41:46 +00:00
978b7d4707
SEC-1631: Reduced use of reflection in DefaultAuthenticationEventPublisher and added tests.
2010-12-02 18:19:27 +00:00
bfb723feac
SEC-1557: Added getter to DelegatingMethodSecurityMetadataSource. Also added some optimizations of cache lookup key equals method. A class type check is unnecessary since the key class is a private inner class.
2010-12-01 21:55:33 +00:00
441aa25383
SEC-1615: Changed key generation for anonymous provider to only use SecureRandom on demand.
2010-12-01 20:52:37 +00:00
4ad0652787
Removed array of authorities constructor from TestingAuthenticationToken and RunAsUserToken.
2010-12-01 20:52:37 +00:00
ca679e1479
Reformatting.
2010-12-01 20:52:37 +00:00
9b29dcb8bf
SEC-1430: Removed username attribute from WebAttributes class.
2010-11-26 14:20:19 +00:00
43be9ea2a4
SEC-1430: Removed caching of username in session upon failed authentication. Improved Javadoc.
2010-11-26 13:58:49 +00:00
d64efe9747
SEC-1492: Added GrantedAuthoritiesMapper to provide mapping of loaded authorities to those which are eventually stored in the user Authentication object.
2010-11-25 15:19:37 +00:00
89f80659a1
Move docs on request matching to correct file and delete unused one
2010-11-24 00:30:37 +00:00
49242729e4
Added imgSrcPath parameter for use in docbookFopPdf task.
2010-11-24 00:28:59 +00:00
51a53ddbaa
Minor refactoring of GAE code to use specific GrantedAuthority type.
2010-11-17 14:15:11 +00:00
60970dd9c4
Added some tests for web expression handling code.
2010-11-15 20:01:38 +00:00
2d9f98d535
SEC-1412: DefaultSavedRequest should ignore "If-Modified-Since" headers to prevent re-displaying the login form (the cached result of the original request).
2010-11-15 16:14:24 +00:00
fc00d7ef1d
Move the unix scripts for the tutorial sample into a subdirectory
2010-11-12 15:19:46 +00:00
37810a19c4
SEC-1619: Added check in GAE sample for change of Google user while still logged into the app.
...
Also updated GAE version and build script. Uploading to GAE now works when run from the gradle build file using the command 'gradle gaeDeploy'.
2010-11-10 15:37:42 +00:00
8b51c2c97d
SEC-1587: Add explicit call to removeAttribute() to remove the context from the session if the current context is empty or anonymous.
...
Allows for the situation where a user is logged out without invalidating the session.
2010-11-09 13:55:45 +00:00
7754882ba9
SEC-1550: Additional signature change (in AnonymousAuthenticationToken)
2010-11-09 13:48:57 +00:00
ffccc5f446
SEC-1617: Added spring-security-taglibs as a runtime dependency to jaas.gradle
2010-11-08 19:27:44 -06:00
4b6a2168c7
SEC-1550: Additional signature change (in LdapUserDetailsManager.removeAuthorities())
2010-11-08 15:14:30 +00:00
6b691f6fc0
SEC-1613: Corrected preauth docs.
2010-11-04 14:32:06 +00:00
4f51eb09c0
SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward
2010-11-03 15:27:59 -05:00
b9a98613eb
SEC-1593: Added tests to try to reproduce issue.
2010-11-03 19:37:25 +00:00
1c8d28501c
SEC-1550: Convert signatures to use Collection<? extends GrantedAuthority> where appropriate.
2010-11-03 13:48:59 +00:00
8d867e8b67
Updated integration tests to detect case reported as SPR-7563.
2010-11-02 20:35:24 +00:00
265cdaf2a6
SEC-1595: Added extra constructor to OpenID4JavaConsumer which takes a ConsumerManager to allow a version compatible with GAE to be injected.
2010-11-02 20:19:16 +00:00
337477de6a
SEC-1604: Change log level to debug for "Validated configuration attributes" message.
2010-11-02 20:06:42 +00:00
54d0a263de
SEC-1590: Removed WebAuthenticatioDetails.doPopulateAdditionalInformation() method which is caled from superclass constructor.
2010-11-02 19:50:40 +00:00
43ec2beec0
SEC-1183: Modified Attributes2GrantedAuthoritiesMapper to return Collection<? extends GrantedAuthority>.
2010-11-02 14:02:55 +00:00
84efffb937
SEC-1542: Add a setter for the UserDetailsChecker in AbstractRememberMeServices.
2010-11-02 13:41:59 +00:00
2671e52d5a
Expand message on incorrect Spring version to suggest checking the classpath for unwanted jars.
2010-11-02 12:31:44 +00:00
0696bed78e
SEC-1608: Make sure FirewalledRequest.reset() is called when filter="none"
2010-11-02 12:08:39 +00:00
deef2706ef
SEC-1607: Report correct version for Spring Security (not Spring version).
2010-11-02 11:13:32 +00:00
f85baac943
Updated to Spring 3.0.5
2010-10-27 13:25:40 +01:00
21ed5feb8d
SEC-1600: Added Implementation-Version and Implementation-Title to manifest templates and checking of version numbers in namespace config module and core. Config checks the version of core it is running against and core checks the Spring version, reporting any mismatches or situations where the app is running with less than the recommended Spring version.
2010-10-27 13:25:40 +01:00
4de8b84b0d
SEC-1543: Change IpAddressMatcher to return false when comparing an Inet6Address with an Inet4Address rather than raising an exception.
2010-10-27 13:25:40 +01:00
cf0289bc02
SEC-1598: Removed invalid properties from SessionFixationProtectionStrategy bean declaration in Session Management chapter docbook.
2010-10-27 13:25:40 +01:00
fabadff5f1
SEC-1597: Corrected bean class name for RememberMeAuthenticationProvider in docbook source.
2010-10-27 13:25:40 +01:00
31afb9c76d
Deleted superseded dao-auth-provider.xml chapter.
2010-10-27 13:25:40 +01:00
07b9ded126
SEC-1599: Corrected docbook source.
2010-10-27 13:25:40 +01:00
Luke Taylor
Rob Winch
Rob Winch