4b650dc58d
Allow AuthenticationProvider Bean in Java Config
...
This commit adds support for defaulting java configuration's
authentication by providing an AuthenticationProvider Bean.
Fixes gh-3091
2016-03-22 16:17:25 -05:00
533a5f0905
Fix <password-encoder> when authentication-manager@id specified
...
When <authentication-manager> specifies an id, the <password-encoder> is
not used because the parser changes the bean id without aliasing it to
BeanIds.AUTHENTICATION_MANAGER which is used by
AuthenticationManagerBeanDefinitionParser to look up the
AuthenticationManager bean.
This commit updates AuthenticationManagerBeanDefinitionParser to ensure
there is an alias to BeanIds.AUTHENTICATION_MANAGER when the id is
specified.
Fixes gh-3296
2016-03-21 22:48:49 -05:00
7bf014f678
Path Variables fail with different case
...
Fixes gh-3329
2016-03-21 10:09:50 -05:00
cf66487d3a
Add Java Configuration Test
...
Issue SEC-2256
2016-03-18 14:03:47 -05:00
41c6a797c3
Add RememberMeConfigurer set domain
...
Fixes gh-3408
2016-03-17 08:30:18 -05:00
ec4e6c7453
Update pom.xml to 4.1.0.BUILD-SNAPSHOT
2016-03-14 00:51:35 -05:00
f221920a19
Clean up code to conform to basic checkstyle
...
Issue gh-3746
2016-03-14 00:15:12 -05:00
35eff94e3d
Add Both Config names to duplicate WebSecurityConfigurer order
...
Previously the error message when multiple WebSecurityConfigurer with the
same Order did not include both WebSecurityConfigurer classes that were
involved in the duplicate Order. This made resolving errors difficult.
This commit ensures both WebSecurityConfigurers are include in the error
message.
Fixes gh-3380
2016-03-11 12:12:55 -06:00
e33e21fe6b
Add Forward after authentication attempt config support
...
Fixes gh-3728
2016-03-11 10:49:30 -06:00
5d6e8bc3c8
Remove SPR-11251 workaround from WebSecurityConfiguration
...
Fixes gh-3348
2016-03-09 16:48:24 -06:00
be36ddb614
Some formatting fixes for HttpSecurity Javadoc
2016-03-09 16:45:43 -06:00
2f4610e8b7
Update HttpSecurity.requestMatcher() Javadoc
...
Fixes gh-3365
2016-03-09 16:45:29 -06:00
71d4ce96ad
Convert to assertj
...
Fixes gh-3175
2016-03-09 14:30:17 -06:00
bb600a473e
Start AssertJ Migration
...
Issue gh-3175
2016-03-09 14:26:30 -06:00
3164bd6f8d
Polish Sorting ObjectPostProcessor
...
* Add Test
* Only sort on adding new entry
Issue gh-3572
2016-03-08 15:51:13 -06:00
a366489c3c
Sort ObjectPostProcessors prior to invoking them
...
Fixes gh-3572
2016-03-08 10:39:56 -06:00
db81977a1a
Polish HPKP
...
* Javadoc polish
* Whitespace cleanup
Issue gh-3706
2016-03-03 15:11:40 -06:00
331c7e91b7
HTTP Public Key Pinning
...
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites
to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates.
(For example, sometimes attackers can compromise certificate authorities,
and then can mis-issue certificates for a web origin.)
The HTTPS web server serves a list of public key hashes, and on subsequent connections
clients expect that server to use 1 or more of those public keys in its certificate chain.
This commit will add this new functionality.
Fixes gh-3706
2016-03-03 14:21:46 -06:00
337f1885ea
SEC-3170: Polish
...
* Prevent a null LogoutHandler from being set when RememberMeServices
does not implement LogoutHandler
* Fix test which invoked Mock from outside spock which failed
* Add explicit test for adding null LogoutHandler to
RememberMeConfigurer
2015-12-15 09:50:54 -06:00
b28c62a6fe
SEC-3170: Null check for Java Config of RememberMeServices
...
Added a null check in LogoutConfigurer.addLogoutHandler() method to
ensure that a logout handler is always provided..
2015-12-15 09:50:54 -06:00
1182d35d3c
SEC-3159: Fix Javadoc
...
The HttpSecurity#headers() Javadoc did not accurately reflect changes made to the
HeadersConfigurer in Spring Security 4.x.
2015-11-21 19:39:15 -05:00
205ef42cfb
SEC-3147: Add error parameter for default authentication-failure-url
2015-11-12 15:00:21 -06:00
53f85e2151
SEC-2848: LogoutConfigurer allows setting clearAuthentication
2015-10-30 13:54:01 -05:00
15b4406015
SEC-3135: antMatchers(<method>,new String[0]) now passive
2015-10-30 10:08:42 -05:00
6f1bb705ac
SEC-3135: antMatchers now allows method and no pattern
...
Previously, antMatchers(POST).authenticated() was not allowed. Instead
users had to use antMatchers(POST, "/**").authenticated().
Now we default the patterns to be "/**" if it is null or empty.
2015-10-29 12:48:29 -05:00
f76bf96e14
SEC-3132: securityBuilder cannot be null
...
If a custom SecurityConfiguererAdapter applies another
SecurityConfigurerAdapter it caused an error securityBuilder cannot be null.
This commit fixes this.
2015-10-23 10:27:09 -05:00
b9f8af3096
SEC-3063: rm ConditionalOnMissingBean for @Primary
...
ConditionalOnMissingBean can only work in a Spring Boot environment. This
means this approach is flawed.
Instead users that wish to override requestDataValueProcessor can use
@Primary.
2015-10-21 15:40:43 -05:00
8baafbb2f2
SEC-3116: Polish WebSecurity Javadoc
2015-10-01 15:50:22 -05:00
29f2cc0ab1
snasphot -> snapshot
2015-09-25 15:28:39 -05:00
bac980cbcb
SEC-2868: Simplify custom UserDetailsService Java Config
...
Exposing a UserDetailsService as a bean is now all that is necessary
for Java based configuration. Additionally, an optional PasswordEncoder
bean can be used to configure password encoding.
2015-08-27 20:41:15 -05:00
6b05b298ff
SEC-2059: Support Path Variables in Web Expressions
2015-08-20 17:11:01 -05:00
cbed1d75ee
SEC-3076: Add Method Level Security Meta Annotations
2015-08-19 16:07:03 -05:00
41c9431fcc
Test that form log in requires CSRF
2015-08-03 12:24:37 -05:00
453e6332da
Fix indentation of CsrfConfigTests
2015-08-03 12:03:05 -05:00
969f3a7d1b
Update pom.xml to latest snapshots
2015-08-03 09:46:01 -05:00
ad1d858e2b
SEC-3056 - Fix JavaDoc errors.
...
Fixed JavaDoc errors accross multiple modules in order to make javadoc happy with Java 8.
2015-08-03 08:02:24 -05:00
dab4cf18b8
SEC-3032: Correct documented logout-success-url default
2015-07-22 13:48:07 -05:00
e8c9f75f9c
Update pom.xml to latest versions
2015-07-22 12:51:04 -05:00
07fb2af74b
SEC-3011: AbstractUrlAuthorizationConfigurer postProcess default AccessDecisionManager
2015-07-21 08:52:36 -05:00
ab1b7a1eb6
Remove unnecessary @SuppressWarnings
2015-07-21 08:51:32 -05:00
9654df2cc3
SEC-3045: Conditionally add MethodSecurityMetadataSourceAdvisor
2015-07-17 15:16:09 -05:00
a3df41b380
Clean Import Statements
2015-07-17 14:52:23 -05:00
0e36f85dab
SEC-3019: Java Config for Http Basic supports Rememberme
2015-07-16 11:12:44 -05:00
474d624e8e
SEC-2988: Renamed OnBeanCondition.java to OnMissingBeanCondition.java
2015-07-13 22:51:45 -05:00
64938ebcfc
SEC-2996: Suport configuring SecurityExpressionHandler<Message<Object>>
2015-07-13 22:45:35 -05:00
ca0ffb8b5d
SEC-2948: Fix error message for wrong xsd schema
...
When using the wrong xsd schema < 4.0 a message was shown that the
schema needed to be version 3.2.
In reality this schema had to be version 4.0.
2015-07-09 23:17:16 -05:00
1f74ac811e
Fix Spring IO Tests
2015-07-08 11:09:29 -05:00
197ddb3cd1
SEC-3029: Fix Compatibility with Spring 4.2.x
2015-07-07 22:46:31 -05:00
0a118336d4
SEC-2955: Convert to "static" for inner classes
2015-04-30 12:54:52 -05:00
f1352ba492
SEC-2942: Add test EnableWebSecurity supports AuthenticationPrincipal
2015-04-23 16:34:04 -05:00
f548d89b27
SEC-2932: SecurityContextConfigurer defaults SecurityContextRepository
2015-04-22 16:50:51 -05:00
09acc2b7a5
SEC-2962: SecurityContextHolderAwareRequestFilter default rolePrefix
2015-04-21 11:42:48 -05:00
38e2e23b86
Fix indentation of InterceptUrlConfigTests
2015-04-21 09:38:17 -05:00
d5dfeeca49
SEC-2927: Update chat-jc pom so Maven Builds
...
Previously there were some incorrect dependency versions. This commit fixes
that.
We added dependencyManagement for Spring Framework and corrected
Thymeleaf and embedded redis versions.
2015-04-20 15:53:26 -05:00
0bfbd2923a
SEC-2915: Fix defaut login page tests with tabs
2015-04-17 12:13:44 -05:00
4fdfb8caba
SEC-2915: More Tabs -> Spaces
2015-04-17 11:34:34 -05:00
5fa5630bc3
Polish ordering of Config and test in NamespaceRememberMeTests
...
The convention is to put the config just below the test.
This commit fixes the convention for NamespaceRememberMeTests
2015-04-17 11:20:39 -05:00
0c77c2071b
SEC-2880: Add a setter method to override the cookie name of remember-me
2015-04-17 11:14:58 -05:00
ec89fdcfaa
SEC-2919: Polish
...
Remove now unnecessary AuthenticationConfig.Builder#getLoginFormUrl
method.
2015-04-17 11:12:08 -05:00
052bd32f40
SEC-2919: DefaultLoginPageGeneratingFilter disabled when login-page specified
2015-04-17 11:12:08 -05:00
4ca936bb76
SEC-2913: Polish
2015-03-25 21:18:12 -05:00
6c541468f6
SEC-2913: Post Process default session fixation AuthenticationStrategy
...
Before the default session fixation AuthenticationStrategy used a
NullEventPublisher when using the Java Configuration. This was due to the
fact that it is not exposed as a Bean and is not post processed.
We now post process the default session fixation AuthenticationStrategy
which initializes the EventPublisher properly.
2015-03-25 21:11:52 -05:00
7b25b3e40d
SEC-2864: Default Spring Security WebSocket PathMatcher XML Namespace
2015-03-25 16:32:03 -05:00
db531d9100
SEC-2917: Update to Spring 4.1.6
2015-03-25 15:18:59 -05:00
57b06fb0b5
SEC-2864: Default Spring Security WebSocket PathMatcher
2015-03-25 13:14:15 -05:00
c94a5cf8e2
SEC-2916: disable-url-rewriting=true by default
2015-03-25 13:14:15 -05:00
ae6af5d73c
SEC-2915: Updated Java Code Formatting
2015-03-25 13:09:18 -05:00
0a2e496a84
SEC-2915: groovy/gradle spaces->tabs
2015-03-25 13:08:59 -05:00
cf9f58a4ac
SEC-2915: XML spaces->tabs
2015-03-25 13:08:52 -05:00
fbf3672eca
SEC-2908: mulitple invocations of http.requetMatchers() properly chains
2015-03-20 15:30:19 -05:00
e776a1fd35
SEC-2803: Add HttpStatusEntryPoint
2015-03-11 14:45:59 -05:00
bed20db905
Remove Unnecessary @Override
2015-02-27 16:18:31 -06:00
8b78194f31
SEC-2876: HttpSecurityBuilder addFilterAfter javadoc before->after
2015-02-24 22:19:50 -06:00
c8b79289c9
add setter for using a custom name for the rememberMeParameter
2015-02-24 21:45:23 -06:00
5f57e5b0c3
SEC-2873: Remember Me XML Configuration Defaults Should Match Java Config
2015-02-24 20:49:56 -06:00
67cd8465c3
SEC-2826: Add remember-me-cookie attribute in xml namespace
2015-02-24 17:54:54 -06:00
d2fd852711
SEC-2832: Fix config tests
2015-02-24 17:53:39 -06:00
2bf4f28db9
Fix .properites user
2015-02-24 16:25:24 -06:00
df96e5573f
Add test .properties Authentication Java Config
2015-02-24 16:14:15 -06:00
37740cd020
SEC-2861: Add WebSocket Documentation & Sample
2015-02-24 10:29:47 -06:00
b9563f6102
SEC-2830: Cleanup disabling Same Origin SockJS
...
- Defaults for properties false
- Add XML Namespace support
2015-02-24 10:28:33 -06:00
b9e2a57131
SEC-2854: Add intercept-message@message-type
2015-02-20 11:43:16 -06:00
fea03536d6
SEC-2853: Rename WebSocket XML Namespace elements
2015-02-20 11:43:15 -06:00
706e7fd7a2
SEC-2863: Update to Spring 4.1.5
2015-02-20 11:43:04 -06:00
fb085cae25
Add session-management@session-fixation-protection=none test
2015-02-19 13:01:59 -06:00
6a8475adbb
SEC-2830: Provide Same Origin support for SockJS
2015-02-18 11:21:02 -06:00
a27c33754c
SEC-2859: Add CsrfTokenArgumentResolver
2015-02-18 10:51:30 -06:00
36fe0d0357
SEC-2845: SecurityContextChannelInterceptor support anonymous
2015-02-18 10:00:22 -06:00
c4fe630f8e
SEC-2846: Security HTTP Response Headers Configuration Cleanup
2015-02-10 10:36:00 -06:00
9b5f76f3d6
SEC-2833: Rossen's feedback on WebSocket
2015-02-04 10:43:12 -06:00
72e256b95a
Fix unchecked warning in AbstractSecurityWebSocketMessageBrokerConfigurer
2015-02-04 10:43:12 -06:00
55fde81a0f
SEC-2838
2015-01-31 11:04:55 +01:00
6627f76df7
SEC-2758: Make ROLE_ consistent
2015-01-29 17:08:43 -06:00
414f98bee0
SEC-2827: Clean up MessageMatcher Ambiguities
2015-01-23 17:29:54 -06:00
5b0f8918ce
Fix Eclipse import
2015-01-23 17:29:54 -06:00
1e5f7023c6
SEC-2822: Make EnableGlobalAuthenticationAutowiredConfigurer static Bean
...
This ensures that EnableGlobalAuthenticationAutowiredConfigurer is actually
used in newer versions of Spring. See SPR-12646
2015-01-20 14:28:17 -06:00
62649af0aa
SEC-2815: Delay looking up AuthenticationConfiguration
2015-01-20 10:23:43 -06:00
8f0001f59a
Next Development Version
2014-12-11 20:39:26 -06:00
49b69196de
Release version 4.0.0.RC1
2014-12-11 20:36:55 -06:00
1677836d53
SEC-2790: Deprecate @EnableWebMvcConfig
2014-12-10 21:10:27 -06:00
62e127e978
SEC-2789: Add Default WebSecurityConfigurerAdapter
2014-12-10 21:10:26 -06:00
3171cc4364
SEC-2788: Add @Configuration as meta annotation to @Enable* annotations
2014-12-10 21:10:15 -06:00
11116c2b80
SEC-2787: Update Versions
2014-12-10 16:37:19 -06:00
c67ff42b8a
SEC-2783: XML Configuration Defaults Should Match JavaConfig
...
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
2014-12-08 15:09:15 -06:00
b56e5edbbd
SEC-2784: Fix build plugins
2014-12-08 14:24:34 -06:00
87a52ffbfd
SEC-2784: Update to Gradle 2.2.1
2014-12-08 13:29:07 -06:00
6e204fff72
SEC-2781: Remove deprecations
2014-12-04 15:28:40 -06:00
5bb0ce9a8f
SEC-2773: Add Test for static delegatingApplicationListener
2014-12-01 12:06:09 -06:00
0f7c2e4128
SEC-2773: Prevent premature container initialization in WebSecurityConfiguration.
...
Changed the bean definition method for the DelegatingApplicationListener
to be static to avoid the need to instantiate the configuration class which
caused further premature initializations to satisfy the dependencies
expressed in setFilterChainProxySecurityConfigurer(…).
2014-12-01 11:38:19 -06:00
2cb2657f5b
SEC-2702: Clean WebSocket Namespace documentation
2014-11-25 12:27:29 -06:00
8ad16b01f5
SEC-2702: Add WebSocket Security XML Namespace Support
2014-11-25 09:45:32 -06:00
3c487c0348
SEC-2348: Update doc headers enabled by default with XML
2014-11-21 21:55:03 -06:00
4392205f63
SEC-2347: CSRF Enabled by default w/ XML Config
2014-11-21 21:32:56 -06:00
eedbf44235
SEC-2348: Security HTTP Response Headers enabled by default w/ XML
2014-11-21 16:06:29 -06:00
dfa17bdb98
SEC-2747: Remove spring-core dependency from spring-security-crypto
2014-11-20 16:16:22 -06:00
30c5788b8b
SEC-1897: Remove raw types from AbstractAccessDecisionManager
2014-11-20 15:36:53 -06:00
1cca72e6d8
SEC-2749: CsrfConfigurer.requireCsrfProtectionMatcher correct null check
2014-11-20 14:40:51 -06:00
05882b5f24
SEC-2574: Polish
...
Handle null DelegatingApplicationListener
2014-11-19 17:09:24 -06:00
5810681b06
SEC-2574: JavaConfig default SessionRegistry processes SessionDestroyedEvents
2014-11-19 16:48:19 -06:00
24dec7ec3e
SEC-2737: Remove WebSocket Outbound Authorization
2014-10-10 15:56:25 -05:00
5ba8f000a7
SEC-2714: Add AuthenticationPrincipal resolver for messaging support
2014-09-23 16:28:48 -05:00
d2fa019fe5
SEC-2704: Separation of inbound and outbound security rules
2014-09-19 16:39:43 -05:00
28446284a6
SEC-2713: Support authorization by SimpMessageType
2014-09-19 16:38:56 -05:00
02c3565e22
Fix compiling in Eclipse
2014-09-16 10:18:46 -05:00
a932d6ecf3
Removed unnecessary params from anyRequest()'s javadoc
2014-08-20 11:24:15 +02:00
b9df7ba01f
SEC-2179: Allow customize PathMatcher for SimpDestinationMessageMatcher
2014-08-18 11:04:04 -05:00
6321665353
SEC-2676: Update to Spring Data Evans RC1
2014-08-15 20:46:59 -05:00
3f30529039
SEC-2179: Add Spring Security Messaging Support
2014-08-15 20:46:58 -05:00
3187ee8bf3
SEC-2700: Register WithSecurityContextTestExecutionListener by default
2014-08-15 16:41:33 -05:00
1f861f512a
SEC-2676: Add SpEL Spring Security Integration
2014-07-29 20:04:37 -05:00
8a2a1b7a5b
SEC-2595: Polish
2014-07-25 16:27:19 -05:00
b2d66e2a78
SEC-2595: @EnableGlobalMethodSecurity AspectJ fixes
2014-07-25 16:03:18 -05:00
b72c1ad314
SEC-2686: Create SecurityMockMvcConfigurer
2014-07-22 15:11:37 -05:00
ecb4296540
SEC-2588: Javadoc fix channelSecurity->requiresChannel
2014-07-21 14:23:40 -05:00
75df42cb7c
SEC-2656: Fix <frame-options> with whitelist strategy
2014-06-18 09:10:28 -05:00
c3d05bea62
SEC-2657: Test for multi dynamic ports for LDAP Java Config
2014-06-17 17:25:08 -05:00
a3fd706335
SEC-2660: Move config integration-test *.groovy to groovy source folder
2014-06-17 17:22:42 -05:00
b255478b14
SEC-2658: Java Config triggers usePasswordAttrCompare to be set
2014-06-17 17:10:16 -05:00
a2b53fabce
SEC-2657: LdapAuthenticationProviderConfigurer find available port
2014-06-17 16:54:42 -05:00
63d1b531a1
SEC-2618: LdapAuthenticationProviderConfigurer passwordAttribute null check
...
If LdapAuthenticationProviderConfigurer passwordAttribute is null, do not
set on the PasswordComparisonAuthenticator
2014-06-17 16:51:01 -05:00
e6e35932ed
SEC-2603: Fix config groovy integration tests
2014-05-20 23:15:39 -05:00
cbd06a4994
SEC-2472: Support LDAP crypto PasswordEncoder
2014-05-20 23:15:36 -05:00
d95640d3e5
SEC-2600: Remove unused import
2014-05-19 12:29:04 -05:00
f73b579ad9
SEC-2543: Logout with CSRF enabled requires POST by default
2014-05-02 11:24:02 -05:00
1d7402e0cd
SEC-2532: Add disclaimer about jdbcAuthentication() with persistent data stores
2014-04-28 15:06:52 -05:00
37bb350883
SEC-2549: Remove LazyBean marker interface
2014-04-24 14:34:35 -05:00
00e1094178
Add springio-platform plugin
2014-04-23 14:35:22 -05:00
ccf96a4d69
SEC-2542: Polish dependency exclusions
...
This cleans up exclusions so the pom.xml are not as cluttered.
2014-04-02 09:47:29 -05:00
3118e39de8
SEC-2542: Use exclusions to remove duplicate dependencies
...
A number of projects had duplicate dependencies on their classpaths
as a result of the same classes being available in more than one
artifact, each with different Maven coordinates. Typically this only
affected the tests, but meant that the actual classes that were
loaded was somewhat unpredictable and had the potential to vary
between an IDE and the command line depending on the order in which
the aritfacts appeared on the classpath. This commit adds a number of
exclusions to remove such duplicates.
In addition to the new exclusions, notable other changes are:
- Spring Data JPA has been updated to 1.4.1. This brings its
transitive dependency upon spring-data-commons into line with
Spring LDAP's and prevents both spring-data-commons-core and
spring-data-commons from being on the classpath
- All Servlet API dependencies have been updated to use the official
artifact with all transitive dependencies on unofficial servlet API
artifacts being excluded.
- In places, groovy has been replaced with groovy-all. This removes
some duplicates caused by groovy's transitive dependencies.
- JUnit has been updated to 4.11 which brings its transitive Hamcrest
dependency into line with other components.
There appears to be a bug in Gradle which means that some exclusions
applied to an artifact do not work reliably. To work around this
problem it has been necessary to apply some exclusions at the
configuration level
Conflicts:
samples/messages-jc/pom.xml
2014-04-02 09:47:26 -05:00
c411014c24
SEC-2533: Global AuthenticationManagerBuilder disables clearing child credentials
2014-03-25 13:05:44 -05:00
Rob Winch
Eddú Meléndez
Shazin Sadakath
Billy Korando
Wallace Wadge
Tim Ysewyn
Nikos Kastamoulas
William Gorder
Kazuki Shimizu
izeye
zhanhb
Thomas Darimont
Stijn
Alex Panchenko
Romain Fromi
Michael Cramer
Michael Oberwasserlechner
Spring Buildmaster
Oliver Gierke
Nándor István Krácser
Mirko Zeibig
Andy Wilkinson