Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-01-01 21:21:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
10,161 Commits 54 Branches 369 Tags
Commit Graph

677 Commits

Author SHA1 Message Date
Luke Taylor
2be2660b13 SEC-1636: Add optimizations for simple pattern cases in AntPathRequestMatcher. "/**" and "**" are treated as universal matches and a trailing "/**" is now optimized using a substring match. 2010-12-11 21:56:35 +00:00
Luke Taylor
4a40d80da1 SEC-1418: Deprecate GrantedAuthorityImpl in favour of final SimpleGrantedAuthority. 
It should be noted that equality checks or lookups with Strings or other authority types will now fail where they would have succeeded before.
 2010-12-03 16:41:46 +00:00
Luke Taylor
4ad0652787 Removed array of authorities constructor from TestingAuthenticationToken and RunAsUserToken. 2010-12-01 20:52:37 +00:00
Luke Taylor
43be9ea2a4 SEC-1430: Removed caching of username in session upon failed authentication. Improved Javadoc. 2010-11-26 13:58:49 +00:00
Luke Taylor
60970dd9c4 Added some tests for web expression handling code. 2010-11-15 20:01:38 +00:00
Luke Taylor
8b51c2c97d SEC-1587: Add explicit call to removeAttribute() to remove the context from the session if the current context is empty or anonymous. 
Allows for the situation where a user is logged out without invalidating the session.
 2010-11-09 13:55:45 +00:00
Rob Winch
4f51eb09c0 SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward 2010-11-03 15:27:59 -05:00
Luke Taylor
1c8d28501c SEC-1550: Convert signatures to use Collection<? extends GrantedAuthority> where appropriate. 2010-11-03 13:48:59 +00:00
Luke Taylor
43ec2beec0 SEC-1183: Modified Attributes2GrantedAuthoritiesMapper to return Collection<? extends GrantedAuthority>. 2010-11-02 14:02:55 +00:00
Luke Taylor
84efffb937 SEC-1542: Add a setter for the UserDetailsChecker in AbstractRememberMeServices. 2010-11-02 13:41:59 +00:00
Luke Taylor
0696bed78e SEC-1608: Make sure FirewalledRequest.reset() is called when filter="none" 2010-11-02 12:08:39 +00:00
Luke Taylor
4de8b84b0d SEC-1543: Change IpAddressMatcher to return false when comparing an Inet6Address with an Inet4Address rather than raising an exception. 2010-10-27 13:25:40 +01:00
Luke Taylor
7d97adc687 SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/". 2010-10-27 13:25:39 +01:00
Rossen Stoyanchev
70600a0277 SEC-1552 Refactor AuthorizeTag and LegacyAuthorize tag to make them independent of JSP tag rendering. 2010-10-26 12:33:51 +01:00
Rob Winch
ee12d54bec SEC-1536: moved web.authentication.jaas to web.jaasapi 
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
 2010-10-05 22:28:42 -05:00
Luke Taylor
1b2b371970 SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element. 
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.

Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
 2010-09-16 16:03:24 +01:00
Luke Taylor
551166a577 ApacheDS workDir property should be passed to the test process, not set as a system property in the main build process. 2010-09-14 14:43:21 +01:00
rwinch
de819378fc SEC-1536: added JAAS API Integration, updated doc, updated jaas sample 2010-09-13 13:12:45 -05:00
Luke Taylor
1a1372ab84 Removed deprecated AspectJInterceptor classes since these cannot be used with the existing MethodSecurityMetadataSource implementations (which no longer support JoinPoin as a secured object). Added some more tests. 2010-08-28 21:41:19 +01:00
Luke Taylor
ba890cf7e5 Removed invalid test method. 2010-08-24 21:03:33 +01:00
Luke Taylor
d1e8b8e29d More tests. Minor refactoring. 2010-08-24 20:57:45 +01:00
Luke Taylor
1680807470 Added eclipse plugin to build. Some minor fixes to remove eclipse warnings. 2010-08-18 14:11:16 +01:00
Luke Taylor
3c02989d67 Removal of jmock test dependency and upgrading of mockito version to 1.8.5. Minor adjustments to other build deps and configurations (e.g. prevent groovy from being used as a transitive dep, since we only use it for tests). 2010-08-18 02:32:43 +01:00
Luke Taylor
281d77271e SEC-1486, SEC-1538, SEC-1537: Generification of AuthenticationDetailsSource. Deprecation of non-web pre-authentication classes and other unnecessary classes. Removal of reflection in WebAuthenticationDetailsSource. 2010-08-13 15:51:05 +01:00
Luke Taylor
2222a7be07 Use Integer.valueOf() in preference to new Integer() 2010-08-11 18:17:23 +01:00
Luke Taylor
db6da77a5f SEC-1413: Add RedirectStrategy to AbstractRetryEntryPoint. 2010-08-10 17:39:12 +01:00
Luke Taylor
183333d189 SEC-1430: Forgot to commit changes to new ExceptionMappingAuthenticationFailureHandlerTests. 2010-08-09 17:09:02 +01:00
Luke Taylor
2e98b84494 SEC-1430: internalize session key for SavedRequest. This should be accessed using the RequestCache interface if required. Additional refactoring of related tests which were still in AbstractAuthenticationProcessingFilterTests for historical reasons, but should be in their respective success/failure handler test classes. 2010-08-08 17:49:06 +01:00
Luke Taylor
a2bd1bc9af SEC-1498: Allow use of absolute URL fopr login form in LoginUrlAuthenticationEntryPoint. 2010-08-05 21:09:34 +01:00
Luke Taylor
63734cfcf9 SEC-1528: Remove logic which checks if context in the session is the same as the current context to make sure that session.setAttribute() is called when the value in the session has been modified directly. 2010-08-02 22:41:57 +01:00
Luke Taylor
8df356de29 SEC-1471: Allow use of a RequestMatcher with HttpSessionRequestCache to configure which requests should be cached by calls to saveRequest. 
Also removed the justUseSavedRequestOnGet property, as this behaviour can be controlled by the RequestMatcher.
 2010-06-28 19:51:30 +01:00
Luke Taylor
026517f674 Removal of deprecated methods and classes. 2010-06-26 16:23:42 +01:00
Luke Taylor
ea8d37892c SEC-1496: Added support for use of any non-standard URL schemes in DefaultRedirectStrategy. 2010-06-18 03:33:49 +01:00
Luke Taylor
4d10d4b67f SEC-1500: Convert AbstractRetryEntryPoint to use requestURI to correctly encode URLs. 2010-06-18 01:34:07 +01:00
Luke Taylor
024e6904ff SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager. 2010-04-25 04:27:09 +01:00
Luke Taylor
74896f217b SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>. 2010-04-20 23:47:47 +01:00
Luke Taylor
0521d10069 SEC-1294: Enable access to beans from ApplicationContext in EL expressions. 
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
 2010-04-01 01:24:23 +01:00
Luke Taylor
2e2625873c SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager). 
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
 2010-03-23 00:45:06 +00:00
Luke Taylor
89d8c8cc83 Additional test classes for authentication and logout success/failure handling. 2010-03-04 23:18:46 +00:00
Luke Taylor
530ab3ae30 SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect. 2010-03-04 21:21:07 +00:00
Luke Taylor
93438defff SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy. 
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
 2010-03-01 01:21:06 +00:00
Luke Taylor
cb0f3f677f SEC-1425: Add check for empty cookie in AbstractRememberMeServices. 
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
 2010-02-28 14:08:27 +00:00
Luke Taylor
e2f9be9015 SEC-1307: Modify context saving logic in HttpSessionSecurityContextRepository to check the SecurityContext and its contents (the Authentication) against the respective values when the request first arrived at the SecurityContextPersistenceFilter. As explained in the issue, this allows a definite decision to be made about whether the current thread has modified the context information during the request, indicating that it should be saved. 
Also removed deprecated HttpSessionContextIntegrationFilter and tests.
 2010-02-26 16:01:40 +00:00
Luke Taylor
14ae36ac3b SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header. 
The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
 2010-02-18 00:32:49 +00:00
Luke Taylor
bd635edc31 SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones. 
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
 2010-02-15 22:46:18 +00:00
Luke Taylor
c1133d1ef3 Removed unused import in DelegatingAuthenticationEntryPoint and corrected test class name. 2010-02-14 23:31:31 +00:00
Luke Taylor
1e4f451352 Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources 2010-02-11 18:08:06 +00:00
Mike Wiesner
90d6ff1fde SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-11 13:19:16 +01:00
Mike Wiesner
d32b078a8c SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-11 09:05:28 +01:00
Mike Wiesner
d2413cf237 SEC-1406: Create a DelegatingAuthenticationEntryPoint 2010-02-10 21:25:23 +01:00