Luke Taylor
04447bdbf0
SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs).
2010-01-22 01:55:13 +00:00
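The three cases the message above names (control characters, whitespace, supplementary characters) are exactly where naive HTML escapers go wrong. The following is an added illustration, written for this page in Python rather than taken from Spring Security's TextEscapeUtils; the pass-through policy (keep tab, LF, CR, space, ASCII alphanumerics and a few punctuation marks; drop other controls; numerically reference everything else) is my assumption, not the project's. The second function deliberately escapes per UTF-16 code unit, the way a Java loop over String.charAt() would, to show why surrogate pairs must be combined before encoding.

```python
# Added example (not Spring Security code): HTML escaping done per Unicode
# code point, covering the three cases the SEC-1377 message names.
# Policy below is an assumption for illustration, not Spring Security's:
#   - tab, LF, CR and space pass through; other C0/C1 controls are dropped
#   - ASCII letters, digits and a few punctuation marks pass through
#   - everything else becomes a hex numeric character reference

KEEP_WHITESPACE = frozenset("\t\n\r ")
SAFE_PUNCT = frozenset(".,-_")


def html_escape(text: str) -> str:
    """Escape text for an HTML body, iterating by code point."""
    out = []
    for ch in text:  # a Python str yields one item per code point, even above U+FFFF
        cp = ord(ch)
        if ch in KEEP_WHITESPACE:
            out.append(ch)
        elif cp < 0x20 or 0x7F <= cp <= 0x9F:
            continue  # other control characters carry no meaning in HTML text; drop them
        elif cp < 0x80 and (ch.isalnum() or ch in SAFE_PUNCT):
            out.append(ch)
        elif 0xD800 <= cp <= 0xDFFF:
            # A lone surrogate can reach Python via surrogateescape decoding; it is not
            # a valid scalar value and must not be emitted as &#xD83D; (invalid in HTML).
            raise ValueError(f"unpaired surrogate U+{cp:04X} in input")
        else:
            # Covers <, >, &, quotes, U+00A0, U+2028 and supplementary characters alike.
            out.append(f"&#x{cp:x};")
    return "".join(out)


def html_escape_utf16_units(text: str) -> str:
    """Deliberately naive: escapes each UTF-16 code unit separately, as a Java
    loop over String.charAt() would. Shows why surrogate pairs need special handling."""
    units = text.encode("utf-16-be")
    out = []
    for i in range(0, len(units), 2):
        unit = int.from_bytes(units[i:i + 2], "big")
        if unit < 0x80 and chr(unit).isalnum():
            out.append(chr(unit))
        else:
            out.append(f"&#x{unit:x};")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input: markup, a NUL byte, a tab and an emoji (U+1F600).
    sample = "<b>hi\x00\t\U0001F600</b>"
    print(html_escape(sample))
    print(html_escape_utf16_units("\U0001F600"))  # &#xd83d;&#xde00; -- two invalid refs
```

The per-unit variant turns one emoji into two references to surrogate code points, which HTML parsers treat as errors (typically replaced by U+FFFD), so the output is both wrong and unreviewable; the per-code-point variant emits a single `&#x1f600;`. Dropping rather than encoding other control characters is a choice: if the escaped text is later fed to something that cares about them, reject the input instead.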
Luke Taylor
0c10efbbf8
Revert SEC-1356.
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
2010-01-19 22:26:21 +00:00
Luke Taylor
f62d97b092
SEC-1356: Fix broken tests.
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes.
2010-01-12 01:32:02 +00:00
Luke Taylor
e211f9b35f
SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.
Enabled remember-me in the OpenID sample.
2010-01-09 01:04:13 +00:00
Luke Taylor
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
2010-01-08 21:05:13 +00:00
Luke Taylor
c6b8fe5e55
SEC-1346: Added missing 'return' statements after redirects.
ConcurrentSessionFilter and SessionManagementFilter now return immediately after redirecting to the expired URL and invalid session URLs respectively. Extra tests added to check.
2010-01-03 19:06:58 +00:00
Luke Taylor
893f212fa5
Tidying
2010-01-02 19:53:19 +00:00
Luke Taylor
76731254c0
SEC-1328: Fixed issue with redirect to context relative URLs where the context name is part of the domain name.
2009-12-18 18:04:03 +00:00
Luke Taylor
6805761d85
Extra test to confirm http-method specific matching behaviour.
2009-12-14 13:55:48 +00:00
Luke Taylor
cad32ffe39
SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. Removed unnecessary null checks in classes which use the interface.
2009-12-13 17:37:24 +00:00
Luke Taylor
444d93b13f
SEC-1316: Remove 'removeAfterRequest' property from AnonymousAuthenticationFilter
2009-12-07 13:54:39 +00:00
Luke Taylor
b27d7afd24
SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation.
2009-12-06 15:28:03 +00:00
Luke Taylor
aee6b8f3f9
SEC-1314: Deprecate cloneFromHttpSession and securityContextClass in HttpSessionSecurityContextRepository. Both deprecated.
2009-12-06 15:09:33 +00:00
Luke Taylor
617e517e5e
SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice. Added check for null authentication in logout method.
2009-11-04 17:20:13 +00:00
Luke Taylor
930c1b6b53
Converted to JUnit 4 test.
2009-10-14 21:48:30 +00:00
Luke Taylor
11e476c486
Added issue numbers in comment.
2009-10-14 14:23:34 +00:00
Luke Taylor
d4d45e1311
Make getHeader() methods check case-insensitive matching on header name.
2009-10-14 14:12:27 +00:00
Luke Taylor
0da99171da
SEC-1250: RequestHeaderPreAuthenticatedProcessingFilter cannot be used to fall back to another authentication type. Added exceptionIfHeaderMissing property.
2009-10-08 16:37:53 +00:00
Luke Taylor
3f72983a1e
SEC-1257: Some additional API changes to use Collection instead of List...
2009-10-07 21:08:41 +00:00
Luke Taylor
1286741c7c
SEC-1259: Improve consistency of authentication filter names.
2009-10-07 14:43:55 +00:00
Luke Taylor
f213cc5d9e
SEC-1257: APIs using List<ConfigAttribute> should use a Collection instead. Converted.
2009-10-06 19:46:44 +00:00
Luke Taylor
caff3ee9ba
SEC-1231: Authentication.getAuthorities should be of type Collection<GrantedAuthority> and not List<GrantedAuthority>. Refactored the interface and related classes to match (UserDetails etc).
2009-10-05 19:28:53 +00:00
Luke Taylor
07d7c0ddae
Renamed form and openID filters to shorten names
2009-10-05 17:33:34 +00:00
Luke Taylor
1042305cfe
Renamed web.wrapper to web.servletapi. Added some package.html files.
2009-10-05 16:59:37 +00:00
Luke Taylor
673cf300fb
SEC-1229: Refactoring to remove package cycles.
2009-10-05 16:40:32 +00:00
Luke Taylor
acf13c74ca
SEC-1229: Refactored authentication.concurrent in core, moving classes into core.session
2009-10-05 15:51:00 +00:00
Luke Taylor
2b89ebdfbb
SEC-1229: Further doc and mods to namespace config/naming to make it more consistent
2009-10-03 16:08:51 +00:00
Luke Taylor
731402e9f5
SEC-525: [PATCH] Add AccessCheckerTag based on URL resource access permissions. Added functionality to "authorize" tag to allow evaluation of whether a particular url is accessible to the user. Uses a WebInvocationPrivilegeEvaluator registered in the application context.
2009-09-16 00:23:13 +00:00
Luke Taylor
e7486fc203
Removed Ordered interface from Http403EntryPoint (unused).
2009-09-14 16:06:15 +00:00
Luke Taylor
23c8f479b8
SEC-1226: Renamed useRelativeContext to contextRelative to match corresponding flag name in Spring Framework.
2009-09-13 20:45:38 +00:00
Luke Taylor
9c7423599e
SEC-1167: Extended SavedRequest interface to allow it to be used by wrapper. Removed null checks in wrapper, as the SavedRequest cannot now be null.
2009-09-13 16:27:35 +00:00
Luke Taylor
4064b7b4f6
SEC-1167: Introduce more flexible SavedRequest handling. Introduced interface for SavedRequest.
2009-09-13 15:03:14 +00:00
Luke Taylor
ac4e7bbadb
SEC-1241: Make sure saved request is removed after a match.
2009-09-09 10:11:45 +00:00
Luke Taylor
f518da9d8b
SEC-1236: Using HTTP Method-specific intercept-urls causes patterns with no method to be ignored. Fixed by also checking null key in map if no method-specific attributes are found.
2009-09-05 15:26:07 +00:00
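The SEC-1236 entry above describes a lookup-ordering bug in method-specific URL authorization: once a method-specific group of patterns exists, the method-agnostic patterns were skipped. The following is an added model of that behaviour, written for this page and not Spring Security's own DefaultFilterInvocationSecurityMetadataSource; the rule list, the simplified Ant matcher and the "before" and "after" lookup functions are constructed for illustration, with None standing for the null method key the message mentions.

```python
# Added example (not Spring Security code): a method-aware URL-to-attributes lookup
# modelling the SEC-1236 behaviour. Rules are (method, Ant-style pattern, attributes);
# method None means "any method". Entries are matched in declaration order, first
# match wins, as with ordered <intercept-url> elements.
import re


def ant_to_regex(pattern: str):
    """Simplified Ant path matcher: ** spans directories, * and ? stay within one."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            parts.append("(/.*)?")  # "/admin/**" also matches "/admin" itself
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")


# Constructed rule set: GET on /admin/** is open to users, POST needs an admin;
# a GET-specific rule elsewhere makes a method-specific group exist for GET.
RULES = [
    ("POST", "/admin/**", {"ROLE_ADMIN"}),
    ("GET", "/reports/**", {"ROLE_AUDITOR"}),
    (None, "/admin/**", {"ROLE_USER"}),
    (None, "/**", {"IS_AUTHENTICATED_ANONYMOUSLY"}),
]


def build_request_map(rules):
    """Group rules by HTTP method, keeping declaration order within each group."""
    request_map = {}
    for method, pattern, attrs in rules:
        request_map.setdefault(method, []).append((ant_to_regex(pattern), frozenset(attrs)))
    return request_map


def _first_match(entries, url):
    for regex, attrs in entries:
        if regex.match(url):
            return attrs
    return None


def lookup_before_fix(request_map, method, url):
    """Once a method-specific group exists, the method-agnostic rules are never consulted."""
    if method in request_map:
        return _first_match(request_map[method], url)
    return _first_match(request_map.get(None, []), url)


def lookup_after_fix(request_map, method, url):
    """Try the method-specific rules first, then fall back to the None key."""
    attrs = _first_match(request_map.get(method, []), url)
    if attrs is None:
        attrs = _first_match(request_map.get(None, []), url)
    return attrs


if __name__ == "__main__":
    rm = build_request_map(RULES)
    for fn in (lookup_before_fix, lookup_after_fix):
        print(fn.__name__, "GET /admin/users ->", fn(rm, "GET", "/admin/users"))
```

The practical consequence is worth spelling out: in Spring Security, a URL for which the metadata source returns no attributes is treated as public and skips the access decision unless `rejectPublicInvocations` is set on the interceptor, so a lookup bug of this kind does not fail closed, it silently unprotects every URL whose only rule lacks a method. Setting `rejectPublicInvocations` and keeping a final catch-all pattern turns such a bug into a visible denial rather than an exposure.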
Luke Taylor
5bdfd8cd77
Tidying imports etc to remove compiler warnings.
2009-09-05 14:14:58 +00:00
Mike Wiesner
5623c13038
SEC-1047: Added an option to DigestProcessingFilter that the created Authentication object is now marked as "authenticated"
2009-09-02 16:12:19 +00:00
Luke Taylor
2039200617
SEC-1217: AbstractRememberMeServices should set 'secure' attribute on remember-me cookie if in secure context. Added "useSecureCookie" configuration property and corresponding use-secure-cookie attribute in namespace.
2009-09-01 16:08:20 +00:00
Luke Taylor
3cc47c9c4d
SEC-1190: Added "checkForPrincipalChanges" property to AbstractPreAuthenticatedProcessingFilter.
2009-08-31 23:28:40 +00:00
Luke Taylor
dbcb13ad14
SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination.
2009-08-31 22:48:49 +00:00
Luke Taylor
471206a29d
SEC-1229: Redesign Concurrent Session Control implementation. Added ConcurrentSessionControlAuthenticatedSessionStrategy
2009-08-27 10:43:01 +00:00
Luke Taylor
ab0d66071a
SEC-1226: Introduce RedirectStrategy to replace RedirectUtils. Implemented strategy and applied throughout relevant classes.
2009-08-27 10:42:11 +00:00
Luke Taylor
e6631be778
Import cleaning
2009-08-10 16:07:05 +00:00
Luke Taylor
6f76fe6fbb
Import cleaning
2009-08-10 16:04:54 +00:00
Luke Taylor
f536c80020
SEC-1202: Removed SpringSecurityFilter and replaced with use of GenericFilterBean from spring-web
2009-08-10 14:18:18 +00:00
Luke Taylor
90d76373cc
SEC-1142: Support for session timeout detection. Added redirect to invalidSessionUrl in SessionManagementFilter when an invalid session Id is supplied in the request.
2009-08-07 17:12:12 +00:00
Luke Taylor
3e6054b69f
SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.
2009-07-29 00:52:30 +00:00
Luke Taylor
609a68b12a
SEC-1077: Added DefaultAuthenticatedSessionStrategy test to check that saved request attribute is retained when migrateAttributes is false.
2009-07-28 23:47:26 +00:00
Luke Taylor
db90122179
SEC-1211: Create strategy for session handling on successful authentication. Added AuthenticatedSessionStrategy interface and default implementation which encapsulates the functionality that was previously in SessionFixationProtectionFilter and AbstractAuthenticationProcessingFilter. Updated the namespace to make use of these.
2009-07-28 18:00:24 +00:00
Luke Taylor
f404bb3d74
SEC-1167: Introduce more flexible SavedRequest handling. Separated the concept of SavedRequest from SecurityContextHolderAwareFilter since the two are orthogonal requirements. This no longer takes a wrapper class property or uses reflection. SavedRequest functionality is accessed through the RequestCache interface, with the default implementation being HttpSessionRequestCache. A separate filter RequestCacheAwareFilter is now responsible for reconstituting the SavedRequest if it matches the current request. The functionality for matching and returning the wrapper is contained in the RequestCache method though.
2009-07-20 22:34:40 +00:00
Luke Taylor
8ddd96af2b
SEC-1186: intermediate commit of namespace changes for improved tooling support
2009-06-26 12:44:46 +00:00