db913f6857
SEC-1493: Added CredentialsContainer interface and implemented it in User, AbstractAuthenticationToken and UsernamePasswordAuthenticationToken. ProviderManager makes use of this to erase the credentials of the returned Authentication object (and its contents) if configured to do so by setting the 'eraseCredentialsAfterAuthentication' property.
16 years ago
d56adb8ffb
SEC-1495: Convert User class equals and hashcode methods to only use the "username" property.
...
This prevents situations where other data may have changed when a User object is reloaded (during a subsequent authentication attempt, in which case and Set.contains()/Map.containsKey() will return false even though the collection in question contains a principal representing the same user.
16 years ago
efb600166a
SEC-1488: Remove commons-logging dependencies from maven poms.
16 years ago
0e57ce2dc3
SEC-1481: Updated constructors of Authentication types to use a generic wildcard for authorities collection.
16 years ago
c95cf6ec7d
SEC-1483: Change User constructor to use a generic wildcard for authorities collection.
16 years ago
b3aad4cf19
Javadoc fixes.
16 years ago
e7646a65f4
SEC-1421: Add setters to JdbcUserDetailsManager for group sql operations.
16 years ago
3c3aabf5be
SEC-1465: Change empty check to a null check for list of delegates for DelegatingMethodSecurityMetadataSource.
16 years ago
a421370a3d
SEC-1465: Change DelegatingMethodSecurityMetadataSource to use constructor injection to get round the problem of it being invoked before it has been initialized properly. Also changed the contacts tests to use the same app context and loading order as the actual webapp, to give better reassurance that the app will run successfully.
16 years ago
3bbbf07235
SEC-1464: Fix broken test (flags in returned user object were not being copied from stored user).
16 years ago
024e6904ff
SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager.
16 years ago
f5859fabcf
SEC-1464: Created InMemoryUserDetailsManager and converted user-service BDP to use it for its in-memory database.
16 years ago
d3d9c5db59
Refactoring of UserDetailsService injection (for X509, OpenID and RememberMeServices) to use a factory bean rather than a post-processor.
16 years ago
74896f217b
SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>.
16 years ago
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
16 years ago
020e0aa49a
SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext.
...
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
16 years ago
977bc2b164
SEC-1433: Reduce the number of direct dependencies on DataAccessException from spring-tx.
...
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
16 years ago
472c1fac84
SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
...
Ensures protect-pointcut expressions match methods with generic parameters.
16 years ago
e60108ca8c
SEC-1443: Modify Jsr250Voter to handle multiple "RolesAllowed" roles.
...
It now votes to abstain if there are no Jsr250 attributes present. If any are found, it will either deny or grant access. For multiple "RoleAllowed" attributes, access will be granted if any user authority matches or denied if no match is found.
16 years ago
9e049dfef4
SEC-1438: Removed JoinPoint support from AbstractMethodSecurityMetadataSource
16 years ago
c09cd3a9cb
Remove unused inner class in MethodSecurityMetadataSourceAdvisor
16 years ago
55de2cfcb1
SEC-1262: Added new (replacement) AspectJ interceptor which wraps the JoinPoint in a MethodInvocation adapter to provide compatibility with classes which only support MethodInvocation instances.
...
Also deprecated the existing AspectJ interceptors. This will also allow future simplification of the AbstractMethodSecurityMetadataSource, as it no longer needs to support JoinPoints.
16 years ago
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
16 years ago
b38b8e55ac
SEC-1432: Convert map keys to lower-case in UserMap.setUsers().
...
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
16 years ago
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
16 years ago
0551dd89ac
SEC-1420: Add htmlEscape attribute to authentication JSP tag.
...
This allows HTML escaping to be disabled if required.
16 years ago
b147652193
Make hsqldb a testRuntime/runtime dependency.
16 years ago
f3f84da625
Increase upper bounds of Spring and Spring Security versions in bundlor templates to 3.2.0.
16 years ago
ea7ccc718d
SEC-1399: Removed AbstractAuthenticationManager.
...
MockAuthenticationManager was the only other subclass (apart from the main ProviderManager) and has been removed also.
16 years ago
dacb8dd25a
SEC-1382: Removed deprecated label-based voter and related classes.
16 years ago
b37d2ed978
SEC-593: Added PermissionCacheOptimizer strategy interface and implementation in Acl module.
...
This is used by DefaultMethodSecurityExpressionHandler to allow permissions to be cached before repeatedly evaluating an expression for a collection of domain objects.
16 years ago
2ee7696bf4
Update version number to 3.1.0.CI-SNAPSHOT.
16 years ago
44f45d21f0
3.0.2 release. Update version in build files.
16 years ago
d2b2ca3bc6
SEC-1387: Use a transient object as the advice monitor, rather than a Serializable.
...
No need for an anonymous inner class.
16 years ago
10dc72b017
SEC-1387: Support serialization of security advised beans.
...
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
16 years ago
dbee91002e
Deprecate EncryptionUtils.
16 years ago
c12c43da9e
Javadoc fixes.
16 years ago
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
16 years ago
67c9a0b78d
SEC-1389: Added "iterations" property to BaseDigestpasswordEncoder to support "stretching" of passwords.
16 years ago
bd2fd3448b
SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly.
16 years ago
10d787ede2
Javadoc corrections to SessionRegistryImpl
16 years ago
d931495c8a
SEC-1380: Trim whitespace from config attributes when building a list in SecurityConfig.
16 years ago
1a7f71fc0f
SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
...
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
16 years ago
51dfc0fb39
Set versions to 3.0.2-CI-SNAPSHOT, post release.
16 years ago
05634f97dc
Updated version numbers for 3.0.1 release.
16 years ago
0f90e69004
SEC-1362: Updated French messages translation.
16 years ago
b323098167
Added gradle build files for taglibs, tutorial, contacts and openid.
...
Changed build file names to match module names (by manipulating the project objects in the settings.gradle file).
16 years ago
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
16 years ago
93973a4b75
SEC-1304: Removed compareTo method from GrantedAuthorityImpl
...
This method had been left by mistake when the Comparable
interface was removed. See also SEC-1347.
16 years ago
80aacf447f
Refactored JaasAuthenticationProvider
...
The toUrl() method on File gives a deprecation warning with Java 6, so I reimplemented
the logic for building the Jaas config URL.
16 years ago
Luke Taylor