3bbbf07235
SEC-1464: Fix broken test (flags in returned user object were not being copied from stored user).
16 years ago
024e6904ff
SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager.
16 years ago
f5859fabcf
SEC-1464: Created InMemoryUserDetailsManager and converted user-service BDP to use it for its in-memory database.
16 years ago
82bbd09b71
SEC-1460: Documentation of changes.
16 years ago
dada047e04
SEC-1456: Set rtexprvalue=true for "url" attribute in access tag to allow dynamic values (such as URL of current page).
16 years ago
def5f88c8c
SEC-1431: Added openid-selector to openid sample, plus AX configuration for myopenid.com.
16 years ago
2f025fba6c
SEC-1460: Added AxFetchListFactory which matches OpenID identifiers to lists of attributes to use in a fetch-request.
...
This allows different configurations to be used based on the identity-provider (google, yahoo etc). The default implementation iterates through a map of regex patterns to attribute lists. The namespace has also been extended to support this facility, with the "identifier-match" attribute being added to the attribute-exchange element. Multiple attribute-exchange elements can now be defined, each matching a different identifier.
16 years ago
3af75afec1
Clarify that multiple authentication-provider elements can be used in combination.
16 years ago
ee1fd1bc50
SEC-1431: Modify OpenID sample to use a custom UserDetailsService which allows any user to authenticate, allocating them a standard role and "registers" their ID in a map, allowing it to be retrieved in subsequent logins.
16 years ago
f5468087c2
Remove cached DiscoveryInformation from session in OpenID4JavaConsumer's endConsumption method.
16 years ago
d3d9c5db59
Refactoring of UserDetailsService injection (for X509, OpenID and RememberMeServices) to use a factory bean rather than a post-processor.
16 years ago
74896f217b
SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>.
16 years ago
a45d2a4fb2
SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client.
16 years ago
93deec8d40
SEC-1458: Remove logger field in HttpSessionEventPublisher in favour of direct lookup. Prevents early initialization of logging system when listener is initialized.
16 years ago
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
16 years ago
12a6ae2ffa
SEC-1232: Add config dependency to maven build for aspectj sample.
16 years ago
a5a95a8ebc
Upgrade jython and disable cachedir.
16 years ago
a3ef8255d8
SEC-1232: GlobalMethodSecurityBeanDefinitionParser support for mode='aspectj'
...
Also added this syntax to the aspectj sample.
16 years ago
020e0aa49a
SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext.
...
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
16 years ago
d334f6fa09
Latest gradle syntax updates.
16 years ago
2b9beffd08
SEC-1444: Fix JNDI escaping problems in LDAP authentication.
...
CompositeName adds quotes to names which contain a forward slash ("/") character. These are automatically removed by Spring LDAP's DistinguishedName, but only if they are at the ends of the String. Since we were preprending the base to the (quoted) DN, resulting in something like ["cn=joe/b",ou=people], this was causing problems with the DN value returned from the search. Additionally, the bind succeeds when a DN is used with a slash, but the subsequent call to getAttributes() fails. This call now passes in a DistinguishedName for the user DN instance instead of a String.
16 years ago
977bc2b164
SEC-1433: Reduce the number of direct dependencies on DataAccessException from spring-tx.
...
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
16 years ago
57150a6717
SEC-1440: Add entry-point-ref to http-basic element to allow setting a separate AuthenticationEntryPoint for the BasicAuthenticationFilter.
16 years ago
2a0aae1904
SEC-524: Document addition of "var" attribute in authorization tags.
16 years ago
0849dd93e9
Minor correction to namespace appendix
16 years ago
472c1fac84
SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
...
Ensures protect-pointcut expressions match methods with generic parameters.
16 years ago
bf91f2ca67
SEC-524: Added "var" attribute to authorize and accesscontrollist JSP tags.
...
Allows the result of the boolean condition granting/denying access to be stored in the page context for later use, without having to duplicate the tag.
16 years ago
2e2625873c
SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager).
...
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
16 years ago
e60108ca8c
SEC-1443: Modify Jsr250Voter to handle multiple "RolesAllowed" roles.
...
It now votes to abstain if there are no Jsr250 attributes present. If any are found, it will either deny or grant access. For multiple "RoleAllowed" attributes, access will be granted if any user authority matches or denied if no match is found.
16 years ago
d5df53f1db
SEC-1439: Make getters and setters public on HttpRequestResponseHolder.
...
Necessary to allow use of custom SecurityContextRepository.
16 years ago
111d49d68a
Added build file for itest-context.
16 years ago
9e049dfef4
SEC-1438: Removed JoinPoint support from AbstractMethodSecurityMetadataSource
16 years ago
1be44ecd18
SEC-1262: Added extra test for PostFilter with AspectJ interceptor.
16 years ago
c09cd3a9cb
Remove unused inner class in MethodSecurityMetadataSourceAdvisor
16 years ago
55de2cfcb1
SEC-1262: Added new (replacement) AspectJ interceptor which wraps the JoinPoint in a MethodInvocation adapter to provide compatibility with classes which only support MethodInvocation instances.
...
Also deprecated the existing AspectJ interceptors. This will also allow future simplification of the AbstractMethodSecurityMetadataSource, as it no longer needs to support JoinPoints.
16 years ago
2b8b8819e4
Added gradle support for aspects project.
16 years ago
6fcaba2c46
Moved setting of 'provided' scope mapping on pom out of whenConfigured() so that the mapping is in place when the pom dependencies are assembled. Added 'skipTests' option.
16 years ago
f3264ba9ab
Addition of commons-logging exclusions and adjustments to pom generation.
16 years ago
b64a3fa725
Hans Dockter's refactoring of gradle build, plus simplification of docbook plugin.
16 years ago
d66ff32a1d
Added taglib dependency to itest-web project. Needed by additional test for SEC-1420.
16 years ago
b7aaa3447c
Updated aws-maven to 3.0.0.RELEASE
16 years ago
b38b8e55ac
SEC-1432: Convert map keys to lower-case in UserMap.setUsers().
...
Otherwise the lookup on mixed-case fails, since the lookup is performed with a lower-case key.
16 years ago
43f0e11106
SEC-1429: Removed cached authentication from session after successful authentication.
16 years ago
89d8c8cc83
Additional test classes for authentication and logout success/failure handling.
16 years ago
a3263753d9
Fix to Javadoc for AbstractAuthenticationProcessingFilter.
16 years ago
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
16 years ago
4d70f88285
SEC-1420: JSP for itest of authentication tags with and without escaping.
16 years ago
0551dd89ac
SEC-1420: Add htmlEscape attribute to authentication JSP tag.
...
This allows HTML escaping to be disabled if required.
16 years ago
43f3568b16
SEC-1407: Removed original URL matching classes and updated Javadoc of new RequestMatcher versions.
16 years ago
90caf1bb37
Manual formatting.
16 years ago
Luke Taylor
Luke Taylor
Hans Dockter