6d6c2d31ef
SEC-1462: Only apply session fixation protection strategy if request.isRequestedSessionIdValid() returns true. We don't need to create a new session if the current one already has a different Id from the client.
16 years ago
0760bb947b
SEC-1458: Remove logger field in HttpSessionEventPublisher in favour of direct lookup. Prevents early initialization of logging system when listener is initialized.
16 years ago
b8e50c0933
SEC-1439: Make getters and setters public on HttpRequestResponseHolder.
...
Necessary to allow use of custom SecurityContextRepository.(cherry picked from commit d5df53f1db
16 years ago
677576ea8b
SEC-1429: Fix test. Wasn't setting allowSessionCreation=false on failure handler.
16 years ago
5a5b62e2cb
SEC-1429: Removed cached authentication from session after successful authentication.(cherry picked from commit 43f0e11106)
16 years ago
6ac8588144
Fix to Javadoc for AbstractAuthenticationProcessingFilter.(cherry picked from commit a3263753d9)
16 years ago
5690f1c581
SEC-1428: Check if response has been committed before redirecting to target URL in AbstractAuthenticationTargetUrlRequestHandler.
16 years ago
87cf27ab7c
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
16 years ago
a7e21318bf
SEC-1425: Replace use of Java 1.6 String.isEmpty().
16 years ago
b46ae6ac62
SEC-1425: Add check for empty cookie in AbstractRememberMeServices.
...
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
16 years ago
14ae36ac3b
SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header.
...
The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
16 years ago
bd635edc31
SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.
...
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
16 years ago
c1133d1ef3
Removed unused import in DelegatingAuthenticationEntryPoint and corrected test class name.
16 years ago
d30e31d816
Remove unnecessary @SuppressWarnings and inline dependency from ELRequestMatcher (util package) to core ExpressionUtils.
16 years ago
c12c43da9e
Javadoc fixes.
16 years ago
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
16 years ago
1e4f451352
Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources
16 years ago
dcbdfc2026
SEC-1396: Implement eager saving of SecurityContext in SessionManagementFilter on authentication.
...
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
16 years ago
90d6ff1fde
SEC-1406: Create a DelegatingAuthenticationEntryPoint
16 years ago
d32b078a8c
SEC-1406: Create a DelegatingAuthenticationEntryPoint
16 years ago
d2413cf237
SEC-1406: Create a DelegatingAuthenticationEntryPoint
16 years ago
08c7155ab5
SEC-1404: Refactored IP subnet matching into IpAddressMatcher class to allow it to be used outside expressions.
16 years ago
1ecd3e228b
SEC-1405: added RequestMatcher interface.
16 years ago
984604b026
SEC-1384: Removed check for empty authority list from DefaultWebInvocationPrivilegeEvaluator.
...
The class previously rejected access if the user had no authorities. It will now allow the AccessDecisionManager to make the decision.
16 years ago
0974e21fb6
SEC-1379: Added creation of a session if session timeout is detected (requested session ID is invalid).
...
This prevents problems with repeated detection of the same invalid session when the redirected request comes in.
16 years ago
04447bdbf0
SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs).
16 years ago
0c10efbbf8
Revert SEC-1356.
...
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
16 years ago
1a7f71fc0f
SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
...
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
16 years ago
a9567a58d8
SEC-1359,SEC-1360,SEC-1361,SEC-1363,SEC-1364,SEC-1365,SEC-1366,SEC-1367: Minor doc and Javadoc typos.
16 years ago
f62d97b092
SEC-1356: Fix broken tests.
...
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
16 years ago
6eff4d90b7
SEC-1356: Modify AbstractRememberMeService to check the cookie path as well as the name when extracting it from the incoming request.
...
This makes things consistent with the cookie setting methods. If someone wants to share a cookie between multiple applications then they should modify the cookie extraction and setting methods to use a less-specific path.
16 years ago
2023ca283e
SEC-1358: Support empty context path in DefaultWebInvocationPrivilegeEvaluator
...
This class was failing when an application was deployed at the root context because of an assertion which checked that the contexPath was not empty. An empty context path doesn't actually cause problems for the class so I've removed the assertion.
16 years ago
e211f9b35f
SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
...
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.
Enabled remember-me in the OpenID sample.
16 years ago
bc02fc2de1
Corrected "incorrect numer of tokens" error message in TokenBasedRememberMeServices.
16 years ago
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
16 years ago
f5d36aef65
SEC-1350: Improved Javadoc for AbstractPreAuthenticatedProcessingFilter
...
Added clarification that the credentials returned
by the subclass should not be null or they will
typically be rejected by the provider. Also added
some general overview.
16 years ago
c6b8fe5e55
SEC-1346: Added missing 'return' statements after redirects.
...
ConcurrentSessionFilter and SessionManagementFilter now return immediately after redirecting to the expired URL and invalid session URLs respectively. Extra tests added to check.
16 years ago
893f212fa5
Tidying
16 years ago
3418aab46e
SEC-1327: Javadoc additions to clarify some behaviour
16 years ago
97a31cae04
SEC-1333: Added error message for invalid redirect URL assertion
16 years ago
aeed49393c
Switching StringBuffer to StringBuilder throughout the codebase (APIs permitting).
16 years ago
76731254c0
SEC-1328: Fixed issue with redirect to context relative URLs where the context name is part of the domain name.
16 years ago
06e092d46a
Midor Javadoc correction.
16 years ago
6805761d85
Extra test to confirm http-method specific matching behaviour.
16 years ago
cad32ffe39
SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. removed unnecessary null checks in classes which use the interface.
16 years ago
075e7a15ad
Corrected package name in Javadoc.
16 years ago
444d93b13f
SEC-1316: Remove 'removeAfterRequest' property from AnonymousAuthenticationFilter
16 years ago
b27d7afd24
SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation.
16 years ago
aee6b8f3f9
SEC-1314: Deprecate cloneFromHttpSession and securityContextClass in HttpSessionSecurityContextRepository. Both deprecated.
16 years ago
69699431b1
SEC-1303: Added internal Hex and Base64 classes, and moved commons-codec dependency to test scope
16 years ago
Luke Taylor
Luke Taylor
Mike Wiesner