Rob Winch
a27c33754c
SEC-2859: Add CsrfTokenArgumentResolver
11 years ago
Rob Winch
1a35292750
SEC-2791: AbstractRememberMeServices sets the version
If the maxAge < 1, then the version must be 1; otherwise browsers ignore
the value.
11 years ago
Rob Winch
1a00c397a4
SEC-2835: Polish
11 years ago
Rob Winch
07c54e5d0e
SEC-2831: Regex/AntPath RequestMatcher handle invalid HTTP method
11 years ago
Kazuki Shimizu
31234ecef9
SEC-2835: Add DelegatingAuthenticationFailureHandler
Add the DelegatingAuthenticationFailureHandler class to support mapping
each exception to an AuthenticationFailureHandler. This class gives
more powerful options to customize default behavior for users.
11 years ago
Kazuki Shimizu
1d0eee1d0b
SEC-2840: Modify typo in DelegatingAccessDeniedHandler
11 years ago
Rob Winch
6627f76df7
SEC-2758: Make ROLE_ consistent
11 years ago
Rob Winch
c67ff42b8a
SEC-2783: XML Configuration Defaults Should Match JavaConfig
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
11 years ago
Rob Winch
6e204fff72
SEC-2781: Remove deprecations
11 years ago
Rob Winch
eedbf44235
SEC-2348: Security HTTP Response Headers enabled by default w/ XML
12 years ago
Rob Winch
2e1e9885ec
SEC-2054: Polish
Fix the tests to use .getName() for assertions
12 years ago
Rob Winch
e2f7b38b87
SEC-2054: BasicAuthenticationFilter not invoked on ERROR dispatch
12 years ago
Rob Winch
fa9e7999da
SEC-2569: SavedRequestAwareWrapper no longer overrides getCookies()
Previously SavedRequestAwareWrapper overrode the getCookies() method. This
meant that the cookies from the original request were used instead of the
new request. In general, this does not make sense since cookies are
automatically submitted in every request by a client. Additionally, this
caused problems with using a locale cookie that was specified after the
secured page was requested.
Now SavedRequestAwareWrapper uses the new incoming request for determining
the cookies.
12 years ago
Rob Winch
5ba8f000a7
SEC-2714: Add AuthenticationPrincipal resolver for messaging support
12 years ago
Rob Winch
e14e5b42fc
SEC-2599: HttpSessionEventPublisher get required ApplicationContext
In order to get better error messages (avoid NullPointerException) the
HttpSessionEventPublisher now gets the required ApplicationContext which
throws an IllegalStateException with a good error message.
12 years ago
Rob Winch
3289c1c92a
SEC-2683: Correct spelling of assignamble in AuthenticationPrincipalResolver Exception
12 years ago
Rob Winch
2082d3747a
SEC-2578: HttpSessionSecurityContextRepository traverses HttpServletResponseWrapper
12 years ago
Mattias Severson
2b3becf666
SEC-2573: RequestHeaderRequestMatcher constructor argument name has typo
12 years ago
Rob Winch
8baf82532c
SEC-2015: Add spring-security-test
12 years ago
Rob Winch
c0590e614a
SEC-2177: Polish
12 years ago
Maciej Zasada
7cf37856c0
SEC-2177: Stripping off all leading schemes
Stripping off all leading schemes in the DefaultRedirectStrategy, so it
will be less vulnerable to open redirect phishing attacks. More info can
be found in the SEC-2177 JIRA issue.
12 years ago
Julien Dubois
7325b97c76
SEC-2519: RememberMeAuthenticationException supports root cause
Added a constructor which keeps the root cause of the exception, and
added some documentation.
12 years ago
Rob Winch
ea902e5829
SEC-2507: WebExpressionVoter.supports support subclasses of FilterInvocation
12 years ago
Rob Winch
e15cee62f4
SEC-2511: Remove double ALLOW-FROM in X-Frame-Options header
12 years ago
getvictor
6de138c2f2
SEC-2511: Remove double ALLOW-FROM from X-Frame-Options header.
The interface documentation for getAllowFromValue states: Gets the value for ALLOW-FROM excluding the ALLOW-FROM.
12 years ago
Rob Winch
8d8475deb1
SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
12 years ago
Rob Winch
2df5541905
SEC-2448: Update to HSQL 2.3.1
12 years ago
Rob Winch
ca1080fb96
SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter
12 years ago
Rob Winch
aaa7cec32e
SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
Previously there was unnecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
12 years ago
Rob Winch
7f714ebb23
SEC-2422: Session timeout detection with CSRF protection
12 years ago
David Alberto
f9998d582a
Correct typo in AbstractRememberMeServices assertion
13 years ago
Rob Winch
59e13e7bbb
SEC-2404: CsrfAuthenticationStrategy creates new valid CsrfToken
13 years ago
Rob Winch
1a1f577a8b
SEC-2358: Add RequestHeaderRequestMatcher#toString()
13 years ago
Rob Winch
e638f0a547
SEC-2357: old RequestMatcher interface extends new RequestMatcher
13 years ago
Rob Winch
04b091c385
SEC-2369: PreAuthenticatedGrantedAuthoritiesUserDetailsService fix case to createUserDetails method
13 years ago
Rob Winch
15a63c58a7
SEC-2368: DebugFilter outputs headers and HTTP method
13 years ago
Rob Winch
1351c8bada
SEC-2362: Clarify AbstractRememberMeServices loginSuccess javadoc
13 years ago
Adrien be
e50b587d60
SEC-2360: AbstractRememberMeServices provide message for Assert on key field
13 years ago
Rob Winch
0b0e7dbea9
SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter
13 years ago
Rob Winch
51171efa7a
SEC-2357: Move *RequestMatcher to .matcher package
13 years ago
Rob Winch
45ad74a0bd
SEC-2357: Fix package cycles
13 years ago
Rob Winch
14b9050616
SEC-2357: Move *RequestMatchers to .matchers package
13 years ago
Rob Winch
7d99436740
SEC-2358: Add RequestHeaderRequestMatcher
13 years ago
Rob Winch
0ac1176152
Polish RequestMatcher logging and toString
13 years ago
Rob Winch
cffbefadd1
SEC-2306: Fix Session Fixation logging race condition
Previously session fixation protection could output an incorrect warning
that session fixation protection did not work.
The code now synchronizes on WebUtils.getSessionMutex(..).
13 years ago
kazuki43zoo
611a97023d
SEC-2352: HttpSessionCsrfTokenRepository lazy session creation
13 years ago
Rob Winch
17efd25717
SEC-2331: Include Expires: 0 in security headers documentation
13 years ago
Rob Winch
cea0cf9260
SEC-2243: Remove additional Debug Filter
13 years ago
Rob Winch
b591881e95
SEC-2302: Provide beforeSpringSecurityFilterChain hook
This allows inserting filters before the springSecurityFilterChain.
13 years ago
Rob Winch
ddc0ef7ab3
SEC-2339: Added Logical (Or, And, Negated) RequestMatchers
13 years ago