4de8b84b0d
SEC-1543: Change IpAddressMatcher to return false when comparing an Inet6Address with an Inet4Address rather than raising an exception.
16 years ago
7d97adc687
SEC-1584: Addition of HttpFirewall strategy to FilterChainProxy to reject un-normalized requests and wrap the incoming request object before processing by the security filter chain to provide a more consistent representation of paths than is guaranteed by the servlet spec. The wrapper strips path parameters from pathInfo and servletPath to provide consistency of URL matching across servlet containers and protect against bypassing security constraints by the malicious addition of such parameters to the URL. The paths are canonicalized further by replacing of multiple sequences of "/" characters with a single "/".
16 years ago
70600a0277
SEC-1552 Refactor AuthorizeTag and LegacyAuthorize tag to make them independent of JSP tag rendering.
16 years ago
ee12d54bec
SEC-1536: moved web.authentication.jaas to web.jaasapi
...
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
16 years ago
1b2b371970
SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element.
...
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.
Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
16 years ago
551166a577
ApacheDS workDir property should be passed to the test process, not set as a system property in the main build process.
16 years ago
de819378fc
SEC-1536: added JAAS API Integration, updated doc, updated jaas sample
16 years ago
1a1372ab84
Removed deprecated AspectJInterceptor classes since these cannot be used with the existing MethodSecurityMetadataSource implementations (which no longer support JoinPoin as a secured object). Added some more tests.
16 years ago
ba890cf7e5
Removed invalid test method.
16 years ago
d1e8b8e29d
More tests. Minor refactoring.
16 years ago
bdb906e588
Enable parameterization for log levels in logback files to allow the use of command-line options for controlling log output.
16 years ago
1680807470
Added eclipse plugin to build. Some minor fixes to remove eclipse warnings.
16 years ago
3c02989d67
Removal of jmock test dependency and upgrading of mockito version to 1.8.5. Minor adjustments to other build deps and configurations (e.g. prevent groovy from being used as a transitive dep, since we only use it for tests).
16 years ago
281d77271e
SEC-1486, SEC-1538, SEC-1537: Generification of AuthenticationDetailsSource. Deprecation of non-web pre-authentication classes and other unnecessary classes. Removal of reflection in WebAuthenticationDetailsSource.
16 years ago
2222a7be07
Use Integer.valueOf() in preference to new Integer()
16 years ago
db6da77a5f
SEC-1413: Add RedirectStrategy to AbstractRetryEntryPoint.
16 years ago
183333d189
SEC-1430: Forgot to commit changes to new ExceptionMappingAuthenticationFailureHandlerTests.
16 years ago
2e98b84494
SEC-1430: internalize session key for SavedRequest. This should be accessed using the RequestCache interface if required. Additional refactoring of related tests which were still in AbstractAuthenticationProcessingFilterTests for historical reasons, but should be in their respective success/failure handler test classes.
16 years ago
a2bd1bc9af
SEC-1498: Allow use of absolute URL fopr login form in LoginUrlAuthenticationEntryPoint.
16 years ago
64375484a1
More build and logging tuning.
16 years ago
63734cfcf9
SEC-1528: Remove logic which checks if context in the session is the same as the current context to make sure that session.setAttribute() is called when the value in the session has been modified directly.
16 years ago
8df356de29
SEC-1471: Allow use of a RequestMatcher with HttpSessionRequestCache to configure which requests should be cached by calls to saveRequest.
...
Also removed the justUseSavedRequestOnGet property, as this behaviour can be controlled by the RequestMatcher.
16 years ago
026517f674
Removal of deprecated methods and classes.
16 years ago
ea8d37892c
SEC-1496: Added support for use of any non-standard URL schemes in DefaultRedirectStrategy.
16 years ago
4d10d4b67f
SEC-1500: Convert AbstractRetryEntryPoint to use requestURI to correctly encode URLs.
16 years ago
024e6904ff
SEC-1464: Deprecate UserMap, InMemoryDaoImpl and other related classes in favour of the simpler (non-property editor based) InMemoryUserDetailsManager.
16 years ago
74896f217b
SEC-1459: Generifying AuthenticationUserDetailsService. Now parameterized with <? extends Authentication>.
16 years ago
0521d10069
SEC-1294: Enable access to beans from ApplicationContext in EL expressions.
...
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
16 years ago
2e2625873c
SEC-1446: Modified BasicAuthenticationFilter to treat invalid base64 and invalid Basic authentication tokens as a failed authentication (raising a BadCredentialsException, without calling the AuthenticationManager).
...
This solves the problem in this issue (invalid Base64 not resulting in a 401) and also prevents unnecessary calls to the AuthenticationManager.
16 years ago
89d8c8cc83
Additional test classes for authentication and logout success/failure handling.
16 years ago
530ab3ae30
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
16 years ago
93438defff
SEC-1407: Use RequestMatcher instances as the FilterInvocationSecurityMetadataSource keys and in the FilterChainMap use by FilterChainProxy.
...
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
16 years ago
cb0f3f677f
SEC-1425: Add check for empty cookie in AbstractRememberMeServices.
...
Prevents ArrayOutOfBoundsException later when processing the tokeniszed cookie.
16 years ago
e2f9be9015
SEC-1307: Modify context saving logic in HttpSessionSecurityContextRepository to check the SecurityContext and its contents (the Authentication) against the respective values when the request first arrived at the SecurityContextPersistenceFilter. As explained in the issue, this allows a definite decision to be made about whether the current thread has modified the context information during the request, indicating that it should be saved.
...
Also removed deprecated HttpSessionContextIntegrationFilter and tests.
16 years ago
14ae36ac3b
SEC-1412: Modify DefaultSavedRequest to ignore If-Not-Matched header.
...
The browser (or at least Firefox) does not send it after a redirect, and it causes problems with Spring's ShallowEtagHeaderFilter if it is stored and returned by the saved request.
16 years ago
bd635edc31
SEC-1410: Makes sure usernames which are OpenID https identities are detected as well as http ones.
...
Using ":" as the token delimiter means we accidentally mistake the URL for two tokens. This had previously been fixed for http URLs but not https ones.
16 years ago
c1133d1ef3
Removed unused import in DelegatingAuthenticationEntryPoint and corrected test class name.
16 years ago
1e4f451352
Moved DelegatingAuthenticationEntryPointTest-context.xml to test/resources
16 years ago
90d6ff1fde
SEC-1406: Create a DelegatingAuthenticationEntryPoint
16 years ago
d32b078a8c
SEC-1406: Create a DelegatingAuthenticationEntryPoint
16 years ago
d2413cf237
SEC-1406: Create a DelegatingAuthenticationEntryPoint
16 years ago
04447bdbf0
SEC-1377: Extended HTML escaping functionality to take account of control characters, whitespace and to handle Unicode supplementary characters (surrogate pairs).
16 years ago
0c10efbbf8
Revert SEC-1356.
...
Checking the path of a submitted cookie will never work as the path is not sent by the browser, so will be null.
16 years ago
f62d97b092
SEC-1356: Fix broken tests.
...
Test cookies now require that the path be set in order for them to be recognised for auto-login purposes..
16 years ago
e211f9b35f
SEC-1349: Allow configuration of OpenID with parameters which should be transferred to the return_to URL.
...
The OpenIDAuthenticationFilter now has a returnToUrlParameters property (a Set). If this is set, the named parameters will be copied from the incoming submitted request to the return_to URL. If not set, it defaults to the "parameter" property of the AbstractRememberMeServices of the parent class. If remember-me is not in use, it defaults to the empty set.
Enabled remember-me in the OpenID sample.
16 years ago
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
16 years ago
c6b8fe5e55
SEC-1346: Added missing 'return' statements after redirects.
...
ConcurrentSessionFilter and SessionManagementFilter now return immediately after redirecting to the expired URL and invalid session URLs respectively. Extra tests added to check.
16 years ago
893f212fa5
Tidying
16 years ago
76731254c0
SEC-1328: Fixed issue with redirect to context relative URLs where the context name is part of the domain name.
16 years ago
6805761d85
Extra test to confirm http-method specific matching behaviour.
17 years ago
Luke Taylor
Rossen Stoyanchev
Rob Winch
Mike Wiesner