f2345fcb21
SEC-1981: Remove dependency on Locale for the build
14 years ago
2fba10ab61
Use powermock for testing servlet 3.0 functionality instead of distinct classpaths
14 years ago
f6902471fb
SEC-1965: DefaultWebSecurityExpressionHandler is now passive from 3.0.x releases
...
There were two issues that needed resolved
- Since DefaultWebSecurityExpressionHandler no longer implemented WebSecurityExpressionHandler a bean lookup by
type would not work. This caused failures in the JSF support.
- The method createEvaluationContext needed to be explicitly defined on WebSecurityExpressionHandler since the
parameterized type from the super interface is not preserved at compile time. Without explicitly defining the
method any class compiled against a previous version would cause a NoSuchMethodException.
14 years ago
b6ec700640
SEC-1968: AbstractPreAuthenticatedProcessingFilter clears SecurityContext on null principal change with invalidateSessionOnPrincipalChange = true
14 years ago
de3dfb5b3f
SEC-1875: ConcurrentSessionControlStrategy no longer adds/removes the session to the SessionRegistry twice
...
This fixes two issues introduced by SEC-1229
* SessionRegistry.registerNewSession is invoked twice
* SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should be handle removing the session twice. However, as removing
twice requires an unnecessary database hit we should only remove
sessions once.
14 years ago
520b65e2e3
SEC-1865: Remove invalid OWASP link in TextEscapeUtils
14 years ago
c446697de3
Cleaned up warnings in FilterChainProxyTests
14 years ago
bb8f3bae7c
SEC-1950: Defensively invoke SecurityContextHolder.clearContext() in FilterChainProxy
14 years ago
84141c4c76
SEC-1927: Corrected debug log in SessionManagementFilter to have a space between ID and the session and added guard to log statement
14 years ago
e7f47964ee
fix typo in setUseSecureCookie method documentation
14 years ago
5d71d2a4fa
SEC-1887: Add MethodSecurityOperations interface.
...
This should cater for implementations which want to use
the full filtering capabilities while creating a custom
expression root object.
Also cleaning whitespace.
14 years ago
538e75ce1b
SEC-1903: Use a static CRLF Pattern in FirewalledResponse
...
The Pattern was being recompiled for every request
when a single instance could be shared for performance
reasons.
14 years ago
0f9ee81df1
SEC-1887: Improve extensibility of expression-based security classes
...
Introduces a new SecurityExpressionOperations interface which is
implemented by SecurityExpressionRoot
14 years ago
22225effcc
Call SecurityContextHolder.clearContext() in tear down of HttpSessionSecurityContextRepositoryTests
14 years ago
5d94cd5e13
SEC-1735: Do not remove SecurityContext from HttpSession when anonymous Authentication is saved if original SecurityContext was anonymous
14 years ago
6fe6e18939
SEC-1870: Updated HttpSessionDestroyedEvent to properly look for SecurityContexts as session attribute values instead of session attribute names
14 years ago
8ca2927761
Renamed **/Test.java to **/Tests.java to better follow conventions
14 years ago
0bccbbfc18
SEC-1779: Make new getters protected rather than public.
14 years ago
f456db267f
SEC-1779: Added getters for success and failure handlers to AbstractAuthenticationProcessingFilter.
14 years ago
09ac4bd8f9
SEC-1833: Remove unused securityContextClass from HttpSessionSecurityContextRepository.
14 years ago
44e2543015
Minor changes to make filter chain validation more robust with custom request matchers.
14 years ago
f1e63f3008
SEC-1802: Add digits to valid URL scheme regex.
14 years ago
869c6a7c18
SEC-1800: Set input size to 30 for OpenID login.
15 years ago
824464516c
SEC-1790: Reject redirect locations containing CR or LF.
15 years ago
6333909107
SEC-1797: Create a new session in AbstractPreAuthenticatedProcessingFilter when the existing session is invalidated on detecting a principal change.
15 years ago
0c2a950fa0
SEC-1788: Avoid unnecessary call to getPreAuthenticatedPrincipal() in AbstractPreAuthenticatedProcessingFilter when not checking for principal changes is not enabled.
15 years ago
8740efc0f5
Added constructor injection options to ConcurrentSessionFilter
15 years ago
a1c714cff4
SEC-1754: Added an InvalidSessionStrategy to allow SessionManagementFilter to delegate out the behaviour when an invalid session identifier is submitted.
15 years ago
8440743108
Remove Sql query objects from JdbcTokenRepositoryImpl in favour of direct JdbcTemplate use.
15 years ago
700fa9e0b6
SEC-1772: remote URL decoding of targetUrlParameter in AbstractAuthenticationTargetUrlRequestHandler.
15 years ago
de97bac85b
SEC-1763: Prevent nested switches in SwitchUserFilter by calling attemptExitUser() before doing the switch.
15 years ago
a504cfae1a
SEC-1770: Call refreshLastRequest on the session registry rather than the SessionInformation object to make sure it works with alternative SessionRegistry implementations.
15 years ago
330f82f562
SEC-1777: Corrected log in HttpSessionSecurityContextRepository to reference itself instead of HttpSessionContextIntegrationFilter
15 years ago
825f0061fb
SEC-1761: Support HttpOnly Flag for Cookies when using Servlet 3.0
15 years ago
56e86dd36f
Adding assertions on constructor arg values.
15 years ago
f92589f051
Extract a SecurityFilterChain interface and create a default implementation to facilitate other configuration options.
15 years ago
2d271666a4
Add constructors to facilitate constructor-based injection for required/shared bean properties.
15 years ago
73442125de
SEC-1775: Removed internal use of UserAttribute class in AnonymousAuthenticationFilter.
15 years ago
b15475ab3d
SEC-1771: Change TokenBasedRememberMeServices to obtain password from UserDetailsService if necessary.
15 years ago
737a9d1825
Improved toString methods on request wrappers.
15 years ago
571bfc4869
Refactoring to use Utf8 encoder instead of String.getBytes("UTF-8").
15 years ago
685f12c5a0
SEC-1733: Support explicit zero netmask correctly.
15 years ago
f5f410ae3b
Clean unused imports.
15 years ago
ec97b70df9
SEC-1668: Allow customization of username parameter in SwitchUserFilter.
15 years ago
6d04670f87
SEC-1695: Allow customization of the session key under which the SecurityContext is stored.
15 years ago
84902ebb50
Javadoc correction.
15 years ago
63f160dc72
SEC-1749: Add support for PageContext lookup of objects and use of PermissionEvaluator when using web access expressions.
15 years ago
6e91786f92
SEC-1734: AbstractRememberMeServices will now default to using a secure cookie if the connection is secure. The behaviour can be overridden by setting the useSecureCookie property in which case the cookie will either always be secure (true) or never (false).
15 years ago
04dc65c8fe
SEC-1657: Corresponding namespace updates to use SecurityFilterChain list in place of filterChainMap.
15 years ago
37d0454fd7
SEC-1657: Create SecurityFilterChain class for use in configuring FilterChinProxy. Encapsulates a RequestMatcher and List<Filter>.
15 years ago
Rob Winch
Rob Winch
Tristan Burch
Luke Taylor
Andrei Stefan