c67ff42b8a
SEC-2783: XML Configuration Defaults Should Match JavaConfig
...
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
11 years ago
6e204fff72
SEC-2781: Remove deprecations
11 years ago
eedbf44235
SEC-2348: Security HTTP Response Headers enabled by default w/ XML
11 years ago
2e1e9885ec
SEC-2054: Polish
...
Fix the tests to use .getName() for assertions
11 years ago
e2f7b38b87
SEC-2054: BasicAuthenticationFilter not invoked on ERROR dispatch
11 years ago
fa9e7999da
SEC-2569: SavedRequestAwareWrapper no longer overrides getCookies()
...
Previously SavedRequestAwareWrapper overrode the getCookies() method. This
meant that the cookies from the original request were used instead of the
new request. In general, this does not make sense since cookies are
automatically submitted in every request by a client. Additionally, this
caused problems with using a locale cookie that was specified after the
secured page was requested.
Now SavedRequestAwareWrapper uses the new incoming request for determining
the cookies.
11 years ago
5ba8f000a7
SEC-2714: Add AuthenticationPrincipal resolver for messaging support
11 years ago
e14e5b42fc
SEC-2599: HttpSessionEventPublisher get required ApplicationContext
...
In order to get better error messages (avoid NullPointerException) the
HttpSessionEventPublisher now gets the required ApplicationContext which
throws an IllegalStateException with a good error message.
12 years ago
3289c1c92a
SEC-2683: Correct spelling of assignamble in AuthenticationPrincipalResolver Exception
12 years ago
2082d3747a
SEC-2578: HttpSessionSecurityContextRepository traverses HttpServletResponseWrapper
12 years ago
2b3becf666
SEC-2573: RequestHeaderRequestMatcher constructor argument name has typo
12 years ago
8baf82532c
SEC-2015: Add spring-security-test
12 years ago
c0590e614a
SEC-2177: Polish
12 years ago
7cf37856c0
SEC-2177: Striping off all leading schemes
...
Striping off all leading schemes in the DefaultRedirectStrategy, so it
will be less vulnerable to open redirect phishing attacks. More info can
be found at SEC-2177 JIRA issue.
12 years ago
7325b97c76
SEC-2519: RememberMeAuthenticationException supports root cause
...
Added a constructor which keeps the root cause of the exception, and
added some documentation
12 years ago
ea902e5829
SEC-2507: WebExpressionVoter.supports support subclasses of FilterInvocation
12 years ago
e15cee62f4
SEC-2511: Remove double ALLOW-FROM in X-Frame-Options header
12 years ago
6de138c2f2
SEC-2511: Remove double ALLOW-FROM from X-Frame-Options header.
...
The interface documentation for getAllowFromValue states: Gets the value for ALLOW-FROM excluding the ALLOW-FROM.
12 years ago
8d8475deb1
SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
...
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
12 years ago
2df5541905
SEC-2448: Update to HSQL 2.3.1
12 years ago
ca1080fb96
SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter
12 years ago
aaa7cec32e
SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
...
Previously there was unecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
12 years ago
7f714ebb23
SEC-2422: Session timeout detection with CSRF protection
12 years ago
f9998d582a
Correct typo in AbstractRememberMeServices assertion
12 years ago
59e13e7bbb
SEC-2404: CsrfAuthenticationStrategy creates new valid CsrfToken
12 years ago
1a1f577a8b
SEC-2358: Add RequestHEaderRequestMatcher#toString()
12 years ago
e638f0a547
SEC-2357: old RequestMatcher interface extends new RequestMatcher
12 years ago
04b091c385
SEC-2369: PreAuthenticatedGrantedAuthoritiesUserDetailsService fix case to createUserDetails method
12 years ago
15a63c58a7
SEC-2368: DebugFilter outputs headers and HTTP method
12 years ago
1351c8bada
SEC-2362: Clarify AbstractRememberMeServices loginSuccess javadoc
12 years ago
e50b587d60
SEC-2360: AbstractRememberMeServices provide message for Assert on key fieldd
12 years ago
0b0e7dbea9
SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter
12 years ago
51171efa7a
SEC-2357: Move *RequestMatcher to .matcher package
12 years ago
45ad74a0bd
SEC-2357: Fix package cycles
12 years ago
14b9050616
SEC-2357: Move *RequestMatchers to .matchers package
12 years ago
7d99436740
SEC-2358: Add RequestHeaderRequestMatcher
12 years ago
0ac1176152
Polish RequestMatcher logging and toString
12 years ago
cffbefadd1
SEC-2306: Fix Session Fixation logging race condition
...
Previously session fixation protection could output an incorrect warning
that session fixation protection did not work.
The code now synchronizes on WebUtils.getSessionMutex(..).
12 years ago
611a97023d
SEC-2352: HttpSessionCsrfTokenRepository lazy session creation
12 years ago
17efd25717
SEC-2331: Include Expires: 0 in security headers documentation
13 years ago
cea0cf9260
SEC-2243: Remove additional Debug Filter
13 years ago
b591881e95
SEC-2302: Provide beforeSpringSecurityFilterChain hook
...
This allows inserting filters before the springSecurityFilterChain.
13 years ago
ddc0ef7ab3
SEC-2339: Added Logical (Or, And, Negated) RequestMatchers
13 years ago
788ba9a1fa
SEC-2329: Allow injecting of AuthenticationTrustResolver
13 years ago
9133c33f1d
SEC-2246: HttpSessionRequestCache.getRequest casts to RequestCache
...
The method getRequest use to cast to DefaultRequestCache, but this
is not necessary.
Now the cast is to SavedRequest.
13 years ago
8f8c6169e8
SEC-2331: Cache Control now includes Expires: 0
13 years ago
0114b457c0
SEC-2330: CacheControlHeadersWriter use a single header
13 years ago
32e9239fd2
SEC-2320: AuthenticationPrincipal can be null on invalid type
...
Previously a ClassCastException was thrown if the type was invalid. Now
a flag exists on AuthenticationPrincipal which indicates if a
ClassCastException should be thrown or not with the default being no error.
13 years ago
b22acd0768
SEC-2314: AbstractSecurityWebApplicationInitializer.getSessionTrackingModes() uses EnumSet
13 years ago
8e74407381
SEC-2296: HttpServletRequest.login should throw ServletException if already authenticated
...
See throws documentation at
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html#login%28java.lang.String,%20java.lang.String%29
13 years ago
Rob Winch
Mattias Severson
Rob Winch
Maciej Zasada
Julien Dubois
getvictor
David Alberto
Adrien be
kazuki43zoo