1721 Commits

Author SHA1 Message Date
Rob Winch
c4bcce1ac3 Next development version 2012-10-08 22:24:06 -05:00
Rob Winch
23bdc7d766 Release 2.0.8.RELEASE 2012-10-08 21:18:15 -05:00
Rob Winch
f5fc94e1be SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.

The code has been updated to do comparison against a dummy password
even when the the user was not found.
2012-10-08 15:52:40 -05:00
Luke Taylor
55e501711d Set version to 2.0.8.CI-SNAPSHOT 2011-08-19 13:23:04 -07:00
Luke Taylor
d5e6f0b575 Set release version to 2.0.7.RELEASE 2011-08-19 13:18:45 -07:00
Luke Taylor
76dc21469e SEC-1750: Make sure RunAs replacement is constrained to the SecurityContext of the current thread. 2011-08-19 13:18:45 -07:00
Luke Taylor
22b7c9b905 SEC-1742: Make extraInformation in AuthenticationException transient. 2011-08-19 13:18:45 -07:00
Luke Taylor
0cdf202b10 SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider. 2011-08-19 13:18:45 -07:00
Luke Taylor
a507e3612a SEC-1741: Modify ContextPropagatingRemoteInvocation to pass a simple combination of principal/credentials as Strings, rather than serializing the whole SecurityContext object from the client. 2011-08-19 13:18:45 -07:00
Luke Taylor
f5fbda42e5 SEC-1790: Reject redirect locations containing CR or LF. 2011-08-19 13:18:35 -07:00
Rob Winch
d5b72275e5 SEC-1639: FirewalledRequest is now called on the specific FirewalledRequest instance rather that looping through ServletRequestWrappers.
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.
2010-12-17 09:42:25 -06:00
Luke Taylor
08a933f930 SEC-1608: Ensure request wrapper is reset for empty filter chains. 2010-12-08 13:56:08 +00:00
Rob Winch
54ffc98bb4 SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward 2010-11-03 15:01:39 -05:00
Luke Taylor
1c3d530b60 Switch versions to 2.0.7.CI-SNAPSHOT 2010-10-25 17:20:25 +01:00
Luke Taylor
beb0ec4ba9 Version 2.0.6.RELEASE 2010-10-25 17:18:16 +01:00
Luke Taylor
dec2e59fba SEC-1584: Backport of namespace support for injecting custom HttpFirewall instance into FilterChainProxy. 2010-10-14 20:32:01 +01:00
Luke Taylor
8f6ddb0f17 SEC-1584: Backport to 2.0.x branch of request firewalling (normalization checks and path-parameter stripping from servletPath and pathInfo). 2010-10-13 00:04:44 +01:00
Luke Taylor
9c6a5135a3 SEC-1532: Patch applied to 2.0.x branch 2010-08-26 14:13:01 +01:00
Luke Taylor
0acf262546 SEC-1462: Added suggested patch (effectively the same as changes in 3.0.x and master branches). 2010-04-20 18:16:45 +01:00
Luke Taylor
6ad652ae97 Update 2.0 branch pom versions. 2010-04-20 18:15:51 +01:00
Luke Taylor
d6f6a54455 SEC-1444: Backport of changes to 2.0.x 2010-04-16 15:14:01 +01:00
Luke Taylor
71adc26b0f [maven-release-plugin] prepare release spring-security-2.0.5.RELEASE 2009-07-14 00:29:53 +00:00
Luke Taylor
3e393c9df6 Tidying test class 2009-07-13 23:47:33 +00:00
Luke Taylor
149fd5d8de Add bundlor templates 2009-07-09 12:26:11 +00:00
Luke Taylor
f3f02d8aed Update sec-2.0.x branch to use bundlor 2009-07-09 11:51:26 +00:00
Luke Taylor
781c99f257 SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user (for real this time) 2009-06-03 16:57:33 +00:00
Luke Taylor
b77f780993 SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user 2009-06-03 16:12:54 +00:00
Luke Taylor
4c3867718e SEC-1031: Ported change from trunk. 2008-11-11 23:36:47 +00:00
Luke Taylor
97381fb448 SEC-974: Made getExceptionMappings() protected. 2008-10-01 16:25:20 +00:00
Luke Taylor
4542f00b14 SEC-975: Namespace security syntax does not interpret properties
http://jira.springframework.org/browse/SEC-975. Changed creation of AccessDeniedHandler to use a BeanDefinition to make sure placeholders work OK.
2008-09-12 19:06:53 +00:00
Luke Taylor
5e4634d216 Minor Javadoc improvement. 2008-09-12 14:57:21 +00:00
Luke Taylor
d291def963 Removed invalid comment. 2008-09-12 10:18:40 +00:00
Luke Taylor
df59cb9dcd Import cleaning. 2008-09-11 14:41:00 +00:00
Luke Taylor
ef0389ae79 SEC-976: Removed checks for presence of core-tiger classes. 2008-09-11 14:37:55 +00:00
Luke Taylor
5b9bb8ba54 [maven-release-plugin] prepare for next development iteration 2008-09-05 19:04:22 +00:00
Luke Taylor
73eed2656d [maven-release-plugin] prepare release spring-security-parent-2.0.4 2008-09-05 18:57:43 +00:00
Luke Taylor
8661e17df9 OPEN - issue SEC-960: DN Encoding in LDAPUserDetailsManager.changePassword() causes bind errors
http://jira.springframework.org/browse/SEC-960. Replaced call to toUrl() with toString() to prevent URL encoding when setting up principal name for reconnect() in changePassword() method.
2008-09-05 13:49:38 +00:00
Luke Taylor
5102be3a59 SEC-971: getter for cookieName in AbstractRememberMeServices
http://jira.springframework.org/browse/SEC-971. Added getCookieName() method.
2008-09-04 16:05:34 +00:00
Luke Taylor
4e2d6f8b2e SEC-967: TextUtils.java does not escape ampersand character
http://jira.springframework.org/browse/SEC-967. Added escaping of '&' character
2008-08-29 12:01:45 +00:00
Luke Taylor
d781deffe7 OPEN - issue SEC-966: Consider adding escapeXml attribute to security:authentication
http://jira.springframework.org/browse/SEC-966.  Added escaping of rendered text as default.
2008-08-26 16:21:29 +00:00
Luke Taylor
a4e4120443 SEC-963: LDAP Group Search Root
http://jira.springframework.org/browse/SEC-963. Changed namespace instances of DefaultAuthoritiesPopulator to use the root as the default search location.
2008-08-26 13:51:01 +00:00
Luke Taylor
83868a7334 SEC-955: ability to externalize port mapping for secured channel to a property file
http://jira.springframework.org/browse/SEC-955. Changed schema to make port-mapping type xsd:string to allow placeholders.
2008-08-26 13:20:01 +00:00
Luke Taylor
150f3d97d0 SEC-832: NamingEnumeration.hasMore fails on MS AD with PartialResultException
http://jira.springframework.org/browse/SEC-832. Changed searchForSingleEntry method to ignore PartialResultException, similar to Spring LDAP's approach.
2008-08-26 12:49:37 +00:00
Luke Taylor
7f28a8bc5d Refactored DefaultLdapAuthoritiesPopulator to remove contextSource field and setter method. 2008-08-26 12:38:02 +00:00
Luke Taylor
1cfd886517 SEC-922: Spring Security should respect Spring XML boolean operators for AJ pointcut
http://jira.springframework.org/browse/SEC-922. Added method to substitute boolean operators "and, not, or" with aspectj versions "&&, !, ||".
2008-08-18 23:31:14 +00:00
Luke Taylor
bb457e1d07 SEC-957: logger.debug without guard causing massive performance hit
http://jira.springframework.org/browse/SEC-957. Added debug logging guard as requested.
2008-08-18 18:20:48 +00:00
Luke Taylor
09cf90258f SEC-758: Both AspectJSecurityInterceptor and AspectJAnnotationSecurityInterceptor not usable with @AspectJ notation
http://jira.springframework.org/browse/SEC-758. Added "throws Throwable" to AspectJAnnotationCallback signature.
2008-08-18 14:47:28 +00:00
Luke Taylor
e15d7a78cd SEC-956: Remove MapBasedMethodDefinitionSource.lookupAttributes
http://jira.springframework.org/browse/SEC-956. Done.
2008-08-18 13:13:18 +00:00
Luke Taylor
3bf5e406b7 SEC-936: NPE in AbstractFallbackMethodDefinitionSource
http://jira.springframework.org/browse/SEC-936. Changed to check if the value of MethodInvocation.getThis() is null to prevent NPE. MapBasedMethodDefinitionSource now ignores calls to findAttributes() with a null target class (all its entries require a class) and the fallback option in AbstractFallbackMethodDefinitionSource is used if the targetClass is null (i.e. Method.getDeclaringClass() will be used as the Class)
2008-08-16 02:31:36 +00:00
Luke Taylor
55d357f42d OPEN - issue SEC-905: <protect-pointcut /> pointcuts do not respect method arguments
http://jira.springframework.org/browse/SEC-905. Added extra registration method to MapBasedMethodDefinitionSource which takes a Method instance rather than the method name.
2008-08-12 17:11:38 +00:00