Luke Taylor
8f71f6febf
SEC-1557: Added getter to DelegatingMethodSecurityMetadataSource.
2010-12-01 21:57:16 +00:00
Luke Taylor
ec7b9703a6
Expand message on incorrect Spring version to suggest checking the classpath for unwanted jars.
2010-11-02 12:31:14 +00:00
Luke Taylor
fc75b69ab8
SEC-1607: Report correct version for Spring Security (not Spring version).
2010-11-02 11:18:49 +00:00
Luke Taylor
1563491322
SEC-1600: Added Implementation-Version and Implementation-Title to manifest templates and checking of version numbers in namespace config module and core. Config checks the version of core it is running against and core checks the Spring version, reporting any mismatches or situations where the app is running with less than the recommended Spring version.
2010-10-26 15:32:21 +01:00
Luke Taylor
c458311d2d
SEC-1548: Added extra logging to Dao-authentication classes to clarify reasons for authentication failure (missing user vs wrong password etc.).
2010-10-26 15:32:21 +01:00
Luke Taylor
d6f408e8bf
SEC-1583: Added hasAuthority and hasAnyAuthority imlementations to SecurityExpressionRoot.
2010-10-26 15:32:21 +01:00
Rob Winch
443231d1e8
SEC-1578: Use ThreadLocal.remove() instead of ThreadLocal.set(null)
2010-10-04 21:10:21 -05:00
Luke Taylor
a1b124def5
SEC-1532: Add cache of previously matched beans to ProtectPointcutPostProcessor to ensure that it doesn't perform pointcut matching every time a new prototype bean is created.
2010-08-11 18:29:21 +01:00
Luke Taylor
845c50a1c3
SEC-1507: Applied patch to return empty authority list rather than null from RoleHierarchyImpl.
2010-07-02 19:51:36 +01:00
Luke Taylor
02c1f02f2a
SEC-1493: Fix broken tests in 3.0.x branch
2010-06-25 13:36:08 +01:00
Luke Taylor
21a664b2eb
Deprecation warning suppression for UserMap.
2010-06-25 12:50:58 +01:00
Luke Taylor
73b62497a3
SEC-1493: Added CredentialsContainer interface and implemented it in User, AbstractAuthenticationToken and UsernamePasswordAuthenticationToken. ProviderManager makes use of this to erase the credentials of the returned Authentication object (and its contents) if configured to do so by setting the 'eraseCredentialsAfterAuthentication' property.
2010-06-20 21:11:40 +01:00
Luke Taylor
8737fe3acb
SEC-1495: Convert User class equals and hashcode methods to only use the "username" property.
...
This prevents situations where other data may have changed when a User object is reloaded (during a subsequent authentication attempt, in which case and Set.contains()/Map.containsKey() will return false even though the collection in question contains a principal representing the same user.
2010-06-10 22:28:12 +01:00
Luke Taylor
aaa7bd90b2
SEC-1481: Updated constructors of Authentication types to use a generic wildcard for authorities collection.
2010-05-21 16:02:25 +01:00
Luke Taylor
295e0ded18
SEC-1483: Change User constructor to use a generic wildcard for authorities collection.
2010-05-21 16:02:07 +01:00
Luke Taylor
8c605516b3
SEC-1463: Change namespace user-service parser to store username in lower-case when building map for in-memory UserDetailsService. Lookups are supposed to be case-insensitive with this class.
2010-04-24 16:42:00 +01:00
Luke Taylor
eda60b72b1
SEC-1448: Fixed failure to resolve generic method argument names in MethodSecurityEvaluationContext.
...
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
2010-03-27 17:22:38 +00:00
Luke Taylor
4c8e9e2d7e
SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.
...
Ensures protect-pointcut expressions match methods with generic parameters.
2010-03-24 21:03:45 +00:00
Luke Taylor
e518adbef1
SEC-1443: Modify Jsr250Voter to handle multiple "RolesAllowed" roles.
...
It now votes to abstain if there are no Jsr250 attributes present. If any are found, it will either deny or grant access. For multiple "RoleAllowed" attributes, access will be granted if any user authority matches or denied if no match is found.
2010-03-22 16:26:49 +00:00
Luke Taylor
91153df78d
SEC-1262: Added new (replacement) AspectJ interceptor which wraps the JoinPoint in a MethodInvocation adapter to provide compatibility with classes which only support MethodInvocation instances.
...
Also deprecated the existing AspectJ interceptors. This will also allow future simplification of the AbstractMethodSecurityMetadataSource, as it no longer needs to support JoinPoints.
2010-03-11 02:15:35 +00:00
Luke Taylor
87cf27ab7c
SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.
2010-03-04 21:49:38 +00:00
Luke Taylor
bc6aae132b
SEC-1420: Add htmlEscape attribute to authentication JSP tag.
...
This allows HTML escaping to be disabled if required.
2010-03-04 00:47:59 +00:00
Luke Taylor
d2b2ca3bc6
SEC-1387: Use a transient object as the advice monitor, rather than a Serializable.
...
No need for an anonymous inner class.
2010-02-19 01:02:22 +00:00
Luke Taylor
10dc72b017
SEC-1387: Support serialization of security advised beans.
...
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
2010-02-19 00:53:14 +00:00
Luke Taylor
dbee91002e
Deprecate EncryptionUtils.
2010-02-14 23:27:29 +00:00
Luke Taylor
c12c43da9e
Javadoc fixes.
2010-02-14 23:27:09 +00:00
Luke Taylor
36612377e2
Replace package.html with package-info.java files, creating new ones where missing and updating outdated contents.
2010-02-14 23:23:23 +00:00
Luke Taylor
67c9a0b78d
SEC-1389: Added "iterations" property to BaseDigestpasswordEncoder to support "stretching" of passwords.
2010-02-06 17:34:07 +00:00
Luke Taylor
bd2fd3448b
SEC-1392: Mark PermissionEvaluator and MethodSecurityExpressionHandler as AopInfrastructure beans to prevent them being advised and causing premature use of MethodSecurityMetadataSource before it is initialized properly.
2010-02-06 15:42:01 +00:00
Luke Taylor
10d787ede2
Javadoc corrections to SessionRegistryImpl
2010-02-03 23:49:36 +00:00
Luke Taylor
d931495c8a
SEC-1380: Trim whitespace from config attributes when building a list in SecurityConfig.
2010-01-23 02:12:30 +00:00
Luke Taylor
1a7f71fc0f
SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()
...
If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
2010-01-19 01:07:33 +00:00
Luke Taylor
0f90e69004
SEC-1362: Updated French messages translation.
2010-01-13 15:37:18 +00:00
Luke Taylor
052537c8b0
Removing $Id$ markers and stripping trailing whitespace from the codebase.
2010-01-08 21:05:13 +00:00
Luke Taylor
93973a4b75
SEC-1304: Removed compareTo method from GrantedAuthorityImpl
...
This method had been left by mistake when the Comparable
interface was removed. See also SEC-1347.
2010-01-04 19:13:49 +00:00
Luke Taylor
80aacf447f
Refactored JaasAuthenticationProvider
...
The toUrl() method on File gives a deprecation warning with Java 6, so I reimplemented
the logic for building the Jaas config URL.
2010-01-03 16:28:44 +00:00
Luke Taylor
893f212fa5
Tidying
2010-01-02 19:53:19 +00:00
Luke Taylor
bcb1ff8921
SEC-1342: Introduced extra factory method in SecurityConfig to get round problem with Spring converting a string with commas to an array
2009-12-23 14:12:59 +00:00
Luke Taylor
fcce29f8df
SEC-1326: Updating dependencies to match Spring versions. Removing unused deps.
2009-12-21 17:32:38 +00:00
Luke Taylor
aeed49393c
Switching StringBuffer to StringBuilder throughout the codebase (APIs permitting).
2009-12-18 18:44:42 +00:00
Luke Taylor
354b043fd1
SEC-1337: Add Serializable interface to internal comparator
2009-12-18 14:12:32 +00:00
Luke Taylor
55679971f0
SEC-1337: Make User serializable by moving anonymous comparator class
2009-12-18 13:49:02 +00:00
Luke Taylor
cad32ffe39
SEC-1325: Tighten up Authentication interface contract to disallow null authorities. Modified internals of AbstractAuthenticationToken to use an empty list instead of null. Clarified Javadoc. removed unnecessary null checks in classes which use the interface.
2009-12-13 17:37:24 +00:00
Luke Taylor
ef3d9c7877
Tidying Javadoc.
2009-12-13 16:20:28 +00:00
Luke Taylor
1e8ea55030
SEC-1320: JaasAuthenticationProvider can not find jaas realm defined inside service archive. Added flag to control refresh of configuration on startup.
2009-12-13 16:19:53 +00:00
Luke Taylor
33b109f0b3
Made session maps final in SessionRegistryImpl.
2009-12-08 01:33:01 +00:00
Luke Taylor
558737363f
Added some extra tracing to SessionRegistryImpl.
2009-12-08 01:28:47 +00:00
Luke Taylor
cde9cd6b36
Correct toString() method in User class.
2009-12-08 00:16:08 +00:00
Luke Taylor
02a9db7bcf
SEC-1317: Removed check in ProviderManager.getProviders() for empty provider list. A ProviderManager with a non-null parent may have an empty provider list. The afterPropertiesSet() method performs the necessary checks.
2009-12-07 21:38:40 +00:00
Scott Battaglia
dada789814
NOJIRA
...
removed unnecessary cast and use StringBuilder rather than non-final String and concatenation.
2009-12-01 15:19:56 +00:00