Commit Graph

435 Commits

Author SHA1 Message Date
Rob Winch
c67ff42b8a SEC-2783: XML Configuration Defaults Should Match JavaConfig
* j_username -> username
* j_password -> password
* j_spring_security_check -> login
* j_spring_cas_security_check -> login/cas
* j_spring_cas_security_proxyreceptor -> login/cas/proxyreceptor
* j_spring_openid_security_login -> login/openid
* j_spring_security_switch_user -> login/impersonate
* j_spring_security_exit_user -> logout/impersonate
* login_error -> error
* use-expressions=true by default
2014-12-08 15:09:15 -06:00
Rob Winch
6e204fff72 SEC-2781: Remove deprecations 2014-12-04 15:28:40 -06:00
Rob Winch
eedbf44235 SEC-2348: Security HTTP Response Headers enabled by default w/ XML 2014-11-21 16:06:29 -06:00
Rob Winch
2e1e9885ec SEC-2054: Polish
Fix the tests to use .getName() for assertions
2014-11-21 11:08:30 -06:00
Rob Winch
e2f7b38b87 SEC-2054: BasicAuthenticationFilter not invoked on ERROR dispatch 2014-11-21 10:47:45 -06:00
Rob Winch
fa9e7999da SEC-2569: SavedRequestAwareWrapper no longer overrides getCookies()
Previously SavedRequestAwareWrapper overrode the getCookies() method. This
meant that the cookies from the original request were used instead of the
new request. In general, this does not make sense since cookies are
automatically submitted in every request by a client. Additionally, this
caused problems with using a locale cookie that was specified after the
secured page was requested.

Now SavedRequestAwareWrapper uses the new incoming request for determining
the cookies.
2014-11-18 13:17:27 -06:00
Rob Winch
5ba8f000a7 SEC-2714: Add AuthenticationPrincipal resolver for messaging support 2014-09-23 16:28:48 -05:00
Rob Winch
e14e5b42fc SEC-2599: HttpSessionEventPublisher get required ApplicationContext
In order to get better error messages (avoid NullPointerException) the
HttpSessionEventPublisher now gets the required ApplicationContext which
throws an IllegalStateException with a good error message.
2014-07-22 09:19:50 -05:00
Rob Winch
3289c1c92a SEC-2683: Correct spelling of assignamble in AuthenticationPrincipalResolver Exception 2014-07-18 13:57:13 -05:00
Rob Winch
2082d3747a SEC-2578: HttpSessionSecurityContextRepository traverses HttpServletResponseWrapper 2014-05-02 15:06:50 -05:00
Mattias Severson
2b3becf666 SEC-2573: RequestHeaderRequestMatcher constructor argument name has typo 2014-04-23 09:28:00 -05:00
Rob Winch
8baf82532c SEC-2015: Add spring-security-test 2014-04-22 16:47:48 -05:00
Rob Winch
c0590e614a SEC-2177: Polish 2014-03-18 15:48:54 -05:00
Maciej Zasada
7cf37856c0 SEC-2177: Striping off all leading schemes
Striping off all leading schemes in the DefaultRedirectStrategy, so it
will be less vulnerable to open redirect phishing attacks. More info can
be found at SEC-2177 JIRA issue.
2014-03-18 15:45:41 -05:00
Julien Dubois
7325b97c76 SEC-2519: RememberMeAuthenticationException supports root cause
Added a constructor which keeps the root cause of the exception, and
added some documentation
2014-03-11 16:11:52 -05:00
Rob Winch
91a074c744 Merge pull request #62 from dalbertom/typo
Correct typo in AbstractRememberMeServices assertion
2014-03-11 15:40:23 -05:00
Rob Winch
ea902e5829 SEC-2507: WebExpressionVoter.supports support subclasses of FilterInvocation 2014-03-10 14:33:37 -05:00
Rob Winch
e15cee62f4 SEC-2511: Remove double ALLOW-FROM in X-Frame-Options header 2014-03-06 22:01:25 -06:00
getvictor
6de138c2f2 SEC-2511: Remove double ALLOW-FROM from X-Frame-Options header.
The interface documentation for getAllowFromValue states: Gets the value for ALLOW-FROM excluding the ALLOW-FROM.
2014-03-06 22:01:23 -06:00
Rob Winch
8d8475deb1 SEC-2455: form-login@login-processing-url & logout@logout-url use matchers
Remove the deprecation warnings of using setFilterProcessingUrl by invoking
the matcher methods instead.
2014-01-29 15:35:18 -06:00
Rob Winch
2df5541905 SEC-2448: Update to HSQL 2.3.1 2013-12-14 10:19:06 -06:00
Rob Winch
ca1080fb96 SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter 2013-12-13 15:47:28 -06:00
Rob Winch
aaa7cec32e SEC-2326: CsrfRequestDataValueProcessor implements RequestDataValueProcessor
Previously there was unecessary complexity in CsrfRequestDataValueProcessor
due to the non-passive changes in RequestDataValueProcessor. Now it simply
implements the interface with the methods for both versions of the interface.
This works since linking happens at runtime.
2013-12-12 08:07:22 -06:00
Rob Winch
7f714ebb23 SEC-2422: Session timeout detection with CSRF protection 2013-12-11 17:38:17 -06:00
David Alberto
f9998d582a Correct typo in AbstractRememberMeServices assertion 2013-11-26 18:06:55 -05:00
Rob Winch
59e13e7bbb SEC-2404: CsrfAuthenticationStrategy creates new valid CsrfToken 2013-11-21 15:12:08 -06:00
Rob Winch
1a1f577a8b SEC-2358: Add RequestHEaderRequestMatcher#toString() 2013-10-28 14:41:10 -05:00
Rob Winch
e638f0a547 SEC-2357: old RequestMatcher interface extends new RequestMatcher 2013-10-23 17:09:33 -05:00
Rob Winch
04b091c385 SEC-2369: PreAuthenticatedGrantedAuthoritiesUserDetailsService fix case to createUserDetails method 2013-10-17 16:18:43 -05:00
Rob Winch
15a63c58a7 SEC-2368: DebugFilter outputs headers and HTTP method 2013-10-17 14:49:45 -05:00
Rob Winch
1351c8bada SEC-2362: Clarify AbstractRememberMeServices loginSuccess javadoc 2013-10-15 13:53:23 -05:00
Adrien be
e50b587d60 SEC-2360: AbstractRememberMeServices provide message for Assert on key fieldd 2013-10-14 15:06:11 -05:00
Rob Winch
0b0e7dbea9 SEC-2359: Merge DefaultLoginPageViewFilter w/ DefaultLoginPageGeneratingFilter 2013-10-14 15:00:24 -05:00
Rob Winch
51171efa7a SEC-2357: Move *RequestMatcher to .matcher package 2013-10-14 11:55:56 -05:00
Rob Winch
45ad74a0bd SEC-2357: Fix package cycles 2013-10-14 11:15:16 -05:00
Rob Winch
14b9050616 SEC-2357: Move *RequestMatchers to .matchers package 2013-10-14 10:36:31 -05:00
Rob Winch
7d99436740 SEC-2358: Add RequestHeaderRequestMatcher 2013-10-11 14:53:11 -05:00
Rob Winch
0ac1176152 Polish RequestMatcher logging and toString 2013-10-07 15:45:42 -05:00
Rob Winch
cffbefadd1 SEC-2306: Fix Session Fixation logging race condition
Previously session fixation protection could output an incorrect warning
that session fixation protection did not work.

The code now synchronizes on WebUtils.getSessionMutex(..).
2013-10-06 17:13:40 -05:00
kazuki43zoo
611a97023d SEC-2352: HttpSessionCsrfTokenRepository lazy session creation 2013-10-06 16:44:18 -05:00
Rob Winch
17efd25717 SEC-2331: Include Expires: 0 in security headers documentation 2013-09-27 16:13:40 -05:00
Rob Winch
cea0cf9260 SEC-2243: Remove additional Debug Filter 2013-09-26 11:38:16 -05:00
Rob Winch
b591881e95 SEC-2302: Provide beforeSpringSecurityFilterChain hook
This allows inserting filters before the springSecurityFilterChain.
2013-09-25 14:52:40 -05:00
Rob Winch
ddc0ef7ab3 SEC-2339: Added Logical (Or, And, Negated) RequestMatchers 2013-09-23 20:55:49 -05:00
Rob Winch
788ba9a1fa SEC-2329: Allow injecting of AuthenticationTrustResolver 2013-09-20 15:26:52 -05:00
Rob Winch
9133c33f1d SEC-2246: HttpSessionRequestCache.getRequest casts to RequestCache
The method getRequest use to cast to DefaultRequestCache, but this
is not necessary.

Now the cast is to SavedRequest.
2013-09-19 15:08:32 -05:00
Rob Winch
8f8c6169e8 SEC-2331: Cache Control now includes Expires: 0 2013-09-19 14:06:37 -05:00
Rob Winch
0114b457c0 SEC-2330: CacheControlHeadersWriter use a single header 2013-09-18 16:12:34 -05:00
Rob Winch
32e9239fd2 SEC-2320: AuthenticationPrincipal can be null on invalid type
Previously a ClassCastException was thrown if the type was invalid. Now
a flag exists on AuthenticationPrincipal which indicates if a
ClassCastException should be thrown or not with the default being no error.
2013-09-13 15:21:13 -07:00
Rob Winch
b22acd0768 SEC-2314: AbstractSecurityWebApplicationInitializer.getSessionTrackingModes() uses EnumSet 2013-09-13 14:44:44 -07:00