mirror of synced 2026-05-26 07:13:18 +00:00

1614 Commits

Author SHA1 Message Date
Rob Winch f5fc94e1be SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.

The code has been updated to do comparison against a dummy password
even when the user was not found.
2012-10-08 15:52:40 -05:00
Luke Taylor 76dc21469e SEC-1750: Make sure RunAs replacement is constrained to the SecurityContext of the current thread. 2011-08-19 13:18:45 -07:00
Luke Taylor 22b7c9b905 SEC-1742: Make extraInformation in AuthenticationException transient. 2011-08-19 13:18:45 -07:00
Luke Taylor 0cdf202b10 SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider. 2011-08-19 13:18:45 -07:00
Luke Taylor a507e3612a SEC-1741: Modify ContextPropagatingRemoteInvocation to pass a simple combination of principal/credentials as Strings, rather than serializing the whole SecurityContext object from the client. 2011-08-19 13:18:45 -07:00
Luke Taylor f5fbda42e5 SEC-1790: Reject redirect locations containing CR or LF. 2011-08-19 13:18:35 -07:00
Rob Winch d5b72275e5 SEC-1639: FirewalledRequest is now called on the specific FirewalledRequest instance rather than looping through ServletRequestWrappers.
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.
2010-12-17 09:42:25 -06:00
Luke Taylor 08a933f930 SEC-1608: Ensure request wrapper is reset for empty filter chains. 2010-12-08 13:56:08 +00:00
Rob Winch 54ffc98bb4 SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward 2010-11-03 15:01:39 -05:00
Luke Taylor dec2e59fba SEC-1584: Backport of namespace support for injecting custom HttpFirewall instance into FilterChainProxy. 2010-10-14 20:32:01 +01:00
Luke Taylor 8f6ddb0f17 SEC-1584: Backport to 2.0.x branch of request firewalling (normalization checks and path-parameter stripping from servletPath and pathInfo). 2010-10-13 00:04:44 +01:00
Luke Taylor 9c6a5135a3 SEC-1532: Patch applied to 2.0.x branch 2010-08-26 14:13:01 +01:00
Luke Taylor 0acf262546 SEC-1462: Added suggested patch (effectively the same as changes in 3.0.x and master branches). 2010-04-20 18:16:45 +01:00
Luke Taylor d6f6a54455 SEC-1444: Backport of changes to 2.0.x 2010-04-16 15:14:01 +01:00
Luke Taylor 3e393c9df6 Tidying test class 2009-07-13 23:47:33 +00:00
Luke Taylor 781c99f257 SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user (for real this time) 2009-06-03 16:57:33 +00:00
Luke Taylor b77f780993 SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user 2009-06-03 16:12:54 +00:00
Luke Taylor 4c3867718e SEC-1031: Ported change from trunk. 2008-11-11 23:36:47 +00:00
Luke Taylor 97381fb448 SEC-974: Made getExceptionMappings() protected. 2008-10-01 16:25:20 +00:00
Luke Taylor 4542f00b14 SEC-975: Namespace security syntax does not interpret properties
http://jira.springframework.org/browse/SEC-975. Changed creation of AccessDeniedHandler to use a BeanDefinition to make sure placeholders work OK.
2008-09-12 19:06:53 +00:00
Luke Taylor 5e4634d216 Minor Javadoc improvement. 2008-09-12 14:57:21 +00:00
Luke Taylor d291def963 Removed invalid comment. 2008-09-12 10:18:40 +00:00
Luke Taylor df59cb9dcd Import cleaning. 2008-09-11 14:41:00 +00:00
Luke Taylor ef0389ae79 SEC-976: Removed checks for presence of core-tiger classes. 2008-09-11 14:37:55 +00:00
Luke Taylor 8661e17df9 OPEN - issue SEC-960: DN Encoding in LDAPUserDetailsManager.changePassword() causes bind errors
http://jira.springframework.org/browse/SEC-960. Replaced call to toUrl() with toString() to prevent URL encoding when setting up principal name for reconnect() in changePassword() method.
2008-09-05 13:49:38 +00:00
Luke Taylor 5102be3a59 SEC-971: getter for cookieName in AbstractRememberMeServices
http://jira.springframework.org/browse/SEC-971. Added getCookieName() method.
2008-09-04 16:05:34 +00:00
Luke Taylor 4e2d6f8b2e SEC-967: TextUtils.java does not escape ampersand character
http://jira.springframework.org/browse/SEC-967. Added escaping of '&' character
2008-08-29 12:01:45 +00:00
Luke Taylor d781deffe7 OPEN - issue SEC-966: Consider adding escapeXml attribute to security:authentication
http://jira.springframework.org/browse/SEC-966. Added escaping of rendered text as default.
2008-08-26 16:21:29 +00:00
Luke Taylor a4e4120443 SEC-963: LDAP Group Search Root
http://jira.springframework.org/browse/SEC-963. Changed namespace instances of DefaultAuthoritiesPopulator to use the root as the default search location.
2008-08-26 13:51:01 +00:00
Luke Taylor 83868a7334 SEC-955: ability to externalize port mapping for secured channel to a property file
http://jira.springframework.org/browse/SEC-955. Changed schema to make port-mapping type xsd:string to allow placeholders.
2008-08-26 13:20:01 +00:00
Luke Taylor 150f3d97d0 SEC-832: NamingEnumeration.hasMore fails on MS AD with PartialResultException
http://jira.springframework.org/browse/SEC-832. Changed searchForSingleEntry method to ignore PartialResultException, similar to Spring LDAP's approach.
2008-08-26 12:49:37 +00:00
Luke Taylor 7f28a8bc5d Refactored DefaultLdapAuthoritiesPopulator to remove contextSource field and setter method. 2008-08-26 12:38:02 +00:00
Luke Taylor 1cfd886517 SEC-922: Spring Security should respect Spring XML boolean operators for AJ pointcut
http://jira.springframework.org/browse/SEC-922. Added method to substitute boolean operators "and, not, or" with aspectj versions "&&, !, ||".
2008-08-18 23:31:14 +00:00
Luke Taylor bb457e1d07 SEC-957: logger.debug without guard causing massive performance hit
http://jira.springframework.org/browse/SEC-957. Added debug logging guard as requested.
2008-08-18 18:20:48 +00:00
Luke Taylor 09cf90258f SEC-758: Both AspectJSecurityInterceptor and AspectJAnnotationSecurityInterceptor not usable with @AspectJ notation
http://jira.springframework.org/browse/SEC-758. Added "throws Throwable" to AspectJAnnotationCallback signature.
2008-08-18 14:47:28 +00:00
Luke Taylor e15d7a78cd SEC-956: Remove MapBasedMethodDefinitionSource.lookupAttributes
http://jira.springframework.org/browse/SEC-956. Done.
2008-08-18 13:13:18 +00:00
Luke Taylor 3bf5e406b7 SEC-936: NPE in AbstractFallbackMethodDefinitionSource
http://jira.springframework.org/browse/SEC-936. Changed to check if the value of MethodInvocation.getThis() is null to prevent NPE. MapBasedMethodDefinitionSource now ignores calls to findAttributes() with a null target class (all its entries require a class) and the fallback option in AbstractFallbackMethodDefinitionSource is used if the targetClass is null (i.e. Method.getDeclaringClass() will be used as the Class)
2008-08-16 02:31:36 +00:00
Luke Taylor 55d357f42d OPEN - issue SEC-905: <protect-pointcut /> pointcuts do not respect method arguments
http://jira.springframework.org/browse/SEC-905. Added extra registration method to MapBasedMethodDefinitionSource which takes a Method instance rather than the method name.
2008-08-12 17:11:38 +00:00
Luke Taylor d9ab0758ee SEC-954: Removed test dependency on AbstractMethodDefinitionSource. 2008-08-12 17:08:55 +00:00
Luke Taylor 36b35e3b1f CLOSED - issue SEC-953: Query string isn't ignored while url - filterchain pattern matching
http://jira.springframework.org/browse/SEC-953. Fixed autoboxing issue.
2008-08-11 21:15:09 +00:00
Luke Taylor 39a656eb78 OPEN - issue SEC-953: Query string isn't ignored while url - filterchain pattern matching
http://jira.springframework.org/browse/SEC-953. Added stripQueryStringFromUrls parameter to FilterChainProxy which works the same as the one on DefaultFilterInvocationDefinitionSource. This defaults to true when used with ant path matching.
2008-08-11 19:15:33 +00:00
Luke Taylor b6dec19e90 SEC-932: Added supplied class and test class. 2008-08-11 16:36:01 +00:00
Luke Taylor 3ab9fcdcaf Tidying. 2008-08-11 15:05:16 +00:00
Luke Taylor 3a9eb018ba SEC-950: Added test to attempt to reproduce problem. 2008-08-08 15:41:14 +00:00
Luke Taylor b3a23b4377 Some minor improvements to schema comments 2008-08-07 19:15:13 +00:00
Luke Taylor 25814d341d Tidying. 2008-08-06 16:18:05 +00:00
Luke Taylor e951c42c2b Improved javadoc. Some tidying up. 2008-08-06 15:28:04 +00:00
Luke Taylor 7258d30e13 Reinstated missing author tag and some minor tidying (de-jalopying). Removed unused logger. 2008-08-06 13:41:01 +00:00
Luke Taylor 3ee3591feb SEC-947: Added check on "before" and "after" values to make sure they don't overflow when decremented/incremented respectively. 2008-08-05 23:26:01 +00:00
Luke Taylor 1af7eed433 SEC-883: RoleHierarchyVoter
http://jira.springframework.org/browse/SEC-883. Added RoleHierarchyVoter and deprecated existing approach. Also moved TestingAuthenticationToken to test package structure.
2008-08-04 13:08:03 +00:00