1
0
mirror of synced 2026-07-12 14:20:11 +00:00

Compare commits

..

46 Commits

Author SHA1 Message Date
Spring Buildmaster 7be99ff7fa Next development version 2016-02-25 14:10:11 -08:00
Spring Buildmaster 0e9d9da46b Release version 4.0.4.RELEASE 2016-02-25 14:09:54 -08:00
Rob Winch a3a78e50cb Update to Spring 4.2.5
Fixes gh-3716
2016-02-25 11:33:55 -06:00
Rob Winch 8c8f499a69 Remove logging for "Skip invoking on" response committed
Fixes gh-3683
2016-02-25 11:00:16 -06:00
Rob Winch 80ca441e88 Remove check.dependsOn springSnapshotTest 2015-12-21 17:00:20 -06:00
Rob Winch cfd576316f SEC-3179: Set springIoVersion to explicit version 2015-12-21 17:00:18 -06:00
Alex Panchenko 409a74330e SEC-3158 findRequiredWebApplicationContext() compatibility with spring framework 4.1.x 2015-12-03 22:16:54 -06:00
Kazuki Shimizu 87247318f2 SEC-3152: Add @Retention to @WithMock documentation 2015-11-12 16:22:38 -06:00
petaure dbf883ba98 SEC-3150: Escape ' character in messages_fr.properties
Escape ' character, if not format doesn't work fine.
2015-11-12 15:44:10 -06:00
Kazuki Shimizu 675ac80926 SEC-3147: Add error parameter for default authentication-failure-url 2015-11-12 15:12:38 -06:00
Rob Winch 5f6e3855f1 Next Development Version 2015-10-30 16:41:18 -05:00
Spring Buildmaster 19f88e9179 Release version 4.0.3.RELEASE 2015-10-30 12:35:23 -07:00
Rob Winch cf9b6bc0de SEC-2848: LogoutConfigurer allows setting clearAuthentication 2015-10-30 13:54:30 -05:00
Rob Winch fc67550ff2 SEC-3135: antMatchers(<method>,new String[0]) now passive 2015-10-30 10:09:03 -05:00
Rob Winch af2a431f23 SEC-3120: Remove .and() from httpStrictTransportSecurity() doc 2015-10-30 09:10:57 -05:00
Rob Winch 8d9b06afb4 SEC-3082: make SavedRequest parameters case sensitive 2015-10-29 16:46:33 -05:00
Rob Winch 0ecdd0e856 SEC-3120: Reference hsts() -> httpStrictTransportSecurity() 2015-10-29 15:10:16 -05:00
Rob Winch edd2751ff1 SEC-3128: RoleVoter supports null Authentication 2015-10-29 14:03:47 -05:00
Rob Winch 8663ac4173 SEC-3135: antMatchers now allows method and no pattern
Previously, antMatchers(POST).authenticated() was not allowed. Instead
users had to use antMatchers(POST, "/**").authenticated().

Now we default the patterns to be "/**" if it is null or empty.
2015-10-29 12:48:56 -05:00
Rob Winch 72213b5c69 SEC-2190: Fix Javadoc 2015-10-29 11:42:03 -05:00
Rob Winch 2bbe70501b SEC-2190: Support WebApplicationContext in ServletContext attribute 2015-10-28 15:26:16 -05:00
Rob Winch da606d50c0 SEC-3108: DigestAuthenticationFilter should use SecurityContextHolder.createEmptyContext() 2015-10-27 13:57:18 -05:00
Rob Winch d648a56e16 SEC-2521: Improve StandardPasswordEncoder performance 2015-10-27 11:21:05 -05:00
Rob Winch 9c39a0e83e SEC-3109: Fix web tests 2015-10-26 21:31:40 -05:00
Rob Winch c8692b6d0b SEC-3109: DelegatingSecurityContextExecutor fails with same Thread
Previously DelegatingSecurityContextRunnable and DelegatingSecurityContextCallable
would not setup the SecurityContext if it was on the same thread as it was created.
This was intended to fix SEC-3031 but simply caused more problems.

This commit changes the strategy to keep track of the previous SecurityContext
and restore it (or clear it out if it was originally empty).
2015-10-26 17:17:31 -05:00
Rob Winch 45bbabd485 SEC-3057: Include all *.txt & *.jar in dist zip 2015-10-26 14:04:48 -05:00
Rob Winch 43fbeab106 SEC-3133: Correct test doc username parameter 2015-10-26 13:00:27 -05:00
Rob Winch b719e0fbcc SEC-3132: securityBuilder cannot be null
If a custom SecurityConfiguererAdapter applies another
SecurityConfigurerAdapter it caused an error securityBuilder cannot be null.

This commit fixes this.
2015-10-23 10:28:27 -05:00
Rob Winch 09bf290583 SEC-3129: Update Spring 2015-10-22 10:04:52 -05:00
Rob Winch 9a6f026dff SEC-3052: Doc DEFAULT_MATCHER->DEFAULT_CSRF_MATCHER 2015-10-21 16:22:53 -05:00
Rob Winch 269127c2c6 SEC-2941: Default RequestPostProcessor overrides
Previously a default RequestPostProcessor overrode additional
RequestPostProcessor instances added to the request. This was due to
SPR-12945. Now that SPR-12945 is fixed, this commit adds a test to
ensure this stays fixed.
2015-10-21 16:09:15 -05:00
Rob Winch 7074daac0e SEC-3063: rm ConditionalOnMissingBean for @Primary
ConditionalOnMissingBean can only work in a Spring Boot environment. This
means this approach is flawed.

Instead users that wish to override requestDataValueProcessor can use
@Primary.
2015-10-21 15:41:32 -05:00
Rob Winch 69446ab80f SEC-3070: Logout invalidate-session=false and Spring Session doesn't
work
2015-10-20 15:13:01 -05:00
izeye 48bc0ad5f9 SEC-3124: Fix broken Javadoc related to < and > 2015-10-13 13:33:51 -05:00
Rob Winch db9584104c Add Gitter to README 2015-08-11 11:49:46 -05:00
Rob Winch b0701ea770 SEC-3068: Update Tutorial to use POST /logout 2015-08-10 09:53:07 -05:00
Rob Winch 8cc9108601 Merge pull request #209 from raindev/patch-1
Remove unused imports from SecureRandomBytesKeyGenerator
2015-08-06 08:54:09 -05:00
Rob Winch 41c9431fcc Test that form log in requires CSRF 2015-08-03 12:24:37 -05:00
Rob Winch 453e6332da Fix indentation of CsrfConfigTests 2015-08-03 12:03:05 -05:00
Rob Winch 969f3a7d1b Update pom.xml to latest snapshots 2015-08-03 09:46:01 -05:00
Rob Winch 4c19768e54 Update to jacoco 0.7.5.201505241946 2015-08-03 09:45:42 -05:00
Thomas Darimont ad1d858e2b SEC-3056 - Fix JavaDoc errors.
Fixed JavaDoc errors accross multiple modules in order to make javadoc happy with Java 8.
2015-08-03 08:02:24 -05:00
Rob Winch 7317c090cc SEC-2963: Disable appengineRun if contains functional tests 2015-07-29 09:57:57 -05:00
Rob Winch 485fbdc1ee SEC-2963: Select Available Port for appengine 2015-07-28 22:47:21 -05:00
Spring Buildmaster 22aa91c8e1 Next development version 2015-07-22 22:08:15 -07:00
Andrew Barchuk 3832647ecf Remove unused imports 2015-07-14 16:35:11 +03:00
181 changed files with 1621 additions and 822 deletions
+2
View File
@@ -1,3 +1,5 @@
image::https://badges.gitter.im/Join%20Chat.svg[Gitter,link=https://gitter.im/spring-projects/spring-security?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge]
= Spring Security
Spring Security provides security services for the http://docs.spring.io[Spring IO Platform]. Spring Security 3.1 requires Spring 3.0.3 as
+3 -3
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-acl</name>
<description>spring-security-acl</description>
<url>http://spring.io/spring-security</url>
@@ -40,7 +40,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -145,7 +145,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@@ -83,14 +83,14 @@ import org.springframework.util.StringUtils;
* Alternatively, you could have used a common superclass or interface for the
* {@link #processDomainObjectClass} if both <code>BankAccount</code> and
* <code>Customer</code> had common parents.
* </p>
*
* <p>
* If the principal does not have sufficient permissions, the voter will vote to deny
* access.
* </p>
*
* <p>
* All comparisons and prefixes are case sensitive.
* </p>
*
*
* @author Ben Alex
*/
+3 -3
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-aspects</name>
<description>spring-security-aspects</description>
<url>http://spring.io/spring-security</url>
@@ -34,7 +34,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -124,7 +124,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
+11 -6
View File
@@ -25,7 +25,7 @@ allprojects {
ext.releaseBuild = version.endsWith('RELEASE')
ext.snapshotBuild = version.endsWith('SNAPSHOT')
ext.springVersion = '4.1.6.RELEASE'
ext.springVersion = '4.2.5.RELEASE'
ext.springLdapVersion = '2.0.2.RELEASE'
group = 'org.springframework.security'
@@ -99,7 +99,7 @@ configure(coreModuleProjects) {
apply plugin: 'emma'
apply plugin: 'spring-io'
ext.springIoVersion = project.hasProperty('platformVersion') ? platformVersion : 'latest.integration'
ext.springIoVersion = project.hasProperty('platformVersion') ? platformVersion : '2.0.1.RELEASE'
configurations {
jacoco //Configuration Group used by Sonar to provide Code Coverage using JaCoCo
@@ -113,7 +113,7 @@ configure(coreModuleProjects) {
}
}
dependencies {
jacoco "org.jacoco:org.jacoco.agent:0.6.2.201302030002:runtime"
jacoco "org.jacoco:org.jacoco.agent:0.7.5.201505241946:runtime"
}
test {
jvmArgs "-javaagent:${configurations.jacoco.asPath}=destfile=${buildDir}/jacoco.exec,includes=${project.group}.*"
@@ -135,7 +135,7 @@ task coreBuild {
// Task for creating the distro zip
task dist(type: Zip) {
dependsOn subprojects*.tasks*.matching { task -> task.name == 'assemble' || task.name.endsWith('Zip') || task.name.endsWith('generatePom') }
dependsOn { subprojects*.tasks*.matching { task -> task.name.endsWith('generatePom') } }
classifier = 'dist'
evaluationDependsOn(':docs')
@@ -145,14 +145,19 @@ task dist(type: Zip) {
into(zipRootDir) {
from(rootDir) {
include '*.adoc'
include '*.txt'
}
into('docs') {
with(project(':docs').apiSpec)
with(project(':docs:manual').spec)
with(project(':docs:guides').spec)
}
into('dist') {
from coreModuleProjects.collect {project -> project.libsDir }
project.coreModuleProjects*.tasks*.withType(AbstractArchiveTask).flatten().each{ archiveTask ->
if(archiveTask!=dist){
into("$zipRootDir/dist") {
from archiveTask.outputs.files
}
}
}
sampleProjects.each { project->
into("$zipRootDir/samples/$project.name") {
+4 -4
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-cas</name>
<description>spring-security-cas</description>
<url>http://spring.io/spring-security</url>
@@ -40,13 +40,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -136,7 +136,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
+9 -9
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-config</name>
<description>spring-security-config</description>
<url>http://spring.io/spring-security</url>
@@ -40,7 +40,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -86,28 +86,28 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-messaging</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
@@ -360,13 +360,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -390,7 +390,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@@ -55,6 +55,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
private final Log logger = LogFactory.getLog(getClass());
private final LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>> configurers = new LinkedHashMap<Class<? extends SecurityConfigurer<O, B>>, List<SecurityConfigurer<O, B>>>();
private final List<SecurityConfigurer<O, B>> configurersAddedInInitializing = new ArrayList<SecurityConfigurer<O, B>>();
private final Map<Class<Object>, Object> sharedObjects = new HashMap<Class<Object>, Object>();
@@ -126,9 +127,9 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
@SuppressWarnings("unchecked")
public <C extends SecurityConfigurerAdapter<O, B>> C apply(C configurer)
throws Exception {
add(configurer);
configurer.addObjectPostProcessor(objectPostProcessor);
configurer.setBuilder((B) this);
add(configurer);
return configurer;
}
@@ -202,7 +203,7 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
configs.add(configurer);
this.configurers.put(clazz, configs);
if (buildState.isInitializing()) {
configurer.init((B) this);
this.configurersAddedInInitializing.add(configurer);
}
}
}
@@ -368,6 +369,10 @@ public abstract class AbstractConfiguredSecurityBuilder<O, B extends SecurityBui
for (SecurityConfigurer<O, B> configurer : configurers) {
configurer.init((B) this);
}
for (SecurityConfigurer<O, B> configurer : configurersAddedInInitializing) {
configurer.init((B) this);
}
}
@SuppressWarnings("unchecked")
@@ -58,7 +58,7 @@ public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
* Gets the {@link SecurityBuilder}. Cannot be null.
*
* @return the {@link SecurityBuilder}
* @throw {@link IllegalStateException} if {@link SecurityBuilder} is null
* @throws IllegalStateException if {@link SecurityBuilder} is null
*/
protected final B getBuilder() {
if (securityBuilder == null) {
@@ -36,9 +36,10 @@ public interface ProviderManagerBuilder<B extends ProviderManagerBuilder<B>> ext
* customizations must be done externally and the {@link ProviderManagerBuilder} is
* returned immediately.
*
* Note that an Exception is thrown if an error occurs when adding the {@link AuthenticationProvider}.
*
* @return a {@link ProviderManagerBuilder} to allow further authentication to be
* provided to the {@link ProviderManagerBuilder}
* @throws Exception if an error occurs when adding the {@link AuthenticationProvider}
*/
B authenticationProvider(AuthenticationProvider authenticationProvider);
}
@@ -61,7 +61,7 @@ public class AuthenticationManagerBuilder
/**
* Creates a new instance
* @param the {@link ObjectPostProcessor} instance to use.
* @param objectPostProcessor the {@link ObjectPostProcessor} instance to use.
*/
public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
super(objectPostProcessor, true);
@@ -196,7 +196,6 @@ public class AuthenticationManagerBuilder
* <p>
* This method <b>does NOT</b> ensure that a {@link UserDetailsService} is available
* for the {@link #getDefaultUserDetailsService()} method.
* </p>
*
* @return a {@link LdapAuthenticationProviderConfigurer} to allow customization of
* the LDAP authentication
@@ -216,11 +215,11 @@ public class AuthenticationManagerBuilder
* <p>
* This method <b>does NOT</b> ensure that the {@link UserDetailsService} is available
* for the {@link #getDefaultUserDetailsService()} method.
* </p>
*
* Note that an {@link Exception} might be thrown if an error occurs when adding the {@link AuthenticationProvider}.
*
* @return a {@link AuthenticationManagerBuilder} to allow further authentication to
* be provided to the {@link AuthenticationManagerBuilder}
* @throws Exception if an error occurs when adding the {@link AuthenticationProvider}
*/
public AuthenticationManagerBuilder authenticationProvider(
AuthenticationProvider authenticationProvider) {
@@ -27,7 +27,7 @@ import org.springframework.security.provisioning.InMemoryUserDetailsManager;
* to have in memory authentication. It also allows easily adding users to the in memory
* authentication.
*
* @param <B> the type of the {@link SecurityBuilder} that is being configured
* @param <B> the type of the {@link ProviderManagerBuilder} that is being configured
*
* @author Rob Winch
* @since 3.2
@@ -38,7 +38,6 @@ import org.springframework.security.provisioning.JdbcUserDetailsManager;
* <p>
* The only required method is the {@link #dataSource(javax.sql.DataSource)} all other
* methods have reasonable defaults.
* </p>
*
* @param <B> the type of the {@link ProviderManagerBuilder} that is being configured
*
@@ -82,7 +81,7 @@ public class JdbcUserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B
* </code>
* @param query The query to use for selecting the username, password, and if the user
* is enabled by username. Must contain a single parameter for the username.
* @return The {@link JdbcUserDetailsManagerRegistry} used for additional
* @return The {@link JdbcUserDetailsManagerConfigurer} used for additional
* customizations
* @throws Exception
*/
@@ -102,7 +101,7 @@ public class JdbcUserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B
*
* @param query The query to use for selecting the username, authority by username.
* Must contain a single parameter for the username.
* @return The {@link JdbcUserDetailsManagerRegistry} used for additional
* @return The {@link JdbcUserDetailsManagerConfigurer} used for additional
* customizations
* @throws Exception
*/
@@ -126,7 +125,7 @@ public class JdbcUserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B
*
* @param query The query to use for selecting the authorities by group. Must contain
* a single parameter for the username.
* @return The {@link JdbcUserDetailsManagerRegistry} used for additional
* @return The {@link JdbcUserDetailsManagerConfigurer} used for additional
* customizations
* @throws Exception
*/
@@ -181,7 +180,7 @@ public class JdbcUserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B
/**
* Populates the default schema that allows users and authorities to be stored.
*
* @return The {@link JdbcUserDetailsManagerRegistry} used for additional
* @return The {@link JdbcUserDetailsManagerConfigurer} used for additional
* customizations
*/
public JdbcUserDetailsManagerConfigurer<B> withDefaultSchema() {
@@ -80,9 +80,6 @@ public class UserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B>, C
/**
* Builds the user to be added. At minimum the username, password, and authorities
* should provided. The remaining attributes have reasonable defaults.
*
* @param <T> the type of {@link UserDetailsManagerConfigurer} to return for chaining
* methods.
*/
public class UserDetailsBuilder {
private String username;
@@ -103,11 +100,10 @@ public class UserDetailsManagerConfigurer<B extends ProviderManagerBuilder<B>, C
}
/**
* Returns the {@link UserDetailsManagerRegistry} for method chaining (i.e. to add
* Returns the {@link UserDetailsManagerConfigurer} for method chaining (i.e. to add
* another user)
*
* @return the {@link UserDetailsManagerRegistry} for method chaining (i.e. to add
* another user)
* @return the {@link UserDetailsManagerConfigurer} for method chaining
*/
public C and() {
return builder;
@@ -27,8 +27,8 @@ import org.springframework.security.core.userdetails.UserDetailsService;
* @author Rob Winch
* @since 3.2
*
* @param <B> the type of the {@link SecurityBuilder}
* @param <C> the {@link SecurityConfigurer} (or this)
* @param <B> the type of the {@link ProviderManagerBuilder}
* @param <C> the {@link UserDetailsServiceConfigurer} (or this)
* @param <U> the type of UserDetailsService being used to allow for returning the
* concrete UserDetailsService.
*/
@@ -29,9 +29,8 @@ import org.springframework.security.config.annotation.configuration.ObjectPostPr
/**
* <p>
* Enables Spring Security global method security similar to the <global-method-security>
* Enables Spring Security global method security similar to the &lt;global-method-security&gt;
* xml support.
* </p>
*
* <p>
* More advanced configurations may wish to extend
@@ -25,6 +25,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.ObjectUtils;
/**
* A base class for registering {@link RequestMatcher}'s. For example, it might allow for
@@ -48,6 +49,20 @@ public abstract class AbstractRequestMatcherRegistry<C> {
return requestMatchers(ANY_REQUEST);
}
/**
* Maps a {@link List} of
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
* instances.
*
* @param method the {@link HttpMethod} to use for any
* {@link HttpMethod}.
*
* @return the object that is chained after creating the {@link RequestMatcher}
*/
public C antMatchers(HttpMethod method) {
return antMatchers(method, new String[] { "/**" });
}
/**
* Maps a {@link List} of
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher}
@@ -55,7 +70,7 @@ public abstract class AbstractRequestMatcherRegistry<C> {
*
* @param method the {@link HttpMethod} to use or {@code null} for any
* {@link HttpMethod}.
* @param antPatterns the ant patterns to create
* @param antPatterns the ant patterns to create. If {@code null} or empty, then matches on nothing.
* {@link org.springframework.security.web.util.matcher.AntPathRequestMatcher} from
*
* @return the object that is chained after creating the {@link RequestMatcher}
@@ -142,11 +142,11 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>> extends
* <li>{@link LogoutFilter}</li>
* <li>{@link X509AuthenticationFilter}</li>
* <li>{@link AbstractPreAuthenticatedProcessingFilter}</li>
* <li>{@link org.springframework.security.cas.web.CasAuthenticationFilter}</li>
* <li><a href="{@docRoot}/org/springframework/security/cas/web/CasAuthenticationFilter.html">CasAuthenticationFilter</a></li>
* <li>{@link UsernamePasswordAuthenticationFilter}</li>
* <li>{@link ConcurrentSessionFilter}</li>
* <li>{@link OpenIDAuthenticationFilter}</li>
* <li>{@link DefaultLoginPageGeneratingFilter}</li>
* <li>{@link org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter}</li>
* <li>{@link ConcurrentSessionFilter}</li>
* <li>{@link DigestAuthenticationFilter}</li>
* <li>{@link BasicAuthenticationFilter}</li>
@@ -71,7 +71,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
/**
* A {@link HttpSecurity} is similar to Spring Security's XML <http> element in the
* A {@link HttpSecurity} is similar to Spring Security's XML &lt;http&gt; element in the
* namespace configuration. It allows configuring web based security for specific http
* requests. By default it will be applied to all requests, but can be restricted using
* {@link #requestMatcher(RequestMatcher)} or other similar methods.
@@ -283,7 +283,7 @@ public final class HttpSecurity extends
*
* @return
* @throws Exception
* @see {@link HeadersConfigurer}
* @see HeadersConfigurer
*/
public HeadersConfigurer<HttpSecurity> headers() throws Exception {
return getOrApply(new HeadersConfigurer<HttpSecurity>());
@@ -326,8 +326,8 @@ public final class HttpSecurity extends
*
* <pre>
* &lt;listener&gt;
* &ltlistener-class&gt;org.springframework.security.web.session.HttpSessionEventPublisher&lt;/listener-class&gt;
* &lt/listener>
* &lt;listener-class&gt;org.springframework.security.web.session.HttpSessionEventPublisher&lt;/listener-class&gt;
* &lt;/listener&gt;
* </pre>
*
* Alternatively,
@@ -378,7 +378,7 @@ public final class HttpSecurity extends
*
* @return the {@link PortMapperConfigurer} for further customizations
* @throws Exception
* @see {@link #requiresChannel()}
* @see #requiresChannel()
*/
public PortMapperConfigurer<HttpSecurity> portMapper() throws Exception {
return getOrApply(new PortMapperConfigurer<HttpSecurity>());
@@ -716,7 +716,7 @@ public final class HttpSecurity extends
* {@link org.springframework.security.authentication.AnonymousAuthenticationToken}
* and contain the role "ROLE_ANONYMOUS".
*
* <h2>Example Configuration</h2
* <h2>Example Configuration</h2>
*
* The following configuration demonstrates how to specify that anonymous users should
* contain the role "ROLE_ANON" instead.
@@ -908,6 +908,10 @@ public final class HttpSecurity extends
return getOrApply(new HttpBasicConfigurer<HttpSecurity>());
}
public <C> void setSharedObject(Class<C> sharedType, C object) {
super.setSharedObject(sharedType, object);
}
@Override
protected void beforeConfigure() throws Exception {
setSharedObject(AuthenticationManager.class, getAuthenticationRegistry().build());
@@ -1,13 +0,0 @@
package org.springframework.security.config.annotation.web.configuration;
import org.springframework.context.annotation.Conditional;
/**
* @author Rob Winch
* @since 4.0
*/
@Conditional(OnMissingBeanCondition.class)
@interface ConditionalOnMissingBean {
Class<?> value();
}
@@ -1,40 +0,0 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
package org.springframework.security.config.annotation.web.configuration;
import java.util.Map;
import org.springframework.context.annotation.ConditionContext;
import org.springframework.context.annotation.ConfigurationCondition;
import org.springframework.core.type.AnnotatedTypeMetadata;
/**
* @author Rob Winch
*/
class OnMissingBeanCondition implements ConfigurationCondition {
public ConfigurationPhase getConfigurationPhase() {
return ConfigurationPhase.REGISTER_BEAN;
}
public boolean matches(ConditionContext context, AnnotatedTypeMetadata metadata) {
Map<String, Object> attrs = metadata
.getAnnotationAttributes(ConditionalOnMissingBean.class.getName());
Class<?> type = (Class<?>) attrs.get("value");
final Map<String, ?> beans = context.getBeanFactory().getBeansOfType(type);
return beans.isEmpty();
}
}
@@ -29,7 +29,7 @@ import java.util.List;
/**
* Used to add a {@link RequestDataValueProcessor} for Spring MVC and Spring Security CSRF
* integration. This configuration is added whenever {@link EnableWebMvc} is added by
* {@link SpringWebMvcImportSelector} and the DispatcherServlet is present on the
* <a href="{@docRoot}/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.html">SpringWebMvcImportSelector</a> and the DispatcherServlet is present on the
* classpath. It also adds the {@link AuthenticationPrincipalArgumentResolver} as a
* {@link HandlerMethodArgumentResolver}.
*
@@ -47,7 +47,6 @@ class WebMvcSecurityConfiguration extends WebMvcConfigurerAdapter {
argumentResolvers.add(new CsrfTokenArgumentResolver());
}
@ConditionalOnMissingBean(RequestDataValueProcessor.class)
@Bean
public RequestDataValueProcessor requestDataValueProcessor() {
return new CsrfRequestDataValueProcessor();
@@ -262,7 +262,7 @@ public abstract class WebSecurityConfigurerAdapter implements
* {@link #userDetailsService()} instead
* @return
* @throws Exception
* @see {@link #userDetailsService()}
* @see #userDetailsService()
*/
public UserDetailsService userDetailsServiceBean() throws Exception {
AuthenticationManagerBuilder globalAuthBuilder = context
@@ -273,7 +273,7 @@ public abstract class WebSecurityConfigurerAdapter implements
/**
* Allows modifying and accessing the {@link UserDetailsService} from
* {@link #userDetailsServiceBean()()} without interacting with the
* {@link #userDetailsServiceBean()} without interacting with the
* {@link ApplicationContext}. Developers should override this method when changing
* the instance of {@link #userDetailsServiceBean()}.
*
@@ -178,8 +178,8 @@ public abstract class AbstractAuthenticationFilterConfigurer<B extends HttpSecur
}
/**
* Ensures the urls for {@link #failureUrl(String)} and
* {@link #authenticationUrls(String)} are granted access to any user.
* Ensures the urls for {@link #failureUrl(String)} as well as for the {@link HttpSecurityBuilder}, the
* {@link #getLoginPage} and {@link #getLoginProcessingUrl} are granted access to any user.
*
* @param permitAll true to grant access to the URLs false to skip this step
* @return the {@link FormLoginConfigurer} for additional customization
@@ -51,7 +51,7 @@ import org.springframework.security.web.access.intercept.FilterSecurityIntercept
*
* <ul>
* <li>
* {@link org.springframework.security.config.annotation.web.builders.HttpSecurity#getAuthenticationManager()}
* {@link AuthenticationManager}
* </li>
* </ul>
*
@@ -115,7 +115,7 @@ abstract class AbstractInterceptUrlConfigurer<C extends AbstractInterceptUrlConf
/**
* Allows setting the {@link AccessDecisionManager}. If none is provided, a
* default {@l AccessDecisionManager} is created.
* default {@link AccessDecisionManager} is created.
*
* @param accessDecisionManager the {@link AccessDecisionManager} to use
* @return the {@link AbstractInterceptUrlConfigurer} for further customization
@@ -162,7 +162,7 @@ abstract class AbstractInterceptUrlConfigurer<C extends AbstractInterceptUrlConf
/**
* If currently null, creates a default {@link AccessDecisionManager} using
* {@link #createDefaultAccessDecisionManager()}. Otherwise returns the
* {@link #createDefaultAccessDecisionManager(HttpSecurityBuilder)}. Otherwise returns the
* {@link AccessDecisionManager}.
*
* @param http the builder to use
@@ -84,7 +84,7 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
* @param accessDeniedUrl the URL to the access denied page (i.e. /errors/401)
* @return the {@link ExceptionHandlingConfigurer} for further customization
* @see AccessDeniedHandlerImpl
* @see {@link #accessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler)}
* @see #accessDeniedHandler(org.springframework.security.web.access.AccessDeniedHandler)
*/
public ExceptionHandlingConfigurer<H> accessDeniedPage(String accessDeniedUrl) {
AccessDeniedHandlerImpl accessDeniedHandler = new AccessDeniedHandlerImpl();
@@ -70,7 +70,7 @@ import org.springframework.util.StringUtils;
*
* @author Rob Winch
* @since 3.2
* @see {@link org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests()}
* @see org.springframework.security.config.annotation.web.builders.HttpSecurity#authorizeRequests()
*/
public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>>
extends
@@ -339,7 +339,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
*
* @return the {@link ExpressionUrlAuthorizationConfigurer} for further
* customization
* @see {@link RememberMeConfigurer}
* @see RememberMeConfigurer
*/
public ExpressionInterceptUrlRegistry rememberMe() {
return access(rememberMe);
@@ -371,7 +371,7 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
*
* @return the {@link ExpressionUrlAuthorizationConfigurer} for further
* customization
* @see {@link RememberMeConfigurer}
* @see RememberMeConfigurer
*/
public ExpressionInterceptUrlRegistry fullyAuthenticated() {
return access(fullyAuthenticated);
@@ -53,7 +53,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
* The following shared objects are used:
*
* <ul>
* <li>{@link AuthenticationManager}</li>
* <li>{@link org.springframework.security.authentication.AuthenticationManager}</li>
* <li>{@link RememberMeServices} - is optionally used. See {@link RememberMeConfigurer}</li>
* <li>{@link SessionAuthenticationStrategy} - is optionally used. See
* {@link SessionManagementConfigurer}</li>
@@ -186,7 +186,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
* X-XSS-Protection: 1
* </pre>
*
* or if {@link #setBlock(boolean)} is true
* or if {@link XXssProtectionHeaderWriter#setBlock(boolean)} of the given {@link XXssProtectionHeaderWriter} is true
*
*
* <pre>
@@ -83,7 +83,7 @@ public final class HttpBasicConfigurer<B extends HttpSecurityBuilder<B>> extends
/**
* Creates a new instance
* @throws Exception
* @see {@link HttpSecurity#httpBasic()}
* @see HttpSecurity#httpBasic()
*/
public HttpBasicConfigurer() throws Exception {
realmName(DEFAULT_REALM);
@@ -187,7 +187,7 @@ public final class JeeConfigurer<H extends HttpSecurityBuilder<H>> extends
* Populates a {@link PreAuthenticatedAuthenticationProvider} into
* {@link HttpSecurity#authenticationProvider(org.springframework.security.authentication.AuthenticationProvider)}
* and a {@link Http403ForbiddenEntryPoint} into
* {@link HttpSecurity#authenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint)}
* {@link HttpSecurityBuilder#setSharedObject(Class, Object)}
*
* @see org.springframework.security.config.annotation.SecurityConfigurerAdapter#init(org.springframework.security.config.annotation.SecurityBuilder)
*/
@@ -23,6 +23,7 @@ import javax.servlet.http.HttpSession;
import org.springframework.security.config.annotation.SecurityConfigurer;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
@@ -35,7 +36,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
/**
* Adds logout support. Other {@link SecurityConfigurer} instances may invoke
* {@link #addLogoutHandler(LogoutHandler)} in the {@link #init(HttpSecurity)} phase.
* {@link #addLogoutHandler(LogoutHandler)} in the {@link #init(HttpSecurityBuilder)} phase.
*
* <h2>Security Filters</h2>
*
@@ -88,6 +89,17 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends
return this;
}
/**
* Specifies if {@link SecurityContextLogoutHandler} should clear the {@link Authentication} at the time of logout.
* @param clearAuthentication true {@link SecurityContextLogoutHandler} should clear the {@link Authentication} (default), or false otherwise.
* @return the {@link LogoutConfigurer} for further customization
*/
public LogoutConfigurer<H> clearAuthentication(boolean clearAuthentication) {
contextLogoutHandler.setClearAuthentication(clearAuthentication);
return this;
}
/**
* Configures {@link SecurityContextLogoutHandler} to invalidate the
* {@link HttpSession} at the time of logout.
@@ -199,7 +199,7 @@ public final class OpenIDLoginConfigurer<H extends HttpSecurityBuilder<H>>
* {@link HttpServletRequest} matches this URL the {@link OpenIDAuthenticationFilter}
* will attempt to authenticate the request. The default is "/login/openid".
*
* @param loginUrl the URL used to perform authentication
* @param loginProcessingUrl the URL used to perform authentication
* @return the {@link OpenIDLoginConfigurer} for additional customization
*/
public OpenIDLoginConfigurer<H> loginProcessingUrl(String loginProcessingUrl) {
@@ -105,7 +105,7 @@ public class MessageSecurityMetadataSourceRegistry {
* {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)} .
*
* @return the {@link Constraint} that is associated to the {@link MessageMatcher}
* @see {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}
* @see MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)
*/
public Constraint simpDestMatchers(String... patterns) {
return simpDestMatchers(null, patterns);
@@ -122,7 +122,7 @@ public class MessageSecurityMetadataSourceRegistry {
* {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}.
*
* @return the {@link Constraint} that is associated to the {@link MessageMatcher}
* @see {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}
* @see MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)
*/
public Constraint simpMessageDestMatchers(String... patterns) {
return simpDestMatchers(SimpMessageType.MESSAGE, patterns);
@@ -139,7 +139,7 @@ public class MessageSecurityMetadataSourceRegistry {
* {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}.
*
* @return the {@link Constraint} that is associated to the {@link MessageMatcher}
* @see {@link MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)}
* @see MessageSecurityMetadataSourceRegistry#simpDestPathMatcher(PathMatcher)
*/
public Constraint simpSubscribeDestMatchers(String... patterns) {
return simpDestMatchers(SimpMessageType.SUBSCRIBE, patterns);
@@ -353,7 +353,7 @@ public class MessageSecurityMetadataSourceRegistry {
*
* @return the {@link MessageSecurityMetadataSourceRegistry} for further
* customization
* @see {@link RememberMeConfigurer}
* @see RememberMeConfigurer
*/
public MessageSecurityMetadataSourceRegistry rememberMe() {
return access(rememberMe);
@@ -385,7 +385,7 @@ public class MessageSecurityMetadataSourceRegistry {
*
* @return the {@link MessageSecurityMetadataSourceRegistry} for further
* customization
* @see {@link RememberMeConfigurer}
* @see RememberMeConfigurer
*/
public MessageSecurityMetadataSourceRegistry fullyAuthenticated() {
return access(fullyAuthenticated);
@@ -30,7 +30,7 @@ import org.springframework.web.servlet.support.RequestDataValueProcessor;
/**
* Used to add a {@link RequestDataValueProcessor} for Spring MVC and Spring Security CSRF
* integration. This configuration is added whenever {@link EnableWebMvc} is added by
* {@link SpringWebMvcImportSelector} and the DispatcherServlet is present on the
* <a href="{@docRoot}/org/springframework/security/config/annotation/web/configuration/SpringWebMvcImportSelector.html">SpringWebMvcImportSelector</a> and the DispatcherServlet is present on the
* classpath. It also adds the {@link AuthenticationPrincipalArgumentResolver} as a
* {@link HandlerMethodArgumentResolver}.
*
@@ -25,7 +25,7 @@ import org.springframework.util.xml.DomUtils;
import org.w3c.dom.Element;
/**
* Stateful parser for the <password-encoder> element.
* Stateful parser for the &lt;password-encoder&gt; element.
*
* Will produce a PasswordEncoder and (optionally) a SaltSource.
*
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2012 the original author or authors.
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -33,6 +33,7 @@ import org.w3c.dom.Element;
* @author Luke Taylor
* @author Ben Alex
* @author Rob Winch
* @author Kazuki Shimizu
*/
public class FormLoginBeanDefinitionParser {
protected final Log logger = LogFactory.getLog(getClass());
@@ -209,9 +210,9 @@ public class FormLoginBeanDefinitionParser {
BeanDefinitionBuilder failureHandler = BeanDefinitionBuilder
.rootBeanDefinition(SimpleUrlAuthenticationFailureHandler.class);
if (!StringUtils.hasText(authenticationFailureUrl)) {
// Fall back to redisplaying the custom login page, if one was specified.
// Fall back to re-displaying the custom login page, if one was specified.
if (StringUtils.hasText(loginPage)) {
authenticationFailureUrl = loginPage;
authenticationFailureUrl = loginPage + "?" + DefaultLoginPageGeneratingFilter.ERROR_PARAMETER_NAME;
}
else {
authenticationFailureUrl = DEF_FORM_LOGIN_AUTHENTICATION_FAILURE_URL;
@@ -310,36 +310,36 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
verify(repo).saveToken(eq(null),any(HttpServletRequest), any(HttpServletResponse))
}
def "SEC-2495: csrf disables logout on GET"() {
setup:
httpAutoConfig {
'csrf'()
}
createAppContext()
login()
request.method = "GET"
request.requestURI = "/logout"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
getAuthentication(request) != null
}
def "SEC-2495: csrf disables logout on GET"() {
setup:
httpAutoConfig {
'csrf'()
}
createAppContext()
login()
request.method = "GET"
request.requestURI = "/logout"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
getAuthentication(request) != null
}
def login(String username="user", String role="ROLE_USER") {
login(new UsernamePasswordAuthenticationToken(username, null, AuthorityUtils.createAuthorityList(role)))
}
def login(String username="user", String role="ROLE_USER") {
login(new UsernamePasswordAuthenticationToken(username, null, AuthorityUtils.createAuthorityList(role)))
}
def login(Authentication auth) {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
repo.loadContext(requestResponseHolder)
repo.saveContext(new SecurityContextImpl(authentication:auth), requestResponseHolder.request, requestResponseHolder.response)
}
def login(Authentication auth) {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
repo.loadContext(requestResponseHolder)
repo.saveContext(new SecurityContextImpl(authentication:auth), requestResponseHolder.request, requestResponseHolder.response)
}
def getAuthentication(HttpServletRequest request) {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
repo.loadContext(requestResponseHolder)?.authentication
}
def getAuthentication(HttpServletRequest request) {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
repo.loadContext(requestResponseHolder)?.authentication
}
}
@@ -1,14 +1,19 @@
package org.springframework.security.config.http
import javax.servlet.http.HttpServletResponse
import org.springframework.beans.factory.BeanCreationException
import org.springframework.mock.web.MockFilterChain
import org.springframework.mock.web.MockHttpServletRequest
import org.springframework.mock.web.MockHttpServletResponse
import org.springframework.security.util.FieldUtils
import org.springframework.security.web.access.ExceptionTranslationFilter
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.util.ReflectionUtils;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter
import spock.lang.Unroll;
/**
*
@@ -116,4 +121,41 @@ class FormLoginConfigTests extends AbstractHttpConfigTests {
then:
getFilter(DefaultLoginPageGeneratingFilter) == null
}
@Unroll
def 'Form Login requires CSRF Token #csrfDisabled'(int status, boolean csrfDisabled) {
setup:
MockHttpServletRequest request = new MockHttpServletRequest(method:'POST',servletPath:'/login')
request.setParameter('username','user')
request.setParameter('password','password')
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
httpAutoConfig {
'form-login'()
csrf(disabled:csrfDisabled) {}
}
createAppContext()
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
response.status == status
where:
status | csrfDisabled
HttpServletResponse.SC_FORBIDDEN | false
HttpServletResponse.SC_MOVED_TEMPORARILY | true
}
def 'SEC-3147: authentication-failure-url should be contained "error" parameter if login-page="/login"'() {
xml.http {
'form-login'('login-page':'/login')
}
createAppContext()
def apf = getFilter(UsernamePasswordAuthenticationFilter.class);
expect:
apf.failureHandler.defaultFailureUrl == '/login?error'
}
}
@@ -0,0 +1,100 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import static org.fest.assertions.Assertions.assertThat;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
/**
* @author Rob Winch
*
*/
public class AuthorizeRequestsTests {
AnnotationConfigWebApplicationContext context;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Autowired
FilterChainProxy springSecurityFilterChain;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@After
public void cleanup() {
if(context != null) {
context.close();
}
}
// SEC-3135
@Test
public void antMatchersMethodAndNoPatterns() throws Exception {
loadConfig(AntMatchersNoPatternsConfig.class);
request.setMethod("POST");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
}
@EnableWebSecurity
@Configuration
static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers(HttpMethod.POST).denyAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication();
}
}
public void loadConfig(Class<?>... configs) {
context = new AnnotationConfigWebApplicationContext();
context.register(configs);
context.refresh();
context.getAutowireCapableBeanFactory().autowireBean(this);
}
}
@@ -24,6 +24,7 @@ import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -78,6 +79,7 @@ public class CsrfConfigurerNoWebMvcTests {
@EnableWebSecurity
static class EnableWebOverrideRequestDataConfig {
@Bean
@Primary
public RequestDataValueProcessor requestDataValueProcessor() {
return mock(RequestDataValueProcessor.class);
}
@@ -0,0 +1,136 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import static org.fest.assertions.Assertions.assertThat;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
/**
* @author Rob Winch
*
*/
public class HttpSecurityAntMatchersTests {
AnnotationConfigWebApplicationContext context;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Autowired
FilterChainProxy springSecurityFilterChain;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@After
public void cleanup() {
if(context != null) {
context.close();
}
}
// SEC-3135
@Test
public void antMatchersMethodAndNoPatterns() throws Exception {
loadConfig(AntMatchersNoPatternsConfig.class);
request.setMethod("POST");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
}
@EnableWebSecurity
@Configuration
static class AntMatchersNoPatternsConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers(HttpMethod.POST)
.and()
.authorizeRequests()
.anyRequest().denyAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication();
}
}
// SEC-3135
@Test
public void antMatchersMethodAndEmptyPatterns() throws Exception {
loadConfig(AntMatchersEmptyPatternsConfig.class);
request.setMethod("POST");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}
@EnableWebSecurity
@Configuration
static class AntMatchersEmptyPatternsConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.requestMatchers()
.antMatchers("/never/")
.antMatchers(HttpMethod.POST, new String[0])
.and()
.authorizeRequests()
.anyRequest().denyAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication();
}
}
public void loadConfig(Class<?>... configs) {
context = new AnnotationConfigWebApplicationContext();
context.register(configs);
context.refresh();
context.getAutowireCapableBeanFactory().autowireBean(this);
}
}
@@ -0,0 +1,112 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import static org.fest.assertions.Assertions.assertThat;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
/**
* @author Rob Winch
*
*/
public class HttpSecurityLogoutTests {
AnnotationConfigWebApplicationContext context;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Autowired
FilterChainProxy springSecurityFilterChain;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
chain = new MockFilterChain();
}
@After
public void cleanup() {
if(context != null) {
context.close();
}
}
// SEC-2848
@Test
public void clearAuthenticationFalse() throws Exception {
loadConfig(ClearAuthenticationFalseConfig.class);
SecurityContext currentContext = SecurityContextHolder.createEmptyContext();
currentContext.setAuthentication(new TestingAuthenticationToken("user", "password","ROLE_USER"));
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, currentContext);
request.setMethod("POST");
request.setServletPath("/logout");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(currentContext.getAuthentication()).isNotNull();
}
@EnableWebSecurity
@Configuration
static class ClearAuthenticationFalseConfig extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.logout()
.clearAuthentication(false);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication();
}
}
public void loadConfig(Class<?>... configs) {
context = new AnnotationConfigWebApplicationContext();
context.register(configs);
context.refresh();
context.getAutowireCapableBeanFactory().autowireBean(this);
}
}
@@ -0,0 +1,67 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.http.customconfigurer;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationContext;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
import org.springframework.security.web.DefaultSecurityFilterChain;
/**
* @author Rob Winch
*
*/
public class CustomConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,HttpSecurity> {
@Value("${permitAllPattern}")
private String permitAllPattern;
private String loginPage = "/login";
/* (non-Javadoc)
* @see org.springframework.security.config.annotation.SecurityConfigurerAdapter#init(org.springframework.security.config.annotation.SecurityBuilder)
*/
@SuppressWarnings("unchecked")
@Override
public void init(HttpSecurity http) throws Exception {
// autowire this bean
ApplicationContext context = http.getSharedObject(ApplicationContext.class);
context.getAutowireCapableBeanFactory().autowireBean(this);
http
.authorizeRequests()
.antMatchers(permitAllPattern).permitAll()
.anyRequest().authenticated();
if(http.getConfigurer(FormLoginConfigurer.class) == null) {
// only apply if formLogin() was not invoked by the user
http
.formLogin()
.loginPage(loginPage);
}
}
public CustomConfigurer loginPage(String loginPage) {
this.loginPage = loginPage;
return this;
}
public static CustomConfigurer customConfigurer() {
return new CustomConfigurer();
}
}
@@ -0,0 +1,164 @@
/*
* Copyright 2002-2015 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.http.customconfigurer;
import static org.fest.assertions.Assertions.assertThat;
import static org.springframework.security.config.http.customconfigurer.CustomConfigurer.customConfigurer;
import java.util.Properties;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.FilterChainProxy;
/**
* @author Rob Winch
*
*/
public class CustomHttpSecurityConfigurerTests {
@Autowired
ConfigurableApplicationContext context;
@Autowired
FilterChainProxy springSecurityFilterChain;
MockHttpServletRequest request;
MockHttpServletResponse response;
MockFilterChain chain;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
chain = new MockFilterChain();
request.setMethod("GET");
}
@After
public void cleanup() {
if(context != null) {
context.close();
}
}
@Test
public void customConfiguerPermitAll() throws Exception {
loadContext(Config.class);
request.setPathInfo("/public/something");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}
@Test
public void customConfiguerFormLogin() throws Exception {
loadContext(Config.class);
request.setPathInfo("/requires-authentication");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getRedirectedUrl()).endsWith("/custom");
}
@Test
public void customConfiguerCustomizeDisablesCsrf() throws Exception {
loadContext(ConfigCustomize.class);
request.setPathInfo("/public/something");
request.setMethod("POST");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
}
@Test
public void customConfiguerCustomizeFormLogin() throws Exception {
loadContext(ConfigCustomize.class);
request.setPathInfo("/requires-authentication");
springSecurityFilterChain.doFilter(request, response, chain);
assertThat(response.getRedirectedUrl()).endsWith("/other");
}
private void loadContext(Class<?> clazz) {
AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext(clazz);
context.getAutowireCapableBeanFactory().autowireBean(this);
}
@EnableWebSecurity
static class Config extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.apply(customConfigurer())
.loginPage("/custom");
}
@Bean
public static PropertyPlaceholderConfigurer propertyPlaceholderConfigurer() {
// Typically externalize this as a properties file
Properties properties = new Properties();
properties.setProperty("permitAllPattern", "/public/**");
PropertyPlaceholderConfigurer propertyPlaceholderConfigurer = new PropertyPlaceholderConfigurer();
propertyPlaceholderConfigurer.setProperties(properties);
return propertyPlaceholderConfigurer;
}
}
@EnableWebSecurity
static class ConfigCustomize extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.apply(customConfigurer())
.and()
.csrf().disable()
.formLogin()
.loginPage("/other");
}
@Bean
public static PropertyPlaceholderConfigurer propertyPlaceholderConfigurer() {
// Typically externalize this as a properties file
Properties properties = new Properties();
properties.setProperty("permitAllPattern", "/public/**");
PropertyPlaceholderConfigurer propertyPlaceholderConfigurer = new PropertyPlaceholderConfigurer();
propertyPlaceholderConfigurer.setProperties(properties);
return propertyPlaceholderConfigurer;
}
}
}
+2 -2
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-core</name>
<description>spring-security-core</description>
<url>http://spring.io/spring-security</url>
@@ -269,7 +269,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@@ -45,7 +45,7 @@ public interface SecurityExpressionOperations {
* is converted may depend on the implementation settings.
* </p>
*
* @param authority the authority to test (i.e. "USER")
* @param role the authority to test (i.e. "USER")
* @return true if the authority is found, else false
*/
boolean hasRole(String role);
@@ -62,7 +62,7 @@ public interface SecurityExpressionOperations {
* is converted may depend on the implementation settings.
* </p>
*
* @param authorities the authorities to test (i.e. "USER", "ADMIN")
* @param roles the authorities to test (i.e. "USER", "ADMIN")
* @return true if any of the authorities is found, else false
*/
boolean hasAnyRole(String... roles);
@@ -195,8 +195,8 @@ public class DefaultMethodSecurityExpressionHandler extends
/**
* <p>
* Sets the default prefix to be added to {@link #hasAnyRole(String...)} or
* {@link #hasRole(String)}. For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN")
* Sets the default prefix to be added to {@link org.springframework.security.access.expression.SecurityExpressionRoot#hasAnyRole(String...)} or
* {@link org.springframework.security.access.expression.SecurityExpressionRoot#hasRole(String)}. For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN")
* is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is
* "ROLE_" (default).
* </p>
@@ -32,7 +32,7 @@ public interface RoleHierarchy {
* that are (transitively) reachable from them in the role hierarchy.
* <p>
* Example:<br>
* Role hierarchy: ROLE_A > ROLE_B and ROLE_B > ROLE_C.<br>
* Role hierarchy: ROLE_A &gt; ROLE_B and ROLE_B &gt; ROLE_C.<br>
* Directly assigned authority: ROLE_A.<br>
* Reachable authorities: ROLE_A, ROLE_B, ROLE_C.
*
@@ -27,7 +27,7 @@ import java.util.regex.Pattern;
/**
* <p>
* This class defines a role hierarchy for use with the UserDetailsServiceWrapper.
* </p>
*
* <p>
* Here is an example configuration of a role hierarchy (hint: read the "&gt;" sign as
* "includes"):
@@ -41,19 +41,18 @@ import java.util.regex.Pattern;
* &lt;/value&gt;
* &lt;/property&gt;
* </pre>
*
* </p>
*
* <p>
* Explanation of the above:<br>
* In effect every user with ROLE_A also has ROLE_B, ROLE_AUTHENTICATED and
* ROLE_UNAUTHENTICATED;<br>
* every user with ROLE_B also has ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;<br>
* every user with ROLE_AUTHENTICATED also has ROLE_UNAUTHENTICATED.
* </p>
*
* <p>
* Hierarchical Roles will dramatically shorten your access rules (and also make the
* access rules much more elegant).
* </p>
*
* <p>
* Consider this access rule for Spring Security's RoleVoter (background: every user that
* is authenticated should be able to log out):<br>
@@ -62,10 +61,8 @@ import java.util.regex.Pattern;
* /logout.html=ROLE_AUTHENTICATED<br>
* In addition to shorter rules this will also make your access rules more readable and
* your intentions clearer.
* </p>
*
* @author Michael Mayr
*
*/
public class RoleHierarchyImpl implements RoleHierarchy {
@@ -8,7 +8,7 @@
* security facilities provided for it by Spring Security.
* For example, one secure object would be <code>MethodInvocation</code>,
* whilst another would be HTTP
* {@link org.springframework.security.web.FilterInvocation}. Note these are
* {@code org.springframework.security.web.FilterInvocation}. Note these are
* infrastructure objects and their design allows them to represent a large
* variety of actual resources that might need to be secured, such as business
* objects or HTTP request URLs.
@@ -107,7 +107,7 @@ public class MapBasedMethodSecurityMetadataSource extends
/**
* Add configuration attributes for a secure method. Method names can end or start
* with <code>&#42</code> for matching multiple methods.
* with <code>*</code> for matching multiple methods.
*
* @param name type and method name, separated by a dot
* @param attr the security attributes associated with the method
@@ -131,7 +131,7 @@ public class MapBasedMethodSecurityMetadataSource extends
/**
* Add configuration attributes for a secure method. Mapped method names can end or
* start with <code>&#42</code> for matching multiple methods.
* start with <code>*</code> for matching multiple methods.
*
* @param javaType target interface or class the security configuration attribute
* applies to
@@ -33,11 +33,11 @@ import org.springframework.util.Assert;
/**
* Abstract implementation of {@link AccessDecisionManager}.
* <p/>
*
* <p>
* Handles configuration of a bean context defined list of {@link AccessDecisionVoter}s
* and the access control behaviour if all voters abstain from voting (defaults to deny
* access).
* </p>
*/
public abstract class AbstractAccessDecisionManager implements AccessDecisionManager,
InitializingBean, MessageSourceAware {
@@ -101,10 +101,9 @@ public abstract class AbstractAccessDecisionManager implements AccessDecisionMan
/**
* Iterates through all <code>AccessDecisionVoter</code>s and ensures each can support
* the presented class.
* <p/>
* <p>
* If one or more voters cannot support the presented class, <code>false</code> is
* returned.
* </p>
*
* @param clazz the type of secured object being presented
* @return true if this type is supported
@@ -95,6 +95,9 @@ public class RoleVoter implements AccessDecisionVoter<Object> {
public int vote(Authentication authentication, Object object,
Collection<ConfigAttribute> attributes) {
if(authentication == null) {
return ACCESS_DENIED;
}
int result = ACCESS_ABSTAIN;
Collection<? extends GrantedAuthority> authorities = extractAuthorities(authentication);
@@ -24,7 +24,7 @@ package org.springframework.security.authentication.encoding;
* </p>
* <p>
* As SHA is a one-way hash, the salt can contain any characters. The default strength for
* the SHA encoding is SHA-1. If you wish to use higher strengths use the argumented
* the SHA encoding is SHA-1. If you wish to use higher strengths use the parametrised
* constructor. {@link #ShaPasswordEncoder(int strength)}
* </p>
* <p>
@@ -32,7 +32,7 @@ package org.springframework.security.authentication.encoding;
*
* <pre>
* &lt;bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"&gt;
* &lt;constructor-arg value="256"/>
* &lt;constructor-arg value="256"/&gt;
* &lt;/bean&gt;
* </pre>
*
@@ -51,7 +51,7 @@ import org.springframework.util.ObjectUtils;
* This <code>AuthenticationProvider</code> is capable of validating
* {@link org.springframework.security.authentication.UsernamePasswordAuthenticationToken}
* requests contain the correct username and password.
* </p>
*
* <p>
* This implementation is backed by a <a
* href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html"
@@ -68,7 +68,7 @@ import org.springframework.util.ObjectUtils;
* in the ApplicationContext. When the LoginContext calls the internal CallbackHandler,
* control is passed to each {@link JaasAuthenticationCallbackHandler} for each Callback
* passed.
* </p>
*
* <p>
* {@link JaasAuthenticationCallbackHandler}s are passed to the
* AbstractJaasAuthenticationProvider through the
@@ -84,8 +84,7 @@ import org.springframework.util.ObjectUtils;
* &lt;/list&gt;
* &lt;/property&gt;
* </pre>
*
* </p>
*
* <p>
* After calling LoginContext.login(), the AbstractJaasAuthenticationProvider will
* retrieve the returned Principals from the Subject
@@ -95,7 +94,7 @@ import org.springframework.util.ObjectUtils;
* Authorization a role, it returns that role name from it's
* {@link AuthorityGranter#grant(java.security.Principal)} method. The returned role will
* be applied to the Authorization object as a {@link GrantedAuthority}.
* </p>
*
* <p>
* AuthorityGranters are configured in spring xml as follows...
*
@@ -61,8 +61,7 @@ import java.security.Security;
* &lt;value&gt;/WEB-INF/login.conf&lt;/value&gt;
* &lt;/property&gt;
* </pre>
*
* </p>
*
* <p>
* The loginContextName should coincide with a given index in the loginConfig specifed.
* The loginConfig file used in the JUnit tests appears as the following...
@@ -80,7 +79,6 @@ import java.security.Security;
* &lt;property name="loginContextName"&gt; &lt;value&gt;JAASTest&lt;/value&gt; &lt;/property&gt;
* </pre>
*
* </p>
* <p>
* When using JAAS login modules as the authentication source, sometimes the <a href=
* "http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html"
@@ -91,7 +89,7 @@ import java.security.Security;
* in the ApplicationContext. When the LoginContext calls the internal CallbackHandler,
* control is passed to each {@link JaasAuthenticationCallbackHandler} for each Callback
* passed.
* </p>
*
* <p>
* {@link JaasAuthenticationCallbackHandler}s are passed to the JaasAuthenticationProvider
* through the
@@ -108,7 +106,6 @@ import java.security.Security;
* &lt;/property&gt;
* </pre>
*
* </p>
* <p>
* After calling LoginContext.login(), the JaasAuthenticationProvider will retrieve the
* returned Principals from the Subject (LoginContext.getSubject().getPrincipals). Each
@@ -130,10 +127,9 @@ import java.security.Security;
* </pre>
*
* A configuration note: The JaasAuthenticationProvider uses the security properites
* &quote;login.config.url.X&quote; to configure jaas. If you would like to customize the
* "login.config.url.X" to configure jaas. If you would like to customize the
* way Jaas gets configured, create a subclass of this and override the
* {@link #configureJaas(Resource)} method.
* </p>
*
* @author Ray Krueger
* @author Rob Winch
@@ -25,10 +25,8 @@ import org.springframework.util.Assert;
* then removing the {@link SecurityContext} after the delegate has completed.
* </p>
* <p>
* By default the {@link SecurityContext} is only setup if {@link #call()} is
* invoked on a separate {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on. This can be
* overridden by setting {@link #setEnableOnOriginalThread(boolean)} to true.
* If there is a {@link SecurityContext} that already exists, it will be
* restored after the {@link #call()} method is invoked.
* </p>
*
* @author Rob Winch
@@ -38,11 +36,18 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
private final Callable<V> delegate;
private final SecurityContext securityContext;
private final Thread originalThread;
/**
* The {@link SecurityContext} that the delegate {@link Callable} will be
* ran as.
*/
private final SecurityContext delegateSecurityContext;
private boolean enableOnOriginalThread;
/**
* The {@link SecurityContext} that was on the {@link SecurityContextHolder}
* prior to being set to the delegateSecurityContext.
*/
private SecurityContext originalSecurityContext;
/**
* Creates a new {@link DelegatingSecurityContextCallable} with a specific
@@ -57,8 +62,7 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
Assert.notNull(delegate, "delegate cannot be null");
Assert.notNull(securityContext, "securityContext cannot be null");
this.delegate = delegate;
this.securityContext = securityContext;
this.originalThread = Thread.currentThread();
this.delegateSecurityContext = securityContext;
}
/**
@@ -71,33 +75,21 @@ public final class DelegatingSecurityContextCallable<V> implements Callable<V> {
this(delegate, SecurityContextHolder.getContext());
}
/**
* Determines if the SecurityContext should be transfered if {@link #call()}
* is invoked on the same {@link Thread} the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @param enableOnOriginalThread
* if false (default), will only transfer the
* {@link SecurityContext} if {@link #call()} is invoked on a
* different {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @since 4.0.2
*/
public void setEnableOnOriginalThread(boolean enableOnOriginalThread) {
this.enableOnOriginalThread = enableOnOriginalThread;
}
public V call() throws Exception {
if(!enableOnOriginalThread && originalThread == Thread.currentThread()) {
return delegate.call();
}
this.originalSecurityContext = SecurityContextHolder.getContext();
try {
SecurityContextHolder.setContext(securityContext);
SecurityContextHolder.setContext(delegateSecurityContext);
return delegate.call();
}
finally {
SecurityContextHolder.clearContext();
SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
if(emptyContext.equals(originalSecurityContext)) {
SecurityContextHolder.clearContext();
} else {
SecurityContextHolder.setContext(originalSecurityContext);
}
this.originalSecurityContext = null;
}
}
@@ -55,7 +55,7 @@ public class DelegatingSecurityContextExecutorService extends
* Creates a new {@link DelegatingSecurityContextExecutorService} that uses the
* current {@link SecurityContext} from the {@link SecurityContextHolder}.
*
* @param delegateTaskExecutor the {@link TaskExecutor} to delegate to. Cannot be
* @param delegate the {@link ExecutorService} to delegate to. Cannot be
* null.
*/
public DelegatingSecurityContextExecutorService(ExecutorService delegate) {
@@ -23,10 +23,8 @@ import org.springframework.util.Assert;
* {@link SecurityContext} after the delegate has completed.
* </p>
* <p>
* By default the {@link SecurityContext} is only setup if {@link #run()} is
* invoked on a separate {@link Thread} than the
* {@link DelegatingSecurityContextRunnable} was created on. This can be
* overridden by setting {@link #setEnableOnOriginalThread(boolean)} to true.
* If there is a {@link SecurityContext} that already exists, it will be
* restored after the {@link #run()} method is invoked.
* </p>
*
* @author Rob Winch
@@ -36,11 +34,17 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
private final Runnable delegate;
private final SecurityContext securityContext;
/**
* The {@link SecurityContext} that the delegate {@link Runnable} will be
* ran as.
*/
private final SecurityContext delegateSecurityContext;
private final Thread originalThread;
private boolean enableOnOriginalThread;
/**
* The {@link SecurityContext} that was on the {@link SecurityContextHolder}
* prior to being set to the delegateSecurityContext.
*/
private SecurityContext originalSecurityContext;
/**
* Creates a new {@link DelegatingSecurityContextRunnable} with a specific
@@ -55,8 +59,7 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
Assert.notNull(delegate, "delegate cannot be null");
Assert.notNull(securityContext, "securityContext cannot be null");
this.delegate = delegate;
this.securityContext = securityContext;
this.originalThread = Thread.currentThread();
this.delegateSecurityContext = securityContext;
}
/**
@@ -69,33 +72,21 @@ public final class DelegatingSecurityContextRunnable implements Runnable {
this(delegate, SecurityContextHolder.getContext());
}
/**
* Determines if the SecurityContext should be transfered if {@link #call()}
* is invoked on the same {@link Thread} the
* {@link DelegatingSecurityContextCallable} was created on.
*
* @param enableOnOriginalThread
* if false (default), will only transfer the
* {@link SecurityContext} if {@link #call()} is invoked on a
* different {@link Thread} than the
* {@link DelegatingSecurityContextCallable} was created on.
* @since 4.0.2
*/
public void setEnableOnOriginalThread(boolean enableOnOriginalThread) {
this.enableOnOriginalThread = enableOnOriginalThread;
}
public void run() {
if(!enableOnOriginalThread && originalThread == Thread.currentThread()) {
delegate.run();
return;
}
this.originalSecurityContext = SecurityContextHolder.getContext();
try {
SecurityContextHolder.setContext(securityContext);
SecurityContextHolder.setContext(delegateSecurityContext);
delegate.run();
}
finally {
SecurityContextHolder.clearContext();
SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
if(emptyContext.equals(originalSecurityContext)) {
SecurityContextHolder.clearContext();
} else {
SecurityContextHolder.setContext(originalSecurityContext);
}
this.originalSecurityContext = null;
}
}
@@ -51,7 +51,7 @@ public final class DelegatingSecurityContextScheduledExecutorService extends
* Creates a new {@link DelegatingSecurityContextScheduledExecutorService} that uses
* the current {@link SecurityContext} from the {@link SecurityContextHolder}.
*
* @param delegateTaskExecutor the {@link TaskExecutor} to delegate to. Cannot be
* @param delegate the {@link ScheduledExecutorService} to delegate to. Cannot be
* null.
*/
public DelegatingSecurityContextScheduledExecutorService(
@@ -24,7 +24,7 @@ public class SpringSecurityCoreVersion {
*/
public static final long SERIAL_VERSION_UID = 400L;
static final String MIN_SPRING_VERSION = "4.1.6.RELEASE";
static final String MIN_SPRING_VERSION = "4.2.5.RELEASE";
static {
performVersionChecks();
@@ -30,7 +30,9 @@ import org.springframework.security.core.Authentication;
* @author Rob Winch
* @since 4.0
*
* @see org.springframework.security.messaging.context.AuthenticationPrincipalArgumentResolver
* See: <a href="{@docRoot}/org/springframework/security/messaging/context/AuthenticationPrincipalArgumentResolver.html">
* AuthenticationPrincipalArgumentResolver
* </a>
*/
@Target({ ElementType.PARAMETER, ElementType.ANNOTATION_TYPE })
@Retention(RetentionPolicy.RUNTIME)
@@ -40,7 +40,7 @@ import org.springframework.util.ReflectionUtils;
* <pre>
* import org.springframework.security.access.method.P;
*
* @PostAuthorize("#to == returnObject.to")
* {@code @PostAuthorize("#to == returnObject.to")}
* public Message findMessageByTo(@P("to") String to);
* </pre>
*
@@ -70,7 +70,7 @@ import org.springframework.util.ReflectionUtils;
* <pre>
* import org.springframework.security.access.method.P;
*
* @PostAuthorize("#to == returnObject.to")
* {@code @PostAuthorize("#to == returnObject.to")}
* public Message findMessageByToAndFrom(@P("to") User to, User from);
* </pre>
*
@@ -32,9 +32,8 @@ import java.util.concurrent.CopyOnWriteArraySet;
* SessionDestroyedEvent}s published in the Spring application context.
* <p>
* For this class to function correctly in a web application, it is important that you
* register an {@link org.springframework.security.web.session.HttpSessionEventPublisher
* HttpSessionEventPublisher} in the <tt>web.xml</tt> file so that this class is notified
* of sessions that expire.
* register an <a href="{@docRoot}/org/springframework/security/web/session/HttpSessionEventPublisher.html">HttpSessionEventPublisher</a>
* in the <tt>web.xml</tt> file so that this class is notified of sessions that expire.
*
* @author Ben Alex
* @author Luke Taylor
@@ -145,7 +145,7 @@ public class KeyBasedPersistenceTokenService implements TokenService, Initializi
}
/**
* @param pseudoRandomNumberBytes changes the number of bytes issued (must be >= 0;
* @param pseudoRandomNumberBytes changes the number of bytes issued (must be &gt;= 0;
* defaults to 256)
*/
public void setPseudoRandomNumberBytes(int pseudoRandomNumberBytes) {
@@ -38,7 +38,7 @@ public interface TokenService {
Token allocateToken(String extendedInformation);
/**
* Permits verification the <{@link Token#getKey()} was issued by this
* Permits verification the {@link Token#getKey()} was issued by this
* <code>TokenService</code> and reconstructs the corresponding <code>Token</code>.
*
* @param key as obtained from {@link Token#getKey()} and created by this
@@ -47,7 +47,7 @@ import org.springframework.util.Assert;
*
* This table contains the login name, password and enabled status of the user.
*
* <table>
* <table summary="The Users Table">
* <tr>
* <th>Column</th>
* </tr>
@@ -64,7 +64,7 @@ import org.springframework.util.Assert;
*
* <h4>The Authorities Table</h4>
*
* <table>
* <table summary="The Authorities Table">
* <tr>
* <th>Column</th>
* </tr>
@@ -23,7 +23,7 @@ import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
/**
* Used by {@link InMemoryDaoImpl} to temporarily store the attributes associated with a
* Used by {@link org.springframework.security.provisioning.InMemoryUserDetailsManager} to temporarily store the attributes associated with a
* user.
*
* @author Ben Alex
@@ -50,7 +50,7 @@ public class UserAttribute {
/**
* Set all authorities for this user.
*
* @param authorities {@link List} &lt;{@link GrantedAuthority}>
* @param authorities {@link List} &lt;{@link GrantedAuthority}&gt;
* @since 1.1
*/
public void setAuthorities(List<GrantedAuthority> authorities) {
@@ -61,7 +61,7 @@ public class UserAttribute {
* Set all authorities for this user from String values. It will create the necessary
* {@link GrantedAuthority} objects.
*
* @param authoritiesAsStrings {@link List} &lt;{@link String}>
* @param authoritiesAsStrings {@link List} &lt;{@link String}&gt;
* @since 1.1
*/
public void setAuthoritiesAsString(List<String> authoritiesAsStrings) {
@@ -45,7 +45,7 @@ public class DelegatingSecurityContextTaskExecutor extends
* Creates a new {@link DelegatingSecurityContextTaskExecutor} that uses the current
* {@link SecurityContext} from the {@link SecurityContextHolder}.
*
* @param delegateTaskExecutor the {@link TaskExecutor} to delegate to. Cannot be
* @param delegate the {@link TaskExecutor} to delegate to. Cannot be
* null.
*/
public DelegatingSecurityContextTaskExecutor(TaskExecutor delegate) {
@@ -4,48 +4,48 @@
# Translation by Valentin Crettaz (valentin.crettaz@consulthys.com)
AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9
AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire
AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n''a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l''utilisateur ont expir\u00E9
AbstractUserDetailsAuthenticationProvider.disabled=Le compte utilisateur est d\u00E9sactiv\u00E9
AbstractUserDetailsAuthenticationProvider.expired=Le compte utilisateur a expir\u00E9
AbstractUserDetailsAuthenticationProvider.locked=Le compte utilisateur est bloqu\u00E9
AbstractUserDetailsAuthenticationProvider.onlySupports=Seul UsernamePasswordAuthenticationToken est pris en charge
AccountStatusUserDetailsChecker.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
AccountStatusUserDetailsChecker.credentialsExpired=Les identifications de l''utilisateur ont expir\u00E9
AccountStatusUserDetailsChecker.disabled=Le compte utilisateur est d\u00E9sactiv\u00E9
AccountStatusUserDetailsChecker.expired=Le compte utilisateur a expir\u00E9
AccountStatusUserDetailsChecker.locked=Le compte utilisateur est bloqu\u00E9
AclEntryAfterInvocationProvider.noPermission=L'authentification {0} n'a AUCUNE permission pour l'objet de domaine {1}
AnonymousAuthenticationProvider.incorrectKey=L'AnonymousAuthenticationToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
AclEntryAfterInvocationProvider.noPermission=L''authentification {0} n''a AUCUNE permission pour l''objet de domaine {1}
AnonymousAuthenticationProvider.incorrectKey=L''AnonymousAuthenticationToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
BindAuthenticator.badCredentials=Les identifications sont erron\u00E9es
BindAuthenticator.emptyPassword=Le mot de passe est obligatoire
CasAuthenticationProvider.incorrectKey=Le CasAuthenticationToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
CasAuthenticationProvider.noServiceTicket=Echec d'obtention d'un ticket CAS \u00E0 valider
CasAuthenticationProvider.noServiceTicket=Echec d''obtention d''un ticket CAS \u00E0 valider
ConcurrentSessionControlStrategy.exceededAllowed=Le maximum de {0} sessions a \u00E9t\u00E9 d\u00E9pass\u00E9 pour cet utilisateur
DigestAuthenticationFilter.incorrectRealm=Le nom de domaine de la r\u00E9ponse {0} ne correspond pas au nom de domaine du syst\u00E8me {1}
DigestAuthenticationFilter.incorrectResponse=R\u00E9ponse incorrecte
DigestAuthenticationFilter.missingAuth=Une valeur obligatoire manque au condens\u00E9 pour 'auth' QOP; re\u00E7u l'ent\u00EAte {0}
DigestAuthenticationFilter.missingMandatory=Une valeur obligatoire manque au condens\u00E9; re\u00E7u l'ent\u00EAte {0}
DigestAuthenticationFilter.missingAuth=Une valeur obligatoire manque au condens\u00E9 pour ''auth'' QOP; re\u00E7u l''ent\u00EAte {0}
DigestAuthenticationFilter.missingMandatory=Une valeur obligatoire manque au condens\u00E9; re\u00E7u l''ent\u00EAte {0}
DigestAuthenticationFilter.nonceCompromised=Le jeton nonce est compromis {0}
DigestAuthenticationFilter.nonceEncoding=Le nonce n'est pas encod\u00E9 en Base64; re\u00E7u le nonce {0}
DigestAuthenticationFilter.nonceEncoding=Le nonce n''est pas encod\u00E9 en Base64; re\u00E7u le nonce {0}
DigestAuthenticationFilter.nonceExpired=Le nonce a expir\u00E9
DigestAuthenticationFilter.nonceNotNumeric=Le jeton nonce aurait d\u00FB g\u00E9n\u00E9rer d'abord un jeton num\u00E9rique, mais \u00E9tait {0}
DigestAuthenticationFilter.nonceNotNumeric=Le jeton nonce aurait d\u00FB g\u00E9n\u00E9rer d''abord un jeton num\u00E9rique, mais \u00E9tait {0}
DigestAuthenticationFilter.nonceNotTwoTokens=Le nonce aurait d\u00FB g\u00E9n\u00E9rer deux jetons, mais \u00E9tait {0}
DigestAuthenticationFilter.usernameNotFound=Le nom d'utilisateur {0} n'a pas \u00E9t\u00E9 trouv\u00E9
JdbcDaoImpl.noAuthority=Le compte utilisateur {0} n'a pas de permission
JdbcDaoImpl.notFound=Le nom d'utilisateur {0} n'a pas \u00E9t\u00E9 trouv\u00E9
DigestAuthenticationFilter.usernameNotFound=Le nom d''utilisateur {0} n''a pas \u00E9t\u00E9 trouv\u00E9
JdbcDaoImpl.noAuthority=Le compte utilisateur {0} n''a pas de permission
JdbcDaoImpl.notFound=Le nom d''utilisateur {0} n''a pas \u00E9t\u00E9 trouv\u00E9
LdapAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es
LdapAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
LdapAuthenticationProvider.credentialsExpired=Les identifications de l''utilisateur ont expir\u00E9
LdapAuthenticationProvider.disabled=Le compte utilisateur est d\u00E9sactiv\u00E9
LdapAuthenticationProvider.expired=Le compte utilisateur a expir\u00E9
LdapAuthenticationProvider.locked=Le compte utilisateur est bloqu\u00E9
LdapAuthenticationProvider.emptyUsername=Le nom d'utilisateur est obligatoire
LdapAuthenticationProvider.emptyUsername=Le nom d''utilisateur est obligatoire
LdapAuthenticationProvider.onlySupports=Seul UsernamePasswordAuthenticationToken est pris en charge
PasswordComparisonAuthenticator.badCredentials=Les identifications sont erron\u00E9es
PersistentTokenBasedRememberMeServices.cookieStolen=Invalid remember-me token (Series/token) mismatch. Implies previous cookie theft attack.
ProviderManager.providerNotFound=Aucun AuthenticationProvider n'a \u00E9t\u00E9 trouv\u00E9 pour {0}
ProviderManager.providerNotFound=Aucun AuthenticationProvider n''a \u00E9t\u00E9 trouv\u00E9 pour {0}
RememberMeAuthenticationProvider.incorrectKey=Le RememberMeAuthenticationToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
RunAsImplAuthenticationProvider.incorrectKey=Le RunAsUserToken pr\u00E9sent\u00E9 ne contient pas la cl\u00E9 attendue
SubjectDnX509PrincipalExtractor.noMatching=Aucun motif concordant n'a \u00E9t\u00E9 trouv\u00E9 dans le subjectDN\: {0}
SwitchUserFilter.noCurrentUser=Aucun utilisateur n'est associ\u00E9 \u00E0 la requ\u00EAte en cours
SwitchUserFilter.noOriginalAuthentication=L'objet Authentication original n'a pas \u00E9t\u00E9 trouv\u00E9
SubjectDnX509PrincipalExtractor.noMatching=Aucun motif concordant n''a \u00E9t\u00E9 trouv\u00E9 dans le subjectDN\: {0}
SwitchUserFilter.noCurrentUser=Aucun utilisateur n''est associ\u00E9 \u00E0 la requ\u00EAte en cours
SwitchUserFilter.noOriginalAuthentication=L''objet Authentication original n''a pas \u00E9t\u00E9 trouv\u00E9
@@ -1,5 +1,6 @@
package org.springframework.security.access.vote;
import static org.fest.assertions.Assertions.assertThat;
import static org.junit.Assert.*;
import org.junit.Test;
@@ -22,4 +23,13 @@ public class RoleVoterTests {
assertEquals(AccessDecisionVoter.ACCESS_GRANTED,
voter.vote(userAB, this, SecurityConfig.createList("A", "C")));
}
// SEC-3128
@Test
public void nullAuthenticationDenies() {
RoleVoter voter = new RoleVoter();
voter.setRolePrefix("");
Authentication notAuthenitcated = null;
assertThat(voter.vote(notAuthenitcated, this, SecurityConfig.createList("A"))).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
}
}
@@ -50,9 +50,12 @@ public class DelegatingSecurityContextCallableTests {
private ExecutorService executor;
private SecurityContext originalSecurityContext;
@Before
@SuppressWarnings("serial")
public void setUp() throws Exception {
originalSecurityContext = SecurityContextHolder.createEmptyContext();
when(delegate.call()).thenAnswer(new Returns(callableResult) {
@Override
public Object answer(InvocationOnMock invocation) throws Throwable {
@@ -111,17 +114,10 @@ public class DelegatingSecurityContextCallableTests {
// SEC-3031
@Test
public void callOnSameThread() throws Exception {
originalSecurityContext = securityContext;
SecurityContextHolder.setContext(originalSecurityContext);
callable = new DelegatingSecurityContextCallable<Object>(delegate,
securityContext);
securityContext = SecurityContextHolder.createEmptyContext();
assertWrapped(callable.call());
}
@Test
public void callOnSameThreadExplicitlyEnabled() throws Exception {
DelegatingSecurityContextCallable<Object> callable = new DelegatingSecurityContextCallable<Object>(delegate,
securityContext);
callable.setEnableOnOriginalThread(true);
assertWrapped(callable.call());
}
@@ -170,6 +166,6 @@ public class DelegatingSecurityContextCallableTests {
private void assertWrapped(Object callableResult) throws Exception {
verify(delegate).call();
assertThat(SecurityContextHolder.getContext()).isEqualTo(
SecurityContextHolder.createEmptyContext());
originalSecurityContext);
}
}
@@ -51,8 +51,11 @@ public class DelegatingSecurityContextRunnableTests {
private ExecutorService executor;
private SecurityContext originalSecurityContext;
@Before
public void setUp() throws Exception {
originalSecurityContext = SecurityContextHolder.createEmptyContext();
doAnswer(new Answer<Object>() {
public Object answer(InvocationOnMock invocation) throws Throwable {
assertThat(SecurityContextHolder.getContext()).isEqualTo(securityContext);
@@ -110,19 +113,11 @@ public class DelegatingSecurityContextRunnableTests {
// SEC-3031
@Test
public void callOnSameThread() throws Exception {
originalSecurityContext = securityContext;
SecurityContextHolder.setContext(originalSecurityContext);
executor = synchronousExecutor();
runnable = new DelegatingSecurityContextRunnable(delegate,
securityContext);
securityContext = SecurityContextHolder.createEmptyContext();
assertWrapped(runnable);
}
@Test
public void callOnSameThreadExplicitlyEnabled() throws Exception {
executor = synchronousExecutor();
DelegatingSecurityContextRunnable runnable = new DelegatingSecurityContextRunnable(delegate,
securityContext);
runnable.setEnableOnOriginalThread(true);
assertWrapped(runnable);
}
@@ -167,7 +162,7 @@ public class DelegatingSecurityContextRunnableTests {
submit.get();
verify(delegate).run();
assertThat(SecurityContextHolder.getContext()).isEqualTo(
SecurityContextHolder.createEmptyContext());
originalSecurityContext);
}
private static ExecutorService synchronousExecutor() {
+2 -2
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-crypto</name>
<description>spring-security-crypto</description>
<url>http://spring.io/spring-security</url>
@@ -79,7 +79,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@@ -31,25 +31,25 @@ import java.security.SecureRandom;
* with a random salt, like this:
* <p>
* <code>
* String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); <br />
* String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); <br>
* </code>
* <p>
* To check whether a plaintext password matches one that has been hashed previously, use
* the checkpw method:
* <p>
* <code>
* if (BCrypt.checkpw(candidate_password, stored_hash))<br />
* &nbsp;&nbsp;&nbsp;&nbsp;System.out.println("It matches");<br />
* else<br />
* &nbsp;&nbsp;&nbsp;&nbsp;System.out.println("It does not match");<br />
* if (BCrypt.checkpw(candidate_password, stored_hash))<br>
* &nbsp;&nbsp;&nbsp;&nbsp;System.out.println("It matches");<br>
* else<br>
* &nbsp;&nbsp;&nbsp;&nbsp;System.out.println("It does not match");<br>
* </code>
* <p>
* The gensalt() method takes an optional parameter (log_rounds) that determines the
* computational complexity of the hashing:
* <p>
* <code>
* String strong_salt = BCrypt.gensalt(10)<br />
* String stronger_salt = BCrypt.gensalt(12)<br />
* String strong_salt = BCrypt.gensalt(10)<br>
* String stronger_salt = BCrypt.gensalt(12)<br>
* </code>
* <p>
* The amount of work increases exponentially (2**log_rounds), so each increment is twice
@@ -15,8 +15,6 @@
*/
package org.springframework.security.crypto.keygen;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
/**
@@ -17,7 +17,6 @@ package org.springframework.security.crypto.password;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
/**
* Helper for working with the MessageDigest API.
@@ -30,7 +29,7 @@ import java.security.NoSuchProviderException;
*/
final class Digester {
private final MessageDigest messageDigest;
private final String algorithm;
private final int iterations;
@@ -40,22 +39,26 @@ final class Digester {
* @param iterations the number of times to apply the digest algorithm to the input
*/
public Digester(String algorithm, int iterations) {
try {
messageDigest = MessageDigest.getInstance(algorithm);
}
catch (NoSuchAlgorithmException e) {
throw new IllegalStateException("No such hashing algorithm", e);
}
// eagerly validate the algorithm
createDigest(algorithm);
this.algorithm = algorithm;
this.iterations = iterations;
}
public byte[] digest(byte[] value) {
synchronized (messageDigest) {
for (int i = 0; i < iterations; i++) {
value = messageDigest.digest(value);
}
return value;
MessageDigest messageDigest = createDigest(algorithm);
for (int i = 0; i < iterations; i++) {
value = messageDigest.digest(value);
}
return value;
}
private static MessageDigest createDigest(String algorithm) {
try {
return MessageDigest.getInstance(algorithm);
}
catch (NoSuchAlgorithmException e) {
throw new IllegalStateException("No such hashing algorithm", e);
}
}
}
+3 -3
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-data</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-data</name>
<description>spring-security-data</description>
<url>http://spring.io/spring-security</url>
@@ -40,7 +40,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -102,7 +102,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@@ -29,41 +29,39 @@ import java.util.Map;
* <p>
* By defining this object as a Bean, Spring Security is exposed as SpEL expressions for
* creating Spring Data queries.
* </p>
*
* <p>
* With Java based configuration, we can define the bean using the following:
* </p>
*
* <p>
* For example, if you return a UserDetails that extends the following User object:
* </p>
*
* <pre>
* @Entity
* &#064;Entity
* public class User {
* @GeneratedValue(strategy = GenerationType.AUTO)
* @Id
* &#064;GeneratedValue(strategy = GenerationType.AUTO)
* &#064;Id
* private Long id;
*
* ...
* }
* </pre>
*
* <p>
* And you have a Message object that looks like the following:
* </p>
*
* <pre>
* @Entity
* &#064;Entity
* public class Message {
* @Id
* @GeneratedValue(strategy = GenerationType.AUTO)
* &#064;Id
* &#064;GeneratedValue(strategy = GenerationType.AUTO)
* private Long id;
*
* @OneToOne
* &#064;OneToOne
* private User to;
*
* ...
* }
* </pre>
*
* You can use the following {@code Query} annotation to search for only messages that are
@@ -188,6 +188,7 @@ For example, we might create an annotation named `@WithMockCustomUser` as shown
[source,java]
----
@Retention(RetentionPolicy.RUNTIME)
@WithSecurityContext(factory = WithMockCustomUserSecurityContextFactory.class)
public @interface WithMockCustomUser {
@@ -506,7 +507,7 @@ For example, this is the above request modified to include the username on the H
[source,java]
----
mvc
.perform(formLogin("/auth").user("a","admin").password("p","pass"))
.perform(formLogin("/auth").user("u","admin").password("p","pass"))
----
[[test-logout]]
@@ -388,7 +388,7 @@ For example:
<b:bean id="csrfMatcher"
class="AndRequestMatcher">
<b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_MATCHER}"/>
<b:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
<b:constructor-arg>
<b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
<b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+9 -11
View File
@@ -3510,18 +3510,16 @@ You can easily do this with the following Java Configuration:
----
@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.frameOptions()
.sameOrigin()
.and()
.hsts().disable();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.headers()
.frameOptions().sameOrigin()
.httpStrictTransportSecurity().disable();
}
}
----
+1 -1
View File
@@ -1 +1 @@
version=4.0.2.RELEASE
version=4.0.5.CI-SNAPSHOT
-1
View File
@@ -143,7 +143,6 @@ task springSnapshotTest(type: Test) {
junitXml.destination = project.file("$buildDir/reports/spring-snapshot-tests/")
}
}
check.dependsOn springSnapshotTest
dependencies {
optional "commons-logging:commons-logging:$commonsLoggingVersion"
+5 -5
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>itest-context</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>itest-context</name>
<description>itest-context</description>
<url>http://spring.io/spring-security</url>
@@ -46,7 +46,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -121,13 +121,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -146,7 +146,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
+7 -7
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>itest-web</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>itest-web</name>
<description>itest-web</description>
<url>http://spring.io/spring-security</url>
@@ -139,31 +139,31 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -194,7 +194,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
+11 -11
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-ldap</name>
<description>spring-security-ldap</description>
<url>http://spring.io/spring-security</url>
@@ -38,31 +38,31 @@
<scope>compile</scope>
<exclusions>
<exclusion>
<artifactId>spring-beans</artifactId>
<groupId>org.springframework</groupId>
<artifactId>spring-data-commons</artifactId>
<groupId>org.springframework.data</groupId>
</exclusion>
<exclusion>
<artifactId>spring-core</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-data-commons</artifactId>
<groupId>org.springframework.data</groupId>
<artifactId>spring-tx</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>spring-beans</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
<exclusion>
<artifactId>spring-tx</artifactId>
<groupId>org.springframework</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -194,7 +194,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@@ -40,7 +40,7 @@ public class DefaultSpringSecurityContextSource extends LdapContextSource {
* you want to use more than one server for fail-over, rather use the
* {@link #DefaultSpringSecurityContextSource(List, String)} constructor.
*
* @param providerUrl an LDAP URL of the form <code>ldap://localhost:389/base_dn<code>
* @param providerUrl an LDAP URL of the form <code>ldap://localhost:389/base_dn</code>
*/
public DefaultSpringSecurityContextSource(String providerUrl) {
Assert.hasLength(providerUrl, "An LDAP connection URL must be supplied.");
@@ -22,8 +22,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
* Obtains a user's information from the LDAP directory given a login name.
* <p>
* May be optionally used to configure the LDAP authentication implementation when a more
* sophisticated approach is required than just using a simple username->DN mapping.
* </p>
* sophisticated approach is required than just using a simple username-&gt;DN mapping.
*
* @author Luke Taylor
*/
@@ -75,15 +75,15 @@ import java.util.Set;
*
* <pre>
* &lt;bean id="ldapAuthoritiesPopulator"
* class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
* &lt;constructor-arg ref="contextSource"/>
* &lt;constructor-arg value="ou=groups"/>
* &lt;property name="groupRoleAttribute" value="ou"/>
* &lt;!-- the following properties are shown with their default values -->
* &lt;property name="searchSubtree" value="false"/>
* &lt;property name="rolePrefix" value="ROLE_"/>
* &lt;property name="convertToUpperCase" value="true"/>
* &lt;/bean>
* class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"&gt;
* &lt;constructor-arg ref="contextSource"/&gt;
* &lt;constructor-arg value="ou=groups"/&gt;
* &lt;property name="groupRoleAttribute" value="ou"/&gt;
* &lt;!-- the following properties are shown with their default values --&gt;
* &lt;property name="searchSubtree" value="false"/&gt;
* &lt;property name="rolePrefix" value="ROLE_"/&gt;
* &lt;property name="convertToUpperCase" value="true"/&gt;
* &lt;/bean&gt;
* </pre>
*
* A search for roles for user "uid=ben,ou=people,dc=springframework,dc=org" would return
@@ -292,7 +292,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
/**
* Sets the prefix which will be prepended to the values loaded from the directory.
* Defaults to "ROLE_" for compatibility with <tt>RoleVoter/tt>.
* Defaults to "ROLE_" for compatibility with <tt>RoleVoter</tt>.
*/
public void setRolePrefix(String rolePrefix) {
Assert.notNull(rolePrefix, "rolePrefix must not be null");
@@ -326,7 +326,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
* Returns the current LDAP template. Method available so that classes extending this
* can override the template used
* @return the LDAP template
* @see {@link org.springframework.security.ldap.SpringSecurityLdapTemplate}
* @see org.springframework.security.ldap.SpringSecurityLdapTemplate
*/
protected SpringSecurityLdapTemplate getLdapTemplate() {
return ldapTemplate;
@@ -336,7 +336,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
* Returns the attribute name of the LDAP attribute that will be mapped to the role
* name Method available so that classes extending this can override
* @return the attribute name used for role mapping
* @see {@link #setGroupRoleAttribute(String)}
* @see #setGroupRoleAttribute(String)
*/
protected final String getGroupRoleAttribute() {
return groupRoleAttribute;
@@ -346,7 +346,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
* Returns the search filter configured for this populator Method available so that
* classes extending this can override
* @return the search filter
* @see {@link #setGroupSearchFilter(String)}
* @see #setGroupSearchFilter(String)
*/
protected final String getGroupSearchFilter() {
return groupSearchFilter;
@@ -356,7 +356,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
* Returns the role prefix used by this populator Method available so that classes
* extending this can override
* @return the role prefix
* @see {@link #setRolePrefix(String)}
* @see #setRolePrefix(String)
*/
protected final String getRolePrefix() {
return rolePrefix;
@@ -366,7 +366,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
* Returns true if role names are converted to uppercase Method available so that
* classes extending this can override
* @return true if role names are converted to uppercase.
* @see {@link #setConvertToUpperCase(boolean)}
* @see #setConvertToUpperCase(boolean)
*/
protected final boolean isConvertToUpperCase() {
return convertToUpperCase;
@@ -376,7 +376,7 @@ public class DefaultLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
* Returns the default role Method available so that classes extending this can
* override
* @return the default role used
* @see {@link #setDefaultRole(String)}
* @see #setDefaultRole(String)
*/
private GrantedAuthority getDefaultRole() {
return defaultRole;
@@ -110,9 +110,6 @@ import java.util.*;
* ou: jdeveloper
* member: uid=scaladude,ou=people,dc=springframework,dc=org *
* </pre>
*
* </pre>
* </p>
*
* @author Filip Hanik
*/
+4 -4
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-messaging</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-messaging</name>
<description>spring-security-messaging</description>
<url>http://spring.io/spring-security</url>
@@ -40,7 +40,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -91,7 +91,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
@@ -226,7 +226,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@@ -45,7 +45,7 @@ public final class ExpressionBasedMessageSecurityMetadataSourceFactory {
* For example:
*
* <pre>
* LinkedHashMap<MessageMatcher<?> matcherToExpression = new LinkedHashMap<MessageMatcher<Object>();
* LinkedHashMap&lt;MessageMatcher&lt;?&gt;,String&gt; matcherToExpression = new LinkedHashMap&lt;MessageMatcher&lt;Object&gt;,String&gt;();
* matcherToExpression.put(new SimDestinationMessageMatcher("/public/**"), "permitAll");
* matcherToExpression.put(new SimDestinationMessageMatcher("/admin/**"), "hasRole('ROLE_ADMIN')");
* matcherToExpression.put(new SimDestinationMessageMatcher("/**"), "authenticated");
@@ -57,11 +57,9 @@ public final class ExpressionBasedMessageSecurityMetadataSourceFactory {
* If our destination is "/public/hello", it would match on "/public/**" and on "/**".
* However, only "/public/**" would be used since it is the first entry. That means
* that a destination of "/public/hello" will be mapped to "permitAll".
* </p>
*
* <p>
* For a complete listing of expressions see {@link MessageSecurityExpressionRoot}
* </p>
*
* @param matcherToExpression an ordered mapping of {@link MessageMatcher} to Strings
* that are turned into an Expression using
@@ -81,7 +79,7 @@ public final class ExpressionBasedMessageSecurityMetadataSourceFactory {
* For example:
*
* <pre>
* LinkedHashMap<MessageMatcher<?> matcherToExpression = new LinkedHashMap<MessageMatcher<Object>();
* LinkedHashMap&lt;MessageMatcher&lt;?&gt;,String&gt; matcherToExpression = new LinkedHashMap&lt;MessageMatcher&lt;Object&gt;,String&gt;();
* matcherToExpression.put(new SimDestinationMessageMatcher("/public/**"), "permitAll");
* matcherToExpression.put(new SimDestinationMessageMatcher("/admin/**"), "hasRole('ROLE_ADMIN')");
* matcherToExpression.put(new SimDestinationMessageMatcher("/**"), "authenticated");
@@ -30,12 +30,10 @@ import org.springframework.util.Assert;
* <p>
* The <code>SecurityMetadataSource</code> required by this security interceptor is of
* type {@link MessageSecurityMetadataSource}.
* </p>
* <p>
* Refer to {@link AbstractSecurityInterceptor} for details on the workflow.
* </p>
*
* @see 4.0
* @since 4.0
* @author Rob Winch
*/
public final class ChannelSecurityInterceptor extends AbstractSecurityInterceptor
@@ -32,12 +32,13 @@ import org.springframework.stereotype.Controller;
* {@link Controller}:
*
* <pre>
* @Controller
* &#64;Controller
* public class MyController {
* @MessageMapping("/im")
* &#64;MessageMapping("/im")
* public void im(@AuthenticationPrincipal CustomUser customUser) {
* // do something with CustomUser
* }
* }
* </pre>
*
* <p>
@@ -47,11 +48,9 @@ import org.springframework.stereotype.Controller;
* match, null will be returned unless
* {@link AuthenticationPrincipal#errorOnInvalidType()} is true in which case a
* {@link ClassCastException} will be thrown.
* </p>
*
* <p>
* Alternatively, users can create a custom meta annotation as shown below:
* </p>
*
* <pre>
* &#064;Target({ ElementType.PARAMETER })
@@ -63,15 +62,15 @@ import org.springframework.stereotype.Controller;
*
* <p>
* The custom annotation can then be used instead. For example:
* </p>
*
* <pre>
* @Controller
* &#64;Controller
* public class MyController {
* @MessageMapping("/im")
* &#64;MessageMapping("/im")
* public void im(@CurrentUser CustomUser customUser) {
* // do something with CustomUser
* }
* }
* </pre>
*
* @author Rob Winch
@@ -55,7 +55,6 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
* Creates a new instance with the specified pattern, null {@link SimpMessageType}
* (matches any type), and a {@link AntPathMatcher} created from the default
* constructor.
* </p>
*
* <p>
* The mapping matches destinations despite the using the following rules:
@@ -87,7 +86,6 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
/**
* <p>
* Creates a new instance with the specified pattern and {@link PathMatcher}.
* </p>
*
* @param pattern the pattern to use
* @param pathMatcher the {@link PathMatcher} to use.
@@ -100,7 +98,6 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
* <p>
* Creates a new instance with the specified pattern, {@link SimpMessageType}, and
* {@link PathMatcher}.
* </p>
*
* @param pattern the pattern to use
* @param type the {@link SimpMessageType} to match on or null if any
@@ -155,10 +152,9 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
* <p>
* Creates a new instance with the specified pattern,
* {@code SimpMessageType.SUBSCRIBE}, and {@link PathMatcher}.
* </p>
*
* @param pattern the pattern to use
* @param pathMatcher the {@link PathMatcher} to use.
* @param matcher the {@link PathMatcher} to use.
*/
public static SimpDestinationMessageMatcher createSubscribeMatcher(String pattern,
PathMatcher matcher) {
@@ -170,10 +166,9 @@ public final class SimpDestinationMessageMatcher implements MessageMatcher<Objec
* <p>
* Creates a new instance with the specified pattern, {@code SimpMessageType.MESSAGE},
* and {@link PathMatcher}.
* </p>
*
* @param pattern the pattern to use
* @param pathMatcher the {@link PathMatcher} to use.
* @param matcher the {@link PathMatcher} to use.
*/
public static SimpDestinationMessageMatcher createMessageMatcher(String pattern,
PathMatcher matcher) {
+4 -4
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-openid</name>
<description>spring-security-openid</description>
<url>http://spring.io/spring-security</url>
@@ -52,13 +52,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -158,7 +158,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@@ -246,17 +246,17 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
/**
* Maps the <tt>return_to url</tt> to a realm, for example:
*
*
* <pre>
* http://www.example.com/login/openid -> http://www.example.com/realm</tt>
* http://www.example.com/login/openid -&gt; http://www.example.com/realm
* </pre>
*
*
* If no mapping is provided then the returnToUrl will be parsed to extract the
* protocol, hostname and port followed by a trailing slash. This means that
* <tt>http://www.example.com/login/openid</tt> will automatically become
* <tt>http://www.example.com:80/</tt>
*
* @param realmMapping containing returnToUrl -> realm mappings
* @param realmMapping containing returnToUrl -&gt; realm mappings
*/
public void setRealmMapping(Map<String, String> realmMapping) {
this.realmMapping = realmMapping;
+3 -3
View File
@@ -3,7 +3,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-remoting</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<name>spring-security-remoting</name>
<description>spring-security-remoting</description>
<url>http://spring.io/spring-security</url>
@@ -40,7 +40,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.0.2.RELEASE</version>
<version>4.0.4.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -117,7 +117,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.1.6.RELEASE</version>
<version>4.2.5.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>

Some files were not shown because too many files have changed in this diff Show More