1
0
mirror of synced 2026-07-08 12:20:02 +00:00

Compare commits

...

16 Commits

Author SHA1 Message Date
Spring Buildmaster afe5ec53d4 Release version 3.2.2.RELEASE 2014-03-10 15:24:33 -07:00
Rob Winch 7dbb8e777e SEC-2500: Prevent anonymous bind for ActiveDirectoryLdapAuthenticator 2014-03-10 14:21:32 -05:00
Rob Winch bb563967cc SEC-2507: WebExpressionVoter.supports support subclasses of FilterInvocation 2014-03-10 14:21:07 -05:00
Rob Winch 974105ed19 SEC-2515: Detect object cycle for AuthenticationManager configuration 2014-03-10 14:04:10 -05:00
Rob Winch 2cad2f401b SEC-2325: Polish CSRF Tag support
- Rename csrfField to csrfInput
- Make AbstractCsrfTag package scope
- rename FormFieldTag to CsrfInputTag
- rename MetaTagsTag to CsrfMetaTagsTag
- removed whitespace from tag output so output is
  minimized & improving browser performance
- Update @since
- changed test names to be more meaningful
2014-03-07 15:25:57 -06:00
beamerblvd 3048e2c6e7 SEC-2325 Added JSP tags for CSRF meta tags and form fields 2014-03-07 13:18:46 -06:00
beamerblvd 561f284718 SEC-2335 Added ACL schema files for MySQL, SQL Server, Oracle 2014-03-07 13:10:03 -06:00
John Tims afc6a6ee0d SEC-2514: Fix typo in hellomvc.asc
packags -> packages
2014-03-07 10:26:31 -06:00
John Tims fa05e9c590 SEC-2513: Add link to SpringSource CLA form 2014-03-07 10:22:36 -06:00
Manimaran Selvan 818be86d46 SEC-2512: Fix typo in reference`
udates -> updates
2014-03-06 22:21:22 -06:00
Rob Winch 60704eb50e SEC-2511: Remove double ALLOW-FROM in X-Frame-Options header 2014-03-06 22:00:09 -06:00
getvictor f02b77794f SEC-2511: Remove double ALLOW-FROM from X-Frame-Options header.
The interface documentation for getAllowFromValue states: Gets the value for ALLOW-FROM excluding the ALLOW-FROM.
2014-03-06 21:59:46 -06:00
Rob Winch 1172d44397 SEC-2499: Allow MethodSecurityExpressionHandler in parent context
Previously a NoSuchBeanDefintionException was thrown when the
MethodSecurityExpressionHandler was defined in the parent context. This
happened due to trying to work around ordering issues related to SEC-2136

This commit resolves this by not marking the
MethodSecurityExpressionHandler bean as lazy unless it exists.
2014-03-06 20:51:24 -06:00
Rob Winch 49738e4588 SEC-2508: Passivity test for SEC-2357 2014-03-06 15:13:34 -06:00
Rob Winch 3b13c1fdf4 SEC-2495: CSRF disables logout on GET 2014-02-20 09:33:30 -06:00
Spring Buildmaster 8f6450ede1 Next development version 2014-02-19 10:52:05 -06:00
88 changed files with 1430 additions and 525 deletions
+1 -1
View File
@@ -16,7 +16,7 @@ Is there already an issue that addresses your concern? Do a bit of searching in
If you're considering anything more than correcting a typo or fixing a minor bug , please discuss it on the [Spring Security forums](http://forum.springsource.org/forumdisplay.php?33-Security) before submitting a pull request. We're happy to provide guidance but please spend an hour or two researching the subject on your own including searching the forums for prior discussions.
# Sign the Contributor License Agreement
If you have not previously done so, please fill out and submit the SpringSource CLA form. You'll receive a token when this process is complete. Keep track of this, you may be asked for it later!
If you have not previously done so, please fill out and submit the [SpringSource CLA form](https://support.springsource.com/spring_committer_signup). You'll receive a token when this process is complete. Keep track of this, you may be asked for it later!
* For **Project** select _Spring Security_
* For **Project Lead** enter _Rob Winch_
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-acl</name>
<description>spring-security-acl</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -58,7 +52,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+2 -2
View File
@@ -5,12 +5,12 @@
-- drop table acl_class;
-- drop table acl_sid;
create table acl_sid(
id bigint generated by default as identity(start with 100) not null primary key,
principal boolean not null,
sid varchar_ignorecase(100) not null,
constraint unique_uk_1 unique(sid,principal));
constraint unique_uk_1 unique(sid,principal)
);
create table acl_class(
id bigint generated by default as identity(start with 100) not null primary key,
@@ -0,0 +1,46 @@
-- ACL Schema SQL for MySQL 5.5+ / MariaDB equivalent
-- drop table acl_entry;
-- drop table acl_object_identity;
-- drop table acl_class;
-- drop table acl_sid;
CREATE TABLE acl_sid (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
principal BOOLEAN NOT NULL,
sid VARCHAR(100) NOT NULL,
UNIQUE KEY unique_acl_sid (sid, principal)
) ENGINE=InnoDB;
CREATE TABLE acl_class (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
class VARCHAR(100) NOT NULL,
UNIQUE KEY uk_acl_class (class)
) ENGINE=InnoDB;
CREATE TABLE acl_object_identity (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
object_id_class BIGINT UNSIGNED NOT NULL,
object_id_identity BIGINT NOT NULL,
parent_object BIGINT UNSIGNED,
owner_sid BIGINT UNSIGNED,
entries_inheriting BOOLEAN NOT NULL,
UNIQUE KEY uk_acl_object_identity (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
) ENGINE=InnoDB;
CREATE TABLE acl_entry (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
acl_object_identity BIGINT UNSIGNED NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT UNSIGNED NOT NULL,
mask INTEGER UNSIGNED NOT NULL,
granting BOOLEAN NOT NULL,
audit_success BOOLEAN NOT NULL,
audit_failure BOOLEAN NOT NULL,
UNIQUE KEY unique_acl_entry (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
) ENGINE=InnoDB;
@@ -0,0 +1,82 @@
-- ACL Schema SQL for Oracle Database 10g+
-- drop trigger acl_sid_id_trigger;
-- drop trigger acl_class_id_trigger;
-- drop trigger acl_object_identity_id_trigger;
-- drop trigger acl_entry_id_trigger;
-- drop sequence acl_sid_sequence;
-- drop sequence acl_class_sequence;
-- drop sequence acl_object_identity_sequence;
-- drop sequence acl_entry_sequence;
-- drop table acl_entry;
-- drop table acl_object_identity;
-- drop table acl_class;
-- drop table acl_sid;
CREATE TABLE acl_sid (
id NUMBER(38) NOT NULL PRIMARY KEY,
principal NUMBER(1) NOT NULL CHECK (principal in (0, 1)),
sid NVARCHAR2(100) NOT NULL,
CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
);
CREATE SEQUENCE acl_sid_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_sid_id_trigger
BEFORE INSERT ON acl_sid
FOR EACH ROW
BEGIN
SELECT acl_sid_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_class (
id NUMBER(38) NOT NULL PRIMARY KEY,
class NVARCHAR2(100) NOT NULL,
CONSTRAINT uk_acl_class UNIQUE (class)
);
CREATE SEQUENCE acl_class_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_class_id_trigger
BEFORE INSERT ON acl_class
FOR EACH ROW
BEGIN
SELECT acl_class_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_object_identity (
id NUMBER(38) NOT NULL PRIMARY KEY,
object_id_class NUMBER(38) NOT NULL,
object_id_identity NUMBER(38) NOT NULL,
parent_object NUMBER(38),
owner_sid NUMBER(38),
entries_inheriting NUMBER(1) NOT NULL CHECK (entries_inheriting in (0, 1)),
CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
);
CREATE SEQUENCE acl_object_identity_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_object_identity_id_trigger
BEFORE INSERT ON acl_object_identity
FOR EACH ROW
BEGIN
SELECT acl_object_identity_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_entry (
id NUMBER(38) NOT NULL PRIMARY KEY,
acl_object_identity NUMBER(38) NOT NULL,
ace_order INTEGER NOT NULL,
sid NUMBER(38) NOT NULL,
mask INTEGER NOT NULL,
granting NUMBER(1) NOT NULL CHECK (granting in (0, 1)),
audit_success NUMBER(1) NOT NULL CHECK (audit_success in (0, 1)),
audit_failure NUMBER(1) NOT NULL CHECK (audit_failure in (0, 1)),
CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
);
CREATE SEQUENCE acl_entry_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_entry_id_trigger
BEFORE INSERT ON acl_entry
FOR EACH ROW
BEGIN
SELECT acl_entry_sequence.nextval INTO :new.id FROM dual;
END;
@@ -0,0 +1,46 @@
-- ACL Schema SQL for Microsoft SQL Server 2008+
-- drop table acl_entry;
-- drop table acl_object_identity;
-- drop table acl_class;
-- drop table acl_sid;
CREATE TABLE acl_sid (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
principal BIT NOT NULL,
sid VARCHAR(100) NOT NULL,
CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
);
CREATE TABLE acl_class (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
class VARCHAR(100) NOT NULL,
CONSTRAINT uk_acl_class UNIQUE (class)
);
CREATE TABLE acl_object_identity (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
object_id_class BIGINT NOT NULL,
object_id_identity BIGINT NOT NULL,
parent_object BIGINT,
owner_sid BIGINT,
entries_inheriting BIT NOT NULL,
CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
);
CREATE TABLE acl_entry (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
acl_object_identity BIGINT NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT NOT NULL,
mask INTEGER NOT NULL,
granting BIT NOT NULL,
audit_success BIT NOT NULL,
audit_failure BIT NOT NULL,
CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
);
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-aspects</name>
<description>spring-security-aspects</description>
<url>http://spring.io/spring-security</url>
@@ -42,17 +42,11 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-cas</name>
<description>spring-security-cas</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.jasig.cas.client</groupId>
@@ -58,13 +52,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-config</name>
<description>spring-security-config</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -58,7 +52,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -108,21 +102,21 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
<optional>true</optional>
</dependency>
@@ -361,7 +355,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
@@ -114,7 +114,7 @@ public class AuthenticationConfiguration {
lazyTargetSource.setBeanFactory(applicationContext);
ProxyFactoryBean proxyFactory = new ProxyFactoryBean();
proxyFactory.setTargetSource(lazyTargetSource);
proxyFactory.setInterfaces(new Class[] { interfaceName });
proxyFactory.setInterfaces(new Class[] { interfaceName, LazyBean.class });
return (T) proxyFactory.getObject();
}
@@ -122,6 +122,7 @@ public class AuthenticationConfiguration {
return lazyBean(AuthenticationManager.class);
}
private interface LazyBean {}
private static class EnableGlobalAuthenticationAutowiredConfigurer extends GlobalAuthenticationConfigurerAdapter {
private final ApplicationContext context;
@@ -16,11 +16,13 @@
package org.springframework.security.config.annotation.web.configuration;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.FatalBeanException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.core.annotation.Order;
@@ -44,6 +46,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
import org.springframework.util.Assert;
import org.springframework.util.ReflectionUtils;
import org.springframework.web.accept.ContentNegotiationStrategy;
import org.springframework.web.accept.HeaderContentNegotiationStrategy;
@@ -71,8 +74,8 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
private AuthenticationConfiguration authenticationConfiguration;
private AuthenticationManagerBuilder authenticationBuilder;
private AuthenticationManagerBuilder parentAuthenticationBuilder;
private boolean disableAuthenticationRegistration;
private AuthenticationManagerBuilder localConfigureAuthenticationBldr;
private boolean disableLocalConfigureAuthenticationBldr;
private boolean authenticationManagerInitialized;
private AuthenticationManager authenticationManager;
private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
@@ -148,7 +151,7 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
* @throws Exception
*/
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
this.disableAuthenticationRegistration = true;
this.disableLocalConfigureAuthenticationBldr = true;
}
/**
@@ -163,11 +166,11 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
}
DefaultAuthenticationEventPublisher eventPublisher = objectPostProcessor.postProcess(new DefaultAuthenticationEventPublisher());
parentAuthenticationBuilder.authenticationEventPublisher(eventPublisher);
localConfigureAuthenticationBldr.authenticationEventPublisher(eventPublisher);
AuthenticationManager authenticationManager = authenticationManager();
authenticationBuilder.parentAuthenticationManager(authenticationManager);
http = new HttpSecurity(objectPostProcessor,authenticationBuilder, parentAuthenticationBuilder.getSharedObjects());
http = new HttpSecurity(objectPostProcessor,authenticationBuilder, localConfigureAuthenticationBldr.getSharedObjects());
http.setSharedObject(UserDetailsService.class, userDetailsService());
http.setSharedObject(ApplicationContext.class, context);
http.setSharedObject(ContentNegotiationStrategy.class, contentNegotiationStrategy);
@@ -221,11 +224,11 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
*/
protected AuthenticationManager authenticationManager() throws Exception {
if(!authenticationManagerInitialized) {
configure(parentAuthenticationBuilder);
if(disableAuthenticationRegistration) {
configure(localConfigureAuthenticationBldr);
if(disableLocalConfigureAuthenticationBldr) {
authenticationManager = authenticationConfiguration.getAuthenticationManager();
} else {
authenticationManager = parentAuthenticationBuilder.build();
authenticationManager = localConfigureAuthenticationBldr.build();
}
authenticationManagerInitialized = true;
}
@@ -253,7 +256,7 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
*/
public UserDetailsService userDetailsServiceBean() throws Exception {
AuthenticationManagerBuilder globalAuthBuilder = context.getBean(AuthenticationManagerBuilder.class);
return new UserDetailsServiceDelegator(Arrays.asList(parentAuthenticationBuilder, globalAuthBuilder));
return new UserDetailsServiceDelegator(Arrays.asList(localConfigureAuthenticationBldr, globalAuthBuilder));
}
/**
@@ -266,7 +269,7 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
*/
protected UserDetailsService userDetailsService() {
AuthenticationManagerBuilder globalAuthBuilder = context.getBean(AuthenticationManagerBuilder.class);
return new UserDetailsServiceDelegator(Arrays.asList(parentAuthenticationBuilder, globalAuthBuilder));
return new UserDetailsServiceDelegator(Arrays.asList(localConfigureAuthenticationBldr, globalAuthBuilder));
}
public void init(final WebSecurity web) throws Exception {
@@ -337,7 +340,7 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
this.objectPostProcessor = objectPostProcessor;
authenticationBuilder = new AuthenticationManagerBuilder(objectPostProcessor);
parentAuthenticationBuilder = new AuthenticationManagerBuilder(objectPostProcessor) {
localConfigureAuthenticationBldr = new AuthenticationManagerBuilder(objectPostProcessor) {
@Override
public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) {
authenticationBuilder.eraseCredentials(eraseCredentials);
@@ -413,6 +416,9 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
AuthenticationManagerDelegator(AuthenticationManagerBuilder delegateBuilder) {
Assert.notNull(delegateBuilder,"delegateBuilder cannot be null");
Field parentAuthMgrField = ReflectionUtils.findField(AuthenticationManagerBuilder.class, "parentAuthenticationManager");
ReflectionUtils.makeAccessible(parentAuthMgrField);
validateBeanCycle(ReflectionUtils.getField(parentAuthMgrField, delegateBuilder));
this.delegateBuilder = delegateBuilder;
}
@@ -430,5 +436,18 @@ public abstract class WebSecurityConfigurerAdapter implements WebSecurityConfigu
return delegate.authenticate(authentication);
}
private static void validateBeanCycle(Object auth) {
if(auth != null) {
String lazyBeanClassName = AuthenticationConfiguration.class.getName() + "$LazyBean";
Class<?>[] interfaces = auth.getClass().getInterfaces();
for(Class<?> i : interfaces) {
String className = i.getName();
if(className.equals(lazyBeanClassName)) {
throw new FatalBeanException("A dependency cycle was detected when trying to resolve the AuthenticationManager. Please ensure you have configured authentication.");
}
}
}
}
}
}
@@ -46,10 +46,12 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser {
final String rememberMeServices;
private ManagedList<BeanMetadataElement> logoutHandlers = new ManagedList<BeanMetadataElement>();
private boolean csrfEnabled;
public LogoutBeanDefinitionParser(String rememberMeServices, BeanMetadataElement csrfLogoutHandler) {
this.rememberMeServices = rememberMeServices;
if(csrfLogoutHandler != null) {
this.csrfEnabled = csrfLogoutHandler != null;
if(this.csrfEnabled) {
logoutHandlers.add(csrfLogoutHandler);
}
}
@@ -78,10 +80,9 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser {
if (!StringUtils.hasText(logoutUrl)) {
logoutUrl = DEF_LOGOUT_URL;
}
BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter$FilterProcessUrlRequestMatcher");
matcherBuilder.addConstructorArgValue(logoutUrl);
builder.addPropertyValue("logoutRequestMatcher", matcherBuilder.getBeanDefinition());
builder.addPropertyValue("logoutRequestMatcher", getLogoutRequestMatcher(logoutUrl));
if (StringUtils.hasText(successHandlerRef)) {
if (StringUtils.hasText(logoutSuccessUrl)) {
@@ -117,6 +118,19 @@ class LogoutBeanDefinitionParser implements BeanDefinitionParser {
return builder.getBeanDefinition();
}
private BeanDefinition getLogoutRequestMatcher(String logoutUrl) {
if(this.csrfEnabled) {
BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.util.matcher.AntPathRequestMatcher");
matcherBuilder.addConstructorArgValue(logoutUrl);
matcherBuilder.addConstructorArgValue("POST");
return matcherBuilder.getBeanDefinition();
} else {
BeanDefinitionBuilder matcherBuilder = BeanDefinitionBuilder.rootBeanDefinition("org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter$FilterProcessUrlRequestMatcher");
matcherBuilder.addConstructorArgValue(logoutUrl);
return matcherBuilder.getBeanDefinition();
}
}
ManagedList<BeanMetadataElement> getLogoutHandlers() {
return logoutHandlers;
}
@@ -452,6 +452,9 @@ public class GlobalMethodSecurityBeanDefinitionParser implements BeanDefinitionP
}
public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {
if(!registry.containsBeanDefinition(beanName)) {
return;
}
BeanDefinition beanDefinition = registry.getBeanDefinition(beanName);
beanDefinition.setLazyInit(true);
}
@@ -0,0 +1,72 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configuration;
import org.springframework.beans.FatalBeanException;
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.config.annotation.BaseSpringSpec
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
public class Sec2515Tests extends BaseSpringSpec {
def "SEC-2515: Prevent StackOverflow with bean graph cycle"() {
when:
loadConfig(StackOverflowSecurityConfig)
then:
thrown(FatalBeanException)
}
@EnableWebSecurity
@Configuration
static class StackOverflowSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean()
throws Exception {
return super.authenticationManagerBean();
}
}
def "SEC-2515: @Bean still works when configure(AuthenticationManagerBuilder) used"() {
when:
loadConfig(SecurityConfig)
then:
noExceptionThrown();
}
@EnableWebSecurity
@Configuration
static class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean()
throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.inMemoryAuthentication()
}
}
}
@@ -12,27 +12,29 @@
*/
package org.springframework.security.config.http
import static org.mockito.Mockito.*
import static org.mockito.Matchers.*
import static org.mockito.Mockito.*
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.spockframework.compiler.model.WhenBlock;
import org.springframework.mock.web.MockFilterChain
import org.springframework.mock.web.MockHttpServletRequest
import org.springframework.mock.web.MockHttpServletResponse
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurerTests.CsrfTokenRepositoryConfig;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurerTests.RequireCsrfProtectionMatcherConfig
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.access.AccessDeniedException
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.Authentication
import org.springframework.security.core.authority.AuthorityUtils
import org.springframework.security.core.context.SecurityContextImpl
import org.springframework.security.web.access.AccessDeniedHandler
import org.springframework.security.web.context.HttpRequestResponseHolder
import org.springframework.security.web.context.HttpSessionSecurityContextRepository
import org.springframework.security.web.csrf.CsrfFilter
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor
import org.springframework.security.web.csrf.CsrfToken
import org.springframework.security.web.csrf.CsrfTokenRepository
import org.springframework.security.web.csrf.DefaultCsrfToken
import org.springframework.security.web.util.matcher.RequestMatcher
import org.springframework.web.servlet.support.RequestDataValueProcessor;
import org.springframework.web.servlet.support.RequestDataValueProcessor
import spock.lang.Unroll
@@ -203,6 +205,7 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
}
mockBean(RequestMatcher,'matcher')
createAppContext()
request.method = 'POST'
RequestMatcher matcher = appContext.getBean("matcher",RequestMatcher)
when:
when(matcher.matches(any(HttpServletRequest))).thenReturn(false)
@@ -272,10 +275,43 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
when(repo.loadToken(any(HttpServletRequest))).thenReturn(token)
request.setParameter(token.parameterName,token.token)
request.method = "POST"
request.requestURI = "/j_spring_security_logout"
request.servletPath = "/j_spring_security_logout"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
verify(repo).saveToken(eq(null),any(HttpServletRequest), any(HttpServletResponse))
}
def "SEC-2495: csrf disables logout on GET"() {
setup:
httpAutoConfig {
'csrf'()
}
createAppContext()
login()
request.method = "GET"
request.requestURI = "/j_spring_security_logout"
when:
springSecurityFilterChain.doFilter(request,response,chain)
then:
getAuthentication(request) != null
}
def login(String username="user", String role="ROLE_USER") {
login(new UsernamePasswordAuthenticationToken(username, null, AuthorityUtils.createAuthorityList(role)))
}
def login(Authentication auth) {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
repo.loadContext(requestResponseHolder)
repo.saveContext(new SecurityContextImpl(authentication:auth), requestResponseHolder.request, requestResponseHolder.response)
}
def getAuthentication(HttpServletRequest request) {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository()
HttpRequestResponseHolder requestResponseHolder = new HttpRequestResponseHolder(request, response)
repo.loadContext(requestResponseHolder)?.authentication
}
}
@@ -0,0 +1,34 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration("classpath:org/springframework/security/config/sec-2508.xml" )
public class Sec2508Tests {
@Autowired
private AuthenticationEntryPoint ep;
@Test
public void loads() {}
}
@@ -0,0 +1,50 @@
/*
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.method.sec2499;
import org.junit.After;
import org.junit.Test;
import org.springframework.context.support.GenericXmlApplicationContext;
/**
*
* @author Rob Winch
*
*/
public class Sec2499Tests {
private GenericXmlApplicationContext parent;
private GenericXmlApplicationContext child;
@After
public void cleanup() {
if(parent != null) {
parent.close();
}
if(child != null) {
child.close();
}
}
@Test
public void methodExpressionHandlerInParentContextLoads() {
parent = new GenericXmlApplicationContext("org/springframework/security/config/method/sec2499/parent.xml");
child = new GenericXmlApplicationContext();
child.load("org/springframework/security/config/method/sec2499/child.xml");
child.setParent(parent);
child.refresh();
}
}
@@ -0,0 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<global-method-security pre-post-annotations="enabled">
<expression-handler ref="expressionHandler"/>
</global-method-security>
</b:beans>
@@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"/>
</beans>
@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
<constructor-arg>
<map>
<entry>
<key>
<bean class="org.springframework.security.web.util.AntPathRequestMatcher">
<constructor-arg value="/**"/>
</bean>
</key>
<bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
</entry>
</map>
</constructor-arg>
<property name="defaultEntryPoint">
<bean class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
</property>
</bean>
</beans>
+1 -7
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-core</name>
<description>spring-security-core</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Access is denied
AbstractLdapAuthenticationProvider.emptyPassword=Empty Password
AbstractSecurityInterceptor.authenticationNotFound=An Authentication object was not found in the SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Bad credentials
AbstractUserDetailsAuthenticationProvider.credentialsExpired=User credentials have expired
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=P\u0159\u00EDstup odep\u0159en
AbstractLdapAuthenticationProvider.emptyPassword=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
AbstractSecurityInterceptor.authenticationNotFound=Nebyl nalezen \u017E\u00E1dn\u00FD Authentication objekt v SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=\u0160patn\u00E9 p\u0159ihla\u0161ovac\u00ED \u00FAdaje
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Platnost u\u017Eivatelsk\u00E9ho hesla vypr\u0161ela
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Zugriff verweigert
AbstractLdapAuthenticationProvider.emptyPassword=Ung\u00FCltige Benutzerberechtigungen
AbstractSecurityInterceptor.authenticationNotFound=Im SecurityContext wurde keine Authentifikation gefunden
AbstractUserDetailsAuthenticationProvider.badCredentials=Ung\u00FCltige Benutzerberechtigungen
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Die G\u00FCltigkeit der Benutzerberechtigungen ist abgelaufen
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Acceso denegado
AbstractLdapAuthenticationProvider.emptyPassword=Credenciales err\u00F3neas
AbstractSecurityInterceptor.authenticationNotFound=El objeto Authentication no ha sido encontrado en el SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciales err\u00F3neas
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Las credenciales del usuario han expirado
@@ -3,6 +3,7 @@
# Translation by Laurent Pireyn (laurent.pireyn@pisolutions.eu)
# Translation by Valentin Crettaz (valentin.crettaz@consulthys.com)
AbstractAccessDecisionManager.accessDenied=Acc\u00E8s refus\u00E9
AbstractLdapAuthenticationProvider.emptyPassword=Le mot de passe est obligatoire
AbstractSecurityInterceptor.authenticationNotFound=Aucun objet Authentication n'a \u00E9t\u00E9 trouv\u00E9 dans le SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Les identifications sont erron\u00E9es
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Les identifications de l'utilisateur ont expir\u00E9
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Accesso negato
AbstractLdapAuthenticationProvider.badCredentials=Credenziali non valide
AbstractSecurityInterceptor.authenticationNotFound=Nessuna autenticazione trovata dentro il Security Context
AbstractUserDetailsAuthenticationProvider.badCredentials=Credenziali non valide
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenziali dell'utente scadute
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=\uC811\uADFC\uC774 \uAC70\uBD80\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
AbstractLdapAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
AbstractSecurityInterceptor.authenticationNotFound=SecurityContext\uC5D0\uC11C Authentication \uAC1D\uCCB4\uB97C \uCC3E\uC744 \uC218 \uC5C6\uC2B5\uB2C8\uB2E4.
AbstractUserDetailsAuthenticationProvider.badCredentials=\uBE44\uBC00\uBC88\uD638(credential)\uAC00 \uB9DE\uC9C0 \uC54A\uC2B5\uB2C8\uB2E4.
AbstractUserDetailsAuthenticationProvider.credentialsExpired=\uBE44\uBC00\uBC88\uD638(credential)\uC758 \uC720\uD6A8 \uAE30\uAC04\uC774 \uB9CC\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Pri\u0117jimas neleid\u017eiamas
AbstractLdapAuthenticationProvider.emptyPassword=Tu\u0161\u010dias slapta\u017eodis
AbstractSecurityInterceptor.authenticationNotFound=Authentication objektas nerastas SecurityContext kontekste
AbstractUserDetailsAuthenticationProvider.badCredentials=Blogi kredencialai
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Pasibaig\u0117 vartotojo kredencial\u0173 galiojimas
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=Dost\u0119p zabroniony
AbstractLdapAuthenticationProvider.emptyPassword=Niepoprawne dane uwierzytelniaj\u0105ce
AbstractSecurityInterceptor.authenticationNotFound=Obiekt Authentication nie zosta\u0142 odnaleziony w SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Niepoprawne dane uwierzytelniaj\u0105ce
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Wa\u017Cno\u015B\u0107 danych uwierzytelniaj\u0105cych wygas\u0142a
@@ -2,6 +2,7 @@
# Messages in Brazilian Portuguese
# Translation by Leonardo Pinto (leoviveiros@gmail.com)
AbstractAccessDecisionManager.accessDenied=Acesso negado
AbstractLdapAuthenticationProvider.emptyPassword=Usu\u00E1rio inexistente ou senha inv\u00E1lida
AbstractSecurityInterceptor.authenticationNotFound=Um objeto de autentica\u00E7\u00E3o n\u00E3o foi encontrado no SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Usu\u00E1rio inexistente ou senha inv\u00E1lida
AbstractUserDetailsAuthenticationProvider.credentialsExpired=Credenciais expiradas
@@ -1,6 +1,7 @@
# Spring Security Portuguese Resource Bundle
# Author: José Santos
AbstractAccessDecisionManager.accessDenied=Acesso negado
AbstractLdapAuthenticationProvider.emptyPassword=Credenciais inv\u00E1lidas
AbstractSecurityInterceptor.authenticationNotFound=Objecto Authentication n\u00E3o encontrado em SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=Credenciais inv\u00E1lidas
AbstractUserDetailsAuthenticationProvider.credentialsExpired=As credenciais do utilizador expiraram
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=\u0414\u043E\u0441\u0442\u0443\u043F \u0437\u0430\u0431\u043E\u0440\u043E\u043D\u0435\u043D\u0438\u0439
AbstractLdapAuthenticationProvider.emptyPassword=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
AbstractSecurityInterceptor.authenticationNotFound=\u041E\u0431'\u0454\u043A\u0442 Authentication \u043D\u0435 \u0437\u043D\u0430\u0439\u0434\u0435\u043D\u0438\u0439 \u0432 SecurityContext
AbstractUserDetailsAuthenticationProvider.badCredentials=\u0414\u0430\u043D\u0456 \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043D\u0435\u043A\u043E\u0440\u0435\u043A\u0442\u043D\u0456
AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u041F\u043E\u0432\u043D\u043E\u0432\u0430\u0436\u0435\u043D\u043D\u044F \u043A\u043E\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\u0438\u0447\u0435\u0440\u043F\u0430\u043B\u0438 \u0442\u0435\u0440\u043C\u0456\u043D \u0434\u0456\u0457
@@ -1,4 +1,5 @@
AbstractAccessDecisionManager.accessDenied=\u4E0D\u5141\u8BB8\u8BBF\u95EE
AbstractLdapAuthenticationProvider.emptyPassword=\u574F\u7684\u51ED\u8BC1
AbstractSecurityInterceptor.authenticationNotFound=\u672A\u5728SecurityContext\u4E2D\u67E5\u627E\u5230\u8BA4\u8BC1\u5BF9\u8C61
AbstractUserDetailsAuthenticationProvider.badCredentials=\u574F\u7684\u51ED\u8BC1
AbstractUserDetailsAuthenticationProvider.credentialsExpired=\u7528\u6237\u51ED\u8BC1\u5DF2\u8FC7\u671F
+1 -7
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-crypto</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-crypto</name>
<description>spring-security-crypto</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
+1 -1
View File
@@ -75,7 +75,7 @@ public class RootConfiguration {
}
----
The `@ComponentScan` is loading all configuration within the same package (and child packags) as `RootConfiguration`. Since <<security-config-java,SecurityConfig>> is in this package, it will be loaded with our existing setup and there is nothing more to do.
The `@ComponentScan` is loading all configuration within the same package (and child packages) as `RootConfiguration`. Since <<security-config-java,SecurityConfig>> is in this package, it will be loaded with our existing setup and there is nothing more to do.
NOTE: Had <<security-config-java,SecurityConfig>> not been loaded, we could have used an `@Import(SecurityConfig)` above the class definition of <<root-configuration-java,RootConfiguration>> or added <<security-config-java,SecurityConfig>> as one of the results for `getRootConfigClasses()`.
+346 -83
View File
@@ -126,7 +126,7 @@ Today Spring Security enjoys a strong and active open source community. There ar
[[release-numbering]]
=== Release Numbering
It is useful to understand how Spring Security release numbers work, as it will help you identify the effort (or lack thereof) involved in migrating to future releases of the project. Each release uses a standard triplet of integers: MAJOR.MINOR.PATCH. The intent is that MAJOR versions are incompatible, large-scale upgrades of the API. MINOR versions should largely retain source and binary compatibility with older minor versions, thought there may be some design changes and incompatible udates. PATCH level should be perfectly compatible, forwards and backwards, with the possible exception of changes which are to fix bugs and defects.
It is useful to understand how Spring Security release numbers work, as it will help you identify the effort (or lack thereof) involved in migrating to future releases of the project. Each release uses a standard triplet of integers: MAJOR.MINOR.PATCH. The intent is that MAJOR versions are incompatible, large-scale upgrades of the API. MINOR versions should largely retain source and binary compatibility with older minor versions, thought there may be some design changes and incompatible updates. PATCH level should be perfectly compatible, forwards and backwards, with the possible exception of changes which are to fix bugs and defects.
The extent to which you are affected by changes will depend on how tightly integrated your code is. If you are doing a lot of customization you are more likely to be affected than if you are using a simple namespace configuration.
@@ -3124,8 +3124,7 @@ public class WebSecurityConfig extends
[[csrf-include-csrf-token-form]]
===== Form Submissions
The last step is to ensure that you include the CSRF token in all PATCH, POST, PUT, and DELETE methods. This can be done using the _csrf request attribute to obtain the current CsrfToken. An example of doing this with a JSP is shown below:
The last step is to ensure that you include the CSRF token in all PATCH, POST, PUT, and DELETE methods. One way to approach this is to use the `_csrf` request attribute to obtain the current `CsrfToken`. An example of doing this with a JSP is shown below:
[source,xml]
----
@@ -3140,9 +3139,11 @@ The last step is to ensure that you include the CSRF token in all PATCH, POST, P
</form>
----
An easier approach is to use <<the-csrfInput-tag,the csrfInput tag>> from the Spring Security JSP tag library.
[NOTE]
====
If you are using Spring MVC <form:form> tag or http://www.thymeleaf.org/whatsnew21.html#reqdata[Thymeleaf 2.1+], the `CsrfToken` is automatically included for you if you replace `@EnableWebSecurity` with `@EnableWebMvcSecurity` using the `CsrfRequestDataValueProcessor`.
If you are using Spring MVC `<form:form>` tag or http://www.thymeleaf.org/whatsnew21.html#reqdata[Thymeleaf 2.1+], and you replace `@EnableWebSecurity` with `@EnableWebMvcSecurity`, the `CsrfToken` is automatically included for you (using the `CsrfRequestDataValueProcessor`).
====
[[csrf-include-csrf-token-ajax]]
@@ -3162,6 +3163,8 @@ If you using JSON, then it is not possible to submit the CSRF token within an HT
<!-- ... -->
----
Instead of manually creating the meta tags, you can use the simpler <<the-csrfmetatags-tag,csrfMetaTags tag>> from the Spring Security JSP tag library.
You can then include the token within all your Ajax requests. If you were using jQuery, this could be done with the following:
[source,javascript]
@@ -5034,6 +5037,88 @@ The permissions are passed to the `PermissionFactory` defined in the application
This tag also supports the `var` attribute, in the same way as the `authorize` tag.
=== The csrfInput Tag
If CSRF protection is enabled, this tag inserts a hidden form field with the correct name and value for the CSRF protection token. If CSRF protection is not enabled, this tag outputs nothing.
Normally Spring Security automatically inserts a CSRF form field for any `<form:form>` tags you use, but if for some reason you cannot use `<form:form>`, `csrfInput` is a handy replacement.
You should place this tag within an HTML `<form></form>` block, where you would normally place other input fields. Do NOT place this tag within a Spring `<form:form></form:form>` block—Spring Security handles Spring forms automatically.
[source,xml]
----
<form method="post" action="/do/something">
<sec:csrfInput />
Name:<br />
<input type="text" name="name" />
...
</form>
----
=== The csrfMetaTags Tag
If CSRF protection is enabled, this tag inserts meta tags containing the CSRF protection token form field and header names and CSRF protection token value. These meta tags are useful for employing CSRF protection within JavaScript in your applications.
You should place `csrfMetaTags` within an HTML `<head></head>` block, where you would normally place other meta tags. Once you use this tag, you can access the form field name, header name, and token value easily using JavaScript. JQuery is used in this example to make the task easier.
[source,xml]
----
<!DOCTYPE html>
<html>
<head>
<title>CSRF Protected JavaScript Page</title>
<meta name="description" content="This is the description for this page" />
<sec:csrfMetaTags />
<script type="text/javascript" language="javascript">
var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
var csrfHeader = $("meta[name='_csrf_header']").attr("content");
var csrfToken = $("meta[name='_csrf']").attr("content");
// using XMLHttpRequest directly to send an x-www-form-urlencoded request
var ajax = new XMLHttpRequest();
ajax.open("POST", "http://www.example.org/do/something", true);
ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded data");
ajax.send(csrfParameter + "=" + csrfToken + "&name=John&...");
// using XMLHttpRequest directly to send a non-x-www-form-urlencoded request
var ajax = new XMLHttpRequest();
ajax.open("POST", "http://www.example.org/do/something", true);
ajax.setRequestHeader(csrfHeader, csrfToken);
ajax.send("...");
// using JQuery to send an x-www-form-urlencoded request
var data = {};
data[csrfParameter] = csrfToken;
data["name"] = "John";
...
$.ajax({
url: "http://www.example.org/do/something",
type: "POST",
data: data,
...
});
// using JQuery to send a non-x-www-form-urlencoded request
var headers = {};
headers[csrfHeader] = csrfToken;
$.ajax({
url: "http://www.example.org/do/something",
type: "POST",
headers: headers,
...
});
<script>
</head>
<body>
...
</body>
</html>
----
If CSRF protection is not enabled, `csrfMetaTags` outputs nothing.
[[jaas]]
== Java Authentication and Authorization Service (JAAS) Provider
@@ -6029,7 +6114,7 @@ DDL statements are given for the HSQLDB database. You can use these as a guideli
=== User Schema
The standard JDBC implementation of the `UserDetailsService` (`JdbcDaoImpl`) requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user.
The standard JDBC implementation of the `UserDetailsService` (`JdbcDaoImpl`) requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user. You will need to adjust this schema to match the database dialect you are using.
[source]
----
@@ -6037,51 +6122,57 @@ The standard JDBC implementation of the `UserDetailsService` (`JdbcDaoImpl`) req
create table users(
username varchar_ignorecase(50) not null primary key,
password varchar_ignorecase(50) not null,
enabled boolean not null);
enabled boolean not null
);
create table authorities (
username varchar_ignorecase(50) not null,
authority varchar_ignorecase(50) not null,
constraint fk_authorities_users foreign key(username) references users(username));
create unique index ix_auth_username on authorities (username,authority);
constraint fk_authorities_users foreign key(username) references users(username)
);
create unique index ix_auth_username on authorities (username,authority);
----
==== Group Authorities
Spring Security 2.0 introduced support for group authorities in `JdbcDaoImpl`. The table structure if groups are enabled is as follows:
Spring Security 2.0 introduced support for group authorities in `JdbcDaoImpl`. The table structure if groups are enabled is as follows. You will need to adjust this schema to match the database dialect you are using.
[source]
----
create table groups (
id bigint generated by default as identity(start with 0) primary key,
group_name varchar_ignorecase(50) not null);
id bigint generated by default as identity(start with 0) primary key,
group_name varchar_ignorecase(50) not null
);
create table group_authorities (
group_id bigint not null,
authority varchar(50) not null,
constraint fk_group_authorities_group foreign key(group_id) references groups(id));
group_id bigint not null,
authority varchar(50) not null,
constraint fk_group_authorities_group foreign key(group_id) references groups(id)
);
create table group_members (
id bigint generated by default as identity(start with 0) primary key,
username varchar(50) not null,
group_id bigint not null,
constraint fk_group_members_group foreign key(group_id) references groups(id));
id bigint generated by default as identity(start with 0) primary key,
username varchar(50) not null,
group_id bigint not null,
constraint fk_group_members_group foreign key(group_id) references groups(id)
);
----
Remember that these tables are only required if you are using the provided JDBC `UserDetailsService` implementation. If you write your own or choose to implement `AuthenticationProvider` without a `UserDetailsService`, then you have complete freedom over how you store the data, as long as the interface contract is satisfied.
=== Persistent Login (Remember-Me) Schema
This table is used to store data used by the more secure <<remember-me-persistent-token,persistent token>> remember-me implementation. If you are using `JdbcTokenRepositoryImpl` either directly or through the namespace, then you will need this table.
This table is used to store data used by the more secure <<remember-me-persistent-token,persistent token>> remember-me implementation. If you are using `JdbcTokenRepositoryImpl` either directly or through the namespace, then you will need this table. Remember to adjust this schema to match the database dialect you are using.
[source]
----
create table persistent_logins (
username varchar(64) not null,
series varchar(64) primary key,
token varchar(64) not null,
last_used timestamp not null);
username varchar(64) not null,
series varchar(64) primary key,
token varchar(64) not null,
last_used timestamp not null
);
----
@@ -6096,85 +6187,97 @@ There are four tables used by the Spring Security <<domain-acls,ACL>> implementa
It is assumed that the database will auto-generate the primary keys for each of the identities. The `JdbcMutableAclService` has to be able to retrieve these when it has created a new row in the `acl_sid` or `acl_class` tables. It has two properties which define the SQL needed to retrieve these values `classIdentityQuery` and `sidIdentityQuery`. Both of these default to `call identity()`
==== Hypersonic SQL
The ACL artifact JAR contains files for creating the ACL schema in HyperSQL (HSQLDB), PostgreSQL, MySQL/MariaDB, Microsoft SQL Server, and Oracle Database. These schemas are also demonstrated in the following sections.
==== HyperSQL
The default schema works with the embedded HSQLDB database that is used in unit tests within the framework.
[source]
[source,ddl]
----
create table acl_sid (
id bigint generated by default as identity(start with 100) not null primary key,
principal boolean not null,
sid varchar_ignorecase(100) not null,
constraint unique_uk_1 unique(sid,principal) );
create table acl_sid(
id bigint generated by default as identity(start with 100) not null primary key,
principal boolean not null,
sid varchar_ignorecase(100) not null,
constraint unique_uk_1 unique(sid,principal)
);
create table acl_class (
id bigint generated by default as identity(start with 100) not null primary key,
class varchar_ignorecase(100) not null,
constraint unique_uk_2 unique(class) );
create table acl_class(
id bigint generated by default as identity(start with 100) not null primary key,
class varchar_ignorecase(100) not null,
constraint unique_uk_2 unique(class)
);
create table acl_object_identity (
id bigint generated by default as identity(start with 100) not null primary key,
object_id_class bigint not null,
object_id_identity bigint not null,
parent_object bigint,
owner_sid bigint not null,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id) );
create table acl_object_identity(
id bigint generated by default as identity(start with 100) not null primary key,
object_id_class bigint not null,
object_id_identity bigint not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id)
);
create table acl_entry (
id bigint generated by default as identity(start with 100) not null primary key,
acl_object_identity bigint not null,ace_order int not null,sid bigint not null,
mask integer not null,granting boolean not null,audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity)
references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id) );
create table acl_entry(
id bigint generated by default as identity(start with 100) not null primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id)
);
----
==== PostgreSQL
[source,ddl]
----
create table acl_sid(
id bigserial not null primary key,
principal boolean not null,
sid varchar(100) not null,
constraint unique_uk_1 unique(sid,principal));
id bigserial not null primary key,
principal boolean not null,
sid varchar(100) not null,
constraint unique_uk_1 unique(sid,principal)
);
create table acl_class(
id bigserial not null primary key,
class varchar(100) not null,
constraint unique_uk_2 unique(class));
id bigserial not null primary key,
class varchar(100) not null,
constraint unique_uk_2 unique(class)
);
create table acl_object_identity(
id bigserial primary key,
object_id_class bigint not null,
object_id_identity bigint not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object) references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class) references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid) references acl_sid(id));
id bigserial primary key,
object_id_class bigint not null,
object_id_identity bigint not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id)
);
create table acl_entry(
id bigserial primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity)
references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id));
id bigserial primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id)
);
----
You will have to set the `classIdentityQuery` and `sidIdentityQuery` properties of `JdbcMutableAclService` to the following values, respectively:
@@ -6182,6 +6285,166 @@ You will have to set the `classIdentityQuery` and `sidIdentityQuery` properties
* `select currval(pg_get_serial_sequence('acl_class', 'id'))`
* `select currval(pg_get_serial_sequence('acl_sid', 'id'))`
==== MySQL and MariaDB
[source,ddl]
----
CREATE TABLE acl_sid (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
principal BOOLEAN NOT NULL,
sid VARCHAR(100) NOT NULL,
UNIQUE KEY unique_acl_sid (sid, principal)
) ENGINE=InnoDB;
CREATE TABLE acl_class (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
class VARCHAR(100) NOT NULL,
UNIQUE KEY uk_acl_class (class)
) ENGINE=InnoDB;
CREATE TABLE acl_object_identity (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
object_id_class BIGINT UNSIGNED NOT NULL,
object_id_identity BIGINT NOT NULL,
parent_object BIGINT UNSIGNED,
owner_sid BIGINT UNSIGNED,
entries_inheriting BOOLEAN NOT NULL,
UNIQUE KEY uk_acl_object_identity (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
) ENGINE=InnoDB;
CREATE TABLE acl_entry (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
acl_object_identity BIGINT UNSIGNED NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT UNSIGNED NOT NULL,
mask INTEGER UNSIGNED NOT NULL,
granting BOOLEAN NOT NULL,
audit_success BOOLEAN NOT NULL,
audit_failure BOOLEAN NOT NULL,
UNIQUE KEY unique_acl_entry (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
) ENGINE=InnoDB;
----
==== Microsoft SQL Server
[source,ddl]
----
CREATE TABLE acl_sid (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
principal BIT NOT NULL,
sid VARCHAR(100) NOT NULL,
CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
);
CREATE TABLE acl_class (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
class VARCHAR(100) NOT NULL,
CONSTRAINT uk_acl_class UNIQUE (class)
);
CREATE TABLE acl_object_identity (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
object_id_class BIGINT NOT NULL,
object_id_identity BIGINT NOT NULL,
parent_object BIGINT,
owner_sid BIGINT,
entries_inheriting BIT NOT NULL,
CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
);
CREATE TABLE acl_entry (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
acl_object_identity BIGINT NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT NOT NULL,
mask INTEGER NOT NULL,
granting BIT NOT NULL,
audit_success BIT NOT NULL,
audit_failure BIT NOT NULL,
CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
);
----
==== Oracle Database
[source,ddl]
----
CREATE TABLE acl_sid (
id NUMBER(38) NOT NULL PRIMARY KEY,
principal NUMBER(1) NOT NULL CHECK (principal in (0, 1)),
sid NVARCHAR2(100) NOT NULL,
CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
);
CREATE SEQUENCE acl_sid_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_sid_id_trigger
BEFORE INSERT ON acl_sid
FOR EACH ROW
BEGIN
SELECT acl_sid_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_class (
id NUMBER(38) NOT NULL PRIMARY KEY,
class NVARCHAR2(100) NOT NULL,
CONSTRAINT uk_acl_class UNIQUE (class)
);
CREATE SEQUENCE acl_class_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_class_id_trigger
BEFORE INSERT ON acl_class
FOR EACH ROW
BEGIN
SELECT acl_class_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_object_identity (
id NUMBER(38) NOT NULL PRIMARY KEY,
object_id_class NUMBER(38) NOT NULL,
object_id_identity NUMBER(38) NOT NULL,
parent_object NUMBER(38),
owner_sid NUMBER(38),
entries_inheriting NUMBER(1) NOT NULL CHECK (entries_inheriting in (0, 1)),
CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
);
CREATE SEQUENCE acl_object_identity_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_object_identity_id_trigger
BEFORE INSERT ON acl_object_identity
FOR EACH ROW
BEGIN
SELECT acl_object_identity_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_entry (
id NUMBER(38) NOT NULL PRIMARY KEY,
acl_object_identity NUMBER(38) NOT NULL,
ace_order INTEGER NOT NULL,
sid NUMBER(38) NOT NULL,
mask INTEGER NOT NULL,
granting NUMBER(1) NOT NULL CHECK (granting in (0, 1)),
audit_success NUMBER(1) NOT NULL CHECK (audit_success in (0, 1)),
audit_failure NUMBER(1) NOT NULL CHECK (audit_failure in (0, 1)),
CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
);
CREATE SEQUENCE acl_entry_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_entry_id_trigger
BEFORE INSERT ON acl_entry
FOR EACH ROW
BEGIN
SELECT acl_entry_sequence.nextval INTO :new.id FROM dual;
END;
----
[[appendix-namespace]]
== The Security Namespace
This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document). If you haven't used the namespace before, please read the <<ns-config,introductory chapter>> on namespace configuration, as this is intended as a supplement to the information there. Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose. The namespace is written in http://www.relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema. If you are familiar with this format, you may wish to examine the https://fisheye.springsource.org/browse/spring-security/config/src/main/resources/org/springframework/security/config/spring-security-3.2.rnc[schema file] directly.
+1 -1
View File
@@ -1 +1 @@
version=3.2.1.CI-SNAPSHOT
version=3.2.2.RELEASE
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>itest-context</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>itest-context</name>
<description>itest-context</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -64,7 +58,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -155,13 +149,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>itest-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>itest-web</name>
<description>itest-web</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
@@ -149,31 +143,31 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-ldap</name>
<description>spring-security-ldap</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.ldap</groupId>
@@ -76,7 +70,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -1,4 +1,18 @@
package org.springframework.security.ldap.authentication;
/*
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/package org.springframework.security.ldap.authentication;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -56,6 +70,11 @@ public abstract class AbstractLdapAuthenticationProvider implements Authenticati
"Empty Username"));
}
if (!StringUtils.hasLength(password)) {
throw new BadCredentialsException(messages.getMessage("AbstractLdapAuthenticationProvider.emptyPassword",
"Empty Password"));
}
Assert.notNull(password, "Null password was supplied in authentication token");
DirContextOperations userData = doAuthentication(userToken);
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2012 the original author or authors.
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
@@ -143,6 +143,12 @@ public class ActiveDirectoryLdapAuthenticationProviderTests {
provider.authenticate(joe);
}
// SEC-2500
@Test(expected = BadCredentialsException.class)
public void sec2500PreventAnonymousBind() {
provider.authenticate(new UsernamePasswordAuthenticationToken("rwinch", ""));
}
@SuppressWarnings("unchecked")
@Test(expected = IncorrectResultSizeDataAccessException.class)
public void duplicateUserSearchCausesError() throws Exception {
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-openid</name>
<description>spring-security-openid</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.google.inject</groupId>
@@ -70,13 +64,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-remoting</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-remoting</name>
<description>spring-security-remoting</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -58,7 +52,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-aspectj-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-samples-aspectj-xml</name>
<description>spring-security-samples-aspectj-xml</description>
<url>http://spring.io/spring-security</url>
@@ -42,17 +42,11 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -84,13 +78,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-cassample-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-cassample-xml</name>
<description>spring-security-samples-cassample-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.jasig.cas.client</groupId>
@@ -66,13 +60,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -121,13 +115,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+1 -7
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-casserver</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-casserver</name>
<description>spring-security-samples-casserver</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-concurrency-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-concurrency-jc</name>
<description>spring-security-samples-concurrency-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-contacts-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-contacts-xml</name>
<description>spring-security-samples-contacts-xml</description>
@@ -50,23 +50,17 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -169,19 +163,19 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-dms-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-samples-dms-xml</name>
<description>spring-security-samples-dms-xml</description>
<url>http://spring.io/spring-security</url>
@@ -42,23 +42,17 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -114,7 +108,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-form-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-form-jc</name>
<description>spring-security-samples-form-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-gae-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-gae-xml</name>
<description>spring-security-samples-gae-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.google.appengine</groupId>
@@ -84,13 +78,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -163,13 +157,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-hellojs-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-hellojs-jc</name>
<description>spring-security-samples-hellojs-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
@@ -108,25 +102,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-hellomvc-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-hellomvc-jc</name>
<description>spring-security-samples-hellomvc-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-helloworld-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-helloworld-jc</name>
<description>spring-security-samples-helloworld-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -72,13 +66,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-inmemory-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-inmemory-jc</name>
<description>spring-security-samples-inmemory-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+1 -7
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-insecure</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-insecure</name>
<description>spring-security-samples-insecure</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-insecuremvc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-insecuremvc</name>
<description>spring-security-samples-insecuremvc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,7 +96,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-jaas-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-jaas-xml</name>
<description>spring-security-samples-jaas-xml</description>
@@ -50,17 +50,11 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -127,19 +121,19 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-jdbc-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-jdbc-jc</name>
<description>spring-security-samples-jdbc-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-ldap-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-ldap-jc</name>
<description>spring-security-samples-ldap-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -138,31 +132,31 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-ldap-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-ldap-xml</name>
<description>spring-security-samples-ldap-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
@@ -91,19 +85,19 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-samples-messages-jc</name>
<description>spring-security-samples-messages-jc</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.validation</groupId>
@@ -88,13 +82,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+6 -12
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-openid-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-openid-jc</name>
<description>spring-security-samples-openid-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,31 +96,31 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-openid-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-openid-xml</name>
<description>spring-security-samples-openid-xml</description>
@@ -50,23 +50,17 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -115,13 +109,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-preauth-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-preauth-jc</name>
<description>spring-security-samples-preauth-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+3 -9
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-preauth-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-preauth-xml</name>
<description>spring-security-samples-preauth-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
@@ -91,13 +85,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-rememberme-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-rememberme-jc</name>
<description>spring-security-samples-rememberme-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-servletapi-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-servletapi-xml</name>
<description>spring-security-samples-servletapi-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -66,13 +60,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -139,13 +133,13 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-tutorial-xml</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-tutorial-xml</name>
<description>spring-security-samples-tutorial-xml</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.slf4j</groupId>
@@ -66,7 +60,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -139,19 +133,19 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>runtime</scope>
</dependency>
<dependency>
+5 -11
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-x509-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<packaging>war</packaging>
<name>spring-security-samples-x509-jc</name>
<description>spring-security-samples-x509-jc</description>
@@ -50,12 +50,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
@@ -102,25 +96,25 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-samples-messages-jc</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
+4 -10
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-taglibs</name>
<description>spring-security-taglibs</description>
<url>http://spring.io/spring-security</url>
@@ -42,29 +42,23 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -1,3 +1,19 @@
/*
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.taglibs;
import org.apache.commons.logging.Log;
@@ -6,7 +22,7 @@ import org.apache.commons.logging.LogFactory;
import javax.servlet.jsp.tagext.Tag;
/**
* internal cconfiguration class for taglibs.
* internal configuration class for taglibs.
*
* Not for public use.
*
@@ -0,0 +1,49 @@
/*
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.taglibs.csrf;
import org.springframework.security.web.csrf.CsrfToken;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
import java.io.IOException;
/**
* An abstract tag for handling CSRF operations.
*
* @since 3.2.2
* @author Nick Williams
*/
abstract class AbstractCsrfTag extends TagSupport {
@Override
public int doEndTag() throws JspException {
CsrfToken token = (CsrfToken)this.pageContext.getRequest().getAttribute(CsrfToken.class.getName());
if (token != null) {
try {
this.pageContext.getOut().write(this.handleToken(token));
} catch (IOException e) {
throw new JspException(e);
}
}
return EVAL_PAGE;
}
protected abstract String handleToken(CsrfToken token);
}
@@ -0,0 +1,35 @@
/*
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.taglibs.csrf;
import org.springframework.security.web.csrf.CsrfToken;
/**
* A JSP tag that prints out a hidden form field for the CSRF token. See the JSP Tab Library documentation for more
* information.
*
* @since 3.2.2
* @author Nick Williams
*/
public class CsrfInputTag extends AbstractCsrfTag {
@Override
public String handleToken(CsrfToken token) {
return "<input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken() +
"\" />";
}
}
@@ -0,0 +1,36 @@
/*
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.taglibs.csrf;
import org.springframework.security.web.csrf.CsrfToken;
/**
* A JSP tag that prints out a meta tags holding the CSRF form field name and token value for use in JavaScrip code.
* See the JSP Tab Library documentation for more information.
*
* @since 3.2.2
* @author Nick Williams
*/
public class CsrfMetaTagsTag extends AbstractCsrfTag {
@Override
public String handleToken(CsrfToken token) {
return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />" +
"<meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />" +
"<meta name=\"_csrf\" content=\"" + token.getToken() + "\" />";
}
}
@@ -1,5 +1,19 @@
<?xml version="1.0" encoding="ISO-8859-1" ?>
<?xml version="1.0" encoding="UTF-8" ?>
<!--
~ Copyright 2002-2014 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<taglib xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
@@ -177,4 +191,35 @@
</attribute>
</tag>
<tag>
<description><![CDATA[
If CSRF protection is enabled, this tag inserts a hidden form field with the correct name and value for the
CSRF protection token. If CSRF protection is not enabled, this tag outputs nothing. Normally Spring Security
automatically inserts this form field for any <form:form> tags, but if for some reason you cannot use
<form:form> this tag is a handy replacement. You should place this tag within an HTML <form></form> block,
where you would normally place other <input>s. Do NOT place this tag within a Spring <form:form></form:form>
block—Spring Security handles Spring forms automatically.
]]></description>
<name>csrfInput</name>
<tag-class>org.springframework.security.taglibs.csrf.CsrfInputTag</tag-class>
<body-content>empty</body-content>
</tag>
<tag>
<description><![CDATA[
If CSRF protection is enabled, this tag inserts meta tags containing the CSRF protection token form
field and header names and CSRF protection token value. These tags are useful for employing CSRF protection
within JavaScript in your applications. You should place this tag within an HTML <head></head> block, where
you would normally place other meta tags. Once you use this tag, you can access the form field name using
the JQuery $("meta[name='_csrf_parameter']").attr("content") and the header name using
$("meta[name='_csrf_header']").attr("content"). Likewise, you can access the token value with
$("meta[name='_csrf']").attr("content"). You should use a form field when creating and submitting forms from
JavaScript, and you should use a header when sending AJAX requests. If CSRF protection is not enabled, this
tag outputs nothing.
]]></description>
<name>csrfMetaTags</name>
<tag-class>org.springframework.security.taglibs.csrf.CsrfMetaTagsTag</tag-class>
<body-content>empty</body-content>
</tag>
</taglib>
@@ -0,0 +1,91 @@
package org.springframework.security.taglibs.csrf;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockPageContext;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;
import java.io.UnsupportedEncodingException;
import static org.junit.Assert.*;
/**
* @author Nick Williams
*/
public class AbstractCsrfTagTests {
public MockTag tag;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
@Before
public void setUp() {
MockServletContext servletContext = new MockServletContext();
this.request = new MockHttpServletRequest(servletContext);
this.response = new MockHttpServletResponse();
MockPageContext pageContext = new MockPageContext(servletContext, this.request, this.response);
this.tag = new MockTag();
this.tag.setPageContext(pageContext);
}
@Test
public void noCsrfDoesNotRender() throws JspException, UnsupportedEncodingException {
this.tag.handleReturn = "shouldNotBeRendered";
int returned = this.tag.doEndTag();
assertEquals("The returned value is not correct.", TagSupport.EVAL_PAGE, returned);
assertEquals("The output value is not correct.", "", this.response.getContentAsString());
}
@Test
public void hasCsrfRendersReturnedValue() throws JspException, UnsupportedEncodingException {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
this.request.setAttribute(CsrfToken.class.getName(), token);
this.tag.handleReturn = "fooBarBazQux";
int returned = this.tag.doEndTag();
assertEquals("The returned value is not correct.", TagSupport.EVAL_PAGE, returned);
assertEquals("The output value is not correct.", "fooBarBazQux", this.response.getContentAsString());
assertSame("The token is not correct.", token, this.tag.token);
}
@Test
public void hasCsrfRendersDifferentValue() throws JspException, UnsupportedEncodingException {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
this.request.setAttribute(CsrfToken.class.getName(), token);
this.tag.handleReturn = "<input type=\"hidden\" />";
int returned = this.tag.doEndTag();
assertEquals("The returned value is not correct.", TagSupport.EVAL_PAGE, returned);
assertEquals("The output value is not correct.", "<input type=\"hidden\" />",
this.response.getContentAsString());
assertSame("The token is not correct.", token, this.tag.token);
}
private static class MockTag extends AbstractCsrfTag {
private CsrfToken token;
private String handleReturn;
@Override
protected String handleToken(CsrfToken token) {
this.token = token;
return this.handleReturn;
}
}
}
@@ -0,0 +1,45 @@
package org.springframework.security.taglibs.csrf;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import static org.junit.Assert.*;
/**
* @author Nick Williams
*/
public class CsrfInputTagTests {
public CsrfInputTag tag;
@Before
public void setUp() {
this.tag = new CsrfInputTag();
}
@Test
public void handleTokenReturnsHiddenInput() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />",
value);
}
@Test
public void handleTokenReturnsHiddenInputDifferentTokenValue() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "csrfParameter", "fooBarBazQux");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />",
value);
}
}
@@ -0,0 +1,49 @@
package org.springframework.security.taglibs.csrf;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import static org.junit.Assert.*;
/**
* @author Nick Williams
*/
public class CsrfMetaTagsTagTests {
public CsrfMetaTagsTag tag;
@Before
public void setUp() {
this.tag = new CsrfMetaTagsTag();
}
@Test
public void handleTokenRendersTags() {
CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<meta name=\"_csrf_parameter\" content=\"_csrf\" />" +
"<meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />" +
"<meta name=\"_csrf\" content=\"abc123def456ghi789\" />",
value);
}
@Test
public void handleTokenRendersTagsDifferentToken() {
CsrfToken token = new DefaultCsrfToken("csrfHeader", "csrfParameter", "fooBarBazQux");
String value = this.tag.handleToken(token);
assertNotNull("The returned value should not be null.", value);
assertEquals("The output is not correct.",
"<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />" +
"<meta name=\"_csrf_header\" content=\"csrfHeader\" />" +
"<meta name=\"_csrf\" content=\"fooBarBazQux\" />",
value);
}
}
+2 -8
View File
@@ -4,7 +4,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<name>spring-security-web</name>
<description>spring-security-web</description>
<url>http://spring.io/spring-security</url>
@@ -42,12 +42,6 @@
</plugin>
</plugins>
</build>
<repositories>
<repository>
<id>spring-snasphot</id>
<url>https://repo.spring.io/snapshot</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>aopalliance</groupId>
@@ -58,7 +52,7 @@
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.1.CI-SNAPSHOT</version>
<version>3.2.2.RELEASE</version>
<scope>compile</scope>
</dependency>
<dependency>
@@ -49,7 +49,7 @@ public class WebExpressionVoter implements AccessDecisionVoter<FilterInvocation>
}
public boolean supports(Class<?> clazz) {
return clazz.isAssignableFrom(FilterInvocation.class);
return FilterInvocation.class.isAssignableFrom(clazz);
}
public void setExpressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler) {
@@ -30,7 +30,7 @@ abstract class AbstractRequestParameterAllowFromStrategy implements AllowFromStr
log.debug("Supplied origin '"+allowFromOrigin+"'");
}
if (StringUtils.hasText(allowFromOrigin) && allowed(allowFromOrigin)) {
return "ALLOW-FROM " + allowFromOrigin;
return allowFromOrigin;
} else {
return "DENY";
}
@@ -1,5 +1,6 @@
package org.springframework.security.web.access.expression;
import static org.fest.assertions.Assertions.*;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
@@ -19,6 +20,10 @@ import org.springframework.security.web.FilterInvocation;
import java.util.ArrayList;
import javax.servlet.FilterChain;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
/**
* @author Luke Taylor
*/
@@ -63,4 +68,29 @@ public class WebExpressionVoterTests {
assertEquals(AccessDecisionVoter.ACCESS_DENIED, voter.vote(user, fi, attributes));
}
// SEC-2507
@Test
public void supportFilterInvocationSubClass() {
WebExpressionVoter voter = new WebExpressionVoter();
assertThat(voter.supports(FilterInvocationChild.class)).isTrue();
}
private static class FilterInvocationChild extends FilterInvocation {
public FilterInvocationChild(ServletRequest request,
ServletResponse response, FilterChain chain) {
super(request, response, chain);
}
}
@Test
public void supportFilterInvocation() {
WebExpressionVoter voter = new WebExpressionVoter();
assertThat(voter.supports(FilterInvocation.class)).isTrue();
}
@Test
public void supportsObjectIsFalse() {
WebExpressionVoter voter = new WebExpressionVoter();
assertThat(voter.supports(Object.class)).isFalse();
}
}
@@ -73,7 +73,7 @@ public class AbstractRequestParameterAllowFromStrategyTests {
assertThat(
strategy
.getAllowFromValue(request)).isEqualTo("ALLOW-FROM "+value);
.getAllowFromValue(request)).isEqualTo(value);
}
@Test
@@ -33,11 +33,11 @@ public class RegExpAllowFromStrategyTests {
request.setParameter("from", "http://abc.test.com");
String result1 = strategy.getAllowFromValue(request);
assertThat(result1, is("ALLOW-FROM http://abc.test.com"));
assertThat(result1, is("http://abc.test.com"));
request.setParameter("from", "http://foo.test.com");
String result2 = strategy.getAllowFromValue(request);
assertThat(result2, is("ALLOW-FROM http://foo.test.com"));
assertThat(result2, is("http://foo.test.com"));
request.setParameter("from", "http://test.foobar.com");
String result3 = strategy.getAllowFromValue(request);
@@ -38,7 +38,7 @@ public class WhiteListedAllowFromStrategyTests {
request.setParameter("from", "http://www.test.com");
String result = strategy.getAllowFromValue(request);
assertThat(result, is("ALLOW-FROM http://www.test.com"));
assertThat(result, is("http://www.test.com"));
}
@Test
@@ -52,7 +52,7 @@ public class WhiteListedAllowFromStrategyTests {
request.setParameter("from", "http://www.test.com");
String result = strategy.getAllowFromValue(request);
assertThat(result, is("ALLOW-FROM http://www.test.com"));
assertThat(result, is("http://www.test.com"));
}
@Test