c4bcce1ac3
Next development version
2012-10-08 22:24:06 -05:00
23bdc7d766
Release 2.0.8.RELEASE
2012-10-08 21:18:15 -05:00
d07d97838a
Update for javadoc execute with package
2012-10-08 21:09:58 -05:00
f5fc94e1be
SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found
...
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.
The code has been updated to do comparison against a dummy password
even when the the user was not found.
2012-10-08 15:52:40 -05:00
a4f13a9ae0
Added SCM information to pom for OSS requirements
2012-10-08 07:41:26 -05:00
5c308c0215
Further maven 3 cleanup
2012-10-07 18:56:51 -05:00
a0f91b2dd2
Update maven-resources-plugin to 2.6 to work with m2e
2012-10-07 18:21:16 -05:00
6cf44b9de0
Update maven-dependency-plugin to 2.5.1 to support m2e
2012-10-07 18:09:46 -05:00
55e501711d
Set version to 2.0.8.CI-SNAPSHOT
2011-08-19 13:23:04 -07:00
d5e6f0b575
Set release version to 2.0.7.RELEASE
2011-08-19 13:18:45 -07:00
76dc21469e
SEC-1750: Make sure RunAs replacement is constrained to the SecurityContext of the current thread.
2011-08-19 13:18:45 -07:00
22b7c9b905
SEC-1742: Make extraInformation in AuthenticationException transient.
2011-08-19 13:18:45 -07:00
0cdf202b10
SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider.
2011-08-19 13:18:45 -07:00
a507e3612a
SEC-1741: Modify ContextPropagatingRemoteInvocation to pass a simple combination of principal/credentials as Strings, rather than serializing the whole SecurityContext object from the client.
2011-08-19 13:18:45 -07:00
f5fbda42e5
SEC-1790: Reject redirect locations containing CR or LF.
2011-08-19 13:18:35 -07:00
d5b72275e5
SEC-1639: FirewalledRequest is now called on the specific FirewalledRequest instance rather that looping through ServletRequestWrappers.
...
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.
2010-12-17 09:42:25 -06:00
08a933f930
SEC-1608: Ensure request wrapper is reset for empty filter chains.
2010-12-08 13:56:08 +00:00
54ffc98bb4
SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward
2010-11-03 15:01:39 -05:00
1c3d530b60
Switch versions to 2.0.7.CI-SNAPSHOT
2010-10-25 17:20:25 +01:00
beb0ec4ba9
Version 2.0.6.RELEASE
2010-10-25 17:18:16 +01:00
dec2e59fba
SEC-1584: Backport of namespace support for injecting custom HttpFirewall instance into FilterChainProxy.
2010-10-14 20:32:01 +01:00
ed7f589998
SEC-1584: Additional integration tests.
2010-10-13 00:05:38 +01:00
8f6ddb0f17
SEC-1584: Backport to 2.0.x branch of request firewalling (normalization checks and path-parameter stripping from servletPath and pathInfo).
2010-10-13 00:04:44 +01:00
62a8aca853
.gitignore updates
2010-10-03 23:39:33 +01:00
9c6a5135a3
SEC-1532: Patch applied to 2.0.x branch
2010-08-26 14:13:01 +01:00
0acf262546
SEC-1462: Added suggested patch (effectively the same as changes in 3.0.x and master branches).
2010-04-20 18:16:45 +01:00
6ad652ae97
Update 2.0 branch pom versions.
2010-04-20 18:15:51 +01:00
068b3d48ec
Add .gitignore to 2.0.x branch
2010-04-16 15:15:54 +01:00
d6f6a54455
SEC-1444: Backport of changes to 2.0.x
2010-04-16 15:14:01 +01:00
4361211c21
Change release from milestone to release
2009-07-14 12:29:51 +00:00
71adc26b0f
[maven-release-plugin] prepare release spring-security-2.0.5.RELEASE
2009-07-14 00:29:53 +00:00
eb3288ca34
Removing unnecessary repository declarations
2009-07-13 23:53:12 +00:00
f3f4cfe804
Minor changes to readme
2009-07-13 23:48:55 +00:00
40fa884860
Updated release plugin version
2009-07-13 23:47:53 +00:00
3e393c9df6
Tidying test class
2009-07-13 23:47:33 +00:00
a61aca1abf
Update to bundlor M5
2009-07-13 13:07:44 +00:00
52d2c904f9
Disable adapters build
2009-07-09 12:38:59 +00:00
149fd5d8de
Add bundlor templates
2009-07-09 12:26:11 +00:00
f3f02d8aed
Update sec-2.0.x branch to use bundlor
2009-07-09 11:51:26 +00:00
781c99f257
SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user (for real this time)
2009-06-03 16:57:33 +00:00
b77f780993
SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user
2009-06-03 16:12:54 +00:00
22964837e9
SEC-1066
...
upgraded to CAS Client for Java 3.1.5
2008-12-22 19:37:50 +00:00
7566802a08
SEC-1046
...
upgrade to CAS Client for Java 3.1.4
2008-12-16 14:50:04 +00:00
4c3867718e
SEC-1031: Ported change from trunk.
2008-11-11 23:36:47 +00:00
ad4b5c487f
Temporarily store webflow test sample in sandbox
2008-10-02 23:24:58 +00:00
48013b2c93
typo
2008-10-02 15:26:20 +00:00
03b21494bc
Corrected typo
2008-10-02 14:53:24 +00:00
ac54976f9e
Added appendices to end of doc
2008-10-02 14:50:58 +00:00
7594e1ae2f
SEC-984
...
added template method to allow to override the default of retrieving user by username.
2008-10-01 18:49:52 +00:00
97381fb448
SEC-974: Made getExceptionMappings() protected.
2008-10-01 16:25:20 +00:00
Rob Winch
Luke Taylor
Rob Winch
Luke Taylor
Scott Battaglia