Rob Winch
c4bcce1ac3
Next development version
2012-10-08 22:24:06 -05:00
Rob Winch
23bdc7d766
Release 2.0.8.RELEASE
2012-10-08 21:18:15 -05:00
Rob Winch
f5fc94e1be
SEC-2056: DaoAuthenticationProvider performs isPasswordValid when user not found
...
Previously authenticating a user could take significantly longer than
determining that a user does not exist. This was due to the fact that only
users that were found would use the password encoder and comparing a
password can take a significant amount of time. The difference in the
time required could allow a side channel attack that reveals if a user
exists.
The code has been updated to do comparison against a dummy password
even when the user was not found.
2012-10-08 15:52:40 -05:00
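The pattern the SEC-2056 commit describes, as an added illustration that is not Spring Security's own code: a "user not found" path that returns without touching the password encoder is measurably faster than a "wrong password" path, so the fix runs the encoder against a pre-computed dummy credential whenever the lookup fails. The encoder here is a stand-in (JDK PBKDF2-HMAC-SHA256 with a high iteration count), and the class, method and user names are assumptions chosen for the example; the 2.0.x `PasswordEncoder.isPasswordValid(encPass, rawPass, salt)` shape is only loosely mirrored.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Illustration of the SEC-2056 mitigation (example code, not Spring Security's):
 * an unknown user must cost the same as a known user with a wrong password,
 * so the encoder is run against a dummy credential on the "not found" path too.
 */
public class DummyPasswordCheckDemo {

    /** Deliberately slow, salted encoder: PBKDF2-HMAC-SHA256, high iteration count. */
    static final int ITERATIONS = 100_000;
    static final int KEY_BITS = 256;

    static byte[] encode(char[] rawPassword, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(rawPassword, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** MessageDigest.isEqual does not stop at the first differing byte. */
    static boolean isPasswordValid(byte[] storedHash, byte[] salt, char[] rawPassword) {
        return MessageDigest.isEqual(storedHash, encode(rawPassword, salt));
    }

    static final class StoredUser {
        final byte[] salt;
        final byte[] hash;
        StoredUser(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static final class BadCredentialsException extends RuntimeException {
        BadCredentialsException() { super("Bad credentials"); }
    }

    private final Map<String, StoredUser> users = new HashMap<>();
    // Dummy credential prepared once at startup; only its cost matters, not its content.
    private final byte[] dummySalt = new byte[16];
    private final byte[] dummyHash;

    DummyPasswordCheckDemo() {
        new SecureRandom().nextBytes(dummySalt);
        dummyHash = encode("userNotFoundPassword".toCharArray(), dummySalt);
    }

    void addUser(String username, char[] rawPassword) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        users.put(username, new StoredUser(salt, encode(rawPassword, salt)));
    }

    /** Both failure paths run the encoder exactly once and raise the same exception. */
    void authenticate(String username, char[] rawPassword) {
        StoredUser user = users.get(username);
        if (user == null) {
            // SEC-2056: pay the encoder cost even though the result is discarded.
            isPasswordValid(dummyHash, dummySalt, rawPassword);
            throw new BadCredentialsException();
        }
        if (!isPasswordValid(user.hash, user.salt, rawPassword)) {
            throw new BadCredentialsException();
        }
    }

    static long timeFailure(DummyPasswordCheckDemo auth, String username) {
        long start = System.nanoTime();
        try {
            auth.authenticate(username, "wrong".toCharArray());
        } catch (BadCredentialsException expected) {
            // both failure paths end here
        }
        return System.nanoTime() - start;
    }

    public static void main(String[] args) {
        DummyPasswordCheckDemo auth = new DummyPasswordCheckDemo();
        auth.addUser("alice", "correct horse".toCharArray()); // constructed sample user
        long known = timeFailure(auth, "alice");
        long unknown = timeFailure(auth, "nobody");
        System.out.printf("known user, wrong password: %d ms%n", known / 1_000_000);
        System.out.printf("unknown user:               %d ms%n", unknown / 1_000_000);
    }
}
```

Run it once with the dummy call in `authenticate` commented out and once as written: without it the unknown-user timing is near zero while the wrong-password timing is the full PBKDF2 cost, which is exactly the gap the commit message says reveals whether an account exists. The dummy hash is computed at construction time rather than on every miss so that the "not found" branch does the same single encoder call as the "wrong password" branch.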
Luke Taylor
55e501711d
Set version to 2.0.8.CI-SNAPSHOT
2011-08-19 13:23:04 -07:00
Luke Taylor
d5e6f0b575
Set release version to 2.0.7.RELEASE
2011-08-19 13:18:45 -07:00
Luke Taylor
76dc21469e
SEC-1750: Make sure RunAs replacement is constrained to the SecurityContext of the current thread.
2011-08-19 13:18:45 -07:00
Luke Taylor
22b7c9b905
SEC-1742: Make extraInformation in AuthenticationException transient.
2011-08-19 13:18:45 -07:00
Luke Taylor
0cdf202b10
SEC-1744: Do not trust authorities contained in the authentication request in JaasAuthenticationProvider.
2011-08-19 13:18:45 -07:00
Luke Taylor
a507e3612a
SEC-1741: Modify ContextPropagatingRemoteInvocation to pass a simple combination of principal/credentials as Strings, rather than serializing the whole SecurityContext object from the client.
2011-08-19 13:18:45 -07:00
Luke Taylor
f5fbda42e5
SEC-1790: Reject redirect locations containing CR or LF.
2011-08-19 13:18:35 -07:00
Rob Winch
d5b72275e5
SEC-1639: FirewalledRequest is now called on the specific FirewalledRequest instance rather than looping through ServletRequestWrappers.
...
VirtualFilterChain now accepts the FirewalledRequest in the constructor. The reset method is called directly on the instance passed in instead of looping through the ServletRequestWrappers.
2010-12-17 09:42:25 -06:00
Luke Taylor
08a933f930
SEC-1608: Ensure request wrapper is reset for empty filter chains.
2010-12-08 13:56:08 +00:00
Rob Winch
54ffc98bb4
SEC-1606: Added a FirewalledRequestAwareRequestDispatcher that will call FirewalledRequest.reset() before a forward
2010-11-03 15:01:39 -05:00
Luke Taylor
1c3d530b60
Switch versions to 2.0.7.CI-SNAPSHOT
2010-10-25 17:20:25 +01:00
Luke Taylor
beb0ec4ba9
Version 2.0.6.RELEASE
2010-10-25 17:18:16 +01:00
Luke Taylor
dec2e59fba
SEC-1584: Backport of namespace support for injecting custom HttpFirewall instance into FilterChainProxy.
2010-10-14 20:32:01 +01:00
Luke Taylor
8f6ddb0f17
SEC-1584: Backport to 2.0.x branch of request firewalling (normalization checks and path-parameter stripping from servletPath and pathInfo).
2010-10-13 00:04:44 +01:00
Luke Taylor
9c6a5135a3
SEC-1532: Patch applied to 2.0.x branch
2010-08-26 14:13:01 +01:00
Luke Taylor
0acf262546
SEC-1462: Added suggested patch (effectively the same as changes in 3.0.x and master branches).
2010-04-20 18:16:45 +01:00
Luke Taylor
6ad652ae97
Update 2.0 branch pom versions.
2010-04-20 18:15:51 +01:00
Luke Taylor
d6f6a54455
SEC-1444: Backport of changes to 2.0.x
2010-04-16 15:14:01 +01:00
Luke Taylor
71adc26b0f
[maven-release-plugin] prepare release spring-security-2.0.5.RELEASE
2009-07-14 00:29:53 +00:00
Luke Taylor
3e393c9df6
Tidying test class
2009-07-13 23:47:33 +00:00
Luke Taylor
149fd5d8de
Add bundlor templates
2009-07-09 12:26:11 +00:00
Luke Taylor
f3f02d8aed
Update sec-2.0.x branch to use bundlor
2009-07-09 11:51:26 +00:00
Luke Taylor
781c99f257
SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user (for real this time)
2009-06-03 16:57:33 +00:00
Luke Taylor
b77f780993
SEC-1145: Updated LDAP code to make sure pooling flag is removed when binding as a specific user
2009-06-03 16:12:54 +00:00
Luke Taylor
4c3867718e
SEC-1031: Ported change from trunk.
2008-11-11 23:36:47 +00:00
Luke Taylor
97381fb448
SEC-974: Made getExceptionMappings() protected.
2008-10-01 16:25:20 +00:00
Luke Taylor
4542f00b14
SEC-975: Namespace security syntax does not interpret properties
...
http://jira.springframework.org/browse/SEC-975 . Changed creation of AccessDeniedHandler to use a BeanDefinition to make sure placeholders work OK.
2008-09-12 19:06:53 +00:00
Luke Taylor
5e4634d216
Minor Javadoc improvement.
2008-09-12 14:57:21 +00:00
Luke Taylor
d291def963
Removed invalid comment.
2008-09-12 10:18:40 +00:00
Luke Taylor
df59cb9dcd
Import cleaning.
2008-09-11 14:41:00 +00:00
Luke Taylor
ef0389ae79
SEC-976: Removed checks for presence of core-tiger classes.
2008-09-11 14:37:55 +00:00
Luke Taylor
5b9bb8ba54
[maven-release-plugin] prepare for next development iteration
2008-09-05 19:04:22 +00:00
Luke Taylor
73eed2656d
[maven-release-plugin] prepare release spring-security-parent-2.0.4
2008-09-05 18:57:43 +00:00
Luke Taylor
8661e17df9
OPEN - issue SEC-960: DN Encoding in LDAPUserDetailsManager.changePassword() causes bind errors
...
http://jira.springframework.org/browse/SEC-960 . Replaced call to toUrl() with toString() to prevent URL encoding when setting up principal name for reconnect() in changePassword() method.
2008-09-05 13:49:38 +00:00
Luke Taylor
5102be3a59
SEC-971: getter for cookieName in AbstractRememberMeServices
...
http://jira.springframework.org/browse/SEC-971 . Added getCookieName() method.
2008-09-04 16:05:34 +00:00
Luke Taylor
4e2d6f8b2e
SEC-967: TextUtils.java does not escape ampersand character
...
http://jira.springframework.org/browse/SEC-967 . Added escaping of '&' character
2008-08-29 12:01:45 +00:00
Luke Taylor
d781deffe7
OPEN - issue SEC-966: Consider adding escapeXml attribute to security:authentication
...
http://jira.springframework.org/browse/SEC-966 . Added escaping of rendered text as default.
2008-08-26 16:21:29 +00:00
Luke Taylor
a4e4120443
SEC-963: LDAP Group Search Root
...
http://jira.springframework.org/browse/SEC-963 . Changed namespace instances of DefaultAuthoritiesPopulator to use the root as the default search location.
2008-08-26 13:51:01 +00:00
Luke Taylor
83868a7334
SEC-955: ability to externalize port mapping for secured channel to a property file
...
http://jira.springframework.org/browse/SEC-955 . Changed schema to make port-mapping type xsd:string to allow placeholders.
2008-08-26 13:20:01 +00:00
Luke Taylor
150f3d97d0
SEC-832: NamingEnumeration.hasMore fails on MS AD with PartialResultException
...
http://jira.springframework.org/browse/SEC-832 . Changed searchForSingleEntry method to ignore PartialResultException, similar to Spring LDAP's approach.
2008-08-26 12:49:37 +00:00
Luke Taylor
7f28a8bc5d
Refactored DefaultLdapAuthoritiesPopulator to remove contextSource field and setter method.
2008-08-26 12:38:02 +00:00
Luke Taylor
1cfd886517
SEC-922: Spring Security should respect Spring XML boolean operators for AJ pointcut
...
http://jira.springframework.org/browse/SEC-922 . Added method to substitute boolean operators "and, not, or" with aspectj versions "&&, !, ||".
2008-08-18 23:31:14 +00:00
Luke Taylor
bb457e1d07
SEC-957: logger.debug without guard causing massive performance hit
...
http://jira.springframework.org/browse/SEC-957 . Added debug logging guard as requested.
2008-08-18 18:20:48 +00:00
Luke Taylor
09cf90258f
SEC-758: Both AspectJSecurityInterceptor and AspectJAnnotationSecurityInterceptor not usable with @AspectJ notation
...
http://jira.springframework.org/browse/SEC-758 . Added "throws Throwable" to AspectJAnnotationCallback signature.
2008-08-18 14:47:28 +00:00
Luke Taylor
e15d7a78cd
SEC-956: Remove MapBasedMethodDefinitionSource.lookupAttributes
...
http://jira.springframework.org/browse/SEC-956 . Done.
2008-08-18 13:13:18 +00:00
Luke Taylor
3bf5e406b7
SEC-936: NPE in AbstractFallbackMethodDefinitionSource
...
http://jira.springframework.org/browse/SEC-936 . Changed to check if the value of MethodInvocation.getThis() is null to prevent NPE. MapBasedMethodDefinitionSource now ignores calls to findAttributes() with a null target class (all its entries require a class) and the fallback option in AbstractFallbackMethodDefinitionSource is used if the targetClass is null (i.e. Method.getDeclaringClass() will be used as the Class)
2008-08-16 02:31:36 +00:00
Luke Taylor
55d357f42d
OPEN - issue SEC-905: <protect-pointcut /> pointcuts do not respect method arguments
...
http://jira.springframework.org/browse/SEC-905 . Added extra registration method to MapBasedMethodDefinitionSource which takes a Method instance rather than the method name.
2008-08-12 17:11:38 +00:00