This change extends pull request https://github.com/SpringSource/spring-security/pull/26
and its subsequent changes by renaming the attribute name 'rememberme-parameter' to
'remember-me-parameter'.
The spelling including the additional hyphen in 'remember-me-parameter' is more consistent
with the default spelling of the 'remember-me' functionality.
This change extends the namespace configuration of <remember-me>
with a 'form-parameter' attribute. The introduced attribute sets
the 'parameter' property of AbstractRememberMeServices.
This enables overriding the default value of
'_spring_security_remember_me' using the namespace configuration.
Previously wiring dependencies created with a FactoryBean into
MethodSecurityExpressionHandler &
MethodSecurityExpressionHandler.expressionParser and would cause
NoSuchBeanDefinitionException's to occur. These changes make it easier
(but not impossible) to avoid such errors.
The following changes were made:
- ExpressionBasedAnnotationAttributeFactory delays the invocation of
MethodSecurityExpressionHandler.getExpressionParser()
- MethodSecurityExpressionHandler is automatically wrapped in a
LazyInitTargetSource and marked as lazyInit=true
Previously a ConcurrentModificationException could occur when
PointcutExpression.matchesMethodExecution was performed in multiple threads. Another
issue was that beans may get processed multiple times.
Now a lock is performed to ensure that only a single thread has access to
PointcutExpression.matchesMethodExecution and that each bean only gets processed once.
Previously, ConcurrentSessionFilter was placed after SecurityContextPersistenceFilter
which meant that the SecurityContextHolder was empty when ConcurrentSessionFilter was
invoked. This caused the Authentication to be null when performing a logout. It also
caused complications with LogoutHandler implementations that would be accessing the
SecurityContextHolder and potentially clear it out expecting that
SecurityContextPersistenceFilter would then clear the SecurityContextRepository.
The ConcurrentSessionFilter is now positioned after the
SecurityContextPersistenceFilter to ensure that the SecurityContextHolder is populated
and cleared out appropriately.
Previously the namespace configuration did not properly set the eraseCredentialsAfterAuthentication
property on the parent AuthenticationProvider when using http@authentication-manager-ref.
Now the ProviderManager that is created by the namespace consults the original
AuthenticationManager to determine if eraseCredentialsAfterAuthentication should
be set on the wrapped instance. If the original is not a ProviderManager the
eraseCredentialsAfterAuthentication is set to false since we should not "magically"
add behavior to the custom AuthenticationManager without knowing the desired behavior.
Due to Eclipse restrictions the classpath adding an project as a dependency picks up
the test dependencies of other projects. This caused problems when running the
config integration tests within Eclipse.
Now the tests specify a specific ldif to load. There is also one new test that ensures
that the ldif is defaulted properly, but does not rely on the ldif that is loaded.
The javadoc did not work with JDK 1.5 due to a JDK bug fixed in JDK 1.6.
This changed the javadoc that had a tag that started with <a and was not
closed to escape the < >. This resolves the issue with the JDK 1.5 javadoc
bug.
Previously the namespace configuration only populated ConcurrentSessionFilter
with SecurityContextLogoutHandler. This means that there was an inconsistency
with LogoutFilter.
Now the namespace will configure the same LogoutHandlers as it would for
LogoutFilter (i.e. RememberMeServices, SecurityContextLogoutHandler, and
CookieClearingLogoutHandler.
Previously the namespace configuration used deprecated API's
causing warnings to show up in Spring Tool suite when editing
Spring configuration files.
Now the namespace configuration uses the replacement API's for
those that have been deprecated. The tests have also been updated
to ensure the new constructors are used and that the updates did
not break anything.
Previously a warning would be logged to the parser when a URL was
configured with a SpEL expression. These changes prevent warnings from
being logged when using SpEL for URL configuration.
This issue occurred because the AutowiredAnnotationBeanPostProcessor had not been registered when the SecurityDebugBeanFactoryPostProcessor tried to obtain the FilterChainProxy. This caused
all of the FilterChainProxy's dependant beans to be resolved and if they used @Autowired they would not get processed properly.
Fixed The method parse(Element, ParserContext) of type HttpFirewallBeanDefinitionParser must override a superclass method HttpFirewallBeanDefinitionParser.java /spring-security-config/src/main/java/org/springframework/security/config/http line 23 Java Problem
Renamed org.springframework.security.web.authentication.jaas to org.springframework.security.web.jaasapi to be better aligned with org.springframework.security.web.servletapi, added package-info.java, and removed trailing whitespaces
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response.
Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
Adds a J2eePreAuthenticatedProcessingFilter to the stack, using a SimpleAttributes2GrantedAuthoritiesMapper to process the role attributes defined in the "mappable-roles" attribute. Provider uses a PreAuthenticatedGrantedAuthoritiesUserDetailsService by default.
This allows different configurations to be used based on the identity-provider (google, yahoo etc). The default implementation iterates through a map of regex patterns to attribute lists. The namespace has also been extended to support this facility, with the "identifier-match" attribute being added to the attribute-exchange element. Multiple attribute-exchange elements can now be defined, each matching a different identifier.
ExpressionHandlers are now ApplicationContextAware and set the app context on the SecurityExpressionRoot. A custom PropertyAccessor resolves the properties against the root by looking them up in the app context.
Changed to use AopUtils.getMostSpecificMethod() when obtaining the method on which the parameter resolution should be performed. Also added better error handling and log warning when parameter names cannot be resolved. The exception will then be a SpEL one, rather than a NPE.
It is still required as a compile-time dependency by classes which use Spring's JDBC support, but it doesn't really have to be used in many interfaces and classes which are not necessarily backed by JDBC implementations.
This greatly simplifies the code and opens up possibilities for other matching strategies (e.g. EL). This also means that matching is now completely strict - the order of the matchers is all that matters (not whether an HTTP method is included or not). The first matcher that returns true will be used.
MethodSecurityMetadataSourceAdvisor now takes the SecurityMetadataSource bean name as an extra constructor argument and re-obtains the bean from the BeanFactory in its readObject method. Beans that are advised using <global-method-security> should therefore now be serializable.
Converted test target to implement ApplicationListener<SessionCreatedEvent> so that it doesn't receive events from its own interceptor (which are in turn intercepted).
The user is then seen as being authenticated to further (re-entrant) requests which occur before the existing request has completed. The saving logic is contained with the SecurityContextRepository implementation.
Delays the conversion till after palceholders have been substituted, preventing the placeholder from being converted (or the value not being converted).
The use of registerBeanComponent() also registers the bean definition, which causes an error if overriding is disallowed and the bean has already been registered using registerBeanDefinition(). I've also set the allowBeanDefinitionOverriding to 'false' on InMemoryXmlApplicationContext to detect future mistakes of this kind in testing.
Oliver Becker
Rob Winch
Mike Noordermeer
Rob Winch
Luke Taylor
Rob Winch