spring-security/doc/xdocs/upgrade/upgrade-080-090.html

<html>
<head>
<title>Acegi Security - Upgrading from version 0.8.0 to 0.9.0</title>
</head>
<body>
<h1>Upgrading from 0.8.0 to 0.9.0</h1>

<p>
The following should help most casual users of the project update their
applications:

    <ul>

    <li>The most significant change in 0.9.0 is that <code>ContextHolder</code> and all of its
    related classes have been removed. This significant change was made for the sake of consistency
    with the core Spring project's approach of a single <code>ThreadLocal</code> per use case, 
    instead of a shared <code>ThreadLocal</code> for multiple use cases as the previous 
    <code>ContextHolder</code> allowed. <b>This is an important change in 0.9.0.</b> Many applications
    will need to modify their code (and possibly web views) if they directly interact with the old 
    <code>ContextHolder</code>. The replacement security <code>ThreadLocal</code> is called
    <a href="../multiproject/acegi-security/xref/net/sf/acegisecurity/context/SecurityContextHolder.html">
    SecurityContextHolder</a> and provides a single getter/setter for a
    <a href="../multiproject/acegi-security/xref/net/sf/acegisecurity/context/SecurityContextHolder.html">SecurityContext</a>.
    <code>SecurityContextHolder</code> guarantees to never return a <cod>null</code> <code>SecurityContext</code>.
    <code>SecurityContext</code> provides single getter/setter for <code>Authentication</code>.<BR><BR>
    
    To migrate, simply modify all your code that previously worked with <code>ContextHolder</code>,
    <code>SecureContext</code> and <code>Context</code> to directly call <code>SecurityContextHolder</code>
    and work with the <code>SecurityContext</code> (instead of the now removed <code>Context</code>
    and <code>SecureContext</code> interfaces).<br><br>
    
    For example, change:<br>
    <code>
	SecureContext ctx = SecureContextUtils.getSecureContext();<br> 
	</code>
	to:<br>
    <code>
	SecurityContext ctx = SecurityContextHolder.getContext();<br> 
	</code>
	<br>
    and change:<br>
    <code>
	&lt;bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter"><br> 
        &lt;property name="context">&lt;value>net.sf.acegisecurity.context.security.SecureContextImpl&lt;/value>&lt;/property><br> 
	&lt;/bean><br>
	</code>
	to:<br>
    <code>
	&lt;bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter"><br>
        &lt;property name="context">&lt;value>net.sf.acegisecurity.context.SecurityContextImpl&lt;/value>&lt;/property><br>
	&lt;/bean><br>
	</code>
	<br>
    
    We apologise for the inconvenience, but on a more positive note this means you receive strict
    type checking, you no longer need to mess around with casting to and from <code>Context</code>
    implementations, your applications no longer need to perform checking of <code>null</code> and
    unexpected <code>Context</code> implementation types, and the new <code>SecurityContextHolder</code>
    is an <code>InheritableThreadLocal</code> - which should make life easier in rich client 
    environments.<br><br></li>

    <li><code>AbstractProcessingFilter</code> has changed its getter/setter approach used for customised
    authentication exception directions. See the <a href="../multiproject/acegi-security/xref/net/sf/acegisecurity/ui/AbstractProcessingFilter.html">
    <code>AbstractProcessingFilter</code> JavaDocs</a> to learn more.<br><br></li>
    
    <li><code>AnonymousProcessingFilter</code> now has a <code>removeAfterRequest</code> property, which defaults to <code>true</code>. This
    will cause the anonymous authentication token to be set to null at the end of each request, thus
    avoiding the expense of creating a <code>HttpSession</code> in <code>HttpSessionContextIntegrationFilter</code>. You may
    set this property to false if you would like the anoymous authentication token to be preserved,
    which would be an unusual requirement.<br><br></li>
    
	<li>Event publishing has been refactored. New event classes have been added, and the location of
	<code>LoggerListener</code> has changed. See the <code>net.sf.acegisecurity.event package</code>.<BR>
	<br>
    For example, change:<br>
    <code>
	&lt;bean id="loggerListener" class="net.sf.acegisecurity.providers.dao.event.LoggerListener"/><br>
	</code>
	to:<br>
    <code>
	&lt;bean id="loggerListener" class="net.sf.acegisecurity.event.authentication.LoggerListener"/> 
	</code><br><br>	
	</li>
		
	<li>Users of the <code>&lt;authz:authentication></code> JSP tag will generally need to set the <code>operation</code>
	property equal to "username", as reflection is now used to retrieve the property displayed.<br><br></li>
		
	<li>
	Users of net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter should note that it has been
	renamed to net.sf.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.<br><br>
	</li>
		
	<li>
	The concurrent session support handling has changed. Please refer to the Reference Guide to
	review the new configuration requirements.<br><br>
	</li>
				
		
    </ul>

</body>
</html>
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00			`<html>`
			`<head>`
Fix so refers to correct release. 2005-11-11 00:37:04 -05:00			`<title>Acegi Security - Upgrading from version 0.8.0 to 0.9.0</title>`
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00			`</head>`
			`<body>`
Fix so refers to correct release. 2005-11-11 00:37:04 -05:00			`<h1>Upgrading from 0.8.0 to 0.9.0</h1>`
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00
			`<p>`
			`The following should help most casual users of the project update their`
			`applications:`

			`<ul>`

			`<li>The most significant change in 0.9.0 is that <code>ContextHolder</code> and all of its`
			`related classes have been removed. This significant change was made for the sake of consistency`
			`with the core Spring project's approach of a single <code>ThreadLocal</code> per use case,`
			`instead of a shared <code>ThreadLocal</code> for multiple use cases as the previous`
			`<code>ContextHolder</code> allowed. <b>This is an important change in 0.9.0.</b> Many applications`
			`will need to modify their code (and possibly web views) if they directly interact with the old`
			`<code>ContextHolder</code>. The replacement security <code>ThreadLocal</code> is called`
Refactor SecurityContextHolder to return a SecurityContext instead of Authentication. 2005-05-08 19:42:14 -04:00			`<a href="../multiproject/acegi-security/xref/net/sf/acegisecurity/context/SecurityContextHolder.html">`
			`SecurityContextHolder</a> and provides a single getter/setter for a`
			`<a href="../multiproject/acegi-security/xref/net/sf/acegisecurity/context/SecurityContextHolder.html">SecurityContext</a>.`
			`<code>SecurityContextHolder</code> guarantees to never return a <cod>null</code> <code>SecurityContext</code>.`
			`<code>SecurityContext</code> provides single getter/setter for <code>Authentication</code>.<BR><BR>`
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00
			`To migrate, simply modify all your code that previously worked with <code>ContextHolder</code>,`
Refactor SecurityContextHolder to return a SecurityContext instead of Authentication. 2005-05-08 19:42:14 -04:00			`<code>SecureContext</code> and <code>Context</code> to directly call <code>SecurityContextHolder</code>`
			`and work with the <code>SecurityContext</code> (instead of the now removed <code>Context</code>`
			`and <code>SecureContext</code> interfaces).<br><br>`
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`For example, change:<br>`
			`<code>`
			`SecureContext ctx = SecureContextUtils.getSecureContext();<br>`
			`</code>`
			`to:<br>`
			`<code>`
			`SecurityContext ctx = SecurityContextHolder.getContext();<br>`
			`</code>`
			`<br>`
			`and change:<br>`
			`<code>`
SEC-95: General fixes reported by Mathias Bogaert. 2005-11-11 16:36:30 -05:00			`<bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter"><br>`
			`<property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property><br>`
			`</bean><br>`
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`</code>`
			`to:<br>`
			`<code>`
SEC-95: General fixes reported by Mathias Bogaert. 2005-11-11 16:36:30 -05:00			`<bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter"><br>`
			`<property name="context"><value>net.sf.acegisecurity.context.SecurityContextImpl</value></property><br>`
			`</bean><br>`
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`</code>`
			`<br>`

Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00			`We apologise for the inconvenience, but on a more positive note this means you receive strict`
			`type checking, you no longer need to mess around with casting to and from <code>Context</code>`
			`implementations, your applications no longer need to perform checking of <code>null</code> and`
Refactor SecurityContextHolder to return a SecurityContext instead of Authentication. 2005-05-08 19:42:14 -04:00			`unexpected <code>Context</code> implementation types, and the new <code>SecurityContextHolder</code>`
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00			`is an <code>InheritableThreadLocal</code> - which should make life easier in rich client`
			`environments.<br><br></li>`

Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`<li><code>AbstractProcessingFilter</code> has changed its getter/setter approach used for customised`
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00			`authentication exception directions. See the <a href="../multiproject/acegi-security/xref/net/sf/acegisecurity/ui/AbstractProcessingFilter.html">`
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`<code>AbstractProcessingFilter</code> JavaDocs</a> to learn more.<br><br></li>`
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`<li><code>AnonymousProcessingFilter</code> now has a <code>removeAfterRequest</code> property, which defaults to <code>true</code>. This`
Avoid expense of HttpSession when working with anonymous users. 2005-07-23 05:52:42 -04:00			`will cause the anonymous authentication token to be set to null at the end of each request, thus`
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`avoiding the expense of creating a <code>HttpSession</code> in <code>HttpSessionContextIntegrationFilter</code>. You may`
Avoid expense of HttpSession when working with anonymous users. 2005-07-23 05:52:42 -04:00			`set this property to false if you would like the anoymous authentication token to be preserved,`
			`which would be an unusual requirement.<br><br></li>`

SEC-70: Refactor event publishing. 2005-11-03 01:55:47 -05:00			`<li>Event publishing has been refactored. New event classes have been added, and the location of`
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`<code>LoggerListener</code> has changed. See the <code>net.sf.acegisecurity.event package</code>.<BR>`
			`<br>`
			`For example, change:<br>`
			`<code>`
SEC-95: General fixes reported by Mathias Bogaert. 2005-11-11 16:36:30 -05:00			`<bean id="loggerListener" class="net.sf.acegisecurity.providers.dao.event.LoggerListener"/><br>`
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`</code>`
			`to:<br>`
			`<code>`
SEC-95: General fixes reported by Mathias Bogaert. 2005-11-11 16:36:30 -05:00			`<bean id="loggerListener" class="net.sf.acegisecurity.event.authentication.LoggerListener"/>`
Added change examples and wrapped <code> around all java & XML references. Other developers please review the end result and let me know if I went too far :-) 2005-11-07 20:08:07 -05:00			`</code><br><br>`
			`</li>`
SEC-70: Refactor event publishing. 2005-11-03 01:55:47 -05:00
SEC-95: General fixes reported by Mathias Bogaert. 2005-11-11 16:36:30 -05:00			`<li>Users of the <code><authz:authentication></code> JSP tag will generally need to set the <code>operation</code>`
			`property equal to "username", as reflection is now used to retrieve the property displayed.<br><br></li>`

			`<li>`
			`Users of net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter should note that it has been`
			`renamed to net.sf.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.<br><br>`
			`</li>`

			`<li>`
			`The concurrent session support handling has changed. Please refer to the Reference Guide to`
			`review the new configuration requirements.<br><br>`
			`</li>`

Extra 0.9.0 upgrade details. 2005-11-04 20:28:44 -05:00
Remove ContextHolder and introduce SecurityContext. 2005-05-07 05:11:37 -04:00			`</ul>`

			`</body>`
			`</html>`