Acegi Security changes
JdbcDaoImpl modified to support synthetic primary keys
Greatly improve BasicAclEntryAfterInvocationCollectionFilteringProvider performance with large collections (if the principal has access to relatively few collection elements)
Reorder DaoAuthenticationProvider exception logic as per developer list discussion
ContextHolder refactored and replaced by SecurityContextHolder
Made AclEntry Serializable (correct issue with BasicAclEntryCache)
Changed order of credentials verification and expiry checking in DaoAuthenticationProvider. Password must now be successfully verified before expired credentials are reported.
AnonymousProcessingFilter offers protected method to control when it should execute
AbstractAuthenticationToken.getName() now returns username alone if UserDetails present
AuthorityGranter.grant now returns a java.util.Set of role names, instead of a single role name
JavaDoc improvements
Correct synchronization issue with FilterToBeanProxy initialization
Refactor Authentication.isAuthenticated() handling to be more performant
Silently catch NotSerializableException in AbstractProcessingFilter if rootCause is not Serializable
Remove getters and setters from JdbcDaoImpl so IoC container cannot modify MappingSqlQuerys
Refactor DAO authentication failure events under a consistent abstract superclass
JBoss container adapter to use getName() instead of toString() (see http://opensource.atlassian.com/projects/spring/browse/SEC-22)
HttpSessionContextIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
Form, CAS, X509 and Remember-Me authentication mechanisms now publish an InteractiveAuthenticationSuccessEvent (see http://opensource.atlassian.com/projects/spring/browse/SEC-5)
FilterSecurityInterceptor now has an observeOncePerRequest boolean property, allowing multiple fragments of the HTTP request to be individually authorized (see http://opensource.atlassian.com/projects/spring/browse/SEC-14)
AnonymousProcessingFilter cleans up the Authentication object, avoiding HttpSession creation overhead
AbstractIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in clientContext.xml
TokenBasedRememberMeServices changed to use long instead of int for tokenValiditySeconds (SPR-807)
Handle null Authentication.getAuthorities() in AuthorizeTag
PasswordDaoAuthenticationProvider no longer stores String against Authentication.setDetails()
Update commons-codec dependency to 1.3
AbstractProcessingFilter no longer has setters for failures, it uses the exceptionMappings property
Update to match Spring 1.2-RC2 official JAR dependencies
AuthenticationProcessingFilter now provides an obtainUsername method
Correct PathBasedFilterInvocationDefinitionMap compatibility with Spring 1.2-RC2
Refactoring to leverage Spring's Assert class and mocks where possible
X509 (certificate-based) authentication support
UserDetails now advises locked accounts, with corresponding DaoAuthenticationProvider events and enforcement
ContextHolderAwareRequestWrapper methods return null if user is anonymous
AbstractBasicAclEntry improved compatibility with Hibernate
User now provides a more useful toString() method
Update to match Spring 1.1.5 official JAR dependencies (NB: now using Servlet 2.4 and related JSP/taglib JARs)
SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint
FilterChainProxy now supports replacement of ServletRequest and ServletResponse by Filter beans
Corrected Authz parsing of whitespace in GrantedAuthoritys
TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users
HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection
StringSplitUtils.split() ignored delimiter argument
DigestProcessingFilter now provides userCache getter and setter
Contacts Sample made to work with UserDetails-based Principal
Documentation improvements
Test coverage improvements
Added Digest Authentication support (RFC 2617 and RFC 2069)
Added pluggable remember-me services
Added pluggable mechanism to prevent concurrent login sessions
FilterChainProxy added to significantly simplify web.xml configuration of Acegi Security
AuthenticationProcessingFilter now provides hook for extra credentials (eg postcodes)
New WebAuthenticationDetails class now used by processing filters for Authentication.setDetails()
Additional debug-level logging
Improved Tapestry support in AbstractProcessingFilter
Made ConfigAttributeDefinition and ConfigAttribute Serializable
User now accepts blank passwords (null passwords still rejected)
FilterToBeanProxy now searches hierarchical bean factories
User now accepted blank passwords (null passwords still rejected)
ContextHolderAwareRequestWrapper now provides a getUserPrincipal() method
HttpSessionIntegrationFilter no longer creates a HttpSession unnecessarily
FilterSecurityInterceptor now only executes once per request (improves performance with SiteMesh)
JaasAuthenticationProvider now uses System.property "java.security.auth.login.config"
JaasAuthenticationCallbackHandler: Authentication is passed to the handle method; setAuthentication removed
Added AuthenticationException to the AuthenticationEntryPoint.commence method signature
Added AccessDeniedException to the SecurityEnforcementFilter.sendAccessDeniedError method signature
FilterToBeanProxy now addresses lifecycle mismatch (IoC container vs servlet container) issue
Significantly refactor "well-known location model" to authentication processing mechanism and HttpSessionContextIntegrationFilter model
Correct issue with JdbcDaoImpl default SQL query not using consistent case sensitivity
Improve Linux and non-Sun JDK (specifically IBM JDK) compatibility
Log4j now included in generated WAR artifacts (fixes issue with Log4j listener)
Correct NullPointerException in FilterInvocationDefinitionSource implementations
Major CVS repository restructure to support Maven and eliminate libraries
Major improvements to Contacts sample application (now demos ACL security)
Added AfterInvocationManager to mutate objects returned from invocations
Added BasicAclEntryAfterInvocationProvider to evaluate the returned Object against ACLs
Added BasicAclEntryAfterInvocationCollectionFilteringProvider
Added security propagation during RMI invocations (from sandbox)
Added security propagation for Spring's HTTP invoker
Added BasicAclEntryVoter, which votes based on AclManager permissions
Added AspectJ support (especially useful for instance-level security)
Added MethodDefinitionSourceAdvisor for performance and autoproxying
Added MethodDefinitionMap querying of interfaces defined by secure objects
Added AuthenticationProcessingFilter.setDetails for use by subclasses
Added 403-causing exception to HttpSession via SecurityEnforcementFilter
Added net.sf.acegisecurity.intercept.event package
Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD
Added additional remoting protocol demonstrations to Contacts sample
Added AbstractProcessingFilter property to always use defaultTargetUrl
Added ContextHolderAwareRequestWrapper to integrate with getRemoteUser()
Added attempted username to view if processed by AuthenticationProcessingFilter
Added UserDetails account and credentials expiration methods
Added exceptions and events to support new UserDetails methods
Added new exceptions to JBoss container adapter
Improved BasicAclProvider to only respond to specified ACL object requests
Refactored MethodDefinitionSource to work with Method, not MethodInvocation
Refactored AbstractFilterInvocationDefinitionSource to work with URL Strings alone
Refactored AbstractSecurityInterceptor to better support other AOP libraries
Improved performance of JBoss container adapter (see reference docs)
Made DaoAuthenticationProvider detect null in Authentication.principal
Improved JaasAuthenticationProvider startup error detection
Refactored EH-CACHE implementations to use Spring IoC defined caches instead
AbstractProcessingFilter now has various hook methods to assist subclasses
DaoAuthenticationProvider better detects AuthenticationDao interface violations
The User class has a new constructor (the old constructor is deprecated)
Fixed ambiguous column references in JdbcDaoImpl default query
Fixed AbstractProcessingFilter to use removeAttribute (JRun compatibility)
Fixed GrantedAuthorityEffectiveAclsResolver support of UserDetails principals
Fixed HttpSessionIntegrationFilter "cannot commit to container" during logoff
Moved MethodSecurityInterceptor to ...intercept.method.aopalliance package
Documentation improvements
Test coverage improvements
Resolved to use http://apr.apache.org/versioning.html for future versioning
Added additional DaoAuthenticationProvider event when user not found
Added Authentication.getDetails() to DaoAuthenticationProvider response
Added DaoAuthenticationProvider.hideUserNotFoundExceptions (default=true)
Added PasswordAuthenticationProvider for password-validating DAOs (eg LDAP)
Added FilterToBeanProxy compatibility with ContextLoaderServlet (lazy inits)
Added convenience methods to ConfigAttributeDefinition
Improved sample applications' bean reference notation
Clarified contract for ObjectDefinitionSource.getAttributes(Object)
Extracted removeUserFromCache(String) to UserCache interface
Improved ConfigAttributeEditor so it trims preceding and trailing spaces
Refactored UsernamePasswordAuthenticationToken.getDetails() to Object
Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource change
Fixed EH-CACHE-based caching implementation behaviour when cache exists
Fixed Ant "release" target not including project.properties
Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided to method
Documentation improvements
Added domain object instance access control list (ACL) packages
Added feature so DaoAuthenticationProvider returns User in Authentication
Added AbstractIntegrationFilter.secureContext property for custom contexts
Added stack trace logging to SecurityEnforcementFilter
Added exception-specific target URLs to AbstractProcessingFilter
Added JdbcDaoImpl hook so subclasses can insert custom granted authorities
Added AuthenticationProvider that wraps JAAS login modules
Added support for EL expressions in the authz tag library
Added failed Authentication object to AuthenticationExceptions
Added signed JARs to all official release builds (see readme.txt)
Added remote client authentication validation package
Added protected sendAccessDeniedError method to SecurityEnforcementFilter
Updated Authentication to be serializable (Weblogic support)
Updated JAR to Spring 1.1 RC 1
Updated to Clover 1.3
Updated to HSQLDB version 1.7.2 Release Candidate 6D
Refactored User to net.sf.acegisecurity.UserDetails interface
Refactored CAS package to store UserDetails in CasAuthenticationToken
Improved organisation of DaoAuthenticationProvider to facilitate subclassing
Improved test coverage (now 98.3%)
Improved JDBC-based tests to use in-memory database rather than filesystem
Fixed Linux compatibility issues (directory case sensitivity etc)
Fixed AbstractProcessingFilter to handle servlet spec container differences
Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue
Fixed CasAuthenticationToken if proxy granting ticket callback not requested
Fixed EH-CACHE handling on web context refresh
Documentation improvements
Added samples/quick-start
Added NullRunAsManager and made default for AbstractSecurityInterceptor
Added event notification (see net.sf.acegisecurity.providers.dao.event)
Updated JAR to Spring 1.0.2
Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release
Updated GrantedAuthorityImpl to be serializable (JBoss support)
Updated Authentication interface to present extra details for a request
Updated Authentication interface to subclass java.security.Principal
Refactored DaoAuthenticationProvider caching (refer to reference docs)
Improved HttpSessionIntegrationFilter to manage additional attributes
Improved URL encoding during redirects
Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)
Fixed issue with NullPointerExceptions in taglib
Removed DaoAuthenticationToken and session-based caching
Documentation improvements
Upgrade Note: DaoAuthenticationProvider no longer has a "key" property
Added single sign on support via Yale Central Authentication Service (CAS)
Added full support for HTTP Basic Authentication
Added caching for DaoAuthenticationProvider successful authentications
Added Burlap and Hessian remoting to Contacts sample application
Added pluggable password encoders including plaintext, SHA and MD5
Added pluggable salt sources to enhance security of hashed passwords
Added FilterToBeanProxy to obtain filters from Spring application context
Added support for prepending strings to roles created by JdbcDaoImpl
Added support for user definition of SQL statements used by JdbcDaoImpl
Added definable prefixes to avoid expectation of "ROLE_" GrantedAuthoritys
Added pluggable AuthenticationEntryPoints to SecurityEnforcementFilter
Added Apache Ant path syntax support to SecurityEnforcementFilter
Added filter to automate web channel requirements (eg HTTPS redirection)
Updated JAR to Spring 1.0.1
Updated several classes to use absolute (not relative) redirection URLs
Refactored filters to use Spring application context lifecycle support
Improved constructor detection of nulls in User and other key objects
Fixed FilterInvocation.getRequestUrl() to also include getPathInfo()
Fixed Contacts sample application tags
Established acegisecurity-developer mailing list
Documentation improvements
Added HTTP session authentication as an alternative to container adapters
Added HTTP request security interceptor (offers considerable flexibility)
Added security taglib
Added Clover test coverage instrumentation (currently 97.2%)
Added support for Catalina (Tomcat) 4.1.30 to in-container integration tests
Added HTML test and summary reporting to in-container integration tests
Updated JARs to Spring Framework release 1.0, with associated AOP changes
Updated to Apache License version 2.0
Updated copyright with permission of past contributors
Refactored unit tests to use mock objects and focus on a single class each
Refactored many classes to enable insertion of mock objects during testing
Refactored core classes to ease support of new secure object types
Changed package layout to better describe the role of contained items
Changed the extractor to extract additional classes from JBoss and Catalina
Changed Jetty container adapter configuration (see reference documentation)
Improved AutoIntegrationFilter handling of deployments without JBoss JARs
Fixed case handling support in data access object authentication provider
Documentation improvements
Added "in container" unit test system for container adapters and sample app
Added library extractor tool to reduce the "with deps" ZIP release sizes
Added unit test to the attributes sample
Added Jalopy source formatting
Modified all files to use net.sf.acegisecurity namespace
Renamed springsecurity.xml to acegisecurity.xml for consistency
Reduced length of ZIP and JAR filenames
Clarified licenses and sources for all included libraries
Updated documentation to reflect new file and package names
Set up SourceForge.net project and added to CVS etc
Added Commons Attributes support and sample (thanks to Cameron Braid)
Added JBoss container adapter
Added Resin container adapter
Added JDBC DAO authentication provider
Added several filter implementations for container adapter integration
Added SecurityInterceptor startup time validation of ConfigAttributes
Added more unit tests
Refactored ConfigAttribute to interface and added concrete implementation
Enhanced diagnostics information provided by sample application debug.jsp
Modified sample application for wider container portability (Resin, JBoss)
Fixed switch block in voting decision manager implementations
Removed Spring MVC interceptor for container adapter integration
Documentation improvements
Initial public release