Changes in version 0.7 (2004-xx-xx)
-----------------------------------

* Major CVS repository restructure to support Maven and eliminate libraries
* Major improvements to Contacts sample application (now demos ACL security)
* Added AfterInvocationManager to mutate objects returned from invocations
* Added BasicAclEntryAfterInvocationProvider to ACL evaluate returned Object
* Added BasicAclEntryAfterInvocationCollectionFilteringProvider
* Added security propagation during RMI invocations (from sandbox)
* Added security propagation for Spring's HTTP invoker
* Added BasicAclEntryVoter, which votes based on AclManager permissions
* Added AspectJ support (especially useful for instance-level security)
* Added MethodDefinitionSourceAdvisor for performance and autoproxying
* Added MethodDefinitionMap querying of interfaces defined by secure objects
* Added AuthenticationProcessingFilter.setDetails for use by subclasses
* Added 403-causing exception to HttpSession via SecurityEnforcementFilter
* Added net.sf.acegisecurity.intercept.event package
* Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD
* Added additional remoting protocol demonstrations to Contacts sample
* Improved BasicAclProvider to only respond to specified ACL object requests
* Refactored MethodDefinitionSource to work with Method, not MethodInvocation
* Refactored AbstractSecurityInterceptor to better support other AOP libraries
* Fixed AbstractProcessingFilter to use removeAttribute (JRun compatibility)
* Fixed GrantedAuthorityEffectiveAclResolver support of UserDetails principals
* Moved MethodSecurityInterceptor to ...intercept.method.aopalliance package
* Documentation improvements

Changes in version 0.6.1 (2004-09-25)
-------------------------------------

* Resolved to use http://apr.apache.org/versioning.html for future versioning
* Added additional DaoAuthenticationProvider event when user not found
* Added Authentication.getDetails() to DaoAuthenticationProvider response
* Added DaoAuthenticationProvider.hideUserNotFoundExceptions (default=true)
* Added PasswordAuthenticationProvider for password-validating DAOs (eg LDAP)
* Added FilterToBeanProxy compatibility with ContextLoaderServlet (lazy inits)
* Added convenience methods to ConfigAttributeDefinition
* Improved sample applications' bean reference notation
* Clarified contract for ObjectDefinitionSource.getAttributes(Object)
* Extracted removeUserFromCache(String) to UserCache interface
* Improved ConfigAttributeEditor so it trims preceding and trailing spaces
* Refactored UsernamePasswordAuthenticationToken.getDetails() to Object
* Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource change
* Fixed EH-CACHE-based caching implementation behaviour when cache exists
* Fixed Ant "release" target not including project.properties
* Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided to method
* Documentation improvements

Changes in version 0.6 (2004-08-09)
-----------------------------------

* Added domain object instance access control list (ACL) packages
* Added feature so DaoAuthenticationProvider returns User in Authentication
* Added AbstractIntegrationFilter.secureContext property for custom contexts
* Added stack trace logging to SecurityEnforcementFilter
* Added exception-specific target URLs to AbstractProcessingFilter
* Added JdbcDaoImpl hook so subclasses can insert custom granted authorities
* Added AuthenticationProvider that wraps JAAS login modules
* Added support for EL expressions in the authz tag library
* Added failed Authentication object to AuthenticationExceptions
* Added signed JARs to all official release builds (see readme.txt)
* Added remote client authentication validation package
* Added protected sendAccessDeniedError method to SecurityEnforcementFilter
* Updated Authentication to be serializable (Weblogic support)
* Updated JAR to Spring 1.1 RC 1
* Updated to Clover 1.3
* Updated to HSQLDB version 1.7.2 Release Candidate 6D
* Refactored User to net.sf.acegisecurity.UserDetails interface
* Refactored CAS package to store UserDetails in CasAuthenticationToken
* Improved organisation of DaoAuthenticationProvider to facilitate subclassing
* Improved test coverage (now 98.3%)
* Improved JDBC-based tests to use in-memory database rather than filesystem
* Fixed Linux compatibility issues (directory case sensitivity etc)
* Fixed AbstractProcessingFilter to handle servlet spec container differences
* Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue
* Fixed CasAuthenticationToken if proxy granting ticket callback not requested
* Fixed EH-CACHE handling on web context refresh
* Documentation improvements

Changes in version 0.51 (2004-06-06)
------------------------------------

* Added samples/quick-start
* Added NullRunAsManager and made default for AbstractSecurityInterceptor
* Added event notification (see net.sf.acegisecurity.providers.dao.event)
* Updated JAR to Spring 1.0.2
* Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release
* Updated GrantedAuthorityImpl to be serializable (JBoss support)
* Updated Authentication interface to present extra details for a request
* Updated Authentication interface to subclass java.security.Principal
* Refactored DaoAuthenticationProvider caching (refer to reference docs)
* Improved HttpSessionIntegrationFilter to manage additional attributes
* Improved URL encoding during redirects
* Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)
* Fixed issue with NullPointerExceptions in taglib
* Removed DaoAuthenticationToken and session-based caching
* Documentation improvements
* Upgrade Note: DaoAuthenticationProvider no longer has a "key" property

Changes in version 0.5 (2004-04-29)
-----------------------------------

* Added single sign on support via Yale Central Authentication Service (CAS)
* Added full support for HTTP Basic Authentication
* Added caching for DaoAuthenticationProvider successful authentications
* Added Burlap and Hessian remoting to Contacts sample application
* Added pluggable password encoders including plaintext, SHA and MD5
* Added pluggable salt sources to enhance security of hashed passwords
* Added FilterToBeanProxy to obtain filters from Spring application context
* Added support for prepending strings to roles created by JdbcDaoImpl
* Added support for user definition of SQL statements used by JdbcDaoImpl
* Added definable prefixes to avoid expectation of "ROLE_" GrantedAuthoritys
* Added pluggable AuthenticationEntryPoints to SecurityEnforcementFilter
* Added Apache Ant path syntax support to SecurityEnforcementFilter
* Added filter to automate web channel requirements (eg HTTPS redirection)
* Updated JAR to Spring 1.0.1
* Updated several classes to use absolute (not relative) redirection URLs
* Refactored filters to use Spring application context lifecycle support
* Improved constructor detection of nulls in User and other key objects
* Fixed FilterInvocation.getRequestUrl() to also include getPathInfo()
* Fixed Contacts sample application tags
* Established acegisecurity-developer mailing list
* Documentation improvements

Changes in version 0.4 (2004-04-03)
-----------------------------------

* Added HTTP session authentication as an alternative to container adapters
* Added HTTP request security interceptor (offers considerable flexibility)
* Added security taglib
* Added Clover test coverage instrumentation (currently 97.2%)
* Added support for Catalina (Tomcat) 4.1.30 to in-container integration tests
* Added HTML test and summary reporting to in-container integration tests
* Updated JARs to Spring Framework release 1.0, with associated AOP changes
* Updated to Apache License version 2.0
* Updated copyright with permission of past contributors
* Refactored unit tests to use mock objects and focus on a single class each
* Refactored many classes to enable insertion of mock objects during testing
* Refactored core classes to ease support of new secure object types
* Changed package layout to better describe the role of contained items
* Changed the extractor to extract additional classes from JBoss and Catalina
* Changed Jetty container adapter configuration (see reference documentation)
* Improved AutoIntegrationFilter handling of deployments without JBoss JARs
* Fixed case handling support in data access object authentication provider
* Documentation improvements

Changes in version 0.3 (2004-03-16)
-----------------------------------

* Added "in container" unit test system for container adapters and sample app
* Added library extractor tool to reduce the "with deps" ZIP release sizes
* Added unit test to the attributes sample
* Added Jalopy source formatting
* Modified all files to use net.sf.acegisecurity namespace
* Renamed springsecurity.xml to acegisecurity.xml for consistency
* Reduced length of ZIP and JAR filenames
* Clarified licenses and sources for all included libraries
* Updated documentation to reflect new file and package names
* Set up Sourceforge.net project and added to CVS etc

Changes in version 0.2 (2004-03-10)
-----------------------------------

* Added Commons Attributes support and sample (thanks to Cameron Braid)
* Added JBoss container adapter
* Added Resin container adapter
* Added JDBC DAO authentication provider
* Added several filter implementations for container adapter integration
* Added SecurityInterceptor startup time validation of ConfigAttributes
* Added more unit tests
* Refactored ConfigAttribute to interface and added concrete implementation
* Enhanced diagnostics information provided by sample application debug.jsp
* Modified sample application for wider container portability (Resin, JBoss)
* Fixed switch block in voting decision manager implementations
* Removed Spring MVC interceptor for container adapter integration
* Documentation improvements

Changes in version 0.1 (2004-03-03)
-----------------------------------

* Initial public release

$Id$