Acegi Security changes

All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040

- HttpSessionContextIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
- AbstractIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
- Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in clientContext.xml
- TokenBasedRememberMeServices changed to use long instead of int for tokenValiditySeconds (SPR-807)
- Handle null Authentication.getAuthorities() in AuthorizeTag
- PasswordDaoAuthenticationProvider no longer stores String against Authentication.setDetails()
- Update commons-codec dependency to 1.3
- AbstractProcessingFilter no longer has setters for failures, it uses the exceptionMappings property
- Update to match Spring 1.2-RC2 official JAR dependencies
- AuthenticationProcessingFilter now provides an obtainUsername method
- Correct PathBasedFilterInvocationDefinitionMap compatibility with Spring 1.2-RC2
- Refactoring to leverage Spring's Assert class and mocks where possible
- X509 (certificate-based) authentication support
- UserDetails now advises locked accounts, with corresponding DaoAuthenticationProvider events and enforcement
- ContextHolderAwareRequestWrapper methods return null if user is anonymous
- AbstractBasicAclEntry improved compatibility with Hibernate
- User now provides a more useful toString() method
- Update to match Spring 1.1.5 official JAR dependencies (NB: now using Servlet 2.4 and related JSP/taglib JARs)
- SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint
- FilterChainProxy now supports replacement of ServletRequest and ServletResponse by Filter beans
- Corrected Authz parsing of whitespace in GrantedAuthoritys
- TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users
- HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection
- StringSplitUtils.split() ignored delimiter argument
- DigestProcessingFilter now provides userCache getter and setter
- Contacts Sample made to work with UserDetails-based Principal
- Documentation improvements
- Test coverage improvements
- Added Digest Authentication support (RFC 2617 and RFC 2069)
- Added pluggable remember-me services
- Added pluggable mechanism to prevent concurrent login sessions
- FilterChainProxy added to significantly simplify web.xml configuration of Acegi Security
- AuthenticationProcessingFilter now provides hook for extra credentials (eg postcodes)
- New WebAuthenticationDetails class now used by processing filters for Authentication.setDetails()
- Additional debug-level logging
- Improved Tapestry support in AbstractProcessingFilter
- Made ConfigAttributeDefinition and ConfigAttribute Serializable
- User now accepts blank passwords (null passwords still rejected)
- FilterToBeanProxy now searches hierarchical bean factories
- User now accepted blank passwords (null passwords still rejected)
- ContextHolderAwareRequestWrapper now provides a getUserPrincipal() method
- HttpSessionIntegrationFilter no longer creates a HttpSession unnecessarily
- FilterSecurityInterceptor now only executes once per request (improves performance with SiteMesh)
- JaasAuthenticationProvider now uses System.property "java.security.auth.login.config"
- JaasAuthenticationCallbackHandler Authentication is passed to handle method setAuthentication removed
- Added AuthenticationException to the AuthenticationEntryPoint.commence method signature
- Added AccessDeniedException to the SecurityEnforcementFilter.sendAccessDeniedError method signature
- FilterToBeanProxy now addresses lifecycle mismatch (IoC container vs servlet container) issue
- Significantly refactor "well-known location model" to authentication processing mechanism and HttpSessionContextIntegrationFilter model
- Correct issue with JdbcDaoImpl default SQL query not using consistent case sensitivity
- Improve Linux and non-Sun JDK (specifically IBM JDK) compatibility
- Log4j now included in generated WAR artifacts (fixes issue with Log4j listener)
- Correct NullPointerException in FilterInvocationDefinitionSource implementations
- Major CVS repository restructure to support Maven and eliminate libraries
- Major improvements to Contacts sample application (now demos ACL security)
- Added AfterInvocationManager to mutate objects returned from invocations
- Added BasicAclEntryAfterInvocationProvider to ACL evaluate returned Object
- Added BasicAclEntryAfterInvocationCollectionFilteringProvider
- Added security propagation during RMI invocations (from sandbox)
- Added security propagation for Spring's HTTP invoker
- Added BasicAclEntryVoter, which votes based on AclManager permissions
- Added AspectJ support (especially useful for instance-level security)
- Added MethodDefinitionSourceAdvisor for performance and autoproxying
- Added MethodDefinitionMap querying of interfaces defined by secure objects
- Added AuthenticationProcessingFilter.setDetails for use by subclasses
- Added 403-causing exception to HttpSession via SecurityEnforcementFilter
- Added net.sf.acegisecurity.intercept.event package
- Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD
- Added additional remoting protocol demonstrations to Contacts sample
- Added AbstractProcessingFilter property to always use defaultTargetUrl
- Added ContextHolderAwareRequestWrapper to integrate with getRemoteUser()
- Added attempted username to view if processed by AuthenticationProcessingFilter
- Added UserDetails account and credentials expiration methods
- Added exceptions and events to support new UserDetails methods
- Added new exceptions to JBoss container adapter
- Improved BasicAclProvider to only respond to specified ACL object requests
- Refactored MethodDefinitionSource to work with Method, not MethodInvocation
- Refactored AbstractFilterInvocationDefinitionSource to work with URL Strings alone
- Refactored AbstractSecurityInterceptor to better support other AOP libraries
- Improved performance of JBoss container adapter (see reference docs)
- Made DaoAuthenticationProvider detect null in Authentication.principal
- Improved JaasAuthenticationProvider startup error detection
- Refactored EH-CACHE implementations to use Spring IoC defined caches instead
- AbstractProcessingFilter now has various hook methods to assist subclasses
- DaoAuthenticationProvider better detects AuthenticationDao interface violations
- The User class has a new constructor (the old constructor is deprecated)
- Fixed ambiguous column references in JdbcDaoImpl default query
- Fixed AbstractProcessingFilter to use removeAttribute (JRun compatibility)
- Fixed GrantedAuthorityEffectiveAclResolver support of UserDetails principals
- Fixed HttpSessionIntegrationFilter "cannot commit to container" during logoff
- Moved MethodSecurityInterceptor to ...intercept.method.aopalliance package
- Documentation improvements
- Test coverage improvements
- Resolved to use http://apr.apache.org/versioning.html for future versioning
- Added additional DaoAuthenticationProvider event when user not found
- Added Authentication.getDetails() to DaoAuthenticationProvider response
- Added DaoAuthenticationProvider.hideUserNotFoundExceptions (default=true)
- Added PasswordAuthenticationProvider for password-validating DAOs (eg LDAP)
- Added FilterToBeanProxy compatibility with ContextLoaderServlet (lazy inits)
- Added convenience methods to ConfigAttributeDefinition
- Improved sample applications' bean reference notation
- Clarified contract for ObjectDefinitionSource.getAttributes(Object)
- Extracted removeUserFromCache(String) to UserCache interface
- Improved ConfigAttributeEditor so it trims preceding and trailing spaces
- Refactored UsernamePasswordAuthenticationToken.getDetails() to Object
- Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource change
- Fixed EH-CACHE-based caching implementation behaviour when cache exists
- Fixed Ant "release" target not including project.properties
- Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided to method
- Documentation improvements
- Added domain object instance access control list (ACL) packages
- Added feature so DaoAuthenticationProvider returns User in Authentication
- Added AbstractIntegrationFilter.secureContext property for custom contexts
- Added stack trace logging to SecurityEnforcementFilter
- Added exception-specific target URLs to AbstractProcessingFilter
- Added JdbcDaoImpl hook so subclasses can insert custom granted authorities
- Added AuthenticationProvider that wraps JAAS login modules
- Added support for EL expressions in the authz tag library
- Added failed Authentication object to AuthenticationExceptions
- Added signed JARs to all official release builds (see readme.txt)
- Added remote client authentication validation package
- Added protected sendAccessDeniedError method to SecurityEnforcementFilter
- Updated Authentication to be serializable (Weblogic support)
- Updated JAR to Spring 1.1 RC 1
- Updated to Clover 1.3
- Updated to HSQLDB version 1.7.2 Release Candidate 6D
- Refactored User to net.sf.acegisecurity.UserDetails interface
- Refactored CAS package to store UserDetails in CasAuthenticationToken
- Improved organisation of DaoAuthenticationProvider to facilitate subclassing
- Improved test coverage (now 98.3%)
- Improved JDBC-based tests to use in-memory database rather than filesystem
- Fixed Linux compatibility issues (directory case sensitivity etc)
- Fixed AbstractProcessingFilter to handle servlet spec container differences
- Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue
- Fixed CasAuthenticationToken if proxy granting ticket callback not requested
- Fixed EH-CACHE handling on web context refresh
- Documentation improvements
- Added samples/quick-start
- Added NullRunAsManager and made default for AbstractSecurityInterceptor
- Added event notification (see net.sf.acegisecurity.providers.dao.event)
- Updated JAR to Spring 1.0.2
- Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release
- Updated GrantedAuthorityImpl to be serializable (JBoss support)
- Updated Authentication interface to present extra details for a request
- Updated Authentication interface to subclass java.security.Principal
- Refactored DaoAuthenticationProvider caching (refer to reference docs)
- Improved HttpSessionIntegrationFilter to manage additional attributes
- Improved URL encoding during redirects
- Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)
- Fixed issue with NullPointerExceptions in taglib
- Removed DaoAuthenticationToken and session-based caching
- Documentation improvements
- Upgrade Note: DaoAuthenticationProvider no longer has a "key" property
- Added single sign on support via Yale Central Authentication Service (CAS)
- Added full support for HTTP Basic Authentication
- Added caching for DaoAuthenticationProvider successful authentications
- Added Burlap and Hessian remoting to Contacts sample application
- Added pluggable password encoders including plaintext, SHA and MD5
- Added pluggable salt sources to enhance security of hashed passwords
- Added FilterToBeanProxy to obtain filters from Spring application context
- Added support for prepending strings to roles created by JdbcDaoImpl
- Added support for user definition of SQL statements used by JdbcDaoImpl
- Added definable prefixes to avoid expectation of "ROLE_" GrantedAuthoritys
- Added pluggable AuthenticationEntryPoints to SecurityEnforcementFilter
- Added Apache Ant path syntax support to SecurityEnforcementFilter
- Added filter to automate web channel requirements (eg HTTPS redirection)
- Updated JAR to Spring 1.0.1
- Updated several classes to use absolute (not relative) redirection URLs
- Refactored filters to use Spring application context lifecycle support
- Improved constructor detection of nulls in User and other key objects
- Fixed FilterInvocation.getRequestUrl() to also include getPathInfo()
- Fixed Contacts sample application tags
- Established acegisecurity-developer mailing list
- Documentation improvements
- Added HTTP session authentication as an alternative to container adapters
- Added HTTP request security interceptor (offers considerable flexibility)
- Added security taglib
- Added Clover test coverage instrumentation (currently 97.2%)
- Added support for Catalina (Tomcat) 4.1.30 to in-container integration tests
- Added HTML test and summary reporting to in-container integration tests
- Updated JARs to Spring Framework release 1.0, with associated AOP changes
- Updated to Apache License version 2.0
- Updated copyright with permission of past contributors
- Refactored unit tests to use mock objects and focus on a single class each
- Refactored many classes to enable insertion of mock objects during testing
- Refactored core classes to ease support of new secure object types
- Changed package layout to better describe the role of contained items
- Changed the extractor to extract additional classes from JBoss and Catalina
- Changed Jetty container adapter configuration (see reference documentation)
- Improved AutoIntegrationFilter handling of deployments without JBoss JARs
- Fixed case handling support in data access object authentication provider
- Documentation improvements
- Added "in container" unit test system for container adapters and sample app
- Added library extractor tool to reduce the "with deps" ZIP release sizes
- Added unit test to the attributes sample
- Added Jalopy source formatting
- Modified all files to use net.sf.acegisecurity namespace
- Renamed springsecurity.xml to acegisecurity.xml for consistency
- Reduced length of ZIP and JAR filenames
- Clarified licenses and sources for all included libraries
- Updated documentation to reflect new file and package names
- Set up Sourceforge.net project and added to CVS etc
- Added Commons Attributes support and sample (thanks to Cameron Braid)
- Added JBoss container adapter
- Added Resin container adapter
- Added JDBC DAO authentication provider
- Added several filter implementations for container adapter integration
- Added SecurityInterceptor startup time validation of ConfigAttributes
- Added more unit tests
- Refactored ConfigAttribute to interface and added concrete implementation
- Enhanced diagnostics information provided by sample application debug.jsp
- Modified sample application for wider container portability (Resin, JBoss)
- Fixed switch block in voting decision manager implementations
- Removed Spring MVC interceptor for container adapter integration
- Documentation improvements
- Initial public release