Acegi Security changes
  
  
    
      All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
    
    
    
    
      HttpSessionContextIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
    
    
      AbstractIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
    
    
      Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in clientContext.xml
      TokenBasedRememberMeServices changed to use long instead of int for tokenValiditySeconds (SPR-807)
      Handle null Authentication.getAuthorities() in AuthorizeTag
      PasswordDaoAuthenticationProvider no longer stores String against Authentication.setDetails()
      Update commons-codec dependency to 1.3
      AbstractProcessingFilter no longer has setters for failures; it uses the exceptionMappings property
      Update to match Spring 1.2-RC2 official JAR dependencies
      AuthenticationProcessingFilter now provides an obtainUsername method
      Correct PathBasedFilterInvocationDefinitionMap compatibility with Spring 1.2-RC2
      Refactoring to leverage Spring's Assert class and mocks where possible
    
    
      X509 (certificate-based) authentication support
      UserDetails now advises locked accounts, with corresponding DaoAuthenticationProvider events and enforcement
      ContextHolderAwareRequestWrapper methods return null if user is anonymous
      AbstractBasicAclEntry improved compatibility with Hibernate
      User now provides a more useful toString() method
      Update to match Spring 1.1.5 official JAR dependencies (NB: now using Servlet 2.4 and related JSP/taglib JARs)
      SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint
      FilterChainProxy now supports replacement of ServletRequest and ServletResponse by Filter beans
      Corrected Authz parsing of whitespace in GrantedAuthoritys
      TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users
      HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection
      StringSplitUtils.split() ignored delimiter argument
      DigestProcessingFilter now provides userCache getter and setter
      Contacts Sample made to work with UserDetails-based Principal
      Documentation improvements
      Test coverage improvements
    
    
      Added Digest Authentication support (RFC 2617 and RFC 2069)
      Added pluggable remember-me services
      Added pluggable mechanism to prevent concurrent login sessions
      FilterChainProxy added to significantly simplify web.xml configuration of Acegi Security
      AuthenticationProcessingFilter now provides hook for extra credentials (eg postcodes)
      New WebAuthenticationDetails class now used by processing filters for Authentication.setDetails()
      Additional debug-level logging
      Improved Tapestry support in AbstractProcessingFilter
      Made ConfigAttributeDefinition and ConfigAttribute Serializable
      User now accepts blank passwords (null passwords still rejected)
      FilterToBeanProxy now searches hierarchical bean factories
      ContextHolderAwareRequestWrapper now provides a getUserPrincipal() method
      HttpSessionIntegrationFilter no longer creates a HttpSession unnecessarily
      FilterSecurityInterceptor now only executes once per request (improves performance with SiteMesh)
      JaasAuthenticationProvider now uses System.property "java.security.auth.login.config"
      JaasAuthenticationCallbackHandler: Authentication is now passed to the handle method; setAuthentication removed
      Added AuthenticationException to the AuthenticationEntryPoint.commence method signature
      Added AccessDeniedException to the SecurityEnforcementFilter.sendAccessDeniedError method signature
      FilterToBeanProxy now addresses lifecycle mismatch (IoC container vs servlet container) issue
      Significantly refactor "well-known location model" to authentication processing mechanism and HttpSessionContextIntegrationFilter model
      Correct issue with JdbcDaoImpl default SQL query not using consistent case sensitivity
      Improve Linux and non-Sun JDK (specifically IBM JDK) compatibility
      Log4j now included in generated WAR artifacts (fixes issue with Log4j listener)
      Correct NullPointerException in FilterInvocationDefinitionSource implementations
    
    
      Major CVS repository restructure to support Maven and eliminate libraries
      Major improvements to Contacts sample application (now demos ACL security)
      Added AfterInvocationManager to mutate objects returned from invocations
      Added BasicAclEntryAfterInvocationProvider to apply ACL evaluation to the returned Object
      Added BasicAclEntryAfterInvocationCollectionFilteringProvider
      Added security propagation during RMI invocations (from sandbox)
      Added security propagation for Spring's HTTP invoker
      Added BasicAclEntryVoter, which votes based on AclManager permissions
      Added AspectJ support (especially useful for instance-level security)
      Added MethodDefinitionSourceAdvisor for performance and autoproxying
      Added MethodDefinitionMap querying of interfaces defined by secure objects
      Added AuthenticationProcessingFilter.setDetails for use by subclasses
      Added 403-causing exception to HttpSession via SecurityEnforcementFilter
      Added net.sf.acegisecurity.intercept.event package
      Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD
      Added additional remoting protocol demonstrations to Contacts sample
      Added AbstractProcessingFilter property to always use defaultTargetUrl
      Added ContextHolderAwareRequestWrapper to integrate with getRemoteUser()
      Added attempted username to view if processed by AuthenticationProcessingFilter
      Added UserDetails account and credentials expiration methods
      Added exceptions and events to support new UserDetails methods
      Added new exceptions to JBoss container adapter
      Improved BasicAclProvider to only respond to specified ACL object requests
      Refactored MethodDefinitionSource to work with Method, not MethodInvocation
      Refactored AbstractFilterInvocationDefinitionSource to work with URL Strings alone
      Refactored AbstractSecurityInterceptor to better support other AOP libraries
      Improved performance of JBoss container adapter (see reference docs)
      Made DaoAuthenticationProvider detect null in Authentication.principal
      Improved JaasAuthenticationProvider startup error detection
      Refactored EH-CACHE implementations to use Spring IoC defined caches instead
      AbstractProcessingFilter now has various hook methods to assist subclasses
      DaoAuthenticationProvider better detects AuthenticationDao interface violations
      The User class has a new constructor (the old constructor is deprecated)
      Fixed ambiguous column references in JdbcDaoImpl default query
      Fixed AbstractProcessingFilter to use removeAttribute (JRun compatibility)
      Fixed GrantedAuthorityEffectiveAclResolver support of UserDetails principals
      Fixed HttpSessionIntegrationFilter "cannot commit to container" during logoff
      Moved MethodSecurityInterceptor to ...intercept.method.aopalliance package
      Documentation improvements
      Test coverage improvements
    
    
      Resolved to use http://apr.apache.org/versioning.html for future versioning
      Added additional DaoAuthenticationProvider event when user not found
      Added Authentication.getDetails() to DaoAuthenticationProvider response
      Added DaoAuthenticationProvider.hideUserNotFoundExceptions (default=true)
      Added PasswordAuthenticationProvider for password-validating DAOs (eg LDAP)
      Added FilterToBeanProxy compatibility with ContextLoaderServlet (lazy inits)
      Added convenience methods to ConfigAttributeDefinition
      Improved sample applications' bean reference notation
      Clarified contract for ObjectDefinitionSource.getAttributes(Object)
      Extracted removeUserFromCache(String) to UserCache interface
      Improved ConfigAttributeEditor so it trims preceding and trailing spaces
      Refactored UsernamePasswordAuthenticationToken.getDetails() to Object
      Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource change
      Fixed EH-CACHE-based caching implementation behaviour when cache exists
      Fixed Ant "release" target not including project.properties
      Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided to method
      Documentation improvements
    
    
      Added domain object instance access control list (ACL) packages
      Added feature so DaoAuthenticationProvider returns User in Authentication
      Added AbstractIntegrationFilter.secureContext property for custom contexts
      Added stack trace logging to SecurityEnforcementFilter
      Added exception-specific target URLs to AbstractProcessingFilter
      Added JdbcDaoImpl hook so subclasses can insert custom granted authorities
      Added AuthenticationProvider that wraps JAAS login modules
      Added support for EL expressions in the authz tag library
      Added failed Authentication object to AuthenticationExceptions
      Added signed JARs to all official release builds (see readme.txt)
      Added remote client authentication validation package
      Added protected sendAccessDeniedError method to SecurityEnforcementFilter
      Updated Authentication to be serializable (Weblogic support)
      Updated JAR to Spring 1.1 RC 1
      Updated to Clover 1.3
      Updated to HSQLDB version 1.7.2 Release Candidate 6D
      Refactored User to net.sf.acegisecurity.UserDetails interface
      Refactored CAS package to store UserDetails in CasAuthenticationToken
      Improved organisation of DaoAuthenticationProvider to facilitate subclassing
      Improved test coverage (now 98.3%)
      Improved JDBC-based tests to use in-memory database rather than filesystem
      Fixed Linux compatibility issues (directory case sensitivity etc)
      Fixed AbstractProcessingFilter to handle servlet spec container differences
      Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue
      Fixed CasAuthenticationToken if proxy granting ticket callback not requested
      Fixed EH-CACHE handling on web context refresh
      Documentation improvements
    
    
      Added samples/quick-start
      Added NullRunAsManager and made default for AbstractSecurityInterceptor
      Added event notification (see net.sf.acegisecurity.providers.dao.event)
      Updated JAR to Spring 1.0.2
      Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release
      Updated GrantedAuthorityImpl to be serializable (JBoss support)
      Updated Authentication interface to present extra details for a request
      Updated Authentication interface to subclass java.security.Principal
      Refactored DaoAuthenticationProvider caching (refer to reference docs)
      Improved HttpSessionIntegrationFilter to manage additional attributes
      Improved URL encoding during redirects
      Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)
      Fixed issue with NullPointerExceptions in taglib
      Removed DaoAuthenticationToken and session-based caching
      Documentation improvements
      Upgrade Note: DaoAuthenticationProvider no longer has a "key" property
    
    
      Added single sign on support via Yale Central Authentication Service (CAS)
      Added full support for HTTP Basic Authentication
      Added caching for DaoAuthenticationProvider successful authentications
      Added Burlap and Hessian remoting to Contacts sample application
      Added pluggable password encoders including plaintext, SHA and MD5
      Added pluggable salt sources to enhance security of hashed passwords
      Added FilterToBeanProxy to obtain filters from Spring application context
      Added support for prepending strings to roles created by JdbcDaoImpl
      Added support for user definition of SQL statements used by JdbcDaoImpl
      Added definable prefixes to avoid expectation of "ROLE_" GrantedAuthoritys
      Added pluggable AuthenticationEntryPoints to SecurityEnforcementFilter
      Added Apache Ant path syntax support to SecurityEnforcementFilter
      Added filter to automate web channel requirements (eg HTTPS redirection)
      Updated JAR to Spring 1.0.1
      Updated several classes to use absolute (not relative) redirection URLs
      Refactored filters to use Spring application context lifecycle support
      Improved constructor detection of nulls in User and other key objects
      Fixed FilterInvocation.getRequestUrl() to also include getPathInfo()
      Fixed Contacts sample application  tags
      Established acegisecurity-developer mailing list
      Documentation improvements
    
    
      Added HTTP session authentication as an alternative to container adapters
      Added HTTP request security interceptor (offers considerable flexibility)
      Added security taglib
      Added Clover test coverage instrumentation (currently 97.2%)
      Added support for Catalina (Tomcat) 4.1.30 to in-container integration tests
      Added HTML test and summary reporting to in-container integration tests
      Updated JARs to Spring Framework release 1.0, with associated AOP changes
      Updated to Apache License version 2.0
      Updated copyright with permission of past contributors
      Refactored unit tests to use mock objects and focus on a single class each
      Refactored many classes to enable insertion of mock objects during testing
      Refactored core classes to ease support of new secure object types
      Changed package layout to better describe the role of contained items
      Changed the extractor to extract additional classes from JBoss and Catalina
      Changed Jetty container adapter configuration (see reference documentation)
      Improved AutoIntegrationFilter handling of deployments without JBoss JARs
      Fixed case handling support in data access object authentication provider
      Documentation improvements
    
    
      Added "in container" unit test system for container adapters and sample app
      Added library extractor tool to reduce the "with deps" ZIP release sizes
      Added unit test to the attributes sample
      Added Jalopy source formatting
      Modified all files to use net.sf.acegisecurity namespace
      Renamed springsecurity.xml to acegisecurity.xml for consistency
      Reduced length of ZIP and JAR filenames
      Clarified licenses and sources for all included libraries
      Updated documentation to reflect new file and package names
      Set up Sourceforge.net project and added to CVS etc
    
    
      Added Commons Attributes support and sample (thanks to Cameron Braid)
      Added JBoss container adapter
      Added Resin container adapter
      Added JDBC DAO authentication provider
      Added several filter implementations for container adapter integration
      Added SecurityInterceptor startup time validation of ConfigAttributes
      Added more unit tests
      Refactored ConfigAttribute to interface and added concrete implementation
      Enhanced diagnostics information provided by sample application debug.jsp
      Modified sample application for wider container portability (Resin, JBoss)
      Fixed switch block in voting decision manager implementations
      Removed Spring MVC interceptor for container adapter integration
      Documentation improvements
    
    
      Initial public release