Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Tree: b7284964b7
Branches Tags
spring-security
/
src
/
site
/
xdoc
/
upgrade
/
upgrade-090-100.xml

upgrade-090-100.xml 5.2 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495 
  1. <?xml version="1.0" encoding="ISO-8859-1"?>
    2. 

  2. <document><properties><title>Acegi Security - Upgrading from version 0.8.0 to 1.0.0</title></properties><body><section name="Upgrading from 0.9.0 to 1.0.0"><p>
    3. 

  3. The following should help most casual users of the project update their
    4. 

  4. applications:
    5. 

  5. </p></section><section name="Changes 0.9.0 to RC1"><ul>
    6. 

  6. 

  7. <li>The top level package name has changed. Simply find "net.sf.acegisecurity" and replace with
    8. 

  8.     "org.springframework.security".
    9. 

  9. </li>
    10. 

  10. 

  11. <li>
    12. 

  12. DaoAuthenticationProvider has a property, authenticationDao. This property should now be renamed to
    13. 

  13. userDetailsService.
    14. 

  14. </li>
    15. 

  15. 

  16. <li>
    17. 

  17. In JSPs, each "authz" taglib prefix must be changed from uri="http://acegisecurity.sf.net/authz"
    18. 

  18. to uri="http://acegisecurity.org/authz".
    19. 

  19. </li>
    20. 

  20. 

  21. <li>net.sf.acegisecurity.providers.dao.AuthenticationDao is now
    22. 

  22.     org.springframework.security.userdetails.UserDetailsService.
    23. 

  23.     The interface signature has not changed. Similarly, User and UserDetails have moved into the latter's package as well.
    24. 

  24. If you've implemented your own AuthenticationDao, you'll need to change the class it's implementing and quite likely
    25. 

  25. the import packages for User and UserDetails. In addition, if using JdbcDaoImpl or InMemoryDaoImpl please
    26. 

  26. note they have moved to this new package.</li>
    27. 

  27. 

  28. <li>Acegi Security is now localised. In net.sf.acegisecurity you will find a messages.properties. It is
    29. 

  29. suggested to register this in your application context, perhaps using ReloadableResourceBundleMessageSource.
    30. 

  30. If you do not do this, the default messages included in the source code will be used so this change is
    31. 

  31. not critical. The Spring LocaleContextHolder class is used to determine the locale of messages included in
    32. 

  32. exceptions. At present only the default messages.properties is included (which is in English). If
    33. 

  33. you localise this file to another language, please consider attaching it to a
    34. 

  34. <a href="http://opensource2.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040">new JIRA task</a>
    35. 

  35. so that we can include it in future Acegi Security releases.</li>
    36. 

  36. 

  37. </ul></section><section name="Changes RC1 to RC2"><ul>
    38. 

  38. 

  39. <li>
    40. 

  40.     org.springframework.security.ui.rememberme.RememberMeProcessingFilter now requires an authenticationManager property. This will generally
    41. 

  41. point to an implementation of org.springframework.security.providers.ProviderManager.
    42. 

  42. </li>
    43. 

  43. 

  44. <li>
    45. 

  45.     org.springframework.security.intercept.web.AuthenticationEntryPoint has moved to a new location,
    46. 

  46.     org.springframework.security.ui.AuthenticationEntryPoint.
    47. 

  47. </li>
    48. 

  48. 

  49. <li>
    50. 

  50.     org.springframework.security.intercept.web.SecurityEnforcementFilter has moved to a new location and name,
    51. 

  51.     org.springframework.security.ui.ExceptionTranslationFilter. In addition, the "filterSecurityInterceptor"
    52. 

  52. property on the old SecurityEnforcementFilter class has been removed. This is because
    53. 

  53. SecurityEnforcementFilter will no longer delegate to FilterSecurityInterceptor as it has in the
    54. 

  54. past. Because this delegation feature has been removed (see SEC-144 for a background as to why),
    55. 

  55. please add a new filter definition for FilterSecurityInterceptor to the end of your
    56. 

  56. FilterChainProxy. Generally you'll also rename the old SecurityEnforcementFilter entry in your
    57. 

  57. FilterChainProxy to ExceptionTranslationFilter, more accurately reflecting its purpose.
    58. 

  58. If you are not using FilterChainProxy (although we recommend that you do), you will need to add
    59. 

  59. an additional filter entry to web.xml and use FilterToBeanProxy to access the FilterSecurityInterceptor.
    60. 

  60. </li>
    61. 

  61. 

  62. <li>
    63. 

  63. If you are directly using SecurityContextHolder.setContext(SecurityContext) - which is not
    64. 

  64. very common - please not that best practise is now to call SecurityContextHolder.clearContext()
    65. 

  65. if you wish to erase the contents of the SecurityContextHolder. Previously code such as
    66. 

  66. SecurityContextHolder.setContext(new SecurityContextImpl()) would have been used. The revised
    67. 

  67. method internally stores null, which helps avoids redeployment issue caused by the previous
    68. 

  68. approaches (see SEC-159 for further details).
    69. 

  69. </li>
    70. 

  70. 

  71. </ul></section><section name="Changes RC2 to Final"><ul>
    72. 

  72. 

  73. <li>
    74. 

  74. AbstractProcessingFilter.onUnsuccessfulAuthentication(HttpServletRequest, HttpServletResponse)
    75. 

  75. has changed it signature (SEC-238). If subclassing, please override the new signature.
    76. 

  76. </li>
    77. 

  77. 

  78. <li>
    79. 

  79. ExceptionTranslationFilter no longer provides a sendAccessDenied() method. Use the
    80. 

  80. new AccessDeniedHandler instead if custom handling is required.
    81. 

  81. </li>
    82. 

  82. 

  83. <li>
    84. 

  84. There have been some changes to the LDAP provider APIs to allow for future improvements, as detailed in
    85. 

  85. <a href="http://opensource.atlassian.com/projects/spring/browse/SEC-264">SEC-264</a>. These
    86. 

  86. should only affect users who have written their own extensions to the provider. The general LDAP
    87. 

  87. classes are now in the packages org.springframework.security.ldap and the
    88. 

  88.     org.springframework.security.userdetails.ldap
    89. 

  89.     package has been introduced. The search and authentication classes now return an
    90. 

  90. <a href="../multiproject/acegi-security/apidocs/org/acegisecurity/userdetails/ldap/LdapUserDetails.html">LdapUserDetails</a>
    91. 

  91. instance. The LdapAuthoritiesPopulator interface and its default implementation now both make use of
    92. 

  92. LdapUserDetails. Any customized versions should be updated to use the new method signatures.
    93. 

  93. </li>
    94. 

  94. 

  95. </ul></section></body></document>
    96.