Quick Search
Learn more about
Quick Search
Log In
Access more options
Online Help
About JIRA
Dashboards
Access more options (Alt+D)
Projects
Access more options (Alt+P)
Issues
Access more options (Alt+I)
Agile
Access more options
Planning Board
Task Board
Chart Board
Released Board
Release Notes - Spring Security - Version 1.0.4 - HTML format
Configure Release Notes
Bug
[
SEC-357
] - SwitchUserProcessingFilter allows a null j_username
[
SEC-376
] - FilterSecurityInterceptor is not applied to /j_acegi_switch_user
[
SEC-395
] - HttpSessionEventPublisher causes a NullPointerException
[
SEC-397
] - TokenBasedRememberMeServices cookie path changes result in side effects.
[
SEC-401
] - AclEntryVoter and BasicAclEntryVoter use startsWith for configuration attribute matching
[
SEC-402
] - SwitchUserProcessingFilter's switchUserUrl
[
SEC-404
] - Logout when not logged in cause NullPointerException
[
SEC-407
] - Hitting LogoutFilter's URL when not logged in causes NPE
[
SEC-411
] - SecurityContextHolderAwareRequestWrapper does not define required constructor
[
SEC-416
] - jsf tag in acegi's error page not work properly!
[
SEC-419
] - org.acegisecurity.afterinvocation.CollectionFilterer's logger error
[
SEC-423
] - CLONE -SEC 356 Introduces New Bug: Changes to Authentication leak into synchronous requests when using HttpSessionContextIntegrationFilter
[
SEC-424
] - MethodDefinitionMap - Can't access inherited methods
[
SEC-425
] - <include> bypasses FilterInvocationInterceptor
[
SEC-431
] - copyFiles.bat in acegi-security-sample-tutorial.war archive
[
SEC-433
] - Fix to SEC-359 has introduced a NullPointer to TokenBasedRememberMeServices.logout()
[
SEC-434
] - AuthenticationManager.authenticate() with a valid username and a null password causes NPE.
[
SEC-437
] - Missing JAR in CAS documentation
[
SEC-438
] - exceptionMappings in ProviderManager cannot be added from subclasses
[
SEC-439
] - AclEntryAfterInvocationProvider.decide() returns null when result object not applicable to the provider
[
SEC-440
] - Documentation: Correction in CAS chapter (section 18.3.2) of Acegi Security documentation for v1.0.3
[
SEC-444
] - Race condition inside ConcurrentSessionControllerImpl
[
SEC-447
] - Exploitable XSS in sample apps
[
SEC-451
] - Empty context path in LogoutFilter and AbstractProcessingFilter
[
SEC-453
] - CasAuthenticationHandler does not log root cause of AuthenticationException.
[
SEC-459
] - Incorrect MessageSource constructor used
[
SEC-461
] - HttpSessionContextIntegrationFilter with cloneFromHttpSession = true causes problems at login
[
SEC-464
] - NPE when missing 'j_acegi_logout' when not logged in
[
SEC-466
] - BasicProcessingFilter
[
SEC-474
] - TokenBasedRememberMeServices fail with empty password
[
SEC-478
] - Incorrect decoding of base64 cookie value by TokenBasedRememberMeServices.autoLogin
Improvement
[
SEC-298
] - Max age of cookie could be limited in TokenBasedRememberMeServices
[
SEC-305
] - HttpSessionContextIntegrationFilter to retain SecurityContext when rendering error pages
[
SEC-307
] - RememberMeProcessingFilter should store authentication authenticated by authenticationManager
[
SEC-343
] - FilterChainProxy.obtainAllDefinedFilters(ConfigAttributeDefinition) should allow subclasses to override
[
SEC-363
] - jsp:include parameters are missing
[
SEC-400
] - ObjectIdentityImpl to clarify non-null contract for accessor on domain objects
[
SEC-403
] - Add messages_zh_CN.properties
[
SEC-405
] - Difficult to customise success targetUrl on AbstractProcessingFilter
[
SEC-409
] - More flexibility in UserDetailsService
[
SEC-415
] - Add Document Management System ACL sample
[
SEC-421
] - Parent of MutableAcl is a MutableAcl, should be a simple Acl
[
SEC-436
] - Make BasePermission and CumulativePermission provide hashCode() method
[
SEC-442
] - AbstractProcessingFilter.obtainFullRequestUrl is static and cannot be overridden
[
SEC-443
] - Redirect URL cannot be made relative in AbstractProcessingFilter.sendRedirect()
[
SEC-463
] - AbstractSecurityInterceptor: make retrieval and setting of Authentication object customizable
[
SEC-467
] - New Acl package not compatible with Mysql Db
[
SEC-470
] - make org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices can customize cookie name and tokenExpiryTime
[
SEC-472
] - Allow overriding AuthenticationProcessingFilterEntryPoint to choose alternative login form URLs.
[
SEC-476
] - LoggerListener logs non-AbstractAuthenticationFailureEvents at warn level
Task
[
SEC-452
] - Dependency from Spring 1.2.8 to Spring 2.0.x
Edit/Copy Release Notes
The text area below allows the project release notes to be edited and copied to another document.
Release Notes - Spring Security - Version 1.0.4 <h2> Bug </h2> <ul> <li>[<a href='https://jira.springsource.org/browse/SEC-357'>SEC-357</a>] - SwitchUserProcessingFilter allows a null j_username </li> <li>[<a href='https://jira.springsource.org/browse/SEC-376'>SEC-376</a>] - FilterSecurityInterceptor is not applied to /j_acegi_switch_user </li> <li>[<a href='https://jira.springsource.org/browse/SEC-395'>SEC-395</a>] - HttpSessionEventPublisher causes a NullPointerException </li> <li>[<a href='https://jira.springsource.org/browse/SEC-397'>SEC-397</a>] - TokenBasedRememberMeServices cookie path changes result in side effects. </li> <li>[<a href='https://jira.springsource.org/browse/SEC-401'>SEC-401</a>] - AclEntryVoter and BasicAclEntryVoter use startsWith for configuration attribute matching </li> <li>[<a href='https://jira.springsource.org/browse/SEC-402'>SEC-402</a>] - SwitchUserProcessingFilter's switchUserUrl </li> <li>[<a href='https://jira.springsource.org/browse/SEC-404'>SEC-404</a>] - Logout when not logged in cause NullPointerException </li> <li>[<a href='https://jira.springsource.org/browse/SEC-407'>SEC-407</a>] - Hitting LogoutFilter's URL when not logged in causes NPE </li> <li>[<a href='https://jira.springsource.org/browse/SEC-411'>SEC-411</a>] - SecurityContextHolderAwareRequestWrapper does not define required constructor </li> <li>[<a href='https://jira.springsource.org/browse/SEC-416'>SEC-416</a>] - jsf tag in acegi's error page not work properly! </li> <li>[<a href='https://jira.springsource.org/browse/SEC-419'>SEC-419</a>] - org.acegisecurity.afterinvocation.CollectionFilterer's logger error </li> <li>[<a href='https://jira.springsource.org/browse/SEC-423'>SEC-423</a>] - CLONE -SEC 356 Introduces New Bug: Changes to Authentication leak into synchronous requests when using HttpSessionContextIntegrationFilter </li> <li>[<a href='https://jira.springsource.org/browse/SEC-424'>SEC-424</a>] - MethodDefinitionMap - Can't access inherited methods </li> <li>[<a href='https://jira.springsource.org/browse/SEC-425'>SEC-425</a>] - <include> bypasses FilterInvocationInterceptor </li> <li>[<a href='https://jira.springsource.org/browse/SEC-431'>SEC-431</a>] - copyFiles.bat in acegi-security-sample-tutorial.war archive </li> <li>[<a href='https://jira.springsource.org/browse/SEC-433'>SEC-433</a>] - Fix to SEC-359 has introduced a NullPointer to TokenBasedRememberMeServices.logout() </li> <li>[<a href='https://jira.springsource.org/browse/SEC-434'>SEC-434</a>] - AuthenticationManager.authenticate() with a valid username and a null password causes NPE. </li> <li>[<a href='https://jira.springsource.org/browse/SEC-437'>SEC-437</a>] - Missing JAR in CAS documentation </li> <li>[<a href='https://jira.springsource.org/browse/SEC-438'>SEC-438</a>] - exceptionMappings in ProviderManager cannot be added from subclasses </li> <li>[<a href='https://jira.springsource.org/browse/SEC-439'>SEC-439</a>] - AclEntryAfterInvocationProvider.decide() returns null when result object not applicable to the provider </li> <li>[<a href='https://jira.springsource.org/browse/SEC-440'>SEC-440</a>] - Documentation: Correction in CAS chapter (section 18.3.2) of Acegi Security documentation for v1.0.3 </li> <li>[<a href='https://jira.springsource.org/browse/SEC-444'>SEC-444</a>] - Race condition inside ConcurrentSessionControllerImpl </li> <li>[<a href='https://jira.springsource.org/browse/SEC-447'>SEC-447</a>] - Exploitable XSS in sample apps </li> <li>[<a href='https://jira.springsource.org/browse/SEC-451'>SEC-451</a>] - Empty context path in LogoutFilter and AbstractProcessingFilter </li> <li>[<a href='https://jira.springsource.org/browse/SEC-453'>SEC-453</a>] - CasAuthenticationHandler does not log root cause of AuthenticationException. </li> <li>[<a href='https://jira.springsource.org/browse/SEC-459'>SEC-459</a>] - Incorrect MessageSource constructor used </li> <li>[<a href='https://jira.springsource.org/browse/SEC-461'>SEC-461</a>] - HttpSessionContextIntegrationFilter with cloneFromHttpSession = true causes problems at login </li> <li>[<a href='https://jira.springsource.org/browse/SEC-464'>SEC-464</a>] - NPE when missing 'j_acegi_logout' when not logged in </li> <li>[<a href='https://jira.springsource.org/browse/SEC-466'>SEC-466</a>] - BasicProcessingFilter </li> <li>[<a href='https://jira.springsource.org/browse/SEC-474'>SEC-474</a>] - TokenBasedRememberMeServices fail with empty password </li> <li>[<a href='https://jira.springsource.org/browse/SEC-478'>SEC-478</a>] - Incorrect decoding of base64 cookie value by TokenBasedRememberMeServices.autoLogin </li> </ul> <h2> Improvement </h2> <ul> <li>[<a href='https://jira.springsource.org/browse/SEC-298'>SEC-298</a>] - Max age of cookie could be limited in TokenBasedRememberMeServices </li> <li>[<a href='https://jira.springsource.org/browse/SEC-305'>SEC-305</a>] - HttpSessionContextIntegrationFilter to retain SecurityContext when rendering error pages </li> <li>[<a href='https://jira.springsource.org/browse/SEC-307'>SEC-307</a>] - RememberMeProcessingFilter should store authentication authenticated by authenticationManager </li> <li>[<a href='https://jira.springsource.org/browse/SEC-343'>SEC-343</a>] - FilterChainProxy.obtainAllDefinedFilters(ConfigAttributeDefinition) should allow subclasses to override </li> <li>[<a href='https://jira.springsource.org/browse/SEC-363'>SEC-363</a>] - jsp:include parameters are missing </li> <li>[<a href='https://jira.springsource.org/browse/SEC-400'>SEC-400</a>] - ObjectIdentityImpl to clarify non-null contract for accessor on domain objects </li> <li>[<a href='https://jira.springsource.org/browse/SEC-403'>SEC-403</a>] - Add messages_zh_CN.properties </li> <li>[<a href='https://jira.springsource.org/browse/SEC-405'>SEC-405</a>] - Difficult to customise success targetUrl on AbstractProcessingFilter </li> <li>[<a href='https://jira.springsource.org/browse/SEC-409'>SEC-409</a>] - More flexibility in UserDetailsService </li> <li>[<a href='https://jira.springsource.org/browse/SEC-415'>SEC-415</a>] - Add Document Management System ACL sample </li> <li>[<a href='https://jira.springsource.org/browse/SEC-421'>SEC-421</a>] - Parent of MutableAcl is a MutableAcl, should be a simple Acl </li> <li>[<a href='https://jira.springsource.org/browse/SEC-436'>SEC-436</a>] - Make BasePermission and CumulativePermission provide hashCode() method </li> <li>[<a href='https://jira.springsource.org/browse/SEC-442'>SEC-442</a>] - AbstractProcessingFilter.obtainFullRequestUrl is static and cannot be overridden </li> <li>[<a href='https://jira.springsource.org/browse/SEC-443'>SEC-443</a>] - Redirect URL cannot be made relative in AbstractProcessingFilter.sendRedirect() </li> <li>[<a href='https://jira.springsource.org/browse/SEC-463'>SEC-463</a>] - AbstractSecurityInterceptor: make retrieval and setting of Authentication object customizable </li> <li>[<a href='https://jira.springsource.org/browse/SEC-467'>SEC-467</a>] - New Acl package not compatible with Mysql Db </li> <li>[<a href='https://jira.springsource.org/browse/SEC-470'>SEC-470</a>] - make org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices can customize cookie name and tokenExpiryTime </li> <li>[<a href='https://jira.springsource.org/browse/SEC-472'>SEC-472</a>] - Allow overriding AuthenticationProcessingFilterEntryPoint to choose alternative login form URLs. </li> <li>[<a href='https://jira.springsource.org/browse/SEC-476'>SEC-476</a>] - LoggerListener logs non-AbstractAuthenticationFailureEvents at warn level </li> </ul> <h2> Task </h2> <ul> <li>[<a href='https://jira.springsource.org/browse/SEC-452'>SEC-452</a>] - Dependency from Spring 1.2.8 to Spring 2.0.x </li> </ul>
