@@ -1,203 +1 @@ -=== 0.7.0 :: In Progress - -* Implemented single-sign-out functionality as specified in CAS 3.1. See - http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out. -* Service URIs are now automatically normalized. For example, if the service - URI given to the server has a 'ticket' parameter, the ticket will now be - automatically stripped. This is to avert any possible issues raised by - misbehaving CAS clients (the CAS ticket should never be part of the service - URI). Same goes for other CAS-related parameters like 'service', 'renew', - and 'gateway'. Additionally, the trailing '/' and '?' characters are - automatically stripped from URLs, since, for example, "http://google.com/" - is almost certainly equivalent to "http://google.com". -* The expire_sessions config variable is now respected -- ticket granting - ticket cookies are set with an expiry datetime, so that the SSO session - is effectively terminated once the ticket_granting_ticket_expiry period - is reached. - -=== 0.6.0 :: 2008-03-28 - -* Much of the supporting functionality that makes RubyCAS-Server - act as a well-behaved Linux service has been abstracted out - into its own library. This new library is called Picnic and is - now a gem dependency for RubyCAS-Server. You can find out more about - it at http://code.google.com/p/camping-picnic/. -* The logout action will now accept a 'destination' parameter in lieu of - 'service'. This means that if a 'destination' parameter is given with - some URL, the logout action will show the login form, allowing the user - to immedietly log back in to the service specified by 'destination'. -* The logout action will now accept a 'url' parameter. If given, the logout - page will show a message indicating that the CAS session has been terminated - and instructing the user to click on a link to follow the given URL. If the - 'url' parameter is given, the login form will NOT be shown on the logout - page (see above). -* When an authentication failure occurs (because the user submitted - invalid credentials or the login ticket is missing), the server - now returns a 401 (Unauthorized) response instead of 200. -* An encryption-enabled version of the SQL authenticator is now - available. For more info have a look at: - http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator -* Better compatibility with Oracle databases. The database migration - no longer tries to create tables with long names when long - table names are not supported by the underlying database connector - (issue #15). -* The server now automatically removes leading and trailing whitespace from - the username entered by users. Passwords however are left intact, with no - whitespace removed. -* The server can now be configured to automatically downcase the - username entered by users (dowcase_username option). So if a user - enters "JSmith", the system will convert it to "jsmith" if the - downcase_username option is set to true. -* The server can now be made to bind to a specific address. See the - :bind_address option in the config.example.yml file. -* Fixed bug with ActiveRecord 2.0.2 where service tickets were not - being given a type (issue #37). - -=== 0.5.1 :: 2007-12-20 - -* Tickets generated by the server should now be a lot more secure. - The random string generator used for generating tickets now uses - Crypt::ISAAC. Tickets have also been extended in length; STs, PTs - and LTs can now extend up to 32 characters, and PGTs and PGT-IOUs - up to 64. - -=== 0.5.0 :: 2007-09-20 - -* Gateway requests should now be handled correctly. When the request to the - login page is made with gateway=true as one of the parameters, the CAS - server will immediately redirect back to the target service along with - a service ticket if an SSO session exists for the user (or without a - service ticket if there is no pre-existing SSO session). - Note that if you are using RubyCAS-Client and want gatewaying, you will - need to upgrade it to 1.1.0 as gatewaying was broken in prior versions. -* If gateway=true is specified as part of the logout URI, the server will - log the user out and immediately redirect them back to the specified - service. In other words, you can now do "gatewayed logouts" as well - as logins. -* A login ticket can now be remotely requested from the server by placing - a POST request to '/loginTicket'. -* The login view can now be made to return only the login form. This is - done by adding the 'onlyLoginForm' parameter to the '/login' request. - Optionally, a 'submitToURI' parameter can be supplied to force the login - form to submit to the given URI (otherwise the server will try to figure - out the full URI to its own login controller). This functionality may be - useful when you want to embed the login form in some external page, as - an IFRAME otherwise. -* Custom views can now be used to override the default Markaby templates - by specifying a 'custom_views_file' option in the configuration. See - custom_views.example.rb. [jzylks] -* Table names have been shortened to work with Oracle. A migration has - been added that should do the shortening for you the first time you run - this new RubyCAS-Server version. -* Multiple authenticators can now be specified. During authentication, - credentials are presented to the first authenticator, then the second, - and so on, until the user is validated by any one authenticator or fails - validation for all of them. [jzylks] -* When using webrick, you can now run with SSL disabled by omitting the - ssl_cert and ssl_key parameters. -* Changed incorrect MySQL example database configuration -- option should - be 'host:' not 'server:' (issue #22). - -=== 0.4.2 :: 2007-07-26 - -* The LDAP/AD authenticator has been largely re-written. The code is a bit - cleaner now, and should work better with non-Active Directory LDAP servers - (although this has yet to be tested since I don't have access to a non-AD - LDAP server). -* The validate() method in your authenticators now receives a :service element - (in addition to :username, and :password). This is simply the service - url (if any) specified in the user's CAS request. If you call - read_standard_credentials(credentials) at the top of your validator, the value - will also be available as @service along with @username and @password. -* By request, a :username_prefix option has been added to the ldap - configuration. If entered, this string will be automatically prefixed to - the username entered by the user. -* A bug having to do with handling authenticator errors has been fixed. - Any authenticator error messages should now be correctly shown on the - login page. -* Minor improvements to error messages having to do with login tickets. - They're a bit more prescriptive now, explaining to the user what steps - they should take to correct the error. - -=== 0.4.1 :: 2007-06-07 - -* This release restores compatiblity with older versions of rubygems - (pre-0.9.0). To achieve this, we alias the 'gem' method to the old - 'require_gem' if 'gem' is not already defined. -* rubycas-server-ctl will now quiety delete an orphaned .pid file - instead complaining loudly and refusing to start up. -* Fixed minor bug in rubycas-server-ctl that sometimes incorrectly reported - startup problems when in fact the server had started just fine. - - -=== 0.4.0 :: 2007-06-05 - -* Added rubycas-server-ctl script for controlling daemonized server. -* rubygems-0.9.0 or later is now required. -* Added system startup script to be used in /etc/init.d on Linux systems. -* Authenticator can now be loaded from an external file using the 'source' - configuration option. -* Better preemptive detection of startup problems with mongrel. -* User now sees an error message if the service URI is not a valid URI (i.e. - if it's not URI-encoded or otherwise malformed). - - -=== 0.3.0 :: 2007-03-29 - -* Fixed glaring security problem with LDAP/AD Authenticator where under some - circumstances blank passwords were accepted as valid. -* Autocomplete has been turned off on the password field for better security. - In the future we may allow autocomplete to be re-enabled using a - configuration setting. -* When the user visits the login page and is already authenticated (i.e. they - have a valid ticket granting cookie), a message is shown at the top - indicating that they are already logged in. -* sqlite3-ruby is no longer required by the gem as a dependency. The user - must now install it manually prior to installing rubycas-server. The - building of sqlite3 native extensions appears to be somewhat flakey - and probably defeats the original purpose of using it (which was - to have a CAS server up and running with no additional DB configuration). - We will use MySQL as the default database adapter instead, since it does - not require additional libraries and many users will have a MySQL server - already available. -* Fixed bug that was causing all proxy-granting tickets to be deleted whenever - any user logged out. Only the PGTs for the user that is logging out are now - being deleted. -* Trailing slashes in service URLs are now ignored when validating service - and proxy tickets (e.g. "http://www.google.com" and "http://www.google.com/" - are now considered to be the same service URL). -* Authenticators now raise AuthenticatorError exceptions when encountering - a problem/error. This makes it easier to send feedback to the user. - However, other exceptions should still be raised when errors ought - not be recoverable (i.e. programming errors). -* Fixed serious vulnerability in LDAP authenticator where under some - cirumstances the user could just enter '*' as their username to match - any username. The LDAP authenticator will now refuse to process logins - with usernames that contain the characters * ( ) \ / and the NULL - character \0. -* Views are no longer xhtml-validated. Markaby's auto-validation was turned - off to allow for use of the autocomplete property on inputs, since this is - the only viable way of turning off password storage in IE and Firefox at - the page level. -* You can now limit the maximum length of a login session by setting the - expire_sessions config setting to true. -* Fixed some minor bugs in the login view. - - -=== 0.2.0 :: 2007-03-20 - -* ruby-casserver now behaves more like a real command-line app, accepting - various command line arguments including -h (help), -v (version), -c (use - an alternate config.yml), and -d (daemonize, when using webrick or mongrel - mode). -* Special characters in CAS XML responses are now properly encoded into XML - entities -* CAS XML responses are no longer auto-indented... Markaby's indentation - seemed to be causing problems with the PHP CAS client. -* Misc minor bug fixes/cleanup. - - -=== 0.1.0 :: 2007-03-01 - -* First public release. - +See History.txt \ No newline at end of file CHANGELOG.txt @@ -0,0 +1,203 @@ +=== 0.7.0 :: In Progress + +* Implemented single-sign-out functionality as specified in CAS 3.1. See + http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out. +* Service URIs are now automatically normalized. For example, if the service + URI given to the server has a 'ticket' parameter, the ticket will now be + automatically stripped. This is to avert any possible issues raised by + misbehaving CAS clients (the CAS ticket should never be part of the service + URI). Same goes for other CAS-related parameters like 'service', 'renew', + and 'gateway'. Additionally, the trailing '/' and '?' characters are + automatically stripped from URLs, since, for example, "http://google.com/" + is almost certainly equivalent to "http://google.com". +* The expire_sessions config variable is now respected -- ticket granting + ticket cookies are set with an expiry datetime, so that the SSO session + is effectively terminated once the ticket_granting_ticket_expiry period + is reached. + +=== 0.6.0 :: 2008-03-28 + +* Much of the supporting functionality that makes RubyCAS-Server + act as a well-behaved Linux service has been abstracted out + into its own library. This new library is called Picnic and is + now a gem dependency for RubyCAS-Server. You can find out more about + it at http://code.google.com/p/camping-picnic/. +* The logout action will now accept a 'destination' parameter in lieu of + 'service'. This means that if a 'destination' parameter is given with + some URL, the logout action will show the login form, allowing the user + to immedietly log back in to the service specified by 'destination'. +* The logout action will now accept a 'url' parameter. If given, the logout + page will show a message indicating that the CAS session has been terminated + and instructing the user to click on a link to follow the given URL. If the + 'url' parameter is given, the login form will NOT be shown on the logout + page (see above). +* When an authentication failure occurs (because the user submitted + invalid credentials or the login ticket is missing), the server + now returns a 401 (Unauthorized) response instead of 200. +* An encryption-enabled version of the SQL authenticator is now + available. For more info have a look at: + http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator +* Better compatibility with Oracle databases. The database migration + no longer tries to create tables with long names when long + table names are not supported by the underlying database connector + (issue #15). +* The server now automatically removes leading and trailing whitespace from + the username entered by users. Passwords however are left intact, with no + whitespace removed. +* The server can now be configured to automatically downcase the + username entered by users (dowcase_username option). So if a user + enters "JSmith", the system will convert it to "jsmith" if the + downcase_username option is set to true. +* The server can now be made to bind to a specific address. See the + :bind_address option in the config.example.yml file. +* Fixed bug with ActiveRecord 2.0.2 where service tickets were not + being given a type (issue #37). + +=== 0.5.1 :: 2007-12-20 + +* Tickets generated by the server should now be a lot more secure. + The random string generator used for generating tickets now uses + Crypt::ISAAC. Tickets have also been extended in length; STs, PTs + and LTs can now extend up to 32 characters, and PGTs and PGT-IOUs + up to 64. + +=== 0.5.0 :: 2007-09-20 + +* Gateway requests should now be handled correctly. When the request to the + login page is made with gateway=true as one of the parameters, the CAS + server will immediately redirect back to the target service along with + a service ticket if an SSO session exists for the user (or without a + service ticket if there is no pre-existing SSO session). + Note that if you are using RubyCAS-Client and want gatewaying, you will + need to upgrade it to 1.1.0 as gatewaying was broken in prior versions. +* If gateway=true is specified as part of the logout URI, the server will + log the user out and immediately redirect them back to the specified + service. In other words, you can now do "gatewayed logouts" as well + as logins. +* A login ticket can now be remotely requested from the server by placing + a POST request to '/loginTicket'. +* The login view can now be made to return only the login form. This is + done by adding the 'onlyLoginForm' parameter to the '/login' request. + Optionally, a 'submitToURI' parameter can be supplied to force the login + form to submit to the given URI (otherwise the server will try to figure + out the full URI to its own login controller). This functionality may be + useful when you want to embed the login form in some external page, as + an IFRAME otherwise. +* Custom views can now be used to override the default Markaby templates + by specifying a 'custom_views_file' option in the configuration. See + custom_views.example.rb. [jzylks] +* Table names have been shortened to work with Oracle. A migration has + been added that should do the shortening for you the first time you run + this new RubyCAS-Server version. +* Multiple authenticators can now be specified. During authentication, + credentials are presented to the first authenticator, then the second, + and so on, until the user is validated by any one authenticator or fails + validation for all of them. [jzylks] +* When using webrick, you can now run with SSL disabled by omitting the + ssl_cert and ssl_key parameters. +* Changed incorrect MySQL example database configuration -- option should + be 'host:' not 'server:' (issue #22). + +=== 0.4.2 :: 2007-07-26 + +* The LDAP/AD authenticator has been largely re-written. The code is a bit + cleaner now, and should work better with non-Active Directory LDAP servers + (although this has yet to be tested since I don't have access to a non-AD + LDAP server). +* The validate() method in your authenticators now receives a :service element + (in addition to :username, and :password). This is simply the service + url (if any) specified in the user's CAS request. If you call + read_standard_credentials(credentials) at the top of your validator, the value + will also be available as @service along with @username and @password. +* By request, a :username_prefix option has been added to the ldap + configuration. If entered, this string will be automatically prefixed to + the username entered by the user. +* A bug having to do with handling authenticator errors has been fixed. + Any authenticator error messages should now be correctly shown on the + login page. +* Minor improvements to error messages having to do with login tickets. + They're a bit more prescriptive now, explaining to the user what steps + they should take to correct the error. + +=== 0.4.1 :: 2007-06-07 + +* This release restores compatiblity with older versions of rubygems + (pre-0.9.0). To achieve this, we alias the 'gem' method to the old + 'require_gem' if 'gem' is not already defined. +* rubycas-server-ctl will now quiety delete an orphaned .pid file + instead complaining loudly and refusing to start up. +* Fixed minor bug in rubycas-server-ctl that sometimes incorrectly reported + startup problems when in fact the server had started just fine. + + +=== 0.4.0 :: 2007-06-05 + +* Added rubycas-server-ctl script for controlling daemonized server. +* rubygems-0.9.0 or later is now required. +* Added system startup script to be used in /etc/init.d on Linux systems. +* Authenticator can now be loaded from an external file using the 'source' + configuration option. +* Better preemptive detection of startup problems with mongrel. +* User now sees an error message if the service URI is not a valid URI (i.e. + if it's not URI-encoded or otherwise malformed). + + +=== 0.3.0 :: 2007-03-29 + +* Fixed glaring security problem with LDAP/AD Authenticator where under some + circumstances blank passwords were accepted as valid. +* Autocomplete has been turned off on the password field for better security. + In the future we may allow autocomplete to be re-enabled using a + configuration setting. +* When the user visits the login page and is already authenticated (i.e. they + have a valid ticket granting cookie), a message is shown at the top + indicating that they are already logged in. +* sqlite3-ruby is no longer required by the gem as a dependency. The user + must now install it manually prior to installing rubycas-server. The + building of sqlite3 native extensions appears to be somewhat flakey + and probably defeats the original purpose of using it (which was + to have a CAS server up and running with no additional DB configuration). + We will use MySQL as the default database adapter instead, since it does + not require additional libraries and many users will have a MySQL server + already available. +* Fixed bug that was causing all proxy-granting tickets to be deleted whenever + any user logged out. Only the PGTs for the user that is logging out are now + being deleted. +* Trailing slashes in service URLs are now ignored when validating service + and proxy tickets (e.g. "http://www.google.com" and "http://www.google.com/" + are now considered to be the same service URL). +* Authenticators now raise AuthenticatorError exceptions when encountering + a problem/error. This makes it easier to send feedback to the user. + However, other exceptions should still be raised when errors ought + not be recoverable (i.e. programming errors). +* Fixed serious vulnerability in LDAP authenticator where under some + cirumstances the user could just enter '*' as their username to match + any username. The LDAP authenticator will now refuse to process logins + with usernames that contain the characters * ( ) \ / and the NULL + character \0. +* Views are no longer xhtml-validated. Markaby's auto-validation was turned + off to allow for use of the autocomplete property on inputs, since this is + the only viable way of turning off password storage in IE and Firefox at + the page level. +* You can now limit the maximum length of a login session by setting the + expire_sessions config setting to true. +* Fixed some minor bugs in the login view. + + +=== 0.2.0 :: 2007-03-20 + +* ruby-casserver now behaves more like a real command-line app, accepting + various command line arguments including -h (help), -v (version), -c (use + an alternate config.yml), and -d (daemonize, when using webrick or mongrel + mode). +* Special characters in CAS XML responses are now properly encoded into XML + entities +* CAS XML responses are no longer auto-indented... Markaby's indentation + seemed to be causing problems with the PHP CAS client. +* Misc minor bug fixes/cleanup. + + +=== 0.1.0 :: 2007-03-01 + +* First public release. + History.txt 2b243a0829171cbbf63410d574e9d00265f23a86 matt.zukowski matt.zukowski@fffcb96a-a727-0410-ad3e-7b35c796b8d7 http://github.com/gunark/rubycas-server/commit/d93237bcd989a6ae4b4f2e0193ba5cd55f27f4b1 d93237bcd989a6ae4b4f2e0193ba5cd55f27f4b1 2008-04-11T09:10:19-07:00 2008-04-11T09:10:19-07:00 moved CHANGELOG.txt to History.txt to make new version of Hoe happy git-svn-id: https://rubycas-server.googlecode.com/svn/trunk@285 fffcb96a-a727-0410-ad3e-7b35c796b8d7 9d02080084b7600ef512b6c53eab627214fb23f9 matt.zukowski matt.zukowski@fffcb96a-a727-0410-ad3e-7b35c796b8d7