Browse files

Cleaned up Gem distribution system.

Also it's now possible to use ActiveRecord/Support ~> 3.0
  • Loading branch information...
1 parent 2e2a411 commit 04a6bb07b83e08d50b63af6fdd52f24949ed0d63 Damien Le Berrigaud committed with zuk Sep 20, 2010
@@ -13,3 +13,6 @@ custom/*
@@ -0,0 +1,290 @@
+=== 1.0.0 :: In Progress...
+* NEW:
+ * Replaced Camping/Picnic with Sinatra
+ * Support for Ruby 1.9.2
+ * Support for Active Record 3
+ * Trying to clean
+=== 0.8.0
+* NEW:
+ * Support for localization via Ruby-GetText.
+ See
+ for details. [antono]
+ * Switched to Picnic 0.8.x, so RubyCAS-Server is now based on Rack
+ and Camping 2.0 and is now compatible with Passenger Phusion
+ * Change to authenticator API: every authenticator now has a class 'setup'
+ method that gets called at server startup. This is where class-level
+ configuration should be done (e.g. establishing a database connection).
+ This is different from the 'configure' method which gets called on a per-
+ instance basis for each authenticator. [godfat]
+ * Database connections are now automatically released back to the connection
+ pool at the end of each request. This should allow the server to handle
+ many more concurrent requests, since database connections are no longer left
+ checked out of the pool.
+ * Added new SQL authenticator (sql_rest_auth) compatible with the
+ restful_authentication Rails plugin. [antono]
+ * Re-licensed under the MIT License.
+ * Fixed weird problems with loading controllers when using older versions of
+ activesupport and/or rubygems.
+ * Failure to connect to a service during a single sign out request is now
+ handled gracefully.
+ * Required gem dependencies have been re-enabled in the gemspec.
+ * Authlogic authenticator files added to gemspec. [rajiv]
+ * Authenticators are now instantiated on a per-request basis (rather than
+ once at startup) to ensure thread safety.
+=== 0.7.1 :: 2008-11-10
+* Fixed dependency loading problems introduced by upstream changes in RubyGems
+ 1.3.1.
+=== 0.7.0 :: 2008-11-04
+* NEW:
+ * Implemented single-sign-out functionality as specified in CAS 3.3. See
+ * It is now possible to configure Authenticators to return extra attributes
+ to CAS clients alongside the username. For an example of how to do this see
+ the included SQL authenticator. Also have a look at:
+ Note that extra attributes of type other than String or Numeric are serialized
+ into YAML format before being sent along to the client.
+ * Added an MD5-password version of the SQL authenticator for Drupal and any other
+ database that stores its passwords in hashed form (thanks malcolmm).
+ * Added new Google authenticator for authenticating against Google/GMail
+ accounts.
+ * Service URIs are now automatically normalized. For example, if the service
+ URI given to the server has a 'ticket' parameter, the ticket will now be
+ automatically stripped. This is to avert any possible issues raised by
+ misbehaving CAS clients (the CAS ticket should never be part of the service
+ URI). Same goes for other CAS-related parameters like 'service', 'renew',
+ and 'gateway'. Additionally, the trailing '/' and '?' characters are
+ automatically stripped from URLs, since, for example, ""
+ is almost certainly equivalent to "".
+ * The expire_sessions config variable is now respected -- ticket granting
+ ticket cookies are set with an expiry datetime, so that the SSO session
+ is effectively terminated once the ticket_granting_ticket_expiry period
+ is reached.
+ * If present, the HTTP_X_FORWARDED_FOR header is used for recording the
+ client's address. This is useful when the server is running behind a reverse
+ proxy, but it should not be considered authoritative since it can be
+ easily spoofed.
+ * The 'service' field in the 'casserver_st' table has been changed from
+ VARCHAR(255) to TEXT in order to accomodate service URIs longer than 255
+ characters (fixes issue #46).
+ * The CAS XML responses are no longer whitespace-formatted (i.e. Markaby's
+ auto-indentation has been turned off). Apparently the whitespace was
+ causing problems with mod_auth_cas. See:
+ * When used without pre-authentication, the LDAP authenticator now tries to
+ bind by searching for the given username in the LDAP directory based on the
+ configured username_attribute. Prior to this change the authenticator
+ attempted to bind with the LDAP server by assuming that the username credential
+ matches the user's CN. This is no longer the case.
+ * CAS responses to invalid requests (for example where required parameters
+ are missing or incorrect) will now have HTTP status code 422. Internal server
+ errors (where the server rather than the client is at fault) have error 500.
+ Previously most responses had error code 200, regardless of their contents.
+ * Fixed logout action to work properly with ActiveRecord 2.1 (eager loading behaviour
+ was changed upstream forcing a change to the way we look for ProxyGrantingTickets
+ to delete on logout).
+ * When running under Mongrel, the USR2 signal should now restart the server as
+ expected -- however currently this only works when the server is running
+ in the foregaround. When daemonized, USR2 will shut down the server without
+ restarting (see issue #58).
+ * Fixed activerecord/activesupport gem load problems, hopefully once and for all
+ (however picnic-0.7.0 is now required).
+=== 0.6.0 :: 2008-03-28
+* Much of the supporting functionality that makes RubyCAS-Server
+ act as a well-behaved Linux service has been abstracted out
+ into its own library. This new library is called Picnic and is
+ now a gem dependency for RubyCAS-Server. You can find out more about
+ it at
+* The logout action will now accept a 'destination' parameter in lieu of
+ 'service'. This means that if a 'destination' parameter is given with
+ some URL, the logout action will show the login form, allowing the user
+ to immedietly log back in to the service specified by 'destination'.
+* The logout action will now accept a 'url' parameter. If given, the logout
+ page will show a message indicating that the CAS session has been terminated
+ and instructing the user to click on a link to follow the given URL. If the
+ 'url' parameter is given, the login form will NOT be shown on the logout
+ page (see above).
+* When an authentication failure occurs (because the user submitted
+ invalid credentials or the login ticket is missing), the server
+ now returns a 401 (Unauthorized) response instead of 200.
+* An encryption-enabled version of the SQL authenticator is now
+ available. For more info have a look at:
+* Better compatibility with Oracle databases. The database migration
+ no longer tries to create tables with long names when long
+ table names are not supported by the underlying database connector
+ (issue #15).
+* The server now automatically removes leading and trailing whitespace from
+ the username entered by users. Passwords however are left intact, with no
+ whitespace removed.
+* The server can now be configured to automatically downcase the
+ username entered by users (dowcase_username option). So if a user
+ enters "JSmith", the system will convert it to "jsmith" if the
+ downcase_username option is set to true.
+* The server can now be made to bind to a specific address. See the
+ :bind_address option in the config.example.yml file.
+* Fixed bug with ActiveRecord 2.0.2 where service tickets were not
+ being given a type (issue #37).
+=== 0.5.1 :: 2007-12-20
+* Tickets generated by the server should now be a lot more secure.
+ The random string generator used for generating tickets now uses
+ Crypt::ISAAC. Tickets have also been extended in length; STs, PTs
+ and LTs can now extend up to 32 characters, and PGTs and PGT-IOUs
+ up to 64.
+=== 0.5.0 :: 2007-09-20
+* Gateway requests should now be handled correctly. When the request to the
+ login page is made with gateway=true as one of the parameters, the CAS
+ server will immediately redirect back to the target service along with
+ a service ticket if an SSO session exists for the user (or without a
+ service ticket if there is no pre-existing SSO session).
+ Note that if you are using RubyCAS-Client and want gatewaying, you will
+ need to upgrade it to 1.1.0 as gatewaying was broken in prior versions.
+* If gateway=true is specified as part of the logout URI, the server will
+ log the user out and immediately redirect them back to the specified
+ service. In other words, you can now do "gatewayed logouts" as well
+ as logins.
+* A login ticket can now be remotely requested from the server by placing
+ a POST request to '/loginTicket'.
+* The login view can now be made to return only the login form. This is
+ done by adding the 'onlyLoginForm' parameter to the '/login' request.
+ Optionally, a 'submitToURI' parameter can be supplied to force the login
+ form to submit to the given URI (otherwise the server will try to figure
+ out the full URI to its own login controller). This functionality may be
+ useful when you want to embed the login form in some external page, as
+ an IFRAME otherwise.
+* Custom views can now be used to override the default Markaby templates
+ by specifying a 'custom_views_file' option in the configuration. See
+ custom_views.example.rb. [jzylks]
+* Table names have been shortened to work with Oracle. A migration has
+ been added that should do the shortening for you the first time you run
+ this new RubyCAS-Server version.
+* Multiple authenticators can now be specified. During authentication,
+ credentials are presented to the first authenticator, then the second,
+ and so on, until the user is validated by any one authenticator or fails
+ validation for all of them. [jzylks]
+* When using webrick, you can now run with SSL disabled by omitting the
+ ssl_cert and ssl_key parameters.
+* Changed incorrect MySQL example database configuration -- option should
+ be 'host:' not 'server:' (issue #22).
+=== 0.4.2 :: 2007-07-26
+* The LDAP/AD authenticator has been largely re-written. The code is a bit
+ cleaner now, and should work better with non-Active Directory LDAP servers
+ (although this has yet to be tested since I don't have access to a non-AD
+ LDAP server).
+* The validate() method in your authenticators now receives a :service element
+ (in addition to :username, and :password). This is simply the service
+ url (if any) specified in the user's CAS request. If you call
+ read_standard_credentials(credentials) at the top of your validator, the value
+ will also be available as @service along with @username and @password.
+* By request, a :username_prefix option has been added to the ldap
+ configuration. If entered, this string will be automatically prefixed to
+ the username entered by the user.
+* A bug having to do with handling authenticator errors has been fixed.
+ Any authenticator error messages should now be correctly shown on the
+ login page.
+* Minor improvements to error messages having to do with login tickets.
+ They're a bit more prescriptive now, explaining to the user what steps
+ they should take to correct the error.
+=== 0.4.1 :: 2007-06-07
+* This release restores compatiblity with older versions of rubygems
+ (pre-0.9.0). To achieve this, we alias the 'gem' method to the old
+ 'require_gem' if 'gem' is not already defined.
+* rubycas-server-ctl will now quiety delete an orphaned .pid file
+ instead complaining loudly and refusing to start up.
+* Fixed minor bug in rubycas-server-ctl that sometimes incorrectly reported
+ startup problems when in fact the server had started just fine.
+=== 0.4.0 :: 2007-06-05
+* Added rubycas-server-ctl script for controlling daemonized server.
+* rubygems-0.9.0 or later is now required.
+* Added system startup script to be used in /etc/init.d on Linux systems.
+* Authenticator can now be loaded from an external file using the 'source'
+ configuration option.
+* Better preemptive detection of startup problems with mongrel.
+* User now sees an error message if the service URI is not a valid URI (i.e.
+ if it's not URI-encoded or otherwise malformed).
+=== 0.3.0 :: 2007-03-29
+* Fixed glaring security problem with LDAP/AD Authenticator where under some
+ circumstances blank passwords were accepted as valid.
+* Autocomplete has been turned off on the password field for better security.
+ In the future we may allow autocomplete to be re-enabled using a
+ configuration setting.
+* When the user visits the login page and is already authenticated (i.e. they
+ have a valid ticket granting cookie), a message is shown at the top
+ indicating that they are already logged in.
+* sqlite3-ruby is no longer required by the gem as a dependency. The user
+ must now install it manually prior to installing rubycas-server. The
+ building of sqlite3 native extensions appears to be somewhat flakey
+ and probably defeats the original purpose of using it (which was
+ to have a CAS server up and running with no additional DB configuration).
+ We will use MySQL as the default database adapter instead, since it does
+ not require additional libraries and many users will have a MySQL server
+ already available.
+* Fixed bug that was causing all proxy-granting tickets to be deleted whenever
+ any user logged out. Only the PGTs for the user that is logging out are now
+ being deleted.
+* Trailing slashes in service URLs are now ignored when validating service
+ and proxy tickets (e.g. "" and ""
+ are now considered to be the same service URL).
+* Authenticators now raise AuthenticatorError exceptions when encountering
+ a problem/error. This makes it easier to send feedback to the user.
+ However, other exceptions should still be raised when errors ought
+ not be recoverable (i.e. programming errors).
+* Fixed serious vulnerability in LDAP authenticator where under some
+ cirumstances the user could just enter '*' as their username to match
+ any username. The LDAP authenticator will now refuse to process logins
+ with usernames that contain the characters * ( ) \ / and the NULL
+ character \0.
+* Views are no longer xhtml-validated. Markaby's auto-validation was turned
+ off to allow for use of the autocomplete property on inputs, since this is
+ the only viable way of turning off password storage in IE and Firefox at
+ the page level.
+* You can now limit the maximum length of a login session by setting the
+ expire_sessions config setting to true.
+* Fixed some minor bugs in the login view.
+=== 0.2.0 :: 2007-03-20
+* ruby-casserver now behaves more like a real command-line app, accepting
+ various command line arguments including -h (help), -v (version), -c (use
+ an alternate config.yml), and -d (daemonize, when using webrick or mongrel
+ mode).
+* Special characters in CAS XML responses are now properly encoded into XML
+ entities
+* CAS XML responses are no longer auto-indented... Markaby's indentation
+ seemed to be causing problems with the PHP CAS client.
+* Misc minor bug fixes/cleanup.
+=== 0.1.0 :: 2007-03-01
+* First public release.
@@ -1 +0,0 @@
-See History.txt
13 Gemfile
@@ -1,6 +1,9 @@
source ""
-gem "activerecord"
-gem "activesupport"
-gem "sinatra"
-gem "gettext"
-gem "sqlite3-ruby", :require => "sqlite3"
+gem "activerecord", "~> 3.0.0"
+gem "activesupport", "~> 3.0.0"
+gem "sinatra", "~> 1.0"
+gem "gettext", "~> 2.1.0"
+group :development do
+ gem "sqlite3-ruby", "~> 1.3.1", :require => "sqlite3"
@@ -1,23 +1,35 @@
- activerecord (2.3.8)
- activesupport (= 2.3.8)
- activesupport (2.3.8)
+ activemodel (3.0.0)
+ activesupport (= 3.0.0)
+ builder (~> 2.1.2)
+ i18n (~> 0.4.1)
+ activerecord (3.0.0)
+ activemodel (= 3.0.0)
+ activesupport (= 3.0.0)
+ arel (~> 1.0.0)
+ tzinfo (~> 0.3.23)
+ activesupport (3.0.0)
+ arel (1.0.1)
+ activesupport (~> 3.0.0)
+ builder (2.1.2)
gettext (2.1.0)
locale (>= 2.0.5)
+ i18n (0.4.1)
locale (2.0.5)
rack (1.2.1)
sinatra (1.0)
rack (>= 1.0)
sqlite3-ruby (1.3.1)
+ tzinfo (0.3.23)
- activerecord
- activesupport
- gettext
- sinatra
- sqlite3-ruby
+ activerecord (~> 3.0.0)
+ activesupport (~> 3.0.0)
+ gettext (~> 2.1.0)
+ sinatra (~> 1.0)
+ sqlite3-ruby (~> 1.3.1)
Oops, something went wrong.

0 comments on commit 04a6bb0

Please sign in to comment.