290 строки
15 KiB
Plaintext
290 строки
15 KiB
Plaintext
=== 1.0.0 :: In Progress...
|
|
|
|
* NEW:
|
|
* Rewrite to replace Camping/Picnic with Sinatra
|
|
* Support for Ruby 1.9.2
|
|
* Support for Active Record 3
|
|
|
|
=== 0.8.0
|
|
|
|
* NEW:
|
|
* Support for localization via Ruby-GetText.
|
|
See http://code.google.com/p/rubycas-server/wiki/Localization
|
|
for details. [antono]
|
|
* Switched to Picnic 0.8.x, so RubyCAS-Server is now based on Rack
|
|
and Camping 2.0 and is now compatible with Passenger Phusion
|
|
* Change to authenticator API: every authenticator now has a class 'setup'
|
|
method that gets called at server startup. This is where class-level
|
|
configuration should be done (e.g. establishing a database connection).
|
|
This is different from the 'configure' method which gets called on a per-
|
|
instance basis for each authenticator. [godfat]
|
|
* Database connections are now automatically released back to the connection
|
|
pool at the end of each request. This should allow the server to handle
|
|
many more concurrent requests, since database connections are no longer left
|
|
checked out of the pool.
|
|
* Added new SQL authenticator (sql_rest_auth) compatible with the
|
|
restful_authentication Rails plugin. [antono]
|
|
* Re-licensed under the MIT License.
|
|
|
|
* FIXED:
|
|
* Fixed weird problems with loading controllers when using older versions of
|
|
activesupport and/or rubygems.
|
|
* Failure to connect to a service during a single sign out request is now
|
|
handled gracefully.
|
|
* Required gem dependencies have been re-enabled in the gemspec.
|
|
* Authlogic authenticator files added to gemspec. [rajiv]
|
|
* Authenticators are now instantiated on a per-request basis (rather than
|
|
once at startup) to ensure thread safety.
|
|
|
|
=== 0.7.1 :: 2008-11-10
|
|
|
|
* Fixed dependency loading problems introduced by upstream changes in RubyGems
|
|
1.3.1.
|
|
|
|
=== 0.7.0 :: 2008-11-04
|
|
|
|
* NEW:
|
|
* Implemented single-sign-out functionality as specified in CAS 3.3. See
|
|
http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out.
|
|
* It is now possible to configure Authenticators to return extra attributes
|
|
to CAS clients alongside the username. For an example of how to do this see
|
|
the included SQL authenticator. Also have a look at:
|
|
http://groups.google.com/group/rubycas-server/browse_thread/thread/5eade3793cb590e9
|
|
Note that extra attributes of type other than String or Numeric are serialized
|
|
into YAML format before being sent along to the client.
|
|
* Added an MD5-password version of the SQL authenticator for Drupal and any other
|
|
database that stores its passwords in hashed form (thanks malcolmm).
|
|
* Added new Google authenticator for authenticating against Google/GMail
|
|
accounts.
|
|
|
|
* CHANGED:
|
|
* Service URIs are now automatically normalized. For example, if the service
|
|
URI given to the server has a 'ticket' parameter, the ticket will now be
|
|
automatically stripped. This is to avert any possible issues raised by
|
|
misbehaving CAS clients (the CAS ticket should never be part of the service
|
|
URI). Same goes for other CAS-related parameters like 'service', 'renew',
|
|
and 'gateway'. Additionally, the trailing '/' and '?' characters are
|
|
automatically stripped from URLs, since, for example, "http://google.com/"
|
|
is almost certainly equivalent to "http://google.com".
|
|
* The expire_sessions config variable is now respected -- ticket granting
|
|
ticket cookies are set with an expiry datetime, so that the SSO session
|
|
is effectively terminated once the ticket_granting_ticket_expiry period
|
|
is reached.
|
|
* If present, the HTTP_X_FORWARDED_FOR header is used for recording the
|
|
client's address. This is useful when the server is running behind a reverse
|
|
proxy, but it should not be considered authoritative since it can be
|
|
easily spoofed.
|
|
* The 'service' field in the 'casserver_st' table has been changed from
|
|
VARCHAR(255) to TEXT in order to accomodate service URIs longer than 255
|
|
characters (fixes issue #46).
|
|
* The CAS XML responses are no longer whitespace-formatted (i.e. Markaby's
|
|
auto-indentation has been turned off). Apparently the whitespace was
|
|
causing problems with mod_auth_cas. See:
|
|
http://groups.google.com/group/rubycas-server/browse_thread/thread/e482fe09999b73d3
|
|
* When used without pre-authentication, the LDAP authenticator now tries to
|
|
bind by searching for the given username in the LDAP directory based on the
|
|
configured username_attribute. Prior to this change the authenticator
|
|
attempted to bind with the LDAP server by assuming that the username credential
|
|
matches the user's CN. This is no longer the case.
|
|
* CAS responses to invalid requests (for example where required parameters
|
|
are missing or incorrect) will now have HTTP status code 422. Internal server
|
|
errors (where the server rather than the client is at fault) have error 500.
|
|
Previously most responses had error code 200, regardless of their contents.
|
|
|
|
* FIXED:
|
|
* Fixed logout action to work properly with ActiveRecord 2.1 (eager loading behaviour
|
|
was changed upstream forcing a change to the way we look for ProxyGrantingTickets
|
|
to delete on logout).
|
|
* When running under Mongrel, the USR2 signal should now restart the server as
|
|
expected -- however currently this only works when the server is running
|
|
in the foregaround. When daemonized, USR2 will shut down the server without
|
|
restarting (see issue #58).
|
|
* Fixed activerecord/activesupport gem load problems, hopefully once and for all
|
|
(however picnic-0.7.0 is now required).
|
|
|
|
=== 0.6.0 :: 2008-03-28
|
|
|
|
* Much of the supporting functionality that makes RubyCAS-Server
|
|
act as a well-behaved Linux service has been abstracted out
|
|
into its own library. This new library is called Picnic and is
|
|
now a gem dependency for RubyCAS-Server. You can find out more about
|
|
it at http://code.google.com/p/camping-picnic/.
|
|
* The logout action will now accept a 'destination' parameter in lieu of
|
|
'service'. This means that if a 'destination' parameter is given with
|
|
some URL, the logout action will show the login form, allowing the user
|
|
to immedietly log back in to the service specified by 'destination'.
|
|
* The logout action will now accept a 'url' parameter. If given, the logout
|
|
page will show a message indicating that the CAS session has been terminated
|
|
and instructing the user to click on a link to follow the given URL. If the
|
|
'url' parameter is given, the login form will NOT be shown on the logout
|
|
page (see above).
|
|
* When an authentication failure occurs (because the user submitted
|
|
invalid credentials or the login ticket is missing), the server
|
|
now returns a 401 (Unauthorized) response instead of 200.
|
|
* An encryption-enabled version of the SQL authenticator is now
|
|
available. For more info have a look at:
|
|
http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
|
|
* Better compatibility with Oracle databases. The database migration
|
|
no longer tries to create tables with long names when long
|
|
table names are not supported by the underlying database connector
|
|
(issue #15).
|
|
* The server now automatically removes leading and trailing whitespace from
|
|
the username entered by users. Passwords however are left intact, with no
|
|
whitespace removed.
|
|
* The server can now be configured to automatically downcase the
|
|
username entered by users (dowcase_username option). So if a user
|
|
enters "JSmith", the system will convert it to "jsmith" if the
|
|
downcase_username option is set to true.
|
|
* The server can now be made to bind to a specific address. See the
|
|
:bind_address option in the config.example.yml file.
|
|
* Fixed bug with ActiveRecord 2.0.2 where service tickets were not
|
|
being given a type (issue #37).
|
|
|
|
=== 0.5.1 :: 2007-12-20
|
|
|
|
* Tickets generated by the server should now be a lot more secure.
|
|
The random string generator used for generating tickets now uses
|
|
Crypt::ISAAC. Tickets have also been extended in length; STs, PTs
|
|
and LTs can now extend up to 32 characters, and PGTs and PGT-IOUs
|
|
up to 64.
|
|
|
|
=== 0.5.0 :: 2007-09-20
|
|
|
|
* Gateway requests should now be handled correctly. When the request to the
|
|
login page is made with gateway=true as one of the parameters, the CAS
|
|
server will immediately redirect back to the target service along with
|
|
a service ticket if an SSO session exists for the user (or without a
|
|
service ticket if there is no pre-existing SSO session).
|
|
Note that if you are using RubyCAS-Client and want gatewaying, you will
|
|
need to upgrade it to 1.1.0 as gatewaying was broken in prior versions.
|
|
* If gateway=true is specified as part of the logout URI, the server will
|
|
log the user out and immediately redirect them back to the specified
|
|
service. In other words, you can now do "gatewayed logouts" as well
|
|
as logins.
|
|
* A login ticket can now be remotely requested from the server by placing
|
|
a POST request to '/loginTicket'.
|
|
* The login view can now be made to return only the login form. This is
|
|
done by adding the 'onlyLoginForm' parameter to the '/login' request.
|
|
Optionally, a 'submitToURI' parameter can be supplied to force the login
|
|
form to submit to the given URI (otherwise the server will try to figure
|
|
out the full URI to its own login controller). This functionality may be
|
|
useful when you want to embed the login form in some external page, as
|
|
an IFRAME otherwise.
|
|
* Custom views can now be used to override the default Markaby templates
|
|
by specifying a 'custom_views_file' option in the configuration. See
|
|
custom_views.example.rb. [jzylks]
|
|
* Table names have been shortened to work with Oracle. A migration has
|
|
been added that should do the shortening for you the first time you run
|
|
this new RubyCAS-Server version.
|
|
* Multiple authenticators can now be specified. During authentication,
|
|
credentials are presented to the first authenticator, then the second,
|
|
and so on, until the user is validated by any one authenticator or fails
|
|
validation for all of them. [jzylks]
|
|
* When using webrick, you can now run with SSL disabled by omitting the
|
|
ssl_cert and ssl_key parameters.
|
|
* Changed incorrect MySQL example database configuration -- option should
|
|
be 'host:' not 'server:' (issue #22).
|
|
|
|
=== 0.4.2 :: 2007-07-26
|
|
|
|
* The LDAP/AD authenticator has been largely re-written. The code is a bit
|
|
cleaner now, and should work better with non-Active Directory LDAP servers
|
|
(although this has yet to be tested since I don't have access to a non-AD
|
|
LDAP server).
|
|
* The validate() method in your authenticators now receives a :service element
|
|
(in addition to :username, and :password). This is simply the service
|
|
url (if any) specified in the user's CAS request. If you call
|
|
read_standard_credentials(credentials) at the top of your validator, the value
|
|
will also be available as @service along with @username and @password.
|
|
* By request, a :username_prefix option has been added to the ldap
|
|
configuration. If entered, this string will be automatically prefixed to
|
|
the username entered by the user.
|
|
* A bug having to do with handling authenticator errors has been fixed.
|
|
Any authenticator error messages should now be correctly shown on the
|
|
login page.
|
|
* Minor improvements to error messages having to do with login tickets.
|
|
They're a bit more prescriptive now, explaining to the user what steps
|
|
they should take to correct the error.
|
|
|
|
=== 0.4.1 :: 2007-06-07
|
|
|
|
* This release restores compatiblity with older versions of rubygems
|
|
(pre-0.9.0). To achieve this, we alias the 'gem' method to the old
|
|
'require_gem' if 'gem' is not already defined.
|
|
* rubycas-server-ctl will now quiety delete an orphaned .pid file
|
|
instead complaining loudly and refusing to start up.
|
|
* Fixed minor bug in rubycas-server-ctl that sometimes incorrectly reported
|
|
startup problems when in fact the server had started just fine.
|
|
|
|
|
|
=== 0.4.0 :: 2007-06-05
|
|
|
|
* Added rubycas-server-ctl script for controlling daemonized server.
|
|
* rubygems-0.9.0 or later is now required.
|
|
* Added system startup script to be used in /etc/init.d on Linux systems.
|
|
* Authenticator can now be loaded from an external file using the 'source'
|
|
configuration option.
|
|
* Better preemptive detection of startup problems with mongrel.
|
|
* User now sees an error message if the service URI is not a valid URI (i.e.
|
|
if it's not URI-encoded or otherwise malformed).
|
|
|
|
|
|
=== 0.3.0 :: 2007-03-29
|
|
|
|
* Fixed glaring security problem with LDAP/AD Authenticator where under some
|
|
circumstances blank passwords were accepted as valid.
|
|
* Autocomplete has been turned off on the password field for better security.
|
|
In the future we may allow autocomplete to be re-enabled using a
|
|
configuration setting.
|
|
* When the user visits the login page and is already authenticated (i.e. they
|
|
have a valid ticket granting cookie), a message is shown at the top
|
|
indicating that they are already logged in.
|
|
* sqlite3-ruby is no longer required by the gem as a dependency. The user
|
|
must now install it manually prior to installing rubycas-server. The
|
|
building of sqlite3 native extensions appears to be somewhat flakey
|
|
and probably defeats the original purpose of using it (which was
|
|
to have a CAS server up and running with no additional DB configuration).
|
|
We will use MySQL as the default database adapter instead, since it does
|
|
not require additional libraries and many users will have a MySQL server
|
|
already available.
|
|
* Fixed bug that was causing all proxy-granting tickets to be deleted whenever
|
|
any user logged out. Only the PGTs for the user that is logging out are now
|
|
being deleted.
|
|
* Trailing slashes in service URLs are now ignored when validating service
|
|
and proxy tickets (e.g. "http://www.google.com" and "http://www.google.com/"
|
|
are now considered to be the same service URL).
|
|
* Authenticators now raise AuthenticatorError exceptions when encountering
|
|
a problem/error. This makes it easier to send feedback to the user.
|
|
However, other exceptions should still be raised when errors ought
|
|
not be recoverable (i.e. programming errors).
|
|
* Fixed serious vulnerability in LDAP authenticator where under some
|
|
cirumstances the user could just enter '*' as their username to match
|
|
any username. The LDAP authenticator will now refuse to process logins
|
|
with usernames that contain the characters * ( ) \ / and the NULL
|
|
character \0.
|
|
* Views are no longer xhtml-validated. Markaby's auto-validation was turned
|
|
off to allow for use of the autocomplete property on inputs, since this is
|
|
the only viable way of turning off password storage in IE and Firefox at
|
|
the page level.
|
|
* You can now limit the maximum length of a login session by setting the
|
|
expire_sessions config setting to true.
|
|
* Fixed some minor bugs in the login view.
|
|
|
|
|
|
=== 0.2.0 :: 2007-03-20
|
|
|
|
* ruby-casserver now behaves more like a real command-line app, accepting
|
|
various command line arguments including -h (help), -v (version), -c (use
|
|
an alternate config.yml), and -d (daemonize, when using webrick or mongrel
|
|
mode).
|
|
* Special characters in CAS XML responses are now properly encoded into XML
|
|
entities
|
|
* CAS XML responses are no longer auto-indented... Markaby's indentation
|
|
seemed to be causing problems with the PHP CAS client.
|
|
* Misc minor bug fixes/cleanup.
|
|
|
|
|
|
=== 0.1.0 :: 2007-03-01
|
|
|
|
* First public release.
|