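The release of Acegi 1.0 was actually a bit of a surprise, because I had always considered Acegi's code to be quite stable already. But Acegi keeps striving for improvement, and the new version still brings quite a few practical changes and upgrades. Here is a brief analysis.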
[SEC-183] - Avoid unnecessary HttpSession creation when using Anonymous and Remember-Me authentication
Previously, if you used HttpSessionContextIntegrationFilter, it created a session for you whether or not you needed one. That is unnecessary for some Basic authentication setups. The new forceEagerSessionCreation property now controls when the session gets created.
[SEC-29] - Save POST request parameters before redirect
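This problem existed in the previous few versions: if you implemented automatic redirection after login, Acegi simply recorded the URL and kept no further details. In the new version Acegi not only keeps the POST data from being lost; almost everything in the request is serialized and saved. See SavedRequest for the implementation.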
[SEC-40] - HibernateDao.scroll() performance
[SEC-92] - Hibernate ACL implementation
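I could not find this rather exciting improvement in the 1.0 source code. Judging from what Alex said, it seems to be provided only as a demo, with the aim of making it easier to generate the data scripts. (In fact this really cannot be made especially generic; after all, everyone's ACL implementation may be different.)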
[SEC-147] - BasicAclEntryAfterInvocationProvider should support processDomainObjectClass
When running the ACL check on a List, it takes out the first element and checks it against processDomainObjectClass with an AssignableFrom test, which serves as a kind of safety check.
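The first-element check described above, as an added sketch that is not Acegi source code: it shows why sampling one element is a sanity check rather than a type guarantee for the whole collection. The classes `Contact` and `Invoice`, the owner-based rule, the direction of the `isAssignableFrom` call and the fail-closed behaviour are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

// Added illustration, not Acegi source code. Contact, Invoice and the
// owner-based rule are hypothetical stand-ins for a real domain model and ACL.
public class FirstElementTypeCheckDemo {

    static class Contact {
        final String owner;
        Contact(String owner) { this.owner = owner; }
    }

    static class Invoice { }

    // The check as the text describes it: sample the first element only and
    // test it against the configured processDomainObjectClass.
    static boolean firstElementMatches(Collection<?> returned, Class<?> processDomainObjectClass) {
        if (returned == null || returned.isEmpty()) {
            return false; // nothing to sample
        }
        Object first = returned.iterator().next();
        return first != null && processDomainObjectClass.isAssignableFrom(first.getClass());
    }

    // Stand-in ACL filter: a Contact is visible only to its owner. The type is
    // re-checked per element because the first-element sample says nothing
    // about the rest of a mixed collection. Unknown types are dropped
    // (fail closed), which is a choice made for this sketch.
    static List<Contact> filterContacts(Collection<?> returned, String caller) {
        List<Contact> visible = new ArrayList<Contact>();
        if (!firstElementMatches(returned, Contact.class)) {
            return visible;
        }
        for (Object o : returned) {
            if (o instanceof Contact && ((Contact) o).owner.equals(caller)) {
                visible.add((Contact) o);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample data: a mixed list whose first element is a Contact.
        List<Object> mixed = Arrays.<Object>asList(new Contact("alice"), new Invoice(), new Contact("bob"));
        System.out.println(firstElementMatches(mixed, Contact.class));
        System.out.println(filterContacts(mixed, "alice").size());
        System.out.println(firstElementMatches(new ArrayList<Object>(), Contact.class));
    }
}
```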
[SEC-172] - Allow SimpleAclEntry to take 'null' as recipient constructor argument
Actually, recipient should not be allowed to be null.
[SEC-187] - inHttp & inHttps not fully utilized in AuthenticationProcessingFilterEntryPoint
[SEC-191] - AclTag class should use the BeanFactoryUtils.beanNamesForTypeIncludingAncestors method to search for the AclManager
AclTag is now more flexible when looking up the AclManager, thanks to the power of Spring.
<To be continued tomorrow....>
[SEC-194] - RememberMeServices should be available when using BasicAuth logins
[SEC-195] - Create Acegi-backed CAS3 AuthenticationHandler
[SEC-196] - Update web site and documentation to reference JA-SIG CAS
[SEC-203] - Allow setting the AuthenticationManager onto the ConcurrentSessionController for inverted dependency
[SEC-204] - Better detection of malformed text in FilterInvocationDefinitionSourceEditor
[SEC-205] - Allow multiple URLs in DefaultInitialDirContextFactory
[SEC-206] - TokenBasedRememberMeServices using context root when setting cookie paths (inc code)
[SEC-207] - Implement countermeasures against session attacks
[SEC-209] - Make AbstractProcessingFilter.eventPublisher field protected
[SEC-217] - Improve Siteminder Filter
[SEC-220] - Allow ExceptionTranslationFilter to not catch exceptions
[SEC-221] - AbstractProcessingFilter.onPreAuthentication exceptions should be caught
[SEC-224] - Make Authentication.getPrincipal() for CAS return the UserDetails
[SEC-229] - Allow redirects to external URLs in AbstractProcessingFilter
[SEC-231] - Add another DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles
[SEC-234] - Allow WebAuthenticationDetails pluggable implementations
[SEC-236] - JbossAcegiLoginModule to use ApplicationContext interface
[SEC-238] - Add AuthenticationException to AbstractProcessingFilter.onUnsuccessfulAuthentication method signature
[SEC-242] - Logger in AbstractProcessingFilter
[SEC-244] - Column names instead of indexes for org.acegisecurity.userdetails.jdbc.JdbcDaoImpl
[SEC-246] - Enable late-binding of UserDetailsService on DaoAuthenticationProvider
[SEC-247] - Allow to specify resources that shouldn't be filtered in FilterChainProxy
[SEC-251] - DefaultLdapAuthoritiesPopulator: Add filter argument {1} for username as in Tomcat JNDIRealm
[SEC-255] - Reorder AuthenticationProcessingFilter to create HttpSession before delegating to AuthenticationDetailsSource
[SEC-257] - ExceptionTranslationFilter to use strategy interface for AccessDeniedException handling
[SEC-259] - AccessDecisionVoter: typo in JavaDoc
[SEC-260] - AbstractAccessDecisionManager and loggers
[SEC-262] - AbstractAccessDecisionManager needs standard handling ifAllAbstainDecisions
[SEC-264] - Introduction of LdapUserDetails and changes to LdapAuthenticator and LdapAuthoritiesPopulator interfaces
[SEC-276] - Restructure reference guide
posted on 2006-06-01 23:05
差沙