rubycas-server/CHANGELOG

=== 1.1.3 :: In progress...

* CHANGED:
   * XML responses now start with a correct XML declaration specifying UTF-8 encoding
     (<?xml version="1.0" encoding="UTF-8" ?>).

* FIXED:
   * Extra attributes with UTF-8 characters should be correctly encoded under ruby 1.8.7.
   * Improved compatibility with various versions of ActiveRecord, ActiveSupport and
     other dependencies.
   * Minor code reorganization and cleanup.

=== 1.1.2 :: 2012-09-19

* FIXED:
   * Upgraded sinatra-r18n dependency to 1.1.0. This should fix localization issues
     for some users.

=== 1.1.1 :: 2012-06-08

* NEW:
   * Google authenticator now has a "restricted_domain" option to allow logins only
     from Google accounts (email addressed) under a specific domain name.

* FIXED:
   * When installed as a gem, localization should now work correctly thanks to fixed
     translations path.

=== 1.1.0 :: 2012-04-19

 * NEW:
   * Localization is now done using R18n instead of Gettext.
   * Restored compatibility with Sinatra 1.2
   * Now compatibile with Ruby 1.9.3
   * Can now run without Bundler if all required dependencies are already installed.
   * es_AR translations.

 * CHANGED:
   * It is no longer possible to select the locale by adding a 'lang=xx' attribute to the 
   	 request URL. The locale is selected using the 'Accept-Lanuage' header sent in the 
   	 request. However the old 'lang' functionality may be restored in a future version.
   * Certain localized string keys have changed. If you are using your own custom views
     you may need to modify them accordingly.

 * FIXED:
   * Removed unnecessary bcrypt requirement for encrypted sql authenticators.
   * Single Sign Out requests should now work with SSL-enabled services.

=== 1.0.1 :: 2011-11-22

* NEW:
  * On startup the server now checks for a config.yml file in its own root directory,
    then in /etc/rubycas-server.

* FIXED:
  * Compatibilty with Sinatra 1.3 (:public changed to :public_folder).
  * Database migration files should now be correctly bundled with the gem distribution.
  * Should work with both ActiveRecord >= 2.3.12 and < 3.1. Previously the dependency
    was erronously set to accept only the 2.3.12 series.
  * Specs now pass under ActiveRecord 2.3.12 in both Ruby 1.8 and 1.9

=== 1.0.0 :: 2011-08-03

* NEW:
	* Rewrite to replace Camping/Picnic with Sinatra
	* Support for Ruby 1.9.2
	* Support for Active Record 3

* CHANGED:
  * Google authenticator proxy configuration has been changed (see config.example.yml)

=== 0.8.0

* NEW:
	* Support for localization via Ruby-GetText.
		See http://code.google.com/p/rubycas-server/wiki/Localization
		for details. [antono]
	* Switched to Picnic 0.8.x, so RubyCAS-Server is now based on Rack
		and Camping 2.0 and is now compatible with Passenger Phusion
	* Change to authenticator API: every authenticator now has a class 'setup'
		method that gets called at server startup. This is where class-level
		configuration should be done (e.g. establishing a database connection).
		This is different from the 'configure' method which gets called on a per-
		instance basis for each authenticator. [godfat]
	* Database connections are now automatically released back to the connection
		pool at the end of each request. This should allow the server to handle
		many more concurrent requests, since database connections are no longer left
		checked out of the pool.
	* Added new SQL authenticator (sql_rest_auth) compatible with the
		restful_authentication Rails plugin. [antono]
	* Re-licensed under the MIT License.

* FIXED:
	* Fixed weird problems with loading controllers when using older versions of
		activesupport and/or rubygems.
	* Failure to connect to a service during a single sign out request is now
		handled gracefully.
	* Required gem dependencies have been re-enabled in the gemspec.
	* Authlogic authenticator files added to gemspec. [rajiv]
	* Authenticators are now instantiated on a per-request basis (rather than
		once at startup) to ensure thread safety.

=== 0.7.1 :: 2008-11-10

* Fixed dependency loading problems introduced by upstream changes in RubyGems
	1.3.1.

=== 0.7.0 :: 2008-11-04

* NEW:
	* Implemented single-sign-out functionality as specified in CAS 3.3.	See
		http://www.ja-sig.org/wiki/display/CASUM/Single+Sign+Out.
	* It is now possible to configure Authenticators to return extra attributes
		to CAS clients alongside the username. For an example of how to do this see
		the included SQL authenticator. Also have a look at:
		http://groups.google.com/group/rubycas-server/browse_thread/thread/5eade3793cb590e9
		Note that extra attributes of type other than String or Numeric are serialized
		into YAML format before being sent along to the client.
	* Added an MD5-password version of the SQL authenticator for Drupal and any other
		database that stores its passwords in hashed form (thanks malcolmm).
	* Added new Google authenticator for authenticating against Google/GMail
		accounts.

* CHANGED:
	* Service URIs are now automatically normalized. For example, if the service
		URI given to the server has a 'ticket' parameter, the ticket will now be
		automatically stripped. This is to avert any possible issues raised by
		misbehaving CAS clients (the CAS ticket should never be part of the service
		URI). Same goes for other CAS-related parameters like 'service', 'renew',
		and 'gateway'. Additionally, the trailing '/' and '?' characters are
		automatically stripped from URLs, since, for example, "http://google.com/"
		is almost certainly equivalent to "http://google.com".
	* The expire_sessions config variable is now respected -- ticket granting
		ticket cookies are set with an expiry datetime, so that the SSO session
		is effectively terminated once the ticket_granting_ticket_expiry period
		is reached.
	* If present, the HTTP_X_FORWARDED_FOR header is used for recording the
		client's address. This is useful when the server is running behind a reverse
		proxy, but it should not be considered authoritative since it can be
		easily spoofed.
	* The 'service' field in the 'casserver_st' table has been changed from
		VARCHAR(255) to TEXT in order to accomodate service URIs longer than 255
		characters (fixes issue #46).
	* The CAS XML responses are no longer whitespace-formatted (i.e. Markaby's
		auto-indentation has been turned off). Apparently the whitespace was
		causing problems with mod_auth_cas. See:
		http://groups.google.com/group/rubycas-server/browse_thread/thread/e482fe09999b73d3
	* When used without pre-authentication, the LDAP authenticator now tries to
		bind by searching for the given username in the LDAP directory based on the
		configured username_attribute. Prior to this change the authenticator
		attempted to bind with the LDAP server by assuming that the username credential
		matches the user's CN. This is no longer the case.
	* CAS responses to invalid requests (for example where required parameters
		are missing or incorrect) will now have HTTP status code 422. Internal server
		errors (where the server rather than the client is at fault) have error 500.
		Previously most responses had error code 200, regardless of their contents.

* FIXED:
	* Fixed logout action to work properly with ActiveRecord 2.1 (eager loading behaviour
		was changed upstream forcing a change to the way we look for ProxyGrantingTickets
		to delete on logout).
	* When running under Mongrel, the USR2 signal should now restart the server as
		expected -- however currently this only works when the server is running
		in the foregaround. When daemonized, USR2 will shut down the server without
		restarting (see issue #58).
	* Fixed activerecord/activesupport gem load problems, hopefully once and for all
		(however picnic-0.7.0 is now required).

=== 0.6.0 :: 2008-03-28

* Much of the supporting functionality that makes RubyCAS-Server
	act as a well-behaved Linux service has been abstracted out
	into its own library. This new library is called Picnic and is
	now a gem dependency for RubyCAS-Server. You can find out more about
	it at http://code.google.com/p/camping-picnic/.
* The logout action will now accept a 'destination' parameter in lieu of
	'service'. This means that if a 'destination' parameter is given with
	some URL, the logout action will show the login form, allowing the user
	to immedietly log back in to the service specified by 'destination'.
* The logout action will now accept a 'url' parameter. If given, the logout
	page will show a message indicating that the CAS session has been terminated
	and instructing the user to click on a link to follow the given URL. If the
	'url' parameter is given, the login form will NOT be shown on the logout
	page (see above).
* When an authentication failure occurs (because the user submitted
	invalid credentials or the login ticket is missing), the server
	now returns a 401 (Unauthorized) response instead of 200.
* An encryption-enabled version of the SQL authenticator is now
	available. For more info have a look at:
	http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
* Better compatibility with Oracle databases. The database migration
	no longer tries to create tables with long names when long
	table names are not supported by the underlying database connector
	(issue #15).
* The server now automatically removes leading and trailing whitespace from
	the username entered by users. Passwords however are left intact, with no
	whitespace removed.
* The server can now be configured to automatically downcase the
	username entered by users (dowcase_username option). So if a user
	enters "JSmith", the system will convert it to "jsmith" if the
	downcase_username option is set to true.
* The server can now be made to bind to a specific address. See the
	:bind_address option in the config.example.yml file.
* Fixed bug with ActiveRecord 2.0.2 where service tickets were not
	being given a type (issue #37).

=== 0.5.1 :: 2007-12-20

* Tickets generated by the server should now be a lot more secure.
	The random string generator used for generating tickets now uses
	Crypt::ISAAC. Tickets have also been extended in length; STs, PTs
	and LTs can now extend up to 32 characters, and PGTs and PGT-IOUs
	up to 64.

=== 0.5.0 :: 2007-09-20

* Gateway requests should now be handled correctly. When the request to the
	login page is made with gateway=true as one of the parameters, the CAS
	server will immediately redirect back to the target service along with
	a service ticket if an SSO session exists for the user (or without a
	service ticket if there is no pre-existing SSO session).
	Note that if you are using RubyCAS-Client and want gatewaying, you will
	need to upgrade it to 1.1.0 as gatewaying was broken in prior versions.
* If gateway=true is specified as part of the logout URI, the server will
	log the user out and immediately redirect them back to the specified
	service. In other words, you can now do "gatewayed logouts" as well
	as logins.
* A login ticket can now be remotely requested from the server by placing
	a POST request to '/loginTicket'.
* The login view can now be made to return only the login form. This is
	done by adding the 'onlyLoginForm' parameter to the '/login' request.
	Optionally, a 'submitToURI' parameter can be supplied to force the login
	form to submit to the given URI (otherwise the server will try to figure
	out the full URI to its own login controller). This functionality may be
	useful when you want to embed the login form in some external page, as
	an IFRAME otherwise.
* Custom views can now be used to override the default Markaby templates
	by specifying a 'custom_views_file' option in the configuration. See
	custom_views.example.rb. [jzylks]
* Table names have been shortened to work with Oracle. A migration has
	been added that should do the shortening for you the first time you run
	this new RubyCAS-Server version.
* Multiple authenticators can now be specified. During authentication,
	credentials are presented to the first authenticator, then the second,
	and so on, until the user is validated by any one authenticator or fails
	validation for all of them. [jzylks]
* When using webrick, you can now run with SSL disabled by omitting the
	ssl_cert and ssl_key parameters.
* Changed incorrect MySQL example database configuration -- option should
	be 'host:' not 'server:' (issue #22).

=== 0.4.2 :: 2007-07-26

* The LDAP/AD authenticator has been largely re-written. The code is a bit
	cleaner now, and should work better with non-Active Directory LDAP servers
	(although this has yet to be tested since I don't have access to a non-AD
	LDAP server).
* The validate() method in your authenticators now receives a :service element
	(in addition to :username, and :password). This is simply the service
	url (if any) specified in the user's CAS request. If you call
	read_standard_credentials(credentials) at the top of your validator, the value
	will also be available as @service along with @username and @password.
* By request, a :username_prefix option has been added to the ldap
	configuration. If entered, this string will be automatically prefixed to
	the username entered by the user.
* A bug having to do with handling authenticator errors has been fixed.
	Any authenticator error messages should now be correctly shown on the
	login page.
* Minor improvements to error messages having to do with login tickets.
	They're a bit more prescriptive now, explaining to the user what steps
	they should take to correct the error.

=== 0.4.1 :: 2007-06-07

* This release restores compatiblity with older versions of rubygems
	(pre-0.9.0). To achieve this, we alias the 'gem' method to the old
	'require_gem' if 'gem' is not already defined.
* rubycas-server-ctl will now quiety delete an orphaned .pid file
	instead complaining loudly and refusing to start up.
* Fixed minor bug in rubycas-server-ctl that sometimes incorrectly reported
	startup problems when in fact the server had started just fine.


=== 0.4.0 :: 2007-06-05

* Added rubycas-server-ctl script for controlling daemonized server.
* rubygems-0.9.0 or later is now required.
* Added system startup script to be used in /etc/init.d on Linux systems.
* Authenticator can now be loaded from an external file using the 'source'
	configuration option.
* Better preemptive detection of startup problems with mongrel.
* User now sees an error message if the service URI is not a valid URI (i.e.
	if it's not URI-encoded or otherwise malformed).


=== 0.3.0 :: 2007-03-29

* Fixed glaring security problem with LDAP/AD Authenticator where under some
	circumstances blank passwords were accepted as valid.
* Autocomplete has been turned off on the password field for better security.
	In the future we may allow autocomplete to be re-enabled using a
	configuration setting.
* When the user visits the login page and is already authenticated (i.e. they
	have a valid ticket granting cookie), a message is shown at the top
	indicating that they are already logged in.
* sqlite3-ruby is no longer required by the gem as a dependency.	The user
	must now install it manually prior to installing rubycas-server. The
	building of sqlite3 native extensions appears to be somewhat flakey
	and probably defeats the original purpose of using it (which was
	to have a CAS server up and running with no additional DB configuration).
	We will use MySQL as the default database adapter instead, since it does
	not require additional libraries and many users will have a MySQL server
	already available.
* Fixed bug that was causing all proxy-granting tickets to be deleted whenever
	any user logged out. Only the PGTs for the user that is logging out are now
	being deleted.
* Trailing slashes in service URLs are now ignored when validating service
	and proxy tickets (e.g. "http://www.google.com" and "http://www.google.com/"
	are now considered to be the same service URL).
* Authenticators now raise AuthenticatorError exceptions when encountering
	a problem/error. This makes it easier to send feedback to the user.
	However, other exceptions should still be raised when errors ought
	not be recoverable (i.e. programming errors).
* Fixed serious vulnerability in LDAP authenticator where under some
	cirumstances the user could just enter '*' as their username to match
	any username. The LDAP authenticator will now refuse to process logins
	with usernames that contain the characters * ( ) \ / and the NULL
	character \0.
* Views are no longer xhtml-validated. Markaby's auto-validation was turned
	off to allow for use of the autocomplete property on inputs, since this is
	the only viable way of turning off password storage in IE and Firefox at
	the page level.
* You can now limit the maximum length of a login session by setting the
	expire_sessions config setting to true.
* Fixed some minor bugs in the login view.


=== 0.2.0 :: 2007-03-20

* ruby-casserver now behaves more like a real command-line app, accepting
	various command line arguments including -h (help), -v (version), -c (use
	an alternate config.yml), and -d (daemonize, when using webrick or mongrel
	mode).
* Special characters in CAS XML responses are now properly encoded into XML
	entities
* CAS XML responses are no longer auto-indented... Markaby's indentation
	seemed to be causing problems with the PHP CAS client.
* Misc minor bug fixes/cleanup.


=== 0.1.0 :: 2007-03-01

* First public release.