2005-12-06 Janne Jalkanen * 2.3.50 alpha. * Added collapsebox from BrushedTemplate. Also synced some search stuff from Brushed. * TableOfContents are now collapsable. * Moved the layout around a bit - actions are now a part of Header.jsp and Footer.jsp. This allows us to do a slightly nicer layout, I think. 2005-12-04 Janne Jalkanen * 2.3.49 * Added LinkTag at the request of Gregor Hagedorn. It does pretty much everything. Adding documentation later... This class also needs some serious working so that the functionality could be offered to other classes as well (such as the Image plugin). * Hopefully fixed the "my username is null" -problem, which would occur, if you were both logged in and had a cookie. * Added a patch from Matt Luker to allow numbering in TableOfContents. * InterWiki links are now also checked for image inlining. Merry Christmas :) * FCK.jsp had two elements reversed. Thanks Dirk Fredericx! * Diffs now use code from BrushedTemplate by Dirk. * WikiServletFilter was letting only US-ASCII through - oops... * WikiForms can now handle UTF-8. * TableOfContentsPlugin font size was set accidentally to zero in jspwiki.css. WTF? * Reworked the jolly old "include correct CSS based on browser" to be a proper Javascript method call. 2005-11-29 Andrew Jaquith * 2.3.48 * Major refactoring of UserPreferences.jsp. The separate registration page is now *gone* and merged into the prefs page. The prefs page itself now has tabs -- one for the user profile, and one for prefs. This means we can relax a few of the security assumptions at the JSP level, since they are already baked into the core UserManager APIs. (Addresses Dirk's requests.) * Setting the user name via cookies is back! * The security policy was loosened to allow anonymous users to edit their pref. WikiPermission "EditPreferences" has been broadened in meaning to include prefs AND profiles, while "RegisterUser" means simply the ability to create a profile. RegisterUser will *probably* vanish or be renamed in the near future. * SpecialPage REGISTER now points to UserPreferences.jsp * UserPreferences now implements a caching scheme for user profiles that downstream classes like UserProfileTag need. Also, UserPreferences gets a second password (confirmation) field. UserManager receives additional validation logic for processing same. Everybody's happy, but especially Dirk. * Bugfix for XMLUserDatabase that caused funny auth problems if the jspwiki.properties userdatabase prop was commented out. (Credit: Janne) * Favorites/PageActions get context-sensitive "Log in" "Logout" and "Create group" links. * Build.xml gets some stub code for HTTP/web unit testing. There aren't any tests just yet, but we do have a snappy Tomcat auto-deploy mechanism now. * Thanks to the magic of XyleScope, the default jspwiki.css gets some small tweaks to make the overall styles a bit more aesthetically pleasing and consistent. * "You are anonymous" discreetly disappears. * Temporary bugfix for infinite-redirection loop issue with Login.jsp... introduces another one... * This release introduces a known bugs: a "redirect loop" occurs when using container-managed auth and accessing a forbidden page. This will be fixed in my next checkin. 2005-11-27 Janne Jalkanen * 2.3.47 * Added "type" parameter to IncludeResourcesTag. This allows you now to include multiple types of resources in different places. * Quite a few top-level JSPs had the old EditorManager package, oops. * Added quite a lot of stuff from BrushedTemplate, including collapsible lists, sortable tables, etc. 2005-11-26 Janne Jalkanen * 2.3.46 * Reworked EditContent.jsp to account for changes in editor system. * Variable content is now escaped before shown. Thanks to Gregor Hagedorn for pointing this out. * Added new package: module, containing ModuleManager and WikiModuleInfo classes. * Added WikiContext.findContext() to make life a bit easier for template writers. * Moved TemplateManager to new package: ui. * Added etc/ini/jspwiki_module.xml to contain some defaults. * Added WikiServletFilter and the ability for plugins, etc to request an injection of things in the header. This is done by adding in commonheader.jsp. It inserts a particularly formatted comment in the header, which is then replaced by WikiServletFilter. A plugin may request a script or a CSS file by using new methods in TemplateManager. Based on ideas and code by Kees Kuip. * Removed editors from Java files and put them in JSP files under templates/default/editors/. It's now possible for a template to override any editor, or to use any editor they like. It should also make editors pluggable components. * Continuing template rework. Reworked EditorTag, removed EditorAreaTag. Added RequestResourceTag and InsertResourcesTag. 2005-11-22 Janne Jalkanen * 2.3.45 aka "The Great Template Break" * Added serialVersionUID to most classes that were missing it. * Added EditorManager class. It's currently somewhat dummy, but it should allow fully pluginizable editors in the future. Incidentally, this means that we got rid of EditorAreaTag... Sorry - this breaks quite a few templates out there. But now, if you want to create your editor, take a copy of editors/plain.jsp, put it in your own template directory, and modify the blazes out of it. * Got finally rid of the very confusing "text" parameter for all editors. The new parameter name is EditorManager.REQ_EDITEDTEXT. Note that this may break your current configurations. * Hopefully finally fixed BugHtmlCharEntitiesMishandledInPreview. * Fixed BugIncorrectServletAPIVersionInREADME. 2005-11-15 Janne Jalkanen * 2.3.44 * Tiny JSPWikiMarkupParser speed optimizations. * Added build.xml patch from DaveSB to fix signing issues on Windows. * Added patch from DaveSB to support nested plugins. * Added support in ReferringPagesPlugin for "exclude" -parameter: use "exclude='pattern1,pattern2,pattern3'". 2005-11-14 Janne Jalkanen * 2.3.43 * Fixed HTMLEntitiesAreGettingEscapedByamp and BugHtmlCharEntitiesMishandledInPreview. It was a nasty bug in the new rendering engine. 2005-11-03 Janne Jalkanen * v2.3.42 * Bold and italic markup are now carried across paragraph breaks. This is a convinience factor - XHTML does not allow it, but we store the state. 2005-11-08 Andrew Jaquith * v2.3.41 * Fixed a nasty, serious authentication bug introduced in 2.3.35 code for checking for cookie changes. Cookie changes were triggering "container logins", which caused the JAAS Subject to be rebuilt from scratch. Instead of blowing away the Subject (and associated WikiSession) at logout time (or when the user's auth status changes), the Subject is now preserved for the life of the Http Session. In addition, executing Logout.jsp no longer invalidates the HTTP session; instead, the AuthenticationManager logout() method simply resets the Subject's principal set instead. * Added an invalidate() method to WikiSession that resets user wiki session principals when requested by AuthManager.logout(). Resetting principals means making a user an anonymous guest user. Refactored WikiSession's cookie-change detection code. * All of the *LoginModule classes received tweaks to make them work with long-lived Subjects. In particular, login modules that inject Role principals now remove less-prileged ones. For example, the UserDatabaseLoginModule injects Role.AUTHENTICATED upon login; it also explicitly removes Role.ANONYMOUS and Role.ASSERTED if these are found. * regains the venerable status attribute "known", which denotes an authentication status of "not anonymous", aka either authenticated or asserted. This fixes an issue in the new JSP templates from 2.3.37. * HttpUtil gets an *even more* reliable fix to the BaseURL issue patched in 2.3.40. * Added "SpecialPage" mappings to WikiEngine for Logout, CreateGroup, CreateProfile, EditProfile, and Prefences. These map to Logout.jsp, NewGroup.jsp, Register.jsp and UserPreferences.jsp (x2). * Login.jsp, NewGroup.jsp, Register.jsp and UserPreferences.jsp all now use ViewTemplate as the master template. This removes the need for AdminTemplate.jsp, which was a kludge anyway. That means one less template to maintain, and to hack. Hooray! * Favorites.jsp receives the G'day treatment. * Cookie identities (cookie assertions) are now set to the value of the user's full name during custom auth login, and when user preferences are initially set (Register.jsp) and after user registration (UserPreferences.jsp). Previously, we used the WikiName. However, the full name is what's returned first by WikiSession's getUserPrincipal() method, so we are now consistent with that. This should partly resolve the issue JohnV reported about user names "jumping around" between wiki names, full names and login names. (But there is still one more bug out there...) * Fixed compilation errors in Rename.jsp, and added back code to hide rename fields on InfoContent.jsp for users who aren't entitled to see them. This had regressed a few revisions ago... 2005-11-03 Andrew Jaquith * v2.3.40 * Fixed a subtle bug with HttpUtil that was causing BaseURLs to always print as the name of the host as known to the web container, which in default Tomcat deployments (99%) is called "localhost". Rather than rely on the fact that the user's HttpServletRequest will *actually* return an accurate host name, we do a quick, one-time host name resolution lookup just to make sure. * Added WikiContext-to-*Content template mappings for the login and "create group" contexts. Added wiki contexts for both. * Corrected potetial bug with WikiSession's getStatus() method. It now delegates to isAnonymous(), as it should. * WikiContext's getURL() method now defaults to HttpUtil's method of building the base URL from user session request information, rather than from jspwiki.baseURL. We do this so that JSPWiki will work nicely with HTTPS sessions. This method is transparent to downstream JSP tags like EditLink; they get HTTP compatibility "for free". If the associated HTTPServletRequest is null, we default to the old method of looking up getBaseURL() from WikiEngine. * NewGroup.jsp and Login.jsp now put their content pages inside of AdminTemplate, which means they are wrapped with standard headers and footers. Note that LoginForm may be look a bit ugly until we get a few kinks worked out. 2005-11-03 Janne Jalkanen * v2.3.39 * Default RSS version is now 2.0 * Cleaned some ambiguities in the CSS file * Moved the app and company logos into a separate div of their own to make layout easier. * Enabled personal favourites in the Favorites.jsp * General cleanup and poking around in the CSS 2005-11-02 Janne Jalkanen * v2.3.38 * Added missing search-replace Javascript code * Added missing AttachmentTab.jsp to default template. * NB: While most of the code comes from BrushedTemplate, I'm cleaning it up a bit - it's not XHTML compliant, for example. 2005-10-31 Janne Jalkanen * v2.3.37 * Bug fix: RSS feeds no longer generate " whenever there is a quote (") in the stream. * Rearranged some code relating to search and reference managing; hopefully squashing some hard-to-find bugs. * Bug fix: safeGetParameter() is now deprecated, as createContext() now does the proper request.setCharacterEncoding() as per Servlet API 2.3. Fixes BugClobberedUTF8InWikiBody. Thanks to Chris Wilson and msb0b! * Mass commit of new default template code, based on the BrushedTemplate from Dirk Frederix. Note that this thing is probably pretty broken, so please be careful. 2005-10-25 Andrew Jaquith * v2.3.36 * Cosmetic fix: cookie-asserted identities containing spaces were passing enclosing double-quotes on to the LoginModule, which had the effect of "scare-quoting" the user's name. The offending quotes are now snipped if detected, in HttpUtil. * Added a bang (!) to a particular line in XMLUserDatabase that was causing a spurious error message. (Credit: John Volkar) * Changed JDBC init tests so that they use column and table mappings from tests/etc/jspwiki.properties, not jspwiki.properties. This was confusing the JDBCUserDatabaseTest class big-time, when custom mappings were used. Also, added JDBC test properties to the various test/etc templates. * Added an optional property 'jspwiki.userdatabase.hashPrefix' that tells JDBCUserDatabase whether or not to prepend its hash algorithm to the password hash (e.g., {SHA}). This should increase compatibility with certain third-party applications that might wish to share the user database, such as Tomcat. * Fixed a NPE in JDBCUserDatabase that was triggered by a user editing a profile, but electing not to change the password. It now exhibits correct behavoir: no password means "use the old one", just like with XMLUserDatabase. * Added 'drop user' to the Postgres and Mckoi database scripts; it was causing an error in some cases. 2005-10-22 Andrew Jaquith * v2.3.35 * Fixed issue in that prevented users checking the 'remember me' box Comment.jsp from seeing their identity assertion reflected in the WikiSession. This feature now works as it should. Reworked a WikiSession method, and added a WikiSessionTest unit test. WikiSession now senses when the 'asserted' user cookie in the user's session appears, changes, or disappears. * Clarified the logic in WikiSession.isAnonymous() for determining when a user is considered "anonymous". This will be the case when any of these conditions are true, as evaluted in this order: - The session's Principal set contains Role.ANONYMOUS - The session's Principal set contains WikiPrincipal.GUEST - The Principal returned by WikiSession.getUserPrincipal() evaluates to an IP address WikiSession includes a new, fast method for determining whether a string represents an IP address. The previous technique was totally b0rked. These are the sorts of things one discovers when writing unit tests... * Fixed minor issue with AbstractUserDatabase that inadvertently introduced a bug into the way users are found (or not). This was causing AuthorizationManager's resolvePrincipal() method to fail in certain cases. 2005-10-22 Janne Jalkanen * v2.3.34 * Did a general sweep of a bunch of classes to make sure they use TextUtil.getStringProperty() instead of Properties.getProperty(). Also fixed BugTextUtil.parseIntParameterFailsInCaseOfTrailingBanks to get rid of all space-related issues in jspwiki.properties. * No longer generates empty -elements for markup "____". The parser is now smart enough to check if a markup would result in something that would not be recommended in XHTML 1.0. Fixes BugEmptyMarkupDoesntWorkForBoldAndItalic. * RSS 2.0 and Atom feeds no longer double-encode ampersands. Oops. :) * PageModified.jsp now properly escape XHTML markup. * JSPWiki Auth tests are run now only if "jspwiki.tests.auth" system property is set. This helps everyone that is using Eclipse... * Bug fix: exclamation marks are no longer doubled. 2005-10-19 Andrew Jaquith * v2.3.33 * Initial JDBC support for storing user profiles has landed. See the build.xml file for details on configuring unit testing with JDBC. See also the Javadoc for com.ecyrd.jspwiki.auth.user.JDBCUserDatabase. * Changed VariableManager and BaseURLTag to use a new makeBaseURL method in HTTPUtil so that HTTPS-related URLs are generated correctly. This partially supercedes the WikiEngine.getBaseURL method, but the changes are completely transparent to the and tags. So you shouldn't notice any differences unless using HTTPS. * Several small Javadoc fixes. 2005-10-17 Janne Jalkanen * 2.3.32 * Changed the way TableOfContents is created - it no longer creates a nested list. Thanks to Gregory Pentz and Gregor Hagedorn. 2005-10-16 Janne Jalkanen * 2.3.31 * Bug fix: JSPWikiMarkupParser was not calling link text mutators at all, so ReferringPagesPlugin (among others) were ignoring maxlength. * Bug fix: WikiRenderer did not set context properly, which killed TableOfContents plugin. * Improved RSS generation for blogs: now it's also possible to set the channel title, description, language and author by using the SET directive. * 2.3.30 * Removed dependencies of TranslatorReader from a number of classes. * Added new "VersioningProvider" interface to fix a serious problem with page info listings. Based on an idea by Kees Kuip. A Provider can now declare it supports VersioningProvider if it wants to be able to support pageExists( name, version). Yes, it's a kludge, but it does speed up things considerably until we refactor the entire provider interface. 2005-10-09 Janne Jalkanen * v2.3.29 * Security fix: it was possible to inject javascript using CSS. Reported by Martijn Brinkers. * Bug fix: In certain cases, }}} would loop forever. * CachingProvider should now be a bit smarter about refreshing metadata. * Added patch from Kees Kuip to cache the file properties in VersioningFileProvider, providing faster performance. * Rearranged quite a lot of code in URL providers to fix a bunch of problems. Unfortunately, it also means that URLs are no longer relative at all; they're always absolute, but they don't always include the host name (depending on the setting with jspwiki.referenceStyle). 2005-10-09 Andrew Jaquith * v2.3.28 * For once, no public auth API changes! * CMA and custom authentication JSPs re-factored so that they use the same "special page" for logins: Login.jsp. This makes for much cleaner JSP code; for example, LeftMenu.jsp no longer needs conditional logic for Login.jsp v. LoginRedirect.jsp. * The web.xml file's constrained resources for CMA expanded to include NewGroup.jsp, Upload.jsp and Login.jsp. Constraint for LoginRedirect.jsp removed (the page no longer exists). The login form for CMA now uses the same as for custom auth (LoginForm.jsp). * WebContainerAuthorizer now tests for Login.jsp constraints rather than LoginRedirect.jsp when determining whether CMA is used. WebContainerAuthorizerTest changed accordingly. * Security fix: Authorization algorithm fixed to prevent privilege escalation with asserted Principals when wiki page contains ACL. Authorization now checks to make sure the security allows the requested permission /in addition to/ matching the user's principals with those in the ACL. This meant we needed to add PagePermission "*:Group*", "edit" entries to the Authenticated policy block. * Bug fix: AuthenticationManager no longer flushes Principals during custom logins. This was hosing user sessions if the user failed to log in. * Bug fix: AuthorizationManagerTest's testGetRoles() method no longer b0rks. * Bug fix: default/LoginContent.jsp whitespace goof. * Bug fix: both custom and container successful logins set the user cookie, like they should. (Credit: John Volkar) * Bug fix: group creation page (NewGroup.jsp) checks for previous existence of group before saving, and gives user chance to change the name if it does. * Bug fix: NewGroup.jsp no longer triggers the 'direct access to login form' error when CMA is used. This is due to the refactoring mentioned above. 2005-10-03 Janne Jalkanen * v2.3.27 * Bug fix: RenderingManager would cache old versions on top of new ones. * Bug fix: CheckVersionTag would cause unnecessary page rendering. Reported by Kees Kuip. * Switched most of the code to use the new RenderingManager to find problems with the code. 2005-10-02 Janne Jalkanen * 2.3.26 * Restored the the Ant "guitests" target, who had gone MIA accidentally. * Added (and modified a bit) a patch from Kees Kuip which allows plugin writers to just specify properties in the plugin archive itself. * Added TemplateManager.listSkins(), which lists any and all skins from templates//skins/ 2005-09-28 Janne Jalkanen * 2.3.25 * Added ReferredPagesPlugin from Dirk Fredericx. 2005-09-27 Janne Jalkanen * v2.3.24 * IncludeTag now prints an error to the screen instead of a NPE when the template file in question does not exist. * CheckRequestContextTag now supports an extended parameter list: evaluates its body, if the current context matches ANY of the contexts. It also supports negation with !, i.e. evaluates the body in every context but "view". * JSPWikiMarkupParser is now a lot more XHTML compliant, thanks to Gregor Hagedorn. * RSS Generator Thread now has a proper name. * Moved TranslatorReader.Heading to com.ecyrd.jspwiki.parser. This should not really cause any compatibility issues. * Moved HeadingListener to com.ecyrd.jspwiki.parser * Added two new methods from John Volkar to ReferenceManager. 2005-09-26 Erik Bunn * Added CookieTag. See the class for documentation. Intended for custom JSPWiki installations, mostly useful for doing conditional logic based on e.g. a custom preferences cookie. 2005-09-24 Andrew Jaquith * 2.3.23 * WikiContext, WikiSession and the auth.login.* login modules gain significantly enhanced debugging code. Changing Log4J settings in jspwiki.properties to DEBUG will dump a large amount of information about user session IDs and Principal creation activities. * In the continued spirit of clowing-back little-used methods that clutter the API, WikiContext's setHttpRequest() method goes the way of the dodo bird. It was used by WikiEngine, and only in one place, and it was redundant to boot. 2005-09-19 Janne Jalkanen * 2.3.22 * Added patch from John Volkar to: * Puts a catch block in DifferenceManager in case an underlying provider throws. * Adds some unit tests * Handles whitespace "better" (see the tests), words and whitespace are both elements that get diffed. Whitespace edits show up in the diff output. (This is an interesting point of debate, after bruising battles whitespace in wiki-text is significant and deserves to be diffed. Consider two lines '* foo' and ' * foo') * Adds a optional property 'jspwiki.contextualDiffProvider.unchangedContextLimit" that is the number of *elements* to be emitted before and after each change. (element=word or space or newline, so if you want ~50 'words' of leading context set the limit to 100) This defaults to a huge number, so it essentially doesn't serve as much of a limit (Preserves a 1 word change in 10 pages by default returns the whole 10 pages.) 2005-09-17 Andrew Jaquith * 2.3.21 * Added a simple web test plan to docs. * WikiPermission gains support for wiki namespaces. This introduces what I hope is the "final" tweak required to jspwiki.policy. The WikiPermission syntax ...WikiPermission "*", "registerUser"; replaces the previous format. The wiki name may contain wildcards. This change was made to support wiki farms. See the WikiPermission Javadoc for more details. * PagePermission constructor WikiPage(String,WikiPage,String) eliminated in favor of WikiPage(WikiPage,String) because wiki name is now carried inside WikiPage. This means we don't need to pass the wiki name into the constructor, which is nice and simple. This change was propagated to 8 other classes and about a half-dozen top-level JSPs. * Fixed return values in various WikiContext/WikiSession get*Principal methods so that they return WikiSession.GUEST if not otherwise set. This removes neeed to check for nulls in calling code. (Credit: John Volkar) * Assitional WikiSession/WikiContext cleanup: Fixed bug preventing initial HttpRequest 'login'. Removed public WikiSession.isUnknown(); was only used by one caller. Also, reduced visibility of WikiSession.isContainerStatusChanged() to protected. Bug fix: added Role.ALL to guestSession(). * Rename.jsp now checks for the rename permission before actually undertaking the action. InfoContent.jsp now checks for the same permission also when rendering the info page UI for renaming. * Bugfix for NPE in PagePermission. * Much cleanup of web.xml, and tweaked the Ant script to use this during tests (reduces maintenance). * build.xml slightly refactored to better account for using signed JARs during test runs. Certain static files (web.xml/policy/jaas/jks) in tests/etc eliminated in favor of dynamic files copied from etc at test-time. This means we only have to maintain one version of each file, instead of two. * WebContainerAuthorizer includes an improved heuristic for detecting CMA. Instead of looking for specific role names contrained to Register.jsp, Delete.jsp and UserPreferences.jsp, we just look for ANY role. This means you can use your container's preferred role names, instead forcing you to use "Admin" and "Authenticated". * DefaultGroupManager.getRoles() returns an array of Group[] (downcasted to Principal[] by interface. This should make 'instanceof' checks easier. (Credit: John Volkar) * Bugfix for Register.jsp so that authenticated users who already have profiles are always redirected to EditPreferences. This wasn't a security risk but it was non-intuitive. * Replaced that old Wiki.jsp favorite, the "looped config" message, with something more appropriate to 2.3. * Weblog plugin now accepts additional parameter for customizing the date format. It also tries to extract the "headline" of the blog and puts it at the top of the entry section. * Tweaks to Ant script to better encapsulate Jar-signing operations. Also, test-prep activities more automated. 2005-09-16 Janne Jalkanen * v2.3.20 * Both default ShortURLConstructors now check if the NONE -context already has some parameters. Requested by Erik Bunn. * PageLock is now serializable. This should reduce some warnings on some containers. * Forms are now XHTML conformant instead of HTML 4.01. 2005-09-16 Janne Jalkanen * v2.3.19. * Fixed the rest of the new renderer tests, and turned the new renderer on by default. You can now turn it off with "jspwiki.newRenderingEngine=false" in your property file. * FormInput now also accepts XHTML-like "checked=checked". Suggested by Murray Altheim. * Added patch from Erik Bunn to allow clean compilation on JDK 5.0. * Included patch from JohnV to add time and date format parameters to RecentChangesPlugin. * Incorporated even more patches from Patrik to fix some problems with tests targets and diff noise. Thanks a heap! * Added patch from Patrik Woodworth to fix tests compilation failing due to jar file signing. 2005-09-09 Janne Jalkanen * v2.3.18 * Two patches from Patrick Woodworth to fix broken URL in jspwiki.tld and compilation directives. This removes the jar-optimized target and makes it an option for build.properties. * Fixed problem with ReferenceManager: unmodifiable maps were not updated at unserialization time. Reported by JohnV. * Removing misc debug code from auth. * Moved to StopWatch() instead of System.currentTimeMillis() in all places ;-) 2005-09-07 Janne Jalkanen * v2.3.17 * Massive import of patches from 2.2.33. * Added two new methods in ReferenceManager to facilitate LinkIndexPlugin. * Added patch from Joerg Luedecker to fix a problem with pages deleted not affecting RefMgr. * Added a small note to the ShortURLConstructor: do NOT use without baseURL. * Fixes BugAttachFilesEvenIfPageDoesNotExist. It is no longer possible to upload a file if the page does not exist. * Install.jsp was Tomcat-specific. Fixes BugInstall.jspDoesNotCompileOnWebLogic8.1. Reported by JoachimMaes. * Fixed BugAttachmentWithHashCannotBeViewed by replacing now all illegal character values during upload. * Undid change for BugShortViewURLConstructorAndShortURLConstructorProblems - it apparently broke quite a lot of stuff. * Changed to OSCache 2.2.1 to protect against a pretty nasty memory leak. * Added generic null protection to CachingProvider, and also protected against spurious input in RCSFileProvider as a stopgap measure to some probable scaling issues. * It was possible to get the authentication master password by inserting simply it on a page as a variable. Oops. The master password is now saved under a different name (jspwiki-s.auth.masterPassword), which may break existing installations. Also added a check in the VariableManager to prevent reporting of that variable. Reported by Trevor Yann. * Bug fix: Attachments might get looping forever, if the page did not exist. Fixes BugHasAttachmentsAndAttachmentsIteratorTagsWhenPageDoesntExist * Bug fix: You can now set the 'checked' attribute of checkboxes in WikiForms with the parameter 'checked=true'. Reported by JohnV. * Bug fix: BugWrongRecognitionOfWikiWords. A CamelCase WikiWord would not be escaped correctly, if the word would have two capital letters. * Bug fix: BugShortViewURLConstructorAndShortURLConstructorProblems ShortViewURLConstructor did not have a default prefix. Reported by Olaf Kock. * Added patch from Patrick Woodworth to fix a FIXME in javadoc creation. 2005-08-20 Andrew Jaquith * v2.3.16 * This release introduces a number of changes to the AAA (package auth.*) APIs. If you have created custom top-level templates, they will break. However, the changes are not major. Regular template JSPs like *Content.jsp should work without requiring changes. * jspwiki.policy has changed. The PagePermission syntax ....PagePermission "mywiki:Group*", "edit"; replaces the previous format, and adds support for wiki name spaces. Either the wiki name or the page name may contain wildcards. This change was made to support wiki farms. See the PagePermission Javadoc for more details. You should update your policy files accordingly, since the change will "probably" break your existing policies. * AuthenticationManager supports named admin user in jspwiki.properties: jspwiki.admin.user * AuthenticationManager public methods have changed: a. public boolean login(HttpServletRequest) replaces boolean loginContainer(WikiContext) b. public boolean login(WikiSession, String, String) replaces boolean loginCustom( String, String, HttpServletRequest) * AuthorizationManager public methods have changed: a. checkPermission(WikiSession, Permission) replaces checkPermission(WikiContext, Permission) b. isUserInRole(WikiSession, Principal) replaces isUserInRole(WikiContext, Subject, Principal) c. new getRoles() method returns Principal[]; delegates to GroupManager and Authorizer and returns union d. public method getAuthorizer() changed to protected access * Authorizer public methods have changed: a. isUserInRole(WikiSession, Principal) replaces isUserInRole(WikiContext, Subject, Principal) b. new getRoles() method returns Principal[] These changes were propagated to WebContainerAuthorizer, GroupManager and DefaultGroupManager. * GroupManager public methods have changed: a. Enumeration members() removed. * WikiPrincipal adds static inner Comparator class for sorting arrays of Principals. * WikiContext public methods have changed: a. void setHttpRequest(HttpServletRequest) changed to protected access b. void setWikiSession(WikiSession) removed. * WikiSession was refactored to allow independence from WikiContext. Public GUEST_SESSION static instance eliminated in favor of public static factory method guestSesssion(). * UserManager get/setUserProfile(WikiSession...) replaces same methods with WikiContext parameter. * PagePermission now includes a wiki namespace. Syntax is wiki:pagename. Wildcards are allowed as prefixes or suffixes for either part. * WikiPermission now accepts a "login" target * LeftMenu slightly tweaked * PreferencesContent.jsp for default template now displays roles and groups user possesses. * will print the user's current set of group and role memberships, nicely sorted. Pretty nifty. * Many, many unit test changes. 2005-08-20 Andrew Jaquith * Minor changes to TestAuthorizer, AuthorizationManagerTest and build.xml to correct test failures in AuthorizationManagerTest. This also fixes XMLRPC test failures. No version bump. 2005-08-19 Janne Jalkanen * 2.3.15 * The "Wow, instead of sleep you can code and chat on IRC thanks to WiFi on airplanes" -release. * Added patch from Mark Rawlings to get rid of Javascript errors in cssinclude.js * Added support for generating Atom 1.0 feeds. There is still a bit of a problem in generating proper Atom ID's, as our metadata storage does not work too well. 2005-08-16 Janne Jalkanen * v2.3.14 * Fixed plugin and variable evaluation policy: because using clone() on the entire DOM tree is very expensive, what we do is that we store new, specific elements PluginContent and VariableContent into the DOM tree, which at evaluation time produce the actual content. * v2.3.13 * RenderingManager cache did not work correctly, because it was relying in WikiContext.getPage() to get the page under which things should be cached. Of course, if the wiki template includes any other page using IncludePageTag, the context is always the same, and therefore the cache is never valid. Fixed this by adding a new getRealPage() in WikiContext, which should always point at the real page which is being rendered. * Added some simple profiling/stopwatch code to rendering. You can now see the speed results by setting the WikiEngine log level to DEBUG. * Fixed CamelCase parsing. There are still a few inconsistencies between old TranslatorReader and the new JSPWikiMarkupParser. 2005-08-14 Janne Jalkanen * v2.3.12 * Even more tweaks. It is now possible to test the new rendering engine by setting "jspwiki.newRenderingEngine" to true in your jspwiki.properties (this will be gone in near future; it really is for testing only). Note, however, that CamelCase does not currently work. * Some more tweaks of the new renderer. isExternalLink() is now about 3x faster than it was before (it was the biggest bottleneck so far). Still not usable (lists don't work). * Change test property files to use BasicSearchProvider (Lucene startup was taking too much time), and TestAuthorizer (WebContainerAuthorizer takes about a second to start each time). 2005-08-13 Janne Jalkanen * Did a mass commit of the new rendering engine. It is not enabled yet, but I wanted to save the code to a very safe place :-). Please look at the code in the new parser and render -packages. There is still time to change the API... (No version bump; there is no changes in JSPWiki functionality with this). 2005-08-12 Andrew Jaquith * 2.3.11 * Changed WebContainerAuthorizer to auto-detect whether web container authorization is used; it does this by looking for certain constraints in web.xml. The effect of this change is to make the out-of-the box configuration default to custom authentication. Also, changing to container auth is now very easy -- just uncomment the constraints and JSPWiki will know what to do without needing to fiddle with jspwiki.properties. Added a unit test and tests/WEB-INF/web.xml sample file also. * Added new "super-template" for administrative pages: AdminTemplate.jsp. This is a peer of ViewTemplate and EditTemplate, and is used by the registration and user preferences pages. * Loosened the default security policy to permit edits by anonymous uses. This is good for getting up and running, but a bad idea for Internet-facing wikis. The adminstrator is suitably forewarned in the policy file. * Added an initialize() method to the Authorizer interface. We probably needed one anyway, and the tweaks to WebContainerAuthorizer forced the issue. * Minor tweak to LeftMenu to replace the geeky "you are authenticated/asserted" messages with something more friendly. 2005-08-11 Erik Bunn * Added WikiPage.getAttributes(). This will be useful for external code that wants to display page attributes; for example, a hypothetical "MetaData.jsp" that would allow editing of page attributes without content-inlined [{SET...}] tags. 2005-08-07 Andrew Jaquith * 2.3.10 * Major fixes to the authentication and authorization codebase. Most outstanding issues with the prior commits have been resolved; it should be ready for prime time. * JSPWiki now installs a default Java 2 security policy and JAAS login configuration, which allows JSPWiki AAA to work "out of the box" without additional customization. Admnistrators can override these defaults using the standard policy/JAAS system properties if desired. * UserPreferences.jsp has been significantly tweaked. It also includes support for standard