2006-10-12 Janne Jalkanen * 2.4.69 * Added a couple of patches from Tomasz Szymko to fix a problem with messages from the AttachmentServlet, and a problem with EditLinkTag. * Added patch from Murray Altheim to fix a problem with TextUtil.replaceString() - it would be dying under certain circumstances. * Added patch from Murray to add "_bounds" parameter to the plugin invocation. _bounds consists of an integer array (int[]), where element 0 is the start of the plugin position in the page, and element 1 the end. * Small fixes to LuceneSearchProvider. 2006-10-09 Janne Jalkanen * 2.4.68 * Hopefully fixed the "ACL not refreshed at startup" problem, reported by many people. 2006-10-08 Andrew Jaquith * 2.4.67 * Enhancement: JDBCUserDatabase will now use transactions, if the back-end database supports them. In addition, JDBCUserDatabase now nails up a single, long-running connection instead of continually opening and closing them. Log message verbosity expanded slightly. * Enhancement: GroupDatabase now has a relational database implementation called JDBCGroupDatabase. It supports transactions and is configured using a container-managed JNDI DataSource, exactly like JDBCUserDatabase. Unit tests and DDL setup/teardown scripts were upgraded for the new implementation. Sample scripts are included for PostgreSQL and Hypersonic. 2006-10-06 Janne Jalkanen * Fixed a bunch of javadoc warnings; not enough to warrant a version bump. 2006-10-05 Janne Jalkanen * 2.4.66 * Added small patch from Neil Miller to fix WikiEngine.getInstance() which was not properly passing its arguments. Thanks! * Added patch from Murray Altheim which makes ReferenceManager and SearchManager to behave as EventListeners for page deletion. Notably, AttachmentManager and RenderingManager do not yet fire or listen these events (needs fix). * Added PAGE_DELETED and PAGE_DELETE_REQUESTED from Murray. * Added patch to JSPWikiMarkupParser from Murray to make some of the attributes publically accessible and less magic. * Fixed ShortURLConstructor again for some contexts (FIND, DELETE & PREFS) 2006-10-01 Andrew Jaquith * 2.4.65 * Bug fix: fixed an issue with WikiContext that caused ACLs and policy settings to be ignored when accessing the default front page. This bug was introduced during the AAA mega-patch in July (2.4.25). Note: we still have an unrelated bug with ACLs not being applied the *first time* pages are loaded. 2006-10-01 Janne Jalkanen * 2.4.64 * WikiPage.clone() was not cloning everything; this should now be fixed. * Included patch from Neil Miller to make RenderingManager use the eventing system instead of PageFilters. Thanks! * ShortURLConstructor now supports group functionality. * Fixed an annoying bug which appeared if saving failed for some reason (e.g. when SpamFilter would reject an edit): the cache would still contain the changed page metadata. We now make a clone of the WikiPage before we attempt a save. 2006-10-01 Andrew Jaquith * 2.4.63 * WikiSession receives several under-the-hood changes to improve session stability. The technique used to detect session status changes now includes an explicit check for prior authentication; this should prevent sudden "downgrades" from authenticated status to asserted (cookies). User/login Principals and the status strings (anonymous/asserted/authenticated) are cached now, rather than dynamically calculated. WikiSession gains a new public method, isAsserted() that does what it says. Finally, WikiSession now takes responsibility for populating the JAAS Subject with user profile principals, rather than the various login modules. * AuthenticationManager now fires an event called LOGIN_INITIATED whenever the authentication status changes, signifying that the JAAS login stack executed (but without regard to whether it succeeded). WikiSession listens for this event and updates its cached principals. AuthenticationManager also now fires explicit events called LOGIN_ANONYMOUS and LOGIN_ASSERTED in addition to LOGIN_AUTHENTICATED. * In the name of code simplification, event support was removed from the Group class. It was redundant and made things more complicated. Consequently, GroupManager loses its GroupListener inner class, and WikiSecurityEvent gets rid of types GROUP_ADD_MEMBER, GROUP_REMOVE_MEMBER, GROUP_CLEAR_MEMBERS. If you really really need these let me know, but in the meantime the coarser- grained GROUP_ADD and GROUP_REMOVE will do what we need. * UserDatabaseLoginModule no longer populates WikiSession's Subject with user profile principals; this was moved to WikiSession. This should make pure, authentication-only login modules possible, such as for LDAP and Kerberos. Because authentication and user profile storage are better separated, it will prevent the need to subclass and hack XMLUserDatabase. WebContainerCallbackHandler no longer needs a UserDatabaseCallback as a result, so the callback was removed. * Bug fix: LoginForm now injects a WikiContext, but only if one does not already exist in the page context. This plugs the bug introduced in 2.4.60. Page redirection after login works for both container and custom authentication; the web unit tests now test for this condition explicitly. The fix has been tested with Tomcat and JBoss 4. * Fixed a bunch of failing auth tests. 2006-09-28 Andrew Jaquith * 2.4.62 * Fixed the fix for the login-redirection issue, patched in 2.4.60. "Regular" logins (those without a subsequent redirection) now work again. Thanks to the indefatigable Terry Steichen. 2006-09-27 Janne Jalkanen * 2.4.61 * Fixed a couple of failing tests (recent changes caused slight behaviour change) * Bug fix: the Wiki Event INITIALIZING is now fired after log4j is running - this stops about a zillion of errors in the container log file. * Slightly juggled with the built-in system filter priorities to make sure that they are executed in correct order. * Added a small fix to saveText() to check if it possibly fixes some problems with disappearing ACL lists or other metadata. Our provider interface is desperately in the need of an overhaul... 2006-09-27 Andrew Jaquith * 2.4.60 * Fixed typo in SecurityConfig.jsp that caused group verification to report the number of "users" rather thank groups. Credit: Chuck Deal. * Fixed a series of related, minor bugs that caused JSPWiki to always redirect to the front page after login, even when instructed to redirect to another page. This fix also resulted in the removal of a redundant WikiContext creation in LoginForm. Thanks to Terry Steichen for figuring out where to look. 2006-09-24 Andrew Jaquith * 2.4.59 * XMLGroupDatabase and XMLUserDatabase now represent dates using a locale-independent, machine-independent format. To preserve backwards compatibility, JSPWiki will attempt to parse dates using the platform default format if parsing with the standard format fails. New records will always be saved in the standard format. 2006-09-24 Janne Jalkanen * 2.4.58 * Some internal reshuffling of Managers. * PluginManager and EditorManager now check if a module is compatible with JSPWiki. You can state your own compatibility by declaring it in the jspwiki_module.xml file, as 2.4, and/or 2.6.32. * 2.4.57 * Added change notes also to attachments * Attachment names are now also beautified (though just the page name part). This should help the problem when RecentChanges plugin overflows. * Cleaned away a few compiler warnings * Improved some PluginManager javadocs * BasicAttachmentProvider has now more sanity checks and should no more throw wild NPEs at startup. * Fixed BugLuceneSearchProviderNotReadJspwiki.lucene.analyzerFromConfiguration Thanks to Ekkasit Takoungsakdakul for pointing this one out! (And I am very sorry I did not notice that bug report earlier.) 2006-09-21 Janne Jalkanen * 2.4.56 * Added patch from Kalle Kivimaa to fire the event with the proper principal at logout. Thanks! 2006-09-15 Janne Jalkanen * 2.4.55 * Added patch from Joseph Schmigel to recognize IP addresses in sortable tables. Thanks! * Added new icons from Murray Altheim so that we could get rid of all Creative Commons-licensed icons. This was done so that JSPWiki 2.4 could be included on Debian. Thanks heaps for the good work! * Reverted to previous behaviour with respect to WikiWizard: no longer closes applet and div with javascript, which should help in IE. 2006-09-12 Janne Jalkanen * 2.4.54 * Added patch from Murray Altheim to fix WikiEventManager javadocs, as well as made it return booleans on a couple of methods. Thanks Murray! 2006-09-10 Janne Jalkanen * 2.4.53 * Removed FCK.jsp from the distribution (since we don't distribute FCK, it's sort of weird to have it there breaking things). * Bug fix: Comment.jsp now catches RedirectExceptions * Bug fix: BugReportHandler also catches RedirectExceptions and now gives a proper error report. * Limited change note length to 80 characters. 2006-09-09 Andrew Jaquith * 2.4.52 * UserManager now checks to make sure that a user can't specify as a wiki name somebody elses's full name or login name. This check is peformed for all other combinations of these three user profile fields also. This is a potentially serious security flaw, so all users should upgrade. 2006-09-08 Janne Jalkanen * 2.4.51 * Added patch from Malte Kiesel to fix a problem which caused overwriting of user profile. * Fixed WikiJSPFilter writing the wrong content length to the response (we're skipping setting the length for now). 2006-09-07 Janne Jalkanen * 2.4.50 * Test release to check whether we can solve some WebLogic issues. * Split WikiServletFilter to WikiServletFilter and WikiJSPFilter. The latter takes care of JSP stuff, the former of all other types of data. WikiJSPFilter uses getWriter() extensively, while WikiServletFilter is for those instances that use getOutputStream(). Thanks to Marc Patteet for the help. * Renaming now also renames attachments (assuming that the attachments exist - if they don't, then there's no way to know which pages refer to them (bar going through all pages). * Changed web.xml to reflect the new filters. Don't forget to update! * Added "print" style for jspwiki.css in commonheader.jsp. This should fix problems with printing looking different from screen. Reported by Steve Lihn, fix from Dirk Frederickx * Fixed InfoContent.jsp for WebLogic. By Marc Patteet. 2006-09-06 Janne Jalkanen * 2.4.49 * Witness the awesome p0w3r of unit testing. Fixed the unit tests added in the morning so that we now hopefully are fixing BugStrangeRenameBehaviour. Reported by Candid Dauth. * Bug fix: ReferenceManager was not removing all references to a page if it was renamed, resulting in "hanging" pages. * Added a bunch of new unit tests to check for page renaming problems. At the moment most of them fail, suggesting that there is something wrong in PageRenamer... 2006-09-05 Janne Jalkanen * 2.4.48 * Bug fix: it was possible to gain user privileges simply by faking the cookie. This is a serious problem and all people running 2.4.x are suggested to upgrade. Thanks to Andrew for the fix. * SecurityVerifier no longer gets confused, if you state a property using "==" instead of "=". 2006-09-05 Christoph Sauer * 2.4.47 * Added title and accesskey attribute to LinkTag, EditLinkTag and PageInfoTag. You can now set accesskeys to edit pages in the PageActions.jsp Use the title attribute to add a tooltip text to indicate the speedkey you used. 2006-09-04 Janne Jalkanen * 2.4.46 * Bug fix: PageLock was using acquisition time for both expiry and acquisition. Fixes BugLockNotWorking. Reported by Terry Steichen. * Added WikiContext.hasAdminPermission() as a convenience method. * Changed SpamFilter to check for AllPermission instead of a group called Admin - this is better because of i18n. * SpamFilter now checks also the changenote before saving. * Added the possibility to escape }}} within a preformatted section by using ~}}}. Suggested by several people at WikiCreole.org... 2006-09-04 Janne Jalkanen * 2.4.45 * Bug fix: When SpamFilter rejected something, there would be no message shown in RejectedMessage. Reported by Terry Steichen. * Removed plenty of documentation from the default wikipages package. It was out of date, and better written up at doc.jspwiki.org anyway. * Removed doc/Templates.txt, which was no longer accurate. 2006-09-03 Janne Jalkanen * 2.4.44 * Both XMLUserDatabase and XMLGroupDatabase will now check if the database is up to date. This allows propagation of databases across wikis (though it's rather flaky; there are concurrency issues). 2006-09-03 Janne Jalkanen * 2.4.43 * Bug fix: If the front page did not exist, would die with a NullPointerException, when accessed with the default URL (e.g. /Wiki.jsp, or /wiki/ without the page). Should fix BugBadDefaultConfig. 2006-09-02 Christoph Sauer * 2.4.42 * Fixed Bug with WikiWizard.jsp and Weblogic reported by Marc Patteet 2006-09-02 Janne Jalkanen * 2.4.41 * LinkTag should no longer crash if WikiContext does not have a page attached. Reported by Fabiano Bonin. 2006-08-30 Janne Jalkanen * 2.4.40 * Christoph Sauer joins in as a contributor (if only I got him to update the ChangeLog... ;) * WikiWizard is now included. Hooray for WIKIWYG editing! * Small tweaks to the EditTemplate. * Changed "jspwiki.security=container" to "jspwiki.security=off". This should make it more clear to people. The old setting will continue to work. * Added page info links back to attachments in RecentChanges. Unfortunate side effect of the new renderer... 2006-08-30 Janne Jalkanen * 2.4.39 - The "Piko" release. Rest in Peace. * Added SearchManagerTest to make sure that our search works. * Bug fix: LuceneSearchProvider was not indexing the WikiName of the page. * Bug fix: SearchManager now always indexes the latest version of the page (thanks heaps to John Volkar for finding this). * Disabled ContextualDiffProviderTest.testKnownProblemCases(), I have no idea how to fix those, and it was never running anyway. * Disabled JSPWikiMarkupParserTest.testSpanJavascript2() - it would need a lot more care to make it really run. * Fixed failing XMLRPC tests. * Upgraded to Lucene 2.0.0. 2006-08-27 Janne Jalkanen * 2.4.38 * WikiEvents are now fired at almost any occasion that seems suitable. Thanks to Murray Altheim for this mega-patch. Some of the event classes were also reorganized (thanks to Andrew and Murray). * SpamFilter no longer counts admins as evil, if they make many changes/minute. * WikiServletFilter fails now gracefully if WikiEngine instatiation fails - should no longer emit dumb NullPointerExceptions. * FindContent.jsp now hopefully calculates previous- and next search sizes correctly. * Change Notes are now visible in page history as well. Unfortunately, the visuals suck. Anyone want to help to make them look better? Just don't make them too wide... * Change Notes are now limited to 60 characters (totally arbitrary). 2006-08-21 Janne Jalkanen * 2.4.37 * Faced with physical threats at WikiSym, I added the "change note" feature. Hope y'all are happy now :-D (Well, okay, it does not work in the page info yet; I'm thinking what would be a good presentation so that the page does not get overly wide). * Bug fix: jspwiki.tld had the wrong attribute for RequestResourceTag. Reported by Marc ?. 2006-08-14 Janne Jalkanen * 2.4.36 * Bug fix: UserProfileTag was not printing groups. Reported by Dirk Fredericx. 2006-08-13 Janne Jalkanen * 2.4.35 * Fixed BugPreformattedTextWithHtmlDoesnTWorkIfAllowHTMLTrue. Thanks to RealGagnon and an unknown submitter. * Fixed BugStyleDoublePercentProblem. There are two new tokens: /% can also be used to stop a style, and ~ is a non-rendering space. * Fixed BugNullPointerExceptionWhenInsertingImagesWithoutAlignAttribute. Thanks to Candid Dauth for pointing it out. * Added patch from Laurent Courtin to fix BugTableOfContentsDoesnTWorkWithPageNotInAscii. Thanks! 2006-08-12 Janne Jalkanen * 2.4.34 * Implemented RequestResourceTag (oops, it had been skipped for some reason). 2006-08-09 Janne Jalkanen * 2.4.33 * RecentChangesPlugin was missing a quote in the generation of author names. 2006-08-08 Andrew Jaquith * 2.4.32 * Fixed an astoundingly brain-damaged bug in WikiContext that caused all wiki contexts to use the default template in all cases, regardless of the setting in jspwiki.properties. This bug was introduced by the 2.4.25 security mega-patch. The fix, of course, was three lines of code. Now that it's in, I'd like to put down my crack pipe long enough to thank Terry Steichen for spotting this. 2006-08-01 Janne Jalkanen * 2.4.31 * Bug fix: BugArbitraryHTMLMarkupInHeadingIsRenderedByTableOfContentPlugin, reported by Jerome Duprez. * Bug fix: BugCenteringImagesUsingImagePluginDoesNotWorkInFirefox, contributed by Alex Reid. * Bug fix: BugCanKeepPressingNext20ResultsOnResultSearchPage. Rewrote the scriptlets in FindContent.jsp to provide a better experience overall. * Bug fix: BugReferringPagesPluginDontWriteNobobyAfterFiltering. Reported by François Burtin. * Removed a bunch of compiler warnings found thanks to upgrade to Eclipse 3.2. 2006-08-04 Andrew Jaquith * 2.4.30 * Fixed cosmetic bug that was causing all search results to appear with the name "Search". 2006-08-01 Janne Jalkanen * 2.4.29 * Character encoding is now set in the servlet filter, not WikiEngine.createContext() anymore. This should remove certain cases where character encoding got lost. * 2.4.28 * Fixed a HUGE number of potential problems, found using FindBugs. Problems included such as: * Now many Comparators are also Serializable * hashCode() is now implemented properly on objects that do equals() * clone() is rewritten to use super.clone() * Many inner classes were made static to save extra effort * Forms package classes had really dubious null checks which were rewritten. * TranslatorReader is no longer used in the code anywhere. Even the TranslatorReaderTest is gone. The class, however, remains, until we can refactor it to be a facade for JSPWikiMarkupParser. * Coding style is now a local setting instead of a global setting... * And a lot of small bits and pieces... 2006-07-31 Andrew Jaquith * 2.4.27 * Bug fix: SecurityConfig was erroneously reporting that externally set values for java.security.policy did not resolve to existing files, even when they did. * Bug fix: SecurityConfig was erroneously reporting that wiki groups could not be deleted, even when this function actually worked properly. 2006-07-30 Janne Jalkanen * 2.4.26 * Fixed editor textarea width, thanks to Gordon Smith. 2006-07-29 Andrew Jaquith * 2.4.25 - a.k.a. the AAA mega-patch * This release completely changes the way JSPWiki manages wiki groups. They are no longer stored in pages; instead, GroupManager controls access, while back-end storage is provided by the GroupDatabase interface. This change has caused many other changes. More details: * GroupManager changes from an interface to a concrete, final class. Group storage is now handled by a separate GroupDatabase interface. The default implmentation is XMLGroupDatabase. In addition, Group becomes a concrete final class; DefaultGroup and DefaultGroupManager disappear. Group gets a new method groupPrincipal() that returns the equivalent GroupPrincipal. Many new unit tests created for all of these changes. * Group creation handled in UI by NewGroup.jsp. Editing is via EditGroup.jsp. * UserProfileTag gains a property "groups" that will print the list of wiki groups the current user belongs to. The "roles" property now just prints the roles. * Default security policy (jspwiki.policy) gains grant entries for group viewing, editing, deletion permissions. By default, users must be at least "asserted" to view group members, and must be a member of a group to edit the membership. * PermissionTag gains three new permission checks: "viewGroup", "editGroup", "deleteGroup". * Group principal injection responsibilities moves to WikiSession from AuthenticationManager. * The hard-coded restriction on pages prefixed "Group" has been lifted. * SecurityVerifier adds tests for GroupPermission. Better support for detecting exceptions. Adds tests for adding/deleting Groups. * New Groups plugin prints a sorted list of the wiki groups in the group database; generates a hyperlink to each group page. * JSPWikiInstaller (Install.jsp) receives a makeover and substantial enhancements to support the new group scheme. When the wiki is set up, we now create an administrative user and an Admin group. It also uses the default CSS. * The new Command class is now fully integrated into WikiEngine.createContext() and the WikiContext constructors. Practically speaking, this means that the page names and redirect errors shown on pages will actually show something useful when non-pages are accessed (e.g., access denied for UserPreferences.jsp won't print the non-sensical "you don't have access to 'Main'). WikiEngine delegates page-resolution responsibilities to CommandResolver. Minor changes to new Command/CommandResolver classes to make JSP page names "friendlier". * WikiSession.getUserPrincipal now defaults to the wiki principal, rather than the full name. This means that favorites auto-linking won't break. It also gains a method getRoles() that returns the roles and groups the user possesses. The method doPrivileged(WikiSession,PrivilegedAction) allows actions to be executed using the user's privileges. WikiSession's getSubject() method has been removed; it was a security risk. * Substantial changes to the AAA package tests. Web unit tests changed to accomodate groups. * Minor refactoring: AllPermission, WikiPermission, PagePermission. AllPermissionCollection. * Bug fix: closed tag in InsertPagePlugin * WikiContext.getName() provides a "safer" shortcut than calling WikiContext.getPage().getName() because not all wiki contexts apply to pages. This change was made to: TableOfContents plugin; most of the top-level JSPs; TranslatorReader; PageNameTag. * Container role principals are now injected at login time by WebContainerLoginModule, rather than the AuthenticationManager. * More use of checked exceptions. Authorizer.initialize() throws WikiSecurityException * WikiSecurityEvent gains the event type PROFILE_SAVED, emitted by UserDatabase. Most of the security events are now marked as "debug" level events, which means the logs will be much less chatty (this is a temporary hack). * AuthorizationManager gains a new public method: getAuthorizer() * The WikiEventSource "marker interface" added to class declarations for AuthorizationManager AuthenticationManager, WikiEngine. EventSourceDelegate used in place of cut-and-paste code for these classes also. * TextUtil.password generator now uses SecureRandom instead of Random. 2006-07-24 Andrew Jaquith * 2.4.23 * Andy J. fixes what he broke... namely the build. Thanks to Mark Rawling for pointing it out. * SessionMonitor achieves escape velocity and becomes its own class, breaking free of WikiSession's gravity. * WikiSession.guestSession() changes to guestSession(WikiEngine). This required small tweaks to a few classes, notably the RPC handlers and parts of the Auth code. * Various classes receive small code tweaks in preparation for upcoming builds. WikiContext gains three new group-related contexts; WikiEngine gains code to initialize CommandResolver and a related accessor; * GroupPrincipal gains a two-argument constructor that accepts the wiki name as the first parameter. * WikiPermission's action strings are now public. Ebu's been waiting a while for this. * CommentedPropertiesTest's missing test.properties file is now in CVS. 2006-07-23 Andrew Jaquith * 2.4.22 * Added several classes and interfaces to support upcoming AAA refactoring. These do not affect functionality, because they are not referenced by any existing classes. New classes include: (1) Command interface and related AbstractCommand, PageCommand, GroupCommand and WikiCommand implementations; (2) WikiEventSource interface and EventSourceDelegate class, both in events package; (3) GroupDatabase interface and sample groupdatabase.xml files and (4) CommentedProperties class for reading and re-saving properties files that include comments. Again, these classes are not yet actively used. * Minor tweak to TestHttpServletRequest to support parameters and servlet path. * Removed cruft from HttpUtil; no functionality changes. * WikiBackgroundThread now contains a getEngine() accessor. 2006-07-17 Janne Jalkanen * 2.4.21 * RCSFileProvider had a rare concurrency issue with the SimpleDateFormat. Reported by Bosmon on IRC. 2006-07-17 Erik Bunn * Modularized RenderingManager. By setting jspwiki.renderingManager.renderer in jspwiki.properties, a custom WikiRenderer can be specified. Defaults to XHTMLRenderer. 2006-07-13 Janne Jalkanen * 2.4.20 * Fixed BugNoMoreThanOneSortableTablePerPage. Thanks to Juan Pablo Santos Rodriguez! 2006-07-13 Janne Jalkanen * 2.4.19 * Added "InternalModule" interface. This is just an empty interface which a module can declare and not get listed in SystemInfo, for example. Used internally by JSPWiki. * Fixed a major issue with page renaming: thanks to an erroneus context sent downstream, the page which was renamed from would get random contents. * Page rename would not change referrers if the breakTitleWithSpaces option was set on. 2006-07-12 Erik Bunn * Made ParamTag attribute 'value' non-required; tag body is acceptable for value. (This should not warrant a version bump.) 2006-07-02 Janne Jalkanen * 2.4.18 * BugReportHandler was dutifully adding the "_cmdline" to the pages it was creating... * Fixed some quote issues in commonheader.jsp and PreferencesContent.jsp which were causing issues with WebSphere. Reported by Robin Tew and Thorsten Nordholm S?birk. 2006-06-28 Janne Jalkanen * 2.4.17 * WikiSecurityEvent.toString() would die if you had a null principal... 2006-06-17 Andrew Jaquith * 2.4.16 * Bug fix: SessionMonitor.sessions() now returns the same number of sessions as userPrincipals(). Credit: Terry Steichen. Also, the array of Principals returned by userPrincipals() is now sorted. * WikiSession receives lots of Javadoc tweaks and minor cleanup-oriented fixes (e.g., member visibility changes) that do not change functionality. The class, and all of its methods, are now marked final. The setSubject() method, which was not called anywhere, was removed; it was a potential security risk. * Ant 'javadoc' task now links to J2EE 1.3 API. * Added table entry to SystemInfo page to display list of active users. If you feel this is a privacy risk, remove the line from SystemInfo. 2006-06-23 Janne Jalkanen * 2.4.15 * Fixed issue with absolute URLs and ShortURLConstructor (we were using %U where %u should've been used in ERROR and NONE contexts). Thanks to jim from IRC for pointing this out. * Added patch from Brad Johnson to give better error output if RCSFileProvider fails. * Added patch from Murray Altheim to support _cmdline in PluginManager. This allows a plugin to do completely custom parsing. 2006-06-17 Andrew Jaquith * 2.4.14 * Enhancement: all background threads now subclass a new class called WikiBackgroundThread which will gracefully shut themselves down when they hear a 'wiki shutdown' event. These threads are, at present: WikiSession.SessionMonitor, PageManager.LockReaper, RSSThread, and LuceneSearchProvider.LuceneUpdater. These threads are NO LONGER daemon threads, which means they won't stay in memory when the wiki webapp is removed. * Enhancement: Added protected method shutdown() to WikiEngine that is triggered by WikiServlet catching webapp destroy() events. Shutdown() fires a WikiEngineEvent called 'shutdown' to all listeners, which at present includes all WikiBackgroundThreads. New class added: WikiEngineEvent. To catch container events, WikiServlet was changed in web.xml to load at startup. This is a dirty hack, but not too dirty. * Enhancement: Major refactoring of WikiSession to include a background 'monitor' thread that removes expired wiki sessions. This means that session-count information should be accurate to within a minute of when your web container expires its sessions. The background thread is an inner class called SessionMonitor that subclasses WikiBackgroundThread. WikiSession also gains a method called getUserPrincipals(WikiEngine) that returns an array of Principals that represents the current users currently using the wiki. * Enhancement: SessionsPlugin receives parameter 'property' to specify what session information should be returned. If set to 'users', plugin returns the list of current users. If omitted, it returns the number of active sessions. Thus, [{INSERT SessionsPlugin property=users}] will actually print the names of current users -- neat! * Enhancement: Group interface receives a long-awaited members() method that returns the wiki group's current members as an array of Principals. * Enhancement: thread responsible for RSS generation extracted out of WikEngine and moved to its own RSSThread class. * Bug fix: to support multi-wiki webapps, WikiSession.getWikiSession's method signature now includes a parameter for the current WikiEngine. Check your custom JSPs to see if this affects you (it shouldn't; none of the default JSPs currently use this method). * Bug fix: Fixed deprecated methods used in LuceneSearchProvider. * Bug fix: added sensible session timeout defaults to TestHttpSession to prevent some tests from failing. * Minor signature change to GroupManager: commit() now throws WikiException. * Minor refactoring of WikiEvent class and subclasses to add getType() method to superclass. 2006-06-05 Janne Jalkanen * 2.4.13 * Added EditorManager patch from Chuck Smith. This now allows fully dynamic editor selection using a drop-down menu in EditContent.jsp * Added EditorIterator tag from Chuck, too. * Fixed some IE tab layout issues, thanks to Dirk Fredericx. 2006-06-05 Andrew Jaquith * 2.4.12 * Added Hypersonic embedded database for JDBC testing. Enabled JDBC testing in build.properties to use Hypersonic by default. Added license file; corrected file extensions of two others. * Removed database scripts for Mckoi embedded database. * Added Ant target called 'tests-auth' for JDPA debugging of AuthorizationManagerTest. * Minor Javadoc fixes. 2006-05-28 Andrew Jaquith * 2.4.11 * WikiSession received minor refactorings to remove the set/getLastContext() methods. These were used for only one purpose anyhow (WebContainerAuthorizer) and the net result was that their inclusion was preventing garbage collection of expired WikiSessions. WikiSession also receives a removeWikiSession() method, which removes wiki sessions from its internal cache, and is called during logout. * Bug fix: WikiSession.sessions() and the related SessionsPlugin now more accurately reflect the number of current WikiSessions, instead of continuously incrementing. (Technically, the counter shows the number of non-GCed sessions.) In the future a "session reaper" would make this even better. * Bug fix: Removed divide-by-zero error from SecurityVerifier. * Bug fix: DefaultGroup and DefaultGroupManager now store their WikiEventListeners in WeakHashMaps to prevent listener objects (such as WikiSession) from being reclaimed by GC. * Bug fix: WikiDocument now stores its reference to WikiContext as a WeakReference, so that caching operations won't prevent GC of the WikiContext. * Bug fix: Corrected text on the default PreferencesContent.jsp to reflect recent e-mail reset function. * Bug fix: Fixed listener bug DefaultGroupManager that was preventing WikiSessions from receiving updated GroupPrincipals when groups were changed to include new members in certain cases. * Bug fix: Fixed 'index out of range' error caused by zero-length cookies. * Bug fix: WebContainerAuthorizer now recognizes roles declared in web.xml for elements web-app/security-role/role-name, in addition to those declared for web-app/security-constraint/auth-constraint/role-name. * Moved hack-ey code that injects web container Role Principals from AuthenticationManager to WebContainerLoginModule, where it belongs. * As part of the memory-leak fix, WebContainerAuthorizer no longer relies on a sneaky call to WikiSession.getLastContext().getHttpRequest() to test whether a user possesses a particular container role. Instead, we (only) inspect the user's Subject's Principal set for the desired role. This means that changes to container's user/role mappings are NOT reflected until the next time the user logs in. 2006-05-28 Janne Jalkanen * 2.4.10 * Atom feeds now validate properly * RSS and Atom feeds are now served with proper media type 2006-05-20 Andrew Jaquith * 2.4.9 * Enhancement: UserDatabase interface includes two new methods: getWikiNames() for enumerating the users in the current database, and deleteByLoginName( String ), for removing users. I have implemented these methods to the concrete classes JDBCUserDatabase and XMLUserDatabase. Thanks to Frank Fischer for his patches; they served as the basis for these changes. I have *not* added convenience methods to UserManager... yet. * Enhancement: SecurityVerifier includes new code that checks to make sure the UserDatabase is initialized properly, and that it can add and delete users correctly. Also, admin/SecurityConfig.jsp includes a new section ('UserDatabase') where results of the checks are displayed. * Minor tweaks to the database setup scripts to include update/delete privileges for the roles table. * Minor tweak to web unit tests to account for cleared cookies at logout. 2006-05-20 Andrew Jaquith * 2.4.8 * Enhancement: AuthenticationManager now injects role Principals at login time from the external authorizer into our WikiSession's subject. This works with all Authorizers, including (of course) WebContainerAuthorizer. This enables grants to Principals of type com.ecyrd.jspwiki.auth.authorize.Role to be specified in the Java security policy. In particular, this means that policy files can be broadened to include container roles. WebContainerAuthorizer received a new method to accomodate this. * Enhancement: Added grant block in jspwiki for administrator groups principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" (wiki group) and principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" (container role). Added new wiki page to distribution, GroupAdmin.txt with an empty (disabled) membership, which makes the administrator group secure by default. We expect that a future enhancement to Install.jsp will overwrite the contents of this file, thus "enabling" the admin group. * Bug fix: Uploaded JDK1.4-compatible version of freshcookies-security.jar. * Bug fix: Fixed error in jspwiki.policy. * Bug fix: Changed WikiEvent so that its toString() method does not leak credentials. * Bug fix: Logout.jsp now removes "asserted" identity cookies. This is arguably less confusing to users. * Bug fix: Removed SecurityConfig.jsp from web.xml constraint (for now). * Removed spurious import in AuthorizationManager. * Massive refactoring and huge improvements to SecurityVerifier and admin/SecurityConfig.jsp. Janne, it should even for you now. :) * AllPermissionCollection now accepts WikiPermission and PagePermission types in its add() method. The newPermissionCollection() method for WikiPermission and PagePermission returns a new AllPermissionCollection(). 2006-05-09 Dan Frankowski * 2.4.7 * Fixed SearchBox "edit" bug when jspwiki.urlConstructor=ShortURLConstructor * Add a link on the attachment page back to the original page 2006-05-09 Janne Jalkanen * 2.4.6 * Fixed NPE in ReferenceManager.pageRemoved (thanks to JMarquart). * ShortURLConstructor did not have PREVIEW context available; thanks to Malte Kiesel for the fix. * Added quick fix from Dan Frankowski to generate JDOM javadoc links. * Plain URIs in text are now parsed properly and no longer cut at the first "=" sign. * NewGroup.jsp would occasionally throw NPEs if the context was null - fixed by ICantRememberWhoAnymoreBecauseILostTheEmail. Thanks anyway! 2006-05-07 Andrew Jaquith * 2.4.5 * Added a new JSP for verifying JSPWiki's security configuartion, admin/SecurityConfig.jsp. This JSP collaborates with a new class, c.e.j.auth.SecurityVerifier. SecurityConfig will verify the presence or absence of the JAAS login config file, the security policy file, and container-managed auth constraints. It will also validate that the correct JAAS login configations exist, and will print a summary table showing the privileges that apply to each role. Much needed, and should help folks get their security working. * To support the security verifier, small (non-public) changes were made to WebContainerAuthorizer. This class also gains a new public method isConstrained(String, Principal). * Bug fix: AuthenticationManager's method of finding its JAAS and security policy files changed so that full (absolute) patchs are discovered, rather than local (JNDI) paths. * Bug fix: small change to default security policy file jspwiki.policy. It now includes commas between the codebase and principal entries, as it should have. * Added a small third-party utility jar (my own) for parsing security policy files. 2006-05-06 Janne Jalkanen * 2.4.4 * Added activation.jar and mail.jar to the distribution * AuthenticationManager now complains if it cannot locate the JAAS LoginManager information, instead of failing with NPE. * PagePermission.hashCode() no longer fails with NPE if wiki is not set (normally, though, you would never need it, but there are certain cases where this might occur). * Added a great patch from Dan Frankowski which allows recovery of forgotten passwords! Please see your jspwiki.properties for new SMTP options. * Added search results filtering based on permissions, i.e. you no longer see pages to which you have no access to. Requested by many people. * Login button is now on its own line instead of being hidden in the right corner. Helps those people who like to "hunt and click" on the mouse. 2006-05-01 Janne Jalkanen * 2.4.3 * Added fix from Rolf Schumacher: no longer outputs password to the log file in Tomcat. Oops. * Fixed a failing unit test * atom.jsp is now gone; please use "rss.jsp?type=atom" * Fixed SearchBox.jsp issue reported by Dirk Fredericx. * FeedDiscoveryTag should now offer Atom 1.0 feeds. * WeblogPlugin no longer considers empty comment pages as "1 comment". 2006-04-30 Janne Jalkanen * 2.4.2 * Page Renamer did not write the author name properly to any pages that were changed due to referrers changing. * Page Renamer would accidentally do double-encoding of XHTML entities... Yes, there's a difference between getText() and getPureText(). Thanks to suomigo.net community for finding this one out. * WikiEngine.renamePage() API signature was changed because of this... It now takes a WikiContext as well. * Login.jsp did not write proper content encoding. 2006-04-26 Janne Jalkanen * 2.4.1 * Updated README. * Split old stuff from ChangeLog to OldChangeLog * Added missing SearchPageHelp * PageActions.jsp now checks if login is allowed * Install.jsp now sets "jspwiki.security=container" to make first-time installs easier. * AuthorizationManager returns now "false", if security is set to container and you ask for login permissions. This drops the "Login" button from the display, if JSPWiki is not managing authentication, fixing an annoyance. 2006-04-25 Janne Jalkanen * 2.4.0 * SearchResultsIterator now can start from a given place * You can now see all of the search results - just click on "next 20 results". * Included patch from Dan Frankowski to support returning of search fragments. Thanks! * Upgraded to Lucene 1.9.1 * Removed slash from allowed characters in wikipage - that would create pages that were impossible to link to. Oops! It must've been some debug code left in... * LinkTag now removes extra whitespace from link text; this allows you to use multi-line tags without the text becoming too unwieldy... * Search now also supports Google-like "are you feeling lucky" -functionality. Just click on "Go!" in the search page. * Search help is now on a page called "SearchPageHelp". * Added support for left-to-right and right-to-left markup with the %%ltr and %%rtl default styles. You can copy them from the "jspwiki.css" file. * Minor cleanups to build.xml. * CheckLockTag would get confused if two people were trying to create a non-existent page at the same time. Reported by Mark Rawlings. 2006-04-20 Janne Jalkanen * 2.3.104 * Tiny beautification: the attachment URLs no longer have %2F but a slash. Reported by Mikkel Troest. * LockReaper and RSSThread actually start now; we were calling the setDaemon() in a wrong place. Reported by Mikkel Troest. * Removed a dumb auth statement from SandBox. Thanks to Murray Altheim. 2006-04-19 Janne Jalkanen * 2.3.103 * Great URL mixup fix: we're now using %20 to encode spaces instead of "+". This is because of http://issues.apache.org/bugzilla/show_bug.cgi?id=39278. In addition, we're moving away from using TextUtil.urlEncode(). This fix should by the way also fix plenty of issues with non-latin1 page names. * All JSPWiki daemon threads are now, well, official daemon threads, so they should not hold up any exit. This should fix an issue with Tomcat not quitting properly. * When login failed, you would get the URLEncoded page name instead of plain text. * If the java.security.policy is already set, makes a sanity check and tries to find also the keystore file in the same directory. If it's not there, prints out a warning to the log. Otherwise, there's no way to know about this: Java itself won't mention this at all - it would just fail silently when instantiating permissions. Boo hiss! 2006-04-17 Janne Jalkanen * 2.3.102 * DavServlet was not properly reading UTF-8 file names * CachingProvider was calling cancelUpdate() accidentally when it wasn't supposed to. * BreadCrumbsTag default icon is now "," instead of ">", since it was not a) proper XHTML, and b) it was confusing people. Reported by Dirk Fredericx et al. * DefaultURLConstructor was still assuming all URIs are in Latin1 instead of relying on the request encoding. This would cause problems with non-Latin1 page names (even when using UTF-8). Reported and fixed by Mikkel Troest. * 2.3.101 * Upgraded to OSCache 2.3.1 to fix some issues with stability * VariableManager is now slightly faster. * VariableManager no longer outputs HTML (due to the new rendering system which thinks that HTML is dangerous). * WebContainerAuthorizer is now a bit more verbose if there is no internet connection and it cannot find local DTDs. It also throws a InternalWikiExcepton instead of a generic RuntimeException or a NullPointerException... * I don't know why, but SpamFilter.Host was a public class; made it private for now... * JSPWikiMarkupParser now caches the outlink image, and does not generate it new each time. This gives us roughly a 2% saving on each rendering... Oh, the things you learn when you run a profiler against your app! * Added plenty'o'javadocs to parser/rendering routines. * Tiny cleanups and tweaks all around; mostly concerning allocating proper size StringBuffers to avoid resizing overhead. * CachingAttachmentProvider no longer outputs HTML when asked about the cache size. * CachingProvider would fail to call Cache.cancelUpdate() in some certain rare conditions. Over time on a busy wiki they would accumulate and hang all the HTTP responder threads. * VersioningFileProvider was a bit relaxed about closing streams in error situations. Now handles them properly. * RenderingManager cleaned up a lot; new parameter jspwiki.renderingManager.capacity added. Also the renderingManager.useCache is now gone; set the capacity to zero to turn off caching. * WikiServletFilter is now a bit more tolerant towards Exceptions - it actually restores the NDC now... * Rename.jsp had an extraneous encodeName(), causing page rename failing if it was renamed to anything outside the ASCII range. Fix contributed by Mikkel Troest. * TestHttpServletRequest now implements the required extra methods for the newest servlet API, so it can be compiled in newer environments. 2006-04-13 Janne Jalkanen * 2.3.100 * Fixed BugOptimizeFileUtil.copyContents. FileUtil ops are now way faster. Thanks to Kees Kuip! * Typo fixed in BasicSearchProvider; thanks to Chuck Smith. 2006-04-12 Janne Jalkanen * 2.3.99 * Variables in plugin parameters and body are now expanded. e.g. [{SamplePlugin text='{$jspwiki.baseurl}'}] * Added missing accessKey parameter to LinkTag. Reported by Dirk Fredericx. 2006-04-10 Janne Jalkanen * 2.3.98 * Killed extra tag definition from jspwiki.tld; it was there twice. * AuthorizationManager.resolvePrincipal() no longer dies if JAAS is not in use and someone still tries to set an Acl. * WikiSecurityEvent now uses Jakarta Lang ArrayUtils. Hooray for code reuse! * SpamFilter rewritten so that it can use the usual format of a blacklist; default is to use SpamFilterWordList/blacklist.txt, but you can control it with a filter parameter "blacklist". * Both CachingAttachmentProvider and CachingProvider had issues in case the underlying provider would fail, and might hang. * LinkTag was not properly parsing the Param tag in case you just specified a context. * Fixed a huge bunch of Javascript and CSS issues from Dirk Fredericx. Fixes BugV2.3.90SomeJavascriptBugfixes. * InfoContent.jsp was behaving erratically with attachments; e.g. the version history was missing altogether. Thanks to DF! 2006-04-10 Erik Bunn * 2.3.97 * Fixed PageRenamer.renamePage(): pages referring to renamed page are now looked up before that information is destroyed. Makes updating referring pages much easier. 2006-04-09 Janne Jalkanen * 2.3.96 * Split the wikipages to corepages and documentation. We now generate two zip files into the binary distro: JSPWiki-doc.zip, which contains all the javadocs, plain-text documentation and documentation-related wikipages, and JSPWiki-corepages.zip, which contains the pages which are necessary for JSPWiki to run. This should make it easier for people to get going. The file which determines which pages belong to the "corepages" set is under src/webdocs/.corepages * Added patch from Mikkel Troest to fix an attachment delete issue. * Added patch from Lars Orta to create a HTML report for all JUnit tests. 2006-04-05 Erik Bunn * 2.3.95 * Added missing call to super.initTag in LinkTag.initTag * 2.3.94 * Added initTag() to all tags extending WikiTagBase, and release() to all extending regular tag support classes. (Switched release() to initTag() in WikiLinkTag, accordingly.) * Added release() to WikiLinkTag to clear page etc. from cached tags. This caused the wrong page name to be used in certain uses of LinkTag. 2006-04-03 Janne Jalkanen * 2.3.93 * RenderingManager would hang if rendering would fail. This might explain some hangs. * With relation to the above: JSPWikiMarkupParser is now protected against lines which are too long (the PushBackReader would overflow). Interestingly, this and the above bug were exposed by a spammer advertising mobile ringtones with a really, really, really long line and lots of links. * Added "jspwiki.security" to turn off jspwiki security model. Allowed values are "jaas" (default) to use built-in JAAS security model, or "container" to use the old 2.2 model. Please note that using "container" does not yet disable any UI functionality. 2006-04-02 Janne Jalkanen * 2.3.92 * Fixed BIG issue with LinkTag: it did not clean its parameters properly in case it was pooled. Added initTag() method to WikiTagBase. Reported by Terry Steichen; found by Frank Fischer. 2006-03-29 Andrew Jaquith * 2.3.91 * Enhancement: Added a new PagePermission target "update" that serves as a shorthand for "edit the text on the page" AND "upload files". The "edit" target, meanwhile, has been changed to mean ONLY "edit the text on the page." The default policy file now states that anonymous and asserted users can edit all pages (but they cannot upload files). Authenticated users can, by default, modify all pages (i.e., edit AND upload). * Bugfix: Fixed PolicyLoader so that there are no import dependencies on private Sun classes for PolicyFile and Configuration (JAAS). Instead, we read the appropriate security provider properties from the JVM and instantiate the classes using Class.forName().newInstance. This is MUCH cleaner and portable, and it *should* enable JSPWiki to work on WebSphere, Resin and other containers that use non-Sun JDKs, JAAS configuration implementations or J2SE PolicyFile implementations. As fixes go, this is a good'un. If you have been having trouble making JSPWiki work on combinations other than Sun JDK + Tomcat, you should give this version a try. * BugFix: Added a new PermissionCollection implementation that fixes a subtle corner-case bug with the security policy file. If only the JSPWiki AllPermission was granted to a particular group (i.e., the grant block did not specify any other permissions), the implied WikiPermissions and PagePermissions were NOT inferred as they should have been. * Bugfix: Found and killed an NPE in TextUtil that was causing NewGroups.jsp to fail. * Minor changes to test security policy file. 2006-03-22 Janne Jalkanen * 2.3.90 * Fixes BugTemplateManagerRESOURCESTYLESHEETNok * Adds a new resource request type RESOURCE_INLINECSS at the request of Dirk Fredericx. * Added the necessary include to INLINECSS to commonheader.jsp * WikiEngine.getViewURL() is now null-protected. Some templates were actually using it, but code wasn't working as expected. * Added patch from Kalle Kivimaa to flush the referring rendered pages if page started to exist. * Tabs for UserPreferences did not work due to a slight mistake in previous patch... 2006-03-22 Janne Jalkanen * 2.3.89 * Bug fix: in certain cases DefaultURLConstructor would get a null name and have a seizure. Thanks to Terry Steichen. * Incorporated patch from Chuck Smith to support multiple editors. * Bug fix: BugDefaultTemplateViolatesJSPSpecification. 2006-03-20 Janne Jalkanen * 2.3.88 * Previews are now fixed. We no longer use pageContext.forward() but we send an honest, hardworking redirect (and store the edited text in the session). * Ditto for PageModified. 2006-03-16 Janne Jalkanen * 2.3.87 * Bug fix: XmlUserDatabase would default to the distro user database in /WEB-INF/ if the user-set database was not found. However, this made it practically impossible to bootstrap a new user database, as you needed to create the file by hand... * Bug fix: Page attributes were not available, if the page data was saved by ReferenceManager. Now ReferenceManager also caches the page data under $workDir. This should resolve quite a few problems relating to user groups not being valid until they are modified, etc. * Made the ACCESS_DENIED event an INFO level event, simply because my mailbox started to fill with JSPWiki ACCESS_DENIED events (they are generated in a bit too chatty fashion). * DefaultURLConstructor now gets Delete.jsp as well * Mucked about in InfoContent.jsp to fix a problem with it actually sending the wrong context... Credit to Terry Steichen. 2006-03-07 Erik Bunn * src/webdocs/templates/default/InfoContent.jsp: Moved delete forms into single td blocks. Fixes weird rendering problem that sometimes caused delete tr to be invisible in firefox. 2006-02-23 Janne Jalkanen * 2.3.86 * Removed HttpUtil.getBaseURL(). It just did not work, and was causing major pains with people. However: * Got rid of from the default template. Now, if you specify jspwiki.referenceStyle=relative, you should be getting relative URLs everywhere, if possible. This was a major change, so there might still be bugs related to this. To be precise, you are likely to get absolute paths, but with no hostname (this depends on your URLConstructor). * LinkTag gained a new parameter: templatefile (which is a shortcut to point at a file in the current template) * Added missing Param tag in the jspwiki.tld * Bug fix: Attachments would generate an illegal id for headings. Removed the "/" and replaced it with "_". * Deprecated RSSCoffeeCupImageTag. No point in coding for a single platform. It will be removed in 2.6... * Added a new RSS feed icon. * Fixed problem with LinkTag forgetting to close anchor (reported by many people, sorry I totally missed this). 2006-02-28 Andrew Jaquith * 2.3.85 * Added an informational logging message to PolicyLoader that makes it clear when JSPWiki can't install its security policy because another one is already in use. Credit: Terry Steichen * Bug fix: PermissionTag didn't recognize the new root-like AllPermission. It now accepts it as an argument to the "permission" attribute (the first letter is lowercase). Thus, will evaluate the tag body if the current user posseses AllPermission for the wiki; if not, the contents will be skipped. Credit: Terry Steichen 2006-02-26 Andrew Jaquith * 2.3.84 * Cosmetic: added NewGroup.jsp and Login.jsp as "special page" references in jspwiki.properties. This prevents these pages from displaying the name "Main" at odd times. * Bug fix: eliminated that annoying "User 'null' has started editing this page...." bug. Embarassingly dumb error. * Bug fix: in WikiSession class, wrapped cached WikiSessions with WeakRefererences to allow garbage collection when user's HttpSession expires. * Enhancement: added a static method sessions() to WikiSession that counts the number of active wiki sessions. Added a simple wiki plugin, SessionsPlugin, that returns the same. Slight re-organization of WikiSession (static methods now at bottom). Sample usage: There are [{INSERT SessionsPlugin}] active wiki sessions 2006-02-25 Andrew Jaquith * 2.3.83 * The jspwiki.policy file now includes a sample 'Admin' group that demonstrates how to grant administrative privileges (AllPermission). It is *not* enabled by default. * Bug fix: Authenticated users belonging to wiki groups were erroneously seeing the group name, not their full names, added as authors to comments and pages. WikiSession was not checking for GroupPrincipals in several places. This has been fixed. Credit: Janne Jalkanen * Bug fix: Group principals are now only injected if a user has successfully authenticated. * Enhancement: build.properties and jspwiki.properties now support configuration of a log4j-based security log. The default name is security.log. Use it to view error conditions or more detailed trace information about login/logout events, authorization decisions and more. To provide this capability, WikiSecurityEvent constructors were modified to add log entries to the Log4J Logger "SecurityLog". * AuthenticationManager and AuthorizationManager gain support for wiki security events: login/logout, and access granted/denied, respectively. These classes also were lightly re-organized; the classes themselves, and all of their methods, were made final. * All add/removeWikiEventListener() methods, in all classes, are now synchronized. * Due to the addition of logout events to WikiSecurityEvent, the method AuthenticationManager.logout() is no longer static. As a result, Logout.jsp changed slightly. 2006-02-23 Janne Jalkanen * 2.3.82 * BreadcrumbsTag.doWikiStartTag() is no longer final. I don't understand why it was final in the first place... * Tiny refactoring: moved Event routines to a new com.ecyrd.jspwiki.event package. No functionality changes today. 2006-02-21 Janne Jalkanen * 2.3.81 * Bug fix: BugPreformattedTextDoesntWorkAnyMore * Bug fix: BugPleaseMakePaperclipPicsConfigurableJustLikeOutlinks by making the "jspwiki.translatorReader.useAttachmentImage" available. Set to "false" to turn paperclip images disappear. * Bug fix: page deletion would screw up Refmgr internal databases, and not serialize on disk. * Bug fix: BugTableOfContentsCausesHeapdump * Bug fix: BugTimingErrorInVersioningFileProvider.getPageProviderString (Thanks to BobKerns!) * Tinkered around a bit more with RefMgr, hoping to fix these "disappearing references" -issues. * Bug fix: BugStrangePageNameLogic (Fixed by changing MarkupParser.cleanLink() to a far more efficient version. It's a whole lotta faster, too.) * Bug fix: If the local entity resolver cannot resolve the entities, it now reverts to default operation (instead of dying with an NPE). * Added a bunch of Javascript issues from Dirk Fredericx. Thanks, man! 2006-02-21 Andrew Jaquith * 2.3.80 * Bug fix: Granting default permissions to wiki groups in the jspwiki.policy security policy file is now supported. To do this, AuthenticationManager injects 'GroupPrincipal' tokens into the wiki session's Subject at login time. GroupPrincipals are also dynamically injected into the appropriate sessions when groups are created or changed -- this means that users do not need to log out in order to see the effect of group membership changes on default policies. This is a rather clever bit of programming if I do say so myself. * Enhancement/API change: to support dynamic GroupPrincipal injection, the core jspwiki package receives a new top-level class WikiEvent, a subclass auth.WikiSecurityEvent, and a listener class WikiEventListener. GroupManager and the Group interface gain a new method to register listeners (addWikiEventListener()), and a corresponding method for removal (removeWikiEventListener()). DefaultGroupManager and DefaultGroup fire security events to these listeners whenever wiki groups are added, changed or deleted. * Enhancement: the JSPWiki security policy now supports permission grants to wiki group principals (GroupPrincipal). In addition, a new Permission class, auth.permissions.AllPermission, grants administrative rights to specific wikis (or all, with the wildcard). The combination of these two enhancements means that wiki groups can now possess administrative rights. See the security policy for a sample grant block. * Deprecation: the built-in Role.ADMIN enum has been eliminated. Use com.ecyrd.jspwiki.auth.GroupPrincipal in jspwiki.properties instead. * Deprecation: the jspwiki.properties property 'jspwiki.admin.user' is now irrelevant because all administrative grants are handled exclusively via the policy file. * Bug fix: added a "local entity resolver" to WebContainerAuthorizer to prevent the need to call out to the network for the webapp 2.3 DTD when parsing web.xml. Also, refactored the parsing logic to use the JDom SAX parser (and XPath) instead of JAXP. Added new directory etc/dtd; this is copied to tests/etc/WEB-INF at test-time, and also into the WAR. Credit: Marc Patteet * Bug fix: patched WikiSession to treat null messages as empty strings. Credit: Dan Frankowski. * Build.xml now uses its own security policy file for testing rather than the production version in etc. The build file also copies the webapp 2.3 DTD to the WAR. 2006-02-21 Janne Jalkanen * 2.3.79. Moved to new apartment, now back on coding track... * WikiEngine.deletePage() is now protected against trying to delete pages that don't exist. * FileSystemProvider did not delete associated metadata files during deletePage(). * ReferenceManagerTest is now a lot more careful about not leaving a corrupted refmgr.ser file behind. Unfortunately, this exposed a consistent bug somewhere... * Some tests tweaks and iterations. 2006-02-12 Andrew Jaquith * 2.3.78 * Pulled JSP scriptlet code that stashes WikiContexts into into the WikiContext method hasAccess(). * Bug fix: added "temporary" fix to WikiContext.hasAccess() to redirect users to the login page, rather than send a "forbidden" error, for authenticated users failing to access a page. This resolves a case where access to pages fail "open" due to WikiServletFilter's response wrapping. * Bug fix: modified the way WikiSession.getUserPrincipal() parses Principal objects that was causing this method to return either "full name" or "wiki name" principals, seemingly randomly. The method is now guaranteed to return a "full name" principal for users who have logged in. 2006-02-09 Erik Bunn * 2.3.77 * Added option jspwiki.renderingManager.useCache to properties; set to false to prevent RenderingManager from caching DOM trees. 2006-02-04 Andrew Jaquith * 2.3.76 * Bug fix: changed behavior of AuthorizationManager to prevent privilege escalation with Asserted users. The method AuthorizationManager.hasRoleOrPrincipal() now ALWAYS returns false when the user isn't authenticated, AND the principal/role being queried isn't a built-in role like Anonymous, Asserted etc. Thus, to gain access to pages that name a specific user, that user is now REQUIRED to log in. Ditto for groups he or she belongs to. The exception is for ACLs that contain built-in roles; e.g., "allow Asserted users to view" is allowed. Adjusted several unit tests and created a new web unit test to verify. NOTE: a consequence of this change is that ALCs that specify "ALLOW Guest" **will not work** any longer (because Guest is a principal, not a built-in role). Please use "ALLOW Anonymous" instead. * Bug fix: build.xml's web unit tests were not guaranteeing use of XMLUserDatabase for non-JDBC tests. If built with a jspwiki.properties.tmpl that specified the JDBC database, this caused certain web unit tests to fail. We now force the user database implementation for all web unit tests. * Bug fix: Ebu's 2.3.75 fix had the undesirable side effect of hosing all relative URLs (while fixing all of the absolute ones). WikiContext has been reverted to its previous state. The real culprit turns out to be in DefaultURLConstructor.doReplacement(). We have added a web unit test suite to test for absolute URLs, and also for relative URLs (these are manipulated in jspwiki.properties prior to deployment of the test WARs). * WebContainerAuthorizer now throws a RuntimeException if it cannot somehow parse the web.xml. This isn't ideal, but it's better than ignoring the error. Credit: J?rgen Weber. * Removed unused imports and unreferenced objects in multiple classes. This does not affect functionality. * Removed obsolete "useOldAuth" refs from test jspwiki.properties. * Many Javadoc tweaks and additional comments. 2006-02-02 Erik Bunn * 2.3.75 * Fixed WikiContext.getURL(...) test for absolute reference style. 2006-01-29 Andrew Jaquith * 2.3.74 * Web unit test scripts gain 3 more tests, which verify that JSPWiki users can 1) create new pages (no ACL), 2) create new pages with unrestricted view permissions and 3) create new pages with restricted view permissions. * Slightly tweaked WikiContext to make hasAccess() more flexible; redirection-on-failure can optionally be turned off. Removed WikiContext.REGISTER; it is obsolete. Also, removed WikiPermission.REGISTER target; please use EDIT_PROFILE instead. * WikiServletFilter now takes responsibility for setting Log4J NDC logging contexts. It also now takes care of WikiSession message cleanup. All top-level JSPs changed (very) slightly, and are simpler, as a result. * Bug fix: CommentContent.jsp now defaults to the "Add Comment" tab. Credit: Dirk Frederickx. * Bug fix: quick2Top and quick2Bottom markers no longer have an annoying underline. Credit: Dirk Frederickx. * Bug fix: inlined images were not being displayed due to the attachment not being considered in PagePermission.implies(). We now discard the attachment name completely when constructing PagePermissions, which means that a page's permissions now ALWAYS imply the same permission on its attachments, and vice-versa. * Bug fix: LoginContent's error message now correctly displays a "you don't have access to page __(foo)__" if the user needs to log in. * Bug fix: test version of userdatabase.xml modified to include dummy created/lastModified timestamps. The lack thereof was creating scary (but entirely harmless) messages in jspwiki.log. * Bug fix: added WikiPermission "*", "login" to jspwiki.policy. It should have been there previously... * Bug fix: changed WikiServletFilterMappings to explicitly list URL patterns, rather than the wildcard (/*). This fixes the infamous "disappearing images" problem with Tomcat 4.1. Also removed Register.jsp as protected resource, since it vanished a long time ago anyhow. 2006-01-23 Erik Bunn * 2.3.73 * Added ParamTag (provide name-value pairs to enclosing ParamHandler tag) and ParamHandler (capability to accept contained name-value pairs). * Modified LinkTag to implement ParamHandler and accept body content. The purpose is to support linking to custom JSPs with any parameters. 2006-01-22 Janne Jalkanen * 2.3.72 * Changed WikiContext.checkAccess() to return a boolean, so that JSP pages can actually check whether they should return from processing or not. This should fix a number of strange bugs. * Renamed WikiContext.checkAccess() to WikiContext.hasAccess() to reflect its new role. * Added TabTag and TabbedSectionTag, which cleaned up the default templates *enormously*. Thanks heaps to Dirk Fredericx! * Added some extra safeties to URL Constructors to make sure the proper encoding is being used in UTF-8. * The Ant war-task did not properly place jspwiki.jks in the WAR file, causing problems if the keystore was somewhere else than in the default location. 2006-01-16 Andrew Jaquith * 2.3.71 * Weblogentry-related CSS are now less fugly. 2006-01-14 Janne Jalkanen * DefaultPermissions.txt is now gone. Thanks to Frank Fischer. 2006-01-13 Andrew Jaquith * 2.3.70 * Tweaks to web unit tests to make auto-deploy scripts work with Tomcat 4.1. * Bug fix: XMLUserDatbase was dying horribly in certain cases with WAR deployments. * Added more 'create wiki group' unit tests 2006-01-11 Andrew Jaquith * 2.3.69 * Minor tweaks to web unit tests; they now use the same test user and password as the unit tests. Small adjiustments to JDBC setup scripts to inject test users into database at setup time. * Added 'create wiki group' web unit test 2006-01-10 Andrew Jaquith * 2.3.68 * We now have basic web unit tests, courtesy of the integration of JWebUnit into build.xml and tests/etc/webtests.xml. Four jars were added to the 'lib' dir for testing. Web unit testing simulates a browser's experience and verifies that the following test cases run properly: - Anonymous viewing (Main and About pages) - Setting asserted name via cookies - Creating user profiles - Logging in to JSPWiki using a password Four combinations are explicitly tested: custom and container authentication, each of these with both the XML and JDBC user database types. Note to developers: the Ant task "webtests" should be part of your test plan. Learn, love and embrace JWebUnit. It's easy to express test cases with it, and we will (no doubt) be creating more test cases as we go... see examples in package com.ecyrd.jspwiki.web. * Rules for accessing UserPreferences in container-mananged environments have been relaxed significantly: users do not have to be logged in to edit preferences or their profiles. Instead, unauthenticated users attempting to create a profile receive a polite error message directing them to log in first. If the container shares user data with JSPWiki, the profile will be saved, and the user will as a result be registered with the container. * UserDatabase interface receives one new method: isSharedWithContainer(), to permit JSPWiki to serve as a web container user registrar (see previous bullet). Also, jspwiki.properties receives a new property: jspwiki.userdatabase.isSharedWithContainer which defaults to false. Only JDBCUserDatabase uses it now. * UserCheckTag gains an extra status type: "setPassword" which identifies whether users are allowed to change their JSPWiki passwords. For custom-auth configurations and container-auth configurations with shared user databases, this will be true. For most container auth scenarios (i.e., where user data is not shared), this will be false. * WikiPermission receives a new permission type, "editProfile" that is better aligned with the streamlined profile pages introduced in 2.3.48; "registerUser" is officially deprecated and will be completely eliminated in a future build. To register users, you MUST add the "editProfile" permission for each required Role, otherwise the profile tab will be blank. I am sorry about this -- but I promise this will absolutely be the last change we make to the policy grammar prior to official release. See the sample jspwiki.properties. * Bug fix: UserDatabase contract now specifies that setting created/modified timestamps is now the responsibility of the implementation, and is no longer done by UserManager. * Bug fix: email field on profile form now obeys the docs: is is now, in fact, optional, and won't prevent profile saving if omitted. * Bug fix: PreferencesContent's tab highlighting works better, if not perfectly. Credit: Dirk Frederickx. * Bug fix: etc/db was erroneously (if harmlessly) being included in WAR builds. * JBoss login-config.xml JAAS sample snippet appended to jspwiki.jaas. Credit: Milt Taylor. 2006-01-10 Janne Jalkanen * 2.3.67 * XHTMLToWikiTranslator now supports and * XHTMLToWikiTranslator now supports different URL Constructors (which makes FCK run again) * Fix for BugRSSHasInvalidDccreatorProperty (well, not really a fix, but it should play nicer with aggregators). * Refactored XHTMLToWikiTranslator tests - they were actually not working at all... Shame on me for not noticing earlier. 2006-01-07 Janne Jalkanen * 2.3.66 * WikiEngine now checks whether a page has changed before committing it. This should help reduce all the empty changes that people do when they just click "save" in panic. * InputValidator now accepts email addresses of the form "firstname.lastname@something" and "name+extension@something". * Added a tiny sanity check in WikiServletFilter * Added EditFindReplaceHelp which was missing... 2006-01-05 Andrew Jaquith * 2.3.65 * Bug fix: XMLUserDatabase now commits using proper UTF-8. It was not doing so previously, in spite of an XML header that suggested otherwise. * Bug fix: InputValidator's validate() was rejecting null or blank strings as invalid. This is incorrect behavior, and these values now validate. Note that the validateNotNull() method should be used if checking for blank/null strings is required. * JDBCUserDatabase gets basic support for inserting an "initial role" row into a admin-defined roles table. This is designed to enable JSPWiki to serve as an enrollment mechanism for container-managed users, in those cases where the container and JSPWiki share user information. A future set of commits will include adjustments to WikiPermission, UserManager and UserPreferences to support the UI aspects of container enrollment functionality. We do *not* envison broader role management capabilities for JDBCUserDatabase, other than just this initial role row insert support. 2006-01-02 Janne Jalkanen * 2.3.64 * Fixed a relatively serious bug which was caused by FormSet doing a very selective remove() on its parameters; this was relying on the fact that the FormSet parameters are not stored (which was true on the old TranslatorReader). The new RenderingManager stores the parsed parameter arrays, which means that plugins Shall Not Modify their parameters, or risk getting the same data back again the next time. (However, if the page data expires, then you shall get the original parameters.) I am not sure whether this is good behaviour... In effect, this fixes problems with jspwiki.org bug reporting system. 2006-01-01 Janne Jalkanen * 2.3.63 * Fixed a number of failing tests (table and refmgr) * Fixed table of contents generating faulty section references for percent-encoded headings. 2005-12-30 Erik Bunn * 2.3.62 * Modified AttachmentServlet, LinkTag, InfoContent.jsp to fix attachment revision upload bug. 2005-12-21 Janne Jalkanen * 2.3.61 * Quick fix from Dirk: table sorting works again. * Favourites menu looks a bit better now. * Added link to the Favourites menu in the UserPreferences. * Bug fix: trying to upload a new revision of an attachment resulted in a broken directory structure. This is still buggy, you can't upload a new revision of a file. * Did some tweaking of the jspwiki.css to make it a bit more accessible (the link underlines are back, and you can now actually read the titles, if you made the array sortable). 2005-12-20 Erik Bunn * Modified jspwiki-common.js: overriding Array prototype potentially breaks 3rd party scripts using arrays as maps. Use ExtArray, instead. 2005-12-19 Andrew Jaquith * 2.3.60 aka the "Neat and Tidy" release * Complete, radical overhaul of the standard CSS jspwiki.css. It is organized (!) and significantly trimmed back from its former sprawling self. Note the new
classes "error" "information" and "warning". These have been substituted into one-timer classes like "versionnote". The styles, overall, have had most of the rough edges rubbed out... not perfect but it's a start -- not all of Dirk's recommendations made it in. * Tweaked PageActions by substituting page up/down icons for webdings. Also, comment permissions are checked instead of assuming edit (credit: Benedikt Rausch). * Adjusted table generation routines in JSPWikiMarkupParser and ListLocksPlugin to inject class="odd" attributes into generated table rows. LLP also gives tables the style "wikitable" and now emits XHTML-compliant markup. * Added attribute "div" to tag to allow messages to be neatly wrapped. Default class is "information". This required minor tweaks to several JSPs. * Turned LeftMenuFooter into a blank page, which makes the left menu area nicer and cleaner. The default did nothing but display referring pages, which we already know how to do via the PageContent tabs. Less clutter, mo' better! * LeftMenu.jsp and LeftMenuFooter.jsp are laid to rest, with honors. * Commented out the in web.xml for jdbc/UserDatabase; it isn't on by default anyway, and it was causing JBoss to emit a harmless (but annoying) error messages (credit: Milt Taylor). 2005-12-19 Erik Bunn * 2.3.59 * Bug fix: reordered AttachmentServlet to get rid of an HttpServletRequest reader/input stream access error when running under Jetty. The Multipart library in the servlet fetched the input, WikiEngine.createContext() attempted to modify it, and Jetty, being strict about this, threw an exception. 2005-12-17 Janne Jalkanen * 2.3.58 * Bug fix: Comment preview no longer views double * Bug fix: Comment preview no longer loses author/link information. 2005-12-14 Janne Jalkanen * 2.3.57 * Just improved some output coming from the AttachmentServlet. * Fixed a few instances of still using Category instead of Logger. 2005-12-13 Andrew Jaquith * 2.3.56 * Lots of cleanup to the top-level JSP pages: all of the permission-checking is now in a new WikiContext method called checkAccess(HttpServletResponse). The workflow now goes like this: if a non-authenticated user tries to access an unauthorized page, he or she is redirected to the login page. If already logged in, JSPWiki returns a standard 403 (forbidden) code. We will likely use a nicer error page in the future. LoginError.txt goes away; it is not needed any more. * User profile save operations now have *actual* input validation, courtesy of InputValidator. The email address is checked for conformance, and the other fields (except password) are checked for nasty characters like angle brackets. Yes, yes, we know... what took us so long? There's more to do but it's a good start. * UserProfile.jsp gets some clever scriptlet hackery via the 'tab' parameter to activate (or preserve) a particular tab. This fixes the "disappearing profile" issue during save operations. * WikiSession receives a series of new methods for stashing, retrieving and clearing UI messages. These are used primarily for auth-related messages but are generic. All of the JSP pages that previously stashed "msg" objects in the HttpSession now use these methods. A companion JSP tag makes printing messages dead-simple. * AuthManager's logout() method resets the entire HTTP session, like it used to. * UserManager validation routines were moved into new UI class InputValidator; additional refactorings including the new validation classes and WikiSession messages. * XMLUserDatabase now relies on its own cheap-and-cheerful DOM writing routine. Errors using the standard J2SE TRAX APIs were previously causing the users not to be written to disk. * Fixed several failing auth.* tests. 2005-12-12 Janne Jalkanen * 2.3.55 * ReferringPagesPlugin and the like now also have the "include" -parameter. * Preview was showing things twice (missing return -statement in Edit.jsp... oops.) 2005-12-10 Janne Jalkanen * 2.3.54 * AttachmentServlet no longer throws an exception with overzealous clients. 2005-12-09 Janne Jalkanen * 2.3.53 * Unknown file types would cause an exception when generating enclosures in RSS feed. * Wiki page RSS feeds are now a bit more descriptive. * Removed extra attributes for EditorTag from jspwiki.tld. * AuthenticationManager now uses less invasive logging levels if someone typos their username... Less email for me, hooray! * DiffLinkTag has now some small NPE protection... Fixes symptoms, not cause. * RSS now also supports ETags. * Fixed an issue with Javascript - HighlightWord would sometimes die (thanks Dirk!) 2005-12-07 Janne Jalkanen * 2.3.52 * Removed some extra crud from jspwiki.css. * Removed extra quotes from LinkTag. Oops... * Fixed an issue with Diff.jsp (page names were not recorded, if you changed from it). * Hopefully fixed an issue with IE and leftmenu disappearing. * 2.3.51 * Added "accesskey" parameter to LinkTag. Thanks to Gregor Hagedorn! * InfoContent.jsp would fail if there was only one version of a page. Thanks to Dirk for pointing this out! 2005-12-06 Janne Jalkanen * 2.3.50 alpha. * Added collapsebox from BrushedTemplate. Also synced some search stuff from Brushed. * TableOfContents are now collapsable. * Moved the layout around a bit - actions are now a part of Header.jsp and Footer.jsp. This allows us to do a slightly nicer layout, I think. 2005-12-04 Janne Jalkanen * 2.3.49 * Added LinkTag at the request of Gregor Hagedorn. It does pretty much everything. Adding documentation later... This class also needs some serious working so that the functionality could be offered to other classes as well (such as the Image plugin). * Hopefully fixed the "my username is null" -problem, which would occur, if you were both logged in and had a cookie. * Added a patch from Matt Luker to allow numbering in TableOfContents. * InterWiki links are now also checked for image inlining. Merry Christmas :) * FCK.jsp had two elements reversed. Thanks Dirk Fredericx! * Diffs now use code from BrushedTemplate by Dirk. * WikiServletFilter was letting only US-ASCII through - oops... * WikiForms can now handle UTF-8. * TableOfContentsPlugin font size was set accidentally to zero in jspwiki.css. WTF? * Reworked the jolly old "include correct CSS based on browser" to be a proper Javascript method call. 2005-11-29 Andrew Jaquith * 2.3.48 * Major refactoring of UserPreferences.jsp. The separate registration page is now *gone* and merged into the prefs page. The prefs page itself now has tabs -- one for the user profile, and one for prefs. This means we can relax a few of the security assumptions at the JSP level, since they are already baked into the core UserManager APIs. (Addresses Dirk's requests.) * Setting the user name via cookies is back! * The security policy was loosened to allow anonymous users to edit their pref. WikiPermission "EditPreferences" has been broadened in meaning to include prefs AND profiles, while "RegisterUser" means simply the ability to create a profile. RegisterUser will *probably* vanish or be renamed in the near future. * SpecialPage REGISTER now points to UserPreferences.jsp * UserPreferences now implements a caching scheme for user profiles that downstream classes like UserProfileTag need. Also, UserPreferences gets a second password (confirmation) field. UserManager receives additional validation logic for processing same. Everybody's happy, but especially Dirk. * Bugfix for XMLUserDatabase that caused funny auth problems if the jspwiki.properties userdatabase prop was commented out. (Credit: Janne) * Favorites/PageActions get context-sensitive "Log in" "Logout" and "Create group" links. * Build.xml gets some stub code for HTTP/web unit testing. There aren't any tests just yet, but we do have a snappy Tomcat auto-deploy mechanism now. * Thanks to the magic of XyleScope, the default jspwiki.css gets some small tweaks to make the overall styles a bit more aesthetically pleasing and consistent. * "You are anonymous" discreetly disappears. * Temporary bugfix for infinite-redirection loop issue with Login.jsp... introduces another one... * This release introduces a known bugs: a "redirect loop" occurs when using container-managed auth and accessing a forbidden page. This will be fixed in my next checkin. 2005-11-27 Janne Jalkanen * 2.3.47 * Added "type" parameter to IncludeResourcesTag. This allows you now to include multiple types of resources in different places. * Quite a few top-level JSPs had the old EditorManager package, oops. * Added quite a lot of stuff from BrushedTemplate, including collapsible lists, sortable tables, etc. 2005-11-26 Janne Jalkanen * 2.3.46 * Reworked EditContent.jsp to account for changes in editor system. * Variable content is now escaped before shown. Thanks to Gregor Hagedorn for pointing this out. * Added new package: module, containing ModuleManager and WikiModuleInfo classes. * Added WikiContext.findContext() to make life a bit easier for template writers. * Moved TemplateManager to new package: ui. * Added etc/ini/jspwiki_module.xml to contain some defaults. * Added WikiServletFilter and the ability for plugins, etc to request an injection of things in the header. This is done by adding in commonheader.jsp. It inserts a particularly formatted comment in the header, which is then replaced by WikiServletFilter. A plugin may request a script or a CSS file by using new methods in TemplateManager. Based on ideas and code by Kees Kuip. * Removed editors from Java files and put them in JSP files under templates/default/editors/. It's now possible for a template to override any editor, or to use any editor they like. It should also make editors pluggable components. * Continuing template rework. Reworked EditorTag, removed EditorAreaTag. Added RequestResourceTag and InsertResourcesTag. 2005-11-22 Janne Jalkanen * 2.3.45 aka "The Great Template Break" * Added serialVersionUID to most classes that were missing it. * Added EditorManager class. It's currently somewhat dummy, but it should allow fully pluginizable editors in the future. Incidentally, this means that we got rid of EditorAreaTag... Sorry - this breaks quite a few templates out there. But now, if you want to create your editor, take a copy of editors/plain.jsp, put it in your own template directory, and modify the blazes out of it. * Got finally rid of the very confusing "text" parameter for all editors. The new parameter name is EditorManager.REQ_EDITEDTEXT. Note that this may break your current configurations. * Hopefully finally fixed BugHtmlCharEntitiesMishandledInPreview. * Fixed BugIncorrectServletAPIVersionInREADME. 2005-11-15 Janne Jalkanen * 2.3.44 * Tiny JSPWikiMarkupParser speed optimizations. * Added build.xml patch from DaveSB to fix signing issues on Windows. * Added patch from DaveSB to support nested plugins. * Added support in ReferringPagesPlugin for "exclude" -parameter: use "exclude='pattern1,pattern2,pattern3'". 2005-11-14 Janne Jalkanen * 2.3.43 * Fixed HTMLEntitiesAreGettingEscapedByamp and BugHtmlCharEntitiesMishandledInPreview. It was a nasty bug in the new rendering engine. 2005-11-03 Janne Jalkanen * v2.3.42 * Bold and italic markup are now carried across paragraph breaks. This is a convinience factor - XHTML does not allow it, but we store the state. 2005-11-08 Andrew Jaquith * v2.3.41 * Fixed a nasty, serious authentication bug introduced in 2.3.35 code for checking for cookie changes. Cookie changes were triggering "container logins", which caused the JAAS Subject to be rebuilt from scratch. Instead of blowing away the Subject (and associated WikiSession) at logout time (or when the user's auth status changes), the Subject is now preserved for the life of the Http Session. In addition, executing Logout.jsp no longer invalidates the HTTP session; instead, the AuthenticationManager logout() method simply resets the Subject's principal set instead. * Added an invalidate() method to WikiSession that resets user wiki session principals when requested by AuthManager.logout(). Resetting principals means making a user an anonymous guest user. Refactored WikiSession's cookie-change detection code. * All of the *LoginModule classes received tweaks to make them work with long-lived Subjects. In particular, login modules that inject Role principals now remove less-prileged ones. For example, the UserDatabaseLoginModule injects Role.AUTHENTICATED upon login; it also explicitly removes Role.ANONYMOUS and Role.ASSERTED if these are found. * regains the venerable status attribute "known", which denotes an authentication status of "not anonymous", aka either authenticated or asserted. This fixes an issue in the new JSP templates from 2.3.37. * HttpUtil gets an *even more* reliable fix to the BaseURL issue patched in 2.3.40. * Added "SpecialPage" mappings to WikiEngine for Logout, CreateGroup, CreateProfile, EditProfile, and Prefences. These map to Logout.jsp, NewGroup.jsp, Register.jsp and UserPreferences.jsp (x2). * Login.jsp, NewGroup.jsp, Register.jsp and UserPreferences.jsp all now use ViewTemplate as the master template. This removes the need for AdminTemplate.jsp, which was a kludge anyway. That means one less template to maintain, and to hack. Hooray! * Favorites.jsp receives the G'day treatment. * Cookie identities (cookie assertions) are now set to the value of the user's full name during custom auth login, and when user preferences are initially set (Register.jsp) and after user registration (UserPreferences.jsp). Previously, we used the WikiName. However, the full name is what's returned first by WikiSession's getUserPrincipal() method, so we are now consistent with that. This should partly resolve the issue JohnV reported about user names "jumping around" between wiki names, full names and login names. (But there is still one more bug out there...) * Fixed compilation errors in Rename.jsp, and added back code to hide rename fields on InfoContent.jsp for users who aren't entitled to see them. This had regressed a few revisions ago... 2005-11-03 Andrew Jaquith * v2.3.40 * Fixed a subtle bug with HttpUtil that was causing BaseURLs to always print as the name of the host as known to the web container, which in default Tomcat deployments (99%) is called "localhost". Rather than rely on the fact that the user's HttpServletRequest will *actually* return an accurate host name, we do a quick, one-time host name resolution lookup just to make sure. * Added WikiContext-to-*Content template mappings for the login and "create group" contexts. Added wiki contexts for both. * Corrected potetial bug with WikiSession's getStatus() method. It now delegates to isAnonymous(), as it should. * WikiContext's getURL() method now defaults to HttpUtil's method of building the base URL from user session request information, rather than from jspwiki.baseURL. We do this so that JSPWiki will work nicely with HTTPS sessions. This method is transparent to downstream JSP tags like EditLink; they get HTTP compatibility "for free". If the associated HTTPServletRequest is null, we default to the old method of looking up getBaseURL() from WikiEngine. * NewGroup.jsp and Login.jsp now put their content pages inside of AdminTemplate, which means they are wrapped with standard headers and footers. Note that LoginForm may be look a bit ugly until we get a few kinks worked out. 2005-11-03 Janne Jalkanen * v2.3.39 * Default RSS version is now 2.0 * Cleaned some ambiguities in the CSS file * Moved the app and company logos into a separate div of their own to make layout easier. * Enabled personal favourites in the Favorites.jsp * General cleanup and poking around in the CSS 2005-11-02 Janne Jalkanen * v2.3.38 * Added missing search-replace Javascript code * Added missing AttachmentTab.jsp to default template. * NB: While most of the code comes from BrushedTemplate, I'm cleaning it up a bit - it's not XHTML compliant, for example. 2005-10-31 Janne Jalkanen * v2.3.37 * Bug fix: RSS feeds no longer generate " whenever there is a quote (") in the stream. * Rearranged some code relating to search and reference managing; hopefully squashing some hard-to-find bugs. * Bug fix: safeGetParameter() is now deprecated, as createContext() now does the proper request.setCharacterEncoding() as per Servlet API 2.3. Fixes BugClobberedUTF8InWikiBody. Thanks to Chris Wilson and msb0b! * Mass commit of new default template code, based on the BrushedTemplate from Dirk Frederix. Note that this thing is probably pretty broken, so please be careful. 2005-10-25 Andrew Jaquith * v2.3.36 * Cosmetic fix: cookie-asserted identities containing spaces were passing enclosing double-quotes on to the LoginModule, which had the effect of "scare-quoting" the user's name. The offending quotes are now snipped if detected, in HttpUtil. * Added a bang (!) to a particular line in XMLUserDatabase that was causing a spurious error message. (Credit: John Volkar) * Changed JDBC init tests so that they use column and table mappings from tests/etc/jspwiki.properties, not jspwiki.properties. This was confusing the JDBCUserDatabaseTest class big-time, when custom mappings were used. Also, added JDBC test properties to the various test/etc templates. * Added an optional property 'jspwiki.userdatabase.hashPrefix' that tells JDBCUserDatabase whether or not to prepend its hash algorithm to the password hash (e.g., {SHA}). This should increase compatibility with certain third-party applications that might wish to share the user database, such as Tomcat. * Fixed a NPE in JDBCUserDatabase that was triggered by a user editing a profile, but electing not to change the password. It now exhibits correct behavoir: no password means "use the old one", just like with XMLUserDatabase. * Added 'drop user' to the Postgres and Mckoi database scripts; it was causing an error in some cases. 2005-10-22 Andrew Jaquith * v2.3.35 * Fixed issue in that prevented users checking the 'remember me' box Comment.jsp from seeing their identity assertion reflected in the WikiSession. This feature now works as it should. Reworked a WikiSession method, and added a WikiSessionTest unit test. WikiSession now senses when the 'asserted' user cookie in the user's session appears, changes, or disappears. * Clarified the logic in WikiSession.isAnonymous() for determining when a user is considered "anonymous". This will be the case when any of these conditions are true, as evaluted in this order: - The session's Principal set contains Role.ANONYMOUS - The session's Principal set contains WikiPrincipal.GUEST - The Principal returned by WikiSession.getUserPrincipal() evaluates to an IP address WikiSession includes a new, fast method for determining whether a string represents an IP address. The previous technique was totally b0rked. These are the sorts of things one discovers when writing unit tests... * Fixed minor issue with AbstractUserDatabase that inadvertently introduced a bug into the way users are found (or not). This was causing AuthorizationManager's resolvePrincipal() method to fail in certain cases. 2005-10-22 Janne Jalkanen * v2.3.34 * Did a general sweep of a bunch of classes to make sure they use TextUtil.getStringProperty() instead of Properties.getProperty(). Also fixed BugTextUtil.parseIntParameterFailsInCaseOfTrailingBanks to get rid of all space-related issues in jspwiki.properties. * No longer generates empty -elements for markup "____". The parser is now smart enough to check if a markup would result in something that would not be recommended in XHTML 1.0. Fixes BugEmptyMarkupDoesntWorkForBoldAndItalic. * RSS 2.0 and Atom feeds no longer double-encode ampersands. Oops. :) * PageModified.jsp now properly escape XHTML markup. * JSPWiki Auth tests are run now only if "jspwiki.tests.auth" system property is set. This helps everyone that is using Eclipse... * Bug fix: exclamation marks are no longer doubled. 2005-10-19 Andrew Jaquith * v2.3.33 * Initial JDBC support for storing user profiles has landed. See the build.xml file for details on configuring unit testing with JDBC. See also the Javadoc for com.ecyrd.jspwiki.auth.user.JDBCUserDatabase. * Changed VariableManager and BaseURLTag to use a new makeBaseURL method in HTTPUtil so that HTTPS-related URLs are generated correctly. This partially supercedes the WikiEngine.getBaseURL method, but the changes are completely transparent to the and tags. So you shouldn't notice any differences unless using HTTPS. * Several small Javadoc fixes. 2005-10-17 Janne Jalkanen * 2.3.32 * Changed the way TableOfContents is created - it no longer creates a nested list. Thanks to Gregory Pentz and Gregor Hagedorn. 2005-10-16 Janne Jalkanen * 2.3.31 * Bug fix: JSPWikiMarkupParser was not calling link text mutators at all, so ReferringPagesPlugin (among others) were ignoring maxlength. * Bug fix: WikiRenderer did not set context properly, which killed TableOfContents plugin. * Improved RSS generation for blogs: now it's also possible to set the channel title, description, language and author by using the SET directive. * 2.3.30 * Removed dependencies of TranslatorReader from a number of classes. * Added new "VersioningProvider" interface to fix a serious problem with page info listings. Based on an idea by Kees Kuip. A Provider can now declare it supports VersioningProvider if it wants to be able to support pageExists( name, version). Yes, it's a kludge, but it does speed up things considerably until we refactor the entire provider interface. 2005-10-09 Janne Jalkanen * v2.3.29 * Security fix: it was possible to inject javascript using CSS. Reported by Martijn Brinkers. * Bug fix: In certain cases, }}} would loop forever. * CachingProvider should now be a bit smarter about refreshing metadata. * Added patch from Kees Kuip to cache the file properties in VersioningFileProvider, providing faster performance. * Rearranged quite a lot of code in URL providers to fix a bunch of problems. Unfortunately, it also means that URLs are no longer relative at all; they're always absolute, but they don't always include the host name (depending on the setting with jspwiki.referenceStyle). 2005-10-09 Andrew Jaquith * v2.3.28 * For once, no public auth API changes! * CMA and custom authentication JSPs re-factored so that they use the same "special page" for logins: Login.jsp. This makes for much cleaner JSP code; for example, LeftMenu.jsp no longer needs conditional logic for Login.jsp v. LoginRedirect.jsp. * The web.xml file's constrained resources for CMA expanded to include NewGroup.jsp, Upload.jsp and Login.jsp. Constraint for LoginRedirect.jsp removed (the page no longer exists). The login form for CMA now uses the same as for custom auth (LoginForm.jsp). * WebContainerAuthorizer now tests for Login.jsp constraints rather than LoginRedirect.jsp when determining whether CMA is used. WebContainerAuthorizerTest changed accordingly. * Security fix: Authorization algorithm fixed to prevent privilege escalation with asserted Principals when wiki page contains ACL. Authorization now checks to make sure the security allows the requested permission /in addition to/ matching the user's principals with those in the ACL. This meant we needed to add PagePermission "*:Group*", "edit" entries to the Authenticated policy block. * Bug fix: AuthenticationManager no longer flushes Principals during custom logins. This was hosing user sessions if the user failed to log in. * Bug fix: AuthorizationManagerTest's testGetRoles() method no longer b0rks. * Bug fix: default/LoginContent.jsp whitespace goof. * Bug fix: both custom and container successful logins set the user cookie, like they should. (Credit: John Volkar) * Bug fix: group creation page (NewGroup.jsp) checks for previous existence of group before saving, and gives user chance to change the name if it does. * Bug fix: NewGroup.jsp no longer triggers the 'direct access to login form' error when CMA is used. This is due to the refactoring mentioned above. 2005-10-03 Janne Jalkanen * v2.3.27 * Bug fix: RenderingManager would cache old versions on top of new ones. * Bug fix: CheckVersionTag would cause unnecessary page rendering. Reported by Kees Kuip. * Switched most of the code to use the new RenderingManager to find problems with the code. 2005-10-02 Janne Jalkanen * 2.3.26 * Restored the the Ant "guitests" target, who had gone MIA accidentally. * Added (and modified a bit) a patch from Kees Kuip which allows plugin writers to just specify properties in the plugin archive itself. * Added TemplateManager.listSkins(), which lists any and all skins from templates//skins/ 2005-09-28 Janne Jalkanen * 2.3.25 * Added ReferredPagesPlugin from Dirk Fredericx. 2005-09-27 Janne Jalkanen * v2.3.24 * IncludeTag now prints an error to the screen instead of a NPE when the template file in question does not exist. * CheckRequestContextTag now supports an extended parameter list: evaluates its body, if the current context matches ANY of the contexts. It also supports negation with !, i.e. evaluates the body in every context but "view". * JSPWikiMarkupParser is now a lot more XHTML compliant, thanks to Gregor Hagedorn. * RSS Generator Thread now has a proper name. * Moved TranslatorReader.Heading to com.ecyrd.jspwiki.parser. This should not really cause any compatibility issues. * Moved HeadingListener to com.ecyrd.jspwiki.parser * Added two new methods from John Volkar to ReferenceManager. 2005-09-26 Erik Bunn * Added CookieTag. See the class for documentation. Intended for custom JSPWiki installations, mostly useful for doing conditional logic based on e.g. a custom preferences cookie. 2005-09-24 Andrew Jaquith * 2.3.23 * WikiContext, WikiSession and the auth.login.* login modules gain significantly enhanced debugging code. Changing Log4J settings in jspwiki.properties to DEBUG will dump a large amount of information about user session IDs and Principal creation activities. * In the continued spirit of clowing-back little-used methods that clutter the API, WikiContext's setHttpRequest() method goes the way of the dodo bird. It was used by WikiEngine, and only in one place, and it was redundant to boot. 2005-09-19 Janne Jalkanen * 2.3.22 * Added patch from John Volkar to: * Puts a catch block in DifferenceManager in case an underlying provider throws. * Adds some unit tests * Handles whitespace "better" (see the tests), words and whitespace are both elements that get diffed. Whitespace edits show up in the diff output. (This is an interesting point of debate, after bruising battles whitespace in wiki-text is significant and deserves to be diffed. Consider two lines '* foo' and ' * foo') * Adds a optional property 'jspwiki.contextualDiffProvider.unchangedContextLimit" that is the number of *elements* to be emitted before and after each change. (element=word or space or newline, so if you want ~50 'words' of leading context set the limit to 100) This defaults to a huge number, so it essentially doesn't serve as much of a limit (Preserves a 1 word change in 10 pages by default returns the whole 10 pages.) 2005-09-17 Andrew Jaquith * 2.3.21 * Added a simple web test plan to docs. * WikiPermission gains support for wiki namespaces. This introduces what I hope is the "final" tweak required to jspwiki.policy. The WikiPermission syntax ...WikiPermission "*", "registerUser"; replaces the previous format. The wiki name may contain wildcards. This change was made to support wiki farms. See the WikiPermission Javadoc for more details. * PagePermission constructor WikiPage(String,WikiPage,String) eliminated in favor of WikiPage(WikiPage,String) because wiki name is now carried inside WikiPage. This means we don't need to pass the wiki name into the constructor, which is nice and simple. This change was propagated to 8 other classes and about a half-dozen top-level JSPs. * Fixed return values in various WikiContext/WikiSession get*Principal methods so that they return WikiSession.GUEST if not otherwise set. This removes neeed to check for nulls in calling code. (Credit: John Volkar) * Assitional WikiSession/WikiContext cleanup: Fixed bug preventing initial HttpRequest 'login'. Removed public WikiSession.isUnknown(); was only used by one caller. Also, reduced visibility of WikiSession.isContainerStatusChanged() to protected. Bug fix: added Role.ALL to guestSession(). * Rename.jsp now checks for the rename permission before actually undertaking the action. InfoContent.jsp now checks for the same permission also when rendering the info page UI for renaming. * Bugfix for NPE in PagePermission. * Much cleanup of web.xml, and tweaked the Ant script to use this during tests (reduces maintenance). * build.xml slightly refactored to better account for using signed JARs during test runs. Certain static files (web.xml/policy/jaas/jks) in tests/etc eliminated in favor of dynamic files copied from etc at test-time. This means we only have to maintain one version of each file, instead of two. * WebContainerAuthorizer includes an improved heuristic for detecting CMA. Instead of looking for specific role names contrained to Register.jsp, Delete.jsp and UserPreferences.jsp, we just look for ANY role. This means you can use your container's preferred role names, instead forcing you to use "Admin" and "Authenticated". * DefaultGroupManager.getRoles() returns an array of Group[] (downcasted to Principal[] by interface. This should make 'instanceof' checks easier. (Credit: John Volkar) * Bugfix for Register.jsp so that authenticated users who already have profiles are always redirected to EditPreferences. This wasn't a security risk but it was non-intuitive. * Replaced that old Wiki.jsp favorite, the "looped config" message, with something more appropriate to 2.3. * Weblog plugin now accepts additional parameter for customizing the date format. It also tries to extract the "headline" of the blog and puts it at the top of the entry section. * Tweaks to Ant script to better encapsulate Jar-signing operations. Also, test-prep activities more automated. 2005-09-16 Janne Jalkanen * v2.3.20 * Both default ShortURLConstructors now check if the NONE -context already has some parameters. Requested by Erik Bunn. * PageLock is now serializable. This should reduce some warnings on some containers. * Forms are now XHTML conformant instead of HTML 4.01. 2005-09-16 Janne Jalkanen * v2.3.19. * Fixed the rest of the new renderer tests, and turned the new renderer on by default. You can now turn it off with "jspwiki.newRenderingEngine=false" in your property file. * FormInput now also accepts XHTML-like "checked=checked". Suggested by Murray Altheim. * Added patch from Erik Bunn to allow clean compilation on JDK 5.0. * Included patch from JohnV to add time and date format parameters to RecentChangesPlugin. * Incorporated even more patches from Patrik to fix some problems with tests targets and diff noise. Thanks a heap! * Added patch from Patrik Woodworth to fix tests compilation failing due to jar file signing. 2005-09-09 Janne Jalkanen * v2.3.18 * Two patches from Patrick Woodworth to fix broken URL in jspwiki.tld and compilation directives. This removes the jar-optimized target and makes it an option for build.properties. * Fixed problem with ReferenceManager: unmodifiable maps were not updated at unserialization time. Reported by JohnV. * Removing misc debug code from auth. * Moved to StopWatch() instead of System.currentTimeMillis() in all places ;-) 2005-09-07 Janne Jalkanen * v2.3.17 * Massive import of patches from 2.2.33. * Added two new methods in ReferenceManager to facilitate LinkIndexPlugin. * Added patch from Joerg Luedecker to fix a problem with pages deleted not affecting RefMgr. * Added a small note to the ShortURLConstructor: do NOT use without baseURL. * Fixes BugAttachFilesEvenIfPageDoesNotExist. It is no longer possible to upload a file if the page does not exist. * Install.jsp was Tomcat-specific. Fixes BugInstall.jspDoesNotCompileOnWebLogic8.1. Reported by JoachimMaes. * Fixed BugAttachmentWithHashCannotBeViewed by replacing now all illegal character values during upload. * Undid change for BugShortViewURLConstructorAndShortURLConstructorProblems - it apparently broke quite a lot of stuff. * Changed to OSCache 2.2.1 to protect against a pretty nasty memory leak. * Added generic null protection to CachingProvider, and also protected against spurious input in RCSFileProvider as a stopgap measure to some probable scaling issues. * It was possible to get the authentication master password by inserting simply it on a page as a variable. Oops. The master password is now saved under a different name (jspwiki-s.auth.masterPassword), which may break existing installations. Also added a check in the VariableManager to prevent reporting of that variable. Reported by Trevor Yann. * Bug fix: Attachments might get looping forever, if the page did not exist. Fixes BugHasAttachmentsAndAttachmentsIteratorTagsWhenPageDoesntExist * Bug fix: You can now set the 'checked' attribute of checkboxes in WikiForms with the parameter 'checked=true'. Reported by JohnV. * Bug fix: BugWrongRecognitionOfWikiWords. A CamelCase WikiWord would not be escaped correctly, if the word would have two capital letters. * Bug fix: BugShortViewURLConstructorAndShortURLConstructorProblems ShortViewURLConstructor did not have a default prefix. Reported by Olaf Kock. * Added patch from Patrick Woodworth to fix a FIXME in javadoc creation. 2005-08-20 Andrew Jaquith * v2.3.16 * This release introduces a number of changes to the AAA (package auth.*) APIs. If you have created custom top-level templates, they will break. However, the changes are not major. Regular template JSPs like *Content.jsp should work without requiring changes. * jspwiki.policy has changed. The PagePermission syntax ....PagePermission "mywiki:Group*", "edit"; replaces the previous format, and adds support for wiki name spaces. Either the wiki name or the page name may contain wildcards. This change was made to support wiki farms. See the PagePermission Javadoc for more details. You should update your policy files accordingly, since the change will "probably" break your existing policies. * AuthenticationManager supports named admin user in jspwiki.properties: jspwiki.admin.user * AuthenticationManager public methods have changed: a. public boolean login(HttpServletRequest) replaces boolean loginContainer(WikiContext) b. public boolean login(WikiSession, String, String) replaces boolean loginCustom( String, String, HttpServletRequest) * AuthorizationManager public methods have changed: a. checkPermission(WikiSession, Permission) replaces checkPermission(WikiContext, Permission) b. isUserInRole(WikiSession, Principal) replaces isUserInRole(WikiContext, Subject, Principal) c. new getRoles() method returns Principal[]; delegates to GroupManager and Authorizer and returns union d. public method getAuthorizer() changed to protected access * Authorizer public methods have changed: a. isUserInRole(WikiSession, Principal) replaces isUserInRole(WikiContext, Subject, Principal) b. new getRoles() method returns Principal[] These changes were propagated to WebContainerAuthorizer, GroupManager and DefaultGroupManager. * GroupManager public methods have changed: a. Enumeration members() removed. * WikiPrincipal adds static inner Comparator class for sorting arrays of Principals. * WikiContext public methods have changed: a. void setHttpRequest(HttpServletRequest) changed to protected access b. void setWikiSession(WikiSession) removed. * WikiSession was refactored to allow independence from WikiContext. Public GUEST_SESSION static instance eliminated in favor of public static factory method guestSesssion(). * UserManager get/setUserProfile(WikiSession...) replaces same methods with WikiContext parameter. * PagePermission now includes a wiki namespace. Syntax is wiki:pagename. Wildcards are allowed as prefixes or suffixes for either part. * WikiPermission now accepts a "login" target * LeftMenu slightly tweaked * PreferencesContent.jsp for default template now displays roles and groups user possesses. * will print the user's current set of group and role memberships, nicely sorted. Pretty nifty. * Many, many unit test changes. 2005-08-20 Andrew Jaquith * Minor changes to TestAuthorizer, AuthorizationManagerTest and build.xml to correct test failures in AuthorizationManagerTest. This also fixes XMLRPC test failures. No version bump. 2005-08-19 Janne Jalkanen * 2.3.15 * The "Wow, instead of sleep you can code and chat on IRC thanks to WiFi on airplanes" -release. * Added patch from Mark Rawlings to get rid of Javascript errors in cssinclude.js * Added support for generating Atom 1.0 feeds. There is still a bit of a problem in generating proper Atom ID's, as our metadata storage does not work too well. 2005-08-16 Janne Jalkanen * v2.3.14 * Fixed plugin and variable evaluation policy: because using clone() on the entire DOM tree is very expensive, what we do is that we store new, specific elements PluginContent and VariableContent into the DOM tree, which at evaluation time produce the actual content. * v2.3.13 * RenderingManager cache did not work correctly, because it was relying in WikiContext.getPage() to get the page under which things should be cached. Of course, if the wiki template includes any other page using IncludePageTag, the context is always the same, and therefore the cache is never valid. Fixed this by adding a new getRealPage() in WikiContext, which should always point at the real page which is being rendered. * Added some simple profiling/stopwatch code to rendering. You can now see the speed results by setting the WikiEngine log level to DEBUG. * Fixed CamelCase parsing. There are still a few inconsistencies between old TranslatorReader and the new JSPWikiMarkupParser. 2005-08-14 Janne Jalkanen * v2.3.12 * Even more tweaks. It is now possible to test the new rendering engine by setting "jspwiki.newRenderingEngine" to true in your jspwiki.properties (this will be gone in near future; it really is for testing only). Note, however, that CamelCase does not currently work. * Some more tweaks of the new renderer. isExternalLink() is now about 3x faster than it was before (it was the biggest bottleneck so far). Still not usable (lists don't work). * Change test property files to use BasicSearchProvider (Lucene startup was taking too much time), and TestAuthorizer (WebContainerAuthorizer takes about a second to start each time). 2005-08-13 Janne Jalkanen * Did a mass commit of the new rendering engine. It is not enabled yet, but I wanted to save the code to a very safe place :-). Please look at the code in the new parser and render -packages. There is still time to change the API... (No version bump; there is no changes in JSPWiki functionality with this). 2005-08-12 Andrew Jaquith * 2.3.11 * Changed WebContainerAuthorizer to auto-detect whether web container authorization is used; it does this by looking for certain constraints in web.xml. The effect of this change is to make the out-of-the box configuration default to custom authentication. Also, changing to container auth is now very easy -- just uncomment the constraints and JSPWiki will know what to do without needing to fiddle with jspwiki.properties. Added a unit test and tests/WEB-INF/web.xml sample file also. * Added new "super-template" for administrative pages: AdminTemplate.jsp. This is a peer of ViewTemplate and EditTemplate, and is used by the registration and user preferences pages. * Loosened the default security policy to permit edits by anonymous uses. This is good for getting up and running, but a bad idea for Internet-facing wikis. The adminstrator is suitably forewarned in the policy file. * Added an initialize() method to the Authorizer interface. We probably needed one anyway, and the tweaks to WebContainerAuthorizer forced the issue. * Minor tweak to LeftMenu to replace the geeky "you are authenticated/asserted" messages with something more friendly. 2005-08-11 Erik Bunn * Added WikiPage.getAttributes(). This will be useful for external code that wants to display page attributes; for example, a hypothetical "MetaData.jsp" that would allow editing of page attributes without content-inlined [{SET...}] tags. 2005-08-07 Andrew Jaquith * 2.3.10 * Major fixes to the authentication and authorization codebase. Most outstanding issues with the prior commits have been resolved; it should be ready for prime time. * JSPWiki now installs a default Java 2 security policy and JAAS login configuration, which allows JSPWiki AAA to work "out of the box" without additional customization. Admnistrators can override these defaults using the standard policy/JAAS system properties if desired. * UserPreferences.jsp has been significantly tweaked. It also includes support for standard