=== 0.5.0 :: 2007-09-20

* Gateway requests should now be handled correctly. When the request to the login page is made with gateway=true as one of the parameters, the CAS server will immediately redirect back to the target service along with a service ticket if an SSO session exists for the user (or without a service ticket if there is no pre-existing SSO session). Note that if you are using RubyCAS-Client and want gatewaying, you will need to upgrade it to 1.1.0, as gatewaying was broken in prior versions.

* If gateway=true is specified as part of the logout URI, the server will log the user out and immediately redirect them back to the specified service. In other words, you can now do "gatewayed logouts" as well as logins.

* A login ticket can now be remotely requested from the server by placing a POST request to '/loginTicket'.

* The login view can now be made to return only the login form. This is done by adding the 'onlyLoginForm' parameter to the '/login' request. Optionally, a 'submitToURI' parameter can be supplied to force the login form to submit to the given URI (otherwise the server will try to figure out the full URI to its own login controller). This functionality may be useful when you want to embed the login form in some external page, where the alternative would be an IFRAME.

* Custom views can now be used to override the default Markaby templates by specifying a 'custom_views_file' option in the configuration. See custom_views.example.rb. [jzylks]

* Table names have been shortened to work with Oracle. A migration has been added that should do the shortening for you the first time you run this new RubyCAS-Server version.

* Multiple authenticators can now be specified. During authentication, credentials are presented to the first authenticator, then the second, and so on, until the user is validated by any one authenticator or fails validation for all of them. [jzylks]

* When using webrick, you can now run with SSL disabled by omitting the ssl_cert and ssl_key parameters.

* Changed incorrect MySQL example database configuration -- the option should be 'host:', not 'server:' (issue #22).

=== 0.4.2 :: 2007-07-26

* The LDAP/AD authenticator has been largely re-written. The code is a bit cleaner now, and should work better with non-Active Directory LDAP servers (although this has yet to be tested since I don't have access to a non-AD LDAP server).

* The validate() method in your authenticators now receives a :service element (in addition to :username and :password). This is simply the service URL (if any) specified in the user's CAS request. If you call read_standard_credentials(credentials) at the top of your validator, the value will also be available as @service along with @username and @password.

* By request, a :username_prefix option has been added to the ldap configuration. If entered, this string will be automatically prefixed to the username entered by the user.

* A bug having to do with handling authenticator errors has been fixed. Any authenticator error messages should now be correctly shown on the login page.

* Minor improvements to error messages having to do with login tickets. They're a bit more prescriptive now, explaining to the user what steps they should take to correct the error.

=== 0.4.1 :: 2007-06-07

* This release restores compatibility with older versions of rubygems (pre-0.9.0). To achieve this, we alias the 'gem' method to the old 'require_gem' if 'gem' is not already defined.

* rubycas-server-ctl will now quietly delete an orphaned .pid file instead of complaining loudly and refusing to start up.

* Fixed minor bug in rubycas-server-ctl that sometimes incorrectly reported startup problems when in fact the server had started just fine.

=== 0.4.0 :: 2007-06-05

* Added rubycas-server-ctl script for controlling the daemonized server.

* rubygems-0.9.0 or later is now required.

* Added system startup script to be used in /etc/init.d on Linux systems.

* Authenticators can now be loaded from an external file using the 'source' configuration option.

* Better preemptive detection of startup problems with mongrel.

* The user now sees an error message if the service URI is not a valid URI (i.e. if it's not URI-encoded or is otherwise malformed).

=== 0.3.0 :: 2007-03-29

* Fixed glaring security problem with the LDAP/AD Authenticator where under some circumstances blank passwords were accepted as valid.

* Autocomplete has been turned off on the password field for better security. In the future we may allow autocomplete to be re-enabled using a configuration setting.

* When the user visits the login page and is already authenticated (i.e. they have a valid ticket granting cookie), a message is shown at the top indicating that they are already logged in.

* sqlite3-ruby is no longer required by the gem as a dependency. The user must now install it manually prior to installing rubycas-server. The building of sqlite3 native extensions appears to be somewhat flaky and probably defeats the original purpose of using it (which was to have a CAS server up and running with no additional DB configuration). We will use MySQL as the default database adapter instead, since it does not require additional libraries and many users will have a MySQL server already available.

* Fixed bug that was causing all proxy-granting tickets to be deleted whenever any user logged out. Only the PGTs for the user that is logging out are now deleted.

* Trailing slashes in service URLs are now ignored when validating service and proxy tickets (e.g. "http://www.google.com" and "http://www.google.com/" are now considered to be the same service URL).

* Authenticators now raise AuthenticatorError exceptions when encountering a problem/error. This makes it easier to send feedback to the user. However, other exceptions should still be raised when errors ought not to be recoverable (i.e. programming errors).

* Fixed serious vulnerability in the LDAP authenticator where under some circumstances the user could just enter '*' as their username to match any username. The LDAP authenticator will now refuse to process logins with usernames that contain the characters * ( ) \ / and the NULL character \0.

* Views are no longer xhtml-validated. Markaby's auto-validation was turned off to allow for use of the autocomplete property on inputs, since this is the only viable way of turning off password storage in IE and Firefox at the page level.

* You can now limit the maximum length of a login session by setting the expire_sessions config setting to true.

* Fixed some minor bugs in the login view.

=== 0.2.0 :: 2007-03-20

* ruby-casserver now behaves more like a real command-line app, accepting various command line arguments including -h (help), -v (version), -c (use an alternate config.yml), and -d (daemonize, when using webrick or mongrel mode).

* Special characters in CAS XML responses are now properly encoded into XML entities.

* CAS XML responses are no longer auto-indented... Markaby's indentation seemed to be causing problems with the PHP CAS client.

* Misc minor bug fixes/cleanup.

=== 0.1.0 :: 2007-03-01

* First public release.
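As an added illustration of the two LDAP/AD authenticator fixes in 0.3.0 (blank passwords accepted, and a '*' username matching any directory entry), the following Ruby is not RubyCAS-Server's own code: it shows a credential pre-check that refuses the characters the changelog lists before anything reaches the directory. The AuthenticatorError class and the function names are stand-ins chosen for this example.

```ruby
# Added example, not code from RubyCAS-Server. A pre-check in the spirit of
# the 0.3.0 LDAP/AD fixes: run before any directory lookup so that a username
# containing LDAP filter metacharacters is never interpolated into a search
# filter, and a blank password is never sent to the directory (some directories
# treat an empty password as an anonymous bind and report "success").
class AuthenticatorError < StandardError; end   # stand-in for the project's class

# The characters the 0.3.0 notes say are refused: * ( ) \ / and the NUL byte.
FORBIDDEN_USERNAME_CHARS = /[*()\\\/\x00]/

# Returns true when the credentials may be handed to the directory; raises
# AuthenticatorError with a user-facing message otherwise.
def check_ldap_credentials(username, password)
  username = username.to_s
  password = password.to_s
  if username.empty? || password.empty?
    raise AuthenticatorError, "Username and password are required."
  end
  if username.match?(FORBIDDEN_USERNAME_CHARS)
    raise AuthenticatorError, "Username contains characters that are not allowed."
  end
  true
end

# Boolean convenience wrapper for callers that only need a yes/no answer.
def ldap_credentials_ok?(username, password)
  check_ldap_credentials(username, password)
rescue AuthenticatorError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one good pair, then the cases 0.3.0 closed off.
  [["alice", "s3cret"], ["*", "x"], ["alice", ""], ["carol\0", "pw"]].each do |u, p|
    puts "#{u.inspect}: #{ldap_credentials_ok?(u, p)}"
  end
end
```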