Release notes
--------------------------------------------------------------------------------
A-Select 1.5.7

--------------------------------------------------------------------------------
- fix LDAP direct_login so that it also accepts usernames without a realm, in which
  case the username is checked against the default LDAP directory; this enables
  organizations with a single authentication method (i.e. one LDAP directory) to use a
  login procedure where both username and password are entered on just one page (instead
  of two separate screens), without having to add a realm to that username (either
  manually by the user or automatically in the backend)
- Shibboleth/SAML1.1: add ConfirmationMethod to the Subject in the AttributeStatement
  so it complies with the stricter Shibboleth 2.x validation

--------------------------------------------------------------------------------
A-Select 1.5.6

--------------------------------------------------------------------------------
- avoid cookie hijacking over https by marking cookies as secure when they are set on a
  secure connection, so the browser never sends them back over plain http
  see: http://fscked.org/proj/cookiemonster/README-First.txt
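The fix above amounts to setting the Secure attribute whenever the cookie is issued over TLS. The following is an added illustration written for these notes, not A-Select's own code; it assumes the Servlet API is on the classpath, and the cookie name "aselect_credentials" is a constructed placeholder, not necessarily the name the server uses.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not A-Select code): issue a session cookie whose Secure flag
 * follows the connection the request arrived on.
 */
public final class SecureCookieExample {

    private SecureCookieExample() {}

    /**
     * Builds the cookie for this request. When requestIsSecure is true (the request
     * came in over TLS) the Secure attribute is set, so the browser will not replay
     * the cookie to the same host over plain http. This is the property that
     * sidejacking tools in the "cookie monster" family rely on being absent.
     */
    public static Cookie buildCookie(String name, String value, boolean requestIsSecure) {
        Cookie cookie = new Cookie(name, value);
        cookie.setPath("/");
        cookie.setSecure(requestIsSecure);
        return cookie;
    }

    /** Convenience wrapper: derive the flag from HttpServletRequest.isSecure(). */
    public static void addSessionCookie(HttpServletRequest request,
                                        HttpServletResponse response,
                                        String value) {
        // "aselect_credentials" is a constructed placeholder cookie name
        response.addCookie(buildCookie("aselect_credentials", value, request.isSecure()));
    }
}
```

When checking a deployment, look for the "Secure" attribute in the Set-Cookie header of the https login response; a cookie issued on https without it is the condition the 1.5.6 fix removes.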

--------------------------------------------------------------------------------
A-Select 1.5.6rc1

--------------------------------------------------------------------------------
- merged Entree 2.0 features
- JNDI UDB connector, JDBC UDB connector and JNDI attribute requestor
  close the InitialDirContext handle after the initial active resource check
- JDBC attribute requestor
  maintain active connection handler instead of re-opening for each call

--------------------------------------------------------------------------------
A-Select 1.5.5

--------------------------------------------------------------------------------
- fixed memory and cookie corruption in Apache filter:
  change calls to ap_table_addn with non-const chars to ap_table_add
  (ap_table_addn stores the pointer to the value instead of copying it, so this bug
  was triggered when large attribute sets were passed and reallocation of memory in
  the pool left the table pointing at freed memory)
- fixed attribute release (ARP) issue when an application is accessed after a
  federated login: the ARP for the local A-Select server would be applied
  to the application instead of the application ARP itself
- avoid the default infinite DNS lookup caching in the client communicator, which would
  prevent round-robin DNS load-balancing on the server side from working:
  java.security.Security.setProperty("networkaddress.cache.ttl", "60");

--------------------------------------------------------------------------------
A-Select 1.5.4

--------------------------------------------------------------------------------
- modified (Shibboleth) samlbp.html page so the "continue" button will no longer
  be shown when javascript is enabled (and the form will automatically be posted)
- for SFS ApplicationBrowser: log SSO events with message "updated" (instead of
  only login events with "granted"/"denied" messages); useful for application
  and/or local-server statistics
- for SFS ApplicationBrowser: check for forced_organization and remove tgt if
  present (i.e. don't do SSO when forced_organization is set); generalizes the Shibboleth
  patch in 1.5.2 for already logged in users at a different IDP
- fix logging issue when multiple A-Select servers run in a single JVM (i.e. Tomcat)
  environment, where all instances would write file-based logging to *all* individually
  configured log files, instead of only their own
- set standard timeout of 10 seconds on Radius reads from DatagramSocket to avoid
  possible thread pool depletion when requests are sent but never answered; should be
  extended with a configurable option
- urlencode the SAML 1.1 IdP identifier set as Issuer and NameQualifier (improve on
  patch from 1.5.2: handle IdP identifiers that contain spaces)
- set "language" and "country" template variables in A-Select server templates
- AttributeGatherer: added option for dealing with attribute conflicts between
  multiple requestors; configuration as in: <release_policy duplicate="[merge|replace|delete]">
    "merge": merge all attributes from both AttributeRequestors as a multi-valued attribute
    "replace": use value from "new" attribute requestor
    "delete": delete the complete attribute when a conflict is detected
  else: no action, retain existing values (also for backwards compatibility)
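The Radius read timeout above bounds how long a worker thread can be held by a request that is never answered. This added example, written for these notes and not taken from the A-Select Radius AuthSP, shows the same idea on a plain DatagramSocket: the timeout is a parameter (the configurable option the note asks for), and a silent peer returns null instead of blocking the thread. The host, port and payload are constructed for the demo.

```java
import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.net.SocketTimeoutException;

/**
 * Added example (not A-Select code): one UDP request/response exchange with a
 * bounded wait, so an unanswered request cannot deplete the thread pool.
 */
public final class UdpReadTimeoutExample {

    /** The value the 1.5.4 note hard-codes; here it is only the default. */
    public static final int DEFAULT_TIMEOUT_MS = 10000;

    private UdpReadTimeoutExample() {}

    /**
     * Sends one datagram and waits at most timeoutMs for a reply.
     * Returns the reply bytes, or null when nothing arrived in time.
     */
    public static byte[] exchange(InetAddress host, int port, byte[] request, int timeoutMs)
            throws IOException {
        DatagramSocket socket = new DatagramSocket();
        try {
            socket.setSoTimeout(timeoutMs);   // receive() now throws instead of blocking forever
            socket.send(new DatagramPacket(request, request.length, host, port));
            byte[] buf = new byte[4096];
            DatagramPacket reply = new DatagramPacket(buf, buf.length);
            try {
                socket.receive(reply);
            } catch (SocketTimeoutException e) {
                return null;                  // peer never answered: give the thread back
            }
            byte[] out = new byte[reply.getLength()];
            System.arraycopy(buf, 0, out, 0, reply.getLength());
            return out;
        } finally {
            socket.close();                   // released on every path, timeout included
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a local port with no listener, so the call returns null
        // after roughly two seconds rather than hanging.
        byte[] reply = exchange(InetAddress.getByName("127.0.0.1"), 1812, new byte[] {0}, 2000);
        System.out.println(reply == null ? "timed out" : "got " + reply.length + " bytes");
    }
}
```

A timeout alone does not retry; a caller that treats null as "authentication failed" rather than "authentication unknown" should log the two cases differently so an unreachable Radius server is visible in the logs.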
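The release_policy options above describe three ways of resolving a name clash between two attribute requestors. The following added example, written for these notes and not A-Select's AttributeGatherer code, applies all three plus the default "retain existing values" to a constructed pair of attribute sets; attributes are modelled as name to list-of-values, and the method names are assumptions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not A-Select code): folding the attributes of a newly polled
 * requestor into the already gathered set under release_policy duplicate="...".
 */
public final class ReleasePolicyExample {

    public static final String MERGE = "merge";
    public static final String REPLACE = "replace";
    public static final String DELETE = "delete";

    private ReleasePolicyExample() {}

    /**
     * Any policy value other than merge/replace/delete means "no action": the
     * existing values win, which is the backwards-compatible default.
     */
    public static Map<String, List<String>> apply(String policy,
                                                  Map<String, List<String>> existing,
                                                  Map<String, List<String>> incoming) {
        Map<String, List<String>> result = new LinkedHashMap<String, List<String>>();
        for (Map.Entry<String, List<String>> e : existing.entrySet()) {
            result.put(e.getKey(), new ArrayList<String>(e.getValue()));
        }
        for (Map.Entry<String, List<String>> e : incoming.entrySet()) {
            String name = e.getKey();
            List<String> newValues = e.getValue();
            if (!result.containsKey(name)) {
                result.put(name, new ArrayList<String>(newValues)); // no conflict
            } else if (MERGE.equals(policy)) {
                // union as a multi-valued attribute, first-seen order, no duplicates
                Set<String> merged = new LinkedHashSet<String>(result.get(name));
                merged.addAll(newValues);
                result.put(name, new ArrayList<String>(merged));
            } else if (REPLACE.equals(policy)) {
                result.put(name, new ArrayList<String>(newValues)); // "new" requestor wins
            } else if (DELETE.equals(policy)) {
                result.remove(name);                                // conflict: drop it
            }
            // else: retain existing values
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: an LDAP requestor and a database requestor both return "role"
        Map<String, List<String>> ldap = new LinkedHashMap<String, List<String>>();
        ldap.put("mail", Collections.singletonList("alice@example.org"));
        ldap.put("role", Collections.singletonList("staff"));
        Map<String, List<String>> db = new LinkedHashMap<String, List<String>>();
        db.put("role", Collections.singletonList("student"));
        db.put("dept", Collections.singletonList("cs"));
        for (String policy : new String[] {MERGE, REPLACE, DELETE, "none"}) {
            System.out.println(policy + " -> " + apply(policy, ldap, db));
        }
    }
}
```

The policy choice has a release-side consequence worth noting: "merge" can hand an application a role the second source alone would not have asserted, and "replace" lets the later-polled requestor silently override the earlier one, so the requestor order in the configuration is part of the trust decision.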

--------------------------------------------------------------------------------
A-Select 1.5.3

--------------------------------------------------------------------------------

- fixed update session context in cross_logins for remote_organization setting
  (required when using JDBC session storage)
- add possibility in SAML 1.1 to override the <Issuer> element value in
  the SAML 1.1 assertion with a pre-configured value (instead of the "organization")
- added attribute name mapping capability to TGT requestor, with a choice between
  mapping and copying to a new attribute name
- changed SAMResourceGroup resource list from Hashtable into Vector so the list
  of polled resources is accordingly ordered by priority in a consistent way
- sign requests from Shibboleth applications (with server signing key), if signing
  is required/configured for (all) applications

--------------------------------------------------------------------------------
A-Select 1.5.2

--------------------------------------------------------------------------------

- avoid potential memory leaks in JDBC and JNDI code (depending on the actual
  underlying implementations used, e.g. MySQL vs. Oracle)
  - JDBC storage handler (2x)
    explicitly close prepared statements through "finally" clauses and before re-using
  - JNDI AuthSP (2x)
    explicitly close JNDI search results in plain and SSL LDAP handlers
  - JDBC UDB connector (2x)
    explicitly close prepared statement and search results in case of exceptions
    or "user-not-found" in getUserProfile calls
  - JNDI attribute requestor
    explicitly close JNDI search results through "finally" clause after attribute retrieval
  - JNDI UDB connector (3x)
    explicitly close JNDI search results through "finally" clause
  - DB AuthSP
    explicitly close prepared statement and search result through "finally" clause
  - PKI AuthSP (2x)
    explicitly close JNDI DirContext and search results through "finally" clause
- Shibboleth patch so Shibboleth SPs can directly be redirected through a WAYF
  to the actual IDP without the intervention of a WAYF IDP selection page
- SAML 1.1 patch to set the Issuer and NameQualifier to the IDP organization,
  instead of the WAYF
- Shibboleth patch for already logged in users requesting authentication at a
  different IDP than the one they are currently logged in with
- added JDBC attribute requestor
- support direct_authsp/direct_login in cross A-Select logins in "aselect" Authentication profile
- fixed a number of issues related to usage of JDBC storage for sessions
  - fix direct_login session update
  - fixed session update issue for user_id/authsp_level parameters in
    authsp Ldap protocol handler
  - fixed session update issue for direct_logins with invalid credentials ("allowed_retries")
- added getCount operation to StorageManager:
  avoid out-of-memory errors using getAll in SAM servlet
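Every item in the memory-leak list above is the same pattern: release the JDBC statement or JNDI search enumeration on every exit path, including "user not found" and exceptions. The following added example, written for these notes and not A-Select's own connector code, shows that pattern once for JDBC and once for JNDI; the table, column, base DN and attribute names are constructed, and the caller is assumed to supply an open Connection or DirContext.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example (not A-Select code): the close-in-finally pattern behind the
 * 1.5.2 leak fixes.
 */
public final class CloseInFinallyExample {

    private CloseInFinallyExample() {}

    /**
     * JDBC: statement and result set are closed whether the user is found, not
     * found, or the query throws. Open statements hold driver-side cursors that
     * some databases count against a hard per-session limit.
     */
    public static String lookupEmail(Connection conn, String userId) throws SQLException {
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try {
            // bind parameter, never string concatenation of userId into the SQL
            stmt = conn.prepareStatement("SELECT email FROM users WHERE user_id = ?");
            stmt.setString(1, userId);
            rs = stmt.executeQuery();
            if (!rs.next()) {
                return null;          // "user not found": finally still runs
            }
            return rs.getString(1);
        } finally {
            if (rs != null) {
                try { rs.close(); } catch (SQLException ignored) { }
            }
            if (stmt != null) {
                try { stmt.close(); } catch (SQLException ignored) { }
            }
        }
    }

    /**
     * JNDI: a NamingEnumeration keeps the LDAP search open on the server until it
     * is exhausted or closed; closing it in finally releases it even when the
     * caller stops after the first hit or an exception is thrown.
     */
    public static String lookupDn(DirContext ctx, String baseDn, String uid) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]);  // we only need the entry's DN
        NamingEnumeration<SearchResult> results = null;
        try {
            // {0} is substituted with filter escaping by the provider
            results = ctx.search(baseDn, "(uid={0})", new Object[] {uid}, controls);
            if (!results.hasMore()) {
                return null;
            }
            return results.next().getNameInNamespace();
        } finally {
            if (results != null) {
                try { results.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

The leak shows up operationally as exhausted cursors or connections on the directory or database server rather than as a Java heap error, which is why the note attributes it to "the actual underlying implementations used".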

--------------------------------------------------------------------------------
A-Select 1.5.1 (SURFnet Federation Service)

--------------------------------------------------------------------------------

This release includes the SURFnet Federation Service (SFS) patches, useful for
operation in the SURFfederatie. It also fixes some known problems, mainly
related to those patches.

NB: this release is required for Service Providers in the SURFfederatie that use
the cross_login API call for accessing so-called Home Identity Providers behind
the Central Federation Components (CFC) directly without the intervention of the
CFC itself (using the IdpSelector), and *also* need to redirect to other remote
servers (IdPs or CFCs of other federations) connected to their local A-Select server.

Enhancements and bugs fixed in this release:

- included SFS patches, see: http://www.a-select.org/version/1.5/guide/sfssrv.html
- support for a "home_organization" parameter in "cross_login" calls to local A-Select
  servers using the SFS IdPSelector and support for specifying both "remote_organization"
  and "home_organization" in a "cross_login"
  NB: "home_organization" is the organization identifier of the IdP, as opposed to
  the "friendly name" used in the "home_idp" parameter!
- support for a "relay" parameter in the SFS section, a remote server to which all
  logins will be redirected for organizations that are not configured on this
  A-Select server (as remote server or sfs entry)
- support for a "display" parameter in the "remote_server" section, for optional display
  of a remote server in the HTML IDP selector page and "get_home_idp" call
  (default="true", useful for hiding a relay when set to "false")
- JDBCStorageHandler fix for containsKey which is required for Oracle databases
- multi-valued attribute fix in APIAttributeRequestor (so far only reported to work
  without signing)
- support for passing a port number parameter to StopAgent; this allows stopping agents
  running on a non-standard port using the provided StopAgent.class
- an empty SFS section configuration (<sfs/>) no longer raises an exception
- fix the message that an SFS server already exists in the list for all requests after
  the first SFS request (deep copy the list)
- added DB AuthSP for database based authentication, with support for MD5-hashed
  passwords

--------------------------------------------------------------------------------
A-Select 1.5

--------------------------------------------------------------------------------
1. Components

 This release contains the following A-Select components
   - A-Select IIS Filter
   - A-Select Apache 1.3/2.0 Filter
   - A-Select Agent
   - A-Select Server
   - A-Select AuthSP Server
   
   - A-Select NullAuthSP handler
   - A-Select Radius AuthSP handler
   - A-Select IP AuthSP handler	
   - A-Select LDAP AuthSP handler
   - A-Select PKI AuthSP handler
   
   - A-Select Null AuthSP
   - A-Select Radius AuthSP
   - A-Select IP AuthSP
   - A-Select LDAP AuthSP
   - A-Select PKI AuthSP   
   
   - A-Select JDBC UDB Connector
   - A-Select FlatFile UDB Connector
   - A-Select SASDB UDB Connector
   - A-Select LDAP UDB Connector

   - A-Select JNDI Attribute Requestor
   - A-Select Opaque Attribute Requestor
   - A-Select TGT Attribute Requestor
   - A-Select FlatFile Attribute Requestor      
   - A-Select API Attribute Requestor

--------------------------------------------------------------------------------
2. Features

 New features in this release are:

- SAML 1.1 support
 The A-Select Server can act as a SAML 1.1 Identity Provider.
 Including:
 > Browser/Post WebSSO profile
 > Browser/Artifact WebSSO profile (type 0001 & 0002)
 > SAML Subject Queries (Attribute, Authentication, Authorization)

- Compatibility with Shibboleth 1.3 Service Provider
 The A-Select Server can be used as an Identity Provider for Shibboleth 1.3 
 Service Providers. The following interfaces are supported by the A-Select 
 Server: 
 > Shibboleth Identity Provider
 > Shibboleth Where Are You From
 
- Improved A-Select Server Request Handling
 The request handlers are separated from the A-Select Server core. The request 
 handlers that will be used need specific configuration.
 Requests are handled by the RequestHandler that matches the configured 
 regular expression. 
 The following Request Handlers are included in the default A-Select Server 
 installation:
 > A-Select Authentication Profile
 > A-Select Restart Request Handler
 
 > Shibboleth Authentication Profile
 > Shibboleth WAYF Profile
 
 > SAML 1.1 Request Handler
 > SAML 1.1 Query Request Handler
 > SAML 1.1 Artifact Request Handler

- Session management in AuthSP Server
 AuthSPs can now use the session management of the AuthSP Server to store 
 information during authentication.

- Multivalue attributes
 The JNDI and TGT Attribute Requestors now support multivalue attributes. Also a 
 FlatFile Attribute Requestor is added for testing with multivalue attributes.

- Displaying application specific information 
 For every application configured in the A-Select Server specific information 
 can be configured that will be displayed in the HTML templates if that 
 information is available. The following configuration items can be configured 
 for an application:
 > friendly_name (HTML template tag name: [requestor_friendly_name])
 > maintainer_email (HTML template tag name: [requestor_maintainer_email])
 > show_url (HTML template tag name: [requestor_url])
 
- Opaque User ID
 The uid parameter returned after initiating authentication by the API call 
 request=authenticate contains an opaque value for security reasons. Returning 
 the opaque value can be configured per application.
 
- SSL Offloading support
 When the A-Select Server is located behind a load balancer, the A-Select Server 
 URL which is used to redirect to in the request=authenticate request must be 
 replaced by the URL of the load balancer. This feature is added to 
 A-Select 1.5 RC2 and can be enabled by using the <redirect_url> configuration 
 item.
 
- Direct login
 When "direct_authsp" is enabled for an AuthSP Handler and the application is 
 configured so that only this specific AuthSP is available, the A-Select server 
 shows a new form where a user can submit his/her username and password in one 
 screen. The AuthSP must support this. Currently (A-Select 1.5RC2), only the 
 Ldap AuthSP is extended with this new functionality.
 
- Max level
 For every configured application in the A-Select Server the maximum application 
 level can be set. This level can be used to limit the number of available 
 AuthSPs for an application. For example, this can be useful to trigger 
 "Direct Login".
 
- Regex Selector Handler
 The Regex selector handler is an implementation of the cross selector handler 
 interface. The regex selector handler determines, based on regular expressions, 
 to which remote_organization a user belongs. If this selector handler is used, 
 the user will directly be sent to the remote A-Select Server for authentication.
 
- Cross fallback
 When "cross_fallback" is set to "true" and cross A-Select is configured,
 A-Select will automatically switch to cross_mode when a user is not found in 
 the local A-Select user database.
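The Regex Selector Handler described above maps a user identifier to a remote_organization by regular expression. This added example is written for these notes and is not A-Select's selector code; the patterns, organization identifiers and the first-match-wins ordering are assumptions for illustration. It anchors each pattern with matches() rather than find(), which is the check a practitioner wants here: an unanchored domain pattern would also accept a longer identifier that merely contains the domain.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not A-Select code): a minimal regex-based selector that
 * decides which remote A-Select server a user is sent to.
 */
public final class RegexSelectorExample {

    /** Rules in insertion order; the first pattern that matches wins. */
    private final Map<Pattern, String> rules = new LinkedHashMap<Pattern, String>();

    public void addRule(String regex, String remoteOrganization) {
        rules.put(Pattern.compile(regex), remoteOrganization);
    }

    /**
     * Returns the remote organization for this user id, or null when no rule
     * matches (the caller then falls back to the normal IdP selection page).
     * matches() requires the whole identifier to fit the pattern.
     */
    public String select(String userId) {
        if (userId == null) {
            return null;
        }
        for (Map.Entry<Pattern, String> rule : rules.entrySet()) {
            if (rule.getKey().matcher(userId).matches()) {
                return rule.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        RegexSelectorExample selector = new RegexSelectorExample();
        // constructed rules and identifiers
        selector.addRule("[^@]+@example\\.org", "example.org");
        selector.addRule("[^@]+@(students\\.)?uni\\.example", "uni.example");
        System.out.println(selector.select("alice@example.org"));            // example.org
        System.out.println(selector.select("bob@students.uni.example"));     // uni.example
        System.out.println(selector.select("bob@example.org.other.example")); // null
    }
}
```

Because the selector sends the user straight to the remote server without a selection page, a rule that matches too broadly redirects credentials to the wrong organization; keeping patterns anchored and ordered from most to least specific is the mitigation.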
  
-------------------------------------------------------------------------------
3. Bugfixes

 Bugs fixed in this release are:

115	enh	P5	AuthSP's			
Radius AuthSP doesn't support wildcard as realm

113	enh	P2	A-Select Server		
Cross A-Select: Local Server configuration of Remote Server

117	min	P2	A-Select Server		
cross: local organization works only in lowercase

123	nor	P2	A-Select Server		
Use of string.trimline() without checking if string is valid

126	nor	P2	A-Select Server		
Problem with closeHandlers()

134	nor	P2	A-Select Server		
@domain.com is stripped from username

136	nor	P1	A-Select Server	
SOAP 1.1 over HTTP not according to specification

138	nor	P1	A-Select Server	
A-Select JDBC UDB Handler SQL injection possibility

139	enh	P2	A-Select Server	
require_signing is not optional in <applications>

141	nor	P2	A-Select Server	
AttributeMapping not optional in (JNDI)AttributeGatherer

112	nor	P2	A-Select Agent	
Agent logs wrong configuration parameter name.

125	nor	P2	IIS ISAPI Filter	
redirect_mode enabled the logout_bar

135	nor	P2	A-Select Server	
Logout not possible when application ticket has expired

156	nor	P2	IIS ISAPI Filter	
An empty or incorrect page is shown in the application frame when the logout bar
is configured.

118	enh	P2	AuthSP Server	
Web Application Deployment Descriptor (web.xml) does not conform to the DTD

127	nor	P2	AuthSP Server	
Problem with closeHandlers()

140	nor	P2	A-Select Server	
CrossASelectManager.isForcedAuthenticateEnabled is case sensitive

202	nor	P1	A-Select Server 1.5 RC2
When determining which AuthSPs are allowed for a user in the ApplicationBrowser
handlelogin2, an internal error occurred if the user did not exist in the flatfile UDB.

-------------------------------------------------------------------------------
4. Known issues

Known issues in this release are:

155 enh P4 A-Select Server
Because the A-Select Server ID is not URL-encoded as a parameter in redirects sent
by the A-Select Server and AuthSPs, it may not contain an '&' character.

179 nor P1 Apache Filters
Authorization rules configuration doesn't correspond to the A-Select Agent 
authorization rules configuration.

180 nor P2 A-Select Server
Wrongly configured StorageManager causes high CPU load.
When a StorageManager in A-Select is configured with an interval of '0' the
Cleaner thread will run continuously (without a sleep), which causes a very high
CPU load.

185 nor P2 Apache Filters
Apache filter enters a loop due to a bug in the secured application URL checking
functionality.
When, for example, the application /secured/ is configured to be protected by the
Apache A-Select filter, the filter reacts to all requests whose path ends with it,
e.g. "/test/secured/" or "/testx/secured/".
After the verify credentials step the filter enters a loop until the response is
too long and error 910 is shown.

203 nor P4 A-Select Server
A user who is authenticated but not authorized does not have the ability to log out.
Users approaching an application for which they do not have authorization cannot
log out.

204 nor P2 A-Select System Package
SAM service status page is not shown when using Tomcat 5.5.
When Tomcat 5.5 is used as a servlet container, the A-Select Server and A-Select
AuthSP Server will not show a server status page when no query string is sent.

205 enh P2 A-Select Server
use_opaque_uid is not supported for local organizations.
The "use_opaque_uid" functionality is only supported for applications not for
local organizations.
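Known issue 185 above comes down to matching the configured application path as a suffix of the request URI instead of as a leading path segment. This added example, written for these notes in Java rather than taken from the Apache filter's C source, puts the reported suffix behaviour next to a segment-aware prefix check so the difference can be seen on the URIs the issue names; the configured path and request URIs are constructed.

```java
/**
 * Added example (not the A-Select Apache filter's code): suffix match as
 * reported in issue 185 versus a path-segment prefix match.
 */
public final class SecuredUrlCheckExample {

    private SecuredUrlCheckExample() {}

    /** Reproduces the reported behaviour: any URI that ends in the configured path matches. */
    public static boolean matchesSuffix(String securedPath, String requestUri) {
        return requestUri.endsWith(securedPath);
    }

    /**
     * Corrected check: the request URI must begin with the configured path and the
     * match must end on a segment boundary, so "/secured/" protects "/secured/" and
     * "/secured/app.html" but not "/test/secured/", "/testx/secured/" or "/securedx/".
     */
    public static boolean matchesPrefix(String securedPath, String requestUri) {
        String prefix = securedPath.endsWith("/")
                ? securedPath.substring(0, securedPath.length() - 1)
                : securedPath;
        if (requestUri.equals(prefix)) {
            return true;                       // "/secured" itself
        }
        return requestUri.startsWith(prefix + "/");
    }

    public static void main(String[] args) {
        // constructed request URIs, including the two from the issue text
        String[] uris = {"/secured/", "/secured/app.html", "/test/secured/", "/testx/secured/", "/securedx/"};
        for (String uri : uris) {
            System.out.println(uri
                    + "  suffix=" + matchesSuffix("/secured/", uri)
                    + "  prefix=" + matchesPrefix("/secured/", uri));
        }
    }
}
```

Both checks should run on the normalized, decoded request path (no "..", no doubled slashes, no percent-encoded separators); otherwise a prefix test is only as good as the normalization the web server performed before the filter ran.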

-------------------------------------------------------------------------------