XSLWeb release v4.1.0
- Several bug fixes (see commit log).
- The Jetty application server in the Ready-to-Run distribution now uses the Logback framework, just like XSLWeb itself. Jetty now logs to {xslweb.home}/logs/jetty.log. This Ready-to-Run distribution does not have any dependency to Log4J/Log4J2.
- Upgrade from Saxon version 10.5 to Saxon version 10.6.
- Added dependencies to Pac4J and Buji-Pac4J (Pac4J for Apache Shiro), see Security: authentication and authorization. In addition to the functionality provided by XSLWeb's Apache Shiro integration, Pac4J adds the possiblity to use additional authentication mechanismes like OAuth 1/2, SAML, CAS, OpenID Connect, JWT, Kerberos (SPNEGO), REST API or authorization mechanisms like Roles/permissions, Anonymous/remember-me/(fully) authenticated, CORS, CSRF, HTTP Security headers. At this moment, only the Pac4J OpenID Connect and OAuth2 libraries are bundled with XSLWeb, but others can be added by placing them in de classpath of XSLWeb.
- Added BinarySerializer pipeline step.
- Refactoring of the caching functionality; transition from Ehcache version 2.6 to 3.9. NB. this refactoring has some backward compatibility issues, see differences in caching example. Also the Response Caching functionality is not supported anymore because Ehcache dropped the support for SimpleCachingHeadersPageCachingFilter. Removed support for the response caching pipeline attributes.
- Added configuration attribute "expire-time" to ResourceSerializer.
- Added configuration "ssl-check-server-identity" to XPath extension function email:send-mail().
- Added extension function webapp:remove-cache-value().
- Authentication information (for the legacy authentication mechanism) can now also be stored as request attribute, useful for clients that do not support sessions. Whether information is stored as session attribute and/or request attribute can now be overridden by implementing the named templates "auth:store-profile-in-session" and "auth:store-profile-in-request". Default implementations return true().
- Avoid creating of unnecessary HttpSession objects, for instance in the extension function session:get-attribute() when no session object exists yet.
- Overrides and additions for mimetype mapping properties file (MimeUtil), especially for the extension .css.
- Change to nested/internal pipeline requests: all attributes that are stored in the "parent" request using req:set-attribute($name, $value) will now be available in the nested/internal request using req:get-attribute($name). That means you now can pass any sequence (including nodes) to the nested/internal request without the need for serialization/deserialization.
- Added several exclusions to pom.xml to avoid duplicate Java classes on classpath; added scanning for duplicate classes when opening the XSLWeb Context
- Changed default value of XSLWeb property "xslweb.parserhardening" from false -> true (which avoids XXE attacks)
- Dependency with javautil (org.clapper) and asm removed. Functionality regarding dynamic loading of "external/plugin" classes (XPath extension functions) ported to the ClassGraph library.
- Several dependencies upgraded: Saxon 10.5 -> 10.6, Apache Shiro 1.6 -> 1.8, Quartz 2.2.3 -> 2.3.2, Logback 1.2.3 -> 1.2.8, Apache FOP 2.5 -> 2.6, Slf4J 1.7.5 -> 1.7.32.
Binaries:
- https://armatiek.nl/downloads/xslweb/xslweb-ready-to-run-v4.1.0-linux-x64.tar.gz (for Linux 64-bits machines)
- https://armatiek.nl/downloads/xslweb/xslweb-ready-to-run-v4.1.0-osx-x64.tar.gz (for macOS 64-bits machines)
- https://armatiek.nl/downloads/xslweb/xslweb-ready-to-run-v4.1.0-windows-x64.zip (for Windows 64-bits machines)
- https://armatiek.nl/downloads/xslweb/xslweb-war-v4.1.0.tar.gz (Linux/macOS)
- https://armatiek.nl/downloads/xslweb/xslweb-war-v4.1.0.zip (Windows)