acegi1.0發布，其實有點出乎意料，因為我一向認為acegi的代碼已經相當穩定了，但是acegi力求精益求精，從新版還是能看到不少實用的改動和升級。這里簡單分析一下。

[SEC-183] - Avoid unnecessary HttpSession creation when using Anonymous and Remember-Me authentication

以前如果使用HttpSessionContextIntegrationFilter的話，不管你是否需要創建session，他都會給你創建。這在一些Base驗證的時候是多余的。現在加上了forceEagerSessionCreation，在創建session的時候做了控制。

[SEC-29] - Save POST request parameters before redirect

在前幾個版本出現這個問題，如果實現了登陸自動跳轉，acegi僅僅是簡單記錄了URL，沒有深入的紀錄信息。新版本中acegi不僅僅是保持POST中的數據不會丟失，request里面的東西幾乎全都序列化保存下來了，實現可以看看SavedRequest。

[SEC-40] - HibernateDao.scroll() performance

[SEC-92] - Hibernate ACL implementation

這個比較激動的改進在1.0的源碼中沒有找到，看alex的意思好像是僅僅提供各演示，目的是為了生成數據腳本方便點。（其實這個還真的沒法做成特別通用的，畢竟每個人的ACL實現都有可能不同）

[SEC-147] - BasicAclEntryAfterInvocationProvider should support processDomainObjectClass

對List進行ACL交驗的時候，會把第一個元素取出，看看是否AssignableFrom這個processDomainObjectClass ，算是做一下安全檢查吧。

[SEC-172] - Allow SimpleAclEntry to take 'null' as recipient constructor argument

其實應該是不允許recipient 為空。

[SEC-187] - inHttp & inHttps not fully utilized in AuthenticationProcessingFilterEntryPoint

[SEC-191] - AclTag class should use the BeanFactoryUtils.beanNamesForTypeIncludingAncestors method to search for the AclManager

AclTag在尋找AclManager 時候會更加靈活了，得益于spring的強大。

<明天繼續吧。。。。>

[SEC-194] - RememberMeServices should be available when using BasicAuth logins

[SEC-195] - Create Acegi-backed CAS3 AuthenticationHandler

[SEC-196] - Update web site and documentation to reference JA-SIG CAS

[SEC-203] - Allow setting the AuthenticationManager onto the ConcurrentSessionController for inverted dependency

[SEC-204] - Better detection of malformed text in FilterInvocationDefinitionSourceEditor

[SEC-205] - Allow multiple URLs in DefaultInitialDirContextFactory

[SEC-206] - TokenBasedRememberMeServices using context root when setting cookie paths (inc code)

[SEC-207] - Implement countermeasures against session attacks

[SEC-209] - Make AbstractProcessingFilter.eventPublisher field protected

[SEC-217] - Improve Siteminder Filter

[SEC-220] - Allow ExceptionTranslationFilter to not catch exceptions

[SEC-221] - AbstractProcessingFilter.onPreAuthentication exceptions should be caught

[SEC-224] - Make Authentication.getPrincipal() for CAS return the UserDetails

[SEC-229] - Allow redirects to external URLs in AbstractProcessingFilter

[SEC-231] - Add another DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles

[SEC-234] - Allow WebAuthenticationDetails pluggable implementations

[SEC-236] - JbossAcegiLoginModule to use ApplicationContext interface

[SEC-238] - Add AuthenticationException to AbstractProcessingFilter.onUnsuccessfulAuthentication method signature

[SEC-242] - Logger in AbstractProcessingFilter

[SEC-244] - Column names instead of indexes for org.acegisecurity.userdetails.jdbc.JdbcDaoImpl

[SEC-246] - Enable late-binding of UserDetailsService on DaoAuthenticationProvider

[SEC-247] - Allow to specify resources that shouldn't be filtered in FilterChainProxy

[SEC-251] - DefaultLdapAuthoritiesPopulator: Add filter argument {1} for username as in Tomcat JNDIRealm

[SEC-255] - Reorder AuthenticationProcessingFilter to create HttpSession before delegating to AuthenticationDetailsSource

[SEC-257] - ExceptionTranslationFilter to use strategy interface for AccessDeniedException handling

[SEC-259] - AccessDecisionVoter: typo in JavaDoc

[SEC-260] - AbstractAccessDecisionManager and loggers

[SEC-262] - AbstractAccessDecisionManager needs standard handling ifAllAbstainDecisions

[SEC-264] - Introduction of LdapUserDetails and changes to LdapAuthenticator and LdapAuthoritiesPopulator interfaces

[SEC-276] - Restructure reference guide