Good morning peeps, I would like to give you a heads up to avoid any
kind of confusion (sorry for the long e-mail). If you are too lazy to
read the whole e-mail, here is the TL;DR:
Don't make use of AeroGear Security PicketLink 1.1.2/1.2.0 because they
have critical bugs. Use the snapshot release 1.2.1-SNAPSHOT.
Some weeks ago AeroGear Security 1.2.0 was released with PicketLink Beta
6. Before the release I tested it against the AeroGear Controller demo and
couldn't find any issue.
Changelog
- AeroGear Security 1.2.0
* [7743790] - Formatting
* [85805a4] - POJO is an acronym, should be uppercase
* [ee0f8fb] - mention Apache Shiro and Hawk
* [b65e403] - bump up to 1.2.0
* [a177956] - Adding unit tests for empty passwords and certificates
* [7d7e6ed] - [maven-release-plugin] prepare for next development iteration
* [c1f8aee] - [maven-release-plugin] prepare release 1.2.0
- AeroGear Security PicketLink 1.2.0 (PL beta6)
* [3d1407a] - [maven-release-plugin] prepare for next development iteration
* [10b05d7] - [maven-release-plugin] prepare release 1.2.0
* [7c1001f] - Merge branch 'AGSEC-93'
* [1d84d7d] - Fixing unit tests and ignoring some methods
* [93ce3f2] - Display the correct OTP login name
* [98b444f] - Bump up to PicketLink beta6
After the release we found some compatibility issues with the push
server and also security issues, so we had to keep the Unified push
server stable, and for this reason a branch '1.1.x' was created on
AeroGear Security and 1.1.2 was released with PicketLink Beta 5.
Changelog
- AeroGear Security 1.1.2
* [86f1a3c] - [maven-release-plugin] prepare for next development iteration
* [271d52e] - [maven-release-plugin] prepare release 1.1.2
* [4851dc7] - Equate API release with ag-sec PL to prevent Broken APIs
* [df99702] - Merge branch 'password_reset' into 1.1.x
* [60b5d1f] - Grab the HTTP status provided by AG Exception
* [138ac22] - Message and HTTP status to credential already expired
* [29e6ca2] - Exception handling for AeroGear messages
* [475ecea] - Some Javadoc would be nice
* [6ee19ae] - Inclusion of contracts to revoke roles
* [d8afc7d] - Formatting
- AeroGear Security PicketLink 1.1.2
* [091ef0f] - [maven-release-plugin] prepare for next development iteration
* [c4c0199] - [maven-release-plugin] prepare release 1.1.2
* [79abc3c] - Switch to the correct version of AGSec API
* [d0e80b0] - Merge branch 'password_reset' into 1.1.x
* [8c69551] - Validate if credential has expired
* [6eda9ae] - Credential matcher
* [9df4cc6] - Validate provided credentials and reset password if credentials are valid or already expired
* [24ddf34] - Extracting password validation to the credential matcher
* [ffc70fd] - Make travis happy with snapshot repository
* [bd44bb3] - Update the snapshot release from AGSec
* [387e2c2] - Optimizing imports
* [a7719f9] - Inclusion of a method to revoke roles to the specified user and avoiding a bunch of conditional statements at developers side
* [b38185a] - Formatting
* [757238c] - Parent POM
* [ac321a6] - Bump up to the snapshot release
* [4d9e397] - Validate the password expiration
* [22e1b7e] - Preparing to release 1.1.1
* [d0e339a] - Merge branch 'AGSEC-75'
* [4d98c9b] - Fixes NPE from PicketLink when some role can't be found
Today PicketLink Beta7 was released
(http://lists.jboss.org/pipermail/security-dev/2013-August/001415.html)
with the security fixes based on team's feedback and I already deployed
AeroGear Security 1.2.1 on snapshots.
Changelog
- AeroGear Security
* [f1900fe] - Removing any dependencies on Resteasy
- AeroGear Security PicketLink
* [393a810] - Update to PicketLink 2.5.0 Beta7
* [829ff1a] - Bump up to snapshot release from PicketLink
* [99cd2e5] - Fixes the API compatibility broken by PL
The PicketLink API has changed a lot since Beta5 and some projects
already received my PR:
- https://github.com/aerogear/aerogear-unified-push-server/pull/72
- https://github.com/aerogear/aerogear-controller-demo
Thanks for your patience and time reading it. 1.2.1 will be released
next week after some feedback.
--
abstractj