HISTORY
-------

CAS 2.0.12 (May 2004):
 - no functional changes from CAS 2.0.12beta3.  Modified documentation
   to make the newly required login ticket more prominent.

CAS 2.0.12beta3 (February 2004):
 - synchronized the ticket hash maps.  Occasionally the clean-up timer
   thread would die with a java.util.ConcurrentModificationException
   (another thread modified a map while the timer was iterating over it),
   after which the sweep never ran again.  This resulted in a memory leak
   and a potential security hole, since tickets would no longer be expired.

CAS 2.0.12beta2 (January 2004): 
 - changed 2.0.12beta to use a new LoginTicket rather than a
   transaction ID stored in a WeakHashMap.  It turned out the JVM's
   garbage collection was too aggressive for this setup.

CAS 2.0.12beta (December 2003): security fix, minor bug fixes/enhancements
 - fixed an issue with browsers caching and re-posting user credentials.
   Here is a description of that fix that was posted to the CAS mailing list:

   ------------------------------------------------------------
   We've recently noticed several security issues with CAS's interaction 
   with certain web browsers, specifically Internet Explorer in Windows 
   and Safari in OS X.  First I'll explain the Internet Explorer behavior.

   After a user logs into CAS, he is redirected to the service.  Once he
   logs out, if he doesn't close his browser, he is able to click back a 
   few times until Internet Explorer offers to repost his form data 
   (i.e. login credentials).  Clicking Refresh will resubmit the credentials 
   and the user will be logged in again.  This isn't so much an issue on 
   users' personal machines as it is on public kiosks.  If the user walks
   away without closing the browser, the next kiosk user can go back 
   through the browser's history and log in to CAS by reposting that
   form data.

   Safari exhibits a similar behavior, only a lot more insecurely.  When
   the user sees the dialog box that offers to repost the credentials, if 
   he clicks yes, Safari will repost the login credentials to the web
   application -- not to CAS.

   We have fixed both of these bugs in our CAS distribution which we will
   officially release in January.  The fixes are as follows:

   * The Javascript redirect page (goService.jsp) was modified to use an 
     HTTP Refresh instead.  This fixed the Internet Explorer issue.
   * Upon detecting that the remote browser is Safari, the automatic refresh
     is disabled on initial login.  Safari users will see a page that states 
     they have been logged in successfully and are asked to click a link 
     to access the requested service.  This appears to be the only way to 
     keep Safari from incorrectly posting the credentials to the web 
     application.  Even after this fix, though, Safari still exhibited the 
     same behavior Internet Explorer did from the start -- it still offered
     to repost the login credentials.
   * To fix this new Safari bug, a transaction ID was added to each login.
     The login page now includes a one-time-use transaction ID as one of its
     post parameters.  If the transaction ID has already been used, it cannot
     be used for another login.

   - Drew Mazurek
     ITS Technology & Planning
   ------------------------------------------------------------
 - changed the println("...")'s in LegacyValidate to print("...\n")'s.
   This fixes a compatibility issue with certain CAS clients such as 
   mod_cas that relied on lines to end in a single '\n' rather than '\r\n'.
 - added xmlns descriptor to the XML response in Proxy.java.
 - added a "doc" ant build target that builds Javadoc for CAS.
 - added a getSerialNumber() method to the service ticket cache that
   allows for monitoring.

CAS 2.0.11 (July 2003): security fix, minor bug fix
 - Modified ServiceTicketCache and GrantorCache to make sure the ticket
   grantor is still valid before vending a ticket.  This fixes a bug
   where the user can have logged out of CAS but still have proxy tickets
   vended and validated to his login name.
 - Fixed a bug in Login where renew=true caused the user's TGC to be
   deleted.

CAS 2.0.10 (June 2003): product maturation
 - Generally improved packaging, documentation, and installation
   instructions.
 - Improved the security of "renew=true"; applications may now specify
   this flag during ticket validation to ensure that a ticket was
   acquired by a request that set this flag on the login page.  This
   lets an application be surer that a user truly reauthenticated with
   primary credentials.  (Thanks to Mads Freek Petersen from Roskilde
   University in Denmark for reporting this problem.)
 - The "warn me before logging into other services" feature is now
   properly shut off upon a second login to CAS during which the user
   doesn't check the box; the cookie was formerly inappropriately
   "sticky."  (Thanks to Andrew Draskoy from Memorial University in
   Newfoundland for reporting this problem.)
 - The servlets no longer call Cookie.setDomain() when the goal is to
   send the ticket back only to the CAS server; this is the default,
   is more clearly correct and portable, and is conceivably more
   restrictive too.  (No apparent security-related vulnerability is
   associated with the former call to Cookie.setDomain(request.
   getServerName()) because, while getServerName() does indeed use the
   HTTP "Host" header -- which led to a client-side problem fixed in
   version 2.0.2 of the client distribution -- an attacker should have
   no way to coerce a browser to send a malformed or hijacked "Host"
   header, which would be necessary to exploit getServerName()'s
   dependency on "Host" in this case.)
 - The "logout" servlet now sets the "TGC overwrite" cookie's path
   explicitly and marks it "secure."  This has no effect on security
   since the CAS server destroys all records of the session anyway,
   but if we're going to try to delete the cookie, we may as well do
   so in a manner that will work with as many browsers as possible.  
   (Thanks to Trenton Adams at Athabasca University.)
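
   The ticket-handling fixes recorded in the entries above fit together in
   one registry: ticket maps touched only under a lock so the expiry timer
   survives (2.0.12beta3), a one-time login ticket that defeats a re-posted
   login form (2.0.12beta/2.0.12beta2), a grantor-validity check before any
   ticket is vended (2.0.11), and a renew=true validation check that accepts
   only tickets issued straight from a primary authentication (2.0.10).  The
   following is an added example written for this page, not code from the
   CAS distribution; class names, method names, ticket lifetimes and the
   demo inputs in main() are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/*
 * Added illustration, not code from the CAS distribution (Java 16+ for records).
 * One lock guards every ticket map, so an expiry sweep run from a Timer thread
 * cannot die with a ConcurrentModificationException and leave tickets alive;
 * login tickets are single-use, so a replayed login form is refused; a service
 * ticket is vended only while its grantor (the TGT) is still valid; and
 * validation with renew=true accepts only tickets issued straight from a
 * primary authentication.  Names and lifetimes are assumptions for this example.
 */
public final class TicketRegistry {
    record Tgt(String user, long expires) {}
    record St(String tgtId, String service, boolean fromPrimaryAuth, long expires) {}
    record Login(String tgtId, String serviceTicket) {}
    static final long TGT_TTL_MS = 8L * 3600 * 1000, ST_TTL_MS = 5L * 60 * 1000, LT_TTL_MS = 10L * 60 * 1000;

    private final Object lock = new Object();
    private final Map<String, Tgt> tgts = new HashMap<>();
    private final Map<String, St> sts = new HashMap<>();
    private final Map<String, Long> loginTickets = new HashMap<>();   // id -> expiry
    private final SecureRandom rng = new SecureRandom();

    private String newId(String prefix) {
        byte[] b = new byte[16];
        rng.nextBytes(b);
        return prefix + Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    /** Hidden field in the login form; accepted for exactly one POST. */
    public String issueLoginTicket(long now) {
        String lt = newId("LT-");
        synchronized (lock) { loginTickets.put(lt, now + LT_TTL_MS); }
        return lt;
    }
    /** Primary authentication; the caller has already verified the password. */
    public Login login(String lt, String user, String service, long now) {
        synchronized (lock) {
            Long ltExpiry = loginTickets.remove(lt);   // consumed on first use, fresh or stale
            if (ltExpiry == null || ltExpiry <= now) {
                throw new SecurityException("login ticket missing, expired or already used");
            }
            String tgtId = newId("TGC-");
            tgts.put(tgtId, new Tgt(user, now + TGT_TTL_MS));
            return new Login(tgtId, vend(tgtId, service, true, now));   // fromPrimaryAuth = true
        }
    }
    /** Single sign-on: a later service is served from the existing TGT, no password asked. */
    public String grantServiceTicket(String tgtId, String service, long now) {
        synchronized (lock) { return vend(tgtId, service, false, now); }
    }
    // Caller holds the lock.  Refuses when the grantor was logged out or has expired.
    private String vend(String tgtId, String service, boolean primary, long now) {
        Tgt tgt = tgts.get(tgtId);
        if (tgt == null || tgt.expires() <= now) throw new SecurityException("grantor no longer valid");
        String stId = newId("ST-");
        sts.put(stId, new St(tgtId, service, primary, now + ST_TTL_MS));
        return stId;
    }
    /** One-shot validation: the user name, or null if the ticket must not be accepted. */
    public String validate(String stId, String service, boolean renew, long now) {
        synchronized (lock) {
            St st = sts.remove(stId);
            if (st == null || st.expires() <= now || !st.service().equals(service)) return null;
            if (renew && !st.fromPrimaryAuth()) return null;   // the 2.0.10 renew check
            Tgt tgt = tgts.get(st.tgtId());                    // the 2.0.11 grantor check
            return tgt == null ? null : tgt.user();
        }
    }
    public void logout(String tgtId) {
        synchronized (lock) { tgts.remove(tgtId); }
    }
    /** Expiry sweep (schedule it from a java.util.Timer); it takes the mutators' lock. */
    public int expire(long now) {
        synchronized (lock) {
            int before = tgts.size() + sts.size() + loginTickets.size();
            tgts.values().removeIf(t -> t.expires() <= now);
            sts.values().removeIf(s -> s.expires() <= now);
            loginTickets.values().removeIf(exp -> exp <= now);
            return before - tgts.size() - sts.size() - loginTickets.size();
        }
    }

    public static void main(String[] args) {
        TicketRegistry reg = new TicketRegistry();
        long now = System.currentTimeMillis();
        String lt = reg.issueLoginTicket(now);
        Login first = reg.login(lt, "alice", "https://app.example/", now);
        System.out.println(reg.validate(first.serviceTicket(), "https://app.example/", true, now)); // alice
        try { reg.login(lt, "alice", "https://app.example/", now); }                   // replayed form
        catch (SecurityException e) { System.out.println("replay refused: " + e.getMessage()); }
        String sso = reg.grantServiceTicket(first.tgtId(), "https://other.example/", now);
        System.out.println(reg.validate(sso, "https://other.example/", true, now));   // null: not renewed
        reg.logout(first.tgtId());
        try { reg.grantServiceTicket(first.tgtId(), "https://other.example/", now); }
        catch (SecurityException e) { System.out.println("after logout: " + e.getMessage()); }
    }
}
```

   Two points worth noting.  The login ticket is removed from the map on
   its first presentation whether or not that attempt succeeds, so a stale
   form can never be "retried" into a login; and the sweep takes the same
   lock as every mutator, which is the whole of the 2.0.12beta3 fix: the
   timer thread can no longer observe a map mid-modification.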

CAS 2.0.6 (October 2002): minor adjustments
 - SimpleHandler in the sample web.xml changed to SampleHandler to match
   the sample code that is provided
 - reference to JSTL removed from goService.jsp; it wasn't being used.

CAS 2.0.5 (September 2002): minor adjustment
 - included JSTL dependencies for web application

CAS 2.0.4 (September 2002): minor bugfix release
 - fixed a typo in web.xml affecting the CAS logout page
 - included a missing utility library in support of the change introduced
   in CAS 2.0.3.

CAS 2.0.3 (August 2002): minor bugfix release
 - prevents the characters \n, \r, and \" from appearing in a service URL.
   The service URL is echoed into the goService.jsp and warnService.jsp
   responses, and these characters would corrupt the structure of those
   pages.  There appears to be no way to escape such characters safely in
   a compatible manner (specifically, both on Netscape 4.7x and Internet
   Explorer 5.x).
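
   Why those three characters matter: the service URL ends up inside a
   quoted string in the redirect page, and a quote or line break ends that
   string early, turning the rest of the URL into page content.  The
   following added example (written for this page, not CAS's own code)
   shows the corrupted output and one way to enforce the restriction, by
   refusing such URLs outright; the page template, the method names and
   the constructed input URLs are assumptions.

```java
/*
 * Added illustration, not code from the CAS distribution.  A service URL is
 * echoed into a goService.jsp-style redirect page inside a quoted string; a
 * \r, \n or " in the URL closes that string early and corrupts the page.
 * The template and the names below are assumptions for this example.
 */
public final class ServiceUrlCheck {

    /** True when the URL contains none of the characters the 2.0.3 fix keeps out. */
    static boolean isEmittable(String serviceUrl) {
        for (int i = 0; i < serviceUrl.length(); i++) {
            char c = serviceUrl.charAt(i);
            if (c == '\n' || c == '\r' || c == '"') return false;
        }
        return true;
    }

    /** Renders a redirect page; the URL lands inside a JavaScript string literal. */
    static String redirectPage(String serviceUrl) {
        if (!isEmittable(serviceUrl)) {
            throw new IllegalArgumentException("service URL contains \\r, \\n or \"");
        }
        return "<html><body><script>\n"
             + "window.location.href = \"" + serviceUrl + "\";\n"
             + "</script></body></html>\n";
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal service URL, and one carrying a quote and a newline.
        String good = "https://app.example/login?ticket=ST-1";
        String bad  = "https://app.example/\";\nINJECTED_STATEMENT;//";
        System.out.print(redirectPage(good));
        System.out.println("-- unchecked rendering of the bad URL would be:");
        System.out.print("window.location.href = \"" + bad + "\";\n");   // literal ends at the first "
        try {
            redirectPage(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

   Refusing is the conservative choice the 2.0.3 note points at: with no
   escaping that both Netscape 4.7x and Internet Explorer 5.x agree on,
   any attempt to encode the characters instead would be a bet on browser
   behaviour.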

CAS 2.0.2 (July 2002): minor bugfix release
 - XML documents returned by ServiceValidate service use XML namespaces
 - other minor changes

CAS 2.0.1 (June 2002): minor bugfix release
  - service IDs returned in proxy chain now correspond to authenticated
    callback PGT receptor, not the service ID for the original service
    ticket

CAS 2.0.0 (May 2002): n-tier, proxiable single sign-on, plus extra features:
  - services can require CAS to reauthenticate users
  - services can direct CAS to perform NO primary authentication
  - users can now choose to be warned before using CAS to log into a service

CAS 1.0 (2001): 1-tier, centralized single sign-on
