1.9. Change Log

Caution

This version is already obsolete. Please check the latest guideline.

Modified on Modified locations Modification details
2017-03-17 -

5.3.0 RELEASE version published

  General

Correction of guideline mistakes (typing errors, simple mistakes, etc.)

Description details improved

Modification in Maven command’s startup option for generating a blank project due to the change of Maven archetype (change to Maven Central)(guideline#2444)

  Criteria based mapping of guideline

Description details added

  • A table listing a point of view by CVE is added in Mapping based on security measures (guideline#2439)
  Terms of Use

Description details modified

  Stack of TERASOLUNA Server Framework for Java (5.x)

Version of OSS to be used updated(guideline#2441)

  • Update version of Spring IO Platform to Athens-SR2
  • Update version of MyBatis to 3.4.2
  • Update version of MyBatis-Spring to 1.3.1
  • Update mybatis-typehandlers-jsr310 to 1.0.2

OSS version to be used in accordance with version update of Spring IO Platform is updated

  Domain Layer Implementation

Description details modified

  • Modified signature-limiting interface and base class implementation sample(guideline#2219)
  Implementation of Application Layer

Description details added

  • Added “<mvc:view-controller> is used when a simple view controller is to be created” (guideline#2371)
  • Precautions to indicate the existence of unusable characters in Cookie name or value added (guideline#2518)

Modifications related to Spring Framework 4.3

  • Precautions while using @DateTimeFormat for JSR-310 Date and Time API class deleted (guideline#2505)
  Input Validation

Description details added

  • Added input check method to values in collection(guideline#407)

Description details modified

  • Added explanation on how to include input check target in message(guideline#2002)
  • Corrected description about check content of input check by @URL(guideline#2260)
  Exception Handling

Fix according to Spring Framework 4.3 support

  Session Management

Description details added

  • Added about how to prevent binding of request parameters when receiving object is stored in session scope(guideline#1293)
  Internationalization

Description details added

  • Example when internationalization is not applied and its countermeasures added (guideline#2427)
  File Upload

Description details added

  • Added explanation on how to avoid garbled characters when using JBoss EAP 7.0(guideline#2403)
  RESTful Web Service

Modification related to Spring Framework 4.3

  • Added explanation that HEAD and OPTIONS methods are implicitly prepared (guideline#1704)

Description details added

  • Added description related to output specification of explanation cause of HTTP status code (reason-phrase)(guideline#2518)
  REST Client (HTTP Client)

Modification related to Spring Framework 4.3

  • Added explanation about implementation of common processing of asynchronous request (guideline#2369)
  Database Access (MyBatis3)

Description details updated,added

  • Updated description on setting method when using JSR-310 Date and Time API (guideline#2365)

Description details added

  • Added description about setting for invoking rollback processing when an error occurs at commit(guideline#2375)

Description details modified

  • Modified implementation example when using BLOB and CLOB (guideline#1775)
  • Modified explanation of the option to control the timing of “Lazy Load” execution (guideline#2364)
 

Description details added

  • Added warning for a bug in which “nowait” clause is not added when using PostgreSQL(guideline#2372)
 

Description details added

  • Precautions added for issue “”nowait” not added while using PostgreSQL” (guideline#2372)
  Sending E-mail (SMTP)

Description details added

  • Issues occuring in JavaMail and the methods to avoid the same added (guideline#2190)
  Authentication

Description details added

  • Description added for value attribute of checkbox used in Remember Me authentication (guideline#785)
  • Precautions while using <mvc:view-controller> added (guideline#2371)

Description details modified

  Authorization

Modification related to Spring Framework 4.3

  • Modified desctiption and note about mitigation of CVE-2016-5007as the default value of trimTokensproperty in AntPathMatcherwas changed. (guideline#2565)

Description details added

  • Warning related to access control for specific URL added (guideline#2399)
  • Description for how to use path variable and precautions for use added (guideline#2406)
  • Precautions for changing specifications of path matching of AntPathRequestMatcher added (guideline#2428)
    * -
    • 2016-08-31
    • -
    • 5.2.0 RELEASE version published
    • Stack of TERASOLUNA Server Framework for Java (5.x)

    • Description details added

      • Embedding status of common library standards of blank project added (guideline#1700)
      • mybatis-typehandlers-jsr310, jackson-datatype-jsr310 added to OSS stack (guideline#1966)
      • spring-jms and its dependent libraries added to OSS stack (guideline#1992)

      Version of OSS used (Spring IO Platform version) updated)

      • Spring IO Platform version updated to 2.0.6.RELEASE
      • Spring Framework version updated to 4.2.7.
      • Spring Security version updated to 4.0.4.RELEASE

      OSS version used in accordance with Spring IO Platform version update is updated

    • Input Validation

    • Addition of description contents

      Description details modified

      • A method to directly handle a message property file without conversion from Native to Ascii is added (guideline#994)
      • Description for cross-field validation added (guideline#1561)
      • @DateTimeFormat description added (guideline#1873)
      • Description for ValidationMessages.properties modified (guideline#1948)
      • Precautions for input check which use Method Validation added (guideline#1998)

      Description details added

    • Double Submit Protection

    • Description details added

      • Description for specifications and implementation methods of TransactionTokenType.CHECK which was newly added in type attribute of @TransactionTokenCheck annotation (guideline#2071)

      “How to manage transaction token life cycle in How To Extend programmatic” deleted.

      • When API for application offered by TransactionTokenContextis used, it impacts the behaviour of internal framework like inability to maintain TransactionToken in the appropriate state Current API is deprecated. Description for how to use function in accordance with deprecation, deleted.
    • RESTful Web Service
    • Description details changed / added
      • Description for the configuration while using JSR-310 Date and Time API / Joda Time changed (guideline#1966)
      • Precautions while using Jackson in Java SE 7 environment described (guideline#1966)
      • Configuration while using JSR-310 Date and Time API in JSON described (guideline#1966)
    • Logging
    • Description details added
      • “How to extend in order to output log message with ID” described (guideline#1928)
    • String Processing
    • Description details added
      • An example to add terasoluna-gfw-string to dependency is added (guideline#1699)
      • Precautions for surrogate pair added to description of @Size annotation (guideline#1874)
      • Description for JIS characters U+2014(EM DASH) UCS(Unicode) characters added (guideline#1914)
    • Authentication
    • Modifications for Spring Security 4.0.4
      • Code example modified to include modification of specifications of authentication-failure-url in Spring Security 4.0.4 and Note deleted (guideline#1963)
    • 2016-02-24
    • -
    • 5.1.0 RELEASE version published
    • General

    • Correction of errors in the guideline (typo mistakes and simple description errors)

      Description details modified

    • In the Beginning
    • Description details added
      • Description related to operation verification environment of the details described in the guideline added
    • Stack of TERASOLUNA Server Framework for Java (5.x)

    • OSS version to be used (Spring IO Platform version) updated

      • Spring IO Platform version updated in 2.0.1.RELEASE
      • Spring Framework version updated in 4.2.4.RELEASE
      • Spring Security version updated in 4.0.3.RELEASE

      OSS version to be used along with Spring IO Platform version update is updated

      New project added

      • Descriptions for terasoluna-gfw-string, terasoluna-gfw-codepoints, terasoluna-gfw-validator, terasoluna-gfw-web-jsp projects added.

      New function of common library added

      terasoluna-gfw-string
      • Half width to full width conversion
      terasoluna-gfw-codepoints
      • Codepoint check
      • Bean Validation constraint annotation for code point check
      terasoluna-gfw-validator
      • Bean Validation constraint annotation for byte length check
      • Bean Validation constraint annotation for field value comparison correlation check
    • Tutorial (Todo Application)

    • Modifications corresponding to Spring Security 4

      • Modification of source corresponding to Spring Security 4 (guideline#1519)
      • AuthenticationPrincipalArgumentResolver package changed
      • Since the specification is true by default, <use-expressions="true"> deleted from sample source
    • Database Access (MyBatis3)
    • Description details corresponding to MyBatis 3.3 added
      • Setup method of defaultFetchSize added (guideline#965)
      • “Changed the default at the time of delayed reading to JAVASSIST” added (guideline#1384)
      • Sample code which assigns Genrics to ResultHandler modified (guideline#1384)
      • Source example which use newly added @Flush annotation, and precautions added (guideline#915)
    • Database Access (JPA)

    • Bug correction for the guideline

      • Utility which use Like condition modified appropriately (guideline#1464)
      • Incorrect implementation of true value in JPQL corrected (guideline#1525)
      • Incorrect implementation of pagination corrected (guideline#1463)
      • Incorrect implementation of sample code corrected which implements DateTimeProvider (guideline#1327)
      • Incorrect implementation in Factory class for generating an instance of implementation class for common Repository interface corrected (guideline#1327)

      Description details modified

    • Logging

    • Description details modified

      • Description where ServiceLoader mechanism is used in Logback setting, is added (guideline#1275)
      • Sample source corresponding to Spring Security 4 modified (guideline#1519)
      • Since the specification is true by default, <use-expressions="true"> deleted from the sample source
    • Codelist
    • Description details added
      • Description which recommends a pattern wherein JdbcTemplate is specified in JdbcCodeList, is added (guideline#501)
    • RESTful Web Service
    • Description details modified
      • Creation of ObjectMapper which use Jackson2ObjectMapperFactoryBean added (guideline#1022)
      • Modified to a format where MyBatis3 is used as a prerequisite in the implementation of domain layer of REST API application (guideline#1323)
    • File Upload
    • Description details modified
      • Basic flow of uploading process and its description modified to description which use MultipartFilter of Spring (guideline#193)
      • “A method which sends CSRF token by query parameter” deleted due to issues like security issues, variation in the operation according to AP server etc. Precaution - “when allowable size for file upload exceeds, CSRF token check is not carried out appropriately in some AP servers” added (guideline#1602)
    • File Download

    • Description details corresponding to Spring Framework4.2 added

      • AbstractXlsxView which manages xlsx format, is added (guideline#996)

      Description details modified

      • Source example which use com.lowagie:itext:4.2.1 modified to a format which uses com.lowagie:itext:2.1.7 for the specification change of the iText
    • Date Operations (Joda Time)
    • Description details added and modified
      • The object of sample code which handles the date that does not use Timezone modified to LocalDate (guideline#1283)
      • A method to handle Japanese calendar in Java8 and earlier versions is added (guideline#1450)
    • Logging
    • Description details added
      • Extension method to output log message with ID is described (guideline#1928)
    • Spring Security Overview

    • Modify corresponding to Spring Security 4

      • Restructuring overall description
      • spring-security-test introduction
      • Since the specification is true by default, <use-expressions="true"> deleted from sample source
      • Description related to RedirectAuthenticationHandlerdeprecation deleted
    • Authentication

    • Modified corresponding to Spring Security 4 (guideline#1519)

      • Restructuring of overall description
      • Deleted auto-config="true"
      • Authentication event listener modified to @org.springframework.context.event.EventListener
      • Modified AuthenticationPrincipal package
      • Since prefix is assigned by default, ROLE_ prefix deleted from sample source
    • Authorization

    • Modified corresponding to Spring Security 4 (guideline#1519)

      • Restructuring of overall description
      • Since the prefix is assigned by default, ROLE_ prefix deleted from sample source
      • Since the specification is true by default, <use-expressions="true"> deleted from sample source
      • Definition example of @PreAuthorize added
    • CSRF Countermeasures

    • Modified corresponding to Spring Security 4

      • Restructuring of overall description
      • CSRF invalidation settings modified <sec:csrf disabled="true"/>
      • Description details modified
    • Tutorial (Todo Application REST)

    • Modified corresponding to Spring Security 4

      • CSRF invalidation settings modified <sec:csrf disabled="true"/>
      • Since the specification is true by default, <use-expressions="true"> deleted from sample source
    • 2015-08-05
    • -
    • Released “5.0.1 RELEASE” version
    • Overall modifications

    • Fixed guideline errors (corrected typos, mistakes in description, etc.)

      Improved the description

      Fixed the description about application server

      • Removed the description for the Resin
      • Updated the link of reference page
    • In the Beginning
    • Added the description
      • Added description about tested environments for contents described in this guideline
    • Stack of TERASOLUNA Server Framework for Java (5.x)

    • Updated the OSS version(Spring IO Platform version) to protect security vulnerability

      • Spring IO Platform version updated to 1.1.3.RELEASE
      • Spring Framework version updated to 4.1.7.RELEASE (CVE-2015-3192)
      • JSTL version updated to 1.2.5 (CVE-2015-0254)

      Updated the OSS version by the Spring IO Platform version update

      Improved the description (guideline#1148)

      • Added the description of terasoluna-gfw-recommended-dependencies,terasoluna-gfw-recommended-web-dependencies and terasoluna-gfw-parent
      • Modified the description for some project
      • Added the illustration to indicate project dependencies
    • Logging
    • Improved the description
      • Added the description about additivity attribute of <logger> tag (guideline#977)
    • Authentication
    • Improved the description
      • Added the notes about handling with some properties of parent class of ExceptionMappingAuthenticationFailureHandler (guideline#812)
      • Modified the setting example for the requiresAuthenticationRequestMatcher property of AbstractAuthenticationProcessingFilter (guideline#1110)
    • Authorization
    • Fixed the guideline bug
      • Modified the setting example for the access attribute of <sec:authorize> tag (JSP tag library) (guideline#1003)
    • Elimination of environmental dependency
    • Added the description
      • Added how to apply the external classpath(alternative functionality of VirtualWebappLoader of Tomcat7) at the time of Tomcat8 use (guideline#1081)
    • 2015-06-12
    • Overall modifications
    • Released English version of “5.0.0 RELEASE”
    • 2015-03-06
    • RESTful Web Service
    • Guideline bug modification
      • Modification of sample code for exception handling (the code that contains the issue of generating NullPointerException). For improvement details, refer to guideline#918.
    • Tutorial (Todo Application)
    • Updated in accordance with version 5.0.0
      • Use of Spring Framework 4.1.
      • MyBatis3 support as infrastructure layer.
      • Revised document structure.
    • Domain Layer Implementation

    • Modified in accordance with Spring Framework 4.1

      • Added description about handling @Transactional of JTA 1.2. For modification details, refer to guideline#562 issue.
      • Modified description about handling @Transactional(readOnly = true) when using JPA (Hibernate implementation). With SPR-8959 (Spring Framework 4.1 and later versions) support, it has been improved so that instruction can be given so as to handle as “Read-only transactions” for JDBC driver.

      Added description

      • Added notes regarding the cases where “Read-only transactions” are not enabled. For added contents, refer to guideline#861 issue.
    • Database Access (Common)

    • Modified in accordance with bug fixes of common library

      • Added description about handling double byte wild card characters (, _), in accordance with bug fixes of common library (terasoluna-gfw#78). For modification details, refer to guideline#712 issue.

      Modified in accordance with Spring Framework 4.1

      • Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework. This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).

      Modified in accordance with Apache Commons DBCP 2.0

      • Changed the sample code and its description to use component for Apache Commons DBCP 2.0.
    • Exclusive Control

    • Fixed guideline bugs

      • Modified the sample code of optimistic locking of long transactions (processing when records cannot be fetched). For modification details, refer to guideline#450 issue.

      Modified in accordance with Spring Framework 4.1

      • Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework. This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).

      Modified in accordance with MyBatis3

      • Added methods to implement exclusive control when using MyBatis3.
    • Input Validation

    • Fixed guideline bugs

      • Modified the description of @GroupSequence. For modification details, refer to guideline#296 issue.

      Modified in accordance with bug fixes of common library

      Added description

      • Added a method to link with the mechanism of Group Validation of Bean Validation at the time of correlated item check using Spring Validator. For added contents, refer to guideline#320 issue.

      Modified in accordance with Bean Validation 1.1 (Hibernate Validator 5.1)

      • Added description about inclusive attribute of @DecimalMin and @DecimalMax.
      • Added description about Expression Language.
      • Described about deprecated API from Bean Validation 1.1.
      • Added description about a bug related to ValidationMessages.properties of Hibernate Validator 5.1.x (HV-881) and methods to prevent the same.
    • Exception Handling

    • Added description

      • Added a description that simple error page is likely to be displayed in Internet Explorer when an error having size lesser than 513 bytes is sent as response. For added contents, refer to guideline#189 issue.

      Modified in accordance with Spring Framework 4.1

      • Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework. This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).
    • Session Management
    • Modified in accordance with Spring Security 3.2
      • Removed the description about a problem where CSRF token error occurs (SEC-2422 ) instead of session time out at the time of POST request. A mechanism to detect session time out is included in formal version of Spring Security 3.2, hence the problem is resolved.
    • Message Management
    • Reflected changes of common library
      • Added description about newly added message type (warning) and deprecated messages types (warn), in accordance with the improvement of common library (terasoluna-gfw#24). For modification details, refer to guideline#74 issue.
    • Pagination

    • Reflected changes of common library

      • Changed description of page link in active state, in accordance with the improvement of common library (terasoluna-gfw#13). For modification details, refer to guideline#699 issue.
      • Changed description of page link in disabled state, in accordance with the improvement of common library (terasoluna-gfw#14). For modification details, refer to guideline#700 issue.

      Modified in accordance with Spring Data Common 1.9

      • Added notes for the classes where API specifications (Page interface, etc.) are changed due to version upgrade.
    • Codelist

    • Modified in accordance with bug fixes of common library

      • Added notes about version upgrade and changing message key of ExistInCodeList in accordance with bug fixes of common library (terasoluna-gfw#16). For modification details, refer to guideline#638 issue.
      • Added notes about message definition of @ExistInCodeList in accordance with bug fixes of common library (terasoluna-gfw#256). For modification details, refer to guideline#766 issue.

      Reflected changes of common library

      • Added a method to use EnumCodeList class in accordance with addition of common library functions (terasoluna-gfw#25).
    • Ajax

    • Modified in accordance with Spring Security 3.2

      • Changed the sample code for CSRF measures (method to create <meta> tag for CSRF measures).

      Modified in accordance with Jackson 2.4

      • Changed the sample code and description to use components for Jackson 2.4.
    • RESTful Web Service

    • Improvement in description

      • Improve the method to build an URL to be set in location header and hypermedia link. For improvement details, refer to guideline#374 issue.

      Modified in accordance with Spring Framework 4.1

      • Added a description about @RestController. For modification details, refer to guideline#560 issue.
      • Changed the sample code to create ResponseEntity using builder style API.

      Modified in accordance with Jackson 2.4

      • Changed the sample code and description to use components for Jackson 2.4.

      Modified in accordance with Spring Data Common 1.9

      • Added notes for the classes where API specifications (Page interface, etc.) are changed due to version upgrade.
    • File Upload

    • Fixed guideline bugs

      • Modified version of Apache Commons FileUpload with resolved CVE-2014-0050 (File Upload vulnerabilities). For modification details, refer to guideline#846 issue.

      Added description

      • File upload function of Servlet 3 has a problem of garbled characters on a part of application server. Therefore, added a method to use Apache Commons FileUpload as a measure to prevent this event. For added contents, refer to guideline#778 issue.
    • Screen Layout using Tiles

    • Modified in accordance with Tiles 3.0

      • Changed the example of settings and description to use component for Tiles 3.0.

      Modified in accordance with Spring Framework 4.1

      • Added description about <mvc:view-resolvers>, <mvc:tiles>, <mvc:definitions>. For modification details, refer to guideline#609 issue.
    • Date Operations (Joda Time)

    • Added description

      Modified in accordance with Joda Time 2.5

      • Since DateMidnight class is deprecated in accordance with version upgrade, changed the method to fetch start time of specific date (0:00:00.000).
    • Spring Security Overview
    • Modified in accordance with Spring Security 3.2
      • Added “Settings to create secure HTTP header” in appendix.
    • Spring Security Tutorial
    • Updated in accordance with version 5.0.0
      • Made changes so as to use MyBatis3 as infrastructure layer.
      • Applied Spring Framework 4.1
      • Applied Spring Security 3.2
      • Revised document structure.
    • Authentication

    • Fixed guideline bugs

      • Modified the erroneous and inadequate description of <form-login>, <logout>, <session-management> tag. For modification details, refer to guideline#754 issue.
      • Modified the sample code that indicates extension method of AuthenticationFilter (added settings to validate CSRF measures and session fixation attack measures). For details, refer to guideline#765 issue.

      Modified in accordance with Spring Security 3.2

      • Added notes about logout method when CSRF measures are validated.
      • Added description of @AuthenticationPrincipal, as a method to access UserDetails (authentication user information class) from Controller.
      • Added description of changeSessionId, as parameters of session-fixation-protection attribute of <sec:session-management>.
      • Added methods to detect session time-out and notes for same.
      • Changed setting method to validate concurrent session control of identical users (made changes so as to use <sec:concurrency-control>).
      • Added a point that a class of concurrent session control of identical users is deprecated and other class is provided.
    • CSRF Countermeasures

    • Modified in accordance with Spring Security 3.2

      • Removed description about the component for CSRF measures of Spring Security 3.2.0 (provisional version before formal release) included in common library of version 1.0.x.
      • Changed setting method to validate CSRF measures by a proper method of Spring Security 3.2 (method using <sec:csrf>).
      • Added description about JSP tag library (<sec:csrfInput> and <sec:csrfMetaTags>) for CSRF measures.
      • Added methods to detect session time-out and precautions when CSRF measures are validated.

      Modified in accordance with Spring Framework 4.1

      • Changed description about the condition where CSRF token is output as hidden, when <form:form> is used.
    • Tutorial (Todo Application REST)

    • Improved the description

      Updated in accordance with version 5.0.0

      • Applied Spring Framework 4.1.
      • Applied Spring Security 3.2.
      • Applied Jackson 2.4.
    • Create a new project from a blank project
    • Improved the description
      • Supported method to create a project having multi project structure.
      • Updated the method to create a project having single project structure.
    • Stack of TERASOLUNA Server Framework for Java (5.x)
    • Updated the OSS version in accordance with bug fixes.
      • GroupId (org.springframework ) updated to 3.2.10.RELEASE from 3.2.4.RELEASE
      • GroupId (org.springframework.data )/ArtifactId(spring-data-commons ) updated to 1.6.4.RELEASE from 1.6.1.RELEASE
      • GroupId (org.springframework.data )/ArtifactId(spring-data-jpa ) updated to 1.4.3.RELEASE from 1.4.1.RELEASE
      • GroupId (org.aspectj ) updated to 1.7.4 from 1.7.3
      • Deleted GroupId (javax.transaction )/ArtifactId(jta )
    • Japanese version

      Ajax

    • Updated description of countermeasures against XXE Injection

    • Japanese version

      File Upload

    • Added a warning about CVE-2014-0050 (File Upload Vulnerability)

      Fixed guideline bugs.

      • Added how to handle MultipartException using error-page functionality of servlet container, because your application can’t handle MultipartException using SystemExceptionResolver when used MultipartFilter. Refer to Issue of guideline#59 for details.
    • Japanese version
    • Minor modifications in how to create following Maven archetype
    • 2013-12-17
    • Japanese version
    • Released “1.0.0 Public Review” version