1.9. Change Log

Modified on Modified locations Modification details
2018-03-16 - 5.4.1 RELEASE version published
  General

Correction of guideline mistakes (typing errors, simple mistakes, etc.)

Description details improved

  Stack of TERASOLUNA Server Framework for Java (5.x)

OSS version to be used is updated (Management ID#3061)

  • Spring IO Platform version updated to Brussels-SR5
  • MyBatis version updated to 3.4.5

OSS version to be used along with version update of Spring IO Platform updated

Updated OSS version used for compliance with CVE-2018-1199(Management ID#3300)

  • Updated Spring Framework version to 4.3.14
  • Updated Spring Security version to 4.2.4
  Domain Layer Implementation

Description details added

  • Description related to timeout attribute of @Transactional annotation added (Management ID#1776)
  Input Validation

Description details added

  • Added description for value of NOT_EQUAL which was newly added in operator attribute of @Compare annotation (Management ID#2842)
  • Notes while using @Email annotation are added (Management ID#2930)

Bug fixes in the guidelines

  • Fixed implementation example of check rule extension method of common library (Management ID#2822)
  Exception Handling

Description details modified

  • Modification related to change in common library (ExceptionLoggingFilter ), and correction of existing clerical mistakes (Management ID#2794)
  Screen Layout using Tiles

Description details modified

  • Descriptions related to matching of name attribute of <definition> tag (Tiles definition file), and misleading descriptions of related parts modified (Management ID#2717)
  REST Client (HTTP Client)

Modification related to Spring Framework 4.3

  • Description related to settings of request header for Basic authentication changed (Management ID#2742)
  SOAP Web Service (Server/Client)

Description details modified

  • Annotation used for injection associated with SOAP Web Service implementation changed from @Inject to @Autowired (Management ID#2763)
  • Correction of errors for JAX-WS linkage function of Spring Framework, and notes related to running of SOAP server on JAW-WS implementation of Java EE server added (Management ID#2770)
  JMS(Java Message Service)

Description details modified

  • Description modified such that asynchronous transmission transaction management is to be done by DefaultMessageListenerContainer instead of ChainedTransactionManager (Management ID #2814)
  Authentication

Description details modified

  • Added explanation for class (Pbkdf2PasswordEncoder) for password hashing, and then a description that recommends BCryptPasswordEncoderis deleted (Management ID#3011)
  Authorization

Modified according to Spring Framework 4.3 support

  • Description details modified due to deleting definition of mvc:path-matching from blank project and changing the default setting of Spring MVC (Management ID#2941)

Description details modified

  • Description details related to definition of access policy which use path variable in Spring Security are modified (Management ID#3090)
  XSS Countermeasures

Description details modified, added

  • Sample source of JavaScript Escaping modified (Management ID#2531)
  • Precautions while using document.write() added (Management ID#2531)
  OAuth

Structure reviewed

  • Changed to a chapter structure where How to use is explained for each grant type (Management ID#2818)

Description details added

  • List of exceptions occured in Spring Security OAuth and handling methods added (Management ID#2819)
  • Explanation added for extension points of Spring Security OAuth (Management ID#2820)
  • Basic authentication setup method for resource server added (Management ID#2891)
  • Post processing for implicit (access token clear) added (Management ID#2891)

Description details modified

  • Sample code modified (Management ID#2891)
  • Flow and its explanation modified (Management ID#2891)
  • Deleted the defect warning when the URL setting of check token endpoint of authorization server is not reflected (Management ID#3263)
  Unit test

Added new

  • Unit test added (Management ID#1817)
2017-11-10 - 5.3.1 RELEASE version published
  General Correction of guideline mistakes (typing errors, simple mistakes etc.)
2017-03-17 - 5.3.0 RELEASE version published
  General

Correction of guideline mistakes (typing errors, simple mistakes, etc.)

Description details improved

Start-up options associated with Maven archetype deployment change for Blank project generation (Change to Maven Central) modified (Management ID#2444)

  Criteria based mapping of guideline

Description details added

  • A table listing a point of view by CVE is added in Mapping based on security measures (Management ID#2439)
  Terms of Use

Description details modified

  • Terms of use modified (Management ID#2625)
  Stack of TERASOLUNA Server Framework for Java (5.x)

Version of OSS to be used updated (Management ID#2441)

  • Update version of Spring IO Platform to Athens-SR2
  • Update version of MyBatis to 3.4.2
  • Update version of MyBatis-Spring to 1.3.1
  • Update mybatis-typehandlers-jsr310 to 1.0.2

OSS version to be used in accordance with version update of Spring IO Platform is updated

  Domain Layer Implementation

Description details modified

  • Modified signature-limiting interface and base class implementation sample (Management ID#2219)
  Implementation of Application Layer

Description details added

  • Added “<mvc:view-controller> is used when a simple view controller is to be created” (Management ID#2371)
  • Precautions to indicate the existence of unusable characters in Cookie name or value added (Management ID#2518)

Modifications related to Spring Framework 4.3

  • Precautions while using @DateTimeFormat for JSR-310 Date and Time API class deleted (Management ID#2505)
  Input Validation

Description details added

  • Added input check method to values in collection (Management ID#407)

Description details modified

  • Added explanation on how to include input check target in message (Management ID#407)
  • Corrected description about check content of input check by @URL(Management ID#2260)
  Exception Handling

Fix according to Spring Framework 4.3 support

  • Added description of how to handle a fatal error (Management ID#2368)
  Session Management

Description details added

  • Added about how to prevent binding of request parameters when receiving object is stored in session scope (Management ID#1293)
  Internationalization

Description details added

  • Example when internationalization is not applied and its countermeasures added (Management ID#2427)
  File Upload

Description details added

  • Added explanation on how to avoid garbled characters when using JBoss EAP 7.0 (Management ID#2403)
  RESTful Web Service

Modification related to Spring Framework 4.3

  • Added explanation that HEAD and OPTIONS methods are implicitly prepared (Management ID#1704)

Description details added

  • Added description related to output specification of explanation cause of HTTP status code (Management ID#2518)
  REST Client (HTTP Client)

Modification related to Spring Framework 4.3

  • Added explanation about implementation of common processing of asynchronous request (Management ID#2369)
  Database Access (MyBatis3)

Description details updated,added

  • Updated description on setting method when using JSR-310 Date and Time API (Management ID#2365)

Description details added

  • Added description about setting for invoking rollback processing when an error occurs at commit (Management ID#2375)

Description details modified

  • Modified implementation example when using BLOB and CLOB (Management ID#1775)
  • Modified explanation of the option to control the timing of “Lazy Load” execution (Management ID#2364)
 

Description details added

  • Added warning for a bug in which “nowait” clause is not added when using PostgreSQL (Management ID#2372)
 

Description details added

  • Precautions added for issue “”nowait” not added while using PostgreSQL” (Management ID#2372)
  Sending E-mail (SMTP)

Description details added

  • Issues occuring in JavaMail and the methods to avoid the same added (Management ID#2190)
  Authentication

Description details added

  • Description added for value attribute of checkbox used in Remember Me authentication (Management ID#785)
  • Precautions while using <mvc:view-controller> added (Management ID#2371)

Description details modified

  • Description for use of SecureRandom modified (Management ID#2177)
  Authorization

Modification related to Spring Framework 4.3

  • Modified desctiption and note about mitigation of CVE-2016-5007as the default value of trimTokensproperty in AntPathMatcherwas changed. (Management ID#2565)

Description details added

  • Warning related to access control for specific URL added (Management ID#2399)
  • Description for how to use path variable and precautions for use added (Management ID#2406)
  • Precautions for changing specifications of path matching of AntPathRequestMatcher added (Management ID#2428)
  Coordinating with browser security countermeasure function

Modifications associated with Spring Security 4.1.4 support

  • Added description on Content Security Policy (CSP)” (Management ID#2400)
  • Description added for HTTP Public Key Pinning (HPKP)(Management ID#2401)
  OAuth

New addition

  • Added OAuth (Management ID#2145)
  Tutorial (Todo Application)

Correction of description

  • Code example of entity when using JPA modified (Management ID#2476)
  Maven Repository Management using NEXUS

Modification to migration into Maven Central

  • Delete the description about TERASOLUNA Server Framework for Java (5.x) repository (Management ID#2496)
2016-08-31 - 5.2.0 RELEASE version published
  General

Correction of errors in the guideline (typos or simple description errors)

Description details modified

Review of all the chapters

Update common library version to 5.2.0.

Description details modified

  Stack of TERASOLUNA Server Framework for Java (5.x)

Description details added

  • Embedding status of common library standards of blank project added (Management ID#1700)
  • mybatis-typehandlers-jsr310, jackson-datatype-jsr310 added to OSS stack (Management ID#1966)
  • spring-jms and its dependent libraries added to OSS stack (Management ID#1992)

Version of OSS used (Spring IO Platform version) updated)

  • Spring IO Platform version updated to 2.0.6.RELEASE
  • Spring Framework version updated to 4.2.7.
  • Spring Security version updated to 4.0.4.RELEASE

OSS version used in accordance with Spring IO Platform version update is updated

  Domain Layer Implementation

Description details added

  • For MyBatis 3.3 + MyBatis-Spring 1.2, “value specified in timeout attribute of @Transactinal is not used” is added (Management ID#1777)
  Implementation of Application Layer

Description details added

  • HttpSession should not be used as an argument for handler method (Management ID#1313)
  • Precautions for using JSR-310 Date and Time API are described (Management ID#1991)
  Input Validation

Description details modified

  • A method to directly handle a message property file without conversion from Native to Ascii is added (Management ID#994)
  • Description for cross-field validation added (Management ID#1561)
  • @DateTimeFormat description added (Management ID#1873)
  • Description for ValidationMessages.properties modified (Management ID#1948)
  • Precautions for input check which use Method Validation added (Management ID#1998)

Description details added

  • Description for OS command injection added (Management ID#1957)
  Exception Handling

Modification associated with Spring Framework 4.2.7

  • Description details for HTTP response header output modified (Management ID#1965)
  Double Submit Protection

Description details added

  • Description for specifications and implementation methods of TransactionTokenType.CHECK which was newly added in type attribute of @TransactionTokenCheck annotation (Management ID#2071)

“How to manage transaction token life cycle in How To Extend programmatic” deleted.

  • When API for application offered by TransactionTokenContextis used, it impacts the behaviour of internal framework like inability to maintain TransactionToken in the appropriate state Current API is deprecated. Description for how to use function in accordance with deprecation, deleted.
  Internationalization

Description details modified

  • Position of request parameter (default parameter name) description modified (Management ID#1354)
  File Upload

Description details added

  • CVE-2016-3092Precautions for (File Upload vulnerability) added (Management ID#1973)
  • Description for directory traversal attack added (Management ID#2010)
  Health Check

Added new

  • Health check added (Management ID#1698)
  RESTful Web Service

Description details changed / added

  • Description for the configuration while using JSR-310 Date and Time API / Joda Time changed (Management ID#1966)
  • Precautions while using Jackson in Java SE 7 environment described (Management ID#1966)
  • Configuration while using JSR-310 Date and Time API in JSON described (Management ID#1966)
  REST Client (HTTP Client)

Description details modified

  • HTTP Proxy server configuration for RestClient added (Management ID#1856)
  SOAP Web Service (Server/Client)

Description details added

  • Added an option “Do not connect to SOAP server at the time of SOAP client start (Management ID#1871)
  • Description for env project of SOAP client modified (Management ID#1901)
  • How to fetch status code at the time of SOAP Web service exception occurrence added (Management ID#2007)
  Database Access (MyBatis3)

Description details added

  • “How to avoid tentative WARN log output” deleted (Management ID#1292)
  • “How to configure for using JSR-310 Date and Time API in Mybatis3.3” described (Management ID#1966)
  • Precautions while using MyBatis in Java SE 7 environment described (Management ID#1966)
  Exclusive Control

Description details added

  • warning message added to ExclusionControl (Management ID#1694)
  Logging

Description details added

  • “How to extend in order to output log message with ID” described (Management ID#1928)
  String Processing

Description details added

  • An example to add terasoluna-gfw-string to dependency is added (Management ID#1699)
  • Precautions for surrogate pair added to description of @Size annotation (Management ID#1874)
  • Description for JIS characters U+2014(EM DASH) UCS(Unicode) characters added (Management ID#1914)
  Bean Mapping (Dozer)

Description details added

  • Precautions while using JSR-310 Date and Time API described (Management ID#1966)
  JMS(Java Message Service)

Added new

  • JMS added (Management ID#1407)
  Authentication

Modifications for Spring Security 4.0.4

  • Code example modified to include modification of specifications of authentication-failure-url in Spring Security 4.0.4 and Note deleted (Management ID#1963)
  Authorization

Description details added

  Implementation Example of Typical Security Requirements

Description details added

  • “Input value check for security” added
  • “Audit log output” added
  Reference Books

Description details added

  • Spring thorough introduction” added as a reference material (Management ID#2043)
2016-02-24 - 5.1.0 RELEASE version published
  General

Correction of errors in the guideline (typo mistakes and simple description errors)

Description details modified

  In the Beginning

Description details added

  • Description related to operation verification environment of the details described in the guideline added
  Stack of TERASOLUNA Server Framework for Java (5.x)

OSS version to be used (Spring IO Platform version) updated

  • Spring IO Platform version updated in 2.0.1.RELEASE
  • Spring Framework version updated in 4.2.4.RELEASE
  • Spring Security version updated in 4.0.3.RELEASE

OSS version to be used along with Spring IO Platform version update is updated

New project added

  • Descriptions for terasoluna-gfw-string, terasoluna-gfw-codepoints, terasoluna-gfw-validator, terasoluna-gfw-web-jsp projects added.

New function of common library added

terasoluna-gfw-string
  • Half width to full width conversion
terasoluna-gfw-codepoints
  • Codepoint check
  • Bean Validation constraint annotation for code point check
terasoluna-gfw-validator
  • Bean Validation constraint annotation for byte length check
  • Bean Validation constraint annotation for field value comparison correlation check
  First application based on Spring MVC

Description details modified

  • Modification of sample source corresponding to Spring Security 4 (Management ID#1519)
  • AuthenticationPrincipalArgumentResolver package changed
  Tutorial (Todo Application)

Modifications corresponding to Spring Security 4

  • Modification of source corresponding to Spring Security 4 (Management ID#1519)
  • AuthenticationPrincipalArgumentResolver package changed
  • Since the specification is true by default, <use-expressions="true"> deleted from sample source
  Create Web application development project

Modification of description details

  • A method wherein mvn command is used in the offline environment is added (Management ID#1197)
  Implementation of Application Layer

Description details modified

  • A method to create a request URL using EL function is added (Management ID#632)
  Database Access (Common)

Description details added

  • Precautions for Log4jdbcProxyDataSource overhead added (Management ID#1471)
  Database Access (MyBatis3)

Description details corresponding to MyBatis 3.3 added

  • Setup method of defaultFetchSize added (Management ID#965)
  • “Changed the default at the time of delayed reading to JAVASSIST” added (Management ID#1384)
  • Sample code which assigns Generics to ResultHandler modified (Management ID#1384)
  • Source example which use newly added @Flush annotation, and precautions added (Management ID#915)
  Database Access (JPA)

Bug correction for the guideline

  • Utility which use Like condition modified appropriately (Management ID#1464)
  • Incorrect implementation of true value in JPQL corrected (Management ID#1525)
  • Incorrect implementation of pagination corrected (Management ID#1463)
  • Incorrect implementation of sample code corrected which implements DateTimeProvider(Management ID#1327)
  • Incorrect implementation in Factory class for generating an instance of implementation class for common Repository interface corrected (Management ID#1327)

Description details modified

  • Default value of hibernate.hbm2ddl.auto corrected (Management ID#1282)
  Input Validation

Description details modified

  • Description for MethodValidation added (Management ID#708)
  Logging

Description details modified

  • Description where ServiceLoader mechanism is used in Logback setting, is added (Management ID#1275)
  • Sample source corresponding to Spring Security 4 modified (Management ID#1519)
  • Since the specification is true by default, <use-expressions="true"> deleted from the sample source
  Session Management

Description details modified

  • Description of session scope reference which use SpEL expression is added (Management ID#1306)
  Internationalization

Description details modified

  • Description for appropriately reflecting locale in JSP is added (Management ID#1439)
  • Description of defaultLocale of SessionLocalResolver corrected (Management ID#686)
  Codelist

Description details added

  • Description which recommends a pattern wherein JdbcTemplate is specified in JdbcCodeList, is added (Management ID#501)
  RESTful Web Service

Description details modified

  • Creation of ObjectMapper which use Jackson2ObjectMapperFactoryBean added (Management ID#1022)
  • Modified to a format where MyBatis3 is used as a prerequisite in the implementation of domain layer of REST API application (Management ID#1323)
  REST Client (HTTP Client)

Added new

  • REST client (HTTP client) added (Management ID#1307)
  SOAP Web Service (Server/Client)

Added new

  • SOAP Web Service (Server / Client) added (Management ID#1340)
  File Upload

Description details modified

  • Basic flow of uploading process and its description modified to description which use MultipartFilter of Spring (Management ID#193)
  • “A method which sends CSRF token by query parameter” deleted due to issues like security issues, variation in the operation according to AP server etc. Precaution - “when allowable size for file upload exceeds, CSRF token check is not carried out appropriately in some AP servers” added (Management ID#1602)
  File Download

Description details corresponding to Spring Framework4.2 added

  • AbstractXlsxView which manages xlsx format, is added (Management ID#996)

Description details modified

  • Source example which use com.lowagie:itext:4.2.1 modified to a format which uses com.lowagie:itext:2.1.7 for the specification change of the iText
  Sending E-mail (SMTP)

Added new

  • E-mail sending (SMTP) added (Management ID#1165)
  Date operations (JSR-310 Date and Time API)

Added new

  • Date and time operation (JSR-310 Date and Time API) added (Management ID#1450)
  Date Operations (Joda Time)

Description details added and modified

  • The object of sample code which handles the date that does not use Timezone modified to LocalDate (Management ID#1283)
  • A method to handle Japanese calendar in Java8 and earlier versions is added (Management ID#1450)
  String Processing

Added new

  • String processing added (Management ID#1451)
  Security countermeasures

Configuration review

  Spring Security Overview

Modify corresponding to Spring Security 4

  • Restructuring overall description
  • spring-security-test introduction
  • Since the specification is true by default, <use-expressions="true"> deleted from sample source
  • Description related to RedirectAuthenticationHandlerdeprecation deleted
  Spring Security Tutorial

Modified corresponding to Spring Security 4

  • Modified tutorial source to a format corresponding to Spring Security 4 (Management ID#1519)
  Authentication

Modified corresponding to Spring Security 4 (Management ID#1519)

  • Restructuring of overall description
  • Deleted auto-config="true"
  • Authentication event listener modified to @org.springframework.context.event.EventListener
  • Modified AuthenticationPrincipal package
  • Since prefix is assigned by default, ROLE_ prefix deleted from sample source
  Authorization

Modified corresponding to Spring Security 4 (Management ID#1519)

  • Restructuring of overall description
  • Since the prefix is assigned by default, ROLE_ prefix deleted from sample source
  • Since the specification is true by default, <use-expressions="true"> deleted from sample source
  • Definition example of @PreAuthorize added
  CSRF Countermeasures

Modified corresponding to Spring Security 4

  • Restructuring of overall description
  • CSRF invalidation settings modified <sec:csrf disabled="true"/>
  • Description details modified
  • Items related to multi-part request moved to File Upload (Management ID#1602)
  Encryption

Added new

  • Encryption guidelines added (Management ID#1106)
  Implementation Example of Typical Security Requirements Added new
  Implementation Example of Typical Security Requirements

Description details added

  • “Input check for security” added
  • “Audit log output” added
  • Typical implementation example of security requirements added (Management ID#1604)
  Session tutorial

Added new

  • Session tutorial added (Management ID#1599)
  Tutorial (Todo Application REST)

Modified corresponding to Spring Security 4

  • Modified source corresponding to Spring Security 4 (Management ID#1519)
  • CSRF invalidation settings modified <sec:csrf disabled="true"/>
  • Since the specification is true by default, <use-expressions="true"> deleted from sample source
2015-08-05 - Released “5.0.1 RELEASE” version
  Overall modifications

Fixed guideline errors (corrected typos, mistakes in description, etc.)

Improved the description

Fixed the description about application server

  • Removed the description for the Resin
  • Updated the link of reference page
  In the Beginning

Added the description

  • Added description about tested environments for contents described in this guideline
  Stack of TERASOLUNA Server Framework for Java (5.x)

Updated the OSS version(Spring IO Platform version) to protect security vulnerability

  • Spring IO Platform version updated to 1.1.3.RELEASE
  • Spring Framework version updated to 4.1.7.RELEASE (CVE-2015-3192)
  • JSTL version updated to 1.2.5 (CVE-2015-0254)

Updated the OSS version by the Spring IO Platform version update

Description details modified (Management ID#1148)

  • Added the description of terasoluna-gfw-recommended-dependencies,terasoluna-gfw-recommended-web-dependencies and terasoluna-gfw-parent
  • Modified the description for some project
  • Added the illustration to indicate project dependencies
  Create Web application development project

Added the description

  • Added how to build a war file (Management ID#1146)
  Database Access (Common)

Added the description

  • Added the description of DataSource switching functionality (Management ID#1071)
  Database Access (MyBatis3)

Fixed the guideline bug

  • Modified the description about timing of batch execution (Management ID#903)
  Logging

Improved the description

  • Added the description about additivity attribute of <logger> tag (Management ID#977)
  Session Management

Improved the description

  • Modified the description about how to define a session scope bean (Management ID#1082)
  Double Submit Protection

Added the description

  • Added the description about the transaction token check in case that response cache is disabled (Management ID#1260)
  Codelist

Added the description

  • Added how to display a code name (Management ID#1109)
 

Added the warning about CVE-2015-3192(XML security vulnerability)

  • Added the warning at the time of the StAX(Streaming API for XML) use (Management ID#1211)
 

Modified in accordance with bug fixes of common library

  • Modified the description about f:query specification , in accordance with bug fixes of common library (terasoluna-gfw#297) (Management ID#1244)
  Authentication

Improved the description

  • Added the notes about handling with some properties of parent class of ExceptionMappingAuthenticationFailureHandler (Management ID#812)
  • Modified the setting example for the requiresAuthenticationRequestMatcher property of AbstractAuthenticationProcessingFilter (Management ID#1110)
  Authorization

Fixed the guideline bug

  • Modified the setting example for the access attribute of <sec:authorize> tag (JSP tag library) (Management ID#1003)
  Elimination of environmental dependency

Added the description

  • Added how to apply the external classpath(alternative functionality of VirtualWebappLoader of Tomcat7) at the time of Tomcat8 use (Management ID#1081)
2015-06-12 Overall modifications Released English version of “5.0.0 RELEASE”
2015-03-06 RESTful Web Service

Guideline bug modification

Sample code for exception handling (Problem which includes code causing NullPointerException) modified (Management ID#918)
  Tutorial (Todo Application REST)

Guideline bug modification

An issue wherein NullPointerExceptionoccurs in exception handling is fixed (Management ID#918)

2015-02-23 - Released “5.0.0 RELEASE” version
  Overall modifications

Fixed guideline errors (corrected typos, mistakes in description, etc.)

Improved the description

Added new

Updated in accordance with version 5.0.0

  • Deleted MyBatis2
  Stack of TERASOLUNA Server Framework for Java (5.x)

Spring IO Platform compatible

  • Added a point that except for some libraries, the management of recommended libraries is changed to a structure delegating it to Spring IO Platform.

Updated the OSS version

  First application based on Spring MVC

Updated in accordance with version 5.0.0

  • Used Spring Framework 4.1
  • Reviewed structure of document.
  Application Layering

Fixed bugs in English translation.

  • Translation mistake related to relation between domain layer and other layers corrected (Management ID#364)
  Tutorial (Todo Application)

Updated in accordance with version 5.0.0

  • Use of Spring Framework 4.1.
  • MyBatis3 support as infrastructure layer.
  • Revised document structure.
  Create Web application development project

Added new

  • Added a method to create a project having multi project structure
  Domain Layer Implementation

Modified in accordance with Spring Framework 4.1

  • Description related to handling of @Transactionalof JTA1.2 added (Management ID#562)
  • Modified description about handling @Transactional(readOnly = true) when using JPA (Hibernate implementation). With SPR-8959 (Spring Framework 4.1 and later versions) support, it has been improved so that instruction can be given so as to handle as “Read-only transactions” for JDBC driver.

Added description

  • Added notes regarding the cases where “Read-only transactions” are not enabled. For added contents, refer to (Management ID#861)
  Implementation of Infrastructure Layer

Modified in accordance with MyBatis3

  • Added a method to use MyBatis3 mechanism as implementation of RepositoryImpl.
  Implementation of Application Layer

Modified in accordance with Spring Framework 4.1

  • Explanation related to attribute added to @ControllerAdvice(attributes to narrow down the target by Controller (Management ID#549)
  • Explanation related to <mvc:view-resolvers>added (Management ID#609)
  Database Access (Common)

Modified in accordance with bug fixes of common library

  • Added description about handling double byte wild card characters (“%” , “_”), in accordance with bug fixes of common library (terasoluna-gfw#78) (Management ID#712).

Modified in accordance with Spring Framework 4.1

  • Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework. This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).

Modified in accordance with Apache Commons DBCP 2.0

  • Changed the sample code and its description to use component for Apache Commons DBCP 2.0.
  Database Access (MyBatis3)

Added new

  • Added method to implement an infrastructure layer using MyBatis3 as O/R Mapper.
  Exclusive Control

Fixed guideline bugs

  • Sample code of optimistic lock of long transaction (processing when records cannot be fetched) corrected (Management ID#450)

Modified in accordance with Spring Framework 4.1

  • Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework. This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).

Modified in accordance with MyBatis3

  • Added methods to implement exclusive control when using MyBatis3.
  Input Validation

Fixed guideline bugs

  • @GroupSequenceexplanation corrected (Management ID#296)

Modified in accordance with bug fixes of common library

  • Precautions related to ValidationMessages.propertiesadded associated with bug correction of common library (terasoluna-gfw#256) (Management ID#766)

Added description

  • Added a method to link with the mechanism of Group Validation of Bean Validation at the time of correlated item check using Spring Validator. For added contents, (Management ID#320)

Modified in accordance with Bean Validation 1.1 (Hibernate Validator 5.1)

  • Added description about inclusive attribute of @DecimalMin and @DecimalMax.
  • Added description about Expression Language.
  • Described about deprecated API from Bean Validation 1.1.
  • Added description about a bug related to ValidationMessages.properties of Hibernate Validator 5.1.x (HV-881) and methods to prevent the same.
  Exception Handling

Added description

  • Added a description that simple error page is likely to be displayed in Internet Explorer when an error response having size lesser than 513 bytes is sent. For added contents, (Management ID#189)

Modified in accordance with Spring Framework 4.1

  • Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework. This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).
  Session Management

Modified in accordance with Spring Security 3.2

  • Removed the description about a problem where CSRF token error occurs (SEC-2422 ) instead of session time out at the time of POST request. A mechanism to detect session time out is included in formal version of Spring Security 3.2, hence the problem is resolved.
  Message Management

Reflected changes of common library

  • Explanation related to newly added message type (warning) and deprecated message type (warn) added associated with bug correction of common library (terasoluna-gfw#24) (Management ID#74)
  Pagination

Reflected changes of common library

  • Page link of active status explanation changed associated with common library modification (terasoluna-gfw#13) (Management ID#699)
  • Page link of disabled status explanation changed associated with common library modification (terasoluna-gfw#14) (Management ID#700)

Modified in accordance with Spring Data Common 1.9

  • Added notes for the classes where API specifications (Page interface, etc.) are changed due to version upgrade.
  Codelist

Modified in accordance with bug fixes of common library

  • Message key change of ExistInCodeList and notes at the time of version-up added associated with bug modification of common library (terasoluna-gfw#16) (Management ID#638)
  • Notes for message definition of @ExistInCodeListadded associated with bug modification of common library (terasoluna-gfw#256) (Management ID#766)

Reflected changes of common library

  • Added a method to use EnumCodeList class in accordance with addition of common library functions (terasoluna-gfw#25).
  Ajax

Modified in accordance with Spring Security 3.2

  • Changed the sample code for CSRF measures (method to create <meta> tag for CSRF measures).

Modified in accordance with Jackson 2.4

  • Changed the sample code and description to use components for Jackson 2.4.
  RESTful Web Service

Improvement in description

  • Improve the method to build an URL to be set in location header and hypermedia link. For improvement details, (Management ID#374)

Modified in accordance with Spring Framework 4.1

  • Explanation related to @RestControlleradded (Management ID#560)
  • Changed the sample code to create ResponseEntity using builder style API.

Modified in accordance with Jackson 2.4

  • Changed the sample code and description to use components for Jackson 2.4.

Modified in accordance with Spring Data Common 1.9

  • Added notes for the classes where API specifications (Page interface, etc.) are changed due to version upgrade.
  File Upload

Fixed guideline bugs

  • Version of Apache Commons FileUpload which have resolved CVE-2014-0050(File Upload vulnerability) modified (Management ID#846)

Added description

  • File upload function of Servlet 3 has a problem of garbled characters on a part of application server. Therefore, added a method to use Apache Commons FileUpload as a measure to prevent this event. For added contents, (Management ID#778)
  System Date

Reflected changes of common library

  • Structure in the document, package name and class name changed associated with modification of common library (terasoluna-gfw#224) (Management ID#701)
  Screen Layout using Tiles

Modified in accordance with Tiles 3.0

  • Changed the example of settings and description to use component for Tiles 3.0.

Modified in accordance with Spring Framework 4.1

  • Explanation related to <mvc:view-resolvers>, <mvc:tiles>and <mvc:definitions>added (Management ID#609)
  Date Operations (Joda Time)

Added description

  • Added method to use LocalDateTime. For added contents, (Management ID#584)

Modified in accordance with Joda Time 2.5

  • Since DateMidnight class is deprecated in accordance with version upgrade, changed the method to fetch start time of specific date (0:00:00.000).
  Spring Security Overview

Modified in accordance with Spring Security 3.2

  • Added “Settings to create secure HTTP header” in appendix.
  Spring Security Tutorial

Updated in accordance with version 5.0.0

  • Made changes so as to use MyBatis3 as infrastructure layer.
  • Applied Spring Framework 4.1
  • Applied Spring Security 3.2
  • Revised document structure.
  Authentication

Fixed guideline bugs

  • Incorrect or missing explanation for <form-login>, <logout>and <session-management>tags corrected (Management ID#754)
  • Sample code showing extension method of AuthenticationFilter modified (settings added for enabling session, fixation counterattack measures and CSRF measures) (Management ID#765)

Modified in accordance with Spring Security 3.2

  • Added notes about logout method when CSRF measures are validated.
  • Added description of @AuthenticationPrincipal, as a method to access UserDetails (authentication user information class) from Controller.
  • Added description of changeSessionId, as parameters of session-fixation-protection attribute of <sec:session-management>.
  • Added methods to detect session time-out and notes for same.
  • Changed setting method to validate concurrent session control of identical users (made changes so as to use <sec:concurrency-control>).
  • Added a point that a class of concurrent session control of identical users is deprecated and other class is provided.
  CSRF Countermeasures

Modified in accordance with Spring Security 3.2

  • Removed description about the component for CSRF measures of Spring Security 3.2.0 (provisional version before formal release) included in common library of version 1.0.x.
  • Changed setting method to validate CSRF measures by a proper method of Spring Security 3.2 (method using <sec:csrf>).
  • Added description about JSP tag library (<sec:csrfInput> and <sec:csrfMetaTags>) for CSRF measures.
  • Added methods to detect session time-out and precautions when CSRF measures are validated.

Modified in accordance with Spring Framework 4.1

  • Changed description about the condition where CSRF token is output as hidden, when <form:form> is used.
  Tutorial (Todo Application REST)

Improved the description

  • By adding REST API to a project created by Tutorial (Todo Application), changed to the contents which are not dependent on a specific infrastructure layer (O/R Mapper) (Management ID#325)

Updated in accordance with version 5.0.0

  • Applied Spring Framework 4.1.
  • Applied Spring Security 3.2.
  • Applied Jackson 2.4.
  Create a new project from a blank project

Improved the description

  • Supported method to create a project having multi project structure.
  • Updated the method to create a project having single project structure.
  JSP Tag Libraries and EL Functions offered by common library

Added new

  • Added description about EL functions and JSP tag libraries provided by common libraries.
  Reducing Boilerplate Code (Lombok)

Added new

  • Added description about how to remove a boilerplate code where Lombok is used.
  English version

Added English version of the following.

2014-08-27 - Released “1.0.1 RELEASE” version
  Overall modifications Fixed guideline bugs (corrected typos, mistakes in description etc.)
  Japanese version

Added Japanese version of the following.

  English version

Added English version of the following.

  Stack of TERASOLUNA Server Framework for Java (5.x)

Updated the OSS version in accordance with bug fixes.

  • GroupId (org.springframework ) updated to 3.2.10.RELEASE from 3.2.4.RELEASE
  • GroupId (org.springframework.data )/ArtifactId(spring-data-commons ) updated to 1.6.4.RELEASE from 1.6.1.RELEASE
  • GroupId (org.springframework.data )/ArtifactId(spring-data-jpa ) updated to 1.4.3.RELEASE from 1.4.1.RELEASE
  • GroupId (org.aspectj ) updated to 1.7.4 from 1.7.3
  • Deleted GroupId (javax.transaction )/ArtifactId(jta )
  Implementation of Application Layer Added a warning about CVE-2014-1904 (XSS Vulnerability of action attribute in <form:form> tag)
 

Japanese version

Message Management

Added description about bug fix

 

Japanese version

Pagination

Updated description about bug fix

 

Japanese version

Ajax

Updated description of countermeasures against XXE Injection
 

Japanese version

File Upload

Added a warning about CVE-2014-0050 (File Upload Vulnerability)

Fixed guideline bugs.

  • Added how to handle MultipartException using error-page functionality of servlet container, because your application can’t handle MultipartException using SystemExceptionResolver when used MultipartFilter. (Management #ID59)
  Japanese version

Change how to create following projects to be carried out from mvn archetype:generate

  Japanese version

Minor modifications in how to create following Maven archetype

2013-12-17 Japanese version Released “1.0.0 Public Review” version