Change Log ================================================================================ .. tabularcolumns:: |p{0.15\linewidth}|p{0.25\linewidth}|p{ 0.60\linewidth}| .. list-table:: :header-rows: 1 :widths: 15 25 60 * - Modified on - Modified locations - Modification details * - 2018-03-16 - \- - 5.4.1 RELEASE version published * - - General - Correction of guideline mistakes (typing errors, simple mistakes, etc.) Description details improved * - - :doc:`../Overview/FrameworkStack` - OSS version to be used is updated (Management ID#3061) * Spring IO Platform version updated to Brussels-SR5 * MyBatis version updated to 3.4.5 OSS version to be used along with version update of Spring IO Platform updated Updated OSS version used for compliance with CVE-2018-1199(Management ID#3300) * Updated Spring Framework version to 4.3.14 * Updated Spring Security version to 4.2.4 * - - :doc:`../ImplementationAtEachLayer/DomainLayer` - Description details added * Description related to \ ``timeout`` \ attribute of \ ``@Transactional`` \ annotation added (Management ID#1776) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Validation` - Description details added * Added description for value of \ ``NOT_EQUAL`` \ which was newly added in \ ``operator`` \ attribute of \ ``@Compare`` \ annotation (Management ID#2842) * Notes while using \ ``@Email`` \ annotation are added (Management ID#2930) Bug fixes in the guidelines * Fixed implementation example of check rule extension method of common library (Management ID#2822) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/ExceptionHandling` - Description details modified * Modification related to change in common library (\ ``ExceptionLoggingFilter`` \), and correction of existing clerical mistakes (Management ID#2794) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/TilesLayout` - Description details modified * Descriptions related to matching of \ ``name`` \ attribute of \ ```` \ tag (Tiles definition file), 
and misleading descriptions of related parts modified (Management ID#2717) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/RestClient` - Modification related to Spring Framework 4.3 * Description related to settings of request header for Basic authentication changed (Management ID#2742) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/SOAP` - Description details modified * Annotation used for injection associated with SOAP Web Service implementation changed from \ ``@Inject`` \ to \ ``@Autowired`` \ (Management ID#2763) * Correction of errors for JAX-WS linkage function of Spring Framework, and notes related to running of SOAP server on JAW-WS implementation of Java EE server added (Management ID#2770) * - - :doc:`../ArchitectureInDetail/MessagingDetail/JMS` - Description details modified * Description modified such that asynchronous transmission transaction management is to be done by DefaultMessageListenerContainer instead of ChainedTransactionManager (Management ID #2814) * - - :doc:`../Security/Authentication` - Description details modified * Added explanation for class (\ ``Pbkdf2PasswordEncoder``\ ) for password hashing, and then a description that recommends \ ``BCryptPasswordEncoder``\ is deleted (Management ID#3011) * - - :doc:`../Security/Authorization` - Modified according to Spring Framework 4.3 support * Description details modified due to deleting definition of \ ``mvc:path-matching`` \ from blank project and changing the default setting of Spring MVC (Management ID#2941) Description details modified * Description details related to definition of access policy which use path variable in Spring Security are modified (Management ID#3090) * - - :doc:`../Security/XSS` - Description details modified, added * Sample source of JavaScript Escaping modified (Management ID#2531) * Precautions while using \ ``document.write()`` \ added (Management ID#2531) * - - :doc:`../Security/OAuth` - Structure reviewed * Changed to a chapter structure where How to 
use is explained for each grant type (Management ID#2818) Description details added * List of exceptions occured in Spring Security OAuth and handling methods added (Management ID#2819) * Explanation added for extension points of Spring Security OAuth (Management ID#2820) * Basic authentication setup method for resource server added (Management ID#2891) * Post processing for implicit (access token clear) added (Management ID#2891) Description details modified * Sample code modified (Management ID#2891) * Flow and its explanation modified (Management ID#2891) * Deleted the defect warning when the URL setting of check token endpoint of authorization server is not reflected (Management ID#3263) * - - :doc:`../UnitTest/index` - Added new * Unit test added (Management ID#1817) * - 2017-11-10 - \- - 5.3.1 RELEASE version published * - - General - Correction of guideline mistakes (typing errors, simple mistakes etc.) * - 2017-03-17 - \- - 5.3.0 RELEASE version published * - - General - Correction of guideline mistakes (typing errors, simple mistakes, etc.) 
Description details improved Start-up options associated with Maven archetype deployment change for Blank project generation (Change to `Maven Central `_\) modified (Management ID#2444) * :doc:`../Overview/FirstApplication` * :doc:`../ImplementationAtEachLayer/CreateWebApplicationProject` * :doc:`../Tutorial/TutorialTodo` * :doc:`../Tutorial/TutorialSecurity` * - - :doc:`../Introduction/CriteriaBasedMapping` - Description details added * A table listing a point of view by CVE is added in Mapping based on security measures (Management ID#2439) * - - :doc:`../Introduction/TermsOfUse` - Description details modified * Terms of use modified (Management ID#2625) * - - :doc:`../Overview/FrameworkStack` - Version of OSS to be used updated (Management ID#2441) * Update version of Spring IO Platform to Athens-SR2 * Update version of MyBatis to 3.4.2 * Update version of MyBatis-Spring to 1.3.1 * Update mybatis-typehandlers-jsr310 to 1.0.2 OSS version to be used in accordance with version update of Spring IO Platform is updated * - - :doc:`../ImplementationAtEachLayer/DomainLayer` - Description details modified * Modified signature-limiting interface and base class implementation sample (Management ID#2219) * - - :doc:`../ImplementationAtEachLayer/ApplicationLayer` - Description details added * Added "\ ```` \ is used when a simple view controller is to be created" (Management ID#2371) * Precautions to indicate the existence of unusable characters in Cookie name or value added (Management ID#2518) Modifications related to Spring Framework 4.3 * Precautions while using \ ``@DateTimeFormat`` \ for JSR-310 Date and Time API class deleted (Management ID#2505) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Validation` - Description details added * Added input check method to values in collection (Management ID#407) Description details modified * Added explanation on how to include input check target in message (Management ID#407) * Corrected description about check 
content of input check by @URL(Management ID#2260) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/ExceptionHandling` - Fix according to Spring Framework 4.3 support * Added description of how to handle a fatal error (Management ID#2368) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/SessionManagement` - Description details added * Added about how to prevent binding of request parameters when receiving object is stored in session scope (Management ID#1293) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Internationalization` - Description details added * Example when internationalization is not applied and its countermeasures added (Management ID#2427) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/FileUpload` - Description details added * Added explanation on how to avoid garbled characters when using JBoss EAP 7.0 (Management ID#2403) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/REST` - Modification related to Spring Framework 4.3 * Added explanation that HEAD and OPTIONS methods are implicitly prepared (Management ID#1704) Description details added * Added description related to output specification of explanation cause of HTTP status code (Management ID#2518) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/RestClient` - Modification related to Spring Framework 4.3 * Added explanation about implementation of common processing of asynchronous request (Management ID#2369) * - - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessMyBatis3` - Description details updated,added * Updated description on setting method when using JSR-310 Date and Time API (Management ID#2365) Description details added * Added description about setting for invoking rollback processing when an error occurs at commit (Management ID#2375) Description details modified * Modified implementation example when using BLOB and CLOB (Management ID#1775) * Modified explanation of the option to control the timing of "Lazy Load" execution 
(Management ID#2364) * - - | :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessJpa` - Description details added * Added warning for a bug in which "nowait" clause is not added when using PostgreSQL (Management ID#2372) * - - | :doc:`../ArchitectureInDetail/DataAccessDetail/ExclusionControl` - Description details added * Precautions added for issue ""nowait" not added while using PostgreSQL" (Management ID#2372) * - - :doc:`../ArchitectureInDetail/MessagingDetail/Email` - Description details added * Issues occuring in JavaMail and the methods to avoid the same added (Management ID#2190) * - - :doc:`../Security/Authentication` - Description details added * Description added for value attribute of checkbox used in Remember Me authentication (Management ID#785) * Precautions while using \ ```` \ added (Management ID#2371) Description details modified * Description for use of SecureRandom modified (Management ID#2177) * - - :doc:`../Security/Authorization` - Modification related to Spring Framework 4.3 * Modified desctiption and note about mitigation of \ `CVE-2016-5007 `_\ as the default value of \ ``trimTokens``\ property in \ ``AntPathMatcher``\ was changed. 
(Management ID#2565) Description details added * Warning related to access control for specific URL added (Management ID#2399) * Description for how to use path variable and precautions for use added (Management ID#2406) * Precautions for changing specifications of path matching of \ ``AntPathRequestMatcher``\ added (Management ID#2428) * - - :doc:`../Security/LinkageWithBrowser` - Modifications associated with Spring Security 4.1.4 support * Added description on Content Security Policy (CSP)" (Management ID#2400) * Description added for HTTP Public Key Pinning (HPKP)(Management ID#2401) * - - :doc:`../Security/OAuth` - New addition * Added OAuth (Management ID#2145) * - - :doc:`../Tutorial/TutorialTodo` - Correction of description * Code example of entity when using JPA modified (Management ID#2476) * - - :doc:`../Appendix/Nexus` - Modification to migration into Maven Central * Delete the description about TERASOLUNA Server Framework for Java (5.x) repository (Management ID#2496) * - 2016-08-31 - \- - 5.2.0 RELEASE version published * - - General - Correction of errors in the guideline (typos or simple description errors) Description details modified Review of all the chapters Update common library version to 5.2.0. Description details modified * - - :doc:`../Overview/FrameworkStack` - Description details added * Embedding status of common library standards of blank project added (Management ID#1700) * mybatis-typehandlers-jsr310, jackson-datatype-jsr310 added to OSS stack (Management ID#1966) * spring-jms and its dependent libraries added to OSS stack (Management ID#1992) Version of OSS used (Spring IO Platform version) updated) * Spring IO Platform version updated to 2.0.6.RELEASE * Spring Framework version updated to 4.2.7. 
* Spring Security version updated to 4.0.4.RELEASE OSS version used in accordance with Spring IO Platform version update is updated * - - :doc:`../ImplementationAtEachLayer/DomainLayer` - Description details added * For MyBatis 3.3 + MyBatis-Spring 1.2, "value specified in timeout attribute of @Transactinal is not used" is added (Management ID#1777) * - - :doc:`../ImplementationAtEachLayer/ApplicationLayer` - Description details added * HttpSession should not be used as an argument for handler method (Management ID#1313) * Precautions for using JSR-310 Date and Time API are described (Management ID#1991) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Validation` - Description details modified * A method to directly handle a message property file without conversion from Native to Ascii is added (Management ID#994) * Description for cross-field validation added (Management ID#1561) * @DateTimeFormat description added (Management ID#1873) * Description for ValidationMessages.properties modified (Management ID#1948) * Precautions for input check which use Method Validation added (Management ID#1998) Description details added * Description for OS command injection added (Management ID#1957) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/ExceptionHandling` - Modification associated with Spring Framework 4.2.7 * Description details for HTTP response header output modified (Management ID#1965) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/DoubleSubmitProtection` - Description details added * Description for specifications and implementation methods of \ ``TransactionTokenType.CHECK``\ which was newly added in type attribute of \ ``@TransactionTokenCheck``\ annotation (Management ID#2071) "How to manage transaction token life cycle in How To Extend programmatic" deleted. 
* When API for application offered by \ ``TransactionTokenContext``\ is used, it impacts the behaviour of internal framework like inability to maintain \ ``TransactionToken``\ in the appropriate state Current API is deprecated. Description for how to use function in accordance with deprecation, deleted. * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Internationalization` - Description details modified * Position of request parameter (default parameter name) description modified (Management ID#1354) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/FileUpload` - Description details added * \ `CVE-2016-3092 `_\ Precautions for (File Upload vulnerability) added (Management ID#1973) * Description for directory traversal attack added (Management ID#2010) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/HealthCheck` - Added new * Health check added (Management ID#1698) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/REST` - Description details changed / added * Description for the configuration while using JSR-310 Date and Time API / Joda Time changed (Management ID#1966) * Precautions while using Jackson in Java SE 7 environment described (Management ID#1966) * Configuration while using JSR-310 Date and Time API in JSON described (Management ID#1966) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/RestClient` - Description details modified * HTTP Proxy server configuration for RestClient added (Management ID#1856) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/SOAP` - Description details added * Added an option "Do not connect to SOAP server at the time of SOAP client start (Management ID#1871) * Description for env project of SOAP client modified (Management ID#1901) * How to fetch status code at the time of SOAP Web service exception occurrence added (Management ID#2007) * - - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessMyBatis3` - Description details added * "How to avoid tentative WARN log output" deleted 
(Management ID#1292) * "How to configure for using JSR-310 Date and Time API in Mybatis3.3" described (Management ID#1966) * Precautions while using MyBatis in Java SE 7 environment described (Management ID#1966) * - - :doc:`../ArchitectureInDetail/DataAccessDetail/ExclusionControl` - Description details added * warning message added to ExclusionControl (Management ID#1694) * - - :doc:`../ArchitectureInDetail/GeneralFuncDetail/Logging` - Description details added * "How to extend in order to output log message with ID" described (Management ID#1928) * - - :doc:`../ArchitectureInDetail/GeneralFuncDetail/StringProcessing` - Description details added * An example to add terasoluna-gfw-string to dependency is added (Management ID#1699) * Precautions for surrogate pair added to description of @Size annotation (Management ID#1874) * Description for JIS characters \ ``U+2014``\(EM DASH) UCS(Unicode) characters added (Management ID#1914) * - - :doc:`../ArchitectureInDetail/GeneralFuncDetail/Dozer` - Description details added * Precautions while using JSR-310 Date and Time API described (Management ID#1966) * - - :doc:`../ArchitectureInDetail/MessagingDetail/JMS` - Added new * JMS added (Management ID#1407) * - - :doc:`../Security/Authentication` - Modifications for Spring Security 4.0.4 * Code example modified to include modification of specifications of authentication-failure-url in Spring Security 4.0.4 and Note deleted (Management ID#1963) * - - :doc:`../Security/Authorization` - Description details added * How to handle \ `CVE-2016-5007 Spring Security / MVC Path Matching Inconsistency `_\ added (Management ID#1976) * - - :doc:`../Security/SecureLoginDemo` - Description details added * "Input value check for security" added * "Audit log output" added * - - :doc:`../Appendix/ReferenceBooks` - Description details added * Spring thorough introduction" added as a reference material (Management ID#2043) * - 2016-02-24 - \- - 5.1.0 RELEASE version published * - - General - 
Correction of errors in the guideline (typo mistakes and simple description errors) Description details modified * - - :doc:`index` - Description details added * Description related to operation verification environment of the details described in the guideline added * - - :doc:`../Overview/FrameworkStack` - OSS version to be used (Spring IO Platform version) updated * Spring IO Platform version updated in 2.0.1.RELEASE * Spring Framework version updated in 4.2.4.RELEASE * Spring Security version updated in 4.0.3.RELEASE OSS version to be used along with Spring IO Platform version update is updated * OSS version to be used updated. For update details, refer \ `version 5.1.0 migration guide `_\. New project added * Descriptions for \ ``terasoluna-gfw-string``\ , \ ``terasoluna-gfw-codepoints``\ , \ ``terasoluna-gfw-validator``\ , \ ``terasoluna-gfw-web-jsp``\ projects added. New function of common library added \ ``terasoluna-gfw-string``\ * Half width to full width conversion \ ``terasoluna-gfw-codepoints``\ * Codepoint check * Bean Validation constraint annotation for code point check \ ``terasoluna-gfw-validator``\ * Bean Validation constraint annotation for byte length check * Bean Validation constraint annotation for field value comparison correlation check * - - :doc:`../Overview/FirstApplication` - Description details modified * Modification of sample source corresponding to Spring Security 4 (Management ID#1519) * \ ``AuthenticationPrincipalArgumentResolver``\ package changed * - - :doc:`../Tutorial/TutorialTodo` - Modifications corresponding to Spring Security 4 * Modification of source corresponding to Spring Security 4 (Management ID#1519) * \ ``AuthenticationPrincipalArgumentResolver``\ package changed * Since the specification is true by default, \ ````\ deleted from sample source * - - :doc:`../ImplementationAtEachLayer/CreateWebApplicationProject` - Modification of description details * A method wherein mvn command is used in the offline environment 
is added (Management ID#1197) * - - :doc:`../ImplementationAtEachLayer/ApplicationLayer` - Description details modified * A method to create a request URL using EL function is added (Management ID#632) * - - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessCommon` - Description details added * Precautions for \ ``Log4jdbcProxyDataSource``\ overhead added (Management ID#1471) * - - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessMyBatis3` - Description details corresponding to MyBatis 3.3 added * Setup method of \ ``defaultFetchSize``\ added (Management ID#965) * "Changed the default at the time of delayed reading to \ ``JAVASSIST``\" added (Management ID#1384) * Sample code which assigns Generics to \ ``ResultHandler``\ modified (Management ID#1384) * Source example which use newly added \ ``@Flush``\ annotation, and precautions added (Management ID#915) * - - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessJpa` - Bug correction for the guideline * Utility which use Like condition modified appropriately (Management ID#1464) * Incorrect implementation of true value in JPQL corrected (Management ID#1525) * Incorrect implementation of pagination corrected (Management ID#1463) * Incorrect implementation of sample code corrected which implements \ ``DateTimeProvider``\ (Management ID#1327) * Incorrect implementation in Factory class for generating an instance of implementation class for common Repository interface corrected (Management ID#1327) Description details modified * Default value of \ ``hibernate.hbm2ddl.auto``\ corrected (Management ID#1282) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Validation` - Description details modified * Description for MethodValidation added (Management ID#708) * - - :doc:`../ArchitectureInDetail/GeneralFuncDetail/Logging` - Description details modified * Description where \ ``ServiceLoader``\ mechanism is used in Logback setting, is added (Management ID#1275) * Sample source corresponding to 
Spring Security 4 modified (Management ID#1519) * Since the specification is true by default, \ ````\ deleted from the sample source * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/SessionManagement` - Description details modified * Description of session scope reference which use SpEL expression is added (Management ID#1306) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Internationalization` - Description details modified * Description for appropriately reflecting locale in JSP is added (Management ID#1439) * Description of \ ``defaultLocale``\ of \ ``SessionLocalResolver``\ corrected (Management ID#686) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Codelist` - Description details added * Description which recommends a pattern wherein \ ``JdbcTemplate``\ is specified in JdbcCodeList, is added (Management ID#501) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/REST` - Description details modified * Creation of ObjectMapper which use \ ``Jackson2ObjectMapperFactoryBean``\ added (Management ID#1022) * Modified to a format where MyBatis3 is used as a prerequisite in the implementation of domain layer of REST API application (Management ID#1323) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/RestClient` - Added new * REST client (HTTP client) added (Management ID#1307) * - - :doc:`../ArchitectureInDetail/WebServiceDetail/SOAP` - Added new * SOAP Web Service (Server / Client) added (Management ID#1340) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/FileUpload` - Description details modified * Basic flow of uploading process and its description modified to description which use \ ``MultipartFilter``\ of Spring (Management ID#193) * "A method which sends CSRF token by query parameter" deleted due to issues like security issues, variation in the operation according to AP server etc. 
Precaution - "when allowable size for file upload exceeds, CSRF token check is not carried out appropriately in some AP servers" added (Management ID#1602) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/FileDownload` - Description details corresponding to Spring Framework4.2 added * \ ``AbstractXlsxView``\ which manages xlsx format, is added (Management ID#996) Description details modified * Source example which use \ ``com.lowagie:itext:4.2.1``\ modified to a format which uses \ ``com.lowagie:itext:2.1.7``\ for the specification change of the iText * - - :doc:`../ArchitectureInDetail/MessagingDetail/Email` - Added new * E-mail sending (SMTP) added (Management ID#1165) * - - :doc:`../ArchitectureInDetail/GeneralFuncDetail/DateAndTime` - Added new * Date and time operation (JSR-310 Date and Time API) added (Management ID#1450) * - - :doc:`../ArchitectureInDetail/GeneralFuncDetail/JodaTime` - Description details added and modified * The object of sample code which handles the date that does not use Timezone modified to \ ``LocalDate``\ (Management ID#1283) * A method to handle Japanese calendar in Java8 and earlier versions is added (Management ID#1450) * - - :doc:`../ArchitectureInDetail/GeneralFuncDetail/StringProcessing` - Added new * String processing added (Management ID#1451) * - - :doc:`../Security/index` - Configuration review * \ ``Password hashing``\ moved in :doc:`../Security/Authentication` * Session management items are separated as :doc:`../Security/SessionManagement` from :doc:`../Security/Authentication` * - - :doc:`../Security/SpringSecurity` - Modify corresponding to Spring Security 4 * Restructuring overall description * \ ``spring-security-test``\ introduction * Since the specification is true by default, \ ````\ deleted from sample source * Description related to \ ``RedirectAuthenticationHandler``\ deprecation deleted * - - :doc:`../Tutorial/TutorialSecurity` - Modified corresponding to Spring Security 4 * Modified tutorial source to a 
format corresponding to Spring Security 4 (Management ID#1519) * - - :doc:`../Security/Authentication` - Modified corresponding to Spring Security 4 (Management ID#1519) * Restructuring of overall description * Deleted \ ``auto-config="true"``\ * Authentication event listener modified to \ ``@org.springframework.context.event.EventListener``\ * Modified \ ``AuthenticationPrincipal``\ package * Since prefix is assigned by default, \ ``ROLE_``\ prefix deleted from sample source * - - :doc:`../Security/Authorization` - Modified corresponding to Spring Security 4 (Management ID#1519) * Restructuring of overall description * Since the prefix is assigned by default, \ ``ROLE_``\ prefix deleted from sample source * Since the specification is true by default, \ ````\ deleted from sample source * Definition example of \ ``@PreAuthorize``\ added * - - :doc:`../Security/CSRF` - Modified corresponding to Spring Security 4 * Restructuring of overall description * CSRF invalidation settings modified \ ````\ * Description details modified * Items related to multi-part request moved to :doc:`../ArchitectureInDetail/WebApplicationDetail/FileUpload` (Management ID#1602) * - - :doc:`../Security/Encryption` - Added new * Encryption guidelines added (Management ID#1106) * - - :doc:`../Security/SecureLoginDemo` - Added new * - - :doc:`../Security/SecureLoginDemo` - Description details added * "Input check for security" added * "Audit log output" added * Typical implementation example of security requirements added (Management ID#1604) * - - :doc:`../Tutorial/TutorialSession` - Added new * Session tutorial added (Management ID#1599) * - - :doc:`../Tutorial/TutorialREST` - Modified corresponding to Spring Security 4 * Modified source corresponding to Spring Security 4 (Management ID#1519) * CSRF invalidation settings modified \ ````\ * Since the specification is true by default, \ ````\ deleted from sample source * - 2015-08-05 - \- - Released "5.0.1 RELEASE" version * - - Overall 
modifications - Fixed guideline errors (corrected typos, mistakes in description, etc.) Improved the description Fixed the description about application server * Removed the description for the Resin * Updated the link of reference page * - - :doc:`index` - Added the description * Added description about tested environments for contents described in this guideline * - - :doc:`../Overview/FrameworkStack` - Updated the OSS version(Spring IO Platform version) to protect security vulnerability * Spring IO Platform version updated to 1.1.3.RELEASE * Spring Framework version updated to 4.1.7.RELEASE (\ `CVE-2015-3192 `_\ ) * JSTL version updated to 1.2.5 (\ `CVE-2015-0254 `_\ ) Updated the OSS version by the Spring IO Platform version update * OSS version to be used updated. For update details, refer \ `version 5.0.1 migration guide `_\. Description details modified (Management ID#1148) * Added the description of \ ``terasoluna-gfw-recommended-dependencies``\ ,\ ``terasoluna-gfw-recommended-web-dependencies``\ and \ ``terasoluna-gfw-parent``\ * Modified the description for some project * Added the illustration to indicate project dependencies * - - :doc:`../ImplementationAtEachLayer/CreateWebApplicationProject` - Added the description * Added how to build a war file (Management ID#1146) * - - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessCommon` - Added the description * Added the description of \ ``DataSource``\ switching functionality (Management ID#1071) * - - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessMyBatis3` - Fixed the guideline bug * Modified the description about timing of batch execution (Management ID#903) * - - :doc:`../ArchitectureInDetail/GeneralFuncDetail/Logging` - Improved the description * Added the description about \ ``additivity``\ attribute of \ ````\ tag (Management ID#977) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/SessionManagement` - Improved the description * Modified the description about how to define a 
session scope bean (Management ID#1082) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/DoubleSubmitProtection` - Added the description * Added the description about the transaction token check in case that response cache is disabled (Management ID#1260) * - - :doc:`../ArchitectureInDetail/WebApplicationDetail/Codelist` - Added the description * Added how to display a code name (Management ID#1109) * - - | :doc:`../ArchitectureInDetail/WebApplicationDetail/Ajax` | :doc:`../ArchitectureInDetail/WebServiceDetail/REST` - Added the warning about \ `CVE-2015-3192 `_\ (XML security vulnerability) * Added the warning at the time of the StAX(Streaming API for XML) use (Management ID#1211) * - - | :doc:`../ArchitectureInDetail/WebApplicationDetail/Pagination` | :doc:`../ArchitectureInDetail/WebApplicationDetail/TagLibAndELFunctions` - Modified in accordance with bug fixes of common library * Modified the description about \ ``f:query``\ specification , in accordance with bug fixes of common library (\ `terasoluna-gfw#297 `_\ ) (Management ID#1244) * - - :doc:`../Security/Authentication` - Improved the description * Added the notes about handling with some properties of parent class of \ ``ExceptionMappingAuthenticationFailureHandler``\ (Management ID#812) * Modified the setting example for the \ ``requiresAuthenticationRequestMatcher``\ property of \ ``AbstractAuthenticationProcessingFilter``\ (Management ID#1110) * - - :doc:`../Security/Authorization` - Fixed the guideline bug * Modified the setting example for the \ ``access``\ attribute of \ ````\ tag (JSP tag library) (Management ID#1003) * - - Elimination of environmental dependency - Added the description * Added how to apply the external classpath(alternative functionality of \ ``VirtualWebappLoader``\ of Tomcat7) at the time of Tomcat8 use (Management ID#1081) * - 2015-06-12 - Overall modifications - Released English version of "5.0.0 RELEASE" * - 2015-03-06 - 
:doc:`../ArchitectureInDetail/WebServiceDetail/REST` - Guideline bug modification Sample code for exception handling (Problem which includes code causing \ ``NullPointerException``\) modified (Management ID#918) * - - :doc:`../Tutorial/TutorialREST` - Guideline bug modification An issue wherein \ ``NullPointerException``\ occurs in exception handling is fixed (Management ID#918) * - 2015-02-23 - \- - Released "5.0.0 RELEASE" version * - - Overall modifications - Fixed guideline errors (corrected typos, mistakes in description, etc.) Improved the description Added new * :doc:`../ImplementationAtEachLayer/CreateWebApplicationProject` * :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessMyBatis3` * :doc:`../ArchitectureInDetail/WebApplicationDetail/TagLibAndELFunctions` * :doc:`../Appendix/Lombok` Updated in accordance with version 5.0.0 * Deleted MyBatis2 * - - :doc:`../Overview/FrameworkStack` - Spring IO Platform compatible * Added a point that except for some libraries, the management of recommended libraries is changed to a structure delegating it to Spring IO Platform. Updated the OSS version * OSS version to be used is updated. For update details, refer \ `version 5.0.0 migration guide `_\. * - - :doc:`../Overview/FirstApplication` - Updated in accordance with version 5.0.0 * Used Spring Framework 4.1 * Reviewed structure of document. * - - :doc:`../Overview/ApplicationLayering` - Fixed bugs in English translation. * Translation mistake related to relation between domain layer and other layers corrected (Management ID#364) * - - :doc:`../Tutorial/TutorialTodo` - Updated in accordance with version 5.0.0 * Use of Spring Framework 4.1. * MyBatis3 support as infrastructure layer. * Revised document structure. 
    * -
      - :doc:`../ImplementationAtEachLayer/CreateWebApplicationProject`
      - Added new

        * Added a method to create a project having multi project structure

    * -
      - :doc:`../ImplementationAtEachLayer/DomainLayer`
      - Modified in accordance with Spring Framework 4.1

        * Description related to handling of \ ``@Transactional``\ of JTA1.2 added (Management ID#562)
        * Modified description about handling \ ``@Transactional(readOnly = true)``\ when using JPA (Hibernate implementation). With \ `SPR-8959 `_\ (Spring Framework 4.1 and later versions) support, it has been improved so that the JDBC driver can be instructed to handle transactions as "Read-only transactions".

        Added description

        * Added notes regarding the cases where "Read-only transactions" are not enabled. For added contents, refer to (Management ID#861)

    * -
      - :doc:`../ImplementationAtEachLayer/InfrastructureLayer`
      - Modified in accordance with MyBatis3

        * Added a method to use MyBatis3 mechanism as implementation of RepositoryImpl.

    * -
      - :doc:`../ImplementationAtEachLayer/ApplicationLayer`
      - Modified in accordance with Spring Framework 4.1

        * Explanation related to attribute added to \ ``@ControllerAdvice``\ (attributes to narrow down the target by Controller) (Management ID#549)
        * Explanation related to \ ````\ added (Management ID#609)

    * -
      - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessCommon`
      - Modified in accordance with bug fixes of common library

        * Added description about handling double byte wild card characters ("\ ``%``\" , "\ ``_``\")\ , in accordance with bug fixes of common library (\ `terasoluna-gfw#78 `_\ ) (Management ID#712).

        Modified in accordance with Spring Framework 4.1

        * Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into \ ``PessimisticLockingFailureException``\ of Spring Framework. This problem is resolved in \ `SPR-10815 `_\ (Spring Framework 4.0 and later versions).

        Modified in accordance with Apache Commons DBCP 2.0

        * Changed the sample code and its description to use component for Apache Commons DBCP 2.0.

    * -
      - :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessMyBatis3`
      - Added new

        * Added method to implement an infrastructure layer using MyBatis3 as O/R Mapper.

    * -
      - :doc:`../ArchitectureInDetail/DataAccessDetail/ExclusionControl`
      - Fixed guideline bugs

        * Sample code of optimistic lock of long transaction (processing when records cannot be fetched) corrected (Management ID#450)

        Modified in accordance with Spring Framework 4.1

        * Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into \ ``PessimisticLockingFailureException``\ of Spring Framework. This problem is resolved in \ `SPR-10815 `_\ (Spring Framework 4.0 and later versions).

        Modified in accordance with MyBatis3

        * Added methods to implement exclusive control when using MyBatis3.

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/Validation`
      - Fixed guideline bugs

        * \ ``@GroupSequence``\ explanation corrected (Management ID#296)

        Modified in accordance with bug fixes of common library

        * Precautions related to \ ``ValidationMessages.properties``\ added associated with bug correction of common library (\ `terasoluna-gfw#256 `_\) (Management ID#766)

        Added description

        * Added a method to link with the mechanism of Group Validation of Bean Validation at the time of correlated item check using Spring Validator. For added contents, (Management ID#320)

        Modified in accordance with Bean Validation 1.1 (Hibernate Validator 5.1)

        * Added description about \ ``inclusive``\ attribute of \ ``@DecimalMin``\ and \ ``@DecimalMax``\ .
        * Added description about Expression Language.
        * Added description about APIs deprecated from Bean Validation 1.1.
        * Added description about a bug related to \ ``ValidationMessages.properties``\ of Hibernate Validator 5.1.x (\ `HV-881 `_\ ) and methods to prevent the same.

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/ExceptionHandling`
      - Added description

        * Added a description that a simple error page is likely to be displayed in Internet Explorer when an error response having size less than 513 bytes is sent. For added contents, (Management ID#189)

        Modified in accordance with Spring Framework 4.1

        * Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into \ ``PessimisticLockingFailureException``\ of Spring Framework. This problem is resolved in \ `SPR-10815 `_\ (Spring Framework 4.0 and later versions).

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/SessionManagement`
      - Modified in accordance with Spring Security 3.2

        * Removed the description about a problem where CSRF token error occurs (\ `SEC-2422 `_\ ) instead of session time out at the time of POST request. A mechanism to detect session time out is included in formal version of Spring Security 3.2, hence the problem is resolved.

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/MessageManagement`
      - Reflected changes of common library

        * Explanation related to newly added message type (warning) and deprecated message type (warn) added associated with bug correction of common library (\ `terasoluna-gfw#24 `_\) (Management ID#74)

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/Pagination`
      - Reflected changes of common library

        * Page link of active status explanation changed associated with common library modification (\ `terasoluna-gfw#13 `_\) (Management ID#699)
        * Page link of disabled status explanation changed associated with common library modification (\ `terasoluna-gfw#14 `_\) (Management ID#700)

        Modified in accordance with Spring Data Common 1.9

        * Added notes for the classes where API specifications (\ ``Page``\ interface, etc.) are changed due to version upgrade.

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/Codelist`
      - Modified in accordance with bug fixes of common library

        * Message key change of \ ``ExistInCodeList`` and notes at the time of version-up added associated with bug modification of common library (\ `terasoluna-gfw#16 `_\) (Management ID#638)
        * Notes for message definition of \ ``@ExistInCodeList``\ added associated with bug modification of common library (\ `terasoluna-gfw#256 `_\) (Management ID#766)

        Reflected changes of common library

        * Added a method to use \ ``EnumCodeList``\ class in accordance with addition of common library functions (\ `terasoluna-gfw#25 `_\ ).

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/Ajax`
      - Modified in accordance with Spring Security 3.2

        * Changed the sample code for CSRF measures (method to create \ ````\ tag for CSRF measures).

        Modified in accordance with Jackson 2.4

        * Changed the sample code and description to use components for Jackson 2.4.

    * -
      - :doc:`../ArchitectureInDetail/WebServiceDetail/REST`
      - Improvement in description

        * Improved the method to build a URL to be set in location header and hypermedia link. For improvement details, (Management ID#374)

        Modified in accordance with Spring Framework 4.1

        * Explanation related to \ ``@RestController``\ added (Management ID#560)
        * Changed the sample code to create \ ``ResponseEntity``\ using builder style API.

        Modified in accordance with Jackson 2.4

        * Changed the sample code and description to use components for Jackson 2.4.

        Modified in accordance with Spring Data Common 1.9

        * Added notes for the classes where API specifications (\ ``Page``\ interface, etc.) are changed due to version upgrade.

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/FileUpload`
      - Fixed guideline bugs

        * Version of Apache Commons FileUpload which has resolved \ `CVE-2014-0050 `_\ (File Upload vulnerability) modified (Management ID#846)

        Added description

        * File upload function of Servlet 3 has a problem of garbled characters on some application servers. Therefore, added a method to use Apache Commons FileUpload as a measure to prevent this event. For added contents, (Management ID#778)

    * -
      - :doc:`../ArchitectureInDetail/GeneralFuncDetail/SystemDate`
      - Reflected changes of common library

        * Structure in the document, package name and class name changed associated with modification of common library (\ `terasoluna-gfw#224 `_\) (Management ID#701)

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/TilesLayout`
      - Modified in accordance with Tiles 3.0

        * Changed the example of settings and description to use component for Tiles 3.0.

        Modified in accordance with Spring Framework 4.1

        * Explanation related to \ ````\, \ ````\ and \ ````\ added (Management ID#609)

    * -
      - :doc:`../ArchitectureInDetail/GeneralFuncDetail/JodaTime`
      - Added description

        * Added method to use \ ``LocalDateTime``\ . For added contents, (Management ID#584)

        Modified in accordance with Joda Time 2.5

        * Since \ ``DateMidnight``\ class is deprecated in accordance with version upgrade, changed the method to fetch start time of specific date (0:00:00.000).

    * -
      - :doc:`../Security/SpringSecurity`
      - Modified in accordance with Spring Security 3.2

        * Added "Settings to create secure HTTP header" in appendix.

    * -
      - :doc:`../Tutorial/TutorialSecurity`
      - Updated in accordance with version 5.0.0

        * Made changes so as to use MyBatis3 as infrastructure layer.
        * Applied Spring Framework 4.1
        * Applied Spring Security 3.2
        * Revised document structure.

    * -
      - :doc:`../Security/Authentication`
      - Fixed guideline bugs

        * Incorrect or missing explanation for \ ````\, \ ````\ and \ ````\ tags corrected (Management ID#754)
        * Sample code showing extension method of AuthenticationFilter modified (settings added for enabling session fixation attack countermeasures and CSRF measures) (Management ID#765)

        Modified in accordance with Spring Security 3.2

        * Added notes about logout method when CSRF measures are enabled.
        * Added description of \ ``@AuthenticationPrincipal``\ , as a method to access \ ``UserDetails``\ (authentication user information class) from Controller.
        * Added description of \ ``changeSessionId``\ , as a parameter of \ ``session-fixation-protection``\ attribute of \ ````\ .
        * Added methods to detect session time-out and notes for same.
        * Changed setting method to enable concurrent session control of identical users (made changes so as to use \ ````\ ).
        * Added a point that a class of concurrent session control of identical users is deprecated and other class is provided.

    * -
      - :doc:`../Security/CSRF`
      - Modified in accordance with Spring Security 3.2

        * Removed description about the component for CSRF measures of Spring Security 3.2.0 (provisional version before formal release) included in common library of version 1.0.x.
        * Changed setting method to enable CSRF measures by a proper method of Spring Security 3.2 (method using \ ````\ ).
        * Added description about JSP tag library (\ ````\ and \ ````\ ) for CSRF measures.
        * Added methods to detect session time-out and precautions when CSRF measures are enabled.

        Modified in accordance with Spring Framework 4.1

        * Changed description about the condition where CSRF token is output as hidden, when \ ````\ is used.

    * -
      - :doc:`../Tutorial/TutorialREST`
      - Improved the description

        * By adding REST API to a project created by \ :doc:`../Tutorial/TutorialTodo`\, changed to the contents which are not dependent on a specific infrastructure layer (O/R Mapper) (Management ID#325)

        Updated in accordance with version 5.0.0

        * Applied Spring Framework 4.1.
        * Applied Spring Security 3.2.
        * Applied Jackson 2.4.

    * -
      - Create a new project from a blank project
      - Improved the description

        * Supported method to create a project having multi project structure.
        * Updated the method to create a project having single project structure.

    * -
      - :doc:`../ArchitectureInDetail/WebApplicationDetail/TagLibAndELFunctions`
      - Added new

        * Added description about EL functions and JSP tag libraries provided by common libraries.

    * -
      - :doc:`../Appendix/Lombok`
      - Added new

        * Added description about how to remove boilerplate code by using Lombok.

    * -
      - English version
      - Added English version of the following.

        * :doc:`../ImplementationAtEachLayer/CreateWebApplicationProject`
        * :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessCommon`
        * :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessJpa`
        * :doc:`../ArchitectureInDetail/DataAccessDetail/DataAccessMyBatis3`
        * :doc:`../ArchitectureInDetail/DataAccessDetail/ExclusionControl`
        * :doc:`../ArchitectureInDetail/GeneralFuncDetail/Logging`
        * :doc:`../ArchitectureInDetail/GeneralFuncDetail/PropertyManagement`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/Pagination`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/DoubleSubmitProtection`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/Internationalization`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/Codelist`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/Ajax`
        * :doc:`../ArchitectureInDetail/WebServiceDetail/REST`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/FileUpload`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/FileDownload`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/TilesLayout`
        * :doc:`../ArchitectureInDetail/GeneralFuncDetail/SystemDate`
        * :doc:`../ArchitectureInDetail/GeneralFuncDetail/Dozer`
        * :doc:`../Security/SpringSecurity`
        * :doc:`../Security/Authentication`
        * :doc:`../Security/Authorization`
        * :doc:`../Security/CSRF`
        * Create a new project from a blank project
        * :doc:`../Appendix/Nexus`
        * Elimination of environmental dependency
        * Project Structure Standard
        * :doc:`../Appendix/Lombok`
        * :doc:`../Appendix/SpringComprehensionCheck`

    * - 2014-08-27
      - \-
      - Released "1.0.1 RELEASE" version
    * -
      - Overall modifications
      - Fixed guideline bugs (corrected typos, mistakes in description etc.)
    * -
      - Japanese version
      - Added Japanese version of the following.

        * :doc:`CriteriaBasedMapping`
        * :doc:`../ArchitectureInDetail/WebServiceDetail/REST`
        * :doc:`../Tutorial/TutorialREST`

    * -
      - English version
      - Added English version of the following.

        * :doc:`index`
        * :doc:`../Overview/index`
        * :doc:`../Tutorial/TutorialTodo`
        * :doc:`../ImplementationAtEachLayer/index`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/Validation`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/ExceptionHandling`
        * :doc:`../ArchitectureInDetail/WebApplicationDetail/MessageManagement`
        * :doc:`../ArchitectureInDetail/GeneralFuncDetail/JodaTime`
        * :doc:`../Security/XSS`
        * :doc:`../Appendix/ReferenceBooks`

    * -
      - :doc:`../Overview/FrameworkStack`
      - Updated the OSS version in accordance with bug fixes.

        * GroupId (\ ``org.springframework``\ ) updated to 3.2.10.RELEASE from 3.2.4.RELEASE
        * GroupId (\ ``org.springframework.data``\ )/ArtifactId(\ ``spring-data-commons``\ ) updated to 1.6.4.RELEASE from 1.6.1.RELEASE
        * GroupId (\ ``org.springframework.data``\ )/ArtifactId(\ ``spring-data-jpa``\ ) updated to 1.4.3.RELEASE from 1.4.1.RELEASE
        * GroupId (\ ``org.aspectj``\ ) updated to 1.7.4 from 1.7.3
        * Deleted GroupId (\ ``javax.transaction``\ )/ArtifactId(\ ``jta``\ )

    * -
      - :doc:`../ImplementationAtEachLayer/ApplicationLayer`
      - Added a warning about `CVE-2014-1904 `_\ (XSS Vulnerability of \ ``action``\ attribute in \ ````\ tag)
    * -
      - Japanese version :doc:`../ArchitectureInDetail/WebApplicationDetail/MessageManagement`
      - Added description about bug fix

        * Fixed bugs of \ ````\ tag of common library (\ `terasoluna-gfw#10 `_\ )

    * -
      - Japanese version :doc:`../ArchitectureInDetail/WebApplicationDetail/Pagination`
      - Updated description about bug fix

        * Fixed bugs of \ ````\ tag of common library (\ `terasoluna-gfw#12 `_\ )
        * Fixed bugs of Spring Data Commons (\ `terasoluna-gfw#22 `_\ )

    * -
      - Japanese version :doc:`../ArchitectureInDetail/WebApplicationDetail/Ajax`
      - Updated description of countermeasures against XXE Injection
    * -
      - Japanese version :doc:`../ArchitectureInDetail/WebApplicationDetail/FileUpload`
      - Added a warning about `CVE-2014-0050 `_\ (File Upload Vulnerability)

        Fixed guideline bugs.

        * Added how to handle \ ``MultipartException``\ using error-page functionality of servlet container, because your application can't handle \ ``MultipartException``\ using \ ``SystemExceptionResolver``\ when \ ``MultipartFilter``\ is used. (Management #ID59)

    * -
      - Japanese version
      - Changed how the following projects are created so that it is carried out from \ ``mvn archetype:generate``\

        * :doc:`../Overview/FirstApplication`
        * :doc:`../Tutorial/TutorialTodo`
        * :doc:`../Tutorial/TutorialTodo`

    * -
      - Japanese version
      - Minor modifications in how to create the following from Maven archetype

        * :doc:`../Tutorial/TutorialSecurity`
        * Create a new project from a blank project

    * - 2013-12-17
      - Japanese version
      - Released "1.0.0 Public Review" version

.. raw:: latex

   \newpage