2016-02-24 |
- |
5.0.2 RELEASE version published
|
|
General |
Corrected errors in the guideline (typos and simple description errors)
Description details modified
|
|
In the Beginning |
Description details added
- Added a description of the environment used to verify the operation of the contents described in the guideline
|
|
Stack of TERASOLUNA Server Framework for Java (5.x) |
Updated the OSS version to be used (Spring IO Platform version)
- Spring IO Platform version updated to 1.1.5.RELEASE
- Spring Framework version updated to 4.1.9.RELEASE
- Spring Security version updated to 3.2.9.RELEASE
Updated the OSS versions in accordance with the Spring IO Platform version update
|
|
Create Web application development project |
Description details modified
- Added a method that executes SQL by using SQL Maven Plugin (guideline#1428)
|
|
Database Access (Common) |
Description details added
- Added precautions about the overhead of Log4jdbcProxyDataSource (guideline#1471)
|
|
Database Access (MyBatis3) |
Added description corresponding to MyBatis 3.3
- Added “Changed the default at the time of delayed reading to JAVASSIST” (guideline#1384)
|
|
Database Access (JPA) |
Bug correction for the guideline
- Corrected the utility that uses the Like condition (guideline#1464)
|
|
Input Validation |
Description details modified
- Added that the “Index position of attribute value” for input validation error messages is in alphabetical order (guideline#1296)
|
|
Logging |
Description details modified
- Added a description of where the ServiceLoader mechanism is used in the Logback settings (guideline#1275)
|
|
Internationalization |
Description details modified
- Added a description of how to reflect the locale appropriately in JSP (guideline#1439)
|
|
Codelist |
Description details added
- Added a description that recommends the pattern in which JdbcTemplate is specified in JdbcCodeList (guideline#501)
|
|
File Upload |
Description details modified
- Modified the basic flow of the upload process and its description to use MultipartFilter of Spring (guideline#193)
- Deleted “A method which sends CSRF token by query parameter” because of security issues, behaviour that varies between AP servers, etc.
Added the precaution “when the allowable size for file upload is exceeded, the CSRF token check is not carried out appropriately in some AP servers” (guideline#1602)
|
|
File Download |
Description details modified
- Modified the source example that used com.lowagie:itext:4.2.1 to use com.lowagie:itext:2.1.7 because of a specification change in iText (guideline#1310)
|
|
RESTful Web Service |
Description details modified
- Added creation of ObjectMapper using Jackson2ObjectMapperFactoryBean (guideline#1022)
- Modified so that MyBatis3 is a prerequisite for implementing the domain layer of the REST API application (guideline#1323)
|
|
Spring Security Tutorial |
Bug correction in the guideline
- Corrected places in the source code where logout was not possible (guideline#1300)
|
|
Authentication |
Description details modified
|
|
Password Hashing |
Bug correction in the guideline
- Corrected errors in the VM argument that resolves the delay issue associated with SecureRandom (guideline#1502)
|
|
CSRF Countermeasures |
Description details modified
|
2015-08-05 |
- |
Released “5.0.1 RELEASE” version
|
|
Overall modifications |
Fixed guideline errors (corrected typos, mistakes in description, etc.)
Improved the description
Fixed the description about application server
- Removed the description for the Resin
- Updated the link of reference page
|
|
In the Beginning |
Added the description
- Added description about tested environments for contents described in this guideline
|
|
Stack of TERASOLUNA Server Framework for Java (5.x) |
Updated the OSS version (Spring IO Platform version) to address security vulnerabilities
- Spring IO Platform version updated to 1.1.3.RELEASE
- Spring Framework version updated to 4.1.7.RELEASE (CVE-2015-3192)
- JSTL version updated to 1.2.5 (CVE-2015-0254)
Updated the OSS versions in accordance with the Spring IO Platform version update
Improved the description (guideline#1148)
- Added the description of terasoluna-gfw-recommended-dependencies, terasoluna-gfw-recommended-web-dependencies and terasoluna-gfw-parent
- Modified the description for some projects
- Added the illustration to indicate project dependencies
|
|
Create Web application development project |
Added the description
|
|
Database Access (Common) |
Added the description
- Added the description of DataSource switching functionality (guideline#1071)
|
|
Database Access (MyBatis3) |
Fixed the guideline bug
- Modified the description about timing of batch execution (guideline#903)
|
|
Logging |
Improved the description
- Added the description about the additivity attribute of the <logger> tag (guideline#977)
|
|
Session Management |
Improved the description
- Modified the description about how to define a session scope bean (guideline#1082)
|
|
Double Submit Protection |
Added the description
- Added the description about the transaction token check in case that response cache is disabled (guideline#1260)
|
|
Codelist |
Added the description
|
|
|
Added the warning about CVE-2015-3192 (XML security vulnerability)
- Added the warning about the use of StAX (Streaming API for XML) (guideline#1211)
|
|
|
Modified in accordance with bug fixes of common library
|
|
Authentication |
Improved the description
- Added notes about the handling of some properties of the parent class of ExceptionMappingAuthenticationFailureHandler (guideline#812)
- Modified the setting example for the requiresAuthenticationRequestMatcher property of AbstractAuthenticationProcessingFilter (guideline#1110)
|
|
Authorization |
Fixed the guideline bug
- Modified the setting example for the access attribute of the <sec:authorize> tag (JSP tag library) (guideline#1003)
|
|
Removing Environment Dependency |
Added the description
- Added how to apply the external classpath (alternative functionality to VirtualWebappLoader of Tomcat7) when using Tomcat8 (guideline#1081)
|
2015-06-12 |
Overall modifications |
Released English version of “5.0.0 RELEASE” |
2015-02-23 |
- |
Released “5.0.0 RELEASE” version
|
|
Overall modifications |
Fixed guideline errors (corrected typos, mistakes in description, etc.)
Improved the description
Added new
Updated in accordance with version 5.0.0
|
|
Stack of TERASOLUNA Server Framework for Java (5.x) |
Spring IO Platform compatible
- Added a note that, except for some libraries, the management of recommended libraries is now delegated to Spring IO Platform.
Updated the OSS version
|
|
First application based on Spring MVC |
Updated in accordance with version 5.0.0
- Used Spring Framework 4.1
- Reviewed structure of document.
|
|
Application Layering |
Fixed bugs in English translation.
- Fixed translation bugs related to domain layer and other layers.
For modification details, refer to guideline#364 issue.
|
|
Tutorial (Todo Application) |
Updated in accordance with version 5.0.0
- Use of Spring Framework 4.1.
- MyBatis3 support as infrastructure layer.
- Revised document structure.
|
|
Create Web application development project |
Added new
- Added a method to create a project having multi project structure
|
|
Domain Layer Implementation |
Modified in accordance with Spring Framework 4.1
- Added description about handling @Transactional of JTA 1.2.
For modification details, refer to guideline#562 issue.
- Modified description about handling @Transactional(readOnly = true) when using JPA (Hibernate implementation).
With SPR-8959 (Spring Framework 4.1 and later versions) support, the JDBC driver can now be instructed to handle the transaction as a “Read-only transaction”.
Added description
- Added notes regarding the cases where “Read-only transactions” are not enabled.
For added contents, refer to guideline#861 issue.
|
|
Implementation of Infrastructure Layer |
Modified in accordance with MyBatis3
- Added a method to use MyBatis3 mechanism as implementation of RepositoryImpl.
|
|
Implementation of Application Layer |
Modified in accordance with Spring Framework 4.1
- Added description about the attribute (attribute to filter the Controllers to be used) added in @ControllerAdvice.
For modification details, refer to guideline#549 issue.
- Added description about <mvc:view-resolvers>.
For modification details, refer to guideline#609 issue.
|
|
Database Access (Common) |
Modified in accordance with bug fixes of common library
- Added description about handling double byte wild card characters (%, _), in accordance with bug fixes of common library (terasoluna-gfw#78).
For modification details, refer to guideline#712 issue.
Modified in accordance with Spring Framework 4.1
- Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework.
This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).
Modified in accordance with Apache Commons DBCP 2.0
- Changed the sample code and its description to use component for Apache Commons DBCP 2.0.
|
|
Database Access (MyBatis3) |
Added new
- Added method to implement an infrastructure layer using MyBatis3 as O/R Mapper.
|
|
Exclusive Control |
Fixed guideline bugs
- Modified the sample code of optimistic locking of long transactions (processing when records cannot be fetched).
For modification details, refer to guideline#450 issue.
Modified in accordance with Spring Framework 4.1
- Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework.
This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).
Modified in accordance with MyBatis3
- Added methods to implement exclusive control when using MyBatis3.
|
|
Input Validation |
Fixed guideline bugs
- Modified the description of @GroupSequence.
For modification details, refer to guideline#296 issue.
Modified in accordance with bug fixes of common library
Added description
- Added a method to link with the mechanism of Group Validation of Bean Validation at the time of correlated item check using Spring Validator.
For added contents, refer to guideline#320 issue.
Modified in accordance with Bean Validation 1.1 (Hibernate Validator 5.1)
- Added description about the inclusive attribute of @DecimalMin and @DecimalMax.
- Added description about Expression Language.
- Added description about APIs deprecated from Bean Validation 1.1.
- Added description about a bug related to ValidationMessages.properties of Hibernate Validator 5.1.x (HV-881) and methods to prevent the same.
|
|
Exception Handling |
Added description
- Added a description that a simple error page is likely to be displayed in Internet Explorer when an error smaller than 513 bytes is sent as the response.
For added contents, refer to guideline#189 issue.
Modified in accordance with Spring Framework 4.1
- Removed the description about the problem where pessimistic locking error of JPA (Hibernate implementation) is not converted into PessimisticLockingFailureException of Spring Framework.
This problem is resolved in SPR-10815 (Spring Framework 4.0 and later versions).
|
|
Session Management |
Modified in accordance with Spring Security 3.2
- Removed the description about a problem where a CSRF token error occurs (SEC-2422) instead of session time-out at the time of a POST request.
A mechanism to detect session time-out is included in the formal version of Spring Security 3.2, hence the problem is resolved.
|
|
Message Management |
Reflected changes of common library
- Added description about the newly added message type (warning) and the deprecated message type (warn), in accordance with the improvement of common library (terasoluna-gfw#24).
For modification details, refer to guideline#74 issue.
|
|
Pagination |
Reflected changes of common library
- Changed description of page link in active state, in accordance with the improvement of common library (terasoluna-gfw#13).
For modification details, refer to guideline#699 issue.
- Changed description of page link in disabled state, in accordance with the improvement of common library (terasoluna-gfw#14).
For modification details, refer to guideline#700 issue.
Modified in accordance with Spring Data Common 1.9
- Added notes for the classes where API specifications (Page interface, etc.) are changed due to version upgrade.
|
|
Codelist |
Modified in accordance with bug fixes of common library
- Added notes about version upgrade and changing message key of ExistInCodeList in accordance with bug fixes of common library (terasoluna-gfw#16).
For modification details, refer to guideline#638 issue.
- Added notes about message definition of @ExistInCodeList in accordance with bug fixes of common library (terasoluna-gfw#256).
For modification details, refer to guideline#766 issue.
Reflected changes of common library
- Added a method to use EnumCodeList class in accordance with addition of common library functions (terasoluna-gfw#25).
|
|
Ajax |
Modified in accordance with Spring Security 3.2
- Changed the sample code for CSRF measures (method to create <meta> tag for CSRF measures).
Modified in accordance with Jackson 2.4
- Changed the sample code and description to use components for Jackson 2.4.
|
|
RESTful Web Service |
Improvement in description
- Improved the method to build a URL to be set in the location header and hypermedia link.
For improvement details, refer to guideline#374 issue.
Modified in accordance with Spring Framework 4.1
- Added a description about @RestController.
For modification details, refer to guideline#560 issue.
- Changed the sample code to create ResponseEntity using builder style API.
Modified in accordance with Jackson 2.4
- Changed the sample code and description to use components for Jackson 2.4.
Modified in accordance with Spring Data Common 1.9
- Added notes for the classes where API specifications (Page interface, etc.) are changed due to version upgrade.
|
|
File Upload |
Fixed guideline bugs
- Changed the version of Apache Commons FileUpload to one in which CVE-2014-0050 (File Upload vulnerability) is resolved.
For modification details, refer to guideline#846 issue.
Added description
- The file upload function of Servlet 3 has a problem of garbled characters on some application servers. Therefore, added a method to use Apache Commons FileUpload as a measure to prevent this.
For added contents, refer to guideline#778 issue.
|
|
System Date |
Reflected changes of common library
- Changed document structure, package name and class name in accordance with the improvement of common library (terasoluna-gfw#224).
For modification details, refer to guideline#701 issue.
|
|
Screen Layout using Tiles |
Modified in accordance with Tiles 3.0
- Changed the example of settings and description to use component for Tiles 3.0.
Modified in accordance with Spring Framework 4.1
- Added description about <mvc:view-resolvers>, <mvc:tiles>, <mvc:definitions>.
For modification details, refer to guideline#609 issue.
|
|
Date Operations (Joda Time) |
Added description
Modified in accordance with Joda Time 2.5
- Since DateMidnight class is deprecated in accordance with version upgrade, changed the method to fetch start time of specific date (0:00:00.000).
|
|
Spring Security Overview |
Modified in accordance with Spring Security 3.2
- Added “Settings to create secure HTTP header” in appendix.
|
|
Spring Security Tutorial |
Updated in accordance with version 5.0.0
- Made changes so as to use MyBatis3 as infrastructure layer.
- Applied Spring Framework 4.1
- Applied Spring Security 3.2
- Revised document structure.
|
|
Authentication |
Fixed guideline bugs
- Modified the erroneous and inadequate description of the <form-login>, <logout> and <session-management> tags.
For modification details, refer to guideline#754 issue.
- Modified the sample code that shows how to extend AuthenticationFilter (added settings to enable CSRF measures and session fixation attack measures).
For details, refer to guideline#765 issue.
Modified in accordance with Spring Security 3.2
- Added notes about the logout method when CSRF measures are enabled.
- Added description of @AuthenticationPrincipal, as a method to access UserDetails (authentication user information class) from Controller.
- Added description of changeSessionId, as a parameter of the session-fixation-protection attribute of <sec:session-management>.
- Added methods to detect session time-out and notes for the same.
- Changed the setting method to enable concurrent session control of the same user (made changes so as to use <sec:concurrency-control>).
- Added a note that a class for concurrent session control of the same user is deprecated and another class is provided.
|
|
CSRF Countermeasures |
Modified in accordance with Spring Security 3.2
- Removed description about the component for CSRF measures of Spring Security 3.2.0 (provisional version before formal release) included in common library of version 1.0.x.
- Changed the setting method to enable CSRF measures to the proper method of Spring Security 3.2 (method using <sec:csrf>).
- Added description about the JSP tag library (<sec:csrfInput> and <sec:csrfMetaTags>) for CSRF measures.
- Added methods to detect session time-out and precautions when CSRF measures are enabled.
Modified in accordance with Spring Framework 4.1
- Changed description about the condition where the CSRF token is output as a hidden field when <form:form> is used.
|
|
Tutorial (Todo Application REST) |
Improved the description
Updated in accordance with version 5.0.0
- Applied Spring Framework 4.1.
- Applied Spring Security 3.2.
- Applied Jackson 2.4.
|
|
Create a New Project from Blank Project |
Improved the description
- Supported method to create a project having multi project structure.
- Updated the method to create a project having single project structure.
|
|
JSP Tag Libraries and EL Functions offered by common library |
Added new
- Added description about EL functions and JSP tag libraries provided by common libraries.
|
|
Reducing Boilerplate Code (Lombok) |
Added new
- Added description about how to remove a boilerplate code where Lombok is used.
|
|
English version |
Added English version of the following.
|
2014-08-27 |
- |
Released “1.0.1 RELEASE” version
Refer to Issue list of 1.0.1 for details.
|
|
Overall modifications |
Fixed guideline bugs (corrected typos, mistakes in description etc.)
Refer to Issue list of 1.0.1 (bug & clerical error) for details.
|
|
Japanese version |
Added Japanese version of the following.
|
|
English version |
Added English version of the following.
|
|
Stack of TERASOLUNA Server Framework for Java (5.x) |
Updated the OSS version in accordance with bug fixes.
- GroupId (org.springframework) updated to 3.2.10.RELEASE from 3.2.4.RELEASE
- GroupId (org.springframework.data)/ArtifactId (spring-data-commons) updated to 1.6.4.RELEASE from 1.6.1.RELEASE
- GroupId (org.springframework.data)/ArtifactId (spring-data-jpa) updated to 1.4.3.RELEASE from 1.4.1.RELEASE
- GroupId (org.aspectj) updated to 1.7.4 from 1.7.3
- Deleted GroupId (javax.transaction)/ArtifactId (jta)
|
|
Implementation of Application Layer |
Added a warning about CVE-2014-1904 (XSS Vulnerability of action attribute in <form:form> tag) |
|
Japanese version
Message Management
|
Added description about bug fix
|
|
Japanese version
Pagination
|
Updated description about bug fix
|
|
Japanese version
Ajax
|
Updated description of countermeasures against XXE Injection |
|
Japanese version
File Upload
|
Added a warning about CVE-2014-0050 (File Upload Vulnerability)
Fixed guideline bugs.
- Added how to handle MultipartException using the error-page functionality of the servlet container, because the application cannot handle MultipartException using SystemExceptionResolver when MultipartFilter is used.
Refer to Issue of guideline#59 for details.
|
2013-12-17 |
Japanese version |
Released “1.0.0 Public Review” version |