# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

This is not an official release notes document.  It exists for Shiro developers
to jot down their notes while working in the source code.  These notes will be
combined with Jira's auto-generated release notes during a release for the
total set.

###########################################################
# 1.2.0
###########################################################

Backwards Incompatible Changes
--------------------------------
- The following org.apache.shiro.mgt.DefaultSecurityManager methods have been removed:
  bindPrincipalsToSession(principals, context)

  This logic has been moved into a SubjectDAO concept to allow end-users to control
  exactly how the Session may be used for subject state persistence.  This allows a
  single point of control rather than needing to configure Shiro in multiple places.

  If you overrode this method in Shiro 1.0 or 1.1, please look at the new
  org.apache.shiro.mgt.DefaultSubjectDAO implementation, which performs compatible logic.
  Documentation for this is covered here:
  http://shiro.apache.org/session-management.html#SessionManagement-SessionsandSubjectState

- The org.apache.shiro.web.session.mgt.ServletContainerSessionManager implementation
  (enabled by default for all web applications) no longer subclasses
  org.apache.shiro.session.mgt.AbstractSessionManager.  AbstractSessionManager existed
  originally to consolidate a 'globalSessionTimeout' configuration property for
  subclasses.  However, the ServletContainerSessionManager has been changed to always
  reflect the session configuration from web.xml (per its namesake).  Because web.xml
  is the definitive source for session timeout configuration, the 'extends' clause
  was removed to avoid configuration confusion: if someone attempted to configure
  'globalSessionTimeout' on a ServletContainerSessionManager instance, it would never
  be honored.  It was better to remove the extends clause to ensure that any
  such configuration would fail fast when Shiro starts up to reflect the invalid config.


Potential Breaking Changes
--------------------------------
- The org.apache.shiro.web.filter.mgt.FilterChainManager class's
  addFilter(String name, Filter filter) semantics have changed.  It now no longer
  attempts to initialize a filter by default before adding the filter to the chain.
  If you ever called this method, you can call the
  addFilter(name, filter, true) method to achieve the <= 1.1 behavior.

- The org.apache.shiro.crypto.SecureRandomNumberGenerator previously defaulted to generating
  128 random _bytes_ each time the nextBytes() method was called.  This is too large for most purposes, so the
  default has been changed to 16 _bytes_ (which equals 128 bits - what was originally intended).  If for some reason
  you need more than 16 bytes (128 bits) of randomly generated bits, you will need to configure the
  'defaultNextByteSize' property to match your desired size (in bytes, NOT bits).

- Shiro's Block Cipher Services (AesCipherService, BlowfishCipherService) have had the following changes:

  1) The internal Cipher Mode and Streaming Cipher Mode have been changed from CFB to the new default of CBC.
     CBC is more commonly used for block ciphers today (e.g. SSL).
     If you were using an AES or Blowfish CipherService you will want to revert to the previous defaults in your config
     to ensure you can still decrypt previously encrypted data.  For example, in code:

     blockCipherService.setMode(OperationMode.CFB);
     blockCipherService.setStreamingMode(OperationMode.CFB);

     or, in shiro.ini:

     blockCipherService.modeName = CFB
     blockCipherService.streamingModeName = CFB

  2) The internal Streaming Padding Scheme has been changed from NONE to PKCS5 as PKCS5 is more commonly used.
     If you were using an AES or Blowfish CipherService for streaming operations, you will want to revert to the
     previous padding scheme default to ensure you can still decrypt previously encrypted data.  For example, in code:

     blockCipherService.setStreamingPaddingScheme(PaddingScheme.NONE);

     or, in shiro.ini:

     blockCipherService.streamingPaddingSchemeName = NoPadding

     Note the difference in code vs shiro.ini in this last example: 'NoPadding' is the correct text value, 'NONE' is
     the correct Enum value.

###########################################################
# 1.1.0
###########################################################

Backwards Incompatible Changes
--------------------------------
- The org.apache.shiro.web.util.RedirectView class's
  appendQueryProperties(StringBuffer targetUrl, Map model, String encodingScheme)
  method has been changed to accept a StringBuilder argument instead of a
  StringBuffer per SHIRO-191.  RedirectView is considered an internal
  implementation support class and Shiro end-users should not be affected by this.