The Jetty application server in the Ready-to-Run distribution now uses the Logback framework, just like XSLWeb itself. Jetty now logs to {xslweb.home}/logs/jetty.log. This Ready-to-Run distribution does not have any dependency on Log4J/Log4J2.
Added dependencies on Pac4J and Buji-Pac4J (Pac4J for Apache Shiro), see Security: authentication and authorization. In addition to the functionality provided by XSLWeb's Apache Shiro integration, Pac4J adds the possibility to use additional authentication mechanisms like OAuth 1/2, SAML, CAS, OpenID Connect, JWT, Kerberos (SPNEGO), REST API or authorization mechanisms like Roles/permissions, Anonymous/remember-me/(fully) authenticated, CORS, CSRF, HTTP Security headers. At this moment, only the Pac4J OpenID Connect and OAuth2 libraries are bundled with XSLWeb, but others can be added by placing them on the classpath of XSLWeb.
Refactoring of the caching functionality; transition from Ehcache version 2.6 to 3.9. NB. this refactoring has some backward compatibility issues, see differences in caching example. Also the Response Caching functionality is not supported anymore because Ehcache dropped the support for SimpleCachingHeadersPageCachingFilter. Removed support for the response caching pipeline attributes.
Authentication information (for the legacy authentication mechanism) can now also be stored as a request attribute, which is useful for clients that do not support sessions. Whether information is stored as a session attribute and/or a request attribute can now be overridden by implementing the named templates "auth:store-profile-in-session" and "auth:store-profile-in-request". The default implementations return true().
Avoid creating unnecessary HttpSession objects, for instance in the extension function session:get-attribute() when no session object exists yet.
Overrides and additions for mimetype mapping properties file (MimeUtil), especially for the extension .css.
Change to nested/internal pipeline requests: all attributes that are stored in the "parent" request using req:set-attribute($name, $value) will now be available in the nested/internal request using req:get-attribute($name). That means you now can pass any sequence (including nodes) to the nested/internal request without the need for serialization/deserialization.
Added several exclusions to pom.xml to avoid duplicate Java classes on the classpath; added scanning for duplicate classes when opening the XSLWeb Context.
Changed the default value of the XSLWeb property "xslweb.parserhardening" from false to true (which avoids XXE attacks).
Dependency on javautil (org.clapper) and asm removed. Functionality regarding dynamic loading of "external/plugin" classes (XPath extension functions) ported to the ClassGraph library.
Serving of static files (StaticResourceFilter, ResourceSerializer) is now handled by a new FileServlet (based on org.omnifaces.servlet.FileServlet) with more extensive support for ETag, If-None-Match and If-Modified-Since caching requests and Range and If-Range ranging requests ("byte serving").
The request XML document is now also passed as stylesheet parameter $req:request-xml-doc to all pipeline transformation steps (see Stylesheet Parameters)
Nodes that are stored using the context, session and webapp's set-attribute() extension functions are now no longer copied to a new tiny tree but are stored "as is". Note that this is a breaking change because the node that is returned using the get-attribute() functions is not necessarily a document node, but now can be an element, attribute or other node type.
The EXPath extension function file:move() incorrectly threw an exception when the target file already existed. It now conforms to the specs.
Ready-to-run distributions are now available for Linux, macOS and Windows 64-bit platforms, containing a Jetty Application Server, OpenJDK 13 and startup scripts. The .war distribution is still available; the tomcat-7-runner "uber-jar" distribution has been removed.
The former "XSLWeb Quick Start Guide" in PDF format has been converted and extended to the "XSLWeb Developer Manual" in HTML format (using Asciidoctor). The Developer Manual is available through Github Pages.
XSLWeb's Security is vastly improved and is now based on the Apache Shiro security framework. Apache Shiro is a powerful, easy-to-use and "battle-tested" Java security framework that performs authentication (Basic, Token based, LDAP, JDBC, ActiveDirectory, etc), authorization (subject/role/permission based), cryptography, and session management. The functionality of Apache Shiro is available within XSLWeb through a library of XPath extension functions.
WebDAV support: all webapp's resources (XSLT stylesheets, CSS stylesheets, Javascripts, images) are now available through WebDAV.
Dependency library upgrades:
The Saxon XSLT and XQuery Processor library is upgraded to the version 10.5. This means (among other things) that higher order functions and the xsl:evaluate instruction are available in the Saxon-HE (Open Source) version.
The Saxon-JS integration now implements version 2.
The Apache Commons Upload, Text, IO, Lang, Collections, E-mail, Exec libraries are all upgraded to their latest versions.
The Quartz Scheduler framework is upgraded to version 2.3.2.
The Apache FOP (Formatting Objects Processor) is upgraded to version 2.5
The c3p0 connection pooling library is upgraded to version 0.9.5.5.
Serving of static files (StaticResourceFilter, ResourceSerializer) is now handled by a new FileServlet (based on org.omnifaces.servlet.FileServlet) with more extensive support for ETag, If-None-Match and If-Modified-Since caching requests and Range and If-Range ranging requests ("byte serving").
The request XML document is now also passed as stylesheet parameter $req:request-xml-doc to all pipeline transformation steps (see Stylesheet Parameters)
Nodes that are stored using the context, session and webapp's set-attribute() extension functions are now no longer copied to a new tiny tree but are stored "as is". Note that this is a breaking change because the node that is returned using the get-attribute() functions is not necessarily a document node, but now can be an element, attribute or other node type.
The EXPath extension function file:move() incorrectly threw an exception when the target file already existed. It now conforms to the specs.
v4.0.0-RC1
3 years ago
New in this release:
Ready-to-run distributions are now available for Linux, macOS and Windows 64-bit platforms, containing a Jetty Application Server, OpenJDK 13 and startup scripts. The .war distribution is still available; the tomcat-7-runner "uber-jar" distribution has been removed.
The former "XSLWeb Quick Start Guide" in PDF format has been converted and extended to the "XSLWeb Developer Manual" in HTML format (using Asciidoctor). The Developer Manual is available through Github Pages.
XSLWeb's Security is vastly improved and is now based on the Apache Shiro security framework. Apache Shiro is a powerful, easy-to-use and "battle-tested" Java security framework that performs authentication (Basic, Token based, LDAP, JDBC, ActiveDirectory, etc), authorization (subject/role/permission based), cryptography, and session management. The functionality of Apache Shiro is available within XSLWeb through a library of XPath extension functions.
WebDAV support: all webapp's resources (XSLT stylesheets, CSS stylesheets, Javascripts, images) are now available through WebDAV.
Dependency library upgrades:
The Saxon XSLT and XQuery Processor library is upgraded to the version 10.2. This means (among other things) that higher order functions and the xsl:evaluate instruction are available in the Saxon-HE (Open Source) version.
The Saxon-JS integration now implements version 2.
The Apache Commons Upload, Text, IO, Lang, Collections, E-mail, Exec libraries are all upgraded to their latest versions.
The Quartz Scheduler framework is upgraded to version 2.3.2.
The Apache FOP (Formatting Objects Processor) is upgraded to version 2.5
The c3p0 connection pooling library is upgraded to version 0.9.5.5.
v3.0.1
4 years ago
Minor bugfixes
Binary releases
v3.0.0
6 years ago
New functionalities:
XQuery 3.1 pipeline step
STX (Streaming Transformations for XML) pipeline step. Can for example be used to selectively read and transform data from very large XML files.
Asynchronous HTTP requests
Multiple performance improvements (most important is that RequestSerializer now serializes directly to Saxon's TinyTree format).
Upgrade of multiple 3rd party library versions; i.a. Saxon 9.8 (latest and greatest) and Apache FOP 2.2
Several bug fixes
v2.0.0
7 years ago
New functionalities:
Support for XSLT version 3.0
New pipeline steps:
XML Schema validation
Schematron validation
JSON serialization
Apache FOP serialization (i.a. to PDF or RTF)
ZIP serialization
New XPath extension functions, i.a.:
Start external processes
Scaling of images
JSON parsing and serialization
Extended logging and error messages
New global configuration options:
Resist XML External Entity (XXE) attacks
Trust SSL certificates of external HTTPS servers
Support for Saxon PE (Professional Edition) and EE (Enterprise Edition)
Proxy server support for XSLT document() function
Runs on Java 1.8 or higher
Upgrade of 3rd party library versions i.a. Saxon 9.7, Quartz 2.2.3, Apache Commons, ehcache 2.6.10.