ChangeLog.txt

This file contains a listing of all Jira tickets that have been closed
for a given release.  

Portions of this report were generated using the ReleaseNotes facility
in Jira.

Release 3.0.1
==============

Bug

    [WSS-699] - org.apache.wss4j.dom.transform.STRTransform not compliant with Oracle spec

Improvement
    [WSS-700] - WSSecEncrypt cannot set Security Provider

Release 3.0.0
==============

New Feature
     [WSS-694] - Move wss4j to native jakarta namespace

Improvement
    [WSS-695] - Unmarshalling failure with OpenSAML 4

Wish
    [WSS-684] - Support OpenSaml 4

Task

    [WSS-687] - Upgrade OpenSAML to v4.1.x
    [WSS-696] - Upgrade ehcache to 3.10.0 with jakarta classfier

Release 2.4.1
==============

Bug
    [WSS-692] - Timestamp of content in jar-files are invalid.

Release 2.4.0
==============

Bug
    [WSS-678] - OpenSAML Decrypter initialization failed

Improvement
    [WSS-679] - Fix regression in signing KeyInfos

Release 2.3.2
==============

Bug

    [WSS-685] - Signature before timestamp results in signing after encryption


Release 2.3.1
==============

Bug

    [WSS-677] - Comparison in validate class is vulnerable to timing side channels
    [WSS-678] - OpenSAML Decrypter initialization failed

Improvement

    [WSS-679] - Fix regression in signing KeyInfos


Release 2.3.0
==============

Bug

    [WSS-634] - Nodes are not imported correctly when creating headers
    [WSS-643] - NullPointerException in getCacheManager
    [WSS-644] - Error when a SOAP-Fault is thrown with MTOM enabled
    [WSS-648] - Performance problem with very big request
    [WSS-651] - Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
    [WSS-652] - MTOM Content-Id handling doesn't comply with RFC2392: .NET issues
    [WSS-659] - SecurityContextToken validator set by wrong QName
    [WSS-663] - Missing ECC key support
    [WSS-670] - Expected signature algorithm is overwriten with default in case of DSA and EC Keys

Improvement

    [WSS-640] - Streaming Sender-Vouches validation does not work with SOAP 1.2
    [WSS-641] - Add the ability to configure a different separator for certificate constraints
    [WSS-650] - Exclude guava 19.0 dependency
    [WSS-656] - Add the ability to specify a security Provider to use with Signature
    [WSS-657] - Update OpenSAML Dependency to 3.4.x
    [WSS-658] - Enable signature confirmation for signed SAML tokens
    [WSS-661] - Change BouncyCastle provider registering
    [WSS-662] - [OSGi] Support for SAAJ-RI 1.4.0
    [WSS-666] - Support processing SignatureValue bytes stored in attachments
    [WSS-667] - Support JDK14
    [WSS-668] - Rename WSSConstants ENCRYPT actions
    [WSS-669] - Rename ConfigurationConstants ENCRYPT actions
    [WSS-673] - Using default Java Security and Merlin is very slow for PKCS12

Task

    [WSS-632] - Support EhCache 3+
    [WSS-633] - Upgrade ErrorProne to support Java 11
    [WSS-637] - Refactor ReplayCache interface to use an expiry Instant instead of a long TTL value
    [WSS-649] - Remove Doctypes from the streaming schemas
    [WSS-672] - Make sure to process all elements of the SAML Signature KeyInfo



Release 2.2.5
==============

Bug

    [WSS-659] - SecurityContextToken validator set by wrong QName
    [WSS-663] - Missing ECC key support

Improvement

    [WSS-653] - Better diagnostics for null password
    [WSS-656] - Add the ability to specify a security Provider to use with Signature
    [WSS-658] - Enable signature confirmation for signed SAML tokens
    [WSS-666] - Support processing SignatureValue bytes stored in attachments

Task

    [WSS-665] - Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226


Release 2.2.4
==============

Bug

    [WSS-648] - Performance problem with very big request
    [WSS-651] - Incorrect signature if document has WSU_NS declared on SOAP Header or Envelope
    [WSS-652] - MTOM Content-Id handling doesn't comply with RFC2392: .NET issues

Task

    [WSS-633] - Upgrade ErrorProne to support Java 11
    [WSS-649] - Remove Doctypes from the streaming schemas


Release 2.2.3
==============

Bug

    [WSS-634] - Nodes are not imported correctly when creating headers
    [WSS-644] - Error when a SOAP-Fault is thrown with MTOM enabled

Improvement

    [WSS-640] - Streaming Sender-Vouches validation does not work with SOAP 1.2
    [WSS-641] - Add the ability to configure a different separator for certificate constraints
    [WSS-642] - Use LinkedHashSet instead of TreeSet within getInclusivePrefixes


Release 2.2.2
==============

Bug

    [WSS-624] - Support for SAAJ-RI 1.4.0
    [WSS-625] - Use RFC4648 base64 encoder for signature values and BST
    [WSS-626] - Duplicates in the PrefixList

New Feature

    [WSS-623] - NameIdBean SPNameQualifier support

Improvement

    [WSS-627] - Java 10 SAAJ support
    [WSS-628] - Support processing xop:Include for the streaming WS-Security stack
    [WSS-629] - Support additional elements in SubjectConfirmationData

Wish

    [WSS-622] - from SAMLCallback no possible setting SAML2 SubjectConfirmation.NameID


Release 2.2.1
==============

Bug

    [WSS-540] - Need to load properties outside of classpath
    [WSS-617] - Allow to configure the SAML Signed Action with "signatureUser"
    [WSS-618] - Cannot create signature which includes KeyInfo
    [WSS-620] - The SecurityTokenRefSTRParser should derive the key length from the DerivedKeyToken "Length" parameter

Improvement

    [WSS-619] - Support adding a custom KeyInfo Element for Signature

Release 2.2.0
==============

Bug

    [WSS-558] - org.apache.ws.security.message.WSSecSignature can't support custom provider
    [WSS-560] - NullPointerException in WSSecEncrypt when encrypted header element has attributes
    [WSS-562] - Support processing EncryptedAssertions that contain EncryptedKey children
    [WSS-563] - Cannot decrypt non XML conform attachements
    [WSS-564] - Allow WS-SecurityPolicy 1.1 tokens to have an optional policy element
    [WSS-565] - Support the ability to create and process EncryptedKeys that reference a PublicKey
    [WSS-580] - ThreadLocalSecurityProvider returns null instead of empty collection
    [WSS-582] - Don't cache Crypto key references in WSHandler
    [WSS-583] - crypto.verifyTrust can fail when the DN of the issuer is more than once in the truststore
    [WSS-587] - Concurrency issue in EHCacheManagerHolder
    [WSS-590] - WSS4J relies on deafult locale
    [WSS-594] - Copy Security Header SOAP MustUnderstand/Actor to an EncryptedHeader element
    [WSS-602] - ConfigurationConstants.VALIDATOR_MAP is not supported
    [WSS-603] - Improper date check in SamlAssertionWrapper.checkIssueInstant
    [WSS-604] - UsernameTokenNoPassword does not work via WSHandler
    [WSS-610] - WSSecurityUtil.decodeAction misbehaving when sending NoSecurity
    [WSS-611] - CAs with the NameConstraint extension cause exceptions when verifying trust
    [WSS-612] - CertificateStore crypto implementation does not correctly handle certificate chains

Improvement

    [WSS-569] - Improvements to error messages
    [WSS-570] - Typo in the constant name for "RSAOAEP"
    [WSS-584] - Don't create ReplayCache instances internally
    [WSS-586] - Don't query a CallbackHandler for a secret key when parsing a SAML Subject for credentials
    [WSS-592] - Add support for a comma-separated list of crls
    [WSS-596] - org.apache.wss4j.common.crypto.CryptoFactory add security provider always
    [WSS-597] - Implement equals/hashCode for the WSS4J policy model
    [WSS-599] - Upgrade to Java 8 DateTime API
    [WSS-600] - Get the configured ParserPool via OpenSAMLUtil
    [WSS-601] - Optionally skip XACML initialization for OpenSAML
    [WSS-605] - Ensure the ws-security-dom can work with the saaj impl in latest Java9 EA kit
    [WSS-608] - Allow policy tokens not to have a wsp:Policy child element
    [WSS-613] - Update OpenSAMLUtil to be able to sign generic SignableSAMLObjects

New Feature

    [WSS-571] - Truststore Provider
    [WSS-593] - Implement Certificate Issuer DN Constraint support
    [WSS-598] - Add support for signing + encrypting messages using MTOM

Wish

    [WSS-573] - Ignore IntelliJ user files


Release 2.1.10
==============

Improvement

    [WSS-608] - Allow policy tokens not to have a wsp:Policy child element

New Feature

    [WSS-606] - Possibility to configure the SAML attribute //Assertion/Subject/NameID/@SPProvidedID in a CallbackHandler


Release 2.1.9
=============

Bug

    [WSS-558] - org.apache.ws.security.message.WSSecSignature can't support custom provider
    [WSS-602] - ConfigurationConstants.VALIDATOR_MAP is not supported
    [WSS-603] - Improper date check in SamlAssertionWrapper.checkIssueInstant
    [WSS-604] - UsernameTokenNoPassword does not work via WSHandler

Improvement

    [WSS-597] - Implement equals/hashCode for the WSS4J policy model
    [WSS-600] - Get the configured ParserPool via OpenSAMLUtil
    [WSS-601] - Optionally skip XACML initialization for OpenSAML


Release 2.1.8
=============

Bug

    [WSS-585] - Kerberos processing fails on HP Java 8.0.06
    [WSS-587] - Concurrency issue in EHCacheManagerHolder
    [WSS-590] - WSS4J relies on deafult locale
    [WSS-594] - Copy Security Header SOAP MustUnderstand/Actor to an EncryptedHeader element

Improvement

    [WSS-592] - Add support for a comma-separated list of crls

New Feature

    [WSS-593] - Implement Certificate Issuer DN Constraint support


Release 2.1.7
=============

Bug

    [WSS-582] - Don't cache Crypto key references in WSHandler
    [WSS-583] - crypto.verifyTrust can fail when the DN of the issuer is more than once in the truststore

Improvement

    [WSS-584] - Don't create ReplayCache instances internally


Release 2.1.6
=============

Bug

    [WSS-577] - Binary compatibility broken between version <=2.1.3 and >=2.1.4 with org.apache.wss4j.dom.WSSecurityEngineResult
    [WSS-578] - Binary compatibility breaks between 2.1.5 and 2.1.6-SNAPSHOT
    [WSS-580] - ThreadLocalSecurityProvider returns null instead of empty collection

New Feature

    [WSS-575] - Support for Digest other than sha1 in xenc:EncryptionMethod


Release 2.1.5
=============

Bug

    [WSS-560] - NullPointerException in WSSecEncrypt when encrypted header element has attributes
    [WSS-562] - Support processing EncryptedAssertions that contain EncryptedKey children
    [WSS-563] - Cannot decrypt non XML conform attachements
    [WSS-564] - Allow WS-SecurityPolicy 1.1 tokens to have an optional policy element
    [WSS-565] - Support the ability to create and process EncryptedKeys that reference a PublicKey
    [WSS-566] - AES_128_GCM does not work for attachments
    [WSS-567] - processSecurityHeadaers does not work for 1.1 namespace

Improvement

    [WSS-561] - No way to set SAML Issuer Format Value
    [WSS-569] - Improvements to error messages
    [WSS-570] - Typo in the constant name for "RSAOAEP"

New Feature

    [WSS-571] - Truststore Provider

Wish

    [WSS-573] - Ignore IntelliJ user files


Release 2.1.4
=============

Bug

    [WSS-552] - The KerberosServiceExceptionAction and KerberosClientExceptionAction do not support HP JDK
    [WSS-553] - <wsu:Expires> and <wsu:Created> elements not use UTC time format
    [WSS-556] - Basic256Sha256 policy uses wrong minimum symmetric key length for signature
    [WSS-557] - Using MTOM and WS-Security leads to "Attachment not found"
    [WSS-559] - NullPointerException in TimestampInputHandler.checkBSPCompliance

Improvement

    [WSS-554] - Improved error message for timestamp in the future


Release 2.1.3
=============

Bug

    [WSS-548] - logging secretKey
    [WSS-549] - Don't write out a ReferenceList if there are no elements to encrypt
    [WSS-551] - Property passwordEncryptorInstance is not honored

Improvement

    [WSS-550] - Add the ability to specify a MGF-SHA algorithm in the policy AlgorithmSuiteType


Release 2.1.2
=============

Bug

    [WSS-541] - No support for signing and encrypting attachments while using derived keys
    [WSS-542] - Secure Conversation Renew is missing Instance creation
    [WSS-546] - Support sp11:WssX509V1Token10 in the policy model

Improvement

    [WSS-539] - Support MTOM/XOP-optimized content within a CipherValue element
    [WSS-544] - Support the ability to store message bytes in attachments (when using MTOM)
    [WSS-545] - Add the ability to create DelegateRestrictionType Conditions when creating SAML Assertions

New Feature

    [WSS-543] - Create a Merlin implementation that retrieves CA certs via their SubjectKeyIdentifier


Release 2.1.1
=============

Bug

    [WSS-538] - Signing/Validating SAML Assertions not working in an OSGi container


Release 2.1.0
=============

Bug

    [WSS-535] - Add WSSE and WSU xmlns definitions to signature's SecurityTokenReference
    [WSS-536] - WSSecurityUtil.getCipherInstance() does not use configured provider

Improvement

    [WSS-529] - Support Inclusive C14N via policy
    [WSS-530] - Add a property to enforce that a received Timestamp has an "Expires" Element
    [WSS-531] - Only create an EncryptedHeader if the parent node is the SOAP Header
    [WSS-533] - Also use signing key when trying to detect message replay attacks
    [WSS-534] - Allow SupportingToken policies to have more than one token


Release 2.0.3
=============

Bug

    [WSS-514] - Missing CUSTOM_TOKEN action in WSSecurityUtil#decodeHandlerAction @l961
    [WSS-517] - Cannot resolve WSS signature reference URI that points to AssertionID attribute of SAML 1.1 token
    [WSS-519] - SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EcryptedAssertion element

Improvement

    [WSS-515] - Add support for creating SAML Assertions with "Advice" Elements
    [WSS-518] - WSConfig static initializer attempts to modify JCE Providers fail in JVM with restrictive security policies
    [WSS-521] - Validate that a SAML Assertion "IssueInstant" is not "in the future"
    [WSS-522] - Enforce security constraints on SAML AuthnStatement attributes
    [WSS-523] - Add the ability to supply AudienceRestrictions when validating SAML tokens
    [WSS-524] - Set a default TTL of 30 minutes on a SAML Assertion with no NotOnOrAfter Condition
    [WSS-525] - Provide a means of unifying all error messages


Release 2.0.2
=============

Bug

    [WSS-508] - When using "add inclusive prefixes" and EXC C14N - signature cannot be validated
    [WSS-513] - Fails to parse Timestamp headers in Thai locale

Improvement

    [WSS-499] - Re-enable KerberosTests
    [WSS-510] - Provide a way of requiring a particular SAML subject confirmation method
    [WSS-511] - Provide a (default) way of requiring at least one standard Subject Confirmation Method
    [WSS-512] - Provide a configurable way of enforcing that SAML Bearer Tokens must have an internal signature

New Feature

    [WSS-507] - ThreadLocal based Security Provider proxy


Release 2.0.1
=============

Bug

    [WSS-500] - Kerberos client/server actions are only supporting NT_HOSTBASED_SERVICE service name form
    [WSS-501] - Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory

Improvement

    [WSS-502] - Add an easy way to retrieve signature digest values
    [WSS-503] - Share an existing global ehcache manager for ws security replay caches

Release 2.0.0
=============

Sub-task

    [WSS-343] - Move 1.6.x code into a new module.
    [WSS-344] - Refactor Crypto functionality to be used by both implementations
    [WSS-345] - Refactor Exception functionality to be used by both implementations
    [WSS-346] - Refactor SAML functionality to be used by both implementations
    [WSS-347] - Refactor configuration and constants to be used by both implementations
    [WSS-348] - Refactor Caching nonces/timestamp functionality to be used by both implementations
    [WSS-349] - Refactor Derived Key / SecureConveration functionality to be used by both implementations
    [WSS-350] - Update package names
    [WSS-352] - Reconcile AssertionWrapper & SAMLAssertionWrapper
    [WSS-353] - Add support in the streaming code for decrypting an EncryptedKey in the Subject of a SAML Assertion.
    [WSS-354] - Add support for specifying different algs for sign or c14n a SAML Assertion in the streaming code.
    [WSS-355] - Reconcile SAMLCallback between the two implementations
    [WSS-356] - Investigate signing Crypto differences
    [WSS-360] - Port BSP enforcer to streaming code.
    [WSS-361] - Update code to use correct WSPasswordCallback code as per the DOM code.
    [WSS-362] - Port Kerberos & SPNEGO work to streaming code
    [WSS-363] - Support pluggable Validation of received tokens as per DOM code
    [WSS-364] - Ensure that SecurityEvents let us see what was processed for the non-policy case.
    [WSS-366] - Disable Cobertura by default
    [WSS-367] - Set up a parent pom with dependency management.
    [WSS-368] - Log4j configuration
    [WSS-370] - Add CXF support for custom Algorithm Suites.
    [WSS-371] - Add support for (custom) GCM algorithm-suites.
    [WSS-372] - Add stricter enforcement of required policy elements as added to CXF.
    [WSS-373] - Check sender-vouches and holder-of-key requirements for SAML tokens.
    [WSS-374] - Support Kerberos token policy validation.
    [WSS-375] - Support IssuedToken policy validation
    [WSS-376] - Support Derived Keys policy validation
    [WSS-377] - Verify Signed/Endorsing/Encrypted/SupportingTokens policy validation
    [WSS-378] - Update tests in ws-security module to check security events.
    [WSS-379] - Does the policy validation code support checking the token requirement against whether it is an initiator or recipient?
    [WSS-381] - Support KeyValueTokens
    [WSS-386] - Introduce proprietary Compress-Transformation for Encryption / Decryption

Bug

    [WSS-408] - StAX - Exception handling and correct Fault-Codes per WSS spec
    [WSS-421] - WSSecSignature does not allow access to the internal BinarySecurityToken after it is applied to the security header
    [WSS-423] - Support CRL checking for streaming code
    [WSS-424] - Signature Element is not inserted in the correct place in the header in certain circumstances
    [WSS-427] - Add support for processing UsernameToken Created Dates
    [WSS-433] - Specifying actions of "WSSConstants.SIGNATURE_CONFIRMATION, WSSConstants.SIGNATURE" hangs WSS4J
    [WSS-436] - Outbound StaX code should fail on not finding a signature/encryption part
    [WSS-437] - Error in using StaX WS-Security + CXF WS-Addressing
    [WSS-439] - Error in using StaX WS-Security + CXF WS-Addressing
    [WSS-442] - "Never" Token Inclustion is not handled correctly (for X.509 tokens)
    [WSS-443] - Treat tokens received over TLS as "encrypted"
    [WSS-446] - Enable SignatureConfirmation without a Signature
    [WSS-448] - OnlySignEntireHeadersAndBody policy validation is incorrect
    [WSS-449] - Receiving code can't handle the case of a Thumbprint reference to a BST in the token
    [WSS-450] - Inbound Processing code fails with an Encrypted Signature
    [WSS-452] - Streaming code does not support an EncryptedData security header element without a preceeding ReferenceList
    [WSS-453] - "Once" Token Inclusion handling is not working
    [WSS-454] - TokenProtection error
    [WSS-457] - Incorrect validation of ProtectTokens assertion
    [WSS-458] - Allow no security header in certain use-cases
    [WSS-459] - RequiredParts + EncryptedParts policy validation not working
    [WSS-462] - ProtectionOrderAssertionState.testProtectionOrder is not working
    [WSS-463] - Refactor Signature + Encryption referencing
    [WSS-466] - assure compatibility with the change in ehcache CacheManager's create method from version 2.5.1 to 2.5.2 and up
    [WSS-468] - Symmetric Binding + EncryptBeforeSigning puts the Signature in front of the EncryptedKey
    [WSS-469] - Symmetric Binding + Derived Keys is not currently working
    [WSS-470] - AsymmetricBinding + ProtectTokens validation not working
    [WSS-471] - AsymmetricBinding validation without IncludeTimestamp doesn't work
    [WSS-472] - Incorrect Symmetric Key Derivation Length validation
    [WSS-479] - Inbound streaming does not handle Symmetric Holder-Of-Key correctly
    [WSS-480] - Streaming code hangs on a symmetric derived key response
    [WSS-481] - Problem with EncryptSignature + EndorsingSupportingTokens
    [WSS-482] - EncryptedElements + SignedElements validation not working
    [WSS-484] - Streaming code can't process a Key reference pointing to an EncryptedData element
    [WSS-486] - Streaming code does not process a (non-secured) SOAP Fault correctly
    [WSS-487] - Certain action combinations causes WSS4J to hang
    [WSS-490] - Derived Endorsing policy validation error
    [WSS-491] - Problem storing custom Principals
    [WSS-496] - "tests" classifier artifacts dependencies should not have compile scope
    [WSS-498] - Retrieving of public key from certificates in missing for signed results in compare credential method of org.apache.wss4j.dom.saml.DOMSAMLUtil

Improvement

    [WSS-383] - Allow encrypted password storage in signaturePropFile
    [WSS-391] - Create a PrivateKeyPasswordCallback for retrieval of server key passwords
    [WSS-403] - Use a common method for all of the P_hash implementations
    [WSS-412] - Unify error messages for the streaming code
    [WSS-413] - EncryptedKey security issue with streaming code
    [WSS-414] - Ensure that Algorithms are checked in streaming code before they are used
    [WSS-415] - Reject RSA v1.5 Key Transport Algorithm by default
    [WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords
    [WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator
    [WSS-426] - Support future TTL in the StaX code for Timestamps
    [WSS-438] - Support Signature Cert Constraints as per the DOM code
    [WSS-447] - Add the ability to include the signing token for IssuerSerial/Thumbprint Reference cases
    [WSS-489] - Extend Crypto interface with verifyTrustDirect() method
    [WSS-495] - Add support to configure the digest method used for SAML Assertions

New Feature

    [WSS-311] - Streaming-WebService-Security-Framework contribution/donation
    [WSS-430] - Support for secured SOAP attachments
    [WSS-497] - Support for SAML 2.0 EncryptedAssertion Element

Task

    [WSS-342] - Refactoring
    [WSS-351] - SAML work
    [WSS-359] - Streaming WS-Security support
    [WSS-365] - Build issues
    [WSS-369] - WS-SecurityPolicy work
    [WSS-405] - Support for XML Encryption 1.1 algorithms
    [WSS-425] - Add + update OSGi import/export information in the new modules
    [WSS-429] - Consider some @Deprecated classes in the old namespace
    [WSS-432] - Support EncryptedKeySHA1 KeyIdentifier in the StaX code
    [WSS-434] - Add ValueType attribute to a Signature/Encryption Reference to a DerivedKeyToken
    [WSS-460] - Support RequireSignatureConfirmation policy validation
    [WSS-494] - WSS4j documentation links are broken.

Release 1.6.15
=============

Bug

    [WSS-491] - Problem storing custom Principals
    [WSS-492] - WSS4J adds invalid wsu:Id attribute on SAML assertions

Improvement

    [WSS-495] - Add support to configure the digest method used for SAML Assertions

Release 1.6.14
=============

Bug

    [WSS-488] - Regression in parsing SecurityTokenReferences inside of a SAML Signature KeyInfo

Release 1.6.13
=============

Improvement

    [WSS-428] - It should be possible to use the useReqSigCert even when the certificate is not sent in the request
    [WSS-477] - Support the ability to create SAML2 Assertions with OneTimeUse + ProxyRestriction Conditions
    [WSS-478] - Support the ability to cache SAML2 Assertions with "OneTimeUse" Conditions
    [WSS-483] - wsse:Reference without ValueType

Release 1.6.12
=============

Bug

    [WSS-418] - Cannot configure SAML properties in WSS4JOutInterceptor without having to add that config file in the classpath
    [WSS-473] - BST signature element
    [WSS-474] - Missing the 'EncodingType' attribute in element built by STRTransformUtil#createBSTX509
    [WSS-475] - Issue with multiple processing of ReferenceList in EncryptedKey element

Improvement

    [WSS-465] - Possible information leak: incremental IDs
    [WSS-467] - Support creating SAML 2.0 Tokens with the AuthnStatement SessionNotOnOrAfter attribute.
    [WSS-476] - Add the ability to configure the Signature Canonicalization Algorithm via WSHandler

Release 1.6.11
=============

Improvement

    [WSS-441] - Allow the date/time in the security headers to be spoofed

Task

    [WSS-434] - Add ValueType attribute to a Signature/Encryption Reference to a DerivedKeyToken

Release 1.6.10
=============

Bug

    [WSS-421] - WSSecSignature does not allow access to the internal BinarySecurityToken after it is applied to the security header
    [WSS-424] - Signature Element is not inserted in the correct place in the header in certain circumstances
    [WSS-427] - Add support for processing UsernameToken Created Dates
    [WSS-431] - Performance bottleneck in MemoryReplayCache on high load

Improvement

    [WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords
    [WSS-422] - Move SAML Signature Profile Validation to the SamlAssertionValidator

Release 1.6.9
=============

Bug

    [WSS-417] - Cannot deploy WSS4J 1.6.8 to an OSGi container

Release 1.6.8
=============

Sub-task

    [WSS-410] - Reduce dependency on xmlsec library

Bug

    [WSS-231] - There is an issue with the position of the <Timestamp> element in the <Security> header when using WSS4J calling .NET Web Services with WS-Security.
    [WSS-399] - WSS4J: cannot set DigestMethod for KEYTRANSPORT_RSAOEP though requested by W3C
    [WSS-407] - Error when signing a SOAP Body that is encrypted with a reference to a SAML Token
    [WSS-409] - explicit dependency on XMLDSigRI in WSSConfig causes java.lang.ClassNotFoundException: org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI on WAS 8.5

Improvement

    [WSS-404] - Store Subject from JAAS LoginContext in WSSecurityEngineResult
    [WSS-406] - Add the ability to define which algorithms are acceptable when processing a security header
    [WSS-411] - STRTransform does not work in certain circumstances


Release 1.6.7
=============

Bug

    [WSS-392] - WSS4J can't handle SAML KeyIdentifier references to encrypted SAML Assertions stored in the cache
    [WSS-393] - WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
    [WSS-394] - WSS4J is not handling X509Data inside SecurityTokenReference inside a KeyInfo
    [WSS-396] - ConcurrentModificationException in MemoryReplayCache.processTokenExpiry
    [WSS-398] - Can't create a UsernameToken without a password

Improvement

    [WSS-395] - Support Certificate Constraints on the Subject DN of the certificate used for signature validation

Release 1.6.6
=============

Bug

    [WSS-357] - WSS4J can't handle thumbprint/ski references to a token in the security header
    [WSS-385] - UsernameToken handles long strings badly
    [WSS-389] - WSS4J TimeToLive value has a maximum of 25 days
    [WSS-390] - AssertionWrapper always tries to re-marshal when toDOM is called

Improvement

    [WSS-387] - Support future TTL setting when processing SAML Tokens
    [WSS-388] - Add support for populating SAML2 SubjectConfirmationData attributes when creating a SAML Assertion

New Feature

    [WSS-380] - SAML1 AuthenticationStatement only supports AuthenticationMethod Password

Task

    [WSS-358] - Record how a certificate was referenced for signature or encryption


Release 1.6.5
=============

Bug

    [WSS-316] - Tests failing with: The signature or decryption was invalid
    [WSS-331] - Insufficient checking of SAML Condition NotBefore/NotOnOrAfter validation dates (?)
    [WSS-333] - MerlinDevice tries to load truststore of type "trustStorePassword"
    [WSS-335] - SAML NotOnOrAfter Conditions not set correctly in certain circumstances
    [WSS-341] - the "FIRST step" check in SignatureTrustValidator.verifyTrustInCert ignore the enableRevocation status

Improvement

    [WSS-187] - Support Nonce Caching in Username Token Processing
    [WSS-325] - Add support for GCM algorithms via BouncyCastle
    [WSS-326] - Upgrade to Santuario 1.5.0
    [WSS-329] - Support validating Conditions in the SAMLAssertionValidator.
    [WSS-332] - Make Spnego Client and Service Actions pluggable
    [WSS-337] - Validate SAML Assertions against schema/specs
    [WSS-340] - support Certificates revocation check before encrypt on sender side

New Feature

    [WSS-336] - Option for checking EncryptedData elements are covered by signature

Release 1.6.4
=============

Bug

    [WSS-319] - NPE when certificate identified by SKI can't be found
    [WSS-320] - ClassCastException when verifying XML signature, multiple WARs deployed to same Tomcat instance
    [WSS-321] - Cannot configure for no password element expected using Spring configuration
    [WSS-323] - WS-Trust 1.3 namespace not supported when looking for a BinarySecret in a SAML KeyInfo
    [WSS-324] - org.apache.ws.security.str.SignatureSTRParser throws ArrayIndexOutOfBoundsException: 0 when crypto returns zero-length array of certificates

Improvement

    [WSS-322] - Add the ability to set DOM Elements directly on a SAMLCallback object
    [WSS-327] - Add support for obtaining and validating SPNEGO tokens.


Release 1.6.3
=============

Bug

    [WSS-304] - WSSecEncryptedKey should initialize cipher using WRAP_MODE instead of ENCRYPT_MODE.
    [WSS-306] - It would be nice to have WSSecEncryptedKey generate secret keys by means of KeyGenerator
    [WSS-317] - SAML Assertions have invalid ID values
    [WSS-318] - WsiBSPCompliant defaults to true

Improvement

    [WSS-305] - Migrate to OpenSaml2 2.5.1 from 2.4.1
    [WSS-307] - Support the ability to sign and encrypt message parts using a Kerberos Ticket
    [WSS-309] - Improve the configurability of the SAML signature creation in AssertionWrapper
    [WSS-310] - Reference and DerivedKeyToken message tokens are missing equals and hashcode methods for logical comparision
    [WSS-312] - Improve logging levels
    [WSS-314] - Add a Merlin configuration option to specify a default password to use to access a private key
    [WSS-315] - jaasLoginModuleName methods in KerberosTokenValidator.java should be renamed to contextName

New Feature

    [WSS-313] - Support UsernameToken validation against JAAS LoginModule


Release 1.6.2
=============

Bug

    * [WSS-294] - Merlin doesn't support physical providers with no keystore file
    * [WSS-295] - org.apache.ws.security.saml.ext.bean.AttributeBean attributeValues is not correct
    * [WSS-296] - SubjectLocality is missing from AuthenticationStatementBean
    * [WSS-297] - Subject Bean is missing NameID Format variable
    * [WSS-299] - UsernameToken Salt Mac/Encryption Flag on Wrong End of Array
    * [WSS-300] - SubjectKeyIidentifier (SKI) incorrectly calculated for 2048-bit RSA key
    * [WSS-301] - WSS4J 1.6 incorrectly using XML-Security ResourceResolvers
    * [WSS-302] - Unable to load keystore/truststore when it cannot be loaded from an InputStream
    * [WSS-303] - Support SKI_KEY_IDENTIFIER, THUMBPRINT_IDENTIFIER, ISSUER_SERIAL when signing "sender vouches" assertions

New Feature

    * [WSS-251] - Support WSS Kerberos Token Profile

Release 1.6.1
=============

Bug

    * [WSS-273] - org.apache.ws.security.transform.STRTransform causes ClassCastException when wss4j is running on IBM 1.6 JVM
    * [WSS-276] - Support signing a SAML Assertion using a derived key
    * [WSS-280] - USE_DERIVED_KEY instead of USE_DERIVED_KEY_FOR_MAC in WSHandler
    * [WSS-283] - ClassCastException when signing message with existing WSSE header containing Text as first child
    * [WSS-285] - Error in SAML1.1 Conditions support
    * [WSS-286] - Evidence element not present in SAML AuthzDecisionStatement
    * [WSS-291] - Default to allowing Timestamps Created up to 60 seconds in the future to avoid clock skew problems

Improvement

    * [WSS-275] - Use SLF4J for logging framework for 1.6
    * [WSS-278] - verifyTrust in Crypto should use CRLs as well
    * [WSS-284] - Improvements to wsse11:EncryptedHeader support
    * [WSS-287] - No longer use keystore for truststore purposes if the latter is explicitly specified.
    * [WSS-288] - Incorporating Colm's Blog entries into WSS4J documentation
    * [WSS-289] - Text improvements to website pages
    * [WSS-290] - Create Principals when processing SAML and BinarySecurityTokens

Release 1.6.0
=============

Bug

    * [WSS-40] - WSSecurityEngine does not support chained certificates
    * [WSS-81] - Compatibility between WSS4J and WebLogic 9 for Encryption
    * [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child
    * [WSS-99] - JCE provider ordering on solaris
    * [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed.
    * [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security
    * [WSS-147] - WCF interop issue: Security header ordering constraint
    * [WSS-175] - Remove static class variables from WSHandler
    * [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS
    * [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
    * [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined
    * [WSS-185] - NullPointerException on empty UsernameToken
    * [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation
    * [WSS-198] - Problem when body is signed and then an XPath is encrypted
    * [WSS-201] - Some of the processors use the wrong Crypto implementation
    * [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty
    * [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation
    * [WSS-209] - NPE in AbstractCrypto.getCryptoProvider()
    * [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias
    * [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
    * [WSS-212] - Replace deprecated references to getSubject/IssuerDN
    * [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string
    * [WSS-220] - WSHandler is using default configuration
    * [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment
    * [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
    * [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance.
    * [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration
    * [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
    * [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0
    * [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords
    * [WSS-234] - Comment as first element in document causes NPE
    * [WSS-241] - WSS4j needs to export a version in it's Export-Package directive.
    * [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes
    * [WSS-243] - Can't use Password Digest on Z/OS
    * [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException
    * [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for
    * [WSS-254] - Encryption/signing of multiple message parts with same name not working
    * [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
    * [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
    * [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
    * [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future
    * [WSS-270] - No need to ensure Crypto object is non-null for SAML signature verification using a secret key

Improvement

    * [WSS-69] - maven2
    * [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional
    * [WSS-131] - no support for extension of SecurityHeader
    * [WSS-146] - Upgrade opensaml dependency to 2.x line
    * [WSS-158] - Upgrade to BouncyCastle 1.43
    * [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce
    * [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance
    * [WSS-171] - Improve XML encryption processing
    * [WSS-173] - Remove unnecessary namespace definitions
    * [WSS-174] - Remove deprecated APIs
    * [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1
    * [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1
    * [WSS-180] - Support symmetric signature/encryption via configuration
    * [WSS-183] - Change the UsernameTokenProcessor to validate plaintext passwords
    * [WSS-184] - Specifying alternate cacerts keystore via properties?
    * [WSS-186] - Move TTL validation to the TimestampProcessor
    * [WSS-188] - CallbackHandler behaviour for derived keys
    * [WSS-189] - Refactor signature confirmation code
    * [WSS-190] - Replace all Vector references with Lists.
    * [WSS-191] - Move certificate validation our of WSHandler and into SignatureProcessor
    * [WSS-192] - Share code between the EncryptedKeyProcessor and the ReferenceListProcessor
    * [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey()
    * [WSS-199] - Add support for WCF non-standard Username Tokens
    * [WSS-202] - Upgrade to XML Security 1.4.3.
    * [WSS-203] - Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.
    * [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case.
    * [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken
    * [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality
    * [WSS-229] - UsernameTokenProcessor should be able to act as a UsernameToken parser only and not enforce the validation of passwords
    * [WSS-232] - Performance Improvement in WSSConfig
    * [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler
    * [WSS-236] - Provide signature digest algorithm in signature processor results.
    * [WSS-237] - Provide key transport algorithm in encryption processor results
    * [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
    * [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
    * [WSS-240] - Support KeyValue in SAML subject
    * [WSS-247] - Upgrade to XML Security 1.4.4
    * [WSS-253] - UsernameTokenProcessor logs the password to the log
    * [WSS-257] - Avoid converting the SOAP Body to DOM on the processing side if possible
    * [WSS-259] - Improve outbound DOM element location
    * [WSS-263] - Store secret key from signature processor
    * [WSS-264] - OSGi bundle should NOT specify the universal DynamicImport-Package: *
    * [WSS-266] - Provide better support for pluggable authentication/verification of security tokens
    * [WSS-271] - Add support for custom validation of BinarySecurityTokens
    * [WSS-274] - Add support for allowing future-dated Timestamps

New Feature

    * [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
    * [WSS-204] - Support validating SAML 2.0 tokens
    * [WSS-255] - Add support for enforcing a text or digest password type when processing a UsernameToken

Task

    * [WSS-246] - Upgrade to BouncyCastle 1.45
    * [WSS-248] - Remove Axis1 artifacts in WSS4J 1.6
    * [WSS-249] - Parameterize Collections in WSS4J 1.6
    * [WSS-250] - Refactor testing
    * [WSS-256] - Review Basic Security Profile and Reliable Secure Profile spec compliance
    * [WSS-268] - Upload Opensaml2 artifacts, and dependencies, to Maven Central
    * [WSS-269] - Refactor the Crypto interface

Test

    * [WSS-172] - Test encrypted headers

Release 1.5.11
=============

Bug

    * [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
    * [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
    * [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
    * [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future

Improvement

    * [WSS-263] - Store secret key from signature processor


Release 1.5.10
=============

** Bug

    * [WSS-40] - WSSecurityEngine does not support chained certificates

** Improvement

    * [WSS-238] - Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
    * [WSS-239] - Need ability to handle password "equivalent" between WSPasswordCallback and UsernameToken when it's binary data
    * [WSS-247] - Upgrade to XML Security 1.4.4
    * [WSS-253] - UsernameTokenProcessor logs the password to the log


Release 1.5.9
=============

** Bug

    * [WSS-205] - WSS4J Handler passes null to MessageContext.setProperty
    * [WSS-206] - The way referncelist processing of SAML issued tokens doesn't work properly and need to extract necessary information to do algorithm validation
    * [WSS-209] - NPE in AbstractCrypto.getCryptoProvider()
    * [WSS-210] - NPE in CryptoBase.getAliasForX509Cert(Certificate cert) if Keystore does not contain a Certifcate entry for each alias
    * [WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
    * [WSS-212] - Replace deprecated references to getSubject/IssuerDN
    * [WSS-219] - empty/blank password not supported in username token. value read by wss4j is null instead of empty string
    * [WSS-220] - WSHandler is using default configuration
    * [WSS-221] - UUIDGenerator generates duplicate identifiers when used in a multi-threaded environment
    * [WSS-222] - SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform
    * [WSS-223] - Incorrect xpath set on WSDataRef when decrypting an EncryptedHeader instance.
    * [WSS-224] - SAMLTokenSignedAction and WSSecSignatureSAML do not honor signature algorithm or digest algorithm from WSSHandler configuration
    * [WSS-225] - 'Unprintable' characters in Distinguished Name causing comparison failure
    * [WSS-226] - Interoperability b/w Java consumer of .NET Web Service with WS-Security on WSE 2.0
    * [WSS-227] - CryptoBase.getPrivateKey() unable to handle empty (null) passwords
    * [WSS-234] - Comment as first element in document causes NPE
    * [WSS-241] - WSS4j needs to export a version in it's Export-Package directive.
    * [WSS-242] - Signing EncryptedData or EncryptedKey elements creates extraneous Id attributes
    * [WSS-243] - Can't use Password Digest on Z/OS
    * [WSS-244] - Loading of Signature and Encryption property files not trimming trailing whitespace - Leads to ClassNotFoundException
    * [WSS-245] - WSHandlerConstants.PW_CALLBACK_REF isn't correctly searched for

** Improvement

    * [WSS-180] - Support symmetric signature/encryption via configuration
    * [WSS-214] - SignatureProcessor is not reusing results from BinarySecurityTokenProcessor or DerivedKeyTokenProcessor
    * [WSS-215] - SignatureProcessor is not reusing results from WSDocInfo for the Reference case.
    * [WSS-216] - SignatureProcessor does not support directly referencing a SecurityContextToken
    * [WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality
    * [WSS-233] - Allow configuration of UsernameTokenSpec 1.1 derived key functionality through WSHandler
    * [WSS-236] - Provide signature digest algorithm in signature processor results.
    * [WSS-237] - Provide key transport algorithm in encryption processor results
    * [WSS-240] - Support KeyValue in SAML subject

** New Feature

    * [WSS-204] - Support validating SAML 2.0 tokens

** Task

    * [WSS-246] - Upgrade to BouncyCastle 1.45


Release 1.5.8
=============

** Bug

    * [WSS-147] - WCF interop issue: Security header ordering constraint
    * [WSS-176] - Problem with WSSecurityUtil.prependChildElement and JBossWS
    * [WSS-178] - signature verification failure of signed saml token due to The Reference for URI (bst-saml-uri) has no XMLSignatureInput
    * [WSS-182] - Encryption with symmetric key with encryptSymmKey set to false generates invalid xml without xenc defined
    * [WSS-196] - STRTransform not compatible with Sun's SAAJ implementation
    * [WSS-198] - Problem when body is signed and then an XPath is encrypted
    * [WSS-201] - Some of the processors use the wrong Crypto implementation

** Improvement

    * [WSS-131] - no support for extension of SecurityHeader
    * [WSS-158] - Upgrade to BouncyCastle 1.43
    * [WSS-177] - Allow encryption using a symmetric key and EncryptedKeySHA1
    * [WSS-179] - Allow signature using a symmetric key and EncryptedKeySHA1
    * [WSS-195] - More detailed exception thrown from CryptoBase.getPrivateKey()
    * [WSS-199] - Add support for WCF non-standard Username Tokens
    * [WSS-202] - Upgrade to XML Security 1.4.3.

** New Feature

    * [WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken


Release 1.5.7
=============

** Bug

    * [WSS-90] - SamlUtil.java throws XMLSecurityException when SAML SubjectConfirmation element doesn't have KeyInfo child
    * [WSS-99] - JCE provider ordering on solaris
    * [WSS-117] - WSS4J does not supports KeyIdentifiers to reference SAML tokens but this is allowed by the WSS specification. Integration tesitng with owsm failed.
    * [WSS-136] - POM files needed in Maven repository for OpenSAML, WSS4J, and XML Security

** Improvement

    * [WSS-84] - Make the use of the VM-wide keystore (lib/security/cacerts) optional
    * [WSS-169] - Add an EncodingType attribute for a UsernameToken nonce
    * [WSS-170] - SignatureAction does not set DigestAlgorithm on WSSecSignature instance

** Test

    * [WSS-172] - Test encrypted headers


Release 1.5.6
=============

** Bug

    * [WSS-105] - Make WSS4J compliant with X.509 1.1 specification
    * [WSS-162] - With SecureConv tokens, URI reference processing can strip off first char of ID....
    * [WSS-163] - No way to set SC ValueType attribute for references in WSSecEncrypt
    * [WSS-164] - Related to WSS-162, there isn't anyway to create a direct Reference based on identifier
    * [WSS-165] - Problems verifying trusted certs if provider not specified in properties
    * [WSS-168] - Verification/Decryption failure with a DN String from a different provider

** Improvement

    * [WSS-143] - Better management of namespace declarations....
    * [WSS-157] - Remove spurious calls to MessageDigest.reset()
    * [WSS-160] - Add AccessController.doPrivileged blocks to the Loader
    * [WSS-161] - Add JAX-WS handler support
    * [WSS-166] - Refactor unit tests
    * [WSS-167] - Apply PMD to source tree

** New Feature

    * [WSS-156] - Add support for RSAKeyValue tokens/signatures (needed for WS-SecurityPolicy KeyValueToken)


Release 1.5.5
=============

** Bug

    * [WSS-42] - java.lang.NoClassDefFoundError: org/apache/xml/security/encryption/XMLEncryptionException
    * [WSS-60] - Problems when SOAP envelope namespace prefix is null
    * [WSS-62] - the crypto file not being retrieved in the doReceiverAction method for the Saml Signed Token
    * [WSS-86] - CryptoBase.splitAndTrim does not take into account the format of a DN constructed by different providers
    * [WSS-87] - CryptoBase.getAliasForX509Cert(String, BigInteger) fails when issuer string contains OIDs
    * [WSS-94] - Security Breach : The client certificate signature is not verified if the serial number is known in the keystore
    * [WSS-111] - Some work on UsernameToken derived keys
    * [WSS-121] - Bug in default value for SAML issuer class property
    * [WSS-126] - SignatureProcessor:verifyXMLSignature method - Crypto object can have null values in the following scenario but it throws an Exception if the Crypto object is null
    * [WSS-127] - No way of signing with UsernameToken without sending the password
    * [WSS-129] - Couple places where "cause" of WSSecurityException not set
    * [WSS-133] - Method and variable misspellings fixed
    * [WSS-140] - WSSecEncryptedKey produces EncryptedKey element with invalid Id attribute
    * [WSS-141] - handleUsernameToken gives too much information. Can be used to deternine if a username exists or not
    * [WSS-142] - We ship opensaml 1.0.1 even though we use opensaml 1.1 in maven
    * [WSS-149] - AbstractCrypto requires org.apache.ws.security.crypto.merlin.file to be set and point to an existing file
    * [WSS-151] - Password type in UsernameToken not deserialized correctly
    * [WSS-152] - Problem with processing Username Tokens with no password type
    * [WSS-153] - Signature confirmation of multiple signatures doesn't work

** Improvement

    * [WSS-79] - Compatibility issue with weblogic wsse
    * [WSS-85] - Better exception handling in the crypto (e.g. no e.printStackTrace())
    * [WSS-110] - Add OSGi entries to jar manifest.
    * [WSS-118] - Support for SAML 1.1 SecurityTokenReferences in /org/apache/ws/security/processor/DerivedKeyTokenProcessor
    * [WSS-122] - Some fixes for the website
    * [WSS-123] - 1.5.4 requires opensaml jar, older versions did not
    * [WSS-125] - Upgrade BouncyCastle version
    * [WSS-128] - Use xml-sec 1.4.1 version
    * [WSS-135] - Fix for minor checkstyle issues
    * [WSS-137] - "Unexpected number of X509Data: for Signature" error doesn't make sense.
    * [WSS-138] - Add Nabble to site mailing list page
    * [WSS-145] - Problem in upgrading to xml-sec 1.4.2
    * [WSS-150] - Upgrade to XALAN 2.7.1
    * [WSS-154] - Allow WSSConfig injection in WSHandler and improve WSSConfig for injection of Processors instances

** New Feature

    * [WSS-23] - no way to programmatically set crypto.properties

** Task

    * [WSS-124] - Get maven dependencies pushed to central
    * [WSS-132] - TestWSSecurityX509v1 failing
    * [WSS-144] - Remove tab characters from WSS4J files

** Wish

    * [WSS-75] - remove dependency on xalan because it gets in the way of trax resolution
    * [WSS-91] - carriage return/line feed in the security header


Release 1.5.4
=============

** Bug
    * [WSS-51] - Incorrect test for null in WSHandler
    * [WSS-52] - ArrayIndexOutOfBoundsException if certs.length > 1
    * [WSS-54] - UsernameTokenProcessor not processing unhashed UsernameToken
    * [WSS-56] - WSS4j statically inserts Bouncycastle and Juice in list of JCE providers
    * [WSS-66] - Possible security hole when PasswordDigest is used by client.
    * [WSS-68] - No way to create a UsernameToken with absent <Password> element
    * [WSS-70] - WSHandler checkReceiverResults causes security problem
    * [WSS-82] - Add the ability to use a custom-loaded JCE provider instance instead of using the system-provided one
    * [WSS-89] - Error in verifying the signature with encrypted key
    * [WSS-93] - xmlsec NPE on Reference URI and ValueType attributes
    * [WSS-95] - Missing NOTICE file in WSS4J release
    * [WSS-96] - Error when making a signature when containing a WSSecTimestamp
    * [WSS-97] - Merlin passes invalid OID to getExtensionValue
    * [WSS-100] - Bug in wsse11 element creation
    * [WSS-101] - Bug in Encrypted SOAP Header creation
    * [WSS-103] - BinarySecurityToken processor does not allow for custom token types
    * [WSS-105] - Make WSS4J compliant with X.509 1.1 specification
    * [WSS-106] - Certs are expired in wss4j.keystore
    * [WSS-108] - Some work on KeyIdentifiers
    * [WSS-109] - Review of error handling messages
    * [WSS-112] - DerivedKeyProcessor is overwritten if more derivedkeys are present in a Soap Message.
    * [WSS-113] - Bug in WSHandler#getPassword
    * [WSS-114] - Some test reports are deleted by intermediate tasks in the ant build
    * [WSS-116] - EncryptedKeyProcessor fails to record QName of decrypted element
    * [WSS-119] - Error in Singature Processor 

** Improvement
    * [WSS-37] - Make it easier to set key-stores programmatically
    * [WSS-38] - Make it easier to set key-stores programmatically
    * [WSS-74] - Allow Actions and Processors to be customizable
    * [WSS-80] - Doc fixes to main WSS4J page
    * [WSS-88] - SecureRandom.getInstance("SHA1PRNG") is slow on IBM JDK 1.4.2 (And perhaps others)
    * [WSS-92] - Support for Encrypted Header 
    * [WSS-104] - Reference List processor should provide more information
    * [WSS-107] - X509NameTokenizer.java contains Bouncy Castle JCE copyright code


Version prior to 1.5.4
======================

no record