The release candidate for version 2 contains a decent set of bug fixes, including one that several people found annoying: our new CSRF protection confused WebLogic. WebLogic does some fairly funky things with the JSESSIONID session cookie for some reason that I don't understand yet, so reading the value of the cookie using
request.getCookie("JSESSIONID") (not the literal code, but close enough) will get you a different result from using
request.getRequestedSessionId(). Does anyone know why?
Both 2.0rc2 and 1.1.4 contain two security-related fixes. It was possible to craft special requests that would evade the
<exclude> mechanism for denying access to functions, or to perform a large number of requests that could cause an out-of-memory exception, which could in turn affect other processes.
We got fixes out for both issues less than 24 hours after we found out about them, so while I'm not pleased that we needed to fix anything, I think we did a good job in being responsive.