The Http Security API now supports CORS. Now you can enable and configure CORS for each of your protected paths or path groups.

For those using JSF, a new example was added to our quickstart repository that demonstrates how to perform FORM authentication using JSF and the Http Security API. You can find the quickstart here.

Better integration with PrettyFaces Rewrite.

Better support when using PicketLink JEE Security in HA environments.

Added support for Managed Attributes. This is a major improvement on how you create your identity model, specially when using JPA. In conjunction with the Default Schema, you can write your own types very easily without create their corresponding JPA entities. Managed attributes allows you to store properties as ad-hoc attributes and still use them in a type-safe manner.

Permission API is now supporting cross-partition references for identity types. That means you can use, for example, a LDAP identity store for your users and still be able to manage permissions for them using a JPA identity store.

LDAP authentication was improved in order to authenticate users despite their location in the LDAP tree. This is specially useful if you are using PicketLink and LDAP in read-only mode.

Improvements to Backchannel Logout, specially when using SSL/TLS.

A number of important bug fixes and improvements.