Version: 4.25.x.x LTS

Release notes

nevisAuth 4.25.14.1 LTS - 17.05.2023

Changes and new features

  • UPGRADED: We updated the Jackson third-party dependency to version 2.15.0. (NEVISAUTH-3964)
  • UPGRADED: We upgraded Snakeyaml third-party dependencies to version 2.0. (NEVISAUTH-3964)

nevisAuth 4.25.13.2 LTS - 27.03.2023

Changes and new features

  • CHANGED: To protect better against XML Signature Wrapping Attacks, we count the number of Response and Assertion elements in SAML responses. (NEVISAUTH-4152)
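
The structural check described in this entry, as an added illustration that is not nevisAuth code: the counter walks the whole response tree, so an extra Assertion nested somewhere a consumer might not look (for example under Extensions) is caught before any signature is evaluated. The sample responses are constructed for this example.

```python
# Added example (not nevisAuth code): count Response and Assertion elements
# anywhere in a SAML 2.0 response and reject anything other than one of each.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def count_saml_elements(xml_text: str) -> dict:
    """Count Response and Assertion elements across the entire tree,
    including copies nested inside other elements such as Extensions."""
    root = ET.fromstring(xml_text)
    counts = {"Response": 0, "Assertion": 0}
    for el in root.iter():  # iter() visits the root itself and all descendants
        if el.tag == f"{{{SAMLP}}}Response":
            counts["Response"] += 1
        elif el.tag == f"{{{SAML}}}Assertion":
            counts["Assertion"] += 1
    return counts


def accept_response(xml_text: str) -> bool:
    """Structural gate applied before signature validation: exactly one
    Response and exactly one Assertion, wherever they sit in the tree."""
    c = count_saml_elements(xml_text)
    return c["Response"] == 1 and c["Assertion"] == 1


# Constructed sample: a well-formed response with a single Assertion.
SINGLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1">
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""

# Constructed sample: two Assertion elements, one of them nested under
# Extensions. A consumer that only reads the first Assertion it finds would
# not notice the second one; the count does, regardless of position.
DUPLICATED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1">
  <samlp:Extensions><saml:Assertion ID="_a1">...</saml:Assertion></samlp:Extensions>
  <saml:Assertion ID="_a2"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""
```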

nevisAuth 4.25.13.1 LTS - 16.11.2022

Changes and new features

General

  • FIXED: Fixed a locking-related performance issue in the session cache that caused general response time spikes when the session reaper ran and EnablePollTerminatedCalls was set to true in the esauth4Connector in nevisProxy. (NEVISAUTH-3781)
  • UPGRADED: SnakeYaml third party dependency is upgraded to version 1.31. (NEVISAUTH-3788)

nevisAuth 4.25.12.1 LTS - 17.08.2022

Changes and new features

General

  • UPGRADED: Tinyradius third party dependency is upgraded to version 1.1.3 (NEVISAUTH-3663).
  • UPGRADED: Jetty third party dependencies are upgraded to version 9.4.48.v20220622 (NEVISAUTH-3738).

nevisAuth 4.25.11.2 LTS - 18.05.2022

Changes and new features

General

  • FIXED: We fixed the Jetty issue where KeyStores with multiple certificates were not supported (NEVISAUTH-3562).
  • UPGRADED: Apache xmlbeans third party dependency is upgraded to version 3.1.0 (NEVISAUTH-3623).
  • UPGRADED: Jackson third party dependencies are upgraded to version 2.13.2 and jackson-databind to 2.13.2.2 (NEVISAUTH-3623).
  • UPGRADED: Json-smart third party dependency is upgraded to version 2.4.8 (NEVISAUTH-3623).
  • UPGRADED: Jetty third party dependency is upgraded to version 9.4.45.v20220203 (NEVISAUTH-3568).

nevisAuth 4.25.10.1 LTS - 16.02.2022

Changes and new features

  • REMOVED: The supplied log4j version 1.2.17 is patched to remove vulnerable classes org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class. (NEVISAUTH-3491)
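
A verification check for this entry, added here and not part of nevisAuth's own tooling: it lists the entries of a log4j 1.2.x jar and reports whether the two class files named above are still present. The jar location is a parameter because the page does not state it; the sample jars are constructed in a temporary directory with empty placeholder entries.

```python
# Added example (not nevisAuth tooling): confirm that the two classes removed
# by the log4j 1.2.17 patch are absent from the jars actually deployed.
import os
import tempfile
import zipfile

REMOVED_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)


def remaining_removed_classes(jar_path: str) -> list:
    """Return the entries from REMOVED_CLASSES still present in the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
    return [c for c in REMOVED_CLASSES if c in names]


def scan_directory(root: str) -> dict:
    """Map each .jar under root to the offending entries it still carries;
    jars without any hit are not listed."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                found = remaining_removed_classes(path)
                if found:
                    hits[path] = found
    return hits


def _make_jar(path: str, entries: list) -> None:
    """Constructed sample jar: empty placeholder entries, no real bytecode."""
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")


def demo() -> dict:
    """Build one unpatched and one patched sample jar and scan them."""
    tmp = tempfile.mkdtemp()
    _make_jar(os.path.join(tmp, "log4j-unpatched.jar"),
              ["org/apache/log4j/Logger.class", *REMOVED_CLASSES])
    _make_jar(os.path.join(tmp, "log4j-patched.jar"),
              ["org/apache/log4j/Logger.class"])
    return {os.path.basename(k): v for k, v in scan_directory(tmp).items()}
```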

nevisAuth 4.25.9.1 LTS - 17.11.2021

Changes and new features

  • NEW: Introduced a new property syncRemoteSessionIndexFormat in session synchronization, to control the format of the session index value used in the remote session cache. For more information, see "Session synchronization" in "Session management".
  • FIXED: TokenIntrospectionService crashed with error message "java.lang.IllegalStateException: The output stream has already been closed." when providing an incorrect AuthorizationServer name request parameter. The issue is now fixed.
  • FIXED: The retry mechanism of Session synchronization was broken because of a possible JDBC error. The issue is now fixed.
  • UPGRADED: We upgraded javax.mail:mail 1.4.7 to com.sun.mail:jakarta.mail 2.0.1.

nevisAuth 4.25.8.1 LTS - 05.08.2021

Changes

  • FIXED: The error message "Unknown variable source 'litdict'" erroneously appeared when you configured useLiteralDictionary="false" in the AuthEngine. This bug is fixed.
  • FIXED: No truststore information was returned in the case of SAML truststore validation errors. This bug is fixed.
  • FIXED: The hostname verification in a TLS server setting triggered misleading warning messages. Additionally, the description of the relevant hostname verification property server.tls.verify-hostname in the nevisAuth Reference Guide was incorrect. These issues are now fixed.

nevisAuth 4.25.7.1 LTS - 05.05.2021

Changes

  • FIXED: The bug regarding URLs with commas has been fixed. It is now possible to store URLs that include commas in the SAMLContext.
  • FIXED: OAuth public client previously needed a client secret for login. OAuth public client can now log in without a client secret.
  • FIXED: Excessive warning logs appeared when the translation of LitDict messages was turned off in nevisAuth. The messages have been moved to the debug logging category.

nevisAuth 4.25.6.1 LTS - 17.02.2021

Changes

  • FIXED: The bug where a ClassNotFoundException was thrown when using the NevisSyslogAppender in the log4j configuration.
  • FIXED: The issue regarding nevisMeta clients with the client resource attribute pkce_mode set to "s256-required". nevisAuth now enforces a code challenge for these clients.
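
The enforcement this entry describes, and the PKCE requirement for OAuth 2.0 clients introduced in 4.25.0.2 further down, as an added example that is not nevisAuth code: an authorization-endpoint decision that refuses requests from an "s256-required" client unless they carry an S256 code challenge, and the token-endpoint verifier from RFC 7636. The function names, the treatment of any pkce_mode other than "s256-required" as optional PKCE, and the sample values are assumptions of this example; the test vector is the one from RFC 7636 Appendix B.

```python
# Added example (not nevisAuth code): PKCE S256 enforcement for a client whose
# pkce_mode is "s256-required", plus the RFC 7636 code_verifier check.
import base64
import hashlib
import hmac
import secrets


def generate_code_verifier() -> str:
    """Client side: 32 random bytes, base64url -> 43 characters (RFC 7636 §4.1)."""
    return secrets.token_urlsafe(32)


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 §4.2: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request_allowed(pkce_mode, code_challenge, method) -> bool:
    """Authorization endpoint: an "s256-required" client must send a
    code_challenge with method S256; "plain" or no challenge is refused.
    Assumption: any other pkce_mode value means PKCE is optional."""
    if pkce_mode == "s256-required":
        return code_challenge is not None and method == "S256"
    return True


def verify_code_verifier(code_challenge, method, code_verifier) -> bool:
    """Token endpoint (RFC 7636 §4.6): recompute the challenge from the
    presented verifier and compare in constant time."""
    if code_challenge is None or not (43 <= len(code_verifier) <= 128):
        return False
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)


# RFC 7636 Appendix B test vector.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
```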

nevisAuth 4.25.5.101 LTS - 18.11.2020

Changes

  • FIXED: The bug where the property delegateMode of the AttributeDelegater AuthState was not working properly.
  • FIXED: The bug where spaces inside JVM arguments in JAVA_OPTS environment variables in the env.conf configuration file for standalone deployments caused the following error: "Error: Could not find or load main class". This prevented nevisAuth from starting. As a solution, a new definition syntax as array has been introduced for JAVA_OPTS. Now it also allows comments to be used between new lines. The old string type definition is still supported, but to fix the previously mentioned error, you need to change the definition to the array type. For more information, see the section "Standalone" in the chapter "Deployment Types".

When directly using the server CLI to start nevisAuth, the manual sourcing of the env.conf configuration file is no longer necessary. See the section "Example usage of the standalone CLI" in the chapter "Deployment Types".

This change has been applied since the May 2020 release, but was not included in the corresponding release notes. We therefore announce the change here. At the same time, the May release notes have been updated: nevisAuth 4.25.2.46 LTS - 20.05.2020.

nevisAuth 4.25.4.97 LTS - 09.10.2020

Changes

  • NEW: There is a new property available for client authentication in TLS settings: server.tls.client-auth. This property is the successor of the property server.tls.require-client-auth and provides the options "required", "requested", and "disabled". The "old" property server.tls.require-client-auth is deprecated but remains backwards compatible. If you use the new property server.tls.client-auth, the system will ignore the property server.tls.require-client-auth and logs a warning.
  • FIXED: The issue with the shutdown of standalone nevisAuth deployments, which caused ongoing connections to be interrupted, has been fixed. When you now execute the stop command, nevisAuth waits up to 30 seconds for all ongoing connections to finish before it stops.
  • UPDATED: Log4j has been updated to the latest minor version.

nevisAuth 4.25.3.77 LTS - 29.07.2020

Changes

  • FIXED: The incorrect handling of "?" in the redirect URI of the AuthorizationServer AuthState has been fixed. The bug was fixed in the Nimbus oauth2-oidc-sdk library, which in certain cases incorrectly created "??" in the URI on redirect.

The content of /opt/nevisauth/plugin/thirdparty/oauth/ is changed due to the library upgrade. If you use the contents of that library in custom AuthStates, you may need to change the classPath setting of that specific AuthState and include the old libraries.

nevisAuth 4.25.2.46 LTS - 20.05.2020

Changes

  • CHANGED: For security reasons, the IdentityProviderState now requires the property acsUrlWhitelist.uris and refuses to start without it. This breaking change was introduced to prevent opening the infrastructure to XSS attacks. If desired, it can be disabled by configuring the flag disableAcsURLWhitelistEnforcement to be "true"; however, this is strongly discouraged.
  • FIXED: The bug where spaces inside JVM arguments in JAVA_OPTS environment variables in the env.conf configuration file for standalone deployments caused the following error: "Error: Could not find or load main class". This prevented nevisAuth from starting. As a solution, a new definition syntax as array has been introduced for JAVA_OPTS. Now it also allows comments to be used between new lines. The old string type definition is still supported, but to fix the previously mentioned error, you need to change the definition to the array type. For more information, see the section "Standalone" in the chapter "Deployment Types".

When directly using the server CLI to start nevisAuth, the manual sourcing of the env.conf configuration file is no longer necessary. See the example in the section "Example usage of the standalone CLI" in the chapter "Deployment Types".

nevisAuth 4.25.1.28 LTS - 10.02.2020

Changes

  • NEW: nevisAuth now supports variable resolution for the ttl attribute of the SubjectConfirmationExtender. For more information on the SubjectConfirmationExtender, see the description of the out.extension property of the IdentityProviderState AuthState.
  • CHANGED: SHA256 is now the default and recommended sign algorithm for SAML AuthStates.

There is an unlikely possibility that this change breaks existing environments. This may happen if no sign algorithm has been defined in the AuthState.

In the rare event that the upgrade to SHA256 does break your environment, downgrading back to SHA1 is not recommended. Rather, investigate how you can upgrade your environment to support SHA256.

  • FIXED: The bug that caused the nevisauth status command to write warning messages of type "lsof: WARNING: can't stat() ..." in the standard output (standalone deployment type).
  • FIXED: The SAML logout issue that occurred in a setup with multiple nevisAuth instances using a remote SQL session DB.
  • FIXED: The problem with the session binding returned by the ScriptState when the session was not defined.

nevisAuth 4.25.0.2 LTS - 05.11.2019

Initial Long Term Support Release

Changes and new features

  • NEW: Variable expression resolution is now available for

  • NEW: nevisAuth now provides the SQL out-of-context data service.

  • NEW: It is now possible to configure the maximum HTTP header size in standalone mode. See Server Configuration Properties in the nevisAuth Reference Guide.

  • NEW: You can now specify that an OAuth 2.0 client requires the use of PKCE (to provide a code challenge) in the authorization flow. For more information, see PKCE: https://tools.ietf.org/html/rfc7636#section-4.4.1.

  • NEW: nevisAuth now offers support for OAuth 2.0 token introspection as defined in the RFC 7662 with nevisMeta. For more information, see(.

  • NEW: EL expression support is now available for the following properties:

    - out.ttl
    - in.audience.checkrequired
    - limitSessionLifetime
    - out.sign.hashAlgorithm

  • CHANGED: nevisAuth does not require the OAuth 2.0 client to provide the client secret if the client is public. If you want to enforce the client to provide the secret, define the client as confidential.

  • CHANGED: For security reasons, the number of TLS protocols and ciphers supported by default by the standalone server has been reduced. See Server Configuration Properties in the nevisAuth Reference Guide for the updated list of supported ciphers and protocols.

This change might break existing deployments. If you use the protocols and ciphers supported by default and your clients do not support them, we recommend updating your HTTP clients. If this is not possible, then:

  • CHANGED: For security reasons, nevisAuth will now use SHA256withRSA as a signing algorithm in case no algorithm is specified in the DynCert AuthState configuration.

In the unlikely case where this change breaks your deployment, we recommend upgrading the consumers of the certificate to support SHA256withRSA. If this is not possible, specify the use of SHA1withRSA in the configuration of the DynCert AuthState. For more information about the DynCert AuthState, see Dynamic Certificate Generation AuthState.

  • CHANGED: For security reasons, nevisAuth will now use SHA256withRSA to sign the SecTokens in case no algorithm is specified in the token assembler configuration.

In the unlikely case where this change breaks your deployment, we recommend upgrading the consumers of the SecToken to support SHA256withRSA. If this is not possible, specify the use of SHA1withRSA in the configuration of the token assembler. For more information about the token assembler configuration, see Token assembler.

  • CHANGED: When obtaining bearer tokens from the Token Endpoint in the OAuth2 Authorization Code Grant or the OpenID Connect Hybrid Flow, nevisAuth now calculates the issue and expiration time of the tokens based on the Token Request time. Previously, these calculations were based on the Authorization Request time.

The OAuth2 authorization codes issued with a previous version of nevisAuth cannot be exchanged after upgrading nevisAuth to this version. As a consequence, ongoing OAuth2 authentications might be interrupted after the upgrade.

  • FIXED: The issue regarding the default value of the validityPeriod attribute in the DynCertAuthState.
  • FIXED: The contention issue regarding the TANService when using the Swissphone channel.
  • FIXED: The issue regarding the use of initialization vectors (IV) when encrypting content in the TransformAttributes AuthState. Now, the use of randomly generated initialization vectors, instead of static initialization vectors, is recommended.

This change might break existing deployments for external clients relying on the encrypted content of the TransformAttributes AuthState.

Running in "Backwards Compatibility Mode"

We recommend updating the external clients that are impacted by this change; see the chapter TransformAttributes AuthState [...] to "true". This will generate static initialization vectors as used in previous nevisAuth versions. Note that this backwards compatibility mode might be removed in future releases.

  • REMOVED: The backwards compatibility system property flag ch.nevis.session.jdbc.connector.store.absTo has been removed. This flag was introduced in nevisAuth 4.15.1.0.

This removal can break old setups where the ABSTO column is not available in the remote session cache database table TNSSA_AUTH_SESSION_CACHE.

In these cases, manually patch the database with the following SQL command:

ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD ABSTO TIMESTAMP NOT NULL;

If the ABSTO column is not available, most probably the SESSION_INDEX column is missing as well. The column SESSION_INDEX was introduced in nevisAuth 4.19.0.0. In the case of a missing SESSION_INDEX column, you can manually patch the database with the following SQL commands:

ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD SESSION_INDEX VARCHAR(255);
ALTER TABLE NSS.TNSSA_AUTH_SESSION_CACHE ADD INDEX (SESSION_INDEX);

  • REMOVED (breaking change): The binary /opt/nevisauth/bin/keystorepwget is no longer part of nevisAuth. In case this binary is used in configuration files, use the binary provided with nevisKeybox instead: /opt/neviskeybox/bin/keystorepwget.
  • REMOVED (breaking change): The undocumented system property ch.nevis.esauth.defaultpassphrasegetters.enable has been removed. This property is related to the removed binary /opt/nevisauth/bin/keystorepwget.
  • DEPRECATED: The CouchBase out-of-context data service has been deprecated. For more information about this service, see CouchBase out-of-context data service.