Version: 4.32.x.x LTS

Release notes

nevisAuth 4.32.16.1 - 21.02.2024

Breaking changes

  • CHANGED: The scope request parameter for OAuth 2.0/OpenID Connect can only be separated by a space (" "). This is directly related to a breaking change in the Nimbus third-party library; you are only affected if you combine scopes manually with a "," separator. (NEVISAUTH-4535)

General Changes

  • UPGRADED: We updated the Nimbus third-party dependency to version 10.9.1. (NEVISAUTH-4580)

nevisAuth 4.32.15.1 - 15.11.2023

General Changes

  • FIXED: We fixed a NullPointerException that occurred when an Authorization Request reached the Authorization Server without a client_id. (NEVISAUTH-4403)
  • UPGRADED: We updated the Jetty third-party dependency to version 9.4.53.v20231009. (NEVISAUTH-4431)

nevisAuth 4.32.14.1 - 25.09.2023

General Changes

  • FIXED: Invalid sessions are now removed from memory to avoid filling it up. The issue can arise when using ThrottleSessionState or SAML logout (via the logout nevisAuth operation). (NEVISAUTH-4405)

nevisAuth 4.32.13.3 - 16.08.2023

General Changes

  • UPGRADED: We updated the commons-io third-party dependency to version 2.13.0. (NEVISAUTH-4280)
  • UPGRADED: We updated the checker-qual third-party dependency to version 3.34.0. (NEVISAUTH-4280)
  • UPGRADED: We updated the Guava third-party dependency to version 32.1.1-jre. (NEVISAUTH-4324)
  • FIXED: The SwissPhone TAN channel incorrectly sent a UTF-8 encoded payload to the SMS provider. We now use ISO-8859-1 as stated by the provider specification. This fixes, for example, garbled characters appearing instead of umlauts in the text message. (NEVISAUTH-4321)
  • UPGRADED: We updated the Jackson third-party dependency to version 2.15.2. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the Jetty third-party dependency to version 9.4.51.v20230217. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.5.0. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the joda-time third-party dependency to version 2.12.5. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the HttpClient third-party dependency to version 4.5.14. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the HttpCore third-party dependency to version 4.5.16. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.11. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the UnboundID LDAP SDK third-party dependency to version 6.0.8. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the log4j third-party dependency to version 2.20.0. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the Nimbus OAuth SDK third-party dependency to version 10.9. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the woodstox-core third-party dependency to version 6.5.1. (NEVISAUTH-4280)

nevisAuth 4.32.12.0 - 10.07.2023

General Changes

  • FIXED: We fixed an expired SecToken causing an HTTP 500 error when trying to acquire the sessionId. This case is now handled the same way as a session that is not found or has already been removed. (NEVISAUTH-4297)
  • FIXED: We fixed a concurrency issue where the SAML message signing and signature verification threads sometimes used the wrong keys when an HSM was configured. (NEVISAUTH-3952)

nevisAuth 4.32.11.0 - 19.06.2023

General Changes

  • FIXED: We fixed the error handling of the StaleSessionException, which incorrectly caused the authentication call to fail. Such events should normally only be logged at info level. (NEVISAUTH-4256)
  • FIXED: We fixed an issue where special characters in the input validation triggered the error org.mozilla.javascript.EvaluatorException: missing ; before statement. (NEVISAUTH-3222)
  • UPGRADED: We updated the commons-io third-party dependency to version 2.12.0. (NEVISAUTH-4280)
  • UPGRADED: We updated the Guava third-party dependency to version 32.0.0-jre. (NEVISAUTH-4280)
  • UPGRADED: We updated the Jackson third-party dependency to version 2.15.2. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.4.11. (NEVISAUTH-4280)

nevisAuth 4.32.10.1 - 17.05.2023

General Changes

  • CHANGED: The excessive warning message "AuthState '<AuthState>' did not specify a GUI descriptor for GUI 'null'. HINT: if this AuthState displays a GUI, check the configuration" is now only logged at debug level. (NEVISAUTH-3757)
  • CHANGED: Some startup-related log messages from EsAuthSv and AuthEngine have been moved to EsAuthStart. (NEVISAUTH-4225)
  • FIXED: Fixed the incorrect maxAge handling for the connection between nevisAuth and nevisMeta. (NEVISAUTH-4067)
  • UPGRADED: We updated the Jackson third-party dependency to version 2.15.0. (NEVISAUTH-3964)
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.4.10. (NEVISAUTH-4163)
  • UPGRADED: We upgraded Snakeyaml third-party dependencies to version 2.0. (NEVISAUTH-3964)

nevisAuth 4.32.9.3 LTS - 27.03.2023

Changes and new features

  • CHANGED: To better protect against XML Signature Wrapping attacks, we now count the number of Response and Assertion elements in SAML responses. (NEVISAUTH-4152)
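A structural pre-check of the kind this change describes, as an added example in Python (not nevisAuth code): it counts Response and Assertion elements across the whole document and rejects anything but exactly one of each. The one-of-each policy and the two sample responses are assumptions constructed for the example.

```python
# Added example, not nevisAuth code: a structural pre-check against XML Signature
# Wrapping (XSW). An XSW payload places a second Assertion (or Response) into a
# document whose signature still validates over the original element, so counting
# those elements before trusting any of them is a cheap first line of defence.
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def count_saml_elements(xml_text: str) -> dict:
    """Count Response and Assertion elements anywhere in the document."""
    root = ET.fromstring(xml_text)
    counts = {"Response": 0, "Assertion": 0}
    # Element.iter() yields the root and every descendant, so elements hidden
    # inside Extensions, Signature/Object or other wrappers are counted too.
    for el in root.iter():
        if el.tag == f"{{{SAMLP}}}Response":
            counts["Response"] += 1
        elif el.tag == f"{{{SAML}}}Assertion":
            counts["Assertion"] += 1
    return counts


def is_structurally_sane(xml_text: str) -> bool:
    """Assumed policy for this example: exactly one Response and one Assertion."""
    counts = count_saml_elements(xml_text)
    return counts["Response"] == 1 and counts["Assertion"] == 1


# Constructed sample: a well-formed response carrying a single assertion.
CLEAN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same response with a second Assertion inside
# samlp:Extensions. Only the element count matters for this check.
WRAPPED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_RESPONSE), ("wrapped", WRAPPED_RESPONSE)):
        verdict = "accept" if is_structurally_sane(doc) else "reject"
        print(name, count_saml_elements(doc), verdict)
```

The count is only a gate: the accepted document must still go through signature validation with the signed element resolved by the verifier, not by ID lookup alone.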

nevisAuth 4.32.9.2 - 15.02.2023

General Changes

  • CHANGED: Logging of the OAuth2 metadata newly fetched from nevisMeta has been moved from INFO to DEBUG in the OAuth2 logger. (NEVISAUTH-4185)
  • FIXED: The RadiusFacade is no longer filling up the memory with diagnostic messages in ThreadLocal of the worker thread. (NEVISAUTH-3891)
  • FIXED: Directories under /opt/nevisauth/<version> are now removed when the package is uninstalled. (NEVISAUTH-3907)
  • FIXED: Java Util Logging messages were incorrectly logged in /var/log/messages because the previous log4j2 upgrade broke the JUL bridging. The proper configuration is now added automatically at runtime. (NEVISAUTH-3826)
  • FIXED: The errorDetail is now trimmed when it exceeds the limit, to prevent triggering an IOException in OperationFailedEvent and OperationOngoingEvent. (NEVISAUTH-3933)
  • FIXED: Access tokens generated by the refresh token and client credentials grants were missing the issuer. The issuer is now added to the access token. (NEVISAUTH-3922)
  • FIXED: Fixed the failure to create SecTokens using Securosys HSM key material. This was a side effect of NEVISAUTH-3838, introduced in the November release. (NEVISAUTH-4018)
  • UPGRADED: We upgraded the checker-qual third-party dependency to version 3.29.0. (NEVISAUTH-3985)
  • UPGRADED: We upgraded the eclipse moxy third-party dependency to version 2.7.11. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the google autovalue third-party dependency to version 1.10.1. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the jackson third-party dependency to version 2.14.1. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the jetty third-party dependency to version 9.4.50.v20221201. (NEVISAUTH-3985)
  • UPGRADED: We upgraded the joda-time third-party dependency to version 2.12.2. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.5. (NEVISAUTH-3985)
  • UPGRADED: We upgraded the snakeyaml third-party dependency to version 1.33. (NEVISAUTH-3925)
  • UPGRADED: We upgraded the ldap unboundid third-party dependency to version 6.0.7. (NEVISAUTH-3953)
  • UPGRADED: We upgraded the woodstox-core third-party dependency to version 6.5.0. (NEVISAUTH-3953)

nevisAuth 4.32.8.3 - 30.11.2022

  • FIXED: AuthorizationServer initiated excessive requests towards nevisMeta when multiple requests arrived for a client that was not found. We introduced several improvements in this area. (NEVISAUTH-3840)
  • FIXED: RadiusFacade was filling up the memory with diagnostic messages in ThreadLocal of the worker thread. The issue is now fixed. (NEVISAUTH-3891)
  • NEW: The AuthorizationServer AuthState now uses pooled connections towards nevisMeta. The maximum size of the connection pool can be configured via nevismeta.http.connection-manager.max-total. (NEVISAUTH-3840)

nevisAuth 4.32.8.2 LTS - 16.11.2022

Changes and new features

  • FIXED: Fixed a PNG string comparison issue in the CaptchaState. (NEVISAUTH-3765)
  • FIXED: Fixed a session flag string comparison issue in the MobileSignatureState. (NEVISAUTH-3765)
  • FIXED: Fixed a locking-related performance issue in the session cache which caused general response time spikes when the session reaper ran and EnablePollTerminatedCalls was set to true in the esauth4Connector in nevisProxy. (NEVISAUTH-3781)
  • FIXED: Improved the exception handling of invalid sessions to reduce the number of error logs and stack traces in scenarios where this is to be expected. (NEVISAUTH-3727)
  • FIXED: An inconsistency between the remote and local session caches led to a StackOverflowError. (NEVISAUTH-3726)
  • FIXED: All certificates are now correctly parsed from KeyObjects into SecToken trust. (NEVISAUTH-3291)
  • CHANGED: We now validate upon nevisAuth startup that the SecToken signer privateKey and certificate are matching key material pairs. (NEVISAUTH-3838)
  • UPGRADED: jetty third party dependency is upgraded to version 9.4.49.v20220914. (NEVISAUTH-3804)
  • UPGRADED: checker-qual third party dependency is upgraded to version 3.25.0. (NEVISAUTH-3804)
  • UPGRADED: groovy-all third party dependency is upgraded to version 3.0.13. (NEVISAUTH-3804)
  • UPGRADED: jackson third party dependency is upgraded to version 2.13.4. (NEVISAUTH-3804)
  • UPGRADED: joda-time third party dependency is upgraded to version 2.11.1. (NEVISAUTH-3804)
  • UPGRADED: libphonenumber third party dependency is upgraded to version 8.12.55. (NEVISAUTH-3804)
  • UPGRADED: log4j2 third party dependency is upgraded to version 2.19.0. (NEVISAUTH-3804)
  • UPGRADED: snakeyaml third party dependency is upgraded to version 1.32. (NEVISAUTH-3788)
  • UPGRADED: unboundid-ldapsdk third party dependency is upgraded to version 6.0.6. (NEVISAUTH-3804)
  • UPGRADED: oauth2-oidc-sdk third party dependency is upgraded to version 9.43.1. (NEVISAUTH-3805)

nevisAuth 4.32.7.0 LTS - 31.08.2022

Changes and new features

  • FIXED: After upgrading the oauth2-oidc-sdk library, the client_id in the Access Token was wrongly wrapped as { "value": "<client_id>" }. The wrapping is now fixed. (NEVISAUTH-3766)

nevisAuth 4.32.6.3 LTS - 17.08.2022

Changes and new features

  • FIXED: We fixed the duplicated key index definition in the SqlOOCDService implementation. The change affects the automatic table creation in the nevisAuth component. No automatic migration is provided. The side effect of the previous behavior is increased disk space usage, as the key index values are stored twice. (NEVISAUTH-3626)

To fix or migrate existing systems, delete the duplicate index, assuming that the table definition from the reference guide or the one created by the nevisAuth component is used:

DROP INDEX IF EXISTS key_idx ON nevisauth_out_of_context_data_service;

If a custom SQL script was used to create the database table, or it is not clear which index should be deleted, the following statement can be used to list indexes:

SHOW indexes FROM nevisauth_out_of_context_data_service;

If docker-based DB images are used, no changes are required.

  • FIXED: We fixed the java.lang.NoSuchMethodException: com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl in the WS-Trust 1.4 SecurityTokenService. (NEVISAUTH-3699)
  • FIXED: We fixed the broken nevisauth <instance> encSecret command of the admin CLI. (NEVISAUTH-3717)
  • FIXED: SAML AuthStates are now able to handle AuthNRequests without issuer. (NEVISAUTH-3659)
  • FIXED: We fixed the exception "Could not initialize SSL context: TLSV1_2 SSLContext not available" in AuthStates using the AuthHttpClient when specifying SslContextType TLSV1.2. (NEVISAUTH-3740)
  • UPGRADED: Jackson third party dependencies are upgraded to version 2.13.3. (NEVISAUTH-3738)
  • UPGRADED: Jetty third party dependencies are upgraded to version 9.4.48.v20220622. (NEVISAUTH-3738)
  • UPGRADED: Log4j third party dependencies are upgraded to version 2.18.0. (NEVISAUTH-3738)
  • UPGRADED: Checker-qual third-party dependency is upgraded to version 3.22.2. (NEVISAUTH-3738)
  • UPGRADED: Libphonenumber third-party dependency is upgraded to version 8.12.51. (NEVISAUTH-3738)
  • UPGRADED: Unboundid-ldapsdk third-party dependency is upgraded to version 6.0.5. (NEVISAUTH-3738)
  • UPGRADED: oauth2-oidc-sdk third-party dependency is upgraded to version 9.37.2. (NEVISAUTH-3690)
  • NEW: We introduced integration testing support for custom Java and Groovy AuthState development through existing artifacts. The AuthStateHarness is now part of the nevisAuth SDK and contains examples for both Java and Groovy AuthState testing. Note that this is a medium-term solution only; the long-term solution is under discussion. For more details, see the new testing chapter in the SDK documentation, shipped as part of the SDK in the nevisAuth RPM or available separately on the [documentation home]

nevisAuth 4.32.5.1 LTS - 07.06.2022

Changes and new features

General

  • FIXED: We fixed the inappropriate handling for DeferredResponse in SAMLContext. (NEVISAUTH-3698)
  • FIXED: java.lang.NoSuchMethodException: com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl in the WS-Trust 1.4 SecurityTokenService. (NEVISAUTH-3699)

nevisAuth 4.32.4.14 LTS - 18.05.2022

Changes and new features

Breaking changes

  • CHANGED: We replaced the previous log4j1 logging implementation with log4j2. (NEVISAUTH-3520)

Log4j2 uses a different configuration structure than log4j1, and the two are not compatible. If you are not using nevisAdmin4, you have to migrate the logging configuration manually. Check the default template supplied in the RPM: /opt/nevisauth/template/conf/logging.yml.

nevisAuth requires a logging.yml file in the instance config directory. If it is missing, or the file is incorrectly formatted, a default configuration logs to stdout, which can be viewed in the systemd journal.

nevisAuth now uses log4j2 via Slf4j. In the case of custom-developed Java AuthStates, delivering the Slf4j jar together with your custom AuthState can cause issues. The general recommendation is to declare every dependency that nevisAuth already supplies with the provided scope.

  • CHANGED: Automatic reloading of the logging configuration is supported using the monitorInterval property of the log4j2 configuration (https://logging.apache.org/log4j/2.x/manual/configuration.html#ConfigurationSyntax). The previous configuration option ch.nevis.tracing.refresh is removed. (NEVISAUTH-3520)
  • REMOVED: The NevisSyslogAppender is no longer available. As a replacement we suggest SocketAppender. You can find the reasons and an example in the Logging configuration / Syslog section in the reference guide. (NEVISAUTH-3520)
  • REMOVED: The previously deprecated and unsupported Couchbase out-of-context data service is removed completely. In case this affects your setup, migrate to MariaDB. (NEVISAUTH-3521)
  • REMOVED: The Oracle JDBC and MSSQL JDBC jars are no longer bundled into the application; download them manually from Oracle and Microsoft. This only affects the JDBCAuthState. See the updated description on how to add the manually downloaded jars. (NEVISAUTH-3086)
  • CHANGED: There is a minor change in the RPM structure. The content of the server directory is now in lib. The original lib directory contained duplicated entries compared to the WAR file. Sub-folders under the plugin directory are exploded; all sub-directories are removed. This only has an effect if you extract internal artifacts (not recommended) from the RPM for third-party AuthState development. (NEVISAUTH-3546)
  • UPGRADED: The Jradius third-party dependency is upgraded to version 1.1.5. It is now downloaded from Maven Central as net.jradius:jradius-core instead of the previous org.coova.jradius:jradius-core. Additionally, net.jradius:jradius-extended is no longer shipped, as it is not required for the SecuridAuthenticateState. Note that some third-party extensions of the protocol might still require the library, which can cause issues in your setup. In such a case, open a support ticket. (NEVISAUTH-3546)
  • REMOVED: The eCH SAML extension eCH-0113 is no longer supported. The ch.glue.suisseid:sdk:1.1.0 dependency is removed to improve security, as it is no longer in active use. (NEVISAUTH-3598)

General

  • CHANGED: The AuthState#getHttpHeaderFromRequest() method visibility is upgraded to public. This allows custom auth states to obtain HTTP headers case-insensitively. (NEVISAUTH-3587)
  • FIXED: Inappropriate separator handling for DeferredResponse in SAMLContext. (NEVISAUTH-3425)
  • FIXED: ArtifactResponse can now be verified by setting in.verify with ArtifactResponse. (NEVISAUTH-3531)
  • UPGRADED: Auto-value third party dependency is upgraded to version 1.9 (NEVISAUTH-3568).
  • UPGRADED: Checker-qual third party dependency is upgraded to version 3.21.3 (NEVISAUTH-3568).
  • UPGRADED: Commons-cli third party dependency is upgraded to version 1.5.0 (NEVISAUTH-3568).
  • UPGRADED: Commons-io third party dependency is upgraded to version 2.11 (NEVISAUTH-3470).
  • UPGRADED: Commons-lang3 third party dependency is upgraded to version 3.12.0 (NEVISAUTH-3568).
  • UPGRADED: Commons-pool third party dependency is upgraded to version 1.6 (NEVISAUTH-3568).
  • UPGRADED: Jackson third party dependencies are upgraded to version 2.13.2 and jackson-databind to 2.13.2.2 (NEVISAUTH-3568).
  • UPGRADED: Jaxb third party dependency is upgraded to version 2.3.6 (NEVISAUTH-3568).
  • UPGRADED: Jaxrs-ri third party dependency is upgraded to version 2.3.5 (NEVISAUTH-3471).
  • UPGRADED: Jdom third party dependency is upgraded to version 2.0.6.1 (NEVISAUTH-3473).
  • UPGRADED: Jetty third party dependency is upgraded to version 9.4.46.v20220331 (NEVISAUTH-3568).
  • UPGRADED: Joda-time third party dependency is upgraded to version 2.10.1 (NEVISAUTH-3568).
  • UPGRADED: Json-smart third party dependency is upgraded to version 2.4.8 (NEVISAUTH-3468).
  • UPGRADED: Guava third party dependency is upgraded to version 31.1-jre (NEVISAUTH-3568).
  • UPGRADED: HikariCP third party dependency is upgraded to version 4.0.3 (NEVISAUTH-3568).
  • UPGRADED: Libphonenumber third party dependency is upgraded to version 8.12.45 (NEVISAUTH-3568).
  • UPGRADED: Mariadb-java-client third party dependency is upgraded to version 2.7.5 (NEVISAUTH-3568).
  • UPGRADED: Rhino third party dependency is upgraded to version 1.7.14 (NEVISAUTH-3568).
  • UPGRADED: Tinyradius third party dependency is upgraded to version 1.1.3 (NEVISAUTH-3568).
  • UPGRADED: Unboundid-ldapsdk third party dependency is upgraded to version 6.0.4 (NEVISAUTH-3568).

nevisAuth 4.32.3.3 LTS - 16.02.2022

Changes and new features

  • FIXED: nevisAuth did not start up when the truststore configuration was not provided for disabled client-auth. The issue is now fixed. (NEVISAUTH-3460)
  • FIXED: The ScriptStates could not access the actor certificate in the request due to a NullPointerException. The issue is now fixed. (NEVISAUTH-3505)
  • FIXED: Incorrect absolute timeout of unauthentic sessions (authentication flows that have not yet reached AUTH_DONE) synchronized into the Remote session cache. The incorrect behavior also caused excessive warning messages before. (NEVISAUTH-3033)

So far the absolute timeout for the Remote session cache was always 24h + syncRemoteSessionAbsToTolerance. From now on, the absolute timeout for unauthentic sessions is properly set based on the initialMaxLifetime configuration option. Therefore you might have to set a different value for initialMaxLifetime to get the same behavior as before.

Your setup is affected if the syncUnauthenticSessions SessionCache property is set to true in esauth4.xml. By default it is false; it is an undocumented flag intended for Kubernetes setups and is officially not supported in on-premise installations.

  • NEW: Added a database index to the documentation for the Remote session cache. It can help with response time spikes caused by a slower remote session store reaper (which blocks other database operations). There is no automatic database migration. (NEVISAUTH-3416)

ALTER TABLE TNSSA_AUTH_SESSION_CACHE ADD INDEX (ABSTO);

  • REMOVED: The supplied log4j version 1.2.17 is patched to remove vulnerable classes org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class. (NEVISAUTH-3491)

nevisAuth 4.32.2.2 LTS - 17.11.2021

Changes and new features

  • NEW: Introduced a new property syncRemoteSessionIndexFormat in session synchronization, to control the format of the session index value used in the remote session cache. For more information, see "Session synchronization" in "Session management".
  • FIXED: TokenIntrospectionService crashed with error message "java.lang.IllegalStateException: The output stream has already been closed." when providing an incorrect AuthorizationServer name request parameter. The issue is now fixed.
  • FIXED: The retry mechanism of Session synchronization was broken because of a possible JDBC error. The issue is now fixed.
  • FIXED: From now on, RelyingPartyState can handle the callback from the IdP without a query string when using form_post.
  • UPGRADED: We upgraded javax.mail:mail 1.4.7 to com.sun.mail:jakarta.mail 2.0.1.