CHANGED: The default value of the connectionMaxPoolSize property of the Remote session store and OOCD changed from the previous 20 to 10, to align with the underlying library's recommended defaults. (NEVISAUTH-4819)
REMOVED: We removed the validation that acr_values must contain the value of the acr claim. (NEVISAUTH-4854)
FIXED: SecurityTokenService logged the confusing error message SAAJ0303.ver1_1.msg.op.unsupported.in.SOAP1.1 when generating an error response. (NEVISAUTH-4681)
FIXED: An unreleased lock caused threads to hang in scenarios where several clients use the same session and this session is killed by multiple nevisProxy instances at the same time. Some warning messages that do not require operational attention were also downgraded to info. (NEVISAUTH-4738)
FIXED: The default logging.yml incorrectly contained jcan.Op instead of OpTrace. (NEVISAUTH-4774)
FIXED: The WSSHeaderValidation AuthState did not sanitize passwords in SOAP headers before writing them to the log. (NEVISAUTH-4826)
FIXED: NullPointerException in the ScriptState session variable validation. (NEVISAUTH-4856)
FIXED: We fixed AccessTokenConsumer not accepting URLs that contain spaces. (NEVISAUTH-4788)
FIXED: We removed the limitation of only allowing a certain prefix in the envelope of SOAP logout requests in IdentityProviderState. (NEVISAUTH-4852)
FIXED: The session was not terminated after a SAML concurrent logout. (NEVISAUTH-4491)
FIXED: We reduced the verbosity of the log entries related to the translation of scope metadata. (NEVISAUTH-4507)
NEW: HTTP headers can be referenced in the log pattern with the syntax %X{httpHeader.yourHttpHeader}. The source of the headers differs by request type: authenticate/stepup requests arriving from nevisProxy carry the original HTTP headers of the client in the SOAP request body, and these are made available in the logging context. Other web and REST services do not have this proprietary mechanism, so for those nevisAuth simply uses the HTTP headers of the current request. (NEVISAUTH-4776)
NEW: Configuration option server.tls.verify-sni, which allows disabling SNI validation in Jetty. This can be used to mitigate a Java bug where a Java client does not send SNI information if the hostname does not contain a dot. (NEVISAUTH-4624)
NEW: connectionMinPoolSize configuration option for the Remote session store and OOCD. Note that by default connectionMinPoolSize takes the value of connectionMaxPoolSize, which means that the pool opens all connections on start; this is the recommended way to maximise performance. For cases where you only want to create connections on demand, you can specify a lower connectionMinPoolSize value. (NEVISAUTH-4819)
DOWNGRADED: We fixed encrypted SAML message generation with xenc11:MGF tag by downgrading the xmlsec third-party dependency to version 3.0.3. (NEVISAUTH-4870)
UPGRADED: We upgraded the Apache EL third-party dependency to version 10.1.25. (NEVISAUTH-4836)
UPGRADED: We upgraded the Apache XML beans third-party dependency to version 5.2.1. (NEVISAUTH-4836)
UPGRADED: We upgraded the Bouncy Castle third-party dependencies to version 1.78.1. (NEVISAUTH-4836)
UPGRADED: We upgraded the Checker-qual third-party dependency to version 3.47.0. (NEVISAUTH-4836)
UPGRADED: We upgraded the Commons-cli third-party dependency to version 1.19.0. (NEVISAUTH-4836)
UPGRADED: We upgraded the Commons codec third-party dependency to version 1.17.1. (NEVISAUTH-4836)
UPGRADED: We upgraded the Commons-lang3 third-party dependency to version 3.17.0. (NEVISAUTH-4836)
UPGRADED: We upgraded the Commons-text third-party dependency to version 1.12.0. (NEVISAUTH-4836)
UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.2. (NEVISAUTH-4836)
UPGRADED: We upgraded the Jaxrs-ri third-party dependency to version 3.1.8. (NEVISAUTH-4836)
UPGRADED: We upgraded the Jaxws-rt third-party dependency to version 4.0.3. (NEVISAUTH-4836)
UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.13. (NEVISAUTH-4836)
UPGRADED: We upgraded the Groovy third-party dependencies to version 4.0.22. (NEVISAUTH-4836)
UPGRADED: We upgraded the Guava third-party dependencies to version 33.3.0-jre. (NEVISAUTH-4836)
UPGRADED: We upgraded the Jackson third-party dependencies to version 2.17.0. (NEVISAUTH-4836)
UPGRADED: We upgraded the Jakarta Servlet API third-party dependency to version 6.0. (NEVISAUTH-4836)
UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4836)
UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 3.1.6. (NEVISAUTH-4836)
UPGRADED: We upgraded the jcan-saml and jcan-sectoken dependencies to version 8.2411.0.x. (NEVISAUTH-4836)
UPGRADED: We upgraded the Jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4836)
UPGRADED: We upgraded the Ldap-unboundid third-party dependency to version 7.0.1. (NEVISAUTH-4836)
UPGRADED: We upgraded the Libphonenumber third-party dependency to version 8.13.45. (NEVISAUTH-4836)
UPGRADED: We upgraded the Log4j third-party dependencies to version 2.24.0. (NEVISAUTH-4836)
UPGRADED: We upgraded the MariaDB connector third-party dependency to version 3.4.1. (NEVISAUTH-4836)
UPGRADED: We upgraded the Nimbus OIDC SDK third-party dependency to version 11.19.1. (NEVISAUTH-4836)
UPGRADED: We upgraded the Opensaml third-party dependencies to version 4.3.2. (NEVISAUTH-4836)
UPGRADED: We upgraded the OpenTelemetry API third-party dependency to version 1.42.0. (NEVISAUTH-4836)
UPGRADED: We upgraded the PostgreSQL jdbc driver third-party dependency to version 42.7.4. (NEVISAUTH-4836)
UPGRADED: We upgraded the Parsson third-party dependency to version 1.1.7. (NEVISAUTH-4836)
UPGRADED: We upgraded the Rhino third-party dependency to version 1.7.15. (NEVISAUTH-4836)
UPGRADED: We upgraded the Slf4j third-party dependency to version 2.0.16. (NEVISAUTH-4836)
UPGRADED: We upgraded the Woodstox third-party dependency to version 7.0.0. (NEVISAUTH-4836)
FIXED: We changed the SAML Single Logout SOAP implementations of the SP and the IDP to align them more closely with the specification. Although this is a bugfix, the behavior has changed, so it may break implementations that rely on them. (NEVISAUTH-4761)
FIXED: We now set the kid field in the JWKS endpoint from the keyID property of the AuthorizationServer, if the keyID property exists. (NEVISAUTH-4501)
REMOVED: The constant TokenSignature.DFLT_ALGORITHM using SHA1 was removed from jcan-sectoken; use the value SHA256withRSA instead. (NEVISIDM-9456)
REMOVED: The nevisauth-test-authstateharness-fat no longer embeds the following third-party dependencies: log4j, slf4j, groovy-test, groovy-test-junit5, groovy-testng, as these can easily cause an unresolvable version clash. (NEVISAUTH-4553)
FIXED: The OOCD and Remote session store stored time data incorrectly in certain cases when using MariaDB. This caused an error during the daylight saving time switch in spring, when one hour disappears from local time. Because the MariaDB JDBC driver defaults to the server timezone, values were converted twice from the local timezone to UTC. Normally this causes no problem for nevisAuth, as reads and writes use the same logic, but during the daylight saving time switch it causes a validation error at the database, because we try to insert a time that does not exist. The database connection session now uses the UTC timezone to avoid this. Note that because of this change, existing OOCD entries and sessions will expire earlier by the timezone offset. If this is not acceptable, you can fix the data in the DB like this:
update nevisauth_out_of_context_data_service set reap_timestamp = DATE_ADD(reap_timestamp, INTERVAL 2 HOUR);
update TNSSA_AUTH_SESSION_CACHE set ABSTO = DATE_ADD(ABSTO, INTERVAL 2 HOUR);
These statements assume Central European Time and that the data was created in summer time (with winter time you have to add only 1 hour). If you afterwards get an error like Unknown or incorrect time zone: 'UTC', your database does not have the timezone database initialized. You have to run
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p
and to verify the result you can run SELECT * FROM mysql.time_zone_name;. Note that this only affects you if you are upgrading from the Java 8 ELS versions or any rolling version >= 4.40.0.10. Upgrading from LTS21 is not affected, as LTS21 does not have this issue yet; it was introduced in NEVISAUTH-4265. (NEVISAUTH-4650)
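The following is an added illustration of the timezone problem described in the entry above; it is example code, not nevisAuth code, and it simulates the driver behaviour the entry describes rather than calling the real MariaDB connector. It assumes the database server timezone is Central European Time (CET = UTC+1, CEST = UTC+2, EU switch dates) and that timestamps are stored as naive wall-clock values. It shows why a UTC expiry that happens to fall into the skipped spring hour is rejected by a server-zone session but accepted by a UTC session, and it generalises the entry's flat "add 2 hours in summer, 1 hour in winter" correction to the offset actually in effect for each stored row.

```python
# Added example (not nevisAuth code): models the double timezone conversion the
# release note describes and the data correction it prescribes.
# Assumptions: DB server timezone is Central European Time (CET/CEST, EU rule),
# timestamps are naive wall-clock values, and the driver is simulated.
from datetime import datetime, timedelta

CET = timedelta(hours=1)
CEST = timedelta(hours=2)


def ts(text: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' wall-clock string, the shape MariaDB shows."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _last_sunday(year: int, month: int) -> datetime:
    """Midnight of the last Sunday of a 31-day month (March and October)."""
    d = datetime(year, month, 31)
    return d - timedelta(days=(d.weekday() + 1) % 7)


def cet_offset_for_utc(utc: datetime) -> timedelta:
    """UTC offset of Central European Time in effect at a UTC instant. EU rule: summer
    time runs from the last Sunday of March 01:00 UTC to the last Sunday of October 01:00 UTC."""
    start = _last_sunday(utc.year, 3).replace(hour=1)
    end = _last_sunday(utc.year, 10).replace(hour=1)
    return CEST if start <= utc < end else CET


def utc_to_local(utc: datetime) -> datetime:
    """What a server-zone session hands back when it reads a stored UTC value."""
    return utc + cet_offset_for_utc(utc)


def local_to_utc(local: datetime) -> datetime:
    """What a server-zone session writes when it treats a value as local wall-clock time.
    Raises ValueError for the hour skipped at the spring switch: the point where the
    database rejected the insert."""
    for offset in (CET, CEST):  # CET first, so an ambiguous autumn hour resolves to CET
        candidate = local - offset
        if cet_offset_for_utc(candidate) == offset:
            return candidate
    raise ValueError(f"{local:%Y-%m-%d %H:%M} does not exist in Central European Time")


def store_with_server_zone(expiry_utc: datetime) -> datetime:
    """Old behaviour: the expiry is already UTC, but the server-zone session converts it
    once more (local -> UTC) before storing, so the stored value is short by the offset."""
    return local_to_utc(expiry_utc)


def read_with_server_zone(stored: datetime) -> datetime:
    """Old read path: the reverse conversion, which is why the bug stayed invisible
    outside the switch hour."""
    return utc_to_local(stored)


def store_with_utc_session(expiry_utc: datetime) -> datetime:
    """Fixed behaviour: with a UTC session the value is stored unchanged, and every
    wall-clock time exists in UTC."""
    return expiry_utc


def repair_stored_timestamp(stored: datetime) -> datetime:
    """Generalises the DATE_ADD(..., INTERVAL 2 HOUR) fix: a row written under the old
    behaviour is short by the offset in effect when it was written, so add it back.
    Away from the switch dates this equals the flat +2 h (summer) or +1 h (winter)."""
    return stored + cet_offset_for_utc(stored)


if __name__ == "__main__":
    july = ts("2024-07-01 12:00")  # constructed sample expiry, UTC
    stored = store_with_server_zone(july)
    print("old path stored", stored, "and read back", read_with_server_zone(stored))
    print("UTC session now reads it as", store_with_utc_session(stored),
          "-> repaired to", repair_stored_timestamp(stored))
    gap = ts("2024-03-31 02:30")  # constructed: a valid UTC time inside the skipped CET hour
    try:
        store_with_server_zone(gap)
    except ValueError as err:
        print("old path:", err)
    print("UTC session stores", store_with_utc_session(gap))
```

Running the script shows the symmetric old path (12:00 stored as 10:00 and read back as 12:00), the 2-hour shortfall a UTC session sees in that same row, and the insert that fails only for a wall-clock time inside the skipped hour.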