Changes in 7.3.x
The supported constructor, public AMIdentity(SSOToken token, String universalId) throws IdRepoException, no longer throws an IllegalArgumentException if the provided string is not a valid representation of a DN.
Instead, these exceptions are now converted to instances of
Deletion of site data on logout
For security reasons, AM now instructs the browser to clear site data such as locally cached data and cookies when a user successfully logs out. This behavior can be disabled for compatibility purposes. Refer to the Add clear-site-data Header on Logout property in the Core authentication attributes for more information.
Session condition advice behavior
Session condition failure resulted in a
No configuration found error. This behavior has been changed
true and policy evaluation is requested, AM sends the session advice to the Java, Web, or IG agent when the maxSessionTime elapses and the user is required to reauthenticate.
false and policy evaluation is requested, AM does not send the session advice to the Java, Web, or IG agent when the maxSessionTime elapses. Instead of being redirected to the login page, the user receives a 403 Forbidden response for the protected resource.
Password change messages can now be returned in sentence case
Previously, all password change and password reset messages were transformed to upper case; for example, YOU MUST RESET YOUR PASSWORD. The LDAP Decision node now provides an option to disable this transformation, so that messages are returned in the case in which they are configured; for example, You must reset your password.
This option is disabled by default.
Previously, if you set the Base URL source to X-Forwarded-* headers and no X-Forwarded-Proto header was provided, the generated URL would have a protocol of null, for example null://host, which would result in a broken URL.
From this release, if no X-Forwarded-Proto header is provided, a fallback scheme is used, based on the URI of the request.
You can now specify a port in the Base URL, using the
X-Forwarded-Host headers are specified, the outermost proxy host is used.
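The scheme fallback described above, modelled as an added example (this is not AM's code): it builds a base URL from X-Forwarded-* headers with and without the fallback, and checks whether the result is usable. The function names, the sample hosts and the reading of the left-most X-Forwarded-Host value as the outermost proxy's are assumptions.

```python
from urllib.parse import urlsplit


def _first(headers, name):
    """Left-most value of a (possibly comma-separated) header, or None."""
    raw = headers.get(name.lower(), "")
    value = raw.split(",")[0].strip()
    return value or None


def base_url(request_uri, headers, scheme_fallback=True):
    """Build scheme://host from X-Forwarded-* headers.

    scheme_fallback=False models the earlier behaviour (a missing
    X-Forwarded-Proto yields the literal scheme "null"); True models the
    fallback to the scheme of the request URI.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    request = urlsplit(request_uri)

    scheme = _first(headers, "X-Forwarded-Proto")
    if scheme is None:
        scheme = request.scheme if scheme_fallback else "null"

    # Assumption: the left-most X-Forwarded-Host entry was set by the
    # outermost proxy; with no header at all, use the request's own host.
    host = _first(headers, "X-Forwarded-Host") or request.netloc
    return f"{scheme.lower()}://{host}"


def is_usable(url):
    """A base URL is usable only with an http(s) scheme and a host."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


if __name__ == "__main__":
    # Constructed sample request: the proxy sent a host but no scheme.
    uri = "http://am-internal:8080/am/json/authenticate"
    hdrs = {"X-Forwarded-Host": "login.example.com, inner.example.net"}
    for fallback in (False, True):
        url = base_url(uri, hdrs, scheme_fallback=fallback)
        print(f"fallback={fallback}: {url} usable={is_usable(url)}")
```

A check like is_usable over the URLs AM emits in redirects or e-mail links is a quick way to confirm, after an upgrade, that a proxy which omits X-Forwarded-Proto no longer produces null:// links.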
The supported interface, org.forgerock.openam.services.email.MailServer, has moved from the
openam-core module to
You need to update the dependencies to recompile your implementation of this interface.
Removal of CTS worker thread pool
To simplify AM behavior, CTS operations are now performed as part of the HTTP worker thread created by the HTTP container. This refactoring introduces the following changes:
org.forgerock.services.cts.async.queue.timeout advanced configuration properties are no longer used.
The following monitoring metrics have been replaced:
For details, refer to CTS metrics.
The primary way to tune the CTS connection pool is to use the org.forgerock.services.cts.store.max.connections property. The default value has been increased from
100. Existing deployments will be upgraded to whichever is greater: 100 or the original value.