Changes in AM 7.3.x
AM 7.3
Artifact updates
If your custom code uses the following supported Java classes, you must update your build dependencies to include these modules:
| Class / interface | Module |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AMIdentity constructor
The supported constructor, public AMIdentity(SSOToken token, String universalId) throws IdRepoException,
no longer throws an IllegalArgumentException if the provided string is not a valid representation of a DN.
Instead, these exceptions are now converted to instances of IdRepoException.
Deletion of site data on logout
For security reasons, AM now instructs the browser to clear site data such as locally cached data and cookies when a user successfully logs out. This behavior can be disabled for compatibility purposes. Refer to the Add clear-site-data Header on Logout property in the Core authentication attributes for more information.
Session condition advice behavior
Previously, a Session condition failure resulted in a No configuration found error. This behavior has been changed
as follows:
-
If
terminateSessionistrueand policy evaluation is requested, AM sends the session advice to the Java, Web, or IG agent when themaxSessionTimeelapses and the user is required to reauthenticate. -
If
terminateSessionisfalseand policy evaluation is requested, AM does not send the session advice to the Java, Web, or IG agent when themaxSessionTimeelapses. Instead of being redirected to the login page, the user receives a 403 Forbidden response for the protected resource.
Password change messages can now be returned in sentence case
Previously, all password change and password reset messages were transformed to upper case; for example,
YOU MUST RESET YOUR PASSWORD. The LDAP Decision node now provide an option
to disable this transformation, letting messages be returned in the case in which they are configured; for example
You must reset your password.
This option is disabled by default.
Base URL X-Forwarded-* headers
-
Previously, if you set the Base URL source to
X-Forwarded-* headersand noX-Forwarded-Protoheader was provided, the generated URL would have a protocol ofnull, for examplenull://host, which would result in a broken URL.From this release, if no
X-Forwarded-Protoheader is provided, a fallback scheme is used, based on the URI of the request. -
You can now specify a port in the Base URL, using the
X-Forwarded-Portheader. -
If multiple
X-Forwarded-Hostheaders are specified, the outermost proxy host is used.
org.forgerock.openam.services.email.MailServer interface
The supported interface, org.forgerock.openam.services.email.MailServer has moved from the openam-core module to mail-api.
You need to update the dependencies to recompile your implementation of this interface.
Removal of CTS worker thread pool
To simplify AM behavior, CTS operations are now performed as part of the HTTP worker thread created by the HTTP container. This refactoring introduces the following changes:
-
The
org.forgerock.services.cts.async.queue.sizeandorg.forgerock.services.cts.async.queue.timeoutadvanced configuration properties are no longer used. -
The following monitoring metrics have been replaced:
-
Old:
cts.task.queueandcts.task.queue.size -
New:
cts.connection.state.outandcts.connection.state.pendingFor details, refer to CTS metrics.
-
-
The primary way to tune the CTS connection pool is to use the
org.forgerock.services.cts.store.max.connectionsproperty. The default value has been increased from10to100. Existing deployments will be upgraded to whichever is greater:100or the original value. -
In previous AM releases, calls to the
/json/health/readyendpoint returned anHTTP 200 OKresponse if the CTS queue was below the configured threshold, even if the CTS data store was unavailable.The CTS queue has been removed in AM 7.3 as part of optimizing connections to the CTS store. If the CTS data store is unavailable, calls to the
/json/health/readyendpoint now return anHTTP 503 Service Unavailableerror.