Java Policy Agents 5.10.2

What’s new

What’s new in Java Agent 5.10.2

Java Agent 5.10.2 is the latest maintenance release for Java Agent 5.10 deployments. Install this release for an initial deployment or to update an existing Java Agent deployment.

What’s new in Java Agent 5.10.1

Invalidation of sessions on logout

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

What’s new in Java Agent 5.10

Support for Jakarta EE standard

Java Agent now supports the Jakarta EE 9+ standard, with JDK 11. For information about supported operating systems Jakarta, see Jakarta EE platform requirements.

Matching FQDNs to URL patterns

A file globbing pattern (containing * and ?) can now be used to match a hostname, in FQDN Map. Use this feature to map requests with virtual, invalid, or partial hostnames to URLs that contain a correct FQDN.

Detect the path of a resource loaded by classloader

To help with troubleshooting, a new property -Ddisplay.classpath.mode.enabled=true is available to help locate .jar files that contain outdated classes. For more information and an example, see Detect the path of a resource loaded by classloader.


Log messages in Java Agent and third-party dependencies are now recorded using the Logback implementation of the Simple Logging Facade for Java (SLF4J) API. For more information, see Logging.

POST data can be preserved in files

The following new properties are available to configure the storage of POST data to files instead of to the in-memory cache:

For more information, see POST data preservation.

Encoding for extended characters in not-enforced rules

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

For more information, see Not-enforced rules.

Limitation on the size to which a JWT can be decompressed

Maximum Decompression Size is a new property to limit the maximum size to which a compressed JWT can be decompressed. This property reduces the risk of memory exhaustion DOS attacks by reducing the risk of a decompressed JWT consuming too much available memory.

Signing of pre-authentication cookies

To improve protection against tampering, pre-authentication and POST data preservation cookies can now be signed. When the value of Pre-Authn and Post Data Preservation Cookie Signing Value is a non-zero length, its value is used to generate a signing key.

During installation, the path to a file that contains the signing value can be provided interactively or in the installation response file. Cookies are not signed if:

  • The path is not provided

  • The path to an empty file is provided

  • The value found in the file is too short

The signing value is stored in the file.

Retrieval of agent password

A new option is available in agentadmin to reveal the agent profile password.

Copyright © 2010-2023 ForgeRock, all rights reserved.