Java Policy Agents

What’s new

What’s new in Java Agent 2024.3

Hardened security

With Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider’s secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.

Jetty Java Agent 12

Installation of Java Agent with Jetty 12 is supported.

For installation on Jetty 12, you can use Javax EE8, Jakarta EE9, or Jakarta EE10. However, Java Agent can protect applications in only one EE environment at a time.

Java Agent on Jetty 12 runs on Java 17.

Learn more from Install Jetty Java Agent.

What’s new in Java Agent 2023.11

Improved error reporting for authentication failures

The agent uses pre-authentication cookies to track authentication requests to AM. During authentication, if the pre-authentication cookie has expired or doesn’t contain a required one-time code, the agent now logs a message to describe the failure.

Improved management of infinite authentication loops

When a user has insufficient credentials to access a requested resource, AM can return policy advice requiring the user to authenticate at a higher level.

If there is an error in the AM configuration, an infinite authentication loop can occur, where the user is repeatedly asked to authenticate.

The following new properties are available to manage infinite authentication loops:

Deployment with Docker

A Dockerfile is now provided to deploy Tomcat Java Agent to extend and protect an application. For more information, refer to Deploy Java Agent with Docker.

Integration with Bouncy Castle FIPS provider

Use of the FIPS Java API module from the Legion of the Bouncy Castle Inc is now supported. For more information, refer to Integrate with Bouncy Castle FIPS provider.

What’s new in Java Agent 2023.9

Continued improvement to drop-in software update

Procedures for drop-in software update are simplified and testing is now automated. For information about changes to drop-in software update, refer to Incompatible changes.

What’s new in Java Agent 2023.6

Authentication of Java Agent to Identity Cloud and AM

Java Agent agents are automatically authenticated to Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.

You can now authenticate Java Agent to Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

Override alternate host, port, and protocol in constructed URLs

Retain previous override behavior is a new property to force use of the following properties when constructing URLs for not-enforced rule evaluation, or policy evaluation:

For backward compatibility, the property is true by default; the override properties are not used to construct URLs.

What’s new in Java Agent 2023.3

Conditional redirect of unauthenticated requests based on request query parameters

Query parameters can now be used in the property OAuth Login URL List to create rules that evaluate request URLs for login redirect. Previously, the rules were based only on the request domain, path, and header.

Invalidation of sessions on logout

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

DENY keyword for not-enforced rules

The new DENY keyword immediately denies access to matching resources. Access is always denied. A not-enforced rule with the DENY keyword is not inverted by the NOT keyword or by the following properties Invert Not-Enforced IPs or Invert Not-Enforced URIs.

For information, refer to Deny access.

JDK 8

Support for JDK 8 is removed in this release.

What’s new in Java Agent 5.10.1

Invalidation of sessions on logout

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

What’s new in Java Agent 5.10

Support for Jakarta EE standard

Java Agent now supports the Jakarta EE 9+ standard, with JDK 11. For information about supported operating systems Jakarta, see Jakarta EE platform requirements.

Matching FQDNs to URL patterns

A file globbing pattern (containing * and ?) can now be used to match a hostname, in ?. Use this feature to map requests with virtual, invalid, or partial hostnames to URLs that contain a correct FQDN.

Detect the path of a resource loaded by classloader

To help with troubleshooting, a new property -Ddisplay.classpath.mode.enabled=true is available to help locate .jar files that contain outdated classes. For more information and an example, see Detect the path of a resource loaded by classloader.

Logback

Log messages in Java Agent and third-party dependencies are now recorded using the Logback implementation of the Simple Logging Facade for Java (SLF4J) API. For more information, refer to Logging.

POST data can be preserved in files

The following new properties are available to configure the storage of POST data to files instead of to the in-memory cache:

For more information, refer to POST data preservation.

Encoding for extended characters in not-enforced rules

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

For more information, refer to Not-enforced rules.

Limitation on the size to which a JWT can be decompressed

Maximum Decompression Size is a new property to limit the maximum size to which a compressed JWT can be decompressed. This property reduces the risk of memory exhaustion DOS attacks by reducing the risk of a decompressed JWT consuming too much available memory.

Signing of pre-authentication cookies

To improve protection against tampering, pre-authentication and POST data preservation cookies can now be signed. When the value of Pre-Authn and Post Data Preservation Cookie Signing Value is a non-zero length, its value is used to generate a signing key.

During installation, the path to a file that contains the signing value can be provided interactively or in the installation response file. Cookies are not signed if:

  • The path is not provided

  • The path to an empty file is provided

  • The value found in the file is too short

The signing value is stored in the AgentKey.properties file.

Retrieval of agent password

A new option is available in agentadmin to reveal the agent profile password.

What’s New in Java Agent 5.9.1

Encoding of extended characters in not-enforced rules

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

What’s New in Java Agent 5.9

JBOSS Installer Allows Profiles in Standalone Mode

In previous releases, the JBoss installer requested a profile only when the deployment mode was domain. From this release, the JBoss installer also requests a profile when the deployment mode is standalone.

For more information, see Install JBoss Java Agent.

Profile, Response, and Session Attributes Take Multiple Values

The following properties can now take multiple values:

In previous releases, these properties could take only one value.

Responding to AM Unavailability During Runtime

When the agent is not in autonomous mode, the following properties configure how Java Agent responds if AM becomes unavailable at runtime (for example, due to network errors):

Better Management of Agent Session Retirement

A problem was identified when an active agent session was retired, and ? was NONE. The first call made on behalf of an unauthenticated user was to retrieve session information. In these circumstances, AM returned an HTTP 200, with a reduced property set.

From this release, the agent monitors session notifications for destruction of its own session. Additionally, the agent assumes that if it has not received an HTTP 200 response to any request from AM for more than one minute, its token might have been subject to idle timeout retirement. In these circumstances, the agent validates its own token before retrieving the session information.

Improved Performance

In previous releases, the agent automatically maintained an internal not-enforced list, populated with all entries in the logout URI map, all entries in the access denied URI map, optionally the favicon.ico, and so on. For every incoming request, the agent searched the list without using the customary not-enforced caches.

The following improvements in this release improve results in ForgeRock’s performance testing framework:

  • More efficient matching of entries in the list

  • Optimized use of regular expressions in the remaining not-enforced code

  • Improved canonicalization of incoming URLs

Support for Multi-Byte Characters

Support for multibyte characters has been developed as follows:

  • Multibyte users are supported

  • Events are correctly audited for multibyte users

  • Correct local auditing of events associated with multibyte users, to files specified with multibyte paths

  • Correct remote auditing of events associated with multibyte users

  • Multibyte agent profile name

  • Multibyte agent password

  • Multibyte agent realm

  • Multibyte webapps

  • Multibyte not-enforced rules successfully match resources

  • Agent debug log can be specified with a multibyte path

  • Agent monitoring directory can be specified with a multibyte path

Copyright © 2010-2024 ForgeRock, all rights reserved.