What’s new

To improve security, the audit handling code is deprecated and replaced by the Commons Audit Framework. Sensitive information, such as cookies and some headers, is no longer audited by default.

New properties are available to define the audit log directory and include or exclude elements from audit logs. Learn more from Deprecated and Incompatible changes.

A new option, --raw-encrypt, is available in agentadmin to encrypt the agent password before agent installation.

With PingOne Advanced Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider’s secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.

Learn more from Create agent profiles in AM and Create an agent profile in PingOne Advanced Identity Cloud.

Installation of Java Agent with Jetty 12 is supported.

For installation on Jetty 12, you can use Javax EE8, Jakarta EE9, or Jakarta EE10. However, Java Agent can protect applications in only one EE environment at a time.

Java Agent on Jetty 12 runs on Java 17.

Learn more from Install Jetty Java Agent.

The agent uses pre-authentication cookies to track authentication requests to AM. During authentication, if the pre-authentication cookie has expired or doesn’t contain a required one-time code, the agent now logs a message to describe the failure.

When a user has insufficient credentials to access a requested resource, AM can return policy advice requiring the user to authenticate at a higher level.

If there is an error in the AM configuration, an infinite authentication loop can occur, where the user is repeatedly asked to authenticate.

The following new properties are available to manage infinite authentication loops:

A Dockerfile is now provided to deploy Tomcat Java Agent to extend and protect an application. For more information, refer to Deploy Java Agent with Docker.

Use of the FIPS Java API module from the Legion of the Bouncy Castle Inc is now supported. For more information, refer to Integrate with Bouncy Castle FIPS provider.

Procedures for drop-in software update are simplified and testing is now automated. For information about changes to drop-in software update, refer to Incompatible changes.

Java Agent agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.

You can now authenticate Java Agent to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

For more information, refer to Authenticate agents to PingOne Advanced Identity Cloud and Authenticate agents to AM.

Retain previous override behavior is a new property to force use of the following properties when constructing URLs for not-enforced rule evaluation, or policy evaluation:

For backward compatibility, the property is true by default; the override properties are not used to construct URLs.

Query parameters can now be used in the property OAuth Login URL List to create rules that evaluate request URLs for login redirect. Previously, the rules were based only on the request domain, path, and header.

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

The new DENY keyword immediately denies access to matching resources. Access is always denied. A not-enforced rule with the DENY keyword is not inverted by the NOT keyword or by the following properties Invert Not-Enforced IPs or Invert Not-Enforced URIs.

For information, refer to Deny access.

Support for JDK 8 is removed in this release.

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

Java Agent now supports the Jakarta EE 9+ standard, with JDK 11. For information about supported operating systems Jakarta, see Jakarta EE platform requirements.

A file globbing pattern (containing * and ?) can now be used to match a hostname, in ?. Use this feature to map requests with virtual, invalid, or partial hostnames to URLs that contain a correct FQDN.

To help with troubleshooting, a new property -Ddisplay.classpath.mode.enabled=true is available to help locate .jar files that contain outdated classes. For more information and an example, see Detect the path of a resource loaded by classloader.

Log messages in Java Agent and third-party dependencies are now recorded using the Logback implementation of the Simple Logging Facade for Java (SLF4J) API. For more information, refer to Logging.

The following new properties are available to configure the storage of POST data to files instead of to the in-memory cache:

For more information, refer to POST data preservation.

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

For more information, refer to Not-enforced rules.

Maximum Decompression Size is a new property to limit the maximum size to which a compressed JWT can be decompressed. This property reduces the risk of memory exhaustion DOS attacks by reducing the risk of a decompressed JWT consuming too much available memory.

To improve protection against tampering, pre-authentication and POST data preservation cookies can now be signed. When the value of Pre-Authn and Post Data Preservation Cookie Signing Value is a non-zero length, its value is used to generate a signing key.

During installation, the path to a file that contains the signing value can be provided interactively or in the installation response file. Cookies are not signed if:

The signing value is stored in the AgentKey.properties file.

A new option is available in agentadmin to reveal the agent profile password.

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

In previous releases, the JBoss installer requested a profile only when the deployment mode was domain. From this release, the JBoss installer also requests a profile when the deployment mode is standalone.

For more information, see Install JBoss Java Agent.

The following properties can now take multiple values:

In previous releases, these properties could take only one value.

When the agent is not in autonomous mode, the following properties configure how Java Agent responds if AM becomes unavailable at runtime (for example, due to network errors):

A problem was identified when an active agent session was retired, and ? was NONE. The first call made on behalf of an unauthenticated user was to retrieve session information. In these circumstances, AM returned an HTTP 200, with a reduced property set.

From this release, the agent monitors session notifications for destruction of its own session. Additionally, the agent assumes that if it has not received an HTTP 200 response to any request from AM for more than one minute, its token might have been subject to idle timeout retirement. In these circumstances, the agent validates its own token before retrieving the session information.

In previous releases, the agent automatically maintained an internal not-enforced list, populated with all entries in the logout URI map, all entries in the access denied URI map, optionally the favicon.ico, and so on. For every incoming request, the agent searched the list without using the customary not-enforced caches.

The following improvements in this release improve results in the performance testing framework:

Support for multibyte characters has been developed as follows: