Java Agents

What’s new

Java Agent 2024.9

Java Agent 2024.9 is a minor release that introduces new features, functional enhancements, and fixes.

URL validation and path normalization

Raw URL path invalidation regex list is a new property that lets you define regular expressions to match invalid or undesired characters or strings during URL validation.

Incoming URLs are evaluated against this property before path normalization, so the patterns are matched against the raw path as received, and a request is rejected with an HTTP 400 if a match is found. Checking before normalization matters: a sequence that normalization would later decode or collapse cannot be used to slip past the check.

Additionally, %5C (the percent-encoded backslash) is no longer converted to / during path normalization. If such requests must be rejected, add %5C to the new property as an invalid string.
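The following Python sketch, added here as an illustration and not code from the agent, shows why the check runs before normalization. The regex list, the HTTP status handling and the normalization routine are this example's own assumptions; the agent's actual normalization algorithm is not described on this page. With the constructed regex list, an encoded backslash or encoded dot segment is rejected with 400 before it is ever decoded; with an empty list, the decoded backslash is kept as a literal character rather than being treated as a path separator.

```python
import re
from urllib.parse import unquote

HTTP_OK = 200
HTTP_BAD_REQUEST = 400

# Constructed stand-in for the "Raw URL path invalidation regex list" property.
# Each entry is a regular expression matched against the raw, still-encoded path.
RAW_PATH_INVALIDATION_REGEXES = [
    r"%5[cC]",        # percent-encoded backslash (no longer normalized to "/")
    r"%2[eE]%2[eE]",  # percent-encoded ".." dot segment
    r"%00",           # percent-encoded NUL
]


def check_raw_path(raw_path, regexes=RAW_PATH_INVALIDATION_REGEXES):
    """Return 400 if any pattern matches the raw path, otherwise 200.

    Runs before any decoding or normalization, so a forbidden sequence cannot be
    hidden behind an encoding that normalization would only undo afterwards.
    """
    for pattern in regexes:
        if re.search(pattern, raw_path):
            return HTTP_BAD_REQUEST
    return HTTP_OK


def normalize_path(raw_path):
    """Illustrative normalization (assumed, not the agent's algorithm):
    percent-decode once, drop "." segments, resolve ".." segments.
    A decoded backslash stays a literal character; it is not a separator.
    """
    segments = []
    for segment in unquote(raw_path).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments)


def evaluate_request_path(raw_path, regexes=RAW_PATH_INVALIDATION_REGEXES):
    """Validate first, normalize second. Returns (status, normalized_path or None)."""
    status = check_raw_path(raw_path, regexes)
    if status != HTTP_OK:
        return status, None
    return HTTP_OK, normalize_path(raw_path)


if __name__ == "__main__":
    # Constructed sample paths: one benign, two using encodings to reach other resources.
    for path in ["/app/css/../img/logo.png", "/app/..%5Cadmin/", "/app/%2e%2e/admin"]:
        print(path, "->", evaluate_request_path(path))
        print(path, "(empty regex list) ->", evaluate_request_path(path, regexes=[]))
```

Note that the third sample shows the trade-off: with an empty list, "/app/%2e%2e/admin" normalizes to "/admin" and is then evaluated against the rules for that resource, whereas with the list in place the request never gets that far.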

Temporary files

A new temporary files directory (/tmp) has been created in /path/to/java_agents/agent_type/Agent_n.

This /tmp directory is used by Prometheus monitoring for any temporary files.

Additionally, the /pdp directory used by default for POST data preservation (PDP) data when POST data is saved to files has moved to this /tmp directory. You can change the default directory using the existing POST Data Preservation File Directory property.

Changes to Prometheus metrics

Metrics output from the Prometheus endpoint now uses the Prometheus 0.0.4 format. As a result, some metric names have been updated:

  • Metric names ending _total now end _sum.

  • ja_jvm_thread_state metrics ending _count now end _result.

  • Other metric names ending _count no longer include the _count suffix.

  • The agent-exception decision for denied ja_request metrics has been replaced by bad-request and unexpected-exception decisions depending on the reason.

  • The following WebSocket metric names have been updated to include a _total suffix:

    • ja_websocket_config_change_processed

    • ja_websocket_config_change_received

    • ja_websocket_policy_change_processed

    • ja_websocket_policy_change_received

    • ja_websocket_session_logout_processed

    • ja_websocket_session_logout_received

The sort order has also changed, and metrics are now ordered by sum and then count. Previously, they were ordered by count and then sum.

Learn more in Monitor services.

Java Agent 2024.6

Java Agent 2024.6 is a minor release that introduces new features, functional enhancements, and fixes.

Commons Audit Framework

To improve security, the audit handling code is deprecated and replaced by the Commons Audit Framework. Sensitive information, such as cookies and some headers, is no longer audited by default.

New properties are available to define the audit log directory and include or exclude elements from audit logs. Learn more from Deprecated and Incompatible changes.

Offline agent password encryption

A new option, --raw-encrypt, is available in agentadmin to encrypt the agent password before agent installation.

Java Agent 2024.3

Java Agent 2024.3 is a major release that introduces new features, functional enhancements, and fixes.

Hardened security

With PingOne Advanced Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider’s secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.

Jetty Java Agent 12

Installation of Java Agent with Jetty 12 is supported.

For installation on Jetty 12, you can use the javax namespace (Java EE 8), Jakarta EE 9, or Jakarta EE 10. However, Java Agent can protect applications in only one EE environment at a time.

Java Agent on Jetty 12 runs on Java 17.

Learn more from Install Jetty Java Agent.

Java Agent 2023.11.1

Java Agent 2023.11.1 is a maintenance release. It contains no new features.

Java Agent 2023.11

Java Agent 2023.11 is a minor release that introduces new features, functional enhancements, and fixes.

Improved error reporting for authentication failures

The agent uses pre-authentication cookies to track authentication requests to AM. During authentication, if the pre-authentication cookie has expired or doesn’t contain a required one-time code, the agent now logs a message to describe the failure.

Improved management of infinite authentication loops

When a user has insufficient credentials to access a requested resource, AM can return policy advice requiring the user to authenticate at a higher level.

If there is an error in the AM configuration, an infinite authentication loop can occur, where the user is repeatedly asked to authenticate.

The following new properties are available to manage infinite authentication loops:

Deployment with Docker

A Dockerfile is now provided to deploy Tomcat Java Agent to extend and protect an application. For more information, refer to Deploy Java Agent with Docker.

Integration with Bouncy Castle FIPS provider

Use of the FIPS Java API module from the Legion of the Bouncy Castle Inc is now supported. For more information, refer to Integrate with Bouncy Castle FIPS provider.

Java Agent 2023.9

Java Agent 2023.9 is a minor release that introduces new features, functional enhancements, and fixes.

Continued improvement to drop-in software update

Procedures for drop-in software update are simplified and testing is now automated. For information about changes to drop-in software update, refer to Incompatible changes.

Java Agent 2023.6

Java Agent 2023.6 is a minor release that introduces new features, functional enhancements, and fixes.

Authentication of Java Agent to PingOne Advanced Identity Cloud and AM

Java Agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.

You can now authenticate Java Agent to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

For more information, refer to Authenticate agents to PingOne Advanced Identity Cloud and Authenticate agents to AM.

Override alternate host, port, and protocol in constructed URLs

Retain previous override behavior is a new property that controls whether the following properties are used when constructing URLs for not-enforced rule evaluation or policy evaluation:

  • Alternative Agent Host Name

  • Alternative Agent Port Number

  • Alternative Agent Protocol

For backward compatibility, the property is true by default, which keeps the previous behavior: the override properties are not used to construct URLs. Set it to false to construct those URLs from the alternative host, port, and protocol.

Java Agent 2023.3

Java Agent 2023.3 is a major release that introduces new features, functional enhancements, and fixes.

Conditional redirect of unauthenticated requests based on request query parameters

Query parameters can now be used in the property OAuth Login URL List to create rules that evaluate request URLs for login redirect. Previously, the rules were based only on the request domain, path, and header.

Invalidation of sessions on logout

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so the agent additionally invokes the AM REST logout endpoint to invalidate the session.

DENY keyword for not-enforced rules

The new DENY keyword immediately denies access to matching resources; access is always denied. A not-enforced rule with the DENY keyword is not inverted by the NOT keyword or by the Invert Not-Enforced IPs and Invert Not-Enforced URIs properties.

For information, refer to Deny access.
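The precedence described above, as an added Python model that is not the agent's own evaluation code. The "KEYWORD pattern" entry layout, glob matching for URL patterns and the treatment of NOT as an exception to a broader plain entry are this example's assumptions; what it is meant to show is the rule that holds regardless of syntax: a DENY match is final, and neither NOT nor the invert property can turn it into an exemption.

```python
import fnmatch

DENY, NOT_ENFORCED, ENFORCED = "deny", "not-enforced", "enforced"


def parse_rule(rule):
    """Split an entry into (keyword, pattern); keyword is "DENY", "NOT" or None.
    The "KEYWORD pattern" layout is this example's assumption."""
    keyword, _, pattern = rule.strip().partition(" ")
    if keyword in ("DENY", "NOT") and pattern:
        return keyword, pattern.strip()
    return None, rule.strip()


def matches(uri, pattern):
    # Glob matching stands in for the agent's URL pattern syntax; "*" also
    # spans "/", so "/public/*" covers "/public/a/b/c.css".
    return fnmatch.fnmatchcase(uri, pattern)


def evaluate_not_enforced(uri, rules, invert_not_enforced_uris=False):
    parsed = [parse_rule(r) for r in rules]

    # 1. DENY is checked first and is final: neither NOT nor the invert
    #    property can turn it into an exemption.
    if any(kw == "DENY" and matches(uri, pat) for kw, pat in parsed):
        return DENY

    # 2. A NOT entry re-enforces a resource that a broader plain entry exempts.
    if any(kw == "NOT" and matches(uri, pat) for kw, pat in parsed):
        exempt = False
    else:
        exempt = any(kw is None and matches(uri, pat) for kw, pat in parsed)

    # 3. Invert Not-Enforced URIs flips only the non-DENY outcome.
    if invert_not_enforced_uris:
        exempt = not exempt
    return NOT_ENFORCED if exempt else ENFORCED


if __name__ == "__main__":
    # Constructed rule list: static assets are public, an internal subtree is
    # re-enforced, and the admin console is always denied.
    rules = ["/public/*", "NOT /public/internal/*", "DENY /admin/*"]
    for uri in ["/public/css/site.css", "/public/internal/keys", "/admin/users", "/app/home"]:
        print(f"{uri:28} {evaluate_not_enforced(uri, rules):13} "
              f"inverted={evaluate_not_enforced(uri, rules, True)}")
```

When auditing a configuration that sets Invert Not-Enforced URIs, check the DENY entries separately: inverting the list changes which resources are exempt, but a DENY entry keeps denying exactly the same resources either way.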

JDK 8

Support for JDK 8 is removed in this release.

Java Agent 5.10.3

Java Agent 5.10.3 is a maintenance release. It contains no new features.

Java Agent 5.10.2

Java Agent 5.10.2 is a maintenance release. It contains no new features.

Java Agent 5.10.1

Invalidation of sessions on logout

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

Java Agent 5.10

Support for Jakarta EE standard

Java Agent now supports the Jakarta EE 9+ standard, with JDK 11. For information about supported operating systems and platforms, refer to Jakarta EE platform requirements.

Matching FQDNs to URL patterns

A file globbing pattern (containing * and ?) can now be used to match a hostname, in FQDN Map. Use this feature to map requests with virtual, invalid, or partial hostnames to URLs that contain a correct FQDN.

Detect the path of a resource loaded by classloader

To help with troubleshooting, a new JVM system property, -Ddisplay.classpath.mode.enabled=true, is available to help locate .jar files that contain outdated classes. For more information and an example, refer to Detect the path of a resource loaded by classloader.

Logback

Log messages in Java Agent and third-party dependencies are now recorded using the Logback implementation of the Simple Logging Facade for Java (SLF4J) API. For more information, refer to Logging.

POST data can be preserved in files

The following new properties are available to configure the storage of POST data to files instead of to the in-memory cache:

For more information, refer to POST data preservation.

Encoding for extended characters in not-enforced rules

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

For more information, refer to Not-enforced rules.

Limitation on the size to which a JWT can be decompressed

Maximum Decompression Size is a new property that limits the size to which a compressed JWT can be decompressed. It reduces the risk of memory-exhaustion denial-of-service (DoS) attacks, in which a small compressed JWT expands to consume too much of the available memory.
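The attack this property guards against, and the shape of a correct guard, as an added Python example that is not the agent's implementation. The limit value and the status codes are constructed; raw DEFLATE is used because that is the algorithm JWE names as "zip": "DEF". The point is that the cap must be applied inside the inflate call, so the oversized output is never materialized, rather than by inflating everything and then measuring it.

```python
import zlib

# Constructed limit standing in for the Maximum Decompression Size property.
MAX_DECOMPRESSION_SIZE = 64 * 1024

OK, TOO_LARGE, TRUNCATED, CORRUPT = "ok", "too-large", "truncated", "corrupt"


def deflate(data):
    """Raw DEFLATE (no zlib header), the algorithm JWE names as "zip": "DEF"."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def inflate_with_limit(compressed, max_size=MAX_DECOMPRESSION_SIZE):
    """Inflate at most max_size bytes; never allocate beyond that.

    Returns (status, payload). zlib is asked for max_size + 1 output bytes: if
    it can produce that many the payload is over the limit, and the rest of the
    input stays in unconsumed_tail without ever being expanded.
    """
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    try:
        out = d.decompress(compressed, max_size + 1)
    except zlib.error:
        return CORRUPT, None
    if len(out) > max_size:
        return TOO_LARGE, None
    if not d.eof:
        # All input consumed but no end-of-stream marker: incomplete token.
        return TRUNCATED, None
    return OK, out


if __name__ == "__main__":
    # Constructed inputs: a small claims set and a highly compressible "bomb".
    claims = b'{"sub":"agent-1","iss":"am"}'
    bomb = deflate(b"\x00" * (8 * 1024 * 1024))
    print("claims:", inflate_with_limit(deflate(claims)))
    print(f"bomb: {len(bomb)} compressed bytes ->", inflate_with_limit(bomb))
```

The 8 MiB of zeros compresses to a few kilobytes, small enough to travel in a cookie or header; without the cap, every request carrying such a token would cost the JVM 8 MiB of heap before the signature was even checked.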

Signing of pre-authentication cookies

To improve protection against tampering, pre-authentication and POST data preservation cookies can now be signed. When the value of Pre-Authn and Post Data Preservation Cookie Signing Value is a non-zero length, its value is used to generate a signing key.

During installation, the path to a file that contains the signing value can be provided interactively or in the installation response file. Cookies are not signed if:

  • The path is not provided

  • The path to an empty file is provided

  • The value found in the file is too short

The signing value is stored in the AgentKey.properties file.
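A minimal model of signed pre-authentication cookies, added here as an example and not the agent's own code. The key derivation, the cookie layout (base64url body, a dot, base64url HMAC-SHA256 tag) and the minimum length of 16 characters are this example's assumptions; the page only says that an empty or too-short value leaves cookies unsigned. The example models exactly that failure mode: when no usable signing value is found, the cookie is issued and accepted without any integrity check.

```python
import base64
import hashlib
import hmac
import json

MIN_SIGNING_VALUE_LENGTH = 16  # assumption; the page only says "too short"


def signing_key_from_file_contents(contents):
    """Mirror the installer rules: no file, an empty file, or a too-short value
    means the cookies are not signed, modelled here as a None key."""
    if contents is None:
        return None
    value = contents.strip()
    if len(value) < MIN_SIGNING_VALUE_LENGTH:
        return None
    # Derive a fixed-length key from the operator-supplied value (assumed KDF).
    return hashlib.sha256(b"pre-authn-cookie-signing:" + value.encode()).digest()


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload, key):
    """Serialize the payload; append an HMAC-SHA256 tag when a key is configured."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    if key is None:
        return b64url_encode(body)  # unsigned deployment: no tag at all
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(tag)


def verify_cookie(cookie, key):
    """Return the payload if the tag verifies, else None.

    With key None the cookie is accepted unverified: this is the state the
    installer leaves you in when the signing value is missing or too short.
    """
    body_b64, _, tag_b64 = cookie.partition(".")
    try:
        body = b64url_decode(body_b64)
        if key is None:
            return json.loads(body)
        if not tag_b64:
            return None
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
            return None
        return json.loads(body)
    except ValueError:  # bad base64 or bad JSON
        return None


if __name__ == "__main__":
    # Constructed signing value, as it would be read from the file given at install time.
    key = signing_key_from_file_contents("correct-horse-battery-staple-2024\n")
    cookie = sign_cookie({"nonce": "a1b2", "goto": "/app/home"}, key)
    print("cookie:", cookie)
    print("verified:", verify_cookie(cookie, key))
    forged = b64url_encode(b'{"goto":"/admin","nonce":"a1b2"}') + "." + cookie.split(".")[1]
    print("forged body, original tag:", verify_cookie(forged, key))
    print("unsigned deployment accepts anything:",
          verify_cookie(b64url_encode(b'{"goto":"/admin"}'), signing_key_from_file_contents("")))
```

Because an unusable signing value silently downgrades to unsigned cookies, confirm after installation that AgentKey.properties holds a value of adequate length rather than assuming the interactive prompt or response file supplied one.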

Retrieval of agent password

A new option is available in agentadmin to reveal the agent profile password.

Java Agent 5.9.1

Encoding of extended characters in not-enforced rules

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

  • Container Character Encoding

  • Container Parameter Encoding

Java Agent 5.9

JBOSS installer allows profiles in standalone mode

In previous releases, the JBoss installer requested a profile only when the deployment mode was domain. From this release, the JBoss installer also requests a profile when the deployment mode is standalone.

For more information, refer to Install JBoss Java Agent.

Profile, response, and session attributes take multiple values

The following properties can now take multiple values:

  • Profile Attribute Map

  • Response Attribute Map

  • Session Attribute Map

In previous releases, these properties could take only one value.

Responding to AM unavailability during runtime

When the agent is not in autonomous mode, the following properties configure how Java Agent responds if AM becomes unavailable at runtime (for example, due to network errors):

  • Strategy when AM unavailable

  • Recheck availability of AM

Better management of agent session retirement

A problem was identified when an active agent session was retired, and Profile Attribute Fetch Mode was NONE. The first call made on behalf of an unauthenticated user was to retrieve session information. In these circumstances, AM returned an HTTP 200, with a reduced property set.

From this release, the agent monitors session notifications for the destruction of its own session. Additionally, if the agent has not received an HTTP 200 response to any request from AM for more than one minute, it assumes its token might have been retired by idle timeout. In these circumstances, the agent validates its own token before retrieving the session information.

Improved performance

In previous releases, the agent automatically maintained an internal not-enforced list, populated with all entries in the logout URI map, all entries in the access-denied URI map, optionally favicon.ico, and so on. For every incoming request, the agent searched this list without using the customary not-enforced caches.

The following changes in this release improve results in the performance testing framework:

  • More efficient matching of entries in the list

  • Optimized use of regular expressions in the remaining not-enforced code

  • Improved canonicalization of incoming URLs

Support for multi-byte characters

Support for multibyte characters now covers the following:

  • Multibyte user names

  • Events are correctly audited for multibyte users

  • Correct local auditing of events associated with multibyte users, to files specified with multibyte paths

  • Correct remote auditing of events associated with multibyte users

  • Multibyte agent profile name

  • Multibyte agent password

  • Multibyte agent realm

  • Multibyte webapps

  • Multibyte not-enforced rules successfully match resources

  • Agent debug log can be specified with a multibyte path

  • Agent monitoring directory can be specified with a multibyte path

Copyright © 2010-2024 ForgeRock, all rights reserved.