Web Policy Agents 5.10

What’s new

Matching FQDNs to URL patterns

The wildcard * can now be used in FQDN Virtual Host Map to match a domain name. Use this feature to pass requests with dynamically allocated hostnames, for example, in Kubernetes deployments, without redirecting them to another domain.

For more information, see FQDN checking.

Authorization flow for single page applications using JavaScript

Authorization flow for applications using JavaScript is a new property that enables callbacks into JavaScript applications after an authentication or transactional authorization journey.

The property provides support for single page applications (SPAs) that use embedded login or authorization dialogs within iframes or embedded tags.

This feature is in Technology Preview, as defined in Release levels and interface stability, for use only with assistance from ForgeRock.

Current limitations:

  • The property cannot be set in agent.conf. Set it in the Advanced tab of the AM console.

  • The feature might require configuration changes to on-prem AM servers.

  • The feature does not work with the Identity Cloud, unless the service is accessed through a reverse proxy on the application site.

Apache built-in modules available for authentication

Use Built-in Apache HTTPD Authentication Directives is a new property to enable Apache Web Agent to use built-in Apache authentication directives, such as AuthName, FilesMatch, and Require for specified not-enforced URLs.

In previous releases, use of built-in Apache authentication directives was not supported; the agent replaced the authentication functionality provided by Apache.

POST data preservation: use a single agent profile for multiple agent instances

In previous releases, to correctly configure POST data preservation, a separate agent profile was required in AM for each agent instance. From this release, a single agent profile can be used for multiple agent instances.

Use this feature for scalable deployments, where resources are dynamically created or destroyed.

URI fragments persisted in custom login mode

When the value of Enable Custom Login Mode is 2, URI fragments were previously lost during login. From this release, URI fragments in the browser are not lost after the custom login procedure.

Pre-authentication cookies expire immediately after authentication

In previous releases, the pre-authentication cookie, agent-authn-tx, expired when it reached the age configured by Profile Attributes Cookie Maxage. From this release, the pre-authentication cookie expires when the first of the following events occurs:

Expiring the cookie immediately after authentication reduces the amount of used header space, and prevents authentication errors and errors in applications that set headers.

Limit on the size to which a JWT can be decompressed

The maximum size to which a compressed JWT can be decompressed is now limited to 1 MB, and is not configurable. This change reduces the risk of a memory-exhaustion denial of service (DoS) caused by a decompressed JWT consuming too much of the available memory.

Copyright © 2010-2022 ForgeRock, all rights reserved.