New in Java Agent 2023.x
Java Agent 2023.11.x
Java Agent 2023.11.2
Java Agent 2023.11.2 is a maintenance release that introduces security enhancements and fixes.
URL handling
We’ve made changes to the Java Agent to improve the security of handling incoming request URLs.
|
These changes may affect the agent’s behavior in your environment. You should review these settings and make sure they are suitable for your requirements. In particular, consider that not-enforced rules and AM policies are evaluated against normalized paths with the path parameters removed. |
By default, the agent will now reject an incoming request URL with an HTTP 400 in the following scenarios:
-
One or more of the following characters exist in the URL path or path parameters:
-
%2E(encoded period character) -
%2F(encoded forward slash) -
%3B(encoded semicolon) -
%5C(encoded backslash) -
\(unencoded backslash)
-
-
The incoming URL path contains encoded control characters. These are characters in the range
%00to%1Finclusive, and%7F. -
The incoming URL path contains invalid encodings, such as
%G1. -
The incoming URL path doesn’t conform with the rules in the Jakarta Servlet Specification Request URI Path Processing section.
Encoded characters are case-insensitive. For example, %2E and %2e are handled in the same way.
|
Learn more in Path traversal attempts.
Corresponding new properties are available to control this behavior if you need to make any changes:
Additionally, a new Control
Handling of Path Traversal Attempts property lets you reject incoming URLs that contain .., or
combinations of . and %2E as a path segment.
By default, this property is set to false and the agent doesn’t reject URLs with these path segments.
URL validation and path normalization
Raw URL path invalidation regex list is a new property that lets you define regular expressions to match invalid or undesired characters or strings during URL validation.
Incoming URLs are evaluated against this property before path normalization and rejected with an HTTP 400 if a match is found.
Additionally, %5C is no longer converted to / during path normalization. If required, %5C can be added to the new property as an invalid string.
Changes to Prometheus metrics
Metrics output from the Prometheus endpoint now uses the Prometheus 0.0.4 format. As a result, some metric names have been updated:
-
Metric names ending
_totalnow end_sum. -
ja_jvm_thread_statemetrics ending_countnow end_result. -
Other metric names ending
_countno longer include the_countsuffix. -
The
agent-exceptiondecision for deniedja_requestmetrics has been replaced bybad-requestandunexpected-exceptiondecisions depending on the reason. -
The following WebSocket metric names have been updated to include a
_totalsuffix:-
ja_websocket_config_change_processed -
ja_websocket_config_change_received -
ja_websocket_policy_change_processed -
ja_websocket_policy_change_received -
ja_websocket_session_logout_processed -
ja_websocket_session_logout_received
-
The sort order has also changed, and metrics are now ordered by sum and then count. Previously, they were ordered by count and then sum.
Learn more in Monitor services.
Java Agent 2023.11
Java Agent 2023.11 is a minor release that introduces new features, functional enhancements, and fixes.
Improved error reporting for authentication failures
The agent uses pre-authentication cookies to track authentication requests to AM. During authentication, if the pre-authentication cookie has expired or doesn’t contain a required one-time code, the agent now logs a message to describe the failure.
Improved management of infinite authentication loops
When a user has insufficient credentials to access a requested resource, AM can return policy advice requiring the user to authenticate at a higher level.
If there is an error in the AM configuration, an infinite authentication loop can occur, where the user is repeatedly asked to authenticate.
The following new properties are available to manage infinite authentication loops:
Deployment with Docker
A Dockerfile is now provided to deploy Tomcat Java Agent to extend and protect an application. For more information, refer to Deploy Java Agent with Docker.
Integration with Bouncy Castle FIPS provider
Use of the FIPS Java API module from the Legion of the Bouncy Castle Inc is now supported. For more information, refer to Integrate with Bouncy Castle FIPS provider.
Java Agent 2023.9
Java Agent 2023.9 is a minor release that introduces new features, functional enhancements, and fixes.
Continued improvement to drop-in software update
Procedures for drop-in software update are simplified and testing is now automated. For information about changes to drop-in software update, refer to Incompatible changes.
Java Agent 2023.6
Java Agent 2023.6 is a minor release that introduces new features, functional enhancements, and fixes.
Authentication of Java Agent to PingOne Advanced Identity Cloud and AM
Java Agent agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.
You can now authenticate Java Agent to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.
For more information, refer to Authenticate agents to PingOne Advanced Identity Cloud and Authenticate agents to AM.
Override alternate host, port, and protocol in constructed URLs
Retain previous override behavior is a new property to force use of the following properties when constructing URLs for not-enforced rule evaluation, or policy evaluation:
-
Alternative Agent Host Name -
Alternative Agent Port Number -
Alternative Agent Protocol
For backward compatibility, the property is true by default; the override
properties are not used to construct URLs.
Java Agent 2023.3
Java Agent 2023.3 is a major release that introduces new features, functional enhancements, and fixes.
Conditional redirect of unauthenticated requests based on request query parameters
Query parameters can now be used in the property OAuth Login URL List
to create rules that evaluate request URLs for login redirect.
Previously, the rules were based only on the request domain, path, and header.
Invalidation of sessions on logout
Always invalidate sessions is a new property to invoke the AM REST logout endpoint.
If Conditional Logout URL List
is set to a URL that does not perform a REST logout to AM, set
Always invalidate sessions to true so the agent additionally invokes the AM REST logout endpoint to invalidate the session.
DENY keyword for not-enforced rules
The new DENY keyword immediately denies access to matching resources.
Access is always denied.
A not-enforced rule with the DENY keyword is not inverted by the NOT keyword
or by the following properties Invert Not-Enforced IPs or Invert Not-Enforced URIs.
For information, refer to Deny access.