New in Java Agent 2024.x
Java Agent 2024.11.x
Java Agent 2024.11
Java Agent 2024.11 is a minor release that introduces new features, functional enhancements, and fixes.
URL handling
We’ve made changes to the Java Agent to improve the security of handling incoming request URLs.
These changes may affect the agent's behavior in your environment. Review the related settings and make sure they are suitable for your requirements. In particular, note that not-enforced rules and AM policies are evaluated against normalized paths with the path parameters removed, not against the raw request URL.
By default, the agent now rejects an incoming request URL with an HTTP 400 in the following scenarios:
- One or more of the following characters exist in the URL path or path parameters:
  - %2E (encoded period)
  - %2F (encoded forward slash)
  - %3B (encoded semicolon)
  - %5C (encoded backslash)
  - \ (unencoded backslash)
- The incoming URL path contains encoded control characters. These are characters in the range %00 to %1F inclusive, and %7F.
- The incoming URL path contains invalid encodings, such as %G1.
- The incoming URL path doesn't conform to the rules in the Request URI Path Processing section of the Jakarta Servlet Specification.
Encoded characters are case-insensitive. For example, %2E and %2e are handled in the same way.
Learn more in Path traversal attempts.
Corresponding new properties are available to control this behavior if you need to make any changes:
Additionally, a new Control Handling of Path Traversal Attempts property lets you reject incoming URLs that contain .., or a combination of . and %2E that spells .. (for example .%2E or %2E%2E), as a path segment. By default, this property is set to false and the agent doesn't reject URLs with these path segments.
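The following is an added illustration of the rules described above, written for these notes rather than taken from the Java Agent. It validates the raw, still-encoded path (the default rejections, plus the optional traversal check), then builds the normalized path with path parameters removed that not-enforced rules are matched against. The not-enforced rule list, the prefix-match semantics and the `BadRequest` type are assumptions for the example; the Jakarta Servlet Request URI Path Processing rules are not reproduced.

```python
# Added illustration of the 2024.11 request URL rules. This is example code written for
# these notes, not the Java Agent's own implementation; rule semantics are simplified.
import re
from urllib.parse import unquote


class BadRequest(Exception):
    """Raised where the agent would answer the request with HTTP 400."""


# Encoded sequences rejected by default in the path or path parameters, compared
# case-insensitively (%2E and %2e are treated alike).
REJECTED_ENCODINGS = {
    "%2e": "period",
    "%2f": "forward slash",
    "%3b": "semicolon",
    "%5c": "backslash",
}

# Matches either a well-formed %XX escape or a stray '%' that starts an invalid
# encoding such as %G1 or a truncated '%2' at the end of the path.
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})|%")


def validate_raw_path(raw_path: str, reject_traversal: bool = False) -> None:
    """Apply the default rejection rules to the raw (still encoded) request path.

    reject_traversal models the Control Handling of Path Traversal Attempts
    property (default false). The Jakarta Servlet Request URI Path Processing
    rules are not reproduced here.
    """
    if "\\" in raw_path:
        raise BadRequest("unencoded backslash in path")
    for m in PCT_ESCAPE.finditer(raw_path):
        if m.group(1) is None:
            raise BadRequest(f"invalid percent-encoding at offset {m.start()}")
        token = "%" + m.group(1).lower()
        if token in REJECTED_ENCODINGS:
            raise BadRequest(f"encoded {REJECTED_ENCODINGS[token]} ({m.group(0)}) in path")
        code = int(m.group(1), 16)
        if code <= 0x1F or code == 0x7F:
            raise BadRequest(f"encoded control character {m.group(0)} in path")
    if reject_traversal:
        for segment in raw_path.split("/"):
            # Any mix of '.' and %2E (either case) that spells '..' is a traversal segment.
            # Path parameters (';name=value') are ignored, so '..;x=1' still counts.
            if re.sub(r"%2[Ee]", ".", segment.split(";", 1)[0]) == "..":
                raise BadRequest(f"path traversal segment {segment!r}")


def is_rejected(raw_path: str, reject_traversal: bool = False) -> bool:
    """True if validate_raw_path() would answer HTTP 400 for this path."""
    try:
        validate_raw_path(raw_path, reject_traversal)
    except BadRequest:
        return True
    return False


def normalize_path(raw_path: str) -> str:
    """Percent-decode, drop ';name=value' path parameters and resolve '.' and '..'.

    This is the form that not-enforced rules and AM policies are evaluated against.
    Run validate_raw_path() first: rejecting %2F and %2E up front is what keeps a
    decoded '/' or '.' from changing the segment structure here.
    """
    segments = []
    for segment in raw_path.split("/"):
        name = unquote(segment.split(";", 1)[0])
        if name in ("", "."):
            continue
        if name == "..":
            if segments:
                segments.pop()
            continue
        segments.append(name)
    return "/" + "/".join(segments)


def is_not_enforced(raw_path: str, not_enforced_prefixes, reject_traversal: bool = False) -> bool:
    """Decide whether a request may skip AM policy evaluation (prefix rules only)."""
    validate_raw_path(raw_path, reject_traversal)
    normalized = normalize_path(raw_path)
    return any(normalized.startswith(prefix) for prefix in not_enforced_prefixes)


if __name__ == "__main__":
    # Constructed not-enforced rule and request paths for a quick run.
    rules = ("/app/public/",)
    for path in ("/app/public/index.html",
                 "/app/public;jsessionid=abc/../admin",
                 "/app/public%2F..%2Fadmin",
                 "/app/%G1"):
        try:
            print(path, "-> not enforced" if is_not_enforced(path, rules) else "-> enforced")
        except BadRequest as exc:
            print(path, "-> 400:", exc)
```

The second sample path is the case the callout warns about: `/app/public;jsessionid=abc/../admin` passes validation with the default settings, but after the path parameter is dropped and `..` is resolved it normalizes to `/app/admin`, so a not-enforced rule for `/app/public/` does not match and the request is enforced. Turning the traversal property on rejects that same request with a 400 before normalization.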
JWT signature validation
A new Enable internal checking of JWT signature property controls how the JWT signature is validated. By default, the property is set to false, which doesn’t change JWT signature validation.
Set this property to true to validate the JWT signature internally.
The agent caches the AM public keys used for JWT signing when the JWT signature is validated internally. Configure this cache using the following new properties:
When the JWT signature is validated internally, there is an expected performance impact.
List properties
We’ve made changes to let you update list properties in bulk rather than individually.
You do this by specifying @ in the index location and entering the value as comma-separated values.
For example, property[@]=one,two,three is the equivalent of setting the following properties individually:
property[]=one
property[]=two
property[]=three
Learn more in List properties.
Java Agent 2024.9
Java Agent 2024.9 is a minor release that introduces new features, functional enhancements, and fixes.
URL validation and path normalization
Raw URL path invalidation regex list is a new property that lets you define regular expressions to match invalid or undesired characters or strings during URL validation.
Incoming URLs are evaluated against this property before path normalization and rejected with an HTTP 400 if a match is found.
Additionally, %5C is no longer converted to / during path normalization. If required, add %5C to the new property as an invalid string.
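As an added example (not the agent's own code), the following shows why this property is applied to the raw path before normalization. The pattern list is constructed for the example; the property accepts your own regular expressions.

```python
# Added illustration of the 2024.9 Raw URL path invalidation regex list. Example code
# written for these notes, not the agent's implementation; the patterns are constructed.
import re
from urllib.parse import unquote

# Constructed pattern list. Because %5C is no longer folded into '/' by normalization
# (2024.9), it can be listed here directly as an invalid string.
RAW_PATH_INVALIDATION_REGEXES = [
    re.compile(r"(?i)%5c"),      # encoded backslash
    re.compile(r"(?i)%2e%2e"),   # fully encoded '..'
    re.compile(r"\.\.(/|$)"),    # literal '..' segment
]


def first_invalidating_pattern(raw_path: str):
    """Return the pattern that rejects the raw, still-encoded path, or None.

    The agent evaluates this list before path normalization; a match means HTTP 400.
    """
    for pattern in RAW_PATH_INVALIDATION_REGEXES:
        if pattern.search(raw_path):
            return pattern.pattern
    return None


def checked_after_normalization(raw_path: str):
    """Run the same patterns on the percent-decoded path, for comparison only.

    Decoding turns %5C into a literal backslash, so a pattern written against the
    encoded form no longer matches. Checking the raw path first is what makes the
    encoded form rejectable at all.
    """
    return first_invalidating_pattern(unquote(raw_path))


if __name__ == "__main__":
    for path in ("/app/index.html", "/app/%5C..%5Cetc/passwd", "/app/%2E%2E/etc/passwd"):
        print(path, "raw:", first_invalidating_pattern(path),
              "decoded:", checked_after_normalization(path))
```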
Temporary files
A new temporary files directory (/tmp) has been created in /path/to/java_agents/agent_type/Agent_n.
This /tmp directory is used by Prometheus monitoring for any temporary files.
Additionally, the /pdp directory used by default for POST data preservation (PDP) data when POST data is saved to files has moved to this /tmp directory. You can change the default directory using the existing POST Data Preservation File Directory property.
Changes to Prometheus metrics
Metrics output from the Prometheus endpoint now uses the Prometheus 0.0.4 format. As a result, some metric names have been updated:
- Metric names ending _total now end _sum.
- ja_jvm_thread_state metrics ending _count now end _result.
- Other metric names ending _count no longer include the _count suffix.
- The agent-exception decision for denied ja_request metrics has been replaced by bad-request and unexpected-exception decisions, depending on the reason.
- The following WebSocket metric names have been updated to include a _total suffix:
  - ja_websocket_config_change_processed
  - ja_websocket_config_change_received
  - ja_websocket_policy_change_processed
  - ja_websocket_policy_change_received
  - ja_websocket_session_logout_processed
  - ja_websocket_session_logout_received
The sort order has also changed: metrics are now ordered by sum and then count. Previously, they were ordered by count and then sum.
Learn more in Monitor services.
Java Agent 2024.6
Java Agent 2024.6 is a minor release that introduces new features, functional enhancements, and fixes.
Commons Audit Framework
To improve security, the audit handling code is deprecated and replaced by the Commons Audit Framework. Sensitive information, such as cookies and some headers, is no longer audited by default.
New properties are available to define the audit log directory and include or exclude elements from audit logs. Learn more from Deprecated and Incompatible changes.
Java Agent 2024.3
Java Agent 2024.3 is a major release that introduces new features, functional enhancements, and fixes.
Hardened security
With PingOne Advanced Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider’s secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.
Learn more from Create agent profiles in AM and Create an agent profile in PingOne Advanced Identity Cloud.
Jetty Java Agent 12
Installation of Java Agent with Jetty 12 is supported.
For installation on Jetty 12, you can use Javax EE8, Jakarta EE9, or Jakarta EE10. However, Java Agent can protect applications in only one EE environment at a time.
Java Agent on Jetty 12 runs on Java 17.
Learn more from Install Jetty Java Agent.