----------------- Changes in Ceptor -----------------

- 2/11 2022, KR
  . Version 6.5.6 released
- 25/10 2022, KR
  . CS-251 Added support for specifying the codepage to use for the password / hash of the password in RadiusClient.
    This enables compatibility with Windows NPS for accented and special characters, since NPS does not follow the
    RFC specification, which states that the password must be UTF-8 encoded - it instead uses CP1252.
    Call AccessRequest setPasswordCharset() with the character set to use, e.g. Charset.forName("CP1252").
    MS-CHAP-V2 changed to always use UTF-16LE encoding for the password, no matter what codepage is otherwise set.
- 23/10 2022, KR
  . snakeyaml and jackson-databind updated.
- 15/10 2022, KR
  . Embedded Vaadin framework used in Admin Console updated to fix security vulnerabilities.
- 8/10 2022, KR
  . PP-1043 Added support for token exchange and resource owner password grant types to the JWT Authentication plugin.
    Added new configuration property for JWTAuthenticationType - "resourceownerpassword.authtype" - to specify a
    particular authentication type to be used for the ResourceOwnerPassword grant type. If not specified, the default
    auth plugin is used.
    For each client, you can now specify if refresh tokens should be revoked upon use, and if you want to issue a new
    refresh token when a refresh token is used.
    Wildcards can now be used when specifying valid scopes for a client; if no valid scopes are listed then all scopes
    are considered valid.
- 24/9 2022, KR
  . Version 6.5.5 released
- 24/9 2022, KR
  . Upgraded various open-source dependencies to fix security issues: Vaadin 8, Jackson, snakeyaml, jsoup,
    swagger-parser, swagger-models, jython, jetty. OpenJDK updated. Apache xmlsec updated.
- 19/9 2022, KR
  . Added convenience method to Gateway context; public void respond(CompletedRequest req); to send a completed
    request back to the client - can be used from gateway scripts.
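The CS-251 entry above is about which bytes a password becomes before RFC 2865 User-Password hiding is applied. The Python below is added here as an illustration and is not part of Ceptor's RadiusClient: it implements the standard hiding with a selectable codepage so the UTF-8 versus CP1252 mismatch can be seen concretely; the shared secret and Request Authenticator are constructed demo values.

```python
import hashlib
from typing import Optional

# Constructed demo values (not from Ceptor): a RADIUS shared secret and the
# 16-byte Request Authenticator the client places in the Access-Request.
DEMO_SECRET = b"constructed-shared-secret"
DEMO_AUTHENTICATOR = bytes(range(16))


def encoded_length(password: str, charset: str) -> int:
    """Bytes the password occupies once encoded with the given codepage.
    This is the first place UTF-8 and CP1252 diverge for accented characters.
    (MS-CHAPv2 hashes the UTF-16LE form instead of sending User-Password.)"""
    return len(password.encode(charset))


def hide_user_password(password: str, secret: bytes, authenticator: bytes,
                       charset: str = "utf-8") -> bytes:
    """RFC 2865 section 5.2 User-Password hiding with a selectable codepage.

    The password is encoded with `charset`, null-padded to a multiple of 16
    octets, and each 16-octet block is XORed with MD5(secret + previous block),
    the first block using the Request Authenticator. Only the codepage step
    is the CS-251 specific part; the rest is the standard algorithm.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    raw = password.encode(charset)
    if len(raw) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    pad = (-len(raw)) % 16
    if not raw:
        pad = 16  # an empty password is still sent as one all-null block
    padded = raw + b"\x00" * pad
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(block, key))
        hidden += cipher
        prev = cipher
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes,
                         charset: str = "utf-8") -> str:
    """Server-side inverse of hide_user_password(). Decoding with a different
    codepage than the client used is exactly the NPS/UTF-8 mismatch."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    # Decode first, then drop the padding characters the nulls decode to.
    return bytes(clear).decode(charset).rstrip("\x00")


def server_sees(hidden: bytes, secret: bytes, authenticator: bytes,
                charset: str) -> Optional[str]:
    """What a server configured for `charset` recovers; None if the bytes are
    not even valid in that codepage (the usual symptom of a mismatch)."""
    try:
        return reveal_user_password(hidden, secret, authenticator, charset)
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    pw = "P\u00e4ssw0rd"  # constructed password with one accented character
    for cs in ("utf-8", "cp1252", "utf-16-le"):
        print(f"{cs:10s} -> {encoded_length(pw, cs)} bytes")
    hidden = hide_user_password(pw, DEMO_SECRET, DEMO_AUTHENTICATOR, "cp1252")
    print("CP1252 server recovers:", server_sees(hidden, DEMO_SECRET, DEMO_AUTHENTICATOR, "cp1252"))
    print("UTF-8 server recovers: ", server_sees(hidden, DEMO_SECRET, DEMO_AUTHENTICATOR, "utf-8"))
```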
  . Updated undertow to 2.2.19.Final - this fixes a known denial-of-service vulnerability, so you should update as
    soon as possible.
- 19/9 2022, KR
  . CS-249 When enumerating web server status in the Administration API, any errors resulting from stale connection
    information are now ignored.
- 13/8 2022, KR
  . CS-236 Added new Weblogic 12 and Weblogic 14 specific versions of the integration - these no longer use log4j for
    logging, but instead SLF4J like the rest of the agent, and should be used for WLS12/14 integrations.
    For more information, please see this link to the documentation:
    https://ceptor.atlassian.net/wiki/spaces/CEPTOR/pages/852093/Integrating+with+Oracle+WebLogic
- 30/6 2022, KR
  . CS-238 http2.enable was false in the gateway by default, but true in the Config UI and in the documentation.
    Updated UI and documentation to match reality.
- 15/6 2022, KR
  . CS-232 PasswordVerifier now supports hashed SHA1 passwords being specified as a Base64 encoded string.
- 23/5 2022, KR
  . Version 6.5.4 released
- 23/5 2022, KR
  . CS-228 LDAP OTP plugin now supports email OTP as another new factor; authsms examples modified - remember to
    back up the existing version if you have made any changes to it.
    The default LdapAuthenticationPlugin, which is also used for authenticating administrators if configured, is also
    updated to use the UnboundID LDAP client implementation. The old one is still available by setting
    ldapauthenticationplugin.classname to dk.itp.security.ldap.LdapAuthenticationPluginNS - but it should no longer
    be used.
- 10/5 2022, KR
  . CS-226 Fix a bug in reloading the GeoIP ISP database when configured - it could result in a NullPointerException.
  . CS-228 LDAP OTP Plugin modified to use the unboundid ldap implementation instead of the older Netscape LDAP
    libraries. unboundid has better performance, and much better handling of clustering and failures that might occur
    inside a cluster.
    This means that some of the old properties are now ignored and a few new ones have been added - the old ones that
    are now removed are: ldap.xxxx.usepool and ldap.xxxx.userandom.
    New properties are:
      ldap.xxxx.pool.maximum.connections (defaults to the value of pool.size; if not specified, defaults to 50)
      ldap.xxxx.pool.cache.connection.seconds (defaults to 3600)
      ldap.xxxx.pool.minimum.connections (defaults to the value of pool.size if specified, or the number of servers if not)
    Anyone using a custom authentication plugin and the older LdapUserConnection and LdapGroupConnection classes from
    the "dk.itp.security.ldap" package should migrate to using unboundid as soon as possible. Unfortunately an internal
    migration of these classes is not possible since they expose the netscape LDAP classes and exceptions.
    The class "io.ceptor.ldap.Pool" might help in this regard, since it wraps the setup of cluster, DNS lookup and use
    of TLS certificates so they are easier to use - contact us if more info is required.
- 1/5 2022, KR
  . Version 6.5.3 released
- 1/5 2022, KR
  . CS-226 Admin API updated - new methods for getting and changing webserver status added to match Java API
    capabilities.
  . PP-1042 Open source dependencies updated to fix vulnerabilities: gson, jackson, swagger-parser.
    Log4j v1.2.x replaced with reload4j. Undertow updated to v2.2.17.Final.
- 25/3 2022, JN
  . PP-1041 Added warning to certificate overview in administration console so certificates expiring in less than
    4 weeks will be flagged.
- 17/3 2022, KR
  . Version 6.5.2 released
- 17/3 2022, KR
  . CS-221 / CS-222 Unfortunately the upgrade to Jetty 9.4 caused a problem with keystores containing multiple
    certificates (see https://github.com/eclipse/jetty.project/issues/4385 )
- 08/3 2022, KR
  . CS-217 In SessionCookieResolver in Ceptor Gateway, if samesite for the cookie is set to "none", and the request
    is unsecured HTTP and not HTTPS, then the SameSite attribute is not added, since the spec requires that it is
    sent as Secure - but doing so would not work with unsecured http.
- 06/3 2022, KR
  . Version 6.5.1 released
- 05/3 2022, KR
  . Bundled Java version updated to jre-11.0.14.1_1
- 05/3 2022, KR
  . CS-218 Jose4j updated to v0.7.10 to fix support for matching against multiple keys in the returned jwks
- 03/3 2022, KR
  . CS-219 OpenSource dependencies updated: Log4jv1, Postgres, Undertow, jackson, snakeyaml, jython, swagger-parser,
    swagger-models, json-path, commons-io, guava.
    Logback updated to 1.2.10, and slf4j to 1.7.36 - remember to update your launch configurations if not using the
    installer to do it for you automatically.
    Jetty updated to 9.4 from 9.3. Note that as part of upgrading from Jetty 9.3 to 9.4, Ceptor is unfortunately no
    longer compatible with Jetty 9.3.
    The properties ws.sslkeymanagerfactoryalgorithm and ws.http2_initialstreamsendwindow no longer exist since they
    are not supported by Jetty 9.4 - also ssl.sslKeyManagerFactoryAlgorithm is no longer supported for the proxy.
- 22/2 2022, KR
  . CS-215 OCSPResponder improvement - if the OCSP response does not contain a certificate, the issuer certificate is
    used to validate the response by default, instead of requiring that the OCSP server always returns a certificate.
- 27/1 2022, KR
  . PP-1040 New Feature: WWPass support. Added support for WWPass for login without userid/password
- 27/1 2022, KR
  . CS-214 GeoUpdater was not always able to rename the newly downloaded file, since the old memory-mapped bytebuffer
    might not have been garbage-collected in time. Now cleaned up by calling undocumented methods on DirectByteBuffer.
    Added option "geoip.storeinmemory" - if set to true, a memory mapped file is not used, but the full file is loaded
    into heap memory, increasing memory usage and performance.
- 8/1 2022, KR
  . PP-1039 Fixed code-completion support in default mapper editors.
- 25/11 2021, KR
  . CS-204 Added "locksessions" configuration property to the session controller to control if locking is enabled or
    not. The default value is true, but it can be set to false to disable locking - disabling it means that multiple
    concurrent requests can modify the same session at the same time, potentially causing problems, so it should not
    be set, but it is provided anyway to be able to turn locking off in case some authentication plugins have odd
    behavior like calling the same session recursively through the agent or similar.
- 07/11 2021, KR
  . CS-204 SessionController now locks the user object while making changes on it, preventing multiple concurrent
    logins or other modifications on the session from causing issues. Note that concurrent logins on the same session
    should never be done, but now even misbehaving clients cannot cause issues.
- 28/9 2021, KR
  . Version 6.5.0 released
- 22/9 2021, KR
  . PP-1038 When Adding CORS headers is enabled in API Manager, Access-Control-Allow-Credentials is now set to true
    along with the other headers. In addition, any request headers in Access-Control-Request-Headers are now added to
    the response Access-Control-Allow-Headers.
- 17/9 2021, KR
  . Docker JVM updated to adoptopenjdk/jre-11.0.12_7
- 11/9 2021, KR
  . PP-1036 Updated swagger editor/ui to newest available version
- 9/9 2021, KR
  . PP-1036 Undertow updated to v2.2.10; commons-validator updated to version 1.7; commons-beanutils updated to
    version 1.9.4; commons-digester updated to version 2.1; Apache ignite updated to version 2.9.1; json-path updated
    to 2.6.0; swagger-parser updated to 2.0.27; swagger-models updated to 1.6.2; guava updated to v30.1.1-jre
- 1/9 2021
  . PP-1037 Added support for configuring multiple keystores in Ceptor Gateway - this allows you to load keys and
    certificates directly from configuration, files or hardware HSMs, or a combination of all, and use this in the
    same gateway instance.
- 28/8 2021, KR
  . PP-972 Added dynatrace support to both Dispatcher and Gateway. For Dispatcher, it is controlled by the new options
    dynatrace.applicationid, dynatrace.contextroot, dynatrace.enabled, dynatrace.traceincoming,
    dynatrace.webservername - see documentation for info on those.
    In the gateway, the gateway settings have new options for the dynatrace names, and the locations have a new value
    to enable tracing for that particular location.
    This means that an additional .jar file; oneagent-sdk-.jar is now required for both dispatcher and gateway.
- 7/8 2021, KR
  . PP-1036 Updated various open-source dependencies.
    Undertow updated to v2.2.9.Final, which includes the fix for UNDERTOW-1882, allowing special characters in the URL.
    Embedded Groovy updated to version 3.0.8.
    JVM updated to v11.0.12.7 for installers, and 11.0.11_9 for docker images.
    SLF4j updated to v1.7.32. Logback updated to 1.2.5.
    Bouncycastle updated to v1.69 - note that a new bcutil-jdk15on-169.jar file is added.
    Jackson updated to 2.12.4. Snakeyaml updated to 1.29.
- 4/7 2021, KR
  . Version 6.4.12 released
- 03/07 2021, KR
  . PP-995 Fixed problem in PasswordVerifier that did not work with passwords encoded by PasswordUtils, but only with
    bcrypt, pbkdf2 and the old sha1 password hashes.
  . PP-1031 When adding a radius attribute to a packet it now checks for a max length of 255 bytes and throws
    InvalidArgumentException if the length is too large.
    Updated default radius dictionary to include Cisco ASA specific attribute definitions.
- 01/07 2021, KR
  . PP-1034 Fixed timing issue if an authentication plugin sent a response - in that case, adding the session fixation
    cookie might fail depending on timing, since the response might have already been committed by the time the cookie
    is added.
- 18/06 2021, KR
  . CEPTOR-32 When issuing tokens via Agent's newToken() call, it failed if tokens, e.g. SAML tickets, were larger
    than 64k, since writeUTF() was used to write the token.
  . CEPTOR-32 RetrieveURLTask in pipelines or API Management can now specify SSL settings to be used for URLs that are
    used directly instead of via a Destination configuration.
- 11/05 2021, KR
  . CEPTOR-30 Gateway now discards Connection and Expect headers and never copies them from client to server or from
    server to client.
- 21/4 2021, KR
  . PP-1024 Fixed issue in parsing both embedded userinfo_token and id_token - when doing the 2nd parsing of the
    id_token, the userid and name were reverted back to default values, so if those attributes originated from the
    userinfo_token they were overwritten in the 2nd parsing of the id_token.
- 7/4 2021, KR
  . PP-1024 If an OpenID Connect Identity Provider returns a userinfo_token in addition to id_token and access_token,
    the userinfo_token object is now validated and parsed into the session so any contents of it are available for use.
- 21/3 2021, KR
  . PP-1027 Created minimal ceptor configuration - see ceptor_minimal_launch.xml and ceptor-minimal-configuration.xml.
    Updated styling of authentication app.
    Radius server script in demonstration now enables the end-user to choose between 2nd factor authentication methods
    (email, smsotp or totp codes).
    Fixed issue where configuration diff might show an empty line even if no differences existed.
- 18/3 2021, KR
  . Version 6.4.11 released
- 18/3 2021, KR
  . PP-1026 Additional ldap improvements for loadbalancing connections - and added ability to select a random
    connection on next request. LDAP client API changed to v4.17
- 15/3 2021, KR
  . Version 6.4.10 released
- 15/3 2021, KR
  . PP-1025 LDAP improvements, added ldap.authenticationtimeoutseconds which sets the auth timeout to the specified
    number of seconds. Default is 10.
    Also added ldap.usepool=true/false, ldap.pool.size=10 - if the LDAP connection is not closed by the ldap server,
    and ldap.usepool is set to true, the LDAP connection is kept alive and reused - multiple connections can be used
    concurrently - each thread spawns a new one and keeps up to connections alive for later use.
- 14/2 2021, KR
  . Version 6.4.9 released
- 14/2 2021, KR
  . PP-998 Added class io.ceptor.http.ContentDisposition - can be used in gateway scripts by calling
    io.ceptor.http.ContentDisposition.convertAndEncode(value) to convert a non-compliant Content-Disposition HTTP
    response header that contains non-ascii characters to its equivalent UTF-8 encoded variant.
- 13/2 2021, KR
  . PP-1023 Gateway did not retry connecting to backend servers if the connection to the server was refused and there
    was only a single target server defined for a destination. This also affected the temporary destinations created
    when using context.proxyToServer() to proxy the call from a script. Now it retries properly.
    Added "max.connect.retries" property, with default value 3, for destinations, which allows you to adjust the
    number of retry attempts if a connection fails.
- 26/1 2021, KR
  . Version 6.4.8 released
- 26/1 2021, KR
  . Undertow updated to v2.2.3
  . CEPTOR-28 Added new proxyToServer methods and ensured the specific timeout for the target server is set instead
    of using the default value.
- 5/1 2021, KR
  . Version 6.4.7 released
- 5/1 2021, KR
  . PP-1018 db.schema support for API management extended to work for SQLserver, which does not have "set schema"
    support.
- 3/1 2021, KR
  . Version 6.4.6 released
- 30/12 2020, KR
  . PP-1017 db.schema can now be set to specify a specific database schema name to use by default in the connection
    pool. This allows you to override the default schema and have multiple schemas for different environments in the
    same database for e.g. API management.
  . PP-1010 -Djdk.tls.acknowledgeCloseNotify=true JDK option added to launcher configuration for the gateway by default.
    This fixes a high CPU issue bug in the JVM.
- 16/11 2020, KR
  . PP-1008 LDAP loadbalancing improvement: If multiple servers are defined, the connection timeout is lowered to
    1 second to reduce the performance impact of slowly responding/dead servers. If there is only a single server
    configured, the connection timeout is set to 3 seconds to give it more time.
- 9/11 2020, KR
  . Version 6.4.5 released
- 9/11 2020, KR
  . PP-1007 Bugfix: Samesite value was not always added properly in the gateway; also the session fixation cookie was
    added if response hooks were defined, even if not needed.
  . PP-1006 Bugfix: High CPU usage in gateway when calling proxyToServer from script
- 25/10 2020, KR
  . PP-1003 Added support for redirect and POST binding that generates and transmits a SAMLRequest to the identity
    provider in the ADFS/SAML WebSSO authentication plugin in the gateway. Specify binding=redirect or binding=POST as
    a query/POST parameter when calling the URL that triggers the authentication plugin in the gateway, to use one of
    these instead of the default passive binding.
    Fixed potential issue with validating NotBefore in the SAML response, which did not properly factor in the clock
    skew.
    Added ability to override binding and Identity Provider URL in the Gateway SAML/WebSSO authentication plugin.
    When issuing a SAML Request, the generated ID is saved in the state variable "expected_saml_id" - and when
    validating the SAML response from the identity provider, if this state variable exists in the session, the
    InResponseTo attribute on the SAML Response must match this value or the authentication will fail.
- 12/10 2020, KR
  . PP-1002 LoadbalancingProxyClient might use 100% CPU in HashMap.balanceDeletion() trying to clean up after using a
    dynamically generated destination/host (generated by calling context.proxyToServer()) - implementation changed
    from HashMap to ConcurrentHashMap to fix this issue.
- 25/9 2020, KR
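The PP-1003 entry above (25/10 2020) describes two checks on the SAML response: InResponseTo against the stored expected_saml_id, and NotBefore / NotOnOrAfter with clock skew applied. The Python below is added here as an illustration rather than Ceptor's own plugin code; it runs both checks over a constructed, unsigned sample response, assumes the XML signature has already been verified, and models the session state as a plain dict.

```python
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample (not a real IdP's output). Signature verification
# is assumed to have happened before validate_response() is called.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-constructed-1" Version="2.0" IssueInstant="2020-10-25T10:00:00Z"
    InResponseTo="_req-constructed-123">
  <saml:Assertion ID="_assertion-constructed-1" Version="2.0" IssueInstant="2020-10-25T10:00:00Z">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-10-25T09:59:30Z" NotOnOrAfter="2020-10-25T10:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> dt.datetime:
    """SAML dateTime values are UTC with a trailing Z; fromisoformat wants +00:00."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, session_state: Dict[str, str],
                      now: dt.datetime, clock_skew_seconds: int = 60) -> Tuple[bool, str]:
    """Apply the checks the PP-1003 entry describes; returns (ok, reason).

    1. If the session holds expected_saml_id (we issued the request via the
       redirect or POST binding), InResponseTo must equal it. With no stored
       id (passive binding, no request issued) that check is skipped.
    2. NotBefore / NotOnOrAfter are enforced with the clock skew applied in
       the client's favour on both ends of the window.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    expected = session_state.get("expected_saml_id")
    if expected is not None and root.get("InResponseTo") != expected:
        return False, "InResponseTo does not match expected_saml_id"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no saml:Assertion in response"
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return False, "assertion carries no Conditions"
    skew = dt.timedelta(seconds=clock_skew_seconds)
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        return False, "assertion not yet valid (NotBefore)"
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter)"
    return True, "ok"


if __name__ == "__main__":
    state = {"expected_saml_id": "_req-constructed-123"}
    for when in ("2020-10-25T09:58:00Z", "2020-10-25T10:01:00Z", "2020-10-25T10:06:00Z"):
        print(when, validate_response(SAMPLE_RESPONSE, state, parse_saml_time(when)))
    print("wrong id", validate_response(SAMPLE_RESPONSE, {"expected_saml_id": "_other"},
                                        parse_saml_time("2020-10-25T10:01:00Z")))
```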
  . PP-997 Fixed NPE in RetrieveURLTask if overwrite url was turned on at the same time as copyfromrequest was turned on.
  . PP-996 LDAP OTP plugin failed to recognize an expired password if more than 1 ldap was configured and the user was
    not found in the 2nd.
- 21/9 2020, KR
  . Version 6.4.4 released
- 21/9 2020, KR
  . PP-993 Redirect URI can now be a script, and the URI on RetrieveURLTask can now be overwritten even if everything
    is copied from the request.
  . PP-992 Added QR code TOTP registration support to /auth and /authsms example logins, so new Authenticator Apps can
    be registered.
  . PP-994 Added support for changing initial or expired password to the /authsms example plugins.
- 18/9 2020, KR
  . PP-991 Fixed NPE if url in RetrieveURLTask did not have a scheme set on it.
- 16/9 2020, KR
  . Version 6.4.3 released
- 16/9 2020, KR
  . PP-988 Fixed an issue in the session controller if login took > 15 seconds to complete, and other agents accessed
    the session while waiting for login to complete - if this access was done by a different session controller
    instance in the same cluster, then that access could overwrite the session we logged the user into, causing a
    session without correct user information to be sent back to the agent immediately after login. This would cause
    the agent to fail with the error: "Unable to logon - probably because userid or password is invalid".
    To trigger this error, login needed to take > 15 seconds, and the same session needed to be accessed by a
    different agent talking to a different session controller in the same cluster while waiting for login to complete.
  . PP-989 Fixed bug in error handling in radius server - if it got a PTException without an error message, it would
    fail trying to send the reject packet back to the client, since attempting to set the reply-message attribute
    fails if the attribute value is null.
- 14/9 2020, KR
  . PP-987 Added support for changing password in AD to the LDAPOTPAuthentication plugin.
    Changing expired passwords will also work - in addition, password reset is supported if the system user used to
    connect to AD has the appropriate permissions to do so.
- 3/9 2020, KR
  . PP-984 Regression in 6.4.2 - AD group names for some ADs ended up containing member=.... when added to the session.
    Added new property; ldap.group.name.is.cn - if set to true, only the CN is kept from the ldap group name,
    otherwise the group name is the full DN.
  . When logging login attempts, in addition to authType: xx, the name of the authentication plugin is now also logged.
- 1/9 2020, KR
  . PP-983 Radius server did not set the session ID as MDC context parameter so it was part of all log entries made.
- 31/8 2020, KR
  . PP-982 If configuration updates, the geoip updater scheduled another task to update GeoIP information without
    canceling the previous task.
- 26/8 2020, KR
  . Version 6.4.2 released
- 26/8 2020, KR
  . PP-980 Using proxyToServer() in a gateway script risked filling memory up with statistics entries. This is now
    fixed by using a predictable server name instead of a random unique one.
  . PP-981 When LDAP groups were looked up using the memberof attribute on a user, full group names including the DN
    were used, but when looking up group memberships by searching for member on groups, only the CN was used instead
    of the full name by the default LDAP authentication plugin. Now, the full DN is used in both cases.
- 24/8 2020, KR
  . Version 6.4.1 released
- 20/8 2020, KR
  . PP-979 Added ldap.groupMemberAttributeName to the LdapAuthentication plugin so the group member attribute name can
    be configured for reading LDAP group membership - default is "member". If you set it to
    "member:1.2.840.113556.1.4.1941:" then it is a magic name that causes Active Directory to return nested group
    membership. Information here: https://docs.microsoft.com/da-dk/windows/win32/adsi/search-filter-syntax
    The same attribute is added to LdapOTPAuthenticationPlugin.
- 18/8 2020, KR
  . PP-977 GeoIPUpdater did not log if the old file could not be deleted or if the rename of the newly downloaded file
    to the old name failed.
  . PP-978 Dashboard refresh failed if autorefresh was turned on and a custom interval was selected but dates were not
    input.
- 6/8 2020, KR
  . PP-974 Added new method in gateway; proxyToServer() in a variant that can be told to ignore SSL server certificate
    checks.
- 8/7 2020, KR
  . PP-971 If debug is enabled, the Radius attribute User-Password length is now logged, e.g. "secret (length: 8)"
    (the actual password is of course not logged, but the word "secret" is).
- 19/6 2020, KR
  . PP-967 Identifier names specified for a SAML service provider can now contain wildcard characters.
    You can now specify returnurl in the service provider JSON configuration or websso.sp.xxxx.returnurl in
    properties to override the service provider url and send the response to a different URL.
- 8/6 2020, KR
  . PP-961 Fix in TAuthenticatorBasicAuth target authentication plugin for gateway - if userid or password is set to
    an empty string, the authorization header is not populated, instead of populating it with an empty value.
- 1/6 2020, KR
  . Version 6.4.0 released
- 26/5 2020, KR
  . PP-960 gson, Snakeyaml and Jackson updated to newest versions.
- 25/5 2020, KR
  . PP-959 Undertow updated to 2.1.1
- 24/5 2020, KR
  . PP-950, PP-913 Naming of .jar files changed, so they are no longer called PortalProtect* but instead Ceptor*.
    As an example, PortalProtectAgent.jar is renamed to CeptorAgent.jar.
    If Ceptor's installer (install4j based) is used to upgrade, it will automatically rename from
    PortalProtectAgent.jar to CeptorAgent.jar within Ceptor's launcher files - if you use a different installation
    method, it is important that you either rename the .jar files to the old names yourself, or you must update the
    path in your launcher files.
  . PP-958 Embedded Jetty updated to 9.3.28
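The PP-998 entry above (14/2 2021) adds io.ceptor.http.ContentDisposition.convertAndEncode() for Content-Disposition headers whose filename holds non-ASCII characters. As an added example that is not Ceptor's implementation, the Python below performs the equivalent rewrite into RFC 6266 form; it assumes the target shape is an ASCII fallback in filename= plus a UTF-8 filename*= parameter, since the page does not state the exact output of Ceptor's method.

```python
import re
from urllib.parse import quote

# Characters RFC 5987 allows unescaped in an ext-value (attr-char), besides the
# alphanumerics and "_.-~" that urllib.parse.quote never escapes.
_ATTR_CHAR_SAFE = "!#$&+^`|"
_FILENAME_RE = re.compile(
    r';\s*filename\s*=\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>[^;]+))',
    re.IGNORECASE,
)


def convert_and_encode(header: str) -> str:
    """Rewrite a Content-Disposition value whose filename= holds non-ASCII
    characters (non-compliant: the header is an ASCII-only field) into RFC 6266
    form: an ASCII fallback in filename= for older clients plus the UTF-8
    percent-encoded filename*= parameter. Values that are already ASCII or
    already carry filename*= are returned untouched."""
    if "filename*=" in header.lower():
        return header
    m = _FILENAME_RE.search(header)
    if m is None:
        return header
    if m.group("quoted") is not None:
        # Undo quoted-pair escaping inside the quoted-string.
        name = m.group("quoted").replace('\\"', '"').replace("\\\\", "\\")
    else:
        name = m.group("token").strip()
    if name.isascii():
        return header
    # Fallback for clients that only read filename=: anything that is not
    # printable ASCII, or would break the quoted-string, becomes an underscore.
    fallback = "".join(
        c if c.isascii() and c >= " " and c not in '"\\' else "_" for c in name
    )
    ext_value = "UTF-8''" + quote(name, safe=_ATTR_CHAR_SAFE)  # quote() encodes str as UTF-8
    return f'{header[:m.start()]}; filename="{fallback}"; filename*={ext_value}{header[m.end():]}'


if __name__ == "__main__":
    # Constructed header values, as a backend might emit them.
    for value in ('attachment; filename="rapport \u00e6\u00f8\u00e5.pdf"',
                  'inline; filename=\u00f8.txt; size=12',
                  'attachment; filename="report.pdf"'):
        print(repr(value), "->", repr(convert_and_encode(value)))
```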
  . PP-954 Added Radius Client to the Tools menu, allowing you to authenticate to a Radius server using the built-in
    Radius Client in order to test Radius Server functionality.
- 23/5 2020, KR
  . PP-951 New GUI for managing federations. In order to make it easier to configure JWT / OAuth2 / OpenID Connect /
    SAML / WebSSO federations, Ceptor now has a separate GUI for defining these federations, and the properties are
    now stored in JSON format within the configuration instead of the older name/value properties. The old format is
    still supported for backwards compatibility. See the new documentation at
    https://confluence.asseco.dk/display/CEPTOR/Federations for details.
    In addition to the configuration enhancements, some functionality improvements have been added, such as being
    able to define scripts to fully control the contents of issued tokens.
- 20/5 2020, KR
  . PP-955 Log suppression added - can be configured for radiusserver and session controller. Normal successful logs
    will not be written if the userid matches the pattern defined in the "logsuppression" configuration property -
    this allows suppression of log entries for e.g. healthchecks. Note that this might not take effect everywhere,
    since specific authentication plugins might not recognize this, and any customer-specific plugins need to be
    changed to take advantage of this setting if needed.
  . PP-956 Radius server improvement: If the new property duplicatecheck.session is set to true, then the radius
    server will add a flag in the session when a login is in progress - and ignore any retransmission attempts from
    the client attempting to perform multiple concurrent logins on the same session. This is only really needed if the
    retransmissions do not show up using the same source IP and port, which can be the case if e.g. Netscaler is used
    as a UDP loadbalancer for the Radius server.
- 9/5 2020, KR
  . PP-606 Now that the list of loaded certificates is visible in the console, the code is changed so it no longer
    logs the full certificate as it is being loaded, but instead the subject, issuer and expiration date - the full
    certificate can always be viewed in the console.
  . CertificateLoader updated, so instead of specifying a filename, a full certificate can be specified.
  . Default eticket configuration removed.
- 8/5 2020, KR
  . PP-607 Added support for alerts - alerts are generated e.g. if a server goes down and later goes up again, or if
    certificates are expired or close to expiration. Alert actions, such as sending emails or SMS/Text messages,
    running scripts or creating actions/events in the console, can now be configured. To be able to send emails/SMS
    messages, new configuration values have been added to the config servers with details on the SMS provider and
    email server.
  . PP-606 Created list of all loaded certificates for each module - shown in the Console to be able to see every
    single loaded certificate and its expiration date and info.
  . PP-595 When loading certificates, we now send out an alert if they are expired or close to expiring.
- 6/5 2020, KR
  . Version 6.3.6 released
- 6/5 2020, KR
  Note that from the next version (v6.4.0) we plan to change the names of the distributed files, renaming e.g.
  PortalProtectAgent.jar to CeptorAgent.jar - the old names have been kept from back when Ceptor was called
  PortalProtect for compatibility reasons, but we do plan to make this change in the next version to be able to
  provide a more consistent naming. There will be no changes to the classes/package names inside the .jar files - so
  just the names will be changing.
- 1/5 2020, KR
  . PP-948 Gateway fix for UTF000079 when adding session fixation cookie and server disconnects.
- 30/4 2020, KR
  . PP-929 Undertow updated to version 2.1.0
  . Samesite cookie handling in gateway also updated so it recognizes "none", and forces secure cookies if "none" is
    selected; the default is now changed to blank/empty. In addition, browsers that do not support the samesite
    cookie attribute or do not support the "none" value are recognized and will not get it sent to them.
- 25/4 2020, KR
  . PP-947 Added support for defining Response Hooks in Gateway - this allows you to hook into individual HTTP
    responses from backend servers and do specific processing based upon these, such as redirecting to other URLs or
    modifying HTTP status codes.
- 24/4 2020, KR
  . PP-936 If samesite is set to NONE for the dispatcher, any cookies used for server stickiness are automatically set
    to Secure as well. Added the new property sticky.cookies.are.secure, which defaults to false - if set to true,
    sticky cookies are always set as Secure.
- 14/4 2020, KR
  . PP-946 Fixed rare timing issue in gateway, which could produce the exception "UT000070: method can only be called
    by IO thread" if the request to the backend failed.
- 13/4 2020, KR
  . Version 6.3.5 released
- 13/4 2020, KR
  . PP-945 Radius server config failed if ca.providers was not set; now it simply ignores it.
- 9/4 2020, KR
  . PP-940 LDAP connector now automatically retries with another server in case the connection to one server fails,
    instead of letting the error propagate to the caller. Note that this only happens if multiple servers are set as
    LDAP servers.
  . PP-941 Added client IP to list of requests in gateway trace.
  . PP-942 Date is now shown in log viewer
  . PP-943 Log radius response in condensed format instead of full packet with info, if debug is off
  . PP-944 Cisco attributes added to default radius dictionary
- 31/3 2020, KR
  . Version 6.3.4 released
- 28/3 2020, KR
  . PP-910 Added support for the RadSec protocol to the Radius Server - RadSec is Radius over TLS encrypted TCP/IP
    instead of UDP - this offers much better security than the standard encryption available in Radius over UDP - in
    addition, it is much easier to loadbalance since it is not dependent on the source IP address.
- 27/3 2020, KR
  . PP-932 Added "samesite" attribute to dispatcher - if set to "None", "Lax" or "Strict" then the SameSite attribute
    on session cookies, persistence cookies and session fixation cookies is set to that value.
- 21/3 2020, KR
  . PP-912 Embedded Groovy upgraded to version 3.0.2
  . PP-920 Close Dashboard button renamed to "Delete Dashboard" to be more clear about what it does.
  . PP-921 Dashboards can now be shared with others. Shared dashboards are now marked with a small icon so it is easy
    to see if you are modifying a shared dashboard.
  . PP-931 Update NemID test certificate in default distribution, and add better error handling/logging when we get an
    error instead of a valid XMLDSIG document back from Nets.
- 18/3 2020, KR
  . PP-905 Removed JDK1.4 compatible Agent and application server plugins, since this is no longer supported.
  . PP-911 If the connection to elasticsearch fails while trying to fetch API usage statistics, fewer messages are now
    logged. Also, after a recent failure, it now takes 5 seconds until it will attempt to retry.
  . PP-327 IP Range checker now supports IPv6 ranges - ranges can be specified both as CIDR ranges and with - notation,
    e.g. ::1-::2 or 2001:db8::/112
  . PP-924 IP Range checker now supports IP wildcard notation, e.g. 192.168.*
- 17/3 2020, KR
  . PP-927 If LDAP disconnect fails while trying to update configuration, the exception is now swallowed, otherwise
    the rest of the configuration update might have failed.
  . PP-893 Update bundled JDK to OpenJDK 11 Update 6
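The SameSite entries above (CS-217, PP-929, PP-936 and PP-932) describe when the gateway and dispatcher add the SameSite and Secure attributes to a cookie. The Python below is an added illustration of those rules and is not Ceptor's code; the incompatible-browser detection is a simplified assumption based on the public Chromium list of clients that mishandle SameSite=None, and the user-agent strings are constructed.

```python
import re

# Constructed user agents (not captured from real traffic).
DEMO_UA_CHROME80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")
DEMO_UA_CHROME60 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
DEMO_UA_IOS12 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")


def samesite_none_incompatible(user_agent: str) -> bool:
    """Simplified detection of clients known to mishandle SameSite=None
    (assumption: a subset of the publicly documented Chromium incompatible
    client list, not Ceptor's own detection). Chrome 51-66 drops such cookies;
    iOS 12 and UC Browser before 12.13.2 treat None as Strict."""
    ua = user_agent or ""
    m = re.search(r"Chrom(?:e|ium)/(\d+)", ua)
    if m and 51 <= int(m.group(1)) <= 66:
        return True
    if re.search(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/", ua):
        return True
    m = re.search(r"UCBrowser/(\d+)\.(\d+)\.(\d+)", ua)
    if m and tuple(int(x) for x in m.groups()) < (12, 13, 2):
        return True
    return False


def build_set_cookie(name: str, value: str, samesite: str = "",
                     request_is_secure: bool = True, user_agent: str = "",
                     secure: bool = False, http_only: bool = True, path: str = "/") -> str:
    """Produce a Set-Cookie value following the behaviour described above:

    - samesite "" (the default): no SameSite attribute at all
    - "lax" / "strict": attribute added as given
    - "none": must be paired with Secure, so Secure is forced on; over plain
      HTTP (CS-217) or for an incompatible client (PP-929) the SameSite
      attribute is left out instead
    - secure=True mirrors sticky.cookies.are.secure: always mark Secure
    """
    mode = (samesite or "").strip().lower()
    if mode not in ("", "lax", "strict", "none"):
        raise ValueError("samesite must be None, Lax, Strict or empty, got %r" % samesite)
    if mode == "none":
        if not request_is_secure:
            mode = ""      # cannot be Secure over http, so do not send SameSite at all
        else:
            secure = True  # SameSite=None is only valid together with Secure
            if samesite_none_incompatible(user_agent):
                mode = ""  # client would reject or misinterpret SameSite=None
    parts = [f"{name}={value}", f"Path={path}"]
    if http_only:
        parts.append("HttpOnly")
    if mode:
        parts.append("SameSite=" + mode.capitalize())
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    for ua_name, ua in (("chrome80", DEMO_UA_CHROME80), ("chrome60", DEMO_UA_CHROME60), ("ios12", DEMO_UA_IOS12)):
        print(ua_name, "https:", build_set_cookie("SID", "abc", "none", True, ua))
        print(ua_name, "http: ", build_set_cookie("SID", "abc", "none", False, ua))
```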
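For the PP-327 and PP-924 IP Range checker entries above, the Python below is an added example (not Ceptor's implementation) of a matcher that accepts IPv4/IPv6 CIDR, start-end ranges and IPv4 wildcard notation; it also handles IPv4-mapped IPv6 client addresses (::ffff:a.b.c.d), which dual-stack listeners report for IPv4 clients and which the entries do not mention.

```python
import ipaddress
from typing import List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Union[IPNetwork, Tuple[IPAddress, IPAddress]]


def wildcard_to_network(spec: str) -> ipaddress.IPv4Network:
    """Translate IPv4 wildcard notation such as 192.168.* into 192.168.0.0/16.
    One or more trailing octets may be '*'; a '*' in the middle is rejected."""
    octets = spec.split(".")
    fixed: List[str] = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    wild = octets[len(fixed):]
    if not fixed or not wild or len(octets) > 4 or any(o != "*" for o in wild):
        raise ValueError(f"unsupported wildcard range: {spec!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    # IPv4Network() also validates the fixed octets (rejects e.g. 300).
    return ipaddress.IPv4Network(f"{base}/{8 * len(fixed)}")


def parse_rule(spec: str) -> Rule:
    """Accept CIDR (v4/v6), 'start-end' (v4/v6), an IPv4 wildcard, or one address."""
    spec = spec.strip()
    if "*" in spec:
        return wildcard_to_network(spec)
    if "-" in spec:
        low_s, high_s = spec.split("-", 1)
        low, high = ipaddress.ip_address(low_s.strip()), ipaddress.ip_address(high_s.strip())
        if low.version != high.version or low > high:
            raise ValueError(f"invalid address range: {spec!r}")
        return (low, high)
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    single = ipaddress.ip_address(spec)
    return (single, single)


def is_valid_rule(spec: str) -> bool:
    """Configuration-time check: does the rule parse at all?"""
    try:
        parse_rule(spec)
        return True
    except ValueError:
        return False


class IPRangeChecker:
    """Holds parsed rules; contains() tells whether an address is inside any of them."""

    def __init__(self, specs: List[str]) -> None:
        self.rules = [parse_rule(s) for s in specs]

    def _matches(self, addr: IPAddress) -> bool:
        for rule in self.rules:
            if isinstance(rule, tuple):
                low, high = rule
                if addr.version == low.version and low <= addr <= high:
                    return True
            elif addr.version == rule.version and addr in rule:
                return True
        return False

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip.strip())
        if self._matches(addr):
            return True
        # An IPv4 client seen through a dual-stack socket arrives as ::ffff:a.b.c.d;
        # evaluate it against the IPv4 rules as well so allow-lists keep working.
        mapped = getattr(addr, "ipv4_mapped", None)
        return mapped is not None and self._matches(mapped)


if __name__ == "__main__":
    checker = IPRangeChecker(["192.168.*", "10.0.0.0/8", "::1-::2", "2001:db8::/112", "172.16.5.10"])
    for ip in ("192.168.42.7", "192.169.0.1", "::2", "::3", "2001:db8::ffff", "::ffff:192.168.1.1"):
        print(f"{ip:22s} {checker.contains(ip)}")
```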
  . PP-928 Maxmind now requires authentication to download free databases - added sample API/license key for the free
    GeoLite city database.
- 21/1 2020, KR
  . PP-896 Fixed a problem in the Radius threadpool server that kept it from growing up to the maximum.
- 13/12 2019, KR
  . Version 6.3.3 released
- 13/12 2019, KR
  . PP-887 LDAP OTP plugin now supports multiple LDAP servers, each with their own configuration.
  . PP-888 Better error handling instead of failing if an APIVersion without a corresponding API definition is loaded
    by the gateway.
  . PP-889 SAML2 responses now have the NameID attribute in the subject included as standard.
- 07/12 2019, KR
  . Version 6.3.2 released
- 07/12 2019, KR
  . Fixed bug in jdk1.4 version of Agent - was not reading ticket in session written by servers.
- 06/12 2019, KR
  . Added example of using LDAP with SMS OTP to authenticate clients, reached by /authsms/ in gateway.
- 06/12 2019, KR
  . PP-881 All default LDAP plugins now support SSL connections. Added new properties: ldap.ssl=true/false,
    ldap.verifysslcert=true/false and ldap.acceptedcertissuers, which can point to one or more files containing
    accepted root/CA certificates.
  . Added new Authentication Plugin that supports LDAP and TOTP/SMSOTP in one. Mobile number is read from LDAP, and
    TOTP secrets are stored encrypted in LDAP.
    Classname: dk.itp.security.authentication.ldapotp.LdapOTPAuthenticationPlugin
- 04/12 2019, KR
  . PP-884 If a server had connections to so many agents that the uuid list exceeded 64k, getting service status would
    fail because writeUTF() was used to serialize the JSON string containing the list.
- 30/11 2019, KR
  . PP-880 Dynamically created destination now has a unique name to avoid clashes with other destinations.
  . UserAdmin SMS Auth plugin now sets OTP_UIDPW_OK after verifying the password, if this plugin is also used to
    verify the initial userid+password and not just the SMS OTP.
  . GeoIPUpdater now logs exception if updating fails.
  . When verifying an SSL server certificate chain, the key usage of root certificates is no longer verified, since the root is already trusted, and some CAs (e.g. GoDaddy) have broken key usage information even in trusted root certificates.
  . Better exception handling in the GeoIP database reader; more info is logged if it fails.
- 19/11 2019, KR
  . Fixed warning that was logged if the GeoIP file was updated from 2 processes simultaneously - this is now silently ignored.
- 04/11 2019, KR
  . Version 6.3.1 released
- 03/11 2019, KR
  . PP-874 When validating configuration changes, environment macros were not resolved prior to validation, generating false warnings.
  . PP-875 Added new flag to listener settings - "sni.requirematch" - if set to true, the client must send an SNI hostname matching the server certificate exactly. Note that the TLS handshake will fail and the client will display an SSL error if you have set this flag and try to connect to the server using e.g. the IP address instead of the hostname.
  . PP-876 Added support for automatic download of GeoIP or GeoIP/GeoLite databases from MaxMind. The default configuration will download the freely available GeoLite2-City database, and schedule a new check every 24 hours. Note that for this to work, the session controller must be able to access https://updates.maxmind.com
  . PP-877 Statistics cleanup did not work when trying to delete all entries for a specific server.
  . If Elasticsearch is not configured, but a PDF report contains Elasticsearch data, generation failed - this is now fixed so that instead of failing, empty data is inserted.
- 27/10 2019, KR
  . Version 6.3.0 released
- 26/10 2019, KR
  . Bugfix - the gateway looked at "response.compression" instead of "response.compress" when determining if responses should be compressed or not.
  . PP-873 A gateway script can now call context.proxyTo() or context.proxyToServer() to ask the gateway to proxy to an existing destination or to a new one created dynamically from the given hostname/port.
    Note that when called from a script, proxying is initiated at once, and further actions within the location, such as authorization checks and limits, are not processed. Such actions must therefore be placed in an earlier location.
- 21/10 2019, KR
  . PP-871 Added OpenAPI "Statistics" API to the internal gateway, exposing Ceptor statistics.
- 20/10 2019, KR
  . PP-871 All changes to API Management done using the Admin API are now audited in the config server.
  . Updated Undertow to 2.0.27.Final
  . The folder where the Console saves reportsettings/sharedsettings changed to the home folder (system property ceptor.home) instead of the current directory.
  . Fixed bug in matching of the default implementation for non-remote OpenAPI specs - path matching did not always work correctly, so the default implementation might not be found.
- 19/10 2019, KR
  . PP-870 Added Subscription Request support to API Developer Portal, Console and APIs. A subscription plan can be configured to require approval - if so, an Action is created for an Administrator, who can review and either approve or reject the subscription request.
- 01/10 2019, KR
  . Version 6.2.10 released
- 01/10 2019, KR
  . PP-869 Fixed problem in LDAPConnection introduced in 6.2.9 - for some servers, disconnecting failed, causing new connections to also fail.
- 29/09 2019, KR
  . Version 6.2.9 released
- 28/09 2019, KR
  . PP-868 Added websso.idp.xxxxx.expectedAudiencePattern to specify a pattern that the audience of the SAML ticket from the identity provider must match.
- 14/09 2019, KR
  . Added 2 new APIs to the IUseradminAccess interface; public void attachGroupToACL( String aclname, int groupId ) throws UserAdminException; public void detachGroupFromACL( String aclname, int groupId ) throws UserAdminException; These methods allow attaching / detaching a single group to / from an ACL.
  . PP-863 Added UserAdmin REST API to the list of Ceptor APIs, exposing all the methods in the UserAdmin and UserAdmin Access Java APIs using OpenAPI/REST.
    The implementation of these APIs is inside the API Gateway.
  . When saving an OpenAPI spec, securitySchemes is removed if empty, to avoid causing swagger-ui to show an empty list of authentication options.
  . Changed the idle handling of ldapConnectionTimeout for LDAP connections, so they are now properly closed if they have been idle for longer than the timeout, to ensure that older stale connections that might have been closed by firewalls or similar will not stay open.
  . Install4j updated to version 8
- 04/09 2019, KR
  . Added config options to the Console Launcher for setting the Vaadin options heartbeatInterval and closeIdleSessions for the console; their default values are 120 and false respectively. If you want sessions with the console to time out, you must set closeIdleSessions=true in the launcher properties for the console - but note that if you do so, running the console as a dashboard on a full screen will not work, since users will be timed out on inactivity. Note that pages that refresh automatically, such as the server status or dashboards, cancel the inactivity timeout. Also added "sessiontimeoutminutes" as a property in the launcher for the webserver config, which can change the default 30 minute session timeout for a webapp.
  . The implementation within the API Gateway for the HTTP method PATCH would not always be found.
- 29/08 2019, KR
  . PP-864 When using API Profiles to specify security, the OpenAPI spec was not adjusted to the profile's security settings when trying out the API.
- 20/08 2019, KR
  . PP-861 State variables not listed in safeStateVariables were not removed before the session was sent to the gateway when creating a session from a ticket - only later retrievals of the session removed them.
- 19/08 2019, KR
  . PP-860 Bugfix in gateway: the session fixation cookie is now always set to secure, and the httponly flag is set on it too if configured in the session configuration.
  . PP-859 Added configurable thread pool to specify how many concurrent requests can be handled by the Radius server.
  . Added new property for the Radius server: threadpool.size
- 15/08 2019, KR
  . Version 6.2.8 released
- 15/08 2019, KR
  . PP-858 Added mschapv2 support to the Radius client.
- 14/08 2019, KR
  . PP-857 It is now possible to specify a custom timeout for the logon command, useful if logon is hitting a backend service that can take more than the default 30 seconds to complete (such as Azure MFA).
  . PP-855 Dashboards can now be created as shared - if they are, they are shared between all users.
- 13/08 2019, KR
  . PP-856 Mirror connections between session controllers were not shown in the component overview graph in the console.
- 31/07 2019, KR
  . PP-853 If we get a certificate with a link to an issuer certificate using an unsupported protocol (e.g. ldap:), we now treat it as if the link did not exist instead of failing with a MalformedURLException.
  . PP-854 Viewing a diff of configuration changes failed with an exception if the diff was >64k long.
- 29/06 2019, KR
  . Added check for empty string in configuration when loading keystore files, treating it as if the configuration entry was not present.
- 19/06 2019, KR
  . Version 6.2.7 released
- 17/06 2019, KR
  . When creating a new API Version, you can now paste in the API Version JSON to create it from - this allows easy creation from previously exported APIs. In addition, you can now edit the API Version JSON directly when editing the API Version. This functionality acts like the export and import APIs, but is available from the API Designer directly. It can be turned off in the API Profile, and controlled by ACL membership if you do not wish everyone to have this possibility.
- 16/06 2019, KR
  . ConfigurationXMLImpl now has all fields and methods that were previously private changed to protected, to make it easier to extend it and override selected functionality.
  . Updated bundled Java version to 11.0.3
  . Docker images are now based upon AdoptOpenJDK images, as they are considered more stable and are also smaller.
    This means that both Docker images and installables are now distributed with the same build of the JDK.
- 06/06 2019, KR
  . PP-848 When parsing JWT tokens, a subject is normally required to be present - this requirement can now be turned off by setting oauth2.token.xxxx.requireSubject=false
  . In the session controller's status text, when displaying details for a session, the value of state variables and state objects is now shown URL-encoded.
  . Fixed NPE when parsing a SAML response from an unknown issuer in the ADFS/WebSSO plugin
- 05/06 2019, KR
  . PP-847 Added new application on /auth/ to Ceptor Gateway, and new "CeptorAuthenticate" API, which is a user-facing API implemented within the gateway, providing an OpenAPI REST interface to the client HTML/JavaScript user interface.
  . Ceptor Gateway now logs a warning with more information if a script within an API fails during execution.
- 03/06 2019, KR
  . PP-845 Added support for pre- and post-logon scripts in the session controller, which, when defined, are called before and after the authentication plugins are called. This allows the scripts to customize the behavior of all authentication plugins, standard or custom.
- 30/05 2019, KR
  . PP-844 If an implementation was defined for an API, but override was turned off, it was still being used in the API Gateway.
- 19/05 2019, KR
  . Better error handling in Gateway if the action on a location is set to Proxy, but the destination does not exist.
- 15/05 2019, KR
  . PP-843 If the dispatcher or gateway receives a session ID in an invalid format, it now ignores it and creates a new one instead. This could happen e.g. after updating Ceptor and using a newer format, but downgrading later - or if a client sends a malformed session ID.
- 05/05 2019, KR
  . API Usage data in Elasticsearch support updated to work with Elasticsearch 7. If Elasticsearch 6 is detected, we use the index in ceptor_index.json, and if Elasticsearch 7 is detected, the one in ceptor_index_elastic7.json is used instead.
    Both are located in the /classes directory in the Ceptor distribution.
  . Added statistics in the gateway on outgoing call establishment - client.connect, client.connect.completed and client.connect.failed. The first, client.connect, includes the time spent on DNS lookup; the other two track the time until the success/failure callbacks are called. This is to diagnose a potential OpenShift DNS lookup bug. See https://bugzilla.redhat.com/show_bug.cgi?id=1661928
- 28/04 2019, KR
  . API Usage saving of request/response body in base64 changed naming from "body.base64" to "body_base64" to work around issues with Elasticsearch indexing, since it has trouble treating body as an object containing subfields in some cases and as a string in other cases.
- 24/04 2019, KR
  . Version 6.2.6 released
- 24/04 2019, KR
  . PP-837 Fixed a bug in the gateway; if a destination was called twice within the same request, e.g. using 2 RetrieveURL tasks, and if the destination only had one target server defined, the 2nd call would fail, claiming that no live servers were found. This was due to the connection pool handling that remembered which servers were being tried, but did not clear that information after a task completed - only after the entire request processing was completed.
- 23/04 2019, KR
  . PP-836 Regression in 6.2.5 - creating a new API in the GUI required an API profile name to be entered, even if not required in the API Profile configuration.
- 22/04 2019, KR
  . Version 6.2.5 released
- 21/04 2019, KR
  . Updated Undertow to 2.0.20.Final, which fixes a TLS 1.3 half-close error - if you are using TLS 1.3 in your environment, this is a MUST upgrade. See https://issues.jboss.org/projects/UNDERTOW/issues/UNDERTOW-149 for more info.
- 20/04 2019, KR
  . PP-830 Added support for API Profiles in the API Manager configuration and individual APIs. API Profiles can share e.g. security or request modification settings across multiple APIs, and they can restrict the actions an API Designer can do for a specific API, e.g.
    not publish at all, or only publish changes to specific environments.
- 15/04 2019, JN
  . PP-834 Added email address support to security users in the admin console (view from LDAP, edit/view from XML). Any customers implementing the IConfigurationService interface need to change the signature of the updateSecurityConfigurationUser method to support the email address as well.
- 14/04 2019, JN
  . Fixed potential pipeline NullPointerException when using the Request URL task with a destination
  . PP-788 Support for JSON path validation in pipelines
  . Fixed code assist in the Groovy editor showing incorrect results for HashMap objects (set instead of put)
  . Added log entries from the admin console so config server crashes can be detected in the log
- 14/04 2019, KR
  . Fixed timing issue in NonblockSocketPeer when called from the SSL task thread: bytesRead() could get called simultaneously from both the task thread and the peer thread.
- 09/04 2019, KR
  . Ceptor logo in menu moved to top.
  . API Version info now expanded by default to show path, description etc.
  . If loading of a remote OpenAPI spec failed, creating a sample response afterwards would also fail.
  . PDF report cover page updated with new logo.
  . If the Elasticsearch connection breaks while generating PDF reports from statistics, graphs are now shown empty instead of failing to create the entire PDF.
  . Loading of a remote API spec could fail - we no longer call available() to check if there are more bytes, but instead read until EOF.
  . Docker demo image default configuration was missing elements needed to make the developer portal work properly.
  . Updated swagger-ui and swagger-editor to the newest available versions, and fixed swagger-editor styling so menu items now work properly, making it possible to generate clients / servers and insert elements using the UI instead of typing in the OpenAPI spec.
  . Editing an API operation no longer requires confirmation if neither it nor the API version is deprecated.
  . Name, description etc.
    for APIs and API Versions now shown expanded by default.
- 04/04 2019, KR
  . Updated icon.
  . Updated Ceptor Console to Vaadin 7.7.17
  . Unselecting transparent background in a graph setting in a dashboard in Ceptor Console did not re-enable the background color settings.
- 01/04 2019, KR
  . PP-831 Installer did not include all needed files when selecting just the Gateway to install.
- 28/03 2019, KR
  . Gateway Authentication and Target Authentication plugins now measure time taken in gateway statistics.
  . Target authentication plugins such as SPNEGO can now function without an active session, provided the input to them does not require one.
  . Installer was missing the lib folder in the Gateway-only component.
- 24/03 2019, KR
  . If a Gateway location script returns a response, the gateway now immediately stops processing.
  . Added example location script for returning all available deployed/published APIs for a location/environment.
- 17/03 2019, KR
  . Version 6.2.4 released
- 16/03 2019, KR
  . Bundled JRE updated to 11.0.2
  . Undertow updated to 2.0.19.Final
- 14/03 2019, KR
  . PP-828 Fixed incorrect INFO message logged by DBPool every 5 minutes.
  . PP-829 Allow changing various Undertow default values, such as max parameters, max headers, header size etc. This is now available in the gateway settings.
  . Fixed missing MDC log context in gateway when logging 503 errors caused by connection failures.
- 10/03 2019, KR
  . PP-827 Changes to WS-Security WSSAgent signAndEncryptSOAP() - new option: KEYIDENTIFIER_BINARYSECURITYTOKEN_AND_THUMBPRINT_ONESIGNATURE, which means the BinarySecurityToken is added and the thumbprint is used as key identifier within a single signature, instead of KEYIDENTIFIER_BINARYSECURITYTOKEN_AND_THUMBPRINT, which created two separate signature elements, where the BinarySecurityToken header ended up last.
- 06/03 2019, KR
  . PP-825 Fixed bug in parsing of Mapper if the JavaScript tag started with %{script:JavaScript} instead of %{script}
- 03/03 2019, KR
  . Version 6.2.3 released
- 02/03 2019, KR
  . PP-824 Fixed a bug introduced in PP-812 where the auto-generated Host header in RetrieveURLTask and OAuth2TokenTask was generated as host/ip:port instead of host:port.
- 27/02 2019, KR
  . Version 6.2.2 released
- 27/02 2019, KR
  . PP-822 Groovy scripts reported errors when referring to Undertow classes - Ceptor Console was missing the Undertow classes in its classpath definition inside ceptor_launcher.xml
  . PP-821 Location with a cookie-based condition caused a NullPointerException if the cookie did not exist.
  . PP-823 In the gateway, when CompletedRequest.getResponseAsString() is called, it defaulted to ISO-8859-1 if a charset was not specified in the Content-Type header, according to the HTTP/1.1 spec. Now, we default to UTF-8 if no charset is specified but the Content-Type is application/json. In addition, there is a new getResponseAsString() overload where the default charset can be specified.
- 25/02 2019, KR
  . PP-818 Google Authenticator authentication plugin now supports configuration of digits, period, issuer, secretsize and windowsize - see https://confluence.asseco.dk/display/CEPTOR/TOTP+%28Google%29+Authenticator for details.
  . PP-819 Radius module now supports specifying a script that can process incoming authentication and accounting packets.
  . PP-820 Logo in Ceptor Console would be painted on top of menu text if the size was too small - the menu is now scrollable and the logo is displayed after the contents.
- 24/02 2019, KR
  . Version 6.2.1 released
- 24/02 2019, KR
  . "Try API" in Ceptor Console failed with an error if the API was not published in any environment.
- 22/02 2019, JN, KR
  . Added new OpenAPI / REST API for administering API Partners, Partner Applications and developers. This API is exposed via the internal API Gateway. To update your API database with the new API, you need to import samples/ceptor_apis.zip, which contains both the various Admin APIs and the new Ceptor Agent REST API.
  . PP-817 Code assist in Ceptor Console for the gateway expanded with newer methods added to the context, and all agent and admin API methods.
- 21/02 2019, JN
  . Added missing API Management methods in AdminClient for handling of API Partners
  . Fixed bug in AdminClient when updating an API Partner Application - the application was updated, but the response was always an exception
- 21/02 2019, KR
  . PP-782 Introducing Ceptor Microgateway. The Ceptor Microgateway is a small, full-featured instance of Ceptor, focused on being deployed as a Gateway or API gateway in memory-constrained scenarios - it can function with less than 256 MB of memory and uses less than 50 MB at startup. This allows you to deploy Ceptor Microgateway along with your APIs and applications in case you do not wish a central installation, but still want to take advantage of Ceptor Gateway's many features, such as application firewalling, request throttling, load balancing or recording of API usage information.
- 19/02 2019, JN
  . PP-811 Support for deprecation of APIs, API versions and individual API operations.
  . Added collapsible details on API Groups and APIs, so users can see the content of existing API Groups and APIs without having to scroll on the screen. This also aligns with the API version screens.
  . Fixed spelling errors in the English version of the admin console and developer portal
- 16/02 2019, KR
  . PP-815 Ceptor Agent API now implemented fully as OpenAPI, and available in the internal gateway. You can find it in the samples directory, both in the complete example APIs zip and in ceptor_apis.zip, which only contains Ceptor's own APIs.
  . PP-816 PasswordUtils now also generates hashed passwords, both when invoked from the tools menu and from the command line.
- 13/02 2019, KR
  . PP-812 Added support for parsing the RFC 7239 Forwarded header in the gateway - this can be configured for a specific listener. Only enable it on listeners that sit behind a trusted proxy: the header is client-supplied, so a client that reaches the listener directly can forge the addresses in it.
    Also added an example of generating the Forwarded header in the request using the new macro %{GENERATE_FORWARDED_HEADER}
  . PP-812 Added new option to a destination: keep.hostheader - if set to false, the Host header will not be kept, but a new one matching the target server hostname and port will be sent instead. The default for this is false. *Important* Note that this breaks backwards compatibility, but follows the HTTP specification. If you want your destination servers to use the incoming Host header for virtual host processing, you need to set keep.hostheader to true.
- 09/02 2019, JN
  . PP-810 Support for chunked transfer encoding in the old dispatcher for the REST HTTP methods PUT and PATCH. Previously it was only supported for POST requests.
- 08/02 2019, JN/KR
  . PP-809 Fixed classloading issue when executing scripts doing dynamic classloading
- 06/02 2019, JN
  . PP-806 X509 certificate plugin for API management wrongly looked up PID for personal certificates. This has now been removed.
  . PP-807 Added support for linking to a user profile in the developer portal when the user session is not logged in through the developer portal
  . Fixed missing language entries in the developer portal so the menu can also be translated to other languages if needed
- 03/02 2019, JN
  . PP-805 Fixed issues with challenge messages from the Radius server so two-factor login now works with later Radius clients.
  . Removed unneeded logging from login in the session controller on OTP challenges from authentication plugins
  . Added Radius debugging, allowing for debugging of all incoming and outgoing Radius packets (intended for troubleshooting only, since a full packet dump can contain user credentials)
  . Added more statistics output from the Radius server
  . Moved Radius accounting messages to their own log file (using their own appender)
  . Added "locallogging" option to SMS/OTP authentication plugin for simple and easy local testing
- 16/01 2019, JN
  . PP-799 Removed API usage tab from the application create dialog
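The RFC 7239 parsing (PP-812) and the %{GENERATE_FORWARDED_HEADER} macro above are two sides of the same header. The following added example, written for this page rather than taken from Ceptor, parses a Forwarded header into per-hop dicts, extracts the address and port from a node identifier, and generates the element a proxy would append, taking care of the quoting rules that make IPv6 addresses and ports legal. The function names and the sample header values are constructed for the example.

```python
import ipaddress
import re

# RFC 7230 token characters; any value containing anything else must be a quoted-string
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PAIR = re.compile(r'\s*(' + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))\s*')


def _split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):   # quoted-pair, keep verbatim
            buf.append(text[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_forwarded(header):
    """Parse a Forwarded header value into one dict per proxy hop (leftmost = first hop).
    Lower-cases parameter names, unquotes values and rejects duplicate parameters."""
    hops = []
    for element in _split_unquoted(header, ","):
        if not element.strip():
            continue
        pairs = {}
        for pair in _split_unquoted(element, ";"):
            m = _PAIR.fullmatch(pair)
            if not m:
                raise ValueError(f"malformed forwarded-pair: {pair!r}")
            name = m.group(1).lower()
            value = m.group(3) if m.group(2) is None else re.sub(r"\\(.)", r"\1", m.group(2))
            if name in pairs:
                raise ValueError(f"duplicate parameter {name!r} in one element")
            pairs[name] = value
        hops.append(pairs)
    return hops


def node_address(node):
    """Split a 'for'/'by' node into (ip_address, port or None). Obfuscated
    identifiers (_hidden) and 'unknown' yield (None, None)."""
    m = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\](?::(\d{1,5}))?", node) \
        or re.fullmatch(r"([0-9.]+)(?::(\d{1,5}))?", node)
    if m:
        return ipaddress.ip_address(m.group(1)), (int(m.group(2)) if m.group(2) else None)
    if node == "unknown" or node.startswith("_"):
        return None, None
    raise ValueError(f"bad node identifier: {node!r}")


def _quote(value):
    if re.fullmatch(_TOKEN, value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def generate_forwarded(client_ip, client_port=None, proto=None, host=None, by=None):
    """Build the element a proxy appends for the hop it handles, quoting IPv6
    (brackets) and ports (colon) as RFC 7239 requires."""
    def node(ip, port=None):
        addr = ipaddress.ip_address(ip)
        text = f"[{addr}]" if addr.version == 6 else str(addr)
        return _quote(text if port is None else f"{text}:{port}")
    pairs = [f"for={node(client_ip, client_port)}"]
    if proto:
        pairs.append(f"proto={_quote(proto)}")
    if host:
        pairs.append(f"host={_quote(host)}")
    if by:
        pairs.append(f"by={node(by)}")
    return ";".join(pairs)
```

Trust follows the hop, not the header: when the gateway sits behind one trusted proxy, the element that proxy appended is the last one in the list, and any earlier elements, as well as any Forwarded header received directly from a client, are untrusted input.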
  . PP-800 Old config server admin webapp had unreadable content everywhere due to missing background color
  . PP-801 Online documentation link in popup menu did not work - it pointed to a wrong URL
  . PP-802 Server configuration view needs a splitter that can move, so long server names can be seen in the server component list to the left
  . PP-803 Fixed default configuration so the API Developer Portal is correctly identified by the Gateway as being "up" when the web application is started
- 15/01 2019, JN
  . Added error handling when showing API Usage data from Elasticsearch in the API Developer Portal
- 13/01 2019, KR
  . Version 6.2.0 released
- 08/01 2019, KR
  . PP-797 Configuration macros can now have a default value - this works for systemproperty, environment and file macros. A default value is added by appending :-xxxxx to the macro, where xxxxx is the default, e.g. ${environment:elasticsearch_enabled:-false}, which returns either the value of the elasticsearch_enabled environment variable, or false in case it is not defined.
- 08/01 2019, JN
  . PP-789 Added OAuth2 token task to the Gateway pipeline to allow for requesting and caching OAuth2 tokens in a pipeline
  . Streamlined tracing and debug logging from several pipeline tasks
  . Added better error handling to the Trace and Log pipeline tasks
- 06/01 2019, KR
  . PP-794 Show API Usage information from Elasticsearch in PDF reports.
  . HTTP headers stored in Elasticsearch are now always changed to lowercase
  . Ceptor Gateway Elasticsearch API Usage plugin will now create an index called "ceptor_1" in Elasticsearch when starting up, with an alias called "ceptor" and a mapping called "apiusage". This is made from the ceptor_index.json file, which you can find in the classes directory in the default Ceptor distribution.
  . PP-795 Show API Usage information in the Developer Portal when viewing details for a Partner Application.
- 02/01 2019, KR
  . Groovy updated to v2.5.5
  . Vaadin in Ceptor Console updated to 7.7.15
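To make the default-value rule from PP-797 concrete, here is an added example (not Ceptor's resolver) of a small macro expander implementing ${environment:..}, ${systemproperty:..} and ${file:..} with the :-default suffix. The MacroResolver class, the sysprops map standing in for Java system properties and the injected file_reader are assumptions for the example; the one deliberate design point is that a macro that is undefined and has no default raises instead of expanding to an empty string, so a missing secret or host name cannot silently become "".

```python
import os
import re

# ${kind:name} or ${kind:name:-default}; the name is matched lazily so ':-' is
# still found when the name itself contains ':' (e.g. a Windows file path)
_MACRO = re.compile(r"\$\{(environment|systemproperty|file):([^}]*?)(?::-([^}]*))?\}")


def _read_file(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


class MacroResolver:
    """Expand configuration macros with the :-default rule from PP-797. Constructed
    example, not Ceptor's resolver: sysprops stands in for Java -D properties and
    file_reader for reading the file macro's target (injectable for tests)."""

    def __init__(self, env=None, sysprops=None, file_reader=None):
        self.env = os.environ if env is None else env
        self.sysprops = sysprops or {}
        self.file_reader = file_reader or _read_file

    def _lookup(self, kind, name):
        """Return the macro's value, or None when it is not defined at all. A
        variable defined as the empty string counts as defined, so it does not
        trigger the default."""
        if kind == "environment":
            return self.env.get(name)
        if kind == "systemproperty":
            return self.sysprops.get(name)
        try:
            return self.file_reader(name)
        except (OSError, KeyError):    # a missing file is treated as undefined
            return None

    def resolve(self, text):
        def expand(m):
            kind, name, default = m.group(1), m.group(2), m.group(3)
            value = self._lookup(kind, name)
            if value is not None:
                return value
            if default is not None:
                return default
            # fail closed: an unresolved macro must not silently become ""
            raise KeyError(f"macro ${{{kind}:{name}}} is undefined and has no :-default")
        return _MACRO.sub(expand, text)
```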
  . PP-793 Show API Usage information when viewing APIs in the API Manager inside Ceptor Console. Shows number of calls and average response time for API calls, along with a list of top calling partners and client IP addresses.
- 30/12 2018, KR
  . PP-792 Added ability to create API Usage charts by selecting a specific API, API Partner, application or version. You can also enter any Elasticsearch query and e.g. create charts matching calls from a specific client. You have full control over the Elasticsearch input, and can add any aggregations you require to do detailed analysis on the collected data. This requires that the Ceptor API Gateway is configured to use the API Usage plugin, which stores API Usage information in an Elasticsearch cluster. Ceptor Console now has several new configuration entries used to point to the Elasticsearch cluster to use: elasticsearch.url, elasticsearch.userid, elasticsearch.password, elasticsearch.searchindex and elasticsearch.enabled. A chart in the dashboard now has a new type, Elasticsearch - selecting this allows you to create and edit a custom search.
- 23/12 2018, KR
  . Fixed a few possible NPEs in the Gateway's sendResponse if called with null instead of an empty byte array, and in StateHolder.copyCompletedRequestHeadersToResponse() if the completed request did not have any response headers.
- 13/12 2018, JN
  . PP-791 Verified support for the latest MariaDB update alongside MySQL. The conclusion is that the drivers have a hard time co-existing, so customers should be careful having MariaDB Connector/J 1.7.4/2.3.0 and MySQL Connector/J 8.0.x in the same classpath.
- 12/12 2018, KR
  . PP-790 Fixed a bug in Ceptor Console where it was possible to drag a task onto a specific HTTP header or onto the list of headers.
  . Added "copy.from.input" boolean - if set, HTTP method, URL and body are copied from the incoming request, so you do not need to specify them directly. This provides an easy way of proxying the request to a destination while saving the response for further processing.
  . Fixed bug where the full URL was sent to the remote as the path if the full URL was specified - this could cause issues with some servers.
  . Added methods to the Gateway context: getResponseFromCompletedRequestAsBytes(), getResponseFromCompletedRequestAsString() and copyCompletedRequestHeadersToResponse() - all can be used to simplify scripts that use the result from RetrieveURLTask to modify the contents of the response and send it back to the client.
- 11/12 2018, KR
  . PP-790 RetrieveURLTask in the gateway did not process additional request and response headers defined in the destination configuration before sending the request and after reading the response.
- 10/12 2018, KR
  . PP-787 Fixed bug in encoding of the SSL client certificate when sent from the gateway to the session controller in the call to login using an SSL client cert.
- 28/11 2018, KR
  . Version 6.1.0 released
- 28/11 2018, KR
  . PP-786 Bugfix in the call to Agent getSessionFromTicket() - the server now correctly marks the agent as interested in the session, so it gets updated if the contents change.
- 22/11 2018, KR
  . PP-785 Fixed NullPointerException in condition matching if checking against a non-existing query parameter, e.g. during URL rewrite.
  . PP-785 When redirect=true in urlrewrite, query parameters were stripped from the URL.
- 13/11 2018, KR
  . Discovery of PID in ManagedService changed to use reflection that does not give warnings in Java 11.
  . PP-783 Bundle OpenJDK 11 with the Ceptor installer, and build/distribute Docker images.
- 11/11 2018, KR
  . Online documentation link in Ceptor Console changed to https://docs.ceptor.io
- 10/11 2018, KR
  . Added additional check to ensure that a Host header is always present when a request is proxied onwards
  . Added getQueryOrPostParamValues() methods to StateHolder/context, which can be used from scripts. This allows you to easily retrieve multiple values from a query or POST parameter - if the same parameter has multiple values, you get all of them returned instead of just the first, as getQueryOrPostParam() does.
- 06/11 2018, KR
  . Gateway pipeline RetrieveURLTask did not always set a Host header on the request if only a URL without a hostname was given and no Host header was explicitly set. This does not follow the HTTP spec, which always requires a Host header to be present - so now, if nothing else is provided, it defaults to the IP address and port of the remote server it connects to.
- 05/11 2018, KR
  . Added new condition type in the gateway: "probability" - this can be set to a percentage value, and when matching, a random number between 0 and 100 is generated; if the number is less than or equal to the specified percentage, the condition matches. This can be used to apply a condition randomly to only some requests - e.g. sending 20% of requests to a new version of a service.
  . Fixed bug in Ceptor Console where changes to regular expressions in Parameter Validation on a gateway location were not detected in the GUI.
- 04/11 2018, KR
  . Each time a connection to a backend failed in the gateway, it would schedule a new task to attempt to reconnect to it later, to discover when it is available again - this could lead to many scheduled tasks. Now, only a single task per backend is scheduled at a time.
  . Fixed issues that might occur when loading a large remote API spec from slow remote sources.
  . New option on launcher: -excludeclasses - if set, the classes directory (which normally contains logback.xml) is not added to the classpath, as it is by default.
  . Better logging if fetching of a remote API spec fails - now logs the exception too.
  . Fixed bug in API Gateway Settings in Ceptor Console - the value for the Elasticsearch URL was not saved.
    This bug was introduced in 6.0.4.
  . Ceptor Console log view failed if no log server was found.
  . Better exception handling if writing API Usage data to Elasticsearch failed with an otherwise unhandled exception.
  . Datastores are reused and shared across plugins if already loaded, to save on concurrent connections to the database.
- 29/10 2018, JN
  . PP-778 DataStores are now synchronized in table creation across components in the same PP configuration cluster, to avoid multiple datastores trying to create non-existing tables at the same time.
- 28/10 2018, KR
  . PP-756 Added AdminClient.exportAPIManagementDataToZip(), which takes a Config.APIExportParameters defining which API Groups, APIs and Versions to export. Also added a REST API in the Ceptor Admin API v1 for this. The Admin GUI now has a partial export view, where you can select which APIs/groups/versions to export, and you can choose to export partners and configuration too.
  . If an Error (not just an Exception) is thrown while processing a script, it is now also caught and handled / logged, so a proper error is sent back to the client.
- 14/10 2018, KR
  . Version 6.0.4 released
- 13/10 2018, KR
  . Derby updated to 10.14.2.0
- 12/10 2018, JN
  . Added stall warning when configuration changes to authentication plugins take more than 30 seconds. It is logged in the Ceptor log file as a warning containing the authentication class name.
  . PP-744 Looser coupling to UserAdmin from API Management. Developers in the admin console no longer have to be in the UserAdmin database, as they are by default. If UserAdmin is not used, the integration can now be turned off in the console (as it already could in the developer portal).
- 10/10 2018, KR
  . Added new method to the gateway context: getDeployedAPIsForLocation(Config.Location location), which returns a list of APIs that are deployed and available within the particular location. This can be used to create and publish a list of available services.
- 08/10 2018, KR
  . PP-773 Added SQL implementations of Access token and Refresh token stores and OAuthSQLStore. Default configuration now uses the database instead of Ignite, and Ignite servers are no longer started in the default config.
  . Renamed datastore in default config from datastore-derby to datastore-primary to allow changing the database type in a single place without having to do too much search/replace.
- 05/10 2018, KR
  . PP-773 Added RateLimiterSQL - an SQL/JDBC implementation of API rate limiting, which allows you to use a database for storing shared rate limiting information for API calls.
- 03/10 2018, KR
  . PP-770 Added hook to enable AppDynamics to instrument the dispatcher (TunnelServlet).
- 02/10 2018, KR
  . PP-776 New method in the Java agent: updateTicketInSession(String sessionid, String ticket) - this allows the agent to update the ticket/token within a session, replacing it with the new one. This can be used if the token is e.g. a JWT token and it needs to be replaced with another while keeping the same session.
- 29/09 2018, JN
  . PP-771 Added API Management ACLs to the LDAP security configuration. Added LDAP group support for logged-in users (which means they can now be seen in the UI when logged in through LDAP).
  . Added JDBC rate limiter functionality for Derby (default) and PostgreSQL
- 29/09 2018, KR
  . NIO and NIOS connections were using the default TCP connection timeout when attempting to establish connections to servers - this is now changed to 3 seconds max, to ensure timely responses if a platform's default timeout is set to a high value.
  . When only one operation was defined on an API, it was not possible to override the implementation for that specific operation using the user interface - this is now fixed, and it is also clarified that the default implementation is called for undefined operations on the same base path too, giving it a chance to implement those even if they are not defined in an OpenAPI spec.
. When deleting a property in the server configuration, the status of the configuration was not updated, so it was not possible to commit unless you refreshed/reloaded from the configuration file.
. PP-771 You can now see the groups a user is a member of within the console: click on the username in the top right and select "Show info".
- 28/09 2018, KR
. PP-771 Added new property to LDAP authentication plugin - if ldap.searchFirstThenBind is set to true, we will first search the LDAP tree for the user, then if found, we will do a bind with the full DN to authenticate the user. This allows for finding the user using attributes that will not work directly when binding, and in some AD configurations, bind will not work on users in subtrees without doing a search first.
- 26/09 2018, JN
. Fixed issue with configuration of initial pool sizes of datastores
- 23/09 2018, KR
. PP-750 Added record.responses option to API Gateway when serving APIs - if set, the response body will be saved and is available for use by API Usage plugins - it is also included in the default Elasticsearch/SLF4J plugins that log the request/response JSON.
. Both request/response headers and body, if available, are now also logged by the default API Usage plugins. When the response body is stored as binary in response.body.base64, it is stored base64 encoded as a copy of the actual bytes sent - this means that if it was gzipped or compressed, it must be unzipped/decompressed first. If the response body appears to be textual (content-type is text/* or application/xml, application/json), then it is stored as a string in "response.body" instead of being base64 encoded.
. Previously, when calling gateway.sendResponse() or context.respond() with a string as response body, the body was sent UTF-8 encoded - now, if a charset is specified in the content-type, that character set is used instead.
- 22/09 2018, KR
. Version 6.0.3 released
- 21/09 2018, KR
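An added example (not Ceptor's own code) of consuming usage records in the shape the two entries above describe: a textual body in "response.body", a binary body as a base64 copy of the bytes sent in "response.body.base64" that may still be compressed, and the charset taken from the content-type. The "response.headers" field name and the surrounding record layout are assumptions, and the records are constructed.

```python
import base64
import gzip
import zlib


def charset_from_content_type(content_type, default="utf-8"):
    """Return the charset parameter of a Content-Type value, or the default.
    'application/json; charset=ISO-8859-1' -> 'ISO-8859-1'."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset" and value:
            return value.strip().strip('"')
    return default


def decode_response_body(record):
    """Return the recorded response body as the raw bytes the client received
    (decompressed), or None when the record carries no body.

    Two storage forms are handled, as described in the changelog entry:
    - "response.body":        textual content, stored as a string
    - "response.body.base64": a base64 copy of the bytes actually sent, which
                              may still be gzip/deflate compressed
    "response.headers" is an assumed field name for the recorded headers."""
    headers = {k.lower(): v for k, v in record.get("response.headers", {}).items()}
    if "response.body" in record:
        # Re-encode with the charset the response declared, so byte-level
        # consumers see the same bytes the client got.
        charset = charset_from_content_type(headers.get("content-type", ""))
        body = record["response.body"].encode(charset)
    elif "response.body.base64" in record:
        body = base64.b64decode(record["response.body.base64"])
    else:
        return None

    encoding = headers.get("content-encoding", "").strip().lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding == "deflate":
        body = zlib.decompress(body)
    return body


# Constructed sample records (not real Ceptor output).
_GZIPPED_JSON = base64.b64encode(
    gzip.compress(b'{"status":"ok","items":[1,2,3]}')).decode("ascii")

SAMPLE_RECORDS = [
    {   # textual response: stored as a plain string
        "api": "orders", "operation": "listOrders",
        "response.headers": {"Content-Type": "application/json; charset=utf-8"},
        "response.body": '{"status":"ok"}',
    },
    {   # compressed response: base64 copy of the gzipped bytes that were sent
        "api": "orders", "operation": "exportOrders",
        "response.headers": {"Content-Type": "application/octet-stream",
                             "Content-Encoding": "gzip"},
        "response.body.base64": _GZIPPED_JSON,
    },
    {   # record.responses not set: no body recorded at all
        "api": "orders", "operation": "deleteOrder",
        "response.headers": {"Content-Type": "application/json"},
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["operation"], decode_response_body(rec))
```

The decoder treats the base64 copy as opaque until Content-Encoding has been honoured; a consumer that base64-decodes and then tries to parse JSON directly will fail on every compressed response, which is the pitfall the entry warns about.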
. PP-572 XML Validation Tasks added to gateway pipelines. This includes support for specifying multiple XSD schemas directly in the configuration, or loading them from remote. Validation can be done with or without XML schema, and with optional restrictions on lengths of element / attribute names, values, depth etc.
. Fixed bug in the configserver's handling of its own properties - macros, e.g. ${environment:XXXX}, were not expanded for properties belonging to the configserver itself, while it worked for all other servers.
. Newest available PostgreSQL JDBC driver now bundled with the distribution by default.
- 18/09 2018, KR
. PP-772 Added -restartall option to launcher, which shuts all services down, then re-reads the launcher xml file and starts up again.
. Logging for org.atmosphere.cpr turned off to ignore errors logged from comet/vaadin complaining about missing atmosphere classes for async support.
- 16/09 2018, KR
. Version 6.0.2 released
- 16/09 2018, KR
. PP-754 Ceptor Admin APIs for configuration, services and API Management are now available for use in a separate internal API Gateway that is set up to require basic auth. The required APIs are in samples/example_apimanager_apis.zip, which must be imported.
- 14/09 2018, KR
. PP-769 When adding oauth2 security to an API, the openapi spec got the list of scopes generated as an array instead of as a JSON object. This was only an issue for swagger 2.0 specs, not openapi 3 specs.
. PP-739 Added proper error message if the API manager is attempted to be used before it is initialized properly
- 12/09 2018, KR
. PP-768 Connections between configserver and statisticsserver can now be reversed. Previously, the statisticsserver needed to know all the configservers so it could connect to them - now, the statisticsserver can listen for connections instead, and config servers can call it. This allows easier scaling of configservers up/down, since the statistics server does not need to know all clients until they connect to it.
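An added example (not the gateway's XML Validation Task) of the schema-less part of what the PP-572 entry describes: streaming through a document and rejecting it on the first violation of limits on depth, element and attribute name length, value length and element count. XSD validation itself is out of scope here, since the Python standard library has no XSD validator; the limits, their defaults and the sample documents are constructed.

```python
import io
import xml.etree.ElementTree as ET


class XmlLimits:
    """Structural restrictions applied on top of well-formedness checking."""

    def __init__(self, max_depth=32, max_name_len=64, max_value_len=4096,
                 max_attributes=32, max_elements=10000):
        self.max_depth = max_depth          # nesting depth of elements
        self.max_name_len = max_name_len    # element and attribute names
        self.max_value_len = max_value_len  # attribute values and text
        self.max_attributes = max_attributes
        self.max_elements = max_elements    # total elements in the document


def check_xml(data, limits=None):
    """Stream through `data` (bytes) and return (ok, reason). The document is
    rejected at the first violation, so a hostile document is not parsed
    further than needed. Names are seen in Clark notation ("{ns}local"), so
    the name limit applies to namespace plus local name."""
    limits = limits or XmlLimits()
    depth = 0
    elements = 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > limits.max_depth:
                    return False, "element depth %d exceeds %d" % (depth, limits.max_depth)
                if elements > limits.max_elements:
                    return False, "more than %d elements" % limits.max_elements
                if len(elem.tag) > limits.max_name_len:
                    return False, "element name longer than %d" % limits.max_name_len
                if len(elem.attrib) > limits.max_attributes:
                    return False, "more than %d attributes on <%s>" % (limits.max_attributes, elem.tag)
                for name, value in elem.attrib.items():
                    if len(name) > limits.max_name_len:
                        return False, "attribute name longer than %d" % limits.max_name_len
                    if len(value) > limits.max_value_len:
                        return False, "attribute value longer than %d" % limits.max_value_len
            else:
                # text content is complete once the end tag has been seen
                if elem.text and len(elem.text) > limits.max_value_len:
                    return False, "text in <%s> longer than %d" % (elem.tag, limits.max_value_len)
                depth -= 1
                elem.clear()  # do not keep the finished subtree in memory
    except ET.ParseError as exc:
        return False, "not well-formed: %s" % exc
    return True, "ok"


# Constructed sample documents.
GOOD_XML = b'<order id="42"><item sku="A1" qty="2"/><note>thanks</note></order>'
DEEP_XML = b"<a>" * 40 + b"</a>" * 40                  # 40 levels deep
WIDE_XML = b'<r><e ' + b'x' * 100 + b'="1"/></r>'      # attribute name too long
BROKEN_XML = b"<order><item></order>"

if __name__ == "__main__":
    for name, doc in [("good", GOOD_XML), ("deep", DEEP_XML),
                      ("wide", WIDE_XML), ("broken", BROKEN_XML)]:
        print(name, check_xml(doc))
```

Checking limits during parsing rather than after building a tree is the point: a document designed to exhaust memory is stopped at the limit, not after the whole tree has been allocated.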
Added new properties to statistics server: remote.servers and statistics.server.listenurl. Added new property to configserver: statistics.server.url. When using these, you should not use the corresponding statistics.sources in statisticsserver, and statistics.server.listenurls in configserver.
- 09/09 2018, KR
. Added methods to AdminClient to create/read/update/delete individual locations and destinations within a gateway configuration.
. Added byte[] getRequestBody() and String getRequestBodyAsString() methods to gateway to make it easier to obtain the request body from a script. Note that for the body to be available, you must either be within an API, or a location must have already prefetched the body.
. Arguments to APIs that are defined in the openapi spec as arrays are now delivered to the script as an array of strings.
. Saving/reloading the API tab is now much faster, and implementation tabs no longer show all overridden operations by default, since with many concurrent operations, editors etc. open, the browser slows down.
- 09/09 2018, JN
. Added functionality so the API Developer Portal can be accessed through the Gateway by authenticated users that are not registered as API developers, who are still able to explore and try out APIs.
- 07/09 2018, KR
. Heapdump filename changed to end with .hprof instead of .bin, since newer JVMs require the name to end with .hprof or the dump will fail.
. API GUI improvements - keeps the toolbar at the top when scrolling through large API implementations with many operations.
- 04/09 2018, KR
. Added safeStateVariablesPattern to session controller - in addition to safeStateVariables, this allows you to define a pattern for which state variables will be available in the gateway.
Normally, unless a state variable is whitelisted in the "stateVariables" property, it will be removed before being sent out to a restricted agent in the DMZ zone (which a typical gateway is considered to be) - now, if the name matches what is defined in the pattern, it is allowed too.
. When editing an API version, the tab that was selected when you saved will be selected again after refreshing, instead of the API Definition tab.
. Fixed exception creating sample API response if the openapi schema contained an empty response without schema definition.
. Added dk.itp.security.server.NoOpAuthenticationPlugin - this plugin does not authenticate a user, but allows creating an empty session from a ticket, essentially giving two keys to the session - the regular ID and the ticket - but without using it for any type of authentication or deriving any value from it.
. Process ID and hostname are now displayed in server status within Console when viewing status for a server.
. Added Gateway.getAdminClient() method, which can be used within scripts to get an instance of the AdminClient that uses the credentials of the authenticated user - note that this requires an active session and an authenticated user.
. Better help text for creating session resolver scripts in Console.
. ConfigServerLauncher now saves configuration to agent if not already set up - this is to enable use of the agent later, e.g. if a session is used as authentication instead of userid/password.
. ConfigServerAuthenticationPlugin now stores ACLs in session, and DefaultValidator in the agent checks against ACLs therein if present.
- 02/09 2018, KR
. Version 6.0.1 released
- 02/09 2018, KR
. Loading swagger-ui inside the developer portal did not work if context-root was set to something other than /.
. Developer portal try button now only available for openapi type APIs.
- 01/09 2018, PA
. New developer portal startup page.
- 01/09 2018, KR
. PP-764 APIs can now use resources defined within a gateway configuration, such as destinations, pipelines or canned replies - this is done per environment, by adding gateway.config.name to an environment setting; when set, resources defined on this gateway configuration can be used within the APIs.
- PP-757 New feature in Ceptor Gateway: You can now define a number of IP ranges, with IP addresses included and/or excluded in these ranges. You can then configure conditions on Locations that match these ranges. In addition, you can now load ranges from remote locations and use IP Reputation databases to decide what level of service you want to give to a particular request. Any database that lists IPv4 addresses in CIDR, CIDR/netmask or IP range format is supported. You can e.g. deny all traffic from known "bad" clients, or you can put limits on them, severely limiting the amount of load traffic from these clients is allowed to generate. There are many other use cases for this, e.g. you can require an SSL client certificate only for requests coming from certain IP ranges, or you can require additional authentication, e.g. add two-factor authentication for requests coming from addresses used by known spammers. As an example of a freely available database of known bad IP addresses, look at http://iplists.firehol.org/ - this combines many known spammers, tor exit nodes, anonymizers, malware spreaders and attackers.
- PP-758 Authorization can now include "iprange" - if set, the remote IP needs to be within one of the IP addresses defined in the IP range in order to get access. This can be configured both for locations, and for APIs and API operations.
- 31/08 2018, KR
. PP-761 If parsing a groovy script failed, the console would stop getting updates from the editor and save an invalid script - also, editing a property with failed JSON content would fail, causing an exception stacktrace to be shown in vaadin.
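An added example (not Ceptor's implementation) of the IP range matching the PP-757 and PP-758 entries describe: a parser for the three list formats named there (CIDR, CIDR with dotted netmask, and explicit IP range), an include/exclude range set, and a decision function of the kind a location condition would apply. The list text, range names and decision labels are constructed; the addresses are documentation ranges, not a real reputation feed.

```python
import ipaddress


def parse_range(entry):
    """Parse one list entry into an inclusive (first, last) IPv4Address pair.
    Accepts the formats the changelog entry names, plus a bare address:
        CIDR           203.0.113.0/24
        CIDR/netmask   203.0.113.0/255.255.255.0
        IP range       203.0.113.10-203.0.113.20
        single host    203.0.113.99"""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError("range end before start: %s" % entry)
        return lo, hi
    # IPv4Network accepts both a prefix length and a dotted netmask after '/'
    net = ipaddress.IPv4Network(entry, strict=False)
    return net.network_address, net.broadcast_address


def load_list(text):
    """Entries from a plain-text list: one per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


class IPRangeSet:
    """An IP range in the sense used above: a set of included ranges minus a
    set of excluded ones. An address matches when it lies inside at least
    one included range and inside no excluded range."""

    def __init__(self, name, include, exclude=()):
        self.name = name
        self.include = [parse_range(e) for e in include]
        self.exclude = [parse_range(e) for e in exclude]

    @staticmethod
    def _hit(ranges, addr):
        return any(lo <= addr <= hi for lo, hi in ranges)

    def contains(self, ip):
        addr = ipaddress.IPv4Address(ip)
        return self._hit(self.include, addr) and not self._hit(self.exclude, addr)


# Constructed sample list in the style of a published reputation feed.
BAD_CLIENTS_TEXT = """
# constructed sample, not a real feed
203.0.113.0/24                  # CIDR
198.51.100.0/255.255.255.128    # CIDR with dotted netmask
192.0.2.10-192.0.2.20           # explicit range
192.0.2.99                      # single address
"""

BAD_CLIENTS = IPRangeSet("bad-clients", load_list(BAD_CLIENTS_TEXT),
                         exclude=["203.0.113.7"])   # one host carved out of the block
PARTNER_NET = IPRangeSet("partners", ["10.20.0.0/16"])


def service_level(ip):
    """What a location condition on these ranges could decide for a request:
    reject known bad clients, demand a client certificate from the partner
    network, serve everyone else normally."""
    if BAD_CLIENTS.contains(ip):
        return "deny"
    if PARTNER_NET.contains(ip):
        return "require-client-cert"
    return "normal"


if __name__ == "__main__":
    for ip in ("203.0.113.55", "203.0.113.7", "198.51.100.200", "10.20.5.5", "8.8.8.8"):
        print(ip, service_level(ip))
```

The exclude list is what makes this usable with coarse feeds: a whole /24 can be listed while a single known-good host inside it is carved out, instead of dropping the entry altogether.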
Also, groovy and python were not added to the classpath of the session controller and console in the default launcher configuration - the .jar files are now moved to extlib_extras/groovy and extlib_extras/jython and included in the launcher classpath for gateway, sessioncontroller and console.
. PP-760 API Gateway displayed the active API in its status text twice if two locations served APIs from the same environment.
. PP-763 When the AuthenticatorSSLClientCert plugin is installed in a location within the gateway and the required flag is set, SSL renegotiation to request a client certificate is triggered - this allows requesting certificates only for specific paths, or controlled by other means (IP addresses, query parameters etc.)
- 30/08 2018, JN
. PP-742 Fixed DBPool to handle two different databases at the same time in the same JVM. Changed table and index creation for postgres to work with newer versions.
- 30/08 2018, KR
. PP-748 In the Ceptor Gateway, you can now add values to the SLF4J MDC which will be available for logging from a script. The StateHolder class has this new map: logContextVariablesSeen - anything you add in there will be added to the MDC and removed afterwards. Call context.addToMDC(key, value) to add it to the map, and to the MDC immediately.
. PP-758 Updated description in Console when adding entries to IP ranges to clarify that you can also point to a file instead to read entries from.
. When importing APIs from a .zip file in the console or admin API, gateways were not notified of any changes made as a result of the import until another change took place.
. PP-745 Read and Write Access to API Groups (and APIs / API Versions inside the group) can now be restricted by adding required groups/roles to the list. This restriction is present both in the console and via the administration API. This allows you to limit who can work on a particular subset of APIs.
The restriction here has no effect on the actual APIs via the API Gateway, only on administration of them.
. U2F support updated in demoapp to handle the case where ThinkPads with built-in U2F devices do not supply any device information.
- 29/08 2018, KR
. PP-741 Better error handling in gateway (shows warning and continues parsing configuration) if API gateway configuration is not yet completed for a location.
. Bugfix in Console gateway condition settings: Adding a 2nd value for a condition did not show the editor window when adding a value for a script.
. In Gateway Settings, ignoring changes when switching to a different view was ignored and did not have any effect, essentially forcing you to either save settings or close the dialog and reopen it.
. In Console, when selecting an item in a tree list, e.g. a Location in the gateway settings, it is not expanded automatically - you need to either click the arrow, doubleclick or press right-arrow to expand.
. PP-738 When adding an API Partner application from the Console, then clicking on another partner and clicking ignore when asked to save did not ignore it, since the partner was already saved to the datastore upon creation. Now, when adding or removing an API Partner Application to an API Partner, it is automatically saved.
- 29/08 2018, JN
. PP-753 User admin application had duplicate agent connections to config server when using the administrative login
. PP-743 Added Agent method for writing multiple state variables at one time through a map - see new method setStateVariables
- 24/08 2018, JN
. PP-737 Admin console and Developer Portal now check for duplicate certificates in other applications on the same partner.
. Fixed Developer portal to show the same application view after editing an application (it was jumping from my applications to partner applications)
. Removed old download link (webload) from demo app. Not valid anymore
- 23/08 2018, KR
. Version 6.0.0 released
- 23/08 2018, KR
. PP-678 Added API Manager support for Ceptor. This includes Ceptor API Gateway, Ceptor API Developer Portal and Ceptor API Management to Ceptor itself. Please read the new documentation for information about this.
- PP-728 Renamed various installer, launcher and configuration files from PortalProtect to Ceptor. We have on purpose left names of .jar files, generated launcher .exe files etc. intact to enable easy upgrading from v5.xx.

Benefits of Ceptor API Management / API Gateway
Ceptor API Gateway, which is built upon Ceptor Gateway, has the unique benefits of Ceptor's proven flexibility and many authentication options. Ceptor API Gateway offers:
- Request throttling
  - Queue API calls to avoid overburdening backend API servers
- Rate limiting
  Subscription-based limits on how many calls specific clients / partner applications are able to make within configured time periods.
- API Usage recording
  - Flexible API Usage recording, with support for plugins for customizing where API Usage data is stored
- Hide implementation details
  - Loadbalance between multiple sets of API Backend servers
  - Rewrite URLs to provide outward consistency
- API Mocking
  Mock API calls, returning test data - mocks are executed as JavaScript/Python/Groovy scripts within the API Gateway, allowing high flexibility.
- Pipelines and Tasks
  Allows full flexibility and ease of configuration; here you can weave together tasks to e.g. make remote API calls, convert between XML and JSON, modify response content etc. This allows you absolute flexibility in implementing your APIs where needed.
- Serve APIs within multiple environments
  - Mock your API in a sandbox environment
  - Proxy API to backend server in test environment
  - Use Pipelines and Tasks to orchestrate multiple API calls into one or to modify response data, removing certain data from the response.
  - Serve multiple environments from the same Ceptor API Gateway instance
- Security
  - Authentication
    Ceptor API Gateway provides many different authentication methods; some are configured and expressed per API and specified in the OpenAPI Specification, others are configured directly within the Gateway, ensuring that no matter what developers define for an API, it can be overwritten and controlled centrally within the API Gateway configuration. Typically, these kinds of authentication are used, but others can be provided as well; however, it is important to consider which REST clients are being used to call the APIs and what capabilities they have for calling your APIs.
    - API-Keys (can be managed by partners using self-service within the Ceptor Developer Portal)
    - Basic Authentication using Client ID / Client Secret
    - Bearer Token (can be issued by Ceptor after e.g. authenticating using NemID, SAML or other more advanced form of authentication).
    - OAuth2 / OpenID Connect
  - Authorization
    Ceptor API Gateway can authorize individual API calls, supporting:
    - Role Based Access Control (RBAC)
    - Attribute Based Access Control (ABAC)
    - Subscription checking
    - OAuth2 scope required
    - Custom scripts (JavaScript, Python or Groovy implemented within Ceptor API Gateway)
- Request modification
  - Rewrite URLs
  - Modify request/response headers and cookies
- 23/08 2018, KR
. PP-736 Reworked SSL client certificate handling in gateway, so all client certificates are now accepted by the gateway, and validation of them, including authentication, is now up to the authentication plugin.
- 19/08 2018, KR
. PP-735 Added support for ${file:/some/file.name} in ConfigurationMacroHandler - this allows reading configuration entries or parts thereof from files - this is useful for reading secrets exposed in containers as files.
- 16/08 2018, KR
. PP-733 Session IDs are now by default created with URL-safe characters only - these IDs start with CEPID_ instead of the old variant that starts with PPID_. Unfortunately, this means that it is not backwards compatible with older agents, so you will need to upgrade all agents when you switch to version 6.0.0. If you for some reason are not able to do that for the moment, you can set the property usePPStyleSessionID to true on the session controllers - this will cause them to use the format containing non-URL-safe characters that is compatible with existing old agents.
- 10/08 2018, KR
. pp_launch.xml, portalprotect-configuration.xml and portalprotect-security.xml renamed to ceptor equivalents.
- 04/08 2018, KR
. PP-729 Added ability to turn off validation of server hostname / certificate name in the gateway when connecting to servers using https and using the truststore. The X509 Trustmanager now sorts the certificate chain sent by the server, in case it sends a chain in invalid order, before attempting to validate it. Added "verify.server.name" option to the Ceptor Console
- 02/08 2018, JN
. PP-662 Added colors to easily identify changes in remote statistics: green for changed values, blue for new values. Added support for datastore configuration in admin UI. Useradmin server now supports a JDBC datastore as well as direct JDBC configuration
- 24/07 2018, KR
. Added location.script in gateway - here, you can configure a script that is executed after limits are processed and before the pipeline is called - this is a useful place to e.g. manipulate the session or perform other actions for a particular location, so you no longer need to do that in a pipeline or in authorization / authentication scripts.
- 22/07 2018, KR
. Updated Undertow to 2.0.11.Final
- 22/07 2018, KR
. PP-120 Within the peer2peer communication layer, if the remote fails with an otherwise unhandled exception, the caller is now immediately notified with a PeerException with the contents of the failing exception.
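An added example (not the gateway's X509 Trustmanager) of the chain sorting the PP-729 entry mentions: given the certificates a server sent in any order, put the leaf first followed by each issuer, and refuse sets that do not form a single chain rather than guessing. Certificates are modelled as constructed (subject, issuer) name pairs; real code would take these from parsed X.509 certificates and then run the usual path validation against the truststore.

```python
from collections import namedtuple

# Simplified certificate record: real code would take subject and issuer from
# parsed X.509 certificates (and ideally match AuthorityKeyIdentifier to
# SubjectKeyIdentifier); the string names here stand in for those DNs.
Cert = namedtuple("Cert", "subject issuer")


def order_chain(certs):
    """Return the certificates ordered leaf first, each followed by its issuer,
    which is the order TLS requires. Raises ValueError when the set does not
    form exactly one chain (no unique leaf, a loop, or unrelated certificates),
    because silently picking some order would hide a misconfigured server."""
    if not certs:
        raise ValueError("empty chain")
    by_subject = {}
    for cert in certs:
        if cert.subject in by_subject:
            raise ValueError("duplicate subject: %s" % cert.subject)
        by_subject[cert.subject] = cert

    # The leaf is the one certificate nobody else in the set names as issuer
    # (a self-signed root names itself, which must not count).
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate, found %d" % len(leaves))

    ordered = [leaves[0]]
    seen = {leaves[0].subject}
    while True:
        current = ordered[-1]
        if current.issuer == current.subject:
            break                               # reached a self-signed root
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            break                               # root not sent; the truststore must supply it
        if issuer.subject in seen:
            raise ValueError("loop in certificate chain at %s" % issuer.subject)
        ordered.append(issuer)
        seen.add(issuer.subject)

    if len(ordered) != len(certs):
        raise ValueError("chain contains certificates not linked to the leaf")
    return ordered


def chain_is_orderable(certs):
    """True if order_chain() accepts the set, False otherwise."""
    try:
        order_chain(certs)
        return True
    except ValueError:
        return False


# Constructed sample: a server that sends its chain in the wrong order.
LEAF = Cert("CN=api.example.test", "CN=Example Issuing CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
MISORDERED = [INTERMEDIATE, ROOT, LEAF]

if __name__ == "__main__":
    for cert in order_chain(MISORDERED):
        print(cert.subject, "<-", cert.issuer)
```

Sorting only repairs ordering; it does not relax validation. Every link is still checked by the path validator afterwards, and a chain that is missing its root is accepted only if the truststore holds that root.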
- 18/07 2018, KR
. PP-725 Configuration now has active and uncommitted versions - when configserver starts, if no active configuration exists, it reads the uncommitted one and activates it. The previous configuration (usually portalprotect-configuration.xml) is the uncommitted version, and a serialized version is stored as the active one for each configserver. Configuration can be committed or rolled back, and differences between the two can be viewed.
. Added auditing of config changes done via the admin API.
- 01/05 2018, KR
. Gateway cookiesnapper failed if there was no session present.
- 30/04 2018, KR
. Bootstrapper prints out more output when a process terminates, and attempts to destroy it before restarting in case it is not entirely dead, but still dead enough to have lost the connection to the service launcher.
. Added support for modifying request headers and response headers on a destination in the gateway. This allows a destination to carry its own Host header or similar, independent of location. Destination headers are processed before the ones defined on locations or APIs, to ensure that a specific location can overwrite the values if needed.
. When downloading logfiles from configserver, the filename was not properly URL decoded.
- 17/07 2018, KR
. PP-722 Fixed bug in parsing conditions for user and usergroup - if conditions matched, script execution was also attempted, which would cause an error in parsing the script.
- 16/06 2018, KR
. Version 5.71.4 released
- 13/06 2018, KR
. Refactored JWTAuthentication Plugin - if some attributes in the configuration for the access token, such as sub or username, are replaced with non-default values, they are now carried over and used for introspection endpoints.
. When using the authorization code flow, the default JWT Authentication plugin did not store the created access token for use when presenting the authorization code later.
- 12/06 2018, KR
. PP-715: Added support for PKCE / RFC7636 when issuing OAuth2 tokens.
This allows an insecure client to use the authorization_code flow instead of the implicit flow to obtain a token. This works around an issue in mobile clients where it is possible for applications to hijack other applications' URLs and thereby their tokens.
- 29/05 2018, KR
. PP-713: Fixed parsing of SAML2 subject.
- 23/05 2018, KR
. Version 5.71.3 released
- 23/05 2018, KR
. PP-711 When validating SAML responses, we now support the signature being present on the Response object instead of the Assertion object, since some clients are known to send it that way in a (slight) violation of the standard.
- 23/05 2018, ARL
. CL-350: Refactored CA.NemIDProviderEntry and AbstractX509CertificatePlugin - getCAFromNemIDProvider() is now called with session as well - this can be used by subclasses to override the logic of which NemID signing certificate to use.
- 21/05 2018, KR
. Added LTPAAuthenticationPlugin - this plugin can both issue and validate LTPA Tokens for easier SSO with IBM products such as WAS, Liberty Server or iNotes. Added Gateway Authentication plugin and Target authentication plugin, both for authenticating using LTPA token cookies and for generating cookies for sending to backend servers.
- 15/5 2018, KR
. Version 5.71.2 released
- 15/5 2018, KR
. Useradminserver did not react to dynamic configuration changes to multisegment properties.
. Embedded undertow updated to 2.0.6.Final
. Gateway HTTP timeout now cancelled when the response is committed, allowing streaming of the response to continue beyond the timeout - this otherwise could cause failures for huge responses with low timeouts and clients on slow connections.
. Added logging of eventual "unhandled" exceptions in gateway.
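An added example (not the JWT Authentication plugin's code) of the PKCE mechanism the PP-715 entry refers to, showing both sides of the exchange: the client derives a code_challenge from a random code_verifier, the issuing side stores the challenge with the authorization code, and the code is only exchanged for a token when the verifier matches. This is why a code intercepted through a hijacked redirect URL is useless on its own. The in-memory server model, client id and token format are constructed; the verifier/challenge pair is the test vector from RFC 7636 appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes=32):
    """Client side: a fresh high-entropy verifier. 32 random bytes encode to
    43 characters, the RFC minimum; up to 96 bytes (128 chars) is allowed."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier, method="S256"):
    """Client side: the challenge sent with the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: %s" % method)


class AuthorizationServer:
    """In-memory model of the issuing side (constructed for this example):
    the challenge is stored with the authorization code, and the code is
    exchanged for a token only if the presented verifier hashes to it."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, challenge, method="S256"):
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, challenge, method)
        return code

    def token(self, client_id, code, verifier):
        """Return an access token, or None if the exchange must be refused."""
        entry = self._codes.pop(code, None)      # a code is single-use
        if entry is None:
            return None
        issued_to, challenge, method = entry
        if issued_to != client_id:
            return None
        if not 43 <= len(verifier) <= 128:
            return None
        if not hmac.compare_digest(code_challenge(verifier, method), challenge):
            return None
        return "at-" + b64url(secrets.token_bytes(24))


# Test vector from RFC 7636 appendix B.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def demo_exchange():
    """One authorization_code + PKCE exchange, then two refused attempts.
    Returns (token, replayed_code_result, wrong_verifier_result)."""
    server = AuthorizationServer()
    verifier = new_code_verifier()
    code = server.authorize("mobile-app", code_challenge(verifier))
    token = server.token("mobile-app", code, verifier)
    replay = server.token("mobile-app", code, verifier)            # code already used
    code2 = server.authorize("mobile-app", code_challenge(verifier))
    wrong = server.token("mobile-app", code2, new_code_verifier())  # verifier unknown
    return token, replay, wrong


if __name__ == "__main__":
    print(demo_exchange())
```

Only S256 gives the protection described above; with the "plain" method the challenge equals the verifier, so anyone who observed the authorization request already holds what the token endpoint will ask for.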
. SessionNeeded on locations was not ignored for disabled locations.
. Added support for json: prefix in macros to allow for JSON encoding of strings.
. RetrieveURLTask did not work for URLs constructed using the mapper using scripts/macros, but only for static URLs.
. Added introspection and revoke URLs to the default response for the /.well-known/openid-configuration URL in gateway.
- 13/5 2018, JN
. PP-708 Added new search method in user admin API to search on external user attributes directly
- 11/5 2018, KR
. The method "QuickUser[] searchUsers( Hashtable attributes, String sortRow )" is moved from IUserAdminAccess to IUserAdmin so it can be accessed by a system user in a batch job without logging anyone in.
- 28/04 2018, KR
. Fixed regression in dispatcher getStatusText() - listing of alternate servers and their status had disappeared as part of generics refactoring.
- 11/04 2018, KR
. Version 5.71.1 released
- 11/04 2018, KR
. PP-703 When running with multischema enabled in the useradmin server, ACLs were still checked without adding the instance ID as identifier. So if the session controller from where the ACLs are fetched uses an AuthorizationPlugin that goes to the database to fetch ACLs, then they would be fetched from the default schema instead of the specific one.
- 10/04 2018, KR
. Performance increase in repeated checkPermission calls made via admin API to console - speeds up all commands executed by the ceptor console.
. DefaultValidator now uses the provided agent instance when fetching ACLs instead of the default.
- 10/04 2018, JN
. Fixed possible db connection leak when schema was not found in user admin
- 04/04 2018, KR
. PP-697 Fixed bug in generating saml2 response, where audience would end up being null and the wrong URL (audience) was used to send the response to.
- 27/03 2018, JN
. PP-702 Fixed version handling for peer commands not being available if no peer was on the current thread (web apps could easily run into this).
- 25/03 2018, KR
. Version 5.71.0 released
- 25/03 2018, KR
. Performance optimization in LRUCache - no longer synchronized on gets - synchronization in agent moved to sync on the same session, so a single session is only retrieved once in case of multiple concurrent requests.
. Fix in useradmin server - if the user does not have access to any organisations, an error is now thrown instead of attempting to look up an empty list of organisations in the database. Fixed a bug in SQL search for searchUser() - if no search criteria were given (empty attributes hashmap) then the useradmin server generated invalid SQL (where and) - this is now fixed, even for empty search criteria.
. When installing only the Ceptor Gateway using the installer, the dispatcher directory was not included with the default SSL server certificate, causing the startup to fail.
- 25/03 2018, KR
. PP-697 Added support for generating and sending out IDP metadata for any configured service provider. This is available from the ADFS/WebSSO plugin, which supports the new configuration entry: websso.sp.xxxx.idp_metadata_XML_ (where xxxx is the service provider name). This WebSSO metadata is optionally signed. The gateway's ADFS/WebSSO authentication plugin supports this, so you can get the metadata using these URLs:
  https://localhost:8443/adfs?spname=local&metadatasigned
  https://localhost:8443/adfs?spname=local&metadataunsigned
  You must specify the name of the service provider, and ?metadatasigned or ?metadataunsigned to retrieve a signed or unsigned version of it. It is also possible to get SP Metadata for a configured identity provider by specifying the identity provider name and specifying if the data should be signed or not:
  https://localhost:8443/adfs?idpname=local&metadatasigned
  https://localhost:8443/adfs?idpname=local&metadataunsigned
  The configuration entry for storing SP metadata for an identity provider is: websso.idp.xxxx.sp_metadata_XML_ (where xxxx is the identity provider name).
  SAML requests can now be created for identity providers - the template is in the configuration for websso.idp.xxxx.samlrequest_XML_. You can also specify a keystore to load for creating signed and/or encrypted SAML requests when requesting authentication at an identity provider - this is done in the websso.idp.xxxx.keystore.* properties. If websso.idp.xxxx.encryptioncertificate is set, this certificate is loaded and can be used to encrypt SAML requests. A certificate specified in identity provider metadata can also be used instead. Encrypted SAML responses are now supported.
- 20/03 2018, KR
. PP-697 Added support for specifying audience in SAML2 assertions on the adfs/saml SSO service provider by setting websso.sp.xxxx.audience - the default is the URL specified in websso.sp.xxxx.url
- 18/03 2018, KR
. Version 5.70.7 released
- 18/03 2018, KR
. Dispatcher no longer started in default/example configuration. Anyone still using the dispatcher should migrate to the gateway as soon as possible. The dispatcher is still supported, but deprecated.
. Animations in Ceptor console disabled; this will make it load all screens faster in slower browsers.
. If the system property "ceptor.environment" is set, the environment name is shown in the title of the console. This can be used to indicate which environment (e.g. development, test1, test2, production) the console is for, and is useful if you have many environments.
- 16/03 2018, KR
. Fixed bug in gateway: when sending a 0 byte response body from a script, undertow would fail, terminating the connection without sending a response.
. Added support for client_credentials grant type to oauth2 token URL in JWT Authentication plugin.
. Server jar now built with Java 8 and will no longer load on earlier versions.
- 14/03 2018, KR
. Slight changes in coloring in the Ceptor Console dark theme to make the green color more readable. Also changed a few icons in the menu.
- 07/03 2018, KR
. Removed robots.txt from demoapp, and disabled directory browsing in jetty.
. Added X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Strict-Transport-Security response headers in default gateway configuration.
. Gateway now sends secure cookie by default when using https - and also sets domain when deleting the sessionfixation cookie.
. Fixed XSS problem when displaying errors in demoapp.
- 04/03 2018, KR
. Version 5.70.6 released
- 04/03 2018, KR
. In the gateway, session check/establishment can now be postponed until after the conditions match - this makes it easier to create a setup where you have e.g. different cookie names for different URL paths, without needing to create nested locations to first check the match, then change the session definitions.
- 26/02 2018, KR
. JWT Authentication plugins now get a chance to override which client_id and client_secret are used to call the token URL on an OpenID provider during the authorization_code flow - this allows controlling the ID used by means other than the configuration.
. OpenID Connect authentication plugin in gateway (and GUI in admin console) now allows using macros/scripts to specify client_id, identity provider name and authorization URL.
- 15/02 2018, KR
. PP-695 Embedded Jetty updated to 9.3.22. Fixed bug in httpproxy when encoding the query string before forwarding it.
- PP-693 When deleting cookies from the dispatcher, domain is now set on the cookie to delete.
- 09/02 2018, KR
. PP-694 Added tools menu to Ceptor Console, where you can obfuscate/deobfuscate a session ID, parse it and show details from within it; it can also encrypt/obfuscate passwords for use in configuration.
. JWT and DemoOAuth2AuthenticationPlugin now keep the session owner when restoring sessions.
- 06/02 2018, JN
. PP-568 Implemented remaining agent methods in the agent REST API
- 27/01 2018, KR
. Version 5.70.5 released
- 27/01 2018, KR
. Upgraded gateway undertow version to 1.4.22.Final
- 26/01 2018, KR
. PP-689 Conditions in gateway can now be flagged with "lowercase" - if so, the value (path, query parameter, macro etc.) is lowercased before checking against any of the defined values. This allows case-insensitivity for e.g. URLs or query parameter values. Note that hostnames are (still) always converted to lowercase before matching conditions, no matter what the flag is set to.
. Fixed a problem in the Admin Console, where any flags defined on regex pattern matching for URL Rewrites were written incorrectly to the configuration as "flags" instead of "pattern.flags".
- 24/01 2018, KR
. PP-688 Added cache of ACLs and Groups in UAAuthorizationPlugin to speed up first access after startup, where ACLs are loaded and checked.
- 22/01 2018, JN
. PP-526 Ceptor Console can now be used to manage ACLs, groups and users, including creating, editing or deleting users that are able to use the Administration API and the Ceptor Console.
- 18/01 2018, KR
. Updated ALPN to alpn-boot-8.1.12.v20180117.jar - please remember to change the path in your pp_launch.xml to point to the new file. Note that this requires Java 1.8.0_162, which is now bundled with Ceptor. The new bundled java version no longer requires the unrestricted JCE policy files, so that part has been removed from the installation.
- 17/01 2018, KR
. Gateway trace can now be activated explicitly from a script by calling context.trace.activate();
- 07/01 2018, JN
. PP-685 Updated ACL information for ppadmin interface on confluence and aligned ACL naming in the code for all API methods
- 04/01 2018, JN
. PP-680 Updated Ceptor support libraries to contain generics in the API methods for easier integration and to eliminate code warnings.
- 03/01 2018, KR
. PP-681 Gateway status now displays the current number of active, available and queued connections for each host.
    When HTTP/2 was not enabled between the gateway and the backend web server, available connections were not reused for new requests after a backend web server had been down; instead new connections were opened. Added trace info to the gateway trace to tell whether a connection was reused or not.
- 23/12 2017, JN
  . PP-670 Removed code warnings due to missing generics in some of the old APIs in PTAgent, UserAdmin and UserAdminAgent as well as the authentication and authorization interfaces
- 12/12 2017, KR
  . PP-676 Added defaults for domain.xxxxxx.crossdomain.transferstatenames so the configuration does not fail if it is not specified.
- 11/12/2017, KR
  . PP-674 If a POST request was processed by a location which pre-read the POST parameters to use for e.g. a location, then since upgrading Undertow the request would fail with a NullPointerException.
  . PP-675 Upgraded apache-ignite to version 2.3.1. Please note that you cannot do a rolling upgrade if you use Ignite, since the open source version specifically does not allow working with multiple versions concurrently.
- 08/12/2017, KR
  . Gateway now validates that targets defined in destinations have unique names, and refuses to validate the configuration if they do not.
- 04/12/2017, KR
  . PP-672 If ProxyCommandHandler's command fails with any exception, the exception is now handled and sent back to the requesting config server so it can handle it. Previously, it could cause the connection between the config servers to fail, cascading any errors from the agents.
- 02/12 2017, KR
  . Version 5.70.4 released
- 30/11 2017, KR
  . PP-668 When login() is about to be called but the user is already logged in, logoff() is called first on the authentication plugin which previously logged the user in. Now, logoff() has an extra parameter that specifies when this is the case, so the plugin can decide whether it wants to keep some state or not.
  . PP-669 Add string escaping by default to all filters used in LDAP lookups.
- 28/11 2017, JN
  . PP-664 Added a login method to the Agent REST API that takes an authentication plugin ID and userid/password, so the plugin can be specified instead of relying on the default.
- 16/11 2017, KR
  . Gateway bugfix: the SESSION_CUSTOMERID macro was not replaced with the customer ID, but was ignored.
  . Console bugfix: When adding JSON properties via the GUI for target authenticators on destinations, e.g. basic auth fields, they were incorrectly added as a JSON object in the destination instead of in the authentication object. Editing existing attributes within the authentication object worked fine; it was only a problem when creating new objects.
- 13/11 2017, JN
  . PP-650 Added support for useradmin supporting multiple schemas for different "instances" of the user admin database.
  . PP-651 Fixed an issue where an organisation could not be deleted through the user admin web application in certain situations (without an error being shown)
  . PP-652 Fixed an issue where an ACL could not be deleted in certain situations due to remaining foreign keys not being cleaned up properly
  . PP-655 It was not possible to search for challenges when a timestamp was added as a search parameter, due to wrong database access on some database types
  . PP-656 Organisations could be parents to themselves, ending up in endless searches for customers in those organisations.
  . PP-658 User administration server now requires Java 7 to support JDBC 4.1
- 12/11 2017, KR
  . Version 5.70.3 released
- 12/11 2017, KR
  . PP-661 Upgrade Undertow in gateway to v1.4.21.Final
- 10/11 2017, KR
  . PP-569 Added support for Microsoft OWIN and ClaimsIdentity in the .NET Agent. This requires minimum .NET v4.5, but the agent itself is still backwards compatible with .NET v2.0
  . If the error page script failed in the gateway, it could cause the gateway to fail while trying to handle the failure.
  . Updates to default pp_launch.xml: Removed the -XX:+UseG1GC option from the gateway, which would cause it to crash after some time, where the process would use a full CPU core and be dead (unreachable from e.g. VisualVM) but not exited. Also increased the max memory size of Ignite servers to 2 GB
- 06/11 2017, KR
  . PP-657 Refactored CACertHandler to use the newest Bouncy Castle API to avoid deprecated classes. Also, if pkcs_9_at_challengePassword is specified in a CSR, we now attempt to decode it using an ASN.1 decoder, and default to just treating it as a string in UTF-8 format if it is not sent as a PrintableString or UTF8String, which is what the PKCS#9 specification recommends.
- 26/10 2017, KR
  . PP-647 When a session is removed (the agent calls remove) it was previously an async operation, meaning the call completed immediately without waiting for the removal to take place and for all agents holding the session to be informed that they need to remove it. Now, the call is synchronous instead, so it only returns after the session is guaranteed to be removed everywhere. This ensures it is possible to remove a session and then immediately redirect a browser to call back in and get a new session. If this use case was used when the remove call was asynchronous, there was a small chance that the actual removal of the session would take longer than the browser would take to make the new call. This might be theoretical, but better safe than sorry.
- 24/10 2017, KR
  . PP-616 Dispatcher failed with a NullPointerException if allowAllFromIPRange was not defined in the configuration
- 23/10 2017, KR
  . PP-653 Added support for specifying SSL accelerator rules (sslacceleratorrule.xxxx) to the dispatcher as an alternate method of specifying that an SSL accelerator is used. It allows you to check HTTP headers to determine whether the call went via an accelerator or not.
    Beware of the possibility of spoofing: since the check does not rely on an IP address, the network infrastructure needs to ensure that requests cannot reach the dispatcher without going through an SSL accelerator box.
  . Added setIsFromSSLAccelerator() to the gateway so the check within the gateway can be overridden from a script, in case the built-in check possibilities on IPs / patterns are not enough.
- 20/10 2017, KR
  . PP-613 Gateway Trace can now be exported to PDF directly from the console. You can either export all entries, or select a single one and export just that.
  . In Chrome, when downloading a PDF, it would get a size of 0. This is now fixed by no longer setting cache settings on generated PDF files.
- 18/10 2017, KR
  . PP-649 Added Apache Ignite cluster. Added support for using Apache Ignite as the JWT datastore for access and refresh tokens. Over time, Apache Ignite will be used for more and more, but for now it is an optional component which can be used or not. The two classes dk.itp.security.authentication.oauth.data.AccessTokenIgniteStore and dk.itp.security.authentication.oauth.data.RefreshTokenIgniteStore implement the access and refresh token datastores respectively. The default timeout of authorization codes is 120 seconds, but you can change that by setting oauth2.authorizationcode.timeoutseconds to a different value. Note that if you wish, you can purchase enterprise versions of Apache Ignite, named GridGain, instead of the default open-source version that ships with Ceptor.
- 17/10 2017, JN
  . PP-651 Fixed it so organisations can be deleted through the user administration UI.
- 15/10 2017, KR
  . PP-644 Added OAuth2 introspection support to JWTAuthenticationPlugin and added default configuration to the gateway to call it. In the gateway, it is on the URL /oauth2/introspect
  . PP-643 Added OAuth2 token revocation support to JWTAuthenticationPlugin and added configuration to the gateway to support it when /oauth2/revoke is called.
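As an added illustration of the PP-657 entry above (example code written for this page, not Ceptor's CACertHandler), the following Python decodes a challengePassword attribute value the way that entry describes: a DER PrintableString or UTF8String is unwrapped, and anything else is treated as raw UTF-8 text. It assumes the attribute value bytes have already been extracted from the CSR; the sample inputs are constructed.

```python
"""Lenient decoding of a PKCS#9 challengePassword value taken from a CSR.

Added example, not Ceptor's own code. It assumes the caller has already
pulled the raw attribute value bytes out of the CSR; the sample inputs
below are constructed, not captured from a real request.
"""
import string

TAG_PRINTABLE_STRING = 0x13
TAG_UTF8_STRING = 0x0C
# Character repertoire allowed in an ASN.1 PrintableString.
PRINTABLE_CHARS = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")


def der_tlv(data: bytes):
    """Parse a single DER tag/length/value that must span all of `data`.

    Returns (tag, value), or None when the bytes are not one well-formed,
    minimally encoded DER element (the typical sign of a client that sent
    the password raw instead of ASN.1-wrapped).
    """
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:                       # short form: single length byte
        length, offset = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None                    # indefinite or absurd length: not DER
        length_bytes = data[2:2 + n]
        if length_bytes[0] == 0 or (n == 1 and length_bytes[0] < 0x80):
            return None                    # DER requires the minimal length encoding
        length, offset = int.from_bytes(length_bytes, "big"), 2 + n
    if offset + length != len(data):
        return None                        # trailing garbage or truncated value
    return tag, data[offset:offset + length]


def decode_challenge_password(raw: bytes):
    """Return (password, encoding) using the fallback order from the changelog entry.

    1. PrintableString containing only the permitted characters
    2. UTF8String that is valid UTF-8
    3. otherwise the raw bytes are treated as UTF-8 text (lenient fallback)
    Raises ValueError only when even the raw bytes are not valid UTF-8.
    """
    tlv = der_tlv(raw)
    if tlv is not None:
        tag, value = tlv
        if tag == TAG_PRINTABLE_STRING:
            text = value.decode("ascii", errors="replace")
            if set(text) <= PRINTABLE_CHARS:
                return text, "PrintableString"
        elif tag == TAG_UTF8_STRING:
            try:
                return value.decode("utf-8"), "UTF8String"
            except UnicodeDecodeError:
                pass                        # fall through to the raw interpretation
    try:
        return raw.decode("utf-8"), "raw"
    except UnicodeDecodeError as exc:
        raise ValueError("challengePassword is neither DER-encoded nor UTF-8 text") from exc


# Constructed sample values, one per branch.
SAMPLES = {
    "printable": b"\x13\x06secret",             # PrintableString "secret"
    "utf8": b"\x0c\x06p\xc3\xa5s\xc3\xb8",      # UTF8String "p\u00e5s\u00f8"
    "raw": b"hunter2",                          # no ASN.1 wrapper at all
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, decode_challenge_password(value))
```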
  . RefreshTokenMemoryStore now supports sharing tokens in the cluster, but you should still not use it for production, since tokens are not persisted but only kept in memory.
- 12/10 2017, KR
  . Save/cancel buttons in script/macro dialogs are now slightly better looking, and Ctrl-S is a shortcut for save.
  . charset in the default config changed from UTF to UTF-8 to comply with particularly picky clients.
  . Fixed .cmd/.sh files so they now start the correct JVMs from the default pp_launch.xml. Also added pp_all.cmd/.sh and pp_gateway.cmd/.sh
- 10/10 2017, JN
  . Added save and cancel buttons to script and macro dialogs in the Ceptor admin UI, so users have the chance to cancel their changes without saving (previously, closing the window would save data no matter what).
- 08/10 2017, JN
  . PP-637 In the Ceptor Console, added more convenient code completion in script editors, only showing the attributes/methods actually allowed at the time Ctrl-Space is pressed (the previous implementation showed a complete list of everything). Now it works like normal code completion in an editor.
- 08/10 2017, KR
  . Version 5.70.2 released
- 08/10 2017, KR
  . PP-640 In the Ceptor Console, you can now choose between the default light scheme and a dark scheme. This allows you to customize the console based upon your preferences.
  . PP-630 Added support for creating session controller authentication plugins in scripts instead of just Java code. Creating plugins as scripts means that you do not need to recompile and deploy changes, only update the script in the configuration, so for some organisations this is easier.
- 06/10 2017, KR
  . PP-638 A ClassCastException would occur when the session controller tried to serialize an object to send it to an agent, if one of the state variables contained an object instead of a string.
    Non-string values have never been allowed in state variables, but it has worked somewhat, since previously they were converted to strings when serialized. Since we added generics to the code, the compiler added a cast to String automatically, and this caused the error. Now, all non-strings are removed before sending and an error is logged. The reason why only strings are supported in state variables is that it forces you to think about sizes: you cannot throw entire object trees into the session by mistake. State Objects, however, exist and can be used with care if you need to have actual serializable objects in the session.
- 05/10 2017, KR
  . PP-636 Ceptor now passes the OpenID Connect certification tests for basic, implicit and hybrid.
  . When using hybrid flow, issuing "token id_token code", the id_token did not contain the c_hash claim. It is now added.
  . Added oauth2.accesstoken.datastoreclass, which can be used to specify an access token datastore that is able to persist access tokens and look them up. By default, an in-memory datastore is used which shares data between session controllers in the cluster, but it does not offer persistence. To provide proper persistence of both access tokens and refresh tokens, you should implement the proper stores and point to your preferred datastore. JWTAuthenticationPlugin refactored so it is easier to extend: you can now just subclass it, override the login method, and then do whatever you need to do after super.login() has completed.
- 04/10 2017, JN
  . PP-637 First cut of code completion in scripts, with method completion available on httpExchange, sessionId, geoip and more.
- 03/10 2017, KR
  . If JWT certificates were loaded from a URL, they were not properly reloaded after signerCertificatesRefreshIntervalMinutes expired.
  . Requested scope is now always added to access tokens if they are in JWT format.
  . Errors sent on the token URL are now sent with HTTP response code 200.
  . Default JWTAuthenticationPlugin now returns an error if the offline_access scope is requested but not permitted for a particular client, instead of ignoring it.
  . max_age checking in the default authentication script in the gateway was not working correctly.
- 02/10 2017, KR
  . Gateway scripts can now get the value of a macro by calling context.macro(), e.g. context.macro("%{HOST}"). This allows for a simple way of getting e.g. the hostname, or the value of a header, without having to code a call to the appropriate Undertow API to obtain it.
  . If a request to oauth2/token does not contain client_secret in the POST parameters, and it is present in the basic auth header, then the one from the basic auth header is used by default.
- 01/10 2017, KR
  . PP-628 Added support for authentication using Swedish BankID using the authentication plugin dk.itp.security.authentication.bankid.se.BankIDSEAuthenticationPlugin. This allows authentication and signing using the Swedish BankID.
  . Demoapp did not look in the Ceptor session for client id and state when showing the confirm page, so if the gateway originated the request, it would display null instead of the client_id and scope.
  . Gateway did not read the SSL header from the "header.secure" JSON property, but by mistake from "header.issecure".
- 29/09 2017, KR
  . PP-629 Admin client and GetConfigurationCommand are now able to handle >64k size for a single property. Note that this is implemented in the .NET and Java agents, but older Java 1.4 agents will see truncated values. This should not be an issue, since none of them have configuration entries of this size.
  . Fixed bug in handling excluded SSL protocols/ciphers: depending on the JDK version, you might get an UnsupportedOperationException if the JRE default settings contained excluded SSL protocols/ciphers.
  . PP-634 Added the oauth2.refreshtoken.datastoreclass property to the JWT Authentication plugin. This allows specifying a data store for long-lived refresh tokens; the datastore must be able to store and look up persisted sessions based upon refresh tokens, and must support automatic cleanup. For testing, you can use oauth2.refreshtoken.datastoreclass.RefreshTokenMemoryStore, which only keeps refresh tokens in memory.
  . If a gateway location is disabled, it now shows a different icon in the gateway configuration in the console.
- 29/09 2017, JN
  . PP-633 LDAP Access controller implementation and code cleanup of unused certificate methods
  . It is now possible to configure the standard-named authentication plugin LDAPAuthenticationPlugin instead of the old name LoginHandlerLdapImpl. Functionality is exactly the same!
- 24/09 2017, KR
  . PP-625 When editing a configuration property in the console, if the property is a JSON property (the name ends with _JSON_) then a JSON editor is used instead of the plain text field. If the content is a script (value starts with "%{script") then the corresponding script editor is shown, and the script is compiled and any errors are shown in the validation GUI. Also fixed the layout and handling of very large strings in the edit dialog.
  . PP-626 When returning connections to the connection pool, the IO thread is now always used.
  . PP-627 Improved context-dependent authorization examples. ConfigBasedAuthorizationPlugin can now add scripts and JSON property data policy entries to an ACL by reading them from the configuration. This is done by reading acl.script.XX and acl.json.XX property entries and adding new DataPolicies for them. The DefaultValidator now calls the PolicyExecutor if any data policies are defined on an ACL. Added the IExtendedAgentValidator2 interface; it allows the validator to receive more information, such as the identifier and agent as well as the User class, so it has more information available to do its authorization.
    Having the agent instance available makes it easier to use in a setup where multiple agents are used in the same process.
  . Hexdump offsets are now 8 characters long instead of 4. This will improve logging of large dumps.
  . Added dk.itp.security.utils.XMLEncoder, which can be used to encode/escape XML.
  . Removed bogus error in the log upon startup of JWTHelper if no keys were configured, but a URL to retrieve them was.
- 18/09 2017, KR
  . Version 5.70.1 released
- 18/09 2017, KR
  . Previously, if login was done on a session where a previous user had already logged in, the old userid was remembered and restored if login failed. This could lead to weird behavior in multi-step authentication, where the userid would be restored to the previous user. So, this is now removed and the userid is not restored. It is up to the authentication plugin to wait with changing the userid until it wants to keep it in the session.
  . Dispatcher would add a session fixation cookie even when not needed, since the user was not authenticated.
  . PP-616 Added allowAllFromIPRange to the dispatcher. If set to a valid range name, any session is allowed to be used from an IP address within this range. This allows you to set up a range of internal IP addresses from which all sessions may be used. It must point to a valid configured range. Can be overridden per alternateserver with: alternateserver.xxxx.allowAllFromIPRange
- 15/09 2017, JN
  . PP-623 Fixed login error using challenge/authentication method when the organisation does not exist any more
  . Added additional SQL server-side logging on user admin server exceptions
- 14/09 2017, KR
  . PP-617 UserAdminAgentImpl now has an init() method that takes no arguments, to be compatible with earlier versions.
  . PP-621 Added ability to list sessions for authenticated users within the session controller per auth plugin in the console.
  . PP-622 Successful SSL handshakes are now logged as debug info, and failed SSL handshakes are logged as warnings.
    This uses the logger named "jetty.sslhandshake" and only applies to Jetty, meaning the dispatcher and any other services that are configured in pp_launch.xml with a webserver section.
- 13/09 2017, JN
  . PP-618 On some useradmin databases, it was not possible to delete an organisation without attached profiles.
  . PP-619 Fixed an issue where it was not possible to fetch a user after deleting the organisation the user was attached to.
  . PP-620 Cleaning up references to users when an organisation is deleted
- 10/09 2017, KR
  . When recording CPU info, results are now cached for 1 second, since it is relatively expensive to do it often.
  . If fetching any remote server's serviceinfo fails, the console will no longer log that it had problems logging in. Instead, it will just show the servers overview for the working components.
- 02/09 2017, KR
  . Version 5.70.0 released
- 01/09 2017, KR
  . PP-611 Gateway improvement: You can now customize the error page response body which is sent if e.g. all backend servers are down. This is done using a script which creates the response body; see the Gateway --> Plugins page in the documentation for more information and an example script.
  . Bundled Java JRE is updated to Java 8 update 144.
  . PP-612 Clicking on a session ID within the gateway trace in the console that contained + characters didn't work, but showed empty session contents.
  . Gateway accesslog type can now be set to "none" to disable access logging completely.
- 30/08 2017, KR
  . PP-610 Added wildcard pattern matching in the sslaccelerator IP list in the gateway. This allows specifying that e.g. 172.* IP addresses are all SSL accelerators, which is especially useful in an AWS setup where the load balancer in front of the gateway keeps changing IP address.
- 28/08 2017, KR
  . JWTHelper now supports loading JWKS URLs in v2 and v3 format from Google.
  . signerCertificatesRefreshIntervalMinutes added; if specified, it is used instead of signerCertificatesRefreshIntervalHours when determining how often to reload certificates/keys. The default is also reduced from 24 hours to 1 hour.
  . Sample Derby database: custid2 column is now 40 chars to leave room for a UUID.
  . Small change to JWTHelper: subject is now only set when issuing claims if not already set by the list of configured scope claims. This makes it possible to override the value of the sub claim.
- 27/08 2017, KR
  . PP-604 Added transformation of attributes from identity provider sources to JWTHelper. This means that when parsing individual tokens from Facebook, LinkedIn or from a JWT token issued by an OpenID Connect compliant identity provider, tokens can now be mapped from one value to another. The mapping supports macros and scripts and can map simple things like e.g. combining firstName+lastName into one username, or it can do complex mapping by running JavaScript code to process incoming claims and calculate values depending upon them.
- 24/08 2017, KR
  . PP-601 If a script in the gateway sends a response, the remaining locations and/or pipeline tasks are now cancelled
  . PP-605 OpenID Connect / JWT plugin now supports the LinkedIn variant of OpenID Connect. They do not support the ID token, but instead issue an access token that can be used with their API to retrieve user information.
  . PP-603 Updated to Undertow v4.19.Final, which fixes some logging noise. Also added the possibility of disabling HTTP/2 support on listeners. This is done on a per-gateway level in the gateway settings, and can be used if you do not wish to use the HTTP/2 protocol. Also added support for the proxy protocol defined by HAProxy. This allows products in front of Ceptor, e.g. HAProxy, to forward information about the client's source/destination IP and TCP ports in a much more efficient manner than having to modify the HTTP headers. This can be enabled per listener.
- 23/08 2017, KR
  . PP-600 When the gateway webserver is enabled, you can now customize the 404 Not Found page sent if a resource was not found on disk.
- 21/08 2017, KR
  . PP-598 Added support for an OAuth2 logout URL; updated the sample gateway config to include /oauth2/logout and send it to the session controller to validate the input parameters. If valid, the user is logged off and redirected to the resource provider's logoff URL. Added a new property to specify valid logout URLs to the session controller: oauth2.client.xxxx.allowedlogouturis, if using the oauth2 client properties provider.
  . Added validation of the webserver directory to the gateway.
- 15/08 2017, KR
  . PP-596 RouteNode, used by the admin API / config server to match nodes, had a bug introduced in v5.67 which caused admin API methods to stop working when called with a plain server name; it only worked if the full routenode name was given as input. Now fixed, so it works if only a plain server name like "configserver1" is given.
  . Moved LogbackEvent2Log4jWrapper from server to agent so it is available for use by the admin client API. Without it, the admin client could not deserialize log events.
- 15/08 2017, KR
  . Version 5.69.1 released.
- 15/08 2017, KR
  . Version naming changed. From now on, the versioning is .. instead of . as it previously was.
- 15/08 3027, KR
  . PP-592 The pp_custom_expiresat attribute within a session check didn't work: any session with an expires-at would get timed out at the next check.
  . PP-594 Fixed Gateway bug in cookiesnapper that occurred if more than one cookie was attempted to be removed from the response for a single request. If the session already contained previously snapped cookies, it would generate an ArrayIndexOutOfBoundsException and the cookie would not be removed from the response.
  . PP-593 WebServicesLauncher now adds the Bouncy Castle provider so it is available for use from SSL libraries.
- 10/08 2017, KR
  . Version 5.69 released.
- 08/08 2017, KR
  . PP-590 Jetty accesslog in the dispatcher now works again. Jetty had changed their format, so you need to update jetty-requestlog.xml on the dispatchers so they resemble the updated one in dispatchers/jetty-requestlog.xml
  . Gateway tracer now also displays the Host header in the list of recorded URLs.
  . Gateway now contains additional methods that can be used by scripts, which write a response containing either a byte[], a ByteBuffer or a file.
  . PP-591 New feature in the gateway: it now supports serving static resources from disk. This can be used for e.g. emergency pages, error pages, stylesheets etc. that you wish to serve directly from the gateway.
  . Locations can now also be marked as disabled (by setting location.enabled to false). If they are, they are ignored. This provides an easy way of keeping a location in the configuration but only enabling it when you need to.
  . Created a sample maintenance location which can be manually enabled if a site is under maintenance.
- 06/08 2017, KR
  . PP-588 You can now add a gateway usage overview diagram to a dashboard. This enables you to get a visual overview of the traffic on the various locations and destinations, as well as the average response time per destination. This diagram is also available within the server status for each gateway. Gateway now adds statistics for the time used within a pipeline
- 06/08 2017, JN
  . Added getServerConfiguration method to AdminClient for access to the full server configuration of a named server
- 03/08 2017, KR
  . PP-586 Support inheritance in JSON configuration and create a GUI for overriding listener settings in the gateway config. If an inherited JSON configuration contains the array "json.config.override", it can contain a list of keys for which configuration from the parent is overridden. Additionally, the console now allows gateway configuration for multiple gateways to inherit from multiple parents and override listener settings for each gateway (e.g.
    to specify separate IP addresses to bind on).
- 22/07 2017, JN
  . PP-585 Added support for the statistics REST service to take formatted start/end time (not only time in milliseconds)
- 21/07 2017, JN
  . PP-582 REST services sample configuration added. REST statistics services now support details and time search
  . PP-583 With some REST clients, query parameters were not URL-decoded properly, which meant that providing a list of elements to the REST services would not work
  . PP-584 Lookup in statistics through REST services when function names contain spaces resulted in a wrong lookup without a proper result.
- 20/07 2017, KR
  . Version 5.68 released.
- 20/07 2017, KR
  . PP-580 Within the gateway tracer in the console, all session IDs displayed in the "Debug information" view are now clickable links. If you click on them, you can see the session contents/details. If multiple session controllers exist, you are prompted to select which one to view the session within.
- 19/07 2017, KR
  . Undertow updated to v1.4.18Final
  . Previously in the gateway, the Connection, TE, Transfer-Encoding and Expect headers were not copied from client to server, to avoid problems with protocol differences. The newer Undertow version filters out these headers for the protocols they do not work on, so we now copy all of them by default. This behavior can be changed by removing them (setting them to blank) in the headers on a location, but keeping them ensures that WebSocket works by default without needing to add any headers to the location manually.
- 18/07 2017, KR
  . PP-527 Added support for the Groovy and Python scripting languages, and reworked the implementation to precompile all script types and keep "Bindings" separate per thread.
  . Fixed issue in saving portalprotect-configuration.xml: JSON values were saved as CDATA, but Danish characters were not saved properly. Now, the XML character set is explicitly set to UTF-8 when saving the file.
  . Gateway trace now shows the response time in the list of requests.
- 16/07 2017, KR
  . Version 5.67 released.
- 16/07 2017, KR
  . PP-469 Dispatcher alternateservers / targets and their status now also show in the component overview graphs.
- 14/07 2017, KR
  . PP-579 Session settings can now be overridden per location within the gateway. This allows you to e.g. only support bearer tokens if the content type is "application/json" or if the hostname is api.mysite.com
- 13/07 2017, KR
  . PP-578 Gateway bugfix: if the sslaccelerator property was not set, the gateway failed with a NullPointerException when parsing the configuration.
- 12/07 2017, KR
  . Added new macros for the gateway: SERVER_PROTOCOL_VERSION, GATEWAY_NAME and SERVER_SOFTWARE_VERSION. This allows you to specify the Via: header like this: %{SERVER_PROTOCOL_VERSION} %{GATEWAY_NAME} (%{SERVER_SOFTWARE}/%{SERVER_SOFTWARE_VERSION}) which ensures that it follows the regular standard. Note that you can omit the software/version if you wish to hide that from clients.
  . PP-573 Dispatcher updated to allow IP switching for anonymous users (besides the other rules based on IP list or GeoIP matching). allowAnonymousIPSwitch can now be set to true, or alternateserver.xxxx.allowAnonymousIPSwitch can be used to enable this for specific alternate servers. You should be careful when using this, since if a user then logs on after having changed IP, his next request will immediately fail since he is no longer anonymous. Instead, you should use GeoIP or similar.
- 11/07 2017, KR
  . PP-576 Bugfix in gateway: any configured HTTP response header on a location was created/added twice if the action on a location was "respond".
  . PP-577 Bugfix in gateway: Domain on added response cookies was not used; the configuration was parsed improperly.
- 10/07 2017, KR
  . PP-574 OpenID Connect / JWT plugin now supports the Facebook variant of OpenID Connect: Facebook Connect.
- 07/07 2017, KR
  . PP-469 Added Graphical overview to the Ceptor console. It allows you to see all agents, session controllers, config servers etc. and how they connect to each other. For gateways, you can also see the status of all destination target servers. If any are down, you can see their status immediately.
- 06/07 2017, KR
  . PP-570 Bugfix in Ceptor Console: Server Status did not show how many requests were processed by dispatchers; the graph was empty.
- 05/07 2017, KR
  . PP-569 Added macro as a condition type to the gateway. It can e.g. be used to check if %{SERVER_ADDR} matches a specific IP address in case of listening on multiple interfaces.
  . SPNEGO target authenticator could get a NullPointerException while pinging a destination target server, when attempting to log an authentication failure.
- 02/07 2017, JN
  . PP-568 Added more REST methods for the Agent service
- 30/6 2017, JN
  . PP-554 New REST API for status, administration and Agent functionality. The REST API services can be instantiated as a self-contained web app or inside existing servers to share configuration. Functionality to extract status and statistics, run administration commands or agent integrations runs separately, allowing for distributed deployment as needed. Refer to the Confluence page for more information on the API and configuration.
- 24/06 2017, KR
  . Version 5.66 released.
- 23/06 2017, KR
  . PP-561 Major new functionality added to Ceptor Gateway: Pipelines and Tasks. This enables Enterprise Service Bus-like functionality where you can call multiple APIs, do data format conversions and chain responses together to aggregate service calls. Refer to the online documentation for details. Also note that the default configuration in the distribution contains a few examples of how to use pipelines to construct complex services within the Gateway itself. More tasks will be added in future releases; please also give us input if there is any functionality you would like prioritized.
- 22/06 2017, KR
  . PP-567 Reordered gateway tracing so the newest request shows up on top, and response codes are now shown colored depending on status.
- 21/06 2017, KR
  . PP-564 Added sample configuration for an OAuth2 identity provider in Ceptor gateway.
  . PP-565 Added organisation read methods to the IUserAdmin interface so they can be read by a system.
  . PP-566 Implemented OpenID Connect discovery API server, and JWKS endpoint. Refer to https://asseco-dk.atlassian.net/wiki/display/CEPTOR/OpenID+Connect+Identity+Provider for details.
- 20/06 2017, KR
  . PP-553 Fixed classpath when initializing the JavaScript library in Ceptor gateway, so classes from the agent can be loaded and referenced from JavaScript code within the gateway.
- 17/06 2017, KR
  . Fixed gateway bug in handling nested locations that did not return a result or proxy; handling those could lead to loops.
- 16/06 2017, KR
  . PP-560 Gateway improvement: Conditions on locations, urlrewrite, tracing etc. now have a flag telling if they are of type "AND" or "OR". "AND" is the default, which means all specified conditions must match; with "OR" only a single condition needs to match.
- 14/06 2017, KR
  . PP-563 WS-Security cleanup: the Axis 1.4 web service handler is deleted and no longer supported. WebService Axis classes moved to extlib_extras so they are no longer in the main classpath. WSS4J 1.6.19 and xmlsec 1.5.8 are now provided in the distribution, replacing the older versions. You are not forced to update your current older versions; they will still work.
- 13/06 2017, KR
  . PP-562 Update Undertow to v4.1.16_Final to get various HTTP/2 fixes into the gateway.
- 08/06 2017, KR
  . Added support for the %{literal} prefix in gateway mappers/script values.
  . Bugfix in console: SPNEGO authentication plugin configuration entered in the GUI was not saved, so you needed to specify it directly in the JSON settings instead.
- 30/05 2017, KR
  . Version 5.65 released.
- 30/05 2017, KR
. Gateway looked for JSON key "samesite" instead of "cookie.samesite" in settings when looking up cookie session settings.
. Gateway StateHolder class now has getSessionVariable()
. Added sample script for authorization in gateway configuration.
. Ceptor Console - updated Vaadin to v7.7.9
. PP-555 Gateway bugfix - if the target server sets a cookie on its first request, the sticky cookie set earlier during processing would be overwritten.
. PP-556 Gateway fails trying to activate configuration if the hostname of a single target server contains characters which java.net.URI will not parse - this includes underscores, too many dots and other oddities. Now, the gateway validates this as part of parsing the configuration and the console also validates it, so invalid hostname values can no longer be specified within the console.
. PP-557 Gateway bugfix: Marking a target server as disabled or unavailable in the configuration had no effect.
. Ceptor Console improvement - when viewing traces with gzipped content, you can now elect to show the unzipped content instead within the console. If the full content is not recorded, as much as possible will be shown.
- 29/05 2017, KR
. Gateway Config refactored, some inner classes moved out. New pipeline tasks added, they are not yet actively used. User-Agent header now set to "ceptor.io" instead of "PortalProtect" when pinging a server. If the frontend is HTTP/2, and the request is not yet completed, we add a transfer-encoding: chunked header to the backend request, since we might have additional data to send.
- 11/05 2017, KR
. Version 5.64 released.
- 11/05 2017, KR
. PP-552 Fixed bug where the set-cookie header was not copied from the target server response if sticky was enabled.
- 10/05 2017, KR
. PP-551 Added various style changes for Ceptor Console. Login screen reworked, Ceptor logo added and UI tweaked.
- 30/04 2017, KR
. PP-549 Added support for limit qualifiers to gateway locations - enables qualifying limits so requests per second or concurrent requests are counted per IP address, per client ID or whatever attribute or state variable you wish to base it upon.
- 29/04 2017, KR
. PP-548 Added "Canned Responses" to gateway - instead of specifying a complete response in a Location, you can now configure Canned Responses and reuse them from multiple locations. It is still possible to override individual parts, e.g. HTTP status code, and copy the rest from the canned response.
- 24/04 2017, KR
. PP-528 Added support for validation of configuration before it is saved - can be done via the admin API, where e.g. the Ceptor Console can ask servers to validate the result of a property change before saving it. This is now used for the Gateway, where gateway configuration is validated by the gateway, which checks that e.g. the SSL protocol is valid, the JCE provider exists, SSL certificate files and keys exist and can be opened, and DNS names are valid.
. Closing/deleting a dashboard in the Ceptor Console did not work.
- 18/04 2017, KR
. Version 5.63 released
- 18/04 2017, KR
. PP Distribution was shipped with Undertow v1.4.10Final instead of v1.4.12Final, this is now fixed.
. Added description of REQUEST_URL to Ceptor Console editor.
. PP-543 When verify.server.certificate is set to false in the gateway, SSL hostname validation is now also turned off; previously the JRE's hostname validation still ran even when our validation of the actual certificate was turned off.
- 15/04 2017, JN
. PP-542 Sample database engine for useradmin is now Derby instead of the deprecated JavaDB.
- 11/04 2017, KR
. Version 5.62 released
- 11/04 2017, KR
. PP-540 Fixed bug in Gateway which caused configured request cookies to be added to the response instead of just to the request. This was introduced as part of reversing the order that response headers and cookies are processed in.
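The PP-549 entry above describes limits that are qualified by a request attribute. The following is an added example, not Ceptor's own implementation, showing one way such a qualified limit can be kept: a sliding window of hit times per qualifier value. Class and function names are this example's own, and requests are modelled as plain dicts with "remote_addr" and "headers" entries (an assumption of the example).

```python
"""A sliding-window request limit qualified by a request attribute.

Added example, not Ceptor code: a requests-per-window limit keyed by IP
address, client ID or any other attribute a qualifier function extracts.
"""
from collections import deque


class QualifiedRateLimit:
    """Allow at most `limit` requests per `window_seconds` per qualifier value."""

    def __init__(self, limit, window_seconds, qualifier):
        self.limit = limit
        self.window = window_seconds
        self.qualifier = qualifier        # function: request -> key string
        self._hits = {}                   # key -> deque of hit times (seconds)

    def allow(self, request, now):
        """Record the request at time `now` and return True if it is within the limit."""
        key = self.qualifier(request)
        hits = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:  # drop hits that have left the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def current_count(self, key):
        """Number of hits currently recorded for a qualifier value."""
        return len(self._hits.get(key, ()))


def by_ip(request):
    """Qualifier: one bucket per client IP address."""
    return request["remote_addr"]


def by_client_id(request):
    """Qualifier: one bucket per X-Client-Id header value.

    Requests without the header share a single "anonymous" bucket, so a limit
    keyed this way belongs behind authentication or combined with by_ip.
    """
    return request["headers"].get("X-Client-Id", "anonymous")


if __name__ == "__main__":
    # constructed request and timings: 2 requests per second per IP
    limiter = QualifiedRateLimit(limit=2, window_seconds=1.0, qualifier=by_ip)
    req = {"remote_addr": "10.0.0.1", "headers": {}}
    print([limiter.allow(req, t) for t in (0.0, 0.1, 0.2, 1.05)])  # [True, True, False, True]
```

The third request at t=0.2 is refused because two hits are still inside the one-second window; at t=1.05 the hit from t=0.0 has aged out, so the request is allowed again. A concurrent-request limit would use the same keying with a counter that is decremented when the response completes.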
. PP-541 Gateway updates: trusted.server.certificates can now contain a JSON array of filenames or PEM-encoded certificates (prefixed with -----BEGIN CERTIFICATE) - if specified, these are used as trusted certificates. SSL server certificate validation can also be turned completely off by setting verify.server.certificate to false.
- 09/04 2017, KR
. Version 5.61 released
- 09/04 2017, KR
. Default authentication plugins which rely on the useradmin database now look at statuscode 2 as well as statuscode 6 and consider both to mean locked, refusing login.
. Added additional tracing of gateway response headers, visible when tracing is enabled. Gateway now reverses the order that response headers and cookies are processed in - they are processed with the last location first, whereas request headers and cookies are processed sequentially starting with the first defined mapping rule. When creating a new gateway configuration, it now has a reasonable default, listening on port 8000/8443 and forwarding all requests to port 127.0.0.1:8080.
. Ceptor Console now displays timing in milliseconds in trace.
- 06/04 2017, KR
. Updated Ceptor Gateway's undertow version to 1.4.12Final
- 04/04 2017, KR
. PP-537 Ceptor Console JavaScript/mapper editor failed to validate all invalid mapper constructs, e.g. invalid regular expressions.
. PP-536 Ceptor Console login failed in a setup with older agents (e.g. v5.20) which did not reply to service info requests with the expected parameters.
. Various small Ceptor Console updates: Fixed HTML styling issue in console server view in MSIE11, where server type appeared on top of CPU percentage. Updated to Vaadin 7.7.8 to enable "right-clicking" by long-tapping on iPad. Default gateway configuration now contains empty sessions, gateway, locations and destinations objects to allow parsing without errors. SSL settings truststore provider and keystore type textfields no longer prefilled with values.
. PP-538 Added support for bindaddress and bindport for destinations and target servers. This allows you to specify a specific network interface (and TCP port) to use when connecting to a target server.
. PP-539 Added example configuration for storing logs in Elasticsearch - refer to classes/logback.xml and classes/launcher/logback.xml for examples.
- 31/03 2017, KR
. Ceptor Console's server view now uses different icons depending on server type to make it easier to find a particular server in the list. Changed color of loading indicator to make it easier to see.
. Ceptor Gateway changes: added Http2UpgradeHandler to support HTTP/2 Upgrade requests and not just ALPN with http/2. Updated gateway's handling of SSL client certificates forwarded in an HTTP header to support formats where the PEM encoding identifiers (-----BEGIN CERTIFICATE-----) were missing.
- 27/03 2017, KR
. PP-534 Agent.getInstance().getSessionFromTicket() now accepts an additional parameter, "queryAllClusters" - when set to true, all connected session controller clusters will be queried first to check if one of them has a session for the ticket/token provided before one of them is asked to create it. This allows e.g. JWT tokens to work with multiple clusters where you might not know which cluster already has a copy of the token, if any. Dispatcher and gateway updated to set this flag to true.
- 19/03 2017, KR
. PP-533 Added support for specifying clock skew in seconds per JWT token configuration - used when validating JWT tokens when there is a potential time difference between the issuer and validator machines.
- 15/03 2017, KR
. Version 5.60 released
- 13/03 2017, KR
. PP-523 Added wss.timestampslack to WS-Security; it specifies the number of seconds to allow in timestamp "slack", meaning the number of seconds the creation or expiration timestamp is allowed to be out of sync. The default is 60 seconds.
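Both the PP-533 clock skew for JWT tokens and the PP-523 wss.timestampslack entries above are the same check: a timestamp comparison that tolerates a bounded clock difference between issuer and validator. The example below is added here and is not Ceptor code; it shows that check for a WS-Security Timestamp (Created/Expires) and for JWT exp/nbf/iat claims. Function names are this example's own, times are Unix epoch seconds, and the handling of absent JWT claims is this example's choice.

```python
"""Timestamp checks with a configurable skew allowance.

Added example, not Ceptor code: illustrates the kind of check behind
wss.timestampslack (WS-Security Created/Expires) and the per-token clock
skew used when validating JWT time claims.
"""
from datetime import datetime, timezone

DEFAULT_SLACK_SECONDS = 60  # the default the changelog states for wss.timestampslack


def parse_wss_time(text):
    """Parse a WS-Security xsd:dateTime such as 2017-03-13T12:00:00Z and
    return Unix epoch seconds (UTC assumed when no zone is given)."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def check_wss_timestamp(created, expires, now, slack_seconds=DEFAULT_SLACK_SECONDS):
    """Return (ok, reason) for a Timestamp element.

    Created may be at most `slack_seconds` in the future and Expires at most
    `slack_seconds` in the past; Expires must also lie after Created.
    """
    if expires <= created:
        return False, "Expires is not after Created"
    if created > now + slack_seconds:
        return False, "Created is too far in the future"
    if expires < now - slack_seconds:
        return False, "Expires is too far in the past"
    return True, "ok"


def check_jwt_times(claims, now, clock_skew_seconds=0):
    """Validate exp, nbf and iat (NumericDate seconds) allowing `clock_skew_seconds`.

    Claims that are absent are skipped (they are optional in RFC 7519); whether
    to require them is a policy decision this example leaves to the caller.
    """
    exp = claims.get("exp")
    if exp is not None and now > exp + clock_skew_seconds:
        return False, "token expired"
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - clock_skew_seconds:
        return False, "token not yet valid"
    iat = claims.get("iat")
    if iat is not None and now < iat - clock_skew_seconds:
        return False, "token issued in the future"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample: a Timestamp whose Created is 30 s ahead of our clock
    now = parse_wss_time("2017-03-13T12:00:00Z")
    created = parse_wss_time("2017-03-13T12:00:30Z")
    expires = parse_wss_time("2017-03-13T12:05:30Z")
    print(check_wss_timestamp(created, expires, now))      # (True, 'ok') with 60 s slack
    print(check_wss_timestamp(created, expires, now, 10))  # rejected with only 10 s slack
    print(check_jwt_times({"exp": 1489406400}, 1489406430, 30))  # (True, 'ok')
```

The slack is applied in the direction that favours acceptance on each boundary: a Created slightly in the future and an Expires slightly in the past are both tolerated up to the configured number of seconds, which is why the value should stay small (the page's default is 60 seconds) and clocks should still be synchronised.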
. PP-532 Added two new properties to SMS OTP: sms.verifysslhostname and sms.verifysslservercert - both default to true, and can be set to false to turn off SSL hostname verification and SSL server certificate validation respectively.
- 26/02 2017, KR
. PP-524 Fixed ProxyCommand so it handles and returns any exception that occurs - this is used for the case where one config server contacts another and asks it to e.g. ping a service - if that ping fails, e.g. if the service has disappeared, the original config server now gets that exception passed to it so it can handle the error too.
. Updated slf4j to 1.7.24 and logback to 1.2.1
- 15-02 2017, KR
. Instead of failing startup if ALPN support classes are not found for HTTP/2, the launcher now just logs the error and continues without HTTP/2 support.
. PP-521 Added optionsMethodBypassesAuthentication option to dispatcher - if set to true, authentication will not be done for the OPTIONS method - instead it will always pass through - this is to support CORS preflight requests.
- 11/02 2017, KR
. Thread dump previously logged at info: "Thread Dump at time of giving up waiting for IdentifyPeerCommand" now changed to debug. This is logged if a non-Ceptor client connects to one of Ceptor's ports, e.g. the configserver or session controller. Some customers have invalid setups where a loadbalancer or similar connects to the wrong port to check access, and in these cases this makes a lot of noise in the logs, so the loglevel is changed to debug.
- 08/02 2017, KR
. PortalProtect is now renamed to Ceptor - for compatibility reasons, we are currently also keeping the name PortalProtect, and Java package names etc. are not affected.
. All documentation is now available online at https://asseco-dk.atlassian.net/wiki/ - the Users Guide and the various integration guides as well as the configuration reference are no longer kept in static PDF files, but are instead available at the documentation site.
. We are introducing a totally rewritten Management Interface - this is now in the default configuration running on https://localhost:4243 - the old interface is still available for a time, but will be removed in a future version. The new interface adds a number of new features: you can create dashboards with tailored views showing the statistics and information you need to keep an updated overview of the status of your entire system. You can create multiple dashboards with different focus, e.g. one with memory/CPU usage, response times etc. meant for your technical people, and another which focuses on business-type data. You can create PDF reports based upon the statistics, and get detailed information about all running services as well as update log4j/logback settings for all components, including any application simply running with a Ceptor Agent. You get a new server view, where you can view updated information about all running servers, including CPU and memory usage. You can also change configuration entries in realtime, which take effect immediately.
. Introducing Ceptor Gateway - the gateway is a replacement for the dispatcher, rewritten from scratch with fully asynchronous IO, HTTP/2 support both for server and client, WebSocket support etc. Configuration is done in JSON with a full-featured configuration GUI, with more than 60 individual configuration screens. Full support for scripting, request throttling, various authentication methods, OpenID Connect, ADFS, detailed tracing, application firewall. Full documentation available at https://asseco-dk.atlassian.net/wiki/display/CEPTOR/Ceptor+Gateway
. Both Ceptor Console and Ceptor Gateway require Java 1.8 - which has been bundled with distributions since May 2015.
. Updated launcher API - added -startjvm, -stopjvm and -restartjvm options to the launcher - this allows asking the launcher service, which is running e.g. as a Windows service, to start/stop/restart individual JVMs.
This allows you to restart individual JVMs if you e.g. update a deployed webapp and only want to restart it without affecting other processes. You can keep a single service and still get the benefits of running multiple separate processes. See more information in the "Getting Started" documentation.
. Installer updated to no longer offer two separate options for services - instead the combined launcher is now used. It is still possible to run multiple different services if you need to - you can do this by copying the launcher .exe file and its associated .vmoptions to a new name, and run it with /i to install it as a new service. You can then modify the .vmoptions file to only start the specific services you wish it to.
. Demoapp updated with support for NemID codefile - which is used for employee keystores and certificates kept in either files or stored in the Windows system keystore.
- 07/02 2017, KR
. Updated slf4j to 1.7.22 and logback to 1.1.10
. Updated bundled Java version to 1.8.0_121 - ALPN jar updated; if you are running HTTP/2 and not updating PP via the installer, you need to adjust pp_launch.xml to use the new version (alpn-boot-8.1.11.v20170118.jar).
. 32-bit Windows version of the downloadable installer with bundled JRE is no longer available.
- 06/02 2017, JN
. PP-519 Added JSON configuration support to original administration UI
- 4/2 2017, KR
. Added NemID Codefile (file-based certificates with browser plugin) examples to demoapp.
. NemID signing param Timestamp is now generated in the time format, and no longer in msecs since 1970, since that is not supported by the codefile flow.
- 1/2 2017, KR
. All components that already record used/free heap in the statistics now also record process and system CPU usage - note that this requires minimum Java 1.7.
. Added new options to bootstrapper: -startjvm, -stopjvm and -restartjvm. Can be used to ask the service to start or stop a particular JVM.
Useful when you have a combined launcher running with multiple JVMs and you need to start one of them without restarting the whole service and all the running processes.
- 31/1 2017, KR
. Updated statreport.xml/.xsd with markdown samples.
. Updated installer name.
. Added isArrayByteBase64Basic() to Base64 class, to check if the contents are in the non-urlsafe basic character set.
- 30/1 2017, KR
. JFreechart version updated to 1.0.19
. Jetty updated to v9.3.15
- 25/1 2017, KR
. PP-518 HTMLEncoder breaks with an exception if a character's integer value is >= 10000.
- 9/1 2017, KR
. Version 5.53 released.
- 9/1 2017, KR
. PP-513 When creating a session from a JWT token, an authentication plugin is called so it can fill data into the session. Previously, an incomplete session could be returned if multiple concurrent calls were made with the same JWT token. Now, the session is not added to the list of active sessions upon creation, but only when the authentication plugin has finished moving data into it.
- 8/1 2017, JN
. PP-512 Added possibility to add profiles to organisations through user administration UI
- 8/1 2017, KR
. Version 5.52 released.
- 7/1 2017, KR
. PP-510 Added defense for "session fixation attack" to dispatcher. Added new properties: sessionfixationdefense=true/false (default true), sessionfixationdefensecookiename (default sslsessionid_sf), sessionfixationdefenseaddcookie (default false). To protect against a possible session fixation attack (see https://www.owasp.org/index.php/Session_fixation for details about this type of attack) the dispatcher can now automatically add a session fixation cookie with a random value - the same value is added to the session, and for all future requests, the value of the cookie needs to match.
- 7/1 2017, JN
. PP-511 Added possibility to delete a user through the user administration client - it will delete a user with all references in related tables
- 6/1 2017, KR
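The PP-510 entry above describes binding a random cookie value to the session and requiring it on every later request. The following is an added example, not the dispatcher's code, of that mechanism: the cookie name sslsessionid_sf is the default the entry states, while the session key, function names and cookie attributes are this example's own choices. The session is modelled as a plain dict.

```python
"""Session fixation defense cookie, as described for PP-510.

Added example, not Ceptor code. A fresh random value is stored in the session
and sent as a cookie when the session is established; every subsequent request
must present a cookie whose value matches the one held server-side, so a session
identifier planted before login (a fixation attempt) carries no valid cookie.
"""
import hmac
import secrets

SF_COOKIE_NAME = "sslsessionid_sf"          # default cookie name from the changelog
SF_SESSION_KEY = "session_fixation_value"   # this example's own session attribute name


def start_session(session):
    """Bind a new random value to the session; return the Set-Cookie header value."""
    value = secrets.token_urlsafe(32)        # 256 bits of randomness, URL-safe ASCII
    session[SF_SESSION_KEY] = value
    return f"{SF_COOKIE_NAME}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def verify_session_request(session, cookie_header):
    """True only if the request carries the cookie bound to this session."""
    expected = session.get(SF_SESSION_KEY)
    if expected is None:
        return False   # session was never bound; fail closed
    presented = parse_cookie_header(cookie_header or "").get(SF_COOKIE_NAME)
    if presented is None:
        return False
    # constant-time comparison; encode so non-ASCII input cannot raise
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    session = {}
    set_cookie = start_session(session)
    good = "theme=dark; " + set_cookie.split(";")[0]   # constructed client request header
    print(verify_session_request(session, good))                      # True
    print(verify_session_request(session, SF_COOKIE_NAME + "=guess"))  # False
    print(verify_session_request(session, None))                      # False
```

The check fails closed: a session without a bound value, a request without the cookie, or a mismatching value are all rejected, and the comparison is constant-time so the value cannot be recovered byte by byte from response timing.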
. PP-509 When sessions are created from a ticket, using the "oldstyle" session ID format, the session ID inside the session object is now 60 characters instead of 40, just like when a normal session is created.
. PP-508 When creating a session from a ticket, if the session results in a user that is logged in, the audit log is now called to log the login event - also, if creating the session from the ticket fails, the failure is audit logged.
- 5/1 2017, KR
. Version 5.51 released.
- 5/1 2017, KR
. PP-507 HTTPProxy fails with "javax.net.ssl.SSLHandshakeException: No negotiable cipher suite" when using an upstream proxy. This was a side effect of upgrading both the Java 8 patch level and Jetty, causing Jetty to attempt to use SSL when contacting the upstream server, but with the SSL protocol set to TLSv1, which no longer works with newer Java 8 patch levels.
- 8/12 2016, KR
. Version 5.50 released.
- 8/12 2016, KR
. PP-503 JWT token related changes. Added new method to PP Agent (Agent/IPTServer interface): String getSessionFromTicket(String ticket, int clusterId) - this method returns the session ID if a session has previously been created from a ticket, but returns null instead of creating the session if no session currently exists for the specified ticket.
. Session Controller now uses the old-style session ID format also for session IDs created from tickets if configured to do so - but that now also means that the Dispatcher's setting "addedAuthorizationHeaderContainsBearerToken" no longer works if "old-style" session IDs are used. For this feature, you need to use the new-style variable-length session IDs.
. When validating JWT tokens, the audience "aud" is no longer required to be present if the list of valid audiences for a JWT token is empty.
. PP-504 Added alternateserver.xxxx.basicAuthUserid and alternateserver.xxxx.basicAuthPassword to dispatcher configuration - if set, the configured userid or password is used instead of the user's userid/password when sending basic authentication to the application server for an authenticated user.
. When saving XML configuration to file, if a property contains JSON, the value is now saved as CDATA so it can be edited directly. This will be used with configuration for the upcoming gateway (dispatcher replacement).
- 7/12 2016, KR
. PP-501 Missing timeout in ITPSSLSocket - added a 5 second connect timeout to ITSSLSocket, used by HttpClient to e.g. retrieve federation metadata, JWT signing certificates etc.
- 27/11 2016, KR
. Version 5.49 released.
- 26/11 2016, KR
. PP-499 Dispatcher update: Added alternateserver.xxxx.pingDisabled (default false) - if set to true, ping is disabled no matter what pingUrl is set to.
- 25/11 2016, KR
. PP-500 Added example authenticator plugin for registering new users by sending them an email with a userid and a registration code - they can then later activate their account using the codes.
- 19/11 2016, KR
. PP-498 HttpClient can now turn SSL server certificate validation off. For ADFS/WebSSO added properties: websso.idp..acceptedServerCertificates, which is a list of accepted issuer certificates for the SSL server certificate; websso.idp..verifyServerCert - set to false to disable SSL server cert validation; websso.idp..verifySSLHostname - set to false to disable SSL hostname verification. For JWT tokens, added these properties: oauth2.token..acceptedServerCertificates, oauth2.token..verifyServerCert and oauth2.token..verifySSLHostname. For PID/CPR lookups/validations you can now specify these properties: ca.provider..pidcpr.verifysslcert and ca.provider..pidcpr.acceptedsslcerts. For Nets Attribute service lookups you can now specify these properties: ca.provider..attr.verifysslcert and ca.provider..attr.acceptedsslcerts
- 16/11 2016, KR
. PP-279 Added support for using Google and Microsoft as OpenID Connect Identity Providers, with support for automatically retrieving certificates published in their own proprietary formats. portalprotect-configuration.xml now contains sample configuration that works with both. The upcoming gateway (dispatcher replacement) is able to handle redirection to OAuth2 identity providers, and authenticating with the result. Sample configuration included.
- 14/11 2016, KR
. ADFSSamlSSOAuthPlugin no longer clears previous state variables at login time.
- 9/11 2016, KR
. PP-490 Added gatewayDebug() for the upcoming Gateway (Dispatcher replacement) to the admin API. Admin API service list now also returns memory usage for each service.
. PP-497: Dispatcher did not add a URL entry to the last 1000 URLs list when it failed because no servers were configured for a given target.
. PP-495 Luna6Support changed, only a single thread is now allowed at a time to try to reconnect.
- 23/10 2016, KR
. PP-490 Admin API updates: added ability to view and change logback/log4j configuration. Events and server properties are now available when calling getServerStatus(). Removed AdminClient.getServerStatusByRouteNodeName() - the functionality is available within getServerStatus()
. PP-488 Configuration loader (default ConfigurationXMLImpl) now has the possibility to request a reload of configuration in case it detects changes, e.g. when the database or file is updated. This is done via a callback added to the IConfigurationHandler interface.
. PP-491 Dispatcher ping now optional for alternateservers: if the alternateserver pingurl is blank, don't attempt to ping the server
. PP-492 ADFS/SAML WebSSO now supports multiple signer certificates which have the same name in the certificate. This is used by Microsoft ADFS, where they have multiple different signer certificates with the same name. The Bouncycastle JCE provider is now always added by the session controller to ensure it is available when loading authentication plugins.
- 19/10 2016, KR
. PP-488 The property "configuration.implclass" can be specified for the configuration server to replace the default class dk.itp.configuration.ConfigurationXMLImpl in order to read the configuration from something other than an XML file - using e.g. a JSON file, or a database instead. The class needs to implement the interface dk.itp.configuration.IConfigurationHandler.
. PP-489 The dispatcher now allows up to 4096 rules to be defined instead of the old limit of 512.
- 6/10 2016, KR
. PP-486 Admin API now supports using server routenodename as well as servername, e.g. when asking a server to stop or start.
- 5/10 2016, KR
. Version 5.48 released.
- 05/10 2016, KR
. PP-484 HttpClient used for fetching federation metadata was hit by a bug caused by PP-417, which added the ability to change the SSL protocol version - the default did not work, and should have been set to TLS. This is now fixed, and the hostname verifier in the HttpClient now supports subjectAlternativeNames in the SSL server certificate when verifying whether the hostname is correct or not.
. PP-485 Default logback.xml now separates output from different classloaders into different files, so the services running in one classloader defined within pp_launch.xml get their own logfile. This ensures that two loaded instances of logback never open the same file, so they will never be able to interfere with rolling the files. Also, logging to file now goes via the ASYNC appender, meaning performance will increase since logging is done asynchronously in the background. Please check the changes there, compare to your current logback.xml and decide if you want to upgrade. Alternatively, you can settle for one classloader per JVM in pp_launch.xml (or use the flag -sharedclassloader when starting PP using the launcher) to ensure that one logfile is only used by one logback instance so it can always be rolled when needed.
- 03/10 2016, KR
. Refactored response.getWriter() in WS-Security dispatcher plugin to use getOutputStream() instead.
- 25/9 2016, KR
. PP-483 Admin API now returns all running instances of services and not just the first one - the status API can now query status based upon routenodename and not just server name, to handle more than one running instance of the same server.
- 22/9 2016, KR
. PP-482 StringMatcher now has support for regular expressions and URI path matching - if patterns are prefixed with {regex} they are treated as regular expressions, and if they are prefixed with {uripath} then the wildcard does not match forward slashes. To match all characters including forward slashes, simply use two adjacent stars, e.g. "{uripath}/a/*/b/*" matches /a/1/b/2 but not /a/1/z/4/b/2 - "{uripath}/a/**/b/*" matches both. Note that performance when using regular expressions is worse depending on the complexity. When using regular expressions, flags can also be passed by using the prefix {regex:} with one or more regular expression flags after the colon, separated by comma, semicolon or pipe sign. The flags can be UNIX_LINES, CASE_INSENSITIVE, COMMENTS, LITERAL, MULTILINE, DOTALL, UNICODE_CASE, CANON_EQ, UNICODE_CHARACTER_CLASS - see the javadoc for java.util.regex.Pattern for details
- 4/9 2016, KR
. Version 5.47 released.
- 1/9 2016, KR
. Embedded Jetty updated to 9.3.11 - ALPN jar updated; if you are running HTTP/2 and not updating PP via the installer, you need to adjust pp_launch.xml to use the new version.
- 31/8 2016, KR
. PP-477 Bundled JRE updated to 1.8.0_102, and pp_launch.xml now has the -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError JVM options added.
. PP-478 Added support for creating a heapdump for a connected agent or server from either the admin API or directly via the administration API or command-line client. Beware though that the entire process hangs while dumping the heap, so it might cause large delays lasting several minutes depending on heap size.
- 31/8 2016, JN
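The PP-482 entry above defines three pattern forms: {regex}, {regex:FLAGS} and {uripath}. The following is an added example, not Ceptor's StringMatcher, that reproduces the matching rules the entry describes so the /a/*/b/* versus /a/**/b/* behaviour can be checked. Assumptions of this example: a plain (unprefixed) pattern is a wildcard pattern whose * matches anything including slashes, only the flag names that have a Python re equivalent are accepted (the others raise, since the Java-only flags such as CANON_EQ have no counterpart here), and patterns are matched against the whole value.

```python
"""Pattern matching with {regex}, {regex:FLAGS} and {uripath} prefixes.

Added example, not Ceptor code: implements the rules the PP-482 entry
describes. Under {uripath} a single * stops at '/', while ** crosses it;
{regex:...} accepts flags separated by ',', ';' or '|'.
"""
import re

# Java Pattern flag names that map onto Python re flags (example's assumption);
# any other name is rejected rather than silently ignored.
_FLAGS = {
    "CASE_INSENSITIVE": re.IGNORECASE,
    "MULTILINE": re.MULTILINE,
    "DOTALL": re.DOTALL,
    "COMMENTS": re.VERBOSE,
}


def _wildcard_to_regex(pattern, uripath):
    """Translate a * wildcard pattern into a regular expression source."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i) and uripath:
            out.append(".*")          # ** crosses path separators
            i += 2
            continue
        if pattern[i] == "*":
            out.append("[^/]*" if uripath else ".*")
        else:
            out.append(re.escape(pattern[i]))
        i += 1
    return "".join(out)


def compile_matcher(pattern):
    """Return a compiled re.Pattern for a StringMatcher-style pattern string."""
    if pattern.startswith("{regex"):
        end = pattern.index("}")                  # first '}' closes the prefix
        spec = pattern[len("{regex"):end]         # "" or ":FLAG1,FLAG2"
        flags = 0
        if spec.startswith(":"):
            for name in re.split(r"[,;|]", spec[1:]):
                name = name.strip()
                if not name:
                    continue
                if name not in _FLAGS:
                    raise ValueError(f"unsupported regex flag: {name}")
                flags |= _FLAGS[name]
        return re.compile(pattern[end + 1:], flags)
    if pattern.startswith("{uripath}"):
        return re.compile(_wildcard_to_regex(pattern[len("{uripath}"):], True))
    return re.compile(_wildcard_to_regex(pattern, False))


def matches(pattern, value):
    """True if `value` as a whole matches `pattern`."""
    return compile_matcher(pattern).fullmatch(value) is not None


if __name__ == "__main__":
    for p, v in [("{uripath}/a/*/b/*", "/a/1/b/2"),
                 ("{uripath}/a/*/b/*", "/a/1/z/4/b/2"),
                 ("{uripath}/a/**/b/*", "/a/1/z/4/b/2"),
                 ("{regex:CASE_INSENSITIVE}/api/.*", "/API/users")]:
        print(p, v, matches(p, v))   # True, False, True, True
```

For access-control rules the {uripath} form is the safer default: a single * cannot reach into deeper path segments, so a rule written for /a/*/b/* does not silently cover /a/1/z/4/b/2. Unknown flag names fail closed here because a flag that was ignored could turn a case-sensitive rule into a case-insensitive one without anyone noticing.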
. PP-468 When configuration is replicated between config servers, previously the config was saved for each server configuration that was updated; with hundreds of servers this could take a while, so now all config changes are made first and only persisted once.
- 10/8 2016, KR
. PP-472 Extended admin API with support for checkPermission() and getResource(), so the client can check if the authenticated user has a specific permission or not - useful for hiding functionality from the user so he does not try it and get an error if he does not have access. getResource() allows download of logfiles from the configserver and statistics reports from the statserver, and potentially other files exposed via the status/management interface.
. PP-473 configserver refactored to download files using the resource interface to support downloading files from remote configservers.
. Added ppadmin (remote admin API) ACL definitions to portalprotect-security.xml - you should add those to your own copy of portalprotect-security.xml if you do not have them already.
- 14/7 2016, KR
. PP-468 When changing remote.servers, the configserver would restart itself - sometimes, the serversocket would not get enough time to shut down properly, so when starting again it got a BindException since the port was already in use. This BindException would cause the configserver to be in a half-started phase, where clients could connect to it, but it wasn't fully running. Now, better error handling is added so it is either fully started or stopped, and we delay starting until the async server socket is fully closed.
- 2/7 2016, KR
. PP-209 Added SSL peer2peer (nios:// and tcps://) support to .NET Agent
. PP-466 Managedservices stop/start did not work properly after PP-461, where configuration was cached so configUpdated() was not called after start - the cache is now cleared when stopping/starting. This prevented stop/start in the administration GUI of all PP server components from working properly.
AbstractX509AuthenticationPlugin stopped and destroyed CA instances when stop was called, so they were not available after calling stop/start from the admin GUI.
- 29/6 2016, KR
. Version 5.46 released.
- 29/6 2016, KR
. PP-463 serialVersionUID of the java1.4 version of SessionPrincipal changed from 1L to -7804819439437750747L to be compatible with the previous version.
. Removed weblogic 6 and weblogic8 folders from samples/integration - they are now only available within the jdk14 folder.
- 28/6 2016, KR
. PP-462 X509Helper.sortX509CertChain() changed so it returns a new array instead of sorting into the old one. It now also removes duplicate certificates to fix issues where (in elektronisk tinglysning) one bank sends their own certificate twice in the certificate chain in the signed data. Duplicate certificates are now removed, meaning the sorted chain can change size. If you have plugins that call X509Helper.sortX509CertChain(), you will need to change the code so they use the returned certificate chain.
- 26/6 2016, KR
. Version 5.45 released.
- 26/6 2016, KR
. Ported PP-553, PP-429 and PP-461 (compares config to previous before calling setConfiguration) to the java 4 version of the agent.
- 25/6 2016, KR
. PP-461: ManagedService now compares any new configuration it receives to the old one, and no longer calls setConfiguration() if they have not changed. This means that an agent, authentication plugin etc. will no longer be called with the same configuration in case the connection between config servers fluctuates. This compensates for the case where agents and clients were needlessly notified as a result of PP-446, which caused multiple calls with the same configuration where the agent or service might already have the updated config.
- 21/6 2016, KR
. PP-444 Removed ISocketCreater from peer - this means that the configuration property useSSLForRestrictedPeer for the dispatcher and session controller is no longer used.
Instead, set the listenurls to tcps:// or nios:// to enable SSL, and to tcp:// or nio:// to disable SSL - same with the "sessioncontrollers" property in the dispatcher - prefix it with either nios:// or tcps:// for SSL and nio:// or tcp:// for unencrypted. Periodic pings are no longer disabled for blocking SSL sockets, since the JDK bug that required us not to call setSoTimeout() on SSL sockets was fixed years ago. Because of this change, you should update both the server and the dispatcher, and not run a new server with an older dispatcher.
- 17/6 2016, KR
. PP-445 request.getParameter() could be called after reading the servlet input stream in a POST request when the dispatcher handled OAuth2 requests. This caused WebLogic to log a warning in its log for every request.
- 10/6 2016, KR
. Version 5.44 released.
- 10/6 2016, KR
. PP-458 Dispatcher did not discard the transfer-encoding HTTP request header, but forwarded it to the backend server - this caused issues with some servers for POST requests, since both transfer-encoding: chunked and a content-length would be sent to the server - depending on its behavior it would either discard the transfer-encoding header, in which case it would work, or it would ignore the content-length header and expect chunked data. Now, it discards both the te and transfer-encoding headers if present in the request.
- 9/6 2016, KR
. Version 5.43 released.
- 9/6 2016, KR
. PP-553 bugfix in v5.42 broke it since the configserver resolved all config properties locally instead of sending the unresolved ones to the client.
- 8/6 2016, KR
. Version 5.42 released.
- 8/6 2016, KR
. PP-554 If alternateservername was not only lowercase letters, marking a server as unavailable in the admin GUI was ignored.
. PP-456 Configserver did not resolve ${xxxxxx} properties in configuration for itself.
- 7/6 2016, KR
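The PP-458 entry above is a request-framing problem: when a proxy forwards both Transfer-Encoding: chunked and Content-Length, the backend has to pick which one describes the body, and different servers pick differently. The following is an added example, not the dispatcher's code, of a header sanitizer for a proxy that has already read the request body: it drops the te and transfer-encoding headers as the entry says the dispatcher now does, the other hop-by-hop headers that RFC 7230 names, any header listed in Connection, and then sets a single Content-Length from the body it holds. The function names and the header representation (a list of name/value pairs) are this example's own; the sample headers are constructed.

```python
"""Strip hop-by-hop headers before forwarding a request with a known body.

Added example, not Ceptor code. A proxy that buffers the body can state its
length itself; forwarding the client's Transfer-Encoding and Content-Length
together leaves the backend to choose the framing, which PP-458 describes.
"""

# Hop-by-hop header names from RFC 7230 section 6.1; never forwarded as-is.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def has_ambiguous_framing(headers):
    """True when a request carries both framing headers; worth logging at the edge."""
    names = {name.lower() for name, _ in headers}
    return "transfer-encoding" in names and "content-length" in names


def connection_listed(headers):
    """Names declared hop-by-hop by the Connection header itself."""
    listed = set()
    for name, value in headers:
        if name.lower() == "connection":
            listed.update(v.strip().lower() for v in value.split(",") if v.strip())
    return listed


def sanitize_forward_headers(headers, body):
    """Return the header list to send to the backend for an already-read `body`.

    Drops hop-by-hop and Connection-listed headers, drops any client-supplied
    Content-Length, and appends one Content-Length computed from `body`.
    """
    listed = connection_listed(headers)
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in HOP_BY_HOP or lname in listed or lname == "content-length":
            continue
        out.append((name, value))
    out.append(("Content-Length", str(len(body))))
    return out


if __name__ == "__main__":
    # constructed request headers of the kind PP-458 describes
    received = [
        ("Host", "api.example.test"),
        ("Transfer-Encoding", "chunked"),
        ("Content-Length", "5"),
        ("TE", "trailers"),
        ("Connection", "keep-alive, X-Debug"),
        ("X-Debug", "1"),
        ("Content-Type", "text/plain"),
    ]
    print(has_ambiguous_framing(received))               # True
    for h in sanitize_forward_headers(received, b"hello"):
        print(h)                                         # Host, Content-Type, Content-Length: 5
```

A gateway that supports protocol upgrades (the Http2UpgradeHandler and WebSocket support mentioned elsewhere on this page) handles the Upgrade header on its own path before forwarding; this helper is for ordinary proxied requests where the body is fully buffered.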
. PP-553 Fixed bug in useradmin access - if the connection was broken, and relogin failed when using a session ID, the ID was discarded and subsequent login attempts always failed with that ID.
. PP-444 Fixed major bug in nios (nonblocking IO, SSL) handling in communication between PP servers. Depending on network drivers, OS and configuration, certain types of fragmented packets broke SSL communication causing disconnects and reconnects. A workaround was to use tcps:// (blocking TCP/IP sockets) instead of nios://, but this is fixed now. PeerThread performance has improved slightly when adding new connections for JDK1.7 and above. Default PP configuration now uses nios:// instead of nio:// for all communication between components - it uses the same ports but now encrypts all traffic on them. If a peer times out waiting for IdentifyPeerCommand, a threaddump is now logged to help diagnose any eventual problems. Sample configuration has been updated with multiple config servers, and loadbalancing between them. You should create your own keypair and SSL certificate and replace classes/ptskeystore with it. An upcoming PortalProtect version will have an installer that can do this as part of the installation process.
- 5/6 2016, KR
. Version 5.41 released.
- 5/6 2016, KR
. PP-437 Added pingUser/pingPassword and alternateserver.XXXX.pingUser / alternateserver.XXXX.pingPassword properties. If addauthorizationheader=true and addedAuthorizationHeaderContainsSessionID=false, then the userid/password is added instead as basic auth to the authorization header when the dispatcher sends it towards the application server.
. PP-446 When a slave configuration server receives updated configuration from a master, it now reloads everything, notifying all connected agents about the new configuration to make sure they do not miss any changes.
- 4/6 2016, KR
  . PP-448 Added useSSLClientCertAsTicket to the dispatcher - if set to true, an SSL client certificate can be used as a ticket to obtain a session, similar to an OAuth2 ticket. This is useful for API calls protected by SSL client certificates where a regular session is not used - in this case, the overhead of creating a new session and logging into it can be avoided, since the same session is reused over and over for the same SSL client certificate. Note that in this case, multiple clients sharing the same SSL client certificate will also be sharing the same session. In order for this to work, an authentication plugin of type AuthTypes.AUTHTYPE_SSLCLIENTCERT must be installed and support creating a new session from a ticket.
- 2/6 2016, KR
  . PP-445 Removed all calls to response.getWriter() in the dispatcher when sending errors - it now solely uses response.getOutputStream(), to hopefully avoid a WebLogic issue when the dispatcher is running within WebLogic.
  . PP-447 Added new configuration options: stickyserver and alternateserver.XXXX.stickyserver, default is true. If set to false, servers are no longer sticky, and users will not get a XXXXselectedServer cookie set; incoming XXXXselectedServer cookies are also ignored.
  . PP-449 When all servers are down, and we need to pick a server in the hope it works, we now first sort through the servers and discard any that we could not reach due to a ConnectException or UnknownHostException.
  . PP-451 Changed implementation of ConfigCommandHandler to only send systemconfiguration to remote configuration servers; this also adds compatibility with very old agents (10 years) which can now read configuration.
  . PP-452 Fixed bug in DNSCache - it refreshed DNS entries too often - now it caches them for 10 minutes like it should, without trying to refresh.
  . -Djava.net.preferIPv4Stack=true is no longer set in the default pp_launch.xml, since it causes problems in some Windows versions/configurations - removing it seems to fix "Unrecognized Windows Sockets error: 0: recv failed".
  . PP-443 PP Service Launcher changes in the way it shuts down. We have seen issues in one particular environment where the JVM's shutdown handler is called (meaning the JVM process is about to exit) when the service is stopped. But the process never terminates although the shutdown handler completes normally. Now we have changed it so we shut down the TCP/IP server listener nicely as part of the shutdown handling, and we start a timer that calls Runtime.getRuntime().halt() if the process does not terminate by itself within 5 seconds. Also, file handles (stdin/out/err) are now inherited instead of piped when starting child processes; this is also known to prevent bugs in Windows where processes might not shut down properly. This should fix the issue where the process does not shut down properly and the next one cannot start up since the service launcher TCP port is already in use.
- 23/5 2016, KR
  . Version 5.40 released.
- 23/5 2016, JN
  . PP-441 Fixed logging in shutdown handler to have its own log instance.
  . Moved test useradmin databases away from the distribution build.
- 23/5 2016, KR
  . PP-440 Fixed bug in bearer token validation - if the token was invalid, HTTP 500 was returned instead of 401. This bug was introduced in v4.35 with PP-428.
  . PP-441 Fixed bug in usersearch/getuser validation of the useradminaccess user having the correct ACL to access a user based upon organisation.
- 18/5 2016, KR
  . PP-438 If urlAccessFailedRedirect (or alternateserver.xxxx.urlAccessFailedRedirect) is set to "403", the HTTP response code 403 is returned instead of redirecting to the URL - this can be used for e.g. alternateserver definitions which should be accessed as an API from clients where it does not make sense to redirect to another page.
- 10/5 2016, KR
  . Version 5.39 released.
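The shutdown pattern that the PP-443 entry above describes (close the listener first, then arm a watchdog that halts the JVM if it has not exited on its own) is shown here as an added, stand-alone example. It is not the PP Service Launcher's code; the class name, the 5 second limit taken from the entry, and the ephemeral-port listener are assumptions for illustration.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.util.Timer;
import java.util.TimerTask;

/*
 * Added example, not PortalProtect code: a shutdown hook that frees the TCP listener
 * and a watchdog that calls Runtime.halt() when normal termination stalls.
 */
public class LauncherShutdown {

    // Taken from the changelog entry: give the JVM 5 seconds to exit by itself.
    private static final long HALT_AFTER_MILLIS = 5_000L;

    /**
     * Registers a shutdown hook that closes the listener and arms a watchdog which
     * halts the JVM if the process is still alive after HALT_AFTER_MILLIS.
     */
    public static void install(ServerSocket listener) {
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            // Daemon timer: it must not itself keep the JVM alive once the hook is done.
            Timer watchdog = new Timer("shutdown-watchdog", true);
            watchdog.schedule(new TimerTask() {
                @Override
                public void run() {
                    System.err.println("Shutdown did not finish within " + HALT_AFTER_MILLIS + " ms, halting JVM");
                    // Last resort: halt() skips remaining hooks and finalizers, unlike exit().
                    Runtime.getRuntime().halt(1);
                }
            }, HALT_AFTER_MILLIS);
            try {
                // Close the listener first so the port is free for the next service instance
                // even if something else in the process later refuses to die.
                listener.close();
                System.err.println("Listener closed, shutting down normally");
            } catch (IOException e) {
                e.printStackTrace();
            }
        }, "launcher-shutdown"));
    }

    public static void main(String[] args) throws IOException {
        // Port 0 picks a free ephemeral port; a real launcher would bind its configured port.
        ServerSocket listener = new ServerSocket(0);
        install(listener);
        System.out.println("Listening on port " + listener.getLocalPort() + "; exiting to run the hook");
        System.exit(0); // runs the shutdown hook; the hook's watchdog only fires if exit stalls
    }
}
```

The watchdog runs on a daemon thread on purpose: a non-daemon timer would itself be one more thing keeping the JVM alive after the hook returns, which is the exact symptom the entry is working around.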
- 9/5 2016, KR
  . PP-417 Added ca.provider.xxxx.ssl.protocol (default TLS) where you can specify the SSL protocol to use when calling PIDCPR services for this provider - the default is TLS, but when running Java 7 you need to set it to TLSv1.2 to force use of TLSv1.2.
- 5/5 2016, JN
  . PP-421 First version of REST services available in PP that supports status information and summarised statistics. See the users guide for more information on how to enable and configure this.
- 4/5 2016, KR
  . Version 5.38 released.
- 4/5 2016, KR
  . PP-417 Changed reconnect in luna6support to avoid recursive calls in case reconnect fails.
  . PP-417 Added information about which private key alias was attempted if XMLDSIG decryption fails.
- 2/5 2016, JN
  . PP-435 Fixed organisation IDs not filled out in quick-user fetch.
  . Refactored Useradmin authentication plugins and moved some common code to the UserAdminAuthenticationPluginHelper class for re-use by customer specific plugins. If the public static methods "fillUserGroupsAndState" or "fillUsername" are used in your own authentication plugin, please use the new methods in the UserAdminAuthenticationPluginHelper class. The methods will stay in UAAuthenticationPlugin for a few releases, but are marked as deprecated. Same with the static method.
- 2/5 2016, KR
  . Version 5.37 released.
- 2/5 2016, KR
  . PP-417 Luna (v6) reconnect code simplified; it now always takes place in the same thread, and only slotManager.reinitialize() is called to reconnect before doing a login. Also, the configuration options luna.* added 28/4 have been removed again.
  . Updated AbstractOAuth2AuthenticationPlugin so it also looks at jce.customproviders and ensures they are initialized.
- 28/4 2016, KR
  . Version 5.36 released.
- 28/4 2016, KR
  . PP-417 Added additional options to change the disconnect/reconnect behavior towards the Luna API, to avoid it hanging in certain API calls inside the Luna API (version 6).
    luna.callFinalizeOnDisconnect, luna.callInitializeOnDisconnect, luna.callReinitializeOnDisconnect, and luna.callLogoffOnDisconnect can now be set to true or false to enable/disable the various calls on cleanup.
- 27/4 2016, KR
  . PP-435 Renamed description of new sample ACLs in database.
  . Updated sample authentication plugins with support for multiorg.
  . PP Installer now checks for existing files in the patches directory, and asks the user to delete them as part of upgrading to a new PP version, to avoid the risk of running with old outdated patches.
- 25/4 2016, JN
  . PP-435 Fixed user search bug on organisation with challenge in multiorg. Fixed organisation not being available on user state in certain login scenarios. Added possibility to list organisation users with challenges. Fixed javadb and cloudscape statement issue with some ACLs. Fixed a bug where sub orgs were not properly displayed in the org list when they were alone.
- 17/4 2016, KR
  . Version 5.35 released.
- 17/4 2016, KR
  . PP-429 Added support for the special state variable pp_custom_expiresat - if it is set, it must contain a number of milliseconds since 1970 (System.currentTimeMillis()) - this is the time the session will expire. The session will be removed automatically after this time, if set. Please note that if you use this, you will need the time synced between agents and servers, since the agents will remove their references to it at the exact time. The session controller will, when checking for timed out sessions, respect this time too, and remove the session from all agents. Added oauth2.token.xxxx.expiresAtExactTime to the JWT configuration options for the JWT authentication plugin. If set to true, the session will expire at the exact time of an eventual expiration in the JWT token; if set to false, the expiration time of the JWT token will be checked at authentication time, but after authentication the session will respect the normal session timeout configuration.
- 15/4 2016, KR
  . PP-428 Optimization in the dispatcher for requests with a bearer token: if the client does not send a cookie with information about the selected server, this is instead read from the session - if found, it will be used. This ensures that application servers are sticky even without cookies, which in turn enables better performance since there will be fewer roundtrips to the session controller and fewer places to clear the sessions from if they change content.
- 13/4 2016, KR
  . PP-432 consul support is now also available in configclient and configserver; this means that an agent can do a consul service lookup via the configserver, e.g. a dispatcher in a DMZ zone can ask a configserver in a secure network zone to do a service lookup. The configserver now has consul.servers and consul.pollinterval properties added to it. Additionally, it has consul.alloweduripattern (defaults to *) which can be used to restrict which services an agent can attempt to look up - it could e.g. be set to "/v1/catalog/service/app*" to look up only services whose name starts with app. If the service URL in targetservers/targets starts with configserver: then the dispatcher will not ask consul directly, but ask the config server to do it on its behalf.
  . PP-428 Fixed incorrect double-logging of a request in the dispatcher if an error occurred during NTLM negotiation/checking.
- 11/4 2016, KR
  . PP-434 Added support for registering and using FIDO U2F devices for authentication. See the demoapp for examples, and https://www.yubico.com/applications/fido/ for more information on FIDO U2F.
- 10/4 2016, KR
  . PP-432 New dispatcher feature: Added support for using consul to look up the list of target servers dynamically. Every "pingurlinterval" (default 30) seconds, when about to ping all application servers to see if they are alive, the dispatcher can now ask a consul service which services are currently active and should be added to or removed from the list.
    The new property "consul.servers" contains one or many consul server URLs, separated by semicolon - each one will be queried in turn until a working one is found. targetservers and alternateserver.xxxx.targetservers can contain the macro ${consul:____url____} where ____url____ is the URL, including the service name, to call on consul to query the list of currently available service instances. consul.pollinterval can be set to a number of seconds for which the result is cached - consul will, for each service, only be asked if the specified number of seconds have passed since the last query. Example: consul.servers=http://192.168.160.132:8500 and targetservers=127.0.0.1:8080,server1;${consul:/v1/catalog/service/appservers}
- 5/4 2016, KR
  . Embedded Jetty updated to v9.3.8
- 4/4 2016, KR
  . PP-430 When sending SMS using CPSMS, they now support using an API key instead of a password - the SMS authentication plugin has been extended to support this. Also, the default PP authentication plugin has been extended to work with BCRYPT, SHA and PBKDF2 as well as PasswordUtils encoded passwords in the database.
  . PP-417 Added extra retry code to Luna6Support initialization so it handles exceptions that occur inside the Luna provider when checking if it is initialized.
  . PP-426 Command-line admin API client can now delete specific statistics entries from the statistics server.
  . PP-428 Dispatcher could (depending on configuration) log an invalid error message if a session was timed out, or not found. It would log something like "Unable to verify if session was logged on before doing NTLM challenge" even though the request might have nothing at all to do with NTLM. This has been corrected.
  . PP-431 Added HTTP method to the access log / list of the 1000 last URLs in the dispatcher.
- 17/3 2016, KR
  . PP-427 Added addedAuthorizationHeaderContainsBearerToken and alternateserver.xxxx.addedAuthorizationHeaderContainsBearerToken configuration entries.
    If addedAuthorizationHeaderContainsBearerToken is set to true, and the request contained an OAuth bearer token, then that token is forwarded to the backend application server instead of the session ID. If no OAuth2 bearer token is present, the default behavior of forwarding the session ID as basic auth is used instead, unless that is turned off by setting addedAuthorizationHeaderContainsSessionID=false.
- 15/3 2016, KR
  . PP v5.34 released
- 15/3 2016, KR
  . PP-426 When saving the list of recent/expensive SQL statements, each SQL parameter is now limited to 80 characters, and anything more is discarded to minimize memory impact for extremely large (multi-megabyte) SQL statements. Also, the maximum number of expensive statements saved is reduced from 1000 to 300. As always, they are viewable by using the admin API and looking at the status for the useradmin/identitymanager module.
  . jose4j (used for OpenID Connect / JWT token parsing and generation) updated from snapshot version to released version 0.5.0.
- 14/3 2016, KR
  . PP v5.33 released
- 14/3 2016, KR
  . PP stdout/stderr for the PP launcher service renamed to pp_launcher.stdout.log and pp_launcher.stderr.log
  . Fixed bug in installer for the dispatcher component - it did not include the logback .jar files in extlib.
- 13/3 2016, KR
  . PP-423 Added IAuthorizationPlugin2 interface which extends IAuthorizationPlugin - any plugins which implement this interface now get their new methods called - it contains setStatistics(), initialize() and uninstall() methods. initialize() will pass in the session controller instance, from which configuration etc. can be retrieved.
- 11/3 2016, KR
  . PP-417 Luna 6 support now works with Luna 6.2, where Safenet in their wisdom moved the LunaCryptokiException to another package.
- 10/3 2016, KR
  . PP-417 Luna 6 slot ID can now contain a slot label instead of the numeric ID.
- 18/2 2016, KR
  . PP v5.32 released
- 18/2 2016, KR
  . PP-420 When the dispatcher calls isURLAllowed() in the Agent, and later the Validator, it now sends along the HTTP method being used as well as the URL - this allows the validator to differentiate access based on HTTP method. Also, to ensure CORS works, the default validator now allows all requests through when using the OPTIONS HTTP method. If you have your own implementation of IAgentValidator, and wish to use this feature in your own validator, you need to implement the IExtendedAgentValidator interface instead, which contains the new method.
- 14/2 2016, KR
  . PP v5.31 released
- 13/2 2016, KR
  . Updated to slf4j v1.7.16, and logback to 1.1.5. You need to update pp_launch.xml to point to the newer version, unless you use PP's installer, which will upgrade it automatically in pp_launch.xml.
- 10/2 2016, KR
  . PP-406 Added JWT/OpenID Connect support - refer to the users guide for details, and portalprotect-configuration.xml for sample configuration; also look into the demoapp for integration into an application, prompting for a user's consent etc. Note that depending on your PortalProtect license, this feature might require purchase of a separate module.
- 8/2 2016, KR
  . DotNet Agent now has a dependency on a new log4net version, signed with the "new" key - this means that it now references log4net with publickeytoken 669e0ddf0bb1aa2a instead of 1b44e1d426115821 - log4net is also updated to 1.2.13
- 7/2 2016, KR
  . Bundled JRE updated to 1.8.0_74
- 6/2 2016, JN
  . PP-414 Added multi organisation support in the user admin web app. The application will follow the settings of the useradmin server and only allow access to the multi organisation attachment to a user if this is enabled on the useradmin server.
- 1/2 2016, KR
  . PP-417 Added support for Version 6 of the Luna JSP API. To use it, set jce.customproviders to dk.itp.security.jce.luna.Luna6Support instead of dk.itp.security.jce.luna.LunaSupport.
    If you need to specify the Luna user role when logging in, set luna.userrole to one of these values: USER, CRYPTO_OFFICER, LIMITED_USER, CRYPTO_USER, NONE.
- 28/1 2016, JN
  . PP-414 Multi organisation support in the user admin server through the new property "users.multiorg" on the user admin server and a new table PP_ORG_USER (see the bottom of create_tables.sql for your database). The new property will allow for multiple organisations per user in a new relational table - no data migration is done within PP when this is turned on, so make sure this is done before the new property is enabled. Also clear the old value of organisation_id in the pp_user table, since it can create constraint issues in the databases where this has been chosen. As always, setting up constraints towards foreign tables is optional, and they can be removed if performance dictates it!
- 28/1 2016, KR
  . PP-419 UserAdminAgent removes cached credentials if reconnect/relogin fails, causing the "java.lang.IllegalArgumentException: Session ID [null] is not a valid PP session ID" error, e.g. after suspending the virtual machine PP runs in and then resuming it.
- 26/1 2016, KR
  . PP-416 Updated Bouncycastle JCE Provider to version 1.54 - please note that the API has unfortunately changed between versions, so PortalProtect is no longer compatible with older versions; you will need to update to the jars bundled with PortalProtect. Also note that it is now in 3 .jar files instead of 2 - the new one is called bcpkix-jdk15on-154.jar
  . PP-418 SLF4J updated to v1.7.14, and logback updated to version 1.1.3. You will need to update your launch.xml file to point to the new versions, or PortalProtect will not be able to start up.
- 22/1 2016, KR
  . Bundled JRE updated to JRE8u72 - alpn jar files also updated, so you need to set the path to the jnlp jar file in pp_launch.xml to the new version: -Xbootclasspath/p:"${portalprotect.home}/alpn/alpn-boot-8.1.7.v20160121.jar" If this is not done, you will get various SSL handshaking errors.
  . ptskeystore updated with a new selfsigned cert using a larger keysize to satisfy new JRE minimum requirements.
  . Windows installer without bundled JRE can no longer be downloaded, since it is important that the JRE version and ALPN jars fit together.
- 10/1 2016, KR
  . PP-413 Add support for looking at query parameters in dispatcher rules
- 9/1 2016, KR
  . PP-412 Add markdown support to PDF report generation
  . PP-411 Extend admin API to support reset of statistics, and pattern matching when looking up servers and functions
- 5/1 2016, KR
  . PP-405 Base64 encoder/decoder now supports URL-safe encoding/decoding as specified in RFC 4648
- 15/11 2015, KR
  . PP v5.30 released
- 14/11 2015, KR
  . Installer now backs up all configuration files from the config directory to config_installbackup when upgrading.
- 09/11 2015, JN
  . PP-320: Support for the JDBC4 isValid method in JDBC connection pooling for PP Server
- 8/11 2015, KR
  . PP-388 Added example jetty-rewrite.xml which adds various HTTP security headers to all responses - you can include it by adding ${portalprotect.home}/dispatcher/jetty-rewrite.xml to the ws.jettyxml property in pp_launch.xml. Be sure you add it as the last entry in ws.jettyxml.
- 7/11 2015, KR
  . PP-399 Fixed bug in error handling - a NullPointerException in the session controller might happen if an agent connected and disconnected without asking for any sessions.
  . PP-396 Added http2 support to the embedded Jetty launcher - support is enabled between browser and dispatcher. ALPN support specific to the Java version included with PP is added to allow the client to specify the preferred protocol as part of the TLS protocol handshake. This is enabled in pp_launch.xml by setting http2="true". VERY IMPORTANT !!!! You need to add the JVM argument -Xbootclasspath/p:"${portalprotect.home}/alpn/alpn-boot-8.1.6.v20151105.jar" when starting the dispatcher in pp_launch.xml, or it will fail upon startup when http2=true in the launcher configuration.
    Also note that Java 8 is required; Java 7 is no longer supported with the builtin Jetty webserver.
- 29/10 2015, KR
  . PP-398: Demoapp changed so it works with different context paths. Updated PortalProtect_Samples with a new "dummy" authentication plugin, which allows login and setting of state variables using any values without validation - it is only meant to be used for development and must never be used in production. To use it, compile it and place the .jar in /plugins and use e.g. the demoapp's dummylogin.jsp
- 26/10 2015, KR
  . PP-397: Configuration macro handling needs to be able to read from the environment as well as system properties. Instead of using ${systemproperty:name} or ${name} in the configuration to replace with the value of a system property, we now also support using ${environment:name} to substitute the value of the named environment variable instead.
  . PP-396: Upgraded bundled Jetty to version 9.3.5 - please note that this requires Java 8, so PortalProtect is no longer supported with Java 7, but requires Java 8 when running with the embedded webserver.
- 22/10 2015, KR
  . PP-394 Bugfix: Timeout on fetching CRL lists set to 1 minute. Previously no timeout was set, so theoretically the server could take forever to reply.
  . PP-393 Fixed classloader issue in GenericWebAppLauncher, which caused servlets within a war file to be unavailable. Added example configuration (pp_launch_demoapp.xml) - it can be copied into pp_launch.xml to let the PP service launcher start up the demo application as part of the PP service, using the GenericWebAppLauncher. Added support for setting the SSL renegotiate flag in Jetty, and changed default cipher suites to the ones currently considered secure. Note that this means that SSL with Jetty no longer works with Internet Explorer 6 on XP if you use these cipher suites. Be sure to check your site with ssllabs.com to see if you are only using secure cipher suites.
  . JRE distributed with PP is now the newest available version, 1.8.0_66
- 4/10 2015, KR
  . PP v5.29 released
- 4/10 2015, KR
  . PP-391 Shutdown fixes and extra logging added to the service launcher.
  . PP-392 Dispatcher did not use the value of urlInvalidIPRedirect as default for alternateserver.xxxx.urlInvalidIPRedirect
  . PP-376 Added the ability to parse federation metadata, e.g. from Microsoft. A demonstration of how to use it can be found in the sample SAML/ADFS plugin provided in the PP distribution
- 1/9 2015, KR
  . PP-388 Sample authentication plugins, as well as the PortalProtect default authentication plugins, now store passwords in the database using BCRYPT hashing by default instead of plain SHA hashing. Added dk.itp.security.utils.PasswordVerifier which recognizes various types of password hashes and verifies a hashed password against a real one. It supports the various encryption/obfuscation methods available in PasswordUtils as well as the BCRYPT, SHA and PBKDF2 algorithms. The default useradmin/identity manager GUI now uses BCRYPT instead of SHA hashing when setting passwords. IMPORTANT: You should update any authentication plugins you have to use the new password verifier, which works with a wide array of hash types, to handle both old SHA hashes and newer BCRYPT hashes. Those of you who already use more secure hashing algorithms might not need to change, but you should evaluate current strategies to ensure they are still safe.
- 1/9 2015, KR
  . PortalProtect services now append to stdout/stderr logs instead of overwriting them on startup.
- 29/8 2015, JN/KR
  . PP-387: Fix for searchOrganisation, now using prepared statements to prevent possible SQL injection. Also fixes in the searchUser method. Fixes in UserDAO, TransactionLogDAO, RevisionLogDAO, NonRepLogDAO, UserSearchPlugin - if you use these classes directly in any PP extensions, ensure you test properly.
- 26/8 2015, KR
  . PP-385: Updated both the default PP useradmin/password plugin and the sample plugin code to lock the user after x invalid password attempts.
    The property "useridpassword.maximuminvalidpasswordattempts" (default 5) controls the number of invalid attempts in a row accepted - set it to 0 to disable this and not lock the user automatically. If "useridpassword.autounlockminutes" (default 60) is set to > 0, the user's challenge will automatically be unlocked when x minutes have passed since the user was locked.
- 9/7 2015, KR
  . PP v5.28 released
- 9/7 2015, KR
  . PP-378: PP Installer now prompts for the log file location - if entered, the default location in logback files and dispatcher access logs, as well as service stderr/stdout redirection files, is changed to the new location. If you need to change the path for redirected files after installation, you can edit .install4j/response.varfile where you can set another directory - it takes effect at the next service restart.
  . PP-377 Dispatcher UrlRewrite rules were not case-sensitive by default - this is now fixed.
  . PP-380 Added GetSessionsWhereUserIsAuthenticated() method to the .NET agent.
- 8/7 2015, KR
  . PP-381: SSL provider name can now be specified for CA providers for PIDCPR lookups. This is done using the new configuration attribute ca.provider.xxxx.ssl.providername and setting it to e.g. SunJSSE.
  . PP-380 Added new method to the Java agent: getSessionsWhereUserIsAuthenticated() - it can look up sessions for which a specified user is currently authenticated. This can be used to find all sessions where a specific user is authenticated and then perform some action upon the session, such as logging the user out.
- 29/6 2015, KR
  . PP-374: Added new options to the dispatcher: http11.ssl.enabledCipherSuites and http11.ssl.enabledProtocols, which can be used to restrict the default set of protocols/cipher suites used when establishing SSL connections to backend application servers.
  . PP-373: Bugfix: Async HTTP Proxy was not able to handle chunked POST input data.
  . PP-375: Bugfix: If no target server entries were specified, the dispatcher sends a HTTP 503 response, but no urlmemory entry was created.
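What a plugin author needs from the PP-388 change (1/9 2015) above, as an added example: one verify routine that recognises more than one stored hash format, plus the upgrade-on-login step that moves legacy records to a salted, iterated hash. This is not dk.itp.security.utils.PasswordVerifier or any other PortalProtect code; the class name, the "{SHA}" and "{PBKDF2}iterations:salt:hash" record layouts and the sample record are assumptions made for illustration. BCrypt, which the entry names, is left out only because the JDK ships no implementation of it, so the upgrade target here is PBKDF2 instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/*
 * Added example, not PortalProtect code. Record layouts ("{SHA}..." and
 * "{PBKDF2}iterations:salt:hash") are assumptions for illustration.
 */
public class MultiFormatPasswordVerifier {

    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int PBKDF2_KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** Verify a cleartext password against whatever format the database record holds. */
    public static boolean verify(String password, String stored) throws Exception {
        if (stored.startsWith("{SHA}")) {
            // Legacy unsalted SHA-1, Base64 encoded: still accepted so existing users can log in.
            byte[] expected = Base64.getDecoder().decode(stored.substring("{SHA}".length()));
            byte[] actual = MessageDigest.getInstance("SHA-1")
                    .digest(password.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        }
        if (stored.startsWith("{PBKDF2}")) {
            String[] parts = stored.substring("{PBKDF2}".length()).split(":");
            if (parts.length != 3) {
                return false; // malformed record: reject rather than guess
            }
            int iterations = Integer.parseInt(parts[0]);
            byte[] salt = Base64.getDecoder().decode(parts[1]);
            byte[] expected = Base64.getDecoder().decode(parts[2]);
            byte[] actual = pbkdf2(password, salt, iterations, expected.length * 8);
            return MessageDigest.isEqual(expected, actual);
        }
        return false; // unknown prefix: never fall back to a plaintext comparison
    }

    /** True for formats that should be replaced on the next successful login. */
    public static boolean needsUpgrade(String stored) {
        return stored.startsWith("{SHA}");
    }

    /** Hash a password for storage in the current (salted, iterated) format. */
    public static String hashForStorage(String password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEY_BITS);
        return "{PBKDF2}" + PBKDF2_ITERATIONS + ":" + b64(salt) + ":" + b64(hash);
    }

    private static byte[] pbkdf2(String password, byte[] salt, int iterations, int keyBits)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, keyBits);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password chars in the spec object
        }
    }

    private static String b64(byte[] bytes) {
        return Base64.getEncoder().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        // Constructed legacy record: unsalted SHA-1 of "correct horse", Base64 encoded.
        String legacy = "{SHA}" + b64(MessageDigest.getInstance("SHA-1")
                .digest("correct horse".getBytes(StandardCharsets.UTF_8)));

        System.out.println("legacy record, right password  : " + verify("correct horse", legacy));
        System.out.println("legacy record, wrong password  : " + verify("wrong", legacy));

        // What a login plugin does after a successful check of a legacy record: rehash and store.
        if (verify("correct horse", legacy) && needsUpgrade(legacy)) {
            String upgraded = hashForStorage("correct horse");
            System.out.println("rehashed record                : " + upgraded);
            System.out.println("upgraded record, right password: " + verify("correct horse", upgraded));
            System.out.println("upgraded record needs upgrade  : " + needsUpgrade(upgraded));
        }
    }
}
```

The prefix dispatch is what lets old and new records coexist in one table during a migration; the rehash only happens on a successful login because that is the only moment the plugin holds the cleartext needed to produce the stronger hash.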
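The lockout behaviour that the two useridpassword.* properties from the PP-385 entry above describe, as an added example. It is not the PortalProtect plugin code: the class, its in-memory counters and the constructed clock values are assumptions for illustration, and a real plugin would persist the counters alongside the user record.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not PortalProtect code: "lock after N failures in a row,
 * auto-unlock after M minutes", with 0 disabling each feature.
 */
public class InvalidPasswordLockout {

    private final int maximumInvalidPasswordAttempts; // 0 disables automatic locking
    private final int autoUnlockMinutes;              // 0 keeps a locked user locked until an admin unlocks
    private final Map<String, Integer> failuresInARow = new HashMap<>();
    private final Map<String, Long> lockedAtMillis = new HashMap<>();

    public InvalidPasswordLockout(int maximumInvalidPasswordAttempts, int autoUnlockMinutes) {
        this.maximumInvalidPasswordAttempts = maximumInvalidPasswordAttempts;
        this.autoUnlockMinutes = autoUnlockMinutes;
    }

    /** Check before verifying the password; expires the lock if autounlock applies. */
    public synchronized boolean isLocked(String user, long nowMillis) {
        Long since = lockedAtMillis.get(user);
        if (since == null) {
            return false;
        }
        if (autoUnlockMinutes > 0 && nowMillis - since >= autoUnlockMinutes * 60_000L) {
            lockedAtMillis.remove(user);
            failuresInARow.remove(user); // the streak starts over after an automatic unlock
            return false;
        }
        return true;
    }

    /** Record a wrong password; returns true when this attempt is the one that locks the user. */
    public synchronized boolean recordFailure(String user, long nowMillis) {
        if (maximumInvalidPasswordAttempts <= 0) {
            return false; // locking disabled by configuration
        }
        int count = failuresInARow.merge(user, 1, Integer::sum);
        if (count >= maximumInvalidPasswordAttempts && !lockedAtMillis.containsKey(user)) {
            lockedAtMillis.put(user, nowMillis);
            return true;
        }
        return false;
    }

    /** A correct password ends the "in a row" streak. */
    public synchronized void recordSuccess(String user) {
        failuresInARow.remove(user);
    }

    public static void main(String[] args) {
        InvalidPasswordLockout policy = new InvalidPasswordLockout(5, 60); // the documented defaults
        long t0 = 1_420_000_000_000L; // constructed clock value, not wall time

        // Four failures, then a success: the streak resets and nobody is locked.
        for (int i = 1; i <= 4; i++) {
            policy.recordFailure("alice", t0 + i * 1_000L);
        }
        policy.recordSuccess("alice");
        System.out.println("locked after 4 failures + success: " + policy.isLocked("alice", t0 + 10_000L));

        // Five failures in a row: the fifth one locks.
        for (int i = 1; i <= 5; i++) {
            boolean lockedNow = policy.recordFailure("alice", t0 + 20_000L + i * 1_000L);
            System.out.println("failure " + i + " locked the user: " + lockedNow);
        }
        System.out.println("locked 30 minutes later: " + policy.isLocked("alice", t0 + 25_000L + 30 * 60_000L));
        System.out.println("locked 61 minutes later: " + policy.isLocked("alice", t0 + 25_000L + 61 * 60_000L));

        // maximuminvalidpasswordattempts=0: failures never lock the user.
        InvalidPasswordLockout disabled = new InvalidPasswordLockout(0, 60);
        for (int i = 1; i <= 50; i++) {
            disabled.recordFailure("bob", t0 + i);
        }
        System.out.println("locked with locking disabled: " + disabled.isLocked("bob", t0 + 100));
    }
}
```

Two details matter operationally: isLocked must be consulted before the password is checked, so that a locked account does not keep feeding the failure counter, and the lock timestamp (not the last failure) is what autounlockminutes is measured from, which is the semantics the entry states.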
- 18/6 2015, KR
  . PP v5.27 released
- 16/6 2015, KR
  . PP-368: Removed REQUEST_ISSUER_ID from nemid parameters, since it is no longer needed with the newest NemID JS implementation.
  . PP-370: Configuration changes on slave config servers are no longer replicated to the master server; this means the master configuration will always be the most current one and override any eventual changes made on the slave servers. This change was done to ensure that configuration is always consistent and always controlled by the "master" server.
  . PP-367: gzipResponse can now be specified per alternateserver. Added new properties disableGzipUrlFilter and disableGzipContentTypeFilter; it is also possible to specify these per alternateserver. They specify respectively the URL and content type filters that, if they match, cause the response not to be zipped even if gzip is turned on and the browser supports it. This is done primarily to support older MSIE versions which claim to support gzip, but do not work with it for certain file types and mime content types. Default values are: disableGzipUrlFilter: "*.js|*.css|*.wml|*.cab|*.pdf|*.zip|*.gz" and disableGzipContentTypeFilter: "image/*|binary/*|application/*"
- 18/5 2015, KR
  . PP v5.26 released
- 18/5 2015, KR
  . PP-363 SQL statement "acl_query_users" did not work with MS SQL Server
  . PP-364 Default authentication plugins as well as sample authentication plugins using the useradmin database all expected both firstname and lastname to be filled out - if they were not, the username would appear with "null" as part of the name. This is now fixed for all authentication plugins and samples, so they handle it if either the first name, the last name or both are missing.
- 17/5 2015, KR
  . PP v5.25 released
- 17/5 2015, JN
  . PP-362 Ability to add a user to an organisation in the web admin UI
- 11/5 2015, KR
  . PP-359: WS-Security API now allows specifying whether mustUnderstand should be set to 1 or 0 when signing, or signing and encrypting, SOAP messages.
  . PP-361: Sample app now adds wtrealm when redirecting to ADFS using WebSSO
  . PP-360: Added support for using a secondary classloader (thread context classloader) in Peer for loading command classes. This makes it possible to use the PP Agent in Grails applications where it can be loaded by the Grails default classloader.
- 9/5 2015, KR
  . Sample portalprotect-configuration.xml changed so "nios:" is used for SSL communication between dispatcher client and server. Also, tests with Windows Server 2012 and JRE 1.8_45 have shown periodic errors where we occasionally get "java.net.SocketException: Unrecognized Windows Sockets error: 0: recv failed" exceptions for both SSL and non-SSL connections using blocking sockets (tcp: URLs) - using nio/nios nonblocking sockets avoids these problems.
- 1/5 2015, KR
  . Bundled JRE updated to 1.8_45 - 1.8 is now bundled since 1.7 reaches end-of-life in April 2015, after which there will be no public updates made available by Oracle.
- 1/5 2015, KR
  . PP-351: Dispatcher improvement: for requests with a bearer token, return 403 instead of redirecting for all kinds of access errors.
- 19/2 2015, KR
  . PP-350 Bugfix: PP Dispatcher sent back the status code in the HTTP response twice, so e.g. "400 Invalid request" got sent to the browser as "400 400 Invalid request".
- 1/2 2015, KR
  . PP v5.24 released
- 31/1 2015, KR
  . Changed Jetty's default error handler for the dispatcher to remove the "Powered by jetty" text that was in there if PP was running in an embedded Jetty server.
- 31/1 2015, KR
  . PP-345: Added support for a new type of GeoIP checking: if allowgeoipswitching=COMPLEX, you can now have explicit rules for determining if the particular change in IP is allowed or not. Please refer to the users guide for details; look for allowgeoipswitching and complexgeoiprule.xxxx in the configuration reference section. The new configuration entry complexgeoiprule.xxxx allows detailed control over when an IP change is allowed, e.g.
    country1="SE|DK"&country2="SE|DK" or isp1=isp2&country1=country2&country1="DK" - here the first rule allows switching between the SE and DK countries, whereas the second allows switching between the same ISP and country, but only for Denmark. Please refer to the users guide for full details.
- 31/1 2015, KR
  . PP-245: New configuration setting for the dispatcher - urlInvalidIPRedirect and alternateserver.xxxx.urlInvalidIPRedirect added - if this URL is set, and a client request comes in with an invalid IP address, then we will redirect to this URL. Since there is a risk that the user might switch IP addresses multiple times, the error page here should have embedded CSS, images etc. to avoid more than a single HTTP request. Before redirecting, the current session cookie is deleted, meaning the user's session will be gone from the browser and a new anonymous one will be created on the request to the page. The originalUrl request parameter will be added to the URL, and the hadSessionID parameter will also be added with the previous session ID. If the URL is set to "403", an HTTP error 403 will be sent back instead. Also, if the client request URL is one with an OAuth2 bearer token, then 403 will be sent back instead of a redirect in case the request comes from an invalid IP address. In these cases, the session cookie will not be removed from the browser. If urlInvalidIPRedirect is set to an empty value or not defined, then the dispatcher will send back HTTP error 400. Please note that this is a change from the previous default, where the dispatcher threw an IOException causing the servlet container to send an error 500, letting the client believe it was a server error that had occurred.
- 30/1 2015, KR
  . PP-348: PP Agent. Fixed bug in error handling when all connections in a loadbalanced peer break at the same time, e.g. because of a network error.
    Depending on timing, the thread handling the disconnection might fail with a NullPointerException, and then the connection would not be reestablished to the server.
- 29/1 2015, KR
  . Improvement to the HTTP proxy server for SSL requests. Now, SSLv3 is added to the list of disabled protocols by default and TLSv1 is added to the list of enabled protocols. Also, all the current methods in Jetty's SslContextFactory have been exposed to the configuration so they can be changed using configuration - this adds these 35 new configuration properties to the HTTP proxy: ssl.certAlias, ssl.crlPath, ssl.enableCRLDP, ssl.enableOCSP, ssl.endpointIdentificationAlgorithm, ssl.excludeCipherSuites, ssl.includeCipherSuites, ssl.includeProtocols, ssl.excludeProtocols, ssl.keyManagerPassword, ssl.keyStorePassword, ssl.keyStorePath, ssl.keyStoreProvider, ssl.keyStoreType, ssl.maxCertPathLength, ssl.needClientAuth, ssl.ocspResponderURL, ssl.protocol, ssl.provider, ssl.renegotiationAllowed, ssl.secureRandomAlgorithm, ssl.enableSessionCaching, ssl.sslKeyManagerFactoryAlgorithm, ssl.sslSessionCacheSize, ssl.sslSessionTimeout, ssl.stopTimeout, ssl.trustAll, ssl.trustManagerFactoryAlgorithm, ssl.trustStorePassword, ssl.trustStorePath, ssl.trustStoreProvider, ssl.trustStoreType, ssl.validateCerts, ssl.validatePeerCerts, ssl.wantClientAuth. Please refer to the Jetty HTTP Client's documentation for SslContextFactory for details.
- 20/1 2015, KR
  . PP-347 For OAuth2, if oauthrules are defined and a request matches a rule where a bearer token is required, we normally send back a 401 authentication required error, but now we allow the HTTP OPTIONS method through, since the browser will automatically generate such a call before attempting methods other than GET, POST or HEAD (see http://www.w3.org/TR/cors/ ).
- 7/12 2014, KR
  . PP v5.23 released.
- 2/12 2014, KR
  . PP-340 Added forceConnectionClose to HTTP proxy server settings - if set to true, a "Connection: close" header is added to all requests to ask the server to close the connection after each request. Also, fixed a bug where httpTimeoutSecs was used for the maximum lifetime of the proxied connection instead of as an idle time, allowing requests that keep sending data to take longer.
  . PP-340: "User-Agent: Jetty" header was added to all outgoing requests in the HTTP proxy server - it is now removed along with the Accept-Encoding header that the Jetty client added.
- 30/11 2014, KR
  . PP v5.22 released.
- 27/11 2014, KR
  . PP-340 Added httpIdleTimeoutSecs to HTTP proxy server settings - this specifies the idle timeout before an HTTP client connection will be forcibly closed. Until this idle time expires, the socket connection can be reused for additional requests.
  . PP-340 Embedded Jetty updated to version 9.2.5
- 29/10 2014, KR
  . PP-333 Added new configuration property wss.singleCertInBST - if it is set to true (the default) then only the signer certificate will be included in the BinarySecurityToken in the signed/encrypted XML/SOAP. If set to false, the entire certificate chain, if available from the original keystore, will be included.
- 07/10 2014, KR
  . PP v5.21 released.
- 07/10 2014, KR
  . PP-326 BugFix: asyncproxyservlet did not work with SSL after upgrading to Jetty 9.2.1 - also, the connect timeout was not set correctly and the Content-Length header was not set on POST requests, sending chunked content which gave problems with some webservers.
  . PP-323 Now log GeoIP database info when loading GeoIP databases.
  . PP-323 Updated MaxMind API to allow reading both new (.mmdb) and old (legacy .dat format) databases - this adds required jackson .jar files to extlib
- 29/9 2014, KR
  . PP-325 Updated embedded Jetty to version 9.2.3
- 27/9 2014, KR
  . PP-323 maximumIPAdresses added. If set to larger than 1, it specifies the maximum number of different IP addresses a client can switch between.
- 02/7 2014, KR
  . PP-317: Config server's list of agent versions was blank for loadbalanced peer connections.
- 24/6 2014, KR
  . PP v5.20 released.
- 23/6 2014, KR
  . PP-315 The session ID format change had the side effect that when using old-style session IDs, only the session ID part and not the transaction ID part was stored in the string User.sessionId - this is not normally a problem, but it broke one customer authentication plugin, so now when using old-style session IDs, both the session ID and the transaction ID part are stored within the session.
- 21/6 2014, KR
  . PP-235 Updated embedded Jetty to version 9.2.1
- 3/6 2014, KR
  . PP-285 Updated session ID format - in 5.19 it was changed to contain base64 encoded characters - this gave problems with Tomcat (bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44679), which removes the = sign from the cookie value, so applications running in Tomcat were essentially broken by this. So, we have now changed the format so it replaces the = sign in the value with a minus sign, which does not appear to hit the Tomcat bug. Unfortunately this means that when you upgrade, you will again need to update all agents or they will not be able to interpret the minus sign in the session ID. The agents now accept both variations, replacing any - with = before attempting to base64 decode the value.
  . PP-235: Updated embedded Jetty to version 9.2.0 - this allows better performance and stability. This also means that PortalProtect server with embedded Jetty can no longer run on Java 6 and now requires Java 7 to run. Customers who do not use the embedded Jetty, but build a custom .war file themselves, can still use Java 6 for the server, since only the Jetty-specific parts of the code require Java 7. Note that the proxy server component heavily uses the new Jetty HttpClient, so it also requires Java 7.
    As a consequence of upgrading Jetty, a number of options have changed:
    - nonblockingio option has been removed and is always true - blocking IO is no longer supported in Jetty.
    - requestbuffersize/responsebuffersize no longer available - replaced with outputbuffersize
    - SSL options allowrenegotiate and handshaketimeout no longer available.
    - lowresourcesmaxidletime / lowresourcesconnections no longer available - configure a LowResourceMonitor using jetty.xml if you wish to use this feature. Added jetty-lowresources.xml example to default configuration.
- 11/5 2014, KR
  . PP v5.19 released.
- 10/5 2014, KR
  . PP-285 Experimental OAuth2 server support added. Please note that this is not yet complete.
    Added IAuthenticationPlugin.createFromTicket() method to allow an authentication plugin to create a new session from a ticket. Added cache of sessions based upon tickets to agents, and added OAuth token/ticket to the request ID so it can be carried around in addition to the session ID.
    Added new state variable to session; pp_disable_ipchecking - if set to true, the dispatcher will not perform IP address checking for this particular session.
    Added oauthrule.* and oauth.realmname properties; if a URL matches one specified in the oauthrule.* properties, the dispatcher will expect and use a bearer token in either the HTTP Authorization header, or as a URL parameter. This bearer token will be used instead of a session ID to obtain or create a new session. The OAuth2 plugin will be called with the new method createFromTicket() so it can create/fill the session with values related to the bearer token.
    The users guide is updated with a new section covering OAuth2 - note that OAuth2 support is still experimental and not yet complete - additional functionality will be provided soon.
- 7/5 2014, KR
  . PP-306 Bug in dispatcher's handling of HEAD requests when using HTTP 1.1. According to the HTTP specification, the dispatcher needs to ignore the HTTP 1.1 Content-Length header and not attempt to read a response body, but the dispatcher attempted to read a response body for HEAD requests when using HTTP 1.1 between dispatcher and application.
  . PP-307 Added spnegoAuthenticationPluginType and alternateserver.xxxx.spnegoAuthenticationPluginType where the ID of the SPNEGO authentication plugin can be changed per alternateserver definition, so different plugins can be used for different applications within the same dispatcher servlet.
- 25/4 2014, KR
  . PP-301 Request/Session ID format changed. The old request ID was fixed length and consisted of a 40 character session ID and a 20 character transaction ID; this is no longer enough to communicate request specific information, so it is replaced with a new dynamic length format. Unfortunately, this means that it is not backwards compatible with older agents, so you will need to upgrade all agents when you switch to PP v5.19. If you for some reason are not able to do that for the moment, you can set the property useOldStyleSessionID to true on the session controllers - this will cause them to use the old session ID format that is compatible with existing old agents. Note that the default for useOldStyleSessionID is false, so PP will by default use the new session ID format. Also note that when using the old format, you will not be able to gain the benefits of the new information available in the new format.
    Also, if you have any code using PortalProtect that relies on the old session ID length, e.g. by assuming a session ID is always 40 characters and a request ID is always 60, then you will need to update it to use UniqueId.isProperSessionID() instead.
  . PP-301 Added PPServletHelper.getSessionIDFromRequest utility method which can be used to read a session ID from an HttpServletRequest.
  . PP-300 The current source port number is now available in the transaction ID within the new session ID, and can be obtained by calling new UniqueId(requestID).getCurrentPort(). Added clientportheader property to the configuration; this can be used to specify which HTTP header contains the client TCP source port in case a hardware SSL accelerator or equivalent is used which forwards the information in an HTTP header.
  . PP-302 Fixed bug in default hours resolution for statistics, which used an incorrect default value for the number of hourly timeslots to store statistics in.
  . PP-303 Added documentation on how to use NemID for JavaScript, which is now supported by PortalProtect once Nets makes it publicly available.
- 16/3 2014, KR
  . PP v5.18 released
- 16/3 2014, KR
  . PP-270 Added ADFS/WebSSO support for the case where PortalProtect acts as an Identity Provider towards ADFS or a third party using WebSSO.
- 09/3 2014, KR
  . PP-294 Fixed performance regression when setting storeUserAgentInSession=true for dispatcher.
  . PP-293 Extended JBoss server authentication module with support for WildFly 8.
- 19/2 2014, KR
  . PP-290 Added support for Unwire SMS provider when sending OTP codes via SMS.
- 20/1 2014, KR
  . PP v5.17 released
- 20/1 2014, KR
  . Updated applet signer and PIDCPR SSL client keys/certificates to newer ones issued by DanID - both are required since they accidentally revoked the old ones.
  . Changed installer prompt for users so users on non-local domains can be entered.
- 14/1 2014, KR
  . PP-278 NemID JS bugfix. Fixed bugs in generated JSON, where some fields had = instead of : and signatureproperties was not base64 encoded. Both bugs were ignored by DanID's JS engine but the JSON request failed their validation. Please note that NemID JS will open up for service providers in April 2014; it is currently only available for alpha testing by banks.
- 5/1 2014, KR
  . PP v5.16 released
- 3/1 2014, KR
  . PP-278 Added NemID JavaScript support to both Java 1.6+ and .NET agents. Note that this is experimental and still requires more testing - in April 2014, Nets/DanID will open up for testing for service providers.
- 11/12 2013, KR
  . Added Tomcat7 Realm, allowing integration with Tomcat 7.
- 21/11 2013, KR
  . PP-284 Updated to slf4j v1.7.5 and logback v1.0.13 - you will need to update the version in your launcher xml files, see pp_launch.xml for an example.
- 06/11 2013, KR
  . PP v5.15 released
- 11/11 2013, KR
  . PP-272: New feature: SSO integration with Microsoft ADFS using either WS-Federation or the SAML WebSSO profile. Updated PortalProtect Users Guide with a description of how to configure PortalProtect to use Microsoft ADFS as an identity provider. DotNet and Java applications have been updated with examples that demonstrate how to integrate ADFS into a login application, and prompt the user to select which identity provider to use.
- 29/10 2013, JN
  . Fixed XSS possibilities on PortalProtect DemoApp
- 08/10 2013, KR
  . PP-269: Added new option, integratedWindowsAuthenticationHostname and alternateserver.xxxx.integratedWindowsAuthenticationHostname - if specified, instead of using the Host header, this name will be used as the target for the Kerberos tickets - this allows you to have one hostname exposed to the users in the browser, and another in Active Directory used for the server receiving the ticket.
- 06/10 2013, KR
  . PP v5.14 released
- 06/10 2013, KR
  . Replaced expired Asseco test PIDCPR certificate with DanID's test certificate
- 04/10 2013, KR
  . PP-267: Added new property to pp_launch.xml; if set, then the dispatcher will not start up Jetty - this can be used to run multiple dispatchers on the same Jetty webserver but with different virtual hosts. Add this property to the first dispatcher so it doesn't start Jetty - this is needed because once Jetty is started, we cannot add more webapps to it.
  . PP-264: Added requestbuffersize, requestheadersize, responsebuffersize and responseheadersize to webservice parameters in pp_launch.xml - this allows you to specify these Jetty parameters directly in the launcher xml file. This can be used to avoid the error "Jetty parser buffer full" if you have large (> 6k, which is the default) HTTP headers.
  . PP-263: Password fields, including state variables where the key contains the string "password", are now hidden and will no longer be shown in the PP admin GUI.
- 15/09 2013, KR
  . PP-259: Added new properties to dispatcher; browserauth.ignoreurls and alternateserver.xxxx.browserauth.ignoreurls. If the URL matches this pattern, the dispatcher will not attempt to authenticate requests using SSL client certificate, basic auth, NTLM or SPNEGO - instead the request will continue as anonymous. This can be useful for e.g. SPNEGO or NTLM for certain ping URLs in case you do not want to prompt the user for authentication.
- 05/09 2013, KR
  . Default sessionctrl restricted port changed from 8081 to 21242 to avoid conflicts with other applications.
  . The .NET sample application, SampleWwwRoot.zip, did not contain the correct PP .Net Agent; it had an old version, so it did not work without replacing the dlls inside it with the correct versions from PortalProtect_DotNet_Agent.zip
  . Default pp_launch.xml changed to add "-Djava.net.preferIPv4Stack=true" to JVM startup options to avoid IPv6 related issues with validating the IP address for localhost.
- 08/08 2013, KR
  . PP v5.13 released
- 15/08 2013, KR
  . PP-258: NIO bugfix - with JRockit 1.6.0.31, the optimizations done as part of PP-197 seem to have provoked a JVM bug. We have now removed the calls to Selector.wakeup, and the JVM bug is no longer reproducible.
- 08/08 2013, KR
  . PP v5.12 released
- 08/08 2013, KR
  . PP-254: Improvement: Added overflow threads to the threadpool, which only a few commands are allowed to use. This is used by synchronization between session controller mirrors to avoid situations where all threads are busy on both mirrors and they are blocked waiting for the other mirror to acknowledge changes to a session. This avoids the scenario where high load relative to the configured maximum number of threads can result in timeouts where 2 or more session controllers in a cluster wait on each other to acknowledge session changes.
  . PP-257: Fixed timing issue on Linux with loadbalanced peer connections.
- 31/07 2013, KR
  . PP-251: Bugfix: When a peer server shuts down, it attempts to send a command to .NET clients that asks them to switch to another server, but .NET serialization was not implemented for that command.
  . PP-252: PDF report images were not always read completely, causing distorted images.
  . PP-253: NTLM fallback on SPNEGO authentication only worked if the dispatcher was configured with ntlmEnabled=true on dispatcher level, and not per individual server.
- 29/06 2013, KR
  . PP v5.11 released
- 29/06 2013, KR
  . PP-239: Apache's xmlsec DOM security provider is now added first in the path when verifying OCES logins, since it will fail otherwise if Apache's XMLSecurity provider is first in the classpath, but not first in the security provider list. This depends on the JVM used.
- 20/06 2013, KR
  . PP v5.10 released
- 20/06 2013, KR
  . PP-243: PP configserver displayed logback loglevel as DEBUG when set to TRACE - this is now fixed.
  . PP-241: SOAP encryption algorithm now changed to use rsa-1.5 for encrypting the symmetric key, and Triple DES for the symmetric key itself - this enables SOAP encryption to work with SKAT's hentselv services. The dk.itp.portalprotect.wss.PPCrypto class now outputs information about which certificates Apache xmlsec's or wss4j's methods try to look up, to help diagnose cases where the correct certificate is not installed. To see this information, debug needs to be turned on in log4j or logback for this class.
- 17/06 2013, KR
  . PP v5.09 released
- 17/06 2013, KR
  . PP-239: WS-Security: disabled the new version of xmlsec's truststore handling and replaced it with our own, otherwise missing intermediate certificates would not have worked. Also, attributes id, Id, and ID, no matter the case or namespace, in signed/validated XML documents are now considered valid reference IDs, and set as identifiers in the XML parser so they can be found with the new Apache xmlsec code, which no longer does that itself.
- 09/06 2013, KR
  . PP v5.08 released
- 09/06 2013, KR
  . PP-224: The signSOAP/signAndEncryptSOAP methods in the WSSAgent which previously took a boolean value to specify whether a thumbprint should be used or not have been replaced with a keyIdentifier where you can specify either WSSAgent.KEYIDENTIFIER_BINARYSECURITYTOKEN, WSSAgent.KEYIDENTIFIER_THUMBPRINT or WSSAgent.KEYIDENTIFIER_BINARYSECURITYTOKEN_AND_THUMBPRINT - to either add the BinarySecurityToken as key identifier (which is the default), or to add a thumbprint, or, as a special case for interfacing with one of SKAT's systems which requires both, both can be specified.
  . PP-240: After decrypting an encrypted SOAP message, the EncryptedKey element is removed from the WS-Security SOAP header to avoid problems later if attempting to re-verify/decrypt the already decrypted message.
  . PP-239: WS-Security xmlsec/wss4j update broke signature verification in some cases so the correct certificate to verify the trust chain could not be found. This is now fixed and is working again.
- 30/05 2013, KR
  . PP v5.07 released
- 28/05 2013, KR
  . PP-224: Now calls LunaTokenManager.getInstance().SetSecretKeysExtractable(true); when initializing the Luna JCE provider so the Luna box can be used for XML encryption.
- 23/05 2013, JN
  . PP-208: Added PostgreSQL/EnterpriseDB support to PortalProtect user administration server
- 22/05 2013, KR
  . PP v5.06 released
- 21/05 2013, KR
  . PP-237: Dispatcher now logs a hexdump of request content (e.g. data in a POST request) if debug logging is enabled.
  . PP-224: SignatureMethod can now be specified in WSSAgent API calls when signing XML.
  . PP-227: Default dispatcher configuration changed to ask for an SSL client certificate but not require it; this is done to enable optional SSL client certificate authentication.
- 20/05 2013, KR
  . PP-231: Added nonce to OCSP request to bypass a defective cache at DanID where they occasionally send an old cached OCSP response which is hours old.
  . PP-232 If SSL authentication fails in the dispatcher when it tries to authenticate using an SSL client certificate, the session now continues anonymously to allow fallback authentication using another authentication method.
  . PP-234 Updated logo on website, and cleaned up CSS a little
- 18/05 2013, JN
  . PP-233: Useradmin webapp error connecting to remote config servers
- 14/05 2013, KR
  . PP v5.05 released
- 13/05 2013, KR
  . PP-224: Added XML Encryption support for the JDK 1.4 version of PP Agent, and added signSOAP/signAndEncryptSOAP methods that allow SOAP signing to include the thumbprint (SHA-1 hash) of the signer's certificate instead of the full certificate itself.
  . Upgraded to newest WSS4J (1.6.10) which is a requirement for working properly with the new Apache xmlsec. Note that it is important that you upgrade both wss4j and Apache xmlsec as the API is not backwards compatible, so you will require the newest versions distributed with PortalProtect.
  . JCL-over-slf4j now included with PP by default; this causes applications using Jakarta Commons Logging to log to slf4j, which in turn logs to logback or log4j depending on configuration.
- 12/05 2013, KR
  . PP v5.04 released
- 12/05 2013, KR
  . PP-230 Support Java 1.7.0_21 changes to Runtime.exec() by using ProcessBuilder to start the JVM
- 12/05 2013, KR
  . PP-224: Added support for XML Encryption to WS-Security module - it allows encryption of XML content using a generated Triple DES symmetric key encrypted with the receiver's public key.
    For decryption, an alias of a private key for decrypting the message is required. Added the following new methods to WSSAgent: encryptXML, decryptXML, signAndEncryptXMLEnveloped and decryptAndValidateXMLSignature. See the new section on XML encryption in the Users Guide for details of its use.
  . Also, signXML and signXMLEnveloped methods now support specifying the digest method (default is sha1, but sha256 can also be specified).
  . Newest version of xmlsec (Apache XML security) now distributed with PP.
- 05/05 2013, KR
  . Added cause to PTException - enables it to carry the causing exception. Beware of overusing this however, since if the exception is serialized, the receiver needs to be able to deserialize the causing exception too.
- 01/05 2013, KR
  . PP-226 Added setStatistics method to DBPool. Also added setStatistics to IRevisionLog/IRevisionLogExtended - the method is not in the interface to keep backwards compatibility, but if the method is present it is called when the object is constructed.
- 09/04 2013, KR
  . PP-221 Error logged in SPNEGO authentication plugin when systemuser is not found changed to warning.
- 11/03 2013, KR
  . PP-218: Dispatcher improvement: Statistics for HTTP methods are only added for known methods, like "GET Requests" and "POST Requests" - not "ZYX Requests".
- 10/03 2013, KR
  . Version 5.03 released.
- 09/03 2013, KR
  . PP-215 Current IP address is now part of the request ID and updated for each request. Added new interface, IRevisionLogExtended, which can be used instead of IRevisionLog - if a revision log class implements this interface, it will be called with the current request ID - this allows it to log the user's current IP address. Note that the ID will not always be available, since e.g. logoff might be called as a result of a timeout. The UniqueId class which parses the session ID has a new method, getCurrentIP(), which will return the user's current IP address. Note, if the information is not available, "0.0.0.0" is returned. UniqueId is updated for the JDK1.4, JDK1.6 and .NET agents.
- 06/03 2013, JN
  . PP-206 Send email when user is created. Now supported through a user creation plugin for the user administration server. Simple SMTP plugin is supported. Only plain text mails supported. One line message supported as well along with user information. See the new section in the Users Guide for information (search for SMTPNotifyUserCreationPlugin).
- 04/03 2013, KR
  . Version 5.02 released.
- 04/03 2013, KR
  . PP-215 Added logging when a user switches IP to the dispatcher; the dispatcher now logs "Client switched IP from xxx to yyy".
  . PP-216 Fixed bug in DNSCache, where IP addresses with the value of the first byte > 127 were only resolved if reverse DNS lookup succeeded.
  . PP-212 Fixed bug in RemoteAddressRestricter where IPv6 hostnames which resolved to IPv6 addresses caused the check to fail.
- 03/03 2013, KR
  . Version 5.01 released.
- 02/03 2013, KR
  . PP-210 New feature, added support for GeoIP checking. New configuration properties for dispatcher: allowgeoipswitching and maximumgeoipdistance. allowgeoipswitching defaults to NONE, and maximumgeoipdistance defaults to 100. allowgeoipswitching can be set to NONE, ISP, ORGANIZATION, COUNTRY, CITY and DISTANCE. If set to something other than NONE, then the user is allowed to change IP address to other addresses within the same ISP, Organization, Country or City. If set to DISTANCE, the location is allowed to change up to maximumgeoipdistance kilometers from the initial IP location. Note that the database distributed with PP is limited in accuracy. You can purchase a yearly subscription to a more accurate database. Note that the organization database is rather large, so it is not by default distributed with PP; please contact support if you need it. Also, please note that GeoIP / GeoLite checking is a separate feature which you will need to purchase a license for in order to use. Asseco Denmark does not guarantee the accuracy of the database.
    New configuration options for session controller: geoip.database, geoip.ispdatabase and geoip.orgdatabase - they must point to the database files for each type of database; geoip.database points to the city/country database, geoip.ispdatabase points to the ISP database, and geoip.orgdatabase points to the organization database. Note that for the GeoIP feature to work, you will need at least geoip.database set up; the others are optional and if they are not set, the corresponding data will not be available.
- 01/03 2013, KR
  . PP-213 Added sample containing minimal NemID configuration. You can find it in samples/minimal_with_nemid
- 25/02 2013, KR
  . PP-211 If a user switches IP addresses, also if IP checking is off, the new state variable within a session, "clientipaddresslist", will contain the list of IP addresses the user has previously been using within the session (except for the address embedded within the session ID itself). If the list is > 1024 characters, no new IP addresses will be added to it for this session.
- 23/02 2013, KR
  . PP-205 Added DNS Cache; DNS lookups are now always done on separate threads in the Java agent and server. If a DNS lookup takes > 1 second, we give up and time out. If we have previously made a DNS lookup for a given name, we will attempt to refresh it every 5 minutes, but if a refresh takes more than 0.1 second, we will use the old cached value. This will avoid problems/hangs caused by slow DNS servers.
- 06/02 2013, KR
  . PP-202 LunaSupport looks for an additional exception, and restarts the Luna connection if it occurs.
- 03/02 2013, KR
  . Version 5.0 released.
- 03/02 2013, KR
  . PP-115 Peer connections now support NIO SSL, meaning connections between all peers can optionally be encrypted. To use SSL, specify nios:// instead of nio:// in the listen and connect URLs.
    In addition, a number of parameters can be set that control the behaviour. For the server, the following parameters can be set:
    - keystore
    - keystorepassword
    - keystoretype
    - enabledciphersuites
    For clients, these parameters can be set:
    - enabledciphersuites
    - acceptedcerts
    - validateservercert
    Example for server:
    nios:1234/?keystore=/ptskeystore&keystorepassword=password&enabledciphersuites=SSL_RSA_WITH_RC4_128_SHA
    and for client:
    nios://localhost:1234?validateservercert=false&enabledciphersuites=SSL_RSA_WITH_RC4_128_SHA
- 01/01 2013, JN
  . PP-191 Allow editing of user attributes in useradmin app, all defined attributes. Including support for attribute list plugin in the user admin server
  . Added support for extra classpath in launcher to include system macros that can be expanded
- 31/01 2013, JN
  . PP-191 Allow editing of user attributes in useradmin app (common attributes first)
- 28/01 2013, KR
  . PP-17 Added Windows event logging (log4jna based) logback appender example and documentation.
- 27/01 2013, KR
  . PP-17 Note that PortalProtect Server now requires logback-classic and logback-core .jar files in its classpath, or the logserver will not be able to run. These .jar files are required no matter whether you use log4j or logback for logging in the server itself. Because the logserver receives and processes log4j events from agents, log4j is also still required in the classpath even if you do not use it for logging.
  . Changes to audit logging: log4jaudit.properties is no longer used; instead the slf4j/logback/log4j logger "auditlog" is used when logging changes done through the PP admin GUI. By default it is configured to be logged to a separate file, the same as log4jaudit.properties previously pointed to, but log4jaudit.properties is no longer used.
  . The logserver now accepts both log4j and logback logging events, and both log4j and logback logging levels can be configured for attached agents using the PP admin console.
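The DNS cache timing rules from the PP-205 entry above (lookups on worker threads, a 1 second limit on a first lookup, refresh every 5 minutes, keep the cached address when a refresh takes longer than 0.1 second) as an added illustration written for this changelog; it is not PortalProtect's own DNSCache class. The class and method names, the injected resolver and the injectable clock are assumptions so the rules can be exercised without a real DNS server.

```python
import threading
import time
from concurrent.futures import Future, ThreadPoolExecutor
from typing import Callable, Dict, Optional, Tuple


class DNSCache:
    """Hypothetical stand-in for the PP-205 DNS cache (not the product's class).

    Rules implemented:
      * every lookup runs on a worker thread, never on the caller's thread
      * a name seen for the first time: wait at most `lookup_timeout` (1 s)
      * a cached name is refreshed after `refresh_interval` (5 min), but the
        caller waits at most `refresh_timeout` (0.1 s) and otherwise keeps the
        old address; the worker stores the fresh answer whenever it arrives
    `resolver` is any callable name -> address (socket.gethostbyname in real
    use); `clock` is injectable so the refresh interval can be tested.
    """

    def __init__(self, resolver: Callable[[str], str],
                 lookup_timeout: float = 1.0,
                 refresh_interval: float = 300.0,
                 refresh_timeout: float = 0.1,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._resolve = resolver
        self._lookup_timeout = lookup_timeout
        self._refresh_interval = refresh_interval
        self._refresh_timeout = refresh_timeout
        self._clock = clock
        self._lock = threading.Lock()
        # name -> (address, time the entry was last refreshed or re-attempted)
        self._cache: Dict[str, Tuple[str, float]] = {}
        self._pool = ThreadPoolExecutor(max_workers=8, thread_name_prefix="dnscache")

    def lookup(self, name: str) -> str:
        with self._lock:
            entry = self._cache.get(name)

        if entry is None:
            # First lookup: nothing to fall back on, so wait up to lookup_timeout
            # and then give up. A hung DNS server therefore costs at most 1 s per
            # name instead of blocking the request-handling thread indefinitely.
            address = self._wait(self._start(name), self._lookup_timeout)
            if address is None:
                raise LookupError(f"DNS lookup of {name!r} timed out or failed")
            return address

        address, refreshed_at = entry
        if self._clock() - refreshed_at < self._refresh_interval:
            return address

        # Stale entry: re-stamp it first so concurrent callers do not all start
        # refreshes (an assumption; the changelog does not specify this), then
        # wait only briefly for the new answer and fall back to the old one.
        with self._lock:
            self._cache[name] = (address, self._clock())
        fresh = self._wait(self._start(name), self._refresh_timeout)
        return fresh if fresh is not None else address

    def _start(self, name: str) -> Future:
        """Submit the lookup to a worker; the answer is cached whenever it lands."""
        future = self._pool.submit(self._resolve, name)
        future.add_done_callback(lambda done: self._store(name, done))
        return future

    def _store(self, name: str, future: Future) -> None:
        if future.exception() is None:
            with self._lock:
                self._cache[name] = (future.result(), self._clock())

    @staticmethod
    def _wait(future: Future, timeout: float) -> Optional[str]:
        """Return the address, or None if the worker is too slow or fails."""
        try:
            return future.result(timeout=timeout)
        except Exception:  # concurrent.futures.TimeoutError or a resolver error
            return None


if __name__ == "__main__":
    import socket
    cache = DNSCache(socket.gethostbyname)
    print("localhost ->", cache.lookup("localhost"))
```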
  . The "logconfiguration" configuration section that previously could be used to replace log4j properties using PP configuration is no longer supported.
  . When configuring the logserver, it will by default look for logback_server.xml in the classpath and use it to configure a logback appender - if this file is not found, it will look for log4jserver.properties and use it to load and configure log4j.
- 27/01 2013, JN
  . Fixed JDK 1.6 minor unicode build issues with WSSecurity
  . Added description of authentication methods to PortalProtect DemoApp
- 25/01 2013, KR
  . PP-198 Cleanup of socket connect code in dispatcher; now that we require JDK 1.6, the old reflection code is no longer needed.
- 24/01 2013, KR
  . PP-197 Speed up NIO performance when adding new sockets, making PP react faster to connecting agents. This halves the startup time of PP server with the default configuration.
- 22/01 2013, KR
  . PP-194 When sorting an X.509 certificate chain, we now no longer care about the order of the elements in the name, e.g. "CN=OCES CA, O=TDC, C=DK" is now considered the same as "C=DK, O=TDC, CN=OCES CA". This is now required since DanID apparently no longer always uses the correct order when issuing VOCES certificates.
- 14/01 2013, KR
  . PP-193 StringBuffer replaced with StringBuilder in most places where we do not expose it in API calls, to increase performance.
- 13/01 2013, KR
  . PP-17 Logging API changed from using log4j directly to using slf4j. This means that you will now need slf4j .jar files in your client instead of log4j. If you wish to continue using log4j, you can use the slf4j-log4j12-x.y.z.jar file; it will send the log entries to log4j. Depending on which extra .jar file you add, you can direct log output to wherever you want, such as java.util.logging or logback. This allows for increased flexibility at the cost of adding one or more extra .jar files. See more information about slf4j here: http://www.slf4j.org and logback here: http://logback.qos.ch
    As a result of this change, you will need to add all the slf4j jar files to your pp_launch.xml launcherclasspath; add this to it: extlib/slf4j-api-1.7.2.jar;extlib/slf4j-log4j12-1.7.2.jar
- 11/01 2013, JN
  . PP-188: OAuth LiveConnect sample authentication plugin in demoapp allowing users to login using their LiveConnect credentials.
  . Fixed demo app redirect port number issue when local testing
- 09/01 2013, JN
  . PP-124: Fixed JDK 1.6 compilation issues due to UTF-8 characters in SCL Server
- 03/01 2013, KR
  . PP-124: PortalProtect server and agent now require JDK 1.6 - but an older agent compatible with JDK 1.4/1.5 is now included in the PP distribution in the directory samples/integration/jdk14. It contains the following .jar files:
    PortalProtectAgent_jdk14.jar
    PortalProtectUserAdminAccess_jdk14.jar
    PortalProtectUserAdminClient_jdk14.jar
    PortalProtectWSSecuritySupport_jdk14.jar
    Note that we no longer support JDK 1.4/1.5 unless you have a specific agreement with us for that, so you must check with us before using these files. They will be removed in a future release.
- 18/11 2012, KR
  . Version 4.211 released
- 16/11 2012, KR
  . PP-185: WS-Security verification of signed documents did not work with a certificate chain in the BinarySecurityToken; it only supported the use of the end-user certificate and not the entire chain.
  . PP-186: When verifying certificates, if a certificate chain is not provided, but the user certificate contains an X.509 extension with a reference to where the issuer certificate can be downloaded, the issuer certificate will now be downloaded and cached for further use. This works with OCES certificates for both WS-Security and xmldsig signon.
- 12/11 2012, KR
  . PP-183: Added Google Authenticator support in authentication plugins and demo application. This requires minimum Java 1.6; earlier Java versions are not supported. The new files zxing_21_core.jar, zxing21_javase.jar and qrgen-1.1.jar have been added to extlib.
    They are used for generating QR codes that Google Authenticator can scan to enable easy registration.
  . PP-184: NemID examples upgraded to support authentication with NemID Hardware.
- 02/11 2012, JN
  . PP-139: First Radius server version with support for PAP authentication and accounting requests. Minimal status info. Next release will have two factor login with documentation for configuring Ubuntu to use it, as well as more status info in the console.
- 01/11 2012, KR
  . PP-179: When the session controller displays the list of sessions where users are logged on, it only displays up to 2000, but now it shows the total number of sessions where users are logged in, in the title.
- 29/10 2012, KR
  . PP-176: HTTP Proxy server can now log its access log the same way the dispatcher can, using the log4j logger name "accesslog".
- 22/10 2012, KR
  . Version 4.210 released
- 22/10 2012, KR
  . PP-174 Added pingRetryCount and alternateserver.xxxx.pingRetryCount - if nonzero, the ping of a server will be retried the specified number of times in case of a failure, to give the server a chance to reply. Also, statistics for when the server is down or up are now added, and the status change is added to the list of significant events for the dispatcher. Note that both statistics and events are only updated if the status changes.
  . PP-175 All HTTP responses from the backend HTTP server are now required to start with "HTTP/" to guard against servers which break the HTTP protocol and send invalid data after responses that should have been empty.
- 17/10 2012, KR
  . Version 4.209 released
- 17/10 2012, KR
  . PP-172 Workaround for a bug in a webserver that violates the HTTP protocol by sending content along with an HTTP 204 response code. In this case, the server sent both the 204, a Content-Length header, and a Transfer-Encoding: chunked header, but it also sent a size 0 chunk. This is not allowed for this type of response according to the HTTP 1.1 specification. To avoid problems parsing the next response after this, HTTP keep-alive is no longer used for this type of response, and the socket is closed after reading the response. This is the only way to handle both the case where the server follows the HTTP protocol, and the case where it does not.
  . PP-173 Changed default HTTP keepalive time (http11.maxIdleSeconds) from 60 seconds to 10 seconds.
- 10/10 2012, KR
  . PP-165 Fix for verification of an SSL client certificate with an embedded CRL distribution point but without a CRL; it would give a NullPointerException trying to verify it.
- 28/09 2012, KR
  . PP-163: If the number of concurrent requests exceeded the limit, and the serverBusyErrorPage property was not defined, the dispatcher would throw a NullPointerException attempting to send the error page to the browser. In reality this didn't affect the response, since the client would still get the "502 server busy" HTTP error, but it generated a lot of noise in the logs.
- 17/09 2012, KR
  . PP-161: Added new property to dispatcher: storeUserAgentInSession - if set to true, the dispatcher will look in the session, and if the state variable "httpUserAgent" does not exist, it will create it and set it to the value of the User-Agent HTTP header received from the client. If the User-Agent header exceeds 512 bytes, only the first 512 bytes will be saved.
- 16/09 2012, KR
  . Version 4.208 released
- 16/09 2012, KR
  . PP-159 Fixed bug introduced in v4.207 by PP-156 where redirect URLs were changed to be all lowercase.
  . Also extended PP-155: as a consequence of rewriting the hostname, the domain set on cookies was changed to the newly modified domain - e.g. if rewriting from www.domain1.com to www.domain2.com, the cookie domain was set to domain2.com, so they were not sent back by the browser, which didn't know about the hostname change.
- 13/09 2012, KR
  . Version 4.207 released
- 12/09 2012, KR
PP-155 URLRewrite can now replace hostname when forwarding by setting the url to http://hostname/uri instead of just specifying an URI. . PP-156 Bugfix: Dispatcher modifyRedirectLocation was case-sensitive when matching a location in a redirect response against the hostname, this check is no longer case sensitive. . PP-157 Bugfix: Dispatcher did not parse certificates in HTTP header sent by SSL accelerator if the base64 encoded data contained whitespace, such as when sending multi-line http headers. - 10/09 2012, KR . Version 4.206 released - 10/09 2012, KR . PP-154 Dispatcher had switched spnego.login.conf and spnego.krb5.conf properties - 09/09 2012, KR . Version 4.205 released - 09/09 2012, KR . PP-148 Added new URL verifier which can check for maximum length on URLs and verify that the URL and any parameters are all legally encoded. Added the new configuration options: urlchecker.enabled=true/false urlchecker.urlencoding.verify=true/false urlchecker.url.maxlength=0 (0 = disable check) urlchecker.param.key.maxlength=0 (0 = disable check) urlchecker.param.value.maxlength=0 (0 = disable check) By default, it is enabled and URL encoding is checked on both URI path and query parameters, but length checks are disabled which does not restrict the length of either URI path or query parameters. - 05/09 2012, KR . PP-140 Fix for problem in loadbalanced peer where a rare race condition could occur which would cause the peer to disconnect without notifying its owner if all peers disconnected simultaneously. - 20/08 2012, JN . PP-139 Autentication support for Radius with PAP through a PP service and into an authentication plugin. Supports sending PP session ID into the Access-Accept package (according to section 5.1 in RFC 2865). This can be turned on/off. - 16/08 2012, KR . PP-145: AdminClient did not do macro expansion for the values of server.alias and config.servers system properties. - 11/08 2012, KR . 
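To make the PP-148 checks concrete, here is an added Python illustration (not the dispatcher's own code) of what a URL verifier driven by those five options has to do: reject a path or query parameter whose percent-encoding is incomplete before anything decodes it, and apply the three length limits only when they are nonzero. The property names are taken from the entry above; how they map onto this function, and the sample URLs, are this example's assumptions.

```python
import re
from urllib.parse import urlsplit

# Defaults mirroring the property names in the PP-148 entry; how this function maps
# them onto checks is an assumption of this example, not the dispatcher's own code.
DEFAULT_URLCHECKER = {
    "urlchecker.enabled": True,
    "urlchecker.urlencoding.verify": True,
    "urlchecker.url.maxlength": 0,          # 0 = disable check
    "urlchecker.param.key.maxlength": 0,    # 0 = disable check
    "urlchecker.param.value.maxlength": 0,  # 0 = disable check
}

# A run of RFC 3986 path/query characters where every '%' is a complete %XX escape.
# A bare '%', a '%' followed by non-hex, a space or a control character all fail.
_LEGAL = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")


def legally_encoded(text):
    return _LEGAL.match(text) is not None


def check_url(url, settings=None):
    """Return the list of violations for a request URL (empty list = the request passes)."""
    cfg = {**DEFAULT_URLCHECKER, **(settings or {})}
    if not cfg["urlchecker.enabled"]:
        return []
    violations = []
    max_url = cfg["urlchecker.url.maxlength"]
    if max_url and len(url) > max_url:
        violations.append(f"url length {len(url)} exceeds {max_url}")
    parts = urlsplit(url)
    verify = cfg["urlchecker.urlencoding.verify"]
    if verify and not legally_encoded(parts.path):
        violations.append("path is not legally URL-encoded")
    # Split the query by hand: parse_qs would silently decode or drop a broken escape,
    # and the point of the check is to reject it before any decoding happens.
    max_key = cfg["urlchecker.param.key.maxlength"]
    max_val = cfg["urlchecker.param.value.maxlength"]
    for pair in parts.query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        if verify and not (legally_encoded(key) and legally_encoded(value)):
            violations.append(f"parameter {key!r} is not legally URL-encoded")
        if max_key and len(key) > max_key:
            violations.append(f"parameter key {key!r} exceeds {max_key} characters")
        if max_val and len(value) > max_val:
            violations.append(f"value of parameter {key!r} exceeds {max_val} characters")
    return violations


if __name__ == "__main__":
    # Constructed sample requests: one clean, one with a truncated escape, one with a raw space.
    for sample in ("/app/list?id=42&name=J%C3%B8rgen", "/app/list?q=100%", "/app/a b"):
        print(sample, "->", check_url(sample) or "ok")
```

With the defaults only the encoding check is active, which matches the entry's statement that length checks are off unless set; passing a settings dict with nonzero limits turns the three length checks on individually.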
  . PP-142: URL rewriter code now handles %{HTTP:xxxx}, where xxxx is the name of any HTTP header, in RewriteCond - this allows the rule to match any HTTP header in the request, and not just the presupported ones.
- 09/08 2012, JN
  . PP-139: Add Radius server to PP. First cut Radius server code added to code base. Not yet built and connected to the rest of PP
  . PP-143: Fixed WSSecurity builds to not include source jar files with duplicate files
- 07/08 2012, KR
  . PP-140: Added defensive code in X509 certificate sorting - if the chain was incorrect, e.g. if certificates were missing, the sorting could loop forever. This happened with CA certificates loaded with Sun's JCE provider and the user certificate loaded with BouncyCastle - this caused the sorting of fields in subject/issuer to be different, so they did not equal each other.
  . PP-140: AbstractX509Certificate.verifySSLClientCert() did not work with intermediate certificates - it now behaves like when verifying xmldsig certificates, taking intermediate certificates into account.
- 22/07 2012, JN
  . Fixed build of webservices jar file to include future axis property files
- 18/07 2012, KR
  . Version 4.204 released
- 18/07 2012, KR
  . PP-137: Workaround for MSIE bug with downloading files and Cache-Control header. PP-71 caused the no-cache header to be added to the HTTP response always for the selectedserver cookie, but this should only have been done if the URL matched the configured nocachesetcookieforurls property. The bug is described here: http://support.microsoft.com/kb/323308 and covers both HTTP and HTTPS, MSIE 6, 7 and 8.
  . nocachesetcookieforurls default changed to "^*.pdf|*.crl|*.js"
  . To avoid potential cache issues, the dispatcher now always adds a "Vary: Accept-Encoding" header whenever it gzips the HTTP response.
- 10/07 2012, KR
  . PP-134, Replaced expired NemID applet signing certificate in PP sample configuration with new unexpired version.
  . PP-135, If PP webservices were launched in their own separate classloader, it did not set up the agent name and configservers listed in pp_launch.xml, but required ptserver.properties in the classpath.
- 01/07 2012, KR
  . Version 4.203 released
- 26/06 2012, KR
  . PP-114, In PP admin GUI, for the dispatcher you can now select "Dump embedded Jetty state" - this will dump Jetty's information about its connections, sockets, state etc. and can be used to provide diagnostics information in case of problems.
- 22/06 2012, KR
  . PP-127, PP Installer changed so it allows specification of a service account - the ownership of the installed files is changed to this user on Unix systems, and on Windows the user gets permissions added to the directory. On Windows the installer unfortunately cannot remove permissions, so you will need to remove permissions from any other administrator users if desired.
  . In addition, the default ports the dispatcher listens on have been changed from 80 and 443 to 4080 and 4443 - but when installing you can change the ports within the installer if required.
- 22/06 2012, KR
  . PP-129, DanID attribute service issuername was previously hardcoded to "TDC OCES CA" - this can now be configured by setting ca.provider.xxxx.attr.issuername to the desired value. The default is now "TRUST 2408", which works with both the old and the newest attribute service.
- 15/06 2012, KR
  . PP-116, New feature: JBOSS 7 Application Server Integration. PortalProtect now provides a JBOSS module for security integration directly into the JBOSS application server. See the new document "PortalProtect JBOSS Integration" for details.
- 12/06 2012, KR
  . Version 4.202 released
- 11/06 2012, KR
  . PP-125, HTTP Proxy did not read/use the server alias property, so no alias was shown in the PP config GUI for the proxy, making it impossible to separate multiple JVMs with the same server name from each other in the GUI.
- 08/06 2012, KR
  . PP-122, Tomcat Realm is now able to support basic authentication - it operates along with a valve (see PortalProtect Tomcat Integration for details), which picks the session ID out of the incoming request cookie. Also, the PPPrincipal is slightly changed from what it was before - now it returns the user's userid if logged in, meaning request.getRemoteUser() no longer returns the session ID, but the userid of the authenticated user. For anonymous sessions, request.getRemoteUser() returns null. Because of the valve, the session ID is always available by calling dk.itp.security.sessionctrl.PPSecurityContext.getThreadContext(false).getSessionID(), and of course also as usual in the cookie in the request.
- 07/06 2012, KR
  . PP-118, Added restrictAuthorizationHeaderToUrls - if set, the Authorization: Basic header is only sent to the URLs matching the pattern in the setting, e.g. restrictAuthorizationHeaderToUrls=/secure/*
- 06/06 2012, KR
  . PP-123: Added ldap.protocolVersion, which can be set to 2 or 3 and specifies which version of the LDAP protocol the LDAP authentication and authorization plugins use when connecting to the LDAP server.
  . Added ldap.stripdnfromuser - if true, the userid will not be the full DN, e.g. uid=somebody, ou=asseco, c=dk, but instead just "somebody".
- 05/06 2012, KR
  . PP-118 New feature, the dispatcher is now able to process basic authentication requests. Additionally, it can add an HTTP Basic authorization header to the request containing the userid/password of the authenticated user instead of the default, which is adding sessionid:password to the authorization header in the request. Note that using basic auth with userid/password might conflict with certain security plugins on application servers which expect to receive the session ID in the authorization header. New configuration options added: basicAuthenticationEnabled, basicAuthenticationRealmName, basicAuthenticationPluginType and their alternateserver.xxxx.basicAuthentication* counterparts. These options control how the dispatcher reacts to basic authentication headers received from the browser.
  . PP-118: Added configuration options for sending the authorization header to the application servers, addedAuthorizationHeaderContainsSessionID and alternateserver.xxxx.addedAuthorizationHeaderContainsSessionID. If addedAuthorizationHeaderContainsSessionID is set to false, the authorization header added to requests will not contain PP's session ID, but instead the real authenticated user's userid and password if the user is authenticated. If the session does not contain a password, the password sent in the authorization header will be blank.
  . If basic auth fails, a set of rules can decide how the failures should be handled. The rules follow the same syntax as redirectrule.*, and if a match is found, the client is redirected to the target URL. If the target URL is 401, then instead of redirecting, HTTP status code 401 is returned to the client to signify that authentication did not complete. These rules are set using the basicauthrule.* configuration properties.
  . Added hidePasswordFromDispatcher option to session controller, which defaults to true; if set to false the password within the session is not removed before the session is sent to the dispatcher. This must be set to false for basic auth between dispatcher and application servers to work, or the dispatcher will not have access to the user's password.
  . Added a new section (Basic Authentication) to the PortalProtect Users Guide which explains these new options in detail, and added the configuration parameters to the configuration reference section of the document.
- 04/06 2012, KR
  . PP-117 Maximum size of request allowed in dispatcher was previously hardcoded to 64Mb - it is now configurable. Added maximumRequestSize, which is the maximum request size in bytes, defaulting to 67108864 (64Mb).
- 15/05 2012, KR
  . Version 4.201 released
- 15/05 2012, KR
  . PP-108 Bugfix: PP did not always sort X509 certificates arriving from DanID into the correct order - it depended on which order they were sent in. Since DanID has documented that they do not guarantee the sort order, PP has to do the sorting properly in all cases, as it does now.
  . PP-109 Improvement: add lowresourcesidletime and lowresourcesconnections to the webserver section in pp_launch.xml, see PortalProtect Getting Started.pdf for information - this can be used to lower the timeout of sockets when more than sockets are active at a time in Jetty, to get rid of idle sockets faster.
- 14/05 2012, KR
  . PP-106 Dispatcher fix, an error is no longer logged if the connection is broken by the browser when trying to write the response / flush the zipped response stream.
- 11/05 2012, KR
  . PP-102, PP Distribution can now be downloaded both with bundled JRE 1.7.0_04 or 1.6.0_32. Note that we do not require using PP with the newest Java, but generally recommend it. Currently PortalProtect Agent / UserAdmin Agent supports JDK 1.4 - this support is planned to end 1/1 2013. Note that JDK 1.4 went officially End-Of-Life in 2008, JDK 1.5 in 2009 and Java 6 will do so November 2012, see http://www.oracle.com/technetwork/java/eol-135779.html
- 10/05 2012, JN
  . PP-101 Added compilation support of PortalProtect projects for JDK 1.7, including: DataSource interface changes, more strict UTF-8 checks, package access changes, changes in SPI LoginModule methods, Swing DefaultListCellRenderer changed implementation
- 10/05 2012, KR
  . PP-100 Fixed bug introduced by PP-78 in v4.199: the config server was unable to communicate with older agents; they disconnected every 30 seconds when sending their statistics to the config server.
- 08/05 2012, KR
  . PP-98 Upgraded embedded Jetty to 7.6.3 to fix SSL bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=372457
  . PP-92 New feature, support for Integrated Windows Authentication (SPNEGO) between Dispatcher and backend web server, e.g. Microsoft IIS.
    This allows users to authenticate using any method, e.g. NemID, and then, if their AD userid and password are available in the PortalProtect session, they can be used to authenticate requests against IIS. Additionally, a technical userid/password can be used for anonymous sessions or sessions containing users without an AD userid/password. See PortalProtect Users Guide for details and information about the new configuration options for the dispatcher to enable this functionality.
- 03/05 2012, KR
  . Version 4.200 released
- 03/05 2012, KR/JN
  . Experimental Useradmin web interface is now available - in the default distribution available at http://localhost:4343 and https://localhost:4344 - see "PortalProtect Getting Started" for more information. Note that not all features are implemented yet - e.g. new users can only be created with userid/password using the web interface, but it is usable now.
- 02/05 2012, KR
  . PP-94 All available SSL options can now be configured directly on the webserver entry in pp_launch.xml. Refer to "PortalProtect Getting Started" for the full list. This support means that the launcher no longer supports Jetty 6, and requires Jetty 7.6.1 minimum.
- 30/04 2012, KR
  . PP-91 - PP RemoteAddressRestrictor now caches negative DNS lookups.
- 29/04 2012, KR
  . Sample cloudscape database delivered with PP now binds the UserAdmUsers group to the created ACLs
- 29/04 2012, JN
  . PP-28 Added documentation on experimental release of user administration web app
  . Added db2/z create scripts to user admin database samples
  . Added useradministration database sample configurations
  . Added more user administration documentation
- 28/04 2012, JN
  . PP-90 Useradmin server, client and access API not compiled with debug
  . PP-28 Better error handling (now sent to logserver), session handling now works better when user logs on/off, error page implemented that looks like the rest of the application.
  . PP-28 Fixed favicon for user admin app as well as misc HTML updates
  . PP-28 Added documentation on new useradmin web ACL - updated document to Asseco template
- 27/04 2012, JN
  . PP-28 Added support for logging into useradmin web app with useradmin users and added better ACL support in the application.
- 26/04 2012, KR
  . PP-89 Added Glassfish application server integration - this integration uses the JSR196 specification, so in theory it should be compliant with other servers supporting JSR196. This excludes WebSphere 8, which claims to support JSR196, but in reality requires its own specific extensions and customizations. See the document "PortalProtect Glassfish Integration" for details; the required .jar files can be found in the PP distribution under samples/integration/glassfish
- 24/04 2012, KR
  . PP-88 Documentation for service.window.begin / service.window.end / service.window.url in dispatcher was missing.
- 23/04 2012, KR
  . PP-87 Sessioncontroller FileAuthorizationPlugin authorization plugin did not parse the usergroups.txt file properly. This bug was introduced in v4.195.
- 20/04 2012, KR
  . Version 4.199 released
- 20/04 2012, KR
  . PP-85 To help diagnose sizes, peer statistics have been extended so the read/write blocksize for each command is now available.
  . PP-86 Dispatcher now logs the request ID along with the other information in its access log. This ID is also visible in the "Show last 1000 requests" list in the dispatcher using the admin GUI.
- 19/04 2012, KR
  . PP-85 SessionController now sends 500 sessions at a time between mirrors when synchronizing, instead of sending all sessions not present at the remote in one block. This means that the mirroring takes slightly longer, but it uses less memory when having either many or extremely large sessions. Also, if string interning is enabled then intern() is called one user at a time when reading it from the mirror instead of doing it after reading the whole block. This should all reduce the amount of free memory required when doing session resynch.
- 15/04 2012, KR
  . PP-80 PP Dispatcher now assumes that if the connection to the backend webserver is closed while attempting to read the size of the next chunk, it is probably a broken IIS server which forgot to send a last-chunk of size 0 as required by RFC2616
- 09/04 2012, KR
  . PP-81 - Dispatcher no longer attempts to gzip binary/* and application/* responses
  . PP-82 - Dispatcher now adds the Via: HTTP header to the response by default. Created 3 new configuration entries in the dispatcher: addviaheader=true/false, ppversioninviaheader=true/false and alternateserver.xxxx.addviaheader=true/false, which can override the value specified in addviaheader for specific alternate servers. By default, addviaheader is set to true, and ppversioninviaheader is set to false. This means that PortalProtect now adds the Via: header as required in the HTTP protocol specification, but it can be turned off. Note that PP will reveal the dispatcher name in the Via: header.
- 29/03 2012, JN
  . PP-28: Added first cut ACL support to user admin app (menu control)
  . PP-76: Fixed possibility to have special characters in portalprotect-configuration.xml. Special characters in configuration are now shown correctly in browser views, and browsers can now send special characters in configuration to the new Jetty, which validates input
- 29/03 2012, KR
  . PP-77: Fixed NullPointerException in statistics report generation if image is not found.
  . PP-78: Changed totalValue in statistics from float to double to get better precision when doing billions of small measurements.
  . PP-79 Added -systemclasspath to bootstrapper, mainly for testing use.
- 28/03 2012, JN
  . Fixed build so only projects built in the script can make it fail (WAS6)
  . PP-75: Added new feature warnWhenAccessDenied used in DefaultValidator to turn off WARN logging
- 28/03 2012, KR
  . Issue PP-73: Statistics showed max 2 billion in count field in web interface, now correct value.
- 27/03 2012, KR
  . Issue PP-71: Dispatcher now always adds the Cache-Control: nocache="Set-Cookie" header to the HTTP response whenever it adds one of its own cookies, to ensure no proxy caches the cookie - also for the selectedServer cookie.
  . Issue PP-72: Added dk.itp.security.utils.jdbc.ProxyDataSource, which can be used to proxy a normal datasource and add statistics/SQL surveillance to all executed JDBC statements and methods on the JDBC driver.
- 18/03 2012, KR
  . Version 4.198 released
- 15/03 2012, KR
  . Issue PP-63: Dispatcher now logs the configuration it receives from the config server (debug level) - and the config server now logs at info level when it reads the configuration from the file, and the contents of the file at debug level.
- 14/03 2012, KR
  . Issue PP-67: AdminClient now sets server.alias correctly if specified in ptserver.properties or as a system property.
- 12/03 2012, JN
  . Added PortalProtect_DemoApp as required project for builds
  . Fixed PortalProtect development launcher for Eclipse so it can now run with patched Jetty
- 09/03 2012, KR
  . Issue PP-53: Tomcat Realm and new document "PortalProtect Tomcat Integration.pdf" now included in PP distribution.
- 08/03 2012, KR
  . Issue PP-41: Embedded Jetty webserver upgraded to v7.6.1
- 04/03 2012, KR
  . Version 4.197 released.
- 01/03 2012, KR
  . Issue PP-58: Authentication timeout default was 15 minutes, should have been 0 (disabled).
- 28/02 2012, JN
  . Issue PP-55: Changed dispatcher detail text around "Do not allow new sessions" so it is not misunderstood in read-only mode in the administration console
  . Issue PP-23: Added support for non-serializable exceptions to be "thrown" through the user administration interface.
  . New Feature PP-28: Added support for connecting an ACL directly to a user through the user administration interface
  . New Feature PP-28: Added new Web components supporting organisation listing and ACL handling
  . Issue PP-56: Added .NET agent information in PP whitepaper
- 27/02 2012, KR
  . Issue PP-57: .NET Agent: Added info level logging when connecting to config server to help diagnose configuration problems. Also made all exceptions thrown by PP Agent serializable so they work with .NET remoting.
- 14/02 2012, KR
  . Version 4.196 released.
- 14/02 2012, KR
  . Issue PP-48, "No content received from client" - if a client sends a POST request without a Content-Length header, we now only fail with an error 400 if the client is using HTTP 1.0 - if 1.1, we treat it as if Content-Length was present and set to 0.
  . Issue PP-49: Log warning instead of error if the connection to the browser is broken while we attempt to send a redirect to the browser.
  . Issue PP-50: Fix CPU spin in NIO thread on laptop running PP server after sleep/hibernate. This is caused by a JVM bug.
- 13/02 2012, KR
  . Issue PP-47: Agent can now accept the same obfuscated session ID that the dispatcher generates. This is useful for testing, where you can now hit the agent directly and get it to accept the same session cookie that the dispatcher accepts. Note that the request ID then only contains the session part, and no request ID and no channel information.
  . PP-47: Added portalprotect.cookienames appsetting to .NET Agent. It defaults to "sclSessionID;ppSessionID,sslsessionid,sessionid" and contains a list of cookie names that the session ID cookie can be read from.
- 08/02 2012, KR
  . Version 4.195 released.
- 08/02 2012, KR
  . Issue PP-45: Jetty maximum size for POST requests now configurable through pp_launch.xml by using the parameter maxpostsize=""
- 06/02 2012, KR
  . Issue PP-43: Add protocol and hostname checking to protected URLs validation. If the URL starts with http:// or https://, then the request needs to be unencrypted or encrypted, respectively. If the URL does not start with /, or if it starts with http:// or https://, then it is assumed that the first part before the first / is a hostname. The hostname must then match the pattern specified in the URL to check.
Protocol (http/https) and hostname is still optional - if not specified, the request will match any protocol and host. See default portalprotect-configuration.xml (protectedurl.*) for examples on the use. . Because of the new capabilities, URLs that are checked are no longer sorted by length, but needs to be specified in the correct order - the first pattern found that matches the URL is now used. This means that you will need to check your rules carefully to ensure that the deepest pattern is specified first, and e.g. /* is the last one. - 05/02 2012, KR . Issue PP-42: Add "-debugclasspath" option to launcher, which prints out classpath to stdout when starting services. . Issue PP-40: Multiple calls to UserAdminAgent.login() now ignored if userid/credentials is the same on subsequent calls. This avoids 4 * logins visible in the logs if e.g. 4 authentication plugins all log in to useradmin agent on startup. - 01/02 2012, KR . Issue PP-38: Fixed performance when having serverrules containing patterns with long strings of | combined with * before and after a string. Also fixed performance issues with multiple repeated * in patterns, e.g. "***/servlet/***" will be treated as "*/servlet/*". . Issue PP-39: Default value for nonblockingio was false, should have been true. - 29/01 2012, KR . Version 4.194 released. - 28/01 2012, KR . Issue PP-18 Added "saveSelectedServerInSession" (default=true) to dispatcher - if set to false, information about selected backend application server will not be saved in the session to save a bit of memory. It needs to be set to true to enable the httpsession keepalive feature. If you have individual dispatchers groups where you do not wish to use http session keepalive, you can disable it on those dispatchers by setting saveSelectedServerInSession=false . 
Issue PP-34, Added new property to session controller "authenticationTimeout" which acts similar to sessiontimeout but does not destroy the session but instead keeps it alive and only logs the user out after the timeout. By setting a state variable, "pp_custom_authenticationtimeout" the timeout can be changed for individual sessions. - 27/01 2012, KR . PP-35 fixed graphs not being shown properly in MSIE 9, they were displayed overlapping caused by MSIE misinterpreting the style: "table-layout: fixed; word-break: break-all;" for tables with images within them. - 26/01 2012, KR . PP-30 DotNet Agent version changes - assembly version is now always 1.0.0.0 to avoid updating all web.config files when updating the assembly if located in the GAC. FileVersion instead reflects accurate version. . PP-25 If maxConcurrentSessions wasn't set, the session controller would log a warning every 30 seconds. . PP-31 PortalProtect Launcher service did not redirect stderr/stdout to a file. . PP-33 DotNet Agent now throws better exception (IOException with text "connection closed") if Peer.Send() is called on a closed connection, which happens e.g. if the PP server is configured not to allow connections from the client IP address the agent is calling from. . PP-22 Demonstration authentication plugins X509CertificatePlugin and SSLCertificatePlugin now implements modifyState so changes to the state that should be persisted to the useradmin database are indeed persisted. - 25/01 2012, KR . Issue PP-18: Added new feature to PP dispatcher and session controller; HTTP Session keepalive pinging. If enabled, the dispatchers will periodically ping the application servers on behalf of a user to keep the HTTP session alive on all servers while the user is still active even if just on a single server. See the new section "HTTP Session keepalive ping" in the users guide for details. . 
Added httpSessionKeepAlivePingInterval to session controller, set to 0 to disable, otherwise it is the number of seconds between pinging active servers for identified users. It should be set relatively high, e.g. to 600 seconds to avoid flooding the appservers with requests too often. Note that this feature requires the cookiesToHideFromBrowser to be set to catch session cookies from the application servers, otherwise it will not have the cookies needed to keep the http sessions on the backend servers alive. . Added "dispatchergroup" property - each group of dispatchers which knows a different end of backend servers should have their own unique value for this property. It is used for the HTTP session keepalive feature where the session controllers controlling when the ping occurs need to know which dispatchers belong to the same group so they can be expected to be able to ping the same servers. - 18/01 2012, KRl . Issue PP-18: Added new method to PP Agent interface: public NotificationReply sendNotificationWithReply(String serverNamePattern, String serverTypePattern, String notificationName, Serializable notificationObject) throws IOException; This new method can be used to notify other servers, but instead of doing it asynchronously the call is synchronous and the servers can return a reply. The NotificationReply object then contains replies for each server called. - 16/01 2012, JN . PP-23, UserAdminException could contain references to foreign exceptions, e.g. DB2SQLConnection which the client had to have in its classpath to deserialize the exception. - 12/01 2012, KR . Version 4.193 released. - 11/01 2012, KR . Bug PP-19, JDK xmldsig verification fails with xmldsig from old openoces applet, since it is not valid (it lacks target=xx in SignatureProperty). Now we attempt using the JVM buildin xmldsig verifier and reverts back to doing it manually if the xmldsig lacks a target attribute. - 09/01 2012, KR . 
Changed the "show last 1000 urls" option on the dispatcher, also changed the accesslog generated by the dispatcher. The list now also includes hostname, list of saved cookies added to the request and a seperate field for the selected server instead of having it as part of the URL. . When maxConcurrentSessions is reached, and not enough sessions can be freed, the algorithm now starts by lowering the timeout of anonymous sessions to free them down to a minimum of 5 minutes - if not enough sessions are released, it does the same again, but this time ignores the custom timeout specified in the state variable pp_custom_timeout for the anonymous sessions, and down to a minimum of 10 minutes. After this, it attempts the same again with identified sessions first respecting the pp_custom_timeout and then ignoring it to find enough sessions to time out. When looking at sessions with a custom timeout defined, it starts by doubling the configured default timeout to see if that will be enough to remove sessions and then lowers the timeout by 5 minutes until a minimum of 15 minutes is reached. - 08/01 2012, KR . Version 4.192 released. - 08/01 2012, KR . Modified dk.itp.security.authentication.x509useradm.X509CertificatePlugin and SSLCertificatePlugin to add support for creating a new user in the database with a CPR number - if present, the CPR is verified using CPR/PID verification CPR number prompt added to user creation form in demoapp when user is attempting to login using certificate. - 07/01 2012, KR . Added new option to intern all ACL strings within a session - if thousands of ACLs exist on a session it will require a lot of memory, but by intern'ing the strings, all references will end up pointing to the same string instance. The drawback is that intern'ed strings cannot be garbage collected. To enable it, set internAclStrings=true on the session controller. - 06/01 2012, KR . 
Launcher configuration webserver now has the option "nonblockingio" defaulting to true which can be used to select between blocking and nonblocking IO for jettys selector implementation. . When dispatcher rejects a connection with 503, it is now visible in the statistics. . Added jvmstartdelay to pp_launch.xml which can be used to place a delay between each client JVM process that is started by the launcher. . ItpByteArrayOutputStream which is the buffer used for writing commands to other servers will now attempt to grow less eagerly when multiple megabytes of memory is needed to keep memory requirements low. . Added log4jna sample configuration and documentation to "PortalProtect Getting Started" to describe how to do Windows Event Logging using the log4j JNA (Java Native Access) appender. - 05/01 2012, KR . In the dispatcher, when a server exceeds the limit on available concurrent connections the request is rejected with HTTP response code "503 Server Busy" - this was not visible in the "show last 1000 requests" log previously but has been added now. - 04/01 2012, KR . Change caching of protected URLs in the DefaultValidator in the agent, so cached URLs are timed out per alternate server and not sharing a single timeout. . Fixed HTML in admin GUI, Manage Configuration so tables with long configuration values wrap properly instead of forcing huge horizontal scrollable tables. Every other row is now shaded slightly to make long lists of configuration values more readable. - 03/01 2012, KR . Version 4.191 released. - 03/01 2012, KR . XMLParser now recognizes Byte Order Mark (BOM) properly in XML config files. BOM is added to some xml files when modifying them using .net programs. - 02/01 2012, KR . Version 4.190 released. - 02/01 2012, KR . If PageManager (PP Admin GUI) catches a Jetty EoFException, it now logs it as debug instead of info, since it is a result of the browser closing the connection before the entire response is received. . 
. Added dk.itp.security.passticket.server.ConfigBasedAuthorizationPlugin - it reads protected URLs and ACLs from the PortalProtect configuration instead of from a file. To use it, add configuration entries for protected URLs and ACLs that look like this:
protectedurl.1=/*;group1;group2;group3
protectedurl.2=[alternateservername]/*;group1;group3
acl.1=sample.acl.name;read=group1,group2;write=group3,group4
. Added dk.itp.security.passticket.server.Log4jRevisionLog class which, instead of writing the revision log to a file, logs it using log4j to whatever appender is configured with the logger name "revisionlog". Sample configuration added to classes/log4j.properties which configures the appender. Note that this configuration does not have any limit on the number of files kept, so they need to be archived regularly.
. Changed the bootstrapper/launcher - when running as a service that starts client JVM processes, it will now shut down each process and wait until it has stopped before exiting itself - this is to ensure that all client JVMs are indeed stopped when the launcher itself stops. Previously, restarting the Windows service could cause the launcher to start again before the previous instance's child JVMs were fully shut down, thus causing TCP/IP port conflicts.
- 28/12 2011, KR
. UserAdmin Client is now back to working with JDK 1.4. Support for JDK 1.4 in general for the PP Agent will expire 1/1 2013, after which we will no longer support JDK 1.4. The UserAdmin Server still requires JDK 1.5 or newer.
- 23/12 2011, KR
. Workaround for a DB2 bug in the .NET Agent - it no longer uses PerformanceCounter to query available memory, since it crashes the process in DB2PERF.DLL when DB2 v8 Connect is installed on the same machine.
. Switched to JDK 1.6.0_30 in the PP distribution, since it fixes an annoying SSL bug and provides quite a few stability fixes.
- 19/12 2011, KR
. Version 4.189 released.
- 19/12 2011, KR
. Fixed bug in URLRewrite - a RewriteCond regexp prefixed with a ! sign did not work.
. If multiple modules concurrently tried to cache the same configuration, one would occasionally get a FileNotFoundException because another was busy writing the file to disk. This was logged as a warning; it is now logged at debug.
. Warning CFGSRVR00036, logged when the configuration history file did not exist, is now changed to info.
. Fixed IndexOutOfBoundsException in StringMatcher if the pattern being matched was too short for the input and did not contain any wildcards.
- 18/12 2011, KR
. Version 4.188 released.
- 18/12 2011, KR
. Added new options for configuring the Jetty SSL connector using the launcher .xml file. The following attributes can now be set on the tag: maxidletime, allowrenegotiate, excludeciphersuites, includeciphersuites, handshaketimeout, securerandomalgorithm, sslkeymanagerfactoryalgorithm, ssltrustmanagerfactoryalgorithm, trustpassword, truststore, truststoretype, wantclientauth, needclientauth. Previously, all this could only be configured by including a Jetty .xml configuration file; now you can set it up directly in the launcher.
- 16/12 2011, KR
. Added dk.itp.security.utils.ConvertKeystore - a small utility which can read a keystore file in one format and write it in another, e.g. convert between PKCS12 and JKS keystores, or clean up a PKCS12 keystore by making sure the alias does not contain trailing whitespace characters, which give Jetty problems.
. Jetty SSL certificate didn't work with PKCS12 certificates.
- 15/12 2011, KR
. pingrule, forwardrule and serverrule.* matching in the dispatcher extended with support for "scheme" - which can be used to match requests that are either "http" or "https" - meaning you can now direct requests to different alternate servers depending on whether they were secured or not.
When matching http/https, the hardware SSL accelerator settings are taken into account, so if the hardware SSL config indicates the request is secure, we match against "https", and "http" if not - no matter how the request between the hardware SSL accelerator and the dispatcher is secured.
- 14/12 2011, KR
. Version 4.187 released.
- 14/12 2011, KR
. PortalProtect .NET Agent extended to support a "Dummy" implementation of the agent - which enables it to behave similarly to the real agent in setups without an available PortalProtect Server, e.g. for testing or development.
. The .NET Agent is no longer considered experimental, but is now fully supported.
- 07/12 2011, KR
. Added URLRewrite support - it can be specified in the configuration for the dispatcher in urlrewrite.* properties; the syntax is similar to the Apache mod_rewrite module. See the PortalProtect Users Guide for details and examples.
. The dispatcher can now close access to a server for all requests, or just for new sessions, from the PP admin GUI. The Administration API and command-line admin client are updated to support this. This means that the command-line administration client now requires an extra flag when changing the web server status, to specify whether the servers should be marked unavailable for new sessions.
- 30/11 2011, KR
. Changed the way the dispatcher modifies redirect Location headers slightly - now, if modifyRedirectLocation or modifyHostHeader is set, PP looks at the host header sent back from the server - if it matches the hostname:port defined in the targets for the server, it is changed to what PP got in the Host header. This e.g. modifies http://127.0.0.1/abc to http://servername/abc, assuming targets contained 127.0.0.1:80 and the incoming Host header contained servername. The same is now done for https too.
- 28/11 2011, KR
. DefaultValidator (which caches protected URLs) now invalidates the cache when the configuration changes, so it forces a reload of the cache at first use after a configuration change.
. Checks for protected URLs in the Dispatcher only worked for URLs that were not case sensitive, or if they were all lowercase.
. The Java DefaultValidator only cached protected URLs for a single identifier, and not for each identifier. The .NET agent validator cached them correctly.
. Now uses StringMatcher to match URLs in DefaultValidator's isURLAllowed() method - previously, URLs had to end with * to match patterns; now e.g. /abc/*.jsp is allowed.
. StringMatcher.match incorrectly did not match the pattern "a*|b" against the input "abc", whereas the pattern "b|a*" worked, so it failed to match a * placed just before the pipe sign.
. Added http11.ssl.verifysslcert (defaults to true) - set it to false to disable verification of the SSL server certificate in the dispatcher - can be used if the application server uses an invalid SSL certificate that for some reason cannot be changed.
. Starting with this release, the useradmin client and useradmin server require at least JDK 1.5 - JDK 1.4 is no longer supported by these components.
- 25/11 2011, JN
. Added JavaDB support for user admin and revision log databases
- 24/11 2011, KR
. FileAuthorization plugin modified to support reading protected URLs from multiple identifiers. If a URL starts with [xxx] then the identifier xxx is used, e.g. [xxx]/* means the URL /* for the identifier xxx. The dispatcher then uses the name of the alternate server as identifier when looking up protected URLs, so they can be defined differently for each alternate server while still allowing all the URLs to be listed in protectedurls.txt
- 23/11 2011, KR
. Replaced the old homegrown xmldsig signature verifier with the one built into JDK 1.6, which is available in 1.5 via Apache xmlsec.
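To make the protected-URL format of ConfigBasedAuthorizationPlugin (protectedurl.N / acl.N entries) and the [identifier] prefix and StringMatcher wildcard semantics concrete, here is a stand-alone parser and matcher. It is an added example, not PortalProtect code: the default identifier name, the "every matching rule must be satisfied" policy and the group names in the sample are assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the protectedurl.N / acl.N format described in the
# changelog; "intranet" stands for an alternate server name and the group
# names are made up.
SAMPLE_CONFIG = """
protectedurl.1=/*;group1;group2;group3
protectedurl.2=[intranet]/*;group1;group3
protectedurl.3=[intranet]/admin/*.jsp;group3
acl.1=sample.acl.name;read=group1,group2;write=group3,group4
"""

# Assumption: entries without a [xxx] prefix belong to this default identifier.
DEFAULT_IDENTIFIER = ""

Rules = Dict[str, List[Tuple[str, Set[str]]]]
Acls = Dict[str, Dict[str, Set[str]]]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a StringMatcher-style pattern: '|' separates alternatives and
    '*' matches any run of characters (including none); everything else is
    literal.  Matching is case-sensitive and must cover the whole URL, so the
    '*' just before a '|' in "a*|b" works like any other wildcard."""
    alternatives = [
        ".*".join(re.escape(piece) for piece in alt.split("*"))
        for alt in pattern.split("|")
    ]
    return re.compile("(?:" + "|".join(alternatives) + ")")


def url_matches(pattern: str, url: str) -> bool:
    return pattern_to_regex(pattern).fullmatch(url) is not None


def parse_config(text: str) -> Tuple[Rules, Acls]:
    """Parse protectedurl.N and acl.N lines.  A URL of the form [xxx]/path is
    filed under identifier xxx; the fields after the URL are the allowed
    groups.  An acl line maps a right (read, write, ...) to its groups."""
    protected: Rules = {}
    acls: Acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = value.split(";")
        if key.startswith("protectedurl."):
            identifier, url = DEFAULT_IDENTIFIER, fields[0]
            if url.startswith("[") and "]" in url:
                end = url.index("]")
                identifier, url = url[1:end], url[end + 1:]
            protected.setdefault(identifier, []).append((url, set(fields[1:])))
        elif key.startswith("acl."):
            rights: Dict[str, Set[str]] = {}
            for field in fields[1:]:
                right, groups = field.split("=", 1)
                rights[right] = set(groups.split(","))
            acls[fields[0]] = rights
    return protected, acls


def is_url_allowed(protected: Rules, identifier: str, url: str,
                   user_groups: Set[str]) -> bool:
    """Assumption: every pattern that matches the URL under this identifier
    must be satisfied (user is in at least one of its groups); a URL that no
    pattern matches is not protected and is therefore allowed."""
    for pattern, groups in protected.get(identifier, []):
        if url_matches(pattern, url) and not (groups & user_groups):
            return False
    return True


def acl_permits(acls: Acls, acl_name: str, right: str,
                user_groups: Set[str]) -> bool:
    """True if the user holds at least one group granted `right` on the ACL."""
    return bool(acls.get(acl_name, {}).get(right, set()) & user_groups)
```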
This is changed since we no longer need to support JDK 1.4, and we can now rely on the standard Sun / Apache implementation instead.
- 23/11 2011, JN
. Added WSAudit log to SQLServer
. Added WSAudit log to Oracle
. Updated SQL test-data insert data for useradmin to match the new data model
. Added SQLServer support to user admin and revision log databases
- 22/11 2011, KR
. Changed the installer, so you now get the option of adding the PP server and dispatcher individually as single-JVM services, or running the launcher service which starts all the services defined in the pp_launch.xml file in individual JVM processes.
. Added PortalProtect_DotNet_Agent_Documentation.chm help file, and PortalProtect DotNet Agent.pdf to the documentation directory.
. No longer uses a namespace on the issuer, subjectSerialNumber and attributeId tags in SOAP sent to the DanID attribute lookup service, to be compatible with the new service URL for DanID Preprod.
. The dispatcher did not add an entry to the URL list if it got a request with a request method that was not allowed.
- 20/11 2011, KR
. Fixed serialVersionUID in dk.itp.statistics.StatisticsData, which caused statistics in v4.186 to be incompatible with version 4.185 and earlier.
- 09/11 2011, KR
. Version 4.186 released.
- 09/11 2011, KR
. Added experimental PortalProtect .NET Agent to the distribution; it can be found in the samples/integration/dotnet directory along with a small test IIS wwwroot site which has a web.config that shows the configuration. Note that the documentation on how to use it is still not ready, and it still lacks final stability and stress testing before it can be used for production.
- 08/11 2011, KR
. Fixed various HTML bugs in the PP Admin GUI that occurred with MSIE 9. Fixed bug in the admin GUI that caused Firefox and MSIE (it worked in Chrome) to open new frames when changing the collected statistics interval.
. Added http.proxyUser and http.proxyPassword to the CA provider configuration; if set, basic authentication (via the Proxy-Authorization HTTP header) is used towards the proxy server. This is used for PID lookup, CRL list fetch, OCSP checks, and DanID Attribute service lookup.
- 07/11 2011, KR
. Added .NET support for log4net configuration
. Added .NET support for receiving and processing statistics from a .NET Agent
. Added .NET support for the CreateUserCredentials class used by sample authentication plugins.
. Added fix for a NullPointerException which could occur in the useradmin agent reconnecter if no connection could be obtained to the server.
- 28/10 2011, KR
. Added "discardCookies" to the dispatcher; it can be used to tell it to discard any cookies with one of the names specified. Also added alternateserver.xxxx.discardCookies which can override the specified list for individual alternate servers.
- 26/10 2011, KR
. Version 4.185 released.
- 26/10 2011, KR
. Http SSL Socket implementation changed to provide fake aliases to the SSL implementation when loading keys directly from keystores using aliases. This was required to get the Luna box working properly with Sun's SSL client cert engine.
. Added .NET support to the remaining agent command classes so they can now be serialized to a .NET agent.
. IP address checking can now be disabled in the SCL SSL server.
- 25/10 2011, KR
. The launcher now waits 30 seconds for a reconnect of the client JVM before restarting it if the connection to it fails. This is done to avoid problems with software firewalls that might kill the socket connection even on the loopback interface.
. If a launched JVM loses the connection (after more than 2 minutes from the time of connect, to guard against startup failures) it will reconnect to the launcher server. If the reconnect does not succeed, the client JVM will exit and will be restarted by the launcher.
. Added hostname verification to ensure the correct SSL server certificate is used for the OCSP requester, CRL checker, PIDCPR lookup, and DanID Attribute Service lookup.
. Added property ca.provider.xxxx.verifyhostname which can be set to true or false - if set to false, hostname verification is disabled. The default is true.
. Changed the sample SMS authentication plugin so that you can specify via configuration (sms.numbersonly and sms.otplength) whether the generated OTP should contain numbers and letters or just numbers, and also set the length of the generated code.
- 19/10 2011, JN
. Added useradmin support for MySQL databases - both the GA download version (5.1+) and Amazon RDS
- 06/10 2011, KR
. Version 4.184 released.
- 05/10 2011, KR
. Added dk.itp.security.utils.JCEUtils class with a method for obtaining detailed info about all installed JCE providers and their algorithms.
. Added new property to the Safenet Luna support class - "luna.provideroffset" which defaults to 2. It is the offset at which the JCE providers are installed. The offset is 1-based, and should usually be 2. Set it to -1 to add the Luna JCE providers at the end of the provider chain like previous versions did.
. Once the Luna JCE providers are installed, the current list of all JCE providers and all their supported algorithms is logged.
. Added the option to specify private key alias and public certificate alias when loading SSL client keys from keystores. This can be used to get PIDCPR lookup working with Luna keystores - specify the parameters "ca.provider.xxxx.clientcert.keystore.privatekeyalias" and "ca.provider.xxxx.clientcert.keystore.certificatealias", where xxxx should be replaced by the installed CA provider name. If no alias is specified, it will behave like before, and the JDK's default SSLContext implementation will choose a certificate and private key to use.
- 27/09 2011, KR
. PortalProtect Admin GUI got a facelift.
If you build your own webapp with the PP server, you need to update the file main.css which can be found in the distribution at ppserver/webapp/css/main.css. If you do not update this file, the admin GUI will look weird. You should also copy ppserver/webapp/img/assecobackground.png to your /img directory.
. The new layout allows more services and their status to be visible in the service list, and it is also visually more appealing. In addition, many of the styles can be adjusted using the main.css stylesheet - not everything is there yet though.
- 26/09 2011, KR
. Added .NET support to BroadcastCommand
. Properties shown in the GUI are now sorted (e.g. the properties shown in the status-->properties view).
- 22/09 2011, KR
. Version 4.183 released.
- 22/09 2011, KR
. SpnegoAuthenticator.authenticate() method changed from package-private to public so it can be reused by other authentication plugins.
- 17/09 2011, KR
. Fixed installer codesign certificate so it includes the certificate chain, making Windows validate the generated .exe files properly
- 16/09 2011, KR
. Version 4.182 released.
- 15/09 2011, KR
. Fixed NullPointerException in CA.java if the appletparameter keystore password was not configured for the Luna JCE provider.
. Added new method to the WSSAgent API to validate an XML signature and check if the certificate was valid at a given date, or bypass the check entirely:
X509Certificate[] validateXMLSignature(String sessionID, String xml, Date timestamp, boolean checkValidity)
If the timestamp parameter is given, it will check if the certificate was valid and not revoked at the specified time. If checkValidity is false, only the signature itself will be checked, and any certificate can be used to sign the data.
- 14/09 2011, KR
. Added more debug logging in SpnegoAuthenticationPlugin. SpnegoAuthenticator is now public so it can be reused by other plugins.
- 24/08 2011, KR
. Version 4.181 released.
- 24/08 2011, KR
. Added extra code to the dispatcher to compensate for WebLogic weirdness. If the HTTP reply from the app server contained a message body on a 304, 204 or 100-199 response, the dispatcher would send it on, although the HTTP specification dictates that these response codes must not contain a message body. Now, the dispatcher specifically checks these responses and ignores any content that might be present, ensuring that it is never sent back to the requesting client. Not doing so, when running WebLogic 10.3, results in an Apache in front of WebLogic hanging and waiting for content that never arrives, since WebLogic apparently allows the content header to be sent but eats the response body itself. The Apache server then reads the response header and hangs waiting for response content that never arrives.
- 11/08 2011, KR
. The OCSP (Online Certificate Status Protocol) checker now logs which certificate is sent back in case it is invalid, e.g. expired, to help diagnose when DanID sends invalid OCSP responses.
- 10/08 2011, KR
. Version 4.180 released.
- 10/08 2011, KR
. Created a generic service launcher as part of the installer, pplauncher_service, which takes all its arguments as Java system properties instead of just command-line arguments. The arguments can be modified by changing pplauncher_service.vmoptions. To install it as a service, run "pplauncher_service /install [service name]" - it also takes the options /uninstall /start /stop /status - each can optionally specify a service name. To have more than one service, copy the .exe and .vmoptions files to some other names, e.g. myservice.exe and myservice.vmoptions, and modify the .vmoptions file for each service.
- 10/08 2011, KR
. Fixed bug in HTTP Proxy: if "noproxyfor" was changed at runtime, it did not take effect until the proxy was disabled and re-enabled or the proxy was restarted.
. If an HTTP proxy plugin set the flag to disable use of a forwarding proxy, the non-proxy version of the HTTP client did not work.
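The body-less status handling described in the 24/08 2011 entry, as an added example that is not dispatcher code: a relay-side check that drops any body (and the body-framing headers that would make the next hop wait for it) on 1xx, 204 and 304 responses, and, going one step beyond the entry, also drops the body of any response to a HEAD request. The sample response is constructed.

```python
# Headers that describe a message body; a body-less status must not carry
# them, or the next hop (the Apache in front of WebLogic in the changelog)
# keeps waiting for bytes that never arrive.
_BODY_FRAMING = {b"content-length", b"transfer-encoding"}


def status_forbids_body(status: int) -> bool:
    """1xx, 204 and 304 responses never carry a message body (RFC 7230 3.3)."""
    return 100 <= status < 200 or status in (204, 304)


def sanitize_upstream_response(raw: bytes, request_method: str = "GET") -> bytes:
    """Return the bytes to relay to the client.

    For body-less statuses the body and the body-framing headers are dropped
    so the relayed message is self-consistent.  For a HEAD request the body is
    dropped but the headers stay, since Content-Length on a HEAD response
    legitimately describes what a GET would return.  Everything else is
    relayed untouched."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    status_line = lines[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("invalid status line: %r" % status_line)
    status = int(parts[1])
    if status_forbids_body(status):
        kept = [h for h in lines[1:]
                if h.split(b":", 1)[0].strip().lower() not in _BODY_FRAMING]
        return b"\r\n".join([status_line] + kept) + b"\r\n\r\n"
    if request_method.upper() == "HEAD":
        return head + b"\r\n\r\n"
    return raw


# Constructed sample of the behaviour the changelog describes: a 304 that
# announces (and here even delivers) a body it must not have.
SAMPLE_304 = (b"HTTP/1.1 304 Not Modified\r\n"
              b"Content-Length: 5\r\n"
              b"ETag: \"abc\"\r\n"
              b"\r\n"
              b"hello")

if __name__ == "__main__":
    print(sanitize_upstream_response(SAMPLE_304))
```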
. Added additional checks of the agent cluster configuration and logging to help diagnose misconfigured setups.
- 07/07 2011, KR
. Added new Authentication Provider to handle NemID Single Sign-on from Bank to Service Provider - this SSO requires that the user is logged into the bank, and allows the bank to use a special NemID applet to get DanID to issue a SAML token containing the user's CPR number in a SAML ticket sent to a service provider. Note that DanID has very tight restrictions on who is allowed to use this and for what purposes, so you will need permission from them to use it in production, as well as cooperation with your bank. The new authentication plugin is named "dk.itp.portalprotect.saml.NemIDSamlSSOAuthPlugin" and source code is available upon request.
. The demo application now has support for logging the user in using single sign-on with DanID's test bank.
- 26/06 2011, KR
. Version 4.179 released.
- 25/06 2011, KR
. Added bypassForwardingProxy flag to the HTTP proxy plugin ModifyRequestResponse - this flag can be set by a plugin to disable use of any forwarding proxy. It defaults to false, but if set to true the proxy configuration will not be used for this particular request.
. Added "noproxyfor" configuration entry for the HTTP Proxy - it can contain a list of hostnames or IP addresses for which the forwarding proxy will not be used.
- 25/06 2011, JN
. Fixed "NaN" value in statistics SYLK export when timed functions had no counts (statistics cleared or rolled out)
- 24/06 2011, KR
. Added support for resolving ${systemproperty} in the launcher xml file - this can be used in the following attributes within the launcher definition: configservers, vmargs, systemclasspath, extraclasspath, property-->value and all attributes on the webserver definition.
- 22/06 2011, KR
. Added support for specifying the "extraclasspath" attribute on a classloader in the launcher configuration file.
Any .jar files within are added to the classpath for this particular classloader, and any directories are scanned for additional .jar files which are recursively added too. The specified directory itself will also be added. If the -sharedclassloader option is specified, the single shared classloader will contain the extraclasspath entries defined on all classloaders in the JVM.
. Updated PortalProtect Getting Started to describe the above.
. Added extlib_additional which contains subdirectories for JSP and Wicket files. This directory is not included in the classpath by default, but has to be added to a classloader's classpath specifically, e.g. using the "extraclasspath" attribute in the launcher .xml file.
- 11/06 2011, JN
. Removed code warnings and added javadoc documentation to missing classes
. Added logging of system properties during agent startup so the log will reflect the settings at server startup
. Fixed support for statistics export to be a proper ".csv" filename instead of just "console" in IE9 and Chrome browsers
. Changed default configuration to support 2 minimum threads for the launched useradmin server
- 08/06 2011, KR
. DanID Attribute service lookup did not work for subjects with intermediate certificates. Now, the entire certificate chain is stored in the Subject class, and the proper root certificate is used to find the correct attribute service.
- 07/06 2011, KR
. Modified the launcher xml file, added support for bindaddress, contextpath and virtualhosts.
. The WebServer section in the launcher xml file is now reused if bindaddress, httpport and sslport match another server already specified for the same classloader.
. Updated "PortalProtect Getting Started" with the above changes.
. Added dk.itp.managed.service.GenericWarLauncher which can be used to launch a generic webapp within the embedded Jetty server. Note that contextpath, bindingaddress, virtualhosts etc. can all be defined on the webserver xml definition.
. Added extraclasspath to the webserver xml definition in the launcher xml; it can be used to add additional files to the webapp classpath for just this particular webapp. Note that classes are added to the webapp classpath and not the Jetty classpath, so e.g. Jetty's JSP support .jar files cannot be added here.
- 25/05 2011, KR
. Version 4.178 released.
- 25/05 2011, KR
. Added generateWeblogicPluginHeaders and alternateserver.xxxx.generateWeblogicPluginHeaders - if set to true, the dispatcher will emulate the WebLogic HTTP server plugin, and create the HTTP headers "WL-Proxy-Client-IP" and "WL-Proxy-SSL" and put the appropriate values into them. Additionally, it will ignore the values of these headers if found in the request from the browser, regardless of the setting, thus ensuring that the headers are only present in the request towards the backend servers if the dispatcher is configured to add them itself.
- 23/05 2011, KR
. Version 4.177 released.
- 23/05 2011, KR
. Added alternateserver.xxxx.customHttpHeaders and changed the behaviour of customHttpHeaders so that if the header value starts with two underscores it is taken literally, and the HTTP header is then added to the request with the provided value (without the two leading underscore characters).
. By using alternateserver.xxxx.customHttpHeaders, the headers can now be modified for each alternate server instead of setting them for all servers.
- 16/05 2011, KR
. Version 4.176 released.
- 16/05 2011, KR
. Luna reconnect code now calls Logoff after Finalize/Initialize, since logon without logging off apparently fails.
. Added extra logging in the statistics server if the statistics directory does not exist (now logs the directory).
- 03/05 2011, KR
. Version 4.175 released.
- 03/05 2011, KR
. If the Luna password, slotid or usertype changes at runtime, the connection to the box will now be shut down and re-established with the new settings immediately upon receiving the new configuration.
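The header handling from the 25/05 and 23/05 2011 entries, as an added example rather than dispatcher code: client-supplied WL-Proxy-Client-IP / WL-Proxy-SSL values are always discarded, the dispatcher's own values are added only when generation is enabled, and customHttpHeaders values starting with two underscores are literal. The "true"/"false" encoding of WL-Proxy-SSL, the `resolve` callback for non-literal custom header values, and the sample request are assumptions.

```python
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# Headers the WebLogic plugin protocol trusts; a browser must never be able
# to set them, whether or not the dispatcher generates them itself.
WEBLOGIC_PLUGIN_HEADERS = ("WL-Proxy-Client-IP", "WL-Proxy-SSL")


def strip_headers(headers: List[Header], names: Iterable[str]) -> List[Header]:
    """Remove every occurrence of the named headers, case-insensitively."""
    blocked = {n.lower() for n in names}
    return [(k, v) for k, v in headers if k.lower() not in blocked]


def expand_custom_header(value: str,
                         resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """customHttpHeaders rule: a value starting with "__" is literal and the
    prefix is removed.  Assumption: any other value names something to look
    up via `resolve`, which returns None to omit the header."""
    if value.startswith("__"):
        return value[2:]
    return resolve(value)


def build_backend_headers(client_headers: List[Header], client_ip: str,
                          is_ssl: bool, generate_weblogic_plugin_headers: bool,
                          custom_headers: Dict[str, str],
                          resolve: Callable[[str], Optional[str]]) -> List[Header]:
    """Headers to send to the backend for one request."""
    # 1. Discard spoofable plugin headers regardless of configuration.
    out = strip_headers(client_headers, WEBLOGIC_PLUGIN_HEADERS)
    # 2. Add the dispatcher's own values only when configured to do so.
    if generate_weblogic_plugin_headers:
        out.append(("WL-Proxy-Client-IP", client_ip))
        out.append(("WL-Proxy-SSL", "true" if is_ssl else "false"))
    # 3. Custom headers; assumption: a configured header replaces any
    #    client-supplied header of the same name.
    for name, value in custom_headers.items():
        expanded = expand_custom_header(value, resolve)
        if expanded is not None:
            out = strip_headers(out, [name])
            out.append((name, expanded))
    return out


# Constructed sample request: the browser tries to smuggle plugin headers.
SAMPLE_CLIENT_HEADERS: List[Header] = [
    ("Host", "app.example"),
    ("wl-proxy-client-ip", "10.0.0.1"),
    ("WL-Proxy-SSL", "true"),
]
# Constructed stand-in for session state consulted for non-literal values.
SAMPLE_STATE = {"username": "alice"}

if __name__ == "__main__":
    print(build_backend_headers(SAMPLE_CLIENT_HEADERS, "203.0.113.5", False,
                                True, {"X-Tenant": "__acme", "X-User": "username"},
                                SAMPLE_STATE.get))
```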
. Fixed NemID signing in the demo app; the JavaScript method was called onSignOK, but should have been onSignOk
. NemID AppletGenerator generated the applet tag with mayscript=mayscript; it should have been mayscript=true
. useradm sample X509CertificatePlugin now allows digital signatures even if no user is logged in.
- 02/05 2011, KR
. PortalProtectDemoApp changed to include a sample of NemID login/signing based on DanID's suggested layout.
. Generation and verification of the challenge to avoid replay attacks is now part of the demo app (it was previously hardcoded for the demo).
. Dispatcher fix: extra checks for HTTP 1.1 sockets being closed, to avoid attempted reuse of closed sockets.
. LunaSupport class now logs which slot ID it is logging in with.
. Build fixes: resources needed for PDF report generation for the default examples were not included in built .jar files.
. Fixed startdemo.cmd and .sh samples to support the updated Jetty version.
- 27/04 2011, KR
. Version 4.174 released.
- 20/04 2011, KR
. Added IP range checking to the dispatcher. Added the new configuration properties ipranges, ipranges.xxxx.rangefile, ipranges.xxxx.zzz, allowipswitchwithinranges and alternateserver.xxxx.allowipswitchwithinranges. If ranges are configured and allowipswitchwithinranges=true, the user is allowed to switch IP address to a new one within one of the specified ranges if both the new and old one are in the same range. The new state variable within a session, "clientipaddresslist", will contain the list of IP addresses the user has previously been using within the session (except for the address embedded within the session ID itself). See the Users Guide for more information.
- 19/04 2011, KR
. Patched Jetty bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=298502 - which prevented SSL tunneling from within the HTTP Proxy server from working.
. Modified the sample SMS plugin to not store the database user object in the PP session, since it could cause problems if agents did not have that object in their classpath.
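The session IP-switch rule from the 20/04 2011 entry as an added, stand-alone model (not dispatcher code): a switch is accepted only when allowipswitchwithinranges is on and the current and new addresses fall in the same named range, and accepted switches are recorded in clientipaddresslist. The range file format is not described in the changelog, so the ranges here are assumed to be CIDR lists; the addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Assumption: each named range is a list of CIDR networks.  The real
# ipranges.xxxx.rangefile format is not described in the changelog.
Ranges = Dict[str, List[ipaddress._BaseNetwork]]


def parse_ranges(config: Dict[str, List[str]]) -> Ranges:
    return {name: [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for name, cidrs in config.items()}


def range_containing(ranges: Ranges, ip: str) -> Optional[str]:
    """Name of the first configured range that contains `ip`, else None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ranges.items():
        if any(addr in net for net in nets):
            return name
    return None


class Session:
    """Minimal stand-in for a PP session: the address embedded in the session
    ID plus clientipaddresslist, the addresses used since then."""

    def __init__(self, session_id_ip: str) -> None:
        self.session_id_ip = session_id_ip
        self.clientipaddresslist: List[str] = []

    def current_ip(self) -> str:
        return self.clientipaddresslist[-1] if self.clientipaddresslist else self.session_id_ip


def check_client_ip(session: Session, new_ip: str, ranges: Ranges,
                    allow_ip_switch_within_ranges: bool) -> bool:
    """Accept the request if the address is unchanged, or if switching is
    enabled and both the current and the new address are in the same range.
    Otherwise reject, which is the behaviour before this feature existed."""
    current = session.current_ip()
    if ipaddress.ip_address(new_ip) == ipaddress.ip_address(current):
        return True
    if not allow_ip_switch_within_ranges or not ranges:
        return False
    old_range = range_containing(ranges, current)
    if old_range is None or old_range != range_containing(ranges, new_ip):
        return False
    session.clientipaddresslist.append(new_ip)  # record the accepted switch
    return True


# Constructed sample configuration (documentation prefixes, no real networks).
SAMPLE_RANGES = parse_ranges({
    "office": ["192.0.2.0/24"],
    "vpn": ["198.51.100.0/24"],
})

if __name__ == "__main__":
    s = Session("192.0.2.10")
    print(check_client_ip(s, "192.0.2.77", SAMPLE_RANGES, True), s.clientipaddresslist)
```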
- 14/04 2011, KR
. Version 4.173 released.
- 13/04 2011, KR
. Changes to the session controller status page - viewing of session ID lists now requires session.write access instead of session.read access. This is done to make sure that a read-only user by default does not have access to view the currently available sessions. To change the default, add these lines to portalprotect-security.xml in order to allow a "readonly" user access to view the sessions.
. HTTP Proxy server URLs no longer show up twice in the URL history when failing.
. Changed binarydiff so it treats entries within .zip files with / or \ as equal names.
. Fixed bug in the HTTP Proxy Server: if a relay proxy server was configured it was used, but if it was then removed from the configuration, the proxy would still be used by the HTTP client.
- 12/04 2011, KR
. Updated the Luna exception reconnect check reflection code to log more information if it fails.
. Added URLs to the HTTP Proxy server history if the connection to the server failed or timed out.
. Added the list of currently executing requests to the proxy server's status page, so the currently executing requests are visible instantly and not just when they are completed.
- 02/04 2011, JN
. Fixed Swing-based user administration client to not hang in the JVM when the user has no access to the application
- 30/03 2011, KR
. Version 4.172 released.
- 30/03 2011, KR
. Luna exception/reconnect check did not work on the JRockit JVM, which behaves differently from Sun's JVM when looking up methods via reflection.
- 28/03 2011, KR
. Fixed bug in BinaryDiff - the ignore list did not match the filename if the contents of two directories were compared instead of two .zip files.
- 28/03 2011, KR
. Version 4.171 released.
- 28/03 2011, KR
. Fixed build error - NTLM .jar files were dropped from the build by accident as part of the project changes done 6/3.
- 21/03 2011, KR
. Version 4.170 released.
- 11/03 2011, JN
. Fixed UserAdmin Server build to once again include statements.properties in the correct jar file!
- 06/03 2011, JN
. Added PDF Javadoc build of the user administration client API
. Fixed PDF Javadoc titles to include updated year and company name
. Fixed JavaDoc warnings in PortalProtect agent and utilities projects
. Fixed JavaDoc warnings in PortalProtect user administration access API project
. Added classpaths to Javadoc generation for proper linking
- 06/03 2011, JN
. Internal development changes:
  - Renamed all PortalProtect UserAdmin projects to be without spaces in their names
  - Removed old references to the old "Utilities" project in launchers
  - Changed launchers to use execution environment instead of a hardcoded JRE name
  - Renamed various paths in text programs to match new project names
  - Removed various erroneous check-ins (dist directories and generated Javadoc)
- 22/02 2011, KR
. Fixed bug in the useradmin access API - if all PP servers were restarted so all session information was lost, the reconnect routine would not detect that the sessions were gone and would keep retrying to connect to the server every 10 seconds for each currently active session towards the useradmin server.
- 18/02 2011, JN
. Eliminated the use of the old "Utilities" code base. Code refactored and used classes moved to relevant projects. This means that itputils.jar is no longer used, and should be removed from all .war files etc.
. Added compiler settings to support line numbers in user administration component builds
. Added compiler settings to enable build of WSSecurity classes using latest 1.6 compilers with package access restrictions
. Added build checks to ensure that required projects are checked out before the build can properly be executed
. Fixed build to work on a clean checkout
. Fixed build so individual projects are only built once
. Changed "fast build" so no JavaDoc is created during this kind of build
. Fixed a few javadoc errors
- 16/02 2011, KR
. HTTP 1.1 dispatcher fixes - when pinging a server, the dispatcher would send "GET /xxxx HTTP/1.0" even on an existing HTTP 1.1 connection; this might cause some application servers to complain.
. HTTP 1.1 connections viewable from the dispatcher status GUI now display more information, such as the last URI requested on a given connection.
. When the dispatcher pings a server, previously it would close the connection after reading just the HTTP reply header; this could cause some application servers to log errors since the connection would then be closed before the client had read the whole response. Now the entire response is read (and discarded) both when using HTTP 1.0 and 1.1.
. If the dispatcher was configured to use HTTP 1.1, and the connection to a backend server failed or timed out, the next request would sometimes not work properly.
. Added diagnostics code - if the dispatcher reads an invalid HTTP response code from the backend server, it will dump what it read, along with the contents of the previous couple of requests on the same connection, for use in diagnostics.
- 15/02 2011, KR
. http11, once enabled, could not be disabled at runtime without restarting the dispatcher or removing/re-adding the alternate server.
- 11/02 2011, KR
. Added uninstall() method to authentication plugins - it gives the auth plugin a chance to release any resources.
. Added reloadPrivateKeys() method to authentication plugins - called if the Luna JCE provider is reloaded/re-initialized so the auth plugin has a chance to reload its private keys from the box. AbstractX509CertificatePlugin implements this method, and calls setConfiguration() whenever it is called to force a reload of the keys - so if your plugin extends this you do not need to do anything here.
. Added dk.itp.security.jce.luna.Luna.checkExceptionForLunaReconnect(Throwable) method which can be called with an exception.
It checks if the exception is an indication that the Luna JCE provider's connection to the backend Luna box is gone and needs a reconnect. This should ideally have been done internally in the JCE provider, but SafeNet does not wish to do this, so instead they force everyone to implement this hack to force it to reconnect. PP calls this method if an exception occurs during signature generation/verification in both AbstractX509CertificatePlugin and the WS-Security support plugins.
- 08/02 2011, KR
. ITunnelPlugin.PluginRequestStateInformation.onlyCallThisPlugin added - it can be set to a particular plugin class, and if it is set, only this particular plugin will be called - others will be ignored.
- 06/02 2011, KR
. Added an attempt to weave policies into WSDL documents when using the WS-Security dispatcher plugin.
. Added new methods to WSSAgent to use for adding policies to a WSDL document.
. Added properties to the WSS plugin: wss.policy.policyfilenames, wss.policy.addressfilename, wss.policy.servercertfilename, wss.policy.bindingpolicyname, wss.policy.inputpolicyname, wss.policy.outputpolicyname
- 05/02 2011, KR
. Fixed POST request handling for Jetty when no content-length was given and transfer-encoding was chunked.
. Added extra capabilities for looking up WS-Security certificates by SKI bytes, thumbprints or issuer/serial number.
. After decrypting/verifying a WS-Security document, the SOAP Security header attribute "mustUnderstand" is set to "0" so a server that respects mustUnderstand and doesn't have a filter to handle the request is able to process it.
. More debug logging added to dk.itp.portalprotect.wss.WSSAuthPluginSupport, so if log4j debug is enabled for it, it will log all XML being processed, both input and output.
- 20/01 2010, JN
. Fixed issue where servers in application clusters had their extends attribute written even though the application cluster had a default extends overwriting it
- 22/01 2011, KR
. Version 4.169 released.
- 19/01 2011, KR
  . WS-Security code now bundled with the newest WSS4J and XMLSEC Apache libraries to fix issues with being unable to verify certain signed WS-Security documents.
  . Added httpOnlyFilter, which allows you to filter which hostnames httpOnly cookies are set for. See the users guide for more information.
  . Added ITunnelPlugin.PluginRequestStateInformation, which represents state shared between dispatcher plugins for the current request. It can also be used to tell the dispatcher to stop calling plugins for this particular request if the request is considered failing. Within the state there is a properties object where additional information can be stored, and also a flag shared between plugins which indicates that the request is considered failed but plugins should still be called.
- 18/01 2011, KR
  . Added logging and a bit of extra exception handling on HTTP request timeouts in the HTTP proxy server, since Jetty might throw an IllegalStateException when calling continuation.continue() - this would result in exceptions being logged to the console.
  . Dispatcher plugins were reloaded when the dispatcher configuration changed, even if the plugins didn't need to be. This caused them to drop their history, state etc.
- 05/01 2011, AF
  . Fixed small bug in the binary diff tool, where comparing two jar files would report false positives.
- 22/12 2010, KR
  . If UserAdminAgent.login() is called with a complete 60 character request ID, it now internally removes the request part of the ID and replaces it with the 40 character session ID. If login was called with a full request ID, and login had earlier been called with a 40 character session ID, it would result in the exception "dk.itp.pp.useradmin.client.UserAdminException: Session with useradmin server was terminated, please logon again" on subsequent usages.
  . UserAdminServer had a timing issue with login from an agent, where the login information could be lost on slower single-CPU systems depending on timing.
    This bug appeared back in August 2009 as part of the NIO peer changes.
- 19/12 2010, KR
  . Version 4.168 released.
- 16/12 2010, KR
  . Added modifyResponseHeaders() method to dispatcher plugin. It allows the plugin to view and/or modify the HTTP response status code and headers received from the webserver. It is passed the unparsed headers and can modify them before the dispatcher processes them. You should not change the Connection or Content-Length headers, since that will cause problems when the dispatcher processes them.
- 4/12 2010, KR
  . Version 4.167 re-released.
- 3/12 2010, KR
  . Modified the HTTP Proxy's use of continuations, which gave problems when using Tomcat.
  . Added specific handling of the case where the connection to an endpoint server failed; it now returns a more sensible error text to the clients instead of just "500 internal server error" if the problem really is the endpoint server not accepting the connection.
- 2/12 2010, KR
  . Version 4.167 released.
- 30/11 2010, KR
  . Upgraded from Jetty 6.x to 7.2. This means that the HTTP proxy now needs newer Jetty client .jars too. The following .jar files are needed: jetty-client, jetty-http, jetty-io, jetty-util, jetty-continuation.
  . Because of the new Jetty, the HTTP proxy server (when run on Jetty) is now fully asynchronous, so it scales very well up to many hundreds or thousands of simultaneous connections. It can run on any servlet 2.5 container, but it will revert to blocking mode and not scale as well as when running on Jetty 7. On a servlet 2.5 container you also need to enable the Jetty 7 continuation filter. Note that HTTP tunnelling (using the CONNECT method) will only work on Jetty.
  . WS-Security bugfix: if the request was encrypted, the key alias of the private key used to decrypt the encryption key was not discovered correctly when decrypting as part of the login process.
  . Bugfix: HTTP response timeout wasn't used in HTTP proxy.
- 29/11 2010, KR
  . The changes yesterday in the HTTP proxy introduced a bug in content-length handling, causing content not to be read in POST requests.
  . All log entries were filtered if "categoryfilter" was not present in the configuration.
  . Proxy plugin custom status text no longer includes the "generic" status text for the plugin.
- 28/11 2010, KR
  . PP Launcher now does a deep scan of the directories containing .jar files, such as patches, lib and extlib, finding all .jar files.
- 28/11 2010, KR
  . Version 4.166 released.
- 28/11 2010, KR
  . HTTP Proxy now supports calling plugins with response status and headers, and the plugins can now modify those.
  . A dispatcher plugin can now throw NoServersAvailableException from its overrideServerSelection() method.
  . logserver can now filter which categories are saved in memory and thus visible in the admin GUI. If the configuration property "categoryfilter" is present, it can contain a list of patterns which are NOT kept in memory / shown in the admin console, e.g. "categoryfilter=historylog|accesslog|dk.xx.yy.*" will drop all matching categories. They will still be logged to disk depending on the configuration in log4jserver.properties.
  . If the dispatcher reads HTTP status code 500 or above from a server, it will now log it along with which server it was, to make diagnostics easier. Additionally, if the server returns content-length: 0 and an HTTP error 500+, the dispatcher will log a warning.
  . HTTP Proxy servlet can now be initialized with systemproperty.file in the init params, like the rest of the components.
- 21/11 2010, KR
  . Added changes to Peer2Peer to provide initial support for .NET based agents. Also updated IdentifyPeerCommand and ServiceInfoCommand to support .NET compatible serialization.
- 16/11 2010, JN
  . Fixed NullPointerException when creating new configuration through the web administration UI
- 12/11 2010, KR
  . Slight changes to customHttpHeaders in dispatcher - if the user's IP address header is set up, the user's current IP will be set in the header instead of the one in the PP session. Under normal use there is no difference, but when IP address checking is disabled in the dispatcher, the user's currently used IP address will be sent to the application servers.
- 11/11 2010, KR
  . Fixed dispatcher bug in service window handling. If a service window was defined and the service window configuration properties were deleted while inside the window, it would not leave the service window.
- 9/11 2010, KR
  . Version 4.165 released.
- 9/11 2010, KR
  . Changed dispatcher so it never calls HttpServletRequest.getCookies(), to avoid more Tomcat bugs where "=" was stripped from the cookie values. This effectively broke server stickiness when the dispatcher was running on Tomcat.
- 5/11 2010, KR
  . Version 4.164 released.
- 5/11 2010, KR
  . Created workaround in dispatcher for cookie parsing bug in Tomcat. Cookies with : or = characters in them are truncated, and apparently the Tomcat developers wish to keep it so. More information here: https://issues.apache.org/bugzilla/show_bug.cgi?id=44679 This bug in Tomcat was triggered by the change of 28/9 which added support for multiple cookie headers - apparently it is still better to do the parsing yourself than to rely on standard functionality in application servers.
- 4/11 2010, KR
  . Clarified the NemID section of the users guide slightly with information about keystores and authentication types.
- 3/11 2010, KR
  . Updated the JRE version that PortalProtect is shipped with to JDK 1.6.0_22
- 2/11 2010, KR
  . Version 4.163 released.
- 29/10 2010, KR
  . Fixed dispatcher bug: "alternateserver.xxxx.service.window.end" did not use the default from "service.window.end" for the entire dispatcher.
- 28/10 2010, KR
  . Cleanup in PeerThread fixed - when shutting down, it would log NullPointerExceptions on machines with > 1 CPU.
- 21/10 2010, KR
  . Support for one-time passwords sent via SMS added. The demonstration application now allows logging in with userid and password; when that is done, an SMS with a newly generated one-time password is sent to the registered mobile phone, and when the OTP PIN is entered, the user is authenticated. Contact us for source code and information. Note that the demonstration application ships with a sample account and password; please only use it for limited testing.
- 18/10 2010, KR
  . Version 4.162 released.
- 18/10 2010, KR
  . The change of 15/10 to show the expanded value of properties, e.g. ${applicationcluster:target:xxx}, only worked for system properties; this was a bug. It is now changed so it actually works for application clusters, but it does NOT represent system properties correctly if the configuration property is resolved on a remote JVM, since they are shown as resolved on the server and might differ on the remote JVM if the system properties are set differently there.
  . Further changes to UserList - reworked some synchronization to speed up session changes on multiple CPUs.
  . If the statistics server is not connected, the config server will not attempt to show the overview charts on the status front page when a server is selected in the GUI.
- 17/10 2010, KR
  . Version 4.161 released.
- 17/10 2010, KR
  . Modified the way the dispatcher handles the situation where either no servers are configured for a given alternate server, or all servers are marked as unavailable. Previously it attempted to select a random server; now it returns HTTP status code "503 Service Unavailable" instead. Note that if ping fails, it will still try to select one of the servers that might be alive; this rule only applies to the special case where all servers are marked as unavailable.
- 16/10 2010, KR
  . WSSAgent (used for WS-Security) now has duplicate methods - one set of methods uses the static agent instance on the JVM, while the other set uses a supplied instance.
    This way you can use it with multiple different agent instances.
  . Added dk.itp.portalprotect.wss.proxy.WSSPlugin - a sample plugin for the HTTP proxy that is able to add WS-Security signing to requests and verify signatures on responses.
- 15/10 2010, KR
  . Fixed bug in ThreadPool shutdown, which generated ClassCastException noise in the log upon shutdown.
  . Changed the way the dispatcher handles the cookie containing the name of the selected server. You specify a cookie name like this: "targetservers=server1_hostname:80,server1" - previously, "server1" was set as the value of the cookie to indicate which server in a cluster was chosen; now the value is SHA1 hashed before being sent to the browser, to guard against customers putting internal information in the cookie name.
  . Fixed bug in StringMatcher class, used for URL pattern matching. If the pattern was "abc*|def" then it would not match "abc", but "def|abc*" worked.
  . Added "Show last 1000 URLs" to alternate server entries in the dispatcher, so you can choose to view the last 1000 URLs either in total or for a specific alternateserver.
  . Configserver GUI now shows the parsed value of a property when editing it. This can be used to e.g. view the result of an expanded ${applicationcluster:target:xxx} macro.
  . Added HTTP Proxy Server component to PortalProtect. The HTTP Proxy can function both as a normal proxy and as a forwarding webserver, which receives a request meant for another end destination and forwards it there. Request and response contents can be manipulated using plugins, e.g. to add WS-Security to webservice requests and/or verify the presence of WS-Security on the responses. More information is available in the PortalProtect Users Guide.
  . Added new property to the WS-Security authentication plugin: wss.usergroups.xxxx where xxxx is an alias of a key within a keystore. If specified, the user needs to be a member of one of the listed usergroups to use the private key. See the Users Guide for more info.
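The "categoryfilter=historylog|accesslog|dk.xx.yy.*" log-category filter (28/11 2010) and the URL StringMatcher bug above ("abc*|def" failing to match "abc") both concern pipe-separated wildcard patterns. The matcher below is an added example, not PortalProtect's StringMatcher; it assumes a minimal model in which '|' separates alternatives, '*' matches any run of characters, everything else is literal and the whole string must match. Each alternative is anchored on its own, so the order of alternatives cannot change the result, which matters when such patterns decide which URLs need authentication.

```python
import re
from typing import Callable, List, Optional


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Compile a '|'-separated list of '*' wildcard alternatives.

    Each alternative is regex-escaped (only '*' is special) and the whole
    alternation is anchored at both ends, so "abc*|def" and "def|abc*"
    are the same pattern.
    """
    alternatives: List[str] = []
    for alt in pattern.split("|"):
        alt = alt.strip()
        if not alt:
            continue  # tolerate "a||b" or a trailing '|'
        alternatives.append("".join(".*" if ch == "*" else re.escape(ch) for ch in alt))
    if not alternatives:
        raise ValueError("pattern contains no alternatives")
    return re.compile(r"\A(?:" + "|".join(alternatives) + r")\Z", re.DOTALL)


def matches(pattern: str, value: str) -> bool:
    """True if value matches any alternative of pattern in full."""
    return compile_pattern(pattern).match(value) is not None


def category_filter(categoryfilter: Optional[str]) -> Callable[[str], bool]:
    """Build a logserver-style predicate from the "categoryfilter" property.

    The returned function is True for categories that should be KEPT in
    memory (shown in the admin console) and False for those the filter
    drops. A missing or empty property keeps everything, which is the
    behaviour the 29/11 2010 entry restores.
    """
    if not categoryfilter or not categoryfilter.strip("| \t"):
        return lambda category: True
    compiled = compile_pattern(categoryfilter)
    return lambda category: compiled.match(category) is None


if __name__ == "__main__":
    # Constructed sample values, taken from the two changelog entries.
    for pat in ("abc*|def", "def|abc*"):
        print(f"{pat!r} matches 'abc': {matches(pat, 'abc')}")
    keep = category_filter("historylog|accesslog|dk.xx.yy.*")
    for cat in ("historylog", "dk.xx.yy.Foo", "dk.itp.portalprotect.Agent"):
        print(f"keep {cat!r}: {keep(cat)}")
```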
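The hashed sticky-server cookie described in the 15/10 2010 entry, as an added example that is not PortalProtect's dispatcher code. It assumes the "targetservers" value is a list of "host:port,name" entries separated by ';' (the page shows one entry; the separator is an assumption), that the cookie is named "targetservers" and carries the hex SHA-1 of the server name, and that the dispatcher parses the raw Cookie header itself, as the 9/11 and 5/11 2010 entries say it now does.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Server = Tuple[str, str]  # (name, "host:port")


def parse_targetservers(value: str) -> List[Server]:
    """Parse 'host:port,name;host:port,name' into (name, target) pairs.

    The ';' separator between several entries is an assumption of this
    example; the changelog only shows "server1_hostname:80,server1".
    """
    servers: List[Server] = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        target, sep, name = entry.partition(",")
        if not sep or not name.strip() or not target.strip():
            raise ValueError(f"expected host:port,name but got {entry!r}")
        servers.append((name.strip(), target.strip()))
    return servers


def cookie_value_for(server_name: str) -> str:
    """The value the browser sees: hex SHA-1 of the internal server name.

    The browser only needs an opaque token the dispatcher can map back to
    a server, so the internal name never leaves the site. Hex also contains
    none of the ':' or '=' characters that the Tomcat cookie-parsing bug
    from the 5/11 2010 entry truncates at.
    """
    return hashlib.sha1(server_name.encode("utf-8")).hexdigest()


def build_sticky_table(servers: List[Server]) -> Dict[str, Server]:
    """Map hashed cookie value -> configured server, rejecting duplicate names."""
    table: Dict[str, Server] = {}
    for server in servers:
        digest = cookie_value_for(server[0])
        if digest in table:
            raise ValueError(f"duplicate server name {server[0]!r}")
        table[digest] = server
    return table


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Minimal Cookie: header parser that keeps '=' and ':' inside values.

    Splits only on ';' and on the FIRST '=' of each pair, so a value such
    as "a=b" or "host:80" survives intact; the first occurrence of a name
    wins when a client repeats it.
    """
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip():
            cookies.setdefault(name.strip(), value.strip())
    return cookies


def select_sticky_server(cookie_header: Optional[str], table: Dict[str, Server],
                         cookie_name: str = "targetservers") -> Optional[Server]:
    """Resolve the sticky cookie back to a configured server, or None.

    None means "no usable cookie": it is missing, or its value is not the
    hash of any configured server (a raw internal name in the old
    cleartext format included). The caller then falls back to normal
    server selection rather than trusting client input.
    """
    if not cookie_header:
        return None
    value = parse_cookie_header(cookie_header).get(cookie_name)
    if value is None:
        return None
    return table.get(value.strip().lower())


if __name__ == "__main__":
    # Constructed sample configuration and request, not from a real deployment.
    table = build_sticky_table(parse_targetservers(
        "server1_hostname:80,server1;server2_hostname:80,server2"))
    token = cookie_value_for("server1")
    print("Set-Cookie: targetservers=" + token)
    print(select_sticky_server("JSESSIONID=abc; targetservers=" + token, table))
    print(select_sticky_server("targetservers=server1", table))  # old cleartext form: None
```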
- 6/10 2010, KR
  . Version 4.160 released.
- 6/10 2010, KR
  . Removed "htmlvalidate" option from dispatcher, and the dependency on the JTidy .jar file.
  . Added TunnelServlet.getAgent() method which can be used by dispatcher plugins to get the agent to use - in JVMs with multiple agents and different PP server clusters, the normal singleton "Agent.getInstance()" cannot be used, since it is not possible to tell which dispatcher instance it belongs to.
  . PortalProtect's display of its version originates from a file called ".version" in the classpath. Now PP will also read another file called ".version.customer" and append any properties from there to the version tag displayed; in this way a customer can create their own ".version.customer" file and put e.g. "build.version=r4323" in it. When PP starts up it will merge the contents of both files, and for the version "v4.160 (r4323)" will then be displayed. This is an easy way of combining both PortalProtect's version and the version of customer-specific code/plugins, and displaying both in the PP Admin GUI.
- 5/10 2010, KR
  . Changed which charts are shown on the front page when selecting a service; now database calls are shown for useradmin, and logins/session fetches are shown for applications.
  . If an included applicationcluster server entry does not have a type specified, the type will now default to "application".
  . Added new configuration property to an agent, "clusterID", which can be used to select a cluster other than the default to create new sessions in. Note that the cluster needs to exist and be configured in the "clusters" property.
  . Added alternateserver.xxxx.clusterID to the dispatcher, so the cluster to create sessions in can be overridden for specific alternateservers.
  . Slight changes to the agent configuration - if you do not specify ptsservers/sessioncontrollers for an agent, but only a list of clusters and clusterID for the default one, then that is now enough.
    Previously ptsservers was always required and the clusters.xxxx.sessioncontrollers were just an addition to the default cluster's ptsservers.
  . Agents will no longer wait for clusters with no connected servers, but instead fail immediately, to avoid blocking threads when a single cluster has no connections but other clusters work.
  . Refactored dispatcher so the session ID is checked before the dispatcher plugins are called, so if they need to modify the selected server they now have a guarantee of a valid session.
- 4/10 2010, KR
  . Added SPNEGO authentication support to dispatcher and session controller authentication plugin. SPNEGO uses the JDK 1.6 built-in SPNEGO support and only works with that version - at least 1.6.0_19 is required. Only Sun's JVM is tested and supported. The SPNEGO plugin can authenticate the user and retrieve his name, group membership etc. using LDAP from the Active Directory server. Refer to the new section in the users guide for details on how to configure SPNEGO support.
  . Dispatcher previously used the agent singleton in the JVM for creating sessions etc. This led to incorrect statistics on the server (e.g. the creating agent) if many dispatchers were running in the same JVM. It has now been refactored to use its own instance instead of the singleton. Note however that plugins etc. will still use the singleton instance in the JVM.
  . Dispatchers which use a restricted connection to the session controller are now able to modify state objects that are on the list of safe state variables.
- 30/9 2010, KR
  . Optimized statistics timers a little, replaced internal Hashtable with HashMap.
- 29/9 2010, KR
  . PDF report generation now added to the statistics server - this means that PortalProtect Server now requires the file iText-1.2.7.jar in the classpath.
  . pdf.reports configuration entry for the statistics server added; it is used to specify which reports are available for generation from the server. See the section in the users guide for details.
  . PP Services can now add resource actions to the status details view; these can be used to download resources using the admin GUI - e.g. PDF files, but also any other resource, file, HTML page or otherwise.
- 28/9 2010, KR
  . PortalProtect DemoApp updated with new web layout. Also placed on portalprotect.dk
  . Added getInstance() to UserAdminServer, since a customer was using it.
  . Added "channeltype" to customHttpHeaders in dispatcher, so the type of the channel (SSL, HTTP, SCL etc.) can be forwarded in the request header to the application.
  . Added support in the dispatcher for multiple Cookie: headers received from the client. A browser will not send multiple cookie headers, but applications might, such as the JIRA connector plugin for Eclipse.
  . Updated the users guide with a new section about PDF report generation.
- 27/9 2010, KR
  . PeerThread (NIO thread) now supports multiple threads - it will start one thread per detected CPU core, maximum 4. This will perform better than a single thread under heavy load on multi-CPU systems.
- 26/9 2010, JN
  . First cut at charts being displayed on the front page in the management console when a server is selected.
- 24/9 2010, KR
  . Version 4.159 released.
- 23/9 2010, KR
  . Added first attempt at a PDF report generator, usable from the administration client. It uses an XML template to extract statistics from the statistics server and uses them to generate a PDF file containing graphs based on the data.
- 17/9 2010, KR
  . Changed threadpool maximum threads; it is now configurable for agents (including dispatchers and useradmin) and the session controller, as well as from the system property "pp.threadpool.maxthreads". The name of the property in the configuration is "threadpool.maxthreads", and if set it changes the maximum of 128 to the specified value.
  . Previously, if more than 100 threads were active at a time, PP would start writing warnings to the log about many commands being active at a time.
    This has been changed from 100 to 85% of maximum threads, so it scales with whatever the maximum is set to.
  . Idle thread count reduced to 8, since it will dynamically be set higher if needed, but will not go below 8.
  . Deleted servlet engine from server project, since it is obsolete.
  . Added useradmin application to installer/launcher.
  . Newest version of log4j (1.2.16) now distributed with PP, replacing the older 1.2.8 version.
  . Interval now printed in charts generated from the statistics, so it is easier to see which interval the count graph covers.
- 16/9 2010, KR
  . When stopping the session controller, it now asks all agents to switch to another server if loadbalancing is used, so the risk of the agents failing because of the server shutdown is significantly lowered.
  . Added workaround for the JVM bug described here: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6693490 to PeerThread, so NIO (non-blocking IO) sockets will not be affected if we run into this bug. The bug also exists on JRockit JVMs.
- 14/9 2010, KR
  . Threadpool optimization: under heavy use there might be a need for more than 16 threads most of the time, which is the default maximum number of idle threads. The threadpool now dynamically adjusts the number of idle threads to cut down on the number of thread creations/terminations, since these can take a comparatively long time. This can improve throughput significantly on systems that periodically require more than 16 almost constantly active threads.
  . Configserver now adds information to its events list, viewable from the admin GUI, so it is easier to see when an agent has connected to or disconnected from it.
- 13/9 2010, KR
  . Javachart replaced with JFreeChart for creating graphs. This means that the previous applet is no longer used, and graphapplets.jar is no longer used. Instead, jfreechart-1.0.13.jar and jcommon-1.0.16.jar must both be in the classpath, or charting will not work.
    You can now view two kinds of charts based on the statistics in the admin GUI - one is very similar to the old static graphs, but the graphs are more detailed, especially if you zoom by clicking on them. The other shows a combined chart with 4 axes, with count, average, minimum and maximum values on the same chart.
  . Added SCL launcher to the launcher project to demonstrate SCL (Secure Communication Layer) functionality in the launcher and demo application.
- 10/9 2010, JN
  . Updated documentation with cfg include and application cluster information. Also added generic information about the portalprotect-configuration.xml
- 9/9 2010, KR
  . A dispatcher plugin can now override the server selection and select another server to forward the request to, e.g. another alternateserver or another of the currently available servers. This allows the plugin to forward a particular request to another server, or to create its own rules which select which server to use for any given request.
- 7/9 2010, KR
  . UserAdminService.configUpdated() no longer hides configuration updates for servers other than its own server. This bug meant that code implementing IConfigListener would not get called when configuration for servers other than their own was updated. This only happened when the useradmin server was loaded and registered in the JVM as a singleton agent.
- 6/9 2010, KR
  . Added "delayListenersOnStartup" option, which defaults to true, to the session controller - if true, it will wait 20 seconds after startup before listening for connections from agents. This gives it time to connect to any mirror servers to ensure the sessions are properly synchronized with other servers before letting agents loose on them.
  . Refactored WS-Security code to work with Apache xmlsec 1.4.2 (and JDK 1.6 update 20).
  . Expanded dispatcher plugin functionality, so it can now modify both POST data and HTTP response data.
  . Added WSSPlugin, a small sample WS-Security plugin that can verify/decrypt WS-Security protected XML requests within the dispatcher and add signature/encryption to the response, essentially making the dispatcher work as a WS-Security proxy that makes it possible to add WS-Security support to an application which is unaware of WS-Security.
  . Added "db.additionalproperties" to DBPool; if specified, it is a semicolon separated list of properties which is sent to the JDBC driver along with the JDBC URL:
- 3/9 2010, KR
  . When a server's availability status is modified in the admin GUI, all other dispatchers are notified so they can mark the same server as available/unavailable.
  . Added statistics to peer, so it keeps track of each command received and sent.
  . Dispatcher limit for maximum size of POST requests increased from 32 to 64MB.
- 2/9 2010, KR
  . Added small utility to do recursive binary diffs on either whole directories or individual war/ear/jar files. This diff utility will recursively dig into zip files within zip files (no matter the file extension) and print out the difference between an old and a new version. To use it, run "java -classpath PortalProtectAgent.jar dk.itp.util.diff.binary.BinaryDiff"
  . PingServices, which is invoked from the administration client, failed to ping all servers if a server timed out. Now it will continue with the remaining servers.
  . Changed ProxyCommand timeout to match the timeout for the command being sent + 2 seconds, instead of the default 30 seconds.
  . Fixed RouteTableUpdater - it risked stopping shortly after starting on systems with multiple CPU cores, depending on timing. If it stopped too early, all servers except the configserver itself went "white" in the admin status GUI although they were connected.
  . Removed stacktrace from log of HTTPTNL00005, SCSRVR00014 and SERVER00009 to lessen the log clutter - all are logged when a component is unable to connect to another component, most likely because it isn't running.
    to a mirror server.
  . Performance optimization in session controller: if an agent has been notified at least once that a session has changed and should be deleted from its cache, then the next notification is asynchronous, so we do not have to wait for a re-confirmation. Whenever the agent again retrieves a copy of the session, the counter is reset, so on the next notification we have to wait for it to confirm the deletion from its cache.
  . RouteTableUpdater reworked slightly so it pings connected servers more aggressively if a server has just connected or disconnected, to reflect changes faster. This should result in a speedier update of the green/red/white icons in the server list in the admin GUI.
- 1/9 2010, KR
  . Added minthreads/maxthreads/bindaddress to launcher XML, and updated Getting Started.pdf with more information about this and how to further configure the embedded Jetty webserver.
- 30/8 2010, KR
  . "Creating new session for client" log message in agent changed to debug log level instead of info, to keep clutter down on high volume traffic systems.
  . Added more defensive code to PeerThread to guard against writes on nonblocking sockets continually failing.
- 25/8 2010, KR
  . ICustomJCESupport extended with reconnect() method - LunaSupport can be used to attempt to reconnect to the Luna SA HSM box in case of network problems. Each sessioncontroller has a link/action (under Status-->Details) which can be triggered from the administration GUI to force the reconnect. Note that it has no effect unless the property jce.customproviders includes the class dk.itp.security.jce.luna.LunaSupport.
- 24/8 2010, KR
  . RemoteLogAppender threads were not marked as daemon threads.
- 20/8 2010, KR
  . Launcher changed so it operates on an .xml file, and supports launching multiple JVMs
- 5/8 2010, KR
  . Improved configserver's list of agent versions, so it now shows how many instances of each version/build timestamp exist.
  . Fixed a bug in sessioncontroller, where mirrored servers would notify all agents about changes to a session if exactly 0 agents connected to this sessioncontroller had an interest in the session. This could cause timeouts in case of extremely heavy load.
  . Stack dumps/JVM dumps can now be refreshed every 5 seconds instead of every 30.
  . Changed FlushCacheEntryCommand timeout from 5 to 3 seconds. This is the timeout from a mirror to an agent.
  . Changed UserChangedCommand timeout from 15 to 4 seconds - this is the timeout between mirror sessioncontrollers.
  . Fixed error message spam if many (tens or hundreds of) threads were waiting to notify an agent, and the connection to it was closed between sending the notify request and retrieving the response.
  . Default value of agentfailureshardlimit changed from 100 to 300, and default value of mirrorfailureshardlimit changed from 100 to 300, to compensate for the lower timeout values.
  . Added statistics with information about which agent or which mirror timed out when we tried to send a notification about a session change to it.
  . Added IManagedService.getSignificantEvents(). Added events to the GUI. This is a history of important events that might otherwise be lost in the logs, such as connects/disconnects, start/stop etc.
  . Added webservices launcher, so they can be launched in the embedded webserver.
- 1/8 2010, KR
  . Added new launcher, so PP server and dispatchers can be started with an embedded webserver instead of requiring a web server. This enables PP to run in a self-contained server environment, requiring nothing but a JVM.
  . Added more checks in Peer2Peer thread handling when processing errors, to ensure threads are not created if not needed.
  . Local Peers which did not have a connect listener initially did not work properly.
- 28/7 2010, KR
  . Removed static UserAdminServer.getInstance() method to support multiple useradmin instances in the same JVM.
  . Removed dk.itp.peer2peer.server.PeerServer class; it has been replaced with dk.itp.peer2peer.wrapper.PeerServer.
- 13/7 2010, KR
  . Version 4.158 released.
- 13/7 2010, KR
  . Workaround in ConfigCommand to send the old format to old PP Agents, so v4.104 (which doesn't have the workaround for the JVM bug/feature implemented in the agent in May 2009) will still work.
- 12/7 2010, KR
  . Version 4.157 released.
- 11/7 2010, JN
  . Added agent version/buildtime list based on route table in config server detailed status view
  . Refactored XMLDSIG code to be self contained in X509Helper
- 9/7 2010, KR
  . Added support for "xml" encoding in signature parameters in xmldsig, required for the new NemID / DanID release on the test environment; it will go into production early August. Added more debug info in OCSP responder code to help diagnose DanID extern test bugs.
- 3/7 2010, KR
  . CRL verification now also checks the intermediate certificate's CRL, if an intermediate certificate is used.
  . Added new parameter "ca.provider.xxxx.crl.verifysignature" - xxxx is the provider name. It defaults to true, but if turned off the CRL signature will not be verified. This can be set to false as a workaround for a bug in DanID's production CRL, which is not signed with the correct issuer certificate.
  . Added "ca.provider.xxxx.ocsp.timedifference", which defaults to 2. It specifies the maximum time difference allowed between the current time and the timestamp in the signed OCSP response. DanID still hasn't confirmed the best value yet, but in the current prod setup at least 60 minutes is required.
- 1/7 2010, KR
  . Fixed a bug in session controller synchronization with mirrors. For light session sync, the first session in the list would not get synced with the remote mirror.
  . Optimized session list; synchronization is changed so that for systems with hundreds of thousands of sessions and many CPUs, it will perform at least 10 times faster when retrieving sessions from the list while another thread is scanning for timed out sessions, or for sessions needing delayed logoff to be activated.
  . Added support for notifications - a notification can be sent between servers and used to report events from one server to another, e.g. from a plugin within a dispatcher to all plugins on any other dispatcher, or from an agent within an application to similar agents running other instances of the application on other servers. These new methods in the IAgent/IPTServer interface support notifications: sendNotificaion, addNotificationListener, removeNotificationListener.
- 30/6 2010, KR
  . Session controller authentication and authorization plugins were not unloaded if they were removed from the runtime configuration after startup. Now they are uninstalled if deleted from the configuration.
  . If setConfiguration() on an authentication or authorization plugin threw an Error and not an Exception, it would kill the session controller, which would fail and not be able to parse the entire configuration. Now this error is caught and logged, and the session controller will continue loading its configuration.
- 29/6 2010, JN
  . Added support for the configuration client to replace macros in the configuration before calling the agent owner
  . Fixed a bug in the system property macro replacement where the new length of the text was not taken into account if multiple macros were in the same text.
  . Changed system property configuration macro handler to support old style system property macros without macro name in front
  . Cleaned up from using old Environment.replaceWithMacro calls with new ConfigurationMacroHandler.expandSystemMacro
  . Fixed it so agents failing while their configuration is updated will not result in the connection being dumped by the configuration server
- 25/6 2010, KR
  . Fixed bug in Config Server where the routetable updater thread was stopped if the config server was stopped, but was not restarted again when the config server was started once more. The config server restarted itself if e.g. remote.servers was changed, so that also provoked the error.
- 24/6 2010, KR
  . Version 4.156 released.
- 24/6 2010, KR
  . If garbagecollect.waitseconds was set to 0, the session controller would fail in its setConfiguration method, causing it not to be initialized properly - this bug was introduced by the change of 30/3 2010, v4.152
  . If a session controller mirror was specified in the configuration as servername:port, and not tcp://servername:port or nio://servername:port, then the session controller would convert the name to tcp://servername:port internally; but if it needed to reconnect because the connection had gone down, it would compare against the configured servers, not find a match, and thus abort the reconnect.
- 23/6 2010, KR
  . Added total DNS time warning for the time it took to check all DNS names in a remote address restricter, if the total time took more than 3 seconds.
- 22/6 2010, KR
  . Changed NemIDAppletElementGenerator's default URL to https://applet.danid.dk which is the production URL.
- 22/6 2010, JN
  . Added application cluster support in PortalProtect administration console. It is now possible to see the servers sorted by application cluster definitions.
  . Added getApplicationClusters method to the PortalProtect administration client interface.
  . Fixed issue in manage UI where server sort was reset to name sort after selecting a server without connection
- 21/6 2010, KR
  . Fixed bug in statistics search - if a start date was specified, we would not always display data from the correct "box", e.g.
hours might be searched instead of days depending on the interval selected. Now the first box (seconds, minutes, hours, days) that includes the from date and that has data for the specified interval is shown.
- 15/6 2010, KR
  . Version 4.151A patch to 4.151 released, containing only the new LunaSupport class.
- 15/6 2010, KR
  . Added luna.slot and luna.usertype to the LunaSupport class - if specified, login is done with both usertype and slot ID.
- 12/6 2010, JN
  . The ConfigDiff tool now supports checking include statements in the configuration files.
  . Fixed it so that when server types and group names are set to blank in the UI, they are shown as "[unknown]".
  . Implemented macro support for ${systemproperty:XXXXXX} in agent configurations.
  . Fixed a configuration macro error where incorrectly spelled macros resulted in the rest being skipped.
- 11/6 2010, AF
  . AdminClientImpl now understands ${} in server.name resolution.
  . Included files can now be referred to with ${} system properties in the path name.
- 10/6 2010, KR
  . Added getNemIDLoginAppletTag / getNemIDSignAppletTag methods to the PP Agent webservice interface.
- 09/6 2010, KR
  . Added new options that can be specified separately for specific alternateservers in the dispatcher:
    . urlAuthRequired
    . modifyRedirectLocation
    . service.window.url / service.window.begin / service.window.end
    . pingUsingSession
  . Modified ConfigDiff slightly to display new/old changes instead of the full filename.
- 03/6 2010, JN
  . Fixed it so servers and groups in the configuration with empty types and names are loaded with [unknown] instead.
  . Added macro replacement support for application clusters in the configuration server. The following is supported:
    - ${applicationcluster:target:xxx} -> hostname:port,name;hostname:port,name ...
    - ${applicationcluster:hostname:xxx} -> hostname;hostname ...
    - ${applicationcluster:servername:xxx} -> name;name ...
    In all cases xxx is the name of an application cluster.
    Each replacement made in the properties sent out to the clients is logged as debug information if needed.
- 03/6 2010, KR
  . Added isStarted() to PeerServer.
  . The CA_NEMID class now contains a default name for the issuer DN, so it no longer needs to be in the configuration.
- 28/5 2010, JN
  . Added a first cut of application clusters in the configuration .xml file.
- 28/5 2010, KR
  . If more than one server has the same number of active connections, the loadbalancing client picks a random one instead of the first one in the list.
- 28/5 2010, JN
  . Added support for server includes in the PortalProtect configuration file (no UI support yet).
  . Added support for directory includes in the PortalProtect configuration file (no UI support yet).
  . Configuration servers need to be updated throughout clusters after this version, since the config server will not be able to synchronize configuration with older versions.
- 27/5 2010, KR
  . Version 4.155 released.
- 26/5 2010, KR
  . Added setSize() to NemIDAppletGenerator so the applet size can be changed from the default.
- 21/5 2010, KR
  . Dynamic loadbalancing added to the config client, session controller agent, log client and useradmin agent. If the list of server URLs starts with "loadbalance:" then load is automatically shared between the available servers. The client connects to all available servers, but only one connection at a time is active; the rest are passive. The client periodically (every 10 minutes) checks whether a server other than the currently active one has more than 3 connections fewer than the current one, and if so it switches the active server to that one.
- 19/5 2010, KR
  . NemID applet parameter signing changed to support multiple simultaneous certificates. Regrettably the format of the configuration parameter had to change a little. Now ca.provider.xxxx.providerid can contain a list of providers, e.g. "10,11", and the settings for each provider now contain the provider ID, e.g.
      ca.provider.xxxx.nemid.appletparam.10.keystore.file=xxxx/yyyy/zzzzz
      ca.provider.xxxx.nemid.appletparam.11.keystore.file=xxxx/yyyy/zzzzz
    The old format is no longer recognized, so you will need to update the configuration for PP to load the keystores.
- 18/5 2010, KR
  . The CRL Updater now handles intermediate certificates - if the CRL was issued by an intermediate certificate, verification of the CRL signature is delayed until the first CRL check, since only the root certificate and not the intermediate certificate is present at load time.
  . CA_NEMID updated with the name of the production root certificate: "CN=TRUST2408 OCES Primary CA,O=TRUST2408,C=DK"
  . Changed DBPool so datasourcename is ignored if it is blank.
  . Refactored configuration parsing code in AbstractX509CertificatePlugin to make it easier to add new properties to CA_* classes.
  . Added sorting of X.509 certificates before verifying them, to fix the NemID "feature" where certificates are not sorted properly.
- 13/5 2010, JN
  . dk.itp.util.diff.ConfigDiff now supports comparing server extensions.
  . Added support for server group includes in the PortalProtect configuration file (no UI support yet).
- 10/5 2010, KR
  . Added additional characters to HTMLEncoder, so e.g. the single quote ' is also HTML escaped.
- 5/5 2010, KR
  . Version 4.154 released.
- 5/5 2010, KR
  . Fixed a bug in the diff tool where it didn't close the files, causing temporary copies of the configuration to be left on disk during save.
  . Added a new property for dispatchers: nocachesetcookieforurls, which defaults to "^*.crl|*.pdf".
  . If the servername in alternateservers.xxxx.targets or in targetservers starts with either [unavailable] or [disabled], then that particular server is marked unavailable by all tunnels, but it is still kept in the list. This amounts to the same as clicking "Close access to this server" in the dispatcher's status, but it happens based on the configuration.
  . Added lb.changeactive.differenceinconnections, lb.reconnectinterval and lb.switchactiveinterval to the agent and session controller configuration. They are used to change the way dynamic loadbalancing works (note: it is not yet completely implemented). lb.changeactive.differenceinconnections defaults to 3 and sets the minimum number of connections a passive server must have fewer than the current one in order for a client to switch to the less loaded server. lb.reconnectinterval (default 30) is the number of seconds between attempts to reconnect to any non-connected servers, and lb.switchactiveinterval (default 600) is the number of seconds between checks of whether the active server needs to be changed.
- 4/5 2010, KR
  . Changed the order in which GenericCA initializes, to avoid a problem with CRL lists.
- 4/5 2010, JN
  . Removed the dependency from the common utility code on ecs and cloudscape, so it only depends on log4j in certain places.
- 2/5 2010, JN
  . Refactored configuration parsing code and moved it so it is available to the common utilities.
  . Added a simple utility to compare PortalProtect configuration XML files: dk.itp.util.diff.ConfigDiff
- 29/4 2010, KR
  . Refactored StatToDB slightly so it doesn't attempt to update the servers table to acquire a lock; instead it selects and locks it in one SQL statement. Also changed the transaction isolation level from REPEATABLE_READ to READ_COMMITTED, which is enough now that the lock is taken. This is done so it can work with page-level locking instead of row-level locking.
- 27/4 2010, KR
  Version 4.153 released.
- 23/4 2010, KR
  Changed X509Helper and the RFC3275 parser to support X.509 certificate chains arriving out of order. CA_NEMID_TEST also updated to reflect the name of the new test root certificate.
- 22/4 2010, KR
  First cut at dynamic loadbalancing support in peer2peer committed - it is not used actively yet. Refactored Peer2Peer - Peer is now an interface instead of a class. This change is not noticeable from outside PP's code.
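The active-server selection sketched in the 21/5 2010 entry, tuned by the lb.* properties in the 5/5 2010 entry and with the random tie-break of the 28/5 2010 entry, as an added example in Java. This is not Ceptor/PortalProtect code: the class, the server URLs and the connection counts are constructed, and the "more than the configured difference" reading of the threshold follows the 21/5 2010 wording.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Random;

/**
 * Added example, not Ceptor/PortalProtect code: the "loadbalance:" active-server
 * selection. Every server is connected, one connection is active, and the active
 * server is switched only when a passive server has more than
 * lb.changeactive.differenceinconnections fewer connections than the current one.
 * Server URLs and connection counts are constructed sample data.
 */
public class LoadBalanceExample {

    /** A connected server and the number of clients currently active on it. */
    static final class Server {
        final String url;
        int activeConnections;

        Server(String url, int activeConnections) {
            this.url = url;
            this.activeConnections = activeConnections;
        }

        @Override public String toString() { return url + " (" + activeConnections + " active)"; }
    }

    private final List<Server> servers = new ArrayList<>();
    private final int differenceInConnections; // lb.changeactive.differenceinconnections, default 3
    private final Random random;
    private Server active;

    LoadBalanceExample(int differenceInConnections, Random random) {
        this.differenceInConnections = differenceInConnections;
        this.random = random;
    }

    void addServer(Server s) { servers.add(s); }

    /** Initial choice: the least loaded server; ties are broken at random. */
    Server chooseInitial() {
        int min = Integer.MAX_VALUE;
        List<Server> candidates = new ArrayList<>();
        for (Server s : servers) {
            if (s.activeConnections < min) {
                min = s.activeConnections;
                candidates.clear();
            }
            if (s.activeConnections == min) candidates.add(s);
        }
        active = candidates.get(random.nextInt(candidates.size()));
        active.activeConnections++;
        return active;
    }

    /**
     * The periodic check (every lb.switchactiveinterval seconds in the real client).
     * Switch only when a passive server has more than differenceInConnections fewer
     * connections than the active one; the threshold keeps clients from flapping
     * between servers over small differences. Returns true if the active server changed.
     */
    boolean checkAndSwitch() {
        Server best = active;
        for (Server s : servers) {
            if (s == active) continue;
            boolean farEnoughBelow = active.activeConnections - s.activeConnections > differenceInConnections;
            if (farEnoughBelow && s.activeConnections < best.activeConnections) best = s;
        }
        if (best == active) return false;
        active.activeConnections--; // our connection to the old server becomes passive
        best.activeConnections++;
        active = best;
        return true;
    }

    Server getActive() { return active; }

    public static void main(String[] args) {
        LoadBalanceExample lb = new LoadBalanceExample(3, new Random(42));
        Server sc1 = new Server("tcp://sc1:4001", 10);
        Server sc2 = new Server("tcp://sc2:4001", 12);
        Server sc3 = new Server("tcp://sc3:4001", 10);
        lb.addServer(sc1);
        lb.addServer(sc2);
        lb.addServer(sc3);
        System.out.println("initial active: " + lb.chooseInitial());
        sc2.activeConnections = 4; // other clients left sc2: 11 vs 4 is more than 3 apart
        System.out.println("switched: " + lb.checkAndSwitch() + " -> " + lb.getActive());
        // Nothing is now more than 3 below the new active server, so this check stays put.
        System.out.println("switched again: " + lb.checkAndSwitch() + " -> " + lb.getActive());
    }
}
```

Run with `java LoadBalanceExample.java` (Java 11 or later). The reconnect loop that lb.reconnectinterval controls is left out; the example only covers which of the already connected servers carries the active connection.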
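Why the 10/5 2010 HTMLEncoder change matters, as an added example that is not the project's HTMLEncoder (the class, method names and the sample user ID are this example's own): a value that is HTML-escaped without the single quote can still close a single-quoted attribute in a generated table cell, so an escaper has to cover all five significant characters.

```java
/**
 * Added example, not the project's HTMLEncoder: an HTML escaper that covers the
 * single quote as well as & < > and ", and a comparison with an escaper that
 * leaves the quote alone. The sample user ID is constructed.
 */
public class HtmlEncodeExample {

    /** Escape text for HTML element content and for double- or single-quoted attribute values. */
    static String encode(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // numeric form: &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The older behaviour, escaping everything except the single quote, for comparison only. */
    static String encodeWithoutSingleQuote(String s) {
        return encode(s).replace("&#39;", "'");
    }

    /** Builds the kind of cell an admin GUI renders, with the user ID in a single-quoted attribute. */
    static String cell(String escapedUserId) {
        return "<td title='" + escapedUserId + "'>" + escapedUserId + "</td>";
    }

    public static void main(String[] args) {
        String userId = "o'neil' class='injected"; // constructed sample, not a real user
        // Without quote escaping the value closes the title attribute and adds one of its own:
        System.out.println(cell(encodeWithoutSingleQuote(userId)));
        // With it, the whole value stays inside the attribute:
        System.out.println(cell(encode(userId)));
    }
}
```

The first printed line shows the user-controlled text ending the title attribute and starting a new one; the second keeps it inert. The same encoder is what the 22/12 2009 entry below relies on when exception text containing "Caused by:" messages is shown in status pages.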
- 21/4 2010, KR
  Added support for reloading the configuration via the administration API as well as the administration client.
- 14/4 2010, KR
  Version 4.152 released.
- 13/4 2010, KR
  Changed NetbankListFetcher, CRLUpdater, PID lookup and the attribute service to disable use of gzipped replies when making HTTP requests. CA providers can now have OCSP enabled but the OCSP URL set to blank, in which case the OCSP URL is picked out of the certificate contents instead. The CRL Updater is by default assumed to be up, to support waiting up to 15 seconds the first time a CRL is fetched. Added a lot of debug logging to PIDCPR - if log4j debugging is enabled, it logs hexdumps of the requests and responses.
- 8/4 2010, KR
  Moved dk.itp.manage.service.Environment to dk.itp.security.utils so it is accessible to the agent. The portalprotect.server.name, portalprotect.server.alias and portalprotect.config.servers system properties, and their corresponding properties in the file ptserver.properties, can now refer to the value of other system properties. E.g. if "portalprotect.server.name=${weblogic.Name}" then ${weblogic.Name} is mapped to the value of the corresponding system property - this can be used to e.g. make the name of the agent the same as the weblogic server name.
- 3/4 2010, KR
  Expanded the logfile downloading to support subdirectories, and to check that the parameters given are indeed valid subdirectories of the configured log directories.
- 31/3 2010, JN
  Added log (and file) downloading through the config servers. The downloading is configured through a list of directories added to the individual config server. After this, the directories and the files they contain are available through the management console. The feature requires that the management console has access to the configured directories. The list of log directories is configured using the property "list.log.directories".
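A check of the kind the 3/4 2010 entry describes for logfile downloading, as an added example that is not the project's code: it resolves a client-supplied name against each configured log directory and serves it only if the real path is still inside that directory. The class and method names and the temporary directory layout are constructed; list.log.directories is the only name taken from the changelog.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not the project's code: confine a requested log file or
 * subdirectory to the configured log directories (the list.log.directories
 * property of the changelog) before it is handed out for download.
 */
public class LogDownloadPathCheck {

    private final List<Path> allowedRoots;

    /** The configured log directories are resolved to real paths once, at configuration time. */
    LogDownloadPathCheck(List<Path> configuredDirectories) throws IOException {
        List<Path> roots = new ArrayList<>();
        for (Path p : configuredDirectories) roots.add(p.toRealPath()); // follows symlinks, must exist
        this.allowedRoots = roots;
    }

    /**
     * Resolve the client-supplied relative name against each root and accept it only if
     * the real path is still inside that root. normalize() removes ".." segments and
     * toRealPath() follows symlinks, so a link pointing outside the log directory is
     * rejected too. Returns null when the request is not allowed or does not exist.
     */
    Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) return null;
        for (Path root : allowedRoots) {
            Path candidate = root.resolve(requested).normalize();
            if (!candidate.startsWith(root) || !Files.exists(candidate)) continue;
            Path real = candidate.toRealPath();
            if (real.startsWith(root)) return real;
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: one configured log directory with a file, and a file outside it.
        Path base = Files.createTempDirectory("pp-logs");
        Path logDir = Files.createDirectories(base.resolve("logs/dispatcher"));
        Files.writeString(logDir.resolve("tunnel.log"), "constructed sample\n");
        Files.writeString(base.resolve("ptserver.properties"), "constructed, must not be served\n");

        LogDownloadPathCheck check = new LogDownloadPathCheck(List.of(logDir));
        String[] requests = { "tunnel.log", "../../ptserver.properties", "/etc/hosts", "missing.log" };
        for (String r : requests) {
            Path p = check.resolve(r);
            System.out.println(r + " -> " + (p == null ? "rejected" : "ok: " + p));
        }
    }
}
```

Only the first request resolves; the parent-directory walk, the absolute path and the missing file are all refused. Resolving against each configured root separately is what makes subdirectory support safe: the client never supplies a root, only a name beneath one.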
- 30/3 2010, KR
  If UserAdminAgent login to the server failed, the failing connection was left to the garbage collector to close. Now this is done immediately upon detecting the failure. Replaced most of the "periodic task" threads with java.util.Timer tasks - this significantly reduces the number of active threads in a typical PP server, since they now share the same timer thread. Peer2Peer connection reworked in preparation for adding dynamic loadbalancing. Now a connection is not considered established, and listeners are not notified, until an IdentifyPeerCommand is received from the remote entity. This has the added benefit that if a non-peer client connects to a socket, the application is unaware of it until the remote has identified successfully as a valid Peer component. Later, it allows us to have an open socket that is not considered active by the application, but is part of loadbalancing.
- 29/3 2010, KR
  Fixed a very rare race condition in PeerThread that could give a NullPointerException. Changed the conditions for when a JVM stackdump is logged in the peer ThreadPool - now it only happens if the thread pool is full, at most every 30 seconds. Added a limit on the maximum number of simultaneous sockets open from a useradmin access client to the server. If more than 100 (changeable by setting cache.maxagents) sockets where a session ID is used as authenticator are opened, then the oldest one is closed. If the application later calls getInstance() with the old session ID, a new connection is opened, so the application should not notice this. Changed ConfigurationManager - if a server configuration was configured to extend from another server configuration and that configuration was not found, then the entire configuration was assumed to be invalid. Now the error is logged, but we continue with the part of the configuration that could be found.
- 26/3 2010, KR
  Added support for encrypting passwords with RSA, 3DES or AES keys. When run, dk.itp.security.utils.PasswordUtils generates a Triple DES key, an AES key and an RSA private/public key pair. It then encrypts the password given as argument with the 3DES key, the AES key and the RSA public key. The generated keys are saved as passwordUtils.3deskey, passwordUtils.aeskey, passwordUtils.publickey and passwordUtils.privateKey. If the keys needed for decryption (passwordUtils.privateKey, passwordUtils.aesKey and passwordUtils.3deskey) are available in the current working directory upon startup, then the corresponding password can be decrypted. This can be used to make the passwords in the configuration unusable unless you are also in possession of the required corresponding key. Note that you are not required to have all keys present for decrypting, only the ones you actually use. Updated the Users Guide with a thorough description of how to obfuscate / encrypt passwords. The system property "passwordUtils.keyfiledirectory" controls where PP looks for the key files if it needs to decrypt a password.
- 25/3 2010, KR
  Changed exception handling in the NIO Peer, so if an error occurs during write, the writer gets the exception instead of the error being handled internally. This makes it more consistent with the way the blocking TCP Peer handles errors when writing. Improved handling of errors while establishing the connection - e.g. with most antivirus programs the connection is accepted at first, before the request is sent to the foreign host. If the real connection later fails, the socket is reset. Previously the Peer might report this as a timeout; now it detects that this is the case and fails properly.
- 23/3 2010, Rolf Thunbo
  Changed ClientSecurityHandler to reset the sign/encrypt info when a fault is thrown by a subsequent handler.
- 16/3 2010, KR
  Fixed an NPE in SocketPeer.getRemoteAddress / getRemoteHost on JDK 1.6 if the socket is closed.
  Fix in ManagedService.getConfiguration(): if the configuration was null, it got an NPE while attempting to cache the results.
- 15/3 2010, KR
  NTLMHandler is now a singleton, and is used as such by NTLMAuthenticationPlugin, to avoid problems where different instances were used by different NTLM plugins / session controllers running in the same JVM. JCIFS loadbalancing is now supported: by specifying ntlm.xxxx.smb.client.domain and NOT specifying ntlm.xxxx.http.domainController, loadbalancing between multiple domain servers is supported.
- 14/3 2010, KR
  Updated the NTLM authentication plugin and NTLM handler to have better error handling. Added more info to the log if NTLM login fails (username and domain). Added the option of using the new or the old JCIFS version: "ntlm.xxxx.jcifs.oldversion" (xxxx is the segment ID), which defaults to false. By default the newest jcifs version (1.3.14 from 2010) is used, but if set to true, the older version (from 2005) is used.
- 10/3 2010, KR
  Version 4.151 released.
- 10/3 2010, KR
  Changed NTLMHandler: the change made 27/2, where NTLM state information was moved from stateVariables to stateObjects, was unfortunately not complete - if logon failed and ntlmAllowAnonymousAccess was set to true, then the state information which should allow this to work was still in stateVariables and not stateObjects. The result was that if NTLM login failed, the request would not be forwarded to the application even if ntlmAllowAnonymousAccess was set to true.
- 9/3 2010, KR
  Fix in PeerThread - if NIO peers got an IO exception while reading a command, they risked looping, re-reading the same bytes.
- 5/3 2010, JN
  Added backup of configuration files when changes are made in the administration GUI. Added support for showing backups of configuration files. Also allows simple display of diffs between the backed-up versions. Diff to latest version coming soon. Automatic backup of the configuration when loaded coming soon as well.
  Refactored some code in the configuration management GUI to use constants instead of hardcoded values for commands.
- 5/3 2010, KR
  Version 4.150 released.
- 5/3 2010, Rolf Thunbo
  Changed the XMLDSIG signing code to work with recent changes in eFPI.dk signature functionality. A canonicalization method transform is now added to all references within a signature element. The change affects the signXML and signXMLEnveloped methods.
- 4/3 2010, KR
  Version 4.149 released.
- 3/3 2010, KR
  Pattern matching in serverrule.*, redirectrule.* and forwardrule.* properties can now be inverted to create rules that take effect when NOT matching a pattern. E.g. "/images/*" matches "/images/abc.gif", and "^/images/*" matches "/abc.gif". The UserAdmin Access Client now sends the stacktrace of the code creating each instance to the server, so it can be displayed to help diagnose applications which create numerous instances. The UserAdmin Server can now display the details for all current connections from useradmin access clients in the admin GUI.
- 2/3 2010, KR
  Added a new option, "accessloggingenabled", to the dispatcher, which defaults to false. If set to true, it logs all requests to a log4j appender called "accesslog", with the same format as displayed in the PP admin GUI: "UserId IP-Address URL ResponseCode ContentLength ReplySize zippedReplySize TimeInMiliseconds". If an exception occurred, it is also logged, just as it is shown in the admin GUI. This can be really useful to diagnose problems, although it does add a small amount of overhead to the tunnel logs. When using it, it is recommended to configure log4j to send those log entries to a different appender - preferably a dk.itp.peer2peer.log.BufferedRollingFileAppender, since it performs considerably better than log4j's default file appenders. Make sure that you do not forward the access log to the log server, or the interesting log events will be drowned in the access logs.
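The key-file scheme of the 26/3 2010 PasswordUtils entry, as an added example that is not the project's PasswordUtils: an encrypted password is what goes into the configuration, and the key that makes it usable lives in a separate file in a directory named by a system property. Only the AES variant is shown. The key file name (example.aeskey), the property name (example.keyfiledirectory), the "{aes}" value prefix and the AES-GCM mode are this example's own assumptions; the changelog names the real files and property but not the cipher mode or the stored format.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not the project's PasswordUtils: encrypt a configuration
 * password under an AES key held in a key file, and decrypt it at startup only
 * when that file is present. Names, prefix and cipher mode are assumptions.
 */
public class ConfigSecretExample {
    static final String KEY_DIR_PROPERTY = "example.keyfiledirectory"; // assumed property name
    static final String KEY_FILE = "example.aeskey";                   // assumed file name
    static final String PREFIX = "{aes}";                              // assumed value format
    static final int IV_BYTES = 12, TAG_BITS = 128;

    static Path keyFile() {
        return Path.of(System.getProperty(KEY_DIR_PROPERTY, "."), KEY_FILE);
    }

    /** Run once on a trusted host; without this file a stored value is just an opaque blob. */
    static void generateKey() throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        Files.write(keyFile(), Base64.getEncoder().encode(kg.generateKey().getEncoded()));
    }

    static SecretKey loadKey() throws IOException {
        return new SecretKeySpec(Base64.getDecoder().decode(Files.readAllBytes(keyFile())), "AES");
    }

    /** Produce the value to put in the configuration: prefix + base64(iv || ciphertext || tag). */
    static String encrypt(String password) throws GeneralSecurityException, IOException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per value; GCM must never reuse one under a key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    /** Called at startup: plaintext values pass through, encrypted ones require the key file. */
    static String resolve(String configValue) throws GeneralSecurityException, IOException {
        if (!configValue.startsWith(PREFIX)) return configValue;
        byte[] in = Base64.getDecoder().decode(configValue.substring(PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, loadKey(),
               new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(in, 0, IV_BYTES)));
        // doFinal verifies the GCM tag, so a tampered value fails instead of yielding garbage
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Path keyDir = Files.createTempDirectory("keys"); // stands in for the configured key directory
        System.setProperty(KEY_DIR_PROPERTY, keyDir.toString());
        generateKey();
        String stored = encrypt("s3cret-db-password"); // constructed sample password
        System.out.println("db.password=" + stored);
        System.out.println("resolved at startup: " + resolve(stored));
    }
}
```

The value of the scheme is the separation the changelog describes: a configuration file copied off the server reveals nothing usable unless the key directory travels with it, so file permissions on that directory are what protect the passwords. An authenticated mode is used here so that a corrupted or edited value is rejected at startup rather than silently producing a wrong password.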
- 28/2 2010, KR
  By default, the CRL and OCSP URLs which certificate checks are made against are now extracted from the X.509 certificate. This is a requirement for OCES II, which uses intermediate CA certificates and different URLs for CRL/OCSP checks for each intermediate CA. These CAs and URLs can change without notice, since a specific number of certificates are issued with each intermediate CA. Added 2 new properties, "ca.provider.xxxx.ocsp.prefercertificateurl" and "ca.provider.xxxx.crl.prefercertificateurl", both defaulting to true. If false, the URL for OCSP or CRL checks will NOT be extracted from the certificate, and only the configured URLs will be used. CRL list signature verification was previously done while checking the certificates - this is now done only when updating the CRL list, to increase performance while checking. Additional signature properties are now available to authentication plugins: when AbstractX509Certificate.verifyCertificate() is called to verify an XMLDSIG, it returns a Subject. The Subject now has a getSignatureProperties method that returns the values of all sign properties available from the applet, such as signtext and challenge. This is especially useful for using the new information available with NemID authentication.
- 27/2 2010, KR
  Moved all NTLM state from stateVariables within the session to stateObjects, to make sure that plugins/applications do not accidentally delete the NTLM state, which can cause problems with users being locked. Note that NTLM authentication plugins which previously used state from stateVariables now have to read/write state to stateObjects within the session instead.
- 24/2 2010, KR
  Changed NTLM login in the dispatcher to ignore requests with NTLM type 3 authentication headers which arrive after login has completed, to prevent additional login attempts on an already authenticated session.
  This can happen with MSIE on POST requests, but is only a problem if PP's session has been cleared by an auth plugin. If the authentication plugin has left the state alone, this was handled correctly using the state variables. Added alternateserver.xxxx.ntlmEnabled, alternateserver.xxxx.ntlmAllowAnonymous and alternateserver.xxxx.ntlmRedirectURL properties, which can override the corresponding values for specific alternateservers.
- 19/2 2010, KR
  Changed the WS-Security client to look at additional axis properties to determine the webservice name within the XML handler. Now it looks at the MessageContext for the properties "wsdl.portName", "transport.http.plugin.serviceName" and "className", using the first one it finds (if className, the package name is stripped).
- 18/2 2010, KR
  Version 4.148 released.
- 18/2 2010, KR
  First cut at NemID / OCES2 support - added applet parameter signing and support for SHA256 in XMLDSIG validation.
- 18/2 2010, KR
  Changed the way configuration updates are sent to config clients / agents - previously, if the configuration was reloaded from the admin console, it would send events about all config server entries to all clients, so with e.g. 10 clients and 50 configuration server entries, 500 events would be fired. If all those agents/clients were within one JVM, they would spawn hundreds of threads to handle it. Now config changes are bundled up so the complete list of changes is sent to each client - in the above example 10 events instead of 500. Agents older than v4.148 will still receive events the old way. Fixed a bug in the TunnelServlet - if the case of a target server for an alternate server was changed, e.g. from "appserver" to "APPSERVER", then it was removed from the list of active servers until the configuration was reloaded or changed again.
- 17/2 2010, KR
  Version 4.147 released.
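A triage pass over lines in the "accesslog" format documented in the 2/3 2010 entry above, as an added example that is not project code: it parses the eight documented fields and flags slow requests, server errors, and client addresses that collect many 401/403 responses. Whitespace separation between fields, "-" for an anonymous user, the thresholds and the sample lines are this example's assumptions.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not the project's code: triage of access log lines in the field
 * order the changelog documents for the "accesslog" appender: UserId IP-Address
 * URL ResponseCode ContentLength ReplySize zippedReplySize TimeInMiliseconds.
 * Whitespace separation and "-" for an anonymous user are assumptions; the sample
 * lines in main() are constructed.
 */
public class AccessLogTriage {

    static final class Entry {
        final String userId, ip, url;
        final int responseCode;
        final long contentLength, replySize, zippedReplySize, timeMillis;

        Entry(String[] f) {
            userId = f[0];
            ip = f[1];
            url = f[2];
            responseCode = Integer.parseInt(f[3]);
            contentLength = Long.parseLong(f[4]);
            replySize = Long.parseLong(f[5]);
            zippedReplySize = Long.parseLong(f[6]);
            timeMillis = Long.parseLong(f[7]);
        }
    }

    /** Parse one line; returns null for lines that do not carry the eight documented fields. */
    static Entry parse(String line) {
        String[] f = line.trim().split("\\s+");
        if (f.length < 8) return null;
        try {
            return new Entry(f);
        } catch (NumberFormatException e) {
            return null; // e.g. a continuation line carrying an exception stack trace
        }
    }

    /**
     * Flag slow requests, server errors, and IPs that collect many 401/403 responses
     * (repeated failed logins or probing of protected URLs). Thresholds are parameters
     * so the same pass can be tuned per deployment.
     */
    static List<String> findings(List<String> lines, long slowMillis, int authFailuresPerIp) {
        List<String> out = new ArrayList<>();
        Map<String, Integer> authFailures = new HashMap<>();
        for (String line : lines) {
            Entry e = parse(line);
            if (e == null) continue;
            if (e.timeMillis >= slowMillis)
                out.add("slow request " + e.timeMillis + " ms: " + e.userId + " " + e.url);
            if (e.responseCode >= 500)
                out.add("server error " + e.responseCode + ": " + e.url + " from " + e.ip);
            if (e.responseCode == 401 || e.responseCode == 403)
                authFailures.merge(e.ip, 1, Integer::sum);
        }
        for (Map.Entry<String, Integer> m : authFailures.entrySet())
            if (m.getValue() >= authFailuresPerIp)
                out.add("auth failures from " + m.getKey() + ": " + m.getValue());
        return out;
    }

    public static void main(String[] args) {
        List<String> sample = List.of( // constructed lines in the documented field order
            "alice 10.0.0.5 /portal/home 200 0 18234 5120 42",
            "- 10.0.0.9 /portal/login 401 120 300 0 15",
            "- 10.0.0.9 /portal/login 401 120 300 0 17",
            "- 10.0.0.9 /portal/login 401 120 300 0 16",
            "bob 10.0.0.7 /portal/report 200 0 912333 210000 5210",
            "alice 10.0.0.5 /portal/api/items 500 0 640 0 88",
            "java.lang.IllegalStateException: constructed trace line, skipped by the parser");
        for (String f : findings(sample, 2000, 3)) System.out.println(f);
    }
}
```

With the sample input this reports one slow request, one server error and three authentication failures from the same address. Keeping this pass on the dedicated accesslog appender, rather than on the log server feed, is consistent with the entry's advice not to drown the other log events in access records.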
- 17/2 2010, KR
  Fixed a problem with HTTP 1.1 handling if a server closed the connection too soon without sending a proper Connection: close header - then requests would not be retried on new socket connections. This only occurred if http11 was turned on, and if the application server did not send the proper Connection / Keep-Alive HTTP headers, or if the application server sent a Keep-Alive header but closed the connection before "http11.maxIdleSeconds" elapsed.
- 17/2 2010, KR
  Fixed a NullPointerException in the dispatcher connection-retry code, which occurred if the connect exception did not have a message text on it.
- 16/2 2010, KR
  Version 4.147 released.
- 16/2 2010, KR
  If the Peer2Peer thread pool detects that more than 100 threads/commands are being executed simultaneously, it attempts to log a stack dump to help diagnose what is hanging. This requires JDK 1.5 to work; with earlier JDKs no stack dump is made.
- 15/2 2010, KR
  Version 4.146 released.
- 12/2 2010, KR
  Additional NTLM logging of HTTP headers added, and the log4j category moved to a separate name so the NTLM log can more easily be split into a separate file, or turned off. The category is named: "dk.itp.tunnel.TunnelServlet.ntlm". Added "ntlmAuthenticationPluginType" and "alternateserver.xxxx.ntlmAuthenticationPluginType" so the ID of the NTLM authentication plugin can be changed - enabling different alternateservers to use separate NTLM authentication plugins. Added the AuthTypes.AUTHTYPE_NK_NTLM_XPORTAL constant for the alternate NTLM plugin.
- 21/1 2010, KR
  Fixed the statistics server so if configuration is delayed at startup, it waits with initializing itself until the statistics have arrived. Also added additional logging when loading statistics from disk.
- 20/1 2010, KR
  Version 4.145 released.
- 19/1 2010, KR
  If anything delays the NIO thread for more than 5 seconds, a warning is now logged that something is wrong.
  Added additional logging of NTLM logins to the dispatcher - URLs and authorization header contents are logged to help diagnose problems.
- 18/1 2010, KR
  Added a fix for Apache ECS (used for building HTML tables in the PP admin GUI), which relies on the hashcode to sort elements. This malfunctions badly on non-Sun JVMs, and is quite dodgy even on Sun's JVM, resulting in weird sorting of menus and e.g. the statistics details list. Peer2Peer code previously tried to hexdump the contents of a failed command block - the size is now restricted to 1MB.
- 31/12 2009, KR
  WS-Security: Added support for signature properties when signing XML.
- 22/12 2009, KR
  Version 4.144 released.
- 22/12 2009, KR
  Exception stacktraces in the logserver status text are now shown HTML encoded, since the "Caused by:" message can contain HTML characters. Added extra logging if DNS lookups are slow (> 2 seconds) when checking against configured remote addresses. Better cleanup of NIO server sockets when closing a listener.
- 18/12 2009, JBF
  Added CDF and histogram graphs to statistics.
- 14/12 2009, KR
  When shutting the agent down, all listeners and statustext providers are now removed to aid class garbage collection.
- 03/12 2009, KR
  Version 4.143 released.
- 03/12 2009, KR
  Better cleanup code when shutting TcpipThread down, to compensate for a ConcurrentModificationException bug in the JDK's NIO code.
- 01/12 2009, KR
  Fixed Listed.toString(), which could cause confusing log messages when an agent was unable to connect to the server. Added additional logging of authtype when logging a user in. Extra logging when doing NTLM logins.
- 19/11 2009, KR
  Small changes to the CA, ETicket and sessionctrl code so it can use file paths derived from system properties, e.g. ${portalprotect.home}/cfg/abc.def. Added a minimum requirement for SQL statements to show up in the list of slow SQL statements - anything faster than 100 msecs is ignored and not added to the list.
- 04/11 2009, KR
  Version 4.142 released.
- 03/11 2009, Rolf Thunbo
  Updated ActivityMonitor to properly keep a fixed-size list of SQL statements (currently 1000 entries).
- 19/10 2009, KR
  Version 4.141 released.
- 19/10 2009, KR
  The size of XMLDSIG/SOAP signing/validation XML strings is now added to the statistics. The DBPool status text (visible for the useradmin servers) now dumps the list of slowest SQL statements.
- 17/10 2009, Rolf Thunbo
  Extended ActivityMonitor to be able to keep track of the slowest SQL statements recently executed.
- 10/10 2009, KR
  Major performance improvements for clusters of session controllers with more than 2 servers. Previously, one session controller would notify each agent and mirror about session changes in turn, waiting for each to complete its job before notifying the next mirror. Now all mirrors and all agents are notified immediately at the same time, after which the session controller waits for all of them to acknowledge before continuing. In a setup with e.g. 4 session controllers which all mirror sessions to each other, the waiting time should be reduced by 66% on average.
- 09/10 2009, KR
  Changes to Peer2Peer - it is now possible to sendAndWait() commands asynchronously, allowing e.g. a command to be sent to 10 servers, after which the 10 replies can be read and processed, so the 10 servers all process their command at the same time.
- 06/10 2009, KR
  Fixed a bug in statistics resolution - if no statistics file existed upon startup, the configured changes to the resolution of the statistics file would not have any effect and the default values would be used instead. A workaround is to make sure not to delete the statistics file.
- 02/10 2009, KR
  Version 4.140 released.
- 02/10 2009, KR
  Changed the WS-Security implementation - reimplemented the XMLDSIG signer to support custom JCE providers; the one in JDK 1.6 and in Apache's XMLSEC is hardcoded to only use the default JDK provider. This fixes it so XMLDSIG signing works with the Luna HSM box.
- 20/09 2009, KR
  Version 4.139 released.
- 16/09 2009, KR
  Removed a lot of errors that were logged upon shutdown, caused by the contents of static variables suddenly disappearing because the classes were garbage collected. Note that adding -Xnoclassgc to the JVM options is very important too, since it keeps the static class variables from being garbage collected.
- 09/09 2009, KR
  Better handling of the TCPIP subsystem being shut down on zOS / OS390 in PeerThread, so it does not loop endlessly retrying the select calls - it now delays 5 seconds if it gets the exception "IOException: EDC5122I Input/Output error".
- 04/09 2009, KR
  Added support for reading files relative to system properties, e.g. ${pp.home}/keystore.pfx, to CA_TDC_OCES, FileLogin, CertificateTools and TunnelServlet. ${pp.home} is replaced with the value of the system property pp.home.
- 31/08 2009, KR
  Version 4.138 released.
- 28/08 2009, KR
  Fixed a bug where HTML comments in service status text were treated as action entries.
- 27/08 2009, KR
  Fixed a bug in the statistics IntervalArray where it would sometimes incorrectly dump old statistics values.
- 13/08 2009, KR
  Fixed shutdown in configclient so it no longer relies solely on the state, which can be timing dependent, but checks whether the shutdown method has been called. Also added additional logging when services are shut down.
- 10/08 2009, KR
  Version 4.137 released.
- 10/08 2009, KR
  Config nowait changes for sessioncontroller and logserver - if the configuration is not available upon startup and the nowait option is set, they delay starting until it is, instead of attempting to start with the default settings.
- 06/08 2009, KR
  Changes to WS-Security support: added a new property, "wss.xmlsigjceprovider", which must be set to "LunaJCAProvider" for WSS to work with the Luna SA box - it is the name of the JCE provider that will be used by the Apache xmlsec libraries which PP uses for WS-Security signature generation and checking.
- 04/08 2009, KR
  Version 4.136 released.
- 04/08 2009, KR
  Redeployment changes: removed the finalize() method on StatisticsService, which gave problems when undeploying it.
- 29/07 2009, KR
  Added "export configuration" to the config server status page, so the current XML configuration can be viewed. It is accessible in the PP admin GUI by selecting the configuration server --> Details --> Export Configuration.
- 17/07 2009, Rolf Thunbo
  Modified the server-side security handler to provide better handling of axis messages holding raw XML strings, as is the case for server requests where no handler prior to the security handler has made any calls to getSOAPHeader/getSOAPBody/getSOAPEnvelope.
- 06/07 2009, KR
  Version 4.135 released.
- 06/07 2009, KR
  PageManager.getSecurityContext() made public and PageManager.getAccessController() added, so JSP pages added to the menu are able to do their own authorization checking.
- 02/07 2009, Rolf Thunbo
  Extended ClientSecurityHandler so that it can add an enveloped XMLDSIG signature as part of handleRequest.
- 02/07 2009, KR
  Added "customMenuItems" to the configserver configuration - if specified, the server list gets an additional section containing a list of custom URLs that can be shown. This is an easy way to extend the administration interface with additional functionality.
- 25/06 2009, KR
  Version 4.134 released.
- 24/06 2009, Rolf Thunbo
  Added an additional signXML method to WSSAgent that has an excludeTransformOnNamedReferences parameter, to specify whether the transform node for the canonicalization method used with the signature should be excluded from the named references. This is introduced because some parties do not recognize the signature if the transform is part of these references. Please note that one side effect of setting excludeTransformOnNamedReferences to true is that the validateXMLSignature method will fail on an XML document in which the signed XML is embedded.
- 14/06 2009, KR
  Peer TCP write threads are now properly marked as daemon threads. Session controller metrics (viewable in the PP Admin GUI) now include current info about the peer thread pool, including the current number of threads, number of commands waiting in the queue etc. Added "db.delaygetconnection" to the useradmin database pool configuration - it can be used to simulate slow database connections, by delaying all getConnection() calls by the number of milliseconds specified. This is useful for testing stress situations and bottlenecks.
- 08/06 2009, KR
  Version 4.133 released.
- 08/06 2009, KR
  The authentication plugins' persistedSessionRestored() modified so it has the session ID/session record of the user who restored the session. Persisted sessions are now encrypted/decrypted with a password, specified by the parameter "sessionpersistpassword".
- 02/06 2009, KR
  Added isDisposable() to peer commands - if an agent disconnects, all its commands that may be in the peer queue are by default thrown out, since the reply will not reach the agent anyway. A few exceptions have been made for commands that modify the state, remove sessions etc.
- 01/06 2009, KR
  Better exception handling in the config server if a configuration listener throws an exception, to avoid the risk of not restarting properly if the configuration is changed. If the connection is closed, added additional checks before starting threads to handle the connection being gone, since starting many threads which exit quickly without doing much could cause problems in JRockit JVMs. NIO changes - adding an acceptor while a selector thread is blocked in the select() call could block adding the acceptor channel, due to a poor implementation in the Sun JVM - now registering the acceptor with the selector is delayed until the thread is out of the select() call. Refactored the synchronized handling of writing to NIO peers to reduce the risk of blocking.
If many hundreds of commands were queued up on a single peer and the connection to the agent/client was closed, then for each failed write a new thread was spawned to handle the disconnect, only to find that the error had already been handled earlier, causing unneeded performance overhead.
- 01/06 2009, JN Added support for system commands to run outside the thread pool. Fixed NullPointerException in the dashboard when the configuration changed but the server was not properly started.
- 27/05 2009, KR If a previously established connection to a session controller mirror server went down, the session controller would not attempt to reestablish it if there was no URL prefix in the configuration, e.g. if it said mirror.servers=host:port and not mirror.servers=tcp://host:port.
- 26/05 2009, KR Version 4.132 released.
- 26/05 2009, KR Default for config.cachedir.disable changed back to false. Fixed a bug in the session controller - if a connection to a mirror server failed upon startup, it would not retry connecting to it. This bug was introduced as part of the nonblocking IO support back in v4.118.
- 20/05 2009, KR Version 4.131 released.
- 20/05 2009, KR Default for config.cachedir.disable changed to true.
- 18/05 2009, KR Version 4.130 released.
- 15/05 2009, KR Fixed a bug in the agent introduced in v4.118: in some cases it would only connect to the first configured session controller instead of trying all of them when the first one was unavailable.
- 12/05 2009, JN Added simple Dashboard functionality through the config server(s). See the documentation for more information.
- 11/05 2009, KR Version 4.129 released.
- 11/05 2009, KR LogonRequestInformation (eticket) now converts signtext to UTF-8 before sending it to the server. Added minor hotdeploy changes so configclient shuts down properly in more cases. If the server.name or portalprotect.server.name properties are not set, the PP agent now continues instead of blocking the current thread forever.
Additionally it tries the system property "portalprotect.server.name" and then "server.name" before giving up. Added a call to super.destroy() in the statistics servlet shutdown method to get better hotdeploy in WAS. DBPool now calls setMaxRows(0) on cached prepared statements to ensure the count is reset. Workaround for a bug in ObjectInputStream.available() in Peer.read() which in rare cases caused versioning conflicts between different versions of agents and servers.
- 04/05 2009, KR Version 4.128 released.
- 04/05 2009, KR Changed the timeout for ConfigCommand to 10 seconds instead of 30 to make the admin GUI more responsive even if agents are slow in responding. ConfigurationService now keeps server status cached for 120 seconds instead of 60 - this should fix the periods where server status goes "white" in the admin GUI if too many agents are slow in responding.
- 27/04 2009, KR Added more thorough checks for session ID validity in UniqueId.isProperSessionID. DNS lookups when a peer is created are now done in a separate thread from the normal NIO thread. Session controller userUpdated changed so it checks whether it is connected to itself before sending notifications. If it detects that it is connected to itself, a warning is logged asking for the configuration to be fixed. Changed useradmin access login so it no longer attempts LDAP logins if the client ID resembles a session ID. Changed LoginHandlerLdapImpl so it no longer attempts to log in using the systemuser if ldap.bindusers=true. Fixed a synchronization issue which would cause huge delays in the configuration server if the servers were slow in responding. This could happen during restart when servers were very busy, and could cause the config servers to be very slow (minutes) in detecting new connections to themselves. This was worsened if the PP Agent was used from within the PP server itself during startup, since the agent would hang waiting for its configuration from the server.
- 19/04 2009, KR Version 4.127 released.
- 18/04 2009, KR Fixed a bug in Base64.isBase64() where characters > 128 caused an ArrayIndexOutOfBoundsException. It caused trouble when decoding signtext while checking signatures where the first character in the text was an international character. This problem was introduced in v4.111, which started using it to avoid double Base64 decoding if signtext was already decoded when passed to the validate method.
- 15/03 2009, KR When a session is restored from a previously persisted version, if a user was authenticated in this session, the new method IAuthenticationPlugin.persistedSessionRestored(User user) is called - it can then reestablish the session on any backend systems. Configuration read by the configuration clients is now cached - by default the current directory is used; if the system property "config.cachedir" is set to another directory, that directory is used for the cache. In the cache directory, files named "xxxxxx-cachedconfig.properties" are written whenever the configuration is read/updated from the server, and on startup these files are read and used until a connection to the config server is available. If the system property "config.cachedir.disable" is set to "true", the cache is not used; otherwise it is used by default. The default value of "config.cachedir" is "." to use the current directory. Server name alias added to the PP Agent - if ptserver.properties contains server.alias, or if the system property portalprotect.server.alias is set, the alias is displayed next to the name in the PP admin GUI so it can be used to distinguish different servers with the same name. The alias can also be changed programmatically by calling Agent.getInstance().setAlias(alias), and it is also available via the administration API.
- 31/03 2009, KR Version 4.126 released.
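The 18/04 2009 entry above (and the 22/8 2008 entry further down about signtext being Base64 decoded twice) describe two pitfalls of guessing whether a value is Base64: a character-indexed lookup table that crashes on non-ASCII input, and a decode applied to text that was already plain. The following is an added example, not Ceptor's own code, showing a membership-based check that is safe on any Unicode string, a normalisation step that decodes at most once, and the limit of the guess: a short ASCII word such as "Pass" is syntactically valid Base64, so a caller who knows what it is passing should say so explicitly. Function names and sample strings are constructed for this example.

```python
import base64
import string

# Added example, not Ceptor's own code. Names and sample inputs are constructed.
_B64_CHARS = frozenset(string.ascii_letters + string.digits + "+/")


def is_base64(text: str) -> bool:
    """True if text is syntactically valid, padded, standard Base64.

    A table indexed by character code (the bug described on this page) raises
    for any code point >= 128. Testing set membership instead means a leading
    'æ' or 'ø' simply makes the answer False.
    """
    if not text or len(text) % 4 != 0:
        return False
    body = text.rstrip("=")
    if len(text) - len(body) > 2:          # at most two padding characters
        return False
    return all(ch in _B64_CHARS for ch in body)


def normalize_signtext(signtext: str, already_decoded=None) -> str:
    """Return the plain signtext, decoding it at most once.

    already_decoded: True/False when the caller knows what it is passing;
    None falls back to the syntactic check, which is only a heuristic.
    Raises ValueError if a value that looked like Base64 does not decode to
    UTF-8 text, so a wrong guess surfaces instead of silently comparing junk.
    """
    if already_decoded is None:
        already_decoded = not is_base64(signtext)
    if already_decoded:
        return signtext
    raw = base64.b64decode(signtext, validate=True)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("signtext is not Base64-encoded UTF-8 text") from exc


def signtext_matches(expected_plain: str, received: str, already_decoded=None) -> bool:
    """Compare what the user was shown with the received signtext."""
    try:
        return normalize_signtext(received, already_decoded) == expected_plain
    except ValueError:
        return False
```

Note how signtext_matches("Pass", "Pass") fails when the caller leaves already_decoded unset: the heuristic decodes the plain word, gets bytes that are not UTF-8, and the comparison is rejected. Passing already_decoded=True makes it match, which is why the validate method on this page was given a way to know whether its input was already decoded.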
- 31/03 2009, KR When resyncing sessions, previously all peers were marked as being interested in all new sessions - now, if "disableNotifyAgentsByDefault" is set to true, none are marked, since the agent clears its cache when disconnecting/reconnecting anyway.
- 30/03 2009, KR peer.socket.recvbuffersize and peer.socket.sendbuffersize added to the sessioncontroller configuration. They can also be set as system properties. When > 0, the send/recv buffers are set on all TCP/IP peer sockets. Default is 0, so no change to the default size of 64k. Added mirrorfailureshardlimit to the session controller configuration (defaults to 100) - it contains the number of times a connection to a mirror can time out before it is considered dead and is disconnected. Fixed a performance issue where creating new sessions was synchronized (including notifying mirrors about the new session), so only one could be created at a time. Default maximum number of threads in the threadpool increased to 256.
- 28/03 2009, JN Added construction timestamps to Peer information texts (toString). Added Peer construction timestamps to the config server status page.
- 28/03 2009, KR Added persistSession() and restorePersistedSession() to IPTServer - sessions can now be persisted and restored. Also added "server.sessionpersistcheckerclass" to the session controller's configuration - it can specify a class which implements the interface "dk.itp.security.passticket.server.ISessionPersistChecker", which can be used to check whether a particular user is allowed to persist/restore a session.
- 23/03 2009, KR Refresh timeout changed from 15 to 30 seconds in the services list in the PP admin GUI.
- 15/03 2009, KR Fixed a synchronization problem in DBPool where waiting for a connection to become available when the pool is exhausted would block freeing a connection for 5 seconds.
- 10/03 2009, KR Changed the DBPool prepared statement cache - if calling clearParameters() on a cached statement fails, assume it is closed and create a new one.
- 04/03 2009, KR Fixed a bug in WSSignature where signing XML with an empty reference ID list and a valid XPath filter was not allowed.
- 04/03 2009, KR Version 4.125 released.
- 28/02 2009, KR Fixed a rare timing issue - if a socket connected to the session controller and then immediately disconnected before the socket timeout was set on the connection, the session controller might think it was still connected and a valid agent. Now, until an agent has identified itself as a real agent, it is ignored, to avoid problems caused by non-agent sockets connecting to the session controller. When send() or sendAndWait() is called on a peer, it now throws an exception immediately if it knows it is not connected. ExecuteCommandHandler can now handle changes that have the modeluser session ID (which is not replicated across servers).
- 19/02 2009, KR Version 4.124 released.
- 19/02 2009, KR Fixed a bug in EmailPSWDAO where it would add "FOR FETCH ONLY" to an insert statement if the property "db.addforfetchonly" was set to true. Added yet another set of hotdeploy updates; the JDBC connection monitor thread can now be shut down when redeploying.
- 02/02 2009, KR Version 4.123 released.
- 31/01 2009, KR Additional hotdeploy changes - the agent now closes log appenders, the garbage collect thread and the thread pool when shut down. SCL servers now shut down all their threads; the useradmin server shuts down properly too.
- 29/01 2009, KR disableHttpOnlyCookies default value changed to true.
- 23/01 2009, KR Version 4.122 released.
- 23/01 2009, KR All calls to Peer now specify which classloader to use when loading classes - fixed to allow more cases where the agent is loaded from a classpath different from the server's. DBPool: if a database connection is taken from a datasource, the connections are now tested.
- 20/01 2009, KR Changed the statistics server so it works if the agent .jar is loaded from one classpath and the server from another.
- 19/01 2009, KR Version 4.121 released.
- 19/01 2009, KR Fixed a bug in the dispatcher where it would remove the SOAPAction HTTP header from the request and not forward it to the application server. This bug was introduced in v4.119 along with the HTTP 1.1 changes. Added start/stop of a server to the admin API and the command-line admin client.
- 14/01 2009, KR PP is now more hot-redeploy friendly, meaning the servlets shut down the running threads and attempt to clean up after them when destroyed. Added support for all HTTP methods - the allowed ones are defined by the property "allowedHttpMethods", which can be overridden by alternateserver.xxxx.allowedHttpMethods - the default is GET;HEAD;POST, which were the only HTTP methods allowed before this change.
- 13/01 2009, KR All dispatcher web servers and their status can now be displayed from the admin API, and the isUnavailable status can be changed for each individual server both from the admin API and from the command-line admin client.
- 12/01 2009, KR Refactored AuthenticationManager/AuthorizationManager so they are no longer singletons - previously you could not have 2 different session controllers with different sets of plugins working in the same JVM; they would have shared the same plugins.
- 10/01 2009, KR Added support for using a DataSource in the generic DBPool database pool/statistics wrapper. A debug/stub agent can now be used by defining the system property "portalprotect.agentimpl" and setting it to another class to load that implements the IPTServer interface.
- 08/01 2009, KR Version 4.119 released.
- 07/01 2009, KR Dispatcher changes: modified the HTTP 1.1 code so it reacts to the semi-standard Keep-Alive header sent by Apache where it lowers the keep-alive timeout. Added a retry if the server closes the connection within the first few seconds after the request is transmitted, since it could be a misinterpretation of the keep-alive timeout on HTTP 1.1 connections between us and the server.
- 02/01 2009, KR Changed the interval between route table updates in the config server from 10 seconds to 30 seconds. Previously remote servers were pinged twice by the config server on each run (every 10 seconds) - this is now fixed so they are only pinged once every 30 seconds. Additionally only a single thread is now used to ping the servers one at a time, instead of one thread per connected agent, which could potentially start hundreds of threads simultaneously. If the dispatcher gets a "Connection reset" socket exception while trying to read the HTTP header from a server, it no longer logs the stacktrace of the exception, to avoid cluttering the log. Peer command threadpool changed so a maximum of 128 (configurable) threads are simultaneously executing commands - any commands above that limit are queued up and processed when one of the currently running commands completes. The default value of 128 can be changed by setting the system property pp.threadpool.maxthreads to a specific number of threads, or 0 to disable the maximum.
- 29/12 2008, KR Added the resolution.secondinterval, resolution.secondcount, resolution.minuteinterval, resolution.minutecount, resolution.hoursinterval, resolution.hourscount, resolution.daysinterval and resolution.dayscount configuration properties to the statistics server. They specify the size and number of timeslots the statistics server has for saved statistics. They can be used to change the resolution from the default to a size that uses less memory at the cost of lower resolution - e.g. resolution.secondcount=900, resolution.secondinterval=2 gives you 900 timeslots each 2 seconds long, meaning you can view the statistics in 2-second resolution within 900 slots for half an hour (900*2 = 1800 seconds = 30 minutes). Setting the count to 0 disables that level - e.g. setting resolution.secondcount=0 means you are left with statistics per minute/hour/day and not per second, but it saves about 25% memory.
A good mix between memory usage and availability is to disable the per-second statistics and set the following: resolution.minuteinterval=5, resolution.minutecount=288 - this allows you to see statistics in 5-minute intervals for the last 24 hours (5 * 288 = 1440 minutes = 24 hours). Additionally the statistics.data format has changed slightly to allow saving these new parameters along with the file. When the statistics.data file is loaded into memory, all obsolete entries (e.g. minute-level statistics more than 1 day old or per-hour statistics more than 3 months old) are destroyed. This further saves memory.
- 17/12 2008, KR The name of the agent creating a session is stored in the session itself, and the session controllers can show which sessions are created by which agents (in the details for each session) and can display the current number of active sessions for each agent. New Agent.getNameOfCreatingAgent() method added so an agent can check which agent created a particular session.
- 15/12 2008, KR Added a new option to the session controller, "disableNotifyAgentsByDefault" (default is true). If false, when an agent connects to the session controller, it is notified of changes to all existing sessions. If this option is set to true, agents which disconnect and later reconnect to the session controller are not notified of changes to old/existing sessions. Note that this may break the PTListener interface, where applications will not be called when a session is removed if the agent has disconnected/reconnected to the session controller and has not retrieved the session after that point in time. Whenever an agent connects to the session controller, its session cache is now cleared. If a timeout occurs sending UserChangedCommand between session controller mirrors, the connection is no longer closed, since timeouts are mostly caused by agents taking a long time to reply.
- 10/12 2008, KR Changed the format of the statistics.data file to reduce disk space requirements - saves between 30 and 60% space depending on the number of statistics records.
- 08/12 2008, KR Version 4.118 released.
- 04/12 2008, KR Admin API implementation changed, so if the receiving configuration server is part of a cluster and connected to the master server, all commands (except shutdown) are forwarded to it, since only the master config server has the complete picture of all connected servers.
- 02/12 2008, KR Dispatcher HTTP 1.1 support added - it can now keep persistent connections open to web/app servers and reuse them for all connected users. Additionally, connections can be SSL encrypted, SSL client certificates can be used, and traffic can be routed through HTTP or SOCKS proxy servers. HTTP proxy userid/password authentication is also supported. The following new configuration properties are added: http11, http11.httpProxyHost, http11.httpProxyPassword, http11.httpProxyPort, http11.httpProxyUser, http11.maxIdleSeconds, http11.maxUseCount, http11.maxUseSeconds, http11.responseTimeout, http11.socksGatewayHost, http11.socksGatewayPort, http11.ssl, http11.ssl.acceptedIssuerCertificates, http11.ssl.clientcert.file, http11.ssl.clientcert.keymanagerprovider, http11.ssl.clientcert.password, http11.ssl.clientcert.provider, http11.ssl.clientcert.provider.type, http11.ssl.useclientcert. All these properties can be specified either globally or per alternate server definition. If "http11" (or "alternateserver.xxxx.http11") is not set to "true", the older HTTP 1.0 method, where a socket is created on each request, is still used for compatibility, and none of the other options are used.
- 25/11 2008, KR Peer2Peer communication reworked. It is now possible to use other types of communication than blocking TCP/IP sockets. Currently 3 types are supported: normal blocking TCP/IP sockets, nonblocking IO (TCP/IP), and local in-memory queues.
The old server.port and similar properties can still be used, but are overridden by server.listenurls if it is defined. The URLs have the format "protocol://port", where protocol is tcp, nio or local - in the case of local peers, in-memory queues are used and the port number is just a handle to identify the queue. If the old setting was server.port=21233, it is equivalent to server.listenurls=tcp://21233 or server.listenurls=nio://21233. Multiple entries are supported, e.g. "server.port=nio://21233;local://21233", where the server listens for both local connections and connections from other servers. The reason to replace tcp: with nio: is a reduced number of threads - a single thread handles all the connected sockets, removing the requirement for 2 threads per socket (1 reader and 1 writer), thus lightening resource usage under heavy load. Properties containing addresses of other PP server components, such as "ptsservers=localhost:21343;anotherhost:21343", can now be specified as URLs, e.g. "ptsservers=local://21343;nio://anotherhost:21343". BE VERY CAREFUL about using these since they require a new version of the agent as well - older agents are not able to parse the URL and expect a "server:port" value. Removed configserver broadcasting since it is not used anywhere in production and it conflicts with the new peer. These are the new configuration properties: Config server: server.listenurls, statistics.server.listenurls. Logserver: server.listenurls. Sessionctrl: server.listenurls, server.restrictedlistenurls, mirror.listenurls.
- 24/11 2008, KR LruCache refactored so all instances share a single cleanup thread no matter how many are created.
- 18/11 2008, KR Version 4.117 released.
- 18/11 2008, KR Default maximum size of the statistics queue in the configserver changed from 5000 to 1500 to minimize memory usage if the statistics server is not available. The maximum can be changed by setting the property "maxStatisticsBufferSize".
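The address syntax introduced above mixes three forms that a deployment may have side by side: the new "protocol://port" and "protocol://host:port" URLs, several of them separated by ";", and the legacy "host:port" or bare-port values that older settings and older agents use. The following is an added example, not Ceptor's own parser, that accepts all three forms, rejects unknown protocols and out-of-range ports, and exposes the compatibility check the entry warns about: whether a list can still be rendered as plain "host:port" for an agent that predates URL support. The class and function names are constructed for this example; the protocol names and sample values are the ones from the entry.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Ceptor's own code. Names are constructed for illustration.
PROTOCOLS = ("tcp", "nio", "local")


@dataclass(frozen=True)
class PeerAddress:
    protocol: str          # "tcp", "nio" or "local"
    host: Optional[str]    # None for a listen address or a local queue handle
    port: int              # for "local" this is only a handle, not a TCP port


def parse_peer_address(entry: str, default_protocol: str = "tcp") -> PeerAddress:
    """Parse one entry such as 'nio://anotherhost:21343', 'localhost:21343' or '21233'."""
    entry = entry.strip()
    if "://" in entry:
        protocol, _, rest = entry.partition("://")
        protocol = protocol.lower()
        if protocol not in PROTOCOLS:
            raise ValueError(f"unknown peer protocol in {entry!r}")
    else:                                  # legacy form without a URL prefix
        protocol, rest = default_protocol, entry
    host, sep, port_text = rest.rpartition(":")
    if not sep:                            # bare port, e.g. 'tcp://21233' or '21233'
        host, port_text = "", rest
    if not port_text.isdigit():
        raise ValueError(f"missing or non-numeric port in {entry!r}")
    port = int(port_text)
    if protocol != "local" and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return PeerAddress(protocol, host or None, port)


def parse_peer_list(value: str, default_protocol: str = "tcp") -> List[PeerAddress]:
    """Parse a ';'-separated property value such as 'local://21343;nio://host:21343'."""
    return [parse_peer_address(e, default_protocol) for e in value.split(";") if e.strip()]


def is_valid_peer_entry(entry: str) -> bool:
    """Validation helper for configuration checks: True if the entry parses."""
    try:
        parse_peer_address(entry)
        return True
    except ValueError:
        return False


def legacy_value(addresses: List[PeerAddress]) -> Optional[str]:
    """Render the list in the old 'host:port;host:port' form, or None if impossible.

    None means an old agent that expects 'server:port' could not consume this
    list, which is the situation the changelog entry tells you to be careful about.
    """
    parts = []
    for a in addresses:
        if a.protocol != "tcp" or a.host is None:
            return None
        parts.append(f"{a.host}:{a.port}")
    return ";".join(parts)
```

legacy_value() is the check to run before rolling a URL-style ptsservers value into a cluster that still has old agents: if it returns None, at least one entry uses nio:// or local:// and those agents will fail to parse it.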
- 14/11 2008, KR Luna SA HSM module initialization reordered so login to the box is the first thing done, since querying it before logging in would fail depending on the security configuration of the box.
- 7/11 2008, KR Version 4.116 released.
- 5/11 2008, JN Fixed/removed non-existing columns in transaction log search.
- 3/11 2008, KR Version 4.115 released.
- 3/11 2008, KR Added the ds: namespace prefix to XML signatures to make BEA's XMLBeans implementation happy. Added extra info if a restricted agent sends commands it shouldn't.
- 1/11 2008, KR "Concurrent connections" statistics added to the dispatcher so it keeps statistics about how many concurrent connections are established.
- 31/10 2008, KR Added getLoginPeer() method to PTSServer - an authentication plugin can call sessionController.getLoginPeer() to get the Peer instance that called login; on that it can call peer.getRemoteName, Port, Hostname etc. to get the identity of the calling application - this can be used to e.g. log the application which is calling login.
- 31/10 2008, JN Added a handshake timeout on SSL connections. There was a possibility they could hang on network failures. Fixed SQL statements after performance tuning. Removed unused column statements from dynamic SQL generation in TransLog search.
- 23/10 2008, KR Refactored RemoteAddress code, moved to the utils project. Performance improvement in statistics by using a custom table instead of a Hashtable for storing temporary per-second values. Added executeRequestInSeperateThread() to ICommsCommand - by default commands are executed in separate threads, but this can be overridden so specific commands execute in the reader thread - note that while this performs faster, it slows reading down, so it is extremely important only to use it for very fast code that never blocks waiting for external events.
First cut at a peer server/client which can use the existing TCP blocking socket protocol, but also NIO nonblocking and networkless local peers, added.
- 21/10 2008, KR Version 4.114 released.
- 20/10 2008, KR Session controller timeout handling overhauled. Previously, when a session timed out, all agents were notified about each individual session, no matter whether the agent had previously expressed interest in the session or not. Now only agents that were previously interested in a session get the timeout notification. For older agent versions (pre v4.114) it still sends individual timeout commands for each session, but for newer agent versions it batches up all the sessions that have timed out and sends a list of them in one command - this significantly reduces the overhead when many (thousands of) sessions time out simultaneously. Additionally, each session now has an owner, which is the session controller that created it. Only that session controller is able to time out that particular session. This prevents a problem where multiple session controllers simultaneously timed out and logged off sessions, causing multiple logoffs for the same session. If a session is owned by a nonexistent (crashed or offline) session controller, the owner is changed to one of the active session controllers and in the next pass the new owner handles the timeout.
- 20/10 2008, JBF Config server audit logging updated so it logs what is going on, who changes what etc., including which configuration entry is changed and what it is changed to and from.
- 20/10 2008, KR ETicketClient cache in the Agent was broken - it cached the list of netbanks forever if it was more than 5 minutes since the last retrieval, instead of refreshing it.
- 7/10 2008, KR Fixed JVM dumping so it is no longer possible for more than one thread at a time to attempt to dump the JVM.
- 6/10 2008, KR Version 4.113 released.
- 3/10 2008, KR RevisionLog search did not work in DB2 - this bug was introduced in v4.91 when Oracle support was added. XML signing now works with references null or empty - in that case only XPath filters are used.
- 30/9 2008, KR Refactored the statistics addon DB pool so DBPool is moved to a generic class which can be reused by others. Status for a request in the TunnelServlet set to "Writing response to browser" to make it more visible if the write is blocked waiting for the browser / frontend webserver to read it.
- 30/9 2008, JN Fixed wrong user_id column name introduced by the change on 15/9, version 4.112.
- 26/9 2008, KR Launcher servlet now outputs more info when loading services.
- 15/9 2008, KR Version 4.112 released.
- 15/9 2008, KR Added WSSAgent.signXMLEnveloped(), which can be used to create enveloped XMLDSIG signatures - signing the entire XML.
- 15/9 2008, JN FOR FETCH ONLY can be added to select-only SQLs if the property db.addforfetchonly is set. All select SQLs now use column names instead of *. Added a multi-organisation method for attaching a profile to all members who already have another profile (via the access API). Changed profile select to match SQL delivered from the DBA. Added a method for assigning a profile to multiple logon IDs and method IDs. Updated the users guide with the new database option. Updated the user admin API documentation with the new API method.
- 8/9 2008, KR Added XPath transformation to WSSAgent.signXML() so an XPath transformation compatible with ETL (elektronisk tinglysning) can be done. InclusiveNamespaces PrefixList can now be specified on WSSAgent.signXML(). Updated the users guide with the new options on the XML methods.
- 31/8 2008, KR Added HttpOnly to PP session cookies - this will (on some newer browsers) hide the cookie from JavaScript so it is not as easily available to client code. A new option "disableHttpOnlyCookies" (with default false) can remove this flag.
- 29/8 2008, KR Added additional logging and statistics when a user/browser switches IP address.
- 28/8 2008, KR Version 4.111 released.
- 27/8 2008, KR OCES CAs now keep track of PID/CPR lookups being performed, and keep statistics of the time taken/number of lookups done. Additionally the information about the last error/success and the time of the last lookup is available in the status for the session controller. Authentication plugins can now be reinstalled / mapped to other classes when the configuration changes at runtime. Logoff was not always called on the authentication plugin when a session timed out before the session was removed.
- 26/8 2008, JN Added * search support in TransactionLogDAO and direct search on user_id if no * is given. Fixed profile search from ProfileDAO so only the needed data is fetched from the table when searching for a specific user.
- 22/8 2008, KR PTSServer now handles revision logging of confirm (signatures) where the input is not just the XMLDSIG signature but a string array of the signature and other arguments. Fixed a bug in X509SignHelper where signtext was Base64 decoded twice, resulting in an invalid comparison of signtext. Fixed NPE in ConfServlet if configfile was not specified.
- 15/8 2008, KR LoginHandlerLdapImpl fixed to accept an empty user RDN when logging users in and ldap.bindUsers is set to true.
- 1/8 2008, KR Version 4.110 released.
- 1/8 2008, KR / JBF LDAP code updated with new pools and methods for fetching groups.
- 31/7 2008, KR Default value for garbagecollect.waitseconds changed from 30 seconds to 5 minutes. It can be overridden either by specifying the number as a system property for each JVM, or as a configuration parameter for the session controller or an agent. Agent.newSession() did not work when called with a specific cluster ID - it would always use the default configured cluster ID for creating new sessions.
- 1/7 2008, KR Version 4.109 released.
- 1/7 2008, KR Added additional JDBC surveillance to useradmin.
The currently open connections and executing database statements can now be viewed from the PP admin GUI (select useradmin1 and details, then scroll down and click on "List active connections and statements"). If PP runs out of connections to the database, it logs all the info it has about current connections and the SQL currently executing on them. Every 10 seconds, PP checks whether a connection has been active for more than 30 seconds, and then logs it every 2 minutes if it is still active and hanging - it also logs the currently executing SQL statement. Connection/statement info is logged at most every 30 seconds to avoid spamming the log in case the connection pool is repeatedly empty - this fixes an OutOfMemoryError where the log spamming simply took up too much memory.
- 24/6 2008, KR Fixed a cosmetic bug in ETicketHandler where it would log a NullPointerException if no cache directory was specified. The exception was handled properly, so it did not have any effect.
- 20/6 2008, KR Fixed a rare timing issue in UAAuthorizationPlugin and UAAuthenticationPlugin that could cause server startup to take between 30 and 60 seconds extra.
- 26/5 2008, KR Version 4.108 released.
- 26/5 2008, KR Fixed a classloader-related problem in ConnectionInvocationHandler that caused IllegalAccessErrors when using Oracle JDBC 1.4 drivers. It didn't cause problems for either DB2 or Cloudscape.
- 9/5 2008, KR Version 4.107 released.
- 7/5 2008, KR Added ip and hostname to PingResult in adminclient. Fixed bugs in ping which caused it not to work. remote.servers changed so 255 can be used as a wildcard to match all IPs - e.g. 192.168.255.255 matches any IP address starting with 192.168.
- 5/5 2008, KR Version 4.106 released.
- 28/4 2008, KR Fixed a bug in WS-Security XMLDSIG signing where the destination for the signature was not parsed correctly if the root element was included in the destination pattern.
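The remote.servers wildcard rule from the 7/5 2008 entry above is simple enough to state in one line, but it has a consequence worth seeing in code: because 255 is both a legal octet value and the wildcard, a pattern such as 10.0.0.255 matches every host in 10.0.0.0/24, and no pattern can name the single address 10.0.0.255. The following is an added example, not Ceptor's own matcher, implementing the described rule over a list of patterns and returning which pattern admitted an address, which is what you want in a log line when reviewing who was allowed in. Function names and sample addresses are constructed for this example; the matching semantics are those stated in the entry.

```python
from typing import Iterable, List, Optional

# Added example, not Ceptor's own code. Names and sample addresses are constructed.
WILDCARD = 255   # per the 7/5 2008 entry: an octet of 255 in a pattern matches anything


def _octets(address: str) -> List[int]:
    """Split a dotted-quad IPv4 string into four validated integers."""
    parts = address.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {address!r}")
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {address!r}")
    return octets


def is_valid_ipv4(address: str) -> bool:
    """Configuration check: True if the string is a well-formed dotted quad."""
    try:
        _octets(address)
        return True
    except ValueError:
        return False


def ip_matches(address: str, pattern: str) -> bool:
    """True if address matches pattern, treating 255 in the pattern as 'any'."""
    return all(p == WILDCARD or p == a
               for p, a in zip(_octets(pattern), _octets(address)))


def matching_pattern(address: str, patterns: Iterable[str]) -> Optional[str]:
    """Return the first remote.servers-style pattern that admits address, or None."""
    for pattern in patterns:
        if ip_matches(address, pattern):
            return pattern
    return None


def is_remote_allowed(address: str, patterns: Iterable[str]) -> bool:
    """Allow-list decision for a connecting remote address."""
    return matching_pattern(address, patterns) is not None
```

The last assertion in the accompanying check, that 10.0.0.7 is admitted by the pattern 10.0.0.255, is the edge case to keep in mind when a pattern list is reviewed: any entry containing a 255 is a range, never a single host.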
Added "groups" to customHttpHeaders so you can now get a comma-separated list of all the user's group memberships in the HTTP header.
- 25/4 2008, KR Added "eticket.test.regnr" to TestPBSProviderListFetcher so regnr can be changed from the default 0001. Added type to Peer2Peer communication so a remote peer is always able to query the type of the other end. A type is a string identifying the type of peer connection, such as "configclient" or "logserver". All ManagedServers now identify themselves with a service type, so e.g. the configserver can tell whether it is talking to a logserver, an agent or a sessioncontroller etc. no matter what name it has. Added "ping" to the administration client interface - it is now possible for an application to ping the system and get a list of servers and their status back. Additionally, the ping requests go to all installed authentication plugins, which can ping their own backend systems (such as database, LDAP, CICS servers etc.) and provide information that will help the application determine whether they are running or not. Fixed a bug with date searches in TransactionLogDAO, where date searches did not work - this bug was introduced in v4.101.
- 15/4 2008, KR Version 4.105 released.
- 15/4 2008, KR TestPBSProviderListFetcher refactored to support the eticket simulator - it now takes 2 configuration parameters, "eticket.test.url" which defaults to "http://localhost:7080/nbsim/NBSimServlet" (URL for the netbank simulator) and "eticket.test.certificate" which must point to a .pem file containing the simulator netbank's certificate.
- 9/4 2008, KR Version 4.104 released.
- 8/4 2008, KR Changed caching of login providers (netbanks) in the eticket code so that if an empty list is received from PBS, the request is considered failed and the response is not cached; otherwise the server will (as usual) cache it for "eticket.provider.listfetcher.timeout" minutes, which defaults to one hour.
If retrieving the list from PBS fails and an earlier cached version exists, that one is returned to the agent. Additionally, the Agent retrieves the list from the PP server every 5 minutes. Added "eticket.cache.directory" - if specified, the PP server caches the list of netbanks in that directory (in a file called "eticket_netbank.cache") and re-reads it upon startup. That way the list is available in case PBS does not provide a valid list.
- 7/4 2008, KR First cut at a local Peer2Peer implementation which bypasses sockets when agent and server are running in the same JVM. SocketPeer IO buffer increased from the 8k default to 64k.
- 5/4 2008, KR Version 4.103 released.
- 5/4 2008, KR Added the getPPSessionInfo method to the PPSessionController webservice interface to the PP session controller. It returns the most commonly used information from a session in a single webservice call, for use by applications that would otherwise have to issue multiple webservice calls.
- 2/4 2008, KR pp_login_timestamp added to statevariables upon login - it contains the number of milliseconds since 1/1 1970 (from System.currentTimeMillis()) and can be used by an application to see exactly when the user logged in.
- 31/3 2008, KR Version 4.102 released.
- 31/3 2008, KR WS-Security support: XMLDSIG verify now detects and skips verification of WS-Security signatures - previously they would cause an error since they are not 100% compatible with XMLDSIG signatures. The XMLDSIG signer now forces exclusive C14N canonicalization on all references.
- 18/3 2008, KR Version 4.101 released.
- 18/3 2008, KR Added statistics to the ClientSecurityHandler and ClientSecurityHandler WS-Security handlers to show time used. Added statistics to all WSSAgent remote calls.
- 14/3 2008, JN
  Added support for updating profiles in multiple organisations.
  Fixed Oracle timestamp error when searching in transaction log, nonrep log and revision log.
- 14/3 2008, KR
  Fixed a synchronization bug where modifying a session while it was being serialized, e.g. to send to an agent, resulted in the agent getting invalid data which it couldn't read - causing a PEER00006/PEER00007 error.
- 9/3 2008, KR
  Workaround for broken webservers (stokerbot) which gzip responses even if the client does not accept gzip, and even for HTTP 1.0. Now the dispatcher detects that and avoids gzipping the response again.
- 26/2 2008, KR
  Version 4.99 released.
- 26/2 2008, KR
  Added extra validation of certificates in WSSAuthPluginSupport when verifying XMLDSIG signed documents, so the caller always has a validated list of certificates showing who signed the document. The validation fails if any certificate is not issued by one of the configured providers, just like SOAP WS-Security validation.
- 15/2 2008, KR
  WSS auditlog split into two tables to better suit Nykredit's database tools.
  DBPool's DBConnection and DBStatement replaced with proxy classes (dk.itp.security.utils.jdbc.*) which monitor all SQL calls and open connections.
- 11/2 2008, KR
  Added WebService Security Audit log to the useradmin database - it can store XML which is generated/received by the server for audit logging.
  Added wss.auditlog configuration for the webservice security auditlog - it must be set to a classname which implements the dk.itp.portalprotect.wss.IAuditLog interface; currently the AuditLogStdout and AuditLogUserAdminDatabase classes in the same package can be used.
  Added support for retrieving certificates from LDAP, and for parsing certificate files (currently usable by PVS only).
  IAuthenticationPlugin implementors must now implement the getStatusText(String action) method - it allows them to add actions to their interface in the PP admin GUI.
  Added DefaultAuthenticationPlugin.getAction() method for the plugins to use.
- 26/1 2008, JN
  Added support for the changed Peer2Peer version in the User Administration part of PortalProtect.
- 25/1 2008, KR
  Peer2Peer protocol now includes the version number of the remote - this is used for e.g. only transmitting things to the remote that the version indicates it can handle. The constructor for SocketPeer now requires a version number.
  State variables were previously limited to 64k because writeUTF() was used to send them - this limit no longer exists, but a new agent is required for it to be able to read the changes.
  The PP admin GUI is now extended with a Log4j section, where you can dynamically view/adjust loglevels on the running system - no matter how it is configured. These loglevels are only changed at runtime, and are not kept across server restarts.
- 13/1 2008, KR
  Version 4.98 released.
- 19/12 2007, KR
  Version 4.98 released.
- 18/12 2007, KR
  Added "eticket" usergroup to users logging in using eticket/netid when using the default ETicketUserHandler.
  Handling of URLs ending with .PinG now works for HEAD requests too.
  Added wss.ws.xxxx.allowanonymouscalls to webservice security handling - if set to true, a session ID is not needed when calling PP to sign webservice requests - read the users guide for details.
- 13/11 2007, KR
  Version 4.97 released.
- 13/11 2007, KR
  If "addauthorizationheaderonlyforidentified" was set to true, the header did not get appended if a dispatcher plugin (such as an eticket login plugin) logged the user in. Now the dispatcher rechecks if the user is logged in after calling the plugins, and adds the header if required.
- 07/11 2007, KR
  First cut at "Service Information" - a way to collect all known information (thread dumps, logs, server status etc.) in one page which can then be sent to ITP support.
- 21/10 2007, KR
  Version 4.96 released.
- 29/10 2007, JN
  Fixed HTML encoding issue with > < signs.
  Fixed Hashtable support in the WebService interface.
  It is now possible to send Hashtables from anything to PP.
- 21/10 2007, KR
  Version 4.95 released.
- 21/10 2007, KR
  Added "urlSSLAuthFailedRedirect" and "alternateserver.xxxx.urlSSLAuthFailedRedirect", which the user is redirected to if SSL authentication fails.
  Added "sslRequired" and "alternateserver.xxxx.sslRequired", which require the user to access the server using SSL - if the option is enabled and the user is using plain http, he will be redirected to the same URL with https.
- 18/10 2007, KR
  Added "jce.customproviders" and support for the Luna Hardware Security Module (HSM) box, which can now be used as a keystore. The custom provider is able to log in to the box with the password specified in "luna.password", so we do not need to run salogin.exe to log into the box from an external process. It can also load other "regular" JCE providers which just implement the java.security.Provider interface.
- 16/10 2007, KR
  Version 4.94 released.
- 16/10 2007, KR
  Reordered NTLM login in the dispatcher so NTLM login is done before constructing the request and calling Tunnel Plugins. The change on 1/6, where "addauthorizationheaderonlyforidentified" was introduced as a workaround for the WebLogic 8.1 SP6 bug, had the side effect that the authorization header was not added on the first request where NTLM authentication succeeded, because the check was done before doing NTLM login - this is now reordered so it should work again.
  Added wss.cryptoproviders property.
- 15/10 2007, KR
  Added WS-Security checks on who is able to use the private key.
  Added hardware JCE support for the Luna provider.
- 3/10 2007, KR
  Version 4.93 released.
- 8/10 2007, KR
  Fixed bug in CA_TDC_OCESTEST2 code - PID lookup will no longer fail if the URL is not configured.
- 3/10 2007, KR
  Version 4.92 released.
- 3/10 2007, KR
  UAAuthentication plugin no longer inserts blank attributes from the database into the session.
  Performance optimization when executing authentication plugin commands - the modified session is now transmitted back to the agent which performed the command.
  Changed DefaultValidator to log debug instead of warning if an ACL was not found.
- 24/9 2007, KR
  Added PPSecurityContext, which can contain a session ID on the thread - additionally the servlet filter dk.itp.security.sessionctrl.http.PPSecurityContextServletFilter is added, which can be added to a webapp. If present, it will place the user's session ID in the PPSecurityContext so it is available for later use.
- 17/9 2007, KR
  RemoteLogAppender will retry more often when starting up, to avoid delay of the log being available upon startup.
- 13/9 2007, JN
  Fixed user audit log to work with Oracle.
  Added user audit log search to the .NET test application.
  Corrected user audit log to use timestamps when searching.
- 13/9 2007, KR
  Changed revision logging when doing logoff - it is now called before the authentication plugin's logoff method, since the auth plugin usually changes the data in the session on logoff, and this gives the revision log a chance to look at the data as they were.
  Changed useradmin code so it calls getTimestamp() instead of getDate() on the resultset to make sure it gets the time too on all database implementations - with getDate() some return only the date, ignoring the time, and others return both the date and time.
- 10/9 2007, KR
  Added new option "loginWithSSLClientCert" to the dispatcher - if true, it will attempt to log the user in using an SSL client certificate if one was found on the request and the user was not already authenticated. Note that if the login fails, the user will still get access (depending on access checks) but he will be anonymous. This option was added as a convenient way of avoiding a specific dispatcher plugin just for this.
  Added customerid and agreementid to custom http headers.
- 5/9 2007, KR
  Version 4.91 released.
- 3/9 2007, KR
  Changed UserAdmin DBPool connection pool so it will attempt to close database connections that have not been used for x seconds more often than previously. Previously a connection was closed if too old only when we attempted to allocate it from the pool, but now we check on all accesses to the connection pool, to work around a bug that occurs in DB2 drivers if a firewall between the client and the DB2 server closes the socket after e.g. 1 hour.
- 28/8 2007, JN
  Added documentation on the order of the Oracle scripts to run and which jar files to add to the server classpath.
  Added support for nested SQLExceptions through the WebServices API.
  Fixed search support that previously used Hashtables in the WebServices API.
- 18/8 2007, JN
  Added User administration Access WebService support for the most commonly used methods.
  Added .NET test application to test WebService APIs.
  Added tomcat test setup for the WebServices API.
- 10/8 2007, JN
  Added Oracle 10.0.2.0 support for the user administration server.
- 15/8 2007, KR
  Added 4 new options to the dispatcher, "httpStatusUnableToConnect", "httpStatusTimeout", "httpStatusServerError" and "httpStatusUnknownError", which can be used to change the default http status code of 500 to another value when sending an error page because of a connect failure, timeout, server IO error or an unknown error respectively.
- 13/8 2007, KR
  New option for the dispatcher: "cookiesAreAlternateServerBased" - if "cookiesToHideFromBrowser" is set, it will by default save cookies on a per-hostname basis. With this option set to true, it will save them both by hostname and alternate server name, so they are kept separate per alternate server.
- 4/7 2007, KR
  Fixed deadlock in ConfigClient which could occur if an agent tried to ask for a configuration server entry which did not exist (and if the timing was unlucky), resulting in connection threads being stuck.
- 1/8 2007, KR
  Added CPU usage per thread to JVM Dump - available if running with JDK 1.5 or newer.
- 25/6 2007, KR
  Added alternateserver.xxxx.invalidSessionidURL, which can be used to override the invalidSessionidURL property for specific alternate servers.
- 20/6 2007, KR
  Version 4.90 released.
- 20/6 2007, KR
  FlushCacheEntryCommandHandler changed so it only returns a reply if the reason is not timeout or resync. This is done because the server sends the command asynchronously, so it no longer expects a reply.
  Fixed deadlock in RemoteLogAppender.cleanup() which could occur if debug logging was enabled and the appender was closed, e.g. because the appender configuration changed. This was highly timing dependent.
- 1/6 2007, KR
  Version 4.89 released.
- 1/6 2007, KR
  Updated "PortalProtect WebLogic Integration" document with info about the WebLogic SP6 bug and workaround.
  Added "addauthorizationheaderonlyforidentified" and "alternateserver.xxxx.addauthorizationheaderonlyforidentified" configuration entries to the dispatcher. If set to true (defaults are false) then the "Authorization:" header will only be added to the request for authenticated sessions - this is to work around a nasty bug in WebLogic 8.1 SP6 where anonymous access no longer works if the request contains an authentication token and no authentication plugin logs the user in.
- 31/5 2007, KR
  Changing which servers to view statistics for in the GUI no longer requires write access to update the selected server list.
- 14/5 2007, KR
  Version 4.88 released.
- 14/5 2007, KR
  Changed cleanup SQL in the statistics database to avoid a table scan on DB2/390 - it now deletes using function_id/slot_id instead of just slot_id - this means multiple delete commands will be issued, but since it avoids a table scan on the host, it is still better.
  Added statdb.cleanupinterval to specify the interval in minutes between cleanup runs - default is 240 (4 hours).
- 11/5 2007, KR
  Version 4.88 released.
- 11/5 2007, KR
  Changed locking in the statistics database, so it updates/locks the server record to use it as a "semaphore" instead of locking the entire server table.
  Added "statdb.serverprefix" - which can contain a name that will be added in front of all server names in the database, to separate servers with the same name running on multiple computers from each other.
  DB cleanup now done every 10 minutes instead of after each run.
- 11/5 2007, KR
  Version 4.87 released.
- 11/5 2007, KR
  Added new config entry for the statistics database, "statdb.enabled", which can be set to false to disable usage of the database.
- 9/5 2007, KR
  Version 4.87 released.
- 9/5 2007, KR
  Added better cleanup in the StatToDB pool, so it can handle changing configuration on the fly - previously, if a connection was in use while the configuration changed, that connection would not be closed again when returned to the pool.
  Accept-Encoding HTTP header is no longer swallowed by the dispatcher, but forwarded to the server.
- 7/5 2007, KR
  Version 4.86 released.
- 7/5 2007, KR
  Segment ID was broken when the tunnel created a session - it ended up having segment 0. This bug was introduced when adding cluster support on 24/4 2006.
- 1/5 2007, KR / JBF
  Fixed bug where, if a mirror sessionctrl updated a session, its old list of interested agents would not be saved.
- 30/3 2007, KR
  Version 4.85 released.
- 30/3 2007, KR
  Agent multiple sessionctrl cluster support did not initially connect to the clusters when starting up.
- 28/3 2007, KR
  Added support for alternateserver.xxxx.urlAccessFailedRedirect to the Dispatcher.
  Removed alternateserver.xxxx.urlAuthenticationFailedRedirect and alternateserver.xxxx.urlLoginRequiredRedirect from the documentation since they are customer specific and do not work without a special dispatcher plugin.
- 27/3 2007, KR
  Version 4.84 released.
- 27/3 2007, KR
  Dispatcher now removes the "Expect" header from the request to get around a bug in certain WAS versions that send http response code 100 Continue even on HTTP 1.0 connections. The specific problem occurred when a proxy server added the "Expect" header to all POST requests.
- 21/3 2007, KR
  Changed StatToDB yet again so it now works with the DB2 8.2 type 4 driver against DB2 on OS/390 with transactions enabled.
- 20/3 2007, KR
  Version 4.83 released.
- 20/3 2007, KR
  Added additional logic to attempt to recover if closing of a DB connection in StatToDB failed, by rolling back and attempting to reclose the connection.
  List of authenticated users/sessions in the session controller can now be sorted by access timestamp or by user id - in addition, the list now also shows the user's name.
- 19/3 2007, KR
  Added locking of all related DB tables to the StatToDB plugin for increased performance on OS/390.
- 15/3 2007, KR
  Version 4.83 released.
- 14/3 2007, KR
  Added support for newer opensign clients which modified the format of the XMLDSIG logon/sign messages.
- 13/3 2007, KR
  StatToDB plugin can now be disabled from external code at runtime.
  stat_statements.properties now put in PortalProtectServer.jar.
- 8/3 2007, KR
  Version 4.82 released.
- 8/3 2007, KR
  Fixed bug where the JDBC Statement invocation handler did not create statistics with the performance.
  Added dk.itp.portalprotect.admin.Admin, which can be executed from the command line to do things like creating a JVM dump on the server, getting the list of recently accessed URLs from the dispatchers, or shutting down the server.
  Prepared statements are now cached in the statistics addon for better DB2 performance.
- 28/2 2007, KR
  Fixed bug with CRL Interval where the configuration would fail with an NPE if crl.interval was not specified.
  If login fails in an authentication plugin, the userid is now "rolled back" to what it was before, even if the plugin modified it erroneously.
  Fixed PIDCPR code so PID lookup/verification fails if an invalid URL is used.
- 19/2 2007, KR
  Version 4.81 released.
- 16/2 2007, KR
  CRL Interval option added to X509 configuration - decides how many minutes should pass between updates.
  Fixed misleading error message if the CRL updater was unable to retrieve the CRL list while behind a proxy server; also fixed the error message when a user was trying to log on but the CRL was not retrieved (previously it said not-configured), and added better error handling/error message if the OCSP check failed when behind a proxy server.
  Statistics to DB addon changed so it can use CHAR as well as VARCHAR columns.
  Added "statdb.tablequalifier" option to statistics DB - if specified, it is prepended to all table names.
- 15/2 2007, KR
  Version 4.81 released.
- 13/2 2007, KR
  Added dk.itp.security.utils.jdbc package, which can act as a proxy class monitoring JDBC calls and logging any SQL that exceeds 5 seconds, along with keeping track of any connections that are not released. Works with any JDBC version.
  If JDK 1.5 management classes are available, the JVM dump will contain all relevant information they provide, like CPU time used per thread, monitors threads are blocked on etc.
  Fixed a bug where exporting statistics to Excel sometimes generated invalid .slk format files where the 98% columns were not numeric.
  Refactored some of the Peer classes to provide support for an upcoming non-blocking IO version of the Peer, to cut down on the number of concurrent threads used.
  Added ping URL to the dispatcher - if a URL ends with ".PinG" (without the quotes) then the dispatcher will just respond with "PONG" - implemented to let load balancers check if both Apache and Tomcat servers are alive.
  Fixed a bug where a "readonly" user was not able to view statistics because he could not select which interval or functions to view statistics for in the admin GUI.
  In X509 certificate verification code, we now add the CN of the certificate causing problems, where applicable, to all exception/error messages to make it easier to diagnose problems.
  Modified dk.itp.managed.server.StatisticsListener interface so listeners now also get the statistics object (to write their own stat) and the configuration for the statistics server they run within - they can also provide their status text to the Admin GUI.
  Added dk.itp.statistics.addon.StatToDB plugin, which is able to save statistics passing through it to a database, which can then later be used with e.g. report generating tools to create more advanced reporting than the PP Admin GUI supports.
- 25/1 2007, KR
  Version 4.80 released.
- 24/12 2007, KR
  Surveillance status text added to the agent's details page, so you can view the list of currently active tasks.
  Added extra debug output to the surveillance class.
  New method getAttrs() added to TDC Attribute service, which will return both attribute value and status fields.
- 12/1 2007, KR
  Version 4.79 released.
- 11/1 2007, KR
  Performance optimization in handling CRLs - the size is now only calculated and cached once per update instead of every time we need to show it, since it can take several seconds for > 100000 entries in the CRL list.
  Logging of "Login failed" exceptions changed, so the loglevel is changed to info and the stacktrace isn't logged for errors such as invalid credentials or certificate expired.
  Cosmetic change: Changed "mean" to "avg" (average) when displaying statistics.
  Flag "allow obsolete CRLs" did not work properly - it was only allowed if the flag was set to false.
  Fixed bug where the CRL update thread could get stopped when running multiple providers that use the same CRL in the same JVM, causing CRLs to not get updated.
- 9/1 2007, KR
  Version 4.78 released.
- 8/1 2007, KR
  doModifyHostHeader/modifyRedirectLocation now also modifies the redirect location header for URLs starting with https.
  Changed names of sessionctrl mirror peers to be a little more readable on the status screens.
  Fixed a timing bug in sessionctrl mirrors, where multiple connections could be set up to a different mirror server if the configuration (mirrorServers property) was changed.
  Added OCSP cache, and new property "ca.provider.xxxx.ocsp.cachetimeout", which is the timeout in minutes. If a certificate is in the cache and has been checked within the last xxxx minutes, then the check is not done again until the timeout expires. It can be set to 0 to disable, and the default is 5 minutes.
- 3/1 2007, KR
  Fixed bug where the peer write-thread did not have the correct thread name (made it harder to debug).
  Changed to log4j 1.2.8, although PP can still function with both the new and the old version - also mixed, where agents run with the older version and the logserver runs with the new one.
- 11/12 2006, KR
  Version 4.77 released.
- 7/12 2006, KR
  Added auth commands to authentication plugins - they provide a way to send serializable objects between an application and an authentication plugin to easily extend the functionality of the plugin - used e.g. to let it encrypt/sign SOAP messages.
  Added new NetID / eticket configuration parameter: "eticket.contentprovider.protocolversion" can be either 1004 or 1005.
  Timesync will now not try to set the time if the time difference is less than one second.
- 03/12 2006, JN
  Cleaned up remaining classes using the Peer class that is now called SocketPeer.
  Added eTicket documentation to the user administration document.
- 27/11 2006, KR
  Version 4.76 released.
- 27/11 2006, KR
  Added Surveillance component to the Agent. Using this (dk.itp.portalprotect.survillance.Surveillance), we can help diagnose problems with slow applications by monitoring running tasks and taking a JVM dump on either the local running JVM, or on all connected JVMs simultaneously, in order to help debug slow responses that involve multiple servers.
  New configuration properties "surveillance.warningseconds" and "surveillance.action.==" added.
- 24/11 2006, KR
  Added support for creating JVM Dumps - on IBM JVMs > 1.3, we will create a javacore and use that, and on 1.5 or newer JVMs, we will use the new methods available to get stack traces for all running threads. Older JVMs are not currently supported since they require native code to get the stacktrace. You can view the dumps from the Administration Client API, or in the PP Admin GUI.
- 22/11 2006, KR
  Added TDCOCESCertLookup to the server, which can look up OCES certificates in TDC's LDAP server based on cn, email or serial (PID/RID/CVR). It has 2 config parameters: "tdc.oces.ldap.servers" with default "dir.certifikat.dk:389" and "tdc.oces.ldap.basedn" with default "c=DK"; neither of them should be changed from their default.
- 21/11 2006, KR
  Added statistics to the CRL updater so we can see how long it takes to read and parse the CRL list.
- 20/11 2006, KR
  Refactored Peer code to allow for multiple Peer types, such as SocketPeer and LocalPeer, so not all Peer2Peer implementations have to use sockets to connect to each other.
- 10/11 2006, KR
  Version 4.75 released.
- 10/11 2006, KR
  Sessioncontroller can now accept mirror connections between different sessioncontrollers with the same name, e.g. sessionctrl1 on computer A can now mirror sessions with sessionctrl1 on computer B.
  Sessionctrl now resets cics userid/password when cleaning up the session after logoff.
  RemoteLogAppender now trims option strings passed to it from log4j to strip leading/trailing spaces.
- 1/11 2006, KR
  Changed default retry limit to 1 in PeerClient.
- 24/10 2006, JN
  Fixed super slow file copy routine in statistics server/manager to perform like it should.
  Added useradmin support for creating, changing, updating and deleting ACLs.
  Fixed bug in IntVector in the utility class.
  Added useradmin support for attaching groups to ACLs.
  There is now support for searching groups and users from an ACL.
  Changed useradmin peer client to utilize the Peer socket timeout just as the Agent implementation does.
  Cleaned out warnings from DAOs.
  Added functionality in useradmin webapp for ACL handling.
  It is now possible to ask the useradmin agent if your session is based on the super user.
- 12/10 2006, KR
  When viewing logs in the PP Admin GUI, entries are now sorted using bubblesort instead of quicksort even though it is slower, since quicksort messed around with entries that had the same timestamp. Now the log can be viewed in both ascending and descending order.
  Added "ppagent.synctimewithserver" property to the agent - if true, the agent will retrieve the system time from the config server upon connecting to it, and attempt to set it on its own computer; this can be useful for synchronizing time between servers if NTP or a similar protocol cannot be used. The sync will occur on every connect to the config server.
- 11/10 2006, KR
  Version 4.74 released.
- 11/10 2006, KR
  Added new property: eticket.pbs.batchserver.cacerts - it can contain a list of files containing PEM encoded certificates which are used as CA certificates, meaning the batchserver's SSL server certificate must be issued by one of these certificates.
  Fixed HttpClient, so if IBM's JVM is used, setSoTimeout() is no longer called when reading the http response, since it apparently can throw a "socket closed" exception if the reply is short and the timing is wrong.
- 10/10 2006, KR
  Fixed ITPSSLSocket so the trustmanager works with IBM's JVM.
  Fixed issue where the BouncyCastle provider was not always loaded when eticket plugins were called.
- 10/10 2006, KR
  Version 4.73 released.
- 9/10 2006, JN & KR
  Implemented eTicket support for logins with PBS Net-ID. The support does not use PBS' loginprovider APIs, since they require an old buggy version of IAIK, and an abnormal set of configuration files to work.
- 28/9 2006, JN
  Added System property pp.peer.timeout that will override the 30000 default timeout on the Peers.
- 27/9 2006, KR
  Version 4.72 released.
- 26/9 2006, KR
  Added ca.provider.xxxx.ocsp.ignoretimechecks - to disable checks on the server response timestamp - very useful if your server's clock is not synchronized with the OCSP server.
  Fixed a bug in AbstractC509CertificatePlugin, where the x509cert stored in the session was not base64 encoded before being converted to a string.
- 14/9 2006, KR
  In PTSServer.userUpdated(), we can now handle it if an Agent or Mirror disconnects while we are trawling through the list.
- 24/8 2006, KR
  Version 4.71 released.
- 24/8 2006, KR
  Logserver now sorts the log records shown in PP's admin GUI by creation timestamp.
  Session Controller now shows user ACLs when displaying details for a session in the admin GUI.
- 17/8 2006, KR
  Version 4.70 released.
- 17/8 2006, KR
  Added ldap.userattributes property - which specifies the attributes to read from LDAP when looking up a user record.
- 8/8 2006, KR
  Version 4.68 released.
- 7/8 2006, KR
  The session controller no longer notifies agents when a mirror creates a new session - this speeds up sessions created on remote mirrors if there are many agents connected.
- 3/8 2006, KR
  Dispatcher now only reloads dispatcher plugins if they have actually changed, instead of reloading them every time another property changes.
- 28/6 2006, KR
  Version 4.67 released.
- 28/6 2006, KR
  Updated users guide with documentation for the modifyRedirectLocation property in the dispatcher.
- 27/6 2006, KR
  OCSP certificate provider did not use proxy settings for http, only for https URLs - this is now fixed.
- 21/6 2006, KR
  Version 4.66 released.
- 21/6 2006, KR
  Properties in portalprotect-configuration.xml are now sorted alphabetically when saved - this makes it much easier to check differences between two versions with a normal diff tool. Also, Apache's XML classes are no longer used to generate the XML (a simple StringBuffer is used now) since we need control over the sequence in which tags occur.
  Fixed OutOfMemoryError that could occur if the session controller tried to connect to a mirror which did not have the caller on the list of allowed IPs - the disconnect could then happen before the sync started, causing cleanup to fail.
- 19/6 2006, KR
  Version 4.65 released.
- 15/6 2006, KR
  Removed leading % from user search in the transactionlog to increase performance when >30 million rows are present.
- 14/6 2006, KR
  Added support for retrieving multiple attributes in one call from TDC's attribute service.
- 12/6 2006, KR
  Version 4.64 released.
- 12/6 2006, KR
  Dispatcher plugin can now support actions in the admin GUI - if a plugin implements getStatusText(String) then it will be called with the name of the selected action.
  Added support for OCSP (Online Certificate Status Protocol) and tested it with TDC OCES certificates. The two new properties "ca.provider.xxxx.check.ocsp=true" and "ca.provider.xxxx.ocsp=xxxxxx" have been added.
- 10/6 2006, JN
  Added support for allowing URLs through a tunnel that is NTLM protected.
  Changed NTLM authentication so it's only done once in a session lifetime.
- 9/6 2006, KR
  Added "portalprotect.config.server.nowait" system property to the agent - if set, the agent will not wait for a config server to be present before starting up. Note that the same property "config.server.nowait" in ptserver.properties can be used - set it to true to disable the waiting.
  Removed dependency on com.sun.net.* classes for SSL communication - this also means that the server will no longer run under JDK 1.3.1 - nor will the dispatcher be able to run under 1.3.1 - the agent will still work though.
- 6/6 2006, KR
  Version 4.63 released.
- 6/6 2006, KR
  Updated Users Guide with a new section on having multiple clusters of session controllers.
  All log events going through the logserver now have their origin server added in front of the thread name so it's easier to tell log entries apart.
  Fixed a small bug in the dispatcher which caused it to fail if it received an invalid session ID where the bits in the segment ID were not numeric (hex).
- 29/5 2006, KR
  Version 4.62 released.
- 26/5 2006, KR
  Added "cookiesToHideFromBrowser" property to the dispatcher. It can contain a list of cookies, such as "JSESSIONID", which will be hidden from the browser - they will instead be placed in the PP session, removed from the response to the browser, and added to future requests to the web server. One advantage of hiding the cookies from the browser is that the HTTP session will then follow PP's session 100%. This fixes the problem where data from a previous session might be stored within the HTTP session on a webserver. The cookies are saved in the session per host, so domain-wide cookies are not supported with this option. The "Secure" flag on the cookie is ignored, since the cookie never reaches the browser anyway. Expiration dates etc. are also not supported; it should only be used for session cookies. If a webserver sets max-age=0 then the cookie is deleted from the session.
- 24/4 2006, KR
  Version 4.61 released.
- 24/4 2006, KR
  Added support for an Agent to communicate with different sets of session controller clusters simultaneously. A sessionctrl will look at the cluster ID in the session ID, and if there is a specific cluster of session controllers configured for that cluster ID, it will use one of them to communicate with when doing anything to that session. This can mainly be used for separating sessioncontrollers between internal and external usage, but will allow applications that are accessed by both internal and external users simultaneously to work with both clusters.
  At the same time, if e.g. the internal cluster breaks down, external users will still work.
  Added the following new entries to the configuration for all agents: clusters=1,2,4,5 and cluster.xxx.sessioncontrollers=server1:port;server2:port where xxx is the cluster ID.
- 3/4 2006, KR
  The property "sessioncontrollers" can now be used instead of "ptsserver" to tell the agent which session controllers to connect to - if a property with the new name is found, it will be used - if not, the old one will be used as before.
- 29/3 2006, KR
  Added support for quarantined agents in the Session Controller. If an agent is slow in responding for a given number of session update requests, the timeout is first lowered from the default 5 seconds to 0.5 seconds - this is done to ensure that a slow agent cannot cause the whole system to behave slowly. If the agent continues to respond slowly, it will be disconnected. After 3 disconnects the agent will be quarantined for a while (default 10 minutes) and will not be allowed to connect to the server for that period. A couple of new configuration properties were added to handle this:
    "agentquarantinetime" default 600 - the number of seconds to quarantine a misbehaving agent.
    "agentfailuressoftlimit" default 10 - the number of times an agent has to fail in order to have its timeout lowered.
    "agentfailureshardlimit" default 100 - if an agent fails this number of times, it will be disconnected - after 3 disconnects because of failures, the agent will be quarantined until agentquarantinetime expires.
  Setting the soft or hard limit to 0 disables them.
  Added the parameter "exitOnOutOfMemory" to all agents - if true, the agent will attempt to exit the JVM if the JVM runs out of memory.
- 23/3 2006, KR
  Version 4.60 released.
- 19/3 2006, JN
  Refactored NTLM remote session controller function to get around mirroring issue.
  Extra checks in dispatcher to handle invalid access to technical error pages.
- 5/3 2006, JN
  Easy access to assigning user groups by extending NTLMAuthenticationPlugin::setUserGroups.
  Added easy mechanism for sending commands to connected mirrors of a session controller.
  The NTLM authentication plugin now handles logon done on different mirror controllers.
  Added support for showing built-in error when user has no access to error pages.
- 2/3 2006, KR
  Version 4.58 released.
- 2/3 2006, KR
  Authentication plugins now have access to the session controller instance.
- 27/2 2006, JN
  Updated links which are ignored through NTLM.
- 25/2 2006, JN
  Updated logging on cross domain errors.
  Caught annoying "once-in-a-while" NoSuchElementException from JRockit native StringTokenizer code.
  Fixed a looping issue for when the urlAccessFailedUrl was protected by NTLM (it never is now).
- 20/2 2006, KR
  Version 4.57 released.
- 20/2 2006, KR
  Fixed bug where statistics would not always show all available data when viewing from 1/1 1970 to current date.
- 17/2 2006, JN
  Optimized cross domain session size.
- 9/2 2006, KR
  Version 4.56 released.
- 8/2 2006, JN
  NTLM fixes for segments other than 0.
- 6/2 2006, KR
  Version 4.55 released.
- 29/1 2006, JN
  Added support for cross session controller cluster login.
  Extended support for failed NTLM session allowed through dispatcher to login pages.
- 24/1 2006, JN
  Added state information on failed NTLM logon when domain controller is unavailable.
- 18/1 2006, KR
  Version 4.54 released.
- 18/1 2006, KR
  Removed NTLM options for cache from session controller, since it doesn't hurt to always enable caching in the session controller - the options are instead controlled by the dispatcher.
- 16/1 2006, JN
  Added options to cache and allow failed NTLM logins to be passed through to pages with anonymous access.
- 12/1 2006, JN
  Fixed NTLM cache so the object is cached as a String instead of an Agent-required Object.
- 9/1 2006, KR
  Version 4.53 released.
- 8/1 2006, KR
  Added configuration.remote.servers property; if present in any server configuration, only clients/agents from one of the IPs listed there can read from the configuration.
  Session controller now displays segment ID when viewing a session's details.
  Code cleaned up, enum renamed to enumeration etc. to make sure it can compile with JDK 1.5.
- 5/1 2006, JN
  Separate classloading for NTLM authentication segments now in place.
- 2/1 2006, JN
  Added support for NTLM SMB authentication through the Dispatcher.
  Added SMB message cache support for crappy Internet Explorer re-authentications on POST messages.
  Removed a few warnings.
- 2/1 2006, KR
  Added checks for shutdown state in agent - if shutdown is in progress, we no longer try to reconnect to a server.
  Added segmentID to dispatcher - all sessions created will contain the configured segment ID; all incoming requests will be checked, and the session ID will only be considered valid if the segment ID matches. Non-matching segment IDs will follow the same rules as a timed out session - i.e. either a new session will be created, or the request will be redirected to a specified URL.
  The session controller can now restrict access to authentication plugins based on segment ID, just like it can do with environment IDs.
- 22/12 2005, KR
  Fixed bug in the previous change (not notifying mirrors on every single access) where the check was wrong.
  If a mirror updated a session just because its access timestamp was changed, the agents connected to this mirror are no longer needlessly told to flush their cache - this significantly reduces overhead if agents are connected to different mirrors.
- 13/12 2005, KR
  Session Controller mirrors are no longer notified on every single session access, but only if there haven't been other changes to the session within the last 15 seconds.
- 6/12 2005, JBF
  Version 4.52 released.
- 24/11 2005, KR
  Version 4.51 released.
- 24/11 2005, KR
  Delete group from the admin client interface did not work.
  Form based login to PP admin console did not work in all servers because the j_security_check parameter was incorrectly specified in the form.
- 14/11 2005, JBF
  Fixed init settings, which makes it possible to mix loading of server.name and config.servers from different locations, e.g. server.name can be set in the web.xml descriptor and config.servers can be set in a file defined by the systemproperty.file property.
  Added ping response time to tunnel logical server name.
- 13/11 2005, KR
  Fixed synchronization issue, where the server that was not initiating the mirror connection could end up not having all the sessions from the other server. Workaround was to let all servers connect to each other.
  garbagecollect.waitseconds property now available in configuration for session controller.
  In the dispatcher, serverrules, redirectrules and forwardrules can now have their status changed properly even if they are not affected by a ping rule. Previously their current state would not be updated if the configuration changed.
- 1/11 2005, JBF
  Fixed NullPointerException in sessioncontroller occurring when restrictedport was changed and no previous port was defined.
- 28/10 2005, JN
  Split PortalProtect Agent into Agent and common utilities that can be used in other projects. Goal for now is statistics and peer classes.
- 27/10 2005, KR
  Added memoryCacheSize to logserver configuration so the default of 1000 log entries cached in memory can be changed.
  When getting log records from an administration client, updates are now always forced (it will ask all connected appenders for the newest log records) before returning.
- 24/10 2005, JN
  By request, added support for 90 and 99 fractiles in the statistics.
- 21/10 2005, JBF
  Bugfix: race condition when stats were fetched and flushed at the same time.
  Added FORM based logon to admin console. Now uses HTTP session.
  Added logoff functionality to admin console.
  Added multi-dynamic graphing. Now shows all selected graphs as dynamic graphs, just like the static graphs.
  Updated graphapplet. This must be updated on all installations; required by new admin console.
  Added better support for Counters over time. Deprecated SimpleTimers and Counters. Use Timers instead.
  Added JAAS authentication plugin. Works the same way as the Tomcat JAAS auth plugins. Works with SALTED-HASH password login module and SPNEGO login module.
  Added detaultAuthenticatorType to DefaultValidator. Now supports the use of the default validator with any type of authentication plugin using the logon(userid,password) method.
  Bugfix: fixed bug in statistics data lookup which sometimes resulted in weird looking graph lines going back in time.
- 19/10 2005, JBF
  Bugfix: extends sometimes gets lost when running with multiple configuration servers.
  Bugfix: not using macros in launcher.properties correctly.
  Feature: added support for macro substitution in managed service configuration properties.
- 16/10 2005, KR
  Version 4.50 released.
- 14/10 2005, KR
  Added support for retrieving statistics and server status from the AdminClient API.
- 10/10 2005, KR
  AdminClient now requires either userid/credentials (userid/password that matches portalprotect-security.xml) or a valid session with an identified user. If the sessionid is used, ACLs are checked and the contents of portalprotect-security.xml is not used for checking; otherwise the ACLs in there are used.
- 5/10 2005, KR
  Added ca.provider.xxxx.allow.obsolete.crl which (if true) allows logon even if the CRL is obsolete.
- 4/10 2005, KR
  Fixed bug in dispatcher, where the last matching server rule was used instead of the first matching one.
  Added initial (somewhat incomplete) implementation of AdminClient - an API for administration that will eventually provide the same functionality as the PP Admin GUI currently does.
  PP Agent now waits up to 60 seconds for a connection to the session controller before giving up - the previous value was set to 15 seconds.
- 3/10 2005, KR
  Methods in LDAP classes made protected to support inheritance.
- 25/9 2005, KR
  A session can now be created with a segment ID - the segment can be used to e.g. separate internal and external applications.
  Added pingrules to dispatcher - a pingrule can ping a certain URL, and enable/disable a redirect-, forward- or server rule if the ping fails.
  Dispatcher status page extended so it can show the configured server, redirect, forward and ping rules and their relationship to each other.
- 22/9 2005, JBF
  Fixed bug with PP config agent reconnection when a configuration error occurs, like when the server connection does not exist. This caused the reconnect threads not to be cleaned up correctly.
- 23/8 2005, KR
  BufferedRollingFileAppender previously threw events away if the buffer ran full - now it flushes them to disk if the buffer runs full.
  Added redirectrule and forwardrule to dispatcher - works much like serverrule, but can either redirect to another URL or forward (which in this case means return the contents of a file as the reply).
- 31/7 2005, JBF
  Fixed small bug when cleaning up and destroying all connected peers to a configuration server which resulted in an error when trying to stop.
  Version 4.49 released.
- 27/7 2005, JBF
  Version 4.48 released.
- 28/6 2005, KR
  Version 4.47 released.
- 23/6 2005, KR
  Dispatcher now switches to another server if we chose one that we cannot connect to. This can happen if you have a cluster setup where one of the servers goes down, and a new request arrives before the dispatcher has had time to ping the server and discover that it is down.
  The ptsservers property can now be changed without restarting agents. When changed, the agent will close the current connection to the sessioncontroller and reconnect immediately to the new servers.
- 20/6 2005, KR
  Version 4.46 released.
- 20/6 2005, KR
  Added disableStatistics option to all client and server components. If set to true, statistics details will not be created.
- 17/6 2005, KR
  Fixed ClassCastException in CancelLogoffCommandHandler that occurred if someone tried to cancel a logoff on a session that is not logged on.
- 17/6 2005, JBF
  Major change to statistics propagation and handling. If PP Agents are updated to the new version, agents will no longer store and send raw uncompressed statistics data to the servers. Instead, statistics will be preprocessed into small 1-second duration statistics time slots. This reduces the memory consumption on PP clients that use the agents, on PP servers, and network bandwidth, which results in overall better performance and stability. This is most noticeable in heavy load setups.
- 12/6 2005, KR
  Added periodic garbage collection - can be defined in the agent settings, with the value "garbagecollect.waitseconds", and can also be set using the system property "garbagecollect.waitseconds" if an Agent is not running - it is initialized from the Peer class, so everyone using Peer2Peer (which includes all agents and servers) can now have periodic garbage collection enabled. This improves memory usage with many JVMs. The default interval is 30 seconds. Values are rounded up to 5 second intervals.
  Added a couple of sections to the PortalProtect Users Guide which explain how loadbalancing and multiple applications, as well as protecting URLs in the dispatcher, take place.
- 10/6 2005, KR
  Removed a bit of debugging code in WebLogic SSPI, and fixed a NullPointerException that occurred when viewing groups in WebLogic's console if the authorization provider did not return any users.
  Changed the LogonCommandHandler log category to use the one specific for the class instead of its parent - this means that logging of user logins can specifically be disabled if not desired in the normal log.
  The identifier given as argument to isURLAccessAllowed() is now either "default" or the name of the alternate server that the request is about to be sent to.
  Statistics interval changed to reduce memory usage (by up to 60%) - this means that the level of detail has changed, so we store statistics in 2-second intervals for 30 minutes, 2 minute intervals for 1 day, 1 hour intervals for 1 month, and finally 1 day intervals for 1 year. Note that it only takes effect if the old statistics.data is deleted.
  Increased thread priority for Agent peer threads by 1 to make sure that they get priority if the application is using 100% CPU. This ensures that the server gets fast responses on cache flushes.
- 6/6 2005, KR
  Version 4.45 released.
- 6/6 2005, JN
  Synchronized ACL and group cache in useradmin server, to fix problem where 2 simultaneous queries could cause problems, especially with slow DB2 response time.
- 1/6 2005, KR
  Version 4.44 released.
- 1/6 2005, KR
  reconnectToPrimarySessionCtrl added to PP Agent; if specified, the agent will attempt to reconnect to the primary session controller each minute after the first 5 minutes of being connected to a secondary session controller. This can be used to even out the load in a clustered environment.
- 1/6 2005, JN
  Added "customHttpHeaders" to dispatcher, which allows the dispatcher to add values from the user's session to the HTTP headers sent to the application. This can be used if an application doesn't want to use a PP Agent, but needs access to the information from the user's session.
- 31/5 2005, KR
  Sessioncontroller now allows the dispatcher to remove sessions.
  UserAdminAgent and PP Agent (SessionController) now support reconnecting to the primary server, to rebalance load in cluster setups.
  This happens automatically for the UserAdminAgent - after 5 minutes of being connected to a secondary server, it will attempt to reconnect to the primary server every 60 seconds. PP Agent will try the same towards the session controller if the property "reconnectToPrimarySessionCtrl" is set to true (default is false).
- 29/5 2005, KR
  Version 4.43 released.
- 23/5 2005, KR
  Added currently executing command to thread name in command processor.
  Fixed CA / CRLUpdater so only one instance of the CRLUpdater is running per URL per JVM; previously, if more than one authplugin was using the CRLUpdater, the CRL was loaded multiple times.
- 20/5 2005, JBF
  Changed statistics read/write code to stream data from/to the disk, allocating only 1 MB buffers instead of byte arrays the size of the complete statistics file.
- 19/5 2005, KR
  Added allowRemoveAllSessions option to session controller - if true, an action gets added to the GUI that allows the user to remove all sessions (mostly useful for test).
  Removed finalize() methods from a few classes to ensure faster garbage collection.
- 18/5 2005, KR
  Added BufferedRollingFileAppender that buffers log4j events up in a queue, and writes them to disk from a separate thread.
- 20/4 2005, JBF
  Fixed reconnection problems with the PeerClient that could over time lead to out-of-memory problems.
  Version 4.42 released.
- 18/3 2005, JBF
  Fixed a couple of minor bugs with relation to startup.
  Added support for Generic OCES X.509 provider.
  Version 4.41 released.
- 17/3 2005, JBF
  Version 4.40 released.
- 14/3 2005, KR
  Version 4.40 released.
- 14/3 2005, KR
  Added support for WebLogic clustering failover; added properties supportWeblogicClustering, weblogicCookieName, alternateserver.xxxx.supportWeblogicClustering and alternateserver.xxxx.weblogicCookieName.
  Added support for closing and reopening access to individual running servers without removing them from the configuration.
- 8/3 2005, KR
  Fixed a problem with pingurl - when the url was http://server/url then the server being pinged was "server" and not the real server that it should have been.
- 27/2 2005, KR
  Added extra debug in peer exception logging so we can see the port numbers and IP addresses of the involved servers.
  Minor performance improvements in UniqueId.equals() - makes lookup of sessions in hashtables faster.
  Simple data-based / context-based authorization is now supported.
  Proxy classes invoked via the Agent can now have access to the session controller directly.
  alternateserver.xxxx.ignore401 can be used in the tunnel to ignore 401 responses for specific alternate servers.
  alternateserver.xxxx.addauthorizationheader can be used in the tunnel to turn adding the authorization header off for specific servers.
  Updated PP Users Guide with the two new entries.
- 21/2 2005, JBF
  Fixed bug in tunnel with session obfuscation getting mixed up when HTTP and userDefileChannelHeader was defined.
  Version 4.38.8 released.
- 18/2 2005, KR
  Version 4.39 released.
- 18/2 2005, JBF
  Fixed bug in tunnel if the selected server did not contain any targets.
- 18/2 2005, JBF
  Version 4.38 released.
- 17/2 2005, JN
  Nykredit's transactionlog expanded with organisation ID, and appropriate ACLs.
- 10/2 2005, JBF
  Fixed minor bug with peerclient reconnect creating too many reconnector threads.
  Version 4.37 released.
- 8/2 2005, KR
  Version 4.36 released.
- 8/2 2005, JBF
  Bug fixed with peer connection cleanup between the statistics server and config servers.
- 7/2 2005, JBF
  Bug fixed with the collected statistics not returning the complete list of servers to the admin console.
- 31/1 2005, JBF
  Minor cosmetic changes to admin console.
  Changed error handling when remote nodes and peers get disconnected.
- 27/1 2005, JBF
  Added collapsible/expandable server view based on server type to admin console.
  Added support for externalization of server.name and config.servers properties used by launcher.
  This adds support for generation of general ROOT.war and PP.war files. These properties are now stored in property files specified in the .war deployment descriptors.
  Added support for Tunnel and Server deployment in WSAD test environment.
- 26/1 2005, JBF
  Added group by name and online to server view in admin console.
- 18/1 2005, JBF
  Minor changes related to Admin console and viewing of peer connections.
  Added start/stop support to peer connections between statistics and config servers. This can be used to do recovery of broken connections.
- 16/1 2005, KR
  Added statistics for logging size of blocks sent and received in the peer.
  Peer changed radically, to spawn a new thread used only for writing to the socket - this is a workaround to ensure that no thread will block for obscene amounts of time trying to write to the socket. It also ensures that the read thread is never blocked, which would kill timeout handling.
  Added warning in the log if the number of concurrently executing commands goes beyond 32, which could be an indication of something hanging.
  Authentication and Authorization plugins can now implement start() / stop() methods to be notified when a server is started or stopped from the admin GUI. It gives them a chance to clean up and close connections to backend servers.
- 15/1 2005, JBF
  Enhanced the logging of the statistics server connections to config servers (peerclient and peerserver).
  Added more recovery code to config server and statistics server.
  Added more info to config server admin GUI.
  Added support for PortalProtect packaged as an EAR that can be deployed in WAS and WSAD.
  Removed SNMP trap send queue. If no SNMP has been initialized, no traps will be queued for later sending.
  Added serialUID to RouteNode. Fixes a bug with the rolling upgrade of config servers sending route tables between config servers.
  Added RouteNode and peer cleanup code to RouteTable and config server.
- 14/1 2005, KR
  Version 4.34 released.
  Updated Users Guide with maxConcurrentSessions and maxConcurrentSessionsHardLimit.
- 14/1 2005, KR
  Improved session controller resync performance and memory usage. Instead of sending all sessions to the mirrored server upon connect, a list of session ids and timestamps is now sent - the receiver then compares to its own sessions and requests the sessions where the timestamps differ - this means that the initial overhead is much smaller.
  Added a warning to the log if the receiving mirror takes more than 5 seconds to process a UserChangedCommand from the mirror (to help pinpoint problems where communication between mirrors times out).
  Added maxConcurrentSessionsHardLimit - if the number of sessions goes beyond this limit, new sessions will not be created.
- 13/1 2005, KR
  Added maxConcurrentSessions to session controller. If the number of sessions grows beyond this soft limit, idle timeout will be decreased until some sessions can be freed.
  Added notifyAllAgentsOnSessionChanges - if true (NOT the default), behaviour will be like before; otherwise changes to a session (flush cache commands) will only be sent to agents which have previously used the session. This improves performance a lot, especially with a large number of agents.
  Added agent list, usergroups and state variables to detailed session information viewable from the console.
- 12/1 2005, KR
  Added metrics to session controller statustext, so we can see the size of internal variables.
  Added cache sizes to statustext in agent.
  Fixed bug in statistics introduced by me 28/12 (Summary didn't work).
  Sending a session to a mirror no longer means that the mirror touches the session's timestamp so it has to be synced again on next reconnect - this makes reconnects much faster.
  Garbage collect action added to session controller's status.
  Small memory leak fixed - mirror peer wasn't removed on disconnect in sessionctrl if it was listening for mirror connections (server side).
  ItpByteArrayOutputStream now resets the byte array when reset() is called, to lower idle memory usage.
  If WGET sends an invalid cookie, we now handle it in the dispatcher.
  If userUpdated in sessionController is called because of a session timeout or a resync, it no longer waits for peers to reply, but sends the command async.
- 10/1 2005, KR
  If userUpdated() in the session controller fails with a SocketException trying to send a flush-cache request to an agent, it will now kill the connection. Note that IOExceptions (such as timeouts) do not cause it to be closed by the server.
- 5/1 2005, KR
  Removed most synchronized from LruCache.get(); since the hashtable itself synchronizes it won't matter, and it will speed up its performance a little.
  UserList.resyncUsers changed to put entries in a hashtable before looking at them; previously it had loops within loops, so if it synchronized e.g. 40000 sessions with another 40000 sessions on the remote, it would loop through up to 1.6 billion sessions, simply taking too long - now the inner loop looks up the entry in a hashtable, so it is much faster.
  Agent failover always started with trying the first session controller - even though it was the one that failed - now it will do a round-robin selection on the servers it retries connecting to.
- 28/12 2004, KR
  Reworked statistics code, improved performance a little, ran checkPermission through a profiler and improved performance there as well. Also removed statistics from LruCache.get().
  Replaced statistics counters with timers.
  Fixed bug in log4j appender, where log records would be lost if log configuration was updated before they were sent to the server.
- 21/12 2004, KR
  Upgraded bouncycastle, changed crypto SCL Diffie-Hellman key exchange to work with newest version.
  Fixed SSL Tunnel code to report error if SCL server cannot connect to the socket server.
- 16/12 2004, KR
  Added sessionCacheSize, sessionCacheTimeout, groupCacheSize, groupCacheTimeout, aclCacheSize and aclCacheTimeout to Agent's configuration. The default for the ACL cache has been increased from 1000 to 10000 to avoid the problem where WebLogic Portal has thousands of ACLs per page.
- 13/12 2004, KR
  In UserAdmin server, the SQL "acl_query_users" is optimized for both Cloudscape and DB2. Also, SQLs can be configured per database type.
- 9/12 2004, KR
  PortalProtect Users Guide updated with information on how to configure clustering.
  Version 4.30 released.
- 6/12 2004, KR
  LogonCommandHandler changed, user name also logged along with userid.
  Added support for multiple mirror connections to the session controller - this is useful if you have e.g. 3 session controllers, each listening for connections from the two others, and each receiving connections from the two others. Now, only one update is sent to each mirror, no matter how many connections there are to it.
- 3/12 2004, KR
  Added environment check as part of group name in DefaultValidator - environment can be added as "groupname[.authlevel][@environment]".
  DefaultValidator also adds the "disableEnvironmentCheck" property, and "environmentAliasList" - the alias list can be used to specify aliases for environments, e.g. intern=1;extern=2, so a group name can be "useradmin@intern".
- 30/11 2004, KR
  Changed IAuthenticationPlugin, added support for specifying which environment ID is required to access a specific authentication plugin. Also added checks to PTSServer to ensure only valid environments are allowed access.
  The configuration property authenticationplugin.restrictenvironment added, with the format:
    authType=envId1,envId2,envId3;authType2=envId1;....
- 29/11 2004, KR
  Fixed possible log4j deadlock, removed all synchronized statements in toString() on objects, to avoid log4j error 24159 which might cause deadlock.
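The two environment formats from the 3/12 2004 and 30/11 2004 entries, as one added example that is not Ceptor code: it parses "groupname[.authlevel][@environment]" with the environmentAliasList and disableEnvironmentCheck properties, and "authType=envId1,envId2;authType2=envId1" from authenticationplugin.restrictenvironment. The class EnvironmentChecks and its methods are assumptions; so are the interpretation of the auth level as a minimum the session must meet, the use of the last "." as the level separator, and treating a plugin that is not listed as unrestricted.

```java
import java.util.*;

/**
 * Added example (not Ceptor code) of the DefaultValidator group-name environment check
 * and the authenticationplugin.restrictenvironment check. Names are assumptions.
 */
public class EnvironmentChecks {
    private final Map<String, String> envAliases = new HashMap<>();          // intern -> 1
    private final boolean disableEnvironmentCheck;
    private final Map<String, Set<String>> restrictEnvironment = new HashMap<>(); // authType -> env ids

    public EnvironmentChecks(Properties cfg) {
        disableEnvironmentCheck = Boolean.parseBoolean(cfg.getProperty("disableEnvironmentCheck", "false"));
        // environmentAliasList, e.g. intern=1;extern=2
        for (String pair : cfg.getProperty("environmentAliasList", "").split(";")) {
            String[] kv = pair.split("=", 2);
            if (kv.length == 2) envAliases.put(kv[0].trim(), kv[1].trim());
        }
        // authenticationplugin.restrictenvironment, e.g. ntlm=1;form=1,2
        for (String entry : cfg.getProperty("authenticationplugin.restrictenvironment", "").split(";")) {
            String[] kv = entry.split("=", 2);
            if (kv.length != 2) continue;
            Set<String> envs = new HashSet<>();
            for (String e : kv[1].split(",")) if (!e.trim().isEmpty()) envs.add(e.trim());
            restrictEnvironment.put(kv[0].trim(), envs);
        }
    }

    /** Parsed form of "groupname[.authlevel][@environment]"; environment is alias-resolved. */
    public static final class GroupSpec {
        public final String group;
        public final Integer authLevel;   // null when absent
        public final String environment;  // null when absent
        GroupSpec(String g, Integer l, String e) { group = g; authLevel = l; environment = e; }
    }

    public GroupSpec parseGroup(String spec) {
        String rest = spec.trim();
        String env = null;
        int at = rest.indexOf('@');
        if (at >= 0) { env = rest.substring(at + 1).trim(); rest = rest.substring(0, at); }
        Integer level = null;
        int dot = rest.lastIndexOf('.');
        if (dot >= 0 && rest.substring(dot + 1).matches("\\d+")) {
            level = Integer.valueOf(rest.substring(dot + 1));
            rest = rest.substring(0, dot);
        }
        if (env != null) env = envAliases.getOrDefault(env, env);
        return new GroupSpec(rest, level, env);
    }

    /** Whether a session that is member of {@code memberGroups}, at {@code sessionAuthLevel}, in {@code sessionEnv} satisfies the spec. */
    public boolean groupGrants(String spec, Set<String> memberGroups, int sessionAuthLevel, String sessionEnv) {
        GroupSpec g = parseGroup(spec);
        if (!memberGroups.contains(g.group)) return false;
        if (g.authLevel != null && sessionAuthLevel < g.authLevel) return false;   // assumption: minimum level
        if (!disableEnvironmentCheck && g.environment != null && !g.environment.equals(sessionEnv)) return false;
        return true;
    }

    /** Whether an authentication plugin may be used from the given environment ID. */
    public boolean pluginAllowedIn(String authType, String sessionEnv) {
        Set<String> allowed = restrictEnvironment.get(authType);
        return allowed == null || allowed.contains(sessionEnv);   // assumption: unlisted plugins are unrestricted
    }

    public static void main(String[] args) {
        Properties cfg = new Properties();   // constructed configuration
        cfg.setProperty("environmentAliasList", "intern=1;extern=2");
        cfg.setProperty("authenticationplugin.restrictenvironment", "ntlm=1;form=1,2");
        EnvironmentChecks checks = new EnvironmentChecks(cfg);
        Set<String> groups = new HashSet<>(Arrays.asList("useradmin", "staff"));
        System.out.println("useradmin@intern from env 1: " + checks.groupGrants("useradmin@intern", groups, 2, "1"));
        System.out.println("useradmin@intern from env 2: " + checks.groupGrants("useradmin@intern", groups, 2, "2"));
        System.out.println("staff.3 at level 2:          " + checks.groupGrants("staff.3", groups, 2, "1"));
        System.out.println("ntlm plugin from env 2:      " + checks.pluginAllowedIn("ntlm", "2"));
        System.out.println("form plugin from env 2:      " + checks.pluginAllowedIn("form", "2"));
    }
}
```

Resolving the alias before the comparison lets the ACL be written as "useradmin@intern" while the session carries the numeric environment ID that the dispatcher put into the session ID (21/11 2004 entry below).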
  Also cached toString on Peer, and added extra information to exceptions thrown by the Peer class.
- 23/11 2004, KR
  Removed alternateserver.xxxx.serverBusyErrorPage, and replaced it with serverBusyAlternateErrorPages that has the same format as alternateErrorPages (based on the hostname).
  Also, hostname in pingurl can now be specified, by changing the url to http://hostname/stuff instead of /stuff.
- 22/11 2004, KR
  Added serverBusyErrorPage (and alternateserver.xxxx.serverBusyErrorPage) that is shown if the number of concurrent connections is exceeded.
- 21/11 2004, KR
  Environment ID added to UniqueId, and dispatcher now sets the environment ID on the session ID. environmentID added to dispatcher configuration.
- 20/11 2004, KR
  Dispatcher changed, so a maximum number of concurrent connections can be specified per application - the total number of available simultaneous connections can also be specified, so if the number of connections goes beyond e.g. 80%, the dispatcher will start returning "502 Service Temporarily Unavailable" for requests to applications that already have too many connections. This is done to ensure that a single slow-responding application is not able to eat all available execute threads, and thus disable access to the other working applications.
  Added to configuration: dispatcherThreads, limitTriggerLevel, concurrentConnectionsWarning, concurrentConnectionsLimit, and alternateserver.xxxx.concurrentConnectionsWarning and alternateserver.xxxx.concurrentConnectionsLimit.
- 18/11 2004, JBF
  PID and Subject in Agent updated to support newest TDC company issued certificates with both CVR and CPR inside.
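The per-application connection limiting from the 20/11 2004 entry, as an added example that is not Ceptor code. It reads the properties named there (dispatcherThreads, limitTriggerLevel, concurrentConnectionsWarning, concurrentConnectionsLimit and the alternateserver.xxxx variants) and returns 502 only when the dispatcher as a whole is above the trigger level and the requested application is already at its own limit. The class ConnectionLimiter, its methods, the default values, and reading limitTriggerLevel as a percentage of dispatcherThreads are assumptions.

```java
import java.util.*;

/**
 * Added example (not Ceptor code) of limiting concurrent connections per application so one
 * slow backend cannot consume every dispatcher thread. Names and defaults are assumptions.
 */
public class ConnectionLimiter {
    private final int dispatcherThreads;
    private final int limitTriggerLevel;   // percent of dispatcherThreads in use before limits apply
    private final int defaultLimit;        // concurrentConnectionsLimit (0 = unlimited)
    private final int defaultWarning;      // concurrentConnectionsWarning (0 = never)
    private final Map<String, Integer> perAppLimit = new HashMap<>();
    private final Map<String, Integer> perAppWarning = new HashMap<>();
    private final Map<String, Integer> active = new HashMap<>();
    private int totalActive = 0;

    public ConnectionLimiter(Properties cfg) {
        dispatcherThreads = Integer.parseInt(cfg.getProperty("dispatcherThreads", "100"));
        limitTriggerLevel = Integer.parseInt(cfg.getProperty("limitTriggerLevel", "80"));
        defaultLimit = Integer.parseInt(cfg.getProperty("concurrentConnectionsLimit", "0"));
        defaultWarning = Integer.parseInt(cfg.getProperty("concurrentConnectionsWarning", "0"));
        String prefix = "alternateserver.";
        for (String key : cfg.stringPropertyNames()) {
            if (!key.startsWith(prefix)) continue;
            int v = Integer.parseInt(cfg.getProperty(key).trim());
            if (key.endsWith(".concurrentConnectionsLimit")) {
                perAppLimit.put(key.substring(prefix.length(), key.lastIndexOf('.')), v);
            } else if (key.endsWith(".concurrentConnectionsWarning")) {
                perAppWarning.put(key.substring(prefix.length(), key.lastIndexOf('.')), v);
            }
        }
    }

    /** Returns 0 if the request may proceed (the connection is now counted), or 502 if rejected. */
    public synchronized int acquire(String app) {
        int limit = perAppLimit.getOrDefault(app, defaultLimit);
        int used = active.getOrDefault(app, 0);
        boolean overTrigger = totalActive * 100 >= dispatcherThreads * limitTriggerLevel;
        if (overTrigger && limit > 0 && used >= limit) return 502;
        active.put(app, used + 1);
        totalActive++;
        return 0;
    }

    /** Releases a connection counted by a previous successful acquire(). */
    public synchronized void release(String app) {
        int used = active.getOrDefault(app, 0);
        if (used > 0) { active.put(app, used - 1); totalActive--; }
    }

    /** Whether the application is at or above its warning threshold (for logging). */
    public synchronized boolean shouldWarn(String app) {
        int warning = perAppWarning.getOrDefault(app, defaultWarning);
        return warning > 0 && active.getOrDefault(app, 0) >= warning;
    }

    public static void main(String[] args) {
        Properties cfg = new Properties();   // constructed configuration
        cfg.setProperty("dispatcherThreads", "10");
        cfg.setProperty("limitTriggerLevel", "80");
        cfg.setProperty("alternateserver.slowapp.concurrentConnectionsLimit", "3");
        cfg.setProperty("alternateserver.slowapp.concurrentConnectionsWarning", "2");
        ConnectionLimiter limiter = new ConnectionLimiter(cfg);
        // five requests to the slow application while the dispatcher is still mostly idle
        for (int i = 0; i < 5; i++) limiter.acquire("slowapp");
        System.out.println("warn on slowapp: " + limiter.shouldWarn("slowapp"));
        // three more to a healthy app push the dispatcher to 8 of 10 threads (80 %)
        for (int i = 0; i < 3; i++) limiter.acquire("fastapp");
        System.out.println("slowapp over trigger: " + limiter.acquire("slowapp"));
        System.out.println("fastapp over trigger: " + limiter.acquire("fastapp"));
    }
}
```

Below the trigger level the limiter lets requests through even when an application is over its limit, which is why the entry talks about the dispatcher "starting" to return 502 once the pool is nearly exhausted.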