Published by sreetummidi almost 8 years ago
Starting with this release, UAA no longer provides default values for the SAML Service Provider certificate and the JWT signing key, as a security best practice. These must be generated explicitly for each UAA deployment and are required for UAA to start up and function properly.
These are standard artifacts which can be generated using openssl. Please refer to the topic here on how to generate a self-signed cert.
The following required SAML properties need to be set in login.yml:

```yaml
serviceProviderKey: |
  -----BEGIN RSA PRIVATE KEY-----
  -----END RSA PRIVATE KEY-----
serviceProviderCertificate: |
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
serviceProviderKeyPassword:
```
The following required UAA JWT signing properties need to be set.
Please note that the following (legacy) properties have been deprecated in UAA. You are advised to use the new format for specifying the JWT signing key, which allows rotation of keys.

```yaml
jwt:
  token:
    verification-key: |
      -----BEGIN PUBLIC KEY-----
      -----END PUBLIC KEY-----
    signing-key: |
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----
```
The new format, which supports key rotation by switching activeKeyId to another entry under keys:

```yaml
jwt:
  policy:
    activeKeyId: key-id-1
    keys:
      key-id-1:
        signingKey: |
          -----BEGIN RSA PRIVATE KEY-----
          -----END RSA PRIVATE KEY-----
```
Please note that starting with this release, UAA can no longer be started with a plain ./gradlew run.
You need to pass a default profile that sets values for the SAML and UAA signing keys. Please use the new command below as a single execution, and make sure the path to your workspace is set properly:

```sh
LOGIN_CONFIG_URL=file://$HOME/workspace/uaa/uaa/src/main/resources/required_configuration.yml ./gradlew -Dspring.profiles.active=default,hsqldb run
```
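The following script is an added example, not code from the UAA project or this release: it generates the SAML SP key and self-signed certificate plus a JWT signing key with openssl, checks that the key belongs to the certificate and that the certificate is not about to expire, and renders both YAML fragments shown above (the login.yml SAML properties and the rotatable jwt.policy format). It assumes openssl is on PATH; the output directory, the CN uaa-sp.example.test and the key id key-id-1 are illustrative choices, and the key is written without a passphrase, which is why serviceProviderKeyPassword is left empty. Keys are converted to the PKCS#1 "BEGIN RSA PRIVATE KEY" encoding because that is the header the fragments above show.

```sh
#!/bin/sh
# Added example (not UAA project code): generate SAML SP key/cert and a JWT
# signing key with openssl, check them, and render the YAML fragments.
# Assumptions: openssl on PATH; file names, CN and key id are illustrative.
set -eu

# Convert an RSA key to PKCS#1 ("BEGIN RSA PRIVATE KEY"), the header used in
# the fragments above. OpenSSL 3 needs -traditional for that; OpenSSL 1.x
# emits it by default and rejects the flag, so fall back to the plain form.
to_pkcs1() {
  openssl rsa -in "$1" -out "$2" -traditional >/dev/null 2>&1 ||
    openssl rsa -in "$1" -out "$2" >/dev/null 2>&1
}

# gen_saml_sp DIR CN DAYS: self-signed SP signing cert and unencrypted key
gen_saml_sp() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$3" \
    -subj "/CN=$2" -keyout "$1/sp.tmp.key" -out "$1/sp.crt" >/dev/null 2>&1
  to_pkcs1 "$1/sp.tmp.key" "$1/sp.key"
  rm -f "$1/sp.tmp.key"
}

# gen_jwt_key DIR: RSA key for jwt.policy.keys.<id>.signingKey
gen_jwt_key() {
  openssl genrsa -out "$1/jwt.tmp.key" 2048 >/dev/null 2>&1
  to_pkcs1 "$1/jwt.tmp.key" "$1/jwt.key"
  rm -f "$1/jwt.tmp.key"
}

# key_matches_cert KEY CERT: the private key must belong to the certificate
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -noout -modulus)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# cert_valid_for CERT SECONDS: fails if the cert expires within SECONDS
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

indent() { sed "s/^/$1/"; }   # prefix every line of stdin with $1

# render_saml_yaml KEY CERT: the login.yml SAML properties
render_saml_yaml() {
  printf 'serviceProviderKey: |\n'
  indent '  ' <"$1"
  printf 'serviceProviderCertificate: |\n'
  indent '  ' <"$2"
  printf 'serviceProviderKeyPassword:\n'   # empty: key has no passphrase
}

# render_jwt_yaml KEY KEYID: the rotatable jwt.policy format
render_jwt_yaml() {
  printf 'jwt:\n  policy:\n    activeKeyId: %s\n    keys:\n      %s:\n        signingKey: |\n' "$2" "$2"
  indent '          ' <"$1"
}

# main OUTDIR: generate, check, and write a combined YAML file
main() {
  out=$1
  mkdir -p "$out"
  gen_saml_sp "$out" uaa-sp.example.test 365
  gen_jwt_key "$out"
  key_matches_cert "$out/sp.key" "$out/sp.crt"
  cert_valid_for "$out/sp.crt" 2592000     # refuse certs expiring within 30 days
  { render_saml_yaml "$out/sp.key" "$out/sp.crt"
    render_jwt_yaml "$out/jwt.key" key-id-1; } >"$out/required_configuration.yml"
  echo "wrote $out/required_configuration.yml"
}

if [ "$#" -gt 0 ]; then main "$1"; fi
```

Run it as `sh uaa_keys.sh ./uaa-keys` and point LOGIN_CONFIG_URL at the generated file. The modulus comparison catches a key/cert mismatch before UAA fails to start, and the -checkend step is there so the SP certificate is rotated before it lapses rather than discovered expired by an IdP.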
Published by sreetummidi almost 8 years ago
This release fixes a backwards-compatibility issue with client authentication to the /token endpoint.
We have fixed the endpoint to prompt for a Basic auth header (an HTTP authentication challenge) if client credentials are not provided. Many HTTP clients rely on this trigger mechanism for passing the credentials for authentication. More details can be found here.
Published by sreetummidi almost 8 years ago
Published by sreetummidi about 8 years ago
self
for /oauth/token/list
Published by sreetummidi about 8 years ago
Published by sreetummidi about 8 years ago
Please use this security release to patch the following CVEs on top of UAA Release 3.6.0
Published by sreetummidi about 8 years ago
This release fixes a bug in the autologin flow in UAA.
Fix /autologin to support application/x-www-form-urlencoded again.
Published by sreetummidi about 8 years ago
This is a security release which addresses
Published by sreetummidi about 8 years ago
This is a security release which addresses CVE-2016-6651 Privilege Escalation in UAA
Published by sreetummidi about 8 years ago
This is a security release which addresses
Published by sreetummidi about 8 years ago
This is a security release which addresses
Published by sreetummidi about 8 years ago
This is a security release which addresses
Published by sreetummidi about 8 years ago
This is a security release which addresses
Published by sreetummidi about 8 years ago
This is a security release which addresses
Published by sreetummidi about 8 years ago
Published by sreetummidi about 8 years ago
This is a security release which addresses CVE-2016-5016 UAA Accepts Expired Certificates
Published by sreetummidi about 8 years ago
Please use UAA 2.7.4.6 instead for CVE-2016-5016 UAA Accepts Expired Certificates
Published by sreetummidi about 8 years ago
This is a security release which addresses CVE-2016-5016 UAA Accepts Expired Certificates
Published by sreetummidi about 8 years ago
This is a security release which addresses CVE-2016-5016 UAA Accepts Expired Certificates
Published by sreetummidi about 8 years ago
This release marks the deprecation of the UAA properties listed here.
Please make sure that you have updated your UAA & LOGIN YAML configurations accordingly.