Published by cf-identity almost 5 years ago
IMPORTANT This release contains a new index creation that requires Postgres v9.5 or higher.
[Standalone only] Added some additional configuration options to the tomcat jdbc connection pool, allowing operators deploying UAA to tweak maxWait, validationInterval, testWhileIdle, and minEvictableIdleTimeMillis.
Added a database index on the revocable tokens table, submitted via PR #1154
Data-source configuration - add more properties to dynamic configuration submitted via PR #1161
Add ability to set portHeader in tomcat's server.xml submitted via PR #128
Reenable wildcarding of ports when UAA is in legacy redirect matching mode.
Bump spring-framework-bom from 5.2.1.RELEASE to 5.2.2.RELEASE
Bump spring-boot from 2.2.1.RELEASE to 2.2.2.RELEASE
Bump guava from 28.1-jre to 28.2-jre
Published by cf-identity almost 5 years ago
Purge expired sessions from the in-memory map
Configuring the UAA to manage sessions in memory resulted in the use of MapSessionRepository to manage sessions. MapSessionRepository does not automatically remove expired sessions from its backing map, and neither did the UAA, resulting in a memory leak. The fix registers a scheduled task to remove expired sessions.
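The leak and its fix, modelled as an added Python example (not UAA's or Spring Session's code): a map-backed repository that, like MapSessionRepository, only drops an expired entry when that entry is looked up, so sessions that are never touched again accumulate; purge_expired() and the scheduled purge thread are the fix. The class names, the FakeClock, and the timeout values are constructed for the example.

```python
import threading
import time
from typing import Callable, Dict, Optional, Tuple


class FakeClock:
    """Constructed, controllable clock so the example runs deterministically."""

    def __init__(self, start: float = 0.0):
        self._now = start

    def now(self) -> float:
        return self._now

    def advance(self, seconds: float) -> None:
        self._now += seconds


class Session:
    """Minimal session record: id, last access time and inactivity timeout."""

    def __init__(self, session_id: str, created_at: float, max_inactive_seconds: int):
        self.session_id = session_id
        self.last_accessed = created_at
        self.max_inactive_seconds = max_inactive_seconds

    def is_expired(self, now: float) -> bool:
        return now - self.last_accessed >= self.max_inactive_seconds


class InMemorySessionRepository:
    """Hypothetical map-backed store modelled on the behaviour described above.

    find_by_id() evicts an expired entry only when someone asks for it; a session
    that is never looked up again stays in the map forever. purge_expired() and
    start_purge_task() are the scheduled-cleanup fix.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock
        self._lock = threading.Lock()

    def save(self, session: Session) -> None:
        with self._lock:
            self._sessions[session.session_id] = session

    def find_by_id(self, session_id: str) -> Optional[Session]:
        with self._lock:
            session = self._sessions.get(session_id)
            if session is None:
                return None
            now = self._clock()
            if session.is_expired(now):
                del self._sessions[session_id]   # lazy eviction, only on lookup
                return None
            session.last_accessed = now          # touch on access
            return session

    def size(self) -> int:
        with self._lock:
            return len(self._sessions)

    def purge_expired(self) -> int:
        """Remove every expired session and return how many were removed."""
        now = self._clock()
        with self._lock:
            expired = [sid for sid, s in self._sessions.items() if s.is_expired(now)]
            for sid in expired:
                del self._sessions[sid]
        return len(expired)

    def start_purge_task(self, interval_seconds: float) -> threading.Event:
        """Run purge_expired() on a background thread every interval_seconds.
        Set the returned Event to stop the thread."""
        stop = threading.Event()

        def run() -> None:
            while not stop.wait(interval_seconds):
                self.purge_expired()

        threading.Thread(target=run, name="session-purge", daemon=True).start()
        return stop


def demonstrate_leak_and_fix() -> Tuple[int, int, int]:
    """Returns (map size before purge, sessions purged, map size after purge)."""
    clock = FakeClock()
    repo = InMemorySessionRepository(clock=clock.now)
    repo.save(Session("a", clock.now(), 30))
    repo.save(Session("b", clock.now(), 30))
    clock.advance(50)
    repo.save(Session("c", clock.now(), 30))
    clock.advance(10)            # t=60: "a" and "b" idle 60s (expired), "c" idle 10s
    before = repo.size()         # 3: nothing has evicted the dead sessions yet
    purged = repo.purge_expired()
    after = repo.size()
    return before, purged, after


if __name__ == "__main__":
    print(demonstrate_leak_and_fix())
```

Without the purge, `before` keeps growing with every login that is never followed by a lookup; with the scheduled task the map size tracks live sessions only.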
Published by cf-identity almost 5 years ago
Merged a github pull request that allows UAA to report health to bosh-dns, matching UAA’s health reporting to route_registrar.
Published by cf-identity almost 5 years ago
Improved logging when credentials are provided via URL params and log_level is set to DEBUG.
Published by cf-identity almost 5 years ago
Fixes a bug that made a database query crash when a user had too many SCIM group memberships.
Bump spring-security-oauth2 from 2.3.7.RELEASE to 2.4.0.RELEASE
Bump spring-security-jwt from 1.0.11.RELEASE to 1.1.0.RELEASE
Published by cf-identity almost 5 years ago
UAA should set a no-sniff header on the login page to prevent MIME-type sniffing.
Improved logging when credentials are directly submitted via a browser URL.
Bump spring-framework-bom from 5.2.0.RELEASE to 5.2.1.RELEASE
Bump spring-boot from 2.2.0.RELEASE to 2.2.1.RELEASE
Bump spring-security-saml2-core from 1.0.9.RELEASE to 1.0.10.RELEASE
Bump New Relic java agent from 3.48.0 to 5.8.0
Published by cf-identity almost 5 years ago
Fixes a bug that made the UAA only able to start if it was connected to the internet.
Published by cf-identity almost 5 years ago
This version of UAA will not start unless the UAA has internet access. This bug will be fixed in our next release.
Fixes a bug that made the UAA fail to start up successfully any time the env.no_proxy property was set.
Bump hamcrest from 2.1 to 2.2
Bump googleauth from 1.2.0 to 1.4.0
Bump jackson from 2.9.9.3 to 2.10.0
Bump spring-security-oauth2 from 2.3.6.RELEASE to 2.3.7.RELEASE
Bump Spring Boot from 2.1.9.RELEASE to 2.2.0.RELEASE
Published by cf-identity about 5 years ago
Added option to enable basic auth URI encoding compatibility mode: This feature complements functionality released as a breaking change in UAA v74.0.0, wherein we enabled the correct handling of special characters within the client secret. The added feature in this release provides optionality as to whether encoding of client secrets is enabled, by introducing ‘uaa.authentication.enable_uri_encoding_compatibility_mode’. When enabled (set to true), basic auth credentials will only be URI decoded when the X-CF-ENCODED-CREDENTIALS header is set to true. The default continues to operate in the same manner as v74.0.0 introduced.
Bump reflections from 0.9.10 to 0.9.11
Bump org.eclipse.jgit from 3.4.1.201406201815-r to 5.5.1.201910021850-r
Bump bouncycastle from 1.63 to 1.64
Bump cglib from 3.2.5 to 3.3.0
Bump apacheds-core from 1.5.5 to 2.0.0.AM25
Bump apacheds-protocol-ldap from 1.5.5 to 2.0.0.AM25
Bump httpclient from 4.5.3 to 4.5.10
Bump spring-security-jwt from 1.0.10.RELEASE to 1.0.11.RELEASE
Published by cf-identity about 5 years ago
Session management has been migrated to Spring Session. As a result, please consider the following changes before upgrading to this version:
Session configuration options have been simplified. The uaa.servlet.session-cookie configuration now only supports the max-age property; secure, http-only, name, comment, path, and domain are no longer supported.
The uaa.servlet.session-store configuration is used to determine the backend where sessions will be stored. The supported values are memory and database.
The memory option uses an in-memory map structure on a per-UAA basis. This is suitable for a single UAA, or for multiple UAAs if a session affinity strategy is employed at the routing layer. Sessions are destroyed if the UAA goes down for any reason. This is the same behavior the UAA had before this release.
The database option uses the configured database as a session store. This allows horizontal scaling by externalizing the session, but increases the volume of database reads/writes. Sessions are maintained in the event of UAA downtime.
Bump spring-framework-bom from 5.1.9.RELEASE to 5.2.0.RELEASE
Published by cf-identity about 5 years ago
Remove the previously deprecated "/password/score" endpoint
Set UAA's Current-User cookie to use secure attribute
Regain ability to cf push the UAA
Bump Spring Boot from 2.1.8.RELEASE to 2.1.9.RELEASE
Published by cf-identity about 5 years ago
UAA source and runtime target has been changed to Java version 11. Consumers of this release need to account for the Java version upgrade within their environment before upgrading.
Mark the /check_token endpoint as deprecated; recommend use of /introspect instead
Endpoint /introspect now allows bearer token authentication
Bump postgresql from 42.2.6 to 42.2.8
Bump lombok from 1.18.8 to 1.18.10
Bump jackson from 2.9.9 to 2.9.10
Bump bouncycastle from 1.62 to 1.63
Bump nokogiri from 1.8.5 to 1.10.4
Published by cf-identity about 5 years ago
Added the ability to forward the IP address of the caller to the IdP when using OIDC password grant
CVE-2019-11279: Addressed a privilege escalation via scope manipulation in UAA
CVE-2019-11278: Addressed a privilege escalation via blind SCIM injection in UAA
Fixed a bug that could potentially cause unnecessary and failing requests to the database
Bump Spring Boot from 2.1.6.RELEASE to 2.1.7.RELEASE
Bump log4j2 from 2.12.0 to 2.12.1
Bump slf4j-api from 1.7.27 to 1.7.28
Bump groovy from 2.5.7 to 2.5.8
Bump scim-sdk from 1.8.21 to 1.8.22
Bump snakeyaml from 1.24 to 1.25
Bump tomcat from 9.0.22 to 9.0.24
Bump api-ldap-model from 1.0.0 to 1.0.3 [Security CVE-2019-0231]
Bump mockito from 2.13.0 to 3.0.0
Bump flyway-core from 5.2.4 to 6.0.0
Bump guava from 28.0-jre to 28.1-jre
Published by cf-identity about 5 years ago
Stories included in this release are prepared by @dbeneke
Removed uaa_postgres job from uaa-release and recommend migration to postgres-release.
Update bbr-uaadb job to use bosh-properties first, then bosh-links to ensure more consistent backup/restore experience; expanding backup coverage to the bosh director.
Correct handling of special characters within the client secret - UAA can now understand client credentials that contain special characters within the secret when provided via basic authentication. However, this change means that any consumers of the UAA’s APIs who provide client credentials via basic authorization will need to change their implementation such that both the client id and client secret are URL-encoded.
The UAAC has been updated; version 4.2.0 is required to remain compatible with this fix.
The full header would be constructed like this:
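How the two sides of this change fit together, as an added Python example (not UAA's or UAAC's code): the client URL-encodes the client id and client secret separately before Base64-encoding the `id:secret` pair, and a hypothetical server-side parser decodes them. The parser also models the `uaa.authentication.enable_uri_encoding_compatibility_mode` option from the later release above, where decoding only happens when the request carries `X-CF-ENCODED-CREDENTIALS: true`. The function names, the client id and the secret are constructed for the example.

```python
import base64
from typing import Dict, Tuple
from urllib.parse import quote, unquote


def build_basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client side: Authorization: Basic base64(urlencode(id) + ':' + urlencode(secret)).

    safe='' makes quote() escape '/' as well, so a secret containing ':' or '/'
    can no longer be confused with the id/secret separator or lost in transit.
    """
    encoded_pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(encoded_pair.encode("utf-8")).decode("ascii")


def parse_basic_auth(authorization: str, headers: Dict[str, str],
                     compatibility_mode: bool = False) -> Tuple[str, str]:
    """Hypothetical server side, modelled on the behaviour the release notes describe.

    Default (compatibility_mode=False): always URI-decode both halves (v74.0.0 behaviour).
    compatibility_mode=True: decode only when X-CF-ENCODED-CREDENTIALS is 'true',
    so clients that never started encoding keep working unchanged.
    """
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic" or not payload:
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(payload).decode("utf-8")
    client_id, sep, client_secret = raw.partition(":")   # split on the FIRST colon only
    if not sep:
        raise ValueError("malformed credentials: missing ':' separator")
    # Header names are case-insensitive; normalise before looking the flag up.
    flag = {k.lower(): v for k, v in headers.items()}.get("x-cf-encoded-credentials", "")
    should_decode = (not compatibility_mode) or flag.strip().lower() == "true"
    if should_decode:
        client_id, client_secret = unquote(client_id), unquote(client_secret)
    return client_id, client_secret


if __name__ == "__main__":
    # Constructed sample credentials; the secret deliberately contains ':' '/' '+' '@'.
    header = build_basic_auth_header("app-client", "p@ss:word/1+2")
    print(header)
    print(parse_basic_auth(header, {}))
    print(parse_basic_auth(header, {}, compatibility_mode=True))
    print(parse_basic_auth(header, {"X-CF-ENCODED-CREDENTIALS": "true"}, compatibility_mode=True))
```

Note that `unquote` (not `unquote_plus`) is used on the server side, so a literal `+` in an unencoded legacy secret survives compatibility mode; only clients that send `%`-escapes need the flag.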
Users can now regenerate client secrets.
Deprecate the uaa-utils package from uaa-release.
Bump Tomcat to version 9.0.22.
Bump Spring Security to version 5.1.6.
Bump Spring to version 5.1.9.
Fixed a bug that caused the /info endpoint to communicate the incorrect UAA version.
Login success and error messaging on the UAA login page can no longer be manipulated via query.
Sanitize SCIM filters to prevent XSS attacks in older browser versions, which could otherwise execute the injected JavaScript.
Published by cf-identity about 5 years ago
Stories included in this release are prepared by @wc22222
The version(ing) applied to uaa has been synchronized with the version(ing) applied to uaa-release. Uaa-release moved to semantic versioning with version 73.0.0. Both uaa-release and uaa will now follow semantic versioning guidelines.
This release introduces a bug that causes the /info endpoint to communicate the incorrect version.
Reverted the unexpected backward incompatible change introduced in Spring Security 5:
Published by andrewedstrom over 5 years ago
Published by cf-identity over 5 years ago
Please use the next version of UAA, as we identified a backward incompatibility issue in upgrading to Spring Security 5 on 7/19/2019; the next release will revert this unexpected breaking change.
uaa.admin or tokens.revoke
expireInMonths
Stories included in this release are prepared by @wc22222
Published by cf-identity over 5 years ago
Published by cf-identity over 5 years ago
UAA BOSH Release should stop accepting http traffic from the public
As a Platform Operator, I want to use only BPM to manage the UAA process
Uaa-release sometimes fails to deploy with an error about /etc/ssl/certs/ca-certificates.crt
uaa.ca_certs used to be loaded into the VM's trust store. This no longer happens. They also used to be loaded into the UAA's Java JVM truststore, which still happens.
Upgrade to Log4j2 logging framework
Published by cf-identity over 5 years ago
Stories included in this release are prepared by @wc22222