What’s new

We’ve made changes to the Java Agent to improve the security of handling incoming request URLs.

By default, the agent will now reject an incoming request URL with an HTTP 400 in the following scenarios:

Learn more in Path traversal attempts.

Corresponding new properties are available to control this behavior if you need to make any changes:

Additionally, a new Control Handling of Path Traversal Attempts property lets you reject incoming URLs that contain .., or combinations of . and %2E as a path segment. By default, this property is set to false and the agent doesn’t reject URLs with these path segments.

A new Enable internal checking of JWT signature property controls how the JWT signature is validated. By default, the property is set to false, which doesn’t change JWT signature validation.

Set this property to true to validate the JWT signature internally.

The agent caches the AM public keys used for JWT signing when the JWT signature is validated internally. Configure this cache using the following new properties:

We’ve made changes to let you update list properties in bulk rather than individually. You do this by specifying @ in the index location and entering the value as comma-separated values.

For example, property[@]=one,two,three is the equivalent of setting the following properties individually:

Learn more in List properties.

Raw URL path invalidation regex list is a new property that lets you define regular expressions to match invalid or undesired characters or strings during URL validation.

Incoming URLs are evaluated against this property before path normalization and rejected with an HTTP 400 if a match is found.

Additionally, %5C is no longer converted to / during path normalization. If required, %5C can be added to the new property as an invalid string.

A new temporary files directory (/tmp) has been created in /path/to/java_agents/agent_type/Agent_n.

This /tmp directory is used by Prometheus monitoring for any temporary files.

Additionally, the /pdp directory used by default for POST data preservation (PDP) data when POST data is saved to files has moved to this /tmp directory. You can change the default directory using the existing POST Data Preservation File Directory property.

Metrics output from the Prometheus endpoint now uses the Prometheus 0.0.4 format. As a result, some metric names have been updated:

The sort order has also changed, and metrics are now ordered by sum and then count. Previously, they were ordered by count and then sum.

Learn more in Monitor services.

To improve security, the audit handling code is deprecated and replaced by the Commons Audit Framework. Sensitive information, such as cookies and some headers, is no longer audited by default.

New properties are available to define the audit log directory and include or exclude elements from audit logs. Learn more from Deprecated and Incompatible changes.

A new option, --raw-encrypt, is available in agentadmin to encrypt the agent password before agent installation.

With PingOne Advanced Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider’s secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.

Learn more from Create agent profiles in AM and Create an agent profile in PingOne Advanced Identity Cloud.

Installation of Java Agent with Jetty 12 is supported.

For installation on Jetty 12, you can use Javax EE8, Jakarta EE9, or Jakarta EE10. However, Java Agent can protect applications in only one EE environment at a time.

Java Agent on Jetty 12 runs on Java 17.

Learn more from Install Jetty Java Agent.

We’ve made changes to the Java Agent to improve the security of handling incoming request URLs.

By default, the agent will now reject an incoming request URL with an HTTP 400 in the following scenarios:

Learn more in Path traversal attempts.

Corresponding new properties are available to control this behavior if you need to make any changes:

Additionally, a new Control Handling of Path Traversal Attempts property lets you reject incoming URLs that contain .., or combinations of . and %2E as a path segment. By default, this property is set to false and the agent doesn’t reject URLs with these path segments.

Raw URL path invalidation regex list is a new property that lets you define regular expressions to match invalid or undesired characters or strings during URL validation.

Incoming URLs are evaluated against this property before path normalization and rejected with an HTTP 400 if a match is found.

Additionally, %5C is no longer converted to / during path normalization. If required, %5C can be added to the new property as an invalid string.

Metrics output from the Prometheus endpoint now uses the Prometheus 0.0.4 format. As a result, some metric names have been updated:

The sort order has also changed, and metrics are now ordered by sum and then count. Previously, they were ordered by count and then sum.

Learn more in Monitor services.

The agent uses pre-authentication cookies to track authentication requests to AM. During authentication, if the pre-authentication cookie has expired or doesn’t contain a required one-time code, the agent now logs a message to describe the failure.

When a user has insufficient credentials to access a requested resource, AM can return policy advice requiring the user to authenticate at a higher level.

If there is an error in the AM configuration, an infinite authentication loop can occur, where the user is repeatedly asked to authenticate.

The following new properties are available to manage infinite authentication loops:

A Dockerfile is now provided to deploy Tomcat Java Agent to extend and protect an application. For more information, refer to Deploy Java Agent with Docker.

Use of the FIPS Java API module from the Legion of the Bouncy Castle Inc is now supported. For more information, refer to Integrate with Bouncy Castle FIPS provider.

Procedures for drop-in software update are simplified and testing is now automated. For information about changes to drop-in software update, refer to Incompatible changes.

Java Agent agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.

You can now authenticate Java Agent to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

For more information, refer to Authenticate agents to PingOne Advanced Identity Cloud and Authenticate agents to AM.

Retain previous override behavior is a new property to force use of the following properties when constructing URLs for not-enforced rule evaluation, or policy evaluation:

For backward compatibility, the property is true by default; the override properties are not used to construct URLs.

Query parameters can now be used in the property OAuth Login URL List to create rules that evaluate request URLs for login redirect. Previously, the rules were based only on the request domain, path, and header.

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so the agent additionally invokes the AM REST logout endpoint to invalidate the session.

The new DENY keyword immediately denies access to matching resources. Access is always denied. A not-enforced rule with the DENY keyword is not inverted by the NOT keyword or by the following properties Invert Not-Enforced IPs or Invert Not-Enforced URIs.

For information, refer to Deny access.

Support for JDK 8 is removed in this release.

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

Java Agent now supports the Jakarta EE 9+ standard, with JDK 11. For information about supported operating systems Jakarta, refer to Jakarta EE platform requirements.

A file globbing pattern (containing * and ?) can now be used to match a hostname, in FQDN Map. Use this feature to map requests with virtual, invalid, or partial hostnames to URLs that contain a correct FQDN.

To help with troubleshooting, a new property -Ddisplay.classpath.mode.enabled=true is available to help locate .jar files that contain outdated classes. For more information and an example, refer to Detect the path of a resource loaded by classloader.

Log messages in Java Agent and third-party dependencies are now recorded using the Logback implementation of the Simple Logging Facade for Java (SLF4J) API. For more information, refer to Logging.

The following new properties are available to configure the storage of POST data to files instead of to the in-memory cache:

For more information, refer to POST data preservation.

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

For more information, refer to Not-enforced rules.

Maximum Decompression Size is a new property to limit the maximum size to which a compressed JWT can be decompressed. This property reduces the risk of memory exhaustion DOS attacks by reducing the risk of a decompressed JWT consuming too much available memory.

To improve protection against tampering, pre-authentication and POST data preservation cookies can now be signed. When the value of Pre-Authn and Post Data Preservation Cookie Signing Value is a non-zero length, its value is used to generate a signing key.

During installation, the path to a file that contains the signing value can be provided interactively or in the installation response file. Cookies are not signed if:

The signing value is stored in the AgentKey.properties file.

A new option is available in agentadmin to reveal the agent profile password.