---
title: New in Java Agent 2023.x
description: Java Agent 2023.11.2 is a maintenance release that introduces security enhancements and fixes.
component: java-agents
version: release-notes
page_id: java-agents::whats-new-2023
canonical_url: https://docs.pingidentity.com/java-agents/release-notes/whats-new-2023.html
section_ids:
  java_agent_2023_11_x: Java Agent 2023.11.x
  whats-new-2023.11.2: Java Agent 2023.11.2
  url-handling-2023112: URL handling
  url-validation-path-normalization-2023112: URL validation and path normalization
  changes-prometheus-endpoint-2023112: Changes to Prometheus metrics
  whats-new-2023.11.1: Java Agent 2023.11.1
  whats-new-2023.11: Java Agent 2023.11
  improved_error_reporting_for_authentication_failures: Improved error reporting for authentication failures
  improved_management_of_infinite_authentication_loops: Improved management of infinite authentication loops
  deployment_with_docker: Deployment with Docker
  integration_with_bouncy_castle_fips_provider: Integration with Bouncy Castle FIPS provider
  whats-new-2023.9: Java Agent 2023.9
  continued_improvement_to_drop_in_software_update: Continued improvement to drop-in software update
  whats-new-2023.6: Java Agent 2023.6
  authentication_of_java_agent_to_pingone_advanced_identity_cloud_and_am: Authentication of Java Agent to PingOne Advanced Identity Cloud and AM
  override_alternate_host_port_and_protocol_in_constructed_urls: Override alternate host, port, and protocol in constructed URLs
  whats-new-2023.3: Java Agent 2023.3
  conditional_redirect_of_unauthenticated_requests_based_on_request_query_parameters: Conditional redirect of unauthenticated requests based on request query parameters
  invalidation_of_sessions_on_logout: Invalidation of sessions on logout
  deny_keyword_for_not_enforced_rules: DENY keyword for not-enforced rules
  jdk_8: JDK 8
---

# New in Java Agent 2023.x

## Java Agent 2023.11.x

### Java Agent 2023.11.2

Java Agent 2023.11.2 is a maintenance release that introduces security enhancements and fixes.

#### URL handling

We've made changes to the Java Agent to improve the security of handling incoming request URLs.

|   |                                                                                                                                                                                                                                                                                                    |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | These changes may affect the agent's behavior in your environment. You should review these settings and make sure they are suitable for your requirements. In particular, consider that not-enforced rules and AM policies are evaluated against normalized paths with the path parameters removed. |

By default, the agent will now reject an incoming request URL with an `HTTP 400` in the following scenarios:

* One or more of the following characters exist in the URL path or path parameters:

  * `%2E` (encoded period character)

  * `%2F` (encoded forward slash)

  * `%3B` (encoded semicolon)

  * `%5C` (encoded backslash)

  * `\` (unencoded backslash)

* The incoming URL path contains encoded control characters. These are characters in the range `%00` to `%1F` inclusive, and `%7F`.

* The incoming URL path contains invalid encodings, such as `%G1`.

* The incoming URL path doesn't conform with the rules in the Jakarta Servlet Specification [Request URI Path Processing](https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1#request-uri-path-processing) section.

|   |                                                                                                    |
| - | -------------------------------------------------------------------------------------------------- |
|   | Encoded characters are case-insensitive. For example, `%2E` and `%2e` are handled in the same way. |

Learn more in [Path traversal attempts](https://docs.pingidentity.com/java-agents/2023.11/security-guide/threats.html#path-traversal-attempts).

Corresponding new properties are available to control this behavior if you need to make any changes:

* [Control Handling of the URL Encoded Sequence %2e](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.percent.2e.handling.strategy.html)

* [Control Handling of the URL Encoded Sequence %2f](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.percent.2f.handling.strategy.html)

* [Control Handling of the URL Encoded Sequence %3b](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.percent.3b.handling.strategy.html)

* [Control Handling of the URL Encoded Sequence %5c](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.percent.5c.handling.strategy.html)

* [Control Handling of the Backslash Character](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.backslash.handling.strategy.html)

* [Handle Invalid Escape Sequences](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.reject.invalid.escape.sequences.enabled.html)

* [Strictly enforce the Java Servlet Specification](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.rigourously.enforce.jakarta.servlet.specification.enabled.html)

Additionally, a new [Control Handling of Path Traversal Attempts](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.reject.path.traversal.attempts.enabled.html) property lets you reject incoming URLs that contain `..`, or combinations of `.` and `%2E` as a path segment. By default, this property is set to `false` and the agent doesn't reject URLs with these path segments.
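The default checks listed above can be approximated offline to see which request targets in existing access logs would start receiving an `HTTP 400` after the upgrade. The following Python is an added example, not the agent's code. It doesn't model the Jakarta Servlet Specification conformance check. The function names, the sample targets, and the reading of a path traversal segment (any two-character combination of `.` and `%2E`, compared after stripping path parameters) are assumptions.

```python
import re

# Encoded sequences rejected by default, per the release note (case-insensitive).
ENCODED = {"%2e": "encoded period", "%2f": "encoded forward slash",
           "%3b": "encoded semicolon", "%5c": "encoded backslash"}
CONTROL = re.compile(r"%(?:[01][0-9a-f]|7f)", re.I)    # %00-%1F and %7F
BAD_ESCAPE = re.compile(r"%(?![0-9a-f]{2})", re.I)     # e.g. %G1 or a trailing %
DOT_SEGMENT = re.compile(r"(?:\.|%2e){2}", re.I)       # .., .%2E, %2E., %2E%2E


def rejection_reasons(request_target, reject_traversal=False):
    """Return the reasons the path of request_target would draw an HTTP 400."""
    # The rules cover the path and its path parameters, not the query string.
    path = request_target.split("?", 1)[0]
    lowered = path.lower()
    reasons = [label for seq, label in ENCODED.items() if seq in lowered]
    if "\\" in path:
        reasons.append("unencoded backslash")
    if CONTROL.search(path):
        reasons.append("encoded control character")
    if BAD_ESCAPE.search(path):
        reasons.append("invalid encoding")
    # Optional check, off by default like the path traversal property.
    # Assumption: path parameters are stripped before comparing the segment.
    if reject_traversal and any(
            DOT_SEGMENT.fullmatch(seg.split(";", 1)[0]) for seg in path.split("/")):
        reasons.append("path traversal segment")
    return reasons


def triage(targets, reject_traversal=False):
    """Map each target that would be rejected to its list of reasons."""
    results = ((t, rejection_reasons(t, reject_traversal)) for t in targets)
    return {t: reasons for t, reasons in results if reasons}


# Constructed request targets standing in for the request field of an access log.
SAMPLE_TARGETS = [
    "/app/index.html?next=%2Fhome",   # encoded slash only in the query: allowed
    "/app/%2e%2e/admin",
    "/app/../admin",                  # flagged only when reject_traversal is set
    "/files/report%2F2023.pdf",
    "/app/a%5Cb",
    "/app/name%0d%0a",
    "/app/%G1",
    "/app/page;jsessionid=abc%3Bdef",
]

if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_TARGETS).items():
        print(f"400  {target}  <- {', '.join(reasons)}")
```

Targets that legitimate clients send and that appear in the output are the ones to resolve, either in the application or with the handling-strategy properties listed above, before rolling out 2023.11.2.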

#### URL validation and path normalization

[Raw URL path invalidation regex list](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.raw.url.path.invalidation.regex.list.html) is a new property that lets you define regular expressions to match invalid or undesired characters or strings during URL validation.

Incoming URLs are evaluated against this property before path normalization and rejected with an `HTTP 400` if a match is found.

Additionally, `%5C` is no longer converted to `/` during path normalization. If required, `%5C` can be added to the new property as an invalid string.

#### Changes to Prometheus metrics

Metrics output from the Prometheus endpoint now uses the Prometheus 0.0.4 format. As a result, some metric names have been updated:

* Metric names ending `_total` now end `_sum`.

* `ja_jvm_thread_state` metrics ending `_count` now end `_result`.

* Other metric names ending `_count` no longer include the `_count` suffix.

* The `agent-exception` decision for denied `ja_request` metrics has been replaced by `bad-request` and `unexpected-exception` decisions depending on the reason.

* The following WebSocket metric names have been updated to include a `_total` suffix:

  * `ja_websocket_config_change_processed`

  * `ja_websocket_config_change_received`

  * `ja_websocket_policy_change_processed`

  * `ja_websocket_policy_change_received`

  * `ja_websocket_session_logout_processed`

  * `ja_websocket_session_logout_received`

The sort order has also changed, and metrics are now ordered by sum and then count. Previously, they were ordered by count and then sum.

Learn more in [Monitor services](https://docs.pingidentity.com/java-agents/2023.11/maintenance-guide/monitoring.html).

### Java Agent 2023.11.1

Java Agent 2023.11.1 is a maintenance release. It contains no new features.

### Java Agent 2023.11

Java Agent 2023.11 is a minor release that introduces new features, functional enhancements, and fixes.

#### Improved error reporting for authentication failures

The agent uses pre-authentication cookies to track authentication requests to AM. During authentication, if the pre-authentication cookie has expired or doesn't contain a required one-time code, the agent now logs a message to describe the failure.

#### Improved management of infinite authentication loops

When a user has insufficient credentials to access a requested resource, AM can return policy advice requiring the user to authenticate at a higher level.

If there is an error in the AM configuration, an infinite authentication loop can occur, where the user is repeatedly asked to authenticate.

The following new properties are available to manage infinite authentication loops:

* [Bad advice loop termination counter](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.bad.advice.loop.termination.counter.html)

* [Bad advice loop termination HTTP status](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.bad.advice.loop.termination.http.code.html)

* [Bad advice loop termination URL](https://docs.pingidentity.com/java-agents/2023.11/properties-reference/org.forgerock.agents.bad.advice.loop.termination.url.html)

#### Deployment with Docker

A Dockerfile is now provided to deploy Tomcat Java Agent to extend and protect an application. For more information, refer to [Deploy Java Agent with Docker](https://docs.pingidentity.com/java-agents/2023.11/installation-guide/docker.html).

#### Integration with Bouncy Castle FIPS provider

Use of the FIPS Java API module from the Legion of the Bouncy Castle Inc is now supported. For more information, refer to [Integrate with Bouncy Castle FIPS provider](https://docs.pingidentity.com/java-agents/2023.11/installation-guide/secure-connections.html#fips).

## Java Agent 2023.9

Java Agent 2023.9 is a minor release that introduces new features, functional enhancements, and fixes.

### Continued improvement to drop-in software update

Procedures for *drop-in software update* are simplified and testing is now automated. For information about changes to drop-in software update, refer to [Incompatible changes](changes.html).

## Java Agent 2023.6

Java Agent 2023.6 is a minor release that introduces new features, functional enhancements, and fixes.

### Authentication of Java Agent to PingOne Advanced Identity Cloud and AM

Java Agents are automatically authenticated to PingOne Advanced Identity Cloud and AM by a non-configurable authentication module. Authentication chains and modules are deprecated and replaced by nodes, trees, and journeys.

You can now authenticate Java Agent to PingOne Advanced Identity Cloud and AM 7.3 with a journey. The procedure is currently optional, but will be required when authentication chains and modules are removed in a future release.

For more information, refer to *Authenticate agents to PingOne Advanced Identity Cloud* and *Authenticate agents to AM*.

### Override alternate host, port, and protocol in constructed URLs

`Retain previous override behavior` is a new property to force use of the following properties when constructing URLs for not-enforced rule evaluation, or policy evaluation:

* `Alternative Agent Host Name`

* `Alternative Agent Port Number`

* `Alternative Agent Protocol`

For backward compatibility, the property is `true` by default; the override properties are not used to construct URLs.

## Java Agent 2023.3

Java Agent 2023.3 is a major release that introduces new features, functional enhancements, and fixes.

### Conditional redirect of unauthenticated requests based on request query parameters

Query parameters can now be used in the property `OAuth Login URL List` to create rules that evaluate request URLs for login redirect. Previously, the rules were based only on the request domain, path, and header.

### Invalidation of sessions on logout

`Always invalidate sessions` is a new property to invoke the AM REST logout endpoint.

If `Conditional Logout URL List` is set to a URL that does not perform a REST logout to AM, set `Always invalidate sessions` to `true` so the agent additionally invokes the AM REST logout endpoint to invalidate the session.

### `DENY` keyword for not-enforced rules

The new `DENY` keyword immediately denies access to matching resources. Access is *always* denied. A not-enforced rule with the `DENY` keyword is not inverted by the `NOT` keyword or by the properties `Invert Not-Enforced IPs` and `Invert Not-Enforced URIs`.

For more information, refer to *Deny access*.

### JDK 8

Support for JDK 8 is removed in this release.
