---
title: New in Java Agent 2024.x
description: Java Agent 2024.11.1 is a maintenance release. It contains no new features.
component: java-agents
version: release-notes
page_id: java-agents::whats-new-2024
canonical_url: https://docs.pingidentity.com/java-agents/release-notes/whats-new-2024.html
section_ids:
  java_agent_2024_11_x: Java Agent 2024.11.x
  whats-new-2024.11.1: Java Agent 2024.11.1
  whats-new-2024.11: Java Agent 2024.11
  url-handling: URL handling
  jwt-signature-validation: JWT signature validation
  list_properties: List properties
  whats-new-2024.9: Java Agent 2024.9
  url-validation-path-normalization: URL validation and path normalization
  temporary-files: Temporary files
  changes-prometheus-endpoint: Changes to Prometheus metrics
  whats-new-2024.6: Java Agent 2024.6
  commons-audit-framework: Commons Audit Framework
  offline-agent-password-encryption: Offline agent password encryption
  whats-new-2024.3: Java Agent 2024.3
  hardened-security: Hardened security
  jetty-agent-12: Jetty Java Agent 12
---

# New in Java Agent 2024.x

## Java Agent 2024.11.x

### Java Agent 2024.11.1

Java Agent 2024.11.1 is a maintenance release. It contains no new features.

### Java Agent 2024.11

Java Agent 2024.11 is a minor release that introduces new features, functional enhancements, and fixes.

#### URL handling

We've made changes to the Java Agent to improve the security of handling incoming request URLs.

|   |                                                                                                                                                                                                                                                                                                    |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | These changes may affect the agent's behavior in your environment. You should review these settings and make sure they are suitable for your requirements. In particular, consider that not-enforced rules and AM policies are evaluated against normalized paths with the path parameters removed. |

By default, the agent will now reject an incoming request URL with an `HTTP 400` in the following scenarios:

* One or more of the following characters exist in the URL path or path parameters:

  * `%2E` (encoded period character)

  * `%2F` (encoded forward slash)

  * `%3B` (encoded semicolon)

  * `%5C` (encoded backslash)

  * `\` (unencoded backslash)

* The incoming URL path contains encoded control characters. These are characters in the range `%00` to `%1F` inclusive, and `%7F`.

* The incoming URL path contains invalid encodings, such as `%G1`.

* The incoming URL path doesn't conform with the rules in the Jakarta Servlet Specification [Request URI Path Processing](https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1#request-uri-path-processing) section.

|   |                                                                                                    |
| - | -------------------------------------------------------------------------------------------------- |
|   | Encoded characters are case-insensitive. For example, `%2E` and `%2e` are handled in the same way. |

Learn more in [Path traversal attempts](https://docs.pingidentity.com/java-agents/2024.11/security-guide/threats.html#path-traversal-attempts).

Corresponding new properties are available to control this behavior if you need to make any changes:

* [Control Handling of the URL Encoded Sequence %2e](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.percent.2e.handling.strategy.html)

* [Control Handling of the URL Encoded Sequence %2f](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.percent.2f.handling.strategy.html)

* [Control Handling of the URL Encoded Sequence %3b](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.percent.3b.handling.strategy.html)

* [Control Handling of the URL Encoded Sequence %5c](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.percent.5c.handling.strategy.html)

* [Control Handling of the Backslash Character](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.backslash.handling.strategy.html)

* [Handle Invalid Escape Sequences](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.reject.invalid.escape.sequences.enabled.html)

* [Strictly enforce the Java Servlet Specification](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.rigourously.enforce.jakarta.servlet.specification.enabled.html)

Additionally, a new [Control Handling of Path Traversal Attempts](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.reject.path.traversal.attempts.enabled.html) property lets you reject incoming URLs that contain `..`, or combinations of `.` and `%2E` as a path segment. By default, this property is set to `false` and the agent doesn't reject URLs with these path segments.
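To find request paths in your own traffic that the new defaults would answer with an `HTTP 400`, you can model the rules listed above. The following Python sketch is an added example, not Ping Identity code and not the agent's implementation. The names `rejection_reasons`, `audit`, and `SAMPLE_TARGETS` are hypothetical, the sample targets are constructed, and the sketch assumes the query string is not checked. It does not cover the Jakarta Servlet Specification conformance rule.

```python
import re

# Encoded sequences the page lists as rejected by default (hex compared upper-cased).
FORBIDDEN = {"2E": "encoded period", "2F": "encoded forward slash",
             "3B": "encoded semicolon", "5C": "encoded backslash"}
ESCAPE = re.compile(r"%(..?)?")  # '%' plus up to two following characters

SAMPLE_TARGETS = [  # constructed request targets, not real traffic
    "/app/home?next=%2Fprofile", "/app/..%2fadmin", "/app/report;v=1%3b2",
    "/files/a%5Cb", "/files\\share", "/app/%0d%0aheader", "/app/%G1",
    "/app/../admin",
]


def rejection_reasons(request_target, reject_path_traversal=False):
    """List why the default rules described above would reject this path."""
    path = request_target.split("?", 1)[0]  # assumption: query string not checked
    reasons = []
    if "\\" in path:
        reasons.append("unencoded backslash")
    for match in ESCAPE.finditer(path):
        digits = (match.group(1) or "").upper()
        if not re.fullmatch(r"[0-9A-F]{2}", digits):
            reasons.append(f"invalid encoding {match.group(0)}")
        elif digits in FORBIDDEN:
            reasons.append(f"{FORBIDDEN[digits]} %{digits}")
        elif int(digits, 16) <= 0x1F or digits == "7F":
            reasons.append(f"encoded control character %{digits}")
    # Optional check, off by default like the path traversal property.
    if reject_path_traversal and any(
            re.sub(r"(?i)%2e", ".", seg) == ".." for seg in path.split("/")):
        reasons.append("path traversal segment")
    return reasons


def audit(targets, **options):
    """Map each target that would get an HTTP 400 to its reasons."""
    checked = {t: rejection_reasons(t, **options) for t in targets}
    return {t: why for t, why in checked.items() if why}


if __name__ == "__main__":
    for target, why in audit(SAMPLE_TARGETS).items():
        print(f"HTTP 400 expected for {target!r}: {', '.join(why)}")
```

Feed `audit` the request targets from your access logs before upgrading. Any hit is a client or application URL to fix, or a reason to review the corresponding handling property.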

#### JWT signature validation

A new [Enable internal checking of JWT signature](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.internal.check.jwt.signature.enabled.html) property controls how the JWT signature is validated. By default, the property is set to `false`, which doesn't change JWT signature validation.

Set this property to `true` to validate the JWT signature internally.

The agent caches the AM public keys used for JWT signing when the JWT signature is validated internally. Configure this cache using the following new properties:

* [TTL for the entire public key cache in seconds](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.public.key.cache.ttl.seconds.html)

* [Public Key Cache Non-Refresh Interval in seconds](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/org.forgerock.agents.public.key.non.refresh.interval.seconds.html)

|   |                                                                                          |
| - | ---------------------------------------------------------------------------------------- |
|   | When the JWT signature is validated internally, there is an expected performance impact. |

#### List properties

We've made changes to let you update list properties in bulk rather than individually. You do this by specifying `@` in the index location and entering the value as comma-separated values.

For example, `property[@]=one,two,three` is the equivalent of setting the following properties individually:

```none
property[]=one
property[]=two
property[]=three
```

Learn more in [List properties](https://docs.pingidentity.com/java-agents/2024.11/properties-reference/preface.html#list-properties).

## Java Agent 2024.9

Java Agent 2024.9 is a minor release that introduces new features, functional enhancements, and fixes.

### URL validation and path normalization

`Raw URL path invalidation regex list` is a new property that lets you define regular expressions to match invalid or undesired characters or strings during URL validation.

Incoming URLs are evaluated against this property before path normalization and rejected with an `HTTP 400` if a match is found.

Additionally, `%5C` is no longer converted to `/` during path normalization. If required, `%5C` can be added to the new property as an invalid string.

### Temporary files

A new temporary files directory (`/tmp`) has been created in `/path/to/java_agents/agent_type/Agent_n`.

This `/tmp` directory is used by Prometheus monitoring for any temporary files.

Additionally, the `/pdp` directory used by default for POST data preservation (PDP) data when POST data is saved to files has moved to this `/tmp` directory. You can change the default directory using the existing `POST Data Preservation File Directory` property.

### Changes to Prometheus metrics

Metrics output from the Prometheus endpoint now uses the Prometheus 0.0.4 format. As a result, some metric names have been updated:

* Metric names ending `_total` now end `_sum`.

* `ja_jvm_thread_state` metrics ending `_count` now end `_result`.

* Other metric names ending `_count` no longer include the `_count` suffix.

* The `agent-exception` decision for denied `ja_request` metrics has been replaced by `bad-request` and `unexpected-exception` decisions depending on the reason.

* The following WebSocket metric names have been updated to include a `_total` suffix:

  * `ja_websocket_config_change_processed`

  * `ja_websocket_config_change_received`

  * `ja_websocket_policy_change_processed`

  * `ja_websocket_policy_change_received`

  * `ja_websocket_session_logout_processed`

  * `ja_websocket_session_logout_received`

The sort order has also changed, and metrics are now ordered by sum and then count. Previously, they were ordered by count and then sum.

Learn more in *Monitor services*.

## Java Agent 2024.6

Java Agent 2024.6 is a minor release that introduces new features, functional enhancements, and fixes.

### Commons Audit Framework

To improve security, the audit handling code is deprecated and replaced by the Commons Audit Framework. Sensitive information, such as cookies and some headers, is no longer audited by default.

New properties are available to define the audit log directory and include or exclude elements from audit logs. Learn more from [Deprecated](deprecated.html) and [Incompatible changes](changes.html).

### Offline agent password encryption

A new option, `--raw-encrypt`, is available in `agentadmin` to encrypt the agent password before agent installation.

## Java Agent 2024.3

Java Agent 2024.3 is a major release that introduces new features, functional enhancements, and fixes.

### Hardened security

With PingOne Advanced Identity Cloud and from AM 7.5, the agent profile password can optionally be managed through the identity provider's secret service. If the identity provider finds a matching secret in a secret store, it uses that secret instead of the hard-coded agent password.

Learn more from *Create agent profiles* in AM and *Create an agent profile in PingOne Advanced Identity Cloud*.

### Jetty Java Agent 12

Installation of Java Agent with Jetty 12 is supported.

For installation on Jetty 12, you can use Javax EE8, Jakarta EE9, or Jakarta EE10. However, Java Agent can protect applications in only one EE environment at a time.

Java Agent on Jetty 12 runs on Java 17.

Learn more from *Install Jetty Java Agent*.
