Java Agents

New in Java Agent 5.10.x

Java Agent 5.10.4

Java Agent 5.10.4 is a maintenance release that introduces security enhancements.

URL handling

We’ve made changes to the Java Agent to improve the security of handling incoming request URLs.

These changes may affect the agent’s behavior in your environment. You should review these settings and make sure they are suitable for your requirements.

In particular, note that not-enforced rules and AM policies are evaluated against the normalized request path, with path parameters removed, rather than against the raw URL as it arrived.

By default, the agent will now reject an incoming request URL with an HTTP 400 in the following scenarios:

  • The URL path or path parameters contain one or more of the following:

    • %2E (encoded period character)

    • %2F (encoded forward slash)

    • %3B (encoded semicolon)

    • %5C (encoded backslash)

    • \ (unencoded backslash)

  • The incoming URL path contains encoded control characters. These are characters in the range %00 to %1F inclusive, and %7F.

  • The incoming URL path contains invalid encodings, such as %G1.

  • The incoming URL path doesn’t conform to the rules in the Jakarta Servlet Specification Request URI Path Processing section.

Encoded characters are case-insensitive. For example, %2E and %2e are handled in the same way.

Learn more in Path traversal attempts.

Corresponding new properties are available to control this behavior if you need to make any changes:

  • Control Handling of the URL Encoded Sequence %2e

  • Control Handling of the URL Encoded Sequence %2f

  • Control Handling of the URL Encoded Sequence %3b

  • Control Handling of the URL Encoded Sequence %5c

  • Control Handling of the Backslash Character

  • Handle Invalid Escape Sequences

  • Strictly enforce the Java Servlet Specification

Additionally, a new Control Handling of Path Traversal Attempts property lets you reject incoming URLs that contain a path segment consisting of .., or of a combination of . and %2E (for example .%2E). By default, this property is set to false and the agent doesn’t reject URLs with these path segments. With the default %2E handling, any segment containing %2E is already rejected, so under default settings this property primarily adds rejection of unencoded .. segments.
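The following Python example is added here to illustrate the URL handling described in this section; it is not the agent’s code (the agent is a Java product and its internal implementation isn’t described on this page). It screens request paths by the default 5.10.4 rejection rules, applies the optional path traversal check, and shows the normalized path that not-enforced rules and AM policies are evaluated against. The UrlPolicy switches, the not-enforced rules and the request paths are constructed for illustration; treating a segment made of exactly two . or %2E units as a traversal segment, and resolving dot segments as in RFC 3986 section 5.2.4, are this example’s own assumptions.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional
from urllib.parse import unquote

# Percent-encoded sequences the 5.10.4 defaults reject; matched case-insensitively (%2E == %2e).
REJECTED_SEQUENCES = {
    "%2e": "encoded period (%2E)",
    "%2f": "encoded forward slash (%2F)",
    "%3b": "encoded semicolon (%3B)",
    "%5c": "encoded backslash (%5C)",
}
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
# A segment built from exactly two units, each "." or "%2E": "..", ".%2e", "%2E.", "%2e%2E".
# Counting only two-unit segments as traversal is this example's reading of the page.
DOT_DOT_SEGMENT = re.compile(r"^(?:\.|%2[eE]){2}$")


@dataclass(frozen=True)
class UrlPolicy:
    """Hypothetical switches standing in for the agent properties listed above."""
    reject_encoded: FrozenSet[str] = frozenset(REJECTED_SEQUENCES)  # the %2e/%2f/%3b/%5c controls
    reject_backslash: bool = True          # Control Handling of the Backslash Character
    reject_invalid_escape: bool = True     # Handle Invalid Escape Sequences
    reject_traversal: bool = False         # Control Handling of Path Traversal Attempts (default false)


def screen_path(path: str, policy: UrlPolicy = UrlPolicy()) -> Optional[str]:
    """Return the reason a request path would get an HTTP 400, or None if it passes."""
    if policy.reject_backslash and "\\" in path:
        return "unencoded backslash"
    i = 0
    while (i := path.find("%", i)) != -1:
        hex_pair = path[i + 1:i + 3]
        if not HEX_PAIR.fullmatch(hex_pair):
            if policy.reject_invalid_escape:
                return f"invalid escape sequence {path[i:i + 3]!r}"
            i += 1
            continue
        code = int(hex_pair, 16)
        if code <= 0x1F or code == 0x7F:           # %00-%1F inclusive, and %7F
            return f"encoded control character %{hex_pair}"
        sequence = ("%" + hex_pair).lower()
        if sequence in policy.reject_encoded:
            return REJECTED_SEQUENCES.get(sequence, f"rejected sequence {sequence}")
        i += 3
    if policy.reject_traversal:
        for segment in path.split("/"):
            name = segment.split(";", 1)[0]        # path parameters don't hide the segment name
            if DOT_DOT_SEGMENT.match(name):
                return f"path traversal segment {segment!r}"
    return None


def normalize_for_policy(path: str) -> str:
    """The path that not-enforced rules and AM policies are evaluated against:
    path parameters removed from every segment, dot segments resolved, percent-decoding applied."""
    resolved = []
    for segment in path.split("/")[1:]:            # drop the empty element before the leading "/"
        name = unquote(segment.split(";", 1)[0])
        if name == "..":
            if resolved:
                resolved.pop()
        elif name != ".":
            resolved.append(name)
    return "/" + "/".join(resolved)


def is_not_enforced(path: str, rules=("/public/*", "/favicon.ico")) -> bool:
    """Constructed not-enforced rules; a trailing '/*' means the prefix and everything below it."""
    normalized = normalize_for_policy(path)
    for rule in rules:
        if rule.endswith("/*") and normalized.startswith(rule[:-1]):
            return True
        if normalized == rule:
            return True
    return False


if __name__ == "__main__":
    # Constructed request paths, not captured traffic.
    for raw in ("/public/index.html", "/public/%2E%2e/admin", "/public;jsessionid=abc123/../admin",
                "/app/%G1", "/login%00.jsp", "/app\\admin"):
        reason = screen_path(raw)
        if reason:
            verdict = f"400 ({reason})"
        elif is_not_enforced(raw):
            verdict = "not-enforced, passed through"
        else:
            verdict = f"enforced, evaluated as {normalize_for_policy(raw)}"
        print(f"{raw:38} -> {verdict}")
```

The third constructed path shows why the normalization note matters: /public;jsessionid=abc123/../admin passes the default screen (no rejected sequence, traversal rejection off), but the path parameter is stripped and the .. resolved before matching, so a not-enforced rule for /public/* does not apply and the request is evaluated as /admin.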

Java Agent 5.10.3

Java Agent 5.10.3 is a maintenance release. It contains no new features.

Java Agent 5.10.2

Java Agent 5.10.2 is a maintenance release. It contains no new features.

Java Agent 5.10.1

Invalidation of sessions on logout

Always invalidate sessions is a new property to invoke the AM REST logout endpoint.

If Conditional Logout URL List is set to a URL that does not perform a REST logout to AM, set Always invalidate sessions to true so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

Java Agent 5.10

Support for Jakarta EE standard

Java Agent now supports the Jakarta EE 9+ standard, with JDK 11. For information about supported Jakarta EE platforms and operating systems, refer to Jakarta EE platform requirements.

Matching FQDNs to URL patterns

A file globbing pattern (containing * and ?) can now be used to match a hostname, in FQDN Map. Use this feature to map requests with virtual, invalid, or partial hostnames to URLs that contain a correct FQDN.

Detect the path of a resource loaded by classloader

To help with troubleshooting, a new JVM system property, -Ddisplay.classpath.mode.enabled=true, is available to help locate .jar files that contain outdated classes. For more information and an example, refer to Detect the path of a resource loaded by classloader.

Logback

Log messages in Java Agent and third-party dependencies are now recorded using the Logback implementation of the Simple Logging Facade for Java (SLF4J) API. For more information, refer to Logging.

POST data can be preserved in files

The following new properties are available to configure the storage of POST data to files instead of to the in-memory cache:

  • POST Data Preservation in Files or Cache

  • POST Data Preservation File Directory

  • POST Data Preservation Directory Sweep Interval

For more information, refer to POST data preservation.

Encoding for extended characters in not-enforced rules

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

  • Container Character Encoding

  • Container Parameter Encoding

For more information, refer to Not-enforced rules.

Limitation on the size to which a JWT can be decompressed

Maximum Decompression Size is a new property that limits the size to which a compressed JWT can be decompressed. A small, highly compressible token can otherwise inflate to a very large payload, so this property reduces the risk of memory-exhaustion denial-of-service (DoS) attacks in which a decompressed JWT consumes too much of the available memory.
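The following Python example is added to illustrate the failure mode this property addresses; it is not the agent’s implementation. JWE compression ("zip":"DEF") is raw DEFLATE, so the example builds two constructed claims sets, one of which is 8 MiB of padding that deflates to a few kilobytes, and shows a bounded inflater that keeps memory use at the configured limit instead of at whatever size the token’s author chose. The limit values and claims are constructed for illustration.

```python
import json
import zlib

# Constructed claims sets, not real tokens. JWE compression ("zip":"DEF") is raw DEFLATE
# (RFC 7516 section 4.1.3), so the streams below use wbits=-15 (no zlib header or trailer).
SMALL_CLAIMS = json.dumps({"sub": "demo", "exp": 1700000000}).encode()
BOMB_CLAIMS = b'{"sub":"demo","pad":"' + b"A" * (8 << 20) + b'"}'   # 8 MiB that deflates to a few KiB


def deflate_raw(data: bytes) -> bytes:
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return compressor.compress(data) + compressor.flush()


SMALL_COMPRESSED = deflate_raw(SMALL_CLAIMS)
BOMB_COMPRESSED = deflate_raw(BOMB_CLAIMS)


def inflate_bounded(data: bytes, max_size: int) -> bytes:
    """Inflate raw DEFLATE, refusing to produce more than max_size bytes of output.

    Asking zlib for at most max_size + 1 bytes caps the memory we allocate at the limit;
    the one extra byte is enough to tell "exactly at the limit" from "over the limit".
    """
    inflater = zlib.decompressobj(-15)
    out = inflater.decompress(data, max_size + 1)
    if len(out) > max_size:
        raise ValueError(f"decompressed payload exceeds {max_size} bytes")
    if not inflater.eof:
        # Output stayed under the limit, so all input was consumed; no end-of-stream means
        # the stream is truncated or malformed rather than merely large.
        raise ValueError("truncated or malformed DEFLATE stream")
    return out


def decode_claims(compressed: bytes, max_size: int) -> dict:
    return json.loads(inflate_bounded(compressed, max_size))


def is_rejected(compressed: bytes, max_size: int) -> bool:
    """True if the bounded inflater refuses the stream (oversize, truncated, or corrupt)."""
    try:
        inflate_bounded(compressed, max_size)
    except (ValueError, zlib.error):
        return True
    return False


if __name__ == "__main__":
    limit = 64 * 1024
    unbounded = zlib.decompress(BOMB_COMPRESSED, -15)   # what an unlimited inflater would allocate
    print(f"bomb: {len(BOMB_COMPRESSED)} compressed bytes -> {len(unbounded)} bytes without a limit")
    print(f"bomb rejected with a {limit}-byte limit: {is_rejected(BOMB_COMPRESSED, limit)}")
    print(f"small claims decoded: {decode_claims(SMALL_COMPRESSED, limit)}")
```

The limit belongs on the decompressed size, not the compressed one: the compressed bomb is far smaller than the legitimate token size you would otherwise accept, which is exactly why an input-size check alone does not protect you.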

Signing of pre-authentication cookies

To improve protection against tampering, pre-authentication and POST data preservation cookies can now be signed. When Pre-Authn and Post Data Preservation Cookie Signing Value is set to a value of non-zero length, that value is used to generate a signing key.

During installation, the path to a file that contains the signing value can be provided interactively or in the installation response file. Cookies are not signed if:

  • The path is not provided

  • The path to an empty file is provided

  • The value found in the file is too short

The signing value is stored in the AgentKey.properties file.
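The following Python example is added to illustrate the tamper protection this section describes; it is not the agent’s code, and the page does not specify the agent’s cookie format or key derivation. HMAC-SHA256 over the cookie payload, an HKDF-extract style derivation of the key from the signing value, a base64url-encoded original request URL as the payload, and a 32-byte minimum standing in for "too short" are all assumptions chosen for illustration.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Illustrative threshold for "the value found in the file is too short"; the page gives no number.
MIN_SIGNING_VALUE_LENGTH = 32


def signing_value_from_bytes(data: Optional[bytes]) -> Optional[bytes]:
    """Mirror the conditions under which cookies stay unsigned: nothing provided, empty, or too short."""
    if data is None:
        return None
    value = data.strip()
    if len(value) < MIN_SIGNING_VALUE_LENGTH:
        return None
    return value


def load_signing_value(path: Optional[str]) -> Optional[bytes]:
    """No path, an unreadable or empty file, or a too-short value all yield None (cookies not signed)."""
    if not path:
        return None
    try:
        with open(path, "rb") as fh:
            return signing_value_from_bytes(fh.read())
    except OSError:
        return None


def derive_key(signing_value: bytes) -> bytes:
    """Derive a dedicated HMAC key from the configured value (HKDF-extract style; an assumed KDF)."""
    return hmac.new(b"pre-authn-cookie-signing", signing_value, hashlib.sha256).digest()


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag; here the payload is the base64url-encoded original request URL."""
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return f"{payload}.{_b64u(tag)}"


def verify_cookie(cookie: str, key: bytes) -> Optional[str]:
    """Return the payload if the tag verifies, else None; constant-time compare avoids a timing oracle."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    try:
        given = _unb64u(tag)
    except (binascii.Error, ValueError):
        return None
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return payload if hmac.compare_digest(given, expected) else None


if __name__ == "__main__":
    # Constructed signing value; in the agent it comes from the file named at installation.
    key = derive_key(signing_value_from_bytes(b"constructed-signing-value-0123456789abcdef"))
    goto = _b64u(b"https://app.example.com/account?tab=billing")
    cookie = sign_cookie(goto, key)
    print("cookie  :", cookie)
    print("verifies:", verify_cookie(cookie, key) == goto)
    forged = _b64u(b"https://evil.example.net/") + cookie[cookie.rindex("."):]
    print("forged  :", verify_cookie(forged, key))
```

The point of the check is that a client can still read and rewrite the cookie, for example to redirect the post-login flow to a different URL, but cannot produce a valid tag for the rewritten payload without the key; the agent-side verification rejects the forgery before acting on it.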

Retrieval of agent password

A new option is available in agentadmin to reveal the agent profile password.