---
title: New in Java Agent 5.10.x
description: Java Agent 5.10.4 is a maintenance release that introduces security enhancements.
component: java-agents
version: release-notes
page_id: java-agents::whats-new-510
canonical_url: https://docs.pingidentity.com/java-agents/release-notes/whats-new-510.html
section_ids:
  whats-new-5.10.4: Java Agent 5.10.4
  url-handling-5104: URL handling
  whats-new-5103: Java Agent 5.10.3
  whats-new-5102: Java Agent 5.10.2
  whats-new-5101: Java Agent 5.10.1
  invalidation_of_sessions_on_logout: Invalidation of sessions on logout
  whats-new-5100: Java Agent 5.10
  support_for_jakarta_ee_standard: Support for Jakarta EE standard
  matching_fqdns_to_url_patterns: Matching FQDNs to URL patterns
  detect_the_path_of_a_resource_loaded_by_classloader: Detect the path of a resource loaded by classloader
  logback: Logback
  post_data_can_be_preserved_in_files: POST data can be preserved in files
  encoding_for_extended_characters_in_not_enforced_rules: Encoding for extended characters in not-enforced rules
  limitation_on_the_size_to_which_a_jwt_can_be_decompressed: Limitation on the size to which a JWT can be decompressed
  signing_of_pre_authentication_cookies: Signing of pre-authentication cookies
  retrieval_of_agent_password: Retrieval of agent password
---

# New in Java Agent 5.10.x

## Java Agent 5.10.4

Java Agent 5.10.4 is a maintenance release that introduces security enhancements.

### URL handling

We've made changes to the Java Agent to improve the security of handling incoming request URLs.

|   |                                                                                                                                                                                                                                                                                                    |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | These changes may affect the agent's behavior in your environment. You should review these settings and make sure they are suitable for your requirements. In particular, consider that not-enforced rules and AM policies are evaluated against normalized paths with the path parameters removed. |

By default, the agent will now reject an incoming request URL with an `HTTP 400` in the following scenarios:

* One or more of the following characters exist in the URL path or path parameters:

  * `%2E` (encoded period character)

  * `%2F` (encoded forward slash)

  * `%3B` (encoded semicolon)

  * `%5C` (encoded backslash)

  * `\` (unencoded backslash)

* The incoming URL path contains encoded control characters. These are characters in the range `%00` to `%1F` inclusive, and `%7F`.

* The incoming URL path contains invalid encodings, such as `%G1`.

* The incoming URL path doesn't conform with the rules in the Jakarta Servlet Specification [Request URI Path Processing](https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1#request-uri-path-processing) section.

|   |                                                                                                    |
| - | -------------------------------------------------------------------------------------------------- |
|   | Encoded characters are case-insensitive. For example, `%2E` and `%2e` are handled in the same way. |

Learn more in *Path traversal attempts*.

Corresponding new properties are available to control this behavior if you need to make any changes:

* `Control Handling of the URL Encoded Sequence %2e`

* `Control Handling of the URL Encoded Sequence %2f`

* `Control Handling of the URL Encoded Sequence %3b`

* `Control Handling of the URL Encoded Sequence %5c`

* `Control Handling of the Backslash Character`

* `Handle Invalid Escape Sequences`

* `Strictly enforce the Java Servlet Specification`

Additionally, a new `Control Handling of Path Traversal Attempts` property lets you reject incoming URLs that contain `..`, or combinations of `.` and `%2E` as a path segment. By default, this property is set to `false` and the agent doesn't reject URLs with these path segments.
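To see which request paths in existing traffic would be affected by the new defaults, the rules listed above can be approximated offline. The following is an added example, not Java Agent code: the function names, the sample paths, and the choices to ignore the query string and to strip path parameters before the traversal check are assumptions, and the Jakarta Servlet Specification conformance rule is not modeled.

```python
import re

# Encoded sequences rejected by default in 5.10.4 (matched case-insensitively).
BLOCKED = {"2E": "encoded period", "2F": "encoded forward slash",
           "3B": "encoded semicolon", "5C": "encoded backslash"}
TRAVERSAL_SEGMENT = re.compile(r"(?:\.|%2[eE]){2}")  # "..", ".%2e", "%2E%2e", ...

def rejection_reasons(raw_path, reject_traversal=False):
    """List why a raw (undecoded) request path would draw an HTTP 400."""
    path = raw_path.split("?", 1)[0]  # assumption: the query string is out of scope
    reasons = set()
    if "\\" in path:
        reasons.add("unencoded backslash")
    for match in re.finditer(r"%(.{0,2})", path):
        pair = match.group(1).upper()
        if not re.fullmatch(r"[0-9A-F]{2}", pair):
            reasons.add("invalid escape sequence")  # e.g. %G1 or a trailing %
        elif pair in BLOCKED:
            reasons.add(BLOCKED[pair])
        elif int(pair, 16) <= 0x1F or pair == "7F":
            reasons.add("encoded control character")
    if reject_traversal:  # mirrors the opt-in path traversal property (default false)
        for segment in path.split("/"):
            name = segment.split(";", 1)[0]  # assumption: path parameters are ignored
            if TRAVERSAL_SEGMENT.fullmatch(name):
                reasons.add("path traversal segment")
    return sorted(reasons)

# Constructed sample paths, not taken from any real log.
SAMPLE_PATHS = ["/app/index.html", "/app/%2e%2e/admin", "/files/a%5Cb", "/a%00b",
                "/a%G1", "/app/..;x=1/admin", "/search?q=%2F"]

def audit(paths, reject_traversal=False):
    """Map each path that would be rejected to its list of reasons."""
    report = {}
    for path in paths:
        reasons = rejection_reasons(path, reject_traversal)
        if reasons:
            report[path] = reasons
    return report

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(reasons))
```

Running `audit` over the path column of an access log before upgrading shows which legitimate clients would start receiving `HTTP 400`.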

## Java Agent 5.10.3

Java Agent 5.10.3 is a maintenance release. It contains no new features.

## Java Agent 5.10.2

Java Agent 5.10.2 is a maintenance release. It contains no new features.

## Java Agent 5.10.1

### Invalidation of sessions on logout

`Always invalidate sessions` is a new property to invoke the AM REST logout endpoint.

If `Conditional Logout URL List` is set to a URL that does not perform a REST logout to AM, set `Always invalidate sessions` to `true` so that the agent additionally invokes the AM REST logout endpoint to invalidate the session.

## Java Agent 5.10

### Support for Jakarta EE standard

Java Agent now supports the Jakarta EE 9+ standard, with JDK 11. For information about supported operating systems for Jakarta EE, refer to [Jakarta EE platform requirements](requirements.html#jakarta-requirements-510).

### Matching FQDNs to URL patterns

A file globbing pattern (containing `*` and `?`) can now be used to match a hostname, in `FQDN Map`. Use this feature to map requests with virtual, invalid, or partial hostnames to URLs that contain a correct FQDN.

### Detect the path of a resource loaded by classloader

To help with troubleshooting, a new property `-Ddisplay.classpath.mode.enabled=true` is available to help locate .jar files that contain outdated classes. For more information and an example, refer to *Detect the path of a resource loaded by classloader*.

### Logback

Log messages in Java Agent and third-party dependencies are now recorded using the Logback implementation of the Simple Logging Facade for Java (SLF4J) API. For more information, refer to *Logging*.

### POST data can be preserved in files

The following new properties are available to configure the storage of POST data to files instead of to the in-memory cache:

* `POST Data Preservation in Files or Cache`

* `POST Data Preservation File Directory`

* `POST Data Preservation Directory Sweep Interval`

For more information, refer to *POST data preservation*.

### Encoding for extended characters in not-enforced rules

By default, Java Agent uses UTF-8 to encode extended characters in the resource paths of not-enforced rules.

The following new properties are available to change the character encoding in the resource paths and HTTP query parameters of not-enforced rules:

* `Container Character Encoding`

* `Container Parameter Encoding`

For more information, refer to *Not-enforced rules*.

### Limitation on the size to which a JWT can be decompressed

`Maximum Decompression Size` is a new property that limits the maximum size to which a compressed JWT can be decompressed. This property reduces the risk of memory-exhaustion denial-of-service (DoS) attacks in which a decompressed JWT consumes too much available memory.
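The effect of such a cap can be shown with bounded inflation. This is an added example, not the agent's implementation: it assumes raw DEFLATE as used by the JWE `zip: DEF` header (RFC 7516), and the function names and the 256 KiB limit are constructed for illustration.

```python
import zlib

class DecompressionLimitExceeded(ValueError):
    """Raised when inflating would produce more than the permitted bytes."""

def deflate_raw(data: bytes) -> bytes:
    """Compress with raw DEFLATE (no zlib header), for building test inputs."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return compressor.compress(data) + compressor.flush()

def inflate_bounded(compressed: bytes, max_size: int) -> bytes:
    """Inflate raw DEFLATE data, never materializing more than max_size + 1 bytes."""
    inflater = zlib.decompressobj(-15)
    # Ask for one byte more than allowed so "exactly at the limit" is
    # distinguishable from "over the limit" without inflating the rest.
    out = inflater.decompress(compressed, max_size + 1)
    if len(out) > max_size or inflater.unconsumed_tail:
        raise DecompressionLimitExceeded(
            f"payload inflates past the {max_size}-byte limit")
    if not inflater.eof:
        raise ValueError("truncated DEFLATE stream")
    return out

# Constructed inputs: a small claims set and a highly compressible 8 MiB payload.
CLAIMS = b'{"sub":"demo-user","iss":"https://am.example.com"}'
OVERSIZED = deflate_raw(b"\x00" * (8 * 1024 * 1024))
MAX_SIZE = 256 * 1024  # illustrative limit, not the agent's default

def is_accepted(compressed: bytes, max_size: int = MAX_SIZE) -> bool:
    """Return True when the payload inflates within the limit."""
    try:
        inflate_bounded(compressed, max_size)
        return True
    except DecompressionLimitExceeded:
        return False

if __name__ == "__main__":
    print("claims accepted:", is_accepted(deflate_raw(CLAIMS)))
    print("oversized input:", len(OVERSIZED), "bytes, accepted:", is_accepted(OVERSIZED))
```

The oversized input is only a few kilobytes on the wire, which is why the limit has to apply to the decompressed size rather than the size of the received token.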

### Signing of pre-authentication cookies

To improve protection against tampering, pre-authentication and POST data preservation cookies can now be signed. When the value of `Pre-Authn and Post Data Preservation Cookie Signing Value` has a non-zero length, it is used to generate a signing key.

During installation, the path to a file that contains the signing value can be provided interactively or in the installation response file. Cookies are not signed if:

* The path is not provided

* The path to an empty file is provided

* The value found in the file is too short

The signing value is stored in the `AgentKey.properties` file.

### Retrieval of agent password

A new option is available in `agentadmin` to reveal the agent profile password.
