Changes in AM 7.3.x
AM 7.3.2
Change in behavior for journeys containing a Certificate Collector node
Previously, for journeys containing a Certificate Collector node, AM would throw an exception in the following scenario:
- You set the node’s Certificate Collection Method property to `Either` or `Header`
- You specified an HTTP header name
- The certificate was missing from the browser (and from the request if `Either` was selected)

Now, in this scenario, the journey continues down the Not Collected path.
AM 7.3
Artifact updates
If your custom code uses the following supported Java classes, you must update your build dependencies to include these modules:
| Class / interface | Module |
|---|---|
AMIdentity constructor
The supported constructor, `public AMIdentity(SSOToken token, String universalId) throws IdRepoException`, no longer throws an `IllegalArgumentException` if the provided string is not a valid representation of a DN. Instead, these exceptions are now converted to instances of `IdRepoException`.
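The following helper is an added example, not code from AM or from this page, showing how custom code that builds an `AMIdentity` from a caller-supplied universal ID should handle malformed input after this change. The class `IdentityResolver` and its `resolve` method are hypothetical; the constructor, `SSOToken`, `AMIdentity` and `IdRepoException` are the real AM types named above.

```java
import java.util.Optional;
import java.util.logging.Logger;

import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;

/**
 * Hypothetical helper (not part of AM): resolve a universal ID to an identity,
 * treating a malformed or unknown ID as "absent" instead of letting it escape
 * as an unchecked exception into the caller's request handling.
 */
public final class IdentityResolver {

    private static final Logger LOG = Logger.getLogger(IdentityResolver.class.getName());

    private IdentityResolver() {}

    public static Optional<AMIdentity> resolve(SSOToken token, String universalId) {
        try {
            return Optional.of(new AMIdentity(token, universalId));
        } catch (IdRepoException e) {
            // AM 7.3 and later: a string that is not a valid DN representation is reported
            // here, alongside the repository errors this constructor already declared.
            // The raw input is deliberately not logged; it is untrusted caller data.
            LOG.warning("Identity lookup rejected: malformed or unknown universal ID");
            return Optional.empty();
        } catch (IllegalArgumentException e) {
            // Only reachable on AM releases before 7.3. Keep this branch while the same
            // artifact must run against both versions; drop it once everything is on 7.3.
            LOG.warning("Identity lookup rejected by pre-7.3 DN validation");
            return Optional.empty();
        }
    }
}
```

Code that previously relied on catching `IllegalArgumentException` alone will, on 7.3, see the checked `IdRepoException` instead; since that exception was already declared by the constructor, the compiler will not flag the gap, so review existing catch blocks rather than waiting for a runtime failure.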
Deletion of site data on logout
For security reasons, AM now instructs the browser to clear site data such as locally cached data and cookies when a user successfully logs out. This behavior can be disabled for compatibility purposes. Refer to the Add clear-site-data Header on Logout property in the Core authentication attributes for more information.
Session condition advice behavior
Previously, a Session condition failure resulted in a No configuration found error. This behavior has been changed as follows:
- If `terminateSession` is `true` and policy evaluation is requested, AM sends the session advice to the Java, Web, or Identity Gateway agent when the `maxSessionTime` elapses and the user is required to reauthenticate.
- If `terminateSession` is `false` and policy evaluation is requested, AM does not send the session advice to the Java, Web, or Identity Gateway agent when the `maxSessionTime` elapses. Instead of being redirected to the login page, the user receives a 403 Forbidden response for the protected resource.
Password change messages can now be returned in sentence case
Previously, all password change and password reset messages were transformed to upper case; for example, `YOU MUST RESET YOUR PASSWORD`. The LDAP Decision node now provides an option to disable this transformation, letting messages be returned in the case in which they are configured; for example, `You must reset your password`.
This option is disabled by default.
Base URL X-Forwarded-* headers
- Previously, if you set the Base URL source to `X-Forwarded-* headers` and no `X-Forwarded-Proto` header was provided, the generated URL would have a protocol of `null`, for example `null://host`, which would result in a broken URL. From this release, if no `X-Forwarded-Proto` header is provided, a fallback scheme is used, based on the URI of the request.
- You can now specify a port in the Base URL, using the `X-Forwarded-Port` header.
- If multiple `X-Forwarded-Host` headers are specified, the outermost proxy host is used.
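The class below is an added illustration of the three rules above, not AM's own Base URL code: it places the pre-7.3 derivation (scheme taken straight from `X-Forwarded-Proto`, so a missing header leaks `null` into the URL) next to the 7.3 derivation (fallback to the request scheme, port from `X-Forwarded-Port`, outermost proxy host). The class name `ForwardedBaseUrl`, the method names, the header map shape and the sample request are all assumptions; in particular it assumes the outermost proxy's host is the first `X-Forwarded-Host` value received.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;

/** Hypothetical illustration of Base URL derivation from X-Forwarded-* headers. */
public final class ForwardedBaseUrl {

    private ForwardedBaseUrl() {}

    /** Pre-7.3 behaviour: no fallback, so a missing X-Forwarded-Proto yields "null://host". */
    public static String legacyBaseUrl(Map<String, List<String>> headers) {
        String scheme = first(headers, "X-Forwarded-Proto");   // null when the header is absent
        String host = first(headers, "X-Forwarded-Host");
        return scheme + "://" + host;                           // Java renders a null reference as "null"
    }

    /** 7.3 behaviour: request-URI scheme as fallback, optional forwarded port, outermost host. */
    public static String baseUrl(Map<String, List<String>> headers, URI requestUri) {
        String scheme = first(headers, "X-Forwarded-Proto");
        if (scheme == null || scheme.isEmpty()) {
            scheme = requestUri.getScheme();                    // fallback based on the request URI
        }
        // Assumption: the outermost proxy is the first X-Forwarded-Host value seen; adjust
        // if your proxy chain records hosts in a different order.
        String host = first(headers, "X-Forwarded-Host");
        if (host == null || host.isEmpty()) {
            host = requestUri.getHost();
        }
        String port = first(headers, "X-Forwarded-Port");
        // Do not append a port if the forwarded host already carries one.
        boolean hostHasPort = host.contains(":");
        String authority = (port == null || port.isEmpty() || hostHasPort) ? host : host + ":" + port;
        return scheme + "://" + authority;
    }

    /** First value of the first matching header (case-insensitive name), split on commas. */
    private static String first(Map<String, List<String>> headers, String name) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name) && !e.getValue().isEmpty()) {
                return e.getValue().get(0).split(",")[0].trim();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: the proxy chain forwarded two hosts and a port, but no scheme.
        Map<String, List<String>> headers = Map.of(
                "X-Forwarded-Host", List.of("sso.example.com", "internal-lb.example.net"),
                "X-Forwarded-Port", List.of("443"));
        URI request = URI.create("https://am-backend.internal:8443/am/json/serverinfo/*");

        System.out.println("legacy: " + legacyBaseUrl(headers));
        System.out.println("7.3:    " + baseUrl(headers, request));
    }
}
```

Whichever derivation is in use, the `X-Forwarded-*` values are only as trustworthy as the proxy that set them: enable the `X-Forwarded-* headers` Base URL source only for traffic that genuinely arrives through your own proxy tier, and have that tier overwrite rather than pass through any forwarded headers supplied by the client.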
org.forgerock.openam.services.email.MailServer interface
The supported interface, `org.forgerock.openam.services.email.MailServer`, has moved from the `openam-core` module to `mail-api`.
You need to update the dependencies to recompile your implementation of this interface.
Removal of CTS worker thread pool
To simplify AM behavior, CTS operations are now performed as part of the HTTP worker thread created by the HTTP container. This refactoring introduces the following changes:
- The `org.forgerock.services.cts.async.queue.size` and `org.forgerock.services.cts.async.queue.timeout` advanced configuration properties are no longer used.
- The following monitoring metrics have been replaced:
  - Old: `cts.task.queue` and `cts.task.queue.size`
  - New: `cts.connection.state.out` and `cts.connection.state.pending`

  For details, refer to CTS metrics.
- The primary way to tune the CTS connection pool is to use the `org.forgerock.services.cts.store.max.connections` property. The default value has been increased from `10` to `100`. Existing deployments will be upgraded to whichever is greater: `100` or the original value.
- In previous AM releases, calls to the `/json/health/ready` endpoint returned an `HTTP 200 OK` response if the CTS queue was below the configured threshold, even if the CTS data store was unavailable. The CTS queue has been removed in AM 7.3 as part of optimizing connections to the CTS store. If the CTS data store is unavailable, calls to the `/json/health/ready` endpoint now return an `HTTP 503 Service Unavailable` error.