Web Agents

New in Web Agent 5.10.x

Web Agent 5.10.4

Web Agent 5.10.4 is a maintenance release that introduces security enhancements.

Request handling

We’ve made changes to the Web Agent to improve the security of handling requests from upstream Java servers.

The agent now rejects unsafe uses of path parameters with an HTTP 400 in the following scenarios:

  • The request contains one or more %2F or %2f (encoded forward slash) characters in the path parameters.

  • The request contains one or more %5C or %5c (encoded backslash) characters in the path parameters on a Windows server.

  • The request includes empty path segments or dot path segments with path parameters. Some example unsafe uses include:

    • /;/

    • /..;

    • /.;

    • /..;parameter/

    Legitimate uses of ; as a path parameter are still permitted. For example, the agent won’t reject this request with the jsessionid parameter: /segment1/segment2/;jsessionid=1234

Path parameters (also known as matrix parameters) are used by J2EE and Spring-based Java servers in URL paths.
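The following is an added example, not Web Agent code: a small validator that mirrors the four rules listed above and returns the reason a request would get an HTTP 400, or None when the path parameters are used legitimately. The windows flag and the rule that a trailing ;jsessionid=... after the final slash is allowed while /;/ is not are assumptions drawn from the examples in the notes.

```python
import re
from typing import Optional

# Constructed example, not Web Agent code: a validator that mirrors the
# path-parameter rules listed in the 5.10.4 release notes.
ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)      # %2F / %2f
ENCODED_BACKSLASH = re.compile(r"%5c", re.IGNORECASE)  # %5C / %5c


def unsafe_path_parameter_reason(path: str, windows: bool = False) -> Optional[str]:
    """Return why the raw request path should be rejected with HTTP 400,
    or None when its path (matrix) parameters are used legitimately."""
    path = path.split("?", 1)[0]  # only the path is inspected, not the query
    if ";" not in path:
        return None  # no path parameters: nothing to check
    segments = path.split("/")
    last = len(segments) - 1
    for index, segment in enumerate(segments):
        if ";" not in segment:
            continue
        name, _, params = segment.partition(";")
        # Encoded separators inside the parameter part are rejected outright;
        # the backslash rule only applies on a Windows server (assumed flag).
        if ENCODED_SLASH.search(params):
            return "encoded forward slash in path parameters"
        if windows and ENCODED_BACKSLASH.search(params):
            return "encoded backslash in path parameters"
        # Dot segments carrying parameters: '/..;', '/.;', '/..;parameter/'.
        if name in (".", ".."):
            return "dot segment with path parameters"
        # An empty segment carrying parameters ('/;/') is rejected, but a
        # trailing ';jsessionid=...' after the final slash is allowed
        # (assumption drawn from the legitimate example in the notes).
        if name == "" and index != last:
            return "empty segment with path parameters"
    return None
```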

Learn more in Path traversal attempts.

Web Agent 5.10.3

Web Agent 5.10.3 is a maintenance release. It contains no new features.

Web Agent 5.10.2

Remove HTTP Server header in IIS

In IIS, the agent can now remove the Server header from all responses. To enable the feature, set the Remove IIS HTTP Server Header property (org.forgerock.agents.config.iis.headers.server.disable) to true.

Web Agent 5.10.1

Limit the number of debug log files

To help manage the amount of stored data, the new property Maximum Number of Debug Log Files is now available to limit the number of debug log files that the agent stores after file rotation.

Web Agent 5.10

Matching FQDNs to URL patterns

The wildcard * can now be used in FQDN Virtual Host Map to match a domain name. Use this feature to pass requests with dynamically allocated hostnames, for example, in Kubernetes deployments, without redirecting them to another domain.

For more information, see FQDN checking.

Authorization flow for single page applications using JavaScript

Authorization flow for applications using JavaScript is a new property to enable callbacks into JavaScript applications after an authentication or transactional authorization journey.

The property provides support for single page applications (SPAs) that use embedded login or authorization dialogs within iframes or embedded tags.

This feature is in Technology Preview, as defined in Release levels and interface stability, for use only with assistance from Ping Identity.

Current limitations:

  • The property cannot be set in agent.conf. Set it in the Advanced tab of the AM console.

  • The feature might require configuration changes to on-prem AM servers.

  • The feature does not work with the PingOne Advanced Identity Cloud, unless the service is accessed through a reverse proxy on the application site.

Apache built-in modules available for authentication

Use Built-in Apache HTTPD Authentication Directives is a new property to enable the Apache Web Agent to use built-in Apache authentication directives, such as AuthName, FilesMatch, and Require, for specified not-enforced URLs.

In previous releases, use of built-in Apache authentication directives was not supported. The agent replaced authentication functionality provided by Apache.

POST data preservation: use a single agent profile for multiple agent instances

In previous releases, to correctly configure POST data preservation, a separate agent profile was required in AM for each agent instance. From this release, a single agent profile can be used for multiple agent instances.

Use this feature for scalable deployments, where resources are dynamically created or destroyed.

For more information, see Create an agent profile for multiple agent instances when POST data preservation is enabled and Map one agent profile to multiple agent instances when POST data preservation is enabled.

URI fragments persisted in custom login mode

In previous releases, when the value of Enable Custom Login Mode was 2, URI fragments were lost during login. From this release, URI fragments in the browser are preserved after the custom login procedure.

Pre-authentication cookies expire immediately after authentication

In previous releases, the pre-authentication cookie, agent-authn-tx, expired only when it reached the age configured by Profile Attributes Cookie Maxage. From this release, the pre-authentication cookie expires when the first of the following events occurs:

  • Authentication completes successfully

  • It reaches the age configured by Profile Attributes Cookie Maxage

Expiring the cookie immediately after authentication reduces the header space used, and prevents authentication errors and errors in applications that set headers.

Limit on the size to which a JWT can be decompressed

The maximum size to which a compressed JWT can be decompressed is now limited to 1 MB, and is not configurable. This change reduces the risk of a memory-exhaustion denial of service (DoS) caused by a decompressed JWT consuming too much of the available memory.