OpenAM 14.4.2 Released
What’s new
- Prevented errors when getting the group DN while using multiple Data Stores in a Realm
- Added the ability to authenticate without initiating the authentication process for any authentication chain, not only the default one
- Enabled the openam-auth-radius module to be extended to do additional parsing and validation of the RADIUS response packet (namely the Access-Accept packet). The change introduces a new protected method ‘readAttributesFromResponsePacket(Packet response)’ that is called after successful authentication against the RADIUS server. By default the method is a no-op. In an extension class, the developer can override the method and either read and store attributes or throw an AuthLoginException if the additional parsing should result in a login failure.
- Updated Apache Santuario XML for Java to prevent the CVE-2019-12400 security issue
- Implemented a special filter for KBA (Knowledge-Based Authentication) which ensures that only users with an SSO Token that has Administrator-level access, or the owner of the resource, are allowed to access the protected resources. [1]
- Use the request locale for authentication error messages [1]
- Added OAuth2 endpoint validation to prevent user redirection to a phishing site [1]
- Prevented deleting authentication module instances of the same type. [1]
- Fixed an error where the user remains on the ‘Loading’ page when using the ‘OAuth2.0/OIDC’ auth module and the authId token expires [1]
- Fixed an error when the JWKS endpoint returns an extra null byte in the modulus
- Fixed a bad link for OAuth 2.0 in the Realm > Applications menu
- Updated the How to Run After Build chapter in README.md
- Enabled Maven caching during builds in Travis CI
- Fixed other issues (more details)
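The RADIUS extension point described above, shown as an added example; it is not code from the OpenAM project. `Packet`, its `values()` accessor, `RadiusModule` and the local `AuthLoginException` are stand-ins so the file compiles by itself, and the Filter-Id allow-list policy is an assumption chosen for illustration.

```java
import java.util.*;
// Stand-ins so the example compiles on its own; in OpenAM the real types come
// from the RADIUS auth module and the authentication SPI (signatures assumed).
class AuthLoginException extends Exception {
    AuthLoginException(String message) { super(message); }
}
class Packet {                       // hypothetical minimal view of an Access-Accept
    private final Map<String, List<String>> attributes;
    Packet(Map<String, List<String>> attributes) { this.attributes = attributes; }
    List<String> values(String name) {   // hypothetical accessor
        return attributes.getOrDefault(name, Collections.emptyList());
    }
}
class RadiusModule {                 // stand-in for the shipped RADIUS login module
    // Hook named in the release note: called after a successful RADIUS
    // authentication, no-op by default.
    protected void readAttributesFromResponsePacket(Packet response)
            throws AuthLoginException { }
}
// Extension: accept the login only if the Access-Accept carries an allowed
// Filter-Id, and keep the Class attribute for later use.
class FilteredRadiusModule extends RadiusModule {
    private static final Set<String> ALLOWED_FILTERS =
            new HashSet<>(Arrays.asList("vpn-users", "staff")); // constructed values
    private List<String> radiusClass = Collections.emptyList();
    @Override
    protected void readAttributesFromResponsePacket(Packet response)
            throws AuthLoginException {
        List<String> filters = response.values("Filter-Id");
        if (filters.isEmpty() || !ALLOWED_FILTERS.containsAll(filters)) {
            // Fail closed: a missing or unexpected attribute rejects the login.
            throw new AuthLoginException("RADIUS Access-Accept has no permitted Filter-Id");
        }
        radiusClass = new ArrayList<>(response.values("Class"));
    }
    public static void main(String[] args) {
        Map<String, List<String>> attrs = new HashMap<>();   // constructed sample packet
        attrs.put("Filter-Id", Arrays.asList("staff"));
        attrs.put("Class", Arrays.asList("engineering"));
        FilteredRadiusModule module = new FilteredRadiusModule();
        try {
            module.readAttributesFromResponsePacket(new Packet(attrs));
            System.out.println("accepted, Class=" + module.radiusClass);
            module.readAttributesFromResponsePacket(new Packet(new HashMap<>()));
        } catch (AuthLoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```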
References
1. Thanks to https://github.com/openam-jp community for these changes