Release 0.6.3: Removed broken http to https redirection.

Merge pull request #151 from The-OAG-Development-Project/fix/149-Http…

…RedirectFilter-not-working

[149] removed http to https redirect as this was never functional and…

Release 0.6.2: Version Updates for OAG

We just updated dependencies that had vulnerabilities.

Release V.0.6.1

We've updated a few dependencies and the docker image to close a few vulnerabilities.

Release V.0.6.0

We now require Java 17 to run because we updated SpringBoot and the Spring Cloud Gateway to current versions:

• Requires Java 17
• Updated To Spring-Cloud 2023.0.0
• Updated To Spring Boot 3.2.1
• dependency Updates to fix security issues
• Fixed an issue with Secondary Trace-Header (where in the simple trace case an invalid header of "n/a" was tried to be added to downstream requests.
• Minor Documentation Updates

Note: There are new WARN log entries of Type: "...is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected into a currently created BeanPostProcessor...". These are related to SpringBoot 3.2.1 and a known issue (spring-cloud/spring-cloud-commons#1315)

Release V.0.5.2

What's Changed

Just upgraded some dependencies to reduce vulnerabilities.

• [Snyk] Upgrade com.nimbusds:nimbus-jose-jwt from 9.21 to 9.31 by @snyk-bot in #127
• [Snyk] Upgrade io.netty:netty-codec from 4.1.86.Final to 4.1.91.Final by @snyk-bot in #129

Full Changelog: v0.5.1...v0.5.2

Release V.0.5.1

Upgraded dependencies for vulnerability mitigation.
Improved Key-Rotation and made some configuration changes

What's Changed

• Making Rotation test more robust by @Padi-owasp in #93
• Added support for configuration file via https by @gianlucafrei in #95
• renamed enableUnsafeHttps -> enableUnsafeHttp. by @Padi-owasp in #96
• Adjust container runtime by @bt-nia in #98
• Fix/dependencies by @Padi-owasp in #101
• Fix/dependencies by @Padi-owasp in #107
• [Snyk] Upgrade com.nimbusds:nimbus-jose-jwt from 9.20 to 9.21 by @snyk-bot in #108
• moved to in mem only random key for cookie encryption by @Padi-owasp in #109
• [Snyk] Upgrade com.github.ben-manes.caffeine:caffeine from 3.0.5 to 3.0.6 by @snyk-bot in #110
• [Snyk] Upgrade com.nimbusds:oauth2-oidc-sdk from 9.27.1 to 9.31 by @snyk-bot in #111
• updated spring boot/cloud by @Padi-owasp in #116
• fix dependencies in pom and update docker image. by @Padi-owasp in #118
• [Snyk] Upgrade com.github.ben-manes.caffeine:caffeine from 3.0.6 to 3.1.3 by @snyk-bot in #120
• [Snyk] Upgrade com.nimbusds:nimbus-jose-jwt from 9.21 to 9.22 by @gianlucafrei in #115
• [Snyk] Upgrade com.nimbusds:oauth2-oidc-sdk from 9.31 to 9.43.1 by @snyk-bot in #119
• Updated pom and container by @Padi-owasp in #125
• Fixing dependencies / vulnerabilities by @Padi-owasp in #126

New Contributors

• @bt-nia made their first contribution in #98

Full Changelog: v0.5.0...v0.5.1

Release v0.5.0

New Functionality 🎉:

OAG can now be used as Spring library with the @EnableOWASPApplicationGateway annotation
Added possibility for federated logout
Updated default user-mapping configuraion
Added additional mappings to the GitHub login provider

Minor Improvements:

Implemented check if hostUri from config is a valid uri
Added missing log when ResponseStatusException is thrown
Added origin header validation as a defense-in-depth measure for csrf-samesite-cookie validation
Changed log level of some log messages to debug to have cleaner logs

Fixes:

Fixed a open-redirect vulnerability during login

Internal:

Added caffein ache to classpath (Spring Cloud Gateway asked for it in a warn log)
Added kotlin support for jackson (Not really used, but removes the warn message during startup)
Moved main configuration validation to spring main method to reduce problems with circular bean dependencies
Upgraded dependencies to newest version

Release v0.5.0-alpha

New Functionality:

• OAG can now be used as Spring library with the @EnableOWASPApplicationGateway annotation
• Added possibility for federated logout
• Updated default user-mapping configuraion
• Added additional mappings to the GitHub login provider

Minor Improvements:

• Implemented check if hostUri from config is a valid uri
• Added missing log when ResponseStatusException is thrown
• Added origin header validation as a defense-in-depth measure for csrf-samesite-cookie validation
• Changed log level of some log messages to debug to have cleaner logs

Fixes:

• Fixed a open-redirect vulnerability during login

Internal:

• Added caffein ache to classpath (Spring Cloud Gateway asked for it in a warn log)
• Added kotlin support for jackson (Not really used, but removes the warn message during startup)
• Moved main configuration validation to spring main method to reduce problems with circular bean dependencies
• Upgraded dependencies to newest version

Release v0.4

• Event-Driven Networking With the v0.4 release, we replaced the underlying proxy library from Netflix Zuul 1 to Spring Cloud Gateway. The main reason is the event-driven networking model based on non-blocking IO, which drastically improves the OAG performance when serving many requests. This also enables support for WebSockets (Not tested yet)

• Request Tracing OAG can now generate request trace ids or load them from a request header. We support the w3c tracing specification and simple UUID based tracing. Trace-Ids are written in each log statement to facilitate log correlation and can also be sent to the downstream request. See: https://github.com/gianlucafrei/Application-Gateway/wiki/Tracing,-Log-Correlation,-Correlation-Logging

Release v0.4-alpha

Fixed release pipeline