Releases: membrane/api-gateway

v5.4.1

28 Mar 18:30

Improvements:

  • added option <openapi validateSecurity="yes"> to be able to selectively disable OpenAPI security validation (not advised ;-)
  • added support for OpenID Connect RP-Initiated Logout 1.0, which will log the user out at the Authorization Server, if the server supports it

Fixes:

  • upgraded dependencies

Unfortunately, the Docker image build process is currently broken: predic8/membrane:5.4.1 is therefore not working at the moment. Please build your own Docker image in the meantime.

v5.4.0

21 Mar 12:49

Changes since 5.3.5:

  • fixed combination of B2C and refreshing access tokens
  • upgraded dependencies

Features:

  • added <apiDocs/> aggregating API documentation from OpenAPI definitions across service proxies
  • <openapi/> now validates scopes from various sources (e.g. API keys, JWT tokens, OAuth2 (also using JWT tokens))

Fixes:

  • OpenAPI Validation: use most specific body schema for validation
  • fixed <requireAuth errorStatus="..."/> by adding Content-Length: 0 to the response
  • OAuth2: avoid session creation where none is needed
  • minor access log fixes
  • upgraded dependencies
  • test fixes

Unfortunately, the Docker image build process is currently broken: predic8/membrane:5.4.0 is therefore not working at the moment. Please build your own Docker image in the meantime.

v5.3.5

11 Mar 13:05

Fixes since 5.3.4:

  • fixed combination of B2C and refreshing access tokens
  • upgraded dependencies

v5.3.4

08 Mar 12:34

Changes since 5.3.3:

  • improved OpenTelemetry reporting (changes in <openTelemetry> configuration)
  • improved several problem URIs

Fixes:

  • upgraded dependencies
  • OpenAPI: support nested types
  • added prometheus example
  • support <requireAuth required="false" .../> to skip authentication, if no token is present
  • support <requireAuth errorStatus="401" .../> to return specific error code on authentication failure
  • support <oAuth2Resource2 afterErrorUrl="/foo" .../> to send user to error page after error during login
  • support <oAuth2Resource2 onlyRefreshToken="true" .../> to allow Authorization Server to return no access token (only a refresh token)
  • support <requireAuth scope="foo" oauth2="oauth2"/> and <requireAuth scope="bar" oauth2="oauth2"/> to request multiple access tokens from Authorization Server

v5.3.3

26 Feb 07:41

Changes:

  • <oauth2Resource2/> and <jwtAuth/> now fully support using an HTTP proxy to access the OAuth2 authorization server
  • <oauth2Resource2/> now prefers the form code POST, if it is offered by the OAuth2 authorization server
  • <loginParameter/>s can be specified per-<requireAuth/>
  • added workaround for Microsoft B2C not adhering to OIDC standard

Improvements:

  • several test fixes
  • upgraded several dependencies and Docker base image

v5.3.2

12 Feb 14:28

Improvements:

  • APIKey example tests

Bug fixes:

v5.3.1

06 Feb 09:48

Changes:

  • Memcached as Session and OriginalRequest Storage
  • OAuth2Resource2Interceptor
    • Changes in Attribute/Child Element Configuration
    • Support additional Parameters
    • Support B2C UserFlows
    • Support Logout Endpoint

Fixes:

  • SessionManagers handle multiple cookies

v5.2.1

30 Jan 16:16

Changes:

  • OpenAPI: added parameter validation (query parameters, HTTP headers)
  • OpenAPI: added a JSON:API compatible endpoint returning the list of APIs
  • OpenAPI: allow trailing slashes
  • added OpenTelemetry support
  • <accessControl>: RegEx & CIDR support
  • <log>: also log ABORTed exchanges
  • default variables for scripting contexts (Groovy, JavaScript) are now standardized and documented on http://membrane-api.io/plugins/scripting.html
  • migrated JKS keystores to PKCS12

Fixes:

  • <prometheus>: added code="200" label, making metrics unique
  • made rest2soap work with HTTPS
  • several fixes from automated code analysis
  • improved examples
  • smaller fixes
  • code cleanup
  • dependency upgrade: logback-classic to 1.3.12, Spring to 6.0.16

v5.2.0

18 Sep 07:16

New Features:

  • Access logging plugin
  • Security header padding plugin

Improvements:

  • Synchronization in rate limiter plugin
  • Reduced TLS logging
  • Updated dependencies
  • Documentation: Rewriting, JSON Protection, OAuth
  • Changed error messages to Problem Details for JSONProtection
  • Return JSON error messages instead of HTML
  • Logging for "No route to host"
  • OpenAPI Validator: Warning if the path is shared between specs
  • OpenAPI Validator: Support for wildcard response codes
  • Samples for new features - Make OpenAPI docs also available under /api-docs

Bugfixes:

  • Fixed SSL AEAD issue by using Java 17 for Docker

v5.1.0

28 Mar 14:49

Changes since 5.0.1

  • Important: renamed distribution from membrane-service-proxy to membrane-api-gateway

  • Breaking: default connection limit is changed from 60 to -1 (unlimited) #452

  • Known Issue: <redis/> does not work with redis/sentinel failover #509

  • enhanced capabilities of <jsonProtection />

  • added text search in <adminConsole />

  • fixed regexReplacer corrupting binary data #437

  • added SpEL Keys to <rateLimiter /> #448

  • added X-Forwarded-For handling in <rateLimiter /> #406

  • HTTP/2: detach Message from StreamInfo when CLOSED (freeing memory not used anymore, while TCP connection is still open) #468

  • handle Error in socket acceptor loop by termination (an OutOfMemoryError causes Membrane to terminate with this fix, which improves availability with external (containerD/SystemD) job control)

  • added CycloneDX SBOM to distribution

  • added rewriting support for Swagger 2 #485

  • improved scripting plugins #420 #440

  • improved error message of OpenApiPublisher #441

  • improved example tests

  • improved documentation, tutorials

  • bumped dependencies

  • smaller improvements

  • source code improvements (made possible by Java 17)