Releases: web-eid/web-eid-authtoken-validation-java
v3.0.1
v3.0.1 is a minor maintenance release that includes several dependency upgrades, most importantly BouncyCastle and jackson-databind. Additionally, it features adjustment of the OCSP nonce length to 32 bytes, enhancements in the build process to generate source and Javadoc JARs alongside the library JAR and a fix to an expired certificate in tests.
Full changelog: v3.0.0...v3.0.1.
Packages
The release Maven package along with source and Javadoc JARs is available in the GitLab Package Repository.
v3.0.0
Changes
v3.0.0 is a major release that requires Java 11. It uses the built-in HttpClient instead of OkHttpClient for OCSP requests, and the OkHttpClient dependency is no longer included. The public API has not changed.
If needed, you can continue using OkHttpClient by implementing the OcspClient interface with OkHttpClient and injecting the implementation using the AuthTokenValidatorBuilder.withOcspClient() method.
Full changelog: v2.1.2...v3.0.0.
Packages
The release Maven package is available in the GitLab Package Repository.
v2.1.2
Changes
v2.1.2 is a minor maintenance release, bumping jackson-databind from 2.13.4.1 to 2.13.4.2 and adding other minor changes.
Full changelog: v2.1.1...v2.1.2.
Packages
The release Maven package is available in the GitLab Package Repository.
v2.1.1
Changes
Bump jackson-databind from 2.13.4 to 2.13.4.1.
Packages
The release Maven package is available in the GitLab Package Repository.
v2.1.0
Changes
- Allow overriding the OCSP client with AuthTokenValidatorBuilder.withOcspClient(). This gives the possibility to either configure the request timeouts, proxies etc. of the OkHttpClient instance used by OkHttpOcspClient or provide an implementation that uses an altogether different HTTP client, for example the built-in HttpClient provided by Java 9+.
- Remove the Guava dependency that was used in only a few places.
Full list of changes is in the v2.1.0 milestone.
Packages
Maven package is available in the GitLab Package Repository.
v2.0.1
Changes
- allow more than one responder certificate in the OCSP response.
Full list of changes is in the v2.0.1 milestone.
Packages
Maven package is available in the GitLab Package Repository.
v2.0.0
v2.0.0 is a major backwards incompatible release.
In version 1, the generated challenge nonces were stored in a JSR107 compatible cache. However, if the website had a CSRF vulnerability, this made the solution vulnerable to forged login attacks. In version 2, a session-backed challenge nonce store must be used instead to mitigate this attack.
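The difference between the two storage models, as an added example that is not code from the library: a store looked up by nonce value accepts any outstanding nonce, while a store looked up by session accepts only the nonce issued to the session that presents the token. The class names are hypothetical, sessions are modeled as plain string IDs rather than HttpSession objects, and nonce expiry and token signature validation are left out.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class NonceStoreDemo {
    private static final SecureRandom RNG = new SecureRandom();

    static String newNonce() {
        byte[] bytes = new byte[32];
        RNG.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    // Version 1 style: one application-wide store, looked up by nonce value.
    static class SharedNonceStore {
        private final Set<String> issued = new HashSet<>();
        String issue() { String n = newNonce(); issued.add(n); return n; }
        // Accepts any outstanding nonce, whichever session requested it.
        boolean consume(String nonceFromToken) { return issued.remove(nonceFromToken); }
    }

    // Version 2 style: one nonce per session, looked up by session.
    static class SessionNonceStore {
        private final Map<String, String> bySession = new HashMap<>();
        String issue(String sessionId) { String n = newNonce(); bySession.put(sessionId, n); return n; }
        // Single use: the session's nonce is removed whether or not it matches.
        boolean consume(String sessionId, String nonceFromToken) {
            String expected = bySession.remove(sessionId);
            return expected != null && expected.equals(nonceFromToken);
        }
    }

    public static void main(String[] args) {
        SharedNonceStore shared = new SharedNonceStore();
        String n = shared.issue(); // issued to session A, presented by session B
        System.out.println("shared store, other session:  " + shared.consume(n));

        SessionNonceStore bound = new SessionNonceStore();
        String a = bound.issue("session-A");
        bound.issue("session-B");
        System.out.println("session store, other session: " + bound.consume("session-B", a));
        String a2 = bound.issue("session-A");
        System.out.println("session store, same session:  " + bound.consume("session-A", a2));
        System.out.println("session store, replay:        " + bound.consume("session-A", a2));
    }
}
```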
The Web eID authentication token format changed in version 2. In version 1, the authentication token was in the OpenID X509 ID Token (JWT) format in order to be compatible with the standard OpenID Connect ID Token specification. The JWT format was found to be undesirable, as it implies that the claims presented in the Web eID authentication token can be trusted and processed, while they actually cannot be trusted. Therefore a custom JSON-based format was adopted for the Web eID authentication token in version 2.
Detailed overview of the changes and upgrade instructions are available here.
Changes
See the list of changes in the v2.0.0 milestone.
Backwards incompatible changes
- the Maven group ID and package namespace changed from org.webeid to eu.webeid,
- a session-backed challenge nonce store that implements the ChallengeNonceStore interface is required instead of a JSR107 cache,
- usages of the withNonceCache() method should be removed,
- authentication token validation method signature has changed,
- CertUtil is renamed into CertificateData.
See upgrade instructions for details.
Packages
The v2.0.0 Maven package is available in the GitLab Package Repository.
v2.0.0-rc1
refactor(challenge): change ChallengeNonceStore type from abstract class to interface WE2-608 Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
v1.2.0
Changes
- make OCSP service configurable, verify OCSP responder certificate and response signature.
Full list of changes is in the v1.2.0 milestone.
Backwards incompatible changes
org.webeid.security.util.CertUtil has been renamed to org.webeid.security.certificate.CertificateData.
Packages
Maven package is available in GitLab Package Repository.
v1.1.0
Changes:
- use ZonedDateTime instead of LocalDateTime to avoid unexpected results near daylight saving clock change times,
- add more tests.
Full list of changes is in the v1.1.0 milestone.
Maven package is available in GitLab Package Repository.