Releases: networknt/light-4j
2.1.3
2.1.3 (2022-11-10)
Merged pull requests:
- fixes #1466 recreate RateLimiter object after the config reload #1467 (stevehu)
- fixes #1464 update path handlers to allow the mapping to be empty #1465 (stevehu)
- fixes #1460 do not skip PathPrefixServiceHandler if server_url is in … #1463 (stevehu)
- fixes #1461 mask bootstrapStorePass in the server config during regis… #1462 (stevehu)
- fixes #1458 implement the password grant_type for salesforce handler #1459 (stevehu)
- fixes #1454 standardize the built-in config files for some modules #1455 (stevehu)
- fixes #1451 add api-key module and dummy OAuth server #1452 (stevehu)
- fixes #1449 update the BasicAuthHandler to make the config an instanc… #1450 (stevehu)
- Added shutdownApp method #1447 (fortunadoralph)
- fixes #1445 support multiple rules in the response transformer interc… #1446 (stevehu)
- Fixed Chunked Encoding When writing transformed Payload to SinkConduit (+ some refactor) #1444 (KalevGonvick)
- fixes #1442 resolve NPE in TokenHandler is appliedPathPrefixes missin… #1443 (stevehu)
- fixes #1439 request and response transform interceptors throw NPE if… #1440 (stevehu)
- ResponseBodyInterceptor Update #1437 (KalevGonvick)
- fixes #1435 checked content encoding in the response interceptor inje… #1436 (stevehu)
- fixes #1433 update the ModifiableContentSinkConduit to add some trace… #1434 (stevehu)
- fixes #1431 add debug and trace to the ProxyHandler to confirm retry #1432 (stevehu)
- fixes #1429 check the response headers to identify if the response co… #1430 (stevehu)
- fixes #1426 call the interceptors directly if there is no request body #1427 (stevehu)
- fixes #1424 add requestHeaders and responseHeaders to the request res… #1425 (stevehu)
1.6.43
2.1.2
2.1.2 (2022-10-22)
Merged pull requests:
- Fix flaky test in URLNormalizerTest.java #1419 (yannizhou05)
- fixes #1418 enhance the token handler to add applied path prefixes #1422 (stevehu)
- fixes #1420 check the appliedPathPrefixes for the RequestTransformInt… #1421 (stevehu)
- fixes #1415 add a new external handler for conquest planning API access #1416 (stevehu)
- Updated ModifiableSinkConduit + RequestInterceptInjectionHandler #1414 (KalevGonvick)
- fixes #1412 move the rewrite rules to inside the match condition for … #1413 (stevehu)
- fixes #1407 Add a new config property to control the size of the requ… #1410 (stevehu)
- Update RequestInterceptorInjectionHandler.java #1409 (KalevGonvick)
- fixes #1406 adding config reload for router.yml and others used by th… #1408 (stevehu)
- fixes #1402 add skip list for the security.yml to allow some prefix t… #1404 (stevehu)
- fixes #1401 add url rewrite rules for the salesforce handler for exte… #1403 (stevehu)
- Issue1399 #1400 (stevehu)
- fixes #1396 remove the stream body get as start blocking is remove #1397 (stevehu)
- fixes #1394 add properties to allow connect and host update in header #1395 (stevehu)
- fixes #1392 remove blocking as it causes the ModifiableContentSinkCon… #1393 (stevehu)
- fixes #1390 update response headers for external service handler to r… #1391 (stevehu)
- fix for RequestTransformer plus debug logging for ResponseTransformer #1389 (DiogoFKT)
- Update RequestInterceptorInjectionHandler.java #1387 (KalevGonvick)
- fixes #1384 fix a bug in the AuditConfig for the enabled flag #1385 (stevehu)
- fixes #1382 stop calling next middleware handler in request and resp… #1383 (stevehu)
- fixes #1380 external salesforce and mras response header missing #1381 (stevehu)
- fixes #1378 add a config property to pre-resolve the host in egress-r… #1379 (stevehu)
- fixes #1376 allow the empty body for RequestBodyInterceptor and all e… #1377 (stevehu)
- Feature/body handler trace enhancement #1374 (KalevGonvick)
- fixes #1372 ExternalService handler cannot handle empty body #1375 (stevehu)
- fixes #1371 add url rewrite to the external service handler in egress… #1373 (stevehu)
- fixes #1369 update header handler to support header manipulation per … #1370 (stevehu)
- Changes made to the code as required. Mentioned in issue #1274 & #1287 #1357 (AkashWorkGit)
- fixes #1367 handle the null content type for the mras request #1368 (stevehu)
- fixes #1363 add url rewrite rules in the mras handler #1366 (stevehu)
- fixes #1364 update the logic to copy the same hosts configuration to … #1365 (stevehu)
- Issue1361 #1362 (stevehu)
- fixes #1359 update MRAS handler to load the certificate from the keys… #1360 (stevehu)
- h2c config option #1358 (KalevGonvick)
- fixes #1355 Do not run response body interceptor if the response is st… #1356 (stevehu)
- fixes #1352 disable all test cases for the request body interceptor #1353 (stevehu)
- fixes #1350 do not call the next handler in the chain from request bo… #1351 (stevehu)
- fixes #1348 A typo in the proxy.yml in ingress-proxy resources/config #1349 (stevehu)
- fixes #1346 fix typos in the Salesforce and MRAS handlers to set the … #1347 (stevehu)
- fixes #1344 update salesforce handler to support multiple APIs with d… #1345 (stevehu)
- fix typo for ExternalService response headers #1343 (DiogoFKT)
- Fix for 1339 #1340 (KalevGonvick)
- fixes #1337 disable several test cases in client module that only wor… #1338 (stevehu)
- fixes #1335 check the request path with the key set in MRAS and Sales… #1336 (stevehu)
- fixes #1332 refactor salesforce handle to support multiple configurat… #1333 (stevehu)
- fixes #1330 update MRAS config to add resource to the Microsoft token… #1331 (stevehu)
- fixes #1328 Handle non-JSON request body in the AuditHandler #1329 (stevehu)
- fixes #1326 refactor the MRAS handler to resolve multiple use cases w… #1327 (stevehu)
- fixes #1324 support xml request body parsing in the RequestBodyInterc… #1325 (stevehu)
- Bump postgresql from 42.3.3 to 42.4.1 #1321 (dependabot)
- fixes #1319 remove the status from the audit list #1320 (stevehu)
- fixes #1317 convert the audit handler to interceptor for logging requ… #1318 (stevehu)
- fixes #1314 upgrade yaml-rule to 1.0.1 in pom.xml #1315 (stevehu)
- Issue1308 #1312 (stevehu)
- fixes #1302 Do an iteration to get the serviceId from the request path #1303 (stevehu)
- fixes #1300 update ServiceConfig to allow the singletons to be null #1301 (stevehu)
- fixes #1298 cache the jwk with all kids in the jwk result #1299 (stevehu)
- fixes #1294 update BasicAuthConfig to support JSON string for the users #1295 (stevehu)
- fixes #1292 upload ServiceConfig to support load singletons as JSON s… #1293 (stevehu)
- fixes #1290 update GatewayRouterHandler to add the caller_id to the r… #1291 (stevehu)
- fixes #1288 change the ProxyConfig to remove httpsEnabled [#1289](https://github.com/net...
1.6.42
1.6.41
1.6.40
2.1.1
2.1.1 (2022-04-26)
Merged pull requests:
- fix for NPE if input is null for Mask methods (issue 1208) #1222 (miklish)
- fixes #1220 update the rate-limit config to ensure backward compatibi… #1221 (stevehu)
- fixes #1216 add query parameter and header rewrite in the ProxyHandler #1217 (stevehu)
- fixes #1218 handle the case that clientId and userId resolver failed … #1219 (stevehu)
- Issue1211 #1212 (stevehu)
- fixes #1213 move the tableau authentication handler to the light-4j i… #1214 (stevehu)
- fixes #1209 NPE is thrown when the server is selected as key without … #1210 (stevehu)
- fixes #1206 update the default rate limit handle configuration after … #1207 (stevehu)
- fixes #1204 update rate-limit to add an overloaded constructor with c… #1205 (stevehu)
- fixes #1202 remove the 500 sleep and enable multiple requests test #1203 (stevehu)
- Rate limit handler fix #1201 (GavinChenYan)
- Issue1178 #1200 (stevehu)
- fixes #1198 return an status object for generic exception from the Pr… #1199 (stevehu)
- Feature/content length error message #1197 (KalevGonvick)
- ProxyBodyHandler Rework #1196 (KalevGonvick)
- add DefaultConfigLoaderTest.java #1192 (wswjwjccjlu)
- fixes #1191 We have ProxyHandler in both egress-router and ingress-pr… #1194 (stevehu)
- Issue1188 #1189 (stevehu)
- ProxyBodyHandler rework #1187 (KalevGonvick)
- fixes #1183 add the Transfer-Encoding of http header into the client.yml #1185 (stevehu)
- fixes #1181 Update the config class to output the config file name wh… #1182 (stevehu)
- fixes #1179 remove a trace statement that can cause NPE #1180 (stevehu)
- fixes #1176 add a status code for OBJECT_NOT_UNIQUE #1177 (stevehu)
- fixes #1174 #1175 (GavinChenYan)
- fixes #1172 output the status in log if get service from portal fails #1173 (stevehu)
- fixes #1170 add enabled flag to the rule-loader.yml to bypass the rul… #1171 (stevehu)
- Update on config loader for nested values.yml #1168 (wswjwjccjlu)
- fixes #1166 Handle the LoadBalancingRouterProxyClient has empty host … #1167 (stevehu)
- fixes #1126 update the config.yml and router.yml with templates #1165 (stevehu)
- fixes #1162 Add a new error code for Startup Hook not loaded correctly #1163 (stevehu)
- fixes #1160 Update a typo in a test case comment #1161 (stevehu)
- fixes #1158 update default client.yml to enable the token serverUrl a… #1159 (stevehu)
- fixes #1156 add more tracing statements in OauthHelper #1157 (stevehu)
- fixes #1154 adding logging statements in AbstractRegistry #1155 (stevehu)
- fix the empty body issue for config reload handler #1153 (GavinChenYan)
- fixes #1151 add a default constructor for ClientCredentialsRequest #1152 (stevehu)
- fixes #1149 make the sanitizer.yml backward compatible #1150 (stevehu)
- fixes #1147 remove the serviceId from the header in the router client #1148 (stevehu)
- fixes #1140 Update client module to verify JWT tokens from many OAuth… #1146 (stevehu)
- Issue1139 #1145 (stevehu)
- Issue1143 #1144 (GavinChenYan)
- fixes #1141 update logging statements in OauthHelper and ProxyHandler #1142 (stevehu)
- fixes #1137 update the rule-loader startup to avoid loading the same … #1138 (stevehu)
- fixes #1135 add a new status code to indicate the access control rule… #1136 (stevehu)
- fixes #1133 Add method rewrite in the gateway use case to support leg… #1134 (stevehu)
- fixes #1131 update sanitizer handler to support all owasp encoders #1132 (stevehu)
- fixes #1129 update RuleLoaderStartupHook to only get the ruleId and i… #1130 (stevehu)
- fixes #1127 upgrade jaeger-client to 1.8.0 from 1.6.0 to resolve depe… #1128 (stevehu)
Upgrade Guidelines:
This is a release with some bug fixes and enhancements. It is backward compatible with the 2.1.0 release.
1.6.39
2.1.0
2.1.0 (2022-02-27)
Merged pull requests:
- fixes #1124 enhance the sanitizer to make the configuration separated… #1125 (stevehu)
- fixes #1122 log the stacktrace if a middleware handler is not loaded … #1123 (stevehu)
- Issue1120 #1121 (stevehu)
- fixes #1118 allow router to support serviceId from query parameters a… #1119 (stevehu)
- fixes #1116 Update the rate-limit to allow customized the error code … #1117 (stevehu)
- fixes #1112 add Jdk8Module to the ObjectMappers in config module to h… #1113 (stevehu)
- fixes #1108 update the rule-loader to add another rule action to tran… #1109 (stevehu)
- Bump postgresql from 42.2.25 to 42.3.3 #1107 (dependabot)
- fixes #1105 disable a test case in the body handler as it is not stable #1106 (stevehu)
- Truncated Exception Fix #1104 (KalevGonvick)
- fixes #1102 update the LoggerGetLogContentHandler to return map and h… #1103 (stevehu)
- fixes #1100 remove a logging statement in the DefaultConfigLoader as … #1101 (stevehu)
- fixes #1097 add isNumeric to StringUtils in the utility #1098 (stevehu)
- Bump postgresql from 9.4.1211 to 42.2.25 #1095 (dependabot)
- Issue1093 #1094 (stevehu)
- fixes #1091 update the default rate limit concurrent requests to 2 fr… #1092 (stevehu)
- fixes #1089 update audit status key from Status to status #1090 (stevehu)
- fixes #1087 externalize rate-limit, header and whitelist-ip config files #1088 (stevehu)
- Bump h2 from 2.0.206 to 2.1.210 #1086 (dependabot)
- fixes #1084 update the DefaultConfigLoader to get the values.yml from… #1085 (stevehu)
- Bump httpclient from 4.5.6 to 4.5.13 #1077 (dependabot)
- Bump h2 from 1.4.196 to 2.0.206 #1083 (dependabot)
- fixes #1081 update the ClaimsUtil to name the service id claim with s… #1082 (stevehu)
- fixes #1079 add method and path to the method not found error message #1080 (stevehu)
- fixes #1075 Add rule-loader module to support fine-grained access con… #1076 (stevehu)
- fixes #1073 update the sanitizer.yml to externalize properties for va… #1074 (stevehu)
- fixes #1071 externalize jaeger-tracing configuration properties #1072 (stevehu)
- fixes #1069 update server.yml to externalize server.ip #1070 (stevehu)
- fixes #1067 update the SignKeyRequest to get the proxy info from the … #1068 (stevehu)
- fixes #1065 Turn off hostname verification for OAuthHelper based on t… #1066 (stevehu)
- change prometheus config to be extendable #1064 (GavinChenYan)
- fixes #1061 #1062 (GavinChenYan)
- Issue1059 #1060 (stevehu)
- fixes #1057 add ProxyHealthGetHandler in ingress-proxy for the http-s… #1058 (stevehu)
- fixes #1053 update the pom.xml and jaeger-client dependency to avoid … #1054 (stevehu)
- Issue 1048 #1051 (stevehu)
- max json payload for proxy which using buffer stream #1050 (GavinChenYan)
- fixes #1048 update ProxyBodyHandler to handle the data form and add t… #1049 (stevehu)
- add other contentType for proxy body handler #1047 (GavinChenYan)
Upgrade Guidelines:
The following middleware handlers have been changed in this release and the config file needs to be updated to leverage the new features.
- config.yml
For this release, we have set the default value to true for allowDefaultValueEmpty so that an empty value can be used in the template for other config files.
```yaml
# For some configuration files, we have left some properties without default values as there
# would be a negative impact on the application security. The following config will ensure that
# null will be used when the default value is empty without stopping the server during the start.
allowDefaultValueEmpty: true
```
- limit.yml
The errorCode property is newly added so that users can customize the error response returned when a request is dropped. By default, code 503 is returned.
```yaml
# If the rate limit is exposed to the Internet to prevent DDoS attacks, it will return 503
# error code to trick the DDoS client/tool to stop the attacks as it considers the server
# is down. However, if the rate limit is used internally to throttle the client requests to
# protect a slow backend API, it will return 429 error code to indicate too many requests
# for the client to wait a grace period to resend the request. By default, 503 is returned.
errorCode: ${limit.errorCode:503}
```
- sanitizer.yml
This file has changed substantially so that the encoders for the body and the header can be set up separately.
```yaml
---
# Sanitize request for cross-site scripting during runtime
# indicate if sanitizer is enabled or not
enabled: ${sanitizer.enabled:false}
# if it is enabled, the body needs to be sanitized
bodyEnabled: ${sanitizer.bodyEnabled:true}
# the encoder for the body. javascript, javascript-attribute, javascript-block or javascript-source
# There are other encoders that you can choose depending on your requirement. Please refer to site
# https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encoders.java
bodyEncoder: ${sanitizer.bodyEncoder:javascript-source}
# pick up a list of keys to encode the values to limit the scope to only selected keys. You can
# choose this option if you want to only encode certain fields in the body. When this option is
# selected, you can not use the bodyAttributesToIgnore list.
bodyAttributesToEncode: ${sanitizer.bodyAttributesToEncode:}
# pick up a list of keys to ignore the values encoding to skip some of the values so that these
# values won't be encoded. You can choose this option if you want to encode everything except
# several values with a list of the keys. When this option is selected, you can not use the
# bodyAttributesToEncode list.
bodyAttributesToIgnore: ${sanitizer.bodyAttributesToIgnore:}
# if it is enabled, the header needs to be sanitized
headerEnabled: ${sanitizer.headerEnabled:true}
# the encoder for the header. javascript, javascript-attribute, javascript-block or javascript-source
# There are other encoders that you can choose depending on your requirement. Please refer to site
# https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encoders.java
headerEncoder: ${sanitizer.headerEncoder:javascript-attribute}
# pick up a list of keys to encode the values to limit the scope to only selected keys. You can
# choose this option if you want to only encode certain fields in the body. When this option is
# selected, you can not use the headerAttributesToIgnore list.
headerAttributesToEncode: ${sanitizer.headerAttributesToEncode:}
# pick up a list of keys to ignore the values encoding to skip some of the values so that these
# values w...
```
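A pre-deployment check for the `${key:default}` placeholders in the config.yml and sanitizer.yml notes above, as an added example that is not light-4j's own code: it lists the properties that resolve to null under allowDefaultValueEmpty and flags a mutually exclusive encode/ignore pair when both lists are set. The resolver is a simplified assumption about the loader's behaviour, `overrides` stands in for externalized values such as values.yml, and the function names are hypothetical.

```python
import re

# Constructed sample: placeholder lines copied from the sanitizer.yml and
# limit.yml templates shown in the upgrade guidelines.
TEMPLATE = """\
enabled: ${sanitizer.enabled:false}
bodyEnabled: ${sanitizer.bodyEnabled:true}
bodyEncoder: ${sanitizer.bodyEncoder:javascript-source}
bodyAttributesToEncode: ${sanitizer.bodyAttributesToEncode:}
bodyAttributesToIgnore: ${sanitizer.bodyAttributesToIgnore:}
errorCode: ${limit.errorCode:503}
"""

PLACEHOLDER = re.compile(r"^(\w+):\s*\$\{([\w.]+):(.*)\}\s*$")

# Pairs the template comments describe as mutually exclusive.
EXCLUSIVE = [("bodyAttributesToEncode", "bodyAttributesToIgnore"),
             ("headerAttributesToEncode", "headerAttributesToIgnore")]


def resolve(template, overrides, allow_default_value_empty=True):
    """Simplified model of ${key:default} resolution (an assumption, not the
    project's loader). `overrides` maps placeholder keys to external values."""
    resolved = {}
    for line in template.splitlines():
        m = PLACEHOLDER.match(line)
        if not m:
            continue  # comments and literal values are not placeholders
        prop, key, default = m.groups()
        if key in overrides:
            resolved[prop] = overrides[key]
        elif default != "":
            resolved[prop] = default
        elif allow_default_value_empty:
            resolved[prop] = None  # empty default becomes null
        else:
            raise ValueError(f"no value and empty default for {key}")
    return resolved


def audit(resolved):
    """Return (properties left null, exclusive pairs that are both set)."""
    nulls = sorted(k for k, v in resolved.items() if v is None)
    conflicts = [pair for pair in EXCLUSIVE
                 if all(resolved.get(k) is not None for k in pair)]
    return nulls, conflicts
```

Running `audit(resolve(TEMPLATE, overrides))` against each environment's overrides shows which security-relevant properties were silently left null instead of stopping startup.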