Releases: membrane/api-gateway

v6.2.4

22 Jul 14:28

Changes since 6.2.3:

Improvements:

  • improved <cors>: normalizing origin
  • migrate other shell scripts to new MEMBRANE_HOME discovery logic
  • added <lbClusterHealthMonitor> to schedule periodic health checks for load balancer clusters
  • added <priorityStrategy> to prioritize certain load balancer nodes over others
  • added extending-membrane/configuration-properties example demonstrating how to use secrets from environment variables
  • scripting documentation

Fixes:

  • fixed OPTIONS request with no body causing thread to hang
  • upgraded dependencies (commons-lang3 to 3.18.0, bcpkix-jdk18on to 1.81, opentelemetry-exporter-otlp to 1.51.0)
  • RPM package: fixed classpath computation logic to include /etc/membrane

v6.2.3

07 Jul 10:09

Changes since 6.2.2:

Features:

  • Support OpenAPI 3 discriminator with a mapping.

Improvements:

  • Do not log Exceptions for unroutable HTTP requests, avoiding log spam.
  • Do not log empty Exceptions.
  • Added a few missing JavaDoc comments.
  • Improved JavaDoc syntax description (describing what the annot submodule does to auto-generate the documentation).
  • Upgraded dependencies (jackson-core to 2.19.1, opentelemetry-sdk to 1.51.0, log4j-core to 2.25.0)

Fixes:

  • Fixed #1951: Load Balancer API now supports case-insensitive cluster names.

v6.2.2

03 Jul 12:47

Changes since 6.2.1:

Fixes:

  • Fixed membrane.sh to support RPM deployment (where file system layout is not the extracted ZIP file, but references /etc/membrane/proxies.xml).

Features:

  • added command to extract a public JWK from a private JWK file: membrane.sh private-jwk-to-public -i private.jwk -o public.jwk

v6.2.1

03 Jul 11:20

Changes since 6.2.0:

Changes:

  • <jsonProtection/> now blocks JSON objects with a key "__proto__" by default. (Set <jsonProtection blockProto="false"/> to get back the old behavior.)
  • Set showSSLExceptions default to false to avoid log spam. (Documented the suggestion that users should set it to true when debugging SSL/TLS setup problems.)

Improvements:

  • Added a few missing Javadoc comments.
  • Upgraded dependencies (maven-plugin-api)

v6.2.0

30 Jun 16:44

Changes since 6.1.0:

Features:

Improvements:

  • made some OpenAPI validation corner cases spec-compliant
    • avoid NullPointerException during validation for certain schemas
    • support "type": "null"
    • support missing "type" while still enforcing constraints
    • do not accept the JSON string "5.3" for "type": "number", because it is a "string", not a number
    • patterns are not anchored (use ^...$ to anchor them)
    • support patternProperties
  • improved lock contention in LimitedMemoryExchangeStore and HttpEndpointListener (thanks, @Lucamadio!)
  • <databaseApiKeyStore>: avoid error when table already exists
  • <oauth2Resource2>: issue new session id after login (preventing possible session fixation attacks) (@rrayst)
  • <oauth2Resource2>: convert error reconstructing the exchange (e.g. when clicking Back after the login) to an OAuth2Exception, which can be handled by a custom afterErrorUrl. (@rrayst)
  • upgrade dependencies (spring-web to 6.2.8, commons-fileupload to 1.6.0, bcpkix-jdk18on to 1.81 and others)
  • improved examples

v6.1.0

11 Jun 15:07

Since 6.0.4:

Breaks:

  • Default scripting language is now SpEL. You can still use language="GROOVY" to switch back.

Fixes:

  • remove RFC7540-based protocol upgrade headers
  • fixed <acme><fileStorage> locking
  • use 302 for OAuth2 redirects
  • fixed OAuth2 state encoding

Improvements:

  • added membrane.sh generate-jwk to generate an RSA key (e.g. to encrypt session data)
  • introduced <idempotency>
  • introduced <chain>, <global>
  • added <cors>
  • added <mongoDBExchangeStore>
  • support expressions in <target/> (see examples/routing-traffic/dynamic-routing)
  • improved examples examples/orchestration/call-authentication and examples/orchestration/for-loop
  • bumped libraries (e.g. json-smart to 2.5.2, soa-model to 2.2.0)
  • improvements for <call/>
  • improvements for <adminApi/>
  • test: added tests for OAuth2 Client using form_post
  • improved OAuth2 Client: added PKCE
  • refactor: SSLContext
  • refactor: OAuth2 B2C tests
  • refactor: OAuth2 Client
  • refactor: HTTP Header class
  • improved examples
  • introduced optional byte stream logging
  • support loading configuration from proxies.yaml instead of proxies.xml
  • reduced flakiness of Loadbalancing4XmlSessionExampleTest

v5.8.8

07 May 16:10

Change:

  • <oauth2Resource2>: In case of 'CSRF token mismatch.', log both tokens being compared to aid in analysis of root cause
  • <oauth2Resource2>: Log if stored token gets overwritten after successful login

v5.5.14

07 May 16:10

Change:

  • <oauth2Resource2>: In case of 'CSRF token mismatch.', log both tokens being compared to aid in analysis of root cause
  • <oauth2Resource2>: Log if stored token gets overwritten after successful login

v5.8.6

06 May 08:05

Change:

  • <oauth2Resource2>: Split 'CSRF token mismatch.' into 3 separate error cases. Enable usage of afterErrorUrl also for these 3 error cases.

v5.5.13

06 May 08:46

Change:

  • <oauth2Resource2>: Split 'CSRF token mismatch.' into 3 separate error cases. Enable usage of afterErrorUrl also for these 3 error cases.