2.0.0
Changes
The API `PUT /admin/session` renews a JWT token. This makes it possible to implement in the frontend a behaviour where the JWT token has a short validity and is renewed frequently: once it stops being renewed, the user is disconnected.
Guidelines from https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html have been implemented. That means there is now a companion fingerprint cookie for the session: a JWT token stolen through an XSS attack cannot be reused on its own, because the server also checks the cookie, which is HttpOnly and therefore not readable from JavaScript.
This can be configured with these parameters:
admin.session.use-fingerprint-cookie = true
admin.session.fingerprint-cookie-https-only = true # should be set to false on non-HTTPS environments
The internals of how security is implemented have been simplified.
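As an added illustration (not Plume Admin's own code, which is Java), the following stdlib-only Python sketch shows the mechanism described above: a short-lived HS256 JWT whose `fgp` claim holds the SHA-256 of a random fingerprint, the fingerprint itself sent back in a HttpOnly cookie, the check on each request that rejects a token presented without its cookie, and a `PUT /admin/session`-style renewal that re-issues the token with a fresh expiry while keeping the same fingerprint. The cookie name `session-fingerprint`, the claim name `fgp`, the function names and the 300-second validity are assumptions made for the example; the `https_only` flag stands in for `admin.session.fingerprint-cookie-https-only`.

```python
import base64
import hashlib
import hmac
import json
import secrets

# HS256 signing key, generated per process for the demo (assumption: Plume loads its own key from configuration)
SECRET_KEY = secrets.token_bytes(32)
# Short token validity, in seconds: the frontend is expected to renew before it elapses
EXPIRE_SECONDS = 300
# Name of the companion fingerprint cookie (assumed name; Plume's real cookie name may differ)
FINGERPRINT_COOKIE = "session-fingerprint"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    return _b64url(hmac.new(SECRET_KEY, signing_input, hashlib.sha256).digest())


def encode_jwt(claims):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = (header + "." + payload).encode("ascii")
    return header + "." + payload + "." + _sign(signing_input)


def decode_jwt(token):
    header, payload, signature = token.split(".")
    expected = _sign((header + "." + payload).encode("ascii"))
    if not hmac.compare_digest(signature, expected):
        raise ValueError("invalid JWT signature")
    return json.loads(_b64url_decode(payload))


def fingerprint_hash(fingerprint):
    # Only the SHA-256 of the fingerprint goes into the token, so a leaked token reveals nothing reusable
    return hashlib.sha256(fingerprint.encode("ascii")).hexdigest()


def fingerprint_cookie_header(fingerprint, https_only=True):
    # HttpOnly keeps the value away from JavaScript; Secure is what fingerprint-cookie-https-only toggles
    attributes = [FINGERPRINT_COOKIE + "=" + fingerprint, "HttpOnly", "SameSite=Strict", "Path=/"]
    if https_only:
        attributes.append("Secure")
    return "; ".join(attributes)


def create_session(user_id, now):
    """POST /admin/session: returns (JSON body, fingerprint cookie value)."""
    fingerprint = secrets.token_hex(32)
    claims = {"sub": user_id, "exp": now + EXPIRE_SECONDS, "fgp": fingerprint_hash(fingerprint)}
    return {"webSessionToken": encode_jwt(claims)}, fingerprint


def parse_session(token, cookies, now):
    """Check signature, expiry and fingerprint cookie; return the claims or raise PermissionError."""
    claims = decode_jwt(token)
    if now >= claims["exp"]:
        raise PermissionError("session expired")
    fingerprint = cookies.get(FINGERPRINT_COOKIE)
    if fingerprint is None or not hmac.compare_digest(fingerprint_hash(fingerprint), claims["fgp"]):
        raise PermissionError("fingerprint cookie missing or mismatched: the token alone is not enough")
    return claims


def renew_session(token, cookies, now):
    """PUT /admin/session: re-issue the token with a fresh expiry, bound to the same fingerprint."""
    claims = parse_session(token, cookies, now)
    claims["exp"] = now + EXPIRE_SECONDS
    return {"webSessionToken": encode_jwt(claims)}


if __name__ == "__main__":
    body, fgp = create_session("alice", now=1000)
    print(fingerprint_cookie_header(fgp))
    print(parse_session(body["webSessionToken"], {FINGERPRINT_COOKIE: fgp}, now=1100))
    try:
        parse_session(body["webSessionToken"], {}, now=1100)  # stolen token presented without the cookie
    except PermissionError as err:
        print("rejected:", err)
```

Note the limit of this protection: the cookie stops an exfiltrated token from being replayed from another machine, but a script running inside the compromised page can still call the API, since the browser attaches the cookie automatically. The fingerprint cookie reduces the blast radius of an XSS; it does not remove the need to fix the XSS.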
Upgrade instructions
- Configuration:
  - If you overrode the configuration value `admin.session-duration`, you should rename it to `admin.session.expire-duration`. Moreover, beware that there are new configuration values for session management: `admin.session.refresh-duration` and `admin.session.inative-duration`. ⚠️ There is a typo in this config name (`inative` instead of `inactive`) in this version; it is fixed in Plume Admin 2.0.2.
  - On local (non-HTTPS) environments, the configuration value `admin.session.fingerprint-cookie-https-only` should be set to `false`.
  - `AdminConfigurationService.sessionDurationInMillis()` has been renamed `AdminConfigurationService.sessionExpireDurationInMillis()`.
- API:
  - The `/admin/session` API now returns a JSON object instead of a string containing the raw JWT token: `POST /admin/session` returns an `AdminSession` object, and the JWT token is in its field `webSessionToken`.
  - `WebSessionProvider`, `WebSessionClassProvider` and `WebSessionAdminProvider` have been removed.
  - `JerseyJwtSessionParser` has been renamed to `JerseySessionParser` and all accesses are now static.
  - `WebSessionAdminFactory` and `WebSessionAdmin` have been moved to the `plume-admin-security` module: imports must be reorganized by the IDE in the Jersey configuration.
  - If using `GuiceAdminWsModule` instead of `GuiceAdminWsWithDefaultsModule`, these bindings:
bind(WebSessionProvider.class).to(WebSessionAdminProvider.class);
bind(WebSessionClassProvider.class).to(WebSessionAdminProvider.class);
must be replaced by:
bind(WebSessionSigner.class).toProvider(JwtSessionSignerProvider.class);
bind(JwtSessionSigner.class).toProvider(JwtSessionSignerProvider.class);