Skip to content

2.0.0

Compare
Choose a tag to compare
@amanteaux amanteaux released this 19 Apr 16:40
· 126 commits to master since this release

Changes

The API PUT /admin/session enables to renew a JWT token. This enables to implement in the frontend a behavior where the JWT token has a small validity and is renewed frequently: so when it stopped being renewed, then users will be disconnected.

Guidelines from https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html have been implemented. That means that there is now a companion cookie for the session that ensure that even in case of a XSS attack, a user session cannot be hijacked.
This can be configured with these parameters:

  • admin.session.use-fingerprint-cookie = true
  • admin.session.fingerprint-cookie-https-only = true # should be set to false on non-HTTPS environments

The internals of how security is implemented has been simplified.

Upgrade instructions

  • Configuration: If you overrode the configuration value admin.session-duration, you should rename it to admin.session.expire-duration. Moreover, beware that there are new configuration values for the session management: admin.session.refresh-duration and admin.session.inative-duration ⚠️ There is a typo issue in this config name (inative instead of inactive) in this version that is fixed in Plume Admin 2.0.2
  • On local environments, the configuration value admin.session.fingerprint-cookie-https-only should be set to false
  • AdminConfigurationService.sessionDurationInMillis() has been renamed AdminConfigurationService.sessionExpireDurationInMillis()
  • API: The /admin/session is now returning an object instead of the raw JWT token. The JWT token is in the field webSessionToken of the returned object
  • WebSessionProvider, WebSessionClassProvider and WebSessionAdminProvider has been removed
  • JerseyJwtSessionParser has been renamed to JerseySessionParser and all accesses are now static
  • WebSessionAdminFactory and WebSessionAdmin have been moved to plume-admin-security module: imports must be reorganized by IDE in the Jersey configuration
  • The API POST /admin/session is now returning a JSON object instead of a string with the JWT token. The returned object by the API is AdminSession.
  • If using GuiceAdminWsModule instead of GuiceAdminWsWithDefaultsModule, these bindings:
bind(WebSessionProvider.class).to(WebSessionAdminProvider.class);
bind(WebSessionClassProvider.class).to(WebSessionAdminProvider.class);

must be replaced by:

bind(WebSessionSigner.class).toProvider(JwtSessionSignerProvider.class);
bind(JwtSessionSigner.class).toProvider(JwtSessionSignerProvider.class);