
SSO header change for RESTful services

In Apache Syncope 2.0.3, SSO support was added (SYNCOPE-1035) for RESTful services by sending a JWT token using the X-Syncope-Token header, e.g.:

curl -H "X-Syncope-Token: eyJ0e..." http://localhost:8080/syncope/rest/users/self

From Syncope 2.0.4 onwards (SYNCOPE-1120), this header is no longer supported. Instead, you must use the standard Authorization Bearer header, e.g.:

curl -H "Authorization: Bearer eyJ0e..." http://localhost:8080/syncope/rest/users/self


JWS signing key reference

In Apache Syncope 2.0.3, the default JWS signing key was referenced in securityContext.xml as "${jwsKey}.bytes". This was incorrect: plain property substitution yields the key value with the literal text ".bytes" appended, so the key actually used was not the configured one. In Syncope 2.0.4, use "#{jwsKey.getBytes()}" instead.


Default key and password checking

In Apache Syncope 2.0.4, a warning is logged if the default JWS key is used either to create or update an access token or to invoke a RESTful service. A similar warning is logged if the default anonymous key is used to invoke a RESTful service.
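The two securityContext.xml forms above select different key material, which is why tokens issued under 2.0.3 cannot be verified under 2.0.4 and why the AccessToken table must be cleared before upgrading. The following is an added illustration, not Syncope's own code: it models the two expressions, signs and verifies a minimal HMAC JWT (HS256 is assumed here for illustration; the algorithm Syncope actually configures is not stated on this page), and flags use of the default key. The key value and the default-key marker are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder: Syncope's real default JWS key is not on this page.
DEFAULT_JWS_KEY_PLACEHOLDER = "<SYNCOPE-DEFAULT-JWS-KEY>"


def effective_key_bytes(jws_key: str, spring_expression: str) -> bytes:
    """Model what each securityContext.xml expression resolves to.

    "${jwsKey}.bytes" is property-placeholder substitution only, so the
    literal text ".bytes" is appended to the key value (the 2.0.3 defect).
    "#{jwsKey.getBytes()}" is a SpEL call returning the key's own bytes.
    """
    if spring_expression == "${jwsKey}.bytes":
        return (jws_key + ".bytes").encode()
    if spring_expression == "#{jwsKey.getBytes()}":
        return jws_key.encode()
    raise ValueError(f"unrecognised expression: {spring_expression}")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature using HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Constant-time check of the signature against the supplied key bytes."""
    try:
        header, payload, signature = token.split(".")
        actual = base64.urlsafe_b64decode(signature + "=" * (-len(signature) % 4))
    except ValueError:  # wrong number of parts or malformed base64
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, actual)


def uses_default_key(jws_key: str) -> bool:
    """Mirror the 2.0.4 check that warns when the shipped default key is still in use."""
    return jws_key == DEFAULT_JWS_KEY_PLACEHOLDER
```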

...

Before starting

Due to the changes in JWT management, execute the SQL statement below on your internal storage:

DELETE FROM AccessToken;

Be aware that the statement above invalidates any existing session.

Source changes

POM

In the root pom.xml:

  • change parent/version from 2.0.3 to 2.0.4

  • change properties/syncope.version from 2.0.3 to 2.0.4