SSO header change for RESTful services
In Apache Syncope 2.0.3, SSO support was added (
curl -H "X-Syncope-Token: eyJ0e..." http://localhost:8080/syncope/rest/users/self
From Syncope 2.0.4 onwards (
curl -H "Authorization: Bearer eyJ0e..." http://localhost:8080/syncope/rest/users/self
JWS signing key reference
In Apache Syncope 2.0.3, the default JWS signing key was referenced in securityContext.xml as "${jwsKey}.bytes". This was incorrect: it results in the key value with ".bytes" appended to it. In Syncope 2.0.4, the following value should be used instead: "#{jwsKey.getBytes()}".
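What the two references mean for token validation, as an added example that is not Syncope code: it assumes an HMAC-signed JWS (HS256 is chosen for illustration), an ASCII key, and a constructed key value; `effective_key`, `sign_hs256` and `verify_hs256` are hypothetical helper names. A token signed with the suffixed key does not verify against the key as configured, so anything that checks tokens independently has to use the same key bytes as the server.

```python
import base64
import hashlib
import hmac
import json

SAMPLE_KEY = "constructed-demo-key-not-a-real-secret"  # constructed value

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def effective_key(jws_key: str, reference: str) -> bytes:
    """Key bytes the signer ends up with for each securityContext.xml reference."""
    if reference == "${jwsKey}.bytes":
        # 2.0.3: the key value with the literal text ".bytes" appended
        return (jws_key + ".bytes").encode("utf-8")
    if reference == "#{jwsKey.getBytes()}":
        # 2.0.4: the bytes of the key itself
        return jws_key.encode("utf-8")
    raise ValueError("unknown reference: " + reference)

def sign_hs256(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes) -> bool:
    try:
        signing_input, sig = token.rsplit(".", 1)
        mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        # constant-time comparison of the encoded signatures
        return hmac.compare_digest(b64url(mac).encode("ascii"), sig.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return False  # malformed token: missing segment or non-ASCII content

if __name__ == "__main__":
    old_key = effective_key(SAMPLE_KEY, "${jwsKey}.bytes")
    new_key = effective_key(SAMPLE_KEY, "#{jwsKey.getBytes()}")
    token = sign_hs256({"sub": "demo-user"}, old_key)
    print("verifies with 2.0.3 reference:", verify_hs256(token, old_key))
    print("verifies with 2.0.4 reference:", verify_hs256(token, new_key))
```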
Default key and password checking
In Apache Syncope 2.0.4, a warning is logged if the default JWS key is used either to create or update an access token, or to invoke a RESTful service. Similarly, a warning is logged if the default admin password is detected. If you see these warnings in the logs, it is critical to change the default values.