SSO header change for RESTful services

In Apache Syncope 2.0.3, SSO support was added (SYNCOPE-1035 on ASF JIRA) for RESTful services by sending a JWT token using the X-Syncope-Token header, e.g.:

curl -H "X-Syncope-Token: eyJ0e..." http://localhost:8080/syncope/rest/users/self

From Syncope 2.0.4 onwards (SYNCOPE-1120 on ASF JIRA), this header is no longer supported. Instead, you must use the standard Authorization header with the Bearer scheme, e.g.:

curl -H "Authorization: Bearer eyJ0e..." http://localhost:8080/syncope/rest/users/self


JWS signing key reference

In Apache Syncope 2.0.3, the default JWS signing key was referenced in securityContext.xml as "${jwsKey}.bytes". This was incorrect: "${...}" is a plain property placeholder, so the expression resolved to the configured key value with the literal string ".bytes" appended, rather than to the key's byte array. In Syncope 2.0.4, the SpEL expression "#{jwsKey.getBytes()}" should be used instead, which calls getBytes() on the key and yields the intended bytes.
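The following is an added example, not code from the Syncope project or from this page. It covers the two changes above: it builds the request headers a client must send to 2.0.3 versus 2.0.4, and it shows why the "${jwsKey}.bytes" reference broke token validation by signing an HMAC-based JWS with the intended key bytes and then checking it against the key the placeholder actually produced. The key value, the claims and the HS512 algorithm choice are the example's own assumptions, not values taken from Syncope's configuration.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder secret for the example; not Syncope's real default jwsKey.
JWS_KEY = "example-shared-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a JWS compact serialization signed with HMAC-SHA512 (HS512).

    The algorithm is an assumption of this example, chosen because it is
    what an HMAC-keyed JWS access token looks like; adjust if your
    deployment uses another HMAC variant.
    """
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes):
    """Return the claims if the HMAC verifies under `key`, otherwise None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None  # not a three-part compact serialization
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def key_bytes_placeholder(jws_key: str) -> bytes:
    """What "${jwsKey}.bytes" really resolved to in 2.0.3: the key string with
    the literal text ".bytes" appended, because ${...} is plain substitution."""
    return (jws_key + ".bytes").encode("utf-8")


def key_bytes_spel(jws_key: str) -> bytes:
    """What "#{jwsKey.getBytes()}" resolves to in 2.0.4: the key's own bytes."""
    return jws_key.encode("utf-8")


def auth_headers(token: str, syncope_version: tuple) -> dict:
    """Choose the request header accepted by the given Syncope version."""
    if syncope_version >= (2, 0, 4):
        return {"Authorization": "Bearer " + token}
    return {"X-Syncope-Token": token}


def demo() -> dict:
    """Sign with the intended key bytes, then verify against both key readings."""
    claims = {"sub": "admin", "iss": "ApacheSyncope"}  # constructed sample claims
    token = sign_jwt(claims, key_bytes_spel(JWS_KEY))
    return {
        "verifies_with_correct_key": verify_jwt(token, key_bytes_spel(JWS_KEY)) == claims,
        # The misconfigured key is a different byte string, so the HMAC does not match.
        "verifies_with_misconfigured_key": verify_jwt(token, key_bytes_placeholder(JWS_KEY)) is not None,
        "header_2_0_3": auth_headers(token, (2, 0, 3)),
        "header_2_0_4": auth_headers(token, (2, 0, 4)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The practical consequence of the key-bytes mismatch is that any component reading the key through the correct expression and any component reading it through the broken one disagree on the secret, so tokens issued by one side fail validation on the other; pinning securityContext.xml to "#{jwsKey.getBytes()}" on every node removes that split.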


Default key and password checking

In Apache Syncope 2.0.4, a warning is logged if the default JWS key is used either to create or update an access token, or to invoke a RESTful service. Similarly, a warning is logged if the default admin password is detected. If you see these warnings in the logs, it is critical to change the default values.