v6.3.1

Changes since 6.2.7:

Breaking Changes:

• removed the Load Balancer feature <nodeOnlineChecker> in favor of the new <balancerHealthMonitor>. See examples/loadbalancing/6-health-monitor on how to use it.

Fixes:

• <oauth2authserver>...<bearerJwtToken/>: Fixed JWT claim sub in access tokens after using the refresh token in the password flow at least once.

Improvements:

• Upgraded dependencies (commons-cli to 1.10.0, json-smart to 2.6.0, spotbugs-annotations to 4.9.4, google-api-client to 2.8.1)
• Add support for IPv6 addresses in URLs while using <uriFactory allowIllegalCharacters="true">.
• LoadBalancer Examples
• Improved Linux and Windows startup scripts
• Improved HTTP request retry logic. See documentation for details.
• Renewed the demo certificate, since the last one had expired.

Version 6.3.1 is identical in code to version 6.3.0. Version 6.3.0 was not officially released.

v6.2.7

Changes since 6.2.6:

Fixes:

• log opentelemetry log also via slf4j (meaning the otel log appears where you'd expect it)

Improvements:

• added optional setting <oauth2resource2 clientAuthentication="client_secret_post"> to transmit the client credentials in the Token Endpoint request body instead of using Basic Authentication
• upgraded various dependencies

v6.2.6

Changes since 6.2.5:

Fixes:

• fixed JDBCApiKeyStore connection leak (#2026) (@predic8)
• fixed B2C user flow handling: only switch to a new flow, once a new refresh token has been obtained by it (@rrayst)
• SessionFinder memory leak by removing already time-outed session references during the cleanup (#2054) (@precoder)

Improvements:

• improved logging of ProblemInfo internal details
• refactoring
• minor improvements to examples (@predic8, @russelmrcl)
• improved startup scripts
• added examples/routing-traffic/outgoing-api-gateway
• expose Load Balancer Node status to Prometheus (@christiangoerdes)
• upgraded dependencies (swagger-parser to 2.1.31, maven-plugin-api to 3.9.11, opentelemetry to 1.52.0 @t-burch, spring-beans to 6.2.9, jackson-core to 2.19.2)
• added httpOnly and sameSite to sessionManager (affecting LoginDialog which is in all login handling components except oauth2resource2)

v6.2.5

Changes since 6.2.4:

Security Fix:

• <oauth2resource2>: make cookie invalid after logout (previously, the cookie was deleted from the browser, but still valid)

Improvements:

• <oauth2resource2><membrane responseModesSupported="form_post query"> can now be used to select/prioritize one response mode over another. (Setting this to query might allow you to use a sameSite session cookie, in case you Authorization Server uses another domain and supports form_post, which is the default choice if available.)
• <httpClient> now logs requests and responses of all retries on the TRACE log level.
• <openTelemetry> does not log an exception anymore, if the frontend/backend connection breaks while reporting the HTTP message body.

Fixes:

• upgraded dependencies (log4j-layout-template-json to 2.25.1)

v6.2.4

Changes since 6.2.3:

Improvements:

• improved <cors>: normalizing origin
• migrate other shell scripts to new MEMBRANE_HOME discovery logic
• added <lbClusterHealthMonitor> to schedule periodic health checks for load balancer clusters
• added <priorityStrategy> to prioritize certain load balancer nodes over others
• added extending-membrane/configuration-properties example demonstrating how to use secrets from environment variables
• scripting documentation

Fixes:

• fixed OPTIONS request with no body causing thread to hang
• upgraded dependencies (commons-lang3 to 3.18.0, bcpkix-jdk18on to 1.81, opentelemetry-exporter-otlp to 1.51.0)
• RPM package: fixed classpath computation logic to include /etc/membrane

v6.2.3

Changes since 6.2.2:

Features:

• Support OpenAPI 3 discriminator with a mapping.

Improvements:

• Do not log Exceptions for unroutable HTTP requests avoiding log spam.
• Do not log empty Exceptions.
• Added a few missing JavaDoc comments.
• Improved JavaDoc syntax description (describing what the annot submodule does to auto generate the documentation).
• Upgraded dependencies (jackson-core to 2.19.1, opentelemetry-sdk to 1.51.0, log4j-core to 2.25.0)

Fixes:

• Fixed #1951: Load Balancer API now supports case insensitive cluster names.

v6.2.2

Changes since 6.2.1:

Fixes:

• Fixed membrane.sh to support RPM deployment (where file system layout is not the extracted ZIP file, but references /etc/membrane/proxies.xml).

Features:

• added command to extract a public JWK from a private JWK file: membrane.sh private-jwk-to-public -i private.jwk -o public.jwk

v6.2.1

Changes since 6.2.0:

Changes:

• <jsonProtection/> now blocks JSON objects with a key "__proto__" by default. (Set <jsonProtection blockProto="false"/> to get back the old behavior.)
• Set showSSLExceptions default to false to avoid log spam. (Documented the suggestion that users should set it to true when debugging SSL/TLS setup problems.)

Improvements:

• Added a few missing Javadoc comments.
• Upgraded dependencies (maven-plugin-api)

v6.2.0

Changes since 6.1.0:

Features:

• publish JSON Schema for YAML-based configuration (@christiangoerdes)
• added <setCookies ...> which can compute cookie expiration times (@christiangoerdes)

Improvements:

• made some OpenAPI validation corner cases spec-compliant
  • avoid NullPointerException during validation for certain schemas
  • support "type": "null"
  • support missing "type" while still enforcing constraints
  • do not allow "5.3" as a "type": "number" because it is only a "string"
  • patterns are not anchored (use ^...$ to anchor them)
  • support patternProperties
• improved lock contention in LimitedMemoryExchangeStore and HttpEndpointListener (thanks, @Lucamadio!)
• <databaseApiKeyStore>: avoid error when table already exists
• <oauth2Resource2>: issue new session id after login (preventing possible session fixation attacks) (@rrayst)
• <oauth2Resource2>: convert error reconstructing the exchange (e.g. when clicking Back after the login) to an OAuth2Exception, which can be handled by a custom afterErrorUrl. (@rrayst)
• upgrade dependencies (spring-web to 6.2.8, commons-fileupload to 1.6.0, bcpkix-jdk18on to 1.81 and others)
• improved examples

v6.1.0

Since 6.0.4:

Breaks:

• Default scripting language is now SpEL. You can still use language="GROOVY" to switch back.

Fixes:

• remove RFC7540-based protocol upgrade headers
• fixed <acme><fileStorage> locking
• use 302 for OAuth2 redirects
• fixed OAuth2 state encoding

Improvements:

• added membrane.sh generate-jwk to generate an RSA key (e.g. to encrypt session data)
• introduced <idempotency>
• introduced <chain>, <global>
• added <cors>
• added <mongoDBExchangeStore>
• support expressions in <target/> (see examples/routing-traffic/dynamic-routing)
• improved examples examples/orchestration/call-authentication and examples/orchestration/for-loop
• bumped libraries (e.g. json-smart to 2.5.2, soa-model to 2.2.0)
• improvements for <call/>
• improvements for <adminApi/>
• test: added tests for OAuth2 Client using form_post
• improved OAuth2 Client: added PKCE
• refactor: SSLContext
• refactor: OAuth2 B2C tests
• refactor: OAuth2 Client
• refactor: HTTP Header class
• improved examples
• introduced optional byte stream logging
• support loading configuration from proxies.yaml instead of proxies.xml
• reduced flakiness of Loadbalancing4XmlSessionExampleTest