Connect2id server 15.3

This Connect2id server release ships an update to the user sessions web API that lets an individual session be checked or retrieved without disturbing the session's max idle time expiration. To do this, use the skip_last_used_update query parameter as shown in the example below:

GET /session-store/rest/v2/sessions?skip_last_used_update=true HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: WYqFXK7Q4HFnJv0hiT3Fgw.-oVkvSXgalUuMQDfEsh1lw

This feature comes with a caveat. It is supported only in Connect2id server deployments that persist the sessions to a database or Redis. The query parameter will be ignored and have no effect in deployments configured for in-memory session storage and replication clustering.
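The following is an added example, not Connect2id code: a simplified Python model of the behaviour described above, showing why a periodic session check matters for idle timeout and how the storage caveat changes the outcome. The class and function names, the `persisted` flag, the strict "greater than max_idle" expiry test and the sample timings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    max_idle: int   # idle timeout in seconds; positive means enabled
    last_used: int  # time (seconds) the session was last recorded as used

class SessionStoreModel:
    """Simplified model of the documented behaviour, not Connect2id code."""

    def __init__(self, persisted):
        # True models database / Redis persistence; False models in-memory
        # storage with replication clustering (assumed flag name).
        self.persisted = persisted
        self.sessions = {}

    def create(self, sid, max_idle, now):
        self.sessions[sid] = Session(max_idle, now)

    def get(self, sid, now, skip_last_used_update=False):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if s.max_idle > 0 and now - s.last_used > s.max_idle:
            del self.sessions[sid]  # max idle time exceeded
            return None
        # The parameter takes effect only when sessions are persisted;
        # otherwise it is ignored and the timestamp is refreshed.
        if not (skip_last_used_update and self.persisted):
            s.last_used = now
        return s

def expired_at(persisted, skip, max_idle=900, poll_every=600, polls=4):
    """Poll a session the user abandoned at t=0. Return the time of the
    first poll that finds it expired, or None if polling kept it alive."""
    store = SessionStoreModel(persisted)
    store.create("sid-1", max_idle, now=0)  # constructed sample session
    for i in range(1, polls + 1):
        t = i * poll_every
        if store.get("sid-1", t, skip) is None:
            return t
    return None

if __name__ == "__main__":
    for persisted, skip in [(True, True), (True, False), (False, True)]:
        print(persisted, skip, expired_at(persisted, skip))
```

In this model a poller that checks every 10 minutes keeps a 15-minute idle session alive indefinitely unless the update is skipped, and in the in-memory case the session stays alive even when the parameter is sent.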

A session-related fix and several under-the-hood improvements were also made.

About 20 dependencies across the board were bumped. The PostgreSQL JDBC driver was bumped to clear the critical CVE-2024-1597 reported for the driver. The Connect2id server does not use the vulnerable JDBC configuration parameter, so deployments have not been affected.

Detailed information about the new release can be found in the notes below.

Download 15.3

For the signature validation: Public GPG key

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 15.3: Connect2id-server.zip

GPG signature: Connect2id-server.zip.asc

SHA-256: 8b88a8ece68a9974c52d01fbbfb279c1ac4b01e9f7fc2eb3e4ce2c3c630f2801

Connect2id server 15.3 WAR package: c2id.war

GPG signature: c2id.war.asc

SHA-256: f7df8e8523d489e0d321e7c8510b5daf370b86c5779ac26e8864223cf8241ce1

Multi-tenant edition

Apache Tomcat package with Connect2id server 15.3: Connect2id-server-mt.zip

GPG signature: Connect2id-server-mt.zip.asc

SHA-256: 247207bef28058874ab8cf705fad3b668953d4848416e74f0082d897dc3b0f74

Connect2id server 15.3 WAR package: c2id-mt.war

GPG signature: c2id-mt.war.asc

SHA-256: dd81b293433e65df9f9db83bcafdbbeb6964187025ee454915be2938493885f3

Questions?

For technical questions about this new release contact Connect2id support. To purchase a production license for the Connect2id server, renew or upgrade your support and updates subscription, email our sales.


Release notes

15.3 (2024-03-05)

Web API

  • /session-store/rest/v2/

    • The sessions resource receives a new optional skip_last_used_update query parameter for GET requests for individual subject sessions. When true the internal timestamp that records the last session use will not be updated, leaving the session maximum idle time expiration unaffected. When false the last used timestamp of the session will be updated. The default value is false. Only Connect2id server deployments that persist the subject sessions to a database or Redis can skip the update of the session last used timestamp. In deployments using Infinispan in-memory replication clustering the query parameter will be disregarded and have no effect.

Resolved issues

  • Updates the SQL store connector to log the SQL transaction isolation level at INFO level at Connect2id server startup. The log message receives the IS0143 identifier (issue sql-store/38).

  • Removes a redundant ConcurrentMap.remove call in the subject session store when updating the last used timestamp of a retrieved persisted subject session with a positive max_idle value (issue session-store/97).

  • Improves the performance of the authorisation session web API, the authorisation code grant processing, the refresh token grant processing and the token introspection processing by skipping the last used timestamp update of retrieved subject sessions where appropriate (issue server/975).

  • Adds an org.apache.logging.log4j:log4j-slf4j-impl dependency to enable jOOQ query logging at DEBUG level (issue server/976).

Dependency changes

  • Updates to com.nimbusds:oauth2-oidc-sdk:11.10.1

  • Updates to com.nimbusds:oauth2-authz-store:26.2.2

  • Updates to com.nimbusds:oidc-session-store:17.3

  • Updates to Infinispan 14.0.24.Final

  • Updates to Jersey JAX-RS 3.1.5

  • Updates to com.google.guava:guava:32.1.3-jre

  • Updates to commons-io:commons-io:2.15.1

  • Updates to commons-codec:commons-codec:1.16.0

  • Updates to Dropwizard Metrics 4.2.25

  • Updates to Log4j 2.23.0

  • Updates to org.kohsuke.metainf-services:metainf-services:1.11

  • Updates to com.nimbusds:infinispan-cachestore-sql:8.2

  • Updates to com.h2database:h2:2.2.224

  • Updates to org.postgresql:postgresql:42.7.2

  • Updates to org.mariadb.jdbc:mariadb-java-client:2.7.12

  • Updates to com.microsoft.sqlserver:mssql-jdbc:12.6.1.jre11

  • Updates to com.oracle.database.jdbc:ojdbc11:21.13.0.0

  • Adds org.apache.logging.log4j:log4j-slf4j-impl:2.23.0

  • Removes org.apache.commons:commons-compress:1.24.0