
Releases: Coreoz/Plume-admin

4.3.0

10 Jul 13:48

Changes

  • New Log API features:
    • Hide a JSON field in the request body, the response body, or both, using LogEntryTransformer.hideJsonFields
    • Drop the request body, the response body, or both, using LogEntryTransformer.emptyBody
    • Filter request URLs with a regular expression using RequestPredicate.filterUrlRegex
  • Add SQL init file for Oracle
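As an added illustration of what these three transformers do (this is not Plume Admin's code, and the Java API's exact signatures are not reproduced here; the Python names hide_json_fields, empty_body, url_regex, when and record, the LogEntry record, and the sample request/response bodies are all constructed for the example), here is a small log-sanitising pipeline. The security point is the order of operations: credentials and tokens are redacted, or whole bodies dropped, before the entry reaches storage, and redaction walks nested objects and arrays so a password inside "credentials" is caught as well as one at the top level.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

REDACTED = "***"


@dataclass
class LogEntry:
    """Constructed stand-in for one request/response log entry."""
    method: str
    url: str
    request_body: Optional[str]
    response_body: Optional[str]


Transformer = Callable[[LogEntry], LogEntry]
Predicate = Callable[[LogEntry], bool]


def _hide_in(value, names):
    """Replace the value of every field named in `names`, at any nesting depth."""
    if isinstance(value, dict):
        return {k: REDACTED if k in names else _hide_in(v, names) for k, v in value.items()}
    if isinstance(value, list):
        return [_hide_in(v, names) for v in value]
    return value


def _hide_in_body(body: Optional[str], names) -> Optional[str]:
    if body is None:
        return None
    try:
        parsed = json.loads(body)
    except ValueError:
        return body  # not JSON: nothing to redact by field name; use empty_body() for such routes
    return json.dumps(_hide_in(parsed, names), separators=(",", ":"))


def hide_json_fields(names: Iterable[str], request: bool = True, response: bool = True) -> Transformer:
    """Hide the named JSON fields in the request body, the response body, or both."""
    hidden = set(names)

    def transform(e: LogEntry) -> LogEntry:
        return LogEntry(e.method, e.url,
                        _hide_in_body(e.request_body, hidden) if request else e.request_body,
                        _hide_in_body(e.response_body, hidden) if response else e.response_body)
    return transform


def empty_body(request: bool = True, response: bool = True) -> Transformer:
    """Drop the request body, the response body, or both (e.g. file uploads, token endpoints)."""
    def transform(e: LogEntry) -> LogEntry:
        return LogEntry(e.method, e.url,
                        None if request else e.request_body,
                        None if response else e.response_body)
    return transform


def url_regex(pattern: str) -> Predicate:
    """Predicate selecting entries whose URL contains a match for `pattern`."""
    compiled = re.compile(pattern)
    return lambda e: compiled.search(e.url) is not None


def when(predicate: Predicate, transformer: Transformer) -> Transformer:
    """Apply `transformer` only to entries selected by `predicate`."""
    return lambda e: transformer(e) if predicate(e) else e


def record(entry: LogEntry, transformers: List[Transformer],
           skip: Optional[Predicate] = None) -> Optional[LogEntry]:
    """Run the pipeline; return the entry to store, or None if it must not be logged at all."""
    if skip is not None and skip(entry):
        return None
    for t in transformers:
        entry = t(entry)
    return entry


if __name__ == "__main__":
    pipeline = [
        hide_json_fields(["password", "webSessionToken"]),   # never persist credentials or tokens
        when(url_regex(r"^/admin/files/"), empty_body()),     # uploads: keep only the metadata
    ]
    login = LogEntry("POST", "/admin/session",
                     '{"userName":"alice","password":"s3cret"}',
                     '{"webSessionToken":"eyJhbGciOi.payload.sig","expiration":1700000300}')
    print(record(login, pipeline))
    print(record(LogEntry("GET", "/health", None, "OK"), pipeline, skip=url_regex(r"^/health$")))
```

A non-JSON body is passed through untouched by hide_json_fields, which is why a route that carries opaque payloads (uploads, raw tokens) should be covered by an empty_body rule instead; the skip predicate is separate from the transformers so that noisy endpoints such as health checks never produce an entry at all.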

4.2.0

14 Apr 12:26

Changes

  • Enable fingerprint cookie name customization, fixes #12

4.1.0

16 Sep 11:26

Changes

4.0.0

28 Apr 12:08

Changes

3.0.0

23 Sep 08:57

Changes

  • Upgrade to Plume 3.0.0
  • Update code to be compatible with OpenAPI instead of Swagger

Upgrade instructions

  • ApiLogAdminPermissions has been deleted after its deprecation; see release 2.1.1
  • The configuration value admin.session.inative-duration is no longer read after its deprecation; see release 2.0.2 (use admin.session.inactive-duration)

2.1.2

02 Aug 16:59

Changes

  • Fix a NullPointerException in the log API limitBodySizeTransformer (#11)

2.1.1

24 Jun 12:12

Changes

Upgrade instructions

  • ApiLogAdminPermissions has been deprecated in favor of LogApiAdminPermissions; ApiLogAdminPermissions will be removed in Plume Admin 3.0.0.

2.0.2

09 Oct 18:23

Changes

  • For the logs API, cap the number of log entries fetched and enable filtering
  • Fix typo in the configuration key admin.session.inactive-duration

Upgrade instructions

  • Configuration: if used, rename admin.session.inative-duration to admin.session.inactive-duration. The old key remains valid until plume-admin 3.0.0.

2.0.1

09 Oct 18:13

Changes

  • For the session API, set the fingerprint cookie path to /

2.0.0

19 Apr 16:40

Changes

The API PUT /admin/session renews a JWT token. This lets the frontend work with a short-lived token that is renewed frequently: once the frontend stops renewing it, the token expires and the user is disconnected.

The guidelines from https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html have been implemented. Concretely, the session now has a companion fingerprint cookie, as the cheat sheet prescribes: the cookie is HttpOnly, so page scripts cannot read it, and the JWT carries only a hash of the cookie's random value, which is checked against the cookie on every request. A token exfiltrated through an XSS attack therefore cannot be replayed from another client to hijack the session. The limit of this mitigation is worth keeping in mind: script running in the victim's own page still issues requests to which the browser attaches the cookie, so the XSS itself still has to be fixed.
This can be configured with these parameters:

  • admin.session.use-fingerprint-cookie = true
  • admin.session.fingerprint-cookie-https-only = true # should be set to false on non-HTTPS environments
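As an added, self-contained illustration of the fingerprint-cookie pattern and of the renewal flow described above (this is not Plume Admin's code: the cookie name, the userFingerprint claim name, the 300-second lifetime, the hand-rolled HS256 compact JWT and the function names are all assumptions for the example), the block below issues a session, verifies requests with and without the cookie, and renews the token while keeping the same fingerprint hash so the cookie already in the browser keeps working.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed settings mirroring the two configuration keys above; cookie name,
# claim name and token lifetime are assumptions for this example.
USE_FINGERPRINT_COOKIE = True
FINGERPRINT_COOKIE_HTTPS_ONLY = True      # False only on non-HTTPS dev environments
FINGERPRINT_COOKIE_NAME = "fingerprint"
FINGERPRINT_CLAIM = "userFingerprint"
EXPIRE_SECONDS = 300                      # short lifetime; the frontend renews via PUT /admin/session
SIGNING_KEY = secrets.token_bytes(32)     # constructed; a real service loads a persistent key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT; the algorithm is pinned here and on verification, never read from the header."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_jwt(token: str, key: bytes, now: float) -> Optional[dict]:
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def create_session(user: str, now: float, key: bytes = SIGNING_KEY) -> Tuple[dict, Optional[str]]:
    """POST /admin/session: returns (JSON body, Set-Cookie header value or None)."""
    claims = {"sub": user, "exp": now + EXPIRE_SECONDS}
    set_cookie = None
    if USE_FINGERPRINT_COOKIE:
        fingerprint = secrets.token_hex(32)   # random; travels only in the HttpOnly cookie
        claims[FINGERPRINT_CLAIM] = hashlib.sha256(fingerprint.encode()).hexdigest()  # JWT gets the hash only
        flags = "; HttpOnly; SameSite=Strict" + ("; Secure" if FINGERPRINT_COOKIE_HTTPS_ONLY else "")
        set_cookie = f"{FINGERPRINT_COOKIE_NAME}={fingerprint}; Path=/{flags}"
    return {"webSessionToken": _sign_jwt(claims, key)}, set_cookie


def cookie_value(set_cookie: Optional[str]) -> Optional[str]:
    """What the browser sends back: the value part of the Set-Cookie header built above."""
    return None if set_cookie is None else set_cookie.split(";", 1)[0].split("=", 1)[1]


def verify_request(token: str, fingerprint_cookie: Optional[str], now: float,
                   key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Per-request check: valid signature and expiry, AND the HttpOnly cookie must hash
    to the claim carried by the token. A token exfiltrated by XSS is useless without it."""
    claims = _verify_jwt(token, key, now)
    if claims is None:
        return None
    if USE_FINGERPRINT_COOKIE:
        if fingerprint_cookie is None:
            return None
        actual = hashlib.sha256(fingerprint_cookie.encode()).hexdigest()
        if not hmac.compare_digest(str(claims.get(FINGERPRINT_CLAIM, "")), actual):
            return None
    return claims


def renew_session(token: str, fingerprint_cookie: Optional[str], now: float,
                  key: bytes = SIGNING_KEY) -> Optional[dict]:
    """PUT /admin/session: re-issue with a fresh expiry, keeping the same fingerprint hash
    so the cookie already in the browser keeps working."""
    claims = verify_request(token, fingerprint_cookie, now, key)
    if claims is None:
        return None
    return {"webSessionToken": _sign_jwt(dict(claims, exp=now + EXPIRE_SECONDS), key)}


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    body, set_cookie = create_session("alice", t0)
    token, fp = body["webSessionToken"], cookie_value(set_cookie)
    print("browser with cookie:", verify_request(token, fp, t0 + 10) is not None)
    print("stolen token, no cookie:", verify_request(token, None, t0 + 10) is not None)
    print("stolen token, attacker's cookie:", verify_request(token, "00" * 32, t0 + 10) is not None)
    renewed = renew_session(token, fp, t0 + 200)["webSessionToken"]
    print("renewed token after original expiry:", verify_request(renewed, fp, t0 + 400) is not None)
```

Two design choices matter here. The verifier never trusts the alg header, so an attacker cannot downgrade to "none" or switch algorithms; and renewal reuses the fingerprint hash from the old token rather than minting a new cookie, so a renewed token stolen from one client is still bound to the cookie of the browser that created the session. The Secure flag follows admin.session.fingerprint-cookie-https-only, which is why that key must be false on a plain-HTTP development setup: a Secure cookie is simply never sent over HTTP and every request would fail the check.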

The internals of how security is implemented have been simplified.

Upgrade instructions

  • Configuration: if you overrode the configuration value admin.session-duration, rename it to admin.session.expire-duration. Also note the new session-management configuration values admin.session.refresh-duration and admin.session.inative-duration (spelled this way in this release; the key is renamed to admin.session.inactive-duration in 2.0.2)
  • On local environments, the configuration value admin.session.fingerprint-cookie-https-only should be set to false
  • AdminConfigurationService.sessionDurationInMillis() has been renamed to AdminConfigurationService.sessionExpireDurationInMillis()
  • API: /admin/session now returns an object instead of the raw JWT token. The JWT token is in the webSessionToken field of the returned object
  • WebSessionProvider, WebSessionClassProvider and WebSessionAdminProvider have been removed
  • JerseyJwtSessionParser has been renamed to JerseySessionParser and is now accessed statically
  • WebSessionAdminFactory and WebSessionAdmin have been moved to the plume-admin-security module: imports in the Jersey configuration must be reorganized (e.g. with the IDE)
  • The API POST /admin/session now returns a JSON object instead of a string holding the JWT token. The object returned by the API is AdminSession.
  • If using GuiceAdminWsModule instead of GuiceAdminWsWithDefaultsModule, these bindings:
bind(WebSessionProvider.class).to(WebSessionAdminProvider.class);
bind(WebSessionClassProvider.class).to(WebSessionAdminProvider.class);

must be replaced by:

bind(WebSessionSigner.class).toProvider(JwtSessionSignerProvider.class);
bind(JwtSessionSigner.class).toProvider(JwtSessionSignerProvider.class);