74.0.0
Stories included in this release are prepared by @dbeneke.
Breaking Changes
Removed the uaa_postgres job from uaa-release; migration to postgres-release is recommended.
- If you relied on uaa_postgres, you will need to follow these steps to migrate your data when you upgrade to UAA version 74.0.0. Note that you will incur downtime during this migration:
  $ mkdir -p /var/vcap/store/postgres/postgres-11.1
  $ chmod 0700 /var/vcap/store/postgres/postgres-11.1
  $ cp -r /var/vcap/store/uaa_postgres-11.1/* /var/vcap/store/postgres/postgres-11.1
- Migrating from uaa_postgres to postgres-release can be done without incurring a postgres upgrade by pinning the postgres-release version to v35.
Updated the bbr-uaadb job to use BOSH properties first, then BOSH links, for a more consistent backup/restore experience and to expand backup coverage to the BOSH director.
- Consumers are expected to remove the release_level_backup property from the uaa job and add it to the bbr-uaadb job.
- If these steps are not followed, bosh create-release will fail.
- In the uaa job: the release_level_backup BOSH property in the uaa job's spec file has been marked as deprecated.
- In the bbr-uaadb job: a new property called release_level_backup has been added to the bbr-uaadb job, defaulting to false.
Correct handling of special characters within the client secret - UAA can now understand client credentials that contain special characters within the secret when provided via basic authentication. However, this change means that any consumers of the UAA's APIs who provide client credentials via basic authorization will need to change their implementation so that both the client id and the client secret are URL-encoded.
UAAC version 4.2.0 has been updated accordingly and is required to remain compatible with this fix.
The full header would be constructed like this:
- "Authorization: Basic " + base64encode(urlEncode(clientId) + ":" + urlEncode(clientSecret))
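As an added example (not part of these release notes, and not code from UAA or UAAC), the following Ruby builds the header exactly as the rule above describes and pairs it with an illustrative receiving-side parse that recovers the original secret. The client id and secret are constructed sample values, and the decoder used on the receiving side (URI.decode_www_form_component, splitting on the first ':') is an assumption made here for the round-trip demonstration, not a description of UAA's implementation.

```ruby
require 'base64'
require 'erb'
require 'uri'

# Client side: build the Basic authorization header the way UAA 74.0.0 expects.
# Both the client id and the client secret are percent-encoded before the
# "id:secret" string is base64-encoded, so a ':' (or any other special
# character) inside the secret can no longer be confused with the separator.
def uaa_basic_auth_header(client_id, client_secret)
  encoded_id = ERB::Util.url_encode(client_id)         # keeps only A-Z a-z 0-9 _ - . ~ unescaped
  encoded_secret = ERB::Util.url_encode(client_secret)
  'Basic ' + Base64.strict_encode64("#{encoded_id}:#{encoded_secret}")
end

# Receiving side (assumed behaviour, written here for illustration only):
# base64-decode the payload, split on the first ':' and percent-decode each
# half. Returns [client_id, client_secret], or nil when the header is not a
# well-formed Basic credential.
def parse_uaa_basic_auth_header(header)
  return nil unless header.is_a?(String) && header.start_with?('Basic ')
  payload = Base64.strict_decode64(header.delete_prefix('Basic '))  # ArgumentError on bad base64
  encoded_id, encoded_secret = payload.split(':', 2)
  return nil if encoded_id.nil? || encoded_secret.nil?
  [URI.decode_www_form_component(encoded_id), URI.decode_www_form_component(encoded_secret)]
rescue ArgumentError
  nil # invalid base64 or an invalid %-escape sequence
end

# Constructed sample credentials: the secret deliberately contains '@', ':', '/', ' ' and '&'.
SAMPLE_CLIENT_ID = 'my-client'
SAMPLE_CLIENT_SECRET = 'p@ss:word/with space&more'

if __FILE__ == $PROGRAM_NAME
  header = uaa_basic_auth_header(SAMPLE_CLIENT_ID, SAMPLE_CLIENT_SECRET)
  puts "Authorization: #{header}"
  puts "decoded payload: #{Base64.strict_decode64(header.delete_prefix('Basic '))}"
  id, secret = parse_uaa_basic_auth_header(header)
  puts "round-trip ok: #{id == SAMPLE_CLIENT_ID && secret == SAMPLE_CLIENT_SECRET}"
end
```

ERB::Util.url_encode is used rather than CGI.escape because it encodes a space as %20 and never emits a bare '+', so the encoded form is unambiguous whichever URL decoder the receiving side applies; the decoded payload for the sample values is my-client:p%40ss%3Aword%2Fwith%20space%26more.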
Features
Users can now regenerate client secrets.
Updates
Deprecated the uaa-utils package in uaa-release.
Bump Tomcat to version 9.0.22.
Bump Spring Security to version 5.1.6.
Bump Spring to version 5.1.9.
Bug Fixes
Fixed a bug that caused the /info endpoint to communicate the incorrect UAA version.
Login success and error messaging on the UAA login page can no longer be manipulated via the query string.
Sanitized SCIM filters to prevent XSS attacks in older web browsers, which could otherwise potentially execute JavaScript.