In Patch 3, Message Queue 4.3 has been upgraded to GlassFish Message Queue 4.4. This upgrade improves OpenSSO Enterprise performance and addresses several issues with session failover deployments.
For the Message Queue documentation, see http://docs.sun.com/coll/1307.7.
Patch 3 includes the new com.sun.identity.cookie.httponly property to allow OpenSSO Enterprise session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.
By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, use the OpenSSO Administration Console:
Log in to the OpenSSO Administration Console.
Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.
Add com.sun.identity.cookie.httponly with a value of true.
Click Save and log out of the Console.
Restart the OpenSSO Enterprise web container.
You also need to set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.
In Patch 3, the OpenSSO REST-based authentication web service now supports module-based, realm-based, or service-based authentication. You can pass module, realm, and service as query parameters. For example, here are some sample REST commands:
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit&uri=realm%3Dsun
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit&uri=module%3DDataStore
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit&uri=service%3DldapService
http://host.example.com/opensso/identity/authenticate?username=user1&password=changeit&uri=realm%3D/sun%26module%3DDataStore
http://host.example.com/opensso/identity/authenticate?username=user1&password=password&uri=realm%3D/iplanet%26module%3DdataStore
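The following added example (not part of the OpenSSO documentation) builds and parses these authenticate URLs, showing how the realm, module and service selectors are packed into the single uri parameter, whose value is itself a query string and therefore percent-encoded once as a whole. The endpoint path and parameter names come from the commands above; the host and credentials are constructed sample values.

```python
"""Build and parse OpenSSO Patch 3 REST authenticate URLs (added example)."""
from urllib.parse import parse_qs, quote, urlsplit

AUTH_PATH = "/opensso/identity/authenticate"  # path from the release notes
SELECTORS = ("realm", "module", "service")


def build_authenticate_url(base, username, password,
                           realm=None, module=None, service=None):
    """Return the REST authenticate URL for the given selectors.

    realm/module/service travel inside one 'uri' parameter whose value is a
    nested query string ("realm=/sun&module=DataStore"); the nested '=' and
    '&' become %3D and %26 so the outer parser does not split on them.
    """
    params = [("username", username), ("password", password)]
    chosen = dict(zip(SELECTORS, (realm, module, service)))
    nested = "&".join(f"{k}={v}" for k in SELECTORS if (v := chosen[k]))
    if nested:
        params.append(("uri", nested))
    # '/' is left unencoded, matching the realm%3D/sun form in the notes
    query = "&".join(f"{k}={quote(v, safe='/')}" for k, v in params)
    return f"{base.rstrip('/')}{AUTH_PATH}?{query}"


def parse_authenticate_url(url):
    """Inverse of build_authenticate_url: recover username and selectors.

    The password is deliberately not returned. Because it is carried in the
    query string, it will show up in web-container access logs and proxy
    logs, which is why such logs need the same protection as the credentials.
    """
    outer = parse_qs(urlsplit(url).query)   # decodes %3D/%26 in the uri value
    inner = parse_qs(outer.get("uri", [""])[0])
    result = {"username": outer.get("username", [None])[0]}
    for k in SELECTORS:
        result[k] = inner.get(k, [None])[0]
    return result


if __name__ == "__main__":
    u = build_authenticate_url("http://host.example.com", "user1", "changeit",
                               realm="/sun", module="DataStore")
    print(u)
    print(parse_authenticate_url(u))
```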
In Patch 3, the AMLoginModule class includes the new isSessionQuotaReached() method to determine a user's current session quota level:
public boolean isSessionQuotaReached(String userName)
This new method checks whether the sessionCount is greater than or equal to the sessionQuota and returns true or false, depending on the result.
Thus, a custom authentication module can check a user's current session quota level and, if the user is about to exceed the session quota, ask whether that user wants to continue the session. This feature is normally more useful when session constraints are enabled.
If a new administrator user logs into OpenSSO Enterprise server and tries to access the OpenSSO client website (for example, as deployed from the opensso-client-jdk15.war file), the new administrator user is asked to perform the client reconfiguration even though the configuration has already been done by the previous administrator.
Patch 3 provides the new openssoclient.config.folder property as a JVM argument in the container's configuration file (server.xml or domain.xml) to specify the configuration folder. For example:
If this argument is not specified, the configuration folder is user.home by default.
In Patch 3, the OpenSSO Console checks for a minimum password length of 8 characters for new users and for existing users who are changing a password.
Patch 3 includes the OpenSSO Diagnostic Tool, which allows you to run a number of diagnostic tests to verify configuration settings and to identify potential installation or deployment problems. For information, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.