New Features in OpenSSO Enterprise 8.0 Update 1 Patch 3

• Message Queue is upgraded from 4.3 to 4.4 (CR 6900482)

• OpenSSO Enterprise session cookies can be marked as HTTPOnly (CR 6843487)

• Support is added for module-based, realm-based, and service-based authentication (CR 6893507)

• AMLoginModule class includes new method to determine user?s current session quota level (CR 6667760)

• OpenSSO provides new property to specify client configuration folder (CR 6903279)

• OpenSSO Console checks for minimum password length of 8 characters (CR 6888785)

• OpenSSO Diagnostic Tool is available (CR 6900820)

Message Queue is upgraded from 4.3 to 4.4 (CR 6900482)

In Patch 3, Message Queue 4.3 has been upgraded to GlassFish Message Queue 4.4. This upgrade improves OpenSSO Enterprise performance and addresses several issues with session failover deployments.

For the Message Queue documentation, see http://docs.sun.com/coll/1307.7.

OpenSSO Enterprise session cookies can be marked as HTTPOnly (CR 6843487)

Patch 3 includes the new com.sun.identity.cookie.httponly property to allow OpenSSO Enterprise session cookies to be marked as HTTPOnly, in order to prevent scripts or third-party programs from accessing the cookies. Specifically, session cookies marked as HTTPOnly can help to prevent cross-site scripting (XSS) attacks.

By default, the value for com.sun.identity.cookie.httponly is false. To set this new property, use the OpenSSO Administration Console:

1. Log in to the OpenSSO Administration Console.

2. Click Configuration, Servers and Sites, opensso-instance-name, and then Advanced.

3. Add com.sun.identity.cookie.httponly with a value of true.

4. Click Save and log out of the Console.

5. Restart the OpenSSO Enterprise web container.

You also need to set this property on the client side. For example, for a Distributed Authentication UI server deployment, set it to true in the AMDistAuthConfig.properties file.

Support is added for module-based, realm-based, and service-based authentication (CR 6893507)

In Patch 3, the OpenSSO REST-based authentication web service now supports module-based, realm-based, or service-based authentication. You can pass module, realm, and service as query parameters. For example, here are some sample REST commands:

http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeit
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeitANDAMPuri=realm%3Dsun
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeitANDAMPuri=module%3DDataStore
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeitANDAMPuri=service%3DldapService
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=changeitANDAMPuri=realm%3D/sun%26module%3DDataStore
http://host.example.com/opensso/identity/authenticate?username=user1
ANDAMPpassword=passwordANDAMPuri=realm%3D/iplanet%26module%3DdataStore

AMLoginModule class includes new method to determine user?s current session quota level (CR 6667760)

In Patch 3, the AMLoginModule class includes the new isSessionQuotaReached() method to determine a user?s current session quota level:

public boolean isSessionQuotaReached(String userName)

This new method checks if the sessionCount is greater than or equal to the sessionQuota and returns true or false, depending the result.

Thus, a custom authentication module can check a user?s current session quota level and then if the user is about to exceed the session quota, ask whether that user wants to continue the session. This feature is normally be more useful when session constraints are enabled.

OpenSSO provides new property to specify client configuration folder (CR 6903279)

If a new administrator user logs into OpenSSO Enterprise server and tries to access the OpenSSO client website (for example, as deployed from the opensso-client-jdk15.war file), the new administrator user is asked to perform the client reconfiguration even though the configuration has already been done by the previous administrator.

Patch 3 provides the new openssoclient.config.folder property as a JVM argument in the container's configuration file (server.xml or domain.xml) to specify the configuration folder. For example:

<jvm-options>-Dopenssoclient.config.folder=C:/Sun/opensso-client-config</jvm-options>

If this argument is not specified, the configuration folder is user.home by default.

OpenSSO Console checks for minimum password length of 8 characters (CR 6888785)

In Patch 3, the OpenSSO Console checks for a minimum password length of 8 characters for new users and for existing users who are changing a password.

OpenSSO Diagnostic Tool is available (CR 6900820)

Patch 3 includes the OpenSSO Diagnostic Tool, which allows you to run a number of diagnostic tests to verify configuration settings and to identify potential installation or deployment problems. For information, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.