One Identity Single Sign-on for Java 3.3.2
These release notes provide information about the One Identity Single Sign-on for Java 3.3.2 release.
Welcome to One Identity Single Sign-on for Java
One Identity Single Sign-on for Java is a suite of components providing Kerberos single sign-on for Java SE and for Java web applications, running on any operating system, in enterprise environments that use Microsoft Active Directory.
Single Sign-on for Java includes:
- A pure Java implementation of Kerberos, GSSAPI and SPNEGO with tight integration to Active Directory, including support for cross-domain and cross-forest authentication, and Active Directory Site auto-discovery for scalability.
- Active Directory group membership information that can be used as a basis for Java EE roles.
- Optional integration with One Identity Authentication Services for simplified configuration on Unix and Linux.
- Development libraries, examples and documentation for creating your own Java Kerberos / GSSAPI and single sign-on applications.
- The WinSSPIProvider class and its accompanying winSSPI.dll, for Java fat clients on Windows that expect to automatically use the Active Directory credentials of the logged-in user (without requiring any registry modifications).
- Java command line utilities for managing Kerberos credentials.
Single Sign-on for Java was previously named VSJ (Vintela Single Sign-on for Java) and this name is still reflected in Java class names and package names, in JAR files, and in other filenames.
One Identity Single Sign-on for Java supports Java Servlet Specification 2.4 or higher on any operating system.
New features in Single Sign-on for Java 3.3.2:
- Support for Windows Server 2012 resource-based constrained delegation. Previous releases supported the original "account-based" constrained delegation that was introduced in Windows Server 2003; this release automatically supports both. Whereas account-based constrained delegation is restricted to a single domain, resource-based constrained delegation supports cross-realm and cross-forest delegation. In order for Single Sign-on for Java to use resource-based constrained delegation, all domain controllers in the relevant domain(s) must run Windows Server 2012 or above.
- Support for Windows Server 2012 User Claims in the service ticket. This can be an alternative to LDAP lookups for User attributes. The domain(s) must have Claims enabled and configured. This is implemented by an optional plugin in the plugin/ad-claims directory.
- JASPIC (JSR 196) ServerAuthModule. This is an optional alternative to using the servlet filter. The Java application server must implement JASPIC and support the deployment / configuration of a ServerAuthModule. Please see the Javadoc (in doc/VSJ/apidocs) for the com.wedgetail.idm.sso.jaspic package.
- JGSS provider support for the JDK 1.7 com.sun.security.jgss.ExtendedGSSContext and JDK 1.8 com.sun.security.jgss.ExtendedGSSCredential API. For details please see the class Javadoc (in doc/VSJ-Kerberos/apidocs) for the com.dstc.security.kerberos.provider.WedgetailGSSProvider and the com.dstc.security.kerberos.winSSPI.WinSSPIProvider.
- vsj-kerberos.properties resource. Settings such as jcsi.kerberos.* that previously could only be specified as Java system properties may now also be specified in an optional /vsj-kerberos.properties resource on the classpath. A setting from vsj-kerberos.properties has lower precedence than a corresponding system-property setting.
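Because a leftover -D flag silently wins over the same key in /vsj-kerberos.properties, it helps to see which source supplies each effective value. The following diagnostic is an added example, not code from One Identity or the product; the class name is hypothetical, and it assumes the resource is a standard Java properties file and only inspects keys starting with jcsi.kerberos.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import java.util.TreeSet;

/** Added example: reports the effective value and source of each jcsi.kerberos.* setting. */
public class EffectiveKerberosSettings {
    static final String RESOURCE = "/vsj-kerberos.properties"; // resource name from the release notes
    static final String PREFIX = "jcsi.kerberos.";             // assumption: only this prefix is inspected

    /** Loads the optional classpath resource; an absent resource yields no settings. */
    static Properties loadResource() throws IOException {
        Properties fileProps = new Properties();
        try (InputStream in = EffectiveKerberosSettings.class.getResourceAsStream(RESOURCE)) {
            if (in != null) {
                fileProps.load(in);
            }
        }
        return fileProps;
    }

    /** A system property wins; the resource value applies only when no system property is set. */
    static String describe(String key, Properties fileProps, Properties sysProps) {
        String sys = sysProps.getProperty(key);
        String file = fileProps.getProperty(key);
        if (sys != null && file != null && !sys.equals(file)) {
            return key + " = " + sys + "  [system property; overrides resource value " + file + "]";
        }
        if (sys != null) {
            return key + " = " + sys + "  [system property]";
        }
        return key + " = " + file + "  [" + RESOURCE + "]";
    }

    public static void main(String[] args) throws IOException {
        Properties fileProps = loadResource();
        Properties sysProps = System.getProperties();
        // Union of keys from both sources, sorted for stable output.
        TreeSet<String> keys = new TreeSet<>();
        for (String k : fileProps.stringPropertyNames()) if (k.startsWith(PREFIX)) keys.add(k);
        for (String k : sysProps.stringPropertyNames()) if (k.startsWith(PREFIX)) keys.add(k);
        for (String key : keys) {
            System.out.println(describe(key, fileProps, sysProps));
        }
    }
}
```

Run it with the same classpath and -D flags as the application being checked; any line marked as an override is a setting whose file value is not in effect.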
The following is a list of enhancements implemented in Single Sign-on for Java 3.3.2.
Table 1: General enhancements
| Enhancement |
|---|
| Commons Logging is now optional. Previously the Apache Commons Logging library was required on the classpath; now, if it is not present, this release defaults to using java.util.logging directly. You can use -Djcsi.kerberos.skipCommonsLogging=true to explicitly ignore Commons Logging. |
| Active Directory Site auto-discovery for the VSJ Kerberos layer. Previously this was automatically enabled for VSJ (the servlet filter) but not for applications that used only VSJ Kerberos; it is now automatically enabled even for VSJ Kerberos. |
| JGSS provider: improved support in com.dstc.security.kerberos.provider.WedgetailGSSProvider for some non-fat-client use cases, including the Microsoft JDBC Driver for SQL Server. |