Anypoint Enterprise Security Release Notes - Mule 3

Security fixes

Security fixes

ClientCredential grant provided inconsistent error codes. (SEC-333)

OAuth2Provider failed to create an HTTP endpoint when the Listener was in a domain. (SEC-335)

OAuth Provider: The token request for clientCredentials with encoded credentials fails. (EE-6223)

OAuth Provider: The token response body is JSON, but the content-type header is application/x-www-form-urlencoded. (EE-6224)

Fixed OAuth2ProviderModuleCoreTestCase tests after a Jetty upgrade. (SEC-332)

PGPEncrypter not adding Armor-ASCII output for string payloads. (EE-6206)

TokenStore should remove expired tokens. (SEC-330)

Security fixes

ClientCredential grant inconsistent error codes. (SEC-333)

Fix OAuth2ProviderModuleCoreTestCase tests after a Jetty upgrade. (SEC-332)

TokenStore should remove expired tokens. (SEC-330)

Upgraded BouncyCastle to 1.60. (MULE-15332)

OAuth Provider: The token request for clientCredentials with encoded credentials fails. (EE-6223)

OAuth Provider: The token response body is JSON, but content-type header is application/x-www-form-urlencoded. (EE-6224)

Upgraded BouncyCastle to 1.59. (MULE-14382)

Race condition when concurrent requests use the same refresh. (SEC-319)

It is not possible to encrypt using a public key from a certificate in a keystore. (SEC-322)

In JCE signature verification, key password is mandatory. Add extra validation for avoiding NPE. (SEC-317)

Bug when sending String type payload to encrypt with PGP. (SEC-318)

Unsigned content warning when installing Anypoint Studio Properties File Editor. (SEC-313)

Users must be able to set the name of a stream inside encrypted file of PGP. (MULE-13825)

Make PGP encryption cipher configurable. Set AES-256 as default algorithm in PGP Encryption. (MULE-11161)

Add support for PGP Binary Encryption. (MULE-13305)

Improve PGP Encrypter. (MULE-11246)

Add support for PGP in the signature module. (SEC-236)

Improvements in XML Signature. (SEC-309)

Security fixes

It is not possible to encrypt using a public key from a certificate in a keystore. (SEC-322)

Race condition when concurrent request use the same refresh token for requesting a new access token. (SEC-319)

In JCE signature verification, key password is mandatory. Add extra validation for avoiding NPE. (SEC-317)

Bug when sending String type payload to encrypt with PGP. (SEC-318)

Unsigned content warning when installing Mule Studio Properties File Editor. (SEC-313)

Users must be able to set the name of a stream inside encrypted file of PGP. (MULE-13825)

SEC-309: Improvements in XML Signature

SEC-298: Incorrect logs when deploying the Mule OAuth provider.

SEC-304: LazyTransformedInputStream is not being closed, which causes a memory leak.

SEC-305: Wrong grant type with special characters that should be escaped.

MULE-12273: Add validations in PGP Module to avoid NPE.

MULE-12068: add TransformerFactory to XMLSecureFactories, and update existing providers.

SEC-301: Xml decrypter only decrypts the first node when XPath is used.

SEC-294: Inconsistent behavior of FilterModule, when the IP/expiration is filtered.

MULE-11075: Upgrade BouncyCastle to 1.56

SEC-297: Avoid including mule dependencies inside the app when using a Maven project app.

SEC-293: Location in secure-property-placeholder does not escape environment on Windows

SEC-294: Inconsistent behavior of FilterModule, when the IP/expiration is filtered

SEC-288: Refresh tokens expiration new features: Support expiration of refresh tokens and when refreshing an access token whether to provide a new refresh token or not should be configurable.

SEC-277: Allow URL encoded passwords in OAuth (characters like '+' and '%')

SEC-290: Exception handling not reporting correct exception.

SEC-289: Fix OAuth2 test assertions to compare JSON Objects instead o

SEC-286: Encrypt/decrypt operations should support OutputHandler

SEC-223: Update commons-net to 3.5

SEC-285: Add SHA512withRSA algorithm to Signature module

SEC-283: Adding a Token Generator Strategy pattern

SEC-282: Custom flow in auto-generated endpoints is not stopping further processing.

SEC-279: Change scope of security-api dependency

SEC-271: Configure secure XML parsers

SEC-223: Update Bouncy-Castle to bcpg-jdk15on version 1.54.

SEC-257: OAuth2 provider: Invalid request/token return wrong status codes

SEC-262: Mule Properties Editor is not preserving the order of key/value pairs from file to editor and back to file

SEC-261 PGPEncrypterModule should validate if publicKey/privateKeyFile and all the attributes needed by PGPKeyRingImpl

SEC-256 IP Filter should use x-forwarded-for if present instead of http.remote.address or MULE_REMOTE_CLIENT_ADDRESS

SEC-223: Update Bouncy-Castle to bcpg-jdk15on version 1.50.

Security fixes

SEC-292: Update JUnit to 4.12 (#104)

SEC-293: Location in secure-property-placeholder does not escape environment on Windows

SEC-294: Inconsistent behavior of FilterModule, when the IP/expiration is filtered

MULE-12068: add TransformerFactory to XMLSecureFactories, and update existing providers

SEC-301: Xml decrypter only decrypts the first node when XPath is used

MULE-11075: Upgrade BouncyCastle to 1.56

SEC-297: Avoid including mule dependencies inside the app when using a Maven project app.

SEC-277: allow url encoded passwords in oauth (characters like '+' and '%')

SEC-289: Fix OAuth2 test assertions to compare JSON Objects instead o

SEC-290: Exception handling not reporting correct exception.

SEC-286: Encrypt/decrypt operations should support OutputHandler

SEC-223: Update commons-net to 3.5

SEC-285: Add SHA512withRSA algorithm to Signature module

SEC-282: Custom flow in auto-generated endpoints is not stopping further processing.

SEC-279: Change scope of security-api dependency

SEC-271: Configure secure XML parsers

SEC-256 IP Filter should use x-forwarded-for if present instead of http.remote.address or MULE_REMOTE_CLIENT_ADDRESS

Security fixes

SEC-277: allow url encoded passwords in oauth (characters like '+' and '%')

SEC-289: Fix OAuth2 test assertions to compare JSON Objects instead o

SEC-290: Exception handling not reporting correct exception.

SEC-286: Encrypt/decrypt operations should support OutputHandler

SEC-223: Update commons-net to 3.5

SEC-279: Change scope of security-api dependency

SEC-271: Configure secure XML parsers

SEC-256 IP Filter should use x-forwarded-for if present instead of http.remote.address or MULE_REMOTE_CLIENT_ADDRESS

SEC-241: Fixing Access Token flow when HTTP method is GET

SEC-239: Decrypting from file InputStream leaks thread

Security fixes

Security fixes

Support multiple files in "location" of secure-property-placeholder:config

Delete Client – A message processor which removes clientIDs from the clientStore.

Revoke Token – A message processor which revokes access or refresh tokens, invalidating the corresponding pair as well (that is, if the message processor revokes the access token, it automatically revokes any refresh token associated with it, and vice versa).

Use with Mule ESB Standalone and Maven – beyond Mule Studio, Anypoint Enterprise Security is now available for use with Mule Standalone and Maven.