What's New in the August 2021 Payara Platform Release?

By Debbie Hoffman

The August 2021 Payara Platform release is here!  Payara Platform Enterprise 5.30.0 includes 8 bug fixes, 2 component upgrades, 2 security fixes and 4 new features. The Payara Platform Community 5.2021.6 release offers 7 bug fixes, 1 component upgrade, 2 security fixes, and 3 new features. 

You can download Payara Platform Community 5.2021.6 here and request Payara Platform Enterprise 5.30.0 here.

And don't forget to join the 'August Release Overview + OAuth2 & OpenIdConnect Authentication & Authorization' webinar with Rudy De Busscher on Tuesday, the 24th of August at 3PM BST - find out more & register here.

Read more below to learn more about the highlights of this release.

Support for Multi-Tenant Control for OIDC Security in an Application

A Payara Enterprise Customer requested an update to the OIDC Security integration and the Payara development team decided to make the feature available to all Payara Platform users.

Until this release, there was no way to define multi-tenant control for the integration of OIDC security in your application. But when your application is used by different groups of people, belonging to different customers, a different OpenID Connect provider should be contacted depending on how a user accesses the application. With this feature, you can determine which OIDC configuration is used based on the URL called, for example.
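As an added illustration (plain Java written for this page, not Payara's API or code from the Payara team), the example below shows URL-based tenant selection: the request host picks the OIDC configuration, unknown hosts get none, and a token is accepted only when its issuer is the one bound to that tenant. All class names, hosts and issuers are hypothetical, constructed values.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

// Added illustration: plain Java, not Payara's API. All names are hypothetical.
public class TenantOidcResolver {

    /** Per-tenant OIDC settings (constructed sample values). */
    static final class OidcConfig {
        final String issuer;
        final String clientId;
        OidcConfig(String issuer, String clientId) {
            this.issuer = issuer;
            this.clientId = clientId;
        }
    }

    private final Map<String, OidcConfig> byHost = new HashMap<>();

    void register(String host, OidcConfig cfg) {
        byHost.put(host.toLowerCase(Locale.ROOT), cfg);
    }

    /** Exact host match only; unknown hosts get no configuration (fail closed). */
    Optional<OidcConfig> resolve(String requestUrl) {
        String host = URI.create(requestUrl).getHost();
        if (host == null) return Optional.empty();
        return Optional.ofNullable(byHost.get(host.toLowerCase(Locale.ROOT)));
    }

    /** A token is acceptable only if its issuer is the one bound to the URL's tenant. */
    boolean issuerAllowed(String requestUrl, String tokenIssuer) {
        return resolve(requestUrl).map(c -> c.issuer.equals(tokenIssuer)).orElse(false);
    }

    public static void main(String[] args) {
        TenantOidcResolver r = new TenantOidcResolver();
        r.register("acme.app.example", new OidcConfig("https://idp.acme.example", "acme-client"));
        r.register("globex.app.example", new OidcConfig("https://idp.globex.example", "globex-client"));

        // Tenant's own issuer, another tenant's issuer, and an unregistered host.
        System.out.println(r.issuerAllowed("https://acme.app.example/orders", "https://idp.acme.example"));
        System.out.println(r.issuerAllowed("https://acme.app.example/orders", "https://idp.globex.example"));
        System.out.println(r.issuerAllowed("https://unknown.app.example/", "https://idp.acme.example"));
    }
}
```

Binding the issuer to the tenant resolved from the URL keeps a token issued by one customer's provider from being accepted on another customer's entry point.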

Fixed a Security Vulnerability in Jackson-Databind Dependency 2.10.2

A flaw discovered in FasterXML Jackson Databind meant it did not have entity expansion secured properly. This flaw opened the door to potential XML external entity (XXE) attacks that could involve a loss of data integrity.

This security vulnerability is not a problem when you use Jackson-Databind with this month's release of the Payara Platform, as the team upgraded the version of the library within Payara to the fixed Jackson-Databind version to eliminate the security concern related to this vulnerability.

Ability to Use the OpenID Connect Protocol with Any Client and Browser

In the August 2021 release, we've updated the OpenID Connect 'bearer support' so the OpenID Connect protocol can not only be used with browsers, but can now also be used by any client. OpenID Connect allows clients of all types, such as mobile, JavaScript clients, and web-based clients, to request and receive information about authenticated sessions and end-users.

OpenID Connect adds an identity layer on top of the OAuth 2.0 protocol so clients can verify the identity of end users from authentication performed by the authorization server. The OpenID Connect client presents the signed JWT access token in the request for server validation. If the server validates and accepts the request, it can proceed with the authentication and authorization info present in the token.

Support for MicroProfile 4.1

While support for MicroProfile 4.0 has been available in Payara Community since 5.2021.1, we’ve waited to add it to Payara Enterprise because it creates breaking changes. MicroProfile 3.3 was based on Java EE 8.0 artifacts, while MicroProfile 4.1 is based on Jakarta 8.0 artifacts. Please note that if you use MicroProfile and upgrade to this Payara Enterprise release, you may have to change config values or make updates to your applications using MicroProfile.

In addition to upgrading from MicroProfile 3.3 to 4.1 support in Payara Enterprise, we also upgraded from MicroProfile 4.0 to 4.1 support in the Payara Community Edition by implementing MicroProfile Health 3.1 to introduce a @Startup annotation.

The most important breaking changes can be found on the following documentation pages:

Ecosystem Improvement: Hot Reload within Payara Micro Plugin for Maven and Gradle

Hot Reload has been implemented in Payara Micro since 5.201 and is also available within NetBeans and VSCode 1.1. As of the August 2021 Payara Platform release, the Hot Reload functionality is also available within the Maven and Gradle plugins for Payara Micro.

Instead of an entirely new deployment, the Payara Micro Plugin for Maven and Gradle uses Hot Reload to update the classloader and internal components relative to the modified source so that subsequent deployments are faster.

Release Notes

The August 2021 Payara Enterprise Release (request here) includes 8 bug fixes, 2 component upgrades, 2 security fixes and 4 new features, while the Community Release (direct download here) includes 7 bug fixes, 1 component upgrade, 2 security fixes, and 3 new features.

See a more detailed overview of the fixes and improvements in the Release Notes:

