Version: 1.13

Release notes

Access Decision Service (ADS) features, bug fixes, and known issues by release.

Version 1.13.0

What's new

  • ADS supports distributed caching

    ADS now supports a distributed cache library that provides in-process cache replication. This feature allows ADS to replicate cached data across all instances of the service. In-process cache replication is only supported in environments using Java 11 or later.

  • Enhanced JWT token verification

    JWT authentication now supports an optional clockSkew property that adjusts the validation time window for the token's time-based claims.

  • Updated Helm charts configuration

    ADS Kubernetes deployment now takes a more dynamic approach. You can further customize the ADS installation at runtime using the configuration files located under the adscharts/configuration and adscharts folders, and apply your changes by running a Helm upgrade command.

Fixed issues

  • Readiness probe issue has been fixed

    A readiness probe that entered the failed state did not recover after a successful domain update if the domain content was unchanged. This has been fixed.

  • XXE vulnerability to perform an SSRF attack

    XXE injection is blocked by ADS in general. Nevertheless, a fix is delivered to further fortify ADS against SSRF (Server-Side Request Forgery) attacks.

  • Domain polling logging improvements

    Updates regarding the domain logging information:

    • Fixed message when domain is not retrievable

      Updated the notification message displayed when a domain refresh is not possible because the domain is unavailable.

    • Display message when ADS successfully fetches a domain

      ADS now generates log information when the service successfully retrieves a domain from a local file, regardless of whether a valid or invalid change occurs to the domain.

  • Tokens with multiple audiences now work as expected

    In token authentication (JWT), ADS incorrectly rejected tokens with more than one audience. This has been fixed.
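The two JWT items above (the clockSkew property and the multiple-audience fix) come down to how the time-based claims and the "aud" claim are checked. The following is an added illustration, not ADS code: it assumes the token's signature has already been verified and shows a claim check that tolerates a configurable clock skew and accepts "aud" both as a single string and as an array, as RFC 7519 allows. Function and parameter names are the example's own.

```python
from typing import Any, Mapping, Optional, Sequence, Union

AudClaim = Union[str, Sequence[str], None]


def audience_accepted(aud_claim: AudClaim, expected: str) -> bool:
    """Return True if `expected` is among the token's audiences.

    RFC 7519 section 4.1.3 lets "aud" be either one string or an array of
    strings.  A verifier that only compares against a string rejects every
    token issued for more than one audience, which is the behaviour the
    1.13.0 fix above corrects.
    """
    if aud_claim is None:
        return False                      # no audience: never accept by default
    if isinstance(aud_claim, str):
        return aud_claim == expected
    # Array form: accept when any listed audience is the one we serve.
    return any(isinstance(a, str) and a == expected for a in aud_claim)


def time_claims_valid(claims: Mapping[str, Any], now: int, clock_skew: int = 0) -> bool:
    """Check "exp", "nbf" and "iat" against `now`, widened by `clock_skew` seconds.

    clock_skew models the optional property of the same name: it tolerates
    clock drift between the token issuer and the verifier by accepting tokens
    that expired up to clock_skew seconds ago, or that become valid up to
    clock_skew seconds from now.  The window is never widened by more than
    clock_skew, so a large value directly extends how long a stolen token
    stays usable; keep it small (tens of seconds).
    """
    if clock_skew < 0:
        raise ValueError("clock_skew must be non-negative")
    exp: Optional[int] = claims.get("exp")
    nbf: Optional[int] = claims.get("nbf")
    iat: Optional[int] = claims.get("iat")
    if exp is not None and now >= exp + clock_skew:
        return False                      # expired even after allowing for drift
    if nbf is not None and now + clock_skew < nbf:
        return False                      # not yet valid
    if iat is not None and now + clock_skew < iat:
        return False                      # issued in the future: clock problem or forgery
    return True


def verify_claims(claims: Mapping[str, Any], expected_audience: str,
                  now: int, clock_skew: int = 0) -> bool:
    """Combined check for an already signature-verified claim set."""
    return (audience_accepted(claims.get("aud"), expected_audience)
            and time_claims_valid(claims, now, clock_skew))
```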

Version 1.12.0

What's new

  • ADS retries fetching its authorization domain at startup

    ADS now supports changing the default behavior of attempting to retrieve a valid authorization domain only once. This is configured using the domainStartup property, which sets the maximum number of retries and the polling duration for retrieving a valid domain.

  • Kubernetes deployment improvements

    Updates regarding the Kubernetes deployment:

    • Domain retrieval retry mechanism during startup

      ADS Kubernetes deployment now supports retrying domain retrieval during startup.

    • Log level configuration is supported in Kubernetes deployment

      ADS Kubernetes deployment now supports ADS logging level configuration.

    • Domain polling is supported in Kubernetes deployment

      ADS Kubernetes deployment now supports domain polling configuration.

    • Probes added to the Kubernetes deployment

      ADS Kubernetes deployment supports health endpoints for Liveness, Readiness and Startup Probes.

  • Online documentation updates

    Documentation updates regarding the following:

    • Vulnerabilities report instructions

      ADS documentation is now updated with instructions on how to download the vulnerabilities report from S3.

    • ASM-ADS reference section

      ADS documentation is now updated with a new section about ASM-ADS integration under Additional Resources.

  • Snyk for vulnerabilities check

    ADS 1.12.0 supports vulnerability scanning based on Snyk, an industry-leading security intelligence management solution that helps protect code from open source risks.

  • ADS authorization domain retrieval and validation is separated from service initialization

    The startup and readiness health endpoints have updated functionality. Authorization domain retrieval is separated from service initialization.

Fixed issues

  • Ports are configurable on ADS Kubernetes deployment

    ADS Kubernetes deployment now supports configuring the default ports.

Version 1.11.0

What's new

  • Attribute Connectors in Kubernetes deployment

    ADS now supports using Attribute Connectors for deployments with Kubernetes (K8s).

  • Support for JSON Web Token (JWT) authentication

    ADS now offers enhanced authentication using JWT-based tokens. This can be configured under the authentication section of the sample deployment configuration file.

  • Support for startup probe

    ADS now supports a startup endpoint to report service health during ADS startup, to ensure robustness in an orchestrated deployment.

  • Support for liveness probe

    ADS now supports a liveness endpoint that reports whether the ADS service is in a healthy state while running.

  • Support for readiness probe

    ADS now supports a readiness endpoint that reports whether the ADS service can serve traffic while running.

    • A new reportNotReadyOnDomainRefreshError property controls whether an unsuccessful domain refresh should fail the readiness probe.
    • The reportNotReadyOnDomainRefreshError property replaces the deprecated reportUnhealthyOnDomainRefreshError property.

Fixed issues

  • One-way TLS works as expected

    One-way TLS now works as expected without requiring a truststore.

  • Attribute cache can work with multiple attribute connector mappings

    A bug that prevented the attribute cache from working properly when two or more mappings were provided in the same attribute connector configuration has been fixed.

Version 1.10.2

What's new

  • Kubernetes deployment

    ADS offers enhanced support for deployments with Kubernetes (K8s) that achieve improved stability, availability, and efficiency. K8s allows you to easily scale your application and provides self-healing capabilities to restart or replace a container when it fails or crashes. This results in high uptime and performance while reducing costs and administration requirements.

    Kubernetes deployment does not support Attribute Connectors for now.

Fixed issues

  • Domain yaml capacity

    ADS 1.10.2 now accepts domain.yaml files larger than 3 megabytes.

Version 1.10.1

Fixed issues

  • Soap legacy endpoint can provide logs when error occurs

    The ADS legacy SOAP endpoint /asm-pdp/pdp did not handle error messages properly. This has been fixed.

  • ADS metrics are now supported when a domain is rolled-back to a previous version

    A domain roll-back to a previous version caused metrics to stop working. This has been fixed.

    The fix includes a new tag, domain_sequence, a counter that represents how many domain changes the current ADS instance has gone through since its startup.

Known issues

  • Domain yaml capacity

    ADS 1.10.1 does not accept domain.yaml files larger than 3 megabytes.

Version 1.10.0

What's new

  • Changes in Java support

    ADS now supports 64-bit Java SE 8, Java SE 11 or Java SE 17.

  • Support for ADS publishing metrics data to ASM

    ADS now supports using ASM as a metrics backend. This configuration is used to publish key metrics for the authorization performance of ADS as data for the graph displays of the Dashboard feature of ASM.

  • Support for ADS instance identity

    ADS now generates an instance identity that uniquely identifies an ADS instance. By default, ADS automatically generates a random identity with the constant prefix 'default'.

    However, users can define these instance identities by configuring a constant identity or a randomly generated identity with a constant prefix.

  • ADS tags metrics with authorization domain data

    ADS tags metrics with authorization domain identification data. By default, metrics are only tagged with the authorization domain id.

    However, when the RetrieveByName endpoint is used to retrieve domain data in connectivity with ASM/ADM, users can also add domain tag data (namespace and domain name).

Known issues

  • ADS metrics are not supported when a domain is rolled-back to a previous version

    When ADS is configured to collect metrics (metrics backends are enabled) and the authorization domain is rolled back to a previous domain, the ADS metrics are zero.

  • Disabled attribute cache causes ADS initialization failure

    Attribute caching configuration is optional for ADS. If attribute caching configuration is enabled, then the minimum accepted attribute cache parameter value is 1. In the ASM Attribute Connector Management UI, the attributes cache is disabled by default ("Default" = Time to live (seconds)=0, Max cache size=0). The same values apply for the "NoCache" attribute cache configuration ("NoCache" = Time to live (seconds)=0, Max cache size=0).

    ADS cannot be initialized when it tries to retrieve a domain with zero attribute cache configuration settings. The issue exists only when ADS is configured to retrieve its authorization domain from ASM. As a workaround, ASM users must navigate to the Cache Configuration tab in the Attribute Connector Management UI and update the "Default" cache settings (Time to live (seconds), Max cache size) from (0,0) to (1,1). In addition, the "NoCache" attribute cache configuration should not be used.

Version 1.9.0

What's new

  • Simplified installation of ADS

    This release introduces a simplified way to install and run ADS based on Docker. The new installation process makes it even quicker and easier to get ADS up and running.

  • Online documentation

    The documentation for ADS has been converted to an online format, and is now available at https://docs.axiomatics.com. PDFs are no longer included in the distribution. The online distribution model will improve availability and ensure that users always have easy access to the latest version of the documentation.

  • Support for InfluxDB for metrics data processing

    ADS now supports the time series database Influxdata InfluxDB OSS 2.x as a metrics backend.

  • Support for authentication using client credentials

    ADS can now be configured to authenticate itself against Axiomatics Services Manager (ASM), and send client credentials when requesting a domain configuration file from ASM.

  • Using Azure Monitor Application Insights for tracing and metrics

    When Azure Monitor Application Insights is used for monitoring and analytics, the Application Insights Java agent should be used for both tracing and metrics.

    Note: The option of configuring Azure Monitor as a metrics backend in ADS is no longer recommended, and its use is deprecated. This configuration option will be removed in a future release.

Version 1.8.0

What's new

  • Metrics data collection and processing

    ADS now collects the following metrics for requests, to provide performance data that can be useful to identify patterns and understand trends:

    • Rate - the number of access requests ADS has served

    • Errors - the number of failed access requests

    • Duration - distribution of the amount of time each access request takes

    • Rate of successful evaluations - the rate of successful access requests that evaluated to Permit, Deny, Indeterminate, or Not Applicable, respectively

    The sampling rate for these metrics is configurable.

    This data can be accessed by metrics backends using either a (client) pull or a (server) push model. The currently supported metrics backends are Prometheus and Azure Monitor.

  • Separation of event types in the audit log stream

    The audit logs produced by ADS contain two types of events, evaluation events and administrative events. To simplify analysis of the log data, the log stream can now be configured to separate the two types of events, for output to console and/or file. Which type of event to include in the log output is controlled by the use of different loggers, so that the output contains either evaluation events only, administrative events only, both types together, or one output item for each type.

  • Domain format conversion removed

    The domain format conversion feature introduced in version 1.6.4 has been removed.

    Customers wanting to convert legacy XML-format (or version 1) authorization domain configuration files to YAML-format (or version 2) authorization domain configuration files are instead requested to contact Customer Support, who will assist with conversion services.

Fixed issues

  • Environment variable substitution not working

    A change to the domain validation operation caused environment variable substitution to stop working. This has been fixed.

Version 1.7.0

What's new

  • Tracing using OpenTelemetry

    Tracing can now be enabled in ADS, providing the option to track key events that relate to access requests. The tracing functionality in ADS is based on OpenTelemetry (OT), relying on the OpenTelemetry Java agent to orchestrate the feature, but any agent that conforms to or implements the OpenTelemetry API version 1.3 could be used. For visualization and monitoring assistance, the tracing information produced by ADS can be published to other tools, for example, Jaeger or Prometheus.

    For each request, the following spans are defined in the trace:

    • A span for the whole request.

    • A span per call to an attribute connector. A span is also produced when a call to fetch an attribute is served from the cache or requires an operation by the attribute connector itself.

      If the access request includes a W3C trace context, ADS does not define a new trace. Instead, all spans are created within that context. If the access request contains a header with correlation information, that information is attached to the span associated with the whole request.

  • Logging enhanced with tracing information in MDC

    Log entries emitted by ADS can be enhanced with trace and span identifiers as attributes in the Mapped Diagnostic Context (MDC). However, this requires that the OpenTelemetry Java agent that ADS relies on for the tracing functionality is enabled. When that is the case, the OpenTelemetry Java agent will inject information about the current span into the MDC copy of each logging event.

  • Support for conditional requests when polling a domain name using HTTP(S)

    ADS now supports conditional requests when polling a domain name from an authorization domain server using GET on an HTTP(S) endpoint. This means that ADS will recognize an "ETag" header if present in the response from the server, and consequently include an "If-None-Match" header field in its future requests, as well as correctly handle the "304 (Not Modified)" status code and header information the authorization domain server will use in its response if the representation has not changed since the previous request.

    The implementation is compliant with IETF RFC 7232, §3.2, which delineates the name and semantics of the header information that clients must use for an "If-None-Match" header field, and IETF RFC 7232, §4.1, which describes the definition of the "304 (Not Modified)" status code and header information.

  • Version information published by ADS

    Users can now access version information published by ADS in two ways: By looking at the log, as ADS will log information about the application and the operating system during start-up, or by querying an administration endpoint. The information presented is the same for both methods. Refer to the ADS User's Guide for more information.

  • Check command will detect mismatch between declared and provided attributes

    The check command functionality has been extended with another validation item. It will now also detect any mismatch between declared and provided attributes in the domain configuration.

  • Configuration to stop ADS from starting if a declared attribute is not provided

    There is an optional property, failOnDeclaredAttributeNotProvided, that can be used to configure ADS not to start or reconfigure with a domain that does not provide an attribute that has been declared in the configuration.

  • Concise format default for audit logging output

    A concise format is now the default for the audit logging output. To improve processing efficiency, information not essential to auditing is excluded from the evaluation events. If the full, or verbose, logging information is required, this can be set via an audit mode property in the deployment configuration file.

Fixed issues

  • XACML function string-regexp-match conforms to the specification

    Previously, the string-regexp-match function returned incorrect results for some regular expressions that use the alternation operator. This has been fixed and the function now conforms to the XACML 3.0 specification.

  • MDP requests not failing fast if one access decision fails

    When the authorization engine receives an MDP (Multiple Decision Profile) request, the execution is parallelized.

    Previously, if an individual access decision failed, perhaps by an exception raised by an attribute connector, the engine did not abort the execution or fail fast, allowing other parallel processes to continue to execute. This could result in unnecessary resource use.

    This has been fixed. Now, if one individual access decision fails, the engine fails fast and cancels all active parallel processes so as to not consume unnecessary resources.

Known issues

  • Running an ADS command may create audit log output

    Running an ADS command may create audit log output depending on the configuration that is being used. This is because running any command starts a JVM with the full functionality of the current configuration enabled. This is unavoidable due to the design of the commands. As a consequence, it is not possible to avoid producing audit logs for operations that are triggered by running a command, if audit logging is enabled in the configuration.

  • Warning of illegal reflective access operation when running ADS on Java 11

    Running ADS on Java 11 may trigger warnings concerning illegal reflective access operations. These warnings are not a consequence of any malfunctioning, and can therefore be ignored and do not need to be reported.

  • Domain conversion command may produce invalid domains

    Running the authorization domain format conversion command may result in invalid domain configuration files. Use of the command is deprecated and the functionality will be removed in a later release of ADS.

Version 1.6.4

What's new

  • Runtime updating of domain configurations

    There is now an optional property, domainRefreshInterval, that can be used to configure ADS to update the domain configuration during runtime by polling its source at regular intervals. This allows for updating of policies or attribute connectors without having to stop and redeploy ADS.

    Note: The refresh feature only reloads the domain if it has been modified. When that happens, ADS clears the attribute cache and creates new instances of the attribute connectors.

  • Authorization domain format conversion

    A conversion command has been added that will convert an XML-format authorization domain configuration file to a YAML-format authorization domain configuration file.

  • ADS can send user credentials for retrieval of domains

    ADS can now present user credentials when requesting a domain configuration file from remote locations that support Basic Authentication.

  • Connection pooling enabled by default for LDAP

    Previously, connection pooling was only enabled for unencrypted connections, that is plain text connections. Now connection pooling is enabled by default for both LDAP and LDAPS connections.

    As part of the update, the property com.sun.jndi.ldap.connect.pool.protocol has been superseded by the property com.axiomatics.jndi.ldap.connect.pool.protocol. Existing configurations using this property should be updated to reflect this.

  • Attribute connectors no longer included in ADS distribution

    Standard attribute connectors for connection to SQL and LDAP data sources are no longer included in the ADS distribution. Instead, each attribute connector must be downloaded and installed separately.

  • License expiration warning configurable

    A configuration property has been added to let you override the default 30 day duration for when the warning of an impending license expiration is triggered.

Fixed issues

  • Invalid PolicyIdentifierList field in response

    Previously, the PolicyIdentifierList field that may appear in XACML JSON profile 1.1 responses was invalid. This has been fixed. The values of the PolicyIdentifierList field in an XACML JSON profile 1.1 response now comply with the JSON Profile of XACML 3.0 Version 1.1 specification.

Version 1.5.0

What's new

  • Support for metadata in the domain document

    ADS now supports storing metadata in the domain document for tooling and domain management workflow processes.

  • Sensitive data provided through environment variables

    ADS now allows for sensitive data in attribute connector configurations, such as user names and passwords, to be provided through environment variables.

Fixed issues

  • Number of connections opened when using connection pooling

    On startup, ADS incorrectly opened twice the number of database connections per instance as the value specified by the minimumSize key of the connectionPool property. This has been fixed.

  • Non-UTC time zones in a request incorrectly reported in the audit log

    Time attribute values with non-UTC time zones received in a request were incorrectly reported in the audit log; the values were converted to UTC time and lost the supplied time-zone information. This has been fixed; the time-zone information is now retained in the audit log. The issue did not affect the authorization responses, only the way the requests were reported in the audit log.

  • Loss of non-UTC time-zone information when using a JSON format request

    Time attribute values with non-UTC time zones received in a JSON request were converted to UTC time and lost the supplied time-zone information. Depending on the policy, this could affect the correctness of the authorization response. The issue has been fixed; the time-zone information is now retained during the authorization process. The problem did not affect XML format requests.

Version 1.4.0

What's new

  • New authorization domain document format

    This release introduces a new YAML document format for the representation of authorization domains. The new document format has a number of benefits, for example:

    • The document is human-readable, which makes it easy to analyze and maintain.

    • Specialized software tools are not required to create the document; editing can be done using a regular text editor.

    • The document structure follows a concise syntax, and it is easy to embed other text-format data inline in the domain configuration.

    • The format is well-suited to source control.

  • ADS starts with Table or SQL attribute connector even if database is down

    ADS would not start if a Table or SQL attribute connector was used in the policy and the source database was down during the start-up of the application. The initialization functionality has been changed so that transient database connection issues will not cause ADS to fail on start-up.

Fixed issues

  • ADS could fail to start due to dependency conflicts with attribute connectors

    ADS could fail to start when the ADS application .jar file is not the first one in the classpath when used along with attribute connector .jar files. This has been fixed.

Version 1.3.0

What's new

  • Support for legacy PDP SOAP endpoint

    To make migration easier, clients using the legacy PDP SOAP endpoint can now point directly to ADS.

  • License file retrieval from classpath

    Support for license file retrieval from the classpath has been added.

Fixed issues

  • ADS failed to start with ARQ capabilities enabled in domain configuration

    ADS failed to start when the deployment configuration file pointed to a legacy domain configuration that was exported with the ARQ RAW or ARQ SQL capabilities enabled. This has been fixed.

Known issues

  • Legacy PDP SOAP endpoint limitation

    There is the possibility of a log warning unrelated to Access Decision Service. If ADS is configured to use Basic authentication and the legacy PDP SOAP endpoint is used, a request to ADS sent without user credentials will cause ADS to return HTTP error code 500 (Server error). In this case, ADS logs a WARN-level message with a stack trace about a NullPointerException. This log message can be ignored; it is due to a third-party library and has no relevance for the functionality of Access Decision Service.

Version 1.2.0

What's new

  • JSON Profile of XACML 3.0 Version 1.1 conformance

    This release of Access Decision Service conforms with the JSON Profile of XACML 3.0 Version 1.1.

  • REST Profile of XACML 3.0 Version 1.1 conformance

    This release of Access Decision Service conforms with the REST Profile of XACML 3.0 Version 1.1.

  • Legacy PDP support

    To make migration easier, clients using the legacy PDP REST endpoint can now point directly to ADS.

  • configStrategy property removed

    The property configStrategy has been removed. If this property is present in the deployment configuration file used to run ADS, the application will not start. The sample deployment configuration file supplied with ADS has been updated to reflect this change.

Known issues

  • ADS may fail to start due to order of jar files

    ADS may fail to start when the ADS application .jar file is not the first one in the classpath argument. Suggested workaround: When starting ADS, make sure the ADS application .jar file comes first in the classpath argument, followed by the other dependencies. This will be fixed in a future release.

Version 1.1.3

What's new

  • Extended Java support

    Oracle 64-bit Java 11 and OpenJDK 64-bit Java 11 are now supported.

  • Authorization domain limitation removed

    A previous limitation, that only authorization domain configuration files exported from ASM using the GUI would be accepted, has been removed. Updates to the Developer Resources now make it possible to use authorization domain configuration files retrieved programmatically using the Admin API.

  • Transaction ID correlation

    There is an optional header, x-xacml-transaction-id, that can be used for correlation purposes. If audit logging is enabled in the deployment configuration file, the value of the x-xacml-transaction-id that is supplied in the header will appear in the audit log as a transaction ID element.

  • Concurrent evaluation of Multiple Decision Profile requests

    Concurrent, or multi-threaded, evaluation of Multiple Decision Profile requests is now a configurable property.

  • File retrieval support

    The license property in the deployment.yml file supports the following ways of retrieving files:

    • file:dir/file.xml - relative file on file system via URL

    • file:/dir/file.xml - absolute file on file system via URL

    • dir/file.xml - relative file on file system

    • /dir/file.xml - absolute file on file system

    • http://<host:port>/<path/to/file> - URL to the file

    • https://<host:port>/<path/to/file> - URL to the file

    The authorization domain property in the deployment.yml file supports the following ways of retrieving files:

    • classpath:/file.xml - file on classpath

    • file:dir/file.xml - relative file on file system via URL

    • file:/dir/file.xml - absolute file on file system via URL

    • dir/file.xml - relative file on file system

    • /dir/file.xml - absolute file on file system

    • http://<host:port>/<path/to/file> - URL to the file

    • https://<host:port>/<path/to/file> - URL to the file
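The two lists above share one location syntax, with the difference that only the authorization domain property accepts classpath: resources. As an added example (not ADS code, and not how ADS parses these values internally), the following classifier resolves each listed form, distinguishes file:dir/file.xml (relative) from file:/dir/file.xml (absolute), rejects classpath: where it is not supported, and refuses unknown schemes instead of treating them as file paths. The Location type and function names are the example's own.

```python
from typing import NamedTuple
from urllib.parse import urlsplit


class Location(NamedTuple):
    kind: str          # "file", "classpath" or "http"
    path: str          # file-system path, classpath resource, or the full URL
    absolute: bool     # True for absolute file paths, classpath resources and URLs


def parse_location(spec: str, allow_classpath: bool) -> Location:
    """Classify a location string using the forms listed in the release notes.

    allow_classpath is True for the authorization domain property and False
    for the license property, which the notes list without a classpath: form.
    """
    if not spec or spec.isspace():
        raise ValueError("empty location")
    if spec.startswith("classpath:"):
        if not allow_classpath:
            raise ValueError("classpath: is not supported for this property")
        return Location("classpath", spec[len("classpath:"):], True)
    if spec.startswith(("http://", "https://")):
        parts = urlsplit(spec)
        if not parts.netloc:
            raise ValueError("URL without host: " + spec)
        return Location("http", spec, True)
    if spec.startswith("file:"):
        # "file:dir/file.xml" is relative, "file:/dir/file.xml" absolute, as listed above.
        path = spec[len("file:"):]
        if not path:
            raise ValueError("file: without a path")
        return Location("file", path, path.startswith("/"))
    # Anything else must be a bare path; a colon before the first "/" means an unknown scheme.
    if ":" in spec.split("/", 1)[0]:
        raise ValueError("unsupported scheme in " + spec)
    return Location("file", spec, spec.startswith("/"))


def is_supported(spec: str, allow_classpath: bool) -> bool:
    """Convenience wrapper: True if parse_location accepts the string."""
    try:
        parse_location(spec, allow_classpath)
        return True
    except ValueError:
        return False
```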

Version 1.0.0

What's new

  • File retrieval support

    The authorization domain property in the deployment.yml file supports the following ways of retrieving files:

    • classpath:/file.xml - file on classpath

    • file:dir/file.xml - relative file on file system via URL

    • file:/dir/file.xml - absolute file on file system via URL

    • dir/file.xml - relative file on file system

    • /dir/file.xml - absolute file on file system

  • Attribute Connectors packaged separately

    There are no default attribute connectors in ADS version 1.0.0. The LDAP, SQL, and Table Attribute Connectors are packaged as independent entities in a separate subfolder of the software deliverable. The attribute connectors must be extracted and installed separately for use.

  • Authorization endpoint

    The authorization endpoint for ADS is /authorize.

  • Deprecated endpoints

    The /asm-pdp/authorize endpoint is deprecated in ADS v1.0 and only available to provide compatibility with legacy PDP installations.

Known issues

  • Authorization domains must be created using the ASM GUI

    Authorization domain configuration files exported from Axiomatics Services Manager (ASM) using the Admin API cannot be used to configure the Access Decision Service. Only authorization configuration files exported from ASM using the GUI will be accepted.

  • Transaction ID not available

    In the PDP web application included in the current Axiomatics Policy Server (APS) release, the client could specify a transaction ID together with the request.

    The transaction ID would then be written to the audit log of the PDP. This functionality is not available in ADS 1.0.0 and the transaction ID will be ignored. The functionality will be available in a later version of ADS.