Release notes
Access Decision Service (ADS) features, bug fixes, and known issues by release.
Version 26.1.1
Improvements
- ADS API security hardening Implemented additional response headers to protect against common web-based attack vectors.
Fixed issues
Attribute connector exception messages missing diagnostic details
Fixed an issue where error parameters were lost when an error code's message template lacked the necessary placeholders, causing exception messages to omit important diagnostic information.
Parser Attribute Connector build failure
Resolved a thread-safety issue in Parser Attribute Connector that could cause build failures when multiple connectors were initialized concurrently.
XML schema inconsistencies in attribute connectors
Corrected typos in the XML schema element names (
connnection/connnectionMap) for Table, LDAP, and SQL Attribute Connector configurations. Backward compatibility with existing configurations is maintained.Security fixes
Several third-party libraries were updated to address the following security vulnerabilities:
Version 26.1.0
ADS 2.x has been renamed to ADS 26.1 to align with our new versioning strategy, which introduces annual major releases for our products. ADS 26.1 is a fully backwards-compatible continuation of ADS 2.2, incorporating bug fixes and new features. Upgrading from ADS 2.2 is straightforward: upgrade effort is minimal and no migration effort is required.
What's new
Contextual Authorization Query (CAQ) functionality
ADS now features built-in CAQ functionality for performing reverse queries. Bundling CAQ with ADS ensures a more consistent runtime experience while reducing the number of components required for configuration and monitoring. CAQ functionality is available only when ADS is running in
caqorads_caqmode. For details on available modes, see Available modes and Migrating to ADS 26.1.Attribute Connectors integrated into ADS
Attribute Connectors are now fully integrated into ADS. This integration simplifies the system architecture by eliminating separate service hops for attribute retrieval, resulting in more efficient monitoring and configuration of attribute retrieval.
Spring Boot 4
ADS 26.1 runs on Spring Boot 4, offering improved runtime performance and alignment with the latest security patches and framework enhancements.
OpenTelemetry (OTEL) tracing
ADS now generates OpenTelemetry (OTEL) spans for all Attribute Connector calls, using clear, consistent naming conventions to capture start times, end times, and durations. While span content is curated to prevent the exposure of sensitive data, these traces provide full visibility into Attribute Connector cache performance and call success or failure rates.
Improved Kubernetes deployment
Helm charts now support JDBC connection pool configuration for Kubernetes deployments, allowing you to define minimum and maximum pool sizes directly in
values.yaml. This eliminates the need to modify Helm templates or hardcode values within the chart to tune JDBC performance.
Fixed issues
ADS 26.1 includes fixes for the following issues identified in ADS 2.2:
- Clean startup without misleading WARN logs ADS now starts without erroneous WARN-level messages for valid, out‑of‑the‑box configurations.
- Invalid JSON in audit logs for obligations/advice with quotes Fixed an issue where ADS 2.2 evaluation audit logs could emit invalid JSON when obligation/advice values contained double quotes, causing downstream parsing and ingestion to fail.
- Invalid JSON in audit logs for embedded JSON attributes
Fixed an issue where authorization requests containing attribute values that were themselves JSON strings resulted in invalid JSON in the
requestsection of evaluation audit logs. Such values are now correctly escaped/encoded. - Documented JVM truststore configuration for outbound TLS Updated documentation to describe configuring outbound TLS trust through the JVM truststore as a supported global trust option alongside ADS TLS bundle configuration.