The most recent patch for this version is 1.0.3.

Release notes

Contextual Authorization Query (CAQ) features, bug fixes, and known issues by release.

Version 1.0.3

What's new

  • Vulnerability fixes

    Internal libraries were updated to address vulnerabilities.

Fixed issues

  • Enhanced error handling for malformed requests

    The CAQ service now throws a 'malformed request' error whenever a request attribute maps to a dictionary attribute with a non-null issuer, ensuring reliable request validation.

Version 1.0.2

What's new

  • Online documentation updates

    Documentation updates regarding the following:

    • Vulnerabilities report instructions

      ADS documentation is now updated with instructions on how to download the vulnerabilities report from S3.

  • Snyk for vulnerabilities check

    CAQ 1.0.2 supports vulnerability scanning based on Snyk, an industry-leading security intelligence management solution that helps protect code from open source risks.

Fixed issues

  • Issue with runtime changes in the attributes section of the domain is fixed

    In the previous version of CAQ, changes made to the dictionary during runtime were not taken into account. This has been fixed in CAQ 1.0.2.

  • CAQ returns correct attribute id in response

    The CAQ response was mapping an attribute identifier in the domain dictionary using the issuer value of the attribute designator. This issue is now fixed, and the CAQ response maps to an attribute identifier with a null issuer.

  • Optimized Response Time

    When Basic authentication was enabled, CAQ response time was slow. This issue is now resolved.

  • Attribute cache works for multiple attribute connector mappings

    If an attribute was provided by two mappings (regions) in an attribute connector, caching only took effect for one of the mappings. This issue is now fixed.

  • Improved attribute handling in requests

    Fixed an issue where missing attributes in the dictionary were not being ignored during request processing, leading to inaccurate results.

  • Attribute Mapping Error Fix

    Resolved an issue causing a 500 internal error and a null pointer exception in the logs when CAQ received a request with an attribute name that existed in the dictionary but couldn't be mapped to an XACML attribute in the policy.

Version 1.0.1

Fixed issues

  • CAQ domain validation no longer rejects, as duplicates, attributes with no issuer or an empty issuer

    CAQ 1.0.0 used to reject domains whose attribute dictionary contained both an attribute with no issuer and the same attribute with an issuer set to an empty string. This has been fixed in CAQ 1.0.1.

Known issues

  • Runtime changes in the attributes section of the domain will not be taken into account

    While the CAQ service is running, changes in the dictionary will not be taken into account. So, if a missing attribute is added to the dictionary, the change will be traced but it will not affect the request and response. The added attribute will still be ignored in the request and generated in the response.

Version 1.0.0

What's new

  • Cloud-native Web Service

    CAQ is a web-based standalone cloud-native application that provides reverse query evaluation functionality.

  • Contextual authorization REST API

    The contextual authorization REST API allows users to POST reverse queries in JSON format for evaluation.

    The response provides information on what constraints need to be satisfied to get an expected PDP decision (as defined in the request).

    CAQ supports two endpoints for reverse query evaluation, which define the type of response that is sent back by the service's API. Depending on the endpoint used in the request, the API's response can be one of the following:

    • Programmatic response

      A response that uses the AST (Abstract Syntax Tree) representation to display the response in a simplified way.

    • Human-readable response

      A response type that can be easily understood by a user that is not familiar with logical and mathematical terms.

  • Sensitive data provided through environment variables

    CAQ now allows for sensitive data in attribute connector configurations, such as user names and passwords, to be provided through environment variables.

  • Java support

    CAQ supports Java SE 11.

  • Basic authentication

    By default, CAQ uses basic authentication, with a username and a password defined in the authentication section of the deployment configuration file.

  • Swagger UI

    The service includes a Swagger UI that provides neatly categorized documentation and a simple way to interact with the Reverse Query API’s resources and endpoints.

  • Authorization domain support

    Contextual Authorization Query only supports authorization domain configuration files in format version 2, based on a YAML representation.

  • Authorization domain configuration file retrieval

    The authorization domain property in the deployment file supports the following ways of retrieving the authorization domain:

    • Relative or absolute file path on the file system

    • HTTP(S) endpoint

    • Standalone ADM

  • Update of the authorization domain during runtime

    The CAQ service allows users to configure automatic updates of the domain configuration during runtime by polling its source at regular intervals. This allows policies or attribute connectors to be updated without having to stop and redeploy the service each time the domain configuration is updated.

  • Conditional requests when polling a domain name using HTTP(S)

    When CAQ retrieves a domain by name from ADM using an HTTP(S) endpoint, it sends conditional requests to indicate to the authorization domain server which authorization domain(s) it already has.

  • Support for version 2 YAML-based format authorization domains

    CAQ supports version 2 YAML-based format authorization domains, such as those produced by ASM 7.x, that might not include a fully populated dictionary.

  • CAQ service and ASM 6.2.x integration

    Integration with ASM 6.2.x is supported through the Authorization Domain Converter (DOMCONV) tool, which converts authorization domains from version 1 to version 2.

Known issues

  • Memory-intensive operations

    Requests sent to CAQ are by default memory-intensive operations. So, when using very large policies or when there are too many undefined attributes (not provided or mocked) in a request, this may result in memory-related errors such as java.lang.StackOverflowError. Users should define more attributes in the request or substantially increase the memory in order to avoid such memory-related issues.