13 Jan, 2015

2 commits


12 Jan, 2015

2 commits


10 Jan, 2015

1 commit

  • Yesterday we transferred the openid repo to the ForgeRock community space.
    The old link technically still works, as GitHub uses a redirect.
    The link used here is now the direct link, however.
    
    git-svn-id: https://svn.forgerock.org/openam/trunk@12038 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    mark
     

06 Jan, 2015

1 commit


05 Jan, 2015

5 commits


01 Jan, 2015

1 commit

  • SAML session synchronization now no longer fails if one of the remote
    entities does not have SOAP SLO endpoint. Such entities are now just simply
    ignored; all other entities that supports SOAP SLO will be notified of the
    session invalidation.
    
    git-svn-id: https://svn.forgerock.org/openam/trunk@12016 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    peter.major
     

24 Dec, 2014

1 commit


23 Dec, 2014

1 commit


22 Dec, 2014

3 commits


19 Dec, 2014

5 commits


18 Dec, 2014

6 commits


17 Dec, 2014

9 commits

  • git-svn-id: https://svn.forgerock.org/openam/trunk@11957 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    bthalmayr
     
  • git-svn-id: https://svn.forgerock.org/openam/trunk@11956 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    bthalmayr
     
  • git-svn-id: https://svn.forgerock.org/openam/trunk@11952 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    bthalmayr
     
  • git-svn-id: https://svn.forgerock.org/openam/trunk@11951 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    bthalmayr
     
  • <!--
      ! CCPL HEADER START
      !
      ! This work is licensed under the Creative Commons
      ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
      ! To view a copy of this license, visit
      ! http://creativecommons.org/licenses/by-nc-nd/3.0/
      ! or send a letter to Creative Commons, 444 Castro Street,
      ! Suite 900, Mountain View, California, 94041, USA.
      !
      ! You can also obtain a copy of the license at
      ! src/main/resources/legal-notices/CC-BY-NC-ND.txt.
      ! See the License for the specific language governing permissions
      ! and limitations under the License.
      !
      ! If applicable, add the following below this CCPL HEADER, with the fields
      ! enclosed by brackets "[]" replaced with your own identifying information:
      !      Portions Copyright [yyyy] [name of copyright owner]
      !
      ! CCPL HEADER END
      !
      !      Copyright 2011-2014 ForgeRock AS
      !    
    -->
    <chapter xml:id='chap-compatibility'
     xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
     xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
     xsi:schemaLocation='http://docbook.org/ns/docbook
                         http://docbook.org/xml/5.0/xsd/docbook.xsd'
     xmlns:xlink='http://www.w3.org/1999/xlink'>
     <title>OpenAM Changes & Deprecated Functionality</title>
    
     <para>This chapter covers both major changes to existing functionality, and
     also deprecated and removed functionality.</para>
    
     <section xml:id="changes">
      <title>Important Changes to Existing Functionality</title>
    
      <itemizedlist>
    
       <!-- Update docs for click-through license acceptance KEEP THIS AT TOP -->
       <listitem>
           <para>All OpenAM core server, tools, and agent installers now display a
            software license acceptance screen prior to configuration.
            You must agree to the license to continue the configuration. </para>
           <para>For users implementing scripted or silent installs, the installers
           and upgrader tools provide a <option>--acceptLicense</option> command-line
           option, indicating that you have read and accepted the terms of the
           license. If the option is not present on the command-line invocation,
           the installer or upgrader will interactively present a license agreement
           screen to the user.</para>
       </listitem>
    
       <!-- AME-4013, AME-2766, etc. -->
       <listitem>
        <para>
         When you visit the Policies tab for a realm in OpenAM console,
         OpenAM now directs you to the new policy editor.
         For instructions on using the new policy editor,
         see the <citetitle>Administration Guide</citetitle> chapter,
         <link
          xlink:href="admin-guide#chap-authz-policy"
          xlink:show="new"
          xlink:role="http://docbook.org/xlink/role/olink"
         ><citetitle>Defining Authorization Policies</citetitle></link>.
         Notice that policies now belong to applications
         as described in that chapter.
        </para>
    
        <itemizedlist>
         <para>
          OpenAM has changed its internal representation for policies
          to better fit the underlying implementation,
          which is based on a new engine
          designed for higher performance and finer grained policies.
          When you upgrade to this version,
          OpenAM migrates your policies to the new representation.
         </para>
    
         <para>
          Depending on your existing policies before upgrade,
          you can see the following differences:
         </para>
    
         <listitem>
          <para>
           Existing policies with multiple resource rules
           map to multiple new policies.
          </para>
    
          <para>
           When a single policy maps to multiple policies during migration,
           OpenAM appends a number to the existing name for each new policy.
           This allows you to recognize the set of policies
           when you must manage them together,
           for example to change them all in the same way.
          </para>
    
          <para>
           This behavior is to optimize policy evaluation performance.
           The newer policy engine matches resources to policies during evaluation
           with indexing that proves very efficient
           as long as each policy specifies one resource pattern.
           OpenAM processes the list of resources in policies in linear fashion,
           so long lists of resources can slow policy evaluation.
          </para>
         </listitem>
    
         <listitem>
          <para>
           Conditions in existing policies map to newer representations.
          </para>
    
          <para>
           New representations exist for all existing conditions
           provided in OpenAM out of the box.
           Custom conditions developed for your deployment
           do not map to any of the newer conditions provided.
           In that case you must implement your custom conditions
           by implementing the newer service provider interfaces,
           and then replace your existing policies to use them.
          </para>
    
          <para>
           To see how to implement a custom policy plugin,
           see the <citetitle>Developer's Guide</citetitle> chapter,
           <link
            xlink:href="dev-guide#chap-policy-spi"
            xlink:show="new"
            xlink:role="http://docbook.org/xlink/role/olink"
           ><citetitle>Customizing Policy Evaluation</citetitle></link>.
          </para>
         </listitem>
    
         <listitem>
          <para>
           When OpenAM encounters issues migrating policies during upgrade,
           it writes messages about the problems in the upgrade log.
           When you open a policy in the policy editor
           that caused problems during the upgrade process
           the policy editor shows the issues,
           but does not let you fix them directly.
           Instead you must create equivalent, corrected policies
           in order to use them in OpenAM.
          </para>
         </listitem>
         <listitem>
          <para>
           It is strongly recommended <emphasis>not</emphasis> to use the
           forward slash character
           in policy names. Users running OpenAM servers on Tomcat
           and JBoss web containers will not be able to manipulate policies
           with the forward slash character in their names without setting the
           <literal>&#x2011;Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal>
           argument in the <literal>CATALINA_OPTS</literal> environment variable
           before starting the OpenAM web container.
          </para>
          <para>
           It is also strongly recommended not to enable
           the <literal>ALLOW_ENCODED_SLASH=true</literal> setting while running
           OpenAM in production. Using this option introduces a security risk.
           See
           <link
            xlink:href="http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
            ">Apache Tomcat 6.x Vulnerabilities</link>
           and
           <link
            xlink:href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
            ">the related CVE</link>
           for more information.
          </para>
          <para>
           If you have policy names with forward slashes after
           migration to OpenAM 12, rename the policies so that they
           do not have forward slashes. Perform the following steps
           if you use Tomcat or JBoss as your OpenAM web container:
           <orderedlist>
            <listitem>
             <para>
               Stop the OpenAM web container.
             </para>
            </listitem>
            <listitem>
             <para>
              Add the
              <literal>&#x2011;Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal>
              setting to the <literal>CATALINA_OPTS</literal> environment variable.
             </para>
            </listitem>
            <listitem>
             <para>
              Restart the OpenAM web container.
             </para>
            </listitem>
            <listitem>
             <para>
              Rename any policies with forward slashes in their names.
             </para>
            </listitem>
            <listitem>
             <para>
              Stop the OpenAM web container.
             </para>
            </listitem>
            <listitem>
             <para>
              Remove the
              <literal>&#x2011;Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal>
              setting from the <literal>CATALINA_OPTS</literal> environment variable.
             </para>
            </listitem>
            <listitem>
             <para>
              Restart the OpenAM web container.
             </para>
            </listitem>
           </orderedlist>
          </para>
         </listitem>
        </itemizedlist>
    
        <itemizedlist>
         <para>
          OpenAM configuration has changed in several ways to accommodate
          the changes to the way policies are managed:
         </para>
    
         <listitem>
          <para>
           The Policy Configuration Service is simplified.
           For details see the <citetitle>Reference</citetitle> section,
           <link
            xlink:href="reference#policy-configuration"
            xlink:show="new"
            xlink:role="http://docbook.org/xlink/role/olink"
           ><citetitle>Policy Configuration</citetitle></link>.
          </para>
         </listitem>
    
         <listitem>
          <para>
           OpenAM now requires policy referrals only when an application
           is administered across multiple realms,
           as can be the case when one policy agent protects multiple applications.
           Otherwise, OpenAM can use new settings in policy agent profiles
           to direct policy agent requests to the appropriate realm and application.
          </para>
    
          <!-- AME-5055 -->
          <note><para>Referrals are not shown by default in the policy
           editor. To enable them, in the OpenAM console, select Configuration >
           Global > Policy Configuration, set Activate Referrals to Enabled, and
           then click Save.</para></note>
    
          <para>
           The web and Java EE policy agent profiles includes the new settings
           under OpenAM Services > Policy Client Service in OpenAM console.
           These new settings allow you to set the realm and application
           for a policy agent.
           The settings are compatible with existing policy agents,
           as they are not used by the policy agents themselves,
           but instead by OpenAM when handling policy agent requests.
          </para>
         </listitem>
        </itemizedlist>
    
        <para>
         The fix for <link xlink:show="new"
         xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-3509"
         >OPENAM-3509</link> ensures that OpenAM considers a trailing slash
         as part of the resource name to match.
         This improves compatibility between self and subtree modes,
         and compatibility with older policy agents.
        </para>
       </listitem>
      <listitem>
       <para>The Device ID (Match), HMAC One-Time Password (HOTP), and
        Device ID (Save) modules, configured together in an authentication chain,
        provide the same functionality as the Device Print Authentication
        module that is present in OpenAM 11.x versions.
       </para>
        <para>
         The Device Print authentication module is only available
         for OpenAM 11.x versions and their upgrades.
         If you have upgraded from OpenAM 11.x to OpenAM 12.0 you
         can still use the Device Print module, customize it, and create new instances
         of the module or use the Device ID (Match) and Device ID (Save) modules.
        </para>
       <important><para>The Device ID (Match) profiles (that is, device fingerprints)
        are incompatible with profiles created from the Device Print authentication module.
        If the user has existing device print profiles, created from the Device
        Print authentication module, these old profiles will always fail to match the
        client's new device profiles using the scripted Device ID (Match) module
        even when using the same device.</para>
        <para>With the Device ID (Match) and Device ID (Save) modules, the user must re-save each
         device profile, which deletes the old 11.x profiles stored for the user.</para>
       </important>
       </listitem>
    
       <listitem>
        <para>
         Following a change to the SAML 2.0 pages in OpenAM,
         you no longer customize <filename>saml2login.template</filename>
         and <filename>saml2loginwithrelay.template</filename>
         to add a progress bar for single sign on.
         Instead, customize <filename>saml2/jsp/autosubmitaccessrights.jsp</filename>
         as described in the procedure,
         <link xlink:show="new" xlink:href="admin-guide#show-saml2-sso-login-progress"
         xlink:role="http://docbook.org/xlink/role/olink"><citetitle
         >To Indicate Progress During SSO</citetitle></link>.
        </para>
       </listitem>
    
       <listitem>
        <para>Changing passwords by using a PUT REST API call is no longer
         supported.</para>
        <para>Use a POST request to
         <literal>/json/<replaceable>subrealm</replaceable
          >/users/<replaceable>username</replaceable>?_action=changePassword</literal>
         to change a password.</para>
       </listitem>
    
       <listitem>
        <para>The response returned when submitting incorrect credentials to
         <literal>/json/authenticate</literal> has changed.</para>
        <table pgwide="1">
         <title>Failed Authentication Message</title>
    
         <tgroup cols="2">
          <colspec colnum="1" colwidth="1*"/>
          <colspec colnum="2" colwidth="1*"/>
    
          <thead>
           <row>
            <entry>OpenAM 11.0.1</entry>
            <entry>OpenAM 12.0.0</entry>
           </row>
          </thead>
    
          <tbody>
           <row>
            <entry>
    <programlisting language="javascript">{
     "errorMessage": "Authentication Failed!!",
     "failureUrl": "https://openam.example.com:8443"
    }</programlisting>
            </entry>
            <entry>
    <programlisting language="javascript">{
     "code": 401,
     "reason": "Unauthorized",
     "message": "Authentication Failed!!",
     "detail": {
      "failureUrl": "https://openam.example.com:8443"
     }
    }</programlisting>
            </entry>
           </row>
          </tbody>
         </tgroup>
        </table>
       </listitem>
    
       <listitem>
        <para>
         When running OpenAM on WebLogic 11g, you must add a WebLogic-specific
         descriptor file, <filename>WEB-INF/weblogic.xml</filename> to the .war
         before deployment.
        </para>
       </listitem>
    
       <!-- OPENAM-5263 //-->
       <listitem>
       <para>
       In the OpenID Connect 1.0 module you can map local user profile attributes to
       OpenID Connect Token claims, allowing the module to retrieve the user profile
       based on the ID Token. The key is the ID Token field name and value is the
       local user profile attribute name.
       The default has been changed as follows: mail=email, uid=sub.
       (<link xlink:show="new"
              xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-5263"
       >OPENAM-5263</link>)</para>
       </listitem>
    
       <listitem>
        <para>
         The class hierarchy for the <literal>ResourceName</literal> interfaces has
         changed. Previous implementations should be source-compatible, but will not
         be binary-compatible, and will need recompiling.
        </para>
       </listitem>
    
       <!-- OPENAM-5279 //-->
       <listitem>
        <para>
         The OAuth2 provider uses RSA as its default encryption
         algorithm. The default OAuth2 client agent configuration has been changed
         to RS256 to match the OAuth2 provider algorithm.
         The client agent continues to support HMAC algorithms; only the default
         encryption algorithm has been changed to support out-of-the-box functionality.
         (<link
         xlink:show="new"
         xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-5279"
         >OPENAM-5279</link>)
        </para>
       </listitem>
    
       <listitem>
        <para>
        The distributed authentication service (DAS) and cross-domain single sign-on
        (CDSSO) do not support the <literal>iPSPCookie/DProPCookie</literal>
        query string parameter to set a <literal>DProPCookie</literal> in the
        user-agent as a mechanism for cookie persistence. Neither DAS nor CDSSO retains
        <literal>iPSPCookie=yes</literal>.
        </para>
       </listitem>
    
       <listitem>
        <para>Updates to OAuth 2.0 and OpenID Connect authentication
         modules mean that any custom implementations of
         <literal>org.forgerock.openam.authentication.modules.oauth2.AccountMapper</literal> or
         <literal>org.forgerock.openam.authentication.modules.oauth2.AttributeMapper</literal>
         no longer work, and needs to be reimplemented against
         <literal>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</literal>
         and/or <literal>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</literal>
         as appropriate.
        </para>
       </listitem>
    
       <listitem>
        <para>
         The XUI, now the default for end-user pages, handles DNS/realm alias
         differently from the classic UI, which was the default in previous OpenAM
         versions.
         With the classic UI, the realm alias is specified both in the host name and
         the URI path. With the XUI, the host name alone specifies the realm. The XUI
         evaluates a realm specified in the path of the URL as a subrealm of the
         realm specified by the host name alias.
        </para>
        <para>
         For example, with the classic UI, you could authenticate to a realm,
         <literal>realm1</literal> using the DNS alias
         <literal>realm1.example.com:8080</literal>
         and the realm query parameter, <literal>realm=realm1</literal>, as follows:
        </para>
        <programlisting>
    http://realm1.example.com:8080/openam/UI/Login?realm=realm1
        </programlisting>
        <para>
         With XUI, you do not include a realm in the URI if it has already been
         mapped as now any URI realm is additive and specifies a subrealm of the
         DNS alias realm.
         For example, using the following URL indicates that you are attempting
         to authenticate to <literal>/realm1/realm1</literal> (that is, the sub-realm,
         <literal>realm1</literal> under the realm, <literal>realm1</literal>).
        </para>
        <programlisting>
    http://realm1.example.com:8080/openam/XUI/#Login/realm1
        </programlisting>
        <para>
         As another example, if you have a sub-realm called <literal>test</literal> under
         <literal>/realm1</literal> and make a request to:
        </para>
        <programlisting>
    http://realm1.example.com:8080/openam/XUI/#Login/test
        </programlisting>
        <para>
         The request authenticates to <literal>/realm1/test</literal>.
         Note also that the use of URI realm is preferred over realm as a query parameter.
        </para>
       </listitem>
      </itemizedlist>
     </section>
    
     <section xml:id="deprecated">
      <title>Deprecated Functionality</title>
      
      <para>The following functionality is deprecated in OpenAM
      <?eval ${serverDocTargetVersion}?>, and is likely to be removed in a future
      release.</para>
    
      <itemizedlist>
    
       <listitem>
        <para>
         Classic (JATO-based) UI is deprecated for end user pages.
         OpenAM offers the JavaScript-based XUI as a replacement.
         Classic UI for end user pages is likely to be removed in a future release.
        </para>
       </listitem>
    
       <listitem>
        <para>Older REST services relying on the following endpoints are
         deprecated.</para>
    
        <simplelist type="vert" columns="2">
         <member>/identity/attributes</member>
         <member>/identity/authenticate</member>
         <member>/identity/authorize</member>
         <member>/identity/create</member>
         <member>/identity/delete</member>
         <member>/identity/isTokenValid</member>
         <!-- Pending replacement <member>/identity/log</member> -->
         <member>/identity/logout</member>
         <member>/identity/read</member>
         <member>/identity/search</member>
         <member>/identity/update</member>
         <member>/ws/1/entitlement/decision</member>
         <member>/ws/1/entitlement/decisions</member>
         <member>/ws/1/entitlement/entitlement</member>
         <member>/ws/1/entitlement/entitlements</member>
        </simplelist>
    
        <para>The following table shows how legacy and newer endpoints
         correspond.</para>
    
        <table pgwide="1">
         <title>REST Endpoints</title>
    
         <tgroup cols="2">
          <colspec colnum="1" colwidth="1*"/>
          <colspec colnum="2" colwidth="1*"/>
    
          <thead>
           <row>
            <entry><link xlink:show="new" xlink:href="admin-guide#interface-stability"
                         xlink:role="http://docbook.org/xlink/role/olink">Deprecated</link> URIs</entry>
            <entry>Newer <link xlink:show="new" xlink:href="admin-guide#interface-stability"
                               xlink:role="http://docbook.org/xlink/role/olink">Evolving</link> URIs</entry>
           </row>
          </thead>
    
          <tbody>
           <row>
            <entry>/identity/attributes</entry>
            <entry>/json/users</entry>
           </row>
    
           <row>
            <entry>/identity/authenticate</entry>
            <entry>/json/authenticate</entry>
           </row>
    
           <row>
            <entry>/identity/authorize</entry>
            <entry>/json/policies?_action=evaluate, /json/policies?_evaluateTree</entry>
           </row>
    
           <row>
            <entry>/identity/create, /identity/delete, /identity/read,
             /identity/search, /identity/update</entry>
            <entry>/json/agents, /json/groups, /json/realms, /json/users</entry>
           </row>
    
           <row>
            <entry>/identity/isTokenValid</entry>
            <entry>/json/sessions/<replaceable>tokenId</replaceable>?_action=validate</entry>
           </row>
    
           <!--
           <row>
            <entry>/identity/log</entry>
            <entry>Pending replacement</entry>
           </row>
           -->
    
           <row>
            <entry>/identity/logout</entry>
            <entry>/json/sessions/?_action=logout</entry>
           </row>
    
           <row>
            <entry>/ws/1/entitlement/decision, /ws/1/entitlement/decisions,
             /ws/1/entitlement/entitlement, /ws/1/entitlement/entitlements</entry>
            <entry>/json/policies?_action=evaluate, /json/policies?_evaluateTree</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/applications</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/applicationtypes</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/conditiontypes</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/dashboard</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/decisionscombiners</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/policies</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/referrals</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/serverinfo</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/subjectattributes</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/json/subjecttypes</entry>
           </row>
    
           <row>
            <entry>N/A</entry>
            <entry>/xacml/policies</entry>
           </row>
          </tbody>
         </tgroup>
        </table>
    
        <para>Find examples in the <citetitle>Developer Guide</citetitle> chapter <link
         xlink:href="dev-guide#chap-rest" xlink:role="http://docbook.org/xlink/role/olink"
         xlink:show="new"><citetitle>Using RESTful Web Services</citetitle></link>.</para>
    
        <para>Support for the older REST services is likely to be removed in a
         future release in favor of the newer REST services. Older REST services
         will be removed only after replacement REST services are introduced.</para>
       </listitem>
    
       <!-- AME-5059 //-->
       <listitem>
        <para>With the implementation of XACML 3.0 support when importing and
        exporting policies the following <option>ssoadm</option> commands
         have been replaced:</para>
    
        <table>
        <title>Policy Import and Export with ssoadm</title>
    
        <tgroup cols="2">
        <colspec colnum="1" colwidth="1*"/>
        <colspec colnum="2" colwidth="1*"/>
    
        <thead>
         <row>
          <entry><link xlink:show="new" xlink:href="admin-guide#interface-stability"
                       xlink:role="http://docbook.org/xlink/role/olink">
           Deprecated</link> Command</entry>
          <entry>Newer <link xlink:show="new" xlink:href="admin-guide#interface-stability"
                             xlink:role="http://docbook.org/xlink/role/olink">
           Evolving</link> Command</entry>
         </row>
        </thead>
    
        <tbody>
        <row>
         <entry><literal>create-policies</literal></entry>
         <entry><literal>create-xacml</literal></entry>
        </row>
         <row>
          <entry><literal>delete-policies</literal></entry>
          <entry><literal>delete-xacml</literal></entry>
         </row>
         <row>
          <entry><literal>list-policies</literal></entry>
          <entry><literal>list-xacml</literal></entry>
         </row>
         <row>
          <entry><literal>update-policies</literal></entry>
          <entry><literal>create-xacml</literal></entry>
         </row>
        </tbody>
        </tgroup>
        </table>
    
        <para>For more information, see the <citetitle>OpenAM
         Reference</citetitle> section <link xlink:show="new"
         xlink:href="reference#ssoadm-1"
         xlink:role="http://docbook.org/xlink/role/olink">
         ssoadm — configure OpenAM core services</link>.</para>
       </listitem>
    
       <!-- Are any of these deprecated features removed in OpenAM 12.0.0? -->
       <!-- START: Deprecated in OpenAM 11.0.0 -->
       <listitem>
        <para>With the implementation of OAuth 2.0 in this release, OAuth 1.0 has been 
        deprecated. OAuth 1.0 support was originally provided in OpenAM 9.</para>
       </listitem>
    
       <listitem>
        <para>The Netscape LDAP API is to be removed from OpenAM, with OpenAM
        using the OpenDJ LDAP SDK instead. This affects all classes in
        <literal>com.sun.identity.shared.ldap.*</literal> packages.</para>
       </listitem>
    
       <listitem>
        <para>OpenAM currently uses Sun Java System Application Framework (JATO).
        JATO is deprecated and is likely to be replaced in a future release.</para>
       </listitem>
    
       <listitem>
        <para>With the implementation of the Persistent Cookie authentication module, the
        Core Authentication module persistent cookie options are deprecated and are
        likely to be removed in a future release.</para>
       </listitem>
       <!-- END: Deprecated in OpenAM 11.0.0 -->
    
       <listitem>
        <para>
         The OAuth 2.0 plugin interface for custom scopes,
         <link
          xlink:href="${javadocBase}?org/forgerock/openam/oauth2/provider/Scope.html"
          xlink:show="new"><literal>Scope</literal></link>
         is deprecated and likely to be removed in a future release.
        </para>
    
        <para>
         Custom OAuth 2.0 scopes plugins now implement the
         <link
          xlink:href="${javadocBase}?org/forgerock/oauth2/core/ScopeValidator.html"
          xlink:show="new"
          ><literal>ScopeValidator</literal></link> interface instead.
         For an example, see the <citetitle>Developer's Guide</citetitle> chapter,
         <link
          xlink:href="dev-guide#chap-oauth2-scopes"
          xlink:role="http://docbook.org/xlink/role/olink"
          xlink:show="new"
          ><citetitle>Customizing OAuth 2.0 Scope Handling</citetitle></link>.
        </para>
       </listitem>
    
       <listitem>
        <para>
         The OAuth 2.0 plugin interface for custom response types,
         <link
          xlink:href="${javadocBase}?org/forgerock/openam/oauth2/provider/ResponseType.html"
          xlink:show="new"><literal>ResponseType</literal></link>
         is deprecated and likely to be removed in a future release.
        </para>
    
        <para>
         Custom OAuth 2.0 response type plugins now implement the
         <link
          xlink:href="${javadocBase}?org/forgerock/oauth2/core/ResponseTypeHandler.html"
          xlink:show="new"
          ><literal>ResponseTypeHandler</literal></link> interface instead.
        </para>
       </listitem>
      </itemizedlist>
     </section>
    
     <section xml:id="removed">
      <title>Removed Functionality</title>
    
      <itemizedlist>
       <listitem>
        <para>
         No functionality has been removed in this release.
        </para>
       </listitem>
      </itemizedlist>
     </section>
    
    </chapter>
    
    
    git-svn-id: https://svn.forgerock.org/openam/trunk@11949 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    David.Goldsmith
     
  • git-svn-id: https://svn.forgerock.org/openam/trunk@11946 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    chris.lee
     
  • git-svn-id: https://svn.forgerock.org/openam/trunk@11942 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    chris.lee
     
  • git-svn-id: https://svn.forgerock.org/openam/trunk@11941 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    neil.madden
     
  • git-svn-id: https://svn.forgerock.org/openam/trunk@11935 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    mark
     

16 Dec, 2014

3 commits