org.forgerock / org.forgerock.openam

04 Feb, 2015

1 commit

  • e0fa569b   OPENAM-5485 Fix build from outside folder containing pom.xml ... Browse Dir » 
    Thanks to Andy Forrest for finding both the issue and also the fix.

I confirm that the one-line fix he proposes in a comment of OPENAM-5485
does work fine and results in the expected artifact.

So I am committing this patch to fix the build without further review.

git-svn-id: https://svn.forgerock.org/openam/trunk@12330 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    mark
     

16 Jan, 2015

1 commit

14 Jan, 2015

1 commit

10 Jan, 2015

1 commit

  • fdd7869f   Fix links ... Browse Dir » 
    Yesterday we transferred the openid repo to the ForgeRock community space.
The old link technically still works, as GitHub uses a redirect.
The link used here is now the direct link, however.

git-svn-id: https://svn.forgerock.org/openam/trunk@12038 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    mark
     

18 Dec, 2014

2 commits

17 Dec, 2014

4 commits

  • 79d473fa   <?xml version="1.0" encoding="UTF-8"?> ... Browse Dir » 
    <!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! src/main/resources/legal-notices/CC-BY-NC-ND.txt.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-compatibility'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>OpenAM Changes & Deprecated Functionality</title>

 <para>This chapter covers both major changes to existing functionality, and
 also deprecated and removed functionality.</para>

 <section xml:id="changes">
  <title>Important Changes to Existing Functionality</title>

  <itemizedlist>

   <!-- Update docs for click-through license acceptance KEEP THIS AT TOP -->
   <listitem>
       <para>All OpenAM core server, tools, and agent installers now display a
        software license acceptance screen prior to configuration.
        You must agree to the license to continue the configuration. </para>
       <para>For users implementing scripted or silent installs, the installers
       and upgrader tools provide a <option>--acceptLicense</option> command-line
       option, indicating that you have read and accepted the terms of the
       license. If the option is not present on the command-line invocation,
       the installer or upgrader will interactively present a license agreement
       screen to the user.</para>
   </listitem>

   <!-- AME-4013, AME-2766, etc. -->
   <listitem>
    <para>
     When you visit the Policies tab for a realm in OpenAM console,
     OpenAM now directs you to the new policy editor.
     For instructions on using the new policy editor,
     see the <citetitle>Administration Guide</citetitle> chapter,
     <link
      xlink:href="admin-guide#chap-authz-policy"
      xlink:show="new"
      xlink:role="http://docbook.org/xlink/role/olink"
     ><citetitle>Defining Authorization Policies</citetitle></link>.
     Notice that policies now belong to applications
     as described in that chapter.
    </para>

    <itemizedlist>
     <para>
      OpenAM has changed its internal representation for policies
      to better fit the underlying implementation,
      which is based on a new engine
      designed for higher performance and finer grained policies.
      When you upgrade to this version,
      OpenAM migrates your policies to the new representation.
     </para>

     <para>
      Depending on your existing policies before upgrade,
      you can see the following differences:
     </para>

     <listitem>
      <para>
       Existing policies with multiple resource rules
       map to multiple new policies.
      </para>

      <para>
       When a single policy maps to multiple policies during migration,
       OpenAM appends a number to the existing name for each new policy.
       This allows you to recognize the set of policies
       when you must manage them together,
       for example to change them all in the same way.
      </para>

      <para>
       This behavior is to optimize policy evaluation performance.
       The newer policy engine matches resources to policies during evaluation
       with indexing that proves very efficient
       as long as each policy specifies one resource pattern.
       OpenAM processes the list of resources in policies in linear fashion,
       so long lists of resources can slow policy evaluation.
      </para>
     </listitem>

     <listitem>
      <para>
       Conditions in existing policies map to newer representations.
      </para>

      <para>
       New representations exist for all existing conditions
       provided in OpenAM out of the box.
       Custom conditions developed for your deployment
       do not map to any of the newer conditions provided.
       In that case you must implement your custom conditions
       by implementing the newer service provider interfaces,
       and then replace your existing policies to use them.
      </para>

      <para>
       To see how to implement a custom policy plugin,
       see the <citetitle>Developer's Guide</citetitle> chapter,
       <link
        xlink:href="dev-guide#chap-policy-spi"
        xlink:show="new"
        xlink:role="http://docbook.org/xlink/role/olink"
       ><citetitle>Customizing Policy Evaluation</citetitle></link>.
      </para>
     </listitem>

     <listitem>
      <para>
       When OpenAM encounters issues migrating policies during upgrade,
       it writes messages about the problems in the upgrade log.
       When you open a policy in the policy editor
       that caused problems during the upgrade process
       the policy editor shows the issues,
       but does not let you fix them directly.
       Instead you must create equivalent, corrected policies
       in order to use them in OpenAM.
      </para>
     </listitem>
     <listitem>
      <para>
       It is strongly recommended <emphasis>not</emphasis> to use the
       forward slash character
       in policy names. Users running OpenAM servers on Tomcat
       and JBoss web containers will not be able to manipulate policies
       with the forward slash character in their names without setting the
       <literal>&#x2011;Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal>
       argument in the <literal>CATALINA_OPTS</literal> environment variable
       before starting the OpenAM web container.
      </para>
      <para>
       It is also strongly recommended not to enable
       the <literal>ALLOW_ENCODED_SLASH=true</literal> setting while running
       OpenAM in production. Using this option introduces a security risk.
       See
       <link
        xlink:href="http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
        ">Apache Tomcat 6.x Vulnerabilities</link>
       and
       <link
        xlink:href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
        ">the related CVE</link>
       for more information.
      </para>
      <para>
       If you have policy names with forward slashes after
       migration to OpenAM 12, rename the policies so that they
       do not have forward slashes. Perform the following steps
       if you use Tomcat or JBoss as your OpenAM web container:
       <orderedlist>
        <listitem>
         <para>
           Stop the OpenAM web container.
         </para>
        </listitem>
        <listitem>
         <para>
          Add the
          <literal>&#x2011;Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal>
          setting to the <literal>CATALINA_OPTS</literal> environment variable.
         </para>
        </listitem>
        <listitem>
         <para>
          Restart the OpenAM web container.
         </para>
        </listitem>
        <listitem>
         <para>
          Rename any policies with forward slashes in their names.
         </para>
        </listitem>
        <listitem>
         <para>
          Stop the OpenAM web container.
         </para>
        </listitem>
        <listitem>
         <para>
          Remove the
          <literal>&#x2011;Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal>
          setting from the <literal>CATALINA_OPTS</literal> environment variable.
         </para>
        </listitem>
        <listitem>
         <para>
          Restart the OpenAM web container.
         </para>
        </listitem>
       </orderedlist>
      </para>
     </listitem>
    </itemizedlist>

    <itemizedlist>
     <para>
      OpenAM configuration has changed in several ways to accommodate
      the changes to the way policies are managed:
     </para>

     <listitem>
      <para>
       The Policy Configuration Service is simplified.
       For details see the <citetitle>Reference</citetitle> section,
       <link
        xlink:href="reference#policy-configuration"
        xlink:show="new"
        xlink:role="http://docbook.org/xlink/role/olink"
       ><citetitle>Policy Configuration</citetitle></link>.
      </para>
     </listitem>

     <listitem>
      <para>
       OpenAM now requires policy referrals only when an application
       is administered across multiple realms,
       as can be the case when one policy agent protects multiple applications.
       Otherwise, OpenAM can use new settings in policy agent profiles
       to direct policy agent requests to the appropriate realm and application.
      </para>

      <!-- AME-5055 -->
      <note><para>Referrals are not shown by default in the policy
       editor. To enable them, in the OpenAM console, select Configuration >
       Global > Policy Configuration, set Activate Referrals to Enabled, and
       then click Save.</para></note>

      <para>
       The web and Java EE policy agent profiles includes the new settings
       under OpenAM Services > Policy Client Service in OpenAM console.
       These new settings allow you to set the realm and application
       for a policy agent.
       The settings are compatible with existing policy agents,
       as they are not used by the policy agents themselves,
       but instead by OpenAM when handling policy agent requests.
      </para>
     </listitem>
    </itemizedlist>

    <para>
     The fix for <link xlink:show="new"
     xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-3509"
     >OPENAM-3509</link> ensures that OpenAM considers a trailing slash
     as part of the resource name to match.
     This improves compatibility between self and subtree modes,
     and compatibility with older policy agents.
    </para>
   </listitem>
  <listitem>
   <para>The Device ID (Match), HMAC One-Time Password (HOTP), and
    Device ID (Save) modules, configured together in an authentication chain,
    provide the same functionality as the Device Print Authentication
    module that is present in OpenAM 11.x versions.
   </para>
    <para>
     The Device Print authentication module is only available
     for OpenAM 11.x versions and their upgrades.
     If you have upgraded from OpenAM 11.x to OpenAM 12.0 you
     can still use the Device Print module, customize it, and create new instances
     of the module or use the Device ID (Match) and Device ID (Save) modules.
    </para>
   <important><para>The Device ID (Match) profiles (that is, device fingerprints)
    are incompatible with profiles created from the Device Print authentication module.
    If the user has existing device print profiles, created from the Device
    Print authentication module, these old profiles will always fail to match the
    client's new device profiles using the scripted Device ID (Match) module
    even when using the same device.</para>
    <para>With the Device ID (Match) and Device ID (Save) modules, the user must re-save each
     device profile, which deletes the old 11.x profiles stored for the user.</para>
   </important>
   </listitem>

   <listitem>
    <para>
     Following a change to the SAML 2.0 pages in OpenAM,
     you no longer customize <filename>saml2login.template</filename>
     and <filename>saml2loginwithrelay.template</filename>
     to add a progress bar for single sign on.
     Instead, customize <filename>saml2/jsp/autosubmitaccessrights.jsp</filename>
     as described in the procedure,
     <link xlink:show="new" xlink:href="admin-guide#show-saml2-sso-login-progress"
     xlink:role="http://docbook.org/xlink/role/olink"><citetitle
     >To Indicate Progress During SSO</citetitle></link>.
    </para>
   </listitem>

   <listitem>
    <para>Changing passwords by using a PUT REST API call is no longer
     supported.</para>
    <para>Use a POST request to
     <literal>/json/<replaceable>subrealm</replaceable
      >/users/<replaceable>username</replaceable>?_action=changePassword</literal>
     to change a password.</para>
   </listitem>

   <listitem>
    <para>The response returned when submitting incorrect credentials to
     <literal>/json/authenticate</literal> has changed.</para>
    <table pgwide="1">
     <title>Failed Authentication Message</title>

     <tgroup cols="2">
      <colspec colnum="1" colwidth="1*"/>
      <colspec colnum="2" colwidth="1*"/>

      <thead>
       <row>
        <entry>OpenAM 11.0.1</entry>
        <entry>OpenAM 12.0.0</entry>
       </row>
      </thead>

      <tbody>
       <row>
        <entry>
<programlisting language="javascript">{
 "errorMessage": "Authentication Failed!!",
 "failureUrl": "https://openam.example.com:8443"
}</programlisting>
        </entry>
        <entry>
<programlisting language="javascript">{
 "code": 401,
 "reason": "Unauthorized",
 "message": "Authentication Failed!!",
 "detail": {
  "failureUrl": "https://openam.example.com:8443"
 }
}</programlisting>
        </entry>
       </row>
      </tbody>
     </tgroup>
    </table>
   </listitem>

   <listitem>
    <para>
     When running OpenAM on WebLogic 11g, you must add a WebLogic-specific
     descriptor file, <filename>WEB-INF/weblogic.xml</filename> to the .war
     before deployment.
    </para>
   </listitem>

   <!-- OPENAM-5263 //-->
   <listitem>
   <para>
   In the OpenID Connect 1.0 module you can map local user profile attributes to
   OpenID Connect Token claims, allowing the module to retrieve the user profile
   based on the ID Token. The key is the ID Token field name and value is the
   local user profile attribute name.
   The default has been changed as follows: mail=email, uid=sub.
   (<link xlink:show="new"
          xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-5263"
   >OPENAM-5263</link>)</para>
   </listitem>

   <listitem>
    <para>
     The class hierarchy for the <literal>ResourceName</literal> interfaces has
     changed. Previous implementations should be source-compatible, but will not
     be binary-compatible, and will need recompiling.
    </para>
   </listitem>

   <!-- OPENAM-5279 //-->
   <listitem>
    <para>
     The OAuth2 provider uses RSA as its default encryption
     algorithm. The default OAuth2 client agent configuration has been changed
     to RS256 to match the OAuth2 provider algorithm.
     The client agent continues to support HMAC algorithms; only the default
     encryption algorithm has been changed to support out-of-the-box functionality.
     (<link
     xlink:show="new"
     xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-5279"
     >OPENAM-5279</link>)
    </para>
   </listitem>

   <listitem>
    <para>
    The distributed authentication service (DAS) and cross-domain single sign-on
    (CDSSO) do not support the <literal>iPSPCookie/DProPCookie</literal>
    query string parameter to set a <literal>DProPCookie</literal> in the
    user-agent as a mechanism for cookie persistence. Neither DAS nor CDSSO retains
    <literal>iPSPCookie=yes</literal>.
    </para>
   </listitem>

   <listitem>
    <para>Updates to OAuth 2.0 and OpenID Connect authentication
     modules mean that any custom implementations of
     <literal>org.forgerock.openam.authentication.modules.oauth2.AccountMapper</literal> or
     <literal>org.forgerock.openam.authentication.modules.oauth2.AttributeMapper</literal>
     no longer work, and needs to be reimplemented against
     <literal>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</literal>
     and/or <literal>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</literal>
     as appropriate.
    </para>
   </listitem>

   <listitem>
    <para>
     The XUI, now the default for end-user pages, handles DNS/realm alias
     differently from the classic UI, which was the default in previous OpenAM
     versions.
     With the classic UI, the realm alias is specified both in the host name and
     the URI path. With the XUI, the host name alone specifies the realm. The XUI
     evaluates a realm specified in the path of the URL as a subrealm of the
     realm specified by the host name alias.
    </para>
    <para>
     For example, with the classic UI, you could authenticate to a realm,
     <literal>realm1</literal> using the DNS alias
     <literal>realm1.example.com:8080</literal>
     and the realm query parameter, <literal>realm=realm1</literal>, as follows:
    </para>
    <programlisting>
http://realm1.example.com:8080/openam/UI/Login?realm=realm1
    </programlisting>
    <para>
     With XUI, you do not include a realm in the URI if it has already been
     mapped as now any URI realm is additive and specifies a subrealm of the
     DNS alias realm.
     For example, using the following URL indicates that you are attempting
     to authenticate to <literal>/realm1/realm1</literal> (that is, the sub-realm,
     <literal>realm1</literal> under the realm, <literal>realm1</literal>).
    </para>
    <programlisting>
http://realm1.example.com:8080/openam/XUI/#Login/realm1
    </programlisting>
    <para>
     As another example, if you have a sub-realm called <literal>test</literal> under
     <literal>/realm1</literal> and make a request to:
    </para>
    <programlisting>
http://realm1.example.com:8080/openam/XUI/#Login/test
    </programlisting>
    <para>
     The request authenticates to <literal>/realm1/test</literal>.
     Note also that the use of URI realm is preferred over realm as a query parameter.
    </para>
   </listitem>
  </itemizedlist>
 </section>

 <section xml:id="deprecated">
  <title>Deprecated Functionality</title>
  
  <para>The following functionality is deprecated in OpenAM
  <?eval ${serverDocTargetVersion}?>, and is likely to be removed in a future
  release.</para>

  <itemizedlist>

   <listitem>
    <para>
     Classic (JATO-based) UI is deprecated for end user pages.
     OpenAM offers the JavaScript-based XUI as a replacement.
     Classic UI for end user pages is likely to be removed in a future release.
    </para>
   </listitem>

   <listitem>
    <para>Older REST services relying on the following endpoints are
     deprecated.</para>

    <simplelist type="vert" columns="2">
     <member>/identity/attributes</member>
     <member>/identity/authenticate</member>
     <member>/identity/authorize</member>
     <member>/identity/create</member>
     <member>/identity/delete</member>
     <member>/identity/isTokenValid</member>
     <!-- Pending replacement <member>/identity/log</member> -->
     <member>/identity/logout</member>
     <member>/identity/read</member>
     <member>/identity/search</member>
     <member>/identity/update</member>
     <member>/ws/1/entitlement/decision</member>
     <member>/ws/1/entitlement/decisions</member>
     <member>/ws/1/entitlement/entitlement</member>
     <member>/ws/1/entitlement/entitlements</member>
    </simplelist>

    <para>The following table shows how legacy and newer endpoints
     correspond.</para>

    <table pgwide="1">
     <title>REST Endpoints</title>

     <tgroup cols="2">
      <colspec colnum="1" colwidth="1*"/>
      <colspec colnum="2" colwidth="1*"/>

      <thead>
       <row>
        <entry><link xlink:show="new" xlink:href="admin-guide#interface-stability"
                     xlink:role="http://docbook.org/xlink/role/olink">Deprecated</link> URIs</entry>
        <entry>Newer <link xlink:show="new" xlink:href="admin-guide#interface-stability"
                           xlink:role="http://docbook.org/xlink/role/olink">Evolving</link> URIs</entry>
       </row>
      </thead>

      <tbody>
       <row>
        <entry>/identity/attributes</entry>
        <entry>/json/users</entry>
       </row>

       <row>
        <entry>/identity/authenticate</entry>
        <entry>/json/authenticate</entry>
       </row>

       <row>
        <entry>/identity/authorize</entry>
        <entry>/json/policies?_action=evaluate, /json/policies?_evaluateTree</entry>
       </row>

       <row>
        <entry>/identity/create, /identity/delete, /identity/read,
         /identity/search, /identity/update</entry>
        <entry>/json/agents, /json/groups, /json/realms, /json/users</entry>
       </row>

       <row>
        <entry>/identity/isTokenValid</entry>
        <entry>/json/sessions/<replaceable>tokenId</replaceable>?_action=validate</entry>
       </row>

       <!--
       <row>
        <entry>/identity/log</entry>
        <entry>Pending replacement</entry>
       </row>
       -->

       <row>
        <entry>/identity/logout</entry>
        <entry>/json/sessions/?_action=logout</entry>
       </row>

       <row>
        <entry>/ws/1/entitlement/decision, /ws/1/entitlement/decisions,
         /ws/1/entitlement/entitlement, /ws/1/entitlement/entitlements</entry>
        <entry>/json/policies?_action=evaluate, /json/policies?_evaluateTree</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/applications</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/applicationtypes</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/conditiontypes</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/dashboard</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/decisionscombiners</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/policies</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/referrals</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/serverinfo</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/subjectattributes</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/json/subjecttypes</entry>
       </row>

       <row>
        <entry>N/A</entry>
        <entry>/xacml/policies</entry>
       </row>
      </tbody>
     </tgroup>
    </table>

    <para>Find examples in the <citetitle>Developer Guide</citetitle> chapter <link
     xlink:href="dev-guide#chap-rest" xlink:role="http://docbook.org/xlink/role/olink"
     xlink:show="new"><citetitle>Using RESTful Web Services</citetitle></link>.</para>

    <para>Support for the older REST services is likely to be removed in a
     future release in favor of the newer REST services. Older REST services
     will be removed only after replacement REST services are introduced.</para>
   </listitem>

   <!-- AME-5059 //-->
   <listitem>
    <para>With the implementation of XACML 3.0 support when importing and
    exporting policies the following <option>ssoadm</option> commands
     have been replaced:</para>

    <table>
    <title>Policy Import and Export with ssoadm</title>

    <tgroup cols="2">
    <colspec colnum="1" colwidth="1*"/>
    <colspec colnum="2" colwidth="1*"/>

    <thead>
     <row>
      <entry><link xlink:show="new" xlink:href="admin-guide#interface-stability"
                   xlink:role="http://docbook.org/xlink/role/olink">
       Deprecated</link> Command</entry>
      <entry>Newer <link xlink:show="new" xlink:href="admin-guide#interface-stability"
                         xlink:role="http://docbook.org/xlink/role/olink">
       Evolving</link> Command</entry>
     </row>
    </thead>

    <tbody>
    <row>
     <entry><literal>create-policies</literal></entry>
     <entry><literal>create-xacml</literal></entry>
    </row>
     <row>
      <entry><literal>delete-policies</literal></entry>
      <entry><literal>delete-xacml</literal></entry>
     </row>
     <row>
      <entry><literal>list-policies</literal></entry>
      <entry><literal>list-xacml</literal></entry>
     </row>
     <row>
      <entry><literal>update-policies</literal></entry>
      <entry><literal>create-xacml</literal></entry>
     </row>
    </tbody>
    </tgroup>
    </table>

    <para>For more information, see the <citetitle>OpenAM
     Reference</citetitle> section <link xlink:show="new"
     xlink:href="reference#ssoadm-1"
     xlink:role="http://docbook.org/xlink/role/olink">
     ssoadm — configure OpenAM core services</link>.</para>
   </listitem>

   <!-- Are any of these deprecated features removed in OpenAM 12.0.0? -->
   <!-- START: Deprecated in OpenAM 11.0.0 -->
   <listitem>
    <para>With the implementation of OAuth 2.0 in this release, OAuth 1.0 has been 
    deprecated. OAuth 1.0 support was originally provided in OpenAM 9.</para>
   </listitem>

   <listitem>
    <para>The Netscape LDAP API is to be removed from OpenAM, with OpenAM
    using the OpenDJ LDAP SDK instead. This affects all classes in
    <literal>com.sun.identity.shared.ldap.*</literal> packages.</para>
   </listitem>

   <listitem>
    <para>OpenAM currently uses Sun Java System Application Framework (JATO).
    JATO is deprecated and is likely to be replaced in a future release.</para>
   </listitem>

   <listitem>
    <para>With the implementation of the Persistent Cookie authentication module, the
    Core Authentication module persistent cookie options are deprecated and are
    likely to be removed in a future release.</para>
   </listitem>
   <!-- END: Deprecated in OpenAM 11.0.0 -->

   <listitem>
    <para>
     The OAuth 2.0 plugin interface for custom scopes,
     <link
      xlink:href="${javadocBase}?org/forgerock/openam/oauth2/provider/Scope.html"
      xlink:show="new"><literal>Scope</literal></link>
     is deprecated and likely to be removed in a future release.
    </para>

    <para>
     Custom OAuth 2.0 scopes plugins now implement the
     <link
      xlink:href="${javadocBase}?org/forgerock/oauth2/core/ScopeValidator.html"
      xlink:show="new"
      ><literal>ScopeValidator</literal></link> interface instead.
     For an example, see the <citetitle>Developer's Guide</citetitle> chapter,
     <link
      xlink:href="dev-guide#chap-oauth2-scopes"
      xlink:role="http://docbook.org/xlink/role/olink"
      xlink:show="new"
      ><citetitle>Customizing OAuth 2.0 Scope Handling</citetitle></link>.
    </para>
   </listitem>

   <listitem>
    <para>
     The OAuth 2.0 plugin interface for custom response types,
     <link
      xlink:href="${javadocBase}?org/forgerock/openam/oauth2/provider/ResponseType.html"
      xlink:show="new"><literal>ResponseType</literal></link>
     is deprecated and likely to be removed in a future release.
    </para>

    <para>
     Custom OAuth 2.0 response type plugins now implement the
     <link
      xlink:href="${javadocBase}?org/forgerock/oauth2/core/ResponseTypeHandler.html"
      xlink:show="new"
      ><literal>ResponseTypeHandler</literal></link> interface instead.
    </para>
   </listitem>
  </itemizedlist>
 </section>

 <section xml:id="removed">
  <title>Removed Functionality</title>

  <itemizedlist>
   <listitem>
    <para>
     No functionality has been removed in this release.
    </para>
   </listitem>
  </itemizedlist>
 </section>

</chapter>


git-svn-id: https://svn.forgerock.org/openam/trunk@11949 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    David.Goldsmith
     
  • 150cbeb2   AME-5260 HipChat Review - Rebuilt list of known issues to include recently tagged JIRAs. ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openam/trunk@11946 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    chris.lee
     
  • bd136226   AME-5260 HipChat Review - Rebuilt list of known issues with improved JIRA query. ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openam/trunk@11942 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    chris.lee
     
  • 70a2279f   CR-5719 OPENAM-5337 Fix doc for/frrest/oauth2/token endpoint ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openam/trunk@11935 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
    mark
     

16 Dec, 2014

7 commits

15 Dec, 2014

3 commits

14 Dec, 2014

1 commit

13 Dec, 2014

1 commit

12 Dec, 2014

3 commits

11 Dec, 2014

7 commits

10 Dec, 2014

4 commits

09 Dec, 2014

4 commits