Key focus/features
- Whydah application to application sessions (to be enhanced in Whydah 2.4 * with adaptive end-to-end payload encryption)
- Resilience (fallacies of distributed computing)
*UAWA Applications - ApplicationModel enhancements
- UAWA Import/Export of Users and Applications
- UAWA TAG filters
- UAWA CRM and activity view
- OAUTH2 provider - early release
- DEFCON readiness
- Threat signaling readyness (to be enhanced in Whydah 2.4 with countermeasures)
- Enhanced accessibility of "inner workings" of the platform to simplify monitoring and mainternance
Whydah 2.3 - Release log
| Version | Main changes | Comment(s) |
|---|---|---|
| 2.3.94 | Fixed bug in anynomous usertoken creation and removed false positive validation errors in logs | |
| 2.3.92 | Fixed bug if setting applicationsesstionexpires to high in property | |
| 2.3.90 | Minor adjustments tp LastName and DefaultRolenames definitions | |
| 2.3.84 | Internal bottom-up quality work | |
| 2.3.75 | Tweaking the domain-driven security whitelisting | |
| 2.3.68 | Replaced all inner-workings of Whydah with domain-driven security implementation, enforcing strict white-listing on all data matched against the domain concept | might be som corner-cases we've not discovered yet |
| 2.3.44 | Squashed a few bugs in cache invalidation in UAS and applied more domain-driven security to key parts | should be worth a go |
| 2.3.38 | Enhanced the time-fields in typelib to smart-fields to remove pain/failure points | released to simplify in-the-wild test/verifications |
| 2.3.37 | Initial work on domain-driven security for Whydah key objects in typelib | released to simplify in-the-wild test/verifications |
| 2.3.31 | Post-pentest patch-release | |
| 2.3.27 | Synchronized maintenance release |
|
| 2.3.23 | Synchronized maintenance release |
|
| 2.3.22 | Synchronized maintenance release with lots of minor fixes | |
| 2.3.20 | completed the embedded crypto handling on receiving payload in all hystrix commands | |
| 2.3.19 | resilience in unstable network situations for application session handling by fail fast on application auth between sts and uas... (same should be implemented between uas and uib) | |
| 2.3.18 | now with initial crypto key per application session exchange and configuration of super-secure applications | |
| STS - using the testpage=enabled flag to choose verbose info in health (so it won't show in production setups) testpage=enabled for verbose info in /health | ||
| SDK and STS - early work on payload encryption and cryptokey rotation | ||
| 2.3.11 | SDK work on smarter and non-blocking session resilience | |
| 2.3.5 | STS - properties for default user and application sessions | Extra properties application.session.timeout=120, user.session.timeout=240 |
| 2.3.4 | STS - forced removal and cleanup of expired sessions | Partially released |
| 2.3.3 | UAS/STS - enhancments on false threatSignal positives and obfuscating the session id's | Partially released |
| 2.3.2 | UIB - enhanced application search index and UAS wiring | Partially released |
| 2.3 | Promoted to final 2.3 release | |
| 2.3.0-rc-7 | Updated more 3rd party dependencies for all modules. More initializing corner cases (NPEs) provoked and handled | |
| 2.3.0-rc-7 | Upgraded 3rd party dependencies | |
| 2.3.0-rc-5 | Work on ensuring that the DEFCON is distributed on all cornercases of UserToken distribution | |
| 2.3.0-rc-4 | more work on corner cases and optimizing the internal whydah session handling (SD and SDK integration) myuri added to UserAdminService properties | |
| 2.3.0-rc-3 | minor fortifying in SDK mainly | |
| 2.3.0-rc-2 | Weeded out a was startup snafu in SDK causing slower discovery/was connect | |
| 2.3.0-rc-1 | Promoted to rc-1 | |
| 2.3.0-beta-5 | Refactoring and cleanup in SDK systemtests | |
| 2.3.0-beta-4 | Some enhancements in status/handling of MFA/PIN processes in STS. Added supported userSessionSecurityLevel to Application Model (TypeLib) | |
| 2.3.0-beta-1 | Promoted to beta-1 release | |
| 2.3.0-alpha-24 | Minor cleanup and module synchronization with SDK implementation, and smarter backoff/handling of was in modules preventing catch-22 in bootstrapping corner cases | |
| 2.3.0-alpha-19 | Tweaking the UAS securityfilter with was sessions + security model. Fixed /applications/find/applicationID in UIB | |
| 2.3.0-alpha-17 | Bugs in UAS "/applications/find" fixed, "/applications" cache in UAS added refactoring and cleanup in the SDK vs Admin SDK |
|
| 2.3.0-alpha-11 | Synchronized early preparation to a whydah 2.3 release | |
| 2.3.0-alpha-9 | Enhanced /health endpoints in modules | |
| 2.3.0-alpha-8 | Wired securityfilter failures for UIB to threat signals | |
| 2.3.0-alpha-7 | Minor work on threat signals in SDK and STS | |
| 2.3.0-alpha-6 | Synchronized early preparation to a whydah 2.3 release | |
| 2.2.27 | OAuth2 API provider module (simplified API) | https://github.com/Cantara/Whydah-OAuth2Servicehttps://wiki.cantara.no/display/whydah/OAuth2Service |
| 2.2.26 | STS - ThreatSignal view expose the threatsignal log to build understanding of threshhold levels and mappings to DEFCON change actions | |
| 2.2.25 | Enhanced GUI for application administration in UAWA. | |
| 2.2.26 | UAWA - new ApplicationDetail admin view | |
| 2.2.25 | UIB - added async bolk queueing of UserIdentity to lucene index... 3x in throughput for import of users | |
| 2.2.24 | UIB - LDAP search timeout (1s) could prevent adding new users to large userdatabases (<50k users) fixed | |
| 2.2.23 | Some sync of STS and UAWA | |
| 2.2.22 | Typelib completely retrofitted into UIB | New UIB property: ldap.primary.alwayslookupinexternaldirectory=false // set to true if other application is updating the AD/LDAP server |
| 2.2.18 | Performance work on large userdatasets in UAWA, UAS and UIB | |
| 2.2.14 | UAWA, UAS and UIB enhancement for paginated user-aggregate searches and user import/export enhancements | |
| 2.2.11 | UAWA remote user search reintroduced to support huge user >1 mill installations | Synced full release. |
| 2.2.10 | UAWA bugfixes | Partially released. |
| 2.2.9 | TAG-filtering in UAWA GUI. | Partially released. |
| 2.2.7 | UAWA User CRM data view (for instances with CRMService). Fixes some special cornercases in user searches. | Must add crmservice property in UAWA to enable displaying crm-data. Partially released. |
| 2.2.6 | UAWA User Activity Log (for instances with StatisticsService) | Partially released. |
| 2.2.5 | Better application tag support in UAWA++, UAWA Application Activity Log (for instances with StatisticsService) Must add statisticsservice property in UAWA to enable application activity log feature. | |
| 2.2.3 | UAWA - Export and Import Users, corner-case of uawa useraggregate.json mapping found and fixed, mysql support in statisticsservice | |
| 2.2.2 | Some minor tweaking on ACL for UAWA and 3rd party applications. Signalling STS on userchange/delete to updated active UserTokens | |
| 2.2.1 | Updating content of active UserTokens if changed through UAS |
Labels:
None