v5.0.0

Changes since 5.0.0-alpha-3

• minor improvements
• improved examples
• updated documentation
• <jwtSessionManager/>: use sameSite also for cookie deletion to avoid browser warnings
• excluded Rhino Javascript engine from distribution. (to use either the Rhino or the GraalVM Javascript engine, you manually have to copy it into the lib/ folder. Start Membrane with <javascript/> to get more instructions.)

🟠 Warning: Unfortunately, the default configuration shipped does not start correctly. #421

v5.0.0-alpha-3

Changes since 5.0.0-alpha-2

• added <graphQLProtection /> for GraphQL endpoint protection
• new documentation website https://membrane-api.io
• several examples and tutorials are new or were improved
• OpenAPI validation: improved error responses (JSON formatted)
• added <beautifier/> (JSON)
• issue warning at startup, if using a JDK version before 17
• improved log output of <jwtAuth/>

v5.0.0-alpha-2

Changes since v5.0.0-alpha-1

• improved OpenAPI validator documentation and examples
• upgraded several dependencies (slf4j 2, log4j 2.19.0, commons-dbpc -> commons-dbcp2, javax.activation -> jakarta.activation, javax.mail -> jakarta.email, JUnit 5, swagger-parser 1.0.64, Saxon-HE 11.4 and others)
• use java-json-tools JSON schema validator
• removed unused libraries (blueprint/osgi support)

v5.0.0-alpha-1

Major changes

• Java 17 (language level, build time dependency and minimal Java runtime requirement)
• upgraded dependency: Spring 6.0.2
• dropped support for osgi, osgi-extender, sar deployment variants (standard zip file and war are still supported, of course)

Major Features

• added <openAPIProxy /> with OpenAPI-based request and response validation
• added support for trailers (https://www.rfc-editor.org/rfc/rfc7230.html#section-4.1.2)
• added support for JWT Profile for OAuth 2.0 Clients (https://www.rfc-editor.org/rfc/rfc7521 and https://www.rfc-editor.org/rfc/rfc7523)

Minor Features

• prefer Java 19 virtual threads, if available
• ACME: allow opening HTTPS ports without a certificate available
• better sharing of Timer instances for short-run background jobs
• added <return statusCode="404" />
• security: lower priority for CBC-based cipher suites
• upgraded dependencies (Bouncycastle 1.72, Jackson 2.14.1)
• use HTTP/2 for KubernetesClient
• <template pretty="true"> can now pretty-print JSON
• <oauth2Resource2 skipUserInfo="true"> can be used to avoid retrieval of the userinfo endpoint (but requires the access token to be a JWT)

Bug Fixes

• experimental HTTP/2: several fixes, some improvements for the HTTP/2 client (not completely finished yet)
• several fixes for the <adminConsole /> (counting of open connections, etc)

v4.9.1

• security update (<webServer ... />).

v4.9.0

• upgraded dependencies (Groovy to 4.0.6, json-schema-validator to 2.2.14, soa-model to 2.0.1, jackson-databind to 2.13.4.1)

v4.8.10

• experimental ACME (RFC 8555) implementation (aka support for https://letsencrypt.org/ )
• some work on the support for Membrane Kubernetes CustomResourceDefinitions (not complete yet)
• upgraded dependencies (Spring to 5.3.22, BouncyCastle to 1.71, Log4J to 2.18.0, Jackson to 1.13.4)
• drastically reduced number of Timer instances used for cleanup tasks on large setups
• drastically reduced number of HttpClient (and ConnectionPool) instances on large setups
• drastically reduced number of KubernetesClient instances on large setups (speeding up startup by only downloading the schema once)
• several smaller fixes

v4.8.8

• added a Redis-based session store redisSessionManager
• added the rule/serviceProxy name to the log context, added an example showing the JSON log format including the serviceProxy's name
• upgraded several dependencies

v4.8.7

• bumped log4j to 2.17.1

v4.8.6

• bumped log4j to 2.17.0