readme/changelog updates

CHANGES.md

@@ -0,0 +1,34 @@
+# Changelog
+
+## [2.0.5] - Release Feb 10, 2023
+- update java and javascript dependencies
+- update tomcat to 9.0.71 for onejar/docker images
+- update java to 11.0.18_10 in docker image
+- fix issue #688 - photo download mime type enforcement
+- fix issue #689 - XML entity reference attack on log event data
+- fix issue #690 - LDAP search filter injection during advanced peoplesearch and helpdesk queries
+- fix issue #691 - Helpdesk idle timeout not working
+- update default C/R PBKDF2/SHA512 iteration count to 1_000_000
+
+## [2.0.4] - Released Oct 1, 2022
+- version check service request frequency fix
+- update java and javascript dependencies
+- update tomcat to 9.0.67 for onejar/docker images
+- update java to 11.0.16.1 in docker image
+
+## [2.0.3] - Released July 30, 2022
+- version check service de-serialization error fix
+- fix issue with config guide buttons not working on storage selection page
+
+## [2.0.2] - Released July 7, 2022
+- add version check service
+- update java and npm, dependencies including tomcat 9.0.65 for onejar/docker images.
+- fix issue #542 - web actions do not save/load properly if a basic auth password is not included
+- fix issue #660 - Shortcut module does not display shortcuts based on …
+- fix issue with js dom/ready initialization on helpdesk/peoplesearch page loading
+- replace log4j with reload4j (issue #628)
+
+## [2.0.1] - Released March 11, 2022
+- Issue #573 - PWM 5081 at the end of user activation ( no profile assigned )
+- Issue #615 - Error 5203 while editing/removing challenge policy questions in config editor
+- Dependency/Library updates

README.md

@@ -1,84 +1,234 @@
 # PWM
 
-PWM is an open source password self service application for LDAP directories. PWM is an ideal candidate for organizations that wish to “roll their own” password self service solution, but do not wish to start from scratch. [Overview/Screenshots](https://docs.google.com/presentation/d/1LxDXV_iiToJXAzzT9mc1xXO0atVObmRpCame6qXOyxM/pub?slide=id.p8)
+PWM is an open source password self-service application for LDAP directories.
 
 Official project page is at [https://github.com/pwm-project/pwm/](https://github.com/pwm-project/pwm/).
 
 # Links
 * [PWM-General Google Group](https://groups.google.com/group/pwm-general) - please ask for assistance here first.
 * [PWM Documentation Wiki](https://github.com/pwm-project/pwm/wiki) - Home for PWM documentation
-* [Current Builds](https://www.pwm-project.org/artifacts/pwm/) - Current downloads built from recent github project commits
 * [PWM Reference](https://www.pwm-project.org/pwm/public/reference/) - Reference documentation built into PWM.
+* [Downloads](https://github.com/pwm-project/pwm/releases)
 
 # Features
-* Web based configuration manager with over 400 configurable settings
-* Configurable display values for every user-facing text string
-* Localized for Chinese (中文), Czech (ceština), Dutch (Nederlands), English, Finnish (suomi), French (français), German (Deutsch), Hebrew (עברית), Italian (italiano), Japanese (日本語), Korean (한국어), Polish (polski), Portuguese (português), Slovak (Slovenčina), Spanish (español), Thai (ไทย) and Turkish (Türkçe)
-* Polished, intuitive end-user interface with as-you-type password rule enforcement
-* Forgotten Password
-  * Store Responses in local server, standard RDBMS database, LDAP server or Novell NMAS repositories
-  * Use Forgotten Password, Email/SMS Token/PIN, TOTP, Remote REST service, User LDAP attribute values, or any combination
-  * Stand-alone, easy to deploy, java web application
-* Helpdesk password reset and intruder lockout clearing
-* New User Registration / Account Creation
-* Guest User Registration / Updating
-* PeopleSearch (white pages)
-* Account Activation  / First time password assignment
-* Administration modules including intruder-lockout manager, and online log viewer, daily stats viewer and user information debugging
-* Easy to customize JSP HTML pages
+* Web based configuration manager with over 500 configurable settings
+  * All configuration contained in a single importable/exportable file
+  * Configurable display values for every user-facing text string
+* Included localizations (not all are complete or current):
+  * English - English
+  * Catalan - català
+  * Chinese (China) - 中文 (中国)
+  * Chinese (Taiwan) - 中文 (台灣)
+  * Czech - čeština
+  * Danish - dansk
+  * Dutch - Nederlands
+  * English (Canada) - English (Canada)
+  * Finnish - suomi
+  * French - français
+  * French (Canada) - français (Canada)
+  * German - Deutsch
+  * Greek - Ελληνικά
+  * Hebrew - עברית
+  * Hungarian - magyar
+  * Italian - italiano
+  * Japanese - 日本語
+  * Korean - 한국어
+  * Norwegian - norsk
+  * Norwegian Bokmål - norsk bokmål
+  * Norwegian Nynorsk - nynorsk
+  * Polish - polski
+  * Portuguese - português
+  * Portuguese (Brazil) - português (Brasil)
+  * Russian - русский
+  * Slovak - slovenčina
+  * Spanish - español
+  * Swedish - svenska
+  * Thai - ไทย
+  * Turkish - Türkçe
+* LDAP Directory Support:
+  * Multiple LDAP vendor support:
+    * Generic LDAP (best-effort, LDAP password behavior and error handling is not standardized in LDAP)
+    * Directory 389
+      * Reading of configured user password policies
+    * NetIQ eDirectory
+      * Read Password Policies & Challenge Sets
+      * NMAS Operations and Error handling
+      * Support for NMAS user challenge/responses
+    * Microsoft Active Directory
+      * Reading of Fine-Grained Password Policy (FGPP) Password Setting Objects (PSO) (does not read domain policies)
+    * OpenLDAP
+  * Native LDAP retry/failover support of multiple redundant LDAP servers
+* Large set of locally configurable password polices
+  * Standard syntax rules
+  * Regex rules
+  * Password dictionary enforcement
+  * Remote REST server checking
+  * AD-style syntax groups
+  * Shared password history to prevent passwords from being reused organizationally
+* Modules
+  * Change Password
+    * as-you-type password rule enforcement
+    * password strength feedback display
+  * Account Activation / First time password assignment
+  * Forgotten Password
+    * Store Responses in local server, standard RDBMS database, LDAP server or eDirectory NMAS repositories
+    * User verification options:
+      * Email/SMS Token/PIN
+      * TOTP
+      * Remote REST service
+      * OAuth service
+      * User LDAP attribute values
+  * New User Registration / Account Creation
+  * Guest User Registration / Updating
+  * PeopleSearch (white pages)
+    * Configurable detail pages
+    * OrgChart view
+  * Helpdesk password reset and intruder lockout clearing
+  * Administration modules including intruder-lockout manager
+    * online log viewer
+    * daily stats viewer and user information debugging
+    * statistics
+    * audit records
+* Multiple Deployment Options
+  * Java WAR file (bring your own application server, tested with Apache Tomcat)
+  * Java single JAR file (bring your own Java VM)
+  * Docker container
 * Theme-able interface with several example CSS themes
-* Support for large dictionary wordlists to enforce strong passwords
-* Shared password history to prevent passwords from being reused organizationally
-* Automatic LDAP server fail-over to multiple ldap servers
-* Support for password replication checking and minimum time delays during password sets
-* Captcha support using reCaptcha
-* Integration with CAS
-* Support for minimal, restricted and mobile browsers with no cookies, javascript or css
-* Specialized skins for iPhone/Mobile devices
-* Designed for integration with existing portals and web security gateways
-* Directory Support
-  * Generic LDAP
-  * Directory 389
-  * NetIQ  eDirectory
-    * Password Policies & Challenge Sets
-    * NMAS Operations and Error handling
-    * Support for NMAS user challenge/responses
-  * Microsoft Active Directory
-  * OpenLDAP
-
-[NetIQ Self Service Password Reset](https://www.microfocus.com/en-us/products/netiq-self-service-password-reset/overview) is a commercial, supported self service password reset product based on PWM.
-
-# Build Information
+  * Mobile devices specific CSS themes
+  * Configuration support for additional web assets (css, js, images, etc)
+  * Force display of organizational
+* Captcha support using Google reCaptcha
+* Multiple SSO options
+  * Basic Authentication
+  * HTTP header username injection
+  * Central Authentication Service (CAS)
+  * OAuth client
+* REST Server APIs for most functionality
+  * Password set
+  * Forgotten password
+  * Password policy reading
+  * User attribute updates
+  * Password policy verification
+* Outbound REST API for custom integrations during user activities such as change password, new user registration, etc.
 
-Build pre-requisites:
-* Java 1.11 JDK or newer
-* Maven 3.2 or newer
+## Requirements
+
+Minimum requirements for PWM application.
+
+| PWM Version | Java [^1] | Servlet | Tomcat [^2] |
+| --- | --- | --- | --- |
+| v2.1 | 17 | 3.0 | 9 |
+| v2.0 | 11-17 | 3.0 | 8-9 |
+| v1.9 | 8-11 | 3.0 | 7-9 |
+
+[^1] There is no requirement for a specific Java implementation, PWM builds use [Adoptium](https://adoptium.net/).
+
+[^2] Tomcat isn't an explicit requirement, but it is the most common container used with PWM, and
+the one that is used for the docker and onejar builds.
+
+
+
+## Deploy
+PWM is distributed in the following artifacts, you can use whichever one is most convenient.
 
-Build execution:
-* Set `JAVA_HOME` environment variable to JDK home  
-* Run `mvn clean package` in base directory
+| Artifact | Description |
+| --- | --- |
+| WAR | Standard Java WAR (Web Archive) application deployment model, you need to have a working java & tomcat configuration on your server. |
+| Executable | Command line executable Java JAR application, includes tomcat. |
+| Docker | Docker image includes Java and Tomcat. |
 
-A WAR file suitable for deployment on Apache Tomcat is created in `webapp/target` directory.  Rename to `pwm.war` and copy into `tomcat/webapp` directory.
+For all deployment types, each PWM instance will need an _applicationPath_ directory defined on your local server for PWM's configuration,
+log, and runtime files.  Once PWM is configured, the initial web UI will prompt the administrator for LDAP and other configuration settings.
 
-Alternatively, an executable JAR file is created in `onejar\target`.  This JAR file is self-contained single executable with embedded Apache Tomcat runtime. To execute use a command similar to:   
+### WAR
 
-`java -jar pwm-onejar.jar`
+Steps:
+1) Get Apache tomcat working to the point you can access the tomcat landing page with your browser.  See tomcat documentation/help sites for
+   assistance with installing and configuring tomcat.
+2) Set the _PWM_APPLICATIONPATH_ environment variable in your tomcat instance to a local location of your _applicationPath_ directory. See tomcat and/or your
+   operating system documentation/help sites for assistance with configuring environment variables as the method for doing this depends on OS and deployment type.
+2) Place the pwm.war file in tomcat 'webapps' directory (rename from pwm-x.x.x.war with version naming)
+3) Access with /pwm url and configure
 
-The executable will show additional options that may be required.
+### Executable
+The 'onejar' artifact released with PWM has an embedded tomcat instance, so you don't need to install tomcat to use this
+version.  You will be responsible for getting it to run as a service, and you won't be able to do any advanced tomcat
+configuration.
 
-# Docker
+Requirements:
+* Java 11 JDK or better
 
-A docker image is created in `docker/target` as jib-image.tar.  You can import this docker image using a command similar to:
+Help:
+* `java -version` to ensure you have java 11 or better available
+* `java -jar pwm-onejar-2.0.0.jar` for command line help
 
-`docker load --input=jib-image.tar`
+Example for running onejar executable (with /pwm-applicationPath being the location to your _applicationPath_ directory):
+```
+java -jar pwm-onejar-2.0.0.jar -applicationPath /pwm-applicationPath 
+```
+By default the executable will remain attached to the console and listen for HTTPS connections on port 8443.
 
-Create docker container and run using:
 
-`docker run -d --name <container name> -p 8443:8443 pwm/pwm-webapp`
+### Docker
+The PWM docker image includes Java and Tomcat.  It listens using https on port 8443, and has a volume exposed
+as `/config`.  You will need to map the `/config` volume to some type of persistent docker
+volume for PWM to retain configuration.
 
-This will expose the https port to 8443.  If you want the configuration to persist to you can also expose
-the configuration volume of `/config` using the docker `-v` option during the container
-creation and map it to a directory on the docker host or use a docker volume container.  
-The PWM docker container will place all of it's configuration and runtime data in the `/config` volume.  If you do not use 
-a separate configuration volume, the config will be deleted when you delete the container.
+Requirements:
+* Server running docker
+
+Steps:
+
+1. Load your docker image with image nae of default _pwm/pwm-webapp_:
+```
+docker load --input=pwm-docker-image-v2.0.0.tar
+```
+
+1. Create docker image named _mypwm_, map to the server's 8443 port, and set the config volume to use the server's
+   local file system _/home/user/pwm-config_ folder:
+```
+docker create --name mypwm -p '8443:8443' --mount 'type=bind,source=/home/user/pwm-config,destination=/config' pwm/pwm-webapp
+```
+
+1. Start the _mypwm_ container:
+```
+docker start mypwm
+```
+
+## Build
+
+Build pre-requisites:
+* Java ( check requirements above for version )
+* Git
+* The build uses maven, but you do not need to install it; the maven wrapper in the source tree will download a local version.
+
+Build steps:
+1. Set _JAVA_HOME_ environment variable to JDK home.
+1. Clone the git project
+1. Change to pwm directory
+1. Run the maven build
+
+Linux example:
+```
+export JAVA_HOME="/home/vm/JavaJDKDirectory"
+git clone https://github.com/pwm-project/pwm
+cd pwm
+./mvnw clean verify
+```  
+Windows example:
+```
+set JAVA_HOME="c:\JavaJDKDirectory" 
+git clone https://github.com/pwm-project/pwm
+cd pwm
+mvnw.cmd clean verify
+```
+On Windows we recommend using paths without spaces (including for the JDK directory).
+
+Artifacts created:
+
+| Format | Directory |
+| --- | --- |
+| WAR | webapp/target |
+| Executable | onejar/target |
+| Docker | docker/target |
 

rest-test-service/pom.xml

@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.pwm-project</groupId>
         <artifactId>pwm-parent</artifactId>
-        <version>2.0.5-SNAPSHOT</version>
+        <version>2.0.5</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

server/pom.xml

@@ -3,7 +3,7 @@
     <parent>
         <groupId>org.pwm-project</groupId>
         <artifactId>pwm-parent</artifactId>
-        <version>2.0.5-SNAPSHOT</version>
+        <version>2.0.5</version>
         <relativePath>../pom.xml</relativePath>
     </parent>