This is a patch update containing some memory-related bug fixes, and addresses a security advisory involving the use of the External, RemoteUser, X509, and SPNEGO login flows.
Fixing the security required an internal redesign of the External login flow (the other three essentially reuse the External flow to function) and the fix required changes to some Java classes that are part of the public API. This is allowed in a patch when necessary to address critical bugs. While these changes are visible, they do not impact the documented/intended "public" interface to the External login mechanism used by deployers.
The changes would only impact deployers in these cases:
- Anybody copying one of the impacted login flows for private use. This is something we expect somebody might have done but is explicitly not supported because doing so would also involve references to non-API classes that are subject to change at any time so is already known to be unsafe across upgrades.
- Anybody inheriting from the ExternalAuthentication class to provide an alternate concrete implementation of that class for use in a custom llgin flow. This would be very unlikely to do.
- Anybody directly instantiating/adding an instance of the ExternalAuthenticationContext class to the profile request context tree. This is also not something we would expect anybody to have done.
3.4.5 (Sep 18, 2019)