API gateway for REST, OpenAPI, GraphQL and SOAP written in Java.
Improvements:
- <memcachedSessionManager cookiePrefix="..."/> to support multiple Membrane instances using MemcacheD as session storage
- <flowInitiator logoutBeforeFlow="true" /> attribute
- <openapi> response header validation

Fixes:
- <openapi><rewrite> logic
- <openapi> response validation with status code 204

Fixes:
- docker run predic8/membrane
- useXForwardedForAsClientAddr Flag to <accessControl> X-Forwarded-For header

Improvements:
- <openapi validateSecurity="yes"> to be able to selectively disable OpenAPI security validation (not advised ;-)

Fixes:
Unfortunately, the Docker image build process is currently broken: predic8/membrane:5.4.1 is therefore not working at the moment. Please build your own Docker image in the meantime.
Changes since 5.3.5:
Features:
- <apiDocs/> aggregating API documentation from OpenAPI definitions across service proxies
- <openapi/> now validates scopes from various sources (e.g. API keys, JWT tokens, OAuth2 (also using JWT tokens))

Fixes:
- <requireAuth errorStatus="..."/> by adding Content-Length: 0 to the response

Unfortunately, the Docker image build process is currently broken: predic8/membrane:5.4.0 is therefore not working at the moment. Please build your own Docker image in the meantime.
Fixes since 5.3.4:
Changes since 5.3.3:
- <openTelemetry> configuration)

Fixes:
- <requireAuth required="false" .../> to skip authentication, if no token is present
- <requireAuth errorStatus="401" .../> to return specific error code on authentication failure
- <oAuth2Resource2 afterErrorUrl="/foo" .../> to send user to error page after error during login
- <oAuth2Resource2 onlyRefreshToken="true" .../> to allow Authorization Server to return no access token (only a refresh token)
- <requireAuth scope="foo" oauth2="oauth2"/> and <requireAuth scope="bar" oauth2="oauth2"/> to request multiple access tokens from Authorization Server

Changes:
- <oauth2Resource2/> and <jwtAuth/> now fully support using an HTTP proxy to access the OAuth2 authorization server
- <oauth2Resource2/> now prefers the form code POST, if offered by the OAuth2 authorization server
- <loginParameter/>s can be specified per-<requireAuth/>