Starting with release 1.7-11, the project successfully builds and runs on Java 9+ (Java 9 and 10 were checked). Please note that Tomcat 7 will not work on Java 9+, so you'll have to upgrade Tomcat as well if you are planning to run Superfly on these recent Java versions. The minimal Java version is raised to 8. Spring is upgraded to version 5.
Single Sign-on (SSO) based on redirects is implemented. Full spring-security integration is included.
All HttpClient timeouts are made configurable; default timeouts are configured, which eliminates the possibility of a freeze.
All dynamically-generated URLs are made compatible with the nginx mod_security module.
Extended user status information is accessible via SSOService.
Fixes in user-role-action associations editing via UI.
Reworked mail server management: now any number of SMTP servers may be defined. Each subsystem can be assigned one of these SMTP servers.
Made it possible to edit a user and reset their password and OTP table via SSOService.
This release adds the possibility for the user to save their PGP public key, so it may be used to send something to the user (via email) in encrypted form. This is currently used to send OTP tables to a user.
This version mainly strives to satisfy PCI DSS requirements, so Superfly may be used as a component in a high-security system that processes credit card data. Here are our new features:
- PCI DSS requirements are satisfied (see below in details)
- Password encryption: all passwords are hashed. Salting may be enabled by configuration. Any JCE-supported hashing algorithm may be used (SHA-256 is preconfigured for the high security policy).
- Password expiration forces users to change their passwords over time. For PCI DSS, the maximum password age is configured to be 90 days.
- Account suspension suspends accounts which were not used for some period of time (for PCI DSS, the period is 90 days).
- Password form restrictions: too weak, too short, or previously used passwords are not allowed in strict mode.
- First-time passwords are used for the first login and after a password reset. They only allow the user to change their password.
- Two-factor authentication using OTP (one-time password) technique is implemented.
- OTP extension point is defined, so you may implement your own OTP provider.
- Logging: every operation on system objects, as well as every authentication attempt, is logged.
Most of the above is not needed for a 'usual', non-paranoidly-secure case, so you can easily configure the policy you need: 'none' (the default, with almost no PCI DSS conformance but with the least annoyance) or 'pcidss' (PCI DSS conformant).
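The following Java class is an added illustration of the password-policy features listed above (JCE-resolved hashing with an optional salt, constant-time verification, 90-day password expiry and 90-day inactivity suspension). It is not Superfly's own code; the class and method names are hypothetical, and the 90-day values are taken from the release notes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

// Hypothetical demo class, not part of Superfly.
public class PasswordPolicyDemo {
    // Policy values from the release notes: 90-day max password age, 90-day inactivity limit.
    static final Duration MAX_PASSWORD_AGE = Duration.ofDays(90);
    static final Duration MAX_INACTIVITY = Duration.ofDays(90);
    static final int SALT_BYTES = 16;
    static final SecureRandom RNG = new SecureRandom();

    // The algorithm name is resolved through JCE, so any provider-supported digest works.
    static byte[] hash(String algorithm, byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        if (salt != null) md.update(salt);            // salt is optional, as described on the page
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] newSalt() { byte[] s = new byte[SALT_BYTES]; RNG.nextBytes(s); return s; }

    // Constant-time comparison so a mismatch does not leak how many leading bytes matched.
    static boolean verify(String algorithm, byte[] salt, String candidate, byte[] stored)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(hash(algorithm, salt, candidate), stored);
    }

    // Password expiration: older than MAX_PASSWORD_AGE means the user must change it.
    static boolean passwordExpired(Instant changedAt, Instant now) {
        return Duration.between(changedAt, now).compareTo(MAX_PASSWORD_AGE) > 0;
    }

    // Account suspension: no login for longer than MAX_INACTIVITY suspends the account.
    static boolean accountSuspended(Instant lastLogin, Instant now) {
        return Duration.between(lastLogin, now).compareTo(MAX_INACTIVITY) > 0;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = newSalt();
        byte[] stored = hash("SHA-256", salt, "correct horse");   // constructed sample password
        System.out.println("verify ok:       " + verify("SHA-256", salt, "correct horse", stored));
        System.out.println("verify wrong:    " + verify("SHA-256", salt, "wrong", stored));
        Instant now = Instant.now();
        System.out.println("expired (91d):   " + passwordExpired(now.minus(Duration.ofDays(91)), now));
        System.out.println("suspended (10d): " + accountSuspended(now.minus(Duration.ofDays(10)), now));
        System.out.println("stored hash:     " + Base64.getEncoder().encodeToString(stored));
    }
}
```

Note that a plain digest such as SHA-256 is what the page names; a deliberately slow password hash (bcrypt, scrypt, Argon2) raises the cost of offline guessing and can be plugged in at the same point where the JCE algorithm name is chosen.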
1.1-2 contains minor changes to UI. In particular, actions are sorted in the lists.
Version 1.1 adds several important features:
- Local mode to ease development
- Spring 3 support
- Jira integration allows using a Superfly server as a security provider for Jira
- UI enhancements make the UI more friendly
- This is the first release which is available from a Maven Central Repo
Thanks to Sonatype, our next release (and all subsequent releases) will be available in Maven Central Repository.
The Superfly project, whose goal is to build a centralized web authentication system for Java, has moved to Google Code. Source code is licensed under the Apache 2 License.