#Release Notes

The Webswing version 23.2 comes with Jakarta EE support, Component migration, Drop-in deployments, Session inactivity and lock screen, Configurable file viewers and many other improvements and bug fixes. In this page list also other changes for minor releases.

#23.2.14 LTS

Release date: November 7th 2024

• #976 Admin console cluster config synchronization fix
• #1059 Option to dispose hidden windows
• #1066 Add debug logs for OIDC attributes

Fixed 3rd party CVE

• Denial of Service (DoS) - High Severity CVE-2024-8184

#23.2.13 LTS

Release date: October 4th 2024

• #1058: restricted resources translate baseUrl to absolute url
• #1049: Added audience claim to JWT token
• #976: config aggregation fix nullable values
• #989: Reconnecting to a session and clicking Start Again will not invoke the Shutdown Listener - fixed

Fixed 3rd party vulnerabilities

• Stack-based Buffer Overflow CVE-2024-7254
• Uncontrolled Resource Consumption CVE-2024-47554

#23.2.12 LTS

Release date: September 10th 2024

• #1046: Added system property ADMIN_CONSOLE_DISABLE_THREAD_DUMPS_AND_RECORDINGS
• #1044: Fixed File Drag'n'Drop

Fixed 3rd party vulnerabilities

• #1041: Updated PDF.js CVE-2024-4367, CVE-2024-34342
• Denial of Service (DoS) High Severity
• Information Exposure Low Severity

#23.2.11 LTS

Release date: August 12th 2024

• #1025: Add a system property to disable session logs in Admin Console
• #1028: Add getUserPrincipal into HttpServletRequest wrapper

#23.2.10 LTS

Release date: July 11th 2024

• #973: Session Log does not capture issue during startup
• #1013: Password input not working in TT recording
• #1011: fix unknown algorithm for Azure AD OpenID

#23.2.9 LTS

Release date: June 13th 2024

• #1002: Custom page for HTTP Response 404 Not found
• #1006: Max user sessions reached when opening a new tab in cluster
• #1005: support user can't access admin console
• #957 fix open login page after LoginTimeoutException; configurable message
• #1001: calling webswingInstance0.kill() before websocket connects has no effect - minimal fix
• #1000 set http transport factory for ssl
• #999: DD issue with underlined font
• #993: Webswing DnD handler prevents host app handlers

#23.2.8 LTS

Release date: May 8th 2024

• #987 fix loading jwks certs in IdTokenVerifier
• #957 Authentication issue with Keycloak in OIDC module
• #981 Upload files outside of the upload directory, High Severity Vulnerability CVE-2024-39332
• #985 added IdToken verification to OIDC module
• #983 expose double click distance threshold setting

Updating 3rd party dependecies

#23.2.7 LTS

Release date: April 4th 2024

• #944 File chooser provider interface improvements
• #952 Check Origin in Websocket connection for http/2
• #975 Fixed calling printDataTransferCompleted listener from print job
• #977 Sanitize locale and timezone strings from browser
• Removed com.sun.java.swing.plaf.gtk.GTKLookAndFeel from add-exports

#23.2.6 LTS

Release date: March 22nd 2024

• #914 Java 21 support
• #971 Sync clipboard not working after app start
• #974 Added option to create focusable HW popups

#23.2.5

Release date: March 7th 2024

• #905 Migration toolkit improvements
• #944 File chooser provider interface
• #949 OIDC: fixed default config value
• #952 Check Origin header in Websocket connection
• #955 Enforce max clients configuration for all connections from browser including reconnects
• #956 Support for Keycloak 18+
• #957 Authentication retry issue with Keycloak
• #958 Fixed EditLive freezing issue
• #959 Support locking key state (CAPS_LOCK, SCROLL_LOCK, NUM_LOCK)
• #962 File upload failed error handling
• #964 Fixed IME input
• #965 Fixed OS dependent flag --add-exports

Fixed 3rd party vulnerabilities

General

• Loop with Unreachable Exit Condition ('Infinite Loop') CVE-2024-25710 [High Severity]

#23.2.4

Release date: February 6th 2024

Here's the list with the issue numbers moved to the front and sorted:

• #931 Fixed synchronization of URL reloading in Admin Console
• #941 Fixed invokeAndWait exception when processing keyboard events
• #948 Fixed issue when downloading file without extension
• #949 OIDC security module - add option to url-encode redirect_uri
• #950 Direct drag'n'drop - API method to unregister drop component, show drop component overlay for visible rect bounds only
• #951 Java FX 17 support

Known issue: Version 23.2.4 introduces a problem with starting OIDC/Keycloak security module (Change #949 is missing default configuration value). Solution: To prevent NullPointerException (NPE), users must manually add "forceUrlEncodeCallbackUrl": false to the security module configuration or re-save the configuration in admin console.

#23.2.3

Release date: January 4th 2024

• #920 OIDC: use Apache HTTP client v2 for more robust DNS resolution
• #934 Fixed drag and drop issue with JWindow
• #937 Possible to undock window to a new tab
• #938 CRLF should be replaced by LF when getting the text from clipboard
• #939 Websocket not disconnected after network killed
• #941 Fixed processing order of keyboard triggered focus events
• #942 JDialog should not be maximized by double-clicking its title bar

Fixed 3rd party vulnerabilities

Test Tool

• NULL Pointer Dereference CVE-2023-5590 [High Severity]

Shiro Security module

• URL Redirection to Untrusted Site ('Open Redirect') CVE-2023-46750 [Medium Severity]

#23.2.2

Release date: December 6th 2023

• #905 Migration toolkit improvements
• #927 autoLogout does not work if shutdown triggered by user inactivity
• #928 Fixed pasting plain text to HTML JEditorpane
• #929 Configurable session logging in webswing server
• #930 Handshake sent before application start
• #931 Fixed race condition when reloading Admin Console server connection URLs while initializing
• #932 Fixed sessionpool.close.with.session not working
• #933 Shift + mouse wheel does not scroll horizontally
• #934 Fixed drag'n'drop between 2 Swing windows
• #935 Fixed windowClosing event preventDefault for iframes inside HtmlPanel

Fixed 3rd party vulnerabilities

Test Tool

• NULL Pointer Dereference CVE-2023-5590 [High Severity]

#23.2.1

Release date: November 9th 2023

• #858 DirectDraw fix for custom paints
• #865 Idle sessions not cleared when session pool dies
• #875 Session lock improvements
• #901 Show log tab in session detail view in Admin Console for resilient instances
• #901 Fixed font field in Admin Console config in cluster
• #901 Do not allow to scroll view in touch mode when offscreen input is focused
• #901 Fixed synchronization in event handling of Test Tool
• #901 Reset mirror when session changes with session switcher
• #901 Mirror and shutdown not working when instance reconnects to another server in cluster
• #901 Auto-scaler config change leaks a thread
• #901 Fixed recording playback for webkit browsers
• #905 Component migration improvements
• #909 Gracefully shutdown Jetty server
• #912 Improve throughput of SwingInstanceSet.findByInstanceId
• #915 Fixed issues with password manager
• #916 Mirror and shutdown not working when instance reconnects to another server in cluster
• #918 Improved instance reconnect after network disconnect
• #919 Netbeans splash screen image misplaced
• #924 Synchronized Admin Console endpoints - createApp, removeApp, startApp, stopApp
• Use Apache HTTP client for more robust DNS resolution in OIDC

Fixed 3rd party vulnerabilities

Test Tool

• Hotrod-client CVE-2023-4586

SAML2 Security module

• Apache Santuario: Private Key disclosure in debug-log output CVE-2023-44483

Jetty

• HTTP/2 HPACK integer overflow and buffer allocation CVE-2023-36478

#23.2

Release date: October 10th 2023

New Features and Major Changes:

• Jakarta EE: Support for Jakarta servlet containers, while keeping backward compatibility so Webswing can run on both Tomcat 9 and 10.
• Component migration (beta): Less invasive way to render your swing components as native web components
• Drop-in deployments: Create self-contained application packages includeing Webswing configurations for easy distribution and deployment
• Session inactivity and lock screen: User inactivity can now result in locking, disconnecting or terminating the session
• Configurable file viewers: Customize how specific file types are handled when open, print, or edit methods are used (see java.awt.Desktop)

Minor improvements:

• Vaadin integration
• Input mode support for touch devices
• Embedding fonts in PDF
• 3rd party vulnerability updates

Breaking change - custom security modules need to be rebuilt due to Jakarta EE support.