Open Service Platform

OSP Release Notes

Release 2024.1

Summary of Changes

  • The authentication framework includes a new Poco::OSP::Auth::PooledAuthAdminService class that supports database connection pooling for high-load servers.
  • The OSP web server supports a new redirectOn401 attribute that will redirect to the specified location instead of sending a 401 response due to an authentication failure.
  • Log messages for full request logging have been improved by indenting the HTTP request and response details. Also, the request details are logged as soon as the request has been received.
  • The Bundle Creator tool (bundle) supports a new strip option, allowing it to strip debug information from shared libraries before copying them into the bundle.
  • Various minor fixes and improvements.

Known Issues

  • The CMake build system places all generated bundle files in the same target directory, regardless of the selected build configuration (e.g., Debug, Release). Therefore, building different configurations in the same build directory is not recommended. Furthermore, on Windows, bundles built with CMake do not contain PDB files, unlike those built with the included Visual Studio project files.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2023.1

Summary of Changes

  • Improved authentication service with more secure password hashing (supporting PBKDF2 with HMAC-SHA256). Furthermore, it's possible to configure a session timeout, which is useful for MySQL servers that close the connection after a time of inactivity.
  • The username and password for the OSP Shell Client can now also be given in environment variables OSPSH_USERNAME and OSPSH_PASSWORD.
  • Various minor internal improvements.

Known Issues

  • The CMake build system places all generated bundle files in the same target directory, regardless of the selected build configuration (e.g., Debug, Release). Therefore, building different configurations in the same build directory is not recommended. Furthermore, on Windows, bundles built with CMake do not contain PDB files, unlike those built with the included Visual Studio project files.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2022.1

Summary of Changes

  • Added project and solution files for Visual Studio 2022.
  • AuthAdminService: Fixed an issue in checkDatabaseConnectivity() which would fail with SQLite due to a commit without active transaction.

Known Issues

  • The CMake build system places all generated bundle files in the same target directory, regardless of the selected build configuration (e.g., Debug, Release). Therefore, building different configurations in the same build directory is not recommended. Furthermore, on Windows, bundles built with CMake do not contain PDB files, unlike those built with the included Visual Studio project files.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2021.1

Summary of Changes

  • WebSessionManager: fixed a deadlock when cleaning a session.
  • WebServerDispatcher: fixed HSTS max-age directive in HTTP response header.
  • WebServerDispatcher: add support for X-Frame-Options HTTP response header.
  • WebServerDispatcher: add support for full request and response logging.
  • WebServerDispatcher: add exactMatch attribute to extension point.
  • WebServerDispatcher: add support for sending error responses with a JSON response body (compatible with RemotingNG REST transport). This can be enabled with the errorResponseFormat attribute in the extension point.
  • WebServerDispatcher: HTML error responses now contain a UUID with is also written to the log file for correlation.
  • WebServerDispatcher: Add a configuration option to globally enable or disable CORS handling.
  • Auth: added support for locking-out an account after too many failed authentication attempts.
  • Auth: LDAP attribute names can now be mapped to user attribute names.
  • Auth: Add support for two-factor authentication (2FA) with time-based one-time passwords (TOTPs). See Poco::OSP::Auth::TwoFactor::TwoFactorService.
  • The Bundle Creator tool supports a new command-line option to specify the binaries to include in the bundle. This overrides the <code> element in the bundle specification file.
  • CMake build support is now available in addition to Visual Studio project files and GNU Makefiles.

Known Issues

  • The CMake build system places all generated bundle files in the same target directory, regardless of the selected build configuration (e.g., Debug, Release). Therefore, building different configurations in the same build directory is not recommended. Furthermore, on Windows, bundles built with CMake do not contain PDB files, unlike those built with the included Visual Studio project files.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2020.1

Summary of Changes

  • The OSP framework now requires a C++14 compiler.
  • OSP Web: add special permission "**" which required either valid or no credentials. This is mostly useful for implementing REST APIs that support optional authentication.
  • OSP Web: added CORS (Cross-Origin Resource Sharing) support. CORS preflight requests and all CORS headers are optionally handled by the web server, configurable via extension point attributes.
  • OSP Auth: added support for "inline" user attributes, which are attributes directly stored in the auth_user table.
  • Performance improvements due to use of C++14 features such as std::string literals.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • The OSP framework now requires a C++14 compiler (Minimum compiler versions: Visual C++ 2015, GCC 5, Clang 3.4).

Release 2019.2

Summary of Changes

  • OSP Web: added support for security-related HTTP headers like Strict-Transport-Security, X-XSS-Protection and X-Content-Type-Options.
  • OSP Web: added support for bearer token-based authentication
  • OSP Web: allowed authentication methods can be restricted
  • OSP Web: for session and token-based authentication, also check that the associated user account still exists before granting authentication
  • OSP AuthAdminService: add support for SQL Server via ODBC
  • Poco::OSP::Auth::AuthService: new pure virtual method userExists() (has been moved to base class from Poco::OSP::Auth::AuthAdminService)

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

Release 2019.1

Summary of Changes

  • Added support for sealed bundles. Sealed bundles cannot be extended through extension bundles.
  • Poco::OSP::Auth::AuthAdminService: when user is deleted, also delete permissions, roles and attributes.
  • Poco::OSP::Auth::AuthAdminService: added usersWithPermission(), usersWithRole(), usersWithAttribute(), replaceRolesForUser(), replaceUserAttributes() and findUsersByAttribute() methods.
  • Poco::OSP::Auth::Data::AuthAdminServiceImpl: fixed a bug where some (implicit and read-only) transactions would not be committed properly, leading to stale data to be used due to repeatable-read transaction isolation.
  • Shell: added passwd command (allows hidden password entry)
  • Web: added Poco::OSP::Web::WebSessionStore service, which allows for implementation of persistent web sessions.
  • Web: when checking whether a request is authenticated, check for HTTP Basic credentials first before checking for an authenticated session.
  • Web: don't show exception details in 500 error page
  • BundleCreator: warn if non-empty <files> or <code> element is in bundle specification file, but no matching files can be found.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2018.1

Summary of Changes

  • Support for Modules. Modules are a way to specify dependencies between bundles, without referring to specific bundle names. Instead, bundles can declare which modules they provide, and which modules they require. The OSP framework then resolves module dependencies during the bundle resolve step.
  • Web: Improved support for cross-site request forgery (CSRF or XSRF) protection when using session-based authentication.
  • Mail: A Message-ID header can now be generated for outgoing messages.
  • New Poco::OSP::ServiceListener class for dynamically reacting to the availability of services.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2017.2

Summary of Changes

  • Bundle Signing now supports SHA-2 hash algorithms.
  • Improved error reporting in BundleLoader. If a bundle another bundle depends on fails to start, report the name of the failing bundle, not the name of the depending bundle.
  • BundleCreator: allow specifying the version of the bundle in the command-line arguments.
  • Web: added support for session-based authentication

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2017.1

Summary of Changes

  • Refactored AuthAdminService to enable different database backends (e.g., MongoDB) in addition to the existing SQL database backend.
  • AuthAdminService: added support for SCRAM-SHA-1 authentication over SASL.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2016.2

Summary of Changes

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2016.1

Summary of Changes

  • Poco::OSP::BundleRepository: prevent a bundle from being newly installed if a bundle with same symbolic name already exists.
  • Poco::OSP::BundleLoader: allow setting a fixed operating system name and architecture at compile time via POCO_TARGET_OSNAME and POCO_TARGET_OSARCH macros. If set, the values provided via these macros will be used instead of Poco::Environment::osName() and Poco::Environment::osArchitecture().
  • Poco::OSP::Auth::AuthAdminServiceImpl: use transactions consequently in all methods modifying the authentication database.
  • Poco::OSP::Auth::AuthAdminServiceImpl: new configuration setting "auth.ldap.localUsers". User accounts that match the regular expression specified with this property will never be looked up via LDAP, always via local database only.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2015.2

Summary of Changes

  • Allow passing arguments to OSP WebFilterExtensionPoint

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2015.1

Summary of Changes

  • OSP Web: WebServerDispatcher now consumes left over request data (e.g., if a POST request with data is sent to a handler only accepting GET. Previously, the next request would fail as leftover data from POST body would spill into next request).
  • OSP Auth: When authenticating a user via LDAP fails, the user is removed from the local user database, as authentication failure can also mean that the user no longer exists. Furthermore, LDAP attribute names are now case insensitive.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2014.1

Summary of Changes

  • Minor changes for compatibility with C++11.
  • Added MailDeliveryService, a Service wrapper around Poco::Net::SMTPClientSession.
  • Improved exception handling in web server request handler.
  • WebEvent improvements and fixes for Internet Explorer 11.
  • The OSP web server now uses its own thread pool instead of POCO's default pool.
  • Added support for web filters to the OSP web server.
  • WebSessionManager: added support for generating CRSF synchronizer tokens.
  • Web Server: Added support for mapping requests to request handlers using a regular expression.
  • Web Server: Added support for specifying allowed methods in request handlers.
  • Web Server: Added support for HTTP request logging.
  • OSP Shell: Bundle and service commands have been put into a separate bundle (com.appinf.osp.shell.commands).
  • OSP Shell: Help command now has aliases 'h' and '?' and also supports "help <command>" syntax.
  • OSP Core: Code cache is automatically updated with latest shared libraries if a new version of a bundle is installed. This can be disabled by setting the "osp.autoUpdateCodeCache" configuration property to false.
  • OSP Core: When stopping bundles, the bundle's run levels are accounted for.
  • OSP Core: Ignore directories in bundle repositories that are not valid bundles (not having a META-INF subdirectory).
  • OSP Core: BundleLoader has a new bundleError event fired when an error occurs while resolving or starting a bundle.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2013.2

Summary of Changes

  • Added WebEvent bundle, implementing the Poco::OSP::WebEvent::WebEventService for delivering asynchronous notifications to browser clients using a WebSocket based on a subject-based publish-subscribe mechanism. See the WebEvent sample for more information.
  • The Net bundle now unregisters the Poco::Net::HTTPStreamFactory and Poco::NetFTPStreamFactory when stopping.
  • The NetSSL_OpenSSL bundle now unregisters the Poco::Net::HTTPSStreamFactory when stopping.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2013.1

Summary of Changes

  • The WebServer and SecureWebServer bundles now correctly set serverName and softwareVersion in the Poco::Net::HTTPServerParams object. Previously, serverName was set to what is actually the softwareVersion. Furthermore, it is now possible to specify a listening host name or IP address in the configuration (in addition to the port number).

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2012.1

Summary of Changes

  • The OSP Command Shell application (ospsh) now supports command-line editing with the NetBSD Editline library (libedit). The library is automatically detected by the build system (checking for /usr/include/histedit.h).
  • The OSP web server can now be disabled through the configuration by specifying a port number of 0.
  • Poco::OSP::ServiceRegistry::unregisterService() now checks for a null ServiceRef.
  • The Bundle Creator tool supports a new command-line option (—no-deflate, -N) to disable compression of bundle file contents.
  • The OSP Web Server now supports gzip content compression for static content in bundles.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2011.2

Summary of Changes

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2011.1

Summary of Changes

  • Added Visual Studio project and solution files for 64-bit builds on Visual Studio 2008 and 2010.
  • Added basic iOS support to OSP (enabled by compiling OSP with -DPOCO_OSP_STATIC). This allows for static registration of bundle activators. This way, parts of OSP can also be used on platforms that don't support dynamic loading of shared libraries (such as iOS).
  • Poco::OSP::Web::WebSessionManager: it is now possible to control the domain and path of the session cookie by including them in the appName (e.g., myCookie@.mydomain.com/path).
  • Added Crypto bundle for deploying POCO Crypto library.
  • OSP Shell services command now supports —properties option to print service properties.
  • OSP Web Server: if a request handler factory now returns a 0 pointer instead of a proper request handler instance, a 404 error is reported.
  • OSP Web Server: added Poco::OSP::Web::WebServerService. Subclasses of this class are registered by the standard web server and secure web server bundles and can be used to find port numbers and server params of running web servers.
  • Web Index bundle no longer responds to arbitrary request URIs, only / and /index.html (fixes a potential security issue where a request for a non-existing path would automatically resolve to the Web Index bundle, even if it's not meant to be shown).
  • Web Info bundle now displays additional information and uses Poco::Net::NetworkInterface class instead of DNS to enumerate IP addresses (fixes exception with embedded systems that lack proper DNS configuration).
  • Added convenience methods getValue() and setValue() to Poco::OSP::Web::WebSession.
  • ServiceRegistry: when registering or unregistering a service, the lock on the registry is now released before the corresponding event is fired. This allows registration or deregistration of services from within the event handler. Previously, this would cause a deadlock.
  • Added Poco::OSP::ServiceFinder utility class template.
  • BundleCreator: added support for extension bundles.
  • OSP: added support for extension bundles.
  • The path(list) passed to BundleRepository can now include wildcard, as well as direct paths to bundles.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2009.2p4

Summary of Changes

  • fixed a bug in BundleLoader::unloadBundle(): now correctly fires a bundleUnloaded event instead of a bundleLoaded event.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 2009.2

Summary of Changes

  • OSP/Python now works with Python 2.6 as well.
  • fixed a 64-bit compatibility issue with OSP Python bundle
  • OSP: added ExtensionPoint::removeExtension()
  • OSP BundleCreator now fully supports variable expansion in bundle spec file
  • fixed #0000098: bad characters in OSP ServiceRegistry documentation
  • fixed #0000099: Poco::OSP::Service::type() and isA()

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • The Remoting bundles have been renamed from poco.remoting.* to com.appinf.remoting.* as poco.* is now strictly reserved for bundles related to the open source POCO C++ Libraries. If you have dependencies on Remoting bundles in your bundles, please change the bundle names accordingly. Also, make sure to remove the old poco.remoting bundles from your bundle repositories.

Release 2009.1

Summary of Changes

  • Based on POCO C++ Libraries 1.3.5
  • Bundles now have a numeric ID, valid and guaranteed to be unique during the runtime of the containing application. The ID of a bundle can be obtained with the id() member function.
  • New OSP Command Shell Service, allows for command-line based management of OSP applications. The shell can also be extended with custom commands.
  • Added OSPBundleSign library, which provides support for cryptographically signing bundles, as well as for verifying the signature of bundles.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 1.3.3

Summary of Changes

  • New SystemEvents class providing systemStarted and systemShuttingDown events. The SystemEvents object is available from the BundleContext with the systemEvents() member function.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 1.3.2

Summary of Changes

  • fixed 0000064: Bundle generator copies .abc (.svn) files into bundles
  • bugfix: bundle unload triggered wrong event
  • added sample for PreferencesService to OSP
  • the Remoting SOAP listener now works with the OSP web server (now a port must be specified together with ref="osp.web" in the listeners.xml file)
  • the OSP web server no longer crashes if a request handler factory returns null

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • None at this time.

Release 1.3.1

Release 1.3 of the POCO C++ Libraries is the first official release supporting the Open Service Platform.

Summary of Changes

  • OSP Web: check client IP address when accessing a WebSession
  • BundleCreator: empty dependency version in bundlespec is okay
  • fixed OSP shared library names to match naming conventions
  • Stopping a Remoting Transport bundle (such as poco.remoting.binary or poco.remoting.soap) before stopping the Remoting bundle will no longer crash the application, due to insufficient cleanup when unloading the transport library.

Known Issues

  • None at this time.

Incompatible Changes and Possible Transition Issues

  • OSP bundle shared library names have been changed to match naming conventions.

Frequently Asked Questions

What is the user name and password for the BundleAdmin tool?

The default user name and password is "admin", and "admin", respectively. See the AuthService documentation for information on how to change the password.