Version: 7.2405.x.x LTS

Appendix M - Migrating from LTS-21 to LTS-24

As part of the migration, read through the following appendixes carefully as your setup is affected and will require action from your side. Your migration is mainly based on these documents:

After performing the changes required by the aforementioned appendixes, the rest of this document provides you with additional information:

  • The what's new section lists additional new features introduced into nevisAuth
  • The what has changed section lists fixes and changes of features existing in LTS-21
  • The what has been removed section lists removal of deprecated or outdated features and implementations
  • The third party dependency changes section lists removals and upgrades of third party dependencies which can affect custom auth state or Groovy script state implementations

PostgreSQL Migration

If you're interested in migrating to PostgreSQL, visit the MariaDB to PostgreSQL Migration Guide.

What's new

  • EXPERIMENTAL: We introduced the property relayState.transformation to disable automatic RelayState encoding for ServiceProviderState. (NEVISAUTH-3972)
  • EXPERIMENTAL: We introduced the property openid.promptParameterSupported for using the prompt parameter in AuthorizationServer. (NEVISAUTH-4526)
  • NEW: Added RHEL 9 support. (NEVISAUTH-4421)
  • NEW: We added OpenTelemetry metrics listing the configured auth state classes for analytical purposes. (NEVISAUTH-4503)
  • NEW: Introduced support for PostgreSQL 15 databases for the Remote Session Store and the OutOfContextDataService. (NEVISAUTH-4390)
  • NEW: We introduced the new property allowRedirect for the RelyingPartyState* and OAuth2ClientState AuthStates. Using this attribute, you can enable or disable redirecting to the original request link after authentication by the OpenID Connect identity provider. For more information see RelyingPartyState or OAuth2ClientState.
  • NEW: We introduced SAML Single Logout Flow with SOAP binding as an option for IdentityProviderState and ServiceProviderState. For more information see IdentityProviderState or ServiceProviderState.
  • NEW: A TokenIntrospectionService configured with only one AuthorizationServer AuthState can now be accessed without the AuthorizationServer AuthState name. For more information see REST service implementations.
  • NEW: We introduced the new encryptAccessToken property for AuthorizationServer that allows returning an AccessToken in JWS format. For more information see AuthorizationServer.
  • NEW: We introduced the new property nevismeta.updateMetadataWhenClientNotFound for AuthorizationServer that can control the cache update mechanism of nevisAuth from nevisMeta if a client is not found in its current cache.
  • NEW: The TokenIntrospectionService can now be protected with Basic Authentication. For more information see REST service implementations.
  • NEW: IdentityProviderState is now able to handle assertionConsumerServiceIndex in AuthnRequest. For more information see IdentityProviderState.
  • NEW: We introduced a new logger, DbPerformance. On INFO level, it logs the response time of the queries to the Remote session store and the Out of context data store. On DEBUG, it also logs the SQL statement and the parameters.
  • NEW: Added a database index to the documentation for the Remote session cache. It can help with response time spikes caused by a slower remote session store reaper (which blocks other database operations). There is no automatic database migration; run the following statement manually. (NEVISAUTH-3416)
    ALTER TABLE TNSSA_AUTH_SESSION_CACHE ADD INDEX (ABSTO);
  • NEW: Introduced singleLogoutURL configuration properties in the IdentityProviderState to use endpoints for logout different to the assertion consumer service endpoints of the ServiceProvider. For more information, see IdentityProviderState. (NEVISAUTH-3230)
  • NEW: Introduced Token Revocation REST Endpoint to revoke access token and refresh token. For more information, see REST service implementations. (NEVISAUTH-3434)
  • NEW: RelyingPartyState and OAuth2ClientState now support variable substitution in the property clientSecret. (NEVISAUTH-3411)
  • NEW: Introduced in.max_issue_age for ServiceProviderState to verify the IssueInstant issued time. It allows verifying the maximum age of AuthnInstant and IssueInstant separately. (NEVISAUTH-3315)
  • NEW: Introduced the JSON Web Key Set (JWKS) endpoint. Now nevisAuth returns the key set of the AuthorizationServer AuthStates specified in the configuration. For more information, see REST service implementations. (NEVISAUTH-3371)
  • NEW: Token Introspection Service and AccessTokenConsumer AuthState now can validate against JWS access token. (NEVISAUTH-3451)
  • NEW: The original URL in the RelayState is now encoded in ServiceProviderState before it is sent to the IdentityProviderState. For more information, see ServiceProviderState. (NEVISAUTH-3341)
  • NEW: Introduced a new parameter nestedJWSAccessToken for AuthorizationServer to define how the JWS Access Token is generated (nested or not). By default, the JWS Access Token is generated in a non-nested form. (NEVISAUTH-3464)
  • NEW: We introduced the OAuth 2 Authorization Server Metadata/OIDC discovery endpoint. nevisAuth now returns the metadata of the AuthorizationServer AuthStates specified in the configuration. For more information, see REST service implementations.
  • NEW: We introduced an experimental REST endpoint to manage sessions. It supports terminating multiple sessions belonging to the same user. For more information, see REST service implementations. (NEVISAUTH-3558)
  • NEW: We introduced the property nevismeta.http.protocol.content-charset for AuthorizationServer so that it can parse a UTF-8 encoded response body from nevisMeta. (NEVISAUTH-3630)
  • NEW: The userinfo endpoint can now be set in the OAuth 2 server metadata/OIDC discovery endpoint. (NEVISMETA-1744)
  • NEW: TANState configuration option autoRegenerate now allows the automatic regeneration of a new TAN to be disabled, if the maximum number of retries is exhausted. (NEVISAUTH-3420)
  • NEW: Terms of Service, Policy, jwks and token_endpoint_auth_method can now be set per client in AuthorizationServer. (NEVISMETA-1749)
  • NEW: OAuth 2 server metadata/OIDC discovery endpoint now shows the correct token_endpoint_auth_method by combining data from clients. (NEVISMETA-1744)
  • NEW: SELinux policy templates are now available at /opt/nevisauth/selinux. (NEVISAPPLIANCE-567)
  • NEW: client.[clientId].secret in AuthorizationServer supports resolving configuration value from external variables. See chapter Passwords in the configuration in the reference guide for more details. (NEVISAUTH-3791)
  • NEW: clientSecret in RelyingPartyState supports resolving configuration value from external variables. See chapter Passwords in the configuration in the reference guide for more details. (NEVISAUTH-3791)
  • NEW: We introduced the property out.post.relayStateEncoding to encode the POST binding RelayState in IdentityProviderState. (NEVISAUTH-3800)
  • NEW: AuthorizationServer now supports response_mode=form_post for the authorization code flow. (NEVISAUTH-3596)
  • NEW: AuthorizationServer with dataSource=nevismeta can now temporarily skip the metadata updates triggered by an unknown client. (NEVISAUTH-3918)
  • NEW: acsUrlWhitelist.uris in IdentityProviderState supports an asterisk (*) wildcard at the beginning and end of the URIs. (NEVISAUTH-3949)
  • NEW: Experimental feature: Configure acsUrlWhitelist.uris.refresh.period in IdentityProviderState to automatically refresh the value of acsUrlWhitelist.uris. The feature works with classic VM deployments only. (NEVISAUTH-3949)
  • NEW: For the JWTToken auth state, you can now configure the Key Identifier kid header parameter. (NEVISAUTH-3839)
  • NEW: The JWTToken auth state now automatically generates the X.509 certificate SHA-256 thumbprint header parameter x5t#S256 when a private key is supplied as part of the auth state configuration. (NEVISAUTH-3839)
  • NEW: Gui element labels now support the usage of expression language (EL), for example: <Gui name="account" label="#{something == 'something' ? 'title.no_account' : 'title.account'}"> (NEVISAUTH-3675)
  • NEW: The Gui element has an additional optional attribute renderElement with expression language (EL) support. This attribute defines whether the GUI element is sent to nevisLogRend to be rendered. (NEVISAUTH-3675)
  • NEW: AuthRequest now has a method getHttpHeader(String headerFieldName) that allows getting HTTP headers case-insensitively in the esauth4.xml, custom auth states and Groovy script states. (NEVISAUTH-4059)
  • NEW: We introduced Force Pushed Authorization Requests configuration for Authorization Server. (NEVISMETA-1857)
  • NEW: We added setting for Force Pushed Authorization Requests Endpoint configuration for OAuth2 Server Metadata/OIDC Discovery endpoint. (NEVISMETA-1857)
  • NEW: We added REST service for Force Pushed Authorization Requests Endpoint. (NEVISMETA-1857)
  • NEW: We added option client_secret_post for tokenEndpointAuthMethod in AuthorizationServer. (NEVISMETA-1858)
  • NEW: The Http Clients supplied by nevisAuth can now be configured programmatically. (NEVISAUTH-4350)
  • NEW: A new KerberosLoginAuthState is replacing the functionality of the removed FrontendKerberosAuthState. For further details see KerberosLoginAuthState. (NEVISAUTH-4193)
  • NEW: The AuthorizationServer and AccessTokenConsumer auth states now support Elliptic Curve (EC) keys besides RSA keys for Access Tokens. (NEVISAUTH-4358)
  • NEW: The AuthorizationServer auth state now supports ID Token encryption using keys from JWKS. You can either configure this inline, or in nevisMeta using the following properties for clients: jwks, jwksUri, idTokenEncryptedResponseAlg, idTokenEncryptedResponseEnc. As per specification, the encryption will be done when the idTokenEncryptedResponseAlg property is set and the keys will be taken from the jwks / jwksUri. Additionally, we also added the property idTokenSignedResponseAlg which allows you to configure the ID Token signature algorithm. Further new properties are the openid.jwks.httpclient.* which will be used when downloading keys from the jwksUri. The changes above have no effect on the Access Token encryption / signing. (NEVISAUTH-4269)
  • NEW: The AuthorizationServer auth state now supports Refresh Token rotation. It can be enabled by setting the rotateRefreshToken property to true. (NEVISAUTH-4320)
  • NEW: We added support for the acr claim in the ID Token. To achieve this, we added a new property openid.acr_values_supported to the AuthorizationServer and acr_values to the RelyingPartyState. DiscoveryService returns the supported acr values in the acr_values_supported property. (NEVISAUTH-4341)
  • NEW: The AuthorizationServer auth state now supports mapping between custom scope(s) and custom claim(s). (NEVISAUTH-4352)
  • NEW: ScriptStates now automatically import the following three nevisAuth classes: HttpClient, Http and HttpClients (HttpClients is made available via binding; see the new way to create and use HTTP clients below), as well as some of the most common classes from the java.time API. In case this causes a problem, the behaviour can be disabled by setting the addAutoImports configuration property to false.
  • NEW: ScriptStates can create an HTTP client using the new HttpClients.create() method, which takes the configuration properties automatically from the ScriptState configuration. Note that this method caches the HTTP client per ScriptState instance (so each ScriptState has its own HTTP client), therefore it is not recreated at every request. (If this is not desired, you can resort to the previously available creation methods.) This feature is only available in ScriptStates and not in other places. For the same reason, you should not import HttpClients when using the new method; importing it results in a Groovy exception stating that the method is not found.
  • NEW: The X509Login auth state has a new configuration option loadFileSystemFirst, which allows switching the load order of the key material when cryptoMaterialSupplier is configured to ldapwithfilesystem. By default, LDAP is loaded first and the file system afterwards; configuring loadFileSystemFirst=true loads the key material from the file system first. (NEVISAUTH-4439)
  • NEW: We added support for using JWT Bearer Token for Client Authentication in Authorization Server. (NEVISAUTH-4397)
  • NEW: We added support for JWT Bearer Grant. (NEVISAUTH-4512)
  • NEW: EC keys are now supported for JWKS. (NEVISAUTH-4515)
  • NEW: Configuration option server.tls.verify-sni, which allows disabling SNI validation in Jetty. This can be used to mitigate a Java bug where a Java client does not send SNI information when the hostname does not contain a dot. (NEVISAUTH-4624)

What has changed

BC logging replaced with slf4j

The logging interface in Java AuthStates and ScriptStates changed from bc to slf4j. If you use any of the methods that have no slf4j equivalent (the last row of the mapping below), your AuthState breaks, as these methods are not available in slf4j. Note that this only covers the regular logging methods, not the exotic utility methods available in the bc interface.

bc → slf4j

  • enter(Object self, String method), enter(Object self, String method, Object params) → possible replacement: trace(String msg), trace(String format, Object arg)
  • leave(), leave(Object result) → possible replacement: trace(String msg), trace(String format, Object arg)
  • error(String text), error(String text, Throwable exc), error(Throwable exc) → error(String msg), error(String format, Object arg), …
  • warning(String text) → warn(String msg), warn(String format, Object arg), …
  • info(String text) → info(String msg), info(String format, Object arg), …
  • debug_low(String text), debug_med(String text), debug_high(String text), debug(String text) → debug(String msg), debug(String format, Object arg), trace(String msg), trace(String format, Object arg), …
  • emergency(String text), alert(String text), critical(String text), msg(Severity severity, String text), msg(Severity severity, String text, Throwable exc), notice(String text) → no slf4j equivalent
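The following Java class is an added example, not code from the nevisAuth documentation or SDK. It shows how the bc-style calls from the mapping above translate into slf4j in a custom auth state, including the two cases that need attention: error(Throwable) has no single-argument slf4j counterpart, and the emergency/alert/critical/notice levels do not exist in slf4j. The class name, the process method and the authenticate stand-in are hypothetical; only slf4j-api is needed on the classpath.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Marker;
import org.slf4j.MarkerFactory;

/**
 * Hypothetical custom auth state after the bc -> slf4j change (added example).
 * The old bc calls are shown in comments next to their slf4j replacement.
 */
public class Slf4jMigrationExample {

    // One logger per class; its name is the category you configure in logging.yml.
    private static final Logger LOG = LoggerFactory.getLogger(Slf4jMigrationExample.class);

    // slf4j has no EMERGENCY/ALERT/CRITICAL/NOTICE levels. A Marker keeps the
    // distinction visible to log4j2 filters and patterns (%marker) without a new level.
    private static final Marker CRITICAL = MarkerFactory.getMarker("CRITICAL");

    /** Returns the outcome so the mapping can be exercised without a running nevisAuth. */
    public String process(String user, String clientIp) {
        // bc: enter(this, "process")
        LOG.trace("enter process(user={}, clientIp={})", user, clientIp);
        String outcome;
        try {
            outcome = authenticate(user);
            // bc: info(text) -> slf4j: info(format, args). Keep request data out of the
            // format string and pass it as an argument; the format string stays constant.
            LOG.info("user {} authenticated from {} with outcome {}", user, clientIp, outcome);
        } catch (IllegalArgumentException e) {
            // bc: error(exc) had no message. slf4j treats a trailing Throwable as the
            // exception and prints its stack trace, so supply a message and pass it last.
            LOG.error("authentication failed for user {}", user, e);
            // bc: critical(text) -> no slf4j level; use error() with a marker instead.
            LOG.error(CRITICAL, "authentication subsystem rejected input for user {}", user);
            outcome = "failed";
        }
        // bc: debug_low/debug_med -> debug; debug_high -> trace
        LOG.debug("process outcome for user {}: {}", user, outcome);
        // bc: leave(result)
        LOG.trace("leave process() -> {}", outcome);
        return outcome;
    }

    // Constructed stand-in for the real authentication logic of the auth state.
    private String authenticate(String user) {
        if (user == null || user.isEmpty()) {
            throw new IllegalArgumentException("empty user");
        }
        return "ok";
    }

    public static void main(String[] args) {
        Slf4jMigrationExample state = new Slf4jMigrationExample();
        System.out.println(state.process("alice", "192.0.2.10"));
        System.out.println(state.process("", "192.0.2.10"));
    }
}
```

Because slf4j only formats the message when the level is enabled, the trace calls that replace enter/leave cost nothing in production; the marker on the former critical() call lets a log4j2 MarkerFilter route those events separately if you previously relied on the bc severity.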

General

  • UPGRADED: We upgraded from EL-API 2.0 to EL-API 5.0. You should check your existing EL statements used for compatibility. (NEVISAUTH-4109)
  • FIXED: We fixed an issue that caused TokenIntrospectionService to crash with the error message java.lang.IllegalStateException: The output stream has already been closed. The issue occurred with an incorrect AuthorizationServer name request parameter.
  • FIXED: RelyingPartyState can now understand the callback from IdP without a query string while using ResponseMode="form_post".
  • FIXED: We fixed a possible JDBC error which could break the retry mechanism of Session synchronization.
  • FIXED: We fixed the unknown login application issue when using compatLevel="none". The issue was caused by a missing domain attribute in the GuiDescriptor sent to nevisLogRend.
  • FIXED: We fixed the inappropriate separator handling for DeferredResponse in SAMLContext. (NEVISAUTH-3426)
  • FIXED: We fixed the bug where nvluser, nvbuser and members of the nevisadmin group could not use the nevisAuth Admin CLI commands. (NEVISAUTH-3560)
  • FIXED: You can now verify ArtifactResponse by setting in.verify with ArtifactResponse. (NEVISAUTH-3530)
  • FIXED: We fixed the inappropriate handling for DeferredResponse in SAMLContext. (NEVISAUTH-3697)
  • FIXED: OIDC Introspection now uses the proper URI for refresh tokens stored in nevisMeta. (NEVISAUTH-3688)
  • FIXED: The admin CLI now correctly lists instances located in a symlink directory. (NEVISAUTH-3718)
  • FIXED: We fixed the bug where a long Access Token TTL resulted in an incorrect blacklisting time. (NEVISAUTH-3627)
  • FIXED: SAML AuthStates are now able to handle AuthnRequests without an issuer. (NEVISAUTH-3635)
  • FIXED: We fixed the duplicated key index definition in the SqlOOCDService implementation. The change affects the automatic table creation in the nevisAuth component. No automatic migration is provided. The side effect of the previous behaviour is increased disk space usage, as the key index values are stored twice. (NEVISAUTH-3626) To fix or migrate existing systems, delete the duplicate index, assuming that the table definition from the reference guide or from the nevisAuth component is used:
    DROP INDEX IF EXISTS key_idx ON nevisauth_out_of_context_data_service;
    If a custom SQL script was used to create the database table, or it is not clear which index should be deleted, list the indexes first:
    SHOW INDEXES FROM nevisauth_out_of_context_data_service;
    If Docker-based DB images are used, no changes are required.
  • FIXED: Invalid negative Token TTL values are set to 0 (zero). If this occurs, the debug message "Session already expired because notAfter has passed. Setting ttl=0" is generated. (NEVISAUTH-3999)
  • FIXED: Fixed a locking failure in the process of upgrading sessions to the authenticated state when idPreGenerate is enabled and the session has already been authenticated once. A warning is also introduced stating that this state is a likely misconfiguration in the system. (NEVISAUTH-4014)
  • FIXED: We fixed the incorrectly calculated x5t#S256 value by the JWTToken auth state. (NEVISAUTH-4198)
  • FIXED: We fixed the issue that in some cases nevisAuth could not parse the OAuth2 metadata fetched from nevisMeta. (NEVISAUTH-4210)
  • FIXED: We added missing required property id_token_signing_alg_values_supported of OpenID Connect Discovery service. (NEVISAUTH-4238)
  • FIXED: The httpclient.connection.timeout was handled incorrectly, causing the configured value to be ignored and defaulting to a 3-minute timeout. This property now properly controls the connection and socket timeout together. The new default value is a more reasonable 30 seconds. (NEVISAUTH-4063)
  • FIXED: We removed the excessive stack trace printing on DEBUG log level in case of the message "No resource found for". (NEVISAUTH-4111)
  • FIXED: We fixed the issue that the OAuth 2.0 Authorization Server Metadata endpoint sometimes showed outdated information. (NEVISAUTH-4242)
  • FIXED: We fixed the incorrect calculation of the absolute timeout (absto) when reaperTimeoutTolerance was not set. Its default value, 10% of the sessionMaxLifetime, was improperly calculated. This bug was introduced in the 2023 February release. (NEVISAUTH-4272)
  • FIXED: We fixed a concurrency issue in the DocumentProcessor and ConditionalDocumentProcessor auth states which caused errors when the documents were refreshed. These errors occurred because the document object was constructed using lazy initialization. This is no longer the case, which might increase memory usage when dealing with large XML documents. In case you experience a problem with this change, you can use the parser.lazyLoading backwards compatibility flag to restore the old behaviour. (NEVISAUTH-4268)
  • FIXED: We fixed a NullPointerException in IdentityProviderState when no SP is configured. (NEVISAUTH-4304)
  • FIXED: We fixed an issue where nevisAuth could not parse some data from nevisMeta. (NEVISAUTH-4291)
  • FIXED: A NullPointerException is no longer printed to the log when an unauthenticated request calls the PAR endpoint. (NEVISAUTH-4248)
  • FIXED: The Token Revocation service now validates that the client_id of the token matches the client_id of the authenticated caller. (NEVISAUTH-3997)
  • FIXED: The RelyingPartyState now correctly uses the nevisAuth HttpClient and adheres to the httpclient.* configuration options. Previously it used HttpUrlConnection to access the jwks_uri. (NEVISAUTH-4295)
  • FIXED: Excessive stack traces (java.lang.NoSuchMethodException) printed on DEBUG level during EL expression evaluation are removed. (NEVISAUTH-4298)
  • FIXED: The getHttpHeader method in the request object is now also properly accessible from EL expressions in the esauth4.xml. (NEVISAUTH-4331)
  • FIXED: The AuthorizationServer transition with invalid-redirect-uri now displays an error message on the UI instead of redirecting to the invalid uri. (NEVISAUTH-4362)
  • FIXED: The SQL OOCD incorrectly stored timestamps in the system default timezone in the reap_timestamp column (the remote session store is not affected). After the fix, UTC timestamps are always stored. Existing data can be migrated with the following script if required (in case your nevisFIDO instance was NOT running in UTC, or existing sessions are required to stay consistent):
    UPDATE nevisauth_out_of_context_data_service SET reap_timestamp = CONVERT_TZ(reap_timestamp, 'Europe/Zurich', 'UTC');
    Replace 'Europe/Zurich' with the timezone nevisAuth was actually running in. When you check the data, note that mysql or any other client converts timestamps to the timezone of the session. To see the UTC timestamp values in your SQL client, switch the client's session timezone to UTC first:
    SET @@session.time_zone = '+00:00';
    (NEVISAUTH-4265)
  • FIXED: We have removed the validation between the client_id in the token and the client_id in the Authorization header for the token introspection endpoint. (NEVISAUTH-4402)
  • FIXED: We fixed parallel requests producing a StaleSessionException when using the same nevisAuth session. The issue happened when one of them killed the session. (NEVISAUTH-4422)
  • FIXED: The local session reaper now removes invalid sessions from memory to avoid filling it up. The issue can arise when using ThottleSessionState or SAML logout (via the logout nevisAuth operation). (NEVISAUTH-4405)
  • FIXED: We fixed an error in the state handling of the session which caused the initial session state information to be lost when synchronizing to the database. This could cause the pre-generated session id not to be used despite the warning "Keeping existing session to honor sessionIdPreGenerate" being printed. The fix is only applicable to new sessions; existing sessions cannot be fixed. (NEVISAUTH-4017)
  • FIXED: The Content Type header (cty) with value JWT is added for Access Tokens and ID Tokens that contain JWT tokens in the payload. (NEVISAUTH-4426)
  • FIXED: The Type header (typ) with value JWT is added for the nested tokens within the payload of Access Tokens and ID Tokens. (NEVISAUTH-4426)
  • FIXED: The auth_time claim is added to ID Tokens. (NEVISAUTH-4436)
  • FIXED: The incorrect default plugin path, which produced the error "Skipping unreadable file or directory on classPath: /opt/nevisauth/plugin/lib", was corrected to /opt/nevisauth/plugin. This happens when the auth state classPath is set together with classLoadStrategy="PARENT_LAST"; in this case the path /opt/nevisauth/plugin is automatically added to the auth state classPath as the last entry. (NEVISAUTH-4433)
  • FIXED: SAML SP-initiated SOAP logout no longer fails with a NullPointerException. (NEVISAUTH-4444)
  • FIXED: Access tokens are now signed with the ES256 algorithm instead of RS256 when using Elliptic Curve keys. (NEVISAUTH-4427)
  • FIXED: The OAuth2 authorization request no longer throws an error from the OOCD; the maximum length of the Client ID is limited to 500 characters. (NEVISAUTH-4401)
  • FIXED: The SessionCoordinator accidentally released the write lock on the session when getSession was called while the session was already write-locked from the same thread. This should only concern you if you use the SessionCoordinator directly in a custom auth state, or if a unit test acquired the session to assert some properties without releasing it; such tests may now fail, depending on what exactly they do. (NEVISAUTH-4442)
  • FIXED: The session object sometimes returned incorrect creation and last access times. This should only concern you if you built any logic on those fields. (NEVISAUTH-4382)
  • FIXED: The JWTToken and AccessTokenConsumer auth states now support private keys with an elliptic curve algorithm when using PKCS11 integration (typically an HSM). Note that in this case the keycurve parameter must be specified, as the algorithm cannot be extracted from the key itself. (NEVISAUTH-4449)
  • FIXED: The killSessions method of SessionCoordinator stopped killing sessions when an invalid session was found in the list of sessions to be killed. (NEVISAUTH-4382)
  • FIXED: We fixed the incorrect issue_date for refresh token. (NEVISAUTH-4469)
  • FIXED: Fixed an initialization failure when using key material from an HSM via PKCS11. (NEVISAUTH-4085)
  • FIXED: Fixed a deadlock occurring when several clients using the same session attempt to authenticate at the same time. (NEVISAUTH-4525)
  • FIXED: We fixed the error response for a missing response type in Authorization requests. (NEVISAUTH-4494)
  • FIXED: Fixed OAuth2 JWT Bearer Authorization Grant and JWT Client authentication not working correctly. (NEVISAUTH-4596)
  • FIXED: OAuth2 now only returns an error redirect when a valid redirect_uri is provided. (NEVISAUTH-4627)
  • FIXED: We made the encryption of the AccessToken work also for OAuth2. (NEVISAUTH-4630)
  • FIXED: We fixed corrupted SecToken generated by JWT Bearer Grant Authentication flow. (NEVISAUTH-4631)
  • FIXED: Fixed a BadConfigurationException when setting the nevismeta.httpclient.authorization.basic.* properties. (NEVISAUTH-4520)
  • FIXED: Fixed the actorCert not being extracted from the HTTP request. (NEVISAUTH-4649)
  • UPDATE: The Token Introspection Service now checks in advance whether the requested token was revoked. (NEVISAUTH-3433)
  • UPDATE: New property introspectionService for AccessTokenConsumer to call the TokenIntrospection endpoint and check whether the token is still active before continuing validation. For more information, see AccessTokenConsumer. (NEVISAUTH-3433)
  • CHANGED: TokenIntrospectionService now returns all the claims that are available in the token.
  • CHANGED: LitDict files are loaded as UTF-8 character encoded files by default, instead of ISO-8859-1. There is no automatic migration for existing LitDict files. The configuration option to control the character encoding during LitDict file loading still exists but was deprecated. For more information, see Language support. (NEVISAUTH-3477)
  • CHANGED: The automatic reload of logging configuration is supported by using the monitorInterval property of log4j2. The previous configuration option ch.nevis.tracing.refresh is removed. (NEVISAUTH-3519)
  • CHANGED: When processing an empty key, such as the default value of a GUI label, against the LitDict, an exception is no longer thrown, but an empty result is generated instead. (NEVISAUTH-3536)
  • CHANGED: The path attribute of the JWKs REST service has changed its meaning and its default value. The parameter is now the whole path of the service instead of only the base part. This means that we do not add anything automatically to the value of the parameter for building the path of the service. We also changed its default value according to this new approach. (NEVISAUTH-3453)
  • CHANGED: The transferId initiated by nevisProxy is replaced by the traceparent which consists of the trace_id and span_id. (OpenTelemetry terminology) In nevisAuth interfaces the TransferId is renamed to TraceId, in log patterns you can reference it via %X{trace_id}. The jcan.Op logging category is replaced by OpTrace - INFO for regular tracing, DEBUG for more detailed information. See OpenTelemetry monitoring setup (NEVISAUTH-4508)
  • CHANGED: nevisAuth now communicates with nevisMeta for Persisted Consent and Refresh Token using JSON instead of XML. (NEVISAUTH-4555)
  • CHANGED: OAuth Token Introspection Endpoint always returns Bearer as the token_type in the response. (NEVISAUTH-3674)
  • CHANGED: The Discovery endpoint shows subject_type_support when openid.support is set to true in AuthorizationServer. (NEVISAUTH-3779)
  • CHANGED: JWKs Service or JWKs URI must be set when openid.support is set to true in AuthorizationServer. (NEVISAUTH-3779)
  • CHANGED: HttpClients in AuthStates are now created at AuthState initialization and not per request processing. Connection pooling can be properly configured now. (NEVISAUTH-4010)
  • CHANGED: Communication between nevisAuth and nevisMeta configured in the AuthorizationServer uses the ETag and the If-None-Match headers. You have to upgrade nevisMeta to 1.18.x.y before upgrading nevisAuth to 4.38.x.y. (NEVISAUTH-3918)
  • CHANGED: StringUtils, StringEscapeUtils, DateFormatUtils and DateUtils used in esauth4.xml expressions now use commons-lang3, which is backwards compatible. (NEVISAUTH-1864)
  • CHANGED: All HTTP client implementations of nevisAuth and the corresponding auth states have been replaced with a new implementation, visit Appendix H for more details. (NEVISAUTH-3513)
  • CHANGED: We did a major cleanup in the session handling, which has 2 implications for custom AuthStates: the LocalSession type was merged into the Session type, the SessionCoordinator interface now contains all operations accessed by AuthStates therefore the LocalSessionCoordinator was deleted. (NEVISAUTH-3902)
  • CHANGED: Breaking changes in the session configuration. The SessionCache element is removed, configuration attributes are redistributed to the SessionCoordinator, SessionIndexing, LocalSessionStore and RemoteSessionStore elements. Most of the default values changed. Documented in more details in the migration guide. (NEVISAUTH-3902)
  • CHANGED: ConsentState now creates HttpClient per auth state, not per request. (NEVISAUTH-3596)
  • CHANGED: The excessive warning message renderElement evaluated to 'null' is now only logged on debug level. (NEVISAUTH-4096)
  • CHANGED: The nevisauth-test-authstateharness testing framework and the nevisAuth SDK examples now use JUnit 5. (NEVISAUTH-3865)
  • CHANGED: We simplified the JSON event logging in nevisAuth. The nevisevents-1.1.6.2.jar has been removed, the system property -Dch.nevis.events.config is no longer used and nevisevents.xml is not used. To enable the JSON event logging configure the ch.nevis.esauth.events logging category in the logging.yml to INFO. To disable it configure the ch.nevis.esauth.events logging category to FATAL. The previous logging category nevis.events is no longer effective, replace that with ch.nevis.esauth.events. Note that previously this logging category did not exist, therefore the logging level of the root logger will be applied to older nevisAuth instances. (NEVISAUTH-3937)
  • CHANGED: We added a validation for the token endpoint request. From now on the AuthorizationServer will not accept requests of a confidential client using an authentication method that doesn't match the one specified in the configuration of this client. If the authentication method for a confidential client is not set in the configuration, it's assumed to be client_secret_basic, as the standard mandates. (NEVISMETA-1859)
  • CHANGED: Aligned the default timestamp behaviour on database level to avoid relying on the MariaDB default behaviour for update operations. nevisAuth is not affected at this point. For non-Docker-based setups, run the following script manually. (NEVISAUTH-4285)
    ALTER TABLE `TNSSA_AUTH_SESSION_CACHE` MODIFY COLUMN `ABSTO` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
    ALTER TABLE `nevisauth_out_of_context_data_service` MODIFY COLUMN `reap_timestamp` TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6);
  • CHANGED: The MobileSignatureState is now using the CMS implementation from BouncyCastle instead of PKCS7. (NEVISAUTH-3814)
  • CHANGED: The SapTicketIssuer is now using the CMS implementation from BouncyCastle instead of PKCS7. (NEVISAUTH-4376)
  • CHANGED: Method lookup in the EL expressions in esauth4.xml now prefers method matches with exact arguments over varargs matches. Previously the result of an expression could be unpredictable when the called method also had a vararg variant: the result changed randomly depending on the order in which reflection returned the methods. An example of a method call susceptible to this error is StringUtils.join. (NEVISAUTH-4180)
  • CHANGED: The deprecated Java X509Certificate.getSubjectDN() and X509Certificate.getIssuerDN() method calls were replaced in the nevisAuth codebase. nevisAuth used the non-standard Java formatting getSubjectDN().getName() to obtain the String DN representation. To remain backwards compatible we now use X509Certificate.getSubjectX500Principal().toString(), which produces the same formatting as the old call. Note that X509Certificate.getSubjectX500Principal().getName() uses RFC 2253 formatting, which differs from the non-standard format; keep this in mind if you have to make the same change in custom auth states. The following auth states are affected: X509Login, MobileSignatureState, WSSHeaderValidation, SAML. Certificate handling in general and the SecurityTokenService are affected as well. Furthermore, the non-standard RDN attribute separator / is no longer supported in the X509Login. (NEVISAUTH-4132)
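The two DN string forms mentioned above, side by side, as an added example (this is not nevisAuth code): the certificate-based helpers are what a custom auth state would call after the migration, and the main method demonstrates the difference on a constructed X500Principal so no certificate file is needed. The class and method names are assumptions for illustration.

```java
import javax.security.auth.x500.X500Principal;
import java.security.cert.X509Certificate;

/**
 * Added example, not part of nevisAuth: shows the backwards-compatible DN string
 * (toString()) next to the RFC 2253 form (getName()).
 */
public final class DnFormatting {

    /**
     * Backwards-compatible form: X500Principal.toString() yields the same
     * non-standard formatting as the removed getSubjectDN().getName().
     */
    public static String legacySubjectDn(X509Certificate cert) {
        return cert.getSubjectX500Principal().toString();
    }

    /** RFC 2253 form: no spaces after the separators, attribute types normalised. */
    public static String rfc2253SubjectDn(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    public static void main(String[] args) {
        // Constructed sample DN; in an auth state it would come from cert.getSubjectX500Principal().
        X500Principal subject = new X500Principal("CN=Alice Example, OU=Dev, O=Example Corp, C=CH");

        // Compatible with the old getSubjectDN().getName() formatting.
        System.out.println("toString()       : " + subject.toString());
        // RFC 2253 (default of getName()) differs, e.g. in the separator spacing.
        System.out.println("getName(RFC2253) : " + subject.getName(X500Principal.RFC2253));
        // RFC 1779 is yet another form and must not be confused with the legacy one.
        System.out.println("getName(RFC1779) : " + subject.getName(X500Principal.RFC1779));
    }
}
```

When a custom auth state compares DNs with configured values (for example an allow list of issuer DNs), the comparison must use the same form on both sides; mixing toString() with getName() output silently breaks the match.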
  • CHANGED: We now set the java.io.tmpdir system property by default to /var/opt/nevisauth/<instance>/tmp. When nevisAuth is started, Jetty unpacks the nevisauth .war file there and requires it at runtime. Originally the system /tmp folder was used for this purpose; however, in some cases a system cleanup job deletes the Jetty-prefixed directories, which causes nevisAuth to return errors. (NEVISAUTH-4461)
  • CHANGED: Added back the connectionMaxLifeTime for the remote session store; the default value is now 1800000 (30 minutes). (NEVISAUTH-4473)
  • CHANGED: OOCD, Session and SecToken related interfaces are changed to use Instant and Duration types instead of Date and long. The useGmt configuration option is removed from the TokenSpec in the TokenAssembler (default was useGmt=true). Note that in case you used useGmt=false in the TokenAssembler the system will be switched to use UTC and all currently valid sectokens in your system will become invalid as the issue date is part of the signature. (NEVISAUTH-4173)
  • CHANGED: The default mail.transport.protocol is now smtps. If you did not specify this property, properties defined as mail.smtp will no longer work. Change those to mail.smtps. (NEVISAUTH-4201)
  • CHANGED: The nevisAuth session API only accepts String attribute values. Previously it was possible to add any value; if it was not a String, a warning was logged and the value was not saved to the database. This change can be tricky with ScriptStates, as Groovy does not perform type-safe checks on the session Map used in the scripts: it is possible to add and retrieve a non-String value inside the script, but a java.lang.ClassCastException occurs on the Java side. To make such errors easier to find, nevisAuth now actively checks for non-String values after the execution of the script and throws an error detailing what is wrong. In your scripts you might have to change the behaviour to store a String value, either by changing your logic or by serialising your object to a String. (NEVISAUTH-4424)
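The post-script check described above, reproduced on a constructed session map, together with the serialise-to-String fix, as an added example (this is not nevisAuth code; the class, the check methods and the session attribute names are assumptions for illustration).

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not part of nevisAuth: finds non-String session values the way
 * the post-ScriptState check does, and shows how a script should store them instead.
 */
public final class SessionValueCheck {

    /** Returns "key (type)" for every non-String value; an empty list means the session is valid. */
    public static List<String> nonStringKeys(Map<String, Object> session) {
        List<String> offending = new ArrayList<>();
        for (Map.Entry<String, Object> e : session.entrySet()) {
            Object value = e.getValue();
            if (value != null && !(value instanceof String)) {
                offending.add(e.getKey() + " (" + value.getClass().getName() + ")");
            }
        }
        return offending;
    }

    /** Fails fast with a message naming the offending attributes. */
    public static void assertStringValues(Map<String, Object> session) {
        List<String> bad = nonStringKeys(session);
        if (!bad.isEmpty()) {
            throw new IllegalStateException("non-String session attributes: " + bad);
        }
    }

    public static void main(String[] args) {
        // Constructed session contents, as a not-yet-migrated script might leave them.
        Map<String, Object> session = new LinkedHashMap<>();
        session.put("example.loginTime", Instant.parse("2024-05-01T10:15:30Z")); // Instant, not String
        session.put("example.roles", List.of("admin", "user"));                  // List, not String
        session.put("example.user", "alice");                                    // fine

        System.out.println("offending keys: " + nonStringKeys(session));

        // The fix: store a String representation and parse it back where it is read.
        session.put("example.loginTime", Instant.parse("2024-05-01T10:15:30Z").toString());
        session.put("example.roles", String.join(",", List.of("admin", "user")));
        assertStringValues(session); // passes now

        Instant loginTime = Instant.parse((String) session.get("example.loginTime"));
        String[] roles = ((String) session.get("example.roles")).split(",");
        System.out.println("login time read back: " + loginTime + ", roles: " + roles.length);
    }
}
```

The read-back side matters as much as the write side: every place that previously cast the attribute to its original type (Instant, List) must now parse the String, otherwise the ClassCastException only moves from the script to the consumer.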
  • CHANGED: New Jetty version used in nevisAuth performs more strict validation for TLS connections. The SNI will be checked for matching the hostname in the configured certificate. (NEVISAUTH-4089)
  • CHANGED: The user and password configuration fallback of the SQL-based OOCD and remote session store is now also applied when the attributes are set to an empty value. The schema user password now falls back together with the schema user, not independently. An empty user or password for the data user is no longer accepted. (NEVISAUTH-4480)

What has been removed

General

  • DEPRECATED: The system property ch.nevis.esauth.litdict.charset.encoding to control the character encoding during LitDict file loading is deprecated. (NEVISAUTH-3477)
  • DEPRECATED: The verifySignature, verifyTrust, ignoreDataEncryption, ignoreKeyEncryption, extractX509SignerCertOnly and allowNamespaceQualifiedPasswordTypes configuration options in the WSSHeaderValidation auth state are deprecated and planned to be removed without replacement. (NEVISAUTH-3522)
  • REMOVED: The FileSystemOOCDService is removed. For testing purposes use the LocalOutOfContextDataStore configuration (in-memory). For production purposes use the RemoteOutOfContextDataStore configuration (SQL-based). By default, no OOCD is configured, as it is only required for certain use cases. If the OOCD is used while not configured, an error is thrown at runtime. SAML and OAuth2 / OIDC flows both require the OOCD, and so does any use of the OOCD in your esauth4.xml EL expressions, ScriptStates or custom Java AuthStates. Visit Appendix K for additional information. (NEVISAUTH-4329)
  • REMOVED: JavaScript support for the ScriptState is removed. Use Groovy scripts instead. (NEVISAUTH-4369)
  • REMOVED: Deprecated methods and command line utilities in jcan-sectoken are removed. (NEVISAUTH-3856)
  • REMOVED: Deprecated sectoken formats 0.9, 1.0, ASN1-1.0 are removed. Recommended format is CSSO-1.0. (NEVISAUTH-4011)
  • REMOVED: The EL expression variables AuthDateUtils, DateFormatUtils, DateUtils, DateTimeZone, DateTime are removed. Use the following java.time classes instead: Duration, DateTimeFormatter, Instant, LocalDate, LocalDateTime, ZonedDateTime, ZoneOffset, ZoneId, ChronoUnit. Visit Appendix J for more information; see also the tutorial and specification. (NEVISAUTH-4128)
  • REMOVED: The NevisSyslogAppender is no longer available. As a replacement we suggest SocketAppender. You can find the reasons and an example in the Logging configuration / Syslog section in the reference guide. (NEVISAUTH-3519)
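The java.time calls that take over the token-lifetime arithmetic formerly done with the removed Joda-based EL variables, and with the Date/long pairs of the old OOCD, session and sectoken interfaces, as an added example (this is not nevisAuth code; the class, the helper names and the constructed issue time are assumptions for illustration).

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;

/**
 * Added example, not part of nevisAuth: Instant + Duration replace Date + long
 * for issue time and lifetime; DateTimeFormatter replaces the removed format helpers.
 */
public final class TokenTimes {

    /** Expiry as issue time plus lifetime; Duration replaces a long of milliseconds. */
    public static Instant expiry(Instant issued, Duration lifetime) {
        return issued.plus(lifetime);
    }

    /** True while 'now' lies in [issued, expiry); expiry itself is already invalid. */
    public static boolean isValid(Instant issued, Duration lifetime, Instant now) {
        return !now.isBefore(issued) && now.isBefore(expiry(issued, lifetime));
    }

    /** Pattern-based formatting in UTC, the zone the migrated system uses throughout. */
    public static String formatUtc(Instant instant, String pattern) {
        return DateTimeFormatter.ofPattern(pattern).withZone(ZoneOffset.UTC).format(instant);
    }

    /** Remaining lifetime, clamped at zero so callers never see a negative value. */
    public static Duration remaining(Instant issued, Duration lifetime, Instant now) {
        Duration left = Duration.between(now, expiry(issued, lifetime));
        return left.isNegative() ? Duration.ZERO : left;
    }

    public static void main(String[] args) {
        Instant issued = Instant.parse("2024-05-01T10:15:30Z");  // constructed issue time
        Duration lifetime = Duration.ofMinutes(30);

        System.out.println("issued  : " + DateTimeFormatter.ISO_INSTANT.format(issued));
        System.out.println("expires : " + formatUtc(expiry(issued, lifetime), "yyyy-MM-dd HH:mm:ss"));

        Instant tenMinutesLater = issued.plus(10, ChronoUnit.MINUTES);
        Instant oneMinuteAfterExpiry = expiry(issued, lifetime).plus(1, ChronoUnit.MINUTES);
        System.out.println("valid at +10 min : " + isValid(issued, lifetime, tenMinutesLater));
        System.out.println("valid at +31 min : " + isValid(issued, lifetime, oneMinuteAfterExpiry));
        System.out.println("remaining at +10 : " + remaining(issued, lifetime, tenMinutesLater));

        // ZonedDateTime replaces a Joda DateTime carrying a DateTimeZone, for display only;
        // comparisons stay on Instant so that zone rules never influence validity.
        ZonedDateTime local = expiry(issued, lifetime).atZone(ZoneId.of("Europe/Zurich"));
        System.out.println("expires (Europe/Zurich): " + local);
    }
}
```

Keeping validity checks on Instant is the point of the change: the signature of a sectoken covers the issue date, so any zone-dependent rendering must stay out of the comparison path.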
  • REMOVED: The Oracle JDBC and MSSQL JDBC jar are no longer bundled into the application, download them manually from Oracle and Microsoft. This only affects the JDBCAuthState. (NEVISAUTH-3086)
  • REMOVED: The method getHttpHeaderFromRequest in the AuthState base class is removed. Use the new request.getHttpHeader instead. (NEVISAUTH-4059)
  • REMOVED: Configuration file esauth4.management.xml used only for v1 and v2 nevisAdmin is removed. (NEVISAUTH-2520)
  • REMOVED: Custom SessionId generation by configuring your custom class using "file://..." in the sessionIdRandomBytes is removed. (NEVISAUTH-4381)
  • REMOVED: The constant TokenSignature.DFLT_ALGORITHM using SHA1 was removed from jcan-sectoken, use the value SHA256withRSA instead. (NEVISIDM-9456)
  • REMOVED: The nevisauth-test-authstateharness-fat no longer embeds the following 3rd party dependencies: log4j, slf4j, groovy-test, groovy-test-junit5, groovy-testng as these can easily cause an unresolvable version clash. (NEVISAUTH-4553)
  • REMOVED: The previously deprecated Couchbase support of the OOCD is removed completely. (NEVISAUTH-3466)
  • REMOVED: We removed the Groovy test libraries groovy-test, groovy-test-junit5, groovy-testng and their dependencies from /opt/nevisauth/plugin/. Because Groovy is used in ScriptStates, production code must not depend on test classes. (NEVISAUTH-3938)
  • REMOVED: We removed the vmargs legacy command in administrative cli. Use the nevisauth <instance> config env to configure the JAVA_OPTS. (NEVISAUTH-3134)
  • REMOVED: We removed the backwards compatibility system property ch.nevis.esauth.wstrust.SecurityTokenService.SecTokenHackURI. (NEVISAUTH-2098)
  • REMOVED: We removed the custom database driver setting mechanism using Class.forName() for the remote session store. In Kubernetes environments this sporadically caused nevisAuth to hang on startup, caused by a static initializer block deadlock between java.sql.DriverManager and org.mariadb.jdbc.Driver. The database driver to use is now determined entirely by the JDBC drivers on the classpath, based on the supplied JDBC URL. If you use MySQL, the database driver is determined by the implementation details of the driver. (NEVISAUTH-4076)
  • REMOVED: We removed the deprecated MySQL support in the remote session store. (NEVISAUTH-4078)
  • REMOVED: jcan-saml is now streamlined to its sole purpose: verifying SAML Assertions. Generation, signing and command line utilities are removed and jcan-saml-tools is discontinued. (NEVISAUTH-4134)

env.conf

  • REMOVED: We removed default heapdump and GC settings from default env.conf configuration template. (NEVISAUTH-3600)

esauth4.xml

  • REMOVED: We removed the AccessController child element from the AuthEngine section of the esauth4.xml. (NEVISAUTH-3902)
  • REMOVED: We renamed the Store logging category to LocalSessionStore and Syncer to RemoteSessionStore. (NEVISAUTH-3902)
  • REMOVED: We removed the name, mode, proxyTarget, proxyProvider, sessionCheckAccessOnly, sessionEstablishedAccessOnly, joinPolicy attributes and the AccessController, HandoverPolicy, Monitor child elements from the SessionCoordinator section of the esauth4.xml. (NEVISAUTH-3902)
  • REMOVED: We removed the name, notifierThreads attributes and the StaticSessionMember child element from the SessionCache section of the esauth4.xml. (NEVISAUTH-3902)
  • REMOVED: The syncDelay, syncRefreshInterval attributes of the RemoteSessionStore are removed. (NEVISAUTH-4387)
  • REMOVED: The deprecated securityLevel attribute of the esauth-server element in the esauth4.xml is removed. (NEVISAUTH-4387)
  • REMOVED: The deprecated server TLS configuration property require-client-auth is removed. Use the successor client-auth instead. (NEVISAUTH-3610)
  • REMOVED: The configuration option connectionMaxRetry of the remote session store was removed, no longer used with the new HikariCP based connection pooling. (NEVISAUTH-4097)
  • REMOVED: The deprecated http://www.adnovum.ch/schema/nevis_sectoken.xsd TokenType in the RequestSecurityToken object for the SecurityTokenService is removed, use http://nevis.ch/nevisauth/xsd/secToken#CSSO-1.0 instead. We no longer guess a default TokenType if none specified, clients must send the TokenType. (NEVISAUTH-4239)
  • REMOVED: The session option of the service.binding configuration option was removed. The session bound web service client was not saved in the database therefore rendering the option useless in most setups. This option could be configured in the SecurityTokenServiceClient, RadiusAuthState, MobileSignatureState. The default value remains thread. (NEVISAUTH-4424)
  • DEPRECATED: The remote session store property connectionMaxRetry is removed without a replacement as it belongs to the old connector implementation. Similar behaviour can be controlled by the new connectionTimeout property. (NEVISAUTH-4279)
  • DEPRECATED: The locale property of the SecurityTokenServiceClient is deprecated and will be removed without a replacement in one of the upcoming releases. By default, UTC is used. (NEVISAUTH-4173)
  • DEPRECATED: The useGmt property of the TokenSpec configuration in the esauth4.xml is deprecated and will be removed without a replacement in the future. The default value is true. (NEVISAUTH-4173)

Auth States

  • REMOVED: SapTicketValidator is removed without replacement. (NEVISAUTH-4126)
  • REMOVED: The UsernameToken auth state is removed. Use the WSSHeaderValidation instead with the transition untoken. (NEVISAUTH-4056)
  • REMOVED: HttpAuthState is removed. Refer to the ScriptState documentation for replacement options.
  • REMOVED: AdfsTokenRequester auth state is removed without replacement. (NEVISAUTH-3654)
  • REMOVED: ch.nevis.esauth.auth.states.saml.AuthnRequestProvider is removed without a replacement. (NEVISAUTH-3945)
  • REMOVED: ch.nevis.esauth.auth.states.saml.ProviderCommon is removed without a replacement. (NEVISAUTH-3945)
  • REMOVED: ch.nevis.esauth.auth.states.saml.SAMLProtocolDispatcher is removed without a replacement. (NEVISAUTH-3945)
  • REMOVED: ch.nevis.esauth.auth.states.saml.SAMLAssertion is removed without replacement. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.saml.SAMLResponse_WLS is removed without replacement. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.saml.SAMLResponse is removed without replacement. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.standard.SOAPDispatcher is removed without replacement. (NEVISAUTH-3822)
  • REMOVED: AssembleInArgs, CreateSessionState, SetIntoSession, AddEncodedOutArgs, AddSecurityRole, OutArgsToSession auth states are removed and superseded by the TransformAttributes. Note that the TransformAttributes does not keep the order of the property elements in the esauth4.xml, so do not rely on the order of how the variables are defined. Additionally, the syntax =~ is no longer supported in the condition of the property name. (NEVISAUTH-3971)
  • REMOVED: ch.nevis.esauth.auth.states.jndi.ConditionalDispatcherState is removed, use the ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState instead. Package rename only. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.standard.Dispatcher and ch.nevis.esauth.auth.states.jndi.DomainDispatcher are removed. For dispatching purposes use the ConditionalDispatcherState instead. (NEVISAUTH-4131)
  • REMOVED: ch.nevis.esauth.auth.states.mtan.MTANMailAuthState is removed, use the ch.nevis.esauth.auth.states.tan.TANState instead. AuthState rename only. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.saml.Consumer is removed, use the ch.nevis.esauth.auth.states.saml.ServiceProviderState instead. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.saml.Provider is removed, use the ch.nevis.esauth.auth.states.saml.IdentityProviderState instead. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.saml.RequestProcessor is removed, use the ch.nevis.esauth.auth.states.saml.IdentityProviderState instead. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.sectoken.SecTokenAssembler is removed, use the ch.nevis.esauth.auth.states.sectoken.TokenAssemblerState instead. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.standard.AuthCheckSingleSession is removed, use the ch.nevis.esauth.auth.states.standard.ThrottleSessionsState instead. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.standard.SendMail is removed, use the ch.nevis.esauth.auth.states.mail.SendMail instead. Package rename only. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.wsTrustClient.WsTrustClientState is removed, use the ch.nevis.esauth.auth.states.wstrust.SecurityTokenServiceClient instead. (NEVISAUTH-3822)
  • REMOVED: ch.nevis.esauth.auth.states.xml.SecTokenSecuredUrlDomProvider is removed, use the ch.nevis.esauth.auth.states.xml.DynamicIntervalUrlDomProvider instead. This is a utility class. (NEVISAUTH-3822)
  • REMOVED: AuthHandoverState is removed. (NEVISAUTH-4214)
  • REMOVED: The FrontendKerberosAuthState and BackendKerberosAuthState auth states are removed. The replacement for the FrontendKerberosAuthState is the KerberosLoginAuthState. The BackendKerberosAuthState has no replacement. (NEVISAUTH-3823)
  • REMOVED: AuthDispatcher auth state is removed. (NEVISAUTH-4445)
  • REMOVED: ClientCertInfo and ClientCertFingerprint are removed without replacement. (NEVISAUTH-4213)

Auth State Properties

  • REMOVED: Configuration option crlExpirationTolerance in the X509Login auth state is removed, use the replacement revocationCheckExpirationTolerance instead. (NEVISAUTH-3931)
  • REMOVED: The eCH SAML extension eCH-0113 is no longer supported. The ch.glue.suisseid:sdk:1.1.0 dependency is removed to improve security, as it is no longer in active use. (NEVISAUTH-3598)
  • REMOVED: Http support in DocumentProcessor and ConditionalDocumentProcessor AuthStates property parser.schema is removed. (NEVISAUTH-3658)
  • REMOVED: Backwards compatibility flag useStaticIv is removed. You can no longer enable insecure encryption in ReadFromCacheState, ConditionalDocumentProcessor, and TransformAttributes. (NEVISAUTH-2695)
  • REMOVED: aspsmssoap channel in the TAN auth state is removed, use the http channel instead. (NEVISAUTH-4135)
  • REMOVED: SwissPhoneXml TAN channel is removed, use the SwissPhone TAN channel instead. (NEVISAUTH-3645)
  • REMOVED: EMI/UCP TAN channel is removed without a replacement. (NEVISAUTH-3472)
  • REMOVED: The configuration properties smtpHost and smtpPort of the SendMail and the TAN auth states are removed. Use mail.smtp.host and mail.smtp.port instead. (NEVISAUTH-4201)

Third-party dependency changes

Removals

  • REMOVED: We removed the third-party dependencies commons-collections, commons-lang, commons-digester, commons-beanutils, which are optional dependencies of Jradius. If they are required for your use case, add them manually to the AuthState classpath. (NEVISAUTH-4164)
  • REMOVED: We removed the joda-time third-party dependency. (NEVISAUTH-4128)
  • REMOVED: We removed the commons-io third-party dependency. (NEVISAUTH-3887)
  • REMOVED: We removed the bcprov-jdk15on and bcpkix-jdk15on third-party dependencies (replaced by jdk18on). (NEVISAUTH-4115)
  • REMOVED: We removed the jcan-log and jcan-optrace third-party dependencies. OpTrace logging is replaced by OpenTelemetry. (NEVISAUTH-4089)
  • REMOVED: We removed the jcan-sec dependency. In case you used packages ch.nevis.jcan.sec.tools.* in your AuthState, you can replace that functionality with standard Java features or Bouncy Castle. (NEVISAUTH-3862)
  • REMOVED: We removed the nevis-common-commons-1.0.10.0.jar library from nevisAuth; the parts that nevisAuth required from it are now part of the nevisAuth code. (NEVISAUTH-3937)

Upgrades

  • UPGRADED: We upgraded the angus mail third-party dependencies to version 2.0.3. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the apache Http Client third-party dependencies to version 5.3.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the bouncy castle third-party dependencies to version 1.78. (NEVISAUTH-4641)
  • UPGRADED: We upgraded the commons-codec third-party dependency to version 1.16.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the commons-fileupload third-party dependency to version 1.5. (NEVISAUTH-4324)
  • UPGRADED: We upgraded the commons-pool third-party dependency to version 1.6. (NEVISAUTH-3568)
  • UPGRADED: We upgraded the eclipse moxy third-party dependency to version 2.7.12. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the fastInfoset third-party dependency to version 2.1.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the google autovalue third-party dependency to version 1.9. (NEVISAUTH-3568)
  • UPGRADED: We upgraded the groovy third-party dependencies to version 4.0.21. See groovy 4 release notes for changes. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the guava third-party dependencies to version 33.1.0-jre. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the hk2-api third-party dependency to version 3.0.3. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the hk2-locator third-party dependency to version 3.0.3. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the hk2-utils third-party dependency to version 3.0.3. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jackson third-party dependency to version 2.17.0. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the jakarta servlet api third-party dependency to version 6.0. (NEVISAUTH-4585)
  • UPGRADED: We upgraded the jakarta-activation-api, jakarta-annotation-api, jakarta-inject, jakarta-json-api third-party dependencies to version 2.1.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta-json-bind third-party dependency to version 3.0.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta-validation third-party dependency to version 3.0.2. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta.ws.rs.api third-party dependency to version 3.1.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta.xml.bind-api, jakarta.xml.ws-api third-party dependency to version 4.0.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jakarta.xml.soap-api third-party dependencies to version 3.0.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the javassist third-party dependency to version 3.29.0-GA. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the javax.mail:mail 1.4.7 third-party dependency to com.sun.mail:jakarta.mail 2.0.1.
  • UPGRADED: We upgraded the jaxb-impl third-party dependency to version 4.0.2. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the jaxen third-party dependency to version 2.0.0. (NEVISAUTH-4021)
  • UPGRADED: We upgraded the jaxrs third-party dependency to version 2.39.1. (NEVISAUTH-4280)
  • UPGRADED: We upgraded the jaxrs-ri third-party dependency to version 2.3.5. (NEVISAUTH-3471)
  • UPGRADED: We upgraded the jcan-saml, jcan-sectoken dependency to version 8.2405.0.x. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the jdom third-party dependency to version 2.0.6.1. Note that this can break custom Java and Groovy AuthStates if you use the package org.jdom. Version 2.x provides the org.jdom2 package naming, so org.jdom no longer works. (NEVISAUTH-3473)
  • UPGRADED: We upgraded the jersey third-party dependencies to version 3.1.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the jetty third-party dependencies to version 12.0.8. (NEVISAUTH-4585)
  • UPGRADED: We upgraded the jhlabs filters third-party dependency used in the CaptchaState to version 2.0.235-1. (NEVISAUTH-4124)
  • UPGRADED: We upgraded the json-smart third-party dependency to version 2.4.8. (NEVISAUTH-3468)
  • UPGRADED: We upgraded the ldap-unboundid third-party dependency to version 7.0.0. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the libphonenumber third-party dependency to version 8.13.34. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the log4j third-party dependencies to version 2.23.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the mariadb connector third-party dependency to version 3.3.3. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the mariadb jdbc driver third-party dependency to version 3.1.4. (NEVISAUTH-4324)
  • UPGRADED: We upgraded the mariadb-java-client third-party dependency to version 3.1.2. If you used configuration parameters in the JDBC URL, check the removed options here. Another notable difference is that the driver no longer sets certain properties, including autocommit: check your database configuration and add ?autocommit=true to your connection URL if needed. The new driver also allows better logging options, see here. (NEVISAUTH-3977)
  • UPGRADED: We upgraded the mimepull third-party dependency to version 1.10.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the nimbus oauth2 SDK third-party dependency to version 10.11. (NEVISAUTH-4324)
  • UPGRADED: We upgraded the nimbus oidc sdk third-party dependency to version 11.10.1. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the oauth2-oidc-sdk third-party dependency to version 9.43.1. (NEVISAUTH-3805)
  • UPGRADED: We upgraded the opensaml third-party dependencies to version 4.3.0. (NEVISAUTH-4075)
  • UPGRADED: We upgraded the opentelemetry api third-party dependency to version 1.37.0. (NEVISAUTH-4546)
  • UPGRADED: We upgraded the org.eclipse.persistence.asm third-party dependency to version 9.4.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the org.eclipse.persistence.core, org.eclipse.persistence.moxy third-party dependencies to version 4.0.1. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the parsson third-party dependency to version 1.1.6. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the postgresql jdbc driver third-party dependency to version 42.7.3. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the rhino third-party dependency to version 1.7.14. (NEVISAUTH-3568)
  • UPGRADED: We upgraded the saaj-impl third-party dependency to version 3.0.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the servlet API to version 5. Migration from javax.servlet packages to jakarta.servlet. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.12, which has a breaking change in custom AuthStates testing setups. Instead of log4j-slf4j-impl, use the new log4j implementation log4j-slf4j2-impl. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the snakeyaml third-party dependencies to version 2.0. (NEVISAUTH-3964)
  • UPGRADED: We upgraded the stax-ex third-party dependency to version 2.1.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the streambuffer third-party dependency to version 2.1.0. (NEVISAUTH-4089)
  • UPGRADED: We upgraded the tinyradius third-party dependency to version 1.1.3. (NEVISAUTH-3568)
  • UPGRADED: We upgraded the unboundid-ldapsdk third-party dependency to version 6.0.6. (NEVISAUTH-3804)
  • UPGRADED: We upgraded the woodstox third-party dependency to version 6.6.2. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the wss4j third-party dependency to version 3.0.3. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.4. (NEVISAUTH-4553)
  • UPGRADED: We upgraded the yasson third-party dependency to version 3.0.2. (NEVISAUTH-4089)