Skip to main content
Version: 8.2405.x.x RR

Appendix I - Java 17 upgrade and changes introduced with 7.2311.0.x

Together with Java 17 upgrade, a major cleanup was done in multiple places including the update of most dependencies. This appendix will guide you through the changes.

Custom auth states

It is recommended to recompile custom Java auth states, REST or SOAP services using Java 17 and nevisAuth artifacts version 7.2311.x. As all of those are likely to become incompatible.

Note, that recompilation does not warrant that everything will work fine. Even if the build is successful, runtime issues can still arise. Therefore, thorough testing of any custom development is recommended.

Nevis does not recommend and will not provide support for using Java 8 compiled custom Java auth states, REST or SOAP services in nevisAuth version 7.2311.x.

nevisAuth API changes

The following chapter summarizes the changes in the nevisAuth SDK.

caution

The following list does not contain every change made in the internal artifact nevisauth-core or other modules.

Date handling

Java 8 introduced a new java.time API which replaces the old legacy API (java.util.Date, java.utils.Calendar and more)

The community and industry seems to be lagging behind with introducing the new java.time API. This is caused by Java API itself using the legacy date API in core places, because it is very difficult to replace.

Third party libraries used by nevisAuth start to use the java.time API more and more. Therefore, Nevis also moved on to use the java.time API. This causes breaking changes in multiple places of the nevisAuth API.

As the date handling is quite complex, the separate Date Handling Changes guide you through the changes there.

OOCD

Changes in the OOCD interface because of the date handling and removing deprecated API & features. For more see OOCD Changes.

Session

WhereOldReplacement
NevisSessiongetAttributeNamesgetAttributeNamesIterator
NevisSessionacquireReadOnly
NevisSessionacquireReadWrite- (moved to Session)
NevisSessionrelease- (moved to Session)
NevisSessionObject getData();Map<String, String> getData();
NevisSessionObject getAttribute(String name);String getAttribute(String name);
NevisSessionvoid setAttribute(String name, Object value);void setAttribute(String name, String value);
SessionisInitialisAuthentic Note it is the inverse!
SessiongetDomainMappings
SessionsetDomainMappings
ScriptStateMap<?,?> sessionMap<String,String> session

ScriptStates

The change that the Session attributes are only accepting String has a special caveat in Groovy scripts.

Map and types in Groovy

Groovy itself does not enforce types strictly on a Map object; thus in a groovy script, you can actually set a non String object in a String typed Map. This behaviour causes a ClassCastException in nevisAuth when the Session is accessed from the Java code.

To mitigate this the ScriptState will check the session attributes for any non String values and throw an exception with the name of the keys and types.

A special case of this is when a org.codehaus.groovy.runtime.GStringImpl type is added as a Session attribute. This happens when using an expression inside double quotes. Example: session.put("outarg.$name", value) working replacement: session.put('outarg.' + name, value).

Below is an example of how to convert non String objects to JSON to store it in the session. Based on our experience, the most typical case is when a script try to store a Map object in the session. In some cases a simple concatenation could also work - but using the JSON utilities from Groovy reduces the chance of an error. (You don't have to worry about escaping.) As serialisation is a complex topic, this approach might not work with more complex Java types.

Map to JSON example
import groovy.json.JsonOutput
import groovy.json.JsonSlurper

def originalMap = [
key1: 'value1',
key2: 'value2'
]
session.put('test', JsonOutput.toJson(originalMap));

def restoredMap = new JsonSlurper().parseText(session['test'])
Storing Objects as Strings

In previous versions nevisAuth did not store non String session attributes in the remote session store. When migrating to store session attributes in String format in your scripts, mind that now nevisAuth also stores those in the database. In case you just temporarily stored some objects in the session and relied on the remote session store to throw them away, now you have to take care of removing those from the session yourself. (If those are not to be stored in the session on the long term.)

AuthEngine / AuthState general

WhereOldReplacement
AuthConstDEFAULT_TRANSITIONDEFAULT_RESULT
AuthConstLAST_TRANSITIONLAST_RESULT
AuthConstLAST_STATECURRENT_STATE
AuthConstINVALID_INPUTAUTH_FAILED
AuthConstNEVIS_AUTH_GUI
AuthStateisInitialDispatcher
AuthStategetAttributegetMandatoryAttribute or getOptionalAttribute
AuthStateconvertListDescriptorgetListAttribute
AuthStategetHttpHeaderFromRequestrequest.getHttpHeader
AuthStategetTransitiongetTransition with AuthRequest and AuthResponse parameters
AuthTransitiongetNamegetTriggeringCondition
AuthTransitiongetStategetTargetState
AuthRequestgetDomainMapping
AuthRequestgetDomainMappings
AuthResponsesetDomainMappings
AuthResponseaddDomainMapping
AuditablegetDomainMappings
EL expressionaddDomainMapping

Utilities

OldReplacement
CommandStarter, CommandWaiter, StreamConnectorCommandExecutor
deprecated encryptWhereNeccessary method in the Communicator, EncrypterencryptWhereNeccessary with additional arguments
AuthSSLContextFactory
AuthSSLX509TrustManager
Command line utilities in jcan-saml
SAML Assertion / Response generation signing in jcan-samlUse OpenSaml 4.
jcan-saml-tools.jar
Command line utilities in jcan-sectoken
Deprecated methods in jcan-sectoken

OpTracing

Implementation

The old library jcan-optrace relies on the javax.servlet API, therefore it is not compatible with the new Java 17 nevisAuth release. As Nevis does not have the source of this library the jcan.Op OpTrace logs will be replaced by using OpenTelemetry Java agent.

Default behaviour

By default, the nevisAuth RPM package does not contain the binaries or configuration for OpenTelemetry therefore by default there is no OpTrace. To set up OpenTelemetry check out the guide here.

Configuration

OpenTelemetry requires Java agent configuration in the env.conf and its own configuration file, see the guide for more.

Configuration changes

OOCD

Changes in the OOCD configuration to unify the database related configurations in nevisAuth. For more see Appendix K.

esauth4.xml

Property changes

WhereOldReplacement
RemoteSessionStoreconnectionMaxRetry
SendMail & TansmtpHostmail.smtp.host
SendMail & TansmtpPortmail.smtp.port
esauth-serversecurityLevel
X509LogincrlExpirationTolerancerevocationCheckExpirationTolerance

Property value changes

WherePropertyChange
RemoteSessionStoreproviderlegacyjdbc provider option removed
RemoteSessionStoresessionIdRandomBytescustom class support using "file://..." removed
SecurityTokenServiceClient RadiusAuthState MobileSignatureStateservice.bindingsession option removed

env.conf JAVA_OPTS

JVM system properties from Java

Some JVM system properties are discontinued in Java:

  • -XX:+UseConcMarkSweepGC
  • -XX:+UseParNewGC

There might be others, we don't have a complete list of those. In case you have a no longer supported JVM system property you will encounter an error like this:

Sep 05 09:13:01 10a605af06ed nevisauth-server[2026]: Unrecognized VM option 'UseConcMarkSweepGC'
Sep 05 09:13:01 10a605af06ed nevisauth-server[2026]: Error: Could not create the Java Virtual Machine.
Sep 05 09:13:01 10a605af06ed nevisauth-server[2026]: Error: A fatal exception has occurred. Program will exit.
caution

The error message above will be present in the system out therefore in the systemd journal. As the process fails before logging could be set up.

System properties can be removed because of turned on by default:

  • -server -> default on 64bit vms
  • -XX:+UseContainerSupport -> default true

Nevis system properties

The following properties can be removed:

  • -Dch.nevis.bc.io.TracerCfg related to the logging framework, not used.
  • -Dch.nevis.tracing.refresh related to the logging framework, not used.
  • -Djava.security.krb5.conf the new KerberosLogin auth state does not support impersonation/delegation, so it is not a “Kerberos client” anymore.
  • -Dch.nevis.esauth.litdict.charset.encoding By default nevisAuth uses UTF-8. In case you have your litdict files UTF-8 encoded (which they should be) it is not necessary to define this.
  • -Dch.nevis.esauth.wstrust.SecurityTokenService.SecTokenHackURI old backwards compatibility flag.

Java 17 API changes

This chapter contains the non nevisAuth specific changes caused by upgrading Java to version 17.

Java modules (JPMS)

nevisAuth and the authentication components do not define any Java modules JPMS. Components rely on the automatic unnamed module handling of Java. This is a backwards compatibility feature allowing access to all codebase as before Java 9 when there was no JPMS.

Introducing JPMS would cause severe restrictions on what can be accessed from the nevisAuth codebase, therefore custom Java auth states developed by customers would no longer be able to access code from the nevisauth-core jar, only nevisauth-authstate-api and nevisauth-commons.

note

Accessing code from nevisauth-core is already considered a bad practice and is done at your own risk. Though we are aware that because of historical reasons many rely on nevisauth-core. We recommend using the offical SDK which is shipped in the nevisauth rpm package and mainly consist of the nevisauth-authstate-api and nevisauth-commons.

In the future, JPMS modules will be introduced at some point which will probably require additions to our SDK, however without our knowledge of what customers exactly require there will be no extensions. Therefore, again we recommend customers currently relying on nevisauth-core to try to use the SDK and inform us via the official support channels if something is missing.

Java internal packages

Even though nevisAuth itself does not define JPMS modules, Java 17 already have modules itself. You can no longer access Java packages which are considered to be internal by Java itself.

In case you used a Java internal package which is no longer public, you will receive a compile error. In certain cases for example reflection usage might be only spotted at runtime.

Internal Java modules/packages we encountered in the nevisAuth during the Java 17 migration (this is not a complete list of all Java internal modules):

  • java.security.jgss/sun.security.krb5
  • java.security.jgss/sun.security.krb5.internal
  • java.security.jgss/sun.security.krb5.internal.ccache
  • java.security.jgss/sun.security.jgss
  • java.security.jgss/sun.security.jgss.krb5
  • java.base/sun.security.provider
  • java.base/sun.security.util
  • java.base/sun.security.pkcs
  • java.base/sun.security.x509

Some of the security features can be accessed via the java.security package. Though it does not expose the whole feature set previously available via sun.security. In some cases you might have to find replacement implementations for example using Bouncy Castle.

It is also possible to encounter a third party dependency which uses Java internal API and because of that you can no longer use it. These typically only surface at runtime. Unless you use the --add-exports command line option and specify a module/package to force Java to expose that internal API. The --add-exports option is a last resort for backwards compatibility, it is not recommended and not clear how long will be available. At Nevis we used this approach in our unit testing setup in one case, where Mockserver uses internal Java API for dealing with X509 certificates. You can find the example for this in the pom.xml in the SDK example project in the RPM.

caution

Nevis cannot provide support for replacing Java internal package usages in custom auth states. Nevis does not recommend and support the usage of --add-exports parameters to make internal Java API publicly available in production code.

SubjectDN and IssuerDN

Java X509Certificate.getSubjectDN() and X509Certificate.getIssuerDN() method are deprecated.

The method getSubjectDN().getName() used a non-standard format for getting the String DN representation (This comes from Java). It was used in multiple places in nevisAuth and possibly also in custom auth states or groovy scripts.

To remain backwards compatible we use X509Certificate.getSubjectX500Principal().toString() which uses the same formatting as the old one. Note that X509Certificate.getSubjectX500Principal().getName() will use RFC-2253 formatting, which is different from the non-standard format.

The following auth states are affected:

  • X509Login
  • MobileSignatureState (special because the SubjectDN is stored in nevisIdm)
  • WSSHeaderValidation
  • SAML

Additionally, certificate handling in general and the SecurityTokenService. Furthermore, the non-standard RDN attribute separator / is no longer supported in the X509Login.

Default encoding

We noticed changes of the default encoding in some places in from ISO-8559-1 to UTF-8 which is the Java 17 default. We are not aware of the extent of these changes in Java itself or third party libraries. Based on our testing nevisAuth is not affected, because in most cases the encoding can be configured, so the Java default value does not matter. So far we are only aware of nevisLogRend being affected. However, there is a possibility that we did not notice some parts which may be affected.

Furthermore, it is possible that in custom auths states this default value change causes encoding errors, which can be fixed by either providing the desired encoding or changing the encoding to UTF-8.

Data changes

OOCD

The deprecated File based OOCD was removed, in case you used that you might want to preform a data migration to an SQL database, see Appendix K.

3rd party dependencies

Most of the 3rd party dependencies used in nevisAuth were upgraded to the latest version. Many of these had to be upgraded in the same time because of multiple dependencies interlocking with each other. Example of this are WSS4j, OpenSAML and Bouncy Castle.

Changes in dependency versions

The dependency upgrades can cause breaking change in custom auth states as in many occasions a new major version is used, which often have different artifact names and groupings.

The following chapters list the major upgrades which in our opinion could cause issues with custom auth states or groovy scripts.

Bouncy Castle 1.7.x

Bouncy Castle dependencies are upgraded to 1.7.x from version 1.6.x. The more noteworthy change is that now we are using the -jdk18on artifacts instead of the -jdk15on.

Groovy 4.x

The Groovy library responsible for running Groovy ScriptStates is upgraded to version 4.x from the previous 3.x. See Groovy 4 release notes.

JAXB 4.x / JAX-WS 4.x / JAX-RS 3.x

JAXB, JAX-WS are upgraded from version 2.x to 4.x. JAX-RS is upgraded from 2.x to 3.x.

This could have an impact in case you have a custom SOAP webservice or REST implementation.

EL expressions / EL API 5.0

We upgraded to EL API 5.0 from 2.0. Nevis did not notice any breaking changes during testing, however it is worth keeping this change in mind.

Jetty 11.x

Jetty is upgraded to version 11.x from version 9.x. This should have no noticable impact for nevisAuth users.

The only thing noticed so far is that the TLS connection validation is stricter. It requires the SNI to match the hostname of the server side certificates.

OpenSAML 4.x

The OpenSAML dependency is upgraded to version 4.x from version 2.x. This can cause issues in case you have a SAML related custom auth state.

This upgrade is tightly coupled with the WSS4j upgrade from 1.x to version 3.x. (WSS4j depends on OpenSAML) The Wss4j dependency is mainly restricted to the WSSHeaderValidation auth state.

Servlet API 5 and JavaX / Jakarta packages

Mainly coupled with the Jetty upgrade we also switched to Servlet API version 5 from the previous version 3.1.

Could affect custom REST services or perhaps third party dependencies used by custom auth states which are using javax.servlet API. Those might become incompatible.

Note that the component Ninja used to validate SecTokens is now also using the jakarta.servlet API.

Removed dependencies

Removed / changed dependencies which in our opinion could affect custom auth states:

OldReplacement
bcprov-jdk15onbcprov-jdk18on
bcpkix-jdk15onbcpkix-jdk18on
bcutil-jdk15onbcutil-jdk18on
commons-beanutils
commons-collections
commons-digester
commons-langcommons-lang3
commons-iouse Java API
joda-timeuse the java.time API
jcan-logslf4j
jcan-optraceOpenTelemetry
jcan-commons
jdomjdom2
kerberos-decodingkerb4j / kerby
info

Note that this table states the current behaviour out of the box. You can add any of these back or add other replacement libraries by specifying them on the auth state classpath. Though using old not maintained libraries is not recommended for security reasons.

The list above is not complete in a sense that it does not list all dependency version updates.

Looking for missing classes without IDE

When developing custom java auth states it is possible you encounter some classes which seems to be missing in the new release, a good starting point can be where this class was before in the previous version.

As nevisAuth is packaged into a .war file, so simply searching under /opt/nevisauth might not give a complete result. Therefore, it makes sense unpack it first: cd /opt/nevisauth/deploy && unzip nevisauth.war && cd ... To locate in which jar a class is can be done using with the following command: find /opt/nevisauth -name '*.jar' -exec grep -Hls YourClassNameGoesHere {} \;

Full list of dependency changes

4.40.3.07.2311.0.x
FastInfoset-1.2.18.jarFastInfoset-2.1.0.jar
HikariCP-4.0.3.jarHikariCP-5.0.1.jar
ant-1.10.12.jarant-1.10.14.jar
ant-antlr-1.10.12.jarant-antlr-1.10.14.jar
ant-junit-1.10.12.jarant-junit-1.10.14.jar
ant-launcher-1.10.12.jarant-launcher-1.10.14.jar
aopalliance-repackaged-2.6.1.jaraopalliance-repackaged-3.0.4.jar
apache-el-10.1.7.jar
asm-9.3.jarasm-9.5.jar
asm-analysis-9.5.jar
asm-tree-9.5.jar
asm-util-9.5.jar
bcpkix-jdk15on-1.60.jarbcpkix-jdk18on-1.76.jar
bcprov-jdk15on-1.60.jarbcprov-jdk18on-1.76.jar
bcutil-jdk18on-1.76.jar
cache-api-1.1.0.jar
checker-qual-3.36.0.jarchecker-qual-3.39.0.jar
commons-beanutils-1.9.4.jar
commons-collections-3.2.2.jar
commons-digester-1.8.jar
commons-httpclient-3.1.jar
commons-io-2.13.0.jar
commons-lang-2.6.jar
commons-lang3-3.12.0.jarcommons-lang3-3.13.0.jar
commons-pool-1.6.jarcommons-pool-1.5.4.jar
cryptacular-1.2.5.jar
ehcache-3.10.8-jakarta.jar
error_prone_annotations-2.18.0.jarerror_prone_annotations-2.21.1.jar
esapi-2.0.1.jar
filters-20101209.jarfilters-2.0.235-1.jar
groovy-3.0.18.jargroovy-4.0.15.jar
groovy-ant-3.0.18.jargroovy-ant-4.0.15.jar
groovy-astbuilder-3.0.18.jar
groovy-cli-picocli-3.0.18.jargroovy-cli-picocli-4.0.15.jar
groovy-console-3.0.18.jargroovy-console-4.0.15.jar
groovy-datetime-3.0.18.jargroovy-datetime-4.0.15.jar
groovy-docgenerator-3.0.18.jargroovy-docgenerator-4.0.15.jar
groovy-groovydoc-3.0.18.jargroovy-groovydoc-4.0.15.jar
groovy-groovysh-3.0.18.jargroovy-groovysh-4.0.15.jar
groovy-jmx-3.0.18.jargroovy-jmx-4.0.15.jar
groovy-json-3.0.18.jargroovy-json-4.0.15.jar
groovy-jsr223-3.0.18.jargroovy-jsr223-4.0.15.jar
groovy-macro-3.0.18.jargroovy-macro-4.0.15.jar
groovy-nio-3.0.18.jargroovy-nio-4.0.15.jar
groovy-servlet-3.0.18.jargroovy-servlet-4.0.15.jar
groovy-sql-3.0.18.jargroovy-sql-4.0.15.jar
groovy-swing-3.0.18.jargroovy-swing-4.0.15.jar
groovy-templates-3.0.18.jargroovy-templates-4.0.15.jar
groovy-xml-3.0.18.jargroovy-xml-4.0.15.jar
groovy-yaml-4.0.15.jar
guava-32.1.1-jre.jarguava-32.1.3-jre.jar
hk2-api-2.6.1.jarhk2-api-3.0.4.jar
hk2-locator-2.6.1.jarhk2-locator-3.0.4.jar
hk2-utils-2.6.1.jarhk2-utils-3.0.4.jar
httpclient-4.5.14.jar
httpcore-4.4.16.jar
ivy-2.5.2.jar
jackson-annotations-2.15.2.jarjackson-annotations-2.15.3.jar
jackson-core-2.15.2.jarjackson-core-2.15.3.jar
jackson-databind-2.15.2.jarjackson-databind-2.15.3.jar
jackson-dataformat-properties-2.15.2.jarjackson-dataformat-properties-2.15.3.jar
jackson-dataformat-yaml-2.15.2.jarjackson-dataformat-yaml-2.15.3.jar
jackson-datatype-jsr310-2.15.3.jar
jackson-module-jaxb-annotations-2.15.2.jar
jackson-module-jakarta-xmlbind-annotations-2.15.3.jar
jakarta.activation-api-1.2.2.jarjakarta.activation-api-2.1.2.jar
jakarta.annotation-api-1.3.5.jarjakarta.annotation-api-2.1.1.jar
jakarta.el-api-5.0.1.jar
jakarta.inject-2.6.1.jarjakarta.inject-api-2.0.1.jar
jakarta.json-1.1.6-module.jar
jakarta.json-1.1.6.jar
jakarta.json-api-1.1.6.jarjakarta.json-api-2.1.2.jar
jakarta.json.bind-api-1.0.2.jarjakarta.json.bind-api-3.0.0.jar
jakarta.jws-api-2.1.0.jar
jakarta.mail-api-2.1.2.jar
jakarta.transaction-api-2.0.0.jar
jakarta.validation-api-2.0.2.jarjakarta.validation-api-3.0.2.jar
jakarta.ws.rs-api-2.1.6.jarjakarta.ws.rs-api-3.1.0.jar
jakarta.xml.bind-api-2.3.3.jarjakarta.xml.bind-api-4.0.0.jar
jakarta.xml.soap-api-1.4.2.jarjakarta.xml.soap-api-3.0.0.jar
jakarta.xml.ws-api-2.3.3.jarjakarta.xml.ws-api-4.0.0.jar
jasypt-1.9.3.jar
java-support-8.4.0.jar
javaparser-core-3.25.1.jarjavaparser-core-3.25.5.jar
javax.servlet-api-3.1.0.jar
jaxb-core-4.0.2.jar
jaxb-impl-2.3.8.jarjaxb-impl-4.0.2.jar
jaxrs-ri-2.40.jarjaxrs-ri-3.1.3.jar
jaxws-rt-2.3.6.jarjaxws-rt-4.0.1.jar
jcan-commons-1.0.3.0.jar
jcan-log-api-1.8.3.0.jar
jcan-log-slf4j-1.8.3.0.jar
jcan-optrace-1.1.4.0.jar
jcan-optrace-jee5-1.1.4.0.jar
jcan-saml-7.2311.0.3.jar
jcan-saml-xmlbeans-1.1.8.0.jarjcan-saml-xmlbeans-7.2311.0.3.jar
jcan-sectoken-1.3.3.0.jarjcan-sectoken-7.2311.0.4.jar
jersey-client-2.40.jarjersey-client-3.1.3.jar
jersey-common-2.40.jarjersey-common-3.1.3.jar
jersey-container-servlet-2.40.jarjersey-container-servlet-3.1.3.jar
jersey-container-servlet-core-2.40.jarjersey-container-servlet-core-3.1.3.jar
jersey-entity-filtering-2.40.jarjersey-entity-filtering-3.1.3.jar
jersey-hk2-2.40.jarjersey-hk2-3.1.3.jar
jersey-media-jaxb-2.40.jarjersey-media-jaxb-3.1.3.jar
jersey-media-json-binding-2.40.jarjersey-media-json-binding-3.1.3.jar
jersey-media-moxy-2.40.jarjersey-media-moxy-3.1.3.jar
jersey-media-sse-2.40.jarjersey-media-sse-3.1.3.jar
jersey-server-2.40.jarjersey-server-3.1.3.jar
jetty-continuation-9.4.51.v20230217.jar
jetty-http-9.4.51.v20230217.jarjetty-http-11.0.17.jar
jetty-io-9.4.51.v20230217.jarjetty-io-11.0.17.jar
jetty-jakarta-servlet-api-5.0.2.jar
jetty-jndi-9.4.51.v20230217.jarjetty-jndi-11.0.17.jar
jetty-plus-9.4.51.v20230217.jarjetty-plus-11.0.17.jar
jetty-rewrite-9.4.51.v20230217.jarjetty-rewrite-11.0.17.jar
jetty-schemas-3.1.jarjetty-schemas-5.2.jar
jetty-security-9.4.51.v20230217.jarjetty-security-11.0.17.jar
jetty-server-9.4.51.v20230217.jarjetty-server-11.0.17.jar
jetty-servlet-9.4.51.v20230217.jarjetty-servlet-11.0.17.jar
jetty-util-9.4.51.v20230217.jarjetty-util-11.0.17.jar
jetty-util-ajax-9.4.51.v20230217.jar
jetty-webapp-9.4.51.v20230217.jarjetty-webapp-11.0.17.jar
jetty-xml-9.4.51.v20230217.jarjetty-xml-11.0.17.jar
joda-time-2.12.5.jar
juel-api-2.2.4.jar
juel-impl-2.2.4.jar
kerberos-decoding-4.40.3.0.jar
libphonenumber-8.13.17.jarlibphonenumber-8.13.23.jar
listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
mariadb-java-client-3.1.4.jarmariadb-java-client-3.2.0.jar
metrics-core-4.2.15.jar
mimepull-1.9.15.jarmimepull-1.10.0.jar
nevisauth-aspsms-4.40.3.0.jar
nevisauth-authstates-core-4.40.3.0.jarnevisauth-authstates-core-7.2311.0.6.jar
nevisauth-authstates-oasis-4.40.3.0.jarnevisauth-authstates-oasis-7.2311.0.6.jar
nevisauth-authstates-oauth-4.40.3.0.jarnevisauth-authstates-oauth-7.2311.0.6.jar
nevisauth-authstates-thirdparty-4.40.3.0.jar
nevisauth-core-4.40.3.0.jarnevisauth-core-7.2311.0.6.jar
nevisauth-jaxws-oasis-4.40.3.0.jarnevisauth-jaxws-oasis-7.2311.0.6.jar
nevisauth-misc-4.40.3.0.jarnevisauth-misc-7.2311.0.6.jar
nevisauth-mss-4.40.3.0.jarnevisauth-mss-7.2311.0.6.jar
nevisauth-rest-services-4.40.3.0.jarnevisauth-rest-services-7.2311.0.6.jar
nevisauth-server-4.40.3.0.jarnevisauth-server-7.2311.0.6.jar
nevisauth-webservices-4.40.3.0.jarnevisauth-webservices-7.2311.0.6.jar
nevisauth-webservices-generated-4.40.3.0.jarnevisauth-webservices-generated-7.2311.0.6.jar
nevisauth-xmlbeans-4.40.3.0.jar
nimbus-jose-jwt-9.30.2.jarnimbus-jose-jwt-9.35.jar
not-yet-commons-ssl-0.3.9.jar
oauth2-oidc-sdk-10.11.jaroauth2-oidc-sdk-11.2.jar
opensaml-2.6.4.jaropensaml-core-4.3.0.jar
opensaml-messaging-api-4.3.0.jar
opensaml-profile-api-4.3.0.jar
opensaml-saml-api-4.3.0.jar
opensaml-saml-impl-4.3.0.jar
opensaml-security-api-4.3.0.jar
opensaml-security-impl-4.3.0.jar
opensaml-soap-api-4.3.0.jar
opensaml-soap-impl-4.3.0.jar
opensaml-storage-api-4.3.0.jar
opensaml-xacml-api-4.3.0.jar
opensaml-xacml-impl-4.3.0.jar
opensaml-xacml-saml-api-4.3.0.jar
opensaml-xacml-saml-impl-4.3.0.jar
opensaml-xmlsec-api-4.3.0.jar
opensaml-xmlsec-impl-4.3.0.jar
openws-1.5.4.jar
org.abego.treelayout.core-1.0.3.jar
org.eclipse.persistence.asm-9.4.0.jarorg.eclipse.persistence.asm-9.5.0.jar
org.eclipse.persistence.core-2.7.12.jarorg.eclipse.persistence.core-4.0.2.jar
org.eclipse.persistence.moxy-2.7.12.jarorg.eclipse.persistence.moxy-4.0.2.jar
parsson-1.1.1.jar
picocli-4.6.3.jarpicocli-4.7.5.jar
policy-2.7.10.jar
saaj-impl-1.5.3.jarsaaj-impl-3.0.0.jar
slf4j-api-2.0.7.jarslf4j-api-2.0.9.jar
snakeyaml-2.0.jarsnakeyaml-2.1.jar
stax-ex-1.8.3.jarstax-ex-2.1.0.jar
streambuffer-1.5.10.jarstreambuffer-2.1.0.jar
velocity-1.7.jar
velocity-engine-core-2.3.jar
wss4j-1.6.16.jarwss4j-ws-security-common-3.0.1.jar
wss4j-ws-security-dom-3.0.1.jar
xmlbeans-3.1.0.jarxmlbeans-5.1.1.jar
xmlsec-1.5.8.jarxmlsec-3.0.3.jar
xmltooling-1.4.4.jar
yasson-1.0.11.jaryasson-3.0.3.jar

Troubleshooting

ERROR: Attribute "X" must be declared for element type "Y".

This error is a bit misleading by the jdom2 parsing library. It means that you used an attribute in the esauth4.xml which is not allowed because it was not defined. You are likely using an attribute which is no longer available because it has been removed. The solution is to either completely remove it or use the replacement if there is one.

org.jdom2.input.JDOMParseException: Error on line 22 of document file:/var/opt/nevisauth/default/conf/esauth4.xml: Attribute "X" must be declared for element type "Y".

BadMessageException: 400: Invalid SNI

This is the case mentioned above; Jetty 11 is stricter about the TLS connection validation than previous versions. The hostname used to connect to nevisAuth must match the hostname used in the certificates used by nevisAuth. (Configured in the nevisauth.yml server configuration)

This can be either done by:

  • Changing the url where you connect to from nevisProxy.
  • Changing the certificates to use a different host name.

AuthStateException: Non String session attribute was set

This exception is thrown intentionally from groovy ScriptStates. The session attributes only support String values. See here. Check the groovy script for the attribute mentioned in the exception and change the implementation to store the attribute value as String.

ch.nevis.esauth.auth.engine.AuthStateException: Non String session attribute was set by ScriptState 'Test_ScriptState'. Attribute 'test' is type 'java.util.ArrayList'

Unrecognized VM option

This exception is thrown when a JVM argument is used which is no longer support by Java 17. Either remove the argument or look for a replacement depending on the property.

nevisauth-server[2026]: Unrecognized VM option 'UseConcMarkSweepGC'
nevisauth-server[2026]: Error: Could not create the Java Virtual Machine.

The property in the example can be removed.

java.lang.NullPointerException: Cannot invoke "javax.xml.namespace.QName.getLocalPart()"

The following exception can occour for the SecurityTokenService or ArtifactResolutionService or any other service using JAX-WS webservice stack:

java.lang.NullPointerException: Cannot invoke "javax.xml.namespace.QName.getLocalPart()" because the return value of "com.sun.xml.ws.api.message.Packet.getWSDLOperation()" is null
at io.opentelemetry.javaagent.instrumentation.metro.MetroRequest.getSpanName(MetroRequest.java:30) ~[opentelemetry-javaagent.jar:?]
at io.opentelemetry.javaagent.instrumentation.metro.MetroRequest.[init](MetroRequest.java:17) ~[opentelemetry-javaagent.jar:?]
at io.opentelemetry.javaagent.instrumentation.metro.MetroHelper.start(MetroHelper.java:29) ~[opentelemetry-javaagent.jar:?]
at io.opentelemetry.javaagent.instrumentation.metro.TracingTube.processRequest(TracingTube.java:37) ~[opentelemetry-javaagent.jar:?]

The issue here is that OpenTelemetry Metro extension does not yet support JAX-WS version 3 or newer. In order to mitigate the issue you can disable the Metro OpenTelemetry extension by the following configuration option in the JAVA_OPTS in the env.conf: -Dotel.instrumentation.metro.enabled=false