Release notes
Ninja 7.2402.0.1 - 21.02.2024
- NEW: Added
add-dependencies-to-maven-repo.shin theninja-<version>.zipto simplify deploying artifacts to the local maven repository. (NINJA-228)
Ninja 7.2311.0.5 - 15.11.2023
Breaking changes
- REMOVED: Non UTC expiration dates for SecTokens. This is the pair of the
useGmtproperty removal for theTokenSpecconfiguration in the esauth4.xml in nevisAuth. From now we always use UTC (previous default). (NEVISAUTH-4173) - REMOVED:
jcan-samlis now streamlined to it's sole purpose: verify SAML Assertions. Generation, signing and command line utilities are removed andjcan-saml-toolsis discontinued. (NEVISAUTH-4134) - REMOVED: Deprecated methods and command line utilities in
jcan-sectokenare removed. (NEVISAUTH-3856) - CHANGED: The ninja-uber.jar is discontinued. Originally it was intended to ease integration, however its usefulness was decreased by clashing version of dependencies. Now we ship all Nevis Ninja related artifacts and their
pom.xmlto provide flexibility in a zip file. See the description for more. (NINJA-222) - CHANGED: Interfaces in the Ninja / jcan-sectoken / jcan-saml API classes are now using the
java.time.Instantinstead of the oldjava.util.Datetypes where it is possible. Also, methods previously usingObjectreturn types and arguments were mostly migrated to accept/produceString. (NEVISAUTH-4418) - UPGRADED: We upgraded Servlet API to version 5. Migration from
javax.servletpackages tojakarta.servlet. Ninja version 7.2311.x is not supported withjavax.serletAPI and Nevis component versions compiled using Java 8. (NINJA-214)
Changes
- UPGRADED: We upgraded the slf4j third-party dependency to version 2.0.6. (NINJA-214)
- UPGRADED: We upgraded jcan-sectoken to support Java17. (NEVISAUTH-3856)
- UPGRADED: We upgraded jcan-saml to support Java17. (NEVISAUTH-3855)
- UPGRADED: We upgraded the xmlsec third-party dependency to version 3.0.3. (NEVISAUTH-4393)
Ninja 2.1.3.1 - 15.02.2023
Changes
- FIXED: We upgraded
jcan-samlandjcan-sectokenwhich no longer use the libraryjcan-commons.jcan-commonsis no longer shipped. (NEVISAUTH-3861)
Ninja 2.1.2.1 - 16.11.2022
Ninja 2.x disclaimer
The major breaking changes in the 2.x stream of Ninja are the following:
- Container-specific login modules are removed.
- Logging bridges are removed. Ninja uses the SLF4J logging API, which requires customers to supply the logging provider
.jarto the classpath. - Support for newer Java versions (> 8) is added.
Customers can choose between the following courses of action regarding Ninja:
- Stay on the ninja 1.x versions with the currently supported container login modules, where we do not plan updates.
- Use ninja 2.x with Ninja Authentication Filter, or implementing custom container login modules and the desired logging bridges.
Changes
- FIXED: We upgraded the Jcan-saml third-party dependency woodstox due to the CVE-2022-40153 vulnerability. Note that the CVE report has quality issues, see the comments https://github.com/x-stream/xstream/issues/304#issuecomment-1254647926 and https://github.com/FasterXML/woodstox/issues/157. (NEVISAUTH-3879)
Ninja 2.1.1.1 - 01.08.2022
Ninja 2.x disclaimer
The major breaking changes in the 2.x stream of Ninja are the following:
- Container-specific login modules are removed.
- Logging bridges are removed. Ninja uses the SLF4J logging API, which requires customers to supply the logging provider
.jarto the classpath. - Support for newer Java versions (> 8) is added.
Customers can choose between the following courses of action regarding Ninja:
- Stay on the ninja 1.x versions with the currently supported container login modules, where we do not plan updates.
- Use ninja 2.x with Ninja Authentication Filter, or implementing custom container login modules and the desired logging bridges.
Changes
- FIXED: Jcan-saml 3rd party dependency Xalan is removed due to new vulnerability `http://nvd.nist.gov/vuln/detail/CVE-2022-34169. The library was not used anymore. (NEVISAUTH-3759)
Ninja 2.1.0.0 - 20.07.2022
Ninja 2.x disclaimer
This disclaimer serves to transparently inform the deep changes done in the Ninja artefact indicated by the 2.x major version number change.
The major breaking changes in the 2.x stream of Ninja are the following:
- No container-specific login modules
- No logging bridges. Ninja uses the SLF4J logging API which requires customers to supply the concrete logging provider
.jarto the classpath - Support for newer Java versions (> 8)
So customers have the choice of:
- Staying on the ninja 1.x versions with the currently supported container login modules, where we do not plan updates.
- Using ninja 2.x with Ninja Authentication Filter, or implementing custom container login modules and the desired logging bridges.
Changes
- FIXED: Ninja is now able to correctly verify SAML2-signed SecTokens related to
Cannot load SchemaTypeSystemRuntimeExceptions. (NINJA-203)
Ninja 2.0.0.5 - 19.07.2022
Ninja 2.x disclaimer
This disclaimer serves to transparently inform the deep changes done in the Ninja artefact indicated by the 2.x major version number change.
The major breaking changes in the 2.x stream of Ninja are the following:
- No container-specific login modules
- No logging bridges. Ninja uses the SLF4J logging API which requires customers to supply the concrete logging provider
.jarto the classpath - Support for newer Java versions (> 8)
So customers have the choice of:
- Staying on the ninja 1.x versions with the currently supported container login modules, where we do not plan updates.
- Using ninja 2.x with Ninja Authentication Filter, or implementing custom container login modules and the desired logging bridges.
Changes
- UPGRADE: We upgraded the
jcan-sectokendependency to version 2.0.0.2. (NEVISAUTH-3734) - UPGRADE: We upgraded the
jcan-samldependency to version 1.1.9.0. (NEVISAUTH-3734)
Ninja 2.0.0.4 - 21.06.2022
Ninja 2.x disclaimer
This disclaimer serves to transparently inform the deep changes done in the Ninja artefact indicated by the 2.x major version number change.
The major breaking changes in the 2.x stream of Ninja are:
- No container specific login modules
- No logging bridges. Ninja uses the SLF4J logging API which requires customers to supply the concrete logging provider
.jarto the classpath - Support for newer Java versions (> 8)
So customers have the choice of:
- Staying on the ninja 1.x versions with the currently supported container login modules, where we do not plan updates.
- Using ninja 2.x with Ninja Authentication Filter, or implementing custom container login modules and the desired logging bridges.
Breaking changes
- REMOVED: We removed the support of all container-specific login modules (NINJA-184):
- REMOVED: We removed the Jira Seraph integration module. (NINJA-184)
- REMOVED: We removed the Ninja logging bridges and all related interfaces and abstract classes, and migrated to SLF4J API instead. (NINJA-193)
- REMOVED: We removed the support for customer-specific
SecTokenimplementations, and migrated fromch.adnovum.jcan-sectokento thech.nevis.jcan-sectokenimplementation. (NINJA-194)
Changes
- NEW: The
Principalis no longer stored in the session. By default, theSecTokenis checked on each request. To keep the legacy behavior, that is, caching thePrincipalin the session, use the newCachePrincipalconfiguration property. - NEW: We released Ninja uber / fat JAR containing all Ninja modules and their dependencies. (NINJA-192)