Details
-
Improvement
-
Resolution: Done
-
Major
-
None
-
None
-
None
-
AdminX 11
-
5
Description
From the release notes of Pac4j (https://www.pac4j.org/docs/release-notes.html), I noticed a warning: "The 4.x stream is no longer maintained except via the LTS program."
That means we will not get bug and security fixes for pac4j v4 anymore. I suggest that we upgrade to version 5 ASAP.
Dev notes:
Some work has already been done by Maxime: https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/browse?at=refs%2Fheads%2Fpac4j-v5.
Double check jee-pac4j-5.0.0.jar: CVE-2021-44878 after upgrading.
The dependency pac4j-jee in the pom is deprecated in v5.4.0:
From the release notes: https://github.com/pac4j/pac4j/blob/master/documentation/docs/release-notes.md
v5.4.0:
- Deprecated the pac4j-jee dependency (JEE components in the org.pac4j.core and org.pac4j.saml packages, based on the javax.servlet-api library v4) to be replaced by:
  - the pac4j-javaee dependency (JEE components in the org.pac4j.jee package, based on the javax.servlet-api library v4) or
  - the pac4j-jakartaee dependency (JEE components in the org.pac4j.jee package, based on the jakarta.servlet-api library v5)
Remove old pac4j related configuration - https://git.magnolia-cms.com/projects/CLOUD/repos/magnolia-cloud/pull-requests/506/overview
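A check for the two conditions noted above (a pre-5.x pac4j dependency, and pac4j-jee at v5.4.0 or later) can be run against a pom.xml. This is an added example, not code from the ticket or from pac4j; the sample POM, its versions and the function name `audit_pom` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (not the project's real pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><pac4j.version>5.4.0</pac4j.version></properties>
  <dependencies>
    <dependency><groupId>org.pac4j</groupId><artifactId>pac4j-oidc</artifactId>
      <version>4.5.7</version></dependency>
    <dependency><groupId>org.pac4j</groupId><artifactId>pac4j-jee</artifactId>
      <version>${pac4j.version}</version></dependency>
    <dependency><groupId>org.pac4j</groupId><artifactId>pac4j-javaee</artifactId>
      <version>${pac4j.version}</version></dependency>
  </dependencies>
</project>"""

def _local(tag):
    """Drop the Maven XML namespace so lookups work with or without it."""
    return tag.rsplit("}", 1)[-1]

def _children(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def audit_pom(pom_xml):
    """Return (artifactId, version, finding) tuples for org.pac4j dependencies."""
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            props.update(_children(elem))
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = _children(dep)
        if fields.get("groupId") != "org.pac4j":
            continue
        artifact, version = fields.get("artifactId", ""), fields.get("version", "")
        ref = re.fullmatch(r"\$\{(.+)\}", version)  # resolve ${property} versions
        if ref:
            version = props.get(ref.group(1), version)
        m = re.match(r"(\d+)(?:\.(\d+))?", version)
        if not m:
            findings.append((artifact, version, "version not resolvable in this POM"))
        elif int(m.group(1)) < 5:
            findings.append((artifact, version, "pre-5.x stream, 4.x is no longer maintained"))
        elif artifact == "pac4j-jee" and (int(m.group(1)), int(m.group(2) or 0)) >= (5, 4):
            findings.append((artifact, version, "deprecated since v5.4.0: use pac4j-javaee or pac4j-jakartaee"))
    return findings
```

Versions inherited from a parent POM or a BOM are reported as not resolvable rather than guessed, so those need checking against the effective POM.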