[MGNLSSO-105] Upgrade Pac4j from v4.x to v5.x because the v4.x is no longer maintained
Created: 14/Apr/22  Updated: 05/Sep/22  Resolved: 07/Jun/22

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0.0, Tech Prod Ready

Type: Improvement Priority: Major
Reporter: Nguyen Phung Chi Assignee: Thai Chi Minh
Resolution: Done Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: 4.5d Time Spent: 4.5d
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Sub-Tasks:
Key | Summary | Type | Status | Assignee
MGNLSSO-125 | Implementation | Technical task | Completed | Thai Chi Minh
MGNLSSO-126 | Remove related suppressions | Technical task | Completed | Thai Chi Minh
MGNLSSO-127 | Review | Technical task | Completed | Nguyen Phung Chi
MGNLSSO-128 | PiQA | Technical task | Completed | Nguyen Phung Chi
MGNLSSO-129 | Final QA | Technical task | Completed | Nguyen Phung Chi
MGNLSSO-133 | Remove old pac4j related configuratio... | Technical task | Completed | Nguyen Phung Chi
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Epic Link: SSO support for custom IdPs
Sprint: AdminX 11
Story Points: 5
Team: AdminX

Description

From the release notes of Pac4j (https://www.pac4j.org/docs/release-notes.html), I noticed a warning: "The 4.x stream is no longer maintained except via the LTS program."

That means we will not have bug and security fixes from pac4j v4 anymore. I suggest that we should upgrade to version 5 ASAP.

Dev notes:

Some work has already been done by Maxime: https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/browse?at=refs%2Fheads%2Fpac4j-v5

Double check jee-pac4j-5.0.0.jar: CVE-2021-44878 after upgrading.

The dependency pac4j-jee in the pom is deprecated in v5.4.0:

From the release notes: https://github.com/pac4j/pac4j/blob/master/documentation/docs/release-notes.md

v5.4.0:

  • Deprecated the pac4j-jee dependency (JEE components in the org.pac4j.core and org.pac4j.saml packages, based on the javax.servlet-api library v4) to be replaced by:
    • the pac4j-javaee dependency (JEE components in the org.pac4j.jee package, based on the javax.servlet-api library v4) or
    • the pac4j-jakartaee dependency (JEE components in the org.pac4j.jee package, based on the jakarta.servlet-api library v5)

Remove old pac4j related configuration - https://git.magnolia-cms.com/projects/CLOUD/repos/magnolia-cloud/pull-requests/506/overview


Generated at Mon Feb 12 10:51:09 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.