Appendix L - Java 17 upgrade and changes related to 7.2311.0.x
Together with Java 17 upgrade, a major cleanup was done in multiple places including the update of most dependencies. This appendix will guide you through the changes.
It is recommended to recompile custom Java auth states, REST or SOAP services using Java 17 and nevisAuth artifacts version 7.2311.x. As all of those are likely to become incompatible.
Note, that recompilation does not warrant that everything will work fine. Even if the build is successful, runtime issues can still arise. Therefore, thorough testing of any custom development is recommended.
Nevis does not recommend and will not provide support for using Java 8 compiled custom Java auth states, REST or SOAP services in nevisAuth version 7.2311.x.
nevisAuth API changes
The following chapter summarizes the changes in the nevisAuth SDK.
The following list does not contain every change made in the internal artifact nevisauth-core or other modules.
Date handling
Java 8 introduced a new java.time API which replaces the old legacy API (java.util.Date, java.utils.Calendar and more)
The community and industry seems to be lagging behind with introducing the new java.time API. This is caused by Java API itself using the legacy date API in core places, because it is very difficult to replace.
Third party libraries used by nevisAuth start to use the java.time API more and more. Therefore, Nevis also moved on to use the java.time API. This causes breaking changes in multiple places of the nevisAuth API.
As the date handling is quite complex, the separate Appendix J guides you through the changes there.
OOCD
Changes in the OOCD interface because of the date handling and removing deprecated API & features. For more see Appendix K.
Session
| Where | Old | Replacement |
|---|---|---|
NevisSession | getAttributeNames | getAttributeNamesIterator |
NevisSession | acquireReadOnly | ❌ |
NevisSession | acquireReadWrite | - (moved to Session) |
NevisSession | release | - (moved to Session) |
NevisSession | Object getData(); | Map<String, String> getData(); |
NevisSession | Object getAttribute(String name); | String getAttribute(String name); |
NevisSession | void setAttribute(String name, Object value); | void setAttribute(String name, String value); |
Session | isInitial | isAuthentic Note it is the inverse! |
Session | getDomainMappings | ❌ |
Session | setDomainMappings | ❌ |
ScriptState | Map<?,?> session | Map<String,String> session |
ScriptStates
The change that the Session attributes are only accepting String has a special caveat in Groovy scripts.
Groovy itself does not enforce types strictly on a Map object; thus in a groovy script, you can actually set a non String object in a String typed Map. This behaviour causes a ClassCastException in nevisAuth when the Session is accessed from the Java code.
To mitigate this the ScriptState will check the session attributes for any non String values and throw an exception with the name of the keys and types.
A special case of this is when a org.codehaus.groovy.runtime.GStringImpl type is added as a Session attribute. This happens when using an expression inside double quotes. Example: session.put("outarg.$name", value) working replacement: session.put('outarg.' + name, value).
Below is an example of how to convert non String objects to JSON to store it in the session. Based on our experience, the most typical case is when a script try to store a Map object in the session. In some cases a simple concatenation could also work - but using the JSON utilities from Groovy reduces the chance of an error. (You don't have to worry about escaping.) As serialisation is a complex topic, this approach might not work with more complex Java types.
import groovy.json.JsonOutput
import groovy.json.JsonSlurper
def originalMap = [
key1: 'value1',
key2: 'value2'
]
session.put('test', JsonOutput.toJson(originalMap));
def restoredMap = new JsonSlurper().parseText(session['test'])
In previous versions nevisAuth did not store non String session attributes in the remote session store. When migrating to store session attributes in String format in your scripts, mind that now nevisAuth also stores those in the database. In case you just temporarily stored some objects in the session and relied on the remote session store to throw them away, now you have to take care of removing those from the session yourself. (If those are not to be stored in the session on the long term.)
AuthEngine / AuthState general
| Where | Old | Replacement |
|---|---|---|
AuthConst | DEFAULT_TRANSITION | DEFAULT_RESULT |
AuthConst | LAST_TRANSITION | LAST_RESULT |
AuthConst | LAST_STATE | CURRENT_STATE |
AuthConst | INVALID_INPUT | AUTH_FAILED |
AuthConst | NEVIS_AUTH_GUI | ❌ |
AuthState | isInitialDispatcher | ❌ |
AuthState | getAttribute | getMandatoryAttribute or getOptionalAttribute |
AuthState | convertListDescriptor | getListAttribute |
AuthState | getHttpHeaderFromRequest | request.getHttpHeader |
AuthState | getTransition | getTransition with AuthRequest and AuthResponse parameters |
AuthTransition | getName | getTriggeringCondition |
AuthTransition | getState | getTargetState |
AuthRequest | getDomainMapping | ❌ |
AuthRequest | getDomainMappings | ❌ |
AuthResponse | setDomainMappings | ❌ |
AuthResponse | addDomainMapping | ❌ |
Auditable | getDomainMappings | ❌ |
EL expression | addDomainMapping | ❌ |
Utilities
| Old | Replacement |
|---|---|
CommandStarter, CommandWaiter, StreamConnector | CommandExecutor |
deprecated encryptWhereNeccessary method in the Communicator, Encrypter | encryptWhereNeccessary with additional arguments |
AuthSSLContextFactory | ❌ |
AuthSSLX509TrustManager | ❌ |
Command line utilities in jcan-saml | ❌ |
SAML Assertion / Response generation signing in jcan-saml | Use OpenSaml 4. |
jcan-saml-tools.jar | ❌ |
Command line utilities in jcan-sectoken | ❌ |
Deprecated methods in jcan-sectoken | ❌ |
OpTracing
Implementation
The old library jcan-optrace relies on the javax.servlet API, therefore it is not compatible with the new Java 17 nevisAuth release.
As Nevis does not have the source of this library the jcan.Op OpTrace logs will be replaced by using OpenTelemetry Java agent.
Default behaviour
By default, the nevisAuth RPM package does not contain the binaries or configuration for OpenTelemetry therefore by default there is no OpTrace. To set up OpenTelemetry check out the guide here.
Configuration
OpenTelemetry requires Java agent configuration in the env.conf and its own configuration file, see the guide for more.
Configuration changes
OOCD
Changes in the OOCD configuration to unify the database related configurations in nevisAuth. For more see Appendix K.
esauth4.xml
Property changes
| Where | Old | Replacement |
|---|---|---|
RemoteSessionStore | connectionMaxRetry | ❌ |
SendMail & Tan | smtpHost | mail.smtp.host |
SendMail & Tan | smtpPort | mail.smtp.port |
esauth-server | securityLevel | ❌ |
X509Login | crlExpirationTolerance | revocationCheckExpirationTolerance |
Property value changes
| Where | Property | Change |
|---|---|---|
RemoteSessionStore | provider | legacyjdbc provider option removed |
RemoteSessionStore | sessionIdRandomBytes | custom class support using "file://..." removed |
SecurityTokenServiceClient RadiusAuthState MobileSignatureState | service.binding | session option removed |
env.conf JAVA_OPTS
JVM system properties from Java
Some JVM system properties are discontinued in Java:
-XX:+UseConcMarkSweepGC-XX:+UseParNewGC
There might be others, we don't have a complete list of those. In case you have a no longer supported JVM system property you will encounter an error like this:
Sep 05 09:13:01 10a605af06ed nevisauth-server[2026]: Unrecognized VM option 'UseConcMarkSweepGC'
Sep 05 09:13:01 10a605af06ed nevisauth-server[2026]: Error: Could not create the Java Virtual Machine.
Sep 05 09:13:01 10a605af06ed nevisauth-server[2026]: Error: A fatal exception has occurred. Program will exit.
The error message above will be present in the system out therefore in the systemd journal. As the process fails before logging could be set up.
System properties can be removed because of turned on by default:
-server-> default on 64bit vms-XX:+UseContainerSupport-> default true
Nevis system properties
The following properties can be removed:
-Dch.nevis.bc.io.TracerCfgrelated to the logging framework, not used.-Dch.nevis.tracing.refreshrelated to the logging framework, not used.-Djava.security.krb5.confthe new KerberosLogin auth state does not support impersonation/delegation, so it is not a “Kerberos client” anymore.-Dch.nevis.esauth.litdict.charset.encodingBy default nevisAuth uses UTF-8. In case you have your litdict files UTF-8 encoded (which they should be) it is not necessary to define this.-Dch.nevis.esauth.wstrust.SecurityTokenService.SecTokenHackURIold backwards compatibility flag.
Java 17 API changes
This chapter contains the non nevisAuth specific changes caused by upgrading Java to version 17.
Java modules (JPMS)
nevisAuth and the authentication components do not define any Java modules JPMS. Components rely on the automatic unnamed module handling of Java. This is a backwards compatibility feature allowing access to all codebase as before Java 9 when there was no JPMS.
Introducing JPMS would cause severe restrictions on what can be accessed from the nevisAuth codebase, therefore custom Java auth states developed by customers would no longer be able to access code from the nevisauth-core jar, only nevisauth-authstate-api and nevisauth-commons.
Accessing code from nevisauth-core is already considered a bad practice and is done at your own risk. Though we are aware that because of historical reasons many rely on nevisauth-core.
We recommend using the offical SDK which is shipped in the nevisauth rpm package and mainly consist of the nevisauth-authstate-api and nevisauth-commons.
In the future, JPMS modules will be introduced at some point which will probably require additions to our SDK, however without our knowledge of what customers exactly require there will be no extensions.
Therefore, again we recommend customers currently relying on nevisauth-core to try to use the SDK and inform us via the official support channels if something is missing.
Java internal packages
Even though nevisAuth itself does not define JPMS modules, Java 17 already have modules itself. You can no longer access Java packages which are considered to be internal by Java itself.
In case you used a Java internal package which is no longer public, you will receive a compile error. In certain cases for example reflection usage might be only spotted at runtime.
Internal Java modules/packages we encountered in the nevisAuth during the Java 17 migration (this is not a complete list of all Java internal modules):
- java.security.jgss/sun.security.krb5
- java.security.jgss/sun.security.krb5.internal
- java.security.jgss/sun.security.krb5.internal.ccache
- java.security.jgss/sun.security.jgss
- java.security.jgss/sun.security.jgss.krb5
- java.base/sun.security.provider
- java.base/sun.security.util
- java.base/sun.security.pkcs
- java.base/sun.security.x509
Some of the security features can be accessed via the java.security package. Though it does not expose the whole feature set previously available via sun.security. In some cases you might have to find replacement implementations for example using Bouncy Castle.
It is also possible to encounter a third party dependency which uses Java internal API and because of that you can no longer use it. These typically only surface at runtime. Unless you use the --add-exports command line option and specify a module/package to force Java to expose that internal API. The --add-exports option is a last resort for backwards compatibility, it is not recommended and not clear how long will be available. At Nevis we used this approach in our unit testing setup in one case, where Mockserver uses internal Java API for dealing with X509 certificates. You can find the example for this in the pom.xml in the SDK example project in the RPM.
Nevis cannot provide support for replacing Java internal package usages in custom auth states.
Nevis does not recommend and support the usage of --add-exports parameters to make internal Java API publicly available in production code.
SubjectDN and IssuerDN
Java X509Certificate.getSubjectDN() and X509Certificate.getIssuerDN() method are deprecated.
The method getSubjectDN().getName() used a non-standard format for getting the String DN representation (This comes from Java). It was used in multiple places in nevisAuth and possibly also in custom auth states or groovy scripts.
To remain backwards compatible we use X509Certificate.getSubjectX500Principal().toString() which uses the same formatting as the old one. Note that X509Certificate.getSubjectX500Principal().getName() will use RFC-2253 formatting, which is different from the non-standard format.
The following auth states are affected:
- X509Login
- MobileSignatureState (special because the SubjectDN is stored in nevisIdm)
- WSSHeaderValidation
- SAML
Additionally, certificate handling in general and the SecurityTokenService. Furthermore, the non-standard RDN attribute separator / is no longer supported in the X509Login.
Default encoding
We noticed changes of the default encoding in some places in from ISO-8559-1 to UTF-8 which is the Java 17 default. We are not aware of the extent of these changes in Java itself or third party libraries. Based on our testing nevisAuth is not affected, because in most cases the encoding can be configured, so the Java default value does not matter. So far we are only aware of nevisLogRend being affected. However, there is a possibility that we did not notice some parts which may be affected.
Furthermore, it is possible that in custom auths states this default value change causes encoding errors, which can be fixed by either providing the desired encoding or changing the encoding to UTF-8.
Data changes
OOCD
The deprecated File based OOCD was removed, in case you used that you might want to preform a data migration to an SQL database, see Appendix K.
3rd party dependencies
Most of the 3rd party dependencies used in nevisAuth were upgraded to the latest version. Many of these had to be upgraded in the same time because of multiple dependencies interlocking with each other. Example of this are WSS4j, OpenSAML and Bouncy Castle.
Changes in dependency versions
The dependency upgrades can cause breaking change in custom auth states as in many occasions a new major version is used, which often have different artifact names and groupings.
The following chapters list the major upgrades which in our opinion could cause issues with custom auth states or groovy scripts.
Bouncy Castle 1.7.x
Bouncy Castle dependencies are upgraded to 1.7.x from version 1.6.x. The more noteworthy change is that now we are using the -jdk18on artifacts instead of the -jdk15on.
Groovy 4.x
The Groovy library responsible for running Groovy ScriptStates is upgraded to version 4.x from the previous 3.x. See Groovy 4 release notes.
JAXB 4.x / JAX-WS 4.x / JAX-RS 3.x
JAXB, JAX-WS are upgraded from version 2.x to 4.x. JAX-RS is upgraded from 2.x to 3.x.
This could have an impact in case you have a custom SOAP webservice or REST implementation.
EL expressions / EL API 5.0
We upgraded to EL API 5.0 from 2.0. Nevis did not notice any breaking changes during testing, however it is worth keeping this change in mind.
Jetty 11.x
Jetty is upgraded to version 11.x from version 9.x. This should have no noticable impact for nevisAuth users.
The only thing noticed so far is that the TLS connection validation is stricter. It requires the SNI to match the hostname of the server side certificates.
OpenSAML 4.x
The OpenSAML dependency is upgraded to version 4.x from version 2.x. This can cause issues in case you have a SAML related custom auth state.
This upgrade is tightly coupled with the WSS4j upgrade from 1.x to version 3.x. (WSS4j depends on OpenSAML) The Wss4j dependency is mainly restricted to the WSSHeaderValidation auth state.
Servlet API 5 and JavaX / Jakarta packages
Mainly coupled with the Jetty upgrade we also switched to Servlet API version 5 from the previous version 3.1.
Could affect custom REST services or perhaps third party dependencies used by custom auth states which are using javax.servlet API. Those might become incompatible.
Note that the component Ninja used to validate SecTokens is now also using the jakarta.servlet API.
Removed dependencies
Removed / changed dependencies which in our opinion could affect custom auth states:
| Old | Replacement |
|---|---|
bcprov-jdk15on | bcprov-jdk18on |
bcpkix-jdk15on | bcpkix-jdk18on |
bcutil-jdk15on | bcutil-jdk18on |
commons-beanutils | ❌ |
commons-collections | ❌ |
commons-digester | ❌ |
commons-lang | commons-lang3 |
commons-io | use Java API |
joda-time | use the java.time API |
jcan-log | slf4j |
jcan-optrace | OpenTelemetry |
jcan-commons | ❌ |
jdom | jdom2 |
kerberos-decoding | kerb4j / kerby |
Note that this table states the current behaviour out of the box. You can add any of these back or add other replacement libraries by specifying them on the auth state classpath. Though using old not maintained libraries is not recommended for security reasons.
The list above is not complete in a sense that it does not list all dependency version updates.
Looking for missing classes without IDE
When developing custom java auth states it is possible you encounter some classes which seems to be missing in the new release, a good starting point can be where this class was before in the previous version.
As nevisAuth is packaged into a .war file, so simply searching under /opt/nevisauth might not give a complete result. Therefore, it makes sense unpack it first: cd /opt/nevisauth/deploy && unzip nevisauth.war && cd ... To locate in which jar a class is can be done using with the following command:
find /opt/nevisauth -name '*.jar' -exec grep -Hls YourClassNameGoesHere {} \;
Full list of dependency changes
| 4.40.3.0 | 7.2311.0.x |
|---|---|
| FastInfoset-1.2.18.jar | FastInfoset-2.1.0.jar |
| HikariCP-4.0.3.jar | HikariCP-5.0.1.jar |
| ant-1.10.12.jar | ant-1.10.14.jar |
| ant-antlr-1.10.12.jar | ant-antlr-1.10.14.jar |
| ant-junit-1.10.12.jar | ant-junit-1.10.14.jar |
| ant-launcher-1.10.12.jar | ant-launcher-1.10.14.jar |
| aopalliance-repackaged-2.6.1.jar | aopalliance-repackaged-3.0.4.jar |
| ❌ | apache-el-10.1.7.jar |
| asm-9.3.jar | asm-9.5.jar |
| ❌ | asm-analysis-9.5.jar |
| ❌ | asm-tree-9.5.jar |
| ❌ | asm-util-9.5.jar |
| bcpkix-jdk15on-1.60.jar | bcpkix-jdk18on-1.76.jar |
| bcprov-jdk15on-1.60.jar | bcprov-jdk18on-1.76.jar |
| ❌ | bcutil-jdk18on-1.76.jar |
| ❌ | cache-api-1.1.0.jar |
| checker-qual-3.36.0.jar | checker-qual-3.39.0.jar |
| commons-beanutils-1.9.4.jar | ❌ |
| commons-collections-3.2.2.jar | ❌ |
| commons-digester-1.8.jar | ❌ |
| commons-httpclient-3.1.jar | ❌ |
| commons-io-2.13.0.jar | ❌ |
| commons-lang-2.6.jar | ❌ |
| commons-lang3-3.12.0.jar | commons-lang3-3.13.0.jar |
| commons-pool-1.6.jar | commons-pool-1.5.4.jar |
| ❌ | cryptacular-1.2.5.jar |
| ❌ | ehcache-3.10.8-jakarta.jar |
| error_prone_annotations-2.18.0.jar | error_prone_annotations-2.21.1.jar |
| esapi-2.0.1.jar | ❌ |
| filters-20101209.jar | filters-2.0.235-1.jar |
| groovy-3.0.18.jar | groovy-4.0.15.jar |
| groovy-ant-3.0.18.jar | groovy-ant-4.0.15.jar |
| groovy-astbuilder-3.0.18.jar | ❌ |
| groovy-cli-picocli-3.0.18.jar | groovy-cli-picocli-4.0.15.jar |
| groovy-console-3.0.18.jar | groovy-console-4.0.15.jar |
| groovy-datetime-3.0.18.jar | groovy-datetime-4.0.15.jar |
| groovy-docgenerator-3.0.18.jar | groovy-docgenerator-4.0.15.jar |
| groovy-groovydoc-3.0.18.jar | groovy-groovydoc-4.0.15.jar |
| groovy-groovysh-3.0.18.jar | groovy-groovysh-4.0.15.jar |
| groovy-jmx-3.0.18.jar | groovy-jmx-4.0.15.jar |
| groovy-json-3.0.18.jar | groovy-json-4.0.15.jar |
| groovy-jsr223-3.0.18.jar | groovy-jsr223-4.0.15.jar |
| groovy-macro-3.0.18.jar | groovy-macro-4.0.15.jar |
| groovy-nio-3.0.18.jar | groovy-nio-4.0.15.jar |
| groovy-servlet-3.0.18.jar | groovy-servlet-4.0.15.jar |
| groovy-sql-3.0.18.jar | groovy-sql-4.0.15.jar |
| groovy-swing-3.0.18.jar | groovy-swing-4.0.15.jar |
| groovy-templates-3.0.18.jar | groovy-templates-4.0.15.jar |
| groovy-xml-3.0.18.jar | groovy-xml-4.0.15.jar |
| ❌ | groovy-yaml-4.0.15.jar |
| guava-32.1.1-jre.jar | guava-32.1.3-jre.jar |
| hk2-api-2.6.1.jar | hk2-api-3.0.4.jar |
| hk2-locator-2.6.1.jar | hk2-locator-3.0.4.jar |
| hk2-utils-2.6.1.jar | hk2-utils-3.0.4.jar |
| ❌ | httpclient-4.5.14.jar |
| ❌ | httpcore-4.4.16.jar |
| ❌ | ivy-2.5.2.jar |
| jackson-annotations-2.15.2.jar | jackson-annotations-2.15.3.jar |
| jackson-core-2.15.2.jar | jackson-core-2.15.3.jar |
| jackson-databind-2.15.2.jar | jackson-databind-2.15.3.jar |
| jackson-dataformat-properties-2.15.2.jar | jackson-dataformat-properties-2.15.3.jar |
| jackson-dataformat-yaml-2.15.2.jar | jackson-dataformat-yaml-2.15.3.jar |
| ❌ | jackson-datatype-jsr310-2.15.3.jar |
| jackson-module-jaxb-annotations-2.15.2.jar | ❌ |
| ❌ | jackson-module-jakarta-xmlbind-annotations-2.15.3.jar |
| jakarta.activation-api-1.2.2.jar | jakarta.activation-api-2.1.2.jar |
| jakarta.annotation-api-1.3.5.jar | jakarta.annotation-api-2.1.1.jar |
| ❌ | jakarta.el-api-5.0.1.jar |
| jakarta.inject-2.6.1.jar | jakarta.inject-api-2.0.1.jar |
| jakarta.json-1.1.6-module.jar | ❌ |
| jakarta.json-1.1.6.jar | ❌ |
| jakarta.json-api-1.1.6.jar | jakarta.json-api-2.1.2.jar |
| jakarta.json.bind-api-1.0.2.jar | jakarta.json.bind-api-3.0.0.jar |
| jakarta.jws-api-2.1.0.jar | ❌ |
| ❌ | jakarta.mail-api-2.1.2.jar |
| ❌ | jakarta.transaction-api-2.0.0.jar |
| jakarta.validation-api-2.0.2.jar | jakarta.validation-api-3.0.2.jar |
| jakarta.ws.rs-api-2.1.6.jar | jakarta.ws.rs-api-3.1.0.jar |
| jakarta.xml.bind-api-2.3.3.jar | jakarta.xml.bind-api-4.0.0.jar |
| jakarta.xml.soap-api-1.4.2.jar | jakarta.xml.soap-api-3.0.0.jar |
| jakarta.xml.ws-api-2.3.3.jar | jakarta.xml.ws-api-4.0.0.jar |
| ❌ | jasypt-1.9.3.jar |
| ❌ | java-support-8.4.0.jar |
| javaparser-core-3.25.1.jar | javaparser-core-3.25.5.jar |
| javax.servlet-api-3.1.0.jar | ❌ |
| ❌ | jaxb-core-4.0.2.jar |
| jaxb-impl-2.3.8.jar | jaxb-impl-4.0.2.jar |
| jaxrs-ri-2.40.jar | jaxrs-ri-3.1.3.jar |
| jaxws-rt-2.3.6.jar | jaxws-rt-4.0.1.jar |
| jcan-commons-1.0.3.0.jar | ❌ |
| jcan-log-api-1.8.3.0.jar | ❌ |
| jcan-log-slf4j-1.8.3.0.jar | ❌ |
| jcan-optrace-1.1.4.0.jar | ❌ |
| jcan-optrace-jee5-1.1.4.0.jar | ❌ |
| ❌ | jcan-saml-7.2311.0.3.jar |
| jcan-saml-xmlbeans-1.1.8.0.jar | jcan-saml-xmlbeans-7.2311.0.3.jar |
| jcan-sectoken-1.3.3.0.jar | jcan-sectoken-7.2311.0.4.jar |
| jersey-client-2.40.jar | jersey-client-3.1.3.jar |
| jersey-common-2.40.jar | jersey-common-3.1.3.jar |
| jersey-container-servlet-2.40.jar | jersey-container-servlet-3.1.3.jar |
| jersey-container-servlet-core-2.40.jar | jersey-container-servlet-core-3.1.3.jar |
| jersey-entity-filtering-2.40.jar | jersey-entity-filtering-3.1.3.jar |
| jersey-hk2-2.40.jar | jersey-hk2-3.1.3.jar |
| jersey-media-jaxb-2.40.jar | jersey-media-jaxb-3.1.3.jar |
| jersey-media-json-binding-2.40.jar | jersey-media-json-binding-3.1.3.jar |
| jersey-media-moxy-2.40.jar | jersey-media-moxy-3.1.3.jar |
| jersey-media-sse-2.40.jar | jersey-media-sse-3.1.3.jar |
| jersey-server-2.40.jar | jersey-server-3.1.3.jar |
| jetty-continuation-9.4.51.v20230217.jar | ❌ |
| jetty-http-9.4.51.v20230217.jar | jetty-http-11.0.17.jar |
| jetty-io-9.4.51.v20230217.jar | jetty-io-11.0.17.jar |
| ❌ | jetty-jakarta-servlet-api-5.0.2.jar |
| jetty-jndi-9.4.51.v20230217.jar | jetty-jndi-11.0.17.jar |
| jetty-plus-9.4.51.v20230217.jar | jetty-plus-11.0.17.jar |
| jetty-rewrite-9.4.51.v20230217.jar | jetty-rewrite-11.0.17.jar |
| jetty-schemas-3.1.jar | jetty-schemas-5.2.jar |
| jetty-security-9.4.51.v20230217.jar | jetty-security-11.0.17.jar |
| jetty-server-9.4.51.v20230217.jar | jetty-server-11.0.17.jar |
| jetty-servlet-9.4.51.v20230217.jar | jetty-servlet-11.0.17.jar |
| jetty-util-9.4.51.v20230217.jar | jetty-util-11.0.17.jar |
| jetty-util-ajax-9.4.51.v20230217.jar | ❌ |
| jetty-webapp-9.4.51.v20230217.jar | jetty-webapp-11.0.17.jar |
| jetty-xml-9.4.51.v20230217.jar | jetty-xml-11.0.17.jar |
| joda-time-2.12.5.jar | ❌ |
| juel-api-2.2.4.jar | ❌ |
| juel-impl-2.2.4.jar | ❌ |
| kerberos-decoding-4.40.3.0.jar | ❌ |
| libphonenumber-8.13.17.jar | libphonenumber-8.13.23.jar |
| ❌ | listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar |
| mariadb-java-client-3.1.4.jar | mariadb-java-client-3.2.0.jar |
| ❌ | metrics-core-4.2.15.jar |
| mimepull-1.9.15.jar | mimepull-1.10.0.jar |
| nevisauth-aspsms-4.40.3.0.jar | ❌ |
| nevisauth-authstates-core-4.40.3.0.jar | nevisauth-authstates-core-7.2311.0.6.jar |
| nevisauth-authstates-oasis-4.40.3.0.jar | nevisauth-authstates-oasis-7.2311.0.6.jar |
| nevisauth-authstates-oauth-4.40.3.0.jar | nevisauth-authstates-oauth-7.2311.0.6.jar |
| nevisauth-authstates-thirdparty-4.40.3.0.jar | ❌ |
| nevisauth-core-4.40.3.0.jar | nevisauth-core-7.2311.0.6.jar |
| nevisauth-jaxws-oasis-4.40.3.0.jar | nevisauth-jaxws-oasis-7.2311.0.6.jar |
| nevisauth-misc-4.40.3.0.jar | nevisauth-misc-7.2311.0.6.jar |
| nevisauth-mss-4.40.3.0.jar | nevisauth-mss-7.2311.0.6.jar |
| nevisauth-rest-services-4.40.3.0.jar | nevisauth-rest-services-7.2311.0.6.jar |
| nevisauth-server-4.40.3.0.jar | nevisauth-server-7.2311.0.6.jar |
| nevisauth-webservices-4.40.3.0.jar | nevisauth-webservices-7.2311.0.6.jar |
| nevisauth-webservices-generated-4.40.3.0.jar | nevisauth-webservices-generated-7.2311.0.6.jar |
| nevisauth-xmlbeans-4.40.3.0.jar | ❌ |
| nimbus-jose-jwt-9.30.2.jar | nimbus-jose-jwt-9.35.jar |
| not-yet-commons-ssl-0.3.9.jar | ❌ |
| oauth2-oidc-sdk-10.11.jar | oauth2-oidc-sdk-11.2.jar |
| opensaml-2.6.4.jar | opensaml-core-4.3.0.jar |
| ❌ | opensaml-messaging-api-4.3.0.jar |
| ❌ | opensaml-profile-api-4.3.0.jar |
| ❌ | opensaml-saml-api-4.3.0.jar |
| ❌ | opensaml-saml-impl-4.3.0.jar |
| ❌ | opensaml-security-api-4.3.0.jar |
| ❌ | opensaml-security-impl-4.3.0.jar |
| ❌ | opensaml-soap-api-4.3.0.jar |
| ❌ | opensaml-soap-impl-4.3.0.jar |
| ❌ | opensaml-storage-api-4.3.0.jar |
| ❌ | opensaml-xacml-api-4.3.0.jar |
| ❌ | opensaml-xacml-impl-4.3.0.jar |
| ❌ | opensaml-xacml-saml-api-4.3.0.jar |
| ❌ | opensaml-xacml-saml-impl-4.3.0.jar |
| ❌ | opensaml-xmlsec-api-4.3.0.jar |
| ❌ | opensaml-xmlsec-impl-4.3.0.jar |
| openws-1.5.4.jar | ❌ |
| ❌ | org.abego.treelayout.core-1.0.3.jar |
| org.eclipse.persistence.asm-9.4.0.jar | org.eclipse.persistence.asm-9.5.0.jar |
| org.eclipse.persistence.core-2.7.12.jar | org.eclipse.persistence.core-4.0.2.jar |
| org.eclipse.persistence.moxy-2.7.12.jar | org.eclipse.persistence.moxy-4.0.2.jar |
| ❌ | parsson-1.1.1.jar |
| picocli-4.6.3.jar | picocli-4.7.5.jar |
| policy-2.7.10.jar | ❌ |
| saaj-impl-1.5.3.jar | saaj-impl-3.0.0.jar |
| slf4j-api-2.0.7.jar | slf4j-api-2.0.9.jar |
| snakeyaml-2.0.jar | snakeyaml-2.1.jar |
| stax-ex-1.8.3.jar | stax-ex-2.1.0.jar |
| streambuffer-1.5.10.jar | streambuffer-2.1.0.jar |
| velocity-1.7.jar | ❌ |
| ❌ | velocity-engine-core-2.3.jar |
| wss4j-1.6.16.jar | wss4j-ws-security-common-3.0.1.jar |
| ❌ | wss4j-ws-security-dom-3.0.1.jar |
| xmlbeans-3.1.0.jar | xmlbeans-5.1.1.jar |
| xmlsec-1.5.8.jar | xmlsec-3.0.3.jar |
| xmltooling-1.4.4.jar | ❌ |
| yasson-1.0.11.jar | yasson-3.0.3.jar |
Troubleshooting
ERROR: Attribute "X" must be declared for element type "Y".
This error is a bit misleading by the jdom2 parsing library. It means that you used an attribute in the esauth4.xml which is not allowed because it was not defined. You are likely using an attribute which is no longer available because it has been removed. The solution is to either completely remove it or use the replacement if there is one.
org.jdom2.input.JDOMParseException: Error on line 22 of document file:/var/opt/nevisauth/default/conf/esauth4.xml: Attribute "X" must be declared for element type "Y".
BadMessageException: 400: Invalid SNI
This is the case mentioned above; Jetty 11 is stricter about the TLS connection validation than previous versions. The hostname used to connect to nevisAuth must match the hostname used in the certificates used by nevisAuth. (Configured in the nevisauth.yml server configuration)
This can be either done by:
- Changing the url where you connect to from nevisProxy.
- Changing the certificates to use a different host name.
AuthStateException: Non String session attribute was set
This exception is thrown intentionally from groovy ScriptStates. The session attributes only support String values. See here.
Check the groovy script for the attribute mentioned in the exception and change the implementation to store the attribute value as String.
ch.nevis.esauth.auth.engine.AuthStateException: Non String session attribute was set by ScriptState 'Test_ScriptState'. Attribute 'test' is type 'java.util.ArrayList'
Unrecognized VM option
This exception is thrown when a JVM argument is used which is no longer support by Java 17. Either remove the argument or look for a replacement depending on the property.
nevisauth-server[2026]: Unrecognized VM option 'UseConcMarkSweepGC'
nevisauth-server[2026]: Error: Could not create the Java Virtual Machine.
The property in the example can be removed.