Version: 6.18

Security and authentication improvements

The following improvements regarding security and authentication have been made.

Second endpoint when external SSO is active (#659507)

When Single-Sign-On with an external provider is used, it is now possible to enable a second OIDC endpoint which allows database or LDAP authentication to be used. This is useful if the external SSO service is temporarily unavailable or if specific tasks need to be performed by a user who is not managed in the external SSO infrastructure.

info

For the regular operation of ConSol CM, it is not required to configure a second endpoint. If a second endpoint is configured, it is recommended to enable it only during the time when it is actually needed.

Second URL

The precondition for configuring a second endpoint is that a second URL for accessing the Web Client or Web Admin Suite is available. This can be configured, for example, using a proxy.

The second endpoint can be configured in the OIDC in the Web Client and OIDC in the Web Admin Suite sections of the Authentication page of the Web Admin Suite. If OIDC enabled is set to true and External is selected in the Provider type field, the link Create configuration for second endpoint is displayed below the provider type. When the user clicks the link, a new section for the second endpoint is shown. It contains the following settings:

  • OIDC enabled: Indicates whether the second endpoint for user authentication via OIDC is enabled.
  • Redirect URI: The OIDC endpoint of the second URL to the Web Client, e.g. https://nosso.myurl.consol.cm/cm-client/oidc/.
  • URL of the authentication authority: The URL where the authentication application is available, e.g. https://nosso.myurl.consol.cm/cmas-auth-user.

The respective system properties are created as a secondEndpoint configuration.

Third-party library changes

The following third-party libraries have been updated or replaced in this ConSol CM version:

  • angus-activation (#665910): Updated to version 2.0.2
  • angus-mail (#665910): Updated to version 2.0.4
  • avro (#665910): Updated to version 1.11.4
  • atmosphere (#665617): Updated to version 4.0.1
  • axios (#665914, #666125, #666173): Updated to version 1.12.0
  • bcpkix-jdk18on (#665492): Updated to version 1.81
  • commons-fileupload (#665910): Updated to version 2.0.0-M4
  • commons-io (#665910): Updated to version 2.20.0
  • docx4j-export (#665910): Updated to version 11.5.5
  • dom purify (#665914): Updated to version 3.2.4
  • dozer-core (#666338): Updated to version 7.0.0
  • flapdoodle (#666147): Updated to version 4.21.0
  • formio (#665127): Updated to version 5.2.0
  • formio/js (#665914): Updated to version 5.1.2
  • formio/react (#665914): Updated to version 6.1.0
  • froala (#666330): Updated to version 4.5.2
  • hibernate (#665612): Updated to version 6.6.20
  • infinispan (#666308): Updated to version 15.1.7
  • jackson (#665492): Updated to version 2.17.2
  • jointJS (#665332): Updated to version 4.1.1
  • logback (#665910, #666394): Updated to version 1.3.15 and 1.5.19
  • Material UI (#665332): Updated to version 7.1.1
  • mssql-jdbc (#666516, #666526): Updated to version 12.10.2.jre11
  • mobx (#665617): Updated to version 6.13.7
  • netty (#665492, #665910): Updated to version 4.1.127
  • nimbus-jose-jwt (#665912, #665915): Updated to version 10.0.2
  • primereact (#665846): Updated to version 10.9.6
  • react (#665332, #665617): Updated to version 18.2.0 in the Web Client and to version 19.1.0 in the Web Admin Suite
  • spring (#665910): Updated to version 6.2.11
  • spring boot (#665912, #666058, #666125, #666198, #666248, #666618, #666632): Updated to version 3.5.6 and 3.5.7
  • spring security (#665910): Updated to version 6.4.11
  • tomcat (#666619): Updated to version 10.1.48 in CM/Track
  • vite (#666125, #666563, #666564): Updated to version 5.4.20 in CM/Track and to version 6.4.1 in the Web Admin Suite and the Web Client
  • wicket (#665910): Updated to version 10.6.0

info

The users need to update CM/Doc for this change to become effective.

Third-party library removals

The following third-party libraries have been removed in this ConSol CM version:

  • commons-lang (#666312): Replaced by commons-lang3 and custom classes
  • http-builder (#665910): Removed, use org.apache.http.impl.client.HttpClientBuilder instead
  • ini4j (#665910): Removed

commons-lang removal

On update, the following replacements are done automatically:

  • Replace import org.apache.commons.lang.math.LongRange with import com.consol.cmas.common.model.LongRange
  • Replace import org.apache.commons.lang.math.NumberRange with import com.consol.cmas.common.model.NumberRange
  • Replace org.apache.commons.lang with org.apache.commons.lang3

When importing a scene that was exported from a ConSol CM system with a version lower than 6.18.1, you need to modify the imports manually in all scripts that are embedded in workflows. In regular scripts, including scripts of the type Workflow, these changes are performed automatically.

Please also check the official migration guide: https://commons.apache.org/proper/commons-lang/article3_0.html.
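
The three replacements listed above, applied to one script body in an order that keeps the result valid, as an added Python example (not ConSol CM code). The function name migrate_script and the sample script are assumptions made for illustration. The two class moves run before the package rename, and the rename skips names that are already lang3.

```python
import re

# The three replacements from the release notes. Order matters: the two
# class moves run first, the package rename last. Renaming first would turn
# the LongRange import into org.apache.commons.lang3.math.LongRange, a class
# that commons-lang3 does not provide.
CLASS_MOVES = {
    "org.apache.commons.lang.math.LongRange":
        "com.consol.cmas.common.model.LongRange",
    "org.apache.commons.lang.math.NumberRange":
        "com.consol.cmas.common.model.NumberRange",
}

# Match the old package only when a dot follows, so that names which are
# already org.apache.commons.lang3 are not rewritten into "lang33".
OLD_PACKAGE = re.compile(r"\borg\.apache\.commons\.lang(?=\.)")


def migrate_script(source):
    """Return (new_source, replacement_count) for one script body."""
    count = 0
    for old, new in CLASS_MOVES.items():
        pattern = re.compile(r"\bimport\s+" + re.escape(old) + r"\b")
        source, n = pattern.subn("import " + new, source)
        count += n
    source, n = OLD_PACKAGE.subn("org.apache.commons.lang3", source)
    return source, count + n


# Constructed sample of a script embedded in a workflow; not from a real system.
SAMPLE = """\
import org.apache.commons.lang.StringUtils
import org.apache.commons.lang.math.LongRange
import org.apache.commons.lang.math.NumberRange
import org.apache.commons.lang3.ArrayUtils

def range = new LongRange(1, 10)
def name = StringUtils.trimToEmpty(input)
"""

if __name__ == "__main__":
    migrated, changed = migrate_script(SAMPLE)
    print(migrated)
    print("replacements:", changed)
```

Running the function a second time on its own output makes no further changes, so it can be applied safely to scripts that were already partly migrated.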