Security and authentication improvements
The following improvements regarding security and authentication have been made.
Prevent system access using FreeMarker templates (#645938)
ConSol CM has been hardened against attempts to execute system commands and access system files through technical templates using FreeMarker.
Alternative OIDC name field for users (#661766)
The Users page of the Web Client has been extended with the setting OIDC name. It allows an alternative username to be provided for authenticating users with external OIDC providers. This is needed when the usernames used in the customer's OIDC infrastructure do not match the existing usernames (logins) in ConSol CM, and there is no way to map them using regular expressions.
During OIDC authentication, the system will first attempt to match the username returned by the SSO provider with the new OIDC name. If no match is found, the system will revert to the previous mechanism and try to match it with the login name.
The OIDC name must be unique across both the login names and other OIDC names. If conflicts are detected during import, the conflicting user will be renamed with (1) and disabled, and a corresponding entry will be written to the log files.
Authentication in CM/Archive with authentication application (#662179)
The CM/Archive application now uses the same internal authentication application as the Web Client and Web Admin Suite. This streamlines the authentication processes by using OpenID Connect technology for all three clients.
The authentication information for CM/Archive is saved in new system properties starting with oidc.archive in the module cmas-core-security. The properties are created automatically on setup and update.
- oidc.archive.accessTokenValidity.default: Validity of the access tokens; replaces client.archive.access.token.validity.seconds of the module cmas-auth-server.
- oidc.archive.clientId.default: Client ID; can be modified; must match archive.oidc.client.id in archive.properties.
- oidc.archive.clientSecret.default: Client secret; can be modified; must match archive.oidc.client.secret in archive.properties.
- oidc.archive.redirectUri.default: URI where CM/Archive is deployed; must match archive.oidc.redirect.uri in archive.properties.
- oidc.archive.refreshTokenValidity.default: Validity of the refresh tokens; replaces client.archive.refresh.token.validity.seconds of the module cmas-auth-server.
The unneeded properties of the module cmas-auth-server have been removed.
The archive.properties file has been adjusted accordingly.
The following properties have been added:
- archive.oidc.client.id=archive
- archive.oidc.client.secret=YOUR_PASSWORD_HERE
- archive.oidc.issuer= http://CMAS_AUTH_USER_BACKEND/cmas-auth-user
- archive.oidc.redirect.uri=http://ARCHIVE_URL/oidc/
- archive.oidc.state.ttl=28800
- archive.oidc.global.logout=true
The following properties have been removed:
- archive.cm6.endpoint
- archive.oauth2.server.uri
- archive.oauth2.access.token.signing.key
- archive.oauth2.client.id
- archive.oauth2.client.secret
You need to adjust the archive.properties file manually after the update. The values of client ID, client secret and redirect URI must match the values of the respective system properties. You can modify the client ID as desired.
The proxy configuration for the authserver endpoint of the ConSol CM backend is not needed anymore, because CM/Archive now uses CMAS_AUTH_USER_BACKEND.
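A post-update consistency check for the new archive.properties layout, as an added example that is not part of ConSol CM: it reads the file with a minimal Java properties parser, compares the three values that must agree with the oidc.archive.* system properties, and flags leftover pre-6.18 keys and the shipped placeholder secret. The system property values are passed in as a dict, and the sample file and values are constructed.

```python
import re

# archive.properties key -> cmas-core-security system property it must match
MUST_MATCH = {
    "archive.oidc.client.id": "oidc.archive.clientId.default",
    "archive.oidc.client.secret": "oidc.archive.clientSecret.default",
    "archive.oidc.redirect.uri": "oidc.archive.redirectUri.default",
}
# keys removed in 6.18.0; any left over means the file was not migrated
REMOVED_KEYS = {"archive.cm6.endpoint", "archive.oauth2.server.uri",
                "archive.oauth2.access.token.signing.key",
                "archive.oauth2.client.id", "archive.oauth2.client.secret"}

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader (key=value or key:value, #/! comments, no continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # whitespace around the key and before the value is dropped, like java.util.Properties
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_archive_config(properties_text: str, system_props: dict) -> list:
    """Return findings as strings; an empty list means the file is consistent."""
    props = parse_properties(properties_text)
    findings = []
    for file_key, sys_key in MUST_MATCH.items():
        if file_key not in props:
            findings.append(f"missing {file_key}")
        elif props[file_key] != system_props.get(sys_key):
            findings.append(f"{file_key} != {sys_key}")
    if props.get("archive.oidc.client.secret") == "YOUR_PASSWORD_HERE":
        findings.append("archive.oidc.client.secret still has the placeholder value")
    for key in sorted(REMOVED_KEYS & props.keys()):
        findings.append(f"stale pre-6.18 key {key}")
    return findings

# constructed sample: a migrated file that still carries one pre-6.18 key
SAMPLE_PROPERTIES = """archive.oidc.client.id=archive
archive.oidc.client.secret=s3cr3t-example
archive.oidc.issuer= http://CMAS_AUTH_USER_BACKEND/cmas-auth-user
archive.oidc.redirect.uri=http://ARCHIVE_URL/oidc/
archive.oauth2.client.id=archive
"""
# constructed values as read from the oidc.archive.* system properties
SAMPLE_SYSTEM_PROPS = {"oidc.archive.clientId.default": "archive",
                       "oidc.archive.clientSecret.default": "s3cr3t-example",
                       "oidc.archive.redirectUri.default": "http://ARCHIVE_URL/oidc/"}
```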
Deactivate newly created users resulting from name collisions on import (#662306)
When a user with a different transfer key but the same name as an existing user is imported, a new user with the suffix (1) is created. This new user is now deactivated automatically for security reasons. A warning message is written to the log files and shown in the Import results panel.
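The matching order and uniqueness rule for the OIDC name (#661766) and the deactivation of colliding users on import (#662306), as an added illustrative model that is not ConSol CM code: the User and UserDirectory classes, the exact suffix format " (1)" and the rule that deactivated users are skipped during matching are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    login: str
    oidc_name: Optional[str] = None
    active: bool = True


@dataclass
class UserDirectory:
    users: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def taken_names(self) -> set:
        # OIDC names must be unique across both login names and other OIDC names.
        names = {u.login for u in self.users}
        return names | {u.oidc_name for u in self.users if u.oidc_name}

    def resolve_sso_user(self, sso_username: str) -> Optional[User]:
        # Assumption: deactivated users cannot authenticate, so they are skipped.
        candidates = [u for u in self.users if u.active]
        # First pass: match the name returned by the SSO provider against OIDC names.
        for u in candidates:
            if u.oidc_name == sso_username:
                return u
        # Fallback to the previous mechanism: match against the login name.
        for u in candidates:
            if u.login == sso_username:
                return u
        return None

    def import_user(self, user: User) -> User:
        # A colliding login or OIDC name is renamed with the suffix (1), deactivated
        # and reported in the log, as described for the import in 6.18.0.
        taken = self.taken_names()
        if user.login in taken or (user.oidc_name and user.oidc_name in taken):
            user = User(login=f"{user.login} (1)", oidc_name=user.oidc_name, active=False)
            self.log.append(f"WARN: name collision on import, created '{user.login}' deactivated")
        self.users.append(user)
        return user
```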
Third-party library changes
The following third-party libraries have been updated or replaced in this ConSol CM version:
- atmosphere (#661107): Updated from version 2.5.2 to 3.0.8
- babel (#664971): Updated to version 7.27.1
- babel-traverse (#664971): Updated from version 7.23.7 to 7.25.0
- bootstrap (#662421): Updated from version 4.6.0 to 5.3.3
- docx4j (#661108): Updated from version 8.3.4 to 11.4.11
- freemarker (#664267): Updated from version 2.3.28 to 2.3.34
- formio (#662974): Updated from version 4.16.0 to 5.0.0
- groovy (#662158): Updated to version 4.0.23
- groovy-wslite (#662649): Updated from version 1.1.3 to 2.0.0
- http-proxy-middleware (#664971, #664972): Updated to version 2.0.9 (Web Client) and 3.0.5 (Web Admin Suite)
- hibernate (#664267): Updated from version 5.6.15 to 6.6.8
- infinispan (#661108): Updated from version 11.0.16 to 15.0.7
- jackson (#661108): Updated from version 2.13.5 to 2.17.2
- jackson databind (#661108): Updated from version 2.13.4.2 to 2.17.2
- javax activation (#661107): Replaced by jakarta activation in version 2.0.1
- javax annotation (#661107): Replaced by jakarta annotation in version 3.0.0
- javax mail (#661107, #662787): Replaced by angus mail and jakarta servlet
- javax servlet (#661107): Replaced by jakarta servlet in version 6.1.0
- jersey (#661108): Updated from version 2.37 to 3.1.7
- mui (#664500): Updated to version 6.4.7 in CM/Archive
- netty (#664296): Updated to version 4.1.118
- react (#664500): Updated from version 16.13.1 to 19.0.0 in CM/Archive
- react-router (#664967): Updated from version 7.5.1 to 7.5.3 in CM/Archive
- spring (#664267): Updated from version 5.3.27 to 6.2.3
- spring boot (#664267): Updated to 3.4.3 (core), 3.4.4 (CM/Archive), 3.4.5 (ETL Runner), 3.4.6 (CMRF, authentication applications)
- spring security (#664267): Updated from version 5.8.11 to 6.4.3
- tomcat (#661972): Updated to version 10.1.40
- vite (#661972, #664972): Updated to version 5.4.19 (CM/Track V3) and 6.2.7 (Web Admin Suite)
- wicket (#661356, #664557): Updated from version 9.13.0 to 10.5.0
In version 6.18.0, the libraries which handle email sending have been changed.
Before updating to version 6.18.0, you need to ensure that the table cmas_outgoing_email, which stores queued outgoing emails, is empty. Waiting emails from earlier versions cannot be sent after the update.
During the update, import statements referring to mailing libraries are automatically adjusted in all kinds of scripts.
When importing a scene that was exported from a ConSol CM system with a version lower than 6.18.0, you need to modify the following imports in all scripts embedded in workflows:
- Replace javax.mail with jakarta.mail
- Replace javax.activation with jakarta.activation
- Replace com.sun.mail with org.eclipse.angus.mail
In regular scripts, including scripts of the type Workflow, these changes are performed automatically.
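For the workflow-embedded scripts of older scenes that are not adjusted automatically, an added helper (not part of ConSol CM) that first audits and then rewrites the three package prefixes listed above. The prefix match is restricted to package boundaries so that unrelated identifiers are left alone, and the sample Groovy script is constructed.

```python
import re

# old package prefix -> new package prefix, as listed in the 6.18.0 release notes
MAIL_PACKAGE_MAP = {
    "javax.mail": "jakarta.mail",
    "javax.activation": "jakarta.activation",
    "com.sun.mail": "org.eclipse.angus.mail",
}
# Match a prefix only at a package boundary: not preceded by an identifier
# character or '.', and followed by '.', ';', whitespace or end of line.
_PATTERN = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(p) for p in MAIL_PACKAGE_MAP) + r")(?=[.;\s]|$)"
)


def find_legacy_mail_refs(script: str) -> list:
    """Return (line_number, old_prefix) for every legacy reference, for an audit report."""
    hits = []
    for no, line in enumerate(script.splitlines(), 1):
        for m in _PATTERN.finditer(line):
            hits.append((no, m.group(1)))
    return hits


def migrate_mail_imports(script: str) -> tuple:
    """Rewrite legacy package prefixes; returns (new_script, number_of_replacements)."""
    return _PATTERN.subn(lambda m: MAIL_PACKAGE_MAP[m.group(1)], script)


# constructed sample of a pre-6.18 workflow script (imports and one qualified use)
SAMPLE_SCRIPT = """import javax.mail.internet.MimeMessage
import javax.mail.*
import javax.activation.DataHandler
import com.sun.mail.smtp.SMTPTransport
import java.util.Properties
def session = javax.mail.Session.getInstance(new Properties())
"""
```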
Third-party library removals
The following third-party libraries have been removed in this ConSol CM version:
- castor (#658943): Replaced by jackson in the scene export mechanism
- jolokia (#662651): Removed due to lack of usage
Due to the removal of castor, only scenes exported with ConSol CM version 6.17.0.0 or higher can be imported. Scenes created with a version lower than 6.17.0.0 will be rejected. If you want to import a scene from an older version into a system with version 6.18, you need to upgrade the source system to 6.17 first and then do the export.