What's new in 0.1.0-alpha28

Camunda Security Library Release Notes - Version 0.1.0-alpha28

Executive Summary

Version 0.1.0-alpha28 introduces significant enhancements to the Camunda Security Library, including multiple new features that establish core interfaces and capabilities for handling security within the library framework. This release also adds several Architecture Decision Records (ADRs) that guide the evolving architecture, along with improved documentation to assist in the integration and adoption of the library.

Breaking Changes

None

New Features

Added /task workflow for small, independently mergeable work.
Introduced new core outbound adapter interfaces.
Defined inbound port interfaces in the core module.
Implemented deployment-strategy wiring and renamed the adapters module.
Added a /tour orientation skill.
Created the skeleton for the camunda-security-library module.

Bug Fixes

None

Improvements

Architecture Decision Records (ADRs) added/modified:
- ADR-0013: Multi-IdP OIDC configuration via additive providers.oidc.<id>.* shape
- ADR-0017: SessionStorePort contract and CSL ownership of the web-session lifecycle
- ADR-0018: CamundaUserPort contract migration to CSL
- ADR-0019: Migrate OC's Authorization<T> runtime check spec to CSL as RequiredAuthorization<T>; keep the CSL domain Jackson-free
- ADR-0020: Issuer-aware JwtDecoder for multi-provider OIDC token validation
- ADR-0021: BasicAuthUserDetailsPort for basic-auth user resolution
- ADR-0022: Lift resource access control framework into CSL core
Updated adoption/integration documentation, including:
- docs/adopters/persistent-web-sessions.md
- docs/adopters/ports.md
- docs/adopters/security-filter-chains.md
Renamed "Security Gateway Framework" to "Camunda Security Library" in documentation.
Renamed hexagonal naming conventions to Port/Adapter in documentation.

Modified Public API Classes

io.camunda.security.api.model.config.SessionConfiguration
io.camunda.security.api.model.session.PersistentSession
io.camunda.security.api.model.user.CamundaUserDTO

Full Changelog

What's Changed

Add ADRs from unified identity architecture by @Ben-Sheppard in #1
docs: add AI agent harness and project context by @Ben-Sheppard in #2
refactor: extract workflow docs to agent-neutral location by @Ben-Sheppard in #3
feat: add /task workflow for small, independently mergeable work by @Ben-Sheppard in #4
refactor: use native GitHub issue types and sub-issue relationships by @Ben-Sheppard in #10
docs: require clickable URLs when linking files in issues by @Ben-Sheppard in #12
chore: align java baseline to 21 and ignore local worktrees by @megglos in #14
docs: rename Security Gateway Framework to Camunda Security Library by @megglos in #15
feat: add camunda-security-library module skeleton by @megglos in #23
docs: rename hexagonal naming conventions to Port/Adapter by @megglos in #26
feat: define outbound adapter interfaces in core by @megglos in #28
Architecture vision of the identity unified architecture by @p-wunderlich in #13
feat: define inbound port interfaces in core by @megglos in #27
feat: add deployment-strategy wiring and rename adapters module by @megglos in #29
feat(skills): add /tour orientation skill by @Ben-Sheppard in #41
ci: add renovate config and validation workflow by @megglos in #46
docs: add pull request template by @megglos in #47
build: adopt Spotless with Google Java Format and license-header check by @megglos in #45
test(arch): forbid framework runtime deps in core by @megglos in #44
chore: extend .gitignore for Java, Maven, and IDE files by @megglos in #42
ci(build): add checkstyle with shared ruleset by @megglos in #43
ci: deploy SNAPSHOTs to Camunda Artifactory on push to main by @megglos in #51
build: add managed git hooks via core.hooksPath by @megglos in #48
feat: extract central security filter chains from spike by @Ben-Sheppard in #49
ci(deps): enforce declaration of used dependencies via dependency:analyze by @megglos in #31
ci: add maven release workflow by @megglos in #59
ci(release): clone target/checkout from local working copy by @megglos in #67
build: stop POM formatting churn on every release by @megglos in #68
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 29118bc by @renovate[bot] in #85
chore(deps): update dependency maven to v3.9.15 by @renovate[bot] in #86
docs: adjust ADR for frontend integration after discussion by @mrm1st3r in #52
ci(release): create canary branch and open mergeback PR by @megglos in #87
Update architecture vision after kickoff by @p-wunderlich in #81
docs(contributing): document the release workflow by @megglos in #89
docs(contributing): apply review wording — "cut" → "create" by @megglos in #91
refactor: align port and adapter naming with port/in and port/out by @megglos in #92
Move camunda authentication model + holder to CSL by @p-wunderlich in #79
chore(release): merge back 0.1.0-alpha2 into main by @github-actions[bot] in #97
chore(renovate): raise throughput for nightly + weekend updates by @megglos in #98
ci(renovate): auto-approve labelled renovate PRs to enable automerge by @megglos in #99
chore(deps): update ghcr.io/renovatebot/renovate docker digest to b3297dc by @renovate[bot] in #100
chore(deps): update dependency org.apache.maven.plugins:maven-surefire-plugin to v3.5.5 by @renovate[bot] in #101
fix(deps): update dependency org.springframework.boot:spring-boot-dependencies to v4.0.6 by @renovate[bot] in #102
fix(deps): update dependency org.testcontainers:testcontainers-bom to v2 by @renovate[bot] in #117
chore(deps): update dependency com.puppycrawl.tools:checkstyle to v13 by @renovate[bot] in #116
chore(deps): update dependency com.diffplug.spotless:spotless-maven-plugin to v3 by @renovate[bot] in #115
chore(deps): update actions/setup-java action to v5 by @renovate[bot] in #114
chore(deps): update actions/checkout action to v6 by @renovate[bot] in #113
chore(deps): update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.12.0 by @renovate[bot] in #110
chore(deps): update dependency org.apache.maven.plugins:maven-jar-plugin to v3.5.0 by @renovate[bot] in #109
chore(deps): update dependency org.apache.maven.plugins:maven-dependency-plugin to v3.10.0 by @renovate[bot] in #107
chore(deps): update dependency org.apache.maven.plugins:maven-compiler-plugin to v3.15.0 by @renovate[bot] in #106
chore(deps): update dependency org.apache.maven.plugins:maven-checkstyle-plugin to v3.6.0 by @renovate[bot] in #105
chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin to v3.6.2 by @renovate[bot] in #108
fix(deps): update archunit.version to v1.4.2 by @renovate[bot] in #111
chore(deps): update ghcr.io/renovatebot/renovate docker digest to d0026e7 by @renovate[bot] in #118
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 72e0e22 by @renovate[bot] in #119
chore(deps): update ghcr.io/renovatebot/renovate docker digest to b9e6514 by @renovate[bot] in #120
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 8331320 by @renovate[bot] in #121
fix(hooks): align commit-msg header length with commitlint default by @megglos in #122
feat: validate username/clientId exclusivity in CamundaAuthentication by @p-wunderlich in #123
Relocate config to api + disable spring auto config by @p-wunderlich in #124
feat(csl): add ResourcePermissionPort, AuthorizationRepositoryPort, and web-app SPIs by @Ben-Sheppard in #69
refactor: relocate io.camunda.security.autoconfigure.spring to io.camunda.security.spring by @p-wunderlich in #127
chore(deps): update ghcr.io/renovatebot/renovate docker digest to b1e44b4 by @renovate[bot] in #128
chore: add CODEOWNERS for default PR reviewer assignment by @Ben-Sheppard in #130
docs: document explicit import requirement for Spring configurations … by @p-wunderlich in #131
feat(csl-adapters): lift WebAppAuthorizationCheckFilter by @Ben-Sheppard in #129
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 38aac6e by @renovate[bot] in #134
feat(csl-adapters): wire web app authorization filter into webapp chains by @Ben-Sheppard in #132
docs: add ADR-0009 and adopter guide section for web app authorization by @Ben-Sheppard in #135
feat: add default authentication holder implementations for HTTP sess… by @p-wunderlich in #125
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 4c84638 by @renovate[bot] in #140
feat: integrate AI-generated release summaries in release workflow by @p-wunderlich in #139
feat(csl-core): add admin-user setup SPIs by @Ben-Sheppard in #136
chore(release): merge back 0.1.0-alpha3 into main by @github-actions[bot] in #141
feat(csl-adapters): lift AdminUserCheckFilter into spring-boot-starter by @Ben-Sheppard in #137
feat(csl-adapters): wire AdminUserCheckFilter into webapp chains by @Ben-Sheppard in #138
docs: add ADR-0010 and adopter guide section for admin-user setup by @Ben-Sheppard in #143
Improve release text by @p-wunderlich in #142
chore: add @marcosbarbero as a codeowner by @Ben-Sheppard in #145
docs: add /adr skill and default ADR-writing in standard flow by @Ben-Sheppard in #144
chore(deps): update ghcr.io/renovatebot/renovate docker digest to b0fe9bb by @renovate[bot] in #147
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 033293a by @renovate[bot] in #148
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 4b00071 by @renovate[bot] in #149
chore(deps): update ghcr.io/renovatebot/renovate docker digest to fad87e9 by @renovate[bot] in #150
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 976d49d by @renovate[bot] in #151
chore(deps): update ghcr.io/renovatebot/renovate docker digest to 04a60fe by @renovate[bot] in #152
chore(deps): update ghcr.io/renovatebot/renovate docker digest to d99924e by @renovate[bot] in #153
chore(renovate): stop digest-pinning the renovate bot image by @megglos in #154
feat: enable OC chain adoption (permit-all webapp, OAuth2 resolver hook, WWW-Authenticate fix) by @megglos in #146
chore(release): merge back 0.1.0-alpha4 into main by @github-actions[bot] in #155
refactor: optimize DefaultCamundaAuthenticationProvider caching and… by @p-wunderlich in #159
chore(release): merge back 0.1.0-alpha5 into main by @github-actions[bot] in #160
feat: rename starter SPIs to *Port + library defaults to *Adapter by @megglos in #158
chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.173.3 by @renovate[bot] in #177
chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.173.5 by @renovate[bot] in #178
chore(release): merge back 0.1.0-alpha6 into main by @github-actions[bot] in #164
fix(spring-boot-starter): honor wildcard resource grants by @megglos in #181
feat(spring-boot-starter): add opt-in CamundaSecurityAutoConfiguration umbrella by @megglos in #180
95 move authentication holder implementations to csl increment 2 by @p-wunderlich in #172
chore(release): merge back 0.1.0-alpha7 into main by @github-actions[bot] in #188
fix(spring-boot-starter): scope admin-user check filter to basic-auth chain by @megglos in #190
fix: restore old state of OidcConfiguration and add docs by @p-wunderlich in #193
95 move authentication holder implementations to csl increment 3 by @p-wunderlich in #197
chore(release): merge back 0.1.0-alpha8 into main by @github-actions[bot] in #194
chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.177.4 by @renovate[bot] in #191
chore(release): merge back 0.1.0-alpha9 into main by @github-actions[bot] in #201
fix: write X-CSRF-TOKEN response header before chain dispatch by @megglos in #203
feat(csl-adapters): lift CamundaOidcLogoutSuccessHandler as default LogoutSuccessHandler by @Ben-Sheppard in #196
feat(csl-adapters): default providers.oidc to empty map and cover binding (#74) by @Ben-Sheppard in #214
feat(csl-adapters): build per-provider ClientRegistration in OidcBeansConfiguration (#75) by @Ben-Sheppard in #215
docs(adr-0013): record additive multi-IdP OIDC configuration and adopter guide (#76) by @Ben-Sheppard in #216
feat(csl-adapters): wire OIDC user-info-enabled toggle into ClientRegistration by @Ben-Sheppard in #219
feat(csl-adapters): wire additional-jwk-set-uris into the default JwtDecoder by @Ben-Sheppard in #222
chore(deps): update dependency maven to v3.9.16 by @renovate[bot] in #224
chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin to v3.6.3 by @renovate[bot] in #226
test(api): add unit tests for ConfiguredUser/MappingRule/Tenant/Group/Role (#183) by @p-wunderlich in #225
fix(deps): update dependency com.nimbusds:nimbus-jose-jwt to v10.9 by @renovate[bot] in #227
chore(deps): update dependency com.diffplug.spotless:spotless-maven-plugin to v3.5.1 by @renovate[bot] in #217
chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.185.0 by @renovate[bot] in #212
chore(deps): update hashicorp/vault-action action to v4 by @renovate[bot] in #192
fix(spring-boot-starter): qualify LogoutSuccessHandler in Javadoc @link by @Ben-Sheppard in #230
fix(spring-boot-starter): apply explicit OIDC URI overrides after discovery by @Ben-Sheppard in #234
chore(release): merge back 0.1.0-alpha11 into main by @github-actions[bot] in #231
feat: add lazy-loading supplier methods on CamundaAuthentication by @timcline in #176
chore(release): merge back 0.1.0-alpha12 into main by @github-actions[bot] in #235
chore(release): merge back 0.1.0-alpha13 into main by @github-actions[bot] in #236
fix: add readonly admin to DefaultRole by @mrm1st3r in #237
chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.186.1 by @renovate[bot] in #249
chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.186.2 by @renovate[bot] in #250
fix: convert ConfiguredUser and ConfiguredMappingRule to records by @p-wunderlich in #251
Iteration 8: 95 move conditional annotations to csl by @p-wunderlich in #248
docs: ADR-0016 – CSL authz enum ownership and layered usage by @p-wunderlich in #228
feat: add DefaultRole.ids() by @mrm1st3r in #247
feat(spring-boot-starter): lift ClientAwareOAuth2AuthorizationRequestResolver into CSL by @Ben-Sheppard in #254
test(config): add unit tests for ConfiguredAuthorization (inc4b) by @p-wunderlich in #256
chore(release): merge back 0.1.0-alpha14 into main by @github-actions[bot] in #252
chore(release): merge back 0.1.0-alpha15 into main by @github-actions[bot] in #257
docs(workflow): add formatting step to pre-commit verification by @p-wunderlich in #253
chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.190.1 by @renovate[bot] in #259
chore(renovate): suppress non-major updates for renovate lint image by @megglos in #260
feat: migrate OIDC and username/password auth converters to CSL (Inc 5, #184) by @Ben-Sheppard in #258
feat: enhance CamundaSecurityLibraryProperties with new configuration… by @p-wunderlich in #261
fix(spring-boot-starter): map unknown-issuer JwtException to BadJwtException by @Ben-Sheppard in #263
chore(release): merge back 0.1.0-alpha16 into main by @github-actions[bot] in #262
chore(release): merge back 0.1.0-alpha17 into main by @github-actions[bot] in #264
feat(spring-boot-starter): add CamundaAuthenticationBeansConfiguration (Inc 7a) by @p-wunderlich in #266
feat: per-field lazy membership resolution via MembershipPort by @megglos in #267
chore(release): merge back 0.1.0-alpha18 into main by @github-actions[bot] in #268
chore(release): merge back 0.1.0-alpha19 into main by @github-actions[bot] in #272
feat(oidc): migrate OidcAuthenticationConfigurationRepository from OC to CSL (increment 9) by @p-wunderlich in #270
fix(oidc): install login-page picker filter on OIDC webapp chain by @megglos in #273
feat(oidc): migrate WebappRedirectStrategy to CSL (increment 10) by @p-wunderlich in #275
feat(inc-11): migrate AssertionJwkProvider to CSL by @p-wunderlich in #276
chore(deps): update dependency org.apache.maven.plugins:maven-surefire-plugin to v3.5.6 by @renovate[bot] in #279
chore(deps): update dependency com.diffplug.spotless:spotless-maven-plugin to v3.6.0 by @renovate[bot] in #280
docs: add /epic skill, GH template, and workflow doc by @Ben-Sheppard in #310
fix(deps): update dependency com.nimbusds:nimbus-jose-jwt to v10.9.1 by @renovate[bot] in #317
chore(release): merge back 0.1.0-alpha21 into main by @github-actions[bot] in #277
chore(deps): update dependency org.apache.maven.plugins:maven-dependency-plugin to v3.11.0 by @renovate[bot] in #314
chore(deps): update dependency com.puppycrawl.tools:checkstyle to v13.5.0 by @renovate[bot] in #316
feat: migrate persistent web session lifecycle into CSL behind SessionStorePort by @p-wunderlich in #315
docs(workflows): add issues to CSL and Identity org projects by @Ben-Sheppard in #320
chore(deps): update actions/checkout action to v6.0.3 by @renovate[bot] in #354
chore(release): merge back 0.1.0-alpha22 into main by @github-actions[bot] in #321
feat(user): migrate CamundaUserPort and DTO to CSL (Inc-13) by @p-wunderlich in #346
chore(codeowners): use csl-team instead of individual owners by @Ben-Sheppard in #356
fix(release): drop broken @link to core port in CamundaUserDTO javadoc by @p-wunderlich in #359
docs(adopters): show how to import WebSessionConfiguration so host overrides actually win by @p-wunderlich in #357
chore(release): merge back 0.1.0-alpha23 into main by @github-actions[bot] in #360
feat(core): migrate MappingRuleMatcher from OC security-core by @p-wunderlich in #353
test(api): enforce non-null collection defaults on user model records by @p-wunderlich in #363
ci: auto-publish releases to Maven Central by @Ben-Sheppard in #364
chore: add logging and user-docs guidelines to agent instructions by @p-wunderlich in #366
feat(authz): migrate Authorization to CSL as RequiredAuthorization by @p-wunderlich in #355
feat(authz): migrate SecurityContext and authorization condition types to CSL (issue #352) by @p-wunderlich in #370
chore(release): merge back 0.1.0-alpha24 into main by @github-actions[bot] in #365
chore(release): merge back 0.1.0-alpha25 into main by @github-actions[bot] in #368
chore(release): merge back 0.1.0-alpha26 into main by @github-actions[bot] in #371
feat(oidc): issuer-aware JwtDecoder for multi-provider token validation (#221) by @megglos in #373
feat(auth): add UserDetailsPort and CSL UserDetailsService for basic-auth user resolution by @megglos in #374
chore(release): merge back 0.1.0-alpha27 into main by @github-actions[bot] in #376
feat(inc15): migrate resource access control framework to CSL by @p-wunderlich in #377

New Contributors

@Ben-Sheppard made their first contribution in #1
@megglos made their first contribution in #14
@renovate[bot] made their first contribution in #85
@mrm1st3r made their first contribution in #52
@github-actions[bot] made their first contribution in #97
@timcline made their first contribution in #176

Full Changelog: https://github.com/camunda/camunda-security-library/commits/0.1.0-alpha28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

0.1.0-alpha28

Choose a tag to compare

Sorry, something went wrong.