0.1.0-alpha32

@github-actions released this 18 Jun 09:55

What's new in 0.1.0-alpha32

Release Notes for Camunda Security Library Version 0.1.0-alpha32

Executive Summary

Version 0.1.0-alpha32 introduces significant architectural updates, including multiple Architecture Decision Records (ADRs) that enhance identity management and resource access control. New features such as the /task workflow and the outbound adapter and inbound port interfaces extend the library's capabilities. Comprehensive documentation improvements have been made to aid integration and adoption.

Breaking Changes

  • None

New Features

  • Introduced new workflows with the addition of the /task workflow for small, independently mergeable work.
  • Added core outbound adapter interfaces.
  • Defined inbound port interfaces for enhanced adaptability and integration.
  • Implemented deployment-strategy wiring and renamed the adapters module.
  • Introduced the /tour orientation skill.
  • Created a skeleton for the camunda-security-library module.

Bug Fixes

  • None

Improvements

  • Added multiple Architecture Decision Records (ADRs), including:
    • ADR-0013: Multi-IdP OIDC configuration
    • ADR-0020: Issuer-aware JwtDecoder for multi-provider OIDC
    • ADR-0021: BasicAuthUserDetailsPort for user resolution
    • ADR-0022: Resource access control framework enhancements
    • ADR-0024: Dedicated validation module for entity validators
    • Additional improvements related to scoped webapp security chains and other framework extensions.
  • Updated adoption/integration documentation, including:
    • docs/adopters/ports.md
    • docs/adopters/security-filter-chains.md
  • Enhanced public API classes, notably:
    • io.camunda.security.api.context.CamundaSecurityScopeProvider
    • io.camunda.security.api.model.CamundaAuthentication
    • io.camunda.security.api.model.authz.AuthorizationResourceType
    • io.camunda.security.api.model.authz.PermissionType
    • io.camunda.security.api.model.authz.ResourceType
  • Refactored workflow documentation to an agent-neutral location for easier navigation.
  • Updated various documentation files, including a new pull request template and renaming conventions in the documentation.

Full Changelog

What's Changed

  • Add ADRs from unified identity architecture by @Ben-Sheppard in #1
  • docs: add AI agent harness and project context by @Ben-Sheppard in #2
  • refactor: extract workflow docs to agent-neutral location by @Ben-Sheppard in #3
  • feat: add /task workflow for small, independently mergeable work by @Ben-Sheppard in #4
  • refactor: use native GitHub issue types and sub-issue relationships by @Ben-Sheppard in #10
  • docs: require clickable URLs when linking files in issues by @Ben-Sheppard in #12
  • chore: align java baseline to 21 and ignore local worktrees by @megglos in #14
  • docs: rename Security Gateway Framework to Camunda Security Library by @megglos in #15
  • feat: add camunda-security-library module skeleton by @megglos in #23
  • docs: rename hexagonal naming conventions to Port/Adapter by @megglos in #26
  • feat: define outbound adapter interfaces in core by @megglos in #28
  • Architecture vision of the identity unified architecture by @p-wunderlich in #13
  • feat: define inbound port interfaces in core by @megglos in #27
  • feat: add deployment-strategy wiring and rename adapters module by @megglos in #29
  • feat(skills): add /tour orientation skill by @Ben-Sheppard in #41
  • ci: add renovate config and validation workflow by @megglos in #46
  • docs: add pull request template by @megglos in #47
  • build: adopt Spotless with Google Java Format and license-header check by @megglos in #45
  • test(arch): forbid framework runtime deps in core by @megglos in #44
  • chore: extend .gitignore for Java, Maven, and IDE files by @megglos in #42
  • ci(build): add checkstyle with shared ruleset by @megglos in #43
  • ci: deploy SNAPSHOTs to Camunda Artifactory on push to main by @megglos in #51
  • build: add managed git hooks via core.hooksPath by @megglos in #48
  • feat: extract central security filter chains from spike by @Ben-Sheppard in #49
  • ci(deps): enforce declaration of used dependencies via dependency:analyze by @megglos in #31
  • ci: add maven release workflow by @megglos in #59
  • ci(release): clone target/checkout from local working copy by @megglos in #67
  • build: stop POM formatting churn on every release by @megglos in #68
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 29118bc by @renovate[bot] in #85
  • chore(deps): update dependency maven to v3.9.15 by @renovate[bot] in #86
  • docs: adjust ADR for frontend integration after discussion by @mrm1st3r in #52
  • ci(release): create canary branch and open mergeback PR by @megglos in #87
  • Update architecture vision after kickoff by @p-wunderlich in #81
  • docs(contributing): document the release workflow by @megglos in #89
  • docs(contributing): apply review wording — "cut" → "create" by @megglos in #91
  • refactor: align port and adapter naming with port/in and port/out by @megglos in #92
  • Move camunda authentication model + holder to CSL by @p-wunderlich in #79
  • chore(release): merge back 0.1.0-alpha2 into main by @github-actions[bot] in #97
  • chore(renovate): raise throughput for nightly + weekend updates by @megglos in #98
  • ci(renovate): auto-approve labelled renovate PRs to enable automerge by @megglos in #99
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to b3297dc by @renovate[bot] in #100
  • chore(deps): update dependency org.apache.maven.plugins:maven-surefire-plugin to v3.5.5 by @renovate[bot] in #101
  • fix(deps): update dependency org.springframework.boot:spring-boot-dependencies to v4.0.6 by @renovate[bot] in #102
  • fix(deps): update dependency org.testcontainers:testcontainers-bom to v2 by @renovate[bot] in #117
  • chore(deps): update dependency com.puppycrawl.tools:checkstyle to v13 by @renovate[bot] in #116
  • chore(deps): update dependency com.diffplug.spotless:spotless-maven-plugin to v3 by @renovate[bot] in #115
  • chore(deps): update actions/setup-java action to v5 by @renovate[bot] in #114
  • chore(deps): update actions/checkout action to v6 by @renovate[bot] in #113
  • chore(deps): update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.12.0 by @renovate[bot] in #110
  • chore(deps): update dependency org.apache.maven.plugins:maven-jar-plugin to v3.5.0 by @renovate[bot] in #109
  • chore(deps): update dependency org.apache.maven.plugins:maven-dependency-plugin to v3.10.0 by @renovate[bot] in #107
  • chore(deps): update dependency org.apache.maven.plugins:maven-compiler-plugin to v3.15.0 by @renovate[bot] in #106
  • chore(deps): update dependency org.apache.maven.plugins:maven-checkstyle-plugin to v3.6.0 by @renovate[bot] in #105
  • chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin to v3.6.2 by @renovate[bot] in #108
  • fix(deps): update archunit.version to v1.4.2 by @renovate[bot] in #111
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to d0026e7 by @renovate[bot] in #118
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 72e0e22 by @renovate[bot] in #119
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to b9e6514 by @renovate[bot] in #120
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 8331320 by @renovate[bot] in #121
  • fix(hooks): align commit-msg header length with commitlint default by @megglos in #122
  • feat: validate username/clientId exclusivity in CamundaAuthentication by @p-wunderlich in #123
  • Relocate config to api + disable spring auto config by @p-wunderlich in #124
  • feat(csl): add ResourcePermissionPort, AuthorizationRepositoryPort, and web-app SPIs by @Ben-Sheppard in #69
  • refactor: relocate io.camunda.security.autoconfigure.spring to io.camunda.security.spring by @p-wunderlich in #127
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to b1e44b4 by @renovate[bot] in #128
  • chore: add CODEOWNERS for default PR reviewer assignment by @Ben-Sheppard in #130
  • docs: document explicit import requirement for Spring configurations … by @p-wunderlich in #131
  • feat(csl-adapters): lift WebAppAuthorizationCheckFilter by @Ben-Sheppard in #129
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 38aac6e by @renovate[bot] in #134
  • feat(csl-adapters): wire web app authorization filter into webapp chains by @Ben-Sheppard in #132
  • docs: add ADR-0009 and adopter guide section for web app authorization by @Ben-Sheppard in #135
  • feat: add default authentication holder implementations for HTTP sess… by @p-wunderlich in #125
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 4c84638 by @renovate[bot] in #140
  • feat: integrate AI-generated release summaries in release workflow by @p-wunderlich in #139
  • feat(csl-core): add admin-user setup SPIs by @Ben-Sheppard in #136
  • chore(release): merge back 0.1.0-alpha3 into main by @github-actions[bot] in #141
  • feat(csl-adapters): lift AdminUserCheckFilter into spring-boot-starter by @Ben-Sheppard in #137
  • feat(csl-adapters): wire AdminUserCheckFilter into webapp chains by @Ben-Sheppard in #138
  • docs: add ADR-0010 and adopter guide section for admin-user setup by @Ben-Sheppard in #143
  • Improve release text by @p-wunderlich in #142
  • chore: add @marcosbarbero as a codeowner by @Ben-Sheppard in #145
  • docs: add /adr skill and default ADR-writing in standard flow by @Ben-Sheppard in #144
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to b0fe9bb by @renovate[bot] in #147
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 033293a by @renovate[bot] in #148
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 4b00071 by @renovate[bot] in #149
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to fad87e9 by @renovate[bot] in #150
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 976d49d by @renovate[bot] in #151
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to 04a60fe by @renovate[bot] in #152
  • chore(deps): update ghcr.io/renovatebot/renovate docker digest to d99924e by @renovate[bot] in #153
  • chore(renovate): stop digest-pinning the renovate bot image by @megglos in #154
  • feat: enable OC chain adoption (permit-all webapp, OAuth2 resolver hook, WWW-Authenticate fix) by @megglos in #146
  • chore(release): merge back 0.1.0-alpha4 into main by @github-actions[bot] in #155
  • refactor: optimize DefaultCamundaAuthenticationProvider caching and… by @p-wunderlich in #159
  • chore(release): merge back 0.1.0-alpha5 into main by @github-actions[bot] in #160
  • feat: rename starter SPIs to *Port + library defaults to *Adapter by @megglos in #158
  • chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.173.3 by @renovate[bot] in #177
  • chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.173.5 by @renovate[bot] in #178
  • chore(release): merge back 0.1.0-alpha6 into main by @github-actions[bot] in #164
  • fix(spring-boot-starter): honor wildcard resource grants by @megglos in #181
  • feat(spring-boot-starter): add opt-in CamundaSecurityAutoConfiguration umbrella by @megglos in #180
  • 95 move authentication holder implementations to csl increment 2 by @p-wunderlich in #172
  • chore(release): merge back 0.1.0-alpha7 into main by @github-actions[bot] in #188
  • fix(spring-boot-starter): scope admin-user check filter to basic-auth chain by @megglos in #190
  • fix: restore old state of OidcConfiguration and add docs by @p-wunderlich in #193
  • 95 move authentication holder implementations to csl increment 3 by @p-wunderlich in #197
  • chore(release): merge back 0.1.0-alpha8 into main by @github-actions[bot] in #194
  • chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.177.4 by @renovate[bot] in #191
  • chore(release): merge back 0.1.0-alpha9 into main by @github-actions[bot] in #201
  • fix: write X-CSRF-TOKEN response header before chain dispatch by @megglos in #203
  • feat(csl-adapters): lift CamundaOidcLogoutSuccessHandler as default LogoutSuccessHandler by @Ben-Sheppard in #196
  • feat(csl-adapters): default providers.oidc to empty map and cover binding (#74) by @Ben-Sheppard in #214
  • feat(csl-adapters): build per-provider ClientRegistration in OidcBeansConfiguration (#75) by @Ben-Sheppard in #215
  • docs(adr-0013): record additive multi-IdP OIDC configuration and adopter guide (#76) by @Ben-Sheppard in #216
  • feat(csl-adapters): wire OIDC user-info-enabled toggle into ClientRegistration by @Ben-Sheppard in #219
  • feat(csl-adapters): wire additional-jwk-set-uris into the default JwtDecoder by @Ben-Sheppard in #222
  • chore(deps): update dependency maven to v3.9.16 by @renovate[bot] in #224
  • chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin to v3.6.3 by @renovate[bot] in #226
  • test(api): add unit tests for ConfiguredUser/MappingRule/Tenant/Group/Role (#183) by @p-wunderlich in #225
  • fix(deps): update dependency com.nimbusds:nimbus-jose-jwt to v10.9 by @renovate[bot] in #227
  • chore(deps): update dependency com.diffplug.spotless:spotless-maven-plugin to v3.5.1 by @renovate[bot] in #217
  • chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.185.0 by @renovate[bot] in #212
  • chore(deps): update hashicorp/vault-action action to v4 by @renovate[bot] in #192
  • fix(spring-boot-starter): qualify LogoutSuccessHandler in Javadoc @link by @Ben-Sheppard in #230
  • fix(spring-boot-starter): apply explicit OIDC URI overrides after discovery by @Ben-Sheppard in #234
  • chore(release): merge back 0.1.0-alpha11 into main by @github-actions[bot] in #231
  • feat: add lazy-loading supplier methods on CamundaAuthentication by @timcline in #176
  • chore(release): merge back 0.1.0-alpha12 into main by @github-actions[bot] in #235
  • chore(release): merge back 0.1.0-alpha13 into main by @github-actions[bot] in #236
  • fix: add readonly admin to DefaultRole by @mrm1st3r in #237
  • chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.186.1 by @renovate[bot] in #249
  • chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.186.2 by @renovate[bot] in #250
  • fix: convert ConfiguredUser and ConfiguredMappingRule to records by @p-wunderlich in #251
  • Iteration 8: 95 move conditional annotations to csl by @p-wunderlich in #248
  • docs: ADR-0016 – CSL authz enum ownership and layered usage by @p-wunderlich in #228
  • feat: add DefaultRole.ids() by @mrm1st3r in #247
  • feat(spring-boot-starter): lift ClientAwareOAuth2AuthorizationRequestResolver into CSL by @Ben-Sheppard in #254
  • test(config): add unit tests for ConfiguredAuthorization (inc4b) by @p-wunderlich in #256
  • chore(release): merge back 0.1.0-alpha14 into main by @github-actions[bot] in #252
  • chore(release): merge back 0.1.0-alpha15 into main by @github-actions[bot] in #257
  • docs(workflow): add formatting step to pre-commit verification by @p-wunderlich in #253
  • chore(deps): update ghcr.io/renovatebot/renovate docker tag to v43.190.1 by @renovate[bot] in #259
  • chore(renovate): suppress non-major updates for renovate lint image by @megglos in #260
  • feat: migrate OIDC and username/password auth converters to CSL (Inc 5, #184) by @Ben-Sheppard in #258
  • feat: enhance CamundaSecurityLibraryProperties with new configuration… by @p-wunderlich in #261
  • fix(spring-boot-starter): map unknown-issuer JwtException to BadJwtException by @Ben-Sheppard in #263
  • chore(release): merge back 0.1.0-alpha16 into main by @github-actions[bot] in #262
  • chore(release): merge back 0.1.0-alpha17 into main by @github-actions[bot] in #264
  • feat(spring-boot-starter): add CamundaAuthenticationBeansConfiguration (Inc 7a) by @p-wunderlich in #266
  • feat: per-field lazy membership resolution via MembershipPort by @megglos in #267
  • chore(release): merge back 0.1.0-alpha18 into main by @github-actions[bot] in #268
  • chore(release): merge back 0.1.0-alpha19 into main by @github-actions[bot] in #272
  • feat(oidc): migrate OidcAuthenticationConfigurationRepository from OC to CSL (increment 9) by @p-wunderlich in #270
  • fix(oidc): install login-page picker filter on OIDC webapp chain by @megglos in #273
  • feat(oidc): migrate WebappRedirectStrategy to CSL (increment 10) by @p-wunderlich in #275
  • feat(inc-11): migrate AssertionJwkProvider to CSL by @p-wunderlich in #276
  • chore(deps): update dependency org.apache.maven.plugins:maven-surefire-plugin to v3.5.6 by @renovate[bot] in #279
  • chore(deps): update dependency com.diffplug.spotless:spotless-maven-plugin to v3.6.0 by @renovate[bot] in #280
  • docs: add /epic skill, GH template, and workflow doc by @Ben-Sheppard in #310
  • fix(deps): update dependency com.nimbusds:nimbus-jose-jwt to v10.9.1 by @renovate[bot] in #317
  • chore(release): merge back 0.1.0-alpha21 into main by @github-actions[bot] in #277
  • chore(deps): update dependency org.apache.maven.plugins:maven-dependency-plugin to v3.11.0 by @renovate[bot] in #314
  • chore(deps): update dependency com.puppycrawl.tools:checkstyle to v13.5.0 by @renovate[bot] in #316
  • feat: migrate persistent web session lifecycle into CSL behind SessionStorePort by @p-wunderlich in #315
  • docs(workflows): add issues to CSL and Identity org projects by @Ben-Sheppard in #320
  • chore(deps): update actions/checkout action to v6.0.3 by @renovate[bot] in #354
  • chore(release): merge back 0.1.0-alpha22 into main by @github-actions[bot] in #321
  • feat(user): migrate CamundaUserPort and DTO to CSL (Inc-13) by @p-wunderlich in #346
  • chore(codeowners): use csl-team instead of individual owners by @Ben-Sheppard in #356
  • fix(release): drop broken @link to core port in CamundaUserDTO javadoc by @p-wunderlich in #359
  • docs(adopters): show how to import WebSessionConfiguration so host overrides actually win by @p-wunderlich in #357
  • chore(release): merge back 0.1.0-alpha23 into main by @github-actions[bot] in #360
  • feat(core): migrate MappingRuleMatcher from OC security-core by @p-wunderlich in #353
  • test(api): enforce non-null collection defaults on user model records by @p-wunderlich in #363
  • ci: auto-publish releases to Maven Central by @Ben-Sheppard in #364
  • chore: add logging and user-docs guidelines to agent instructions by @p-wunderlich in #366
  • feat(authz): migrate Authorization to CSL as RequiredAuthorization by @p-wunderlich in #355
  • feat(authz): migrate SecurityContext and authorization condition types to CSL (issue #352) by @p-wunderlich in #370
  • chore(release): merge back 0.1.0-alpha24 into main by @github-actions[bot] in #365
  • chore(release): merge back 0.1.0-alpha25 into main by @github-actions[bot] in #368
  • chore(release): merge back 0.1.0-alpha26 into main by @github-actions[bot] in #371
  • feat(oidc): issuer-aware JwtDecoder for multi-provider token validation (#221) by @megglos in #373
  • feat(auth): add UserDetailsPort and CSL UserDetailsService for basic-auth user resolution by @megglos in #374
  • chore(release): merge back 0.1.0-alpha27 into main by @github-actions[bot] in #376
  • feat(inc15): migrate resource access control framework to CSL by @p-wunderlich in #377
  • refactor(oidc): remove bearer-token resource server from the OIDC webapp chain by @megglos in #382
  • chore(release): merge back 0.1.0-alpha28 into main by @github-actions[bot] in #381
  • fix(api): drop null-valued claims when building CamundaAuthentication by @megglos in #386
  • feat(validation): add validation module with entity validators (inc-16) by @p-wunderlich in #384
  • feat(auth): add CamundaSecurityScopeProvider SPI + per-scope API chain builders by @megglos in #378
  • chore(release): merge back 0.1.0-alpha29 into main by @github-actions[bot] in #383
  • fix(validation): escape Enum<?> Javadoc HTML + add doclint to verify by @p-wunderlich in #395
  • Release/0.1.0 alpha30 by @megglos in #396
  • feat(starter): add UserInfo claim augmentation with caching and metrics by @Ben-Sheppard in #405
  • fix(deps): update spring boot to v4.1.0 by @renovate[bot] in #407
  • chore(deps): update version.checkstyle to v13.6.0 by @renovate[bot] in #409
  • test(oidc): extract shared OidcTestServer fixture, migrate 5 test classes by @megglos in #410
  • feat: ship spring-configuration-metadata for camunda.security.* properties by @joaquinfelici in #408
  • docs: ADR-0027 + design — scoped webapp security chains & per-scope sessions by @megglos in #411
  • refactor: extract ScopedWebappSecurityChainBuilder from webapp configs by @megglos in #415
  • chore: upgrade google-java-format to 1.35 by @mrm1st3r in #419
  • test(oidc): add RFC 9068 at+jwt typ-header acceptance tests for JwtDecoder by @p-wunderlich in #417
  • chore(release): merge back 0.1.0-alpha31 into main by @github-actions[bot] in #412
  • refactor: add StubSecurityPaths test builder and adopt it across SecurityPathPort stubs by @megglos in #420
  • chore(deps): update actions/setup-java action to v5.3.0 by @renovate[bot] in #422
  • chore(deps): update plugin.version.spotless to v3.7.0 by @renovate[bot] in #423
  • feat: make OIDC resolver, login links, and CSRF support base-path aware by @megglos in #421
  • refactor: make ScopedWebappSecurityChainBuilder a bean with injected collaborators by @megglos in #425
  • docs: add ADR-0028 extending CSL authz model for search and engine layers by @p-wunderlich in #387
  • feat: add scoped webapp security chain builder by @megglos in #424
  • feat: register per-scope webapp security chains with session isolation by @megglos in #427
  • feat: Add PermissionType CREATE_BATCH_OPERATION_UPDATE_JOB by @georgios-goulos in #433

Full Changelog: https://github.com/camunda/camunda-security-library/commits/0.1.0-alpha32