
OBSDATA-11013 Upgrade pac4j to v5#360

Merged
Ashi Bhardwaj (ashibhardwaj) merged 8 commits into 30.0.1-confluent from abhardwaj/OBSDATA-11013
Jul 16, 2025
Conversation

@ashibhardwaj
Member

Fixes OBSDATA-11013.

Summary of Changes

Version Updates (pom.xml)

  • pac4j: 4.5.7 → 5.7.3
  • nimbus-jose-jwt: 8.22.1 → 9.37.2
  • oauth2-oidc-sdk: 8.22 → 10.8

New Dependency Added

  • Added pac4j-jee dependency (JEE components were moved to separate module in pac4j 5.x)

Import Changes Across Files

  • JEEContext and JEEHttpActionAdapter moved from pac4j-core to pac4j-jee
  • CallContext removed (no longer exists in pac4j 5.x)
  • JavaSerializer from org.pac4j.core.util removed

Code Changes

  • Pac4jFilter.java
    • Updated constructor to match pac4j 5.x API
    • Removed CallContext usage
    • Updated imports for JEE components
  • Pac4jSessionStore.java
    • Replaced pac4j's JavaSerializer with standard Java serialization
    • Updated constructor to include cookieName parameter
    • Fixed serialization/deserialization logic
  • Pac4jAuthenticator.java
    • Updated to use callback path constant instead of method call
    • Updated constructor parameters order
  • Test Files
    • Updated Pac4jFilterTest.java and Pac4jSessionStoreTest.java to match new APIs
    • Fixed constructor calls with updated parameters

Configuration Files

  • Updated licenses.yaml for new dependency versions
  • Updated owasp-dependency-check-suppressions.xml for security scanning

Potential Breaking Changes & Risks

  1. Session Serialization Change
    Risk: The switch from pac4j's JavaSerializer to standard Java serialization could cause issues with existing user sessions
    Impact: Users with active sessions might need to re-authenticate after the upgrade
  2. JEE Dependency Separation
    Risk: The move of JEE components to pac4j-jee module could affect deployment
    Impact: Need to ensure the new dependency is properly included in distribution
  3. API Changes
    Risk: pac4j 5.x has significant API changes that could affect custom configurations
    Impact: Any custom pac4j configurations outside this codebase might break
  4. Java 8 Compatibility
    Risk: The OWASP suppressions mentioned that pac4j 5.7.3 might not support JDK 8
    Impact: Could affect environments still running Java 8

To-do

  • Test thoroughly in a staging environment before merging the PR
  • Update documentation to reflect the new pac4j version requirements

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

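The description above replaces pac4j's JavaSerializer with standard Java serialization for session data. A plain ObjectInputStream will instantiate any Serializable class found on the classpath, so the check a reviewer would want alongside that change is a class allowlist on the read side, which is what pac4j's own serializer enforces through its trusted-packages list. The following is an added example, not code from the Druid extension or from pac4j; the allowlisted types, package prefixes and the session key are constructed assumptions, and the resolveClass override is used instead of ObjectInputFilter so it also compiles on Java 8 (the compatibility concern raised in the risks list).

```java
import java.io.*;
import java.util.*;

/** Added example: standard Java serialization for session values with a deserialization allowlist. */
public final class RestrictedSessionSerializer {

    // Constructed allowlist: only the types the session store is expected to contain (assumption).
    private static final Set<String> TRUSTED_CLASSES = new HashSet<>(Arrays.asList(
        "java.lang.Integer", "java.lang.Long", "java.lang.Boolean",
        "java.util.HashMap", "java.util.LinkedHashMap", "java.util.ArrayList"));
    private static final Set<String> TRUSTED_PACKAGES = new HashSet<>(Arrays.asList(
        "org.pac4j.core.profile.", "org.pac4j.oidc.profile."));

    public static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                // Reject before any class is loaded or instantiated.
                if (!isTrusted(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not permitted in session data");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static boolean isTrusted(String className) {
        String name = className;
        while (name.startsWith("[")) name = name.substring(1);          // unwrap array descriptors
        if (name.length() == 1) return true;                            // primitive array, e.g. "[I"
        if (name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
        if (TRUSTED_CLASSES.contains(name)) return true;
        for (String pkg : TRUSTED_PACKAGES) if (name.startsWith(pkg)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new HashMap<>();
        session.put("pac4jCsrfToken", "constructed-token");             // constructed sample session entry
        System.out.println("round trip ok: " + session.equals(deserialize(serialize((Serializable) session))));
        try {
            deserialize(serialize(new Date()));                         // java.util.Date is not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Existing cookies written by the old serializer will still fail to read after the format change, so re-authentication on upgrade (risk 1 above) is unchanged; the allowlist only bounds what the new reader is willing to reconstruct.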
@ashibhardwaj Ashi Bhardwaj (ashibhardwaj) requested a review from a team as a code owner July 9, 2025 09:29
@ashibhardwaj Ashi Bhardwaj (ashibhardwaj) merged commit f39567a into 30.0.1-confluent Jul 16, 2025
2 checks passed
@ashibhardwaj Ashi Bhardwaj (ashibhardwaj) deleted the abhardwaj/OBSDATA-11013 branch July 16, 2025 10:24