ashibhardwaj opened a new pull request, #18259: URL: https://github.com/apache/druid/pull/18259
Fixes CVE-2023-52428.

### Description

CVE-2023-52428 requires upgrading nimbus-jose-jwt to `9.37.2`, which is not compatible with pac4j v4. Therefore, this PR does a major version upgrade from pac4j v4.5.7 to v5.7.3.

## Summary of Changes

#### Version Updates (pom.xml)

- pac4j: 4.5.7 → 5.7.3
- nimbus-jose-jwt: 8.22.1 → 9.37.2
- oauth2-oidc-sdk: 8.22 → 10.8

#### New Dependency Added

- Added pac4j-jee dependency (JEE components were moved to a separate module in pac4j 5.x)

#### Import Changes Across Files

- JEEContext and JEEHttpActionAdapter moved from pac4j-core to pac4j-jee
- CallContext removed (no longer exists in pac4j 5.x)
- JavaSerializer from org.pac4j.core.util removed

#### Code Changes

- Pac4jFilter.java
  - Updated constructor to match pac4j 5.x API
  - Removed CallContext usage
  - Updated imports for JEE components
- Pac4jSessionStore.java
  - Replaced pac4j's JavaSerializer with standard Java serialization
- Pac4jAuthenticator.java
  - Updated to use callback path constant
- Test Files
  - Updated Pac4jFilterTest.java and Pac4jSessionStoreTest.java to match new APIs
  - Fixed constructor calls with updated parameters

#### Configuration Files

- Updated licenses.yaml for new dependency versions
- Updated owasp-dependency-check-suppressions.xml for security scanning

### Potential Breaking Changes & Risks

1. Session Serialization Change
   - Risk: The switch from pac4j's JavaSerializer to standard Java serialization could cause issues with existing user sessions
   - Impact: Users with active sessions might need to re-authenticate after the upgrade
2. JEE Dependency Separation
   - Risk: The move of JEE components to the pac4j-jee module could affect deployment
   - Impact: Need to ensure the new dependency is properly included in the distribution
3. API Changes
   - Risk: pac4j 5.x has significant API changes that could affect custom configurations
   - Impact: Any custom pac4j configurations outside this codebase might break
4. Java 8 Compatibility
   - Risk: The OWASP suppressions mentioned that pac4j 5.7.3 might not support JDK 8
   - Impact: Could affect environments still running Java 8

This PR has:

- [x] been self-reviewed.
- [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
- [ ] added documentation for new or modified features or behaviors.
- [x] a release note entry in the PR description.
- [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
- [x] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
- [x] added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader.
- [x] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
- [ ] added integration tests.
- [x] been tested in a test Druid cluster.
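An added illustration of risk 1 above (this is example code, not from the PR, Druid or pac4j): a hypothetical `SessionBlobCodec` that round-trips session attributes with standard Java serialization, restricts what the deserializer will materialise to an allow-list via `java.io.ObjectInputFilter` (assumes JDK 9+), and treats any unreadable blob, such as one written by the previous serializer, as an absent session so the caller can send the user to re-authenticate. The class name, the allow-list contents and the `Map<String, Object>` session shape are assumptions for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical helper, not Druid's Pac4jSessionStore. Demonstrates java.io serialization
// of a session attribute map with a class allow-list and graceful handling of blobs the
// current code cannot read (e.g. ones produced by a different serializer before an upgrade).
public final class SessionBlobCodec {

    // Allow-list for this example: only these classes may be materialised; "!*" rejects
    // everything else. A real store would enumerate its own profile/attribute types.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Long;java.lang.Boolean;!*");

    private SessionBlobCodec() {}

    // Serialise the attributes as a plain HashMap so the stored type is always allow-listed.
    public static byte[] encode(Map<String, Object> attributes) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<>(attributes));
        }
        return bos.toByteArray();
    }

    // Returns Optional.empty() for anything that is not a readable, allow-listed session map,
    // so the caller treats it as "no session" and forces re-authentication instead of failing.
    @SuppressWarnings("unchecked")
    public static Optional<Map<String, Object>> decode(byte[] blob) {
        if (blob == null || blob.length == 0) {
            return Optional.empty();
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(FILTER);
            Object o = ois.readObject();
            return o instanceof Map ? Optional.of((Map<String, Object>) o) : Optional.empty();
        } catch (IOException | ClassNotFoundException e) {
            // InvalidClassException (filter rejection) and StreamCorruptedException (foreign
            // or truncated blob) both land here; the stale session is simply discarded.
            return Optional.empty();
        }
    }
}
```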
