February Update
The SP and legacy IdP branch have stabilized, so V4 development has started in earnest. Deprecated code is being actively removed from all the projects and that work should be mostly complete this month. We've completed two major development tasks: moving the projects up to Spring 5 and Java 11, and replacing the Guava Predicate/Function interfaces throughout the code base with the standard Java 8 functional interfaces.
V4 will be built with and require Java 11, but we're still evaluating exactly what versions of Java 11 to officially support or recommend. There may or may not be reliably "pure" distributions of "free for use" Java 11 after September, and we expect to end up officially testing and certifying a (very) limited number of possible implementations with the rest left to the "probably works" category that OpenJDK used to live in. All of this is subject to change, and there will probably be some additional information available during Spring or Summer. Of course, feedback from members will have to be taken into consideration.
Java 8+ includes a number of new standard features that have replaced, or will replace, various proprietary libraries. The first conversion done was the Predicate/Function mechanism that is heavily used across the code, but also by deployers in various ways to customize behavior. For the most part, existing scripts and plugins will work compatibly after the conversion, with some small issues that should lead to warnings in V4 before causing any breakage in future versions.
We will also be migrating the Date/Time classes and interfaces to Java's standard classes, and this is likely to lead to a small number of incompatibilities, but the details will be clearer once that work is done.
Other open investigations and projects underway:
- Evaluating Velocity alternatives for possible use as a replacement, principally FreeMarker since it remains officially supported by Spring. Velocity will be supported for the time being, but we have to maintain that supporting code so moving away from it is a possibility, though not an urgent need.
- Work continues to clean up an OIDC authentication module, which will lead into more significant design work on proxy features over the summer.
- Discussions about how/when/who to incorporate the V3 OIDC extension. It is not officially targeted for V4 but remains a possibility.
A revised dependency management process is being worked on to avoid the need to privately host all of the dependencies of the codebase: artifacts will be pinned by PGP key and/or checksum, and a Maven plugin extended to verify our dependencies at build time. We continue to seek the best way to keep the build process safe from the attacks that standard Maven projects leave themselves open to, attacks that have caused huge security vulnerabilities in other non-Java platforms and demonstrated that our paranoia was well founded.
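To make the pin-then-verify idea concrete, here is an added example (not Shibboleth's code and not the Maven plugin mentioned above) of the two halves of checksum pinning: a lock manifest is produced once from a trusted snapshot of artifact bytes, and every later build compares what it resolved against that manifest. The artifact coordinates and byte strings are constructed for the illustration; PGP signature checking is left out and only SHA-256 pinning is shown.

```python
"""Checksum pinning of build dependencies: constructed example, not project code."""
import hashlib
from typing import Dict, List, Mapping, NamedTuple


class Finding(NamedTuple):
    """One deviation between the pinned manifest and what the build resolved."""
    coordinate: str
    problem: str  # "mismatch", "missing" or "unpinned"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_artifacts(artifacts: Mapping[str, bytes]) -> Dict[str, str]:
    """Build the lock manifest {coordinate: sha256} from a snapshot you trust.

    This is run once, at a moment when the resolved artifacts have been
    reviewed, and the result is committed alongside the build so that later
    resolutions are measured against it rather than trusted on their own.
    """
    return {coord: sha256_hex(blob) for coord, blob in sorted(artifacts.items())}


def verify_artifacts(manifest: Mapping[str, str],
                     resolved: Mapping[str, bytes]) -> List[Finding]:
    """Compare build-time resolution against the manifest and report every gap.

    Three cases are reported so that none of them can pass silently:
      mismatch - same coordinate, different bytes (a swapped or tampered artifact)
      missing  - a pinned artifact the build did not resolve at all
      unpinned - an artifact the build pulled in that nobody ever reviewed
    The caller should fail the build on any finding.
    """
    findings: List[Finding] = []
    for coord, expected in manifest.items():
        blob = resolved.get(coord)
        if blob is None:
            findings.append(Finding(coord, "missing"))
        elif sha256_hex(blob) != expected:
            findings.append(Finding(coord, "mismatch"))
    for coord in resolved:
        if coord not in manifest:
            findings.append(Finding(coord, "unpinned"))
    return sorted(findings)


# Constructed sample data: hypothetical coordinates, stand-in bytes for jars.
TRUSTED_SNAPSHOT = {
    "org.example:lib-a:1.0": b"lib-a 1.0 contents",
    "org.example:lib-b:2.3": b"lib-b 2.3 contents",
}
LATER_RESOLUTION = {
    "org.example:lib-a:1.0": b"lib-a 1.0 contents",            # unchanged
    "org.example:lib-b:2.3": b"lib-b 2.3 contents (replaced)",  # same coordinate, new bytes
    "org.example:lib-c:0.9": b"lib-c 0.9 contents",            # transitive dep never pinned
}


def demo() -> List[Finding]:
    """Pin the trusted snapshot, then verify a later (drifted) resolution."""
    manifest = pin_artifacts(TRUSTED_SNAPSHOT)
    return verify_artifacts(manifest, LATER_RESOLUTION)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.problem:9} {finding.coordinate}")
```

Reporting unpinned artifacts, not just mismatches, is the part that matters for the transitive-dependency problem: a repository that quietly adds a new dependency to a build is exactly the case a checksum on the artifacts you already knew about would not catch.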
Finally, a regression was identified in the Java 9+ JNDI LDAP provider that causes connection leaks and/or crashes. So far the regression hasn't appeared in Java 8 but does affect all later versions. The bug has been reported to Oracle, but so far the only workaround appears to be switching to an alternate LDAP provider. The ldaptive library has been heavily used by its authors with the UnboundID LDAP client, so we are tentatively planning to move to it as the V4 default, as JNDI has been a frequent source of bugs. We also have documentation prepared describing how to do this with V3. We may, if we decide it's warranted and safe, ship a V3 patch with this change, but that depends on what Oracle does with the bug in the next couple of months.